Entries Tagged "fraud"

Page 14 of 35

Complex Electronic Banking Fraud in Malaysia

The interesting thing about this attack is how it abuses a variety of different security systems.

Investigations revealed that the syndicate members had managed to retrieve personal particulars including the usernames, passwords from an online banking kiosk at a bank in Petaling Jaya and even obtained the transaction authorisation code (TAC) which is sent out by the bank to the registered handphones of online banking users to execute cash transfers from their victims’ accounts.

Federal CCID director, Commissioner Datuk Syed Ismail Syed Azizan told a press conference today that the syndicate had skimmed the personal online details of those who had used the kiosk by secrets attaching a thumbdrive with a spy software which downloaded and stored the usernames and passwords when the bank customers logged into their online accounts.

He said the syndicate members would discreetly remove the thumbdrive and later downloaded the confidential information into their computer from where they logged on to user accounts to find out the registered handphone numbers of the bank customers.

Then, using fake MyKad, police report or authorisation letters from the target customers, the crooks would report the handphones lost and applied for new SIM cards from the unsuspecting telecommunications companies.

“This new tactic is a combination of phishing and hijacking SIM cards. Obviously when a new SIM card is issued, the one used by the victim will be cancelled and this will raise their suspicions,” Syed Ismail said.

“To counter this, a syndicate member on the pretext of being a telco staff, will call up their victims a day ahead to inform them that they will face interruptions in their mobilephone services for about two hours.

It is during this two hours that the syndicate would get the new simcard and obtains the TAC numbers with which they can transfer all available cash in his victims account to another account of an accomplice. The biggest single loss was RM50,000.” he said.

MyKad is the Malaysian national ID card.

The criminals use a fake card to get a new cell phone SIM, which they then use to authenticate a fraudulent bank transfer made with stolen credentials.

Posted on September 20, 2011 at 6:36 AMView Comments

Cheating at Casinos with Hidden Cameras

Sleeve cameras aren’t new, but they’re now smaller than ever and the cheaters are getting more sophisticated:

In January, at the newly opened $4-billion Cosmopolitan casino in Las Vegas, a gang called the Cutters cheated at baccarat. Before play began, the dealer offered one member of the group a stack of eight decks of cards for a pre-game cut. The player probably rubbed the stack for good luck, at the same instant riffling some of the corners of the cards underneath with his index finger. A small camera, hidden under his forearm, recorded the order.

After a few hands, the cutter left the floor and entered a bathroom stall, where he most likely passed the camera to a confederate in an adjoining stall. The runner carried the camera to a gaming analyst in a nearby hotel room, where the analyst transferred the video to a computer, watching it in slow motion to determine the order of the cards. Not quite half an hour had passed since the cut. Baccarat play averages less than six cards a minute, so there were still at least 160 cards left to play through. Back at the table, other members of the gang were delaying the action, glancing at their cellphones and waiting for the analyst to send them the card order.

Posted on August 23, 2011 at 5:44 AMView Comments

Court Ruling on "Reasonable" Electronic Banking Security

One of the pleasant side effects of being too busy to write longer blog posts is that—if I wait long enough—someone else writes what I would have wanted to.

The ruling in the Patco Construction vs. People’s United Bank case is important, because the judge basically ruled that the bank’s substandard security was good enough—and Patco is stuck paying for the fraud that was a result of that substandard security. The details are important, and Brian Krebs has written an excellent summary.

EDITED TO ADD (7/13): Krebs also writes about a case going in the opposite direction in a Michigan court.

Posted on June 17, 2011 at 12:09 PMView Comments

Forged Subway Passes in Boston

For years, an employee of Cubic Corp—the company that makes the automatic fare card systems for most of the subway systems around the world—forged and then sold monthly passes for the Boston MBTA system.

The scheme was discovered by accident:

Coakley said the alleged scheme was only discovered after a commuter rail operator asked a rider where he had bought his pass. When the rider said he’d purchased the pass on Craigslist, the operator became suspicious and confiscated the ticket.

An investigation by the MBTA Transit Police found that despite opening electronic gates, the printed serial number in the MBTA database did not show the card had ever been activated. Hundreds of similar passes in use by passengers were then discovered, investigators said.

Although you’d think the MBTA would poke around the net occasionally, looking for discount tickets being sold on places like Craigslist.

Cubic Transportation Systems said in a written statement that it is cooperating with authorities. “Our company has numerous safeguards designed to prevent fraudulent production or distribution of Charlie Tickets,” the statement said, referring to the monthly MBTA passes.

It always amuses me when companies pretend the obvious isn’t true in their press releases. “Someone completely broke our system.” “Say that we have a lot of security.” “But it didn’t work.” “Say it anyway; the press will just blindly report it.”

To be fair, we don’t—and probably will never—know how this proprietary system was broken. In this case, an insider did it. But did that insider just have access to the system specifications, or was access to blank ticket stock or specialized equipment necessary as well?

EDITED TO ADD (5/22): More details:

On March 11, a conductor on the commuter rail’s Providence/Stoughton Line did a double-take when a customer flashed a discolored monthly pass, its arrow an unusually light shade of orange. The fading, caused by inadvertent laundering, would have happened even if the pass were legitimate, but the customer, perhaps out of nervousness, volunteered that he had purchased it at a discount on Craigslist, Coakley said.

That raised the conductor’s suspicion. He collected the pass and turned it over to the Transit Police, who found no record of its serial number and began investigating. Working with State Police from Coakley’s office, they traced it to equipment at the Beverly branch of Cubic Transportation Systems Inc. and then specifically to an employee: Townes, a 27-year-old Revere resident.

Auditing could have discovered the fraud much earlier:

A records check would have indicated that the serial numbers were not tied to accounts for paying customers. But the financially strapped MBTA, which handles thousands of passes and moves millions of riders a month, did not have practices in place to sniff out the small percentage of unauthorized passes in circulation, Davey said.

Posted on May 20, 2011 at 7:44 AMView Comments

The Era of "Steal Everything"

Good comment:

“We’re moving into an era of ‘steal everything’,” said David Emm, a senior security researcher for Kaspersky Labs.

He believes that cyber criminals are now no longer just targeting banks or retailers in the search for financial details, but instead going after social and other networks which encourage the sharing of vast amounts of personal information.

As both data storage and data processing becomes cheaper, more and more data is collected and stored. An unanticipated effect of this is that more and more data can be stolen and used. As the article says, data minimization is the most effective security tool against this sort of thing. But—of course—it’s not in the database owner’s interest to limit the data it collects; it’s in the interests of those whom the data is about.

Posted on May 10, 2011 at 6:20 AMView Comments

Ebook Fraud

Interesting post—and discussion—on Making Light about ebook fraud. Currently there are two types of fraud. The first is content farming, discussed in these two interesting blog posts. People are creating automatically generated content, web-collected content, or fake content, turning it into a book, and selling it on an ebook site like Amazon.com. Then they use multiple identities to give it good reviews. (If it gets a bad review, the scammer just relists the same content under a new name.) That second blog post contains a screen shot of something called “Autopilot Kindle Cash,” which promises to teach people how to post dozens of ebooks to Amazon.com per day.

The second type of fraud is stealing a book and selling it as an ebook. So someone could scan a real book and sell it on an ebook site, even though he doesn’t own the copyright. It could be a book that isn’t already available as an ebook, or it could be a “low cost” version of a book that is already available. Amazon doesn’t seem particularly motivated to deal with this sort of fraud. And it too is suitable for automation.

Broadly speaking, there’s nothing new here. All complex ecosystems have parasites, and every open communications system we’ve ever built gets overrun by scammers and spammers. Far from making editors superfluous, systems that democratize publishing have an even greater need for editors. The solutions are not new, either: reputation-based systems, trusted recommenders, white lists, takedown notices. Google has implemented a bunch of security countermeasures against content farming; ebook sellers should implement them as well. It’ll be interesting to see what particular sort of mix works in this case.

Posted on April 4, 2011 at 9:18 AMView Comments

Comodo Group Issues Bogus SSL Certificates

This isn’t good:

The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.

The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes.

At a minimum, the attacker would then be able to steal login credentials from anyone who entered a username and password into the fake page, or perform a “man in the middle” attack to eavesdrop on the user’s session.

More news articles. Comodo announcement.

Fake certs for Google, Yahoo, and Skype? Wow.

This isn’t the first time Comodo has screwed up with certificates. The safest thing for us users to do would be to remove the Comodo root certificate from our browsers so that none of their certificates work, but we don’t have the capability to do that. The browser companies—Microsoft, Mozilla, Opera, etc.—could do that, but my guess is they won’t. The economic incentives don’t work properly. Comodo is likely to sue any browser company that takes this sort of action, and Comodo’s customers might as well. So it’s smarter for the browser companies to just ignore the issue and pass the problem to us users.

Posted on March 31, 2011 at 7:00 AMView Comments

Terrorist-Catching Con Man

Interesting story about a con man who conned the U.S. government, and how the government is trying to hide its dealings with him.

For eight years, government officials turned to Dennis Montgomery, a California computer programmer, for eye-popping technology that he said could catch terrorists. Now, federal officials want nothing to do with him and are going to extraordinary lengths to ensure that his dealings with Washington stay secret.

Posted on February 22, 2011 at 7:21 AMView Comments

Scareware: How Crime Pays

Scareware is fraudulent software that uses deceptive advertising to trick users into believing they’re infected with some variety of malware, then convinces them to pay money to protect themselves. The infection isn’t real, and the software they buy is fake, too. It’s all a scam.

Here’s one scareware operator who sold “more than 1 million software products” at “$39.95 or more,” and now has to pay $8.2 million to settle a Federal Trade Commission complaint.

Seems to me that $40 per customer, minus $8.20 to pay off the FTC, is still a pretty good revenue model. Their operating costs can’t be very high, since the software doesn’t actually do anything. Yes, a court ordered them to close down their business, but certainly there are other creative entrepreneurs that can recognize a business opportunity when they see it.

Posted on February 7, 2011 at 8:45 AMView Comments

1 12 13 14 15 16 35

Sidebar photo of Bruce Schneier by Joe MacInnis.