[SecurityRatty] tag: fraudsters

Government sends auditors to investigate Postapay fraud

Tue, 30 Sep 2008 20:00:00 +0000

Efforts by the Postal Corporation of Kenya to embrace technology have hit a snag, with the government sending forensic auditors to probe the integrity of its electronic money transfer service, Postapay, following reports of millions of shillings lost to fraudsters.

Protect yourselves from identity fraud

Mon, 29 Sep 2008 09:32:18 +0000

Soon you’ll be seeing the infomercials on late nite TV.
Its becoming very profitable, easy set up, even tutoring.

clipped from news.cnet.com

Behind the scenes of online fraud

Fraudsters aren’t just targeting bank customers. They are also luring victims off social networks, where they harvest sensitive private information, and online gaming sites, where they steal accomplished avatars and accounts and sell them for money, Rivner says.

Online fraud tools have price tags just like any other software. For example, the Mpack Infection Kit costs $700, a Dream BotBuilder costs $500, and at just $350, the Limbo Trojan is practically a steal, according to Rivner.

For people who don’t have the skills to install, run, and manage their own Trojans and other tools, fraudsters are offering fraud software as a service for $299 a month, “which means anyone can do it,” he says.

While online attacks get the headlines, a bigger risk is from skimmers, fake faceplates for ATM machines that steal card data from the magnetic strip. The data is then used to make forged cards.

A pro's tips on ATM fraud

Sun, 28 Sep 2008 20:00:00 +0000

A bank-machine hacker who reportedly was arrested earlier this month in Turkey gave would-be fraudsters tips on how to install rogue card-reading devices, including advising them to target drive-through ATMs (automated teller machines) and avoid towns with fewer than 15,000 residents.

Trojan can grab extra personal banking data

Thu, 25 Sep 2008 20:00:00 +0000

A Trojan horse program now available to a growing number of fraudsters can add data entry fields to legitimate online banking sites and entice consumers to give up sensitive information such as bank card numbers and PINs (personal identification numbers).

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 16:53:17 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel?? to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 15:53:18 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Thank you for listening and please do let us know what you think of the show.

Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more

Tue, 26 Aug 2008 17:16:43 +0000

Synopsis: Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #81, a 42-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on May 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the hiatus
Voice of VOIPSA: Are your Skype username and password completely exposed if you use iSkoot?
Voice of VOIPSA: Chronology
Voice of VOIPSA: iSkoot disclosure of Skype credentials resolved – new version by Wednesday
Ofcom confirms VoIP providers must provide access to 999 and 112 – and Hannes Tschofenig points to 4th Emergency Services Coordination Workshop and presentation about the UK
MarketingVOX: British Proposal May Force ISPs to Fork Over Online Activity, Emails, VOIP Calls pointing to Reuters article: Britain mulls plan to store all email and calls

Enterprise VoIP Planet: VoIP Security: SIP-Versatile but Vulnerable

IT Business Edge: Pay Attention to VoIP Security Before The Storm

NetworkWorld: Business Guide to VoIP Security

Pocket-lint: Fraudsters targeting VoIP Users based on report out of Newport Networks (reported in VoIP News) – also covered at Fierce VoIP: Newport Networks riles up VoIP Security Fears and Computeractive: Phreak-out over VoIP and TechHerald article

Network World: Security and management considerations when deploying OCS

LXer: Secure Calling Initiative Reaches Second Milestone pointing to Secure Calling Initiative

[H]Enthusiast: Mobile Phones, VoIP Not Secure, Experts Warn=

VoIP News: The Essential Guide to VoIP Privacy

Voice of VOIPSA: Information Week interviews SecureLogix about VoIP security

eWeek: VoIP Security through Responsible Software Development

Microsoft gives back door keys to Vista to police

Comment (blog) from Martyn Davies

Comment (email) from Detlef

Comment (email) from Dan McGinn-Combs

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

41:43 - End of show

Thank you for listening and please do let us know what you think of the show.

Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more

Tue, 26 Aug 2008 16:16:43 +0000

Synopsis: Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...

Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on April 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the hiatus
Voice of VOIPSA: Are your Skype username and password completely exposed if you use iSkoot?
Voice of VOIPSA: Chronology
Voice of VOIPSA: iSkoot disclosure of Skype credentials resolved – new version by Wednesday
Ofcom confirms VoIP providers must provide access to 999 and 112 – and Hannes Tschofenig points to 4th Emergency Services Coordination Workshop and presentation about the UK
MarketingVOX: British Proposal May Force ISPs to Fork Over Online Activity, Emails, VOIP Calls pointing to Reuters article: Britain mulls plan to store all email and calls

Enterprise VoIP Planet: VoIP Security: SIP-Versatile but Vulnerable

IT Business Edge: Pay Attention to VoIP Security Before The Storm

NetworkWorld: Business Guide to VoIP Security

Pocket-lint: Fraudsters targeting VoIP Users based on report out of Newport Networks (reported in VoIP News) – also covered at Fierce VoIP: Newport Networks riles up VoIP Security Fears and Computeractive: Phreak-out over VoIP and TechHerald article

Network World: Security and management considerations when deploying OCS

LXer: Secure Calling Initiative Reaches Second Milestone pointing to Secure Calling Initiative

[H]Enthusiast: Mobile Phones, VoIP Not Secure, Experts Warn=

VoIP News: The Essential Guide to VoIP Privacy

Voice of VOIPSA: Information Week interviews SecureLogix about VoIP security

eWeek: VoIP Security through Responsible Software Development

Microsoft gives back door keys to Vista to police

Comment (blog) from Martyn Davies

Comment (email) from Detlef

Comment (email) from Dan McGinn-Combs

Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

41:43 - End of show

Thank you for listening and please do let us know what you think of the show.

Scammers replace credit card readers in Irish stores

Sun, 17 Aug 2008 20:00:00 +0000

Fraudsters in northeast Ireland posing as authorized bank service personnel replaced credit card readers in retailers' stores with their own, capturing data that can be used to empty bank accounts and make purchases.

Phishing emails and training users

Mon, 07 Jul 2008 05:24:45 +0000

One of the frequently proposed ideas for reducing bank fraud is to train customers to identify and ignore phishing emails. The problem with this approach is that the criminals sending such emails quickly adapt to circumvent the advice given to customers, as can be seen in this quiz.

Even worse is that the emails sent by banks often resemble phishing attempts, and sometimes directly violate the advice given to customers. With this “do as I say, not as I do” approach, it is no surprise that customers regularly fall for the scams. In fact, sometimes a legitimate email look so fake that the bank's own security staff think it's a phish.

And it's not just banks which are slipping up. I received an email from Paypal, asking users to “click here and enter your password” despite the warning on the same page: “PayPal will never ask you to enter your password in an email”. What can customers be reasonably expected to do, given this type of training? I simply closed my account.

Email is a valuable sales channel for banks, and marketing teams evidently have not being willing to sacrifice it, despite the (justified) concerns of the security departments. This fact, coupled with the weak authentication schemes currently deployed, makes life for fraudsters easy. Paypal have tried one alternative approach – a two-factor token – but these are still vulnerable to attack. Strong security solutions, accepted both by customers and marketing, are needed to mitigate the large damages from fraud we see today.