Entries Tagged "cons"

Page 6 of 6

Fraud and Western Union

Western Union has been the conduit of a lot of fraud. But since they’re not the victim, they don’t care much about security. It’s an externality to them. It took a lawsuit to convince them to take security seriously.

Western Union, one of the world’s most frequently used money transfer services, will begin warning its customers against possible fraud in their transactions.

Persuading consumers to send wire transfers, particularly to Canada, has been a popular method for con artists. Recent scams include offering consumers counterfeit cashier’s checks, advance-fee loans and phony lottery winnings.

More than $113 million was swindled in 2002 from U.S. residents through wire transfer fraud to Canada alone, according to a survey conducted by investigators in seven states.

Washington was one of 10 states that negotiated an $8.5 million settlement with Western Union. Most of the settlement would fund a national program to counsel consumers against telemarketing fraud.

In addition to the money, the company has agreed to increase fraud awareness at more than 50,000 locations, develop a computer program that would spot likely fraud-induced transfers before they are completed and block transfers from specific consumers to specific recipients when the company receives fraud information from state authorities.

Posted on November 18, 2005 at 11:06 AM

$5M Bank Con

Great crime story:

An ingenious fraudster is believed to be sunning himself on a beach after persuading leading banks to pay him more than €5 million (£3.5 million) in the belief that he was a secret service agent engaged in the fight against terrorist money-laundering.

The man, described by detectives as the greatest conman they had encountered, convinced one bank manager to leave him €358,000 in the lavatories of a Parisian bar. “This man is going to become a hero if he isn’t caught quickly,” an officer said. “The case is exceptional, perfectly unbelievable and surreal.”

Moral: Security is a people problem, not a technology problem

Posted on October 12, 2005 at 7:15 AMView Comments

Identity Cards Don't Help

Emily Finch, of the University of East Anglia, has researched criminals and how they adapt their fraud techniques to identity cards, especially the “chip and PIN” system that is currently being adapted in the UK. Her analysis: the security measures don’t help:

“There are various strategies that fraudsters use to get around the pin problem,” she said. “One of the things that is very clear is that it is a difficult matter for a fraudster to get hold of somebody’s card and then find out the pin.

“So the focus has been changed to finding the pin first, which is very, very easy if you are prepared to break social convention and look when people type the number in at the point of sale.”

Reliance in the technology actually reduces security, because people stop paying attention:

“One of the things we found quite alarming was how much the human element has been taken out of point-of-sale transactions,” Dr Finch said. “Point-of-sale staff are told to look away when people put their pin number in; so they don’t check at all.”

[…]

Some strategies relied on trust. Another fraudster trick was to produce a stolen card and pretend to misremember the number and search for it on a piece of paper.

Imagine, she said, someone searching for a piece of paper and saying, “Oh yes, that’s my signature”; there would be instant suspicion.

But there was utter trust in the new technology to pick up a fraudulent transaction, and criminals exploited this trust to get around the problem of having to enter a pin number.

“You go in, you put the card in, you type any number because you don’t know what it is. It won’t go through. The fraudster—because fraudsters are so good with people—says, ‘Oh, it’s no good, I haven’t got the hang of this yet. I could have sworn that was my number… I’ve probably got it confused with my other card.’

“They chat for a bit. The sales assistant, who is either disinterested or sympathetic, falls back on the old system, and swipes the card through.

“Because a relationship of empathy has already been established, and because they have already become accustomed to averting their gaze when people put pin numbers in, they don’t check the signature at all.

“So fraud is actually easier. There is very little vigilance at the point of sale any more. Fraudsters know this and they are taking advantage of it.”

I’ve been saying this kind of thing for a while, and it’s nice to read about some research that backs it up.

Other articles on the research are here, here, and here.

Posted on September 6, 2005 at 4:07 PMView Comments

Social Engineering Via Voicemail

Here’s a clever social engineering attack:

The Division has received a number of calls concerning a voicemail message left by an anonymous female caller urging them to purchase a particular penny stock. The message is intended to appear as if the caller is calling a close friend and has dialed the wrong number. The caller talks fast stating she has a great inside deal on a penny stock. The caller personalizes the conversation by saying the recommendation comes from a broker the woman is dating and that her father previously purchased stock and made a huge profit. The purpose of the call is to make you think you’ve received a hot stock tip by mistake.

Posted on May 20, 2005 at 8:37 AMView Comments

Choicepoint's CISO Speaks

Richard Baich, Choicepoint’s CISO, is interviewed on SearchSecurity.com:

This is not an information security issue. My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No we weren’t. This type of fraud happens every day.

Nice spin job, but it just doesn’t make sense. This isn’t a computer hack in the traditional sense, but it’s a social engineering hack of their system. Information security controls were compromised, and confidential information was leaked.

It’s created a media frenzy; this has been mislabeled a hack and a security breach. That’s such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don’t.

So, Choicepoint believes that providing adequate protection doesn’t include preventing this kind of attack.

I’m sure he’s exaggerating when he says that “this type of fraud happens every day” and “frauds happens every day,” but if it’s true then Choicepoint has a huge information security problem.

Posted on March 1, 2005 at 10:45 AMView Comments

1 4 5 6

Sidebar photo of Bruce Schneier by Joe MacInnis.