There seems to be a small epidemic of land title fraud in Ontario, Canada.
What happens is someone impersonates the homeowner, and then sells the house out from under him. The former owner is still liable for the mortgage, but can’t get in his former house. Cleaning up the problem takes a lot of time and energy.
The problem is one of economic incentives. If banks were held liable for fraudulent mortgages, then the problem would go away really quickly. But as long as they’re not, they have no incentive to ensure that this fraud doesn’t occur. (They have some incentive, because the fraud costs them money, but as long as the few fraud cases cost less than ensuring the validity of every mortgage, they’ll just ignore the problem and eat the losses when fraud occurs.)
EDITED TO ADD (9/8): Another article.
Posted on September 8, 2006 at 6:43 AM
This is impressive:
A fraudster contacts an AT&T service rep and says he works at a pizza parlor and that the phone is having trouble. Until things get fixed, he requests that all incoming calls be forwarded to another number, which he provides.
Pizza orders are thus routed by AT&T to the fraudster’s line. When a call comes in, the fraudster pretends to take the customer’s order but says payment must be made in advance by credit card.
The unsuspecting customer gives his or her card number and expiration date, and before you can say “extra cheese,” the fraudster is ready to go on an Internet shopping spree using someone else’s money.
Those of us who know security have been telling people not to trust incoming phone calls — that you should call the company if you are going to divulge personal information to them. Seems like that advice isn’t foolproof.
The problem is the phone company, of course. They’re forwarding calls based on an unauthenticated request. AT&T doesn’t really want to talk about details:
He was reluctant to discuss the steps AT&T has taken to improve its call-forwarding system so this sort of thing doesn’t happen again. What, for example, is to prevent someone from convincing AT&T to forward all calls to a local flower store or some other business that takes orders by phone?
“We had some guidelines in place that we believe were effective,” Britton said. “Now we have extra precautions.”
It seems to me that AT&T would solve this problem more quickly if it were liable. Shouldn’t a pizza customer who has been scammed be allowed to sue AT&T? After all, the phone company didn’t route the customer’s calls properly. Does the credit card company have a basis for a suit? Certainly the pizza parlor does, but the effects of AT&T’s sloppy authentication are much greater than a few missed pizza orders.
Posted on August 21, 2006 at 1:35 PM
In Australia, criminals are posing as census takers and harvesting personal data for fraudulent purposes.
EDITED TO ADD (8/21): I didn’t notice that this link is from 2001. Sorry about missing that, but it actually makes the story more interesting. This is the sort of identity-theft tactic that I would have expected to see this year, as criminals have gotten more and more sophisticated. It surprises me that they were doing this five years ago as well.
Posted on August 21, 2006 at 6:24 AM
They have a cryptanalysis contest with a $5,000 prize, but a $100 entry fee.
Sounds like a scam to me.
(My comments on cracking contests can be seen here.)
Posted on July 19, 2006 at 1:46 PM
Lots of details.
The basic service that Pena provided is not uncommon. Telecommunications brokers often buy long-distance minutes from carriers — especially VoIP carriers — and then re-sell those minutes directly to customers. They make money by marking up the services they buy from carriers.
Pena sold minutes to customers, but rather than buy the minutes, he instead decided to hack into the Internet phone company networks, and route calls over those networks surreptitiously, say prosecutors. So he had to pay virtually no costs for providing phone service.
Posted on June 13, 2006 at 2:15 PM
We discuss credit card data centers getting hacked; why banks getting hacked doesn’t make mainstream media; reissuing bank cards; how much he makes cashing out bank cards; how banks cover money stolen from credit cards; why companies are not cracking down on credit card crimes; how to prevent credit card theft; ATM scams; being “legit” in the criminal world; how he gets cash out gigs; getting PINs and encoding blank credit cards; how much money he can pull in a day; e-gold; his chances of getting caught; the best day to hit the ATMs; encrypting ICQ messages.
Posted on June 5, 2006 at 6:23 AM
Another in our series on the security problems of trusting people in uniform:
A thief disguised as a security guard Tuesday duped the unsuspecting staff of a top Italian art gallery into giving him more than 200,000 euros ($253,100), local media reported.
The thief showed up Tuesday morning at the Pitti Palace, a grandiose renaissance construction in central Florence and one of Italy’s best known museums, wearing the same uniform used by employees of the security firm which every day collects the institution’s takings.
After the cashier staff gave him three bags full of money, he signed a receipt and calmly walked out.
Posted on May 12, 2006 at 6:10 AM
According to the BBC:
Petrol giant Shell has suspended chip-and-pin payments in 600 UK petrol stations after more than £1m was siphoned out of customers’ accounts.
This is just sad:
“These Pin pads are supposed to be tamper resistant, they are supposed to shut down, so that has obviously failed,” said Apacs spokeswoman Sandra Quinn.
She said Apacs was confident the problem was specific to Shell and not a systemic issue.
A Shell spokeswoman said: “Shell’s chip-and-pin solution is fully accredited and complies with all relevant industry standards.
That spokesperson simply can’t conceive of the fact that those “relevant industry standards” were written by those trying to sell the technology, and might possibly not be enough to ensure security.
And this is just after APACS (that’s the Association of Payment Clearing Services, by the way) reported that chip-and-pin technology reduced fraud by 13%.
Good commentary here. See also this article. Here’s a chip-and-pin FAQ from February.
EDITED TO ADD (5/8): Arrests have been made. And details emerge:
The scam works by criminals implanting devices into chip and pin machines which can copy a bank card’s magnetic strip and record a person’s pin number.
The device cannot copy the chip, which means any fake card can only be used in machines where chip and pin is not implemented – often abroad.
This is a common attack, one that I talk about in Beyond Fear: falling back to a less secure system. The attackers made use of the fact that there is a less secure system that is running parallel to the chip-and-pin system. Clever.
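The fallback weakness described above can be checked for on the issuer side. The sketch below is an added example, not code from the original post or from any payment scheme: it flags authorizations where a chip-issued card was read by magnetic stripe. The record layout, function names and sample transactions are constructed, and the service-code and entry-mode values are assumptions about how a given deployment encodes them.

```python
# Added illustration: issuer-side check for magstripe fallback on chip cards.
# Record fields and sample data are constructed for this example.
from dataclasses import dataclass

# Assumed encodings; confirm against the scheme specification in use.
CHIP_SERVICE_CODE_FIRST_DIGITS = {"2", "6"}  # service code says the card has a chip
MAGSTRIPE_ENTRY_MODES = {"02", "90"}         # POS entry mode: stripe read
FALLBACK_ENTRY_MODES = {"80"}                # chip terminal fell back to stripe

@dataclass
class AuthRequest:
    pan_suffix: str            # last four digits only
    service_code: str          # three digits from the track data
    pos_entry_mode: str        # two-digit entry mode
    terminal_chip_capable: bool
    country: str
    home_country: str

def assess(req):
    """Return (decision, reason) for one authorization request."""
    chip_card = req.service_code[:1] in CHIP_SERVICE_CODE_FIRST_DIGITS
    stripe_read = req.pos_entry_mode in MAGSTRIPE_ENTRY_MODES | FALLBACK_ENTRY_MODES
    if not chip_card or not stripe_read:
        return ("approve", "no downgrade: chip read or stripe-only card")
    if req.terminal_chip_capable:
        # Chip card on a chip terminal, yet the stripe was used: chip bypassed.
        return ("decline", "stripe read on chip-capable terminal")
    if req.country != req.home_country:
        # The case in the post: stripe data used where chip and PIN is absent.
        return ("review", "chip card read by stripe abroad")
    return ("review", "chip card read by stripe on stripe-only terminal")

SAMPLE = [  # constructed transactions
    AuthRequest("1111", "201", "05", True, "GB", "GB"),   # normal chip read
    AuthRequest("1111", "201", "90", False, "US", "GB"),  # stripe read abroad
    AuthRequest("2222", "201", "80", True, "GB", "GB"),   # fallback at chip terminal
    AuthRequest("3333", "101", "90", False, "GB", "GB"),  # stripe-only card
]

def run_sample():
    return [assess(r)[0] for r in SAMPLE]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.pan_suffix, r.pos_entry_mode, *assess(r))
```

As long as the stripe path stays accepted for chip cards, a rule like this only narrows the gap; the parallel, weaker system is still there.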
Posted on May 8, 2006 at 12:41 PM
We’ve talked about counterfeit money, counterfeit concert tickets, counterfeit police credentials, and counterfeit police departments. Here’s a story about a counterfeit company:
Evidence seized in raids on 18 factories and warehouses in China and Taiwan over the past year showed that the counterfeiters had set up what amounted to a parallel NEC brand with links to a network of more than 50 electronics factories in China, Hong Kong and Taiwan.
In the name of NEC, the pirates copied NEC products, and went as far as developing their own range of consumer electronic products – everything from home entertainment centers to MP3 players. They also coordinated manufacturing and distribution, collecting all the proceeds.
Posted on May 1, 2006 at 8:02 AM
Like most Nigerians, you’re probably finding that it’s increasingly difficult to earn a decent living from email. That’s why you need to attend the 3rd Annual Nigerian EMail Conference.
Posted on March 18, 2006 at 10:25 AM