
Wednesday, April 30, 2014

PC Speak: Abney Associates Tech Blog, Online fraud risks: protect yourself


The internet is such a part of everyday life that we don't even think about it any more. It's no more exotic and unexpected than having water coming out of the taps. However, unlike the water coming out of our taps, the internet isn't always pure and clear. And by using it without taking the proper precautions, we could find ourselves becoming the victims of online fraud.

So how can we protect ourselves?

CIFAS, the UK's fraud prevention service, discovered that in the last year, card fraud and identity theft had surged - with over 125,000 separate instances. A significant proportion of these frauds are perpetrated because people don't take sufficient precautions online. So what do you need to be aware of, and how can you protect yourself?

Experian has produced 5 top tips to stay safe online.

Beware of phishing expeditions
These involve emails or phone calls which come out of the blue, and persuade you to part with your credit card details or bank account information. There are a number of common approaches.

One is to pretend to be from your bank or card provider, asking you to log on and verify your identity. If you click on the link they have sent, you'll be sent to a site run by fraudsters, who will collect the information you input and use it to take your money. Others will use a likely-sounding story, such as telling you you have a PPI repayment waiting or a tax rebate.

Experian says that your best approach is to assume that all emails asking for confidential data are scams. If you receive one, contact the organisation involved to let them know about the scam, using email or phone details you already have rather than the link in the email.

Don't be a Twit
Be careful about what you reveal through social media. It can be easy to post photos of valuable possessions, complain about your bank by name, boast about a forthcoming holiday or mention pet names, your mother's maiden name or anything else you may have used as a password. There are plenty of people out there - including your 'friends' or people posing as them - who would use this to access your email, infiltrate online banking, or even burgle your home while you're away.

Be wary of wi-fi
It might be a useful way to buy something on the hoof, or check your bank balance, but there can be nasties hiding in public wi-fi when you're out and about - and your every online move can be watched.
Experian says it's worth being wary: avoid banking online on public wi-fi, and steer clear of any site that needs a password, from banks to social networks.

Check your statements
If a fraudster has taken over your account, or accessed your credit card, your statement is the first place it will show. Experian says that fraudsters are increasingly taking smaller amounts from their victims on a regular basis rather than a one-off hit. If you don't check your statements, it's easy to miss this. One of the best approaches is to go through every single transaction and only tick them off when you're absolutely sure you know what it is.
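The tick-off approach above, turned into a small reconciliation script (an added example, not part of the original post): transactions from payees you have positively identified are ticked off, and the remainder are checked for the pattern the article warns about, small debits recurring from the same payee. The statement lines and payee names are constructed sample data.

```python
"""Statement reconciliation: tick off transactions you can explain, then look
through the rest for small, regularly recurring debits from one payee."""
from collections import defaultdict
from datetime import date

# Constructed sample statement: (posting date, payee, amount in pounds).
# Negative amounts are debits, positive amounts are credits.
STATEMENT = [
    (date(2014, 3, 2), "TESCO STORES 2041", -54.20),
    (date(2014, 3, 5), "WEBSVC*PREMIUM", -4.99),
    (date(2014, 3, 9), "THAMES WATER", -31.00),
    (date(2014, 3, 12), "WEBSVC*PREMIUM", -4.99),
    (date(2014, 3, 14), "SALARY ACME LTD", 2100.00),
    (date(2014, 3, 19), "WEBSVC*PREMIUM", -4.99),
    (date(2014, 3, 21), "TESCO STORES 2041", -61.75),
    (date(2014, 3, 26), "WEBSVC*PREMIUM", -4.99),
]

# Payees the account holder has positively identified ("ticked off").
KNOWN_PAYEES = {"TESCO STORES 2041", "THAMES WATER", "SALARY ACME LTD"}


def reconcile(statement, known_payees):
    """Split the statement into (ticked, unexplained) lists.

    A transaction is ticked only when its payee is one the account holder
    has already recognised; everything else needs a closer look."""
    ticked, unexplained = [], []
    for tx in statement:
        (ticked if tx[1] in known_payees else unexplained).append(tx)
    return ticked, unexplained


def recurring_small_debits(transactions, max_amount=10.0, min_occurrences=3):
    """Flag payees that take a small amount repeatedly.

    Returns {payee: {"count", "total", "avg_gap_days"}} for every payee with
    at least `min_occurrences` debits of `max_amount` or less. A weekly 4.99
    is easy to skim past on a statement, which is exactly why it is flagged."""
    by_payee = defaultdict(list)
    for posted, payee, amount in transactions:
        if amount < 0 and abs(amount) <= max_amount:
            by_payee[payee].append((posted, amount))

    flagged = {}
    for payee, items in by_payee.items():
        if len(items) < min_occurrences:
            continue
        items.sort()
        gaps = [(later[0] - earlier[0]).days
                for earlier, later in zip(items, items[1:])]
        flagged[payee] = {
            "count": len(items),
            "total": round(sum(amount for _, amount in items), 2),
            "avg_gap_days": sum(gaps) / len(gaps) if gaps else None,
        }
    return flagged


if __name__ == "__main__":
    ticked, unexplained = reconcile(STATEMENT, KNOWN_PAYEES)
    print(f"{len(ticked)} ticked off, {len(unexplained)} to check")
    for payee, info in recurring_small_debits(unexplained).items():
        print(f"CHECK {payee}: {info['count']} debits totalling "
              f"{info['total']} every ~{info['avg_gap_days']:.0f} days")
```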

Tuesday, April 29, 2014

PC Speak: Abney Associates Tech Blog, Hacker claim about bug in fixed OpenSSL likely a scam

Hackers claim to have found a new vulnerability in the cryptographic library as serious as Heartbleed, and are selling it for 2.5 bitcoins

Security experts have expressed doubts about a hacker claim that there's a new vulnerability in the patched version of OpenSSL, the widely used cryptographic library repaired in early April.

A group of five hackers writes in a posting on Pastebin that they worked for two weeks to find the bug and developed code to exploit it. They've offered the code for the price of 2.5 bitcoins, around $870.

A new flaw in OpenSSL could pose just as much of a threat as Heartbleed did. But the hackers' claim was met with immediate suspicion on Full Disclosure, a forum for discussing vulnerability reports.

One commentator, Todd Bennett, wrote that the technical description of their claim is "rather extraordinary."

The open-source OpenSSL code is used by millions of web sites to create encrypted communications between client computers and servers. The flaw disclosed in early April, nicknamed "Heartbleed," can be abused to reveal login credentials or a server's private SSL key.

More than two-thirds of the websites affected by the flaw have patched OpenSSL, according to McAfee.

The hackers said they've found a buffer overflow vulnerability that is similar to Heartbleed. They claim they've spotted a missing bounds check in the handling of the variable "DOPENSSL_NO_HEARTBEATS."

"We could successfully overflow the 'DOPENSSL_NO_HEARTBEATS' and retrieve 64kb chunks of data again on the updated version," they wrote.

They have not published their exploit code, so there is no way to verify their claim. The group provided an email address for questions, but did not immediately respond to a query.

A Google search showed the same email address has been used in other offers for data on Pastebin. In March, it was used in a Pastebin posting advertising a trove of data from Mt. Gox, the defunct Tokyo-based bitcoin exchange that was hacked.

The same advertisement also offered database dumps from "carding" websites, or those selling stolen credit card data, and data from CryptoAve, another virtual currency exchange that's been attacked by hackers. Scammers often try to make money by falsely claiming they have data of interest to the hacking community.

The Heartbleed flaw has since touched off an effort to strengthen the security of widely used open-source products. The OpenSSL Project, for example, had just one full-time employee and received only about $2,000 in donations annually despite its critical role in protecting communications.

On Thursday, a group of technology companies and organizations launched the Core Infrastructure Initiative, a project intended to generate funds for full-time developers on important open-source products.

The group's participants include Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation.

Monday, April 28, 2014

PC Speak: Abney Associates Tech Blog: Online Debit, Credit Fraud Will Soon Get Much Worse


I’m not much of a Nostradamus, but one thing I can predict with near certainty is that this time next year we are likely to find ourselves witnessing an all-time high in the rate of online credit and debit card fraud. Ironically, that surge in online theft will be the result of efforts to make the offline use of credit and debit cards more secure.

By Oct. 1 of next year, retail establishments are supposed to be able to accept new credit and debit cards that have a chip embedded and require the use of a PIN when making purchases at the checkout counter. The point is to make the cards smarter so that financial institutions can better detect fraudulent usage. Requiring a PIN clearly adds a layer of identification and protection that can deter such fraud.

How do we know that this effort to increase security at the point of sale is going to actually drive online fraud? We already saw it happen in Europe.

In 2002, European financial institutions started rolling out these very same cards and point-of-sale terminals. We call this technology EMV (Europay, MasterCard and Visa). Financial institutions intend to make EMV a global standard for authenticating credit and debit card transactions using integrated chip technology.

This technology has now been partially or fully deployed in about 14 countries and regions, including most Asian Pacific nations, all of Europe, most of Latin America and the Caribbean. Every country and region in which EMV has been deployed has seen a corresponding surge in online fraud.

Four years after beginning the deployment of cards and new point-of-sale terminals, about 99 percent of businesses and consumers were utilizing EMV. No doubt the cards were effective at cutting offline abuse. Before EMV, Europe saw fraud losses in stores of about 13 basis points of net sales. After EMV, the offline fraud rate plummeted to just 3.5 basis points, according to Douglas King in the study, “Chip-and-Pin: Success and Challenges in Reducing Fraud.”

However, the online world was a fraud nightmare. Online credit and debit card fraud rates more than doubled from the pre-EMV days. In 2004, Europe had an online credit and debit card fraud rate of 25 percent. By 2010, the rate had soared to 64 percent. Further, the European Central Bank’s February 2014 report on card fraud found that card-not-present (CNP) payments, i.e. payments via the internet, post or phone, were the source of 60 percent of total fraud incidents across Europe in 2012. With about $1.1 billion in fraud losses in 2012, CNP fraud showed the highest growth rate, up 21.2 percent from 2011, and analysts project this growth rate will continue to increase in 2013 and 2014.

Making credit and debit cards smarter made the crooks smarter. They stopped using cards with EMV technology in brick-and-mortar stores. Even the thieves knew that using one of the new EMV cards in a store was quickly going to get the card shut down.

So they doubled their efforts at stealing online, where the chips in cards did no good when all that was required were card numbers. Additionally, the bad guys shifted more of their nefarious online activity to foreign countries where it’s even harder to tell a legitimate card user from a thief.

When EMV technology was established, the crooks also started targeting debit cards over credit. Most debit cards use the magnetic stripe and therefore behave like credit cards without the chip and pin, making it easier for fraudsters to exploit both offline using the swipe and online using the debit card number.

Some will probably ask why online retailers don’t just require a PIN for all purchases as in-store clerks do with EMV. We may see more of that kind of adoption here in the U.S. than we’ve seen in other countries that saw this surge in online fraud, even as offline fraud declined. However, putting any barrier in front of checkout in the ecommerce world means a lot of full shopping carts that never make it to purchase.


Friday, April 25, 2014

Abney Associates Tech Blog, Cellphone banking fraud at record high

JOHANNESBURG – Internet banking fraud perpetrated via cellphones was at its highest level to date in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced security to combat SIM swaps than fraudsters were porting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases found in favour of complainants, as they were most often the fault of bank customers.

These include cases where a customer unwittingly allowed someone to assist them at an ATM or peer over their shoulder and view their personal identification number (PIN), as well as cases where ATM machines were tampered with so that customers left their cards in the machines in the belief that they had been swallowed.

Lala-Mohan said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump

“The internet banking onslaught against Capitec continued well into 2013, increasing the number of complaints against the bank,” commented Edrich Buytendorp, case processing and assessments manager at the OBS.

Capitec had 867 files opened against it in 2013, an increase of 615 from 2012, when it had just 252 cases. Buytendorp said this was also on account of its growing customer base and that in many cases Capitec accounts were the beneficiaries of fraud perpetrated at other banks.

Conradie explained that fraudsters often opened accounts for the sole purpose of facilitating fraud. “Where banks fail to act in line with their duty of care when opening accounts, or don’t stop accounts timeously after fraud has been reported, they could be held partly or fully liable for damages suffered by the customer,” he noted.

In one case, the bank partially compensated a customer where it had failed to stop a card immediately after it was notified of ATM fraud. The delay on the part of the bank allowed a third transaction to go through, which the bank refunded to the affected customer.

Cases opened against Standard Bank, which increased to 980 in 2013 (2012: 845), were largely ATM-related. Buytendorp noted that this was not an indication that there was something wrong with Standard Bank’s ATMs.

“Fraudsters target different banks at different times and in different ways. So when one bank improves security in one area, they will target another bank in that area,” Conradie explained.

Cases opened against Absa were down from 1 335 in 2012 to 970 in 2013. FNB also saw complaints fall, to 927 (2012: 1 260), while complaints against Nedbank climbed by 40 to 688.

Forty per cent of cases closed in favour of complainants, down 2% from 2012.

“This is attributable, in large part, to the fact that many complainants were simply debt-stressed and others were victims of fraud. In these instances, there was no maladministration on the part of the bank,” the OBS report notes.

The ombud closed 5 134 cases in 2013, considerably more than the 4 450 cases it closed in 2012. Forty-six per cent of the cases were closed within two months (2012: 44%).

The office awarded R23 million to complainants, an increase of R6.6 million on 2012. This was due to the larger number of cases closed in 2013, as well as bigger awards being made in ATM (R3 million), internet banking (R10 million) and mortgage finance (R4.5 million) cases.


Banking ombudsman Clive Pillay said that the OBS’s turnaround times were largely unmatched by global banking ombuds. The only ombud with a better record is in Canada, where fewer than 300 complaints were handled in 2013.

Abney Associates Tech Blog, Cellphone banking fraud at record high

JOHANNESBURG – Internet banking fraud perpetrated via cellphones was at its highest to-date level in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced security to combat SIM swaps, were fraudsters teleporting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases found in favour of complainants, as they were most often the fault of bank customers.

For instance, cases where a customer unwittingly allowed someone to assist them at an ATM or peer over their shoulder and view their personal identification number (PIN), as well as where ATM machines were tampered with so that customers left their cards in the machines in the belief that they had been swallowed.

Lala-Mahon said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump

“The internet banking onslaught against Capitec continued well into 2013, increasing the number of complaints against the bank,” commented Edrich Buytendorp, case processing and assessments manager at the OBS.

Capitec had 867 files opened against it in 2013, an increase of 615 from 2012, when it had just 252 cases. Buytendorp said this was also on account of its growing customer base and that in many cases Capitec accounts were the beneficiaries of fraud perpetrated at other banks.

Conradie explained that fraudsters often opened accounts for the sole purpose of facilitating fraud. “Where banks fail to act in line with their duty of care when opening accounts, or don’t stop accounts timeously after fraud has been reported, they could be held partly or fully liable for damages suffered by the customer,” he noted.

In one case, the bank partially compensated a customer where it had failed to stop a card immediately after it was notified of ATM fraud. The delay on the part of the bank allowed a third transaction to go through, which the bank refunded to the affected customer.

Cases opened against Standard Bank, which increased to 980 in 2013 (2012: 845), were largely ATM-related. Buytendorp noted that this was not an indication that there was something wrong with Standard Bank’s ATMs.

“Fraudsters target different banks at different times and in different ways. So when one bank improves security in one area, they will target another bank in that area,” Conradie explained.

Cases opened against Absa were down from 1 335 in 2012 to 970 in 2013. FNB also saw complaints fall, to 927 (2012: 1 260), while complaints against Nedbank climbed by 40 to 688.

Forty per cent of cases closed in favour of complainants, down 2% from 2012.

“This is attributable, in large, to the fact that many complainants were simply debt-stressed and others were victims of fraud. In these instances, there was no maladministration on the part of the bank,” the OBS report notes.

The ombud closed 5 134 cases in 2013, a considerable amount more than the 4 450 cases it closed in 2012. Forty-six per cent of the cases were closed within two months (2012: 44%).

The office awarded R23 million to complainants, an increase of R6.6 million on 2012. This was due to the larger number of cases closed in 2013, as well as bigger awards being made in ATM (R3 million), internet banking (R10 million) and mortgage finance (R4.5 million) cases.


Banking ombudsman Clive Pillay said that the OBS’s turnaround times were largely unmatched by global banking ombuds. The only ombud with a better record is in Canada, where fewer than 300 complaints were handled in 2013.

Abney Associates Tech Blog, Cellphone banking fraud at record high

JOHANNESBURG – Internet banking fraud perpetrated via cellphones was at its highest to-date level in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced security to combat SIM swaps, were fraudsters teleporting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases found in favour of complainants, as they were most often the fault of bank customers.

For instance, cases where a customer unwittingly allowed someone to assist them at an ATM or peer over their shoulder and view their personal identification number (PIN), as well as where ATM machines were tampered with so that customers left their cards in the machines in the belief that they had been swallowed.

Lala-Mahon said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump

“The internet banking onslaught against Capitec continued well into 2013, increasing the number of complaints against the bank,” commented Edrich Buytendorp, case processing and assessments manager at the OBS.

Capitec had 867 files opened against it in 2013, an increase of 615 from 2012, when it had just 252 cases. Buytendorp said this was also on account of its growing customer base and that in many cases Capitec accounts were the beneficiaries of fraud perpetrated at other banks.

Conradie explained that fraudsters often opened accounts for the sole purpose of facilitating fraud. “Where banks fail to act in line with their duty of care when opening accounts, or don’t stop accounts timeously after fraud has been reported, they could be held partly or fully liable for damages suffered by the customer,” he noted.

In one case, the bank partially compensated a customer where it had failed to stop a card immediately after it was notified of ATM fraud. The delay on the part of the bank allowed a third transaction to go through, which the bank refunded to the affected customer.

Cases opened against Standard Bank, which increased to 980 in 2013 (2012: 845), were largely ATM-related. Buytendorp noted that this was not an indication that there was something wrong with Standard Bank’s ATMs.

“Fraudsters target different banks at different times and in different ways. So when one bank improves security in one area, they will target another bank in that area,” Conradie explained.

Cases opened against Absa were down from 1 335 in 2012 to 970 in 2013. FNB also saw complaints fall, to 927 (2012: 1 260), while complaints against Nedbank climbed by 40 to 688.

Forty per cent of cases closed in favour of complainants, down 2% from 2012.

“This is attributable, in large, to the fact that many complainants were simply debt-stressed and others were victims of fraud. In these instances, there was no maladministration on the part of the bank,” the OBS report notes.

The ombud closed 5 134 cases in 2013, a considerable amount more than the 4 450 cases it closed in 2012. Forty-six per cent of the cases were closed within two months (2012: 44%).

The office awarded R23 million to complainants, an increase of R6.6 million on 2012. This was due to the larger number of cases closed in 2013, as well as bigger awards being made in ATM (R3 million), internet banking (R10 million) and mortgage finance (R4.5 million) cases.


Banking ombudsman Clive Pillay said that the OBS’s turnaround times were largely unmatched by global banking ombuds. The only ombud with a better record is in Canada, where fewer than 300 complaints were handled in 2013.

Abney Associates Tech Blog, Cellphone banking fraud at record high

JOHANNESBURG – Internet banking fraud perpetrated via cellphones was at its highest to-date level in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced security to combat SIM swaps, were fraudsters teleporting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases found in favour of complainants, as they were most often the fault of bank customers.

For instance, cases where a customer unwittingly allowed someone to assist them at an ATM or peer over their shoulder and view their personal identification number (PIN), as well as where ATM machines were tampered with so that customers left their cards in the machines in the belief that they had been swallowed.

Lala-Mahon said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump


Cellphone banking fraud at record high


JOHANNESBURG – Internet banking fraud perpetrated via cellphones reached its highest level to date in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced security to combat SIM swaps than fraudsters were porting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).
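The mechanism described above (a replaced SIM or a freshly ported number receiving the bank's one-time passwords) suggests the check a bank can run before trusting an SMS code. The following is an added example, not code from the article or from any bank or ombud; the operator lookup fields, the account fraud flag and the cooldown thresholds are all assumptions.

```python
"""Added example (not from the article): SMS one-time-password gating that
accounts for recent SIM swaps and number ports before a bank trusts an OTP.

Assumptions (constructed for illustration): the bank obtains from the mobile
operator the time the SIM behind a number was last replaced and the time the
number was last ported between providers; the thresholds are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Invented policy thresholds; a real bank would tune these from its own case data.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)
PORT_COOLDOWN = timedelta(days=7)


@dataclass
class NumberStatus:
    msisdn: str
    sim_last_changed: Optional[datetime]  # None when the operator has no record
    last_ported: Optional[datetime]       # None when the number never moved providers


@dataclass
class AccountStatus:
    account_id: str
    fraud_reported_at: Optional[datetime]  # set once the customer has reported fraud


def _within(event: Optional[datetime], now: datetime, window: timedelta) -> bool:
    """True when `event` happened less than `window` ago."""
    return event is not None and now - event < window


def otp_decision(account: AccountStatus, number: NumberStatus, now: datetime) -> str:
    """Return 'block', 'step_up' or 'send' for an SMS OTP request.

    block   - fraud has been reported on the account: stop it, do not transact.
    step_up - the SIM or the number changed recently, so an SMS code may reach
              a fraudster; verify through a channel that does not depend on the SIM.
    send    - no recent change on record; the SMS OTP may be sent.
    """
    if account.fraud_reported_at is not None and account.fraud_reported_at <= now:
        return "block"
    if _within(number.sim_last_changed, now, SIM_CHANGE_COOLDOWN):
        return "step_up"
    if _within(number.last_ported, now, PORT_COOLDOWN):
        return "step_up"
    return "send"


# Constructed sample data (numbers and account ids are placeholders).
NOW = datetime(2013, 11, 5, 9, 0)
SAMPLE_CASES = {
    "clean": (AccountStatus("A1", None),
              NumberStatus("+27000000001", NOW - timedelta(days=400), None)),
    "fresh_swap": (AccountStatus("A2", None),
                   NumberStatus("+27000000002", NOW - timedelta(hours=5), None)),
    "fresh_port": (AccountStatus("A3", None),
                   NumberStatus("+27000000003", NOW - timedelta(days=30), NOW - timedelta(days=2))),
    "fraud_reported": (AccountStatus("A4", NOW - timedelta(hours=1)),
                       NumberStatus("+27000000004", NOW - timedelta(days=400), None)),
}


def run_samples(now: datetime = NOW) -> dict:
    """Evaluate every constructed case and return name -> decision."""
    return {name: otp_decision(acc, num, now) for name, (acc, num) in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:15s} -> {decision}")
```

A number with no operator record at all falls through to "send"; a bank that wants to fail closed on missing data would treat `None` as a recent change instead.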

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases were found in favour of complainants, as they were most often the fault of bank customers.

These included cases where a customer unwittingly allowed someone to assist them at an ATM or to peer over their shoulder and view their personal identification number (PIN), as well as cases where ATMs were tampered with so that customers left their cards in the machine believing they had been swallowed.

Lala-Mohan said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump

“The internet banking onslaught against Capitec continued well into 2013, increasing the number of complaints against the bank,” commented Edrich Buytendorp, case processing and assessments manager at the OBS.

Capitec had 867 files opened against it in 2013, an increase of 615 from 2012, when it had just 252 cases. Buytendorp said this was also on account of its growing customer base and that in many cases Capitec accounts were the beneficiaries of fraud perpetrated at other banks.

Conradie explained that fraudsters often opened accounts for the sole purpose of facilitating fraud. “Where banks fail to act in line with their duty of care when opening accounts, or don’t stop accounts timeously after fraud has been reported, they could be held partly or fully liable for damages suffered by the customer,” he noted.

In one case, the bank partially compensated a customer where it had failed to stop a card immediately after it was notified of ATM fraud. The delay on the part of the bank allowed a third transaction to go through, which the bank refunded to the affected customer.

Cases opened against Standard Bank, which increased to 980 in 2013 (2012: 845), were largely ATM-related. Buytendorp noted that this was not an indication that there was something wrong with Standard Bank’s ATMs.

“Fraudsters target different banks at different times and in different ways. So when one bank improves security in one area, they will target another bank in that area,” Conradie explained.

Cases opened against Absa were down from 1 335 in 2012 to 970 in 2013. FNB also saw complaints fall, to 927 (2012: 1 260), while complaints against Nedbank climbed by 40 to 688.

Forty per cent of cases were closed in favour of complainants, down 2% from 2012.

“This is attributable, in large, to the fact that many complainants were simply debt-stressed and others were victims of fraud. In these instances, there was no maladministration on the part of the bank,” the OBS report notes.

The ombud closed 5 134 cases in 2013, a considerable amount more than the 4 450 cases it closed in 2012. Forty-six per cent of the cases were closed within two months (2012: 44%).

The office awarded R23 million to complainants, an increase of R6.6 million on 2012. This was due to the larger number of cases closed in 2013, as well as bigger awards being made in ATM (R3 million), internet banking (R10 million) and mortgage finance (R4.5 million) cases.

Banking ombudsman Clive Pillay said that the OBS’s turnaround times were largely unmatched by global banking ombuds. The only ombud with a better record is in Canada, where fewer than 300 complaints were handled in 2013.

Abney Associates Tech Blog, Android users targeted by iBanking trojan app on Facebook

Cybercriminals have started using a sophisticated Android Trojan app designed for e-banking fraud to target Facebook users, possibly in an attempt to bypass the two-factor authentication protection on the social network.

Security researchers from antivirus vendor ESET have identified a new variant of a computer banking Trojan called Qadars that injects rogue JavaScript code into Facebook pages when opened in a browser from an infected system. The injected code generates a message instructing users to download and install Android malware that can steal authentication codes sent to their phones via SMS.

These man-in-the-browser attacks are known as webinjects and have long been used by computer Trojans to display rogue Web forms on online banking websites with the goal of collecting log-in credentials and other sensitive financial information from users.

Webinjects are also commonly used to display messages that instruct users to download and install malicious applications on their mobile phones by presenting them as security apps required by financial institutions. In reality those rogue mobile apps are designed to steal mobile transaction authorisation numbers (mTANs) and other one-time passwords sent by banks via SMS.

In February security researchers from RSA, the security division of EMC, reported that the source code for an advanced Android Trojan called iBanking was released on an underground forum and warned that this development will allow more cybercriminals to incorporate this mobile threat in their future operations.

Once installed on an Android phone, iBanking can capture incoming and outgoing text messages; can redirect calls to a pre-defined phone number; can capture audio from the surrounding environment using the device’s microphone and can steal the call history log and the phone book.

The authors of the Qadars computer Trojan were quick to adopt iBanking, according to a new report by researchers from ESET, but instead of using it against online banking users they appear to be targeting accounts on Facebook.

This alleged protection system is presented as a mobile application that generates unique authentication codes that can be used instead of regular passwords. In order to obtain the application, users are asked to specify the OS of their mobile phone and their phone number. They are then directed to a page with a download link and a corresponding QR code.

The application being offered to Android device owners is a version of the iBanking Trojan app that has been modified to look like a Facebook application for generating one-time passwords. During installation, users are instructed to enable the Android setting allowing the installation of apps obtained from unknown sources and are asked to give the app device administrator permissions.

“The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud,” ESET malware researcher Jean-Ian Boutin said in a blog post.

“It’s possible that the attackers are using iBanking to steal security codes sent via SMS by Facebook’s legitimate two-factor authentication system. It may be that there’s a growing number of people using this protection feature on Facebook, making accounts harder to compromise through traditional credential theft attacks,” added Boutin.

However, it’s also possible that attackers have chosen to use webinjects on Facebook because it’s an efficient way to distribute the malware to a lot of users without worrying which particular banking sites they regularly interact with.

Thursday, April 24, 2014

Abney Associates Tech Blog, Online fraud – why Heartbleed isn’t the only cyber threat

More than a decade ago, I attended an excellent talk by well-known cryptographer and security expert Bruce Schneier, where his key point was that there was nothing new under the sun when it came to security issues.

Yes, the scary stuff happening on the internet at the time, involving hackers and algorithm-cracking and malware, might seem particularly alarming because it was, or seemed, as if it had never been seen before. But actually, he argued, it was all the same old crimes, just done with new tools. Theft, identity-stealing, fraud – they’d all be familiar to a Roman.

Every time I attend a security event, or, as last week, the launch of a security report, his point comes to mind, as it puts the latest trends in malware, or the most recent outrageous hacker exploit, in a useful context. It isn’t so much what’s being done, as how it’s being done. And that, as I discovered way back when I stumbled into my first security conference in Silicon Valley and was hooked like a phishing victim, is endlessly inventive and fascinating.

And so it was, out at Symantec’s security centre in Dublin, as researchers talked through Symantec’s 2014 Internet Security Threat Report , which looks back over key developments in 2013.

Hence Heartbleed, the internet security bug that has made headlines this month, didn’t feature at all. But there were many bizarre and intriguing developments.

I found particularly fascinating a discussion on some of the potential ways to get money out of an ATM.

Most ATM crime still involves boring old “skimming”, the practice of getting hold of people’s account information, generally using some sort of card reader, coupled with a secret camera for recording passwords.

But, said Symantec security operations manager Orla Cox, in South America and more recently the US, groups are beginning to use malware to attack ATMs. They open up the front of the machine by picking the lock or using a duplicate key, then use the USB port on the machine’s computer innards to launch malware.

‘Surprisingly open’

“The actual computer part of the ATM is surprisingly open,” she noted. There are only a limited number of keys to open the tops, too, and unsurprisingly, these are now bought and sold on the internet, and are even produced by 3D printer.

Thieves can then attach a USB key to launch malware which enables someone to use the machine’s screen to access cash. Some have attached a mobile phone to the USB port inside and can simply walk up to the ATM and send a text from their phone to the ATM phone, signalling it to dispense cash.

Another interesting development has been the huge increase in targeted “spear phishing” attacks, where hackers aim to dupe individuals at a certain level, within particular industries, because they are most likely to have access to sensitive accounts and information. And who do you think might be the ideal attack target? Most would likely guess a senior executive in, say, financial services. But it’s actually a personal assistant at a mining company.

It turns out mining companies have a lot of sensitive information, including on oil exploration, which can be stolen (perhaps by corporate or state agents, or by hackers selling to same).

Also, they tend to make a lot of large payouts to suppliers and contractors, making it easier to fake invoices and hide fraudulent payouts. Symantec said one in 2.7 attacks overall was against a mining company, the highest for any industry.

Medium-sized targets

I was also intrigued by the shift away from big multinationals as a target for attacks. In 2011 and 2012, big firms with more than 2,500 employees accounted for 50 per cent of all targeted attacks. In 2013, that declined to 39 per cent, with the difference accounted for by a shift towards medium-sized companies.

That now makes SMEs the leading targets for spear phishing, said Cox, probably because security at smaller firms is poorer as the budget is smaller. Yet SMEs tend to have sensitive account information for big companies.

This is the most significant take-away for Irish businesses, she told me, as Ireland is full of SMEs that act as suppliers to multinationals here and elsewhere, or buy from them. “Smaller companies are the stepping stone,” she said. “They’re the soft touch to get into the larger companies.”

There’s plenty more to read about in the report – a rise in ransomware attacks, for example, where criminals lock down a person’s PC remotely and require them to pay up to then unlock it. Or not – once the money is sent, some just leave the poor victim’s computer in limbo. (“Back up regularly,” says Symantec.)


Tuesday, April 22, 2014

Abney Associates Tech Blog, Zeus Malware: A Continuing Threat

The indictment of nine alleged participants in a fraud scheme that involved infecting thousands of business computers with Zeus malware to steal millions of dollars shows that the malware remains a formidable ongoing threat, financial services security experts say.

The victims in the case included a Nebraska bank and a Nebraska company, according to an announcement of the indictment from federal prosecutors. The indictment was unsealed in connection with the April 11 arraignment of two Ukrainian nationals, who were recently extradited from the United Kingdom. Three other Ukrainians and a Russian have not yet been arrested; the indictment also names three other "John Doe" defendants.

"These actors are only a few of those who operate Zeus botnets out of a sea of cybercriminals who use variations to commit fraud," says Ryan Sherstobitoff, a threat researcher at security vendor McAfee, a unit of Intel. "Zeus will always be a continuing threat, and cybercriminals will continue to use Zeus to steal money. We as an industry must be vigilant."

Kevin Haley, security response director at security vendor Symantec, says the indictments won't put much of a dent in the use of the malware. "Zeus is not a gang; it's a toolkit, a very popular one used by many gangs," he says. "While today there is one less gang, there are still plenty of others using Zeus to attack us."

Andreas Baumhof, chief technology officer at anti-fraud vendor ThreatMetrix, says that when it comes to fighting fraud, the latest indictments are "like taking a scoop of sand out of the beach.

"The thing about Zeus is that the people who develop and distribute Zeus are not the same people who use Zeus to steal money," Baumhof says. "Now we have a couple less people using Zeus."

Zeus is a continuing threat because many financial institutions aren't looking necessarily for the malware itself, says George Tubin, banking expert at anti-malware provider Trusteer. "What [banks] are trying to do is use different authentication means and different fraud prevention technologies to try to spot when fraud happens," he says. "But very few institutions are actually trying to identify when man-in-the-middle malware [such as Zeus] is being used."
The nine defendants in the case revealed April 11 allegedly used the malware to capture passwords, account numbers and other information necessary to log into online banking accounts, federal prosecutors say. The conspirators then used the information to steal millions of dollars from victims' bank accounts.

The defendants allegedly falsely represented to banks that they were employees of the victim organizations and were authorized to make transfers of funds from the victims' bank accounts, according to an announcement from the Federal Bureau of Investigation.

As part of the scheme, the defendants allegedly used money mules in the U.S. who received funds transferred over the ACH network or through other interstate wire systems from victims' bank accounts, the FBI says. The money mules then allegedly withdrew some of those funds and wired the money overseas to conspirators.

All the defendants were charged by a federal grand jury with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft and multiple counts of bank fraud.
McAfee's Sherstobitoff says federal law enforcement is making progress mitigating the Zeus threat through botnet takedowns and disruption efforts. "These disruption efforts are oriented toward breaking up criminal rings who operate Zeus to steal from commercial entities," he says.

Haley at Symantec notes: "Security technology continues to get better, and users become more aware of the social engineering tricks that attackers deploy. But the attackers do not stand still either."

Organizations need to first identify the critical business information that must be protected and prioritize that appropriately, Haley says. Then they must implement security technology, including anti-spam technology, to mitigate the e-mail threats. "And finally, users need security awareness training," he says.

ThreatMetrix's Baumhof says making progress in fighting fraud is challenging because many malware attacks are so targeted. "The trick with Zeus is that it is a very flexible toolkit that you can use in many different ways," he says. "People try to mitigate the specific attacks that they are being attacked with, not against Zeus. People are protecting against cuts and not against the Swiss Army knife."

To fight attacks that use Zeus, banks need to ensure more data is available to systems that assess risk, Baumhof says. And that includes information about end users' devices. "How can a bank make a good decision regarding whether or not a particular transaction is valid if there is no visibility into the endpoint?"