
Scams

February 04, 2009

Beware the SMS Premium Number Scam

An Indian phone company is warning users against a variation on the premium rate phone scam, whereby users are contacted by email or mail and asked to call a number to confirm winning a prize. The number is a premium number—either local or international—and the user has to sit through several expensive minutes of canned music before finding they haven’t won anything.

The Indian variation is that victims are sent an SMS containing the phone number they should call. They’re then charged Rs500 ($10) a minute as they navigate their way through an automated phone tree.

Control Enter » Blog Archive » Beware of false lottery winning claims via SMS

February 02, 2009

Traffic Light Scam II

More on the Italian traffic light scam. I wrote to Mr. Arrighetti asking for comment, and received this from Silvia Guelpa, who says she is a consultant to the company. In summary, she’s arguing that the company, and its founder Stefano Arrighetti, haven’t done anything wrong and that if anyone has broken the law it’s the companies and police who have been responsible for changing the settings which created the huge volume of tickets.

She makes the following points:

  • KRIA is a manufacturer and does not sell to the City Councils but to Companies who rent the T-RED to the Police with contracts based on the number of tickets (about 30%).
  • T-RED—the system—does not actually control the traffic lights, which are managed by a controller.
  • T-RED can be configured to detect immediately after the red phase begins or after a configured delay (0-10.000ms). Local Police and Companies renting the systems set the yellow on the controller for as short a period as possible and reset to zero the above mentioned delay, in order to increase the number of tickets.

This, she says, is what is causing the abnormal number of tickets.

She also says there has already been one investigation, by Milan’s attorney, which concluded after one year that KRIA is “absolutely innocent and out of any private interest.” That investigation, she says, resulted in the arrest of “bosses of the companies buying and renting T-RED and they admitted that they forced and won many tenders incorrectly.”

But with public outcry still strong—three million tickets still had to be paid—Verona’s attorney started investigating KRIA’s certification—whether or not its system had all the right paperwork. The idea, she says, was to find an excuse to cancel all the tickets.

KRIA believes it has all the right certification, arguing that the only parts which need to be certified are “the fixed, immutable components of the device”—cameras, lighting systems, PC and PCI board. But Ms Guelpa says the attorney’s power “is unlimited during the investigation phase. They can even arrest people.”

Her argument is basically that Mr. Arrighetti is being made a scapegoat on a technicality.

Lesson from this? I guess I’m still reeling from the idea that police forces would fiddle the system to fill their coffers, not just in Italy but elsewhere. But I guess the bigger point is that all kinds of technology are susceptible to this kind of manipulation, which raises the question: Quis custodiet ipsos custodes?

February 01, 2009

The Traffic Light Scam

image

If true, this is a scam that is going to fuel the conspiracy theories of every driver who feels they were fined unfairly for crossing a red light. Police in Italy have arrested the inventor of a smart traffic light system, and are investigating another 108 people, on suspicion of tampering with the software to speed up the transition from amber to red, netting the local police and others in on the scam millions of dollars of extra fines.

The question is: Is this kind of thing limited only to Italy?

The Independent writes:

Stefano Arrighetti, 45, an engineering graduate from Genoa who created the "T-Redspeed" system, is under house arrest, and 108 other people are under investigation after it was alleged that his intelligent lights were programmed to turn from amber to red in half the regulation time. The technology, which was adopted all over Italy, employs three cameras designed to assess the three-dimensional placement of vehicles passing a red light and store their number plates on a connected computer system.

Those now under investigation include 63 municipal police commanders, 39 local government officials and the managers of seven private companies.

The fraud, The Independent says, was uncovered by Roberto Franzini, police chief of Lerici, on the Ligurian coast, who – in February 2007 – noticed the abnormal number of fines being issued for jumping red lights. "There were 1,439 for the previous two months," he said. "It seemed too much: at the most our patrols catch 15 per day." He went to check the lights and found that they were changing to red after three seconds instead of the five seconds that had been normal.

Unanswered, of course, is why it’s taken two years for the fraud to be stopped and investigated. The inventor’s lawyer has said he is innocent. Mr Arrighetti’s LinkedIn page is here. He is described as the owner of Kria, a Milan-based company which sells the T-Redspeed and other traffic monitoring systems.

image

Image of Arrighetti from Insight24 webcast

The T-Redspeed system is described in the company literature as “the newest and most innovative digital system for vehicle speed and red light violation detection. Based on special video cameras, it doesn’t require additional sensors (inductive loops, radars or lasers). It measures the speed of the vehicles (instantaneous and average) up to 300 km/h.”

Some forum posters have suggested a system used by British authorities, RedSpeed, is the same, but on first glance it doesn’t look like it. That said, reducing the amber phase seems to be a widespread source of extra revenue: The National Motorists Association of America has found six cities that have shortened the amber phase beyond the legal amount, apparently as a way to increase revenue.

Illustration from Kria brochure (PDF)

January 16, 2009

Another Facebook Hole?

(Update: Facebook have confirmed the flaw—although it’s not as serious as it looks—and have fixed it. See comments.)

The complexity of Facebook makes it likely there are holes in its privacy. But this one, if I’m right, seems to suggest that it’s possible to access someone’s private data by a social engineering trick outside Facebook.

Today I received an email invite to join Facebook from someone I’ve never heard of. Weird, firstly, because this was not someone I think I’d have known. Weird, also, because I’m already on Facebook.

image

Just to make sure, I clicked on the link to sign up for Facebook and took the option there to sign in with my existing account.

That took me to my usual Facebook page. No more mention of the dude wanting to be my friend. At no point was I given any option to let this person into my life or not.

So I Googled the guy’s name and, lo and behold, I find I’m already on his list of friends:

image

Slightly freaked out, I went back to my account to see if this person was included in my list of friends. He wasn’t.

In other words, this guy can now see all my account details, and I can’t see his. Moreover, at no point have I accepted anything. All I’ve done is click on a link that said: To sign up for Facebook, follow the link below.

What I guess has happened is what happens if you click on the profile of someone who is not a friend but has sent you a message, or asked you to be a friend. In either case, I believe, that person then gets a week’s access to your profile.

I think this is dumb. But I think it’s dangerous that anyone can email me and, if I then click on a link to check out who they are, I now cede access to my information without being able to block it, or to be able to access his Facebook profile to see what kind of person can now access my data.

January 12, 2009

Another Online Banking Hole

image

(Update: corrected a few things. You can’t see the person’s bank account number. But you can see anyone’s phone bill, whether or not they’re a customer of that bank.)

---

Here’s a hole in Internet banking that allows anyone with an account at a bank to look up other people’s bills—tax, water bill, Internet bill, landline, cellphone—so long as they have that person’s account or phone number.

This means, for example, I can enter a telephone number and—so long as that person has an unpaid phone bill at that bank—I can find out their name. Think of it as a reverse phone book.

Not only that: I get their bank account number.

It needn’t stop there. If I was the social engineering type, I could then call up the phone company and give them enough information—the name, phone number and bill amount—and persuade them to send me the itemised bill.

The same is true, I’m told, of all bills that can be paid at that bank.

In short, this kind of access gives me enough personal information to socially engineer all sorts of attacks. The mind boggles.

The bank is a well-known Indonesian one—making this sort of attack particularly dangerous—but it’s probably not alone in failing to ensure a validation procedure for its customers. I’ve not had the chance to explore it; most banks, I believe, would require not a phone number but a bill reference number to access this kind of information.

The problem here is that the people who set up the service didn’t imagine that someone might enter a telephone number or bill number that wasn’t their own. Techies need to think like thieves and real people when they set these things up.
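The flaw the post describes is a missing object-level authorization check: being logged in is treated as permission to look up any bill. The example below is added here to show that gap next to one way of closing it; it is not the bank’s code, and the bills, customer ids, phone numbers and reference numbers are all constructed. The hardened handler only answers for numbers the caller has already bound to their own account, and binding requires the bill reference printed on the paper bill (the check the post says most banks apply), so a phone number alone no longer turns into a name and an amount.

```python
"""Bill-lookup authorization: the pattern the post describes beside a hardened
version. Handlers, bills and registered numbers are constructed for this
example and are not the bank's code."""
from dataclasses import dataclass


class LookupDenied(Exception):
    """Raised when a lookup is refused (no session, or number not the caller's)."""


@dataclass(frozen=True)
class Bill:
    payer_name: str
    amount: int          # constructed amounts
    reference: str       # reference printed on the paper bill (constructed)


# Constructed: bills the bank can settle, keyed by the phone number they belong to.
BILLS = {
    "0812-0001": Bill("Customer A", 250_000, "REF-A-2009-01"),
    "0812-0002": Bill("Customer B", 75_000, "REF-B-2009-01"),
}

# Constructed: phone numbers each logged-in banking customer has registered.
REGISTERED = {
    "cust-a": {"0812-0001"},
    "cust-b": {"0812-0002"},
}


def lookup_bill_vulnerable(session_user, phone_number):
    """The post's pattern: a valid session is the only check, so any customer
    can turn any phone number into a payer name and an amount."""
    if session_user is None:
        raise LookupDenied("login required")
    bill = BILLS.get(phone_number)
    if bill is None:
        return None
    return {"name": bill.payer_name, "amount": bill.amount}


def register_number(session_user, phone_number, reference):
    """Bind a number to the caller only if they can quote the bill reference,
    something an outsider who merely knows the phone number does not have."""
    bill = BILLS.get(phone_number)
    if session_user is None or bill is None or bill.reference != reference:
        raise LookupDenied("cannot verify ownership of this number")
    REGISTERED.setdefault(session_user, set()).add(phone_number)
    return True


def try_register(session_user, phone_number, reference):
    """Helper for checks: True when registration is accepted, False when refused."""
    try:
        return register_number(session_user, phone_number, reference)
    except LookupDenied:
        return False


def lookup_bill_hardened(session_user, phone_number):
    """Object-level authorization: the number must already be bound to the
    caller's account. The response also omits the name (the customer knows it)."""
    if session_user is None:
        raise LookupDenied("login required")
    if phone_number not in REGISTERED.get(session_user, set()):
        # One answer for 'not yours' and 'unknown' on purpose: the endpoint
        # must not confirm which numbers have bills at this bank.
        raise LookupDenied("number not registered to this account")
    bill = BILLS[phone_number]
    return {"amount": bill.amount}


def is_denied(handler, session_user, phone_number):
    """Helper for checks: True when the handler refuses the lookup."""
    try:
        handler(session_user, phone_number)
    except LookupDenied:
        return True
    return False
```

Design note: the denial message for an unregistered number is deliberately the same whether or not the bank holds a bill for it, so the lookup cannot be used to enumerate which numbers have unpaid bills, which is the reverse-phone-book problem the post describes.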

Us ordinary folk? We need to stay on our toes and yell at banks that compromise our personal data in this way. I believe the bank in question knows of this breach but as of the time of writing, it’s not yet fixed.

December 15, 2008

How Good Information Goes Bad

image 

The Internet is fast becoming a sort of gossip chamber where the real merges with the fantasy, leaving ordinary people overwhelmed. I’m not sure it’s a good thing.

Take an email my wife forwarded me this morning. It’s from a newsgroup comprising Indonesian expat mothers in Singapore (talk about niches!). The sender had forwarded an email they received from someone who claimed to have had the scam they describe befall them in Singapore.

The scam itself is ingenious: someone phones a resident, saying they’ve got a package to deliver and confirming someone will be home. The package is a beautiful basket of flowers and wine. No card (the delivery guy says it’s coming later). Recipient happy, but told will have to pay $3.50 as proof the delivery guy left the alcohol-containing package to an adult. Fair enough.

The recipient goes to get cash. No, says the guy, it has to be by EFTPOS—a bank card—because he’s not allowed to handle cash. Fair enough.

He swipes the card on his machine, recipient enters PIN, and off delivery guy goes.

Within a few days, several thousand dollars disappears from the recipient’s account, via a duplicated card and the stolen PIN number.

Now this is a good, classy and brazen scam. And it’s true. It did happen—in Sydney, Australia, in October (and possibly November) 2008. The guy involved was arrested on November 21.

But it didn’t, as far as we know, happen in Singapore. Or anywhere else.

But that hasn’t stopped the email from spreading virally. In Malaysia, Canada, and elsewhere.

Myth-busting sites like Snopes and Hoax Slayer have done a good job of trying to separate fact and fiction. The problem is that as these legitimate stories spread, they serve to confuse and alarm rather than educate the public. As Hoax Slayer puts it:

While they may be perfectly valid when first launched, a problem with such warning emails is that they may continue to circulate for years and eventually become outdated and redundant. And, as noted, false or misleading information may be added to the messages as they circulate and such additions can significantly erode their use as warnings. Before forwarding such warning messages, it is always wise to check that the information they contain is accurate and up-to-date.

I quite agree. It’s good that people are wary, but not based on stories that are no longer true.

Checklist to avoid such scams:

  • Ask to see credentials of any delivery guy, whether or not he’s giving you free stuff.
  • If you’re wary, don’t accept the delivery. Even if it’s free stuff.
  • You should not be asked to pay money by someone appearing at your door unless you’re expecting the package. Sadly this is not properly adhered to, even by supposedly reputable couriers. In Indonesia I would find the couriers demanding duty payments that were not sufficiently documented.
  • Don’t let anyone swipe your bank card unless you’ve established who they are.
  • If in doubt, demand a name card and take a photo of the person with your cellphone. Then close the door.

Photo credit: North Shore Times.

December 01, 2008

A New Kind of Anti-Piracy Scam?

image

Turns out it is possible to make money from having your products pirated. You put them out there yourself, and then sue anyone who takes them.

This is what, allegedly, is happening between a U.S. pornographer, a German anti-piracy organisation, and a firm of UK lawyers. Here’s how the scam—allegedly—works. The pornographer cuts a deal with the anti-piracy group to distribute about 300 of its movies. The anti-piracy group uploads them to peer to peer networks like e-Donkey, KaZaa, BitTorrent, etc.

People download them. Then the lawyers come in. They go to the ISP and demand names and addresses of downloaders. Then they send them nasty letters demanding £500 for "copyright infringement" or else face the likelihood of a high court action. Most pay up. Many have no idea what they’re talking about.

How do we know all this? Well, there’s a great piece on it by TorrentFreak, which explains it in some detail. The screenshot above is taken from what purports to be a contract [PDF] between the pornographer, John Stagliano, and the German anti-piracy group, DigiProtect. The document states clearly:

To achieve the purpose outlined in clause 1, LICENSOR grants DIGIPROTECT the exclusive right to make the movies listed in Appendix 1 worldwide available to the public via remote computer networks, so-called peer-2-peer and internet file sharing networks such as e-Donkey, Kazaa, Bitorrent, etc. for the duration of this agreement.

DigiProtect then sought and obtained a court order demanding that UK ISPs reveal

the name and postal address ("personal data") of the registered subscriber or subscribers to each of the Respondents' internet account or accounts that were assigned to the internet protocol address listed in Schedule 1 hereto, on the dates and times shown therein and which relate to the Respondents.

The rest—that the lawyers have been hired to essentially blackmail perceived downloaders—seems to be based on assumption. Techdirt has a good account here, and concludes:

In other words, it's quite clear that this has nothing to do with preventing content from getting on file sharing networks. Instead, they're specifically putting it there themselves, apparently hoping to get it as widespread as possible, in order to send out the threat letters more widely, so they can collect on the "settlements" from people scared that they're about to get sued. It's hard to see how that's not a massive abuse of copyright law.

Interestingly, the Guardian piece linked to above, which indicates the extent of the lawyers’ blitz, does not refer to the involvement of the copyright holder (the pornographer) or the suspicious looking contract. This is odd, since the article—the most recent on the topic, posted on Saturday—does refer to a Southampton-based law firm, Lawdit, which is charging clients £50 to fight the demands.

Neither does Lawdit refer to the leaked document in its own advice on the matter, made public on November 19. The lawyer involved is Michael Coyle, who has offered free legal representation in the past on a somewhat similar case.

The lawyers’ firm involved on behalf of DigiProtect is none other than Davenport Lyons, which has something of a reputation in this field.

Needless to say, knowing the IP address doesn’t indicate that the person in whose name it’s held is going to be the one downloading the file in question. Indeed, if there’s any illegality involved, it’s very unlikely someone would use their own Internet connection to do so. More likely they’d use a public connection or piggyback an unsecured WiFi connection.

The lesson: Secure your WiFi network. And don’t pay up if you got one of these letters and you didn’t do anything. If you did, find a lawyer who’s keen to pursue the possibility that this is not a simple case of an aggrieved copyright holder trying to recover its due, but someone who intentionally seeded P2P networks with its content in order to make a killing.

November 28, 2008

Facebook Scams: Not Out of the Woods

Facebook may have just won a theoretical warchest from a spammer, but it’s not put its house in order when it comes to scams. Indeed, I suspect they’re getting worse. Now you can get infected without even having to visit your Facebook account.

What happens is that, if you have set your profile to receive email updates when someone sends you a message on Facebook, these trojan scams actually make their way direct into your inbox. Facebook is just the vector.

Here’s a message, as it looks in Gmail:

image

Click on that link and it takes you, not to the Facebook message page, but straight to the dodgy website. In this case the website is still active. It will have a name like YuoTube:

image

and a YouTube-like interface:

image

The message in the ‘player’ says “Your version of Flash Player is out of date.” Without you doing anything the download window will appear:

image

Of course, if you install that you’re in trouble. But are you in trouble if you’ve already visited the page? I’m still working on that.
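The lure in this post rests on a name that reads like a known brand at a glance (“YuoTube”). One check a mail filter or a cautious reader can apply before following such a link is to compare the link’s hostname against the brand it resembles, counting a swap of two adjacent letters as a single edit so that transposition typos are caught. The example below is added here for that purpose; it is not code from Facebook, Google or the post’s author, and the brand list, hostnames and edit-distance threshold are constructed assumptions.

```python
"""Lookalike-hostname check, added to illustrate the 'YuoTube' trick in the
post. Brand list and hostnames are constructed; not code from any named site."""

# Constructed: brand labels whose lookalikes we want to catch.
BRANDS = ("youtube", "facebook", "gmail")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and swaps of adjacent characters each cost 1, so 'yuotube' is 1 from 'youtube'."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution or match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[rows - 1][cols - 1]


def registrable_label(hostname: str) -> str:
    """Second-level label of a hostname ('www.yuotube.example' -> 'yuotube').
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    labels = hostname.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_brand(hostname, brands=BRANDS, max_distance=1):
    """Return (brand, distance) when the host's label imitates a brand.
    Distance 0 means the brand is embedded in a longer label ('youtube-hd');
    1..max_distance means a typo-style variant. The exact brand label returns None."""
    label = registrable_label(hostname)
    best = None
    for brand in brands:
        if label == brand:
            return None
        if brand in label:
            dist = 0
        else:
            dist = osa_distance(label, brand)
            if dist > max_distance:
                continue
        if best is None or dist < best[1]:
            best = (brand, dist)
    return best


def scan_hosts(hosts):
    """Flag every host that imitates a brand, e.g. hostnames pulled from links in mail."""
    flagged = []
    for host in hosts:
        match = lookalike_brand(host)
        if match is not None:
            flagged.append((host, match[0], match[1]))
    return flagged
```

The threshold of one edit is a constructed choice: it catches transposed and single-letter typos while leaving unrelated names alone; a longer brand list or a public-suffix list would make the label extraction more accurate for real deployments.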

November 07, 2008

Radio Australia topics, Nov 7

I make an appearance on the excellent Breakfast Club show on Radio Australia each Friday at 01:15 GMT and some listeners have asked me post links to the stuff I talk about, so here they are.

image

Follow football on your cellphone through vibrations: a team in Scandinavia has come up with a way to convey movement of a ball via vibrations. In theory, this would let people follow a soccer game with the phone in their pocket.

This is how it would happen, as far as I can understand it: someone would watch a game and input data whenever the ball was kicked. This data would translate into vibrations—short if the ball is in midfield, longer and more insistent as it got nearer the goal. The researchers claim that users quickly figure out what is happening and can follow a game pretty well.

Reminds me of when I was a kid trying to follow a soccer match on a bad radio: You kind of guessed when things were getting exciting by the rise in crowd noise and the voice of the commentator.

Obama’s victory has quickly translated into an opportunity for bad guys. Sophos reports that 60% of malicious spam is Obama-related, including what looks like a link to his acceptance speech, but which is in fact a trojan which, among other things, captures keystrokes and sends information back to the Ukraine. Obama-related malware has even been seen in the sponsored ads appearing on Google News.

EA has made another boo-boo: some copies of its Red Alert 3 CDs are missing a character on the serial number. “Try guessing the last character,” explained the support site until someone pointed out that this was dumb and encouraging amateur cracking.

Lost in translation: The continuing saga of Welsh being a language that non-speakers are never going to be able to guess at took another twist with a sign that, in English, reads “No entry for heavy goods vehicles. Residential site only,” but which in Welsh reads “I am not in the office at the moment. Send any work to be translated.”

I don’t think I need to explain more, except to say that the sign has been removed—apparently by the council that installed it. What Welsh truck drivers made of it has not been recorded.

Photo credit: BBC

November 03, 2008

Wifitising: Great Idea, or Daft and Dangerous?

image

WiFi has become a commodity, something we expect to be able to find, but marketers are slowly waking up to its potential to get the message out—by renaming the service. But is it such a good idea?

A Dutch company, according to Adrants, has started changing the name of its WiFi service continually—both to promote items and to nag freeloaders into buying coffee:

By continuously changing the names of their store networks to such things as OrderAnotherCoffeeAlready, BuyCoffeeForCuteGirlOverThere?, HaveYouTriedCoffeeCake?, BuyAnotherCupYouCheapskate, TodaysSpecialExpresso1.60Euro and BuyaLargeLatterGetBrownieForFree, the chain is able to both promote items as well as guilt patrons into realizing free WiFi really isn't totally free.

Some boring questions are not answered in the article, from whether users find themselves bumped off the network when the name changes (I guess not) to whether regular customers complain that they have to change their WiFi settings every time they log on.

image

And they’re not the first to try something like this: A German car rental company called SIXT has set up WiFi networks in airports with names promoting the car company’s brand. Select the WiFi network and you’re taken to the company’s home page.

The article doesn’t explain whether these WiFi networks provide real connections, or merely access to the company’s page. Needless to say, if it’s the latter any positive message may be undone. And, as the writer points out, this “wifitising” is a form of spam that people may not appreciate.

On top of that is the growth in dodgy WiFi networks that offer free WiFi but actually launch “man in the middle” attacks to eavesdrop on your passwords and other data as you use the network. A hacker last month, for example, accessed personal emails of guests using a U.S. hotel’s free WiFi network. A study by Cornell University’s Center for Hospitality Research of 147 U.S. hotels (HTML version of the PDF file, which requires registering to download) found that only six of the 39 hotels offering WiFi were encrypting traffic. It concluded hotels were “ill-prepared to protect their guests from network security issues.”

The problems with changing the names of WiFi networks are obvious: They further confuse the user and reduce the chances of a standard emerging that may reduce people’s vulnerability when using WiFi. Of course, anyone can give a WiFi network an official-sounding name, so networks are vulnerable to start with, and the Cornell report shows that using even legit WiFi leaves users vulnerable. So it’s hard to see this wifitising trend—small though it is—as anything more than a fad, because if it does catch on, it’s going to make using public WiFi more complicated and misleading, rather than less so.
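The two risks the post raises, networks that do not encrypt traffic and names that anyone can copy, are both visible in an ordinary scan list if a client bothers to look. The example below is added here to show what such a check looks like; it is not code from the cafe chain, SIXT, Cornell or the post’s author. The scan records, the network names and the “trusted access point” list (standing in for a list a venue could publish) are all constructed.

```python
"""Wi-Fi scan audit, added to illustrate the risks the post raises. Scan
records and the trusted list are constructed; no real venue is represented."""
from collections import defaultdict

# Constructed scan as a client might see it: (SSID, BSSID, security).
SCAN = [
    ("HotelGuest", "00:11:22:33:44:01", "WPA2"),
    ("HotelGuest", "aa:bb:cc:dd:ee:02", "OPEN"),   # same name, different radio, no encryption
    ("OrderAnotherCoffeeAlready", "00:11:22:33:44:10", "OPEN"),
    ("HomeNet", "00:11:22:33:44:20", "WPA2"),
]


def audit_networks(scan, trusted=None):
    """Return {ssid: [warnings]} for networks a client should not join blindly.

    trusted maps an SSID to the set of BSSIDs known to carry it (constructed
    here; a venue could print such a list in its welcome pack)."""
    by_ssid = defaultdict(list)
    for ssid, bssid, security in scan:
        by_ssid[ssid].append((bssid, security.upper()))

    findings = {}
    for ssid, radios in by_ssid.items():
        warnings = []
        securities = {sec for _, sec in radios}
        if "OPEN" in securities:
            warnings.append("unencrypted: anyone in range can read the traffic")
        if len(securities) > 1:
            # Several radios sharing one SSID is normal; the same name offered
            # both with and without encryption is the evil-twin shape to avoid.
            warnings.append("same name advertised with different security settings")
        if trusted is not None and ssid in trusted:
            unknown = [b for b, _ in radios if b not in trusted[ssid]]
            if unknown:
                warnings.append("unrecognised access point(s): " + ", ".join(unknown))
        if warnings:
            findings[ssid] = warnings
    return findings


def safe_to_join(scan, ssid, trusted=None):
    """True only when the named network is present and raised no warnings."""
    present = {s for s, *_ in scan}
    return ssid in present and ssid not in audit_networks(scan, trusted)
```

The check cannot tell a marketing rename from a rogue access point; what it can do is refuse to treat an unencrypted network, or a familiar name served from an unfamiliar radio, as safe by default, which is the user-side mitigation for both problems the post describes.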

Renamed WiFi Networks Guilt Freeloaders Into Buying Coffee » Adrants

Blog powered by TypePad
Member since 12/2003