Entries Tagged "scams"

Page 12 of 12

$5M Bank Con

Great crime story:

An ingenious fraudster is believed to be sunning himself on a beach after persuading leading banks to pay him more than €5 million (£3.5 million) in the belief that he was a secret service agent engaged in the fight against terrorist money-laundering.

The man, described by detectives as the greatest conman they had encountered, convinced one bank manager to leave him €358,000 in the lavatories of a Parisian bar. “This man is going to become a hero if he isn’t caught quickly,” an officer said. “The case is exceptional, perfectly unbelievable and surreal.”

Moral: Security is a people problem, not a technology problem

Posted on October 12, 2005 at 7:15 AMView Comments

Phishing

My third Wired column is on line. It’s about phishing.

Financial companies have until now avoided taking on phishers in a serious way, because it’s cheaper and simpler to pay the costs of fraud. That’s unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers — they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers’ assets.

EDITED TO ADD: There’s a discussion on Slashdot.

Posted on October 6, 2005 at 8:10 AMView Comments

Automobile Identity Theft

This scam was uncovered in Israel:

  1. Thief rents a car.
  2. An identical car, legitimately owned, is found and its “identity” stolen.
  3. The stolen identity is applied to the rented car and is then offered for sale in a newspaper ad.
  4. Innocent buyer purchases the car from the thief as a regular private party sale.
  5. After a few days the thief steals the car back from the buyer and returns it to the rental shop.

What ended up happening is that the “new” owners claimed compensation for the theft and most of the damage was absorbed by the insurers.

Clever.

Posted on September 21, 2005 at 7:45 AMView Comments

Identity Cards Don't Help

Emily Finch, of the University of East Anglia, has researched criminals and how they adapt their fraud techniques to identity cards, especially the “chip and PIN” system that is currently being adapted in the UK. Her analysis: the security measures don’t help:

“There are various strategies that fraudsters use to get around the pin problem,” she said. “One of the things that is very clear is that it is a difficult matter for a fraudster to get hold of somebody’s card and then find out the pin.

“So the focus has been changed to finding the pin first, which is very, very easy if you are prepared to break social convention and look when people type the number in at the point of sale.”

Reliance in the technology actually reduces security, because people stop paying attention:

“One of the things we found quite alarming was how much the human element has been taken out of point-of-sale transactions,” Dr Finch said. “Point-of-sale staff are told to look away when people put their pin number in; so they don’t check at all.”

[…]

Some strategies relied on trust. Another fraudster trick was to produce a stolen card and pretend to misremember the number and search for it on a piece of paper.

Imagine, she said, someone searching for a piece of paper and saying, “Oh yes, that’s my signature”; there would be instant suspicion.

But there was utter trust in the new technology to pick up a fraudulent transaction, and criminals exploited this trust to get around the problem of having to enter a pin number.

“You go in, you put the card in, you type any number because you don’t know what it is. It won’t go through. The fraudster — because fraudsters are so good with people — says, ‘Oh, it’s no good, I haven’t got the hang of this yet. I could have sworn that was my number… I’ve probably got it confused with my other card.’

“They chat for a bit. The sales assistant, who is either disinterested or sympathetic, falls back on the old system, and swipes the card through.

“Because a relationship of empathy has already been established, and because they have already become accustomed to averting their gaze when people put pin numbers in, they don’t check the signature at all.

“So fraud is actually easier. There is very little vigilance at the point of sale any more. Fraudsters know this and they are taking advantage of it.”

I’ve been saying this kind of thing for a while, and it’s nice to read about some research that backs it up.

Other articles on the research are here, here, and here.

Posted on September 6, 2005 at 4:07 PMView Comments

Social Engineering Via Voicemail

Here’s a clever social engineering attack:

The Division has received a number of calls concerning a voicemail message left by an anonymous female caller urging them to purchase a particular penny stock. The message is intended to appear as if the caller is calling a close friend and has dialed the wrong number. The caller talks fast stating she has a great inside deal on a penny stock. The caller personalizes the conversation by saying the recommendation comes from a broker the woman is dating and that her father previously purchased stock and made a huge profit. The purpose of the call is to make you think you’ve received a hot stock tip by mistake.

Posted on May 20, 2005 at 8:37 AMView Comments

Choicepoint's CISO Speaks

Richard Baich, Choicepoint’s CISO, is interviewed on SearchSecurity.com:

This is not an information security issue. My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No we weren’t. This type of fraud happens every day.

Nice spin job, but it just doesn’t make sense. This isn’t a computer hack in the traditional sense, but it’s a social engineering hack of their system. Information security controls were compromised, and confidential information was leaked.

It’s created a media frenzy; this has been mislabeled a hack and a security breach. That’s such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don’t.

So, Choicepoint believes that providing adequate protection doesn’t include preventing this kind of attack.

I’m sure he’s exaggerating when he says that “this type of fraud happens every day” and “frauds happens every day,” but if it’s true then Choicepoint has a huge information security problem.

Posted on March 1, 2005 at 10:45 AMView Comments

Identity Theft out of Golf Lockers

When someone goes golfing in Japan, he’s given a locker in which to store his valuables. Generally, and at the golf course in question, these are electronic combination locks. The user selects a code himself and locks his valuables. Of course, there’s a back door — a literal one — to the lockers, in case someone forgets his unlock code. Furthermore, the back door allows the administrator of these lockers to read all the codes to all the lockers.

Here’s the scam: A group of thieves worked in conjunction with the locker administrator to open the lockers, copy the golfers’ debit cards, and replace them in their wallets and in their lockers before they were done golfing. In many cases, the golfers used the same code to lock their locker as their bank card PIN, so the thieves got those as well. Then the thieves stole a lot of money from multiple ATMs.

Several factors make this scam even worse. One, unlike the U.S., ATM cards in Japan have no limit. You can literally withdraw everything out of the account. Two, the victims don’t know anything until they find out they have no money when they use their card somewhere. Three, the victims, since they play golf at these expensive courses, are
usually very rich. And four, unlike the United States, Japanese banks do not guarantee loss due to theft.

Posted on March 1, 2005 at 9:20 AMView Comments

1 10 11 12

Sidebar photo of Bruce Schneier by Joe MacInnis.