Tag Archives: Automated teller machine

Goertzel, Rugby and the Sweet-talking Scam

The South China Morning Post reports (I’ve got the hard copy here; everything there is behind a subscription wall, so no full link I’m afraid) of a clever scam where the bad guys steal just enough stuff — cards + identity — from a victim to be able to social engineer their way into trust, but not enough for the mark to realise there’s anything missing before the sting. This takes some doing.

This is how it works: The fraudsters swipe a wallet or handbag from under chairs and tables at a weekend sporting event in Hong Kong. They remove the bank ATM card and a business card of the owner and put everything else back. They then research the individual (presumably online, though they may have access to other information, I guess, from associates on the inside at a bank?).

They then wait a day and then call up the mark, identifying themselves as from the victim’s bank, asking some personal details and then asking if they’ve lost their ATM card. This may be the first time the mark has realised the card is lost. Along with a professional and comforting tone, and any personal details that the fraudster has been able to unearth online, this would further lure the victim into a false sense of security.

It’s then that the fraudster says he will cancel the cards and provide a temporary password once the account holder has typed their PIN into the phone. I like this bit; it would be easier and tempting, as in other scams (like this one in the UK), to try to persuade the victim to just give out their PIN verbally. But asking them to enter it into the keypad of their phone adds to the ‘illusion of formal procedure’ that social engineering relies so heavily on. The fraudster, of course, is easily able to attach a device to their phone to capture the tones of the PIN and decode it. They could even just record the tones and play them back against a set of reference tones. (Each digit has a different tone, according to something called dual tone multifrequency, or DTMF. Tones can be decoded using the Goertzel algorithm, via software like this.)
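To make the DTMF point concrete, here is an added example (not code from the original post or from the software it links to): a small Goertzel-based decoder showing why a PIN keyed into a handset is no more private than one read out loud. The keypad tones are a fixed, public encoding; the sample audio is constructed inline, and the 8 kHz rate and 205-sample block are conventional choices, not values from the post.

```python
import math

# DTMF: each key is the sum of one row tone and one column tone (Hz)
ROW_FREQS = (697, 770, 852, 941)
COL_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")
FS, BLOCK = 8000, 205   # telephone sample rate; samples per Goertzel block

def goertzel_power(samples, freq, fs=FS):
    """Energy of `samples` at one target frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def synth_key(key, duration=0.08, fs=FS):
    """Constructed input: the two-tone burst a handset emits for `key`."""
    row = next(r for r, keys in enumerate(KEYPAD) if key in keys)
    f_lo, f_hi = ROW_FREQS[row], COL_FREQS[KEYPAD[row].index(key)]
    return [math.sin(2 * math.pi * f_lo * n / fs) + math.sin(2 * math.pi * f_hi * n / fs)
            for n in range(int(duration * fs))]

def synth_keypresses(keys, gap=0.06, fs=FS):
    """Constructed input: a keyed sequence with silence between presses."""
    out = []
    for k in keys:
        out += synth_key(k, fs=fs) + [0.0] * int(gap * fs)
    return out

def decode_block(block, min_power=1500.0):
    """Key whose row and column tones dominate `block`, or None for silence/noise."""
    rows = [goertzel_power(block, f) for f in ROW_FREQS]
    cols = [goertzel_power(block, f) for f in COL_FREQS]
    if max(rows) < min_power or max(cols) < min_power:
        return None                      # too quiet: a gap between presses
    if max(rows) < 4 * sorted(rows)[-2] or max(cols) < 4 * sorted(cols)[-2]:
        return None                      # no clear winner: noise, not a key
    return KEYPAD[rows.index(max(rows))][cols.index(max(cols))]

def decode_keypresses(samples):
    """Decode a recording: each run of identical decoded blocks is one key press."""
    keys, last = [], None
    for start in range(0, len(samples) - BLOCK + 1, BLOCK):
        key = decode_block(samples[start:start + BLOCK])
        if key is not None and key != last:
            keys.append(key)
        last = key
    return "".join(keys)
```

The silence gaps are what separate repeated digits, which is why the block-level decoder resets between presses rather than collapsing a keyed “11” into one digit.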

Once the PIN is handed over, the account is emptied. In the case cited in the SCMP, some HK$47,000 was removed within 82 minutes of the fraudster obtaining the PIN.

So, the obvious and slightly less obvious go without saying:

  • Never give your PIN to anyone, even a smooth-talking fella calling himself “Peter from HSBC.”
  • Regularly check your purse to see whether all your cards are there. If not, cancel them immediately.
  • Don’t put your name cards, or other revealing personal details, in the same place as your credit cards.
  • Don’t ever accept a call from your bank without taking down the person’s name and number and a telephone number you can verify independently (on statements or online). Then call the bank back. Banks don’t like to do this, because it might mean you call them up when they don’t want to, but tough.
  • Give your bank hell every time they call you up and start asking you questions like “you have a credit card with us, is that right, sir? Would you like to up the limit on that card?” This is just asking for trouble, since calls like that are one small step away from a social engineering attack: “Please just give me the card details and some personal information and we’ll increase that limit right away, sir”. If not that, it at least sows the idea in the customer’s mind that their bank phones them, and that somehow that’s OK.
  • Be aware that Google et al can, when combined, build a pretty clear picture of who you are, even if you’re not a blogger or other form of online exhibitionist. So don’t be lulled by someone calling who seems to know enough about you to be able to pretend to be someone official.

Anyone at the Rugby Sevens this weekend, take note.

Elitism’s Big Security Hole

You would expect that if you choose an elite, premium product or service, it would be more secure than its lesser, bog-standard one. But after an incident today I’m not so sure.

I happen to have a fancy premium account at my bank. I didn’t really want it, and object to such things on champagne socialist grounds, but it happened that way. So I arrive in town, and am looking for an ATM. I espy the logo of my bank on the airport concourse and head that way. Three members of staff stand around the branch entrance, doing that half-welcoming, half-bouncer thing that staff do. I asked if there was an ATM inside, and they said yes, but instead of letting me in, pointed me back across the vast concourse to the railway terminus. “None in here?” I asked, surprised. By then I was fishing inside my wallet for my ATM card and they caught a glimpse of its fancy charcoal greyness. Their attitude changed in a flash to one of abject obeisance. “This way, kind sire,” they said (or something like that) and ushered me inside the darkened interior, round a couple of corners to my very own ATM machine, before withdrawing to a discreet but accessible distance. Butlers passed bearing flutes of champagne; customers carrying men’s purses perused glossy brochures with names like “Managing Your Family’s Wealth So You Can Have Trouble-free Weekends in Your Phuket Condo With An Office Secretary” or something.

Offputting, but I was happy to get my hands on some cash. Until I realised I had forgotten my PIN. No problem, one of the staff said, and led me around more corners to a bank of eager customer advisor executives, or something, all with perfect teeth and wide smiles. They happily gave me cash and balances, none of it requiring any proof of identity on my part. I got to suck a sweet while they did. The three bouncers led me outside as if I was the King of Siam collecting tribute.

I was happy with all the deference and genuflecting, but it made me realise that premium service isn’t really about premium service; it means paying through the nose not to be troubled by impertinent little serfs asking me for proof of identity when I want to move millions of dollars around/see my jewelry collection in a bank vault/pass through immigration. It’s actually about dismantling security, not about enhancing it.

It’s a simple equation: Companies charge more fees to these kinds of people, providing what looks like a Rolls Royce service. People love getting star treatment, assuming that fake veneer and snow-white smiles equate to quality. Of course all it really means is that the basic service — in this case the ATM machine — has been moved off to a remote corner for the unwashed who refuse to pay for the premium service. But more importantly, the actual quality that should be a feature of the improved service is severely compromised, if not entirely absent, since the implicit agreement is that customers won’t be asked for proof of identity. That may seem like an advantage to the customer, but if someone had stolen my wallet they would have been able to empty my account without breaking a sweat. They might even have been offered a shoulder massage while the staff counted the money.

There must be a name for this skewed security thinking. And it must apply to all sorts of services.

Me? I’m downgrading my account and rejoining the plebs. It’s safer there: They won’t let me in the branch without flashing my ID card.

Cash With a Human Face

Here’s a useful innovation for foiling scammers stealing money from ATMs with their heads covered to avoid identification: a system which “can distinguish between someone whose face is covered or uncovered, and only grant access to those who bare their faces.”

No face, no dosh

According to Taiwan’s Central News Agency (no story URL available; first paragraph here), the system was developed by a research team headed by Lin Chin-teng, dean of the College of Computer Science, National Chiao Tung University in Hsinchu, “and can deny ATM access to users who have their faces covered”:

The system’s developers said they hoped the device would assist law enforcers in stopping a common crime involving ATMs: thieves disguise their face with motorcycle helmets or masks, even while their images are being captured by ATM surveillance cameras.

Shoulder Surfing. The Old New Phishing

Stealing passwords in the old days used to involve shoulder surfing — cruising past the mark while s/he’s tapping in her/his password into the computer/ATM/cookie dispenser.

But I had a scare today that made me realise that this is still a pretty easy way to get information. Newly landed in Hong Kong, I breezed over to a cash machine. ‘Internet bank with us!’ it said, or something similar, on the welcome screen. ‘It’s safe!’

Well, maybe, but anybody who was shoulder surfing me would have had a head start on my accounts. For a good 15 seconds, possibly longer, my account numbers were fully visible on the screen, as the ATM was processing my transaction. The message was: The following accounts can be accessed using this card, and then it listed them, nice and bold with double space, just in case the shoulder surfer has poor eyesight. How safe is that?

Maybe I’ve been hanging out with social engineers like Anthony Zboralski and Dave McKay too much (more of that anon). But these guys make me realise, if I didn’t already, that a) information is really, really easy to get using social trickery, and b) the institutions we entrust with our information don’t seem to get it that this is the case. Pfft. I’m changing bank in the morning, just as soon as I’ve changed my PIN.

Worm Hits Diebold’s Windows ATMs

It’s not happy days for Diebold, the company behind ATMs and electronic voting. Its e-voting machines have been the source of much controversy — earlier this month it withdrew its suit against people who had posted leaked documents about alleged security breaches in the software. Now its automatic teller machines have been hit — by viruses.

Wired reports that ATMs at two banks running Microsoft Windows software were infected by a computer virus in August, the maker of the machines said. The ATM infections, first reported by SecurityFocus.com, are believed to be the first of a computer virus wiggling directly onto cash machines. (The Register said in January that the Slammer worm brought down 13,000 Bank of America ATMs, but they weren’t directly infected: the worm infected database servers on the same network, spewing so much traffic the cash machines couldn’t process transactions.)

But how can an ATM get infected? SecurityFocus says that while “ATMs typically sit on private networks or VPNs, the most serious worms in the last year have demonstrated that supposedly-isolated networks often have undocumented connections to the Internet, or can fall to a piece of malicious code inadvertently carried beyond the firewall on a laptop computer.” In other words: the folk who write worms are smarter than we are.

News: When An ATM Isn’t An ATM

From the These Thieves Are So Smart, Why Can’t They Get A Real Job Dept comes a story about ATMs. The Canadian Press reports of a scam in Ontario where the bad guys have rigged a number of existing bank machines, allowing them to make working copies of customers’ debit cards by putting a ‘mask’ on the machine.

The thieves install a false front on an ATM machine for a few hours, painted identically to the actual front of the real machine. When a customer slides a debit card into the card slot on the false front, a small electronic device attached to the front reads all the information contained on the card. A tiny camera installed just above the machine’s number pad videotapes customers as they type in their personal identification numbers. The thieves then produce their own magnetic cards containing identical information to customers’ cards.