CFSB June.qxd 5/31/02 3:59 PM Page 2
Fraud News
Where to buy stolen credit cards! Ever wondered what happens to stolen credit card details? According to The New York Times, tens of thousands are being sold over the Internet in members-only online markets. The markets are mostly run by residents of Russia and Ukraine. The cost of a single credit card varies from 40 cents to $5, depending on the level of verification details provided, but the most popular way of buying stolen card details is in bulk. Security experts report that the customers come from across the world, but most are of Eastern European, former Soviet Union and Asian origin. Allegedly, black-hat hackers sell the stolen information to the cyber-market operators. Gartner has reported that over 1% of online transactions were subjected to fraudulent interference in 2001, which translates in cash terms to $700 million. This figure is far larger than the losses attributed to fraud on offline transactions, namely 20 times more.
ISSN: 1361-3723/02/$22.00 © 2002 Elsevier Science Ltd. All rights reserved.
Biometrics News
Fingerprint sensors discredited? Biometrics is a technology that is ‘in’ at the moment. Like all ‘in’ technologies it basks in overwhelming hype but also suffers attempts to discredit it. Fingerprint sensors have recently been played down by a Japanese cryptographer who made fingerprint replicas out of quite basic ingredients. Tsutomu Matsumoto constructed an artificial finger from gelatine, and fingerprint detectors registered the ‘fake’ finger as real four times out of five. Matsumoto lifted a fingerprint from a glass, intensified the print with a cyanoacrylate adhesive and then photographed it with a digital camera. He used Photoshop to enhance the image and printed it onto a transparency sheet. Finally the fingerprint was etched into the copper of a photo-sensitive printed-circuit board (PCB), giving it a three-dimensional relief from which the gelatine finger was cast. The result is a gelatine bogus finger that tricks fingerprint detectors 80% of the time. The method was tested on 11 commercial fingerprint sensors; none could tell the difference. Biometric technologies are supposed to be the answer to the password problems of access control, but after this ridiculous display of counterfeit fingers the technology may be devalued. Once again security systems are under attack by ‘white hat hackers’, and once again the attack method is widely publicized, so real hackers with immoral motives know exactly what to do. The scrutiny does not stop in Japan: the German technology magazine c't has tested 11 biometric products. c't focused on fingerprint scanners and webcam-based sensors, that is, products that authenticate by iris scan and facial recognition. The facial recognition products it analyzed could be deceived with a still image from a digital camera. Of the fingerprint scanners examined, c't gained access to some simply by breathing on the latent fingerprint grease left on the sensor; a water-filled plastic bag had the same effect. Devices that actually scanned the fingerprint were more difficult to crack, but this too was achieved with a fake finger moulded using a hot candle and silicone. Iris scanners did not escape testing either and were fooled by a high-resolution printed image bearing a recognized user's iris, with a hole cut in the middle for a real human eye to peer through.
Vulnerability News
SQL Server under attack. A suspicious number of connection attempts has been directed at port 1433, which happens to be the Microsoft SQL Server port. Attacks began to escalate on 20 May; normally connection attempts on this port account for 0-3% of the total. The SANS Internet Storm Center has reported that the share has leapt to 57%. The technique used to connect resembles an ordinary attack: the first communication is an MSSQL handshake, then a second packet is exchanged, which is an attempt to log in to the MSSQL server with the account name “sa” and a blank password.
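As an added defender-side example (not from the newsletter), the check below computes, per day, what share of inbound connection attempts in a connection log target port 1433 and flags days that exceed the 0-3% baseline the report quotes, also counting how many distinct sources are behind the 1433 attempts. The log format and all sample lines are constructed for illustration.

```python
"""Flag days on which the share of inbound connection attempts aimed at TCP/1433
(Microsoft SQL Server) exceeds the 0-3% baseline quoted in the report.
Added example, not from the newsletter; the log format and values are constructed."""
from collections import defaultdict

MSSQL_PORT = 1433
BASELINE_SHARE = 0.03  # upper end of the "normal" 0-3% share quoted in the report

# Constructed log, one attempt per line: '<day> <src_ip> <dst_port>'.
# 2002-05-19 is a quiet day; on 2002-05-20 port 1433 dominates, as the report describes.
SAMPLE_LOG = """\
2002-05-19 10.0.0.5 80
2002-05-19 10.0.0.6 443
2002-05-19 10.0.0.7 25
2002-05-19 10.0.0.8 80
2002-05-19 10.0.0.9 22
2002-05-19 10.0.0.10 443
2002-05-20 10.0.0.5 80
2002-05-20 192.0.2.1 1433
2002-05-20 192.0.2.2 1433
2002-05-20 192.0.2.1 1433
2002-05-20 198.51.100.4 1433
2002-05-20 10.0.0.6 443
2002-05-20 203.0.113.9 1433
2002-05-20 198.51.100.5 1433
bad line here
"""

def parse_log(text):
    """Yield (day, src_ip, dst_port); skip lines that do not match the format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            yield parts[0], parts[1], int(parts[2])

def mssql_share_by_day(text):
    """Map each day to (share of attempts on 1433, number of distinct sources on 1433)."""
    totals, hits, sources = defaultdict(int), defaultdict(int), defaultdict(set)
    for day, src, port in parse_log(text):
        totals[day] += 1
        if port == MSSQL_PORT:
            hits[day] += 1
            sources[day].add(src)
    return {day: (hits[day] / totals[day], len(sources[day])) for day in totals}

def flag_days(text, baseline=BASELINE_SHARE):
    """Return {day: (share, distinct_sources)} for days whose 1433 share exceeds the baseline."""
    return {day: (round(share, 2), n) for day, (share, n) in mssql_share_by_day(text).items()
            if share > baseline}
```

A high share coming from many distinct sources, as on the constructed second day, points to broad scanning rather than a single noisy host, which is the pattern the report describes.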