Posts filed under ‘fraud’

Invitation to become a bot herder

What else would you call it? Consider the facts:

– Owen Walker, aka AKILL, the Kiwi bot herder who was stupid enough to get caught, couldn’t stop smiling in court when the judge called him a “very bright young man.”

– He spent over two years building botnets (not as a mule, but as someone who actively recruited people for his A Team) and would have kept going if he had not been stopped. The judge still sees no criminal intent on his part, just curiosity.

– Even the prosecution called for leniency. So much for the vaunted FBI operation Bot Roast.

– He controlled 1.3 million computers around the world yet escaped conviction (also video) since a conviction might ruin the prospects of using his skills in a positive way. No doubt those 1.3 million people are thrilled at that prospect, as is UPenn, which he crashed for a couple of days with an accidental distributed denial of service attack.

– All he got was a fine of $9,526, or about US$7,300, for damage that runs into millions of dollars, because all the police actually proved was the UPenn attack.

OK, so he was 16 when he started and suffers from mild Asperger’s syndrome but what message does the sentence send to bored teenagers? That the Internet is a lawless wild west? That if you’re stupid enough to get caught, don’t worry, there’s not going to be a hanging? Instead, the police and overseas companies will line up to give you a job? That all you’re going to get is a fine that you can probably pay from your first month’s salary (as you’ve already blown the $40,000 you’ve made)?

From the news coverage, it seems to me that all of the hinting that he might work for the police is just a red herring.

Owen Walker was not that good a programmer, even though the police think so (video), just a person with a very relaxed sense of right and wrong.

The message is that physical crime is not worth it: you actually do get sent to jail, and no prosecutor is going to ask a judge to discharge you without a conviction. The Internet is where the smart guys go; it seems that everyone is on your side there.

On TV (video) they aren’t willing to speak out against the sentence. So what’s next? A book deal? An invitation to speak at the RSA Conference à la Frank Abagnale?


Do we get the crime that we deserve?

July 17, 2008 at 12:00 am

ID Conference coverage

Had a look around to see the media coverage sparked off by the Identity Conference in Wellington. Given the wide range of things covered, I thought it would provide a good indicator for what the media thinks is news-worthy about identity.

1. The Dom Post was at its in-your-face best, making the Privacy Commissioner’s call for protecting your ‘digital shadow’ the number one news story (first page, top left). Digital information about people is the “new currency”, so maybe it made a good replacement for the usual pessimistic economic lead.

On another note, her full presentation includes, “So should the responsibility to manage identity fall to the public or private sector? Who would you rather have handling your identity? Is it as simple a question as whether we have Microsoft or SSC? I am, of course, being flippant, but the public sector cannot afford to assume it has natural dominion. It is a case of gaining, and then maintaining, New Zealanders’ trust. Identity-driven systems must reflect the multiplicity of modern New Zealand. Those systems must give people options, flexibility and control.”

2. Across at the NZ Herald, Peter Griffin blogged (The search for Identity 2.0) about Dick Hardt’s presentation. Good choice, but I do wish savvy tech folks understood the difference between identification and authentication. Otherwise we’re going to keep getting some pretty weird conclusions, like the need for government-issued photo ID cards to access online services. I sometimes wonder if people take the cards metaphor too far.

3. Still with Peter Griffin, but this time in his role as a news reporter, is the story Identity thieves sharpen their act. It covers most of the dangerous downsides of the Internet. One particular quote from Dean Winter of TradeMe caught my eye: “Who in New Zealand do we go to and say we’ve identified a botnet?… We get a fantastic response from the hosts of some of these fraudulent networks. But it is still standing at the bottom of the cliff.”

Eve Maler has obviously found the time and a decent enough broadband connection in Wellington to post her thoughts, Everyday identity and human-centered design. She links to her presentation as well as to Don Norman’s inspiring usability work from the 80s, which continues to be so relevant.

Varied coverage reflecting the varied perspectives of the Conference…

May 1, 2008 at 10:58 pm

Making fingerprints less useful

Bruce Schneier approvingly calls it “political activism.”

I think it’s a stark reminder that some biometrics, such as a person’s fingerprints, are reasonably easy to get. And, once compromised, the person can’t ring up a help desk and get a new one (as they can with passwords).

The current story revolves around Germany’s interior minister, Wolfgang Schäuble. He is apparently quite vocal about collecting and using biometrics to fight terrorism, including storing them in ePassports.

In the most recent issue of Die Datenschleuder, activists from the Chaos Computer Club (“Europe’s largest hacker group”) printed what they claim is an image of his index fingerprint.

The fingerprint, on a plastic foil that leaves fingerprints when it is pressed against biometric readers, is included in the 4,000 copies of the latest issue of the magazine. Schäuble’s fingerprint was said to have been captured off a water glass he used last summer while participating in a public discussion at a university in Berlin.

If a person’s fingerprints are “in the wild”, they are a far less reliable way to authenticate that person for the rest of his or her life. If enough fingerprints become similarly widely available, whether by accident or deliberately, it will be enough to make fingerprinting almost useless.

March 31, 2008 at 10:56 pm

NZ: Online banking and fraud

It’s a rare pleasure to publicly hear from Stu Woollett (head of e-business at Westpac). That makes his article Internet banking less risky than driving a car a blog-worthy event.

I’ve previously expressed admiration for Westpac’s approach to online banking. For example, they don’t use 2FA and yet are the only major bank with a guarantee that “promises to reimburse customers for any losses they suffer through Internet banking fraud.” Contrast this with the approach of most other banks, which still want to make customers liable even when things are really beyond their control.

So when Stu talks, I listen. And sure enough his article had a few nuggets:

– “As a bank we’re acknowledging that cyberspace can be an unsafe place, but the bank can’t lean on customers to make it safe.”

– “We don’t make it a condition that you have to shell out for the newest, fanciest firewall or anti-virus software. We’ve got all that covered, and more, which is why we’re confident about offering our online guarantee to our customers.”

– “Our January statistics show us that we had nearly four million total logins. We had only one customer affected by a fraudulent transaction and they were refunded under the terms of our guarantee. Some months it doesn’t cost us a thing, and we’d like every month to be a clean month.” [emphasis added]

Wow, 1 fraudulent transaction in 4 million. That’s a pretty incredible statistic and helps put all the media stories about the dangers of transacting online in perspective.

That’s not to say that there aren’t dangers in transacting online. What it does mean is that security in depth, including smart back-end systems, combined with a commitment to make it work for customers, creates the right economic setting for the service provider, rather than the customer, to take on and manage the risks.

I’m sure Bruce Schneier would approve.

March 11, 2008 at 11:20 pm

EV SSL certs and phishing

Extended Validation (EV) SSL certs, launched about a year ago, were supposed to be a powerful weapon against phishing. The reality is proving to be less promising.

Of course, true believers remain. PayPal recently raised eyebrows when it recommended that customers stop using Apple’s Safari browser. One of the reasons cited was its lack of support for EV certs.

When a website has EV certs, the address bar in browsers (IE 7, Firefox 3) turns green. According to VeriSign, “There is a natural positive psychological impact when a person sees the green address bar.”

The reality is somewhat different. An oft-quoted study by Stanford University and Microsoft in September 2006 concluded that, “We did not find that extended validation provided a significant advantage in identifying the phishing attacks tested in this study.” More recently, a survey conducted by UK managed hosting company NetBenefit found that “70% of shoppers don’t understand the significance of the green browser bar.”

EV certs primarily depend upon two assumptions to be effective against phishing. Both of these seem to be flawed:

– First, that the bad guys can’t get EV certs. The problem is that the two pieces of information the Guidelines for issuing certs require to prove that a “legal entity” exists are not really a problem for the bad guys. All they need is proof of incorporation and a physical business address. These hardly present an insurmountable hurdle.

– Second, that people will understand what it means when the address bar in their browser turns green. More importantly, if it does not turn green when it should, they would notice, understand what was happening, and stop interacting with the site. As the research shows, at least currently, this is simply not happening. While PayPal and others believe that this is only a matter of time, in my view relying on people to implement your security feature is a big ask.

So, should a site get EV certs knowing that they probably won’t stop phishing and that the main gainer is the CA, which gets extra money over ordinary SSL certs? Unfortunately, the answer is yes. Not because they provide any real benefit, but because they do no harm. And that’s hardly a strong endorsement of the great hopes that backers of EV certs held out a year back.

March 5, 2008 at 11:50 pm

NZ: how big is identity theft?

Just how big a problem identity theft is in New Zealand has been a barren debate so far. In the absence of official statistics and research, the debate has largely been opinions vs. extrapolation of overseas data.

That makes the report “The Experience of E-Crime, Findings from the New Zealand Crime and Safety Survey 2006” for the Ministry of Justice very welcome, even though it seems to cover only a subset of the wider identity theft and identity fraud problems.

A nationally representative random sample of 5,400 people was surveyed between February and June 2006. Chapter 4 of the report presents the findings on identity theft in two categories:

– Of card users, 2.3% said that somebody had used a credit, bank or debit card or card number, without permission, to steal from them.

– 1.1% reported that someone had misused personal information about them to obtain new credit cards or loans, run up debts, open other accounts, or otherwise commit theft, fraud, or some other crime.

– Overall, 2.8% reported that one or the other of the two forms of identity theft they were asked about had occurred once or more and 0.4% of respondents reported both forms of identity theft.

Now, 2.8% extrapolated to the NZ population equates to about 93,000 people aged 15 or more who suffered credit card fraud or identity fraud during the January 2005 to June 2006 period.

It is interesting to see how this compares with results from other countries.

However, a great deal of caution is required because of differences in terminology and the varying definitions of identity theft and identity fraud. The NZ Police website, for its part, has a good, clear differentiation between identity theft and identity fraud.

Various reports from the US put the number of US adult victims of identity fraud in the region of 8.5–9 million in 2007. This amounts to about 3.2% of the US population aged 15 or more, which isn’t drastically different from the 2.8%.

The 2006 KPMG Fraud Survey, however, tells a different story from the perspective of New Zealand and Australian businesses:

– 61% of respondents believed fraud was a major problem for business.

– Amongst 2,146 of Australia and New Zealand’s largest organisations across the public and private sectors, respondents reported 546 cases of identity fraud.

So, if about 3% of the country’s adult population is a victim of identity theft each year, and 3 out of 5 large organisations believe it is a major problem, is it a problem that is a priority to address? I believe it is.

February 8, 2008 at 11:39 pm

Spies in the Phishing Underground

Recently there was a good interview with Nitesh Dhanjani and Billy Rios in Help Net Security. “Both Nitesh and Billy are well-known security researchers that have recently managed to infiltrate the phishing underground.”

Some of the interesting points they made from their undercover days are:

– The average phisher is not a super-smart techie. Phishing kits have made executing attacks trivial. Most phishing sites are a variant of a small set of phishing kits. “Many think that phishing sites are all custom jobs that a particular phisher has developed and deployed. The reality is pre-made, ready-to-deploy, turnkey sites are already created for practically every major organization that you can think of.”

– Many of the phishing kits have backdoors written into the source code so that phishers can phish the phishers.

– One of the “techniques” used by Nitesh and Billy was a simple Google search for a static string in a popular phishing kit. “The results completely stunned us. Social Security numbers, bank account numbers, dates of birth, ATM PINs, addresses, credentials to online banking accounts, all out in the open, a lot of which was collected from victims only a few hours ago.”

– They believe that the core problem is the use of static identifiers, particularly Social Security Numbers and credit card numbers. “Unfortunately, financial institutions only take into account their cost when making this decision, but it also ends up affecting the lives of millions of people who have to pay with their identities when such fraud is committed.”

I’m pleased that their recommended solution for fighting phishing wasn’t along the lines of “better user education will solve all the problems.”

February 1, 2008 at 10:36 pm

OpenID now an attractive target

I was reading Peter Griffin’s article in the NZ Herald called Managing your online identity today. Most of it was straightforward coverage of OpenID and the critical mass that Yahoo provides.

Towards the end of the article he says, “With that many Yahoo users in the OpenID camp you can bet hackers will try to gain access.” Yes, but more importantly, OpenID is now at a stage where it has become economically attractive for the bad guys to spend some serious effort and resources on attacking it.

These guys are “rational” and organised. So far, attacking OpenID was not a rational use of resources. Now, with critical mass, all that has changed.

I think it is safe to predict that in the near future we are going to see OpenID protocols, implementations, and user experience (for social engineering) coming under intense scrutiny and being probed in ways that they haven’t been so far.

In some ways that’s a good thing, as it will help strengthen OpenID. But getting there may be a bit painful.

January 21, 2008 at 8:10 pm

Openness and Kerckhoffs’ principle

I don’t know too much about crypto stuff, so when I came across Kerckhoffs’ principle I was intrigued. This 19th-century principle states that a (military crypto) system should be secure even if everything about the system, except the key, is public knowledge.

It was reformulated as “the enemy knows the system” by Claude Shannon, and it contrasts with the security-by-obscurity approach.

Several people, including Bruce Schneier in a Crypto-Gram Newsletter, have extended the thinking to other systems.

Got me thinking. I think the point is that the strength of a system is inversely proportional to the number of secrets it has to rely on, i.e. a system that relies on several secrets for its security is inherently less secure than one that relies on a small number of secrets (ideally none, except the “key”).

So a strategy that relies on people’s ignorance is risky.

While this seems intuitive for crypto, I think it can be applied to all sorts of things with interesting results. Authentication systems, for one. Proprietary vs. open standards, for another. Applying it to government policies makes transparency the better choice.

Come to think of it, in many of my public presentations I have described, at a fairly detailed level, the way NZ authentication services are architected and work. The underlying belief was in line with Kerckhoffs’ principle: they do not rely on obscurity to be secure.

December 18, 2007 at 9:47 pm

NZ: online banking, liability and authentication

There are several stories doing the media rounds today about online banking that have some interesting angles:

1. Back in July this year, with the introduction of the new Code of Banking Practice, banks wanted to make online banking customers liable for not patching their operating systems or for not keeping their “virus scanning, firewall, anti-spyware, operating system and anti-spam software” up to date. At the time, I said that none of this makes business, operational, or technical sense for the banks.

Amongst the majors, Westpac was the first to see the obvious and backed down in August (even more interesting when you consider that it is the only major that doesn’t offer two-factor authentication).

Now Bank of New Zealand (BNZ) has backed down too, with ANZ National halfway there. It’s likely that the others will follow, as both Westpac and BNZ are using explicit assurances of no liability that are believed to be bringing in new customers.

2. BNZ is going to make two-factor authentication compulsory for its online banking customers. Hmmm… the conventional wisdom is to make it optional, or to require it only beyond some transaction limit. If the other banks follow, this could be the tipping point for two-factor authentication in New Zealand.

3. Unfortunately, BNZ’s two-factor authentication for personal banking barely makes the grade. The bank uses NetGuard, a “bingo card” with a 7×7 grid. It is “something you have” but fails the test of “something no one else has.” It is trivial for someone to get a copy of the static grid without the customer’s knowledge.

In fact, one of the actual attacks against the NetGuard bingo card has been to try to get the intended victim to fill in the entire grid on a spoofed page. This shows that the bingo card is much more a shared-secret one-factor scheme than true two-factor authentication.

4. BNZ has an example where the time from an account being compromised to actual cash in hand (in Canada) was 15 minutes. That shows how important real-time fraud detection and limits imposed by business rules have become as a complement to authentication. The credit card companies, such as Visa, are the masters in this area.

5. Two-factor authentication works. In a recent phishing scam against BNZ customers, eight customers had their usernames and passwords phished. The four who were using NetGuard were still safe. Obviously, even low-grade two-factor authentication is better than passwords alone!
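The static-grid card described in point 3 can be modelled to show why a copied grid collapses it to a shared secret. This is an added, constructed Python example, not BNZ's or NetGuard's code: the 7×7 grid is what the post describes, while the two-digit code per cell, the three cells requested per login, and the assumption that an attacker guesses unknown cells uniformly are all assumptions. It also goes slightly beyond the post by giving the closed-form pass rate for a partial copy of the card.

```python
import hmac
import random
from itertools import product
from math import comb

ROWS, COLS = 7, 7            # the 7x7 grid the post describes
CELLS_PER_CHALLENGE = 3      # assumption: cells requested per login (not on the page)
ALL_CELLS = list(product(range(ROWS), range(COLS)))


def make_card(rng):
    """Issue a card: a static mapping of (row, col) -> two-digit code (assumed format)."""
    return {cell: f"{rng.randrange(100):02d}" for cell in ALL_CELLS}


def make_challenge(rng):
    """Server side: pick distinct cells for this login attempt."""
    return rng.sample(ALL_CELLS, CELLS_PER_CHALLENGE)


def respond(card, chal):
    """Card holder (or anyone holding a copy) reads off the requested codes."""
    return "".join(card[cell] for cell in chal)


def verify(server_copy, chal, answer):
    """Server check. The card is a shared secret: the server holds a copy and
    compares in constant time. This proves knowledge of the challenged cells,
    not possession of the physical card."""
    return hmac.compare_digest(respond(server_copy, chal), answer)


def copy_is_indistinguishable(seed=0):
    """A complete copy of the grid answers every challenge exactly as the real
    card does, so the server cannot tell the card holder from the copier."""
    rng = random.Random(seed)
    card = make_card(rng)
    copied = dict(card)                       # the attacker's complete copy
    chal = make_challenge(rng)
    return verify(card, chal, respond(copied, chal))


def expected_success(known_cells):
    """Closed form: a partial copy passes when every challenged cell is among
    the known ones (ignoring the 1-in-100 guess per unknown cell)."""
    return comb(known_cells, CELLS_PER_CHALLENGE) / comb(len(ALL_CELLS), CELLS_PER_CHALLENGE)


def simulated_success(known_cells, trials, seed=0):
    """Monte Carlo check of expected_success: the attacker knows `known_cells`
    cells of a copied card and guesses the rest uniformly."""
    rng = random.Random(seed)
    card = make_card(rng)
    known = {cell: card[cell] for cell in rng.sample(ALL_CELLS, known_cells)}
    wins = 0
    for _ in range(trials):
        chal = make_challenge(rng)
        answer = "".join(known.get(cell, f"{rng.randrange(100):02d}") for cell in chal)
        wins += verify(card, chal, answer)
    return wins / trials
```

The defender's takeaway is in `verify`: nothing in the check binds the response to the physical card, which is why real-time fraud detection and transaction limits (point 4) matter as a complement.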

December 17, 2007 at 11:12 pm

This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.