Wednesday, June 17, 2009

Social Engineering

Social engineering is the act of manipulating people into performing actions or divulging
confidential information. While similar to a confidence trick or simple fraud, the term typically
applies to trickery or deception for the purpose of information gathering, fraud, or computer
system access; in most cases the attacker never comes face-to-face with the victim.
The basic goals of social engineering are the same as hacking in general: to gain unauthorized
access to systems or information in order to commit fraud, network intrusion, industrial
espionage, identity theft, or simply to disrupt the system or network. Typical targets include
telephone companies and answering services, big-name corporations and financial institutions,
military and government agencies, and hospitals. The Internet boom had its share of industrial
engineering attacks in start-ups as well, but attacks generally focus on larger entities. As for why organizations are targeted through social engineering – well, it’s often an easier way
to gain illicit access than are many forms of technical hacking. Even for technical people, it’s
often much simpler to just pick up the phone and ask someone for his password. And most
often, that’s just what a hacker will do.
Social engineering attacks take place on two levels: the physical and the psychological. First,
we'll focus on the physical setting for these attacks: the workplace, the phone, your trash, and
even on-line. In the workplace, the hacker can simply walk in the door, like in the movies, and
pretend to be a maintenance worker or consultant who has access to the organization. Then
the intruder struts through the office until he or she finds a few passwords lying around and
emerges from the building with ample information to exploit the network from home later that
night. Another technique to gain authentication information is to just stand there and watch an
oblivious employee type in his password.
The most prevalent type of social engineering attack is conducted by phone. A hacker will call
up and imitate someone in a position of authority or relevance and gradually pull information
out of the user. Help desks are particularly prone to this type of attack.Help desks are particularly vulnerable because they are in place specifically to help, a fact
that may be exploited by people who are trying to gain illicit information. Help desk employees
are trained to be friendly and give out information, so this is a gold mine for social engineering.
Most help desk employees are minimally educated in the area of security and get paid
peanuts, so they tend to just answer questions and go on to the next phone call. This can
create a huge security hole.
A variation on the phone theme is the pay phone or ATM. Hackers really do shoulder surf and
obtain credit card numbers and PINs this way. People always stand around phone booths at
airports, so this is a place to be extra cautious. Dumpster diving, also known as trashing, is another popular method of social engineering. A
huge amount of information can be collected through company dumpsters.The Internet is fertile ground for social engineers looking to harvest passwords. The primary
weakness is that many users often repeat the use of one simple password on every account.
So once the hacker has one password, he or she can
probably get into multiple accounts. One way in which hackers have been known to obtain this
kind of password is through an on-line form: they can send out some sort of sweepstakes
information and ask the user to put in a name and password. These forms can
be sent by e-mail .
Another way hackers may obtain information on-line is by pretending to be the network
administrator, sending e-mail through the network and asking for a user’s password. This type
of social engineering attack doesn’t generally work, because users are generally more aware
of hackers when online, but it is something of which to take note. Furthermore, pop-up windows
can be installed by hackers to look like part of the network and request that the user reenter
his username and password to fix some sort of problem. At this point in time, most users
should know not to send passwords in clear text , but it never hurts to have an
occasional reminder of this simple security measure from the System Administrator. Even
better, system administrators might want to warn their users against disclosing their passwords in any fashion other than a face-to-face conversation with a staff member who is known to be
authorized and trusted.
E-mail can also be used for more direct means of gaining access to a system. For instance,
mail attachments sent from someone of authenticity can carry viruses, worms and Trojan
A final, more advanced method of gaining illicit information is known as “reverse social
engineering”. This is when the hacker creates a persona that appears to be in a position of
authority so that employees will ask him for information, rather than the other way around. If
researched, planned and executed well, reverse social engineering attacks may offer the
hacker an even better chance of obtaining valuable data from the employees; however, this
requires a great deal of preparation, research, and pre-hacking to pull off.

Always remember , prevention is better tan cure. Once your personal information has gone then remember there is no cure!

Tuesday, June 16, 2009

Beware of Mobile Phone Cloning!!!!

Mobile phones have become a major part of our everyday life. On the one hand, India’s mobile phone market has grown rapidly in the last few years on the back of falling phone tariffs and handset prices, making it one of the fastest growing markets globally. On the other the number of mobile phone subscribers is exceeding that of fixed-line users. The mobile phone subscriber base has already crossed the 70-mn mark. Today millions of mobile phones users, be it Global System for Mobile communication (GSM) or Code Division Multiple Access (CDMA), run the risk of having their phones cloned. And the worst part is that there isn’t much that you can do to prevent this. Such crime first came to light in January, 2005 when the Delhi police arrested a person with 20 cell phones, a laptop, a SIM scanner, and a writer. The accused was running an exchange illegally wherein he cloned CDMA-based mobile phones. He used software for the cloning and provided cheap international calls to Indian immigrants in West Asia. A similar racket came to light in Mumbai resulting in the arrest of four mobile dealers.
Mobile cloning is copying the identity of one mobile telephone to another mobile telephone. The “cloning” occurs when the account number of a victim telephone user is stolen and reprogrammed into another cellular telephone. Each cellular phone has a unique pair of identifying numbers: the electronic serial number (ESN) and the mobile identification number (MIN). The ESN/MIN pair can be cloned in a number of ways without the knowledge of the carrier or subscriber through the use of electronic scanning devices. After the ESN/MIN pair is captured, the cloner reprograms or alters the microchip of any wireless phone to create a clone of the wireless phone from which the ESN/MIN pair was stolen. The entire programming process takes 10-15 minutes per phone. Any call made with cloned phone are billed to and traced to a legitimate phone account. Innocent citizens end up with unexplained monthly phone bills.
The ESN is the serial number of your cellular telephone. And the MIN is simply the phone number of the cellular telephone. Cellular thieves can capture ESN/MINs using devices such as cell phone ESN reader or digital data interpreters (DDI). DDIs are devices specially manufactured to intercept ESN/MINs. By simply sitting near busy roads where the volume of cellular traffic is high, cellular thieves monitoring the radio wave transmissions from the cell phones of legitimate subscribers can capture ESN/MIN pair. Numbers can be recorded by hand, one-by-one, or stored in the box and later downloaded to a computer. ESN/MIN readers can also be used from inside an offender’s home, office, or hotel room, increasing the difficulty of detection.
To reprogram a phone, the ESN/MINs are transferred using a computer loaded with specialised software, or a “copycat” box, a device whose sole purpose is to clone phones. The devices are connected to the cellular handsets and the new identifying information is entered into the phone. There are also more discreet, concealable devices used to clone cellular phones. Plugs and ES-Pros which are about the size of a pager or small calculator do not require computers or copycat boxes for cloning. The entire programming process takes ten-15 minutes per phone. Each year, the mobile phone industry loses millions of dollars in revenue because of the criminal actions of persons who are able to reconfigure mobile phones so that their calls are billed to other phones owned by innocent third persons. Often these cloned phones are used to place hundreds of calls, often long distance, even to foreign countries, resulting in thousands of dollars in air time and long distance charges. Cellular telephone companies do not require their customers to pay for any charges illegally made to their account, no matter how great the cost. But some portion of the cost of these illegal telephone calls is passed along to cellular telephone consumers as a whole. Many criminals use cloned cellular telephones for illegal activities, because their calls are not billed to them, and are therefore much more difficult to trace. This phenomenon is especially prevalent in drug crimes. Drug dealers need to be in constant contact with their sources of supply and their confederates on the streets. Traffickers acquire cloned phones at a minimum cost, make dozens of calls, and then throw the phone away after as little as a days' use. In the same way, criminals who pose a threat to our national security, such as terrorists, have been known to use cloned phones to thwart law enforcement efforts aimed at tracking their whereabouts.
CDMA differs from GSM and TDMA (Time Division Multiple Access) by its use of spread spectrum techniques for transmitting voice or data over the air. Rather than dividing the radio frequency spectrum into separate user channels by frequency slices or time slots, spread spectrum technology separates users by assigning them digital codes within the same broad spectrum. Advantages of CDMA include higher user capacity and immunity from interference by other signals. GSM is a digital mobile telephone system that is widely used in Europe and other parts of the world. GSM uses a variation of TDMA and is the most widely used of the three digital wireless telephone technologies. GSM digitises and compresses data, then sends it down a channel with two other streams of user data, each in its own time slot. It operates at either the 900 MHz or 1,800 MHz frequency band.

Five persons arrested in Toranto

Five Toronto men have been arrested in what police are calling "a sophisticated debit card fraud" that spanned several GTA cities.
Around 6 a.m. on Saturday, witnesses called Durham police after they saw several men running between the TD and CIBC banks at a Thickson Rd. S. and Dundas St. E. plaza in Whitby.
Shortly after arriving at the scene, police received a call from the TD security guard saying that fake debit cards were being used at their ATMs. One man was arrested inside the bank.
While investigating, police also came across four men at a parking lot at a Bank of Montreal at the Whitby Mall across the street.
All men had a large amount of money on them, said police, who also found four blank white cards with BMO data encoded in them.
A makeshift safe and two locking devices were also located in the suspects' vehicle.
Other white plastic cards were found in a garbage can at the TD ATMs along with some cash.
Officers seized a total of $5,980.
Investigators believe the men conspired with other suspects across the GTA to take part in a fraud. It was a coordinated attempt to withdraw money from ATMs using fake cards around the same time.
The debit card data in this case was eventually traced back to a drugstore in Scarborough.
Arrested are Srimaloj Srianandan, Pirathees Subramaniam, Patrick John, all 22, Luxmanan Balakrishnan, 21, and Anton Sooriyakumar, 23.
They are charged with four counts of fraud under $5,000, four counts of unlawful use of credit card data, use of credit cards obtained by crime, conspiracy to commit an indictable offence and possession of proceeds of crime.
Sooriyakumar also faces three additional counts relating to previous incidents.
Courtesy :

How to prevent Credit Card Fraud?

Credit card frauds are on the rise these days. Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also an adjunct to identity theft. The credit card number, the Card Verification Value (CVV) or the Card Security Code (CSC), date of birth, credit card limit, residential address (stored on your card's magnetic tape) is all that is needed for someone to misuse your credit card.
Being vigilant while using your credit card is the only way of preventing fraud. Here are some tips.
The CSC or CVV number is a security feature for credit or debit card transactions, giving increased protection against credit card fraud. It is not embossed like the card number, and is always a group of numbers printed on the back signature panel of the card.
This provides a level of protection to the bank/card holder, in that a corrupt merchant cannot simply capture the magnetic stripe details of a card and use them later for 'card not present' purchases over the phone, mail order or Internet.
Whenever you use your card, always ensure that the transaction is completed in front of you and that no details are written down by the merchant. Do not provide photocopies of both sides of the credit card to anyone.
The card verification value (CVV) which is required for online transactions is printed on the reverse of the card. Anyone can use the card for online purchases if the information is available with them.
When using your credit cards for making purchases online:
Ensure that Web site is a secure site.
Do not click on links in e-mail seeking details of your account; they could be phishing e-mails from fraudsters. Most reputed companies will ask you to visit their Web site directly.
Do not give out your credit card details on unknown or suspicious Web sites.
The first and foremost thing to do, after you have confirmed that you have lost your wallet or card or have seen suspicious transactions on your credit card statement, is to call up the bank's call center and deactivate the card or inform the customer service representative about the suspicious transactions.
The representative will help you file a complaint in regard to this. In case of lost cards, check if any transactions have been made on the card and if there are any; inform the bank about the ones that are not yours.
On receipt of a new card ensure that it is in sealed condition and that the seal is not tampered with.
Sign on the back of your new card as soon as you receive it.
Monitor your account regularly either on the Internet or from call centers. Also subscribe to e-mail and mobile alerts to keep track of card usage.
Memorize your card's PIN number.
Destroy and dispose all documents that mention the card number, such as copies of receipts, airline tickets, travel itineraries, etc.
Personal account information should never be shared with anyone unless payment for the purchase is being done from that account.
Another important thing is keeping any useful information such as card number, expiry date, CVV number, and pin number, etc of your cards handy.
However, that does not mean that you keep the information in places where it is easily accessible. Protect your card information as you would protect your money.
Finally, always stay at least 40 per cent below your credit limit and review your account information either online or through the credit card company's call center frequently. This will help you identify any suspicious transactions immediately.
Credit cards, though an easy way to have access to money without carrying around a lot of cash can become a big liability if not used prudently and carefully. Ensure that you use the card responsibly.