Home Depot Replacement Card Misfire

Today, I received a new credit card from The Home Depot. (In the picture, the top one is my old card and the bottom one is, obviously, the new one.) The first thing I noticed was that the new card is attractive and that they added a chip. I thought it was fantastic that a store card would go to that trouble. Then I dug a bit further, and was less happy.

On the back of the card, there is still a mag stripe. The Home Depot (“Home Depot”) cards are not valid at other stores (unlike a Visa, MasterCard, etc.). This means that they control the entire payment ecosystem. My local Home Depot has chip technology, as do a few other locations I’ve been to. This means that they could have issued strictly chip cards and done away with the mag stripe entirely. That would have made them a clear leader in payment technology, and I would have been genuinely impressed. Sadly, they didn’t. Oh well, most companies don’t even have chips, and the big banks universally issue mag+chip cards.

The next issue I noticed (honestly, it is kind of a nice feature, even if it is incredibly insecure) was that the card comes activated, ready to use. I don’t need to call from my home phone, and I don’t need to activate it online. Just go and start buying lumber, screws, or even a garage kit… Oh, and look — the credit limit is printed right on the paperwork!

The next issue is that the entire card number is printed on the flyer attached to the card. You might think this is a bit pedantic because, after all, the card is attached. If somebody stole the mail, they’d surely have the card number anyway.

Sadly, this makes it much easier to shine a light through the envelope and see the entire card number unmolested. Likewise, after disposing of the document (if unshredded), now your entire card number is in the bin somewhere.

The final issue is that this was an unsolicited bulk card reissue. I didn’t lose my old card, and I didn’t know a new card was on its way. The impact of all of these vulnerabilities is magnified when an event like this happens. Somebody like me can receive a card, realize these issues, and then start grabbing these documents out of the mail. Postal workers can bring a flashlight and a cellphone to work and start capturing these numbers en masse. The chip was a nice addition, and the new card looks great. The security, however, leaves much to be desired.

Scanning IDs — Making Fakes Easier

Not long before I procured my wonderful license, they were printed pieces of paper with a photograph attached, then laminated.

For both security and durability reasons, the state (Illinois) had moved away from this technique of identification. It was trivial to make fake IDs, and people knew it.

I used to smoke, up until November of 2016, and as part of being a smoker, I would have to engage with store clerks. My receding hairline was usually enough evidence that I was old enough to buy them, but the occasional pedant would request proof anyway. Having been a cashier at a gas station years ago, I understand the request and the problems with not making it, so I obliged. They view the license, DOB and expiration date and make sure it matches me. Transaction success.

A strange new behavior has developed where companies are forcing cashiers to scan in driver’s licenses. I’m not sure what they stand to gain. Are you hiring people so incompetent that you can’t trust them to read dates off of a license? (You also trust them with the entire shift’s income, sans drops.) If I were a cashier, I’d be insulted by this policy.

This is where it becomes interesting. Driver’s licenses have a plethora of features, holograms and colored stripes that cross over both the date of birth and the expiration date. More modern licenses even print licenses for minors in a vertical orientation with different colored banners.

The holograms and stripes are to prevent bleaching, a technique where a legitimate, government-issued identification is otherwise modified to indicate a different date.

There are a few barcodes on the back of an Illinois license. One of them looks similar to the barcode on a can of tomatoes (this is your license number). The more complex one, which looks like a long QR code, is the one they usually scan.

The Problem with Scanning Identification Cards

Barcodes look secure, high tech, and modern to people who are none of the above. Barcodes are as easy to read and write as basic English, given the “write tools” (punny). They are really hard to find. As a matter of fact, I used to host a driver’s license number generator on this site, and it turned out a few banks actually used it to validate that people were presenting real IDs!! The license number in Illinois is really easy to figure out. From the last 5 digits, for example, I can tell your date of birth and gender. The first four characters are your last name encoded with Soundex, and the middle three come from a lookup table keyed on your first name.

Generate a License Number

The entire number is generated from just a few facts about you:

A123-4567-8900

A123 – Your last name, encoded with Soundex. Try me!

456 – Your first name and middle initial, compared against a lookup table

78 – The last two digits of your year of birth (1978)

900 – Your month of birth minus one, times 31, plus the day of the month. So for somebody born on January 25th, 1978, you would get ((1-1)*31)+25, or 025. If you are female, you add 600 (and get 625).
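The consistency check the post says banks ran against its generator, written here as an added example (not code from this site): it recomputes the Soundex block and the year/day block from the fields printed on the card and reports any mismatch, and decodes the last five digits back into a date of birth and sex. The middle three-digit first-name block is skipped because the page does not give that lookup table, and the layout offsets and the `000` placeholder in the sample number are assumptions.

```python
import re
from datetime import date

# Assumed layout of the 12 characters once the dashes are removed (LNNN-NNNN-NNNN):
#   [0:4]  Soundex of the last name
#   [4:7]  first-name / middle-initial code (lookup table not on the page; not checked)
#   [7:9]  last two digits of the birth year
#   [9:12] ((month - 1) * 31) + day, plus 600 for female
_SOUNDEX = {c: d for d, cs in zip("123456", ("BFPV", "CGJKQSXZ", "DT", "L", "MN", "R")) for c in cs}


def soundex(name: str) -> str:
    """Standard American Soundex: first letter plus three digits, zero padded."""
    letters = [c for c in name.upper() if c.isalpha()]
    if not letters:
        raise ValueError("name contains no letters")
    first, prev, digits = letters[0], _SOUNDEX.get(letters[0], ""), []
    for ch in letters[1:]:
        if ch in "HW":                  # H and W are ignored and do not separate equal codes
            continue
        code = _SOUNDEX.get(ch, "")     # vowels and Y map to "" and DO separate equal codes
        if code and code != prev:
            digits.append(code)
        prev = code
    return (first + "".join(digits) + "000")[:4]


def encode_birth_block(year: int, month: int, day: int, female: bool) -> str:
    """Characters [7:12]: YY followed by the page's 3-digit day code."""
    date(year, month, day)              # rejects impossible dates such as Feb 30
    day_code = (month - 1) * 31 + day + (600 if female else 0)
    return f"{year % 100:02d}{day_code:03d}"


def decode_birth_block(block: str):
    """Inverse of encode_birth_block: (two-digit year, month, day, female)."""
    if not re.fullmatch(r"\d{5}", block):
        raise ValueError("birth block must be five digits")
    yy, day_code = int(block[:2]), int(block[2:])
    female = day_code >= 600
    if female:
        day_code -= 600
    if not 1 <= day_code <= 12 * 31:
        raise ValueError("day code out of range")
    return yy, (day_code - 1) // 31 + 1, (day_code - 1) % 31 + 1, female


def check_license(number: str, last_name: str, year: int, month: int, day: int, female: bool) -> list:
    """Compare the presented number with the printed fields; returns the list of mismatches."""
    chars = re.sub(r"[^A-Z0-9]", "", number.upper())
    if len(chars) != 12:
        return ["number is not 12 characters"]
    problems = []
    if chars[:4] != soundex(last_name):
        problems.append("last-name block does not match Soundex of the printed last name")
    if chars[7:] != encode_birth_block(year, month, day, female):
        problems.append("year/day block does not match the printed date of birth or sex")
    return problems
```

A card whose printed name or DOB has been altered (the bleaching the post describes) will no longer agree with the number, which is exactly the mismatch this returns.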

Make it a Bar Code

So now you know how the number is decided, and, lucky for you, the American Association of Motor Vehicle Administrators (AAMVA) is a standards organization that specifies exactly how to format the barcode on your license (how to structure the data) and how the PDF417 barcodes should be used. Really, though.

So if you don’t think you can trust that person reading a driver’s license, remember that you’re now trusting the bearer to present it honestly, and it is much easier to trick a computer than a person. We call this “client-side security.” You’re letting them forge variables with impunity.

What about the consumer?

I stopped by a BP station in my neck of the woods a few years ago to buy some of my Marlboros. I wanted to feel like a real rancher that day. They insisted that they scan my ID, which I politely declined, explaining that my address is not pertinent to my purchase of cigarettes. The clerk told me “well you paid with your credit card, and they have your information.”

I was surprised he didn’t see the distinction. A company that I have made a financial partner would, obviously, have my information to contact me about payments and debts. A gas station does not require an ongoing level of trust. I pay, they provide, and I leave.

The large barcode contains everything from your address to your eye color. It is trivial to log more information than simply checking your DOB and expiry.

Nobody benefits

In the end, retailers are put at increased risk while causing consumers more privacy invasion. Nobody is the winner here. I’m not cool enough on the internet to drive enough interest to my blog to see change happen, but you can. Throw tape over the barcode. If you get pulled over, either pull it off or make the officer type it in manually. If you buy smokes and they’re willing to hire people they don’t trust, why are you trusting them not to swipe your card in a Square reader of their own?


Free Corporate Security Training

(Link is at bottom of post).

Every company should have certifiable online security training, covering everything from how to handle documents to attack techniques such as phishing, social engineering, etc.

I am an avid certification collector, so long as I don’t have to pay for it (and some I did). The United Nations offers several great courses in cyber security, active shooter response, and security in the field.

The two we’re going to talk about today are the foundational and advanced certificates:

Information Security Awareness - Advanced
Information Security Awareness - Foundational

The Certifications

The courses and training do have some UN-specific elements, such as reference documents within the UN pertaining to retention periods, classification and destruction of data, and UN or military-related scenarios.

I found it trivial to relate the work being done in the scenarios to my day-to-day tasks, and I find most people will not struggle with the material. There’s nothing against taking notes, but I did not need to at any point.

The foundational course is a prerequisite to the advanced course, and then there is a third one (that I have not completed) that deals with additional training.

The training reinforces best security practices:

  • Verifying encryption is being used (VPN or HTTPS)
  • Prioritizing cell-phone based hotspots over public wireless where possible, or falling back to encryption.
  • Scenarios demonstrating who you should share your password with and how passwords are socially engineered out of people (yes, even your manager should not have your password).
  • Password complexity rules, and entropy (how adding characters adds time to crack a password).
  • How to spot phishing sites (paypal.example.org, etc).
  • Navigating away from browser-based virus popups instead of installing the software.
  • Always reporting errors and security issues to the IT staff.

Obviously, there’s a lot covered, as you will see. The course is offered free to everybody, so I cannot see why this would not be a good solution for small companies that cannot afford proctored exams or the development of training material.

Has anybody else found great employee-level solutions for security training? I’d love to hear about it!

Here’s the link! United Nations Information Security Portal


Goo.gl Virus (Well, Phishing Scam)

First off, I want to be very clear that this is not actually a virus. This is a phishing scam.

I also want to make it clear that just seeing the domain https://goo.gl/ does not mean it is a scam, likewise not seeing that domain does not imply it is safe.

Sadly, the local community college would rather tell people about art than about data security and privacy, and the term “goo.gl virus” is a term people often use for these things.

What is this Goo.gl Site?

It is a URL shortener, similar to bit.ly, bit4.me, and others. In lieu of telling a friend to visit “https://robert-lerner.com/wildSpEllingandCaps123/123/4” you can create a short link, and tell them that instead.

That’s where the utility ends, and the scam starts. Link shorteners mask the actual destination of the URL, and thus make it harder to determine whether the destination is legitimate. This site: CheckShortURL allows you to paste in the short URL and see where it is going. Always do this.

How does this scam look?

It could be anything from a friend to a post in a garage sale site. Below is an example of one I saw on a garage sale site just today:

Facebook Phishing Campaign

If you see something that sensational, it’s probably going to be fake. It has no place in a garage sale group. Another good indicator is that commenting is turned off. Why would you share news and expect no reactions? Simply put — it’s because they didn’t want the scam unveiled.

Sadly, this user probably fell for this trick, and lost her account which is now posting this in all of the groups she’s in. It may even be requesting money from friends and so on.

Facebook does not provide a good avenue for reporting this sort of issue, and garage sale group admins aren’t always online. I went after the hosting company itself “Wix” to see if they can approach it, but at the time of writing no action was performed.

So, I clicked the link to see where it goes…

… I did it safely though, using a live boot of a Linux distro inside of a virtual machine. This sandboxes the attack from any valid sessions I may have open. At this point I didn’t understand the attack, so I was extra cautious.

At first, the link takes you to this page:

Pretend broken video

Looking here, you can see the image is warning you of gruesome content — you probably expected this, considering it claims to show people hurled off of a roller coaster. (Alright, so it’s kind of sick that you’d click this, but whatever.) Simply hovering over the pretend video player reveals it takes you to another site entirely… but it isn’t what you think:

Not-Facebook

Here, I left the URL bar partially visible. You can see plainly that you’re not on Facebook, but it is asking for your login. This is where people fall victim: they enter their e-mail and password to see the video, and at that point the attacker gets a copy of them.

I did a “whois” lookup, which may allow me to see who owns this hacking domain, but the owner was hidden. The registrar was Namecheap.com (this is where they bought the domain). All registrars have abuse@namecheap.com style e-mail addresses for reporting phishing scams, though the turnaround for these sites is often slow.

How do I know if it is Facebook asking for my login?

When in doubt, don’t log in. In this case, it is obvious that the site is not Facebook. In some circumstances you can specify a fake email and password. If you don’t get a “bad username or password” message, it’s probably a bad site. (This is a guide, not a rule).
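The two checks described above (unmasking a shortener the way CheckShortURL does, and confirming that a login page is actually on Facebook’s domain) as one added example, not code from this post: it walks the redirect chain one HEAD request at a time so nothing is rendered, then compares the final host with the host it should be. The `head` parameter lets the chain be replayed from a constructed map, which is what the embedded sample does; those `.example` domains and the `goo.gl` path are placeholders, not the real campaign.

```python
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is reported, not hidden."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_live(url: str):
    """HEAD one URL and return (status, Location header) without fetching the body."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:            # with redirects disabled, urllib raises on 3xx
        return err.code, err.headers.get("Location")


def expand(url: str, head=head_live, max_hops: int = 10) -> list:
    """Return the full redirect chain, starting with the short link itself."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))   # Location may be relative
    raise RuntimeError("redirect chain longer than %d hops" % max_hops)


def is_lookalike(url: str, expected_host: str = "facebook.com") -> bool:
    """True unless the host is expected_host itself or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return not (host == expected_host or host.endswith("." + expected_host))


# Constructed redirect map standing in for the network; placeholder domains only.
FAKE_HOPS = {
    "https://goo.gl/example1": (302, "https://garage-sale.example/video"),
    "https://garage-sale.example/video": (302, "/login.html"),
    "https://garage-sale.example/login.html": (200, None),
}


def head_fake(url: str):
    """Offline stand-in for head_live that replays FAKE_HOPS."""
    return FAKE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    for hop in expand("https://goo.gl/example1", head=head_fake):
        print(hop, "<-- not Facebook" if is_lookalike(hop) else "")
```

Swap `head_fake` for the default `head_live` to walk a real short link; the final URL is still never opened in a browser.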

So I’ve been scammed, they have my FB login, but do I get to see the video?

Imgur wtf

Nope. Rather hilariously, they dump you on imgur — at a “page broken” image. There is no video; there’s only you and your vacated account.

Update!

I worked with the abuse contacts at Namecheap.com (the registrar of the domain), and they acted promptly and cleared all of the DNS records for the domain, effectively taking it down.

Unfortunately, I had also reached out to Wix about the initial hosting domain, and as of this update the page is still live; they offered to “report it” even though it is one of their own customers. Obviously, clicking the link below exposes you to part of the phishing site:


How to Scam Garage Sale Sites with Gift Cards

PLEASE TAKE NOTE: The title is correct; this is how users of garage sale groups get scammed. The intended audience, however, is potential victims and group administrators. The goal here is to convey how easy it is to defraud people who purchase gift cards, and why gift cards should not be allowed for sale in these groups.

You should never purchase used gift cards from anybody without the authorization of the selling store, and their support transferring your balance to a new gift card.

Short Version of the Scam

When you purchase a gift card from somebody on the Internet, you may find that paying $50 for $100 of merchandise credit is a fantastic tradeoff. The fact is, you will pay the $50 and they will keep the $100, leaving you out the money.

How this scam works

This is nothing new; it is very similar to how credit card fraud has worked for years. However, many site admins and potential consumers are unaware of this tactic.

How Payment Cards Work

Your older credit cards, and the majority of gift cards in the world, use a magnetic stripe (the black line on the back of your card). At a fundamental level, this mag stripe operates exactly like an old cassette tape. When you swipe your card, the equipment reads a fixed string of data off the stripe. This data does not include your balance, but it does generally contain the card number, expiration, the name of the card holder, and a few other pieces of information.

This information never changes. That static data is the problem with mag stripe cards, and it is why EMV “chip” cards were introduced: they reduce the attack surface and greatly increase the complexity of this attack.

The scammer’s shopping list…

The scammer will buy a valid gift card (let’s say it’s worth $100) and a card reader / encoder. The latter device is roughly $30 from Amazon, and there are plenty of legitimate reasons to sell and own these devices. At this point, an attacker has all of the tools they need.

The scammer reads the card’s data into a computer, and encodes it (sort of like saving a file) onto an extra card that they picked up.

Selling the Gift Card

The card will be listed for sale in multiple areas, usually for some money off the face value, and with the caption “Got this for (insert holiday), don’t shop there” or similar. Sometimes this will be backed up with a picture of the register receipt.

A buyer is found through one of these garage-sale groups, and you meet up. You first call the store to verify the $100 balance, and sure enough — the card is loaded legitimately. You gladly pay your $50 for the card, and you both leave happy. You may head straight to the store, you may wait a few days, or you may be extra hilarious and gift the card to somebody.

Hook, Line and Sinker

As soon as you leave, the attacker still holds a duplicate of your gift card and can call a friend at the store to purchase another gift card, food, clothes, or anything else with it. By the time you get to the store, that card will have a $0 balance, and the Facebook / Craigslist / etc. account will be long gone.

Buying Gift Cards Legitimately

The majority of stores expressly prohibit transferring cards between people, and for exactly this reason. The safest way to do it is for both you and the seller to meet at the store in question, where you purchase a new gift card using the card they’re selling. You can then dispose of the depleted card, and your new card will not be vulnerable to this scam, as the seller will not possess a duplicate of it.

There are also websites that may have additional mechanisms for exchanging gift cards, though you should always keep in mind how this scam works. Companies will often state directly on the cards “TREAT THIS CARD LIKE CASH”, meaning that losing the card, or other conditions, will prevent them from reissuing a balance. Furthermore, as far as the store is concerned, you spent the balance, and store clerks will almost never check a gift card for validity. Even if they do, there are embossers for that.