Entries Tagged "forgery"

Page 5 of 13

Euro Coin Recycling Scam

This story is just plain weird. Regularly, damaged coins are taken out of circulation. They’re destroyed and then sold to scrap metal dealers. That makes sense, but it seems that one- and two-euro coins aren’t destroyed very well. They’re both bi-metal designs, and they’re just separated into an inner core and an outer ring and then sold to Chinese scrap metal dealers. The dealers, being no dummies, put the two parts back together and sold them back to a German bank at face value. The bank was chosen because they accept damaged coins and don’t inspect them very carefully.

Is this not entirely predictable? If you’re going to take coins out of circulation, you had better use a metal shredder. (Except for pennies, which are worth more in component metals.)

Posted on April 13, 2011 at 6:25 AMView Comments

Comodo Group Issues Bogus SSL Certificates

This isn’t good:

The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.

The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes.

At a minimum, the attacker would then be able to steal login credentials from anyone who entered a username and password into the fake page, or perform a “man in the middle” attack to eavesdrop on the user’s session.

More news articles. Comodo announcement.

Fake certs for Google, Yahoo, and Skype? Wow.

This isn’t the first time Comodo has screwed up with certificates. The safest thing for us users to do would be to remove the Comodo root certificate from our browsers so that none of their certificates work, but we don’t have the capability to do that. The browser companies—Microsoft, Mozilla, Opera, etc.—could do that, but my guess is they won’t. The economic incentives don’t work properly. Comodo is likely to sue any browser company that takes this sort of action, and Comodo’s customers might as well. So it’s smarter for the browser companies to just ignore the issue and pass the problem to us users.

Posted on March 31, 2011 at 7:00 AMView Comments

Odd Art Forger

He’s not in it for the money:

Mr. Landis…has been one of the most prolific forgers American museums have encountered in years, writing, calling and presenting himself at their doors, where he tells well-concocted stories about his family’s collection and donates small, expertly faked works, sometimes in honor of nonexistent relatives.

Unlike most forgers, he does not seem to be in it for the money, but for a kind of satisfaction at seeing his works accepted as authentic. He takes nothing more in return for them than an occasional lunch or a few tchotchkes from the gift shop. He turns down tax write-off forms, and it’s unclear whether he has broken any laws.

EDITED TO ADD (1/23): Another article on Landis.

Posted on January 19, 2011 at 7:02 AMView Comments

The Security Threat of Forged Law-Enforcement Credentials

Here’s a U.S. Army threat assessment of forged law-enforcement credentials.

The authors bought a bunch of fake badges:

Between November 2009 and March 2010, undercover investigators were able to purchase nearly perfect counterfeit badges for all of the Department of Defense’s military criminal investigative organizations to include the Army Criminal Investigation Command (Army CID), Naval Criminal Investigative Service (NCIS), Air Force Office of Special Investigations (AFOSI), and the Marine Corps Criminal Investigation Division (USMC CID). Also, purchased was the badge for the Defense Criminal Investigative Service (DCIS).

Also available for purchase were counterfeit badges of 42 other federal law enforcement agencies including the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), Alcohol, Tobacco and Firearms (ATF), Secret Service, and the US Marshals Service.

Of the other federal law enforcement agency badges available, the investigators found exact reproductions of the badges issued to Federal Air Marshals, Transportation Security Administration (TSA) Screeners, TSA Inspectors, and Special Agents of the TSA Office of Inspector General.

Average price: $60.

Then, they tried using them:

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area.

[…]

Once being granted access to the military installation or federal facility, the investigators proceeded to areas that were designed as “Restricted Area” or “Authorized Personnel Only” and were able to wander around without being challenged by employees or security personnel. On one military installation, investigators were able to go to the police station and request local background checks on several fictitious names. All that was required was displaying the fraudulent badge and credentials to a police officer working the communications desk.

The authors didn’t try it getting through airport security, but they mentioned a 2000 GAO report where investigators did:

The investigation found that investigators were 100% successful in penetrating 19 federal sites and 2 commercial airports by claiming to be law enforcement officers and entering the facilities unchecked by security where they could have carried weapons, listening devices, explosives, chemical/biological agents and other such materials.

Websites are listed in the report, if you want to buy your own fake badge and carry a gun onto an airplane.

I’ve written about this general problem before:

When faced with a badge, most people assume it’s legitimate. And even if they wanted to verify the badge, there’s no real way for them to do so.

The only solution, if this counts as one, is to move to real-time verification. A credit card used to be a credential; it gave the bearer certain privileges. But the problem of forged and stolen credit cards was so pervasive that the industry moved to a system where now the card is mostly a pointer to a database. Your passport, when you present it to the customs official in your home country, is basically the same thing. I’d like to be able to photograph a law-enforcement badge with my camera, send it to some police website, and get back a real-time verification—with picture—that the officer is legit.

Of course, that opens up an entire new set of database security issues, but I think they’re more manageable than what we have now.

Posted on January 13, 2011 at 8:00 AMView Comments

Fake Amazon Receipt Generators

They can be used to scam Amazon Marketplace merchants:

What happens once our scammer is armed with his fake receipt? Well, many sellers on Amazon will ask you to send them a copy of your receipt should you run into trouble, have orders go missing, lose your license key for a piece of software and so on. The gag here is that the scammer is relying on the seller not checking the details and accepting the printout at face value. After all, how many sellers would be aware somebody went to the trouble of creating a fake receipt generator in the first place?

They’re also useful if you want to defraud your employer on expense reimbursement forms.

Posted on December 17, 2010 at 6:28 AMView Comments

Putting Unique Codes on Objects to Detect Counterfeiting

This will help some.

At least two rival systems plan to put unique codes on packages containing antimalarials and other medications. Buyers will be able to text the code to a phone number on the package and get an immediate reply of “NO” or “OK,” with the drug’s name, expiration date, and other information.

To defeat the system, the counterfeiter has to copy the bar codes. If the stores selling to customers are in on the scam, it can be the same code. If not, there have to be sufficient different bar codes that the store doesn’t detect duplications. Presumably, numbers that are known to have been copied are added to the database, so the counterfeiters need to keep updating their codes. And presumably the codes are cryptographically hard to predict, so the only way to keep updating them is to look at legitimate products.

Another attack would be to intercept the verification system. A man-in-the-middle attack against the phone number or the website would be difficult, but presumably the verification information would be on the object itself. It would be easy to swap in a fake phone number that would verify anything.

It’ll be interesting to see how the counterfeiters get around this security measure.

Posted on October 6, 2010 at 6:59 AMView Comments

Cloning Retail Gift Cards

Clever attack.

After researching how gift cards work, Zepeda purchased a magnetic card reader online, began stealing blank gift cards, on display for purchase, from Fred Meyer and scanning them with his reader. He would then return some of the scanned cards to the store and wait for a computer program to alert him when the cards were activated and loaded with money.

Using a magnetic card writer, Zepeda then rewrote one of the leftover stolen gift card’s magnetic strip with the activated card’s information, thus creating a cloned card.

Posted on August 13, 2010 at 7:36 AMView Comments

Interview with a Nigerian Internet Scammer

Really interesting reading.

Scam-Detective: How did you find victims for your scams?

John: First you need to understand how the gangs work. At the bottom are the “foot soldiers”, kids who spend all of their time online to find email addresses and send out the first emails to get people interested. When they receive a reply, the victim is passed up the chain, to someone who has better English to get copies of ID from them like copies of their passport and driving licenses and build up trust. Then when they are ready to ask for money, they are passed further up again to someone who will pretend to be a barrister or shipping agent who will tell the victim that they need to pay charges or even a bribe to get the big cash amount out of the country. When they pay up, the gang master will collect the money from the Western Union office, using fake ID that they have taken from other scam victims.

[…]

Scam-Detective: Ok, I also want to talk more about how you managed to get your victims to trust you. I know it can be difficult for legitimate businesses to persuade customers to buy their products, yet you were able to convince people to part with their cash to get their hands on money that never existed in the first place, with at least one taking an international flight on top. That’s quite a skill, how did you learn to do it?

John: Once I had spent some time as a “foot soldier” (* sending out initial approaches and passing serious victims to other scammers) I was promoted to act as either a barrister, shipping agent or bank official. In the early days I had a supervisor who would read my emails and suggest responses, then I was left to do it myself. I had lots of different documents that I would use to convince the victim that I was genuine, including photographs of an official looking man in an office, fake ID and storage manifests, bank statements showing the money, whatever would best convince the victim that I, and the money, was real. I think the English term is to “worm my way” into their trust, taking it slowly and carefully so I didn’t scare them away by asking for too much money too soon.

Scam-Detective: What would you do if a victim had sent money and couldn’t afford to send more, or got cold feet?

John: I would use whatever tactics were needed to get more money. I would send faked letters which stated that the money was about to be taken out of the account by the bank or seized by the government to make them think it was urgent, or tell them that this was definitely the last obstacle to the money being released. I would encourage them to take out loans or borrow money from friends to make the last payment, but tell them that it was important that they didn’t tell anyone what the money was for. I promised them that the expenses would be paid back on top of their share of the money.

[…]

John: We had something called the recovery approach. A few months after the original scam, we would approach the victim again, this time pretending to be from the FBI, or the Nigerian Authorities. The email would tell the victim that we had caught a scammer and had found all of the details of the original scam, and that the money could be recovered. Of course there would be fees involved as well. Victims would often pay up again to try and get their money back.

This sounds just like any other confidence game; in fact, it’s a modern variation on a classic con game called the Spanish Prisoner. The only difference is that this one uses the Internet.

Posted on February 11, 2010 at 7:19 AMView Comments

Using Fake Documents to Get a Valid U.S. Passport

I missed this story:

Since 2007, the U.S. State Department has been issuing high-tech “e-passports,” which contain computer chips carrying biometric data to prevent forgery. Unfortunately, according to a March report from the Government Accountability Office (GAO), getting one of these supersecure passports under false pretenses isn’t particularly difficult for anyone with even basic forgery skills.

A GAO investigator managed to obtain four genuine U.S. passports using fake names and fraudulent documents. In one case, he used the Social Security number of a man who had died in 1965. In another, he used the Social Security number of a fictitious 5-year-old child created for a previous investigation, along with an ID showing that he was 53 years old. The investigator then used one of the fake passports to buy a plane ticket, obtain a boarding pass, and make it through a security checkpoint at a major U.S. airport. (When presented with the results of the GAO investigation, the State Department agreed that there was a “major vulnerability” in the passport issuance process and agreed to study the matter.)

More than 70 countries have adopted the biometric passports, which officials describe as a revolution in immigration security. However, the GAO’s investigation proves that even the best technology can’t keep a country safe when the bureaucracy behind it fails.

No credential can be more secure than its breeder documents and issuance procedures.

Posted on December 8, 2009 at 6:05 AMView Comments

1 3 4 5 6 7 13

Sidebar photo of Bruce Schneier by Joe MacInnis.