A Sceptical Mind

So I read this article today on Comon.dk: http://www.comon.dk/news/forste.store.smishing-angreb.i.danmark_36080.html

It’s Danish, so if you followed the link and thought to yourself: “What the f*ck?” - That’s probably because you’re not Danish, so lets start with me explaining what the article says!

The article talks about the first big SMiShing attack in Danish history and features comments from Danish security expert Peter Kruse (CSIS Security Group). Now for all of you who don’t know what SMiShing is, SMiShing is basically just a SMS oriented way of doing Phising. So instead of trying to scam a victim to a fake website (which is Phising), SMiShing tries to scam you into calling a specific number due to something like “Hey you won 10 million dollars. Call #somenumber# to claim your prize”. So what’s really dangerous about this? Is people really gonna fall for something like this? - A lot of stuff and yes!

Let’s have a look at the SMS sent to a bunch of Danes the other day:

“Your mobile number won 750.000 Euros from the Espana global promotion. Contact claim dept. on: Tel: 0034664219273 Fax: 0034911013657 mcellproiaim.com”

How many do you think would fall for this scam and call the number? There’s no official number, but former numbers for other Phishing sites have stated that 1-2% of all recipients visit the site after receiving the scam e-mail. So is it also 1-2% with SMiShing? - I would argue no, specifically because e-mail is still being stigmatized. People don’t trust e-mails because they’ve grown accustomed to spam and other forms of fake emails - but they trust their mobile phones! So while we see numbers like 1-2% for e-mail scams, I fear we will be seeing numbers like 4-6% for mobile phone scams - if not even more than that.

So what happens if you call the number? According to Peter Kruse, one would probably be met with the scam artist himself, trying to get your bank information so that he can “transfer the money to you”, while in fact he just wants the information to do some form of identity theft. - Personally I don’t believe this one! It seems very much unlike mass computerized criminals to initiate contact to their victims. Experienced hackers do it, however they’re usually also a lot more focused.. they plan ahead and hit one or two companies very specifically. SMiShing’s nature of mass-oriented scamming is not well suited for this type of theft attempt. No, I find it much more likely you’re met with a computerized voice asking for a lot of information - including a bunch of information that doesn’t seem odd but just completely unnecessary, like address, city, postal code, state, country, gender and so on. So why would a scammer want to know all of these things? Very easy - he wouldn’t! But he would very much like you to stay on the line while you’re chunking up huge premium rate fees - all of which go straight into the scammer’s pockets, without you being able to do much about it.

Scams with premium rate numbers have been around for a very long time and while obviously illegal, it can be very difficult to get someone convicted. So the scammers can sit back while perhaps 2000 people call (if they’ve contacted enough victims with SMS) and on average use 12 minutes on the phone with a fee of 15$ a minute - adding up to: 360000$ in profits for the scammers. - Actually these numbers are probably way to low if they’ve attacked several countries.

But this is just one of the ways you can use SMiShing and is actually one of the more naive ways. A much better way would be to exploit the way SMS’s actually work. Many people believe that SMS’s include numbers and the only way their phones can show names (like “Tom” instead of 08005552342) is if they themselves added it to their phone book. But this is actually not true! You can very easily spoof names instead of numbers, so that when a victim receives a message from you, instead of having 08005551215 as a number, you could choose “Mom”. This way, you would be able to do a very evil form of SMiShing, where the number of callers would quite likely be much higher:

“Hi son. You need to call me straight away - We’re in Honduras and your Dad just had a heart attack! I’m sitting here in the hospital but my phone isn’t working well and almost has no more batteries. Would you please call the hospital’s phone at: (504) 559 - 0300. Love you! - Mom.”

If I were trying to scam people with SMiShing (and I had no soul) - this would be the way to do it!
Assuming it isn’t possible for the son to call his mother (as in she’s not picking up or at work) and the son’s parents aren’t dead already, this will work wonders and a lot more than 4-6% would call!

So to sum it all up. Is SMiShing much of a threat? Well yes because it uses an old technology which hasn’t had any real security boosts and which people mistakenly trust. So in that sense it’s much worse than scamming over e-mail (Phising) as it’s much more likely the victim will fall for the scam. I fear we will be seeing a lot of these scams in the future unless something is done to secure SMS - a scenario that’s probably very unlikely!

I have a Lenovo Thinkpad T61 as my work laptop - You know, one of those laptops with the fancy fingerprint scanner in the bottom right corner. Now without getting into a big discussion about the dangers of biometric security systems, I’m going to tell you why I think these kind of devices are completely ridiculous and benefit with absolutely no extra security what so ever.

Let’s first consider the premises for using a biometric fingerprint scanner! The premises for using a fingerprint scanner, instead of e.g. a password, is that a password can be guessed while a fingerprint is something unique to a user - something the user is the sole possessor of and always carries with him. So while that sounds more secure (since you don’t have to worry about e.g. password strength), in reality it really isn’t. Let’s say we had a hacker Charlie and Charlie here wanted to gain access to a building only Alice had access to - a building using biometric authentication in the form of a fingerprint scanner. How would Charlie accomplish this? Well, it actually turns out he has quite a few options:

• He can force Alice to let him in (read “big fucking gun”)
• He can jump Alice and chop off her finger (thereby giving him the “key” he needs)
• He can break the fragile window next to the top-security, 20 inch steel door (as in: don’t make your damn security systems more solid then what surrounds them.. before long you’ll have burglars blowing up your walls to get in.)
• He can break into the fingerprint scanner and steal the stored fingerprint (fingerprints aren’t stored as images, as some may believe.. Fingerprints are stored as a seemingly random sequences of characters uniquely identifying the fingerprint. It’s much like a hashing function like md5() og sha())
• He can swipe Alice’s fingerprint of some glass or whatever he can find, and then use the same technique as Chaos Computer Club did when they stole a German officials fingerprint, to then reproduce the fingerprint and use it as if he was Alice.

All in all there are tons of ways to break a biometric system. However one of the more disturbing issues isn’t that it’s easy to break. It’s the fact that when it’s been broken - the users are screwed! If you get your fingerprint stolen, you can never use a fingerprint scanner securely again.. simply because the premises isn’t there anymore - you are no longer the sole possessor of the fingerprint. So there are many very real concerns with the use of biometric systems and I can tell you right now - I usually avoid all of these systems!

So back to the subject here: Why the fingerprint scanners on laptops from IBM, Lenovo, HP etc. are completely useless when it comes to security! So really the issue is quite simple. The premises for using biometrics is that the user is the sole possessor and therefore the only one who can log in. Now consider this scenario: Your walking down the street, your laptop in hand, and then suddenly out of the blue a skinny guy runs past you, grabs your laptop and runs like the wind! You, exhausted by the last burger you just ate, try to run after the perpetrator but fail when you start to loose your breath (after 10 meters).. but then - aahhh - a sigh of relief when you remember you had a 35 digit password, encrypted harddrive and a biometric fingerprint scanner! No worries right? … — … — … — … — … — WRONG! The perpetrator gets home and takes a look at your laptop. He noticed your “Linux rocks - I secure my toilet brush” t-shirt while running past you and concludes your harddrive is probably encrypted and your password is probably psycho - but then.. aaahhhh - a sigh of relief when he notices you’ve activated your fingerprint scanner! He then takes a piece of tape, picks a random spot on your laptop, swaps your fingerprint right of, uses CCC’s method to copy your fingerprint and uses it to log in and steal all your data - despite the whole encryption, psycho password stuff.

It’s actually really simple: The fucking key is on the machine you’re trying to break into!!

Imagine an office building having break-in keys hanging from the fucking front door - just for burglar convenience!

All in all it comes down to this: The laptop fingerprint scanners are there because it’s hype! Like Apple, Facebook and a bunch of other stuff, fingerprint scanners for the common man is hype these years - it sells! But while companies are telling people to use these devices, they’re actually misleading the public and giving them a false sense of security - thereby actually weakening security very extensively.

So why am I writing this? Well pretty simple actually - Disable your fucking fingerprint scanner!