Schneier on Security
A blog covering security and security technology.
« Sneaking Items Aboard Aircraft |
| Choicepoint's CISO Speaks »
March 1, 2005
Identity Theft out of Golf Lockers
When someone goes golfing in Japan, he's given a locker in which to store his valuables. Generally, and at the golf course in question, these are electronic combination locks. The user selects a code himself and locks his valuables. Of course, there's a back door -- a literal one -- to the lockers, in case someone forgets his unlock code. Furthermore, the back door allows the administrator of these lockers to read all the codes to all the lockers.
Here's the scam: A group of thieves worked in conjunction with the locker administrator to open the lockers, copy the golfers' debit cards, and replace them in their wallets and in their lockers before they were done golfing. In many cases, the golfers used the same code to lock their locker as their bank card PIN, so the thieves got those as well. Then the thieves stole a lot of money from multiple ATMs.
Several factors make this scam even worse. One, unlike the U.S., ATM cards in Japan have no limit. You can literally withdraw everything out of the account. Two, the victims don't know anything until they find out they have no money when they use their card somewhere. Three, the victims, since they play golf at these expensive courses, are
usually very rich. And four, unlike the United States, Japanese banks do not guarantee loss due to theft.
Posted on March 1, 2005 at 9:20 AM
• 15 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
At first, when I read this description I thought the title, which includes the phrase "Identity Theft" was erroneous. After all, it is not reported that anyone was able to "take over" someone's identity --just use his bank account. If someone found my house key and broke into my house would that be identity theft?
To my surprise this is indeed the widely used definition of identity theft, although I would have thought an "escalation of privileges" should have been a required part of it.
There were several vulnerabilities here, including "the what you have" (bankcard) that was easily copiable and "the what you know" (pin number) which should not have been reused if it was guarding a bank account. It appears the theft could have been prevented by not reusing the PIN number.
Here's an interesting take on this situation: Perhaps what we see in this situation is another example of the gap created by technology outpacing public awareness of risk.
In other words, did Japanese cultural attitudes towards payment systems determine the security effectiveness of the lockers and the cards? It is true that it is generally safe to carry cash, and it's a preferred form of payment in Japan. However, new generations seem happy to move past cash to adopt bleeding-edge technology. Moreover the mega-stores are willing to take cards and checks without assuming liability for their risks. In fact I just watched a demo of cell-phones with charge cards (hold your phone up to a register to pay wirelessly) where there was only brief mention of anti-fraud mechanisms.
If I look at this from an attacker's perspective:
x Asset = golf lockers are where the keys to personal financial accounts of wealthy individuals will be. cards have no limit
x Vulnerability = a backdoor is designed into the lockers and easy to manipulate without trace
x Threat = golfers probably think their personal belongings are safe in their locker and are unaware of the vulnerabilities, whereas criminals are aware and willing to exploit them.
The high risk (R=AxVxT) should therefore have been obvious, but public awareness of the risk was probably very low. That is a combination attackers look for...organized criminals are especially good at identifying these opportunities and exploiting them in a way to minimize their own risks.
Speaking of this, there were a very common kind of fraud using ATM cards: the thieves call someone and tell him that he won some good prize, or they have some money for him for whatever reason. The thieves trick the victim to the ATM to transfer a large amount of money to another account (which is created by a stolen identity, of course). Generally the victims think they input "passwords" but actually the amount of money. The thieves first ask the victims to input "999999" first, and if it failed, then "499999", etc. Because many people don't know how to operate an ATM (or have little experience with ATM), this stupid scam works surprisingly well.
Now the ATM all have big signs with words like "you can not transfer money from other account through this machine." And the transfer limit is set to NT$20K each time, and NT$60K per day (you can pre-assign several accounts with no transfer limit). The government was pushing the smart cards to replace old ATM cards, however, the banks are not very cooperative.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.