Some current trends in Fraud - a good read
Has chip-and-pin failed to foil fraudsters?
It was supposed to bring an end to unauthorised card transactions, but two years on is chip-and-pin just as fallible as its predecessor?
• Danny Bradbury
• The Guardian,
• Thursday January 3 2008
This is a big week for Alain Job. The 40-year-old football coach is bringing his case against the Halifax bank to court. He says that fraudsters withdrew £2,100 from his account at ATMs, even though he was in possession of his card, and he doesn't want to pay.
Chip-and-pin was supposed to stop disputes like this. First introduced to the UK in 2004, it replaced signatures with chips embedded in bank cards that verify a customer's four-digit pin. Cards also contain a secret key used to validate the card with the bank.
The UK payments association Apacs says that UK card fraud fell 25% in two years thanks to the system, which became mandatory in February 2006. That's cold comfort for customers like Job. Halifax, which wouldn't comment on the case, told him that whoever took the money had access to both his card and his pin.
"Once they gave me my pin, I went to the cash machine and changed it to a number that only I knew," Job retorts, insisting that he had his card at all times. "I destroyed the letter they sent me with the pin, so it's highly unlikely that anyone - even my wife - would know."
Fooling the system
Could criminals have used the details on his card for unauthorised transactions? Mike Bond, a former security researcher at Cambridge University who focused on phantom card withdrawals, suggests several ways to fool chip-and-pin systems.
First, he wonders whether criminals may have refined chip-cloning techniques. "Chips can be copied, but we all had assumed that it was prohibitively expensive to do so," he says, explaining that the chips harbour two highly protected secrets that researchers believe would cost thousands to extract. These are the pin used to authenticate the customer, and the chip's secret key, used by the bank to validate the card.
"One possibility is that someone has found a cheaper way to extract the two secrets from a card to make a perfect copy," Bond muses. There's no evidence of that, but a flawed method of cheaply cloning cards without those secrets does already exist. This involves copying the rest of the chip's data to a smartcard, nicknamed a "yes card".
Yes cards don't need the original pin. Because the card alone verifies the user's pin, a cloned card can be told to say "yes" to any number (hence the name). But working without the secret code is trickier, and means that yes cards only work with chip-and-pin implementations using a security technique called Static Data Authentication (SDA). SDA has a crucial weakness, says Bond: "Unless you're talking to a bank while processing a payment, you cannot check to see if the card is a forgery."
Some chip readers authenticate a card's transaction on their own without contacting the bank (examples include some large chain stores and railway stations, says Bond). A yes card could potentially exploit such devices. However, even they will contact the bank if transactions go over a certain amount, and ATMs all contact the bank to authenticate transactions. This limits a yes card's utility for fraudsters.
Apacs doesn't say whether all UK cards are SDA-based, but an analysis by the team at Cambridge found no evidence of DDA cards in use. Some countries are now moving to another, more secure type of authentication, known as Dynamic Data Authentication (DDA), which will thwart yes cards altogether.
Rather than actually cloning the chip, researchers at Cambridge claim damaging or removing it altogether would exploit another loophole. Apacs confirms that based on the banks' own criteria, chip-and-pin ATMs will sometimes fall back to exclusively reading the magnetic strip traditionally used to verify a card. That is necessary to support cards used by visitors from countries like the US, where chips in cards and readers are not mandatory.
Criminals are able to clone magnetic strips much more easily than chips, using skimming machines that they attach to ATM machines. Skimmers use a camera to record the keypad as the pin is entered, and a card reader to record the card's information. (You can see one that has been removed from a cash machine and dismantled at atm.ev6.net.) h**p://atm.ev6.net/
It's no wonder that banks rely on the two secrets in the chip for evidence of customer liability, then. That was Barclaycard's case against pensioner Donald Reddell, who lost £3,000 in phantom withdrawals from UK ATMs. His wife has a card on the same account, but Reddell says they don't use them for anything other than emergency transactions while on holiday.
"The disputed transactions were made using the chip in the issued card received by Mr Reddell and not a counterfeit card," says Barclaycard, adding that the Ombudsman had upheld its decision to dismiss Mr Reddell's claim.
"That couldn't have happened, because it was kept in my safe," contends Reddell. He only ever used it in an ATM to change the pin on the card, which was new, two weeks before the frauds occurred.
If skimmed, Reddell's card would have been open to fraud in the thousands of overseas ATM machines that don't have chip-and-pin capability, or using "card not present" transactions such as those made via websites. The question is whether the disputed withdrawals could have been made in UK machines, which Apacs believes are now all able to read cards with chips.
It is difficult to prove who is at fault in these cases without scrutinising all of the evidence, which experts complain isn't being made available. Bond worries about a lack of transparency in the way banks present their records, and argues that they should give customers and researchers proof by producing a record of the transaction cryptogram - the code created during the transaction using the chip's secret key.
Finding fault "If the bank can produce those for the transaction in question at the cash machine, that is not totally conclusive but it's pretty definite that either the chip or a copy of the chip was used," he says.
But banks rarely - if ever - provide this information, even in the unlikely event customers know what to ask for. Neither does the Financial Ombudsman Service, the banking industry-funded body that arbitrates in these matters, and which is currently the subject of a transparency and accessibility review by the Tory peer Lord Hunt.
Emma Parker of the ombudsman service argues that customers wouldn't understand such data. "If someone wants to cross-examine the other party or look at the evidence themselves, then perhaps the court might be an alternative for them," she says.
At the moment, the banks and the ombudsman (which insists that it operates independently, though funded by charging case fees to banks) control the way that cases are handled. Legal changes last April forced customers to report card fraud to banks, and not the police. The banks now decide whether or not to pass it on to a regional force or to the Dedicated Cheque and Plastic Crime Unit, a police department which they created in 2002 and fund through Apacs.
Apacs argues that this process makes it much easier for customers to report if they suspect they've been the victim of fraud. For Ross Anderson, the professor of security engineering who supervised Bond's PhD at Cambridge University's Computer Laboratory, such measures also strip out transparency and accountability. "Now that banks completely control the reporting and prosecution of card fraud, they can cover up anything that's too embarrassing," he says. "So we'll probably only learn of a new modus operandi via police overseas." Is it enough to check your ATM for suspicious bolt-ons and shield the keypad from view when entering your pin? A year ago, the Cambridge research team hacked a supposedly tamper-proof point-of-sale card reader that they said could have easily been instructed to skim card details - with no camera required (tinyurl.com/y4e8ub). h**p://www.lightbluetouchpaper.org/2006/12/24/chip-pin-terminal-playing-tetris/
They even demonstrated their control by programming it to play Tetris (see the video at tinyurl.com/tlcly). h**p://www.youtube.com/watch?v=wWTzkD9M0sU With the content of your bank account at stake, this is one technology that you don't want to play games with.
How secure are your online passwords?
You might think that your password is safe - but a few minutes with Google and it can be cracked in moments
• Wendy M. Grossman
• The Guardian,
• Thursday December 6 2007
Online shopping accounts with weak passwords are at the mercy of hackers. Photograph: Meredith Parmelee/Getty Just as you hit the button to pay for your online purchase it happens: "First, create a username and password."
The temptation is to pick something easy: your name, your spouse's name, or a standard password you use everywhere. But if the site will store your credit card details, or is one you use for banking or trading shares, think more carefully.
Passwords are a perennial problem. They're hard to think up, to remember and protect. Worse, they're not in themselves secure - your data depends on the carefulness of many strangers. The security of the HMRC discs with the Child Benefit database lost some weeks ago - Zip-encrypted with a password - depends on the strength of that password.
Since Zip encryption uses the AES method, which the US deems good enough for officially secret documents, the HMRC files should be safe from a "brute force" attack. But other password encryption is threatened in quite a different way.
Google's password cracker
Last month, the security group at the University of Cambridge's Computer Lab had its group blog, Light Blue Touchpaper (lightbluetouchpaper.org), hacked via a previously unknown vulnerability in the popular blogging software Wordpress. While cleaning up, researcher Steven Murdoch discovered a new problem: Google makes a fine password cracker.
The hacker gained access via an unused default administrator-level account. Once in, he created another admin account for himself. Murdoch disabled that, but got curious: what was its password?
Basic security principles prohibit storing a list of valid usernames and passwords in clear text. Instead, they are stored in a encrypted ("hashed") form, so the list is unreadable to anyone who does gain access. To check a password, you encrypt it and compare the result against what is stored. Your password never resurfaces in the clear.
Wordpress encrypts passwords using a popular algorithm called MD5, a one-way function that had turned the hacker's password into "20f1aeb7819d7858684c898d1e98c1bb". Murdoch tried cracking it, then tried a Google search on the string. It spat back a few pages showing that the original word - the hacker's password - was "Anthony". (You can try your favourite password at pajhome.org.uk/crypt/md5/ and then search Google for the result.)
The risk to the average user is that if hackers break into a database-dependent site they could be able to read off the hashes of your password, and then work back to your original password.
Murdoch points out that "salting", which protects against this type of problem by adding random characters to each password before it's hashed, has been known since 1978. Since every password can have many hashes, it's harder to build a lookup table. It also makes cracking passwords by brute force much slower.
However, all sorts of password-cracking assistance is readily available online to help system administrators as well as hackers. Plus, says Robert Schifreen, author of Defeating the Hacker, given two random letters of a nine-letter password (like banking site picklists) you can get the rest from a crossword-solving program.
Fighting future hackers
But even well-established advice isn't always infallible. Security consultant Eugene Spafford pointed out that the common company rule requiring users to change their passwords once a month is outdated. That 30-year-old policy, he said, was derived when the contractors in charge of non-networked mainframes calculated it would take several months to crack system passwords by brute force.
Several initiatives are trying to create single sign-on systems that present different passwords to each site, but require the user to know only one. OpenID is intended for blogs and is easy to implement, while Liberty Alliance is an industry consortium working on creating strong authentication hardware and software. Microsoft's Cardspace, installed by default in Vista, also enables secure authentication that's intended to be two-way. But what happens when you're away from your computer?
j
In the longer term, authentication will move on to a second device like those banks are beginning to send out. Murdoch works with Cronto (cronto.com), which uses mobiles and other devices to generate one-time passwords. You register your phone with your bank and enter a Pin to get a single-transaction password. Nothing is stored, and it would foil phishing attacks - but the system is still vulnerable to real-time attacks. Nothing's perfect.
What makes a good password?
The ideal password is hard to guess and easy to remember - a tough combination. In general, don't use a word that can be found in a dictionary: hackers use dictionary lists to generate password attacks. Avoid well-known personal facts, such as your name, address, birthday, user ID and so on.
A couple of strategies can help. The first is to pick a sentence that's meaningful to you and use the first letter of each word, including punctuation. For example: IlrtGTs (for "I love reading the Guardian's Technology section"). Add a number - 04 (for Thursday, the fourth day of the week, when it's published): IlrtGTs04. Who'll guess that?
A second is to take two unrelated words and link them with one or more non-alphabetic characters - for example: quirky!fun. To make it more secure, capitalise one of the letters.
Most standard password protection advice was designed for use in companies: don't write your password down, don't disclose it to anyone and don't use the same password for more than one application. But in a domestic setting, writing down your password may be sensible, as may disclosing it to a family member in case you happen to be incapacitated.
Even some security experts reuse the same memorable, lightweight password for unimportant applications such as media sites, but unique, more secure ones for sensitive apps like online banking, brokerage sites and so on. One solution here is to store all your passwords in a simple text file and to encrypt that file, protecting it with a password that is then the only one you have to manage: Apple's Keychain system works like this for system-wide passwords including Wi-Fi networks and websites.
If you must use computers in public areas, pick passwords you can type quickly and accurately (to make them harder to pick up by shoulder-surfing), and change them often to avoid them being copied.
• The following clarification was printed in the Guardian's Corrections and clarifications column, Tuesday December 11 2007. We quoted a researcher, Steven Murdoch, as saying that the Cronto security system was vulnerable to real-time attacks. In fact he was referring to other systems and not to Cronto, which is designed specifically to defend online transactions against real-time attacks
Do you want Lloyds or HSBC? Account details for sale online
Details of UK bank customers offered for as little as $75
• Robert Booth
• The Guardian,
• Saturday November 24 2007
It took just 19 hours from first contact with the anonymous Russian fraudster until he collected my $240 (£116.50) payment from a local "drop".
I had sent a wire transfer to his frozen Siberian home town in exchange for details that would, in theory, grant access to more than £10,000 from the bank account of an unsuspecting British Halifax customer.
He offered a choice of British accounts held at Lloyds TSB or HSBC and for more money, the balances could have been fatter - anything up to £35,000, the fraudster promised. For a fee of 1% of the balance he promised the name, branch, account number, sort code and internet login.
The encounter with the anonymous Russian in an internet chatroom was one of scores like it going on at the time. In a separate private message, another vendor promised: "I will give you HSBC full info with 26k Pounds...for $500...When can you wire money?"
The account I had chosen could be almost cleared out in one day without hitting its transfer limit and alerting the account holder or bank, I was told.
The exchanges are likely to increase concerns about the security of Britain's banking and identity data. This weekend, the computerised bank details of millions of people remain missing, after the Treasury blunder in which two discs containing the data of 25 million individuals were lost in transit between HM Revenue & Customs and the National Audit Office.
The details of similar British bank accounts are already being offered for sale by internet fraudsters in America, Russia, China and west Africa. According to security experts they have been hacked from computers, gathered in "phishing" expeditions where fraudsters masquerade as trustworthy entities, and burgled from offices before being circulated among the internet banking fraud community.
On one publicly accessible website selling everything from stolen credit card details to fully operating pornographic websites, scores of vendors are lined up selling UK, European, US and Canadian bank details. It is a marketplace which illustrates the international nature of the illegal trade. The website is registered to the Cocos Islands, an Australian territory in the Indian Ocean consisting of two atolls, 27 coral islands and fewer than 1,000 residents. The salespeople are contactable through email addresses routed through servers in Russia and the USA. Most use Yahoo accounts or communicate through ICQ, an untraceable instant messaging programme.
"If the Treasury data gets into the wrong hands these are exactly the illegal markets where it will end up," said Daniel Harrison, an identity theft expert. "Whoever has it will break the details down into small chunks to sell on quickly and without detection. The data is crossing borders incredibly quickly and there is very little that can be done to track it down. It is like an underground eBay."
"The resale of bank account details is mainly managed by Russian organised crime," said Marc Kirby, the former head of computer forensics at the National Hi-Tech Crime Unit, which is now part of the Serious and Organised Crime Agency. "This is a highly organised black market that mirrors legitimate business dealings."
The attempts to defraud British bank customers witnessed by the Guardian were of "great concern", said Brian Mairs, spokesman for the British Banking Association. "Customers have every right to be concerned and this is a double whammy for them after the bad news from HM Revenue & Customs earlier in the week," he said. "But they have the assurance that they will not lose out financially if they have not been responsible for the data being compromised."
The investigation began with Google searches. After a few attempts, a forum emerged for vendors offering skimmed credit card details. Among them were some selling bank details. Each vendor offered an email and a chatroom contact for private negotiations.
Once talking one on one, the sellers unpacked their wares. One seller offered bank account details, complete with their internet logins, for $75. "All live and fresh, contact me now," he urged. Another pushed blocks of Visa card details for $80. "Stuff will be sent out to u in 1-24 hours after payment," he said. "Have system of good discounts for constant buyers."
A Russian-registered vendor offered UK and US bank logins with "good price and service!"
The community has developed a high level of sophistication so that trusted parties can trade efficiently. In one posting on a forum selling card details a fraudster reports to the rest of the community on the "review" he has conducted of a new entrant to the market.
He has tested his speed of response and accuracy of information supplied and marks him out of 10 for communication, timing and product. "Total: 9/10 nice score," he concludes and awards the status of "trial vendor".
Many vendors offer discounts for bulk buyers and even display a replacement policy. If the account details do not work most vendors will replace the data with a different lead. SOCA, which has responsibility for fighting organised Internet fraud, has set up a series of cross-border alliances to tackle the problem, but declined to comment on our findings.
As sobering as the trade in stolen identities has become, there was a crumb of comfort last night for the Halifax account holder whose details the Russian fraudster was peddling. Twelve hours after the payment had been withdrawn from a Siberian wire office, the Guardian was still waiting for the promised bank details.
It's easy money, says online fraudster who stole £250,000
Despite tougher security, identity and credit card theft are at an all-time high
o Bobbie Johnson, technology correspondent
o The Guardian,
o Thursday May 3 2007
On the outside, Tee was a typical student. Living away from home was proving expensive, and he had racked up a sizable debt in a short time. Like most of his peers, he had a computer and a phone in his room - but instead of using them to study, he turned them into the tools of a 21st century criminal.
In his short career as a fraudster, Tee - who is trying to rebuild his life after serving a long prison sentence, and agreed to speak anonymously - estimates that he stole as much as £250,000 through a mixture of harvested credit card details, identity theft and bank account takeover. Police officials last week said the volume of online crime was so high that they could not investigate every case, and that big criminals were moving into the fast-growing field.
Bill Hughes, director general of the Serious and Organised Crime Agency, told a House of Lords investigation into internet security: "Everybody has a laptop now, and it's seen as just another piece of kit, almost like a toaster or kettle. But it's not, and it can be used in another way."
For Tee, who served almost four years for conspiracy to defraud, the chance to use people's ignorance against them was just too easy. "Although it sounds really flippant, it wasn't even like a part-time job - because at least in a job you have to work a few hours," he said. "Maybe it took an hour a night if I really felt like it. But to me it felt like a bit of fun and a pastime which developed into an easy way of making money."
In spare moments around his university schedule - he was studying law - the young Yorkshireman would take card details lifted from insecure websites or passed on from other criminals, and embark on spending sprees that netted him cars, clothes and cash. Sometimes scant details such as a name and phone number could open the door.
"I used to go through different methods depending on how confident I felt," he said. "I used to call people up and pretend to be from a fraud department and just ask them for their details. But sometimes it's as easy as getting information from a local video shop."
Now, 26, Tee admits that by the time he was caught he was looking into the possibility of getting bank loans and even mortgages using stolen identities.
"It was just a game to see how far you could go," he said. "My little party piece was that you get a card in someone's name, you hammer it. Then, within 24 hours, you call the bank up and convince them that you're the genuine person and that you haven't made those transactions - and they refund it. Then you just go to the cash machine and take it all out again." He even sent flowers to one victim, using their stolen bank details to pay for the bouquet as a callous gesture of thanks.
People like Tee represent the smallest end of what is now a multibillion pound criminal industry.
Statistics from Cifas, the UK's fraud prevention service, show that identity theft was up almost 20% last year while internet and card fraud rose to an all-time high of £414m in 2006.
Martin Gill, a criminologist at the University of Leicester, who has studied the actions and motivations of fraudsters - Tee was one of his interviewees - said the perceived ease of fraud, particularly when using the internet, was encouraging to those who commit crime.
"One of the things that comes through is the belief that they're not going to get caught," he said.
Industry insiders say a large number of cases still go unreported because conviction has proved so difficult.
"The common reaction among companies selling goods is a real frustration at how hard it is to prosecute and get convictions for people who commit fraud," said Keith Marsden, managing director of 192.com, which sponsors Prove-ID, a private industrial forum on dealing with fraud. "It's a hard process to go through."
Instead companies are opting for tougher security procedures and programmes to educate the public about safe internet use.
But experienced fraudsters like Tee say that it is still too easy: even chip and pin, which has drastically cut physical fraud levels, can prove beneficial to the seasoned criminal. "I thought chip and pin was brilliant - now cashiers think they've got no right to look at your card. If I wanted to, I could pretend to be anyone, because nobody will ever check. It's a new opportunity for them."
How to avoid scams
• Never give personal details over the phone. Banks should never ask for pin numbers or codes
• Only shop on secure websites that display a padlock or key symbol in your browser. The address should start https instead of http
• Only open email attachments if you are entirely sure it is necessary
• Be wary of suspicious-looking email. Some viruses use the name of somebody you trust as a disguise
Forget your PIN number and password - just use your voice
o Richard Wray
o The Guardian,
o Monday April 30 2007
A new British company will today launch a service using that most basic human trait - a recognisable and distinctive voice - to combat credit card and online banking fraud.
VoicePay is the brainchild of Nick Ogden, the entrepreneur who created online payments group WorldPay and sold it to Royal Bank of Scotland five years ago.
Under VoicePay, when a consumer uses a credit card or tries to access an online bank account, for instance, besides the security checks such as passwords or PIN numbers, the service automatically phones the user to verify their identity. It uses voice recognition technology to check the person is exactly who they say they are. The technology - called VoiceVault - is already in use with ABN Amro, allowing customers to get easy access to their accounts and even trade shares over the phone. It is also used by the American prison service to keep track of offenders released on parole.
VoicePay has merged the technology with its own secure communications capability to create the ring-back service which gives consumers an extra level of security.
VoicePay is already in talks with a number of banks and hopes to have its first installations towards the end of the year.
Rising credit card fraud, especially online, has led financial institutions to introduce extra security.
While chip and PIN cards have made physical transactions with credit cards more secure, this is of little use on the web. The VoicePay service works over any phone it has been instructed to call. Users do not have to remember any new passwords or PIN numbers, just their voice
Reply With Quote
Social Networking Bookmarks