Thursday, March 24, 2011

Risk Assessment: Smartcard fraud scam Warning


Abstract. The introduction of smartcard technologies has reduced the incidence of card fraud in the UK, but there are still significant losses from fraudulent card use. In this paper we detail the context of smartcard introduction and describe the types of fraud that remain a threat to cardholders and other stakeholders in the card system. We conclude with a risk analysis from the cardholder’s perspective and recommend greater cardholder awareness of such risks.

Susan Burns, George R. S. Weir
Department of Computer and Information Sciences, University of Strathclyde, Glasgow G1 1XH, UK

Risk Assessment. Security is a balance between confidentiality, authentication and integrity on one side and convenience, cost and reliability on the other. Figure 4 illustrates the balance that stakeholders must strike when implementing technical solutions to counter security vulnerabilities; essentially this boils down to cost versus benefit.

This generic approach can be applied to security measures for smart card payments, whereby:

Cost is the amount it costs the card issuer and card scheme to support plastic card payments, including the cost of implementing changes to the system, e.g. longer keys or moving to online authentication to validate all card transactions;

Performance considers convenience and reliability, e.g. avoiding reputational damage or inconvenience for customers or retailers;

Risk is the remaining level of risk which the security measures have not fully mitigated. This could be financial loss, additional costs, loss of market share, reputational damage, corporate embarrassment, legal or regulatory investigation, or risk to personal safety.

The potential loss or exposure from a given risk can be reduced through assessment and management of the risk (Figure 5). Effective risk reduction methods may leave an element of residual risk, but will bring benefits, although these may not always be financial, e.g. they could be reputational benefits.

A risk map is a technique to analyse and illustrate risks, likely causal events and potential
impacts [10]. The links shown are not always exhaustive but demonstrate the
potentially wide ranging impacts of each risk and support analysis of outcomes and
mitigation actions. As a tool, they also allow flexibility to consider how the impact of
one risk, e.g., card stolen, can be compounded by the occurrence of other risks, such
as the PIN having been obtained.
Figure 6 illustrates a risk map analysis for the cardholder, based upon four primary risk conditions: card obtained by fraudsters, card details obtained by fraudsters, PIN obtained by fraudsters, and PIN forgotten by cardholder. The associated cardholder events represent the contexts in which the risks are created, and the impact arising from these circumstances is also indicated.
For the cardholder, the key risks centre on the components for which the cardholder
is responsible, namely the smartcard, the PIN and documents such as statements
and receipts that contain card details. The events include some that are within
the cardholder’s control, e.g., keeping a note of the PIN number, but others such as a compromised terminal are beyond cardholder control.

Summary and Conclusions. The introduction of smartcards to the UK marketplace has had a significant effect in reducing the incidence of card fraud, but further steps are required to prevent continued instances of fraud. A key step in this direction is to clarify the roles, responsibilities and risks faced by the different stakeholders in the card process. Furthermore, ‘awareness raising’ in which cardholders become more conscious of their risks and responsibilities may afford the best defence against consumer fraud. Our analysis of the card process, stakeholders and cardholder risks may contribute to this awareness.

ANTI-PHISHING AS A WEB-BASED USER SERVICE

Abstract. This paper describes the recent phenomenon of phishing, in which email messages are sent to unwitting recipients in order to elicit personal information and perpetrate identity theft and financial fraud. A variety of existing techniques for addressing this problem are detailed and a novel approach to the provision of phishing advice is introduced. This takes the form of a Web-based user service to which users may forward suspect email messages for inspection. The Anti-Phishing Web Service rates the suspect email and provides a Web-based report that the submitter may view. This approach promises benefits in the form of added security for the end-user and insight on the factors that are most revealing of phishing attacks.

Keywords: phishing, spam, email scams.

Introduction. Phishing scams are an increasingly common method of identity theft. They begin with an email message that appears to originate with an established legitimate organization. The email usually asks the recipient to submit personal information on a website. However, the email is fraudulent and has actually been sent with criminal intent. Unfortunately, many email users are unsophisticated in the ways of email and, being unable to spot phishing attempts, innocently follow the instructions contained therein. A consequence of this innocence may be significant financial loss.
This paper describes the nature of phishing scams and the associated problems email users face in
identifying phishing emails. In addition, we describe a software solution (the Anti-Phishing Web Service)
that aims to assist with the phishing problem.

Email, spam and scams. The term ‘spam’ commonly refers to unsolicited bulk email. Unsolicited email includes sales and job
enquiries specifically addressed to a particular recipient without their prior knowledge or request. Bulk email
includes mailing lists and newsletters to which the recipient has subscribed. Spam is the intersection of these
email varieties – it is both unsolicited and bulk.
The majority of spam emails advertise products such as computer software or drugs. With negligible cost
and effort required to send spam, it now accounts for around 76% of all email messages (Gaudin, 2004).

Many infrequent email users now find it difficult to locate legitimate email in their mailbox. As a result, the
effectiveness of email as a communication medium has been severely reduced.
To combat this growing problem, most Internet Service Providers (ISPs) prohibit the sending of spam
from their networks. Some spammers use multiple free ISP accounts to send spam, whereby, if one of these
free accounts is terminated, another can be quickly created. Another popular method of despatching spam is
through virus infested PCs, usually belonging to unsuspecting home broadband users (Leyden, 2004a).
Despite attempts to reduce the problem, the incidence of spam continues to increase.

Many countries, including the UK and the US, have introduced laws to prevent the sending of spam (BBC
News, 2003). However, these laws have had little effect, since most spam originates from outside the
legislating country. There are also loopholes and inadequacies in these laws. For example, the US Can Spam
Act requires individuals to opt-out of spam, rather than opt-in. EU anti-spam laws also have problems,
because business email addresses are exempt from the legislation.

Since most legal attempts to address spam have met with limited success, many ISPs and email users now rely heavily on email filters to remove spam. Spam filters perform a series of tests on each incoming email and combine the results to determine whether the message is spam or legitimate. Spam filtering takes place at the mail transfer agent (MTA) or mail user agent (MUA). Popular MTA spam filters include SpamAssassin and Brightmail. Many MUAs, such as Eudora and Mozilla Mail, now provide integrated spam filters. Without spam filters and related spam blacklists many users might otherwise simply abandon the use of email.
While the majority of spam emails are advertisements for products, some messages aim to entice the
recipient into scams. Common email scams include pyramid schemes that promise very high returns on an
initial investment (Wikipedia, 2006a). Unfortunately, such ‘investors’ have no chance of receiving any return
on their initial outlay. Perhaps the most popular email scam is the Nigerian money transfer (Wikipedia,
2006b). This scam asks the recipient for help with the transfer of money from a Nigerian bank account,
promising a large payment in return. Once drawn in, the ‘investor’ is asked for sums of money to help with the fictitious transfer process. Of course, no money transfer is ever received by the unwitting subjects of this criminal operation.

The Phishing Process

Christopher Cranston, Department of Computer and Information Sciences, University of Strathclyde, Glasgow

Most phishing attacks take four distinct steps toward defrauding unwary recipients: (1) the scam operators set
up the phishing website. This website usually imitates an established, legitimate site; (2) using guessed or
copied email addresses, the scammers send out emails purporting to come from the legitimate site; (3) the
recipient downloads their email and receives the phishing message. The email asks the user to click on a
hyperlink and enter personal details on the resulting website. If the user clicks on the hyperlink the phishing
site will be displayed. If duped, the user may then enter the requested personal information; (4) the recipient's
personal details are now held by the scam operators. The scammers may now assume the identity of the
recipient and gain illicit access to funds. These steps are elaborated below.

Step 1: Construct the Phishing Website
The first task is to establish a phishing website. These are simple to set up, requiring little more than an
Internet-connected computer serving web pages. The Web pages are usually altered copies of pages
belonging to the targeted organisation. Sometimes, the phishing site appears as a pop-up window over the
legitimate site. Generally, phishing sites are contrived to appear authentic.
Most phishing sites do not have a domain name, and Web links to the site in the phishing email usually
take the form of IP addresses, e.g. http://61.71.120.10/citi/index.php. Sometimes phishing sites do use
domain names, often cleverly crafted to mimic established sites, e.g. http://www.usbank-secure.biz/.
However, registering a domain name entails some financial cost and provides additional information that
may be used to track the perpetrators.

Recent analysis by the Anti-Phishing Working Group (APWG) found that the largest share (27%) of phishing sites
were hosted in the US (op. cit.). This was closely followed by South Korea with 20% and China with 16%.
For comparison, the UK hosted only 1% of phishing sites. The report also estimated that 25% of phishing
sites were hosted on hacked computers, without their owners’ knowledge. Finally, the report states that on
average phishing sites are only live for 2.25 days - the longest noted was a site serving content for 15 days.
Sites with a longer lifespan tend to operate from countries where there may be difficulties in closing down
sites, where there are different or no Internet crime laws.

Step 2: Write and Send Phishing Emails
Once the phishing site is set-up, the next step is for large numbers of phishing emails to be sent out. For this
to be possible the scam operators must collate a large number of email addresses. These are acquired using
address harvesting techniques perfected by spammers. Like other spammers, phishing scam operators must
accumulate as many email addresses as possible in order to maximize the response rate.

Address harvesting techniques vary, but one popular method is to use programs that search the web for
published email addresses. These programs target Usenet posts, web forums, mailing lists and guest books,
since these resources are likely to contain email addresses (Hird, 2002). Another technique is dictionary-based
address generation. Finally, rather than collect addresses themselves, phishing scammers may simply
purchase a list of addresses from an unscrupulous third party. Regardless of the selected technique, large
numbers of addresses are acquired by the scammers. Although many of these addresses will be malformed,
duplicates or out-of-date, and many of the valid addresses will belong to individuals who are not customers
of the organization being impersonated (and so cannot be defrauded by the scam), this will not deter the
scammers, since sending email is of negligible cost. The scammers’ concern is simply to maximize the
quantity of phishing emails sent.

The content of a phishing email is often carefully crafted. A typical email attempts to alarm the recipient
by describing security or maintenance issues at an established legitimate organization. The message will ask
the recipient to resolve these issues by confirming personal information on a web page. An embedded
hyperlink in the email often provides easy access to the web page. This hyperlink is often disguised to
resemble a link to the legitimate website, although it points to the phishing site.


Some emails contain embedded forms for users to enter their personal details. This removes the need for a
separate phishing web site. Other phishing emails do not ask for personal details at all, but urge the user to
install an attached piece of software. Software offered in this way is usually malicious and may be a virus,
worm, Trojan horse or spyware program. Spyware programs are particularly dangerous, as they can intercept
and transmit sensitive personal information, without the user's knowledge.

Regardless of whether the goal is to have recipients visit a web page, enter details in a form or install a
program, the user must be convinced that the email is authentic. To accomplish this, phishing emails often
contain images, slogans or disclaimers taken from the organization being impersonated. Fortunately not all
phishing emails look authentic. Many have poor spelling or grammar and may also bear little resemblance to
legitimate emails from the genuine organization. Such clues may alert users to the email's true purpose.
When phishing emails are sent out, it is common to spoof the sender's address. Spoofing the sender's
address is possible since the current email Simple Mail Transfer Protocol (SMTP) does not validate the
purported ‘From’ address. This loophole allows scammers to send phishing emails that appear to come from
legitimate organizations. A recent Anti-Phishing Working Group Report indicates that in June 2004, 92% of
phishing emails were sent with a spoofed sender's address. This technique is prevalent as it convinces many
recipients that the email is authentic.
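The paper's own Anti-Phishing Web Service is not reproduced here. As an added example (not the authors' code), the Python below implements the "series of tests whose results are combined" filter design described under spam filters, with tests drawn from the signals this section names: hyperlinks to bare IP addresses, domain names crafted to mimic a brand, hyperlinks whose anchor text disguises their real destination, and a From address that claims one organisation while the Reply-To points elsewhere. The brand list, weights, thresholds and both sample messages are constructed for illustration (192.0.2.10 is an RFC 5737 test address, and the domains are fictitious), and `_registered` is a deliberately crude two-label approximation of a registrable domain. A header-only check cannot tell whether the From address was actually spoofed in transit; that is what SPF and DKIM verification at the MTA adds, which is outside this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: brands the filter knows, mapped to their genuine registered domain.
KNOWN_BRANDS = {"examplebank": "examplebank.com"}
URGENCY_TERMS = ("urgent", "suspend", "verify", "confirm your", "within 24 hours")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
URLISH_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)
WEIGHTS = {  # illustrative weights; the combined score decides, SpamAssassin-style
    "ip_link": 3.0,           # hyperlink host is a bare IP address
    "disguised_link": 3.0,    # anchor text names one site, href points at another
    "lookalike_domain": 2.5,  # host contains a brand name but is not its domain
    "replyto_mismatch": 2.0,  # Reply-To domain differs from the From domain
    "no_brand_link": 1.0,     # From claims a known brand, yet nothing links to it
    "urgency": 1.0,           # alarm language typical of phishing lures
}
PHISHING_THRESHOLD, SUSPICIOUS_THRESHOLD = 5.0, 2.5


class _LinkCollector(HTMLParser):
    # Collects (href, anchor text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def _host(url):  # lower-cased hostname; scheme-less anchor text is treated as http
    try:
        return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    except ValueError:
        return ""


def _registered(host):  # crude registrable-domain approximation: the last two labels
    return ".".join(host.split(".")[-2:])


def score_email(raw):
    """Run every test on one RFC 822 message and combine the results into a verdict."""
    msg = message_from_string(raw)
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type().startswith("text/"))
    collector = _LinkCollector()
    collector.feed(body)
    links = collector.links
    hosts = [_host(href) for href, _ in links]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = []
    if any(IP_RE.fullmatch(h) for h in hosts):
        hits.append("ip_link")
    if any(URLISH_RE.fullmatch(t) and _registered(_host(t)) != _registered(_host(h)) for h, t in links):
        hits.append("disguised_link")
    if any(b in h and _registered(h) != d for b, d in KNOWN_BRANDS.items() for h in hosts + [reply_domain]):
        hits.append("lookalike_domain")
    if reply_domain and from_domain and _registered(reply_domain) != _registered(from_domain):
        hits.append("replyto_mismatch")
    if from_domain in KNOWN_BRANDS.values() and not any(_registered(h) == from_domain for h in hosts):
        hits.append("no_brand_link")
    if any(term in text for term in URGENCY_TERMS):
        hits.append("urgency")
    total = sum((WEIGHTS[h] for h in hits), 0.0)
    verdict = ("phishing" if total >= PHISHING_THRESHOLD
               else "suspicious" if total >= SUSPICIOUS_THRESHOLD else "clean")
    return {"score": total, "hits": hits, "verdict": verdict}


# Constructed sample messages (RFC 5737 test address, fictitious domains).
SAMPLE_PHISH = """\
From: "ExampleBank Security" <security@examplebank.com>
Reply-To: reset@mail-examplebank-verify.biz
Subject: Urgent: account maintenance required
Content-Type: text/html

<p>Our security dept requires you to confirm your details:
<a href="http://192.0.2.10/examplebank/index.php">https://www.examplebank.com/secure</a></p>
"""
SAMPLE_LEGIT = """\
From: "ExampleBank" <statements@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your March statement is online: <a href="https://www.examplebank.com/statements">View statement</a></p>
"""
```

Calling `score_email(SAMPLE_PHISH)` fires all six tests for a score of 12.5 ("phishing"), while `score_email(SAMPLE_LEGIT)` scores 0.0 ("clean"); the anchor-text comparison uses registrable domains rather than full hostnames so that a genuine link whose text reads `examplebank.com` but whose href goes to `www.examplebank.com` is not flagged.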

Once phishing emails have been written, disguised and addressed, the final step is to send them. This step
employs standard spamming techniques, e.g., sending the phishing emails using someone else's mail server.
In the past this was easily done through open relays and open proxies. Although these vulnerabilities are now
rare, they are still occasionally used to send spam and phishing emails. Today's phishing emails are
commonly sent from mail servers or proxies running on virus infected machines. Viruses such as Sobig
contain built-in SMTP servers, turning infected machines into unwitting spam senders (Sophos, 2006). This
permits the perpetrators to remain hidden, while an estimated 60% of all spam is sent using virus infected
machines (Spamhaus, 2003).

Thursday, March 10, 2011

Types of Card Fraud

A recent report from the European Security Transport Association (ESTA) found that nearly 20% of the adult population in Great Britain has been targeted as part of a credit or debit card scam. As a result, the UK has been termed the ‘Card Fraud Capital of Europe’ [1], with UK citizens twice as likely to become victims of card fraud as other Europeans. Plastic card fraud is a lucrative exploit for criminals and the proceeds may be used to fund organised crime. Smart payment cards (Chip and PIN cards) were introduced in the UK to replace magnetic stripe cards and support PIN verification of card transactions. By the end of 2005, more than 107 million of the 141.6 million cards in the UK had been upgraded to smart cards [2]. Levels of plastic card fraud fell by 13% to £439.4 million in 2005 [3] and again to £428 million in 2006 (Figure 1). The reduction has been widely attributed to the rollout of smart cards with Chip and PIN authentication.

The UK Payments Association (APACS) has identified five categories of card fraud: Counterfeit Card Fraud, Skimming, Mail Non-Receipt, Lost and Stolen Fraud, and Card Not Present.

Counterfeit Card Fraud. Counterfeit cards are also referred to as cloned cards. Counterfeit cards are made by altering and re-coding validly issued cards or by printing and encoding cards without permission from the card issuing company. Most cases of counterfeit fraud involve skimming of valid card details, a process whereby the genuine card details from the magnetic stripe are electronically copied onto another card, without the legitimate cardholder’s knowledge. In most cases, the cardholder will be unaware that their card details have been skimmed until card statements reveal that illicit transactions have been made on their account.

Skimming. Skimming of card details can happen at retail outlets, where a corrupt employee can put a card through a skimming device which copies data from the card’s magnetic stripe so it can be used to encode a counterfeit card. Skimming can also occur at cash machines where a skimming device has been fitted. A skimming device is attached to the card entry slot, where it records the electronic details from the magnetic stripe on the back of the inserted card. A separate pin-hole camera is hidden to overlook the PIN entry pad to record the PIN. Fraudsters can then produce a counterfeit card for use with the captured PIN to withdraw cash at a cash machine. Criminals can also shoulder surf, whereby they watch the user entering a PIN and then steal the card for their own use. Another type of device can be inserted into a cash machine where it will trap the inserted card. A fraudster can then suggest retrying the PIN. Once the genuine cardholder gives up and leaves to contact the card issuer or cash machine operator, the criminal can then remove the device, retrieve the card and use it with the PIN details they have observed.

Trends in Smartcard Fraud

Susan Burns, George R. S. Weir, Department of Computer and Information Sciences, University of Strathclyde, Glasgow G1 1XH, UK {susan.burns, george.weir}@cis.strath.ac.uk



If the media is to be believed, the UK introduction of Chip and PIN authentication for credit and debit card transactions is flawed and has failed to reduce levels of card fraud across the board. Specific cases highlighting the security implications of smart card based technology have been widely reported, including exploits at Shell petrol stations [4] and Tesco self-service tills.

As cards are a widely accepted international form of payment, fraud can happen virtually anywhere in the world or on the Internet. Cards can be compromised in the UK and then used overseas. Cardwatch research shows that most of the fraud committed abroad on UK cards affects cards that have been compromised in the UK.

Although the financial cost of card fraud is largely borne by the banking industry, the cardholder experiences loss of time in taking steps to resolve matters, as well as inconvenience, worry and frustration while a fraudulent incident is investigated. The cardholder’s credit rating can be affected and the whole affair can be a distressing experience.

Boiler Room Movie Review

Review by Bradley Null: America is the land of opportunity, and now more than ever, the opportunity that most Americans are preoccupied with is that of easy money. Our news media is saturated with stories of the instant millionaire, 25-year-old startup CEOs worth nine figures or the crafty investor that bought that startup on IPO and doesn't have to worry too much about his day job anymore either. There are a number of powerful cautionary tales waiting to be drawn from this unwholesome frenzy. Boiler Room tries to tell one of these stories, but sadly it fails to add much to the greed genre established by its two heavily referenced predecessors: Wall Street (1987) and Glengarry Glen Ross (1992).
Boiler Room is the story of Seth (Ribisi), a 19-year-old college dropout obsessed with the American dream of easy money. After concluding rather quickly that college isn't necessarily the fast track to a quick buck, he opens up an underground casino out of his house in Queens, providing a popular service for the local city college kids. After his disapproving father (Rifkin) finds out about the casino, Seth, feeling a repressed need to gain his father's approval, looks into an opportunity to become a stockbroker at the small firm of J.T. Marlin.

As it turns out, the firm, located in the heart of Long Island, conspicuously far from Wall Street, is a 'chop shop,' shorthand for a brokerage house more interested in pawning off securities for its own interests rather than serving its customers. When Seth's father discovers this, not only does Seth not find the approval he was hoping for, but he is excommunicated from the family.

Though he has only a minor part in the film, Ben Affleck is highlighted in trailers for the film, and the discerning observer will notice a strong similarity between his scene in the trailer, and Alec Baldwin's immortalized portrayal of a real estate shark in Glengarry Glen Ross. In fact, Affleck's big scene draws heavily on Baldwin's, though his performance (and the material he has to work with) does not live up to what is almost universally agreed upon as the best performance of Baldwin's career. This is not the only referencing of David Mamet's portrayal of the dark world of real estate cold-calling in this movie, however. Later in the film, when receiving some instructions on how to cold-call potential customers, Seth is told to remember one of Baldwin's catch phrases from that scene, 'A-B-C. Always Be Closing.' Boiler Room also liberally references, both directly and indirectly, its direct predecessor in the 'greed is good' category of filmmaking. Not only drawing its basic theme and plot structure from Wall Street, Boiler Room also draws its best dialogue during a scene in which a number of young stock brokers sitting in one of their sparely decorated mansions, compete with each other to quote lines from Wall Street, whose antagonist, Gordon Gecko, is obviously regarded as an idol within the group.

As a movie, Boiler Room is moderately entertaining. Vin Diesel in particular, off a strong turn in Saving Private Ryan, turns in another powerful performance as Chris, one of Seth's mentors at J.T. Marlin. Sadly though, Ben Younger, in his writing and directorial debut, adds very little to the filmic pantheon in his own voice. Even the film's most prolific statement on the American obsession with getting rich, 'either you're slinging crack rock or you've got a wicked jump shot,' is a quote of the rap star Notorious B.I.G. The most admirable outcome of this film might be that it leads viewers to check out its two predecessors. I would urge the same as well.

Thursday, March 3, 2011

Scottish Energy Systems Group

A NEW FOCUS ON QUALITY: The building regulations update back in 2002 introduced new flexibility into how compliance could be demonstrated. The novel carbon emissions based alternative offered a whole building approach to achieving targets, compared to the prescriptive elemental approach which until then had been the only route. It occurred to many building design practitioners that traditional manual design calculation methods would not allow these opportunities to be fully explored.

Dynamic computer modelling and simulation tools obviously could have a part to play, but where to start? What computational tool to use? What about hardware requirements, recruitment, training? Thus the Scottish Energy Systems Group was established, with funding from The Scottish Executive and Strathclyde European Partnership, to provide guidance and support to the industry. The objective was to give the Scottish building design community a head start in producing a better quality of building design, incorporating more innovation and new ideas, and with confidence that the solution would work as intended.

Four years on, and a whole new set of regulations are being introduced, with target carbon emissions the only route to compliance. Now computer modelling is an almost indispensable tool for design evaluation, and indeed is becoming an integral part of the route to compliance (see article on New Building Regulations). Most of our members are using one of the various packages available, or at least have explored the possibilities via consultancy partnerships.

So what else is there to do?

Our philosophy from the outset has been total engagement with our members. That means not just putting on seminars and technology introduction workshops, valuable activities in themselves, but also getting out into members’ offices and working on real projects, setting up the technology within their working environment, even lending them the necessary hardware.

Some members could now be described as pioneers; real leaders in the use of dynamic modelling tools applied to building systems design. Others have had a go, but things have fallen by the wayside, because in adopting the technology they did not adopt an integrated process to go with it. The focus was all on the tool, rather than on how modelling would fit into the overall design process. Starting up an airline is more than just deciding which aircraft to fly. Likewise, there is a lot more to consider in establishing building energy modelling than just which particular software package to go for.

That is why, in this issue of HotNews, we are focussing on Quality Assurance (see article “Quality Assurance process for building modelling”). We want members to take a step back and look at how they are using their modelling tools. A good starting point would be to conduct an audit. And where to turn to for help with that? SESG of course! Even if you think you don’t have a problem, a half day of free, on-site consultancy could give you the reassurance you need. If you want to use modelling tools to develop Part L compliant designs, your modelling capabilities will be mission critical (in Scotland it will be Section 6, and a different route to compliance is being developed).

We will continue to support this core service (we call it Supported Technology Deployment) with seminars on topical subjects (see the events section) which are often followed up by a technology introduction workshop that allows members to try out various computational approaches for themselves, and even to explore solutions to real live projects, with on-hand support from SESG staff. We will always seek to involve the “pioneers” in such events; they can relate the practicalities of reconciling business-as-usual with new ways of doing things.

The usual pattern is that after attending a seminar, say on renewable technologies, a member sees benefits in being able to model, for example, building integrated renewables, and so attends a technology introduction workshop, led by an expert in the field. The next step is for the member to invite SESG staff to come to their office, help with installation of the software, ensure that quality assurance issues are dealt with, and leave the member up and running with a new capability, with occasional follow up sessions as required.

If you are a Scotland based building design practitioner, installer or manufacturer, no matter how small your organisation might be, you can benefit from this service. How? Very simply, by becoming a member. A simple audit of your current process or evaluation of your needs will start you off, and we will further support you as you move to adopt your chosen packages and integrate their use into your practice. If your needs could be met through a development effort, we may be able to do that for you too. If you would like to have a chat about joining, please contact us at: Jeremy@sesg.strath.ac.uk,
0141 548 5765.