Entries Tagged "banking"


Fingerprinting Telephone Calls

This is clever:

The tool is called PinDr0p, and works by analysing the various characteristic noise artifacts left in audio by the different types of voice network—cellular, VoIP etc. For instance, packet loss leaves tiny gaps in audio signals, too brief for the human ear to detect, but quite perceptible to the PinDr0p algorithms. Vishers and others wishing to avoid giving away the origin of a call will often route a call through multiple different network types.

This system can be used to differentiate telephone calls from your bank from telephone calls from someone in Nigeria pretending to be from your bank.

The PinDr0p analysis can’t produce an IP address or geographical location for a given caller, but once it has a few calls via a given route, it can subsequently recognise further calls via the same route with a high degree of accuracy: 97.5 per cent following three calls and almost 100 per cent after five.

Naturally a visher can change routings easily, but even so PinDr0p can potentially reveal details that will reveal a given call as being false. A call which has passed through a Russian cell network and P2P VoIP is unlikely to really be from your high-street bank in the UK, for instance.

Unless your bank is outsourcing its customer support to Russia, of course.

The GIT researchers hope to develop a database of different signatures which would let their system provide a geolocation as well as routing information in time.

Statement from the researchers.

Posted on October 18, 2010 at 6:23 AM

Hacking ATMs

Hacking ATMs to spit out money, demonstrated at the Black Hat conference:

The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system’s remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.

Tranax’s remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.

To conduct the remote hack, an attacker would need to know an ATM’s Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.

The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.

Both the Triton and Tranax ATMs run on Windows CE.

Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax’s remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.

EDITED TO ADD (7/30): Another two articles.

Posted on July 30, 2010 at 8:55 AM

Hemingway Authentication Scheme

From 1955, intended as humor:

In the future when I should ever call on the telephone to make a request or issue an order I will identify myself as follows: This is Hemingway, Ernest M. Hemingway speaking and my serial number is 0-363. That is an easy number to remember and is not the correct one which a con man might have. A con character would say 364. So we will make it 363. Any character can then ask how many shares I own and I will reply truly to the best of my knowledge. If the bank has made any once contemplated mergers or there has been a split that I had not been informed of I might give an inaccurate answer.

Posted on July 13, 2010 at 12:42 PM

Buying an ATM Skimmer

Interesting:

ATM skimmers—or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data—are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap.

The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.

Generally, these custom-made devices are not cheap, and you won’t find images of them plastered all over the Web.

EDITED TO ADD (6/23): Another post.

Posted on June 22, 2010 at 6:49 AM

Outsourcing to an Indian Jail

This doesn’t seem like the best idea:

Authorities in the southern Indian state of Andhra Pradesh are planning to set up an outsourcing unit in a jail.

The unit will employ 200 educated convicts who will handle back office operations like data entry, and process and transmit information.

It’s not necessarily a bad idea, as long as misusable information isn’t being handled by the criminals.

The unit, which is expected to undertake back-office work for banks, will work round the clock with three shifts of 70 staff each.

Okay, definitely a bad idea.

Working in the unit will also be financially rewarding for the prisoners.

I’ll bet.

Posted on May 18, 2010 at 7:29 AM

Fun with Secret Questions

Ally Bank wants its customers to invent their own personal secret questions and answers; the idea is that an operator will read the question over the phone and listen for an answer. Ignoring for the moment the problem of the operator now knowing the question/answer pair, what are some good pairs? Some suggestions:

Q: Do you know why I think you’re so sexy?
A: Probably because you’re totally in love with me.

Q: Need any weed? Grass? Kind bud? Shrooms?
A: No thanks hippie, I’d just like to do some banking.

Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men.
A: Go forth, and kill. Zardoz has spoken.

Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I’d like to speak to your supervisor.

Q: I’ve been embezzling hundreds of thousands of dollars from my employer, and I don’t care who knows it.
A: It’s a good thing they’re recording this call, because I’m going to have to report you.

Q: Are you really who you say you are?
A: No, I am a Russian identity thief.

Okay, now it’s your turn.

Posted on April 30, 2010 at 7:24 AM

Externalities and Identity Theft

Chris Hoofnagle has a new paper: “Internalizing Identity Theft.” Basically, he shows that one of the problems is that lenders extend credit even when credit applications are sketchy.

From an article on the work:

Using a 2003 amendment to the Fair Credit Reporting Act that allows victims of ID theft to ask creditors for the fraudulent applications submitted in their names, Mr. Hoofnagle worked with a small sample of six ID theft victims and delved into how they were defrauded.

Of 16 applications presented by imposters to obtain credit or medical services, almost all were rife with errors that should have suggested fraud. Yet in all 16 cases, credit or services were granted anyway.

In the various cases described in the paper, which was published on Wednesday in The U.C.L.A. Journal of Law and Technology, one victim found four of six fraudulent applications submitted in her name contained the wrong address; two contained the wrong phone number and one the wrong date of birth.

Another victim discovered that his imposter was 70 pounds heavier, yet successfully masqueraded as him using what appeared to be his stolen driver’s license, and in one case submitted an incorrect Social Security number.

This is a textbook example of an economic externality. Because most of the cost of identity theft is borne by the victim—even with the lender reimbursing the victim if pushed to—the lenders make the trade-off that’s best for their business, and that means issuing credit even in marginal situations. They make more money that way.

If we want to reduce identity theft, the only solution is to internalize that externality. Either give victims the ability to sue lenders who issue credit in their names to identity thieves, or pass a law with penalties if lenders do this.

Among the ways to move the cost of the crime back to issuers of credit, Mr. Hoofnagle suggests that lenders contribute to a fund that will compensate victims for the loss of their time in resolving their ID theft problems.

Posted on April 14, 2010 at 6:57 AM

Master Thief

The amazing story of Gerald Blanchard.

Thorough as ever, Blanchard had spent many previous nights infiltrating the bank to do recon or to tamper with the locks while James acted as lookout, scanning the vicinity with binoculars and providing updates via a scrambled-band walkie-talkie. He had put a transmitter behind an electrical outlet, a pinhole video camera in a thermostat, and a cheap baby monitor behind the wall. He had even mounted handles on the drywall panels so he could remove them to enter and exit the ATM room. Blanchard had also taken detailed measurements of the room and set up a dummy version in a friend’s nearby machine shop. With practice, he had gotten his ATM-cracking routine down to where he needed only 90 seconds after the alarm tripped to finish and escape with his score.

As Blanchard approached, he saw that the door to the ATM room was unlocked and wide open. Sometimes you get lucky. All he had to do was walk inside.

From here he knew the drill by heart. There were seven machines, each with four drawers. He set to work quickly, using just the right technique to spring the machines open without causing any telltale damage. Well rehearsed, Blanchard wheeled out boxes full of cash and several money counters, locked the door behind him, and headed to a van he had parked nearby.

Eight minutes after Blanchard broke into the first ATM, the Winnipeg Police Service arrived in response to the alarm. However, the officers found the doors locked and assumed the alarm had been an error. As the police pronounced the bank secure, Blanchard was zipping away with more than half a million dollars.

Posted on March 29, 2010 at 1:48 PM
