Australian Bank Fraud
I really wish this article had more details about the crime. Basically, a criminal ring used an authentication failure with fax transmissions to steal (unsuccessfully, as it turned out) $150 million Australian dollars.
Entries Tagged "authentication"
Page 24 of 28
Caller ID Spoofing
What’s worse than a bad authentication system? A bad authentication system that people have learned to trust. According to the Associated Press:
In the last few years, Caller ID spoofing has become much easier. Millions of people have Internet telephone equipment that can be set to make any number appear on a Caller ID system. And several Web sites have sprung up to provide Caller ID spoofing services, eliminating the need for any special hardware.
For instance, Spoofcard.com sells a virtual “calling card” for $10 that provides 60 minutes of talk time. The user dials a toll-free number, then keys in the destination number and the Caller ID number to display.
Near as anyone can tell, this is perfectly legal. (Although the FCC is investigating.)
The applications for Caller ID spoofing are not limited to fooling people. There’s real fraud that can be committed:
Lance James, chief scientist at security company Secure Science Corp., said Caller ID spoofing Web sites are used by people who buy stolen credit card numbers. They will call a service such as Western Union, setting Caller ID to appear to originate from the card holder’s home, and use the credit card number to order cash transfers that they then pick up.
Exposing a similar vulnerability, Caller ID is used by credit-card companies to authenticate newly issued cards. The recipients are generally asked to call from their home phones to activate their cards.
And, of course, harmful pranks:
In one case, SWAT teams surrounded a building in New Brunswick, N.J., last year after police received a call from a woman who said she was being held hostage in an apartment. Caller ID was spoofed to appear to come from the apartment.
It’s also easy to break into a cell phone voice mailbox using spoofing, because many systems are set to automatically grant entry to calls from the owner of the account. Stopping that requires setting a PIN code or password for the mailbox.
I have never been a fan of Caller ID. My phone number is configured to block Caller ID on outgoing calls. The number of phone numbers that refuse to accept my calls is growing, however.
Impressive Phishing Attack
Read about it here, or in even more detail.
I find this phishing attack impressive for several reasons. One, it’s a very sophisticated attack and demonstrates how clever identity thieves are becoming. Two, it narrowly targets a particular credit union, and sneakily uses the fact that credit cards issued by an institution share the same initial digits. Three, it exploits an authentication problem with SSL certificates. And four, it is yet another proof point that “user education” isn’t how we’re going to solve this kind of risk.
Database Error Causes Unbalanced Budget
This story of a database error cascading into a major failure has some interesting security morals:
A house erroneously valued at $400 million is being blamed for budget shortfalls and possible layoffs in municipalities and school districts in northwest Indiana.
[…]
County Treasurer Jim Murphy said the home usually carried about $1,500 in property taxes; this year, it was billed $8 million.
Most local officials did not learn about the mistake until Tuesday, when 18 government taxing units were asked to return a total of $3.1 million of tax money. The city of Valparaiso and the Valparaiso Community School Corp. were asked to return $2.7 million. As a result, the school system has a $200,000 budget shortfall, and the city loses $900,000.
User error is being blamed for the problem:
An outside user of Porter County’s computer system may have triggered the mess by accidentally changing the value of the Valparaiso house, said Sharon Lippens, director of the county’s information technologies and service department.
[…]
Lippens said the outside user changed the property value, most likely while trying to access another program while using the county’s enhanced access system, which charges users a fee for access to public records that are not otherwise available on the Internet.
Lippens said the user probably tried to access a real estate record display by pressing R-E-D, but accidentally typed R-E-R, which brought up an assessment program written in 1995. The program is no longer in use, and technology officials did not know it could be accessed.
Three things immediately spring to mind:
One, the system did not fail safely. This one error seems to have cascaded into multiple errors, as the new tax total immediately changed budgets of “18 government taxing units.”
Two, there were no sanity checks on the system. “The city of Valparaiso and the Valparaiso Community School Corp. were asked to return $2.7 million.” Didn’t the city wonder where all that extra money came from in the first place?
Three, the access-control mechanisms on the computer system were too broad. When a user is authenticated to use the “R-E-D” program, he shouldn’t automatically have permission to use the “R-E-R” program as well. Authentication isn’t all or nothing; it should be granular to the operation.
Security, Economics, and Lost Conference Badges
Conference badges are an interesting security token. They can be very valuable—a full conference registration at the RSA Conference this week in San Jose, for example, costs $1,985—but their value decays rapidly with time. By tomorrow afternoon, they’ll be worthless.
Counterfeiting badges is one security concern, but an even bigger concern is people losing their badge or having their badge stolen. It’s way cheaper to find or steal someone else’s badge than it is to buy your own. People could do this sort of thing on purpose, pretending to lose their badge and giving it to someone else.
A few years ago, the RSA Conference charged people $100 for a replacement badge, which is far cheaper than a second membership. So the fraud remained. (At least, I assume it did. I don’t know anything about how prevalent this kind of fraud was at RSA.)
Last year, the RSA Conference tried to further limit these types of fraud by putting people’s photographs on their badges. Clever idea, but difficult to implement.
For this to work, though, guards need to match photographs with faces. This means that either 1) you need a lot more guards at entrance points, or 2) the lines will move a lot slower. Actually, far more likely is 3) no one will check the photographs.
And it was an expensive solution for the RSA Conference. They needed the equipment to put the photos on the badges. Registration was much slower. And pro-privacy people objected to the conference keeping their photographs on file.
This year, the RSA Conference solved the problem through economics:
If you lose your badge and/or badge holder, you will be required to purchase a new one for a fee of $1,895.00.
Look how clever this is. Instead of trying to solve this particular badge fraud problem through security, they simply moved the problem from the conference to the attendee. The badges still have that $1,895 value, but now if it’s stolen and used by someone else, it’s the attendee who’s out the money. As far as the RSA Conference is concerned, the security risk is an externality.
Note that from an outside perspective, this isn’t the most efficient way to deal with the security problem. It’s likely that the cost to the RSA Conference for centralized security is less than the aggregate cost of all the individual security measures. But the RSA Conference gets to make the trade-off, so they chose a solution that was cheaper for them.
Of course, it would have been nice if the conference provided a slightly more secure attachment point for the badge holder than a thin strip of plastic. But why should they? It’s not their problem anymore.
The New Internet Explorer
I’m just starting to read about the new security features in Internet Explorer 7. So far, I like what I am reading.
IE 7 requires that all browser windows display an address bar. This helps foil attackers that operate by popping up new windows masquerading as pages on a legitimate site, when in fact the site is fraudulent. By requiring an address bar, users will immediately see the true URL of the displayed page, making these types of attacks more obvious. If you think you’re looking at www.microsoft.com, but the browser address bar says www.illhackyou.net, you ought to be suspicious.
I use Opera, and have long used the address bar to “check” on URLs. This is an excellent idea. So is this:
In early November, a bunch of Web browser developers got together and started fleshing out standards for address bar coloring, which can cue users to secured connections. Under the proposal laid out by IE 7 team member Rob Franco, even sites that use a standard SSL certificate will display a standard white address bar. Sites that use a stronger, as yet undetermined level of protection will use a green bar.
I like easy visual indications about what’s going on. And I really like that SSL is generic white, because it really doesn’t prove that you’re communicating with the site you think you’re communicating with. This feature helps with that, though:
Franco also said that when navigating to an SSL-protected site, the IE 7 address bar will display the business name and certification authority’s name in the address bar.
Some of the security measures in IE7 weaken the integration between the browser and the operating system:
People using Windows Vista beta 2 will find a new feature called Protected Mode, which renders IE 7 unable to modify system files and settings. This essentially breaks down part of the integration between IE and Windows itself.
Think of it is as a wall between IE and the rest of the operating system. No, the code won’t be perfect, and yes, there’ll be ways found to circumvent this security, but this is an important and long-overdue feature.
The majority of IE’s notorious security flaws stem from its pervasive integration with Windows. That is a feature no other Web browser offers—and an ability that Vista’s Protected Mode intends to mitigate. IE 7 obviously won’t remove all of that tight integration. Lacking deep architectural changes, the effort has focused instead on hardening or eliminating potential vulnerabilities. Unfortunately, this approach requires Microsoft to anticipate everything that could go wrong and block it in advance—hardly a surefire way to secure a browser.
That last sentence is about the general Internet attitude to allow everything that is not explicitly denied, rather than deny everything that is not explicitly allowed.
Also, you’ll have to wait until Vista to use it:
…this capability will not be available in Windows XP because it’s woven directly into Windows Vista itself.
There are also some good changes under the hood:
IE 7 does eliminate a great deal of legacy code that dates back to the IE 4 days, which is a welcome development.
And:
Microsoft has rewritten a good bit of IE 7’s core code to help combat attacks that rely on malformed URLs (that typically cause a buffer overflow). It now funnels all URL processing through a single function (thus reducing the amount of code that “looks” at URLs).
All good stuff, but I agree with this conclusion:
IE 7 offers several new security features, but it’s hardly a given that the situation will improve. There has already been a set of security updates for IE 7 beta 1 released for both Windows Vista and Windows XP computers. Security vulnerabilities in a beta product shouldn’t be alarming (IE 7 is hardly what you’d consider “finished” at this point), but it may be a sign that the product’s architecture and design still have fundamental security issues.
I’m not switching from Opera yet, and my second choice is still Firefox. But the masses still use IE, and our security depends in part on those masses keeping their computers worm-free and bot-free.
NOTE: Here’s some info on how to get your own copy of Internet Explorer 7 beta 2.
Identity Theft in the UK
Recently there was some serious tax credit fraud in the UK. Basically, there is a tax-credit system that allows taxpayers to get a refund for some of their taxes if they meet certain criteria. Politically, this was a major objective of the Labour Party. So the Inland Revenue (the UK version of the IRS) made it as easy as possible to apply for this refund. One of the ways taxpayers could apply was via a Web portal.
Unfortunately, the only details necessary when applying were the applicant’s National Insurance number (the UK version of the Social Security number) and mother’s maiden name. The refund was then paid directly into any bank account specified on the application form. Anyone who knows anything about security can guess what happened. Estimates are that fifteen millions pounds has been stolen by criminal syndicates.
The press has been treating this as an issue of identity theft, talking about how criminals went Dumpster diving to get National Insurance numbers and so forth. I have seen very little about how the authentication scheme failed. The system tried—using semi-secret information like NI number and mother’s maiden name—to authenticate the person. Instead, the system should have tried to authenticate the transaction. Even a simple verification step—does the name on the account match the name of the person who should receive the refund—would have gone a long way to preventing this type of fraud.
Passlogix Misquotes Me in Their PR Material
I recently received a PR e-mail from a company called Passlogix:
Password security is still a very prevalent threat, 2005 had security gurus like Bruce Schneier publicly suggest that you actually write them down on sticky-notes. A recent survey stated 78% of employees use passwords as their primary forms of security, 52% use the same password for their accounts—yet 77% struggle to remember their passwords.
Actually, I don’t. I recommend writing your passwords down and keeping them in your wallet.
I know nothing about this company, but I am unhappy at their misrepresentation of what I said.
Foiling Counterfeiting Countermeasures
Great story illustrating how criminals adapt to security measures.
The notes were all $5 bills that had been bleached and altered to look like $100 bills, sheriff’s investigators said. They passed muster with the pen because it determines only whether the paper used to manufacture the currency is legitimate, Bandy said.
As a security measure, the merchants use a chemical pen that determines if the bills are counterfeit. But that’s not exactly what the pen does. The pen only verifies that the paper is legitimate. The criminals successfully exploited this security hole.
Forged Credentials and Security
In Beyond Fear, I wrote about the difficulty of verifying credentials. Here’s a real story about that very problem:
When Frank Coco pulled over a 24-year-old carpenter for driving erratically on Interstate 55, Coco was furious. Coco was driving his white Chevy Caprice with flashing lights and had to race in front of the young man and slam on his brakes to force him to stop.
Coco flashed his badge and shouted at the driver, Joe Lilja: “I’m a cop and when I tell you to pull over, you pull over, you motherf——!”
Coco punched Lilja in the face and tried to drag him out of his car.
But Lilja wasn’t resisting arrest. He wasn’t even sure what he’d done wrong.
“I thought, ‘Oh my God, I can’t believe he’s hitting me,’ ” Lilja recalled.
It was only after Lilja sped off to escape—leading Coco on a tire-squealing, 90-mph chase through the southwest suburbs—that Lilja learned the truth.
Coco wasn’t a cop at all.
He was a criminal.
There’s no obvious way to solve this. This is some of what I wrote in Beyond Fear:
Authentication systems suffer when they are rarely used and when people aren’t trained to use them.
[…]
Imagine you’re on an airplane, and Man A starts attacking a flight attendant. Man B jumps out of his seat, announces that he’s a sky marshal, and that he’s taking control of the flight and the attacker. (Presumably, the rest of the plane has subdued Man A by now.) Man C then stands up and says: “Don’t believe Man B. He’s not a sky marshal. He’s one of Man A’s cohorts. I’m really the sky marshal.”
What do you do? You could ask Man B for his sky marshal identification card, but how do you know what an authentic one looks like? If sky marshals travel completely incognito, perhaps neither the pilots nor the flight attendants know what a sky marshal identification card looks like. It doesn’t matter if the identification card is hard to forge if person authenticating the credential doesn’t have any idea what a real card looks like.
[…]
Many authentication systems are even more informal. When someone knocks on your door wearing an electric company uniform, you assume she’s there to read the meter. Similarly with deliverymen, service workers, and parking lot attendants. When I return my rental car, I don’t think twice about giving the keys to someone wearing the correct color uniform. And how often do people inspect a police officer’s badge? The potential for intimidation makes this security system even less effective.
Sidebar photo of Bruce Schneier by Joe MacInnis.