Privacy

Privacy and anonymity

Card fraud and other details

A family member recently encountered credit card fraud.  That isn’t unusual, but there were some features of the whole experience that seemed odd.

First off, the person involved is certain that the fraud relates to the use of the card at a tap/RFID/proximity reader.  The card has been in use for some time, but the day before the fraudulent charges the card was used, for the first time, at a gas pump with a “tap” reader.

(I suspect this is wrong.  The card owner feels that gas pumps, left unattended all night, would be a prime target for reader tampering.  I can’t fault that logic, but the fact that an address was later associated with use of the card makes me wonder.)

At any rate, the day after the gas was purchased, two charges were made with the credit card.  One was for about $600.00, and was with startech.com, a supplier of computer parts, particularly cables, based in Ontario.  The other charge was for almost $4000.00, and was with megabigpower.com, which specializes in hardware devices for Bitcoin mining, and operates out of Washington state.  (Given the price list, this seems consistent with about 8 Bitcoin mining cards, or about 20 USB mining devices.)  The credit card company was notified, and the card voided and re-issued.

A few days after that, two boxes arrived–at the address of the cardholder.  One came from startech.com via UPS and was addressed to John Purcer, the other was from megabigpower.com via Fedex and was addressed to Tom Smyth.  Both were left at the door, refused and returned to the delivery companies.  (At last report, the cardholder was trying to get delivery tracking numbers to ensure that the packages were returned to the companies.)

As noted previously, this is where I sat up.  Presumably a simple theft of the card data at a reader could not provide the cardholder’s address data.  An attempt might be made to ensure that the “ship to” address is the same as the “bill to” address (one of the companies says as much on its billing page), but I further assume that a call to the credit card company with a “hey, I forgot my address” query wouldn’t fly, and I doubt the credit card company would even give that info to the vendor company.

One further note: I mentioned to the cardholder that it was fortunate that the shipment via UPS was from the Canadian company, since UPS is quite unreasonable with charges (to the deliveree) involving taking anything across a border.  (When I was doing a lot more book reviews in the old days, I had to add a standard prohibition against using UPS to all my correspondence with companies outside Canada.)  When UPS was contacted about this delivery, the agent reported that the package was shown as delivered, with a note of “saw boy,” presumably since the cardholder’s son was home, or in the vicinity of the house, at the time of delivery.  The cardholder was understandably upset and asked to have that note taken off the record, and was then told a) the record could not be changed, and b) that was a standard code, presumably built-in to the tracking devices the drivers carry.

Just a note to those of you who care anything about privacy …

Cyberbullying, anonymity, and censorship

Michael Den Tandt’s recent column in the Vancouver Sun is rather a melange, and deserves to have a number of points addressed separately.

First, it is true that the behaviours the “cyberbullying” bill address, those of spreading malicious and false information widely, generally using anonymous or misleading identities, do sound suspiciously close to those behaviours in which politicians engage themselves.  It might be ironic if the politicians got charged under the act.

Secondly, whether bill C-13 is just a thinly veiled re-introduction of the reviled C-30 is an open question.  (As one who works with forensic linguistics, I’d tend to side with those who say that the changes in the bill are primarily cosmetic: minimal changes intended to address the most vociferous objections, without seriously modifying the underlying intent.)

However, Den Tandt closes with an insistence that we need to address the issue of online anonymity.  Removing anonymity from the net has both good points and bad, and it may be that the evil consequences would outweigh the benefits.  (I would have thought that a journalist would have been aware of the importance of anonymous sources of reporting.)

More importantly, this appeal for the banning of anonymity betrays an ignorance of the inherent nature of networked communitcation.  The Internet, and related technologies, have so great an influence on our lives that it is important to know what can, and can’t, be done with it.

The Internet is not a telephone company, where the central office installs all the wires and knows at least where (and therefore likely who) a call came from.  The net is based on technology whish is designed, from the ground up, in such a way that anyone, with any device, can connect to the nearest available source, and have the network, automatically, pass information to or from the relevant person or site.

The fundamental technology that connects the Internet, the Web, social media, and pretty much everything else that is seen as “digital” these days, is not a simple lookup table at a central office.  It is a complex interrelationship of prototcols, servers, and programs that are built to allow anyone to communicate with anyone, without needing to prove your identity or authorization.  Therefore, nobody has the ability to prevent any communication.

There are, currently, a number of proposals to “require” all communications to be identified, or all users to have an identity, or prevent anyone without an authenticated identity from using the Internet.  Any such proposals will ultimately fail, since they ignore the inherent foundational nature of the net.  People can voluntarily participate in such programs–but those people probably wouldn’t have engaged in cyberbullying in any case.

John Gilmore, one of the people who built the basics of the Internet, famously stated that “the Internet interprets censorship as damage and routes around it.”  This fact allows those under oppressive regimes to communicate with the rest of the world–but it also means that pornography and hate speech can’t be prevented.  The price of reasonable commuincations is constant vigilance and taking the time to build awareness.  A wish for a technical or legal shortcut that will be a magic pill and “fix” everything is doomed to fail.

CyberSec Tips: Email – Spam – Fraud – example 3

This one is slightly interesting, in that it contains elements of both 419 and phishing.  It’s primarily an advance fee fraud message.  First off, the headers:

> Subject: Dear Winner!!!
> From: CHELPT <inf8@hotline.onmicrosoft.com>
> Date: Thu, 28 Nov 2013 17:45:06 +0530
> Reply-To: <morrluke@careceo.com>
> Message-ID: <XXX.eurprd01.prod.exchangelabs.com>

Again, we see different domains, in particular, a different address to reply to, as opposed to where it is supposed to be from.

> Corporate Headquarters
> Technical Office Chevrolet promotion unit
> 43/45 The Promenade…
> Head Office Chevrolet motors
> 43/45 The Promenade Cheltenham
> Ref: UK/9420X2/68
> Batch: 074/05/ZY369
> Chevrolet Canter, London, SE1 7NA – United Kingdom

My, my, my.  With all that addressing and reference numbers, it certainly looks official.  But isn’t.

> Dear Winner,
>
> Congratulations, you have just won a cash prize of £1,000, 000, 00. One million
> Great British Pounds Sterling (GBP) in the satellite software email lottery.
> On-line Sweepstakes International program held on this day Satur day 23rd
> November 2013 @05:42.PM London time. Conducted by CHEVROLET LOTTERY BOARD in
> which your e-mail address was pick randomly by software powered by the Internet
> send data’s to;
> ——————————————————————————–
> Tell: +44 701 423 4661             Email: morrluke@careceo.com Officer Name: Mr.
> Morrison Luke. CHEVROLET LOTTERY BOARD London UK
> ——————————————————————————–

As usual, you have supposedly won something.  If you reply, of course, there will start to be fees or taxes that you have to pay before the money is released to you.  The amounts will start out small (hey, who wouldn’t be willing to pay a hundred pound “processing fee” in order to get a million pounds, right?) but then get larger.  (Once you’ve paid something, then you would tend to be willing to pay more.  Protecting your investment, as it were.)  And, of course you will never see a cent of your winnings, inheritance, charity fund, etc, etc.

> Below is the claims and verifications form. You are expected to fill and return
> it immediately so we can start processing your claims:
>
> 1. Full Names:
> 2. Residential Address:
> 3. Direct Phone No:
> 4. Fax Number
> 5. Occupation:
> 6. Sex:
> 7. Age:
> 8. Nationality:
> 9. Annual Income:
> 10. Won Before:
> 11. Batch number: CHELPT1611201310542PM
> 12: Ticket Numbers: 69475600545-72113
> 13: Lucky numbers: 31-6-26-13-35-7

But here, they are starting to ask you for a lot of personal information.  This could be used for identity theft.  Ultimately, they might ask for your bank account information, in order to transfer your winnings.  Given enough other data on you, they could then empty your account.

> We wish you the best of luck as you spend your good fortune thank you for being
> part of our commemorative yearly Draws.
>
> Sincerely,
> Mrs. Susan Chris.
> CHEVROLET LOTTERY PROMOTION TEAM.

Oh, yeah.  Good luck on ever getting any of this money.

Google’s “Shared Endorsements”

A lot of people are concerned about Google’s new “Shared Endorsements” scheme.

However, one should give credit where credit is due.  This is not one of Facebook’s functions, where, regardless of what you’ve set or unset in the past, every time they add a new feature it defaults to “wide open.”  If you have been careful with your Google account in the past, you will probably find yourself still protected.  I’m pretty paranoid, but when I checked the Shared Endorsements setting page on my accounts, and the “Based upon my activity, Google may show my name and profile photo in shared endorsements that appear in ads” box is unchecked on all of them.  I can only assume that it is because I’ve been circumspect in my settings in the past.

REVIEW: Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed, Jack Nuern

BKIDTHMA.RVW   20120831

“Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed”, Jack Nuern, 2012
%A   Jack Nuern http://www.idtheftadvocates.com
%C   4901 W. 136 St., Leawood, KS, USA   66224
%D   2012
%G   ASIN: B0088IG92E
%I   Roadmap Productions
%O   fax 866-594-2771
%O  http://www.amazon.com/exec/obidos/ASIN/B0088IG92E/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/B0088IG92E/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/B0088IG92E/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   128 p.
%T   “Identity Theft Manual: Practical Tips, Legal Hints, and Other Secrets Revealed”

Despite the implications of the title, this is not a primer for performing identity theft, but a guide to preventing and recovering from it.  The information, unfortunately, is fairly pedestrian, and most of it could be obtained from any magazine article on the topic.

Chapter one is a (very) basic introduction to identity theft, with a rather odd emphasis on the use of medical information.  Methods of identity theft are described in chapter two.  Unfortunately, this is where the book starts to show signs of serious disorganization, and some of the material is more sensational than helpful.  Chapter three lists some steps you can take to attempt to prevent identity theft.  The suggestions are the usual standards of not giving out any information to anyone, and the book tacitly admits that protection is not assured.

Chapter four gets to the real intent of the work: actions to take when your identity has been stolen and misused.  There is a great deal of useful content at this point, limited by two factors.  One is that everything discussed is restricted to institutions in the United States.  The other is that there is almost no discussion of what the entities mentioned can do for you or what they can’t or won’t.

As one could expect from a book written by a law firm, chapter five addresses the liability that the victim of identity theft faces.  The answer, unsurprisingly, is “it depends,” backed up with a few stories.  (Pardon me: “case studies.”)

There are some appendices (called, predictably, “Exhibits”).  Again, most of these will only be of use to those in the United States, and some, sections of related laws, will be of very little use to most.  There is a victim complaint and affidavit form which would probably be very helpful to most identity theft victims, reminding them of information to be collected and presented to firms and authorities.

The book is not particularly well written, and could certainly use some better structure and organization.  However, within its limits, it can be of use to those who are in the situation, and who frequently have nowhere to turn.  As the book notes, authorities are often unhelpful and take limited interest in identity theft cases.   And, as the book also (frequently) notes, the book is cheaper than hiring a law firm.

copyright, Robert M. Slade   2012     BKIDTHMA.RVW   20120831

REVIEW: “The Quantum Thief”, Hannu Rajaniemi

BKQNTTHF.RVW   20120724

“The Quantum Thief”, Hannu Rajaniemi, 2010, 978-1-4104-3970-3
%A   Hannu Rajaniemi
%C   175 Fifth Avenue, New York, NY  10010
%D   2010
%G   978-1-4104-3970-3 0765367661
%I   Tor Books/Tom Doherty Assoc.
%O   pnh@tor.com www.tor.com
%O  http://www.amazon.com/exec/obidos/ASIN/0765367661/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0765367661/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0765367661/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   466 p.
%T   “The Quantum Thief”

This is the type of space opera that creates whole worlds, technologies, and languages behind it.  The language or jargon makes it hard to read.  The worlds are confusing, especially since some are real, and some aren’t.  The technologies make it way too easy to pull huge numbers of deuses ex way too many machinas, which strain the ability to follow, or even care about, the plot.  In this situation, the plot can be random, so the impetus for continued reading tends to rely on the reader’s sympathy for the characters.  Unfortunately, in this work, the characters can also have real or imagined aspects, and can change radically after an event.  It was hard to keep going.

Some of the jargon terms can be figured out fairly easily.  An agora, as it was in Greece, is a public meeting place.  Gogol wrote a book called “Dead Peasants,” so gogols are slaves.  Gevulot is the Hebrew word for borders, and has to deal with agreed-upon privacy deals.  But all of them have quirks, and a number of other terms come out of nowhere.

I was prompted to review this book since it was recommended as a piece of fiction that accurately represented some interesting aspects of information security.  Having read it, I can agree that there are some cute descriptions of significant points.  There is mention of a massive public/asymmetric key infrastructure (PKI) system.  There is reference to the importance of social engineering in breaking technical protection.  There is allusion to the increased fragility of overly complex systems.  But these are mentions only.  The asymmetric crypto system has no mention of a base algorithm, of course, but doesn’t even begin to describe the factors in the PKI itself.

If you know infosec you will recognize some of the mentions.  If you don’t, you won’t learn them.  (A specific reference to social engineering actually relates to an implementation fault.)  Otherwise, you may or may not enjoy being baffled by the pseudo-creativity of the story.

copyright, Robert M. Slade   2012     BKQNTTHF.RVW   20120724

Art, hacking, privacy, and the US Secret Service

“Media artist” creates a form of spyware using Macbook webcams.  Runs it on computers in Apple Stores.  Apple calls Secret Service about the artist.  Lots more.  Some interesting and provocative concepts in the article, covering privacy, legality, search and seizure, and the fact that people show little affect when working with/on computers:

http://www.wired.com/threatlevel/2012/07/people-staring-at-computers/all/

Using Skype Manager? no? Expect incoming fraud

I have been using Skype ever since it came out, so I know my stuff.

I know how to write strong passwords, how to use smart security questions and how to – most importantly – avoid Phishing attempts on my Skype account.

But all that didn’t help me avoid a Skype mishap (or more bluntly as a friend said – Skype f*ckup).

It all started Saturday late at night (about 2am GMT), when I started receiving emails in Mandarin from Skype, my immediate thought was fraud, a phishing attempt, so I ignored it. But then I noticed I got also emails from Paypal with charges from Skype for 100$ 200$ 300$, and I was worried, was my account hacked?

I immediately went to PayPal and disconnected my authorization to Skype, called in Transaction Dispute on PayPal and then went on to look at my Skype account.

I looked into the recent logons to my account – nothing.

I looked into email changes, or passwords – nothing.

I couldn’t figure out how the thing got to where it was, and then I noticed, I have become a Skype Manager – wow I was promoted and I didn’t even send in my CV.

Yeah, joke aside, Skype Manager, is a service Skype gives to businesses to allow one person to buy Skype Credit and other people to use that Credit to make calls. A great idea, but the execution is poor.

The service appears to have been launched in 2012, and a few weeks after that, fraud started popping up. The how is very simple and so stupid it shameful for Skype to not have fixed this, since it was first reported (which I found) on the 21st of Jan 2012 on the Skype forum.

Apparently having this very common combinations of:
1) Auto-charge PayPal
2) Never used Skype Manager
3) Never setup a Work email for Skype

Makes it possible for someone to:
1) Setup you as a Skype Manager
2) Setup a new work email on some obscure service (mailinator was used in my case), and have all Skype emails for confirmations sent there

Yes, they don’t need to know anything BESIDE the Skype Call name of your account – which is easy to get using Skype Search.

Once you have become a Skype Manager, “you” can add users to the group you are managing – they don’t need to logon as all they need to do is use the (email) link you get to the newly assigned Work Email, yes, it doesn’t confirm the password – smart ha?

The users added to your Skype Manager can now take the Credit (its not money, it just call credits) and call anywhere they want.

Why this bug / feature not been fixed/addressed since the first time it was made public on the Skype Forum (probably was exploited before then), is anyone’s guess, talking to the Fraud department of Skype – he mainly stated that I should:
1) Change my password for Skype – yes, that would have helped nothing in this case
2) Make sure I authorize Skype only on trustworthy devices

The bottom line, Skype users, make sure:
1) You have configured your Skype Manager – if you are using Auto-Charge feature – I have disabled my Auto-Charge and PayPal authorization since then, and don’t plan on enabling it anytime (ever)
2) You have configured your Skype Work email – yes, if its unset, anyone can change it – without needing to know your current password – is this company a PCI authorized company? 😀

If you have more insight on the matter, let me know

– Noam