
Thieves steal 30 Cars using Software

Who needs a hanger to steal a car when you can use a laptop? Despite today’s vehicles having far more sophisticated security protection, thieves can still break in—like the two crooks who stole at least 30 Dodge and Jeep vehicles…with just a laptop computer.

In Houston, video showed the pair in the act, though authorities are still working on piecing together just how the capers were pulled off.

One possibility is that a database contains codes that link key fobs to cars. Perhaps the thieves, who may be part of a ring, somehow got access to this database (one theory is that a crooked employee sold them the access), and from there, created key fobs based on vehicle ID numbers. VINs are visible on vehicles. Vehicles that are targeted for theft don’t “know” an authentic fob from a fraudulent one.

Again, this is all conjecture, but one thing’s for sure: The pair did not steal the vehicles the old-fashioned way.

Though today’s electronic security measures will stop the thief who lacks techy know-how and prefers the coat hanger and hotwire method, technology won’t stop smarter, more ingenious crooks who feel quite at home committing cyber-based crimes.

With more and more criminals relying on the Internet of Things to commit all sorts of crimes, maybe the best security for a motor vehicle would indeed be one of the old-fashioned security features: install a kill switch.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Hacking Cars Getting Easier and More Dangerous

If your car is in any way connected to the Internet, it can get hacked into. You know it’s only a matter of time before hackers begin infiltrating motor vehicles in droves, given that vehicles are plagued with hundreds to thousands of security vulnerabilities.

This hack is more serious than you think. Drivers and passengers should be aware that “flawed” and compromised vehicles can suddenly be taken over remotely, with the engine shut down in the middle of a highway or the car driven into other cars. And it’s not just cars, but 18-wheelers and busloads of people.

In fact, white-hat hackers (the good guys) have even demonstrated that a bad hacker could take control of a motor vehicle, ranging from annoying pranks such as turning on the windshield wipers and radio, to potentially lethal actions like stopping the engine.

Hackers could demand ransom from governments in bitcoins for the return of the vehicles’ control to their drivers. Or, as the Assistant Attorney General for National Safety has indicated, “connected cars are the new battlefield”. Connected cars could be used by terrorist organizations to create havoc on a mass scale. The possibilities are limited only by the imagination.

This concern has motivated the FBI, Department of Transportation and the National Traffic Safety Administration to issue a public safety alert, warning consumers to keep to their service schedule so that their cars’ software can be upgraded with remedies for those security vulnerabilities.

Solutions are available and in the works.

  • If your car has any web-connecting abilities, do your research for year/make/model. Search “hacked” along with the car’s particulars.
  • Manufacturers that have discovered security vulnerabilities (often because a researcher makes it public) have offered subsequent patches in response. These notices may come in the mail or through a dealership.
  • It’s important to check your car manufacturer’s website to determine if a vulnerability exists.
  • A connected vehicle has ECUs: electronic control units. An article in Fortune says Karamba Security’s “Carwall” can detect and thwart cyber attacks. Carwall is like a firewall for your vehicle ECU. It detects anything that’s not permitted to load or run on ECUs.

When the ECU software is being built, security software can be seamlessly embedded, becoming part of the entire process. No change of code, no developers’ know-how, no false positives and no hacks. Problem solved.

5 Auto Repair Scams

You take your car to the mechanic; it’s been making a funny grinding noise when you press on the gas pedal. The mechanic tells you what’s wrong and what needs to be fixed, then socks you with the estimate.

How can you tell he’s not embellishing a lot of the “diagnosis”? You know nothing about cars. You have to take his word for it. What if the second opinion is also from a scammer and sounds a lot like the first opinion? You’re screwed.

An article at carbuying.jalopnik.com describes five auto repair scams.

Charging for repairs you don’t need.

  • The mechanic says he fixed the problem.
  • The problem still persists.
  • You take the car back and he “diagnoses” the “real” problem and fixes that.
  • The problem still exists.
  • The game repeats until the issue is finally corrected, but you get charged for the first two “repairs,” which never had to be made in the first place. The mechanic scammed you, and this is illegal.

Saying something is wrong when it’s not.

  • What an easy way for a mechanic to make money and get away with it, especially if the “something wrong” is a small repair. He can really clean up if he pulls this stunt on dozens of customers.
  • A version of this is to find something out of place or not working optimally and tell you it needs to be replaced—even though a repair will fix the problem.
  • This is illegal in many states.

Overcharging for parts or labor. 

  • It’s so easy for a mechanic to do this. How do you know that the four-hour job wasn’t really a two-hour job?
  • Do you know how much a shock absorber or new brakes should cost?
  • Though prices for the same product vary from one shop to the next, consider yourself scammed when the charge is way over the norm.
  • You also shouldn’t pay a mechanic for his inexperience. If he honestly took four hours to do a job that should have taken two hours, you should not be charged for the extra two hours.
  • Get a price and labor estimate before authorizing the work. AND GET IT IN WRITING.

Theft

  • Yes, mechanics have been known to steal valuables including performance features of the vehicle. Even taking a candy bar is illegal.
  • The shop may tell you to file an insurance claim. They’re scamming you because this isn’t how it should work. Since they had possession of your car, the onus is on them if something is missing.
  • Don’t leave valuables in your car.

Joyriding

  • In your car, that is.
  • After the work is completed, the mechanic takes your wheels for a spin.

Damaging your car by accident.

  • They owe you to fix the damage.

If you believe you were scammed, call your lawyer, not your insurance company.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Online Auto Sales Often Involve Scary Scams

Online auction and classifieds websites are unwittingly participating in car sale scams. Ads gain credibility by appearing on eBay, Craigslist, and other online automobile sales websites, but some are either completely phony or have been copied and pasted from other websites.

The FBI’s Internet Crime Complaint Center received nearly 14,000 complaints from 2008 through 2010, from consumers who have been victimized, or at least targeted, by these auto sale scams. Of the victims who lost money, the total dollar amount is staggering: nearly $44.5 million.

The FBI explains how the scam works:

“Consumers find a vehicle they like—often at a below-market price—on a legitimate website. The buyer contacts the seller, usually through an e-mail address in the ad, to indicate their interest. The seller responds via e-mail, often with a hard-luck story about why they want to sell the vehicle and at such a good price.

In the e-mail, the seller asks the buyer to move the transaction to the website of another online company….for security reasons….and then offers a buyer protection plan in the name of a major Internet company (e.g., eBay). Through the new website, the buyer receives an invoice and is instructed to wire the funds for the vehicle to an account somewhere. In a new twist, sometimes the criminals pose as company representatives in a live chat to answer questions from buyers.

Once the funds are wired, the buyer may be asked by the seller to fax a receipt to show that the transaction has taken place. And then the seller and buyer agree upon a time for the delivery of the vehicle.”

Consumers should watch out for the following red flags:

  • Cars are advertised at too-good-to-be-true prices
  • Sellers want to move transactions from the original website to another site
  • Sellers claim that a buyer protection program offered by a major Internet company covers an auto transaction conducted outside that company’s website
  • Sellers refuse to meet in person or allow potential buyers to inspect the car ahead of time
  • Sellers who say they want to sell the car because they’re in the U.S. military about to be deployed, are moving, the car belonged to someone who recently died, or a similar story
  • Sellers who ask for funds to be wired ahead of time

Online classified and auction websites could work together, and share information on the devices running these scams, through the device reputation service provided by iovation Inc. Their fraud detection service, called ReputationManager 360, is a B2B SaaS solution incorporating complex device identification, device reputation and real-time risk profiling. It is used by hundreds of online businesses to prevent fraud and behavioral abuse in real time by analyzing the computer, smartphone, or tablet connecting to their online properties.

iovation’s “living shared database” is used by fraud analysts daily and shares the reputations of devices from literally every country in the world. This reputation is a combination of fact-based evidence (such as actual chargebacks, identity theft, online scams and account takeovers), plus what risk can be inferred at transaction time. Fraud analysts take this fight seriously and submit 10,000 events of fraud or abuse into the shared database each day.

Performing a device reputation check on a scammer attempting to create a new account at a sale or auction website would stop him before he has a chance to post advertisements for scams, preventing damage to the business and its customers. And when one of your good customers has been scammed, you can submit that evidence back into the iovation database to make sure it does not happen again, whether from the same device, or a related device.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures.