Protecting and tracking stolen hardware

Phones and laptops are easily lost or stolen, and I would urge you to use one or both of the following to protect yourself in the event that it happens to you:

  1. Encrypt your personal files. If you choose to do just one of the two things on this list, choose this one. TrueCrypt is a good, non-scary encryption utility.
  2. Install tracking software. LoJack and Prey were both mentioned in a recent Economist article, and they seem like reasonably good options.

The Economist article tells the story of a laptop getting stolen and then tracked down without police assistance:

Tales of stolen phones and laptops being successfully retrieved are the exception to the rule. One widely publicised case (perhaps because it was so rare) concerned a Canadian web consultant, who had a bag containing his laptop, mobile phone, health card and copies of his birth certificate lifted while on a business trip to New York. Fortunately, the owner had taken the precaution of installing an open-source tracking tool called Prey on his MacBook Pro beforehand.

Several days later, back in Ottawa, the owner got a message from his stolen laptop, saying it was being used in a restaurant in the Soho district of Manhattan. The tracking software not only sent the location details, but also transmitted screen-shots of what was running on the laptop at the time. It even turned on the user-facing camera and transmitted video of the user to the owner 500 miles away.

In this case, the owner was luckier than most. He had some 12,000 followers on Twitter to call upon for help. Meanwhile, the thief made the mistake of logging onto Skype with his real name. The laptop owner saw all this happening before his eyes and tweeted the details to his followers. He also called the New York police and asked, to no avail, for help. The missing laptop and other items were recovered only when a friend, aided by a Twitter follower in New York, rushed to the restaurant and confronted the staff with the evidence. The stolen laptop was handed over without a struggle.

Being able to track your laptop is a great idea in theory, but if the police aren’t willing to do the potentially dangerous work of confronting the criminal, I suspect the software will be useless to most people. That’s why encrypting your data is priority number one, and installing tracking software is nice to have but not something to rely on.


Can you spot a card skimmer?

I can’t. Not always, anyway. Take a look at all the clever ways scammers skim ATM cards and PINs.

If you’ve seen one of those semi-translucent, green card slots with an image of a padlock on it, you know that banks are aware of the problem and are doing something to prevent it. Still, it seems like banks and other ATM owners could be doing more to let their customers know, at each ATM, how to avoid getting suckered by a skimmer. A picture of an unsullied model on the side of every ATM would be a big help. That way, you could compare the real-life model you’re looking at with the image, and hopefully you would notice any material discrepancies. I suppose evil-doers could simply replace the image with their own, but at least their jobs would be made more difficult for having to take that step. And it would provide ATM users with one more chance to notice a sloppy installation of an add-on to the machine.

Another option is a bit more high-tech, and would involve the ATM flashing a number on the screen that should match a number being displayed on the lip of the ATM card slot. This could be hacked, of course, but it would require gaining access to the ATM’s guts. Anything that increases the cost to would-be thieves in time and technical know-how is a good thing.

Anyhow, in the event that banks and other ATM owners do not put in a lot more effort than they currently do to stop this problem, what should you, the average ATM user, do?

Tips for avoiding ATM skimmers

I wish I could give some really solid advice here, but there are no foolproof methods. Here are the things I do to avoid card skimmers:

  1. Try to use ATMs inside banks, where it’s less likely that someone will install a skimming device.
  2. Quickly look at the parts of the ATM. If you see cheap-looking components that seem like they could come off with a slight tug, beware.
  3. Cover the keypad with your non-typing hand as you punch in your PIN. Scammers need the information on the magnetic stripe of your card and your PIN to gain access to your bank account. If you deprive them of your PIN, they’ve only got half of the information they need. Watch out for fake keypads placed over the real keypad, though, since this can allow scammers to get your PIN no matter how well you cover up when you key it in.


Biometrics over the phone

Straight from the “how cool is that?” department:

You are the victim of identity theft and the fraudster calls your bank to transfer money into their own account. But instead of asking them for your personal details, the bank assistant simply presses a button that causes the phone to produce a brief series of clicks in the fraudster’s ear. A message immediately alerts the bank that the person is not who they are claiming to be, and the call is ended.

But there are still a few hurdles before the technique can be used, including this one:

“It has to be able to reliably recognise people over long time periods,” he says. “For example, a fingerprint taken from a 20-year-old is still valid when they are 60.”


Nigerian scam: a brief history


The Nigerian scam (also called “419” or “advance fee fraud”) is, I was surprised to discover via Snopes, a very old one:

The Nigerian Scam has been emptying the pockets of victims for decades, first through letters, then with faxes, and now via e-mail. In its earliest incarnation, which dates to the 1920s, it was known as ‘The Spanish Prisoner’ con. In that long-ago version, businessmen were contacted by someone trying to smuggle the scion of a wealthy family out of a prison in Spain. But of course the wealthy family would shower with riches those who helped secure the release of the boy. Those who were suckered into this paid for one failed rescue attempt after another, with the fictitious prisoner continuing to languish in his non-existent dungeon, always just one more bribe, one more scheme, one more try, away from being released.

The typso are intentional

Who is falling for these scams? The website for London’s Metropolitan Police says it’s not who you might expect:

The letters are often littered with spelling mistakes and bad grammar. This is a deliberate ploy by the fraudsters to induce the potential victim to believe that he is dealing with uneducated people who would not have the ability to defraud him/her. Nothing could be further from the truth! The majority of victims prove to be professional business people, doctors and lawyers.

Low success, high yield

The 2006 Internet Crime Report, prepared by the National White Collar Crime Center and the FBI, shows that the Nigerian scam accounts for a small percentage – just 1.7% – of reported total dollar losses due to cybercrime, but that seems to be a function of a few people losing a lot of money. The median loss for someone tricked by a Nigerian scam is $5,100, seven times greater than the median dollar loss for other referred cases of fraud, including auction fraud, failure to deliver merchandise or payment, and check fraud.

Spin-offs

The Nigerian scam is so popular it has engendered a new cyber-sport called scambaiting. The goal is to “enter into a dialogue with scammers, simply to waste their time and resources”, as well as to entertain fellow scambaiters with the resulting correspondence, photos, and recorded phone conversations.

A Recent Parody

I AM MINISTRY OF THE TREASURY OF THE REPUBLIC OF AMERICA. MY COUNTRY HAS HAD CRISIS THAT HAS CAUSED THE NEED FOR LARGE TRANSFER OF FUNDS OF 800 BILLION DOLLARS US. IF YOU WOULD ASSIST ME IN THIS TRANSFER, IT WOULD BE MOST PROFITABLE TO YOU.

Read the rest of the spoof here.


What prices tell us about risk


The Economist, reporting research by Symantec, has an interesting chart of the most common goods and services offered by cybercriminals.

You can use the prices on the right of the chart as a sort of risk indicator: if a criminal steals your bank account details, you can expect to lose the amount another criminal is willing to pay (plus the value of the second criminal’s time) to get those details. Keep in mind that these values represent the average (mean) amounts victims will lose and criminals will gain – in reality, some victims will lose a lot more and some a lot less.

Most interesting feature of the chart: email passwords sell for more than full identities. If you think your email password isn’t very valuable, you should know that cybercriminals think otherwise!
