My sister, who works at PayPal, sent me the following link, which is a big laugh and somewhat related.
http://www.notla.com/archives/2010/07/nigerian-scammer-gets-a-laptop-from-me/
28 Jul 2010 08:33
Good report, Robert.
Defcon tests social engineering in its pure form: leveraging people’s natural tendency to trust others, tricking them into giving you valuable inside information, and using that to gain an unfair advantage when attacking your target. Kevin Mitnick is arguably the most notorious social engineer of the last couple of decades: see https://www.finextra.com/blogs/fullblog.aspx?blogid=3805
If you move to a broader interpretation, such as the one in the Wiki article on social engineering (http://en.wikipedia.org/wiki/Social_engineering_(security)) you’ll find social engineering in many other shapes. The original Trojan horse was an amazing piece of social engineering: faking a retreat and leaving behind a huge wooden horse, the Greeks gained entry to the city of Troy. They counted on the citizens of Troy to celebrate their victory and capture the horse which the ‘defeated’ Greeks left behind.
The Bible is also full of social engineering stories: as my colleague Idan Aharoni wrote in this blog (http://www.rsa.com/blog/blog_entry.aspx?id=1588), Jacob used social engineering elements to trick his near-sighted father Isaac into bestowing a blessing upon him.
Phishing is still a mainstream form of attack because fraudsters find new, creative ways to do social engineering. The latest I saw is using the brand of a big fast food company to run a fake survey. Complete the survey, which asks no sensitive details at all, and you’re entitled to an $80 credit to buy meals. Oh, and they need your card details and ATM PIN code to send you the money.
And social networks are the new breeding ground both for social engineering attacks directed at the members and for collecting data from member pages to attack financial institutions and corporations.
Another good example of social engineering is the latest Microsoft trick of setting up a completely fake bank in New York and tricking people into giving them a huge amount of sensitive data (https://www.finextra.com/news/fullstory.aspx?newsitemid=21598).
27 Jul 2010 09:05
Good analysis. Re: leveraging the bad economy to hide first party new account applications, I wrote a blog about this called Riders on the Storm: https://www.finextra.com/blogs/fullblog.aspx?blogid=2904
The first part talks about why mules needed for third party fraud (account takeover) are easy to recruit, and the second part focuses on first party fraud.
Uri
27 Jul 2010 08:24
Very good article.
Many of the credit card data breaches happen at the merchant processor level. Heartland is a classic example: it processed transactions for 250,000 businesses, and was breached by the infamous Albert Gonzalez, who was charged with stealing 130 million cards, most of them from Heartland.
An interesting move in this respect was the announcement by First Data, one of the biggest merchant processors, that it now offers merchants tokenization of credit card data (https://www.finextra.com/news/announcement.aspx?pressreleaseid=29858).
It works like this: once a payment card is used at a merchant’s Point of Sale (POS) device, it is encrypted, sent to First Data, and is immediately replaced with a token value that looks like a credit card number but cannot be linked in any way with the original. If someone inside or outside First Data ever gets their hands on these tokens, they can’t use them anywhere because they’re not the actual card numbers. This dramatically reduces the PCI DSS compliance costs as you don’t need to protect actual card numbers.
27 Jul 2010 08:15
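The token flow described in the comment above, as an added Python sketch that is not First Data's code or anything from the original page: a constructed processor-side vault hands the merchant a random, same-length, Luhn-valid token, and only the vault can map it back. Assumptions labelled in the comments: one stable token per card, and the POS-to-processor encryption leg is left out.

```python
import secrets


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right, counting from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Constructed stand-in for the processor-side vault: the only place the
    PAN <-> token mapping exists. Merchants never hold this object."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a token for a PAN received from a POS device (transport encryption omitted)."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:  # assumed: one stable token per card
            return self._pan_to_token[pan]
        while True:
            # Random digits from a CSPRNG: no hash, no key, nothing derivable from the PAN.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)  # same length, Luhn-valid: looks like a card
            # Never issue a token that equals this PAN, any PAN the vault knows, or an old token.
            if token != pan and token not in self._pan_to_token \
                    and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; a stolen token on its own yields nothing."""
        return self._token_to_pan[token]


def merchant_stores(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What survives in the merchant's database after the sale: the token, never the PAN."""
    return {"card_token": vault.tokenize(pan), "amount_cents": amount_cents}
```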
Another thing SEPA leadership needs to do is consider fraud implications. Once SEPA is widely accepted, the game changes for online banking fraud: if you compromise an online banking account anywhere in the Euro zone, you no longer need to move the money to a bank in the same country.
Let me give a specific example: say a victim's PC in Germany is infected with the Zeus Trojan, a massively popular and particularly nasty piece of malware. Once the victim logs into their online banking, your Zeus will automatically send 5,000 euros to a 'mule' account - a destination bank account controlled by a collaborator to remove any traces leading to you.
If before SEPA you had to recruit the mule locally in Germany, now you have the entire EU to look for collaborators. You can recruit people in Latvia, Finland, and Romania; whatever control the German banks had on looking for suspicious in-country transfers goes away.
I'm not talking about a theoretical thing: in fact, RSA found a Zeus Mule database in May 2009 with a special SEPA MULE section, which included mules from the countries mentioned above. There were also 3 transfers of up to 12,000 euros from German bank accounts to mule accounts outside Germany, using the SEPA scheme.
27 Jul 2010 07:52
Funny you mention Faster Payments; I sat in an APACS meeting a few years ago just before the introduction of Faster Payments, and the main concern was how to keep fraudsters away from this gold nugget of instant monetization of compromised accounts. Today's Trojans are capable of emptying an account in 10 seconds, and if you don't stop it in real time, the money is gone.
SEPA is far worse in this perspective: you basically have to treat cross-border transactions as if they were domestic ones. This means that if you compromise an online banking account anywhere in the Euro zone, you no longer need to move the money to a bank in the same country.
If SEPA gets 'faster payment', the banks in Europe will have to make instant decisions. Is this a legitimate cross border payment, or an attempt to empty the account? Tough choice, which requires state-of-the-art fraud defense strategy.
27 Jul 2010 07:49
Hats off to the Mexico customs control system :)
This highly unusual screening process should be enough to deter many would-be felons, especially those exposed to it for the first time. A couple of years ago we invited a fraudster to a meeting with some of the UK banks and asked him which bank was the easiest to target in telephony fraud. “All of them, really,” he said, “except one. That bank asked all sorts of strange authentication questions. Like, instead of asking for the date of birth, they asked – what’s your zodiac sign. They kept surprising me. So I left them off.”
15 Jul 2010 18:39
So what are you saying, Robert, that Facebook applications such as http://blippy.com are dangerous?
:)
31 May 2010 10:49
I have only one comment to this:
http://www.youtube.com/watch?v=P47wGPTBmN4
31 May 2010 10:44
I agree. In fact, with drive-by downloads, a user no longer has to be careless or stupid to get infected. You just happen to be in the wrong place at the wrong time.
10 Mar 2010 13:32