Sunday, May 4, 2014

Abney Associates Tech Blog: Technology law will soon be reshaped by people who don't use e-mail

The US Supreme Court doesn't understand the internet. Laugh all you want, but when NSA, Pandora and privacy cases hit the docket, the lack of technical savvy on the bench gets scary.

Internet radio, out-of-control software patents, online posts as protected speech and secret NSA orders could all come before the Supreme Court in the near future. Illustrations: DonkeyHotey / Flickr via Creative Commons (justices and seal); Electronic Frontier Foundation (NSA)


(TheGuardian) - There has been a lot of discussion of, and mockery of, the US Supreme Court's recent forays into cellphones and the internet, but as more and more of these cases bubble up to the high court, including surveillance reform, we won't be laughing for long: the future of technology and privacy law will undoubtedly be written over the next few years by nine people who haven't "really gotten to" email and who find Facebook and Twitter "a challenge".

A pair of cases argued before the court this week asked whether the police can search someone's cellphone after an arrest, but without a warrant. The court's decisions inevitably affect millions. As the New York Times editorial board explained at the close of arguments, "there are 12 million arrests in America every year, most for misdemeanors that can be as minor as jaywalking." Over 90% of Americans have cellphones, and as the American Civil Liberties Union argued in a brief to the court, our mobile devices "are in effect our new homes".

Most people under 40 would probably agree that the police should never have the right to rummage through our entire lives without a purpose grounded in probable cause. Yet during arguments, Chief Justice Roberts insinuated that the police could reasonably suspect a person carrying two cellphones of being a drug dealer. Is he not aware that a large part of the DC political class he associates with, including many of his own law clerks, carries both a personal and a work phone every day? The Chief Justice of the Supreme Court of the United States may have proved this week that he can toss out tech lingo like "Facebook" and even "Fitbit", but he is sealed off from reality.

The Supremes tend to do better on tech cases when they avoid engaging directly with the actual technical substance of the technology. They were praised for ruling, 9-0, two years ago that the police need a warrant to place a GPS tracker on someone's car. Even then, though, Justice Alito ridiculed Justice Scalia's controlling opinion for deciding such a modern case "based on 18th-century tort law".

When it comes to the future of tech policy in the US, this week's cellphone arguments are just the tip of the iceberg. Right now the FBI is engaged in all sorts of warrantless surveillance, using a range of devices. Most notably, the agency believes it can obtain our mobile location information, which reveals the most intimate details of our lives, without a warrant. The sharp split in the lower courts will only grow over the next year.

Other cases funneling through the system address the question of whether the police can force you to hand over the passwords to your devices. Given that the right against self-incrimination is spelled out in the Fifth Amendment, and that there are parallels between login credentials and other information stored in your head, compelled decryption would seem antithetical to the Constitution. But in cases involving encrypted hard drives, the government has argued otherwise.

That's not all: internet radio, out-of-control software patents, and whether online posts should be judged the same as traditionally protected speech: all of these could bubble up to the high court soon.

And remember, just months before Edward Snowden became a household name, the ACLU was before the Supreme Court arguing that the Fisa Amendments Act, one of the primary laws at the center of the NSA scandal, was unconstitutional. The court cravenly dismissed the case 5-4 on "standing" grounds, and never ruled on the merits. One of the first things Snowden reportedly said after his revelations, when the ACLU became his lawyers, was: "Do you have standing now?"

Do they ever. Thanks to Snowden's revelations, several more lawsuits, 25 by The Verge's count, have sprung up across the country. Even NSA defenders, who earlier this year tried to stop the courts from ruling on the subject, are suddenly suggesting the Supreme Court should weigh in, hoping it is their only way out.

Tellingly, the NSA's legal house of cards rests on a terribly outdated case from 1970 that ruled the government could get the phone records of a single suspect under active investigation, for a short period. The government has morphed that into meaning it can collect all kinds of metadata, on everyone, always.

The good news is that if the justices can avoid fixating on technical details (the very kind they don't seem to understand), the Roberts court can still come to the right decision. After chiding the justices in Aereo, Vox's Tim Lee argued that it is actually good the justices aren't technically savvy, because it allows them to see the big picture, citing that they have "done a remarkably good job of crafting a sensible body of patent and copyright law over the past few decades". (They also delivered an encouraging decision on patent trolls just this week.)

There is evidence in recent privacy opinions that at least some of the justices understand how technology is used, even if they don't use it themselves. As Justice Sotomayor wrote in her concurring opinion in the GPS case:

"It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties... This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks."

Encouragingly, Justice Kagan made similar comments this week.

But as the Electronic Frontier Foundation's Parker Higgins convincingly argues, it is not the justices' lack of personal experience with technology that is the problem; it is their tendency not to understand how people use it. Back to Chief Justice Roberts's concerns about crooks with two phones: if he is genuinely unaware of how common that behavior is (he clearly doesn't watch Breaking Bad), then that suggests a large gap in his understanding of society.

This lack of basic understanding is frightening, because the Supreme Court is really the only branch of government prepared to confront one of the biggest challenges of our time: bringing our laws up to the pace of innovation, and defending our principles against surveillance that is sprinting ahead. The NSA is "training more cyberwarriors" as fast as it can, but our elected officials move at a snail's pace when it comes to the internet. The US Congress has proven unable to pass even the uncontroversial proposals, let alone comprehensive NSA reform: the legislative branch can't even get its act together long enough to pass an update to our primary email privacy law, which was written in 1986, before the internet as we know it had been invented.

So the future of our privacy, of our technology: these issues land at the feet of a handful of tech-unsavvy justices. Future nominees to the bench should be asked about their knowledge of technology at their confirmation hearings. And while many have argued that the secret Fisa court should employ a technologist to explain technical issues to its less technical judges, the same could be said of the Supreme Court. It's time to get online already.

Friday, April 25, 2014

Abney Associates Tech Blog, Cellphone banking fraud at record high

JOHANNESBURG – Internet banking fraud perpetrated via cellphones was at its highest to-date level in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced their security to combat SIM swaps than fraudsters began porting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).
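The SIM-swap and number-porting pattern described above is usually countered on the bank's side by checking carrier change history before an SMS one-time password is sent. As an added illustration, not from the article, the OBS or any bank, the Python below gates OTP delivery on a constructed carrier event feed; the event types, field names and the 72-hour cool-off window are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Constructed example of a bank-side gate: refuse SMS OTP delivery while a
# SIM swap or port-out on the subscriber number is fresher than a cool-off
# window. The feed format and window length are assumptions, not anything
# the OBS report describes.

RISKY_EVENTS = {"sim_swap", "port_out"}


@dataclass(frozen=True)
class CarrierEvent:
    msisdn: str         # subscriber number in E.164 form, e.g. +27821234567
    kind: str           # "sim_swap", "port_out" or anything else (ignored)
    at: datetime        # time the carrier recorded the change (assumed UTC)


@dataclass(frozen=True)
class OtpDecision:
    allow_sms: bool     # True: SMS OTP may be sent; False: use another channel
    reason: str


def normalize_msisdn(raw: str) -> str:
    """Canonicalize a number so '+27 82 123-4567' and '+27821234567' match.
    Conversion of local formats (leading 0) to E.164 is out of scope here."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if not digits:
        raise ValueError("no digits in MSISDN")
    return "+" + digits


def latest_risky_change(events: Iterable[CarrierEvent], msisdn: str) -> Optional[CarrierEvent]:
    """Most recent SIM swap or port-out recorded for this number, or None."""
    target = normalize_msisdn(msisdn)
    newest = None
    for ev in events:
        if ev.kind not in RISKY_EVENTS:
            continue
        if normalize_msisdn(ev.msisdn) != target:
            continue
        if newest is None or ev.at > newest.at:
            newest = ev
    return newest


def decide_otp_delivery(msisdn: str, events: Iterable[CarrierEvent],
                        now: datetime,
                        cooloff: timedelta = timedelta(hours=72)) -> OtpDecision:
    """Block SMS OTPs while the last SIM swap or port-out is inside the
    cool-off window. A future-dated event (clock skew or a bad feed) is
    clamped to age zero so the check fails closed rather than open. The
    caller is expected to step up to an in-app or branch verification."""
    change = latest_risky_change(events, msisdn)
    if change is None:
        return OtpDecision(True, "no SIM swap or port-out on record")
    age = max(now - change.at, timedelta(0))
    if age < cooloff:
        hours = age.total_seconds() / 3600
        window = cooloff.total_seconds() / 3600
        return OtpDecision(False, f"{change.kind} {hours:.1f}h ago is inside the {window:.0f}h cool-off")
    return OtpDecision(True, f"last {change.kind} was {age.days}d ago")


# Constructed sample feed (not real subscribers or real carrier data).
NOW = datetime(2014, 4, 23, 12, 0)
SAMPLE_EVENTS = [
    CarrierEvent("+27821234567", "sim_swap", NOW - timedelta(hours=2)),
    CarrierEvent("+27829876543", "port_out", NOW - timedelta(days=10)),
    CarrierEvent("+27825550000", "plan_change", NOW - timedelta(hours=1)),
    CarrierEvent("+27825551111", "sim_swap", NOW + timedelta(hours=5)),  # future-dated
]

if __name__ == "__main__":
    for number in ("+27 82 123 4567", "+27829876543", "+27825550000", "+27825551111"):
        d = decide_otp_delivery(number, SAMPLE_EVENTS, NOW)
        print(number, "allow_sms=%s" % d.allow_sms, "-", d.reason)
```

A blocked decision should route the customer to a channel that does not depend on the handset, since after a swap or port the fraudster holds the number.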

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases were found in favour of complainants, as they were most often the fault of bank customers.

For instance, there were cases where a customer unwittingly allowed someone to assist them at an ATM or to peer over their shoulder and view their personal identification number (PIN), as well as cases where ATMs were tampered with so that customers left their cards in the machines in the belief that they had been swallowed.

Lala-Mohan said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump

“The internet banking onslaught against Capitec continued well into 2013, increasing the number of complaints against the bank,” commented Edrich Buytendorp, case processing and assessments manager at the OBS.

Capitec had 867 files opened against it in 2013, an increase of 615 from 2012, when it had just 252 cases. Buytendorp said this was also on account of its growing customer base and that in many cases Capitec accounts were the beneficiaries of fraud perpetrated at other banks.

Conradie explained that fraudsters often opened accounts for the sole purpose of facilitating fraud. “Where banks fail to act in line with their duty of care when opening accounts, or don’t stop accounts timeously after fraud has been reported, they could be held partly or fully liable for damages suffered by the customer,” he noted.

In one case, the bank partially compensated a customer where it had failed to stop a card immediately after it was notified of ATM fraud. The delay on the part of the bank allowed a third transaction to go through, which the bank refunded to the affected customer.

Cases opened against Standard Bank, which increased to 980 in 2013 (2012: 845), were largely ATM-related. Buytendorp noted that this was not an indication that there was something wrong with Standard Bank’s ATMs.

“Fraudsters target different banks at different times and in different ways. So when one bank improves security in one area, they will target another bank in that area,” Conradie explained.

Cases opened against Absa were down from 1 335 in 2012 to 970 in 2013. FNB also saw complaints fall, to 927 (2012: 1 260), while complaints against Nedbank climbed by 40 to 688.

Forty per cent of cases closed in favour of complainants, down 2% from 2012.

“This is attributable, in large, to the fact that many complainants were simply debt-stressed and others were victims of fraud. In these instances, there was no maladministration on the part of the bank,” the OBS report notes.

The ombud closed 5 134 cases in 2013, considerably more than the 4 450 cases it closed in 2012. Forty-six per cent of the cases were closed within two months (2012: 44%).

The office awarded R23 million to complainants, an increase of R6.6 million on 2012. This was due to the larger number of cases closed in 2013, as well as bigger awards being made in ATM (R3 million), internet banking (R10 million) and mortgage finance (R4.5 million) cases.


Banking ombudsman Clive Pillay said that the OBS’s turnaround times were largely unmatched by global banking ombuds. The only ombud with a better record is in Canada, where fewer than 300 complaints were handled in 2013.

Abney Associates Tech Blog, Cellphone banking fraud at record high

JOHANNESBURG – Internet banking fraud perpetrated via cellphones was at its highest to-date level in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced security to combat SIM swaps, were fraudsters teleporting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases found in favour of complainants, as they were most often the fault of bank customers.

For instance, cases where a customer unwittingly allowed someone to assist them at an ATM or peer over their shoulder and view their personal identification number (PIN), as well as where ATM machines were tampered with so that customers left their cards in the machines in the belief that they had been swallowed.

Lala-Mahon said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump

“The internet banking onslaught against Capitec continued well into 2013, increasing the number of complaints against the bank,” commented Edrich Buytendorp, case processing and assessments manager at the OBS.

Capitec had 867 files opened against it in 2013, an increase of 615 from 2012, when it had just 252 cases. Buytendorp said this was also on account of its growing customer base and that in many cases Capitec accounts were the beneficiaries of fraud perpetrated at other banks.

Conradie explained that fraudsters often opened accounts for the sole purpose of facilitating fraud. “Where banks fail to act in line with their duty of care when opening accounts, or don’t stop accounts timeously after fraud has been reported, they could be held partly or fully liable for damages suffered by the customer,” he noted.

In one case, the bank partially compensated a customer where it had failed to stop a card immediately after it was notified of ATM fraud. The delay on the part of the bank allowed a third transaction to go through, which the bank refunded to the affected customer.

Cases opened against Standard Bank, which increased to 980 in 2013 (2012: 845), were largely ATM-related. Buytendorp noted that this was not an indication that there was something wrong with Standard Bank’s ATMs.

“Fraudsters target different banks at different times and in different ways. So when one bank improves security in one area, they will target another bank in that area,” Conradie explained.

Cases opened against Absa were down from 1 335 in 2012 to 970 in 2013. FNB also saw complaints fall, to 927 (2012: 1 260), while complaints against Nedbank climbed by 40 to 688.

Forty per cent of cases closed in favour of complainants, down 2% from 2012.

“This is attributable, in large, to the fact that many complainants were simply debt-stressed and others were victims of fraud. In these instances, there was no maladministration on the part of the bank,” the OBS report notes.

The ombud closed 5 134 cases in 2013, a considerable amount more than the 4 450 cases it closed in 2012. Forty-six per cent of the cases were closed within two months (2012: 44%).

The office awarded R23 million to complainants, an increase of R6.6 million on 2012. This was due to the larger number of cases closed in 2013, as well as bigger awards being made in ATM (R3 million), internet banking (R10 million) and mortgage finance (R4.5 million) cases.


Banking ombudsman Clive Pillay said that the OBS’s turnaround times were largely unmatched by global banking ombuds. The only ombud with a better record is in Canada, where fewer than 300 complaints were handled in 2013.

Abney Associates Tech Blog, Cellphone banking fraud at record high

JOHANNESBURG – Internet banking fraud perpetrated via cellphones was at its highest to-date level in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced security to combat SIM swaps, were fraudsters teleporting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases found in favour of complainants, as they were most often the fault of bank customers.

For instance, cases where a customer unwittingly allowed someone to assist them at an ATM or peer over their shoulder and view their personal identification number (PIN), as well as where ATM machines were tampered with so that customers left their cards in the machines in the belief that they had been swallowed.

Lala-Mahon said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump

“The internet banking onslaught against Capitec continued well into 2013, increasing the number of complaints against the bank,” commented Edrich Buytendorp, case processing and assessments manager at the OBS.

Capitec had 867 files opened against it in 2013, an increase of 615 from 2012, when it had just 252 cases. Buytendorp said this was also on account of its growing customer base and that in many cases Capitec accounts were the beneficiaries of fraud perpetrated at other banks.

Conradie explained that fraudsters often opened accounts for the sole purpose of facilitating fraud. “Where banks fail to act in line with their duty of care when opening accounts, or don’t stop accounts timeously after fraud has been reported, they could be held partly or fully liable for damages suffered by the customer,” he noted.

In one case, the bank partially compensated a customer where it had failed to stop a card immediately after it was notified of ATM fraud. The delay on the part of the bank allowed a third transaction to go through, which the bank refunded to the affected customer.

Cases opened against Standard Bank, which increased to 980 in 2013 (2012: 845), were largely ATM-related. Buytendorp noted that this was not an indication that there was something wrong with Standard Bank’s ATMs.

“Fraudsters target different banks at different times and in different ways. So when one bank improves security in one area, they will target another bank in that area,” Conradie explained.

Cases opened against Absa were down from 1 335 in 2012 to 970 in 2013. FNB also saw complaints fall, to 927 (2012: 1 260), while complaints against Nedbank climbed by 40 to 688.

Forty per cent of cases closed in favour of complainants, down 2% from 2012.

“This is attributable, in large, to the fact that many complainants were simply debt-stressed and others were victims of fraud. In these instances, there was no maladministration on the part of the bank,” the OBS report notes.

The ombud closed 5 134 cases in 2013, a considerable amount more than the 4 450 cases it closed in 2012. Forty-six per cent of the cases were closed within two months (2012: 44%).

The office awarded R23 million to complainants, an increase of R6.6 million on 2012. This was due to the larger number of cases closed in 2013, as well as bigger awards being made in ATM (R3 million), internet banking (R10 million) and mortgage finance (R4.5 million) cases.


Banking ombudsman Clive Pillay said that the OBS’s turnaround times were largely unmatched by global banking ombuds. The only ombud with a better record is in Canada, where fewer than 300 complaints were handled in 2013.

Abney Associates Tech Blog, Cellphone banking fraud at record high

JOHANNESBURG – Internet banking fraud perpetrated via cellphones was at its highest to-date level in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced security to combat SIM swaps, were fraudsters teleporting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases found in favour of complainants, as they were most often the fault of bank customers.

For instance, cases where a customer unwittingly allowed someone to assist them at an ATM or peer over their shoulder and view their personal identification number (PIN), as well as where ATM machines were tampered with so that customers left their cards in the machines in the belief that they had been swallowed.

Lala-Mahon said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump

“The internet banking onslaught against Capitec continued well into 2013, increasing the number of complaints against the bank,” commented Edrich Buytendorp, case processing and assessments manager at the OBS.

Capitec had 867 files opened against it in 2013, an increase of 615 from 2012, when it had just 252 cases. Buytendorp said this was also on account of its growing customer base and that in many cases Capitec accounts were the beneficiaries of fraud perpetrated at other banks.

Conradie explained that fraudsters often opened accounts for the sole purpose of facilitating fraud. “Where banks fail to act in line with their duty of care when opening accounts, or don’t stop accounts timeously after fraud has been reported, they could be held partly or fully liable for damages suffered by the customer,” he noted.

In one case, the bank partially compensated a customer where it had failed to stop a card immediately after it was notified of ATM fraud. The delay on the part of the bank allowed a third transaction to go through, which the bank refunded to the affected customer.

Cases opened against Standard Bank, which increased to 980 in 2013 (2012: 845), were largely ATM-related. Buytendorp noted that this was not an indication that there was something wrong with Standard Bank’s ATMs.

“Fraudsters target different banks at different times and in different ways. So when one bank improves security in one area, they will target another bank in that area,” Conradie explained.

Cases opened against Absa were down from 1 335 in 2012 to 970 in 2013. FNB also saw complaints fall, to 927 (2012: 1 260), while complaints against Nedbank climbed by 40 to 688.

Forty per cent of cases closed in favour of complainants, down 2% from 2012.

“This is attributable, in large, to the fact that many complainants were simply debt-stressed and others were victims of fraud. In these instances, there was no maladministration on the part of the bank,” the OBS report notes.

The ombud closed 5 134 cases in 2013, a considerable amount more than the 4 450 cases it closed in 2012. Forty-six per cent of the cases were closed within two months (2012: 44%).

The office awarded R23 million to complainants, an increase of R6.6 million on 2012. This was due to the larger number of cases closed in 2013, as well as bigger awards being made in ATM (R3 million), internet banking (R10 million) and mortgage finance (R4.5 million) cases.


Banking ombudsman Clive Pillay said that the OBS’s turnaround times were largely unmatched by global banking ombuds. The only ombud with a better record is in Canada, where fewer than 300 complaints were handled in 2013.

Cellphone banking fraud at record high


JOHANNESBURG – Internet banking fraud perpetrated via cellphones was at its highest to-date level in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced security to combat SIM swaps, were fraudsters teleporting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases found in favour of complainants, as they were most often the fault of bank customers.

Examples include cases where a customer unwittingly allowed someone to assist them at an ATM or to look over their shoulder and see their personal identification number (PIN), and cases where ATMs were tampered with so that customers left their cards in the machine, believing they had been swallowed.

Lala-Mohan said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump

“The internet banking onslaught against Capitec continued well into 2013, increasing the number of complaints against the bank,” commented Edrich Buytendorp, case processing and assessments manager at the OBS.

Capitec had 867 files opened against it in 2013, an increase of 615 from 2012, when it had just 252 cases. Buytendorp said this was also on account of its growing customer base and that in many cases Capitec accounts were the beneficiaries of fraud perpetrated at other banks.

Conradie explained that fraudsters often opened accounts for the sole purpose of facilitating fraud. “Where banks fail to act in line with their duty of care when opening accounts, or don’t stop accounts timeously after fraud has been reported, they could be held partly or fully liable for damages suffered by the customer,” he noted.

In one case, the bank partially compensated a customer where it had failed to stop a card immediately after it was notified of ATM fraud. The delay on the part of the bank allowed a third transaction to go through, which the bank refunded to the affected customer.

Cases opened against Standard Bank, which increased to 980 in 2013 (2012: 845), were largely ATM-related. Buytendorp noted that this was not an indication that there was something wrong with Standard Bank’s ATMs.

“Fraudsters target different banks at different times and in different ways. So when one bank improves security in one area, they will target another bank in that area,” Conradie explained.

Cases opened against Absa were down from 1 335 in 2012 to 970 in 2013. FNB also saw complaints fall, to 927 (2012: 1 260), while complaints against Nedbank climbed by 40 to 688.

Forty per cent of cases closed in favour of complainants, down 2% from 2012.

“This is attributable, in large, to the fact that many complainants were simply debt-stressed and others were victims of fraud. In these instances, there was no maladministration on the part of the bank,” the OBS report notes.

The ombud closed 5 134 cases in 2013, considerably more than the 4 450 cases it closed in 2012. Forty-six per cent of the cases were closed within two months (2012: 44%).

The office awarded R23 million to complainants, an increase of R6.6 million on 2012. This was due to the larger number of cases closed in 2013, as well as bigger awards being made in ATM (R3 million), internet banking (R10 million) and mortgage finance (R4.5 million) cases.

Banking ombudsman Clive Pillay said that the OBS’s turnaround times were largely unmatched by global banking ombuds. The only ombud with a better record is in Canada, where fewer than 300 complaints were handled in 2013.

Abney Associates Tech Blog, Android users targeted by iBanking trojan app on Facebook


Cybercriminals have started using a sophisticated Android Trojan app designed for e-banking fraud to target Facebook users, possibly in an attempt to bypass the two-factor authentication protection on the social network.

Security researchers from antivirus vendor ESET have identified a new variant of a computer banking Trojan called Qadars that injects rogue JavaScript code into Facebook pages when opened in a browser from an infected system. The injected code generates a message instructing users to download and install Android malware that can steal authentication codes sent to their phones via SMS.

These man-in-the-browser attacks are known as webinjects and have long been used by computer Trojans to display rogue Web forms on online banking websites with the goal of collecting log-in credentials and other sensitive financial information from users.

Webinjects are also commonly used to display messages that instruct users to download and install malicious applications on their mobile phones by presenting them as security apps required by financial institutions. In reality those rogue mobile apps are designed to steal mobile transaction authorisation numbers (mTANs) and other one-time passwords sent by banks via SMS.

In February security researchers from RSA, the security division of EMC, reported that the source code for an advanced Android Trojan called iBanking was released on an underground forum and warned that this development will allow more cybercriminals to incorporate this mobile threat in their future operations.

Once installed on an Android phone, iBanking can capture incoming and outgoing text messages; can redirect calls to a pre-defined phone number; can capture audio from the surrounding environment using the device’s microphone and can steal the call history log and the phone book.

The authors of the Qadars computer Trojan were quick to adopt iBanking, according to a new report by researchers from ESET, but instead of using it against online banking users they appear to be targeting accounts on Facebook.

This alleged protection system is presented as a mobile application that generates unique authentication codes that can be used instead of regular passwords. In order to obtain the application, users are asked to specify the OS of their mobile phone and their phone number. They are then directed to a page with a download link and a corresponding QR code.

The application being offered to Android device owners is a version of the iBanking Trojan app that has been modified to look like a Facebook application for generating one-time passwords. During installation, users are instructed to enable the Android setting allowing the installation of apps obtained from unknown sources and are asked to give the app device administrator permissions.

“The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud,” ESET malware researcher Jean-Ian Boutin said in a blog post.

“It’s possible that the attackers are using iBanking to steal security codes sent via SMS by Facebook’s legitimate two-factor authentication system. It may be that there’s a growing number of people using this protection feature on Facebook, making accounts harder to compromise through traditional credential theft attacks,” added Boutin.

However, it’s also possible that attackers have chosen to use webinjects on Facebook because it’s an efficient way to distribute the malware to a lot of users without worrying which particular banking sites they regularly interact with.

Thursday, April 24, 2014

Abney Associates Tech Blog, Online fraud – why Heartbleed isn’t the only cyber threat


More than a decade ago, I attended an excellent talk by well-known cryptographer and security expert Bruce Schneier, where his key point was that there was nothing new under the sun when it came to security issues.

Yes, the scary stuff happening on the internet at the time, involving hackers and algorithm-cracking and malware, might seem particularly alarming because it was, or seemed, as if it had never been seen before. But actually, he argued, it was all the same old crimes, just done with new tools. Theft, identity-stealing, fraud – they’d all be familiar to a Roman.

Every time I attend a security event, or, as last week, the launch of a security report, his point comes to mind, as it puts the latest trends in malware, or the most recent outrageous hacker exploit, in a useful context. It isn’t so much what’s being done, as how it’s being done. And that, as I discovered way back when I stumbled into my first security conference in Silicon Valley and was hooked like a phishing victim, is endlessly inventive and fascinating.

And so it was, out at Symantec’s security centre in Dublin, as researchers talked through Symantec’s 2014 Internet Security Threat Report , which looks back over key developments in 2013.

Hence Heartbleed, the internet security bug that has made headlines this month, didn’t feature at all. But there were many bizarre and intriguing developments.

I found particularly fascinating a discussion on some of the potential ways to get money out of an ATM.

Most ATM crime still involves boring old “skimming”, the practice of getting hold of people’s account information, generally using some sort of card reader, coupled with a secret camera for recording passwords.

But, said Symantec security operations manager Orla Cox, in South America and more recently the US, groups are beginning to use malware to attack ATMs. They open up the front of the machine by picking the lock or using a duplicate key, then use the USB port on the machine’s computer innards to launch malware.

‘Surprisingly open’

“The actual computer part of the ATM is surprisingly open,” she noted. There are only a limited number of keys to open the tops, too, and unsurprisingly, these are now bought and sold on the internet, and are even produced by 3D printer.

Thieves can then attach a USB key to launch malware which enables someone to use the machine’s screen to access cash. Some have attached a mobile phone to the USB port inside and can simply walk up to the ATM and send a text from their phone to the ATM phone, signalling it to dispense cash.

Another interesting development has been the huge increase in targeted “spear phishing” attacks, where hackers aim to dupe individuals at a certain level, within particular industries, because they are most likely to have access to sensitive accounts and information. And who do you think might be the ideal attack target? Most would likely guess a senior executive in, say, financial services. But it’s actually a personal assistant at a mining company.

It turns out mining companies have a lot of sensitive information, including on oil exploration, which can be stolen (perhaps by corporate or state agents, or by hackers selling to same).

Also, they tend to make a lot of large payouts to suppliers and contractors, making it easier to fake invoices and hide fraudulent payouts. Symantec said one in 2.7 attacks overall was against a mining company, the highest for any industry.

Medium-sized targets

I was also intrigued by the shift away from big multinationals as a target for attacks. In 2011 and 2012, big firms with more than 2,500 employees accounted for 50 per cent of all targeted attacks. In 2013, that declined to 39 per cent, with the difference accounted for by a shift towards medium-sized companies.

That now makes SMEs the leading targets for spear phishing, said Cox, probably because security at smaller firms is poorer as the budget is smaller. Yet SMEs tend to have sensitive account information for big companies.

This is the most significant take-away for Irish businesses, she told me, as Ireland is full of SMEs that act as suppliers to multinationals here and elsewhere, or buy from them. “Smaller companies are the stepping stone,” she said. “They’re the soft touch to get into the larger companies.”

There’s plenty more to read about in the report – a rise in ransomware attacks, for example, where criminals remotely lock a person’s PC and demand payment to unlock it. Or not – once the money is sent, some just leave the poor victim’s computer in limbo. (“Back up regularly,” says Symantec.)


Tuesday, April 22, 2014

Abney Associates Tech Blog, Zeus Malware: A Continuing Threat


The indictment of nine alleged participants in a fraud scheme that involved infecting thousands of business computers with Zeus malware to steal millions of dollars shows that the malware remains a formidable ongoing threat, financial services security experts say.

The victims in the case included a Nebraska bank and a Nebraska company, according to an announcement of the indictment from federal prosecutors. The indictment was unsealed in connection with the April 11 arraignment of two Ukrainian nationals, who were recently extradited from the United Kingdom. Three other Ukrainians and a Russian have not yet been arrested; the indictment also names three other "John Doe" defendants.

"These actors are only a few of those who operate Zeus botnets out of a sea of cybercriminals who use variations to commit fraud," says Ryan Sherstobitoff, a threat researcher at security vendor McAfee, a unit of Intel. "Zeus will always be a continuing threat, and cybercriminals will continue to use Zeus to steal money. We as an industry must be vigilant."

Kevin Haley, security response director at security vendor Symantec, says the indictments won't put much of a dent in the use of the malware. "Zeus is not a gang; it's a toolkit, a very popular one used by many gangs," he says. "While today there is one less gang, there are still plenty of others using Zeus to attack us."

Andreas Baumhof, chief technology officer at anti-fraud vendor ThreatMetrix, says that when it comes to fighting fraud, the latest indictments are "like taking a scoop of sand out of the beach.

"The thing about Zeus is that the people who develop and distribute Zeus are not the same people who use Zeus to steal money," Baumhof says. "Now we have a couple less people using Zeus."

Zeus is a continuing threat because many financial institutions aren't necessarily looking for the malware itself, says George Tubin, banking expert at anti-malware provider Trusteer. "What [banks] are trying to do is use different authentication means and different fraud prevention technologies to try to spot when fraud happens," he says. "But very few institutions are actually trying to identify when man-in-the-middle malware [such as Zeus] is being used."


The nine defendants in the case revealed April 11 allegedly used the malware to capture passwords, account numbers and other information necessary to log into online banking accounts, federal prosecutors say. The conspirators then used the information to steal millions of dollars from victims' bank accounts.

The defendants allegedly falsely represented to banks that they were employees of the victim organizations and were authorized to make transfers of funds from the victims' bank accounts, according to an announcement from the Federal Bureau of Investigation.

As part of the scheme, the defendants allegedly used money mules in the U.S. who received funds transferred over the ACH network or through other interstate wire systems from victims' bank accounts, the FBI says. The money mules then allegedly withdrew some of those funds and wired the money overseas to conspirators.

All the defendants were charged by a federal grand jury with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft and multiple counts of bank fraud.


McAfee's Sherstobitoff says federal law enforcement is making progress mitigating the Zeus threat through botnet takedowns and disruption efforts. "These disruption efforts are oriented toward breaking up criminal rings who operate Zeus to steal from commercial entities," he says.

Haley at Symantec notes: "Security technology continues to get better, and users become more aware of the social engineering tricks that attackers deploy. But the attackers do not stand still either."

Organizations need to first identify the critical business information that must be protected and prioritize that appropriately, Haley says. Then they must implement security technology, including anti-spam technology, to mitigate the e-mail threats. "And finally, users need security awareness training," he says.

ThreatMetrix's Baumhof says making progress in fighting fraud is challenging because many malware attacks are so targeted. "The trick with Zeus is that it is a very flexible toolkit that you can use in many different ways," he says. "People try to mitigate the specific attacks that they are being attacked with, not against Zeus. People are protecting against cuts and not against the Swiss Army knife."

To fight attacks that use Zeus, banks need to ensure more data is available to systems that assess risk, Baumhof says. And that includes information about end users' devices. "How can a bank make a good decision regarding whether or not a particular transaction is valid if there is no visibility into the endpoint?"