Posts

Shred your Boarding Pass

Apparently there are people who take pictures of their airplane boarding pass…and post it online. I’m dead serious. I’ve heard of toddlers getting excited over scraps of paper, but full-grown adults posting images of their boarding pass online? Don’t get me started.

2DLet’s just only say that this is incredulously absurd. Like, who cares about your bleepity bleep boarding pass, right? OK, you got bumped up to First class. SAVE IT. Well wait a minute. Fraudsters care.

Fraudsters also care about the boarding pass that’s left intact in a rubbish can or lying on a seat somewhere.

Few travelers know that the bar code on the boarding pass MAY contain that individual’s home address, e-mail address, name and contact number. All a crook needs is this basic information (revealed via bar code reader off his cell phone!) to get the fraud ball rolling.

  • Keep your boarding pass out of everyone’s sight except the airport employee who requests it.
  • After you no longer need it, tear it up and flush it down a toilet.
  • When you arrive to your hotel, don’t bring it with you to your hotel room and leave it sitting out in full view. Shred and destroy it prior.  Putting it in the hotel room trash isn’t enough. Realize that when you’re not in the room, maids and other hotel employees can gain access—and I can’t say it enough: You just never know who has a bar code reader app.
  • And for Heaven’s sake, don’t post images of it online, if for no other reason, this makes you come across as less interesting than a doorknob. In fact, don’t even think of taking a picture minus the bar code. You just never know with today’s technology what a crook could get off an image online.

Man, if you still don’t believe me about any of this, check out these two very short but alarming videos. You’ll be flabbergasted at how much information about you a techy thief could get off of your boarding pass! “If a hacker can find it, he can find YOU!”

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Can Hackers Use FraudFox VM to Defeat Your Fraud Prevention?

In the last few days, a number of tech magazines like Computerworld and PC Advisor have reported that FraudFox VM poses a threat to the security of online businesses—especially banks and payment services.

4DFraudFox VM is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware’s Workstation for Windows or VMware Fusion on OSX. It’s for sale on Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or about $390.

FraudFox VM was created to defeat device recognition, or fingerprinting, which is used in fraud prevention to assess the risk of a device connecting to a business. Web browsers are used to collect data like operating system version, time zone and IP address. Each of these characteristic can be used to assess risk and uncover possible fraud.

So how worried should your business—and customers—be about this new software? I sat down with Scott Waddell the Chief Technology Officer of iovation, the fraud prevention experts, to find out what the reality is behind the media headlines.

  1. How reliant are banks and financial institutions on this kind of technology to stop fraudulent transactions these days? Is fingerprinting used more for mobile than on desktop?
    Banks leverage device reputation solutions with great success in both fraud mitigation and risk-based authentication strategies. Of course, good security is all about layered defenses, so smart banks use these tools as part of a defense-in-depth strategy to avoid over-reliance on any one security technology.Device recognition is used on all Internet connected devices these days, mobile and desktop alike. Mobile transactions are the fastest growing segment being protected with these tools, but the majority still originate from desktop operating systems.
  2. Do you think this would be an effective method for cybercriminals to get around those defenses?
    FraudFox VM may be interesting for its purpose-built virtual machine packaging, but there’s really nothing new in the approach. Tools have been available to fraudsters for years to facilitate changing device parameters, manipulating JavaScript, blocking data collection, obscuring IP address and location, and so on. Many of these capabilities have even migrated into easy-to-use settings in the major web browsers to make testing easier for web developers.Device reputation solutions have evolved along with such tools and continue to provide great uplift in fraud catch in spite of them.

    From the reported attributes that FraudFox can change, it would be unable to evade native recognition tools (those embedded in native desktop apps) and it would stumble over transactional similarity scoring on the web that considers more device attributes along with tagged recognition. So the tendency at financial institutions would be to trigger step-up authentication to one-time passwords through out-of-band channels (SMS, mobile app, voice) that FraudFox could not intercept.

  3. Is possible to fake browser fingerprints manually or using other tools? Does this thing look like a good consolidation of other tools that people might use to defeat fingerprinting?
    As previously mentioned, there are other tools and techniques fraudsters use to evade recognition or to try to mimic the devices of their victims. These often stand out from actual browsers in ways that defeat their intended purpose. A couple years ago, the Gozi Prinimalka trojan attempted to duplicate device attributes of compromised systems much as FraudFox VM aims to do. However, its limitations made it ineffective against modern device reputation offerings that evaluate risk and reputation through multiple strategies including link analysis, profiling techniques, velocity rules, proxy and Tor unmasking, device attribute anomalies, and more.FraudFox VM seems to be relatively limited in its capabilities considering the variety of techniques sophisticated fraud mitigation tools bring to bear.
  4. Any other thoughts?
    It’s certainly interesting to see tools like this for sale on Evolution, which appears to be catering to fraudsters and identity thieves. All the more reason for online businesses to take advantage of collaborative technologies that bring the power of community to the fight against the increasingly organized economy of cybercrime.

Fraudsters will always look for new ways to commit cybercrimes. However, a strategic, multi-layered approach to fraud prevention is the best defense.