Contactless card fraud? Easy. All you need is an off-the-shelf scanner

Consumer association magazine Which? has highlighted a security flaw in contactless card systems, which, if combined with a lack of checks by retailers, could be exploited by thieves to make expensive online purchases. Researchers bought contactless card-reading technology from a mainstream website before using it to remotely …

  1. Yugguy

    Who's laughing now???

    Not all you downvoters who mocked my RFID-proof wallet, that's for sure.

    Ain't no one slurping my details.

    1. Steve Davies 3 Silver badge

      Re: Who's laughing now???

      That won't stop the down voters but I'm there with you with the Wallet. I have an anti-RFID Passport cover as well.

      1. BillG

        Re: Who's laughing now???

        Not all you downvoters who mocked my RFID-proof wallet, that's for sure.

        Question - do RFID-proof wallets set off airport metal detectors?

        1. Annihilator Silver badge

          Re: Who's laughing now???

          "Question - do RFID-proof wallets set off airport metal detectors?"

          Yes. But really, just put all your belongings in the little tray they give you, metal or not. It's just easier!

          1. AMBxx Silver badge
            Coat

            Re: Who's laughing now???

            For the more style aware, just use a pair of scissors to cut an inch into the card where the wires are. Job done.

            1. Yugguy

              Re: Who's laughing now???

              No, mine is not one of those weird looking metal mesh ones, it's a nice looking brown leather one with the mesh hidden in inside.

            2. enormous c word

              Re: Who's laughing now???

              Contactless cards are a bad idea - they're easy to scam and let's face it, most of us have several cards, so at £30 per transaction per card, that soon adds up to £100s just by some scammer with a scanner brushing by you and swiping your card details.

              So the aluminium/tinfoil+duct tape home-made wallets do work and if you are careful, cutting off a corner of your card should break the RFID aerial. But if you just contact your bank and demand a non-contactless card they are obliged to send you a replacement one - that way you can make it plain you don't want any contactless (securityless) cards.

              Thing is - this is a scam - by the banks, they don't want you to pay for stuff with cash because they can't control the transaction, they want to skim a little bit off every transaction in micro-fees. If there is fraud, they will simply refund it and recoup the costs through lower-interest rates and/or bank charges - so as always you the consumer lose.

              Contactless sucks - call your bank and demand a conventional card.

          2. Intractable Potsherd

            Re: Who's laughing now??? @Annihilator

            Apart from handing my passport to border control and (depending on airport) the check-in staff, I do not let my passport leave my pocket/hand, and my cards stay in my pocket too. There is no way on earth I'm putting them in the tray. I'd be pissed off if my wallet/ebook/phone went missing, but they are all insured and easily replaceable - not so my passport and cards.

    2. Velv

      Re: Who's laughing now???

      While I upvote your RFID wallet, the key thing here is not the stealing of the card number, but the fact that merchants are accepting orders without checking the details. Why bother even stealing card numbers if the merchant isn't validating the address and CVV. Just make numbers up (there's a formula) and put the orders through, some will fail but I'm betting some will succeed.

      Security works best when it's multi-layered. An RFID wallet is one good layer, but an RFID wallet is just as easily pick-pocketed as a standard wallet, so that's where all other protective measures come into play. The big issue comes when banks refuse to acknowledge fraud is possible at all stages.

      1. Christoph

        Re: Who's laughing now???

        "Official fraud figures show losses attributable to contactless fraud are less than 1p per £100, a very small percentage of the overall figure."

        If the banks behave the same way as they usually do, they won't just refuse to acknowledge fraud is possible, they will have their defrauded customers arrested.

        So it's hardly surprising that their official fraud figures are low.

      2. This post has been deleted by its author

    3. Cuddles Silver badge

      Re: Who's laughing now???

      "Not all you downvoters who mocked my RFID-proof wallet, that's for sure.

      Ain't no one slurping my details."

      From the article:

      "The hack relied on getting volunteers to tap their cards onto a bogus card reader."

      "'I don't think the fact it is contactless is the issue here, as a traditional card skimmer would be able to take those details even from a traditional chip and pin purchase,' Dine said."

      I don't think your tinfoil wallet is going to help all that much, since your details can still easily be slurped if you ever actually use your card. This study had absolutely nothing to do with contactless cards; exactly the same could have been done using the magnetic stripe, chip and pin, those funny machines where they stamp the numbers onto carbon paper, or just looking at the card and remembering the numbers. As long as using your card involves potentially untrustworthy people and hardware (i.e. always), this problem is going to be present. It doesn't matter how safe you keep your card when not in use, it's the use itself that is inherently insecure.

  2. Lxbr
    WTF?

    Where are they shopping

    Where are Which? shopping online that they don't need to enter a CVV code or use 3D Secure? Because that sounds really convenient, if amazingly insecure.

    1. mark 120

      Re: Where are they shopping

      Amazon doesn't require a CVV.

      1. Anonymous Blowhard

        Re: Where are they shopping

        "Amazon doesn't require a CVV"

        They do the first time you use a card, but not for subsequent transactions.

        As far as the online fraudulent purchases go, they could probably get the same details from the front of a card using a camera aimed at a reader.

        1. Salts

          Re: Where are they shopping

          @blowhard

          Just to add for Amazon if you ask for delivery to a different address then you must give the CVV of the card for the first order to that address.

      2. Anonymous Coward

        Re: Where are they shopping

        I bought something 30 minutes ago from Amazon with a company credit card I had never used there before (it was something I needed for work, honest). I wasn't asked for the CV2, and neither did it activate the card's 3-D Secure SMS verification.

    2. Tony W

      Re: Where are they shopping

      And which bank is it that doesn't insist on the data that I've taken a lot of trouble to store securely? I'd like to avoid it.

    3. Anonymous Coward

      Re: Where are they shopping

      Curry's/PC World.

    4. Anonymous Coward

      Re: Where are they shopping

      My Visa cards almost always ask for the 'Verified by Visa', but I often pay with one of my girlfriend's Mastercards, and I don't think I've had their equivalent pop up more than once or twice, even though it's set up on all her cards. The box usually flashes up in passing, but that's it.

      1. Anonymous Coward

        Re: Where are they shopping

        "My Visa cards almost always ask for the 'Verified by Visa', but I often pay with one of my girlfriend's Mastercards"

        Upvoted for having your girlfriends pay for your stuff. You run a pattern?

        1. AMBxx Silver badge
          Boffin

          Re: Where are they shopping

          I thought Verified by Visa et al. had been scrapped. They were too easy to circumvent and just placed the risk on the card user.

    5. Warm Braw Silver badge

      Re: Where are they shopping

      It certainly used to be common for suppliers to do offline auths - they'd save the card data entered on the website and process it in batch along with their mail order card auths. This is insecure for the merchant if they don't take the CVV and match the delivery and billing address. However, it's insecure for the customer if they do, as the merchant has an electronic record of all that information, possibly in perpetuity.

      This isn't supposed to happen any more (PCI rules), but it's not uncommon for merchants to "take a view" on the risk of non-compliance (particularly if they're at a level they can self-certify), much as they do on the benefits vs. risks of ignoring the Data Protection Act.

    6. chris 17 Silver badge

      Re: Where are they shopping

      I have several new (this year) credit cards that don't use 3D Secure.

    7. BristolBachelor Gold badge

      Re: Where are they shopping

      The vendor is not allowed to store the CV2, which means that they can only take it if they bill you that second. However, they are not allowed to bill you until they actually supply the goods or service (in the UK). Anyone who takes an order and then seems it later cannot officially use the CV2.

      I'd be more upset that they've created a new system that has EXACTLY the same, known flaw as the last one, which is that it always uses the same number for every single transaction. Was it designed by someone more stupid than Homer Simpson?

  3. theOtherJT

    Attack of the clones

    Ok, you're going to struggle to buy thousands of pounds worth of goods with this - but surely the real way to abuse this system is with a cloned card and just keep paying for little things? Keep a stack of them and never pay for your tube journey again. Never pay for your petrol again (only fill up 1/4 of a tank at a time). Never pay for your round in the pub again... That's what has always really worried me about this contactless thing. Just because it's a small amount of money per transaction doesn't mean someone couldn't systematically steal a lot from you before your next bank statement arrives - I mean, who actually checks theirs daily to make sure it all lines up?

    1. sugerbear

      Re: Attack of the clones

      "Ok, you're going to struggle to buy thousands of pounds worth of goods with this - but surely the real way to abuse this system is with a cloned card and just keep paying for little things? Keep a stack of them and never pay for your tube journey again. Never pay for your petrol again (only fill up 1/4 of a tank at a time). Never pay for your round in the pub again... That's what has always really worried me about this contactless thing. Just because it's a small amount of money per transaction doesn't mean someone couldn't systematically steal a lot from you before your next bank statement arrives - I mean, who actually checks theirs daily to make sure it all lines up?"

      Sigh... your comments are typical of the ill informed "security researchers" that pop up every now and again to tell the world (and sell a story to a newspaper) about some hole in EMV or contactless.

      Your idea of living off someone's card is unworkable. It is sad because a little lie goes a long way on the internet. The terminal generates a random number which then forms the ARQC that the issuer validates. So unless you can pre-predict the random number that the terminal will generate, your idea is a crock of shite (excuse my French).

      1. theOtherJT

        Re: Attack of the clones

        Ok, sugerbear*

        So, I borrow your contactless card in the pub and go get your round in for you. I don't need your pin, I don't need your address, I just press the card against the reader the nice barman points at me, and I paid for some beers with your card. Job done. Beers for the both of us.

        Now let's say I take your card without asking. I can still do this. You'll get wise pretty soon, because you'll notice your card is missing and cancel it, but I have at least that long to enjoy tasty, tasty beers on you.

        If in that time I can successfully clone your card and get it back to you so you don't know I've got a copy - A thing we know to be possible because it happens already - then I can keep paying for things with it as long as I never go over £20 and the place I'm buying from supports tap-to-pay, right up to the point your next bank statement rocks up and you notice that you've been spending an awful lot more time in the pub than is plausible for someone earning an honest living.

        So, sugearbear**, at what point do I need to start predicting numbers in this scenario?

        * This was worth it just to say that...

        ** Still funny.

        1. Phil O'Sophical Silver badge

          Re: Attack of the clones

          If in that time I can successfully clone your card and get it back to you so you don't know I've got a copy - A thing we know to be possible because it happens already - then I can keep paying for things with it as long as I never go over £20

          There is supposedly a second level of protection: after some small (5-6?) number of transactions the terminal will ask for a PIN, just as a check. I have no idea if this actually happens (my contactless card has a hole through the antenna), nor if Apple Pay implements it, though.

          1. jonathanb Silver badge

            Re: Attack of the clones

            Normal pay-by-bonk cards do require a PIN every so often. Apple Pay doesn't, but requires a fingerprint instead.

          2. enormous c word

            Re: Attack of the clones

            @sugarbear,

            Hello....

            ...Apparently sugarbear has run away in the face of common sense and the harsh realities of life away from 'care bear land'

        2. sugerbear

          Re: Attack of the clones

          @ theOtherJT

          You would have to steal my card first. But fair enough, you take my card and use it to buy everyone a round in the pub. I report it to my bank and the money is refunded; I have lost nothing in that scenario because I have not been negligent. You may or may not be filmed on CCTV buying those beers and if you are the type of person that does that kind of thing you are at some stage going to get caught.

          "If in that time I can successfully clone your card and get it back to you so you don't know I've got a copy" how have you cloned the secure element of the chip and extracted the keys? Do you have access to a lab of some sort?

      2. Dabooka Silver badge

        Re: Attack of the clones

        @Sugerbear

        Except it isn't, is it? Not really. I don't see why a few small purchases throughout the month wouldn't have a reasonable chance of going unnoticed by the sort of person who uses wireless to pay for small things. So, you know, not really a crock at all, unless you can explain exactly how your ARQC reference would actually stop someone doing this?

        1. sugerbear

          Re: Attack of the clones

          @Dabooka.

          You don't understand because you don't understand how EMV works, maybe?

          Anyway, short answer:

          The terminal generates a random number that is sent to the card along with a bunch of transaction info. The card then uses a secret key to generate an ARQC. The terminal then sends the random number + transaction information to the issuer, who also holds a copy of the secret key. The issuer then uses the information supplied to the chip to recreate the ARQC and compare it to the one the chip generated. You can check the EMVCo manuals if you want to investigate further.

          If you understand how it works you will understand why cloning a contactless transaction so you can use it later in a contactless terminal won't work, because you can't predict the random number that the terminal will send to the card when you attempt to replay it.

          1. theOtherJT

            Re: Attack of the clones

            Possibly we're misunderstanding one another here, sugarbear*

            I'm not worried that someone is going to wirelessly snoop my card. I'm worried that someone is going to clone my card by other means - as actually happened to me a few years back - and it's going to be basically impossible for me to prove to my bank that I'm not the one ringing up the massive bar tab.

            Maybe they'll be kind and refund me anyway - but that wasn't my experience last time. It was a bit of a pain.

            What you seem to be saying is that the chip in the contactless ones is harder to copy than the one in the old chip-n-pin style ones, is that so?

            * last time, I promise, but your handle is cute and makes me smile every time I say it!

            1. Fuzz

              Re: Attack of the clones

              @theOtherJT what sugarbear is saying is that it isn't possible to make a working replica contactless card using the information that can be obtained from the card. If you have in the past had your card cloned, either

              1. The information from the card was used to shop online

              2. The card was used in a store with the details read from the mag stripe or entered directly into the till

              This article is about lax security verification in online stores. The contactless card part is moot, I could obtain this information using CCTV cameras, if you have an American express card I can even get the CV2 since this is on the front of those cards.

      3. chris 17 Silver badge

        Re: Attack of the clones

        To add to your post, the chip in the card generates the ARQC which is sent to the card issuer, the card issuer verifies this as being genuine with an ARPC response to the card which validates it received a response from its issuer.

        https://www.visa-asia.com/ap/center/merchants/productstech/includes/uploads/CTENov02.pdf

        http://www.atmmarketplace.com/videos/arqc-and-arpc-generation-and-validation/

        Simply reading the card data with a reader should not be enough to clone it, as you actually need the chip in the card to do the encryption handshake at the point of sale.
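The ARQC/ARPC round trip that sugerbear and chris 17 describe, as an added illustration that is not from the thread or from EMVCo's specifications: HMAC-SHA256 stands in for the card's real session-key MAC, the PAN and key are constructed placeholders, and the card's transaction counter (ATC), which real chips also send, is included so the issuer can reject a straight resubmission as well as a cryptogram made over a different Unpredictable Number.

```python
import hashlib
import hmac
import os
import struct


class Card:
    """Chip side: the key is shared only with the issuer and never leaves the chip."""

    def __init__(self, pan, key):
        self.pan = pan
        self.key = key
        self.atc = 0  # Application Transaction Counter, bumped on every transaction

    def generate_arqc(self, unpredictable_number, amount_pence):
        """Return (ATC, ARQC) over the data the terminal supplied for this tap."""
        self.atc += 1
        data = struct.pack(">IQH", unpredictable_number, amount_pence, self.atc)
        arqc = hmac.new(self.key, data, hashlib.sha256).digest()[:8]
        return self.atc, arqc

    def verify_arpc(self, arqc, arpc):
        """Check the issuer's ARPC so the chip knows a genuine issuer answered."""
        expected = hmac.new(self.key, arqc, hashlib.sha256).digest()[:4]
        return hmac.compare_digest(expected, arpc)


class Issuer:
    """Holds a copy of each card's key and the last ATC it accepted for it."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enrol(self, pan, key):
        self.keys[pan] = key
        self.last_atc[pan] = 0

    def authorise(self, pan, unpredictable_number, amount_pence, atc, arqc):
        """Recreate the ARQC from the submitted data; return (approved, ARPC)."""
        key = self.keys[pan]
        data = struct.pack(">IQH", unpredictable_number, amount_pence, atc)
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, arqc):
            return False, None  # cryptogram was not made over this UN/amount/ATC
        if atc <= self.last_atc[pan]:
            return False, None  # counter already seen: a straight resubmission
        self.last_atc[pan] = atc
        arpc = hmac.new(key, arqc, hashlib.sha256).digest()[:4]
        return True, arpc


class Terminal:
    """Point-of-sale side: chooses a fresh Unpredictable Number for every tap."""

    def __init__(self, issuer):
        self.issuer = issuer

    def fresh_un(self):
        return int.from_bytes(os.urandom(4), "big")

    def pay(self, card, amount_pence):
        un = self.fresh_un()
        atc, arqc = card.generate_arqc(un, amount_pence)
        approved, arpc = self.issuer.authorise(card.pan, un, amount_pence, atc, arqc)
        return approved and card.verify_arpc(arqc, arpc)

    def present_stored_cryptogram(self, pan, amount_pence, atc, arqc):
        # A "clone" holding only a recorded ATC/ARQC pair and no key cannot
        # answer the new UN, so all it can do is resubmit the old values.
        un = self.fresh_un()
        approved, _ = self.issuer.authorise(pan, un, amount_pence, atc, arqc)
        return approved


def build_demo():
    issuer = Issuer()
    key = os.urandom(16)                # constructed per-card key for the demo
    card = Card("PAN-DEMO-0001", key)   # placeholder PAN, not a real card number
    issuer.enrol(card.pan, key)
    return card, Terminal(issuer)


def genuine_tap_is_approved():
    card, terminal = build_demo()
    return terminal.pay(card, 250)  # a £2.50 tap


def recorded_cryptogram_is_rejected():
    card, terminal = build_demo()
    # Record one genuine transaction as a reader between card and terminal
    # could: it sees UN, amount, ATC and ARQC, but never the key.
    un = terminal.fresh_un()
    atc, arqc = card.generate_arqc(un, 250)
    approved, _ = terminal.issuer.authorise(card.pan, un, 250, atc, arqc)
    # Later, present the recorded pair at a terminal that picks its own UN.
    replayed = terminal.present_stored_cryptogram(card.pan, 250, atc, arqc)
    return approved and not replayed
```

The same check also rejects a cryptogram resubmitted with a changed amount, since the amount is part of the data the issuer recomputes the ARQC over.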

    2. jonathanb Silver badge

      Re: Attack of the clones

      Petrol purchases are linked to a photo of your number plate. They can be faked, but if it isn't on the insurance database, you risk getting stopped by the police.

      1. Anonymous Coward
        Stop

        Re: Attack of the clones

        so clone a legit number plate - not difficult

  4. Mage Silver badge
    Facepalm

    I said before

    This tech as implemented, was designed for warehouses. It should NEVER have been mis-applied to passports, credit/debit cards, retail labels, travel and door locks.

    A connector (such as on cards already) is better. Though there is a horrible flaw in Chip and Pin that need not exist.

    For retail tags any info should be in a database, only a serial number for warranty return purposes in the product.

  5. thesykes

    No CVV and no Verified by Visa / Mastercard Securecode?

    Name and shame the sites and get the banks, Visa and Mastercard to refuse to allow online transactions with them.

    Bypassing the most fundamental of security checks is ridiculous, and I would've thought the retailers themselves would have to stand to any losses.

  6. Ed

    I know one of the big mobile companies' websites that doesn't check the CVV number when topping up, despite asking for it. You can type any number you like in. This has been the case for the last 2 or 3 years.

    1. Dabooka Silver badge

      Common thing amongst the crooks

      When my CoOp debit card was used rather naughtily a couple of years ago, the chap on the phone was chatting while we went through the transactions. He said (and I have no reason to disbelieve him) that they'll often try a mobile top up of £10 or suchlike to see if the card's active and open to be hammered, and that they require next to no security checkups.

  7. Notenoughnamespace

    We've been here before, and last time we had video too:

    http://www.theregister.co.uk/2013/04/29/cbc_nfc_tv/

    http://www.theregister.co.uk/2010/12/10/nfc_security/

    The video makes it more scary, to my mind, not to mention an excuse for lots of bum footage.

  8. Dabooka Silver badge

    Still not for me.

    I know this argument goes on and on, but I STILL don't see the need.

    I don't and won't use contactless but I am aware they're in my wallet regardless. When I find a nice one that blocks RFID I'll probably get it, for now I'm confident the 'white noise' emitted from the plethora of plastic will do a half decent job.

    1. Chloe Cresswell

      Re: Still not for me.

      Or if it's some banks... you can just ask for a card without the contactless.

      1. 4ecks

        Re: Still not for me.

        HSBC did that for me. Card came with contactless, phoned them and got it disabled that day, new non-contactless card received a few days later.

        Still upset with their new less secure password only internet/phone banking logon facility that can't be disabled.

        I don't want it to be easy to make a payment or access my account, a minimum of 2FA please - something I have & something I know.

  9. Anonymous Coward

    Hang on, this is *news*?

    We tested NFC cards in the lab when they were introduced and we could read them comfortably from about 1m distance with not too much in the way of equipment. That was the last time any of us used an NFC enabled card, and this was when they first introduced this stupidity.

    Which? is a mite late to figure this one out IMHO.

    1. YetAnotherLocksmith

      Re: Hang on, this is *news*?

      To be fair, they are flagging up that nothing has been done to fix this flaw yet, which is correct. And Which? is also correct.

      Regarding security, surely these are vulnerable to a MITM radio attack? Use a booster scanner to get the signal to your radio bridge, then beam both sides of the conversation to/from your fake card which has a tiny radio in it and that plays back whatever is asked to the real card.

      You know, just like car thieves do!

  10. Steve Davies 3 Silver badge
    Black Helicopters

    Is this just making the case for

    systems like Apple Pay?

    or is that still vulnerable when you press on the fingerprint scanner and make the transaction?

    1. Anonymous Coward

      Re: Is this just making the case for

      The DPAN you would read from an ApplePay device won't work for a non-contactless transaction. Some contactless cards also have a different PAN in the chip from that embossed on the card, and the PAN captured in this way also wouldn't work for a non-contactless transaction.

  11. Terry 6 Silver badge
    Joke

    Disappointed

    I thought the Which report was about recommending the best card scanner. :-)

  12. This post has been deleted by its author

    1. Anonymous Coward

      Re: banks

      Move banks. HSBC replaced ours in 2 days.

      1. Anonymous Coward

        Re: banks

        Just called NatWest. Two mins on the phone and a new card is on the way.

        No contactless.

        The person I spoke with said that she'd had four calls about this today. All El Reg readers by any chance?

        1. jonathanb Silver badge

          Re: banks

          It has been reported in the mainstream media as well.

        2. Alan Brown Silver badge

          Re: banks

          "No contactless."

          'Very well, I'd like to close my account.'

          Watch how fast they'll change that tune.

      2. PNGuinn
        Go

        Re: banks

        Also Natwest a few months ago. Sent me a new super dooper contactless debit card without asking my permission first. They obviously thought I was some sort of paranoid nutter, but the new standard card arrived a couple of days or so later.

        Silly beggars. They should have asked me first.

        If you have trouble with your bank I suggest microwaving the little blighter - shows up the antenna a treat. Then go in and show it to them telling them it went phatang and ask for a new one. Ask again for a non contact one. If necessary explain, politely, in pedantic detail, just why the old card went phatang and the reasons for the research.

        For bonus points ask if they can supply pre-cut shielding so that you can phatang the remote reading bit on its own without disabling the chip and pin bit. Politely point out the health and safety and legal risks of cack-handed wielding of a craft knife.

        Be prepared to change banks if you have to, but at least you'll have upset them already before you upset them by closing your account.

        Double bonus points if you have an audio recording or better a video to share on social meeja if they still want to be eejits.

        1. Yugguy

          Re: banks

          Barclaycard only do contactless now.

    2. JP19

      Re: banks

      "will not give me the choice of having cards without it"

      The cards have an antenna coil which can be disabled with a small cut. On my cards it has been on the same side as the mag stripe. Some cards are transparent enough to see the coil when held to a very bright light (a phone flash LED can work).

  13. Anonymous Coward

    I still like the good old-fashioned hack

    Of eavesdropping on people on the train who give out their card details in very loud voices when making purchases over the phone. Not that I've ever exploited it. But I have actually sat near a group who, from their conversation, were obviously highly paid 'digital' consultants. One of them went on to do just this, and the others failed to say afterwards that it was a silly thing to do. I was very tempted to say something as I got off the train.

  14. VinceH

    Optional

    Something nobody has commented on. Am I the only one who spotted it - or who didn't already know this information was stored on the card?

    "With an easily obtainable reader and free software to decode data, they were able to read the card number and expiry date from all 10 cards. Limited details of the last 10 transactions were also exposed."

    The Which? article merely says "We were also able to read limited details of the last 10 transactions" - so no more information there.

  15. Oldfogey
    Coat

    Soon....

    In September the contactless payment limit goes up to £30.

    If it's 5 uses before a pin is requested, then that could be £150 down the drain.

    My coat is the one with the lead lined pocket with a combination lock.

  16. Alan Denman

    finger licking good?

    Just maybe this means that for any upcoming iPhone thefts the thieves will let you keep your finger.

  17. Alan Brown Silver badge

    "With an easily obtainable reader and free software to decode data"

    You don't even need that - most smartphones have NFC in them now.

    12-13MHz cards can be read from a surprising distance if you're determined enough to try.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

  • Interpol anti-fraud operation busts call centers behind business email scams
    1,770 premises raided, 2,000 arrested, $50m seized

    Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping operation crackdown of social engineering and other scam operations around the globe.

    In the latest action in the ongoing "First Light", an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes.

    Among the 2,000 people arrested in Operation First Light 2022 were call center operators and fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.

    Continue reading
  • State of internet crime in Q1 2022: Bot traffic on the rise, and more
    According to this cybersecurity outfit that wants your business, anyway

    The fraud industry, in some respects, grew in the first quarter of the year, with crooks putting more human resources into some attacks while increasingly relying on bots to carry out things like credential stuffing and fake account creation.

    That's according to Arkose Labs, which claimed in its latest State of Fraud and Account Security report that one in four online accounts created in Q1 2022 were fake and used for fraud, scams, and the like.

    The biz, which touts device and network defense software, said it came to this conclusion after analyzing "billions of sessions ... across our global network" during the first three months of the year. These sessions apparently spanned account registrations, logins, and interactions with financial, ecommerce, travel, social media, gaming, and entertainment services. Take all these numbers with a grain of salt as ultimately Arkose wants you to buy its stuff to prevent all this kind of crime.

    Continue reading
  • Indian authorities issue conflicting advice about biometric ID card security
    Government authority forced to backtrack warning that photocopied Aadhaar cards represent a risk

    The Unique Identification Authority of India (UIDAI) has backtracked on advice about how best to secure the "Aadhaar" national identity cards that enable access to a range of government and financial serivces.

    UIDAI promotes the cards as "a single source offline/online identity verification" for tasks ranging from passport applications, accessing social welfare schemes, opening a bank account, dispersing pensions, filing taxes or buying insurance.

    Although Bill Gates has lauded Aadhaar cards for improving access to services, the scheme has been the subject of many security-related scares as inappropriate access to personal information has sometimes been possible, UIDAI's infosec has sometimes been lax, and the biometrics captured to create citizens' records have sometimes been used for multiple individuals. Privacy concerns have also been raised over whether biometric data is properly stored and secured, if surveillance of individuals is made possible through Aadhaar, and and possible data mining of the schemes' massive data store.

    Continue reading
  • US recovers a record $15m from the 3ve ad-fraud crew
    Swiss banks cough up around half of the proceeds of crime

    The US government has recovered over $15 million in proceeds from the 3ve digital advertising fraud operation that cost businesses more than $29 million for ads that were never viewed.

    "This forfeiture is the largest international cybercrime recovery in the history of the Eastern District of New York," US Attorney Breon Peace said in a statement

    The action, Peace added, "sends a powerful message to those involved in cyber fraud that there are no boundaries to prosecuting these bad actors and locating their ill-gotten assets wherever they are in the world."

    Continue reading
  • China reveals its top five sources of online fraud
    'Brushing' tops the list, as quantity of forbidden content continue to rise

    China’s Ministry of Public Security has revealed the five most prevalent types of fraud perpetrated online or by phone.

    The e-commerce scam known as “brushing” topped the list and accounted for around a third of all internet fraud activity in China. Brushing sees victims lured into making payment for goods that may not be delivered, or are only delivered after buyers are asked to perform several other online tasks that may include downloading dodgy apps and/or establishing e-commerce profiles. Victims can find themselves being asked to pay more than the original price for goods, or denied promised rebates.

    Brushing has also seen e-commerce providers send victims small items they never ordered, using profiles victims did not create or control. Dodgy vendors use that tactic to then write themselves glowing product reviews that increase their visibility on marketplace platforms.

  • IBM deliberately misclassified mainframe sales to enrich execs, lawsuit claims
    Lawsuit accuses Big Blue of cheating investors by shifting systems revenue to trendy cloud, mobile tech

    Special report IBM has been sued by investors who claim the company under former CEO Ginni Rometty propped up its stock price and deceived shareholders by moving revenues from its non-strategic mainframe business to its strategic business segments, allegedly in violation of securities regulations.

    The investors' securities fraud lawsuit [PDF] was filed on Tuesday, April 5 in a southern New York federal court. It names as defendants not only IBM but current and former executives including Rometty, former CFO Martin J. Schroeter (now CEO of IBM spin-off Kyndryl), current CFO James J. Kavanaugh, and current CEO Arvind Krishna.

    IBM "improperly and in violation of Generally Accepted Accounting Principles ('GAAP') embarked on a fraudulent scheme to shift billions of dollars in revenues from its mainframe line of business to its Strategic Imperatives and CAMSS line of business," the complaint reads.

  • Cybercrooks target students with fake job opportunities
    Legit employers don't normally send a check before you've started – or ask you to send money to a Bitcoin address

    Scammers appear to be targeting university students looking to kickstart their careers, according to research from cybersecurity biz Proofpoint.

    From the department of "if it's too good to be true, it probably is" comes a study in which Proofpoint staffers responded to enticement emails to see what would happen.

    This particular threat comes in the wake of COVID-19, with people open to working from home and so perhaps more susceptible. "Threat actors use the promise of easy money working from home to collect personal data, steal money, or convince victims to unwillingly participate in illegal activities, such as money laundering," the researchers said.

  • Yale finance director stole $40m in computers to resell on the sly
    Ill-gotten gains bankrolled swish life of flash cars and real estate

    A now-former finance director stole tablet computers and other equipment worth $40 million from the Yale University School of Medicine, and resold them for a profit.

    Jamie Petrone, 42, on Monday pleaded guilty to one count of wire fraud and one count of filing a false tax return, crimes related to the theft of thousands of electronic devices from her former employer. As director of finance and administration in the Department of Emergency Medicine, Petrone, of Lithia Springs, Georgia, was able to purchase products for her organization without approval if each order total was less than $10,000.

    She abused her position by, for example, repeatedly ordering Apple iPads and Microsoft Surface Pro tablets only to ship them to New York and into the hands of a business listed as ThinkingMac LLC. Money made by this outfit from reselling the redirected equipment was then wired to Maziv Entertainment LLC, a now-defunct company traced back to Petrone and her husband, according to prosecutors in Connecticut [PDF].

  • Singapore introduces potent anti-scam measures
    Plans to block more scam sites, share liability between banks and customers

    Singapore will step up efforts to stamp out phishing and spoofing, ministers told the island nation's parliament on Tuesday.

    The topic earned ministerial attention after instances of attacks and scams soared recently. The standout example is the attack on Southeast Asia's second-largest bank, the Oversea-Chinese Banking Corporation (OCBC). In the OCBC bank scam, threat actors stole a combined SG$13.7 million ($10.2M) from 790 customers by spoofing text messages in what minister of finance Lawrence Wong referred to as "by far the most serious phishing scam seen" in Singapore.

    Wong detailed [VIDEO] several ways banks would be expected to improve security, including using more diverse machine learning algorithms to strengthen fraud detection tools to identify suspicious transactions. Banks will also be required to block suspicious transactions in a more consistent fashion, require additional customer confirmations for high-risk transactions or changes to account details, expand biometric technology, and accelerate adoption of – and preference for – mobile banking apps.

  • Former tech CIO jailed for setting up £475k backhander scam with IT outsourcing firm
    One-time head of Hampshire Police IT gets six years

    A pro-outsourcing CIO whose first act at a new employer was to set up a £475,000 backhander scheme has been jailed for six years.

    Brian Chant, 62, took the bribes after joining procurement services firm Achilles in 2011, Southwark Crown Court heard.

    One of the first things he did was recommend outsourcing of various IT functions, suggesting three companies to Achilles' board for the £22m SPTL and Systems Plus IT contracts.


Biting the hand that feeds IT © 1998–2022