www.scamistan.com
You are not safe. Neither are your country’s nuclear reactors. Your credit card can be cloned at any swipe terminal, and you would never really know the difference between your real banking website and a fake one.
You never really stop to think that Pakistan, a country that has seen its fair share of conventional crime, would have an even seedier underbelly of cybercriminals. They may be few, but they have probably made more money than most of your conventional criminals combined. Unless you take into account crooked bureaucrats, generals and politicians.
I called up an online security expert, Ayaz Ahmed Khan. A week of plaguing the man got me an interview and he agreed to meet me.
The sheer wealth of information at his disposal from working with a boutique information security company was shocking. I consider myself fairly wired into the techie side of life, but what he told me left me feeling exposed and unsafe.
As part of a security company providing professional online security services, he was one of the few people in this country not oblivious to the possible dangers of living in such a well-connected world. He and his team have worked to enhance the IT infrastructure security posture of various companies. Implementation of comprehensive security strategies was also his job. Interestingly, he said that none of our country’s financial institutions were really secure and that they had not really considered hiring any firm to bring their online security up to speed. But while the corporate sector may be complacent, he told me that Pakistan’s cybercriminals have not been idle.
The Bank Phisher
Complex layered social engineering coupled with appropriately sneaky online technical schemes allowed for a pretty neat Pakistani bank phishing scam. The target was a well-known bank we will refer to as Bank ‘A’.
The cybercriminals set up a clone of Bank A’s website and would send emails from official-sounding addresses like manager@bankA.pk. These emails would employ various tactics to trick people into signing into the fake website with their very real account information and other credentials. One such email suggested that the bank’s server had suffered from a crash and that all the passwords had been reset. The sender would prompt the user to click a link which would take them to the fake website. The user would not be able to tell the difference in the URL because the internet allows you to mask domains. Assured that the website’s URL indeed said www.bankA.com, they would proceed to enter their usernames and passwords, never realizing that the website was just like a movie set. The front wall is there, the door is there, but if you actually start exploring, you find out it’s just a front. Sometimes, the cloned websites can even be elaborate enough to have all the data the real site would. Thus fooled, the victims’ passwords and usernames would promptly be sent to the cybercriminal who had set up the fake website.
The crime was reported to the proper authorities, but we do not know what action was taken against the criminal.
The Point of Sale Scam
You’ll feel a lot more nervous about using your credit and debit cards after you hear about this scam. Like countless others, Mr. Khalid used his debit card to fill up his tank at a petrol pump in Karachi without really giving it a second thought. A few days later, when he went to make a withdrawal from his bank account, he found he was short by close to Rs. 40,000. After raising the issue with the management of the bank (which happens to be one of Pakistan’s largest domestic banks), he was told that several petrol pumps around the city were somehow stealing account information through their Point of Sale (POS) terminals. This information would then be used to conduct fake transactions, draining the targeted account.
Then there’s also the case of the Chinese-made POS terminals for credit card swiping that were exported to Europe. These credit card swipe machines were fitted with chips which cloned credit cards and sent the information to a Pakistan-based cybercriminal gang. The devices selectively sent account data by a wireless connection to computer servers in Lahore, while constantly changing the pattern of theft so it was hard to detect. How these criminals managed to convince or defraud the Chinese manufacturers who shipped such sensitive equipment is still a mystery. How hard would it be to do the same in Pakistan?
The ‘Nigerian’ Scam
Have you ever been sent an email from a Nigerian prince, politician or businessman asking for your help in transferring large sums of money from their bank account? While this is in fact a very old scam, it has now moved online. The email would ask you to submit some money to get the money moving and would promise you a significant portion of it for your “trustworthiness” and “help”. However, there were never any funds that needed transferring. The money that you gave to get the funds moving would go to the persons who started the scam. Lots of people fell into the trap, and the criminals made a small fortune.
And now the scammers are getting smarter: a crafty message sent from the hacked e-mail account of the director general of the External Publicity Wing of Pakistan’s Ministry of Information and Broadcasting played on the news of thugs attacking demonstrators and journalists in Cairo in the recent protests.
The e-mail sent from Director General Samina Parvez’s account to her contacts was typical. The message claimed Parvez had been robbed in Cairo and needed £600 to pay her hotel bills.
Parvez’s PA said the e-mail account was hacked but he did not know who was responsible. Parvez joins a list of Pakistani officials and organisations — including President Asif Ali Zardari and the Pakistan Navy — that have recently faced the brunt of hackers. The director general has now changed her e-mail address.
Little Interest In Secure Solutions
While some of the above-mentioned scams can be avoided with a degree of common sense, there are others that need a greater push from the financial sector.
I talked to some security experts in the IT field and they basically told me that while banks were willing to spend money on core banking solutions, their interest flags when it comes to securing those systems. They claimed that while banks were aware of the risks, they were not interested in purchasing software or services that would shore up their security. Part of the reason is that the purchase of licensed software in bulk would put a dent in the bottom line.
Surprisingly, quite a few banks do not even have disaster recovery sites; these are sites which house data backups of all the bank’s sensitive information such as customer account data. This makes them vulnerable to a great deal more than a hack-attack. An expert pointed out that in case of a catastrophe — such as their main server building blowing up — the banks would not be able to recover because they would have absolutely nothing left of their customer records. Much the same result may occur from a massive cyber-attack as well.
They also pointed out that credit cards were not as secure in Pakistan as they were in other parts of the world, because a security standard called PCI-DSS, which ensures a high level of credit card security, has not been implemented for Pakistan. Thus far, Pakistan has been getting repeated exemptions, but chances are that won’t last forever and eventually a higher level of security will be implemented. Let’s just hope it happens before this new wave of crime becomes an epidemic.
Published in The Express Tribune, Sunday Magazine, April 3rd, 2011.