This is an archived project. See http://blogs.23.nu/disLEXia/stories/492/ for details and further pointers.

disLEXia: payment

Tuesday, 22. July 2003

Hackers break into ATMs security system


By Azhar Mahmood

KARACHI: Hackers have broken into some banks' ATM security system compelling them to modify systems to combat the new electronic attackers, sources in banking industry said on Monday.

The affected banks have so far failed to trace them and many among them have preferred to keep silence on the issue in order to avoid backlash from customers, sources said.

The attacked banks have not yet started any joint efforts to curb the rising problem of e-raiding under the supervision of central bank.

Sources said a top private bank, which has serious stakes in the ATMs has cautioned its ATM card holders by sending them a notice captioned "Compulsory Change of Pin Code for ATM Cards".

The notice says, "The holders of newly issued ATM cards will be required to first of all change their personal identification number, generally called the PIN, to some different 4 digits of their own choice, which they will keep confidential.

"After one-month, from the date of last PIN changed, ATMs will automatically illustrate an option to change the previous PIN. The facility for changing PIN at any time will, however, remain available to the card holders."

In Pakistan, the ATM card holders manifest a unique tendency to finance ATM accounts by channelling funds from foreign currency accounts. In July 2002 the total FCAs of $3,839.5 billion went down to $2,589.5 billion by the end of June 2003, said the latest official statistics of the SBP.

Sources said according to the first ever census on electronic banking conducted by SBP, the recent massive drop in ATM business of Rs13.948 billion up to March, 2003 was a direct result of $1.250 billion decline in overall foreign currency accounts (FCAs) of the country.

Sources said the funds transfer from FCAs to ATM accounts has however declined for last one year but the overall ATMs business is still facing serious problems.

Sources said the recently established Payment System Department (PSD) in the SBP has started monitoring electronic banking and a draft of new prudential regulations on electronic banking has been issued to solicit views of the bankers and stakeholders.

The PSD is busy evolving a new security system for smooth and safe transaction of electronic banking keeping in view the requirements and standards of the committee on payment systems and technical committee of the international organisation of securities commissions, sources said.

Sources said the central bank is at the same time busy in setting up a real-time gross settlement system (RTGS) for safe banking transactions but it will take almost a year to start. The system will make the SBP the first central bank of South Asia to have this state-of-the-art system.

Sources in PSD said, "Payment system stability is a core central banking function. Efficient and well functioning payment system reduces systematic and operational risks, lowers transaction costs, aids in efficient use of financial resources, helps in financial market to become more liquid and promotes stability in the financial system."

Jang Group Jul 21 2003 6:33PM ET [moreover Computersecurity]
09:49



Hackers using home PCs to defraud clients


Monday July 21, 2003 15:07 - (SA)

Hackers could be using home computers to steal thousands of rands from Absa Bank's clients -- and not the system of the bank, the Banking Council said in a statement today.

"Because they are finding it increasingly difficult to breach the banks' own security systems, they are beginning to turn to weaker links outside of these systems, for example, internet service providers or the customers' own PCs.

"In this specific instance, it appears that the loophole was not in the banks' system but that home computers are being compromised," council spokeswoman Claire Gebhardt-Mann said.

She said the banking industry should seek a solution to the problem and prevent fraudsters who continue to try new ways of robbing people of their money.

The Sunday Times reported that a hacker or "internet burglar" had been illegally transferring money from the accounts of Absa clients, apparently after obtaining their banking details by sending them "spy software" -- an email message that, when opened, sets itself up to record certain keystrokes on the computer and transmit these to a given address. Thus the hacker obtains the victim's bank account number and personal identification number (PIN).

Experts from the police Commercial Crime Unit in Cape Town were investigating the illegal internet transfer of funds from Absa accounts as reported in the Sunday Times, police spokesman Superintendent Riaan Pool said on Sunday. He said the police team was being assisted by a team from the bank. Police had received 10 complaints of fraud with the amount involved totalling R530,000.

The complaints were all laid at the same Cape Town police station in the course of the past two or three months, Pool said.

Gebhardt-Mann said the way this particular scam was perpetrated was that emails were being sent to the public, and when these were opened a virus was downloaded on to the computer which copied whatever was typed in.

"This information is then sent to the fraudsters," she said.

The Banking Council advised the public to make sure that no one had unauthorised access to their computers.
Gebhardt-Mann advised bank customers to install the latest anti-virus applications on their computers, exercise control over the shared folders, keep their PIN secret and to never disclose their PIN to anyone, including bank staff.

Sapa

Sunday Times South Africa Jul 21 2003 10:57AM ET [moreover Computersecurity]

http://www.sundaytimes.co.za/2003/07/20/news/news01.asp

Hacker cleans out bank accounts

Hundreds of thousands of rands stolen via Internet from Absa clients. By Edwin Lombard

A HACKER is targeting clients of South Africa's largest bank and has managed to steal hundreds of thousands of rands by breaching their accounts over the Internet.

The Police Commercial Crimes Unit confirmed this week it was investigating nine cases involving thefts from Absa accounts. Absa is the leading South African Internet banker with about 35% of the market and about 300 000 online clients.

Police and bank officials say it appears the perpetrator used "spyware" to gain access to the personal computers of the victims, and, having found out their Internet banking information, had transferred money out of their accounts.

Total losses of R230 000 have been reported to police - but one victim said late on Friday that he had discovered another R300 000 missing from his account.

Another victim, Helene van Tonder, a bookkeeper from Bellville, said her whole R15 000 salary had disappeared from her bank account the day after she was paid.

"When I went to the ATM on June 27, all my money was gone. When I contacted the bank, they said I must go and lay a charge at the police."

Van Tonder said the bank reimbursed her money and told her that somebody had gained access to her account via the Internet. She had, however, cancelled her Internet account with the bank.

Police spokesman Riaan Pool said police did not yet have all the details of how the hacker had worked but they knew that there was only one perpetrator.

"It is a hacker. The police are following up extremely good clues," he said.

Absa refused to refer to the culprit as a "hacker" and would only refer to the crime as "identity fraud" committed by a person who had gained access to clients' accounts through their own personal computers using the Internet.

Absa's group information security officer, Richard Peasy, said the bank's "security systems and processes had alerted the bank to suspicious activity before these clients knew about it.

"The transactions were frozen and the process for dealing with potentially fraudulent transactions was instituted," he said.

However, attorney Harry de Villiers said R300 000 had gone missing from one of his trust accounts when he went to check his statements on Friday. Fortunately, his trust accounts were insured. He said the bank had only alerted him to R10 000 that was mysteriously transferred into one of his accounts earlier in the week.

De Villiers made a report to the police late on Friday. His complaint is in addition to the nine already being investigated by the police.

He said when he checked his accounts more closely later, he discovered that the hacker had transferred amounts of R227 000 and R93 000 to another account.

De Villiers said further inquiries revealed that the person had bought 15 laptop computers by transferring some of the money into the account of the computer company and the rest into an account at a different bank.

Peasy said the crook had gained access to personal information of account holders through their own computers and said it had nothing to do with the bank.

He said the bank had already identified suspects and Absa's forensic team was working with the police.

"As with other banking channels, no fraud can take place on Internet banking accounts without the fraudster obtaining the client's Internet banking access account number and PIN number," he said.

Peasy said it appeared the fraudster had sent unsuspecting clients an e-mail, which, when it was opened, installed software that recorded information.

"It is a new trend called spyware. This has got nothing to do with the bank. It records keystrokes, like your account and PIN number, and then it e-mails the information to a Hotmail mailbox," he said.

Peasy refused to say how many Absa clients had been defrauded or how much money was involved, saying it was "a forensic issue".

http://www.sundaytimes.co.za/zones/sundaytimes/newsst/newsst1058764362.asp

Police on trail of bank hacker

Police experts from the commercial crime unit in Cape Town were investigating the illegal internet transfer of funds from Absa bank accounts as reported in the Sunday Times of July 20, a spokesman reported yesterday.

Superintendent Riaan Pool said the police team was being assisted by a team from the bank.

The Sunday Times reported that a hacker or "internet burglar" had been illegally transferring money from the accounts of Absa clients, apparently after obtaining their banking details by sending them "spy software" - an email message that, when opened, sets itself up to record certain keystrokes on the computer and transmit these to a given address. Thus the hacker obtains the victim's bank account number and personal identification number or PIN.

Police had received ten complaints of fraud, said Pool, with the amount involved totalling R530,000. The complaints were all laid at the same Cape Town police station in the course of the last two or three months.

He could not divulge further information because of the sensitivity of the investigation, said Pool.

Sapa

http://www.sundaytimes.co.za/zones/sundaytimes/newsst/newsst1058781448.asp

Absa forensic team probes internet fraud

Monday July 21, 2003 12:30 - (SA)

South African banking group Absa's forensic team is probing several cases of internet fraud. This follows incidents where three clients in the Western Cape have had money moved from their accounts by a fraudster who gained unauthorised access to their computers.

Absa said in a statement that the fraudster gained unauthorised access to these clients computers and loaded software called key-stroke logging software which automatically copied everything they typed on their computers and sent it back to the fraudster without their knowledge.

The software therefore transmitted information about the bank accounts typed in by the clients to the fraudster, who was then able to use this information to electronically impersonate the client and gain access to their bank accounts.  A further six cases are under investigation, it said.

Absa said in a statement that a small number of internet account holders in South Africa have become victims of the latest international trend in internet fraud called identity theft.  Absa and the rest of the banking industry are working together to combat this new crime.

"Fraudsters are beginning to realise how difficult it is to breach bank security systems and are now targeting the home computers of account holders by stealing their electronic identity, mainly their PIN and access account numbers," said Richard Peasey, Absa Group Information Security Officer.

"Absa's forensic team is progressing with the investigation," said Peasey.

All Absa transactions are monitored 24 hours per day, seven days a week, all year round.

Absa has also called a meeting of all the information security officers in the banking industry to find ways of stopping this form of crime.

"At Absa and all the other banks, the peace of mind of our clients is our first priority and whenever we as the industry are faced with a new security problem like this, we work together to ensure the safety of clients' money,"

Peasey added. Absa's forensic team is working with industry experts to resolve the matter.

"All the banks including Absa have been putting information on their websites and in their banking halls for internet banking clients about safety precautions that they should take to protect their personal information.

"Internet banking is safe and clients need to be more vigilant than ever to ensure that it stays safe," he said.

I-Net Bridge


09:22



Friday, 25. April 2003

Cramming smartcard based payment down our throats

Ross Anderson asked for further references for the plot of using smartcards to enforce age restrictions when buying tobacco products:

Thanks for the information about cigarettes. Is there any online news article or analysis of that which I could cite?
The new German Jugendschutzgesetz (JSchG) - http://www.bmfsfj.de/Anlage22804/Jugendschutzgesetz_JuSchG.pdf states:

§ 10 (2) Tobacco products may not be sold at vending machines in public places. An exception is granted if:

1. ...

2. technical measures or permanent supervision ensure that children and youth can't buy tobacco products

At geldkarte.de there is a press release http://www.geldkarte.de/ww/de/pub/presse/pressemitteilungen/pm04.htm The Google translation at h is absurd but might help to get a grasp on it.

In short: For all grown-ups they will put an 'encrypted attribute' on the card. Minors (< 16) can ask to get an 'age criteria' on their cards. From 2007 on these cards are mandatory to get cigarettes at vending machines.

This will only be done with 'bank account related cards' - so no pseudonymous whitecards for buying cigarettes.

800,000 vending machines will be converted by 2007, 40,000 already are (as of 06.11.2002) - see http://www.scard.de/news/tabatec_2002/
09:18



Friday, 21. February 2003

Citibank tries to gag crypto bug disclosure

Ross Anderson on the ukcrypto list:

Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf

I have written to the judge opposing the order:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf

The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal' case.

The vulnerabilities are also scientifically interesting:

http://cryptome.org/pacc.htm

For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ...
21:13



Thursday, 05. December 2002

ATM smash-and-grab thefts up

TOKYO - The National Police Agency on Thursday requested construction firms and others who own or operate heavy machinery to keep watch to prevent such equipment from being stolen for use in thefts from automated teller machines (ATMs).

A total of 40 cases of such thefts were reported in the first 10 months of this year, with the amount of cash stolen coming to 177 million yen, compared with only six cases in the same period last year, the agency said.

The agency requested 15 industry organizations, including the Associated General Constructors of Japan, to step up watch on machinery at construction sites and to equip their machinery with immobilizing devices to prevent machinery thefts, as well as global positioning system devices to help locate stolen equipment.

Earlier Thursday, the police in Kanagawa Prefecture said an ATM installed outside a supermarket in the city of Ebina was uprooted with a power shovel and 23 million yen in cash stolen. The incident took place at around 3:55 a.m., they said.

The agency also said the police are investigating 34 cases of heavy construction machinery being stolen and illegally exported in the January-October period, up by 19 from the first 10 months of 2001. (Kyodo News) [Japan Today: Crime]
10:41



Wednesday, 27. November 2002

California Firm to Settle Net Porn Scam

A California billing firm has agreed to give up $1.6 million to settle charges that it improperly billed thousands for Internet pornography, the F.T.C. said. [New York Times: Technology]
05:54



Monday, 25. November 2002

eBay scam site nipped in the bud

By John Leyden

A spate of emails inviting eBay customers to divulge usernames and passwords to a scam site reached epidemic proportions last week.

The emails invited the foolhardy to hand over confidential details to a site called change-eBay.com. Needless to say, this has no affiliation with the online auction site. change-eBay.com was acquired using a stolen credit card and has since been closed, CNET reports.

In the scam, users are told that their file has been tampered with and are directed to the fraudulent site to "update your eBay billing file". It's unclear how many people were taken in.

change-eBay.com is the latest in a long line of similar (relatively unsophisticated) scams, which have also targeted PayPal (now part of eBay) and Hotmail users. It's unlikely to be the last although judging from our own emails and those sent in by readers it is one of the most prolific.

So, for the avoidance of any doubt: NEVER respond to email requests for your credit card information or password. [The Register]
19:00



Thursday, 14. November 2002

ACCC sues US web site

Australian government consumer watchdog the ACCC has reportedly launched legal action against the operator of a US-based web site purporting to sell tickets for the Sydney Opera House.

"The ACCC alleges that several consumers from the United Kingdom and Europe have attempted to purchase tickets through the imitation sites, and whilst their credit cards have been charged for tickets, they have either been overcharged or have not received them," the watchdog said in a statement.... [zem]
13:01



Friday, 01. November 2002

Decimal glitch spurs hotel overbill

[I have to wonder what happened to basic software testing?]

If you stayed at a Holiday Inn, Holiday Inn Express, or Crowne Plaza hotel and checked out between 24 Oct and 26 Oct 2002, you are likely to have been one of 26,000 people who were charged 100 times what they owed, such as $6,500 to $21,000 per night. A credit-processing error resulted in the decimal points being dropped. Most of the charges were later reversed, although many people discovered that their credit limits had been exhausted. Overcharged guests will get two free nights at any of those hotels. [Source: Article by Russ Bynum, Associated Press, 01 Nov 2002; PGN-ed] http://story.news.yahoo.com/news?tmpl=story2&u=/ap/20021101/ap_on_re_us/guests_overcharged ["Fuzzy Gorilla" <fuzzygorilla@euroseek.com> via risks-digest Volume 22, Issue 33]
22:33
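The bug class behind the overbilling above is worth seeing in code: an amount held in cents that is emitted without its decimal point reaches the processor as dollars and is charged 100 times over. The block below is an added illustration, not code from the hotel chain's billing system or from the RISKS post; the function names and the sample batch of folios are constructed. It shows the unsafe formatting beside a safe one, a strict parser that never guesses where the point belongs, and the reconciliation check that would have flagged 26,000 charges each a clean power of ten away from its folio.

```python
"""Decimal-point handling for card charges (added example, constructed data)."""
import re
from decimal import Decimal
from fractions import Fraction

# Plain decimal with at most two fraction digits: "65", "65.5", "65.00".
# Exponents, signs and extra digits are rejected rather than "interpreted".
_AMOUNT_RE = re.compile(r"\d+(\.\d{1,2})?")


def to_minor_units(amount_text: str) -> int:
    """Parse a decimal amount string into integer cents without touching floats.

    The parser cannot tell "6500" (sixty-five hundred dollars) from a "65.00"
    that lost its decimal point upstream; that is exactly why the
    reconciliation check below exists.
    """
    if not _AMOUNT_RE.fullmatch(amount_text):
        raise ValueError(f"not a plain decimal amount: {amount_text!r}")
    return int(Decimal(amount_text) * 100)


def format_for_processor(cents: int) -> str:
    """Render integer cents as the "dollars.cc" string a processor expects.

    Integer division and a zero-padded remainder keep the decimal point in
    place for every value, including amounts under one dollar.
    """
    if cents < 0:
        raise ValueError("negative charge")
    return f"{cents // 100}.{cents % 100:02d}"


def naive_format(cents: int) -> str:
    """The failure mode described in the post: the cents value is written out
    as-is, so 6500 cents ($65.00) is sent as "6500" and settles as $6,500.00."""
    return str(cents)


def flag_scale_errors(batch):
    """Reconcile settled charges against their folios.

    batch: iterable of (charge_id, folio_cents, charged_cents).
    Returns a list of (charge_id, reason). A charge that is exactly 10x,
    100x or 1000x its folio (either direction) is reported as a scale error,
    the signature of a dropped or misplaced decimal point; any other
    difference is reported as a plain mismatch.
    """
    suspects = []
    for charge_id, folio_cents, charged_cents in batch:
        if charged_cents == folio_cents:
            continue
        if folio_cents == 0:
            suspects.append((charge_id, "mismatch"))
            continue
        ratio = Fraction(charged_cents, folio_cents)
        reason = "mismatch"
        for power in (10, 100, 1000):
            if ratio == power or ratio == Fraction(1, power):
                reason = f"off by factor {power}"
                break
        suspects.append((charge_id, reason))
    return suspects


# Constructed sample batch: folio amounts in cents and what actually settled.
SAMPLE_BATCH = [
    ("folio-1001", 6500, 6500),        # $65.00 charged correctly
    ("folio-1002", 6500, 650000),      # $65.00 settled as $6,500.00
    ("folio-1003", 21000, 2100000),    # $210.00 settled as $21,000.00
    ("folio-1004", 12000, 12050),      # ordinary mismatch, not a scale error
]


if __name__ == "__main__":
    nightly = to_minor_units("65.00")
    print("safe  :", format_for_processor(nightly))
    print("naive :", naive_format(nightly),
          "-> re-parsed as", to_minor_units(naive_format(nightly)), "cents")
    for charge_id, reason in flag_scale_errors(SAMPLE_BATCH):
        print(charge_id, reason)
```

The round trip `to_minor_units(naive_format(6500))` yields 650000, the 100x overcharge from the article, which is why the reconciliation step compares settled amounts with the folio rather than trusting whatever string reached the processor.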



Tuesday, 22. October 2002

Family receives enormous deposit in error

We have heard of bogus deposits before, but this one is unusually high.

The Swedish local newspaper *Tidningen Angermanland* (www.tidningen.to) reports that a "human error" caused an amount of more than 92,700,000,000 SEK (roughly $10 billion, or 10 milliard Euro if you will) to be deposited into the bank account of a family, instead of the normal 950 SEK per child per month that all families in Sweden receive from the government. The bank spokesperson said that payments were processed manually because of a backlog caused by other problems, and would not elaborate on the actual cause, citing security concerns. After less than a day, the payment was reversed, and the family were not allowed to keep the 15 million SEK of interest that had accrued on their account during this time. [Ulf Lindqvist <ulf@sdl.sri.com> via risks-digest Volume 22, Issue 32]
23:53



disLEXia, a research project by Maximillian Dornseif
