Comments for Perimeter Grid

Comment on Checks: The Most Dangerous Transaction by Charlie

Charlie — Wed, 24 Feb 2010 02:00:58 +0000

Just to relate my own recent experience: I dropped a check in the mail (at an official blue US mailbox in fact) – a large check of $8000 to pay off a car loan. All of a sudden, I started to see large withdrawls out of my checking account to places I had never heard of before. Obviously, I went to the bank right away and they were very good about closing my account and restoring the lost money. It took perhaps ten days or so. The sum of the missing money (done in a couple of transactions to different accounts) was nearly exactly equal to the amount of the large check I had written, which had never been received by the bank that had the car loan.
The guy who works at the bank heard a rumor that the mailbox I mailed the check at was vandalized and mail was taken.
So, yes, checks are scary things!

Comment on Checks: The Most Dangerous Transaction by Grant Bugher

Grant Bugher — Mon, 22 Feb 2010 03:38:01 +0000

Kenneth,

Essentially, they just print out a check with your routing & account numbers on it, print “Signature on file” for the signature line, and give it to their bank. The bank then has your bank debit your account and put the money into theirs. These days it’s usually done electronically rather than by “printing” anything.

Since I originally made this post, it’s gotten a little harder, as the bank issuing the draft is now liable for fraud, rather than the bank paying it. You still have the fundamental problem that the money is already gone and you have to get it back, but at least banks are putting more effort into preventing the fraud as they’ve started to lose their own money to it. There’s a statement from the FTC here that tells a bit more about how it works.

It’s a fraud that requires some setup time — i.e. you need to set up a fake business, get some bank accounts, process some legitimate drafts, and then commit the fraud. You can’t (anymore!) just go to a web site, enter somebody’s account number, and take all the money out. Checking account numbers are, however, still much riskier to give out than credit card numbers, and it’s still a much bigger pain to get the money back.

Comment on Checks: The Most Dangerous Transaction by kenneth

kenneth — Sat, 20 Feb 2010 09:10:34 +0000

i dont really get this, how can someone remove money from my account with just the routing number and account number…its making me nervous because ihave given no less than six people this info

Comment on Anonymity with TOR and its limits by Pete

Pete — Fri, 05 Feb 2010 12:31:43 +0000

Thanks for the info.
My paranoia flag just went up.
After all, you would be paranoid too if everyone was out to get you!

Comment on WPAD: Internet Explorer’s Worst Feature by Grant Bugher

Grant Bugher — Tue, 26 Jan 2010 21:10:51 +0000

I’m not quite sure what sort of attacks against IE “over SSL” you mean. There have, in the past, been attacks against browsers by embedding faulty strings designed to cause buffer overruns directly into the X.509 certificate — the only defenses against these are running a fully-patched browsers (to my knowledge, there are no known attacks of this type that still work on current versions of any major browser) and being cautious as to what you browse to. If you mean simply being attacked by an SSL site (e.g. embedded malware), it’s once again the same mitigations — avoid sites that are often malicious (e.g. warez) and use a current browser. The only thing SSL affects is that network-based IDS systems will not protect you in the case of an SSL site, since they can’t read the encrypted traffic — you’re reliant on host-based protection like anti-virus or anti-spyware software on your own computer. Of course, most people aren’t browsing behind a NIDS anyway, so this is no change unless you’re in a corporate environment.

On the other hand, if you mean attacks not against IE but against SSL itself, such as Moxie’s SSLSniff, they’re hard to detect. One thing that helps is actually opening and verifying the certificate — just because the padlock icon is there doesn’t mean you’re communicating with what you think you’re communicating with. Most of the time attackers don’t forge an entire certificate, just the domain name, so everything else may look wrong (or the certificate may be for * rather than a specific domain.) Once again, use a current, fully-patched browser, as this protects you from null-byte certificates (which actually may look perfect if you inspect them.) And most importantly of all, don’t use insecure wireless networks. Attacks like SSLSniff rely on being a man-in-the-middle — that is, an attacker must be able not just to read your communication but also to modify it. This means either he has to control a router between you and the website you’re talking to, or he has to be on a wireless network with you. The only safe thing to do on an insecure (open or WEP) wireless network is to VPN to a secure network. Anything else is vulnerable.

Comment on WPAD: Internet Explorer’s Worst Feature by Tom

Tom — Tue, 26 Jan 2010 20:45:47 +0000

I understand the countermeasures for IE attacks, but how can you detect an attack against Internet Explorer over SSL?

Comment on BlackHat 2008, Day 1 by cipcipcia

cipcipcia — Mon, 25 Jan 2010 18:22:32 +0000

how can I add to bookrmark your blog? would you like to visit mine? regards!

Comment on SMB Reflection Made Way Too Easy by The Doom of Client-Side Wireless Network Security | Matthias Vallentin

The Doom of Client-Side Wireless Network Security | Matthias Vallentin — Thu, 17 Dec 2009 17:38:13 +0000

[...] if the victim happens to use Internet Explorer, a weakness in Microsoft’s SMB file sharing authentication protocol can be exploited to own the [...]

Comment on BlackHat 2009, Day 1 by blackhatguide

blackhatguide — Mon, 12 Oct 2009 22:26:54 +0000

Hey, great work with the blog! lovin it mate let me know if you want to partner up with my blog as well! =]

Comment on Secure P2P for Pirates by A. peer

A. peer — Mon, 21 Sep 2009 07:45:15 +0000

The fake files is a non-issue, in fact if someone download a file, and its not what he wanted, he wont seed it and report the fake to avoid others to download it.

The torrent of choice must always be the one with the most seeds, not with the most leechers.

he might even report bad quality etc, pointing out the waste of time, problem is, people dont really read before downloading, automating the verifcation could help.

Comment on Checks: The Most Dangerous Transaction by Bonnie

Bonnie — Thu, 03 Sep 2009 16:44:51 +0000

I am 62 years old and have used checks since I was 18 years old.
I never had a problem.
I don’t use credit cards and don’t want any. I simply do not trust any credit card issurer.
I had a debit card until recently when there was fraudulant activity on my account, in spite of how careful I was using it.
The bank said they would send me a new debit card which I said I don’t want.
I will only use an ATM card now so I can get some money out of my account.
I do agree with your last tip to keep as little as possible in
your account.
I’ll keep cash on hand in spite of people telling me it is dangerous.
I have never had my purse stolen, but I sure have had thieves invade my bank account using my debit card !

Comment on BlackHat 2009, Day 2 by Peter Wells

Peter Wells — Fri, 14 Aug 2009 01:55:46 +0000

Every time someone comes up with a scam, we find ways to fight back. It was quite ingenious, I have to admit! But we got ‘em, and the game goes on.

–Peter
peter@tunecore.com

Comment on Checks: The Most Dangerous Transaction by Chris

Chris — Fri, 24 Jul 2009 16:14:20 +0000

Excellent writeup, but I wanted to make two corrections which further enforce your argument. It’s actually a 60 day window, not 30, to report fraudulent charges. And if you still have your card (only the number was compromised) you have no liability at all. The usually-waived $50 liability is for physically stolen cards.

Source: http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm

Using a credit card online is incredibly safe.

Comment on Checks: The Most Dangerous Transaction by Ed Smith

Ed Smith — Sun, 19 Jul 2009 19:31:06 +0000

As far back as 1989 some neighborhood teenagers stole A batch of checks out of my mailbox then one of them got a fake I.D. and went around to stores claiming
he was my son, fortunately a got a call from a store early on so I was able to call the bank and they started checking the signatures before any of them where
paid. Normally even back then they didn’t verify signatures for most checks.
Back 1984 I had an elderly relative that had $7000 transferred from her checking account (forged signature on a letter requesting transfer of 70% of the account balance) to a a bank offshore. The bank reimbursed her.

Comment on Checks: The Most Dangerous Transaction by Jay Godse

Jay Godse — Sat, 27 Jun 2009 06:14:30 +0000

Wow! I didn’t realize that cheques were so dangerous. Thanks for the heads-up on the various risks.

Comment on Checks: The Most Dangerous Transaction by Jack Hamilton

Jack Hamilton — Fri, 05 Jun 2009 04:34:40 +0000

@Walter

I beg to differ. They may not be able to be washed as well as back in the day, but they can still certainly be washed. Back in 2000-2002 I worked as a teller and service manager for Wells Fargo. We would get washed checks all the time. Some we’d catch, others not–and we’d find out about them in our fraud reports. And since most tellers are really just kids in their first or second jobs who don’t have much experience, it wasn’t difficult to fool some of them when cashing–they just wouldn’t notice the fade, especially on a Friday with a high check cashing volume from non-bank holders cashing “on-us” checks. But when we did notice the fade, we’d call the cops. I had at least 2 arrests made during my stint at the bank.

Comment on Checks: The Most Dangerous Transaction by Dr. C

Dr. C — Fri, 29 May 2009 18:27:03 +0000

Having owned and managed the largest check recovery firm in America I must report that the instance of merchants and professional practices receiving fradulant checks is minimal compared to debit/credit cards and the merchants can virtually make taking checks as safe as accepting cash, with the added advantage of creating a paper trail. The costs, both to the merchants, and the user of cards are HUGE compared to checks. The risk of a ‘bad person’ stealing your card (which often times leaves your sight at resturants,etc) is infintenitly more likely than having your check book stolen. The most important plus is that it’s harder to go into debt.

Comment on Checks: The Most Dangerous Transaction by Joel

Joel — Wed, 27 May 2009 09:49:45 +0000

I think the bank mails checks to any person who is not in their system I agreed with Hackers stealing credit card information online often steal entire databases.

Comment on WPAD: Internet Explorer’s Worst Feature by Melvin Guaganik

Melvin Guaganik — Fri, 01 May 2009 19:20:18 +0000

I have a small update. I have successfully disabled the Vista service “WinHTTP Web Proxy Auto-Discovery Service” and I believe I have finally stopped the implementation of the Web Proxy Auto-Discovery (WPAD) protocol.

As of now, I’m not sure what side effects I’ll encounter. Disabling this service may also impact COM Automation and the Win32 API components for sending and receiving HTTP requests from applications. Actually, I might like this since I really don’t like apps accessing the web without my control. My browser still works … that’s good! Well see.

By the way, with Wireshark I now see a lot of different activity on initialization of my internet connection. I need to look into this….

Comment on Checks: The Most Dangerous Transaction by Walter Reason

Walter Reason — Fri, 01 May 2009 17:09:45 +0000

All of those things you claim can be done with paper checks are largely fiction.

Checks can’t be “washed” since 1960’s. Try it some time. All of them have chemical protection against this sort of thing.

Even large corporate checks are printed on tamper proof paper. Try washing those some time. The larger the corporation the more tightly controlled the check stock, and the higher the quality. Even el-cheapo Quicken checks have enough protection to defeat washing and lifting.

Lifting laser printing is also fiction. You can’t really do this and not have it immediately detectable to the naked eye.

Physical reproduction with high quality copiers is a greater risk. Some of these are good enough to reproduce currency. But all of those that ARE good enough embed identifying information into every printed image.

Mountain. Mole-Hill.