Topic: Interesting and slick scam - page 2. (Read 2958 times)

legendary
Activity: 1806
Merit: 1003
December 20, 2012, 11:15:03 AM
#3
The victims have already been told by the bank to NOT give their PIN to ANYONE. If the victims still give away their PIN, it's their own fault.
BCB
vip
Activity: 1078
Merit: 1002
BCJ
December 20, 2012, 10:51:22 AM
#2
Nice post Mike.

Unfortunately, there will never be an end to the ways and the extremes to which scammers will go to part victims from their money.

We must always remain vigilant.  And these posts help greatly.

Thanks
legendary
Activity: 1526
Merit: 1134
December 20, 2012, 10:47:26 AM
#1
Though not directly related to Bitcoin, I found this article interesting. It shows how to defeat the chip and PIN 2-factor auth program.

  http://www.dailymail.co.uk/news/article-2249752/A-999-credit-card-scam-cost-thousands.html

The effort involved by the scammers is quite immense. The general gist is this. The victim receives a call from somebody who claims to be a police investigator. They state that your credit/debit card has been cloned and is being abused, and thus that they need to collect it from you. They also say they need the PIN.

At this point victims often become suspicious because many people are aware that you aren't supposed to give your PIN out to anyone, including your own bank. So the scammers have a neat trick. They say "dial 999, ask for the police and call me back that way". The victim puts down the phone, picks it up again and hears a dial tone. However what they don't realize is that one side hanging up the phone does not terminate a call. The dial tone they hear is fake, as is the following 999 call (played by a different actor/scammer).

Once again, the "police officer" asks for the PIN. If victims hesitate again at this point, they have another neat trick - the scammer says "you don't have to trust me, type your number in and it'll be sent direct to our technical folks". Of course the touch tones are recorded. A courier comes and picks up the card later. Now the bad guys have both card and PIN and can withdraw as much money as they want.

The scammer also keeps the victims on the line for as long as possible whilst the couriers withdraw money. This is to try and stop the victims from calling back the bank or police directly, giving time for the withdrawals to go through.

The good news is the victim who wrote for the Daily Mail was largely reimbursed by the banks.

This scam relies on the following:

  • People's assumption that hanging up the phone terminates a call, when actually both sides have to hang up. This seems like something that should be fixed at the telephone level. Presumably it doesn't affect mobile phones.
  • Trust in authority.
  • People's incorrect belief that EMV cards can be cloned (the entire premise rests on the idea that the card was compromised when it wasn't).
  • Emotional pressure tactics and good acting which are able to override the advice given by banks to never give up your PIN.


How might you go about making a similar scam against average/normal Bitcoin users, assuming an absolute best case scenario of a passphrase encrypted wallet containing 2-factor coins, where the second factor is a dedicated hardware device?

  • Call somebody who you think owns some Bitcoins and is of average technical knowledge. Claim to be from Microsoft/their ISP/etc and state that you believe their computer has a virus. As has been shown many times, at this point a non-trivial number of people will follow instructions and give up control of their computer.
  • Tell the victim to download a "virus scanner". Make it look realistic. In the background it finds your wallet file and emails it to the scammer. It also intercepts USB requests to the second factor and blocks them.
  • Next time the user wants to make a payment, the virus steals the encryption passphrase. It also intercepts the request to the second factor and blocks it, causing the wallet to show an error message like "Unable to communicate with signing device. Check it's plugged in and operating. To order a replacement call +44 0123 456789". Of course the device is working fine.
  • The user calls back and this time you claim to be from the manufacturer of their signing device. Say that you're sorry their signing device is broken and as customer service is important, you'll soon dispatch a courier to provide a new one. The user gratefully accepts this convenient service.
  • The courier arrives and takes the second factor signing device.

Now you can steal their money, potentially their life savings, and this time there's no bank who will try and get the money back for you.

2-factor coins will be a great improvement in Bitcoin's security when complete. However it'd still be a woefully insufficient level of security for the case of a country or community that wanted to adopt Bitcoin en masse. Probably the best solution is "bank like entities" that perform risk analysis on your transactions for you, as an optional service.

(edit: minor improvement to the scam)
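The post above closes by suggesting "bank like entities" that run risk analysis on transactions as an optional service. The following is an added illustration of what such a check could look like, written for this page and not code from the original thread or from any Bitcoin project. Every rule, threshold, address and timestamp in it is an assumption chosen to match the scam the post describes: an attacker who has collected the wallet file, the passphrase and the signing device will typically drain nearly the whole balance to an address the victim has never paid before, shortly after the "replacement" signing device was enrolled. The service scores a pending transaction on those signals and holds it for out-of-band confirmation when the score is high, while a small payment to a familiar address passes even right after a device change.

```python
"""Toy transaction risk scoring for a custodial / 'bank-like' service.

Added example for this thread, not the original post's code. The thresholds,
weights, addresses and timestamps below are assumptions constructed for the
illustration; a real service would tune them against observed fraud.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Tx:
    ts: int           # unix seconds (constructed sample data)
    to_addr: str      # destination address (constructed, not a real address)
    amount: float     # amount in BTC

@dataclass
class Account:
    balance: float
    history: List[Tx] = field(default_factory=list)      # past outgoing payments
    last_device_change_ts: Optional[int] = None          # when a signing device was (re)enrolled

# Assumed policy thresholds
DRAIN_FRACTION = 0.8               # spending >= 80% of the balance is unusual
DEVICE_CHANGE_WINDOW = 7 * 86400   # 7 days after a signing-device change
VELOCITY_WINDOW = 3600             # look-back for outgoing velocity, 1 hour
VELOCITY_LIMIT = 3                 # >= 3 outgoing txs in that window
HOLD_THRESHOLD = 50                # at or above this score the tx is held

def score_tx(acct: Account, tx: Tx) -> Tuple[int, List[str]]:
    """Return (risk score, reasons) for a pending outgoing transaction."""
    score, reasons = 0, []
    if acct.balance > 0 and tx.amount / acct.balance >= DRAIN_FRACTION:
        score += 40
        reasons.append("drains most of balance")
    if tx.to_addr not in {t.to_addr for t in acct.history}:
        score += 20
        reasons.append("never-seen destination")
    if (acct.last_device_change_ts is not None
            and 0 <= tx.ts - acct.last_device_change_ts <= DEVICE_CHANGE_WINDOW):
        score += 30
        reasons.append("shortly after signing-device change")
    recent = [t for t in acct.history if 0 <= tx.ts - t.ts <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        score += 20
        reasons.append("high outgoing velocity")
    return score, reasons

def decide(acct: Account, tx: Tx) -> Tuple[str, int, List[str]]:
    """'hold' means the service pauses the tx and confirms with the customer
    through a channel the attacker does not control; 'allow' lets it through."""
    score, reasons = score_tx(acct, tx)
    return ("hold" if score >= HOLD_THRESHOLD else "allow"), score, reasons

def build_sample_account() -> Tuple[Account, int]:
    """Constructed history: five small payments to one familiar merchant,
    then a signing-device replacement on day 10 (the scam's courier swap)."""
    base = 1_356_000_000  # constructed epoch, roughly December 2012
    hist = [Tx(base + i * 86400, "1KnownMerchantAddr", 0.05) for i in range(5)]
    acct = Account(balance=10.0, history=hist,
                   last_device_change_ts=base + 10 * 86400)
    return acct, base

def run_scenarios() -> dict:
    """Score three constructed transactions and return their decisions."""
    acct, base = build_sample_account()
    normal = Tx(base + 5 * 86400, "1KnownMerchantAddr", 0.1)
    post_swap_small = Tx(base + 11 * 86400, "1KnownMerchantAddr", 0.1)
    drain = Tx(base + 11 * 86400, "1FreshAttackerAddr", 9.9)
    return {
        "normal": decide(acct, normal),
        "post_swap_small": decide(acct, post_swap_small),
        "drain": decide(acct, drain),
    }

if __name__ == "__main__":
    for name, (verdict, score, reasons) in run_scenarios().items():
        print(f"{name:16s} {verdict:5s} score={score:3d} {reasons}")
```

The point of the device-change rule is that the scam's final step, a courier collecting the "broken" device, leaves a visible trace in the service's records (a new device enrolled, or an old one suddenly unreachable) that the victim's own wallet software cannot see once the malware controls the machine. Holding a large transfer to a fresh address in that window, and confirming it by a channel the attacker does not control, is the kind of check the post has in mind.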