Identity Theft out of Golf Lockers

When someone goes golfing in Japan, he's given a locker in which to store his valuables. Generally, and at the golf course in question, these are electronic combination locks. The user selects a code himself and locks his valuables. Of course, there's a back door -- a literal one -- to the lockers, in case someone forgets his unlock code. Furthermore, the back door allows the administrator of these lockers to read all the codes to all the lockers.

Here's the scam: A group of thieves worked in conjunction with the locker administrator to open the lockers, copy the golfers' debit cards, and replace them in their wallets and in their lockers before they were done golfing. In many cases, the golfers used the same code to lock their locker as their bank card PIN, so the thieves got those as well. Then the thieves stole a lot of money from multiple ATMs.

Several factors make this scam even worse. One, unlike the U.S., ATM cards in Japan have no limit. You can literally withdraw everything out of the account. Two, the victims don't know anything until they find out they have no money when they use their card somewhere. Three, the victims, since they play golf at these expensive courses, are usually very rich. And four, unlike the United States, Japanese banks do not guarantee loss due to theft.

Posted on March 1, 2005 at 9:20 AM • 15 Comments

Comments

anonymous • March 1, 2005 9:53 AM

This kind of theft has been in the news recently in Japan so the banks are falling over themselves introducing cards with embedded chips and stripes which can't be copied so easily, and where you can choose your own withdrawal limits.

Israel Torres • March 1, 2005 10:01 AM

As long as they have magnetic stripes on the back of the cards they are vulnerable to portable devices armed with software to glean valuable data from (a la http://stripesnoop.sourceforge.net/). Regarding mass hack attempts on allegedly private boxes, see this 1991 article on hacking FedEx boxes:
http://www.phrack.org/phrack/35/P35-10
... Even without a "master key".

The moral of the story is: keep your valuables at home, or lock them up in your limo before heading out to the course.

Israel Torres


Jon Solworth • March 1, 2005 10:15 AM

At first, when I read this description I thought the title, which includes the phrase "Identity Theft" was erroneous. After all, it is not reported that anyone was able to "take over" someone's identity --just use his bank account. If someone found my house key and broke into my house would that be identity theft?

To my surprise this is indeed the widely used definition of identity theft, although I would have thought an "escalation of privileges" should have been a required part of it.

There were several vulnerabilities here, including "the what you have" (bankcard) that was easily copiable and "the what you know" (PIN) which should not have been reused if it was guarding a bank account. It appears the theft could have been prevented by not reusing the PIN.

Jon Solworth

Ian • March 1, 2005 11:18 AM

It's my understanding that banks aren't quite as popular in Japan as the US... Checks are non-existent there, and I guess people keep a lot of cash around. Or so I've heard.

Anonymous • March 1, 2005 12:43 PM

Moral of the story: do not leave your credit/debit cards where you have no control over them, especially when you're in a public place. And also, do not use your card PIN for anything else.

Another Anonymous • March 1, 2005 3:27 PM

Not entirely to blame, but if the lockers were designed not to reveal the user's code and perhaps erased it when the administrative code was used so that the user knew the locker had been opened during their absence, then this attack would be much more difficult.

Surely some liability rests with the designers of this system?
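The locker design suggested in the comment above, as an added example that is not part of the original post or any real product: a constructed model of the weak locker (plaintext code, readable through the back door) beside a hardened one that stores only a salted digest and makes the administrative override erase the code and leave a visible flag. All class and method names are my own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed model of two locker designs; names and parameters are assumptions.

class PlaintextLocker:
    """Weak design: the locker keeps the user's code and the back door reads it."""
    def __init__(self) -> None:
        self.code: Optional[str] = None
    def lock(self, code: str) -> None:
        self.code = code
    def admin_read_code(self) -> Optional[str]:
        return self.code  # an insider learns the code, and any PIN it was reused from

class HashedLocker:
    """Hardened design: only a salted digest is stored; the override is tamper-evident."""
    ITERATIONS = 100_000
    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.digest: Optional[bytes] = None
        self.opened_by_admin = False
    def _derive(self, code: str) -> bytes:
        # Slow salted hash: the panel can verify a code but cannot read it back
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, self.ITERATIONS)
    def lock(self, code: str) -> None:
        self.digest = self._derive(code)
        self.opened_by_admin = False
    def user_open(self, code: str) -> bool:
        if self.digest is None:
            return False
        ok = hmac.compare_digest(self._derive(code), self.digest)
        if ok:
            self.digest = None  # locker released, nothing secret left behind
        return ok
    def admin_open(self) -> None:
        # The back door still exists for forgotten codes, but it returns no code,
        # erases the stored digest, and leaves a flag the golfer sees on return.
        self.digest = None
        self.opened_by_admin = True
    def status(self) -> str:
        if self.opened_by_admin:
            return "OPENED BY STAFF"
        return "LOCKED" if self.digest is not None else "FREE"
```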

Anonymous2 • March 1, 2005 3:29 PM

Not entirely to blame, but if the lockers had been designed not to reveal the users code, and perhaps erased it if the administrative code was used so that the user would be given some idea that the locker had been opened in their absence, then this attack would be much more difficult.

Surely some of the liability rests with the designers of the lockers?

Davi Ottenheimer • March 1, 2005 3:56 PM

Here's an interesting take on this situation: Perhaps what we see in this situation is another example of the gap created by technology outpacing public awareness of risk.

In other words, did Japanese cultural attitudes towards payment systems determine the security effectiveness of the lockers and the cards? It is true that it is generally safe to carry cash, and it's a preferred form of payment in Japan. However, new generations seem happy to move past cash to adopt bleeding-edge technology. Moreover the mega-stores are willing to take cards and checks without assuming liability for their risks. In fact I just watched a demo of cell-phones with charge cards (hold your phone up to a register to pay wirelessly) where there was only brief mention of anti-fraud mechanisms.

If I look at this from an attacker's perspective:
- Asset = golf lockers are where the keys to personal financial accounts of wealthy individuals will be; cards have no limit
- Vulnerability = a backdoor is designed into the lockers and easy to manipulate without trace
- Threat = golfers probably think their personal belongings are safe in their locker and are unaware of the vulnerabilities, whereas criminals are aware and willing to exploit them.

The high risk (R=AxVxT) should therefore have been obvious, but public awareness of the risk was probably very low. That is a combination attackers look for...organized criminals are especially good at identifying these opportunities and exploiting them in a way to minimize their own risks.

Ping-Che Chen • March 1, 2005 10:45 PM

Speaking of this, there was a very common kind of fraud using ATM cards: the thieves call someone and tell him that he won some good prize, or that they have some money for him for whatever reason. The thieves trick the victim into going to the ATM and transferring a large amount of money to another account (which is created with a stolen identity, of course). Generally the victims think they are inputting "passwords" but actually it is the amount of money. The thieves first ask the victims to input "999999", and if that fails, then "499999", etc. Because many people don't know how to operate an ATM (or have little experience with ATMs), this stupid scam works surprisingly well.

Now the ATMs all have big signs with words like "you cannot transfer money from other accounts through this machine." And the transfer limit is set to NT$20K each time, and NT$60K per day (you can pre-assign several accounts with no transfer limit). The government was pushing smart cards to replace the old ATM cards; however, the banks are not very cooperative.

shibaten • March 2, 2005 7:05 AM

Last year, the book ‘Cash Cards Are Dangerous!’ written by Kunio Yanagida made this problem widely known to people in Japan.

In 1987, the government tried to make a law like the 50-pound rule. But the banks resisted it and succeeded in preventing such a law.

And the banks still resist making such a law.

‘Japan's Card Fraud Victims May Get Compensation’
(http://creditcardsmagazine.com/managearticle.asp?C=30&A=7781).

‘Cash Cards Are Dangerous!’
(http://amazon.jp/o/ASIN/4163667202).

By the way, I've heard that unlock codes for golf lockers were stolen by hidden cameras.

Zachary Braverman • March 2, 2005 11:08 PM

I live in Japan, and there was one part of the story you missed (which I heard in the news):

The Japanese banks reserve the right not to guarantee money stolen in this manner if the users do not take adequate measures to secure their PINs. In this case, the banks claimed that using the same number for locker and ATM PIN constituted a failure of the individuals to secure their PIN, hence absolving the bank of any responsibility.

Anonymous • March 3, 2005 4:38 PM

In what way does the wealth of the victims make this worse? Is it less ethical to steal from a rich man than from a poor man?

Ben Wilhelm • March 3, 2005 7:44 PM

Generally speaking, rich people have a lot more money in their accounts. It's much more worthwhile to steal a million dollars from a rich man than steal a buck fifty from a poor man.
