Schneier on Security
January 7, 2013
Details of an Internet Scam
Interesting details of an Amazon Marketplace scam. Worth reading.
Most scams use a hook to cause a reaction. The idea being that if you are reacting, they get to control you. If you take the time to stop and think things through, you take control back and can usually spot the scam. Common hooks involve Urgency, Uncertainty, Sex, Fear or Anger. In this case, it's all about Urgency, Uncertainty and Fear. By setting the price so low, they drive urgency high, as you're afraid that you might miss the deal. They then compound this by telling me there was an error in the shipment, trying to make me believe they are incompetent and if I act quickly, I can take advantage of their error.
The second email hypes the urgency, trying to get me to pay quickly. I did not reply, but if I had, the next step in a scam like this is to sweeten the deal if I were to act immediately, often by pretending to ship my non-existent camera with a bonus item (like a cell phone) overnight if I give them payment information immediately.
Of course, if I ever did give them my payment information, they'd empty my checking account and, if they're with a larger attacker group, start using my account to traffic stolen funds.
Posted on January 7, 2013 at 6:31 AM
"Of course, if I ever did give them my payment information, they'd empty my checking account and, if they're with a larger attacker group, start using my account to traffic stolen funds."
The attacker asked for a bank transfer, which is initiated by the payer so there is not much an attacker could do with it (apart from taking receipt of the payment of course). And even if the attacker was to obtain the account details of the victim, there still is nothing he could do with it. Bank account numbers and sort codes are quasi-public and you cannot do anything with it really, and certainly not trafficking stolen funds because you cannot make any outbound payments. These things are published on letterheads, websites, during eBay checkouts....
I think the statement above is exaggerated. The attacker depends on the victim making the payment, not disclosing any "payment details".
> The attacker asked for a bank transfer, which is initiated by the payer so there is not much an attacker could do with it
In most of the civilized world, yes, but not in the USA, where it's easy to draw money from somebody else's account if you know the number. See e.g. http://money.stackexchange.com/questions/15218/...
A lot of Nigerian scams simply involved obtaining bank details so that, working with a partner in a corrupt local bank, they were able to clean out accounts. This has become a lot harder, so they switched to the more familiar "we sent you too much in a fake money order, please return the extra by Western Union" scam.
>officerX Same goes for Germany, where direct debit is the most used payment form for commercial purchases on the Internet. All you need is the account number and you have full access. Although the original owner has the possibility to cancel the payment, given time and circumstances the money may be gone forever.
>SevenFourNil The time limit for cancelling a direct debit payment is two weeks. It also incurs a small penalty on the initiator of the transaction (10 EUR or so). I used it once, the money is back pretty much instantly if you do this.
@SevenFourNil: There is no risk to the debited account owner.
I'm still having trouble buying the notion that all someone needs is an account number in order to drain the account. Doesn't every check have the account number (and related routing info) written across the bottom in the funky machine readable font that banks use for this sort of thing? If (assuming no "inside man" at the account holder's bank) having the account number is enough to let a villain drain the account then why does anyone at all use checks? Alternatively, what is "missing" on checks that prevents the recipient of a check from draining the sender's bank account?
The scammers can set up direct debit with just account info. Or they will dump illegal funds into it and direct debit the surplus out, which nobody would notice until they come looking for the first transfer to reverse.
They can make fake cheques with your account info, bank drafts, money orders etc. I heard of a scammer that would pick up a shipment at an anonymous drop, note the signature on the customs form, then use it for fraudulent cheques later. Or they would make up some BS that they need a signed invoice for w/e BS import regulations and always ask to pay via direct deposit to get account info.
This is completely tangential to the main points here, but it's a commonplace among photography enthusiasts in the US that the best legitimate prices are at B&H Photo, Adorama, and Amazon (that is, Amazon itself, not Amazon Marketplace). If you see a significantly better price than any of those three are offering, it's practically guaranteed to be a scam. I'm skeptical that the blogger really thought he was going to get 50% off on a D800 (one of the most desirable recent cameras). I suspect he was knowingly trying to see how a scam would work; if so, it would have added to his credibility to say so. Of course I can't be certain; it's conceivable that this person who is obviously knowledgeable about cameras, the internet, and security, is unaware of this near-universal opinion. In any case, this is tangential to his main points.
I am the original poster. I had checked out B&H, Adorama and Amazon. The issue was that this particular camera was on Amazon, so there was a certain element of trust there. I knew, from the price, that there was a chance that I was going to be scammed but the possibility of getting the camera for a much better price made me interested in trying.
What was interesting was that, even though I knew it was likely to be a scam, I did find myself getting deeply into the "what if" scenarios. I did not go into it to explore a scam, as I did need the camera (I eventually got one at a local store which did price matching). However, once I confirmed that it was, in fact, a scam, I did run with it further to see how it worked.
Does your local place offer price matching for online (scam) prices?
>> The attacker asked for a bank transfer, which is initiated by the payer so there is not much an attacker could do with it
> In most of the civilized world, yes, but not in the USA, where it's easy to draw money from somebody else's account if you know the number.
In Germany, you do not get to see the account number of the sender of a bank transfer.
Is it different in the US?
Speaking about the "civilized world", btw, don't you still send cheques in the mail over there?
@SevenFourNil: "Same goes for Germany where [...] All you need is the account number and you have full access."
I do not think that you can do direct debiting having a "normal" debit account (have not tried, though).
Since the bank carries the complete risk if you abuse the feature (direct debits can be canceled for any reason and you are guaranteed to get your money back), I would assume that you need to jump through some additional hoops (e.g., opening a business account) in order for your bank to allow you this.
Alas, no. They just matched Adorama and B&H. However, since in this case I would know what I was getting, I figured the advantage of knowing offset the sales tax cost.
Indeed, it looks like direct debit is vulnerable to fraudulent use, although there is generally enough consumer protection to reverse it in full so it is in the interest of the bank(s) to detect and prevent fraudulent use. This should be not too different than fraud prevention for credit cards, i.e. matching billing and shipping addresses etc.
@xxx: "In most of the civilized world, yes, but not in the USA, where it's easy to draw money from somebody else's account if you know the number."
Not in France either. At least two different banks trust the institutions having a "numéro national d'émetteur (NNE)" http://fr.wikipedia.org/wiki/... ; 10 different big players with NNE (mostly various providers, and also some public institutions) were able to take money from my account although I never showed to the bank the authorisation that these big players have sent to me and asked me to forward them to my bank.
A few years ago, there have been several newspaper articles in the Netherlands about direct debit fraud attempts.
Generally, the plot involves someone with a legitimate business account who plans to transfer a "small" sum of money from a large number of accounts, then wire it to another account and either withdraw it or wire it abroad. The plan involves timing the payments to occur during some bank holiday or weekend.
The banks thwart such schemes by delaying all unusual payments. So after the bank holiday, the would-be fraudster still has no access to the funds and will get a call from the bank or police for an explanation.
A brash UK TV personality posted his bank account number and sort code in a newspaper column and invited people to deduct money from the account without his consent. In theory it should not be possible with just this information, so he should have been safe making this information public.
Within a few days he had made an "unauthorised" transfer to a charity. Evidently it turns out that it is very easy to do. The system is very leaky and has never been that secure; as I think Bruce said once a long time ago, it's the guarantees that make banking work, not the security.
The American practice of checks with no signature is absurd. It destroys the original idea and purpose of checks entirely. The signature used to be (and still is almost everywhere else) an essential element of a check.
A few notes about account numbers, withdrawals and direct debit in Poland, for those interested:
All you can do knowing someone's account number is to send him money. There are various ways: postal order, cash deposit at a bank's branch, wire transfer from your account (all transfers are wire today), various online payment processors etc. To withdraw funds you need some kind of authentication tied to the account's owner: ID card and signature for in-person withdrawal at the bank desk, a debit card and PIN (at the desk or at an ATM), user ID plus password plus some other authentication method for online operations etc. The details are up to the bank (some minimal requirements are set in the law, but I don't remember the details). I don't know of any bank that uses only user/password for any online withdrawal or similar operations ("read-only" operations after logging in with user/pass are usually allowed). The second authentication method varies: a digital signature using a key stored locally by the user, a TAN from a separately mailed paper list or a scratch-off card, a TAN sent to the owner's mobile phone, a code from a time-based physical token, a code from a challenge-response physical token etc. Many banks allow you to choose from several options, some of them involving an extra fee.
Direct debit works this way: first you have to grant authorization for direct debit by filling in a paper form in two copies, signing them, then sending them by mail to your creditor (usually some phone or utility company). The company fills in its details, including some customer ID, on one copy and sends it to the bank. The bank verifies the signature and creates an entry in its system for this particular instance of direct debit authorization. From now on, the company may debit your account. This is done electronically via the inter-bank wire transfer system.
You may cancel any direct debit transaction within 56 calendar days (individual) or 5 working days (company). You may revoke the direct debit authorization completely at any time by sending a paper form to your bank. You may also temporarily suspend the authorization and restore it later (online or otherwise).
Lately it has been made possible to authorize direct debit online at your bank's site. Some banks support that, but not all.
You may be charged by your bank for using direct debit and/or for each transaction and/or for cancelling a transaction, but many do not charge at all (at least in some plans) and practically all the rest of them charge less than for a regular wire transfer.
@ Adam Trickett,
A brash UK TV personality posted his bank account number and sort code in a newspaper column
The brash person was Jeremy Clarkson of the BBC motoring show "Top Gear". The newspaper column was the one he writes for the UK's Sun red-top newspaper. He was saying Internet fraud was all hogwash, or to that effect, and challenged people to try it by giving his bank details and some instructions on how to find his home address.
Somebody did find his address
which is available online if you know where to look (apparently JC gave details of how to find his address), and apparently this person then signed Jeremy up to give a DD of something like 500GBP a month to the charity Diabetes UK (Jeremy is reputed to earn something in excess of 2 million GBP a year).
Not that you need to follow Jeremy's instructions; it is well known he is part of the "Chipping Norton Set" and was/is good friends with David Cameron (UK PM) and Rebekah Wade/Brooks (disgraced ex-editor of the Sun newspaper, arrested over phone hacking allegations).
Jeremy once (supposedly) purchased an English Electric Lightning fighter aircraft (XM172) and put it in his front garden for one of the programs in his television series "Speed", and thus his address got revealed by all and sundry who had seen it in passing and posted it up on the Internet with GPS/Google Map references etc. (it actually took me 15 mins tops to get his address immediately after watching the show by just using the aircraft's highly visible markings, which was less time than it took for me to find the two links at the bottom about the story...).
He also has another house on the Isle of Man where, due to some sheep on the property being killed, he closed a pathway. Various dog walkers then petitioned the courts, and after a long legal battle much of his and his wife's personal life and the address of the property were brought into the public domain.
Oh, and after getting a "super injunction" against his first wife, he voluntarily dropped it, making public comment that the injunction was pointless and useless, and that rather than providing legal protection it caused much comment in the lawless Twitter space.
He is also known for doing "crazy stunts" along with his Top Gear co-presenters and has actually injured his neck, back and legs in stunts such as driving at speed into brick walls.
You can read more on how he had the money taken out of his Barclays account at,
Common hooks involve Urgency, Uncertainty, Sex, Fear or Anger.
The phrase "don't waste a crisis" comes to mind. Hmm ... con artists, radical troublemakers, and politicians. Sounds about right. :/
Saul Alinsky gave us a lot of wisdom. Right vs wrong is a different universe, but there's a lot of truth there.
Here is a classic scam setup:
1. people look for mp3s on Google Search
2. they visit the site, which is designed to look like an old school warez ftp
3. they download the malicious package
4. those behind the site get one more computer for their botnet, while its owner wonders where the damn mp3s are
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.