
November 14, 2006

ATM Security & NETs Security

Recently, Singapore has had a wave of ATM frauds. Banks have taken measures to monitor for and, as far as possible, prevent ATM fraud. If someone commits a fraud using a copy of your ATM card, chances are that the bank will issue you a new ATM card and reimburse the missing money immediately.

What happens on NETs enabled machines?

Introduction
NETs enabled machines are all over Singapore.

' NETS was founded as a result of a need for a centralised e-Payment operator by Singapore's local banks: DBS, Keppel Bank, OCBC, OUB, POSB, Tat Lee Bank and UOB, in 1985. '

NETs enabled machines are machines that accept payment via the NETs network. All local banks' ATM cards support NETs, which makes these NETs enabled machines very convenient to use.

You can use NETs in government buildings when paying for various fees, in supermarkets and in almost every shop in Singapore (notable exceptions are food stalls and pubs or cafes). You can use NETs to pay your bills on SAM machines or AXS machines. You can also top up your public transport fare card using NETs. Now you can use NETs to pay for your cab fares too. NETs is basically everywhere and extremely convenient.

Problem with ATM cards
Most ATM cards are just dumb storage media. The magnetic strip of the card encodes information such as your bank ID and your bank account number, among others. The information encoded on your ATM card is not encrypted, and therefore anybody with a magnetic card reader can swipe your card in order to copy it.

There is a small problem with reading ATM cards using an off-the-shelf magnetic card reader. The driver of the magnetic card reader validates the content of the card against the checksum to protect against read errors. ATM cards usually have an invalid checksum on purpose, so reading them with regular magnetic card readers fails. To succeed, you would need a lower-level card reader, or a 'dumb card reader' that does not validate checksums.

Of course the card alone is not enough to perform a fraud. An attacker would also need the corresponding PIN. Recent ATM frauds are based on stealing the card information and the PIN at the same time. Some fraudsters have put a mini magnetic card reader just before the real ATM's card reader: when the victim slides his card into the ATM, the fraudster's reader reads the card first, then, as the card goes deeper, the ATM's card reader reads it. It is completely transparent to the victim. The fraudster has beforehand placed a pin-hole camera in a corner of the ATM booth so he can record the victim's PIN while he types it.

Mitigating Factor
The biggest mitigating factor is that every ATM has a CCTV camera attached to it, so anybody approaching the ATM will be seen and could potentially be identified after a successful attack. Banks have also put in place specially shaped card reader enclosures to make it easier for a user to spot a phony card reader.

Convenience vs. Security
While AXS stations seem to have a digital camera, apparently it is only used to take digital pictures for applications like ePostcards. It does not appear to be CCTV-like, in the sense that it does not seem to film every user while they approach or use the machine.

SAM machines do not have cameras either. Almost all POS terminals in Singapore either have no CCTV camera or have one that cannot see whether the cashier swipes the NETs card in the rightful reader or swipes it through a recording card reader device first. If such an employee (cashier, taxi driver, etc.) decided to go rogue and steal ATM card information, it would be absolutely trivial, and the user would not notice, since he would not be the one sliding the card himself. By the time the user realizes his card was misused, it would be too late, and he would have no idea which merchant is to blame.

Possible Solution
A possible solution would be to have a hardware token, very much like the ones recently launched for Internet Banking by Singapore banks.

A user could use the same hardware token at ATMs. Before asking for the PIN, the ATM or POS would check whether the card supports NETs. If it does, it would ask for the number displayed on the hardware token instead of the PIN. These displayed numbers are time dependent and cannot be reused. A fraudster could still copy the card and film the user entering the number, but it would be useless:

  • The number cannot be reused
  • The number would not be supported on foreign ATMs since it is not the usual PIN

If the card is a foreign card that does not support NETs and instead supports VISA, PLUS, or any other usual payment network, then the ATM would ask for the usual PIN and the protection would not apply.

A user of a Singaporean bank's ATM card overseas would still have to enter his PIN. But at least when using his card in Singapore, the user would face no risk (and neither would the bank or the merchant).
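As an added illustration of the proposal above (example code, not from this post, NETS or any bank): a hypothetical terminal that checks for NETs support, verifies a time-dependent token number with an HMAC in the style of RFC 6238 TOTP, refuses a number that has already been accepted, and falls back to the usual PIN for foreign cards. The post does not specify the token algorithm, so the HMAC scheme, the 30-second window and the card record layout are assumptions.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # one token window; an assumption, the post only says the number is time dependent


def token_code(secret: bytes, window: int, digits: int = 6) -> str:
    """Number the token would display for one time window (HOTP/TOTP-style HMAC truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class NetsTerminal:
    """Hypothetical ATM/POS front end: token number for NETs cards, plain PIN for foreign cards."""

    def __init__(self, cards: dict, now=time.time):
        # cards: card id -> {"nets": bool, "pin": str, "secret": bytes}; constructed issuer-side data
        self.cards = cards
        self.now = now
        self.spent = set()  # (card, window) pairs already accepted: a number cannot be reused

    def challenge(self, card: str) -> str:
        # Check NETs support before prompting; only non-NETs cards are asked for a PIN.
        return "TOKEN" if self.cards[card]["nets"] else "PIN"

    def authorize(self, card: str, response: str) -> bool:
        acct = self.cards[card]
        if not acct["nets"]:
            # Foreign card on VISA, PLUS, etc.: usual PIN, the extra protection does not apply.
            return hmac.compare_digest(acct["pin"], response)
        window = int(self.now() // STEP_SECONDS)
        for w in (window, window - 1):  # tolerate one window of clock skew
            if (card, w) in self.spent:
                continue  # a filmed number from this window has already been used
            if hmac.compare_digest(token_code(acct["secret"], w), response):
                self.spent.add((card, w))
                return True
        return False
```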

Conclusion
Although this solution would prove very effective (the only way to defeat it is to steal or copy both the card and the token, as opposed to just stealing or copying the card and watching the PIN), it would end up being costly for the bank:

  • Each ATM customer would require one hardware token (which could be shared across his various cards: credit card, ATM card, Internet Banking)
  • Banks would have to have an extensive support program in place to teach users how to use the token during the first few months of the transition

November 12, 2006

Automating SpamCop Reporting

SpamCop is great. You should subscribe; it's worth it and it's for a worthy cause. However, it's a real pain to report 100 spam messages at a time. We propose here a quick Perl script that processes your SpamCop queue.

Introduction

' SpamCop is a service for reporting spam. SpamCop determines the origin of unwanted email and reports it to the relevant Internet service providers. By reporting spam, you have a positive impact on the problem. Reporting unsolicited email also helps feed spam filtering systems, including, but not limited to, the SpamCop blacklist used in SpamAssassin as a DNSBL.

Unfortunately, this is an ongoing battle. Spammers adapt quickly and persistently. Report spam and help SpamCop turn the tide. SpamCop makes this otherwise slow and technical task quick and easy.

The SpamCop reporting service is free. '

The easiest way to use SpamCop is to sign up with them. The best way to support them is through donations or by signing up for their services.

Sending Your Spam to SpamCop
Once you have your account set up, I recommend that you forward your complete spam messages as attachments to your personal spam reporting email address instead of going through the pain of submitting them via the web-based form. Mine looks like this (scrubbed): submit.hXfjblahblablahB@spam.spamcop.net.

Note: make sure you forward to your personal spam reporting address only genuine spam!

I use the excellent Thunderbird with the Okopipi plugin.

' Okopipi plugin for thunderbird reports spam to SpamCop, to the FTC, FDA, SEC, ACMA and/or Knujon.com. It also allows you to put in your own custom addresses to report spam to such as your ISP or corporate abuse address.

This will properly forward any message in your current folder marked as junk to the places you configure in your preferences. All you will have to do is hit send. '

After you have installed Okopipi, configure it to forward spam to your personal SpamCop reporting address. Customize your top-window Thunderbird toolbar: right click on the toolbar -> Customize. Add the Okopipi Report button to your toolbar.

All you have to do now when you receive email is to carefully mark spam messages as Junk and to mark as Not Junk those emails that Thunderbird incorrectly marked as junk. Then hit the Okopipi Report button and click send. SpamCop will receive all your spam, ready for you to report.

Getting SpamCop to Report the Spam Messages for you
At this point, you may have a few dozen email messages in your SpamCop queue. The main problem right now is that SpamCop requires you to report your spam messages one by one. To report a spam message and remove it from the queue, you have to perform 2 clicks. It's hardly usable: if you just forwarded 100 messages, that would make 200 clicks...

I seriously hate clicking, so I spent half an hour writing a simple Perl script that processes the SpamCop reporting web-based forms and clicks "submit" on my behalf. It basically does the monkey job of clicking through all the web-based forms for you, all from one command line.
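An added example of that form-processing step, written in Python rather than Perl and not the script from this post: it walks every form on a queue page, keeps the fields a browser would actually send (ticked checkboxes only), and returns the POST for each report form while skipping unrelated forms such as the login box. The sample page, its field names and the button label are constructed for the demo; the real SpamCop page must be inspected, and login and cookie handling are left to the HTTP client.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed stand-in for a SpamCop queue page: one login form plus two report forms.
# Field names and the button label are placeholders, not SpamCop's real ones.
SAMPLE_PAGE = """
<form method="post" action="/sc?id=login"><input type="text" name="username"><input type="submit" value="Login"></form>
<form method="post" action="/sc?id=z1"><input type="hidden" name="reportid" value="1111">
 <input type="checkbox" name="send_1" value="1" checked><input type="checkbox" name="send_2" value="1">
 <input type="submit" name="action" value="Send Spam Report(s) Now"></form>
<form method="post" action="/sc?id=z2"><input type="hidden" name="reportid" value="2222">
 <input type="checkbox" name="send_1" value="1" checked>
 <input type="submit" name="action" value="Send Spam Report(s) Now"></form>
"""


class FormCollector(HTMLParser):
    """Records every <form> together with the fields a browser would submit for it."""

    def __init__(self):
        super().__init__()
        self.forms, self._form = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""), "fields": {}}
        elif tag == "input" and self._form is not None and a.get("name"):
            kind = (a.get("type") or "text").lower()
            # A checkbox (one per ISP/recipient) only travels with the POST when it is ticked.
            if kind != "checkbox" or "checked" in a:
                self._form["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def report_submissions(page_html, base_url, button=("action", "Send Spam Report(s) Now")):
    """One {"url", "fields", "body"} per report form: the POSTs a user would otherwise click through."""
    collector = FormCollector()
    collector.feed(page_html)
    name, label = button
    return [
        {"url": urljoin(base_url, f["action"]), "fields": f["fields"], "body": urlencode(f["fields"])}
        for f in collector.forms
        if f["fields"].get(name) == label  # only report forms carry this button; login/search are skipped
    ]
```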

The Script
You can download the script here. Save it somewhere, and don't forget to edit it to reflect your SpamCop settings.

Edit the following stanza to match your settings:

##########################################
##
## EDIT HERE
##
##########################################
my $username = 'william.gates@msn.com';
my $password = 'My Password Rocks';
##########################################

Further down, you may want to set your HTTP proxy address if you are using any. Uncomment the following line, and set your proxy:

# if you need proxy, uncomment that.
# $browser->proxy(['http', 'ftp'], 'http://username:password@127.0.0.1:8080/');

Don't forget to modify the ISP settings, lower down in the script. I could have made a configurable array at the beginning of the file, but I was seriously too lazy to do it.

You are almost ready to go. Now you'll have some Perl module dependencies to resolve first.

Necessary Perl Modules
use Tie::InsertOrderHash;
use LWP;
use HTTP::Cookies;
use HTML::TreeBuilder;
use MIME::Base64;

Some of these modules may already be installed on your Linux or *BSD distribution. Most of them will be available as a distribution package (.rpm, .deb, .pkg, etc.), or you can download them manually and install them. Alternatively you may want to use the CPAN shell to download the module and any dependencies.

Warning
Please use this script only to report genuine spam. If you abuse this script, SpamCop will respond by changing its form to include CAPTCHAs, which will disturb real users even more and will totally spoil the purpose of this script.

Enjoy. If you have any problem with that script, don't hesitate to comment.
Download the script here.

Update 2006-11-17
Apparently, there is a similar script available on sourceforge called SpamCup. I haven't checked yet to see how the two scripts compare though.