Mike Hearn (OP)
December 20, 2012, 03:47:26 PM (Last edit: December 20, 2012, 04:09:03 PM by Mike Hearn)
Though not directly related to Bitcoin, I found this article interesting. It shows how to defeat the chip and PIN 2-factor auth program.

http://www.dailymail.co.uk/news/article-2249752/A-999-credit-card-scam-cost-thousands.html

The effort involved by the scammers is quite immense. The general gist is this.

The victim receives a call from somebody who claims to be a police investigator. They state that your credit/debit card has been cloned and is being abused, and thus that they need to collect it from you. They also say they need the PIN.

At this point victims often become suspicious because many people are aware that you aren't supposed to give your PIN out to anyone, including your own bank. So the scammers have a neat trick. They say "dial 999, ask for the police and call me back that way". The victim puts down the phone, picks it up again and hears a dial tone. However, what they don't realize is that one side hanging up the phone does not terminate a call. The dial tone they hear is fake, as is the following 999 call (played by a different actor/scammer). Once again, the "police officer" asks for the PIN.

If victims hesitate again at this point, they have another neat trick - the scammer says "you don't have to trust me, type your number in and it'll be sent direct to our technical folks". Of course the touch tones are recorded.

A courier comes and picks up the card later. Now the bad guys have both card and PIN and can withdraw as much money as they want. The scammer also keeps the victims on the line for as long as possible whilst the couriers withdraw money. This is to try and stop the victims from calling back the bank or police directly, giving time for the withdrawals to go through.

The good news is the victim who wrote for the Daily Mail was largely reimbursed by the banks.

This scam relies on the following:

- People's assumption that hanging up the phone terminates a call, when actually both sides have to hang up. This seems like something that should be fixed at the telephone level. Presumably it doesn't affect mobile phones.
- Trust in authority.
- People's incorrect belief that EMV cards can be cloned (the entire premise rests on the idea that the card was compromised when it wasn't).
- Emotional pressure tactics and good acting which are able to override the advice given by banks to never give up your PIN.

How might you go about making a similar scam against average/normal Bitcoin users, assuming an absolute best case scenario of a passphrase encrypted wallet containing 2-factor coins, where the second factor is a dedicated hardware device?

- Call somebody who you think owns some Bitcoins and is of average technical knowledge. Claim to be from Microsoft/their ISP/etc and state that you believe their computer has a virus. As has been shown many times, at this point a non-trivial number of people will follow instructions and give up control of their computer.
- Tell the victim to download a "virus scanner". Make it look realistic. In the background it finds your wallet file and emails it to the scammer. It also intercepts USB requests to the second factor and blocks them.
- Next time the user wants to make a payment, the virus steals the encryption passphrase. It also intercepts the request to the second factor and blocks it, causing the wallet to show an error message like "Unable to communicate with signing device. Check it's plugged in and operating. To order a replacement call +44 0123 456789". Of course the device is working fine.
- The user calls back and this time you claim to be from the manufacturer of their signing device. Say that you're sorry their signing device is broken and as customer service is important, you'll soon dispatch a courier to provide a new one. The user gratefully accepts this convenient service.
- The courier arrives and takes the second factor signing device.

Now you can steal their money, potentially their life savings, and this time there's no bank who will try and get the money back for you.

2-factor coins will be a great improvement in Bitcoin's security when complete. However it'd still be a woefully insufficient level of security for the case of a country or community that wanted to adopt Bitcoin en masse. Probably the best solution is "bank like entities" that perform risk analysis on your transactions for you, as an optional service.

(edit: minor improvement to the scam)

BCB
December 20, 2012, 03:51:22 PM
Nice post Mike.
Unfortunately, there will never be an end to the ways and the extremes to which scammers will go to part victims from their money.
We must always remain vigilant. And these posts help greatly.
Thanks

kokojie
December 20, 2012, 04:15:03 PM
The victims have already been told by the bank to NOT give their PIN to ANYONE. If the victim still gives away their PIN, it's their own fault.

dishwara
December 20, 2012, 04:23:29 PM
Thanks, nice post. I hope this helps someone not to get scammed.

Phinnaeus Gage
December 20, 2012, 05:28:00 PM
With the advent of cell phones, I haven't heard a dial tone in years.
I have used that trick once, decades ago. Don't remember the details, but the other party hung up, whereupon I stayed on the line knowing that that person was going to make another call. I could hear the tones caused by the pressing of the keys, and waited a few seconds, then said hello in a disguised voice. Fucked with them a minute, then let the cat out of the bag, both of us having a good laugh.

BCB
December 20, 2012, 05:51:47 PM
> The victims have already been told by the bank to NOT give their PIN to ANYONE. If the victim still gives away their PIN, it's their own fault.

kokojie, this is true but this shows two human traits that scammers rely upon (after GREED).

1. Escalation of authority.
   a. I have a higher rep than you (this works beautifully with nick squatters)
   b. Appealing to a higher power.
      1. My manager
      2. The Police
      3. etc.
2. And our innate desire to trust our fellow man.
   1. "I'm an authority so give me your PIN."
   2. "you send first"

Problem is, it's gotten so bad I'm certain I've hung up on and deleted emails from legitimate service providers.

flipperfish
December 20, 2012, 08:30:24 PM
LOL? This is news to me. In which countries is a phone connection not terminated if one side hangs up? Here in Germany the call definitely is terminated if one side hangs up and you would have to redial. And this behavior is not new, the phone network has behaved this way for as long as I can remember. With VoIP this is AFAIK the default behavior of most clients, too. (However, on the protocol level, there is a 2-sided termination.)

01BTC10
December 20, 2012, 08:38:18 PM
> LOL? In which countries is a phone connection not terminated if one side hangs up? Here in Germany the call definitely is terminated if one side hangs up and you would have to redial. And this behavior is not new, the phone network has behaved this way for as long as I can remember. With VoIP this is AFAIK the default behavior of most clients, too. (However, on the protocol level, there is a 2-sided termination.)

In Canada, hanging up for a short lapse of time won't terminate a call. The US probably uses the same system as well.

flipperfish
December 20, 2012, 08:45:51 PM (Last edit: December 20, 2012, 08:55:55 PM by flipperfish)
>> LOL? In which countries is a phone connection not terminated if one side hangs up? Here in Germany the call definitely is terminated if one side hangs up and you would have to redial. And this behavior is not new, the phone network has behaved this way for as long as I can remember. With VoIP this is AFAIK the default behavior of most clients, too. (However, on the protocol level, there is a 2-sided termination.)
> In Canada, hanging up for a short lapse of time won't terminate a call. The US probably uses the same system as well.

Yes, for old analog wired phones quickly (< 1s) pressing down and releasing the hook does have this effect here, too. But this is intended and used as a signal to the network to access several advanced features.

franky1
December 20, 2012, 09:03:08 PM
the fake hang up trick is a well known scam these days
the other scam is saying that they are the telephone company and a bill needs to be paid that day. if the person does not believe them they say they will prove they are the phone company by temporarily cutting off the phone line when they hang up.
when in actual fact they just mute the call so that the victim does not hear a dial tone. and can't dial out.
5 minutes later the scammer calls them again and informs them if they do not pay immediately then the next cut off will be permanent incurring further costs and a 30 day delay in reinstating the service.
never give any details to people that call you. in the UK this is called cold-calling. don't be convinced by a single phonecall that you were not expecting to receive, demanding personal banking details.

01BTC10
December 20, 2012, 09:07:46 PM
>>> LOL? In which countries is a phone connection not terminated if one side hangs up? Here in Germany the call definitely is terminated if one side hangs up and you would have to redial. And this behavior is not new, the phone network has behaved this way for as long as I can remember. With VoIP this is AFAIK the default behavior of most clients, too. (However, on the protocol level, there is a 2-sided termination.)
>> In Canada, hanging up for a short lapse of time won't terminate a call. The US probably uses the same system as well.
> Yes, for old analog wired phones quickly (< 1s) pressing down and releasing the hook does have this effect here, too. But this is intended and used as a signal to the network to access several advanced features.

Last time I tried (3-4 years ago) I could stay on the line for ~1-2 minutes. I successfully pranked some friends this way. I guess it depends how the network has been set up.

cypherdoc
December 20, 2012, 09:13:28 PM
i'm surprised that any of those scams require a courier. that would be highly risky business for the scammers and easily squelched.

marnie
December 20, 2012, 09:16:51 PM
>>>> LOL? In which countries is a phone connection not terminated if one side hangs up? Here in Germany the call definitely is terminated if one side hangs up and you would have to redial. And this behavior is not new, the phone network has behaved this way for as long as I can remember. With VoIP this is AFAIK the default behavior of most clients, too. (However, on the protocol level, there is a 2-sided termination.)
>>> In Canada, hanging up for a short lapse of time won't terminate a call. The US probably uses the same system as well.
>> Yes, for old analog wired phones quickly (< 1s) pressing down and releasing the hook does have this effect here, too. But this is intended and used as a signal to the network to access several advanced features.
> Last time I tried (3-4 years ago) I could stay on the line for ~1-2 minutes. I successfully pranked some friends this way. I guess it depends how the network has been set up.

I could be wrong, but I don't think it works like that any more.

Mike Hearn (OP)
December 20, 2012, 11:06:40 PM
> i'm surprised that any of those scams require a courier. that would be highly risky business for the scammers and easily squelched.

EMV cards are unclonable. So the PIN without the physical card is worthless. You have to convince the owner to give up both of them.

GernMiester
December 21, 2012, 12:08:15 AM
Only an, here come.... MORON would fall for that nonsense. what a weak ass scam

nobbynobbynoob
December 21, 2012, 01:55:27 AM
> There must be something else that terminates a call, maybe after some time if one side is gone it terminates? If I call your home and I never hang up you can never make another call?

This may be a quirk of the British telecommunications systems. The delay was traditionally two minutes on GPO/BT landlines; I do not know whether or not that has been altered in recent years.

FreeMoney
December 21, 2012, 01:57:48 AM
> The victims have already been told by the bank to NOT give their PIN to ANYONE. If the victim still gives away their PIN, it's their own fault.

>> There must be something else that terminates a call, maybe after some time if one side is gone it terminates? If I call your home and I never hang up you can never make another call?
> This may be a quirk of the British telecommunications systems. The delay was traditionally two minutes on GPO/BT landlines; I do not know whether or not that has been altered in recent years.

Ha, you are fast. I deleted after scanning and seeing someone mentioned it doesn't cut the call for a brief d/c, which would make sense for keeping the call alive if there was just a small problem. They must be counting on the person dialing right back. Funny to hear the call to the actual police offering a pin number.

Herodes
December 21, 2012, 11:01:18 AM
A fool and his money are easily parted.

Mike Hearn (OP)
December 21, 2012, 11:18:58 AM
That attack doesn't actually clone the card, it exploits weak protocol implementations to achieve a similar effect. I agree that the end result can be rather equivalent, but it can be patched with software upgrades to the buggy terminals and ATMs. You don't need to actually replace the cards because the hardware on them is still secure.

molecular
December 21, 2012, 12:23:53 PM
An interesting scam. Wouldn't work in most of Europe because of the call termination "bug" not existing here.

> - Call somebody who you think owns some Bitcoins and is of average technical knowledge.

Lol. I wouldn't know who to call. I know lots of people that own bitcoins and lots of people with average or below average technical knowledge. But no one I know fits both descriptions and the one that comes close has their coins in casascius.

Frequency
December 21, 2012, 12:42:00 PM
> Only an, here come.... MORON would fall for that nonsense. what a weak ass scam

Yeah but the digibitics like an 80 year old could get tricked this way... If they make 100 calls a day and only one would fall for it ...they probably made more money than working for a boss ... So keep ur money stored safe or in a savings account which is harder to get to by scammers .. I would kick the one who gets at my door to pick the card up very very hard in his crotch...