AfterBites: Parking Ticket Social Engineering

(This column is one of what I am going to call "afterbites" - extended random commentary on topics raised in SANS' Newsbites column. As some of you know, I am one of the volunteer editors/commenters on the weekly Newsbites and it probably won't surprise you to discover that sometimes the discussions we have on the editors' mailing list can get - interesting. Usually, there's not enough space to rant at length, so I'm going to periodically fire unaimed salvoes from the safety of my blog, here.)

The story:

Parking Tickets as Cyber Attack Social Engineering Vector
(February 4 & 5, 2009)

Cyber criminals in Grand Forks, North Dakota planted phony parking
violation notices on cars. The notices direct the users to a website
for more information, which leads the users through a set of links
that downloads malware onto their computers. That malware then urges
users to download an anti-virus scanner that is worthless.
http://www.techweb.com/article/showArticle?articleID=213200005&section=News
http://news.bbc.co.uk/2/hi/technology/7872299.stm
http://isc.sans.org/diary.html?storyid=5797

A few years ago, I was sitting in a hotel bar at a security conference, matching my tequila-drinking skills against all comers, when we got to discussing the next generations of identity theft attacks. One of the ideas I suggested was related to what we see above, and I'm really unhappy to see that The Bad Guys are showing no sign of stopping their creative engines.

My idea was simply to have an onion-routed dead-drop and encourage kids to bicycle around wealthy neighborhoods and rummage through mailboxes looking for bank account and brokerage statements. Take them home, scan them, and Email a PDF to the dead drop, and you'll get a payoff in the mail, in the form of something valuable purchased for you on Ebay, (doubtless, using a stolen Paypal account) paypal, or WoW cash. The attackers could recruit kids by targeting Emails based on searching myspace. Having a paper bank statement would allow the attackers to open Paypal accounts and - in many cases - enable online banking for accounts based on the account number and mailing address. There are lots of variations one could employ around this theme, but basically they would all take advantage of the observation that a lot of banks and brokerages still assume the mail is safe. Which, if you think about it for a second, is patently absurd. I could have a dozen crack addicts rummaging mailboxes in Washington, DC, in 24 hours; it's a relatively safe attack vector for the mailbox-exploiter and completely safe for the remote exploiter.

Where does this all lead us?

Eventually scammers are going to force the online financial industries to radically re-think how they do authentication. They will no longer be able to assume that there is a "split" between online and offline transactions; I'm not sure where that leaves us.

I do my banking at a small local bank. One that is so unsophisticated that their online banking scheme required only account + last-4 digits of social to enroll. The branch manager was surprised when I was suddenly clutching my temples and banging my forehead against the teller's counter-top. After we'd cleared everything up, the branch manager and I came up with a list of operations that my account is flagged to only allow if I, personally, walk into the branch and show ID. My guess is that that's where the end-game lies. I expect that banks, brokerages, etc, will offer a customer a menu of options regarding what can be done and how.

Frankly, I'm amazed that nobody seems to have (yet) hit upon the idea of being able to tell a credit card company "only authorize purchase of goods that are being shipped to my home address." Or "I only apply for credit by appearing in person." By having a menu of options. there's now a good chance that a Bad Guy will stumble across denied options (thereby flagging the account!)   I can't wait for the day when some bank says "no transactions allowed from computers running Internet Explorer."

I'm depressed and disgusted by the rapidity with which humanity has brought all of its worst behaviors into cyber-space.