http://www.schneier.com/blog/index.rdf
Schneier on Security

A blog covering security and security technology.

Updated: 2016-12-06T12:15:03Z

International Phone Fraud Tactics

2016-12-06T12:15:03Z

This article outlines two different types of international phone fraud. The first can happen when you call an expensive country like Cuba:

My phone call never actually made it to Cuba. The fraudsters make money because the last carrier simply pretends that it connected to Cuba when it actually connected me to the audiobook recording. So it charges Cuban rates to the previous carrier, which charges the preceding carrier, which charges the preceding carrier, and the costs flow upstream to my telecom carrier. The fraudsters siphoning money from the telecommunications system could be anywhere in the world.

The second happens when phones are forced to dial international premium-rate numbers:

The crime ring wasn't interested in reselling the actual [stolen] phone hardware so much as exploiting the SIM cards. By using all the phones to call international premium numbers, similar to 900 numbers in the U.S. that charge extra, they were making hundreds of thousands of dollars. Elsewhere -- Pakistan and the Philippines being two common locations -- organized crime rings have hacked into phone systems to get those phones to constantly dial either international premium numbers or high-rate countries like Cuba, Latvia, or Somalia.

Why is this kind of thing so hard to stop?

Stamping out international revenue share fraud is a collective action problem. "The only way to prevent IRFS fraud is to stop the money. If everyone agrees, if no one pays for IRFS, that disrupts it," says Yates. That would mean, for example, the second-to-last carrier would refuse to pay the last carrier that routed my call to the audiobooks and the third-to-last would refuse to pay the second-to-last, and so on, all the way back up the chain to my phone company. But when has it been easy to get so many companies to do the same thing? It costs money to investigate fraud cases too, and some companies won't think it's worth the trade-off. "Some operators take a very positive approach toward fraud management. Others see it as cost of business and don't put a lot of resources or systems in to manage it," says Yates.




Voynich Manuscript Facsimile Published

2016-12-05T20:20:41Z

Yale University Press has published a facsimile of the Voynich Manuscript.

The manuscript is also available online.




Guessing Credit Card Security Details

2016-12-05T14:31:30Z

Researchers have found that they can guess various credit-card-number security details by spreading their guesses around multiple websites so as not to trigger any alarms.

From a news article:

Mohammed Ali, a PhD student at the university's School of Computing Science, said: "This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system.

"Firstly, the current online payment system does not detect multiple invalid payment requests from different websites.

"This allows unlimited guesses on each card data field, using up to the allowed number of attempts -- typically 10 or 20 guesses -- on each website.

"Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw.

"The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time.

"Each generated card field can be used in succession to generate the next field and so on. If the hits are spread across enough websites then a positive response to each question can be received within two seconds -- just like any online payment.

"So even starting with no details at all other than the first six digits -- which tell you the bank and card type and so are the same for every card from a single provider -- a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds."

That's card number, expiration date, and CVV code.

From the paper:

Abstract: This article provides an extensive study of the current practice of online payment using credit and debit cards, and the intrinsic security challenges caused by the differences in how payment sites operate. We investigated the Alexa top-400 online merchants' payment sites, and realised that the current landscape facilitates a distributed guessing attack. This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions. We will show that this attack would not be practical if all payment sites performed the same security checks. As part of our responsible disclosure measure, we notified a selection of payment sites about our findings, and we report on their responses. We will discuss potential solutions to the problem and the practical difficulty to implement these, given the varying technical and business concerns of the involved parties.

BoingBoing post:

The researchers believe this method has already been used in the wild, as part of a spectacular hack against Tesco bank last month.

MasterCard is immune to this hack because they detect the guesses, even though they're distributed across multiple websites. Visa is not.




A 50-Foot Squid Has Not Been Found in New Zealand

2016-12-03T00:18:03Z

A 50-foot squid has not been found in New Zealand.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.




Auditing Elections for Signs of Hacking

2016-12-02T12:39:17Z

Excellent essay pointing out that election security is a national security issue, and that we need to perform random ballot audits on every future election:

The good news is that we know how to solve this problem. We need to audit computers by manually examining randomly selected paper ballots and comparing the results to machine results. Audits require a voter-verified paper ballot, which the voter inspects to confirm that his or her selections have been correctly and indelibly recorded. Since 2003, an active community of academics, lawyers, election officials and activists has urged states to adopt paper ballots and robust audit procedures. This campaign has had significant, but slow, success. As of now, about three quarters of U.S. voters vote on paper ballots. Twenty-six states do some type of manual audit, but none of their procedures are adequate. Auditing methods have recently been devised that are much more efficient than those used in any state. It is important that audits be performed on every contest in every election, so that citizens do not have to request manual recounts to feel confident about election results. With high-quality audits, it is very unlikely that election fraud will go undetected whether perpetrated by another country or a political party.

Another essay along similar lines.

Related: there is some information about Russian political hacking this election cycle that is classified. My guess is that it has nothing to do with hacking the voting machines -- the NSA was on high alert for anything, and I have it on good authority that they found nothing -- but something related to either the political-organization hacking, the propaganda machines, or something else before Election Day.




Analyzing WeChat

2016-12-05T14:32:29Z

Citizen Lab has analyzed how censorship works in the Chinese chat app WeChat:

Key Findings:

  • Keyword filtering on WeChat is only enabled for users with accounts registered to mainland China phone numbers, and persists even if these users later link the account to an International number.

  • Keyword censorship is no longer transparent. In the past, users received notification when their message was blocked; now censorship of chat messages happens without any user notice.

  • More keywords are blocked on group chat, where messages can reach a larger audience, than one-to-one chat.

  • Keyword censorship is dynamic. Some keywords that triggered censorship in our original tests were later found to be permissible in later tests. Some newfound censored keywords appear to have been added in response to current news events.

  • WeChat's internal browser blocks China-based accounts from accessing a range of websites including gambling, Falun Gong, and media that report critically on China. Websites that are blocked for China accounts were fully accessible for International accounts, but there is intermittent blocking of gambling and pornography websites on International accounts.

Lots more details in the paper.




DigiTally

2016-11-30T15:33:18Z

Ross Anderson describes DigiTally, a secure payments system for use in areas where there is little or no network connectivity.




You, Too, Can Rent the Mirai Botnet

2016-11-29T12:01:13Z

You can rent a 400,000-computer Mirai botnet and DDoS anyone you like.

BoingBoing post. Slashdot thread.




San Francisco Transit System Target of Ransomware

2016-11-28T23:36:34Z

It's really bad. The ticket machines were hacked.

Over the next couple of years, I believe we are going to see the downside of our headlong rush to put everything on the Internet.

Slashdot thread.




Friday Squid Blogging: Striped Pyjama Squid

2016-12-05T14:33:02Z

Here's a nice picture of one of the few known poisonous squids.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.