<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: ireland]]></title>
    <link>http://securityratty.com/tag/ireland</link>
    <description></description>
    <pubDate>Sun, 13 Apr 2008 17:58:13 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Scammers replace credit card readers in Irish stores]]></title>
      <link>http://securityratty.com/article/ae885c71f0d298db70c0923fd7cecf2c</link>
      <guid>http://securityratty.com/article/ae885c71f0d298db70c0923fd7cecf2c</guid>
      <description><![CDATA[Fraudsters in northeast Ireland posing as authorized bank service personnel replaced credit card readers in retailers' stores with their own, capturing data that can be used to empty bank accounts and...]]></description>
      <content:encoded><![CDATA[Fraudsters in northeast Ireland posing as authorized bank service personnel replaced credit card readers in retailers' stores with their own, capturing data that can be used to empty bank accounts and make purchases.]]></content:encoded>
      <pubDate>Sun, 17 Aug 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/credit card readers">credit card readers</category>
      <category domain="http://securityratty.com/tag/bank service personnel">bank service personnel</category>
      <category domain="http://securityratty.com/tag/empty bank accounts">empty bank accounts</category>
      <category domain="http://securityratty.com/tag/northeast ireland">northeast ireland</category>
      <category domain="http://securityratty.com/tag/stores">stores</category>
      <category domain="http://securityratty.com/tag/retailers">retailers</category>
      <category domain="http://securityratty.com/tag/fraudsters">fraudsters</category>
      <category domain="http://securityratty.com/tag/purchases">purchases</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <source url="http://www.networkworld.com/news/2008/081808-scammers-replace-credit-card-readers.html?fsrc=rss-security">Scammers replace credit card readers in Irish stores</source>
    </item>
    <item>
      <title><![CDATA[Card Wars: The Phantom Menace]]></title>
      <link>http://securityratty.com/article/9d5b71fcb64161e1a88ba8844117af51</link>
      <guid>http://securityratty.com/article/9d5b71fcb64161e1a88ba8844117af51</guid>
      <description><![CDATA[Just like George Lucas can't help but return to his old projects, I have been returning to mine. After three years of stagnation, I am pleased to announce the re-launch of phantomwithdrawals.com,...]]></description>
      <content:encoded><![CDATA[<p>Just like George Lucas can&#8217;t help but <a href="http://www.cinematical.com/2005/05/25/lucas-idea-for-new-star-wars-prequel/">return to his old projects</a>, I have been returning to mine. After three years of stagnation, I am pleased to announce the re-launch of <a href="http://www.phantomwithdrawals.com">phantomwithdrawals.com</a>, freshly re-vamped, updated and turned into a Wiki editable by the general public.</p>
<p>In fact, it&#8217;s not just great artists like Mr. Lucas and I starting up old projects, our honourable colleagues wearing the black hats have got the same idea. We have new victims reporting in, <a href="http://www.newsvine.com/_news/2008/07/01/1629600-citibank-atm-breach-reveals-pin-security-problems">rumours</a>&nbsp;<a href="http://blog.wired.com/27bstroke6/2008/06/citibank-issues.html">abound</a> of an auth system compromise at Citi, the Ombudsman is backlogged with months of disputed withdrawal cases, and some like <a href="http://www.guardian.co.uk/technology/2008/jan/03/hitechcrime.news">Alain Job</a> are even going to court.</p>
<p>One original contributor to the phantom case histories has just been hit by a second phantom withdrawal five years on and is chalking up another case in the files. While her new phantom is a bread-and-butter skim incident (a magstripe clone used in the far east), amongst this mass, true phantoms &#8212; the real mystery cases &#8212; are on the rise too. Two new victims with whom I have been corresponding very kindly offered to fund the hosting for the revamped site.</p>
<p>Let&#8217;s consider one of these mysteries. The McGaughey case has been reported in the media in Northern Ireland: dozens of withdrawals taking place over four weeks, totaling almost five thousand pounds, all within a ten mile radius of the McGaugheys&#8217; home. Summarised that way it looks like a classic first party fraud (couple short on cash withdraw money, then deny it later). But no-one in the family is short on cash, the McGaugheys look after their card details carefully, and have solid <a href="http://www.bridgewebs.com/derryvolgie/">alibis</a> at the time of many of the withdrawals, and the interlocking pattern of real and disputed withdrawals is such that any third party would have a hard time taking and returning the card (whether covertly or in collusion with the McGaugheys). No-one appears to have either the means or the motive.</p>
<p>Unusually the bank has been very cooperative, providing logs from their authorisation system (<a href="http://www.aciworldwide.com/products/detail.aspx?product_id=236">BASE24</a>), including all of the cryptograms, input data and transaction parameters covering the affected transactions. Everything turns on the Application Transaction Counter (ATC), an on-card counter which increments with every transaction initiated. If an EMV chip can be fully cloned (secret keys and all), then it will have to submit an ATC value when transacting, and if used in parallel with the real card, it won&#8217;t be long before the same number pops up twice in the auth system, or large gaps in the sequence appear. The McGaugheys&#8217; ATC sequence appears to interlock perfectly: clearly the original card was used?</p>
<p>Of course logs can be misinterpreted (<a href="http://news.bbc.co.uk/1/hi/programmes/newsnight/7265437.stm">Badger</a>) or even faked, auth systems may not work as expected, and customers may lie and cheat following all sorts of agendas; just around the corner the missing piece of the jigsaw may lie, which reveals the truth behind the case. And there is the totally separate matter of who should suffer the loss in the interim, whilst the truth remains unclear. <a href="http://www.lightbluetouchpaper.org/2008/04/09/new-banking-code-shifts-more-liability-to-customers/">Liability for disputed withdrawals</a> is the most hotly contested issue of all.</p>
<p><a href="http://www.phantomwithdrawals.com">phantomwithdrawals.com</a> can&#8217;t do much more for the McGaugheys, but it can bear witness. Documenting the incidence of phantoms and the experiences of customers disputing them adds much needed transparency to the process, and helps researchers and experts seek out the really interesting cases.</p>
<p>Maybe we can lift the lid and discover the truth behind the &#8220;phantom menace&#8221; &#8212; everyone is united in that goal at least &#8212; but let&#8217;s also hope that Episode 2: <a href="http://www.epaynews.com/index.cgi?survey=&#038;ref=browse&#038;f=view&#038;id=11497625028614136145&#038;block=">Attack of the Clones</a> has not yet started shooting!</p>
<p>Mike.</p>
]]></content:encoded>
      <pubDate>Tue, 05 Aug 2008 11:06:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/card">card</category>
      <category domain="http://securityratty.com/tag/phantom">phantom</category>
      <category domain="http://securityratty.com/tag/real">real</category>
      <category domain="http://securityratty.com/tag/real card">real card</category>
      <category domain="http://securityratty.com/tag/card details">card details</category>
      <category domain="http://securityratty.com/tag/phantom menace">phantom menace</category>
      <category domain="http://securityratty.com/tag/phantom withdrawal">phantom withdrawal</category>
      <category domain="http://securityratty.com/tag/transaction">transaction</category>
      <category domain="http://securityratty.com/tag/application transaction counter">application transaction counter</category>
      <source url="http://www.lightbluetouchpaper.org/2008/08/05/card-wars-the-phantom-menace/">Card Wars: The Phantom Menace</source>
    </item>
    <item>
      <title><![CDATA[The power of communication.]]></title>
      <link>http://securityratty.com/article/357075c5b305b8fc11621511fcb90e8c</link>
      <guid>http://securityratty.com/article/357075c5b305b8fc11621511fcb90e8c</guid>
      <description><![CDATA[I think many of us fail to realize the extreme importance of communicating in a way that ensures we are understood. When I was working for the United Nations in different countries around the world, I...]]></description>
      <content:encoded><![CDATA[I think many of us fail to realize the extreme importance of communicating in a way that ensures we are understood.<span id="fullpost">When I was working for the United Nations in different countries around the world, I would often be told by other UN staff that they were surprised that they could actually understand what I was saying. Apparently, they had met other Irish and could only understand a few words here and there. That was easy for me to understand. As the Deputy and later Chief of the United Nations' Special Investigation Unit, it was of the utmost importance that people could understand me. Imagine questioning a person who was facing deportation back to their country for an alleged crime. It would be unfair to them if I didn't make myself understood, even if it meant that I had to slow down my fast Irish speech and leave out the Irish slang words (that very few people around the world can ever understand).<br /></span><br />I was in Dublin last weekend, passing through on my way to the Middle East. The big topic was the Irish referendum on the Lisbon treaty. It seems that the country was fairly evenly divided between those who were voting yes, voting no, and did not know. I wasn't that terribly sure what it was all about, so I asked my sister and her husband. They had to admit that the whole thing was rather unclear and that the politicians didn't do a great job of explaining. Then I met up with my brother. He too was not 100% sure about the importance of a "yes" or "no" vote. I got the impression that Ireland might lose its national identity if they voted "yes", so I left thinking that "no" was the way to go.<br /><br />Apparently the rest of Ireland thought so too, as I am sitting in my hotel room in Dubai listening to the BBC and Sky News talking about the after-effects of Ireland's rejection of the Lisbon treaty. That got me thinking.
The only time we really ever had any problems with a client involved communication, or a lapse on somebody's part. It is amazing how large the repercussions can be when you are talking about a whole country. Next time you are involved in a negotiation, remember the Lisbon treaty and make sure you know what is at stake. You could be avoiding a costly mistake.<div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Fri, 13 Jun 2008 13:24:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fast irish speech">fast irish speech</category>
      <category domain="http://securityratty.com/tag/irish">irish</category>
      <category domain="http://securityratty.com/tag/irish referendum">irish referendum</category>
      <category domain="http://securityratty.com/tag/lisbon treaty">lisbon treaty</category>
      <category domain="http://securityratty.com/tag/irish slang words">irish slang words</category>
      <category domain="http://securityratty.com/tag/importance">importance</category>
      <category domain="http://securityratty.com/tag/extreme importance">extreme importance</category>
      <category domain="http://securityratty.com/tag/words">words</category>
      <category domain="http://securityratty.com/tag/ireland">ireland</category>
      <source url="http://www.thebulletproofblog.com/2008/06/power-of-communication.html">The power of communication.</source>
    </item>
    <item>
      <title><![CDATA[Beware! $4 + a gallon is bringing out the thieves in our communities.]]></title>
      <link>http://securityratty.com/article/8bb1d3fd37e477eb37712dc88f797683</link>
      <guid>http://securityratty.com/article/8bb1d3fd37e477eb37712dc88f797683</guid>
      <description><![CDATA[We recently alerted our readers to watch out for copper piping, wiring and even art pieces that were being stolen by thieves looking to cash in on the rising price of copper. It was only a matter of...]]></description>
      <content:encoded><![CDATA[We recently alerted our readers to watch out for copper piping, wiring and even art pieces that were being stolen by thieves looking to cash in on the rising price of copper. It was only a matter of time before the same thing happened to the fuel tanks on our vehicles.<br /><br />Neil Cavuto ran a story on Fox's "Cavuto World" today about thieves who are even going so far as to drill into tanks in an effort to steal a vehicle's fuel. Gasoline, diesel and even greasy cooking oil are being stolen. That's right - cooking oil.<br /><br />I first heard that old cooking oil could be used to run a car from my brother in Northern Ireland about four or five years ago. There were very few start-up costs involved and, being the owner of a restaurant, he had a ready supply of used oil. He told me that at that time people were converting their vehicles to run on the oil and were going around gathering up used oil from restaurants. The owners of these establishments were thrilled, since they had previously paid to have the old oil removed.<br /><br />Apparently this recycling of cooking oil has become so popular that restaurants are now selling it - last I heard for about $1.50 a gallon. Thieves have discovered its worth and are now draining the oil tanks located at the rear of restaurants. The report went on to say that SUVs are especially being targeted as their size gives the thieves plenty of good cover. The fact that their tanks are larger and contain more fuel is an added advantage for them.<br /><br />What can you do? For starters, if your fuel cap is not lockable, replace it with one that can be locked. If at all possible, keep your vehicle in a locked garage. If that is not an option, park it in a well-lit area.
Unfortunately, the higher the prices go at the pump, the more prevalent fuel thefts will become.]]></content:encoded>
      <pubDate>Sat, 31 May 2008 00:53:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/oil">oil</category>
      <category domain="http://securityratty.com/tag/oil tanks">oil tanks</category>
      <category domain="http://securityratty.com/tag/thieves">thieves</category>
      <category domain="http://securityratty.com/tag/fuel">fuel</category>
      <category domain="http://securityratty.com/tag/fuel cap">fuel cap</category>
      <category domain="http://securityratty.com/tag/tanks">tanks</category>
      <category domain="http://securityratty.com/tag/fuel tanks">fuel tanks</category>
      <category domain="http://securityratty.com/tag/fuel thefts">fuel thefts</category>
      <category domain="http://securityratty.com/tag/thieves plenty">thieves plenty</category>
      <source url="http://www.thebulletproofblog.com/2008/05/beware-4-gallon-is-bringing-out-thieves.html">Beware! $4 + a gallon is bringing out the thieves in our communities.</source>
    </item>
    <item>
      <title><![CDATA[BPL Powers Down]]></title>
      <link>http://securityratty.com/article/c0dad5ce879cdf1261a9bb879270a2ce</link>
      <guid>http://securityratty.com/article/c0dad5ce879cdf1261a9bb879270a2ce</guid>
      <description><![CDATA[Broadband over powerline (BPL) is always next year's technology; now it's never. Is never soon enough for you? For about the last 13 years, BPL was the going to be the third pipe into the home,...]]></description>
      <content:encoded><![CDATA[<strong>Broadband over powerline (BPL) is always next year's technology; now it's never. Is never soon enough for you?</strong> For about the last 13 years, BPL was going to be the third pipe into the home, supplementing the two incumbent wireline offerings of DSL and cable, which had developed into monopoly or duopoly controls most places in the world. Two years ago, with favorable FCC and upcoming EC decisions on BPL either released or about to happen, BPL seemed about to come into its own. I wrote <a href="http://www.economist.com/science/tq/displaystory.cfm?story_id=8312140"><strong>a positive piece for The Economist</strong></a> based in large part on an enormous deployment that was contracted and underway in Texas, and a contract that had just been signed in France. These two events seemed like they would catalyze BPL.

About 18 months later, the Current Communications and TXU (now Oncor) Electric Delivery deal, which was expected to pass 2m homes by the end of 2008, is over, with Oncor purchasing the telecommunications network for $90m a few days ago. Oncor will use just the smart grid features that allow dramatically improved network monitoring--which is a well-understood aspect of data over powerlines, dating to much slower and primitive networks. The <a href="http://www.dallasnews.com/sharedcontent/dws/bus/stories/DN-current_02bus.ART.State.Edition1.460d413.html"><strong>Dallas Morning News reports</strong></a> that just 64,000 homes were wired for BPL so far, and that Oncor will not offer Internet access. Oncor had agreed in 2006 to pay $150m for smart-grid features.

Google was a Current investor, which gave more credence to their plans in 2006. The company had already rolled out some smaller markets, overcome equipment problems, and had a positive relationship with the ARRL, the amateur radio society, in resolving interference issues. Hams have been the biggest complainants with the FCC over BPL because hams are primary and secondary licensed users in the bands they use, while BPL is an unlicensed use.

The French deployment by SIPPEREC, a utility that manages power for the suburbs of Paris, stated that 1.5m homes would eventually be passed with BPL service, but no information has been released since Feb. 2007 about the project, which makes it likely that it simply didn't happen.

Even when I was researching the Economist piece, I was troubled by the many European deployments that were announced, went into trials, and then disappeared without a trace. Still, there were some active projects in Spain, Switzerland, and Ireland, and the rollouts in France and Texas seemed both committed (contracts were signed) and imminent. But the laws of physics always win, and I can only think that BPL equipment from whatever vendor simply cannot deliver results that work within budget and reliably enough to make network deployment for broadband make any sense.

The FCC's 2006 order that overruled a number of ARRL objections stated, essentially, that interference was okay even with licensed purposes as long as it was within tightly controlled parameters. Part of the "BPL is dead" argument I make today stems from an appeals court decision in late April which affirms the FCC licensed/unlicensed approach, but which requires the agency to re-evaluate its information about interference. The FCC failed to fully disclose information from studies it relied on in setting rules, which violated public process. The ARRL wrote up the appeals decision on their site, and notes that a study in the UK that was fully released showed a much lower threshold would be needed.

The agency's need to redo some of its work, a potential shift of power to Democrats on the commission starting 20-Jan-2009, and the fact that other work shows the rules were established incorrectly could result in restrictions on BPL that make it even less likely to be rolled out. [Initial links via <a href="http://www.dslreports.com/shownews/Broadband-Over-Powerline-BPL-Stumbles-94078"><strong>DSL Reports</strong></a>]]]></content:encoded>
      <pubDate>Mon, 05 May 2008 05:59:43 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bpl">bpl</category>
      <category domain="http://securityratty.com/tag/bpl equipment">bpl equipment</category>
      <category domain="http://securityratty.com/tag/bpl service">bpl service</category>
      <category domain="http://securityratty.com/tag/catalyze bpl">catalyze bpl</category>
      <category domain="http://securityratty.com/tag/fcc">fcc</category>
      <category domain="http://securityratty.com/tag/favorable fcc">favorable fcc</category>
      <category domain="http://securityratty.com/tag/oncor">oncor</category>
      <category domain="http://securityratty.com/tag/network deployment">network deployment</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <source url="http://wifinetnews.com/archives/008303.html">BPL Powers Down</source>
    </item>
    <item>
      <title><![CDATA[Global Dispatches]]></title>
      <link>http://securityratty.com/article/f67f55a0b7648360adbea7ad9e16a173</link>
      <guid>http://securityratty.com/article/f67f55a0b7648360adbea7ad9e16a173</guid>
      <description><![CDATA[The Bank of Ireland said data from 31,500 customers was contained on four stolen laptops; and a parliament committee criticizes the British government's Web...]]></description>
      <content:encoded><![CDATA[The Bank of Ireland said data from 31,500 customers was contained on four stolen laptops; and a parliament committee criticizes the British government's Web strategy.]]></content:encoded>
      <pubDate>Mon, 05 May 2008 03:21:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/british government">british government</category>
      <category domain="http://securityratty.com/tag/parliament committee">parliament committee</category>
      <category domain="http://securityratty.com/tag/web strategy">web strategy</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/laptops">laptops</category>
      <category domain="http://securityratty.com/tag/ireland">ireland</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/283671062/article.do">Global Dispatches</source>
    </item>
    <item>
      <title><![CDATA[Stolen laptops raise serious security issues]]></title>
      <link>http://securityratty.com/article/707c43ce1156a2eca31185f309edb832</link>
      <guid>http://securityratty.com/article/707c43ce1156a2eca31185f309edb832</guid>
      <description><![CDATA[The Data Protection Commissioner is investigating Bank of Ireland after learning that four of the bank's laptops, with details of 10,000 customers, were stolen last...]]></description>
      <content:encoded><![CDATA[The Data Protection Commissioner is investigating Bank of Ireland after learning that four of the bank's laptops, with details of 10,000 customers, were stolen last year.]]></content:encoded>
      <pubDate>Tue, 22 Apr 2008 10:23:08 +0000</pubDate>
      <category domain="http://securityratty.com/tag/data protection commissioner">data protection commissioner</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/laptops">laptops</category>
      <category domain="http://securityratty.com/tag/ireland">ireland</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/details">details</category>
      <source url="http://www.enn.ie/article/10124252.html">Stolen laptops raise serious security issues</source>
    </item>
    <item>
      <title><![CDATA[Lost Bank of Ireland laptops affect roughly 10,000 customers]]></title>
      <link>http://securityratty.com/article/cdce301ad485d26f982c886b564ce0ca</link>
      <guid>http://securityratty.com/article/cdce301ad485d26f982c886b564ce0ca</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
4/22/08

Organization
Bank of Ireland

Contractor/Consultant/Branch
Drogheda, Dunleer, Bagnelstown, Court Place Carlow, Stephens Green, Tallaght, and...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/boi.jpg" align="right" height="39" width="200"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/22/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.bankofireland.com/index.html">Bank of Ireland</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br></font><font size="2">Drogheda, Dunleer, Bagnelstown, Court Place Carlow, Stephens Green, Tallaght, and Montrose</font><br><font size="2"><br><span style="font-weight: bold;">Victims:</span><br>"customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches:<br></font><ul><li><font size="2">Drogheda</font></li><li>Dunleer</li><li>Bagnelstown</li><li>Court Place Carlow</li><li>Stephens Green</li><li>Tallaght</li><li>Montrose"<br></li></ul><font size="2"><br><span style="font-weight: bold;">Number Affected:</span><br>~10,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, addresses, bank account details and medical histories"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"DUBLIN--Four laptop computers stolen from one of Ireland's largest commercial banks contain the unencrypted details of some 10,000 customers, the bank said on Tuesday."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.bankofireland.com/press_room/latest_releases/2008/General_Content_1000257.html">Bank of Ireland</a> <br><a href="http://www.iht.com/articles/ap/2008/04/21/business/EU-FIN-Ireland-Bank-Laptops-Stolen.php">The Associated Press via International Herald Tribune</a> <br><a href="http://newsinfo.inquirer.net/breakingnews/infotech/view/20080422-132008/Irish-banks-stolen-laptops-contain-10000-customer-files">Agence France-Presse via Inquirer.net</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Data Protection Commissioner, Billy 
Hawkes<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>DUBLIN, Ireland: Four laptops containing the personal details of 10,000 Bank of Ireland customers have been stolen, the bank confirmed Monday.<br><br>Ireland's second-largest bank made the admission after the chief regulator, Data Protection Commissioner Billy Hawkes, told Irish broadcasters RTE he had been informed of the lost customers' data only last Friday.<br><br>Bank of Ireland said the four laptops disappeared between June and October 2007 and contained the names, addresses, bank account details and medical histories of about 10,000 holders of the bank's life insurance policies.<br><br>Commenting on the delay in reporting the thefts to the regulatory authorities, managing director Brian Forester said internal procedures had not been followed.<br><span style="font-style: italic;">[Evan] Policies and "internal procedures" aren't worth squat if they aren't communicated to all affected persons <span style="font-weight: bold;">AND </span>enforced.</span><br><br>"Unfortunately in this situation the procedures were not properly adhered to. 
The thefts, while they were reported to the Gardai [police], the situation wasn't escalated to the level of management it should have been, through a human error," he said.<br><span style="font-style: italic;">[Evan] Yes, human error indeed.&nbsp; Humans run the bank, humans run the information security program (assuming one exists), and humans collect, create, store, access, distribute and destroy confidential information.&nbsp; This was more like "humans error", meaning more than one.</span><br><br>The bank said it had found "no evidence of fraudulent or suspicious activity on any of these accounts."<br><br>The four laptops all disappeared in Ireland, at least one of them from a bank worker's home.<br><br>The laptops contained information relating to some customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches:<br></font><ul><li><font size="2">Drogheda</font></li><li>Dunleer</li><li>Bagnelstown</li><li>Court Place Carlow</li><li>Stephens Green</li><li>Tallaght</li><li>Montrose<br></li></ul><font size="2"><br>Anybody who is not a customer of these branches is not affected by this incident.<br><br>The customers' personal data was not encrypted to prevent easy access.<br><span style="font-style: italic;">[Evan] Should we be surprised?</span><br><br>The bank said it was beginning to encrypt customers' data on its remaining 5,000 laptops<br><span style="font-style: italic;">[Evan] Reactionary information security is ineffective.&nbsp; Organizations working with confidential information need to be proactive in risk management and information security in order to be effective.&nbsp; Let's think this through for a second or two.&nbsp; Here we have a bank (or a bank-owned entity) that has many highly confidential records.&nbsp; The bank employs ~5,000 laptop computers and encourages a mobile workforce.&nbsp; Do you think that there is a good (more than 50/50) chance that some of the laptops may be 
used to work with highly confidential information?&nbsp; Do you think there is a good chance that one of these laptops may be lost or stolen?&nbsp; Obviously the answer to both questions is "yes".&nbsp; Why then are these laptops not adequately protected?&nbsp; Is this another "human error"?</span><br><br>had yet to inform any of the 10,000 customers that their personal details had been compromised.<br><br>Bank of Ireland will be writing to these customers in the coming days.<br><br>a help-line has been set up to handle any customer queries 1850 365 365 and select the Bank of Ireland Life option<br><br>This customer help-line will be open from 9.00am to 6.00pm Monday to Friday.<br><br>Bank of Ireland apologises to customers and is committed to moving as quickly as possible to allay the concerns of affected customers.<br><br>Ireland's Data Protection Commissioner Billy Hawkes said his office was investigating what he described as "serious" security lapses.<br><span style="font-style: italic;">[Evan] Of course my purview is very limited, but I tend to agree that there are some serious information security gaps at The Bank of Ireland.</span><br><br><span style="font-weight: bold;">Commentary:</span><br>Baffling is the first word that comes to mind.&nbsp; Poorly protected confidential information and a poor incident response. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Tue, 22 Apr 2008 05:35:39 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/ireland">ireland</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/ireland life option">ireland life option</category>
      <category domain="http://securityratty.com/tag/ireland life">ireland life</category>
      <category domain="http://securityratty.com/tag/bank account details">bank account details</category>
      <source url="http://breachblog.com/2008/04/22/boi.aspx">Lost Bank of Ireland laptops affect roughly 10,000 customers</source>
    </item>
    <item>
      <title><![CDATA[What's new in vulnerability management?]]></title>
      <link>http://securityratty.com/article/c6608547b09e0cfbcec61b74ceefeff7</link>
      <guid>http://securityratty.com/article/c6608547b09e0cfbcec61b74ceefeff7</guid>
      <description><![CDATA[For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the &quot;mature&quot; label which seems to indicate there is no new innovation happening. Recently...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the &quot;mature&quot; label which seems to indicate there is no new innovation happening.&nbsp; Recently though we have seen some new announcements in this area.&nbsp; Also, Gartner should have a new marketscope due out soon.&nbsp; Here is a recap of some recent developments:</p>

<p>1. <strong>Qualys</strong> - I had a chance to speak with Philippe and his son at RSA. After riding high on the PCI wave and pioneering the SaaS in security movement, Qualys is now clearly moving into the compliance arena. This <a href="http://www.qualys.com/company/newsroom/newsreleases/usa/?view=20080407" target="_blank">release</a> details what Qualys is doing but clearly they see compliance and risk management as a new driver for the business.</p>

<p>2. <strong>McAfee</strong> - Say goodbye to Foundstone. Years after buying the company McAfee is finally getting rid of the Foundstone name for the vulnerability product and renaming it Vulnerability Manager 6.5 (I think I like the Foundstone name better), as part of the <a href="http://www.eweek.com/c/a/Security/McAfee-Governance-Risk-and-Compliance-Business-Unit/" target="_blank">new business unit</a> they have started around GRC. Foundstone founder George Kurtz is heading that unit up. They indicate they will supplement the old Foundstone scanner with abilities to scan applications, web sites and data and databases.</p>

<p>3. <strong>nCircle</strong> - I spoke with Andrew Storms and Elizabeth Ireland at RSA. nCircle has been touting their compliance and risk management capabilities for a while now.&nbsp; They also are showing off web application scanning as well. Though they don't get the press that Qualys does, they appear to be holding their own.&nbsp; The question in my mind is how do they break out to the next level (see my post on <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/04/shimmys-theory.html" target="_blank">shimmy's theory of relativity</a>).</p>

<p>4. <strong>eEye</strong> - After many of us including me raised doubts about their viability, eEye has announced the addition of web application scanning to their Retina product. I understand this is an OEM of another company's product and does not represent a lot of investment on eEye's part.&nbsp; I think at the end of the day they are trying to be an endpoint company but can't afford to jettison the scanner business.&nbsp; Their long term viability according to my relativity theory is still in doubt if you ask me.</p>

<p>5. <strong>ISS/IBM</strong> - I hear nothing on this one, do you?&nbsp; You have to question what is the game plan from Big Blue on this.&nbsp; Do they buy an update or put the money into actually taking this dinosaur out of the Jurassic?&nbsp; I guess we will have to see.</p>

<p>So I am sure some of you ask, OK Shimmy enough about the competition what is StillSecure doing with its VAM product?&nbsp; Well the purpose of this blog post was to set the stage for that. I will post an update on some of the cool stuff we have planned with VAM shortly. </p></div>
]]></content:encoded>
      <pubDate>Sun, 13 Apr 2008 18:58:13 +0000</pubDate>
      <category domain="http://securityratty.com/tag/unit">unit</category>
      <category domain="http://securityratty.com/tag/business unit">business unit</category>
      <category domain="http://securityratty.com/tag/business">business</category>
      <category domain="http://securityratty.com/tag/risk management capabilities">risk management capabilities</category>
      <category domain="http://securityratty.com/tag/foundstone">foundstone</category>
      <category domain="http://securityratty.com/tag/risk management">risk management</category>
      <category domain="http://securityratty.com/tag/foundstone scanner">foundstone scanner</category>
      <category domain="http://securityratty.com/tag/blog post">blog post</category>
      <category domain="http://securityratty.com/tag/compliance">compliance</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/04/whats-new-in-vu.html">What's new in vulnerability management?</source>
    </item>
  </channel>
</rss>
