Malmö, Sweden has strengthens its position on the list of places with the greatest problems with hijacking and skimming of credit cards. Several Swedish newspapers write about the recent operation of the Malmö police, which applies to Toys R Us in Sweden, where it has uncovered sophisticated skimming equipment. While skimming of cards is nothing new, but what surprises me is that Toys R Us doesn’t have any kind of procedures in place to control their terminals at regular or daily basis so that these have not been tampered with.

That Malmö have problems with the skimming of the cards has earlier been notified by the Police in Malmö and in turn this problem has grown to such extend that it also has been discussed at political level in the city. The problem is so large that some foreign mail order companies now refuse to send packages to Malmo-based addresses.

Unfortunately, has the banks in Sweden been extremely slowly to implement chip-based cards to their customers. Already around 1997/1998 there was large procurement of new ATMs where there was the addition of so-called smart card readers to increase security. Something that all Swedish banks categorical opted out.

Let us also hope that affected customers already has been contacted by either the card issuer or by Toys R Us, Sweden (or the main company, Top-Toy A/S, in Denmark) in connection with this fraud when it was detected and not left nine days later to the media to suggest that customers should cancel their cards…

Kim Haverblad

[Swedish version of this entry can be found here]

Bookmark to:

Most people have heard about card skimming and other credit card fraud but in Swedish media there are several interesting articles regarding how a local branch office to Swedebank manage to stop a fraud transaction in the last minute. The Swedish police won’t talk about it but media claims that a bank employee took notice off that the mouse pointer on his system was moving by it self. He then quickly looked behind the computer and finally found under his desk a hidden device that was connected to the computer to remotely control his computer. Pulling the cables stopped a transfer of several million Swedish Kronor to vanish.

First question that comes in my mind is how did they manage to set up this equipment without any one taking notice? Well, according to the Swedish police there was a break in during August last year where nothing was stolen… Why didn’t that itself not raise a couple of questions? And better up; the alarm did not go off due to that the alarm wasn’t activated?!

The question that should be asked within this organisation is why would actually someone make an illegal entry with the risk of getting caught and steal nothing? Either was the person extremely stupid or didn’t find what he was looking for or they intrusion had another purpose of for example hide or tamper with the system at the bank office.

The group of seven men where arrested this Monday and Tuesday and are currently under suspicion for attempt to bank fraud and as well for preparing new similar actions.

So far the police has been very silent regarding the technology used during this fraud attempt. But a guess is that since the perpetrator had to hide an “unknown device” under the desk one could assume that they used standard available technology such as pico-itx motherboard together with either gsm or 3g modem to be able to call home or to contact the “unknown device” from remote host by for example using open available remote access software between the two computers. So actually the components used to build a tiny system is not hard at all and I highly doubt that we’re talking about James Bond technology here such as tiny keyboard logger devices with remote capabilities.

The technology is available and has been since many years to build your own equipment or buy spy kit – it’s just a matter how much money you’re willing to spend and to what extent you’re willing to hide your activities.

Keyboard loggers has been around for ages as well most interesting enough most people have actually never seen one. Keyboard loggers can easily be obtained via the internet or you can either build your own using a simple PIC16F84, and a NVRAM chip. The left images shows a home made keyboard logger and the middle shows what a typical keyboard circuit looks like and the right image what a typical keyboard logger looks like that you can get over the internet for around $80.

So once again I ask myself – why would someone make break into a bank and not steal anything without any questions asked?

Kim Haverblad

Bookmark to:

Have you ever been trying to get commercial smart card solution available on the marked to work with more than just one operating system? Then you might be familiar with that it’s not a walk in the park to get it to work. During my evaluation of both hardware and software I quickly noticed that trying to mix hardware and software from different vendors wasn’t that great idea and didn’t work out that well – So much for standards.

Having used OpenPGP for quite some time and earlier PGP (OpenPGP derives from PGP, first created by Phil Zimmermann) on various operating systems I’ve quite often been looking into the possibility of using some kind of token to keep my encryption and ssh keys safe and a simple USB-memory isn’t an option. Problem is that it hasn’t been that easy earlier and as well it also depends on what kind of token you chose. From that start I’ve been looking at using smart card solution and while evaluating different smart card readers it clearly looks like that USB CCID (Chip/Smart Card Interface Devices) based dongle reader seems to be the best and actually the easiest solution when having several operating systems in mind (drivers are available for two of the operating system that I use; Windows and Linux).

When starting to look into this topic I gave it a try with GemPlus PC400 smart card reader which works fine under Windows and Linux, but unfortunately missing drivers for OS2 which is another operating system I still use. Linux drivers for the GemPlus PC400 smart card reader can be found at LinuxNet and there is an active software bounty available at OS2 World for those who wants to continue on that track.

There are various smart card implementations available and one of the widely available solution for at least Windows and Linux system is U.S. Department of Defense CIC, Common Access Card which is a Java Card OpenPlatform card with GSC-IS (Government Smart Card Interoperability Specification) applets which is primarily used to access email with varying levels of support for the mentioned operating systems. There are various manufacturers that sells this kind of smart card. For larger corporation or due to customer demand the DoD CIC smart card might be the track to continue on when selection standard to build ones solution around.

In my case since I wanted to use GnuPG I’ve choosen to use the OpenPGP Card based on the ISO 7816-4,-8 specification for smart cards.

Features of this card are:

• 3 independent 1024 bit RSA keys (signing,encryption,authentication).
• Key generation on card or import of existing keys.
• Signature counter.
• Data object to store an URL to access the full OpenPGP public key.
• Data objects for card holder name etc.
• Data object for login specific data.
• Length of PIN between 6 and 254 characters; not restricted to numbers.
• T=1 protocol; compatible with most readers.
• 40mm * 10mm sized writable field on the front matter.
• Specification freely available and usable without any constraints.

There shouldn’t be any problem to use DoD CIC smart cards; but I haven’t had the possibility to verify this myself and how well this card works together with GnuPG and OpenPGP. But, it’s my understanding that it works as supposed.

The GnuPG client and plug-in used for the mentioned systems supports PKCS#11 and by this it’s possible to get everything, with some tweaking, to work all together with a single smart card with a RSA-key for signing and ssh key handling. Getting it to work with Thunderbird and Enigmail is really easy and works more or less out of the box.

So by looking at open source utilities I’ve achieved my goal to get a working solution for secure handling of my encryption keys for at least two out of three operating system that I use.

Kim Haverblad

Bookmark to:

Couple of month ago and after getting totally sick of all the spam in my mailboxes, so I changed the configuration and installed greylisting support on the mail server. So how does greylisting work? What happen is that each time a given mailbox receives an email from an unknown contact (ip), that mail is rejected with a ”try again later”-message. This, in the short run, means that all mail gets delayed at least until the sender tries again – but this is where spam loses out! Most spam is not sent out using RFC compliant MTAs; the spamming software will not try again later. That did the trick for while… but now during the last couple of weeks I have noticed that MSN Hotmail accounts are being used as sender and by that avoiding getting blocked by the greylisting – highly annoying! Then again, it’s was just matter of time before this would happened.

Question remains if Microsoft is sleeping or what – since these activities can’t really pass by without any notice by MSN. They should now have quite a few high volume users that send quite a few e-mails. Sending abuse reports to Microsoft seems to work (slowly) even if I don’t get any feedback from them; then again I guess that I’m not the only one with this problem. Having an anti-spam policy isn’t enough and doesn’t do the trick of blocking spam. Microsoft has also admitted that up to 98 percent of messages sent to Hotmail addresses are spam. Question is if not 98 percent of messages sent from Hotmail addresses are spam as well.

According to Sarah Lefko, MSN product manager, MSN has been very aggressive and proactive in protecting MSN Hotmail users from spam and together with SenderID blocking 20 millions e-mails per day. Problem is that it just doesn’t work.

What would the solution be then? Well, I’m really tempted to block Hotmail and don’t accept any e-mails from hotmail.com domain. Then again, it’s just really a bad work around of the problem. Also, how can it be that Google’s Gmail account isn’t abused? So far I haven’t received a single spam from gmail account….. yet.

Kim Haverblad

Bookmark to:

As a frequent flyer within Europe one takes notice of the increased and changed security activities due to the unprecedented events of 11 September 2001. Although there has been an increase in the level of security at many airports, the question is still if all airports have made the proper changes.

Let’s take Sweden’s largest airport, Arlanda, Stockholm, as an example and compare it with for example Heathrow Airport, London, UK. The fist thing that one notice at Heathrow is that you are informed that it can take up to 30 minutes to pass through the security controls. At Arlanda the LFV Group Swedish Airports and Air Navigation Services has in their contract with G4S (former Falck Security) stated that the maximum time to pass through the security area should be 5 minutes.

I have often passed through Heathrow airport with my notebook during the last 10 years and I have been numerous times been asked to turn on the notebook so that the security personnel could verify that it’s working system I’m carrying around and not a dummy. At Arlanda the only ask you to open up the notebook so that they can check that there is a keyboard (or what ever they’re looking for), but nothing about turning on the system to see if it actually works. Actually I’ve never been asked to turn on the notebook at a Swedish airport at all.

Shoes and belts that usually have some kind of metal and of course usually trigger the metal detectors have to be removed and x-rayed at Heathrow. At Arlanda you might be asked to unbuckle the belt to check that you’re not hiding anything, but that is more an exception than a rule.

During 2005 there were a number of incidents at Arlanda where both knifes and bomb bags, IED (Improvised Explosive Device), where missed out in the security controls; controls made by LFV Group. Both LFV Group and G4S got loads of unwanted media cover due to that both organisations was proven not to take the security activities seriously enough. An anonymous employee with G4S Security also went out in the Swedish press and informed that they during one day made 20 random securities check of hand luggage but in their internal reports wrote that performed 130 security checks just to fulfil the contract with LFV Group. Other anonymous G4S employees has reported that they have been informed an hour before when security checks would be performed by LFV Group.

Either has LFV Group and G4S not learned anything from earlier negative media coverage or it’s just that they have tighten up the information that could leak out to the media really hard. Since when travelling via any of the Swedish airports the security checks sometimes feels a bit random. So far Sweden haven’t had any major incidents. But, there is clearly a need for improvements at the Swedish airports.

Kim Haverblad

Bookmark to: