comment 0

The safest place for your money is under the mattress

money-under-mattress

When I was in school, we joked about people who kept their money under the mattress, that somehow those who didn’t use banks were less intelligent than people who did.The general thinking was that smart people kept their money in the bank, where it was safe from theft, fire and flood, while still collecting interest.

In the 80’s this was a compelling argument, when interest rates were high and banks really did provide security,but is that thinking still applicable today?

In June of 2000, Maybank launched their ‘new’ internet banking platform, Maybank2u, which allowed their customers to do their banking online, outside of traditional branches or even ATMs. Few years later, it begun offering online purchases and soon after the mobile app was launched.

But while online banking platforms brought convenience, they also introduced new security threats — and it wasn’t clear whose job it was to secure against those new threats, and who would be liable for inevitable financial losses.

Was it going to be bank who assumed liability, just like they did before, or would it be the account holder, or possibly a mixture of both?

The answer depends on who gets attacked, because not all attacks are equal.

Not all attacks are equal

There’s two types of attack, one where the bank itself is attacked, and another where the account holder is targeted instead.

When someone walks into a bank  with the threat of violence, and walks out with $30,000 of the banks cash, the bank absorbs all the loses. After all, that’s why your money is in their safe and not under the mattresses.

507d7acb92f46ed8d8779be14e3f2051But there exist another class of attack–customer impersonation, where the attacker isn’t threatening violence or even ‘attacking’, but trying to fool the bank into believing they are the rightful account holders. In other words, the attacker is trying to impersonate you, to get to your money.

And in the digital world, customer impersonation is far more common. Consider the case of ATM fraud.

ATMs identify a user by verifying their ATM cards, and then prompting them for the PIN. More specifically, the ATM first authenticates the inserted ATM card (is this card real?) and then proceeds to ask the user for the PIN (is the person the accountholder?), once an ATM is satisfied, it then proceeds to grant the user access to the account.

Hence if an attacker managed to steal your card and knows your PIN, the ATM has no way to differentiate between you and the attacker. Anyone could take your money from your account, by just having your ATM card and PIN, in contrast robbers attacking a bank would simply be taking the bank’s cash…not yours.

Credit Card fraud is another prime example, but at least in Malaysia end customers have their liability capped at RM250 provided they report their lost cards in a ‘reasonable’ amount of time. For debit cards and ATM cards are not protected in the same way. Which is strange because the poorer sections of society who need more protection usually have debit instead of credit cards.

But even credit card users need to be wary, because changes in the liability model are bound to happen when we introduce Chip and Pin. (read more here)

To summarize, customer impersonation isn’t the same as a bank robbery, when the bank issues you credentials (like PINs, passwords or ATM cards), the responsibility to secure those credentials are yours–and if those credentials are compromised, then you’ll have to shoulder some of the financial losses as well.

comment 0

Anonymity and IP addresses

anonymous_guy_fawkes

This week, I’ll put the final touches on my move from Malaysia to Singapore.

So, I felt it would a good idea to read through some Singaporean tech articles to see how tech events played out on the little red dot, and offer some unsolicited  and completely useless advice on them.

It wasn’t easy shifting through a boat-load of gadget reviews masquerading as tech journalism (I guess some things are the same in every country), but underneath the hundreds of phone reviews and fiber broadband comparison, I found a little interesting report on illegal downloads.

The Singapore Straits time reports that:

A local law firm that started proceedings to go after illegal downloaders in Singapore on behalf of two Hollywood studios said it will cooperate with the local authorities to ensure no abuse of process.

It follows a rare intervention by the Attorney-General’s Chambers (AGC) in civil applications made by Samuel Seow Law Corp (SSLC) in the High Court last month.

“We will work with the local authorities to ensure that there will be no unnecessary alarm to consumers who receive the letters of demand we plan to send out,” Mr Samuel Seow, managing director of SSLC, told The Straits Times yesterday.

This is just a re-hashed version of what happened last year in Singapore, when the same law firm went after downloaders of another movie, the difference is that this time they’ll be doing it under the watchful eyes of the AGC.

There is something to be said here about copyright-trolling, the abuse of power and the bullying tactics usually involved. But, we’ll leave that discussion for another day.

Today, I want to explore a little bit about anonymity and how many people have a mistaken notion about what it is.

comment 0

Random thoughts

You’ve probably heard of the hackers who almost got away with $1 billion, only to be thwarted by a typo. (if it weren’t for those meddling keyboards!) What you probably didn’t hear was that they had already wired $100 million…

comment 0

2600 article

*A republication of my article on 2600, a hacker magazine* Greetings from Malaysia. This is my first time writing to 2600, although I’ve been a kindle subscriber for more than 2 years now. For my first article, I hoped to…

comment 0

Two years on, teaching coding in schools declared a success

teach-codingKLANG: Two years on, the the pilot initiative to teach coding and digital security as an SPM subject has been touted as a resounding success, and the government is mulling a move to make it compulsory by 2020.

The announcement shocked parents, as out of 10,000 students who took part in the pilot program, only 10 had scored an A while the rest had failed with a grade of F.

Education Minister, Dato’ Seri Java, said that this reflects the current IT market, where out of 10,000 security consultants, only 10 will ever give you good advice.

“We benchmarked against the industry, and set the grading curve accordingly, so only a 10 students getting an A was the intention!! We can’t have cases where students just memorize a textbook and then score an A, this is not History or Geography, this is an important subject” he said, while further mocking drama and English literature under his breath.

Deputy Director of Education, Perl Ramachandran further added that instead of focusing on the 9,990 students who failed, the public should instead focus on the ‘A’ students who showed exemplary work and are were ‘bright spots’ in the dark abyss which is the Malaysian education system.

One such exemplary student was 17-year old lass Siti Pintu bt. Belakang, she had managed to install a backdoor into the MOE exam system and downloaded the question paper days before the exam. A backdoor is an application that allows an attacker unfettered access to the compromised system, and Siti managed to code one from scratch specifically for this purpose.

Already Russian cyber-criminal organizations are offering her scholarships to prestigious universities, Perl further added.

Then there Godam a/l Rajakumar, who instead of stealing exam papers, simply hacked into the MOE grading system and gave himself a ‘A’.

comment 0

More security theatre

So now, only actual travellers will be allowed into airports, and everybody else from your mother to your 3rd aunty twice removed has to say their teary goodbye at home rather than at the Airport KFC.

But why?

So that terrorist will now have to buy a ticket in order to blow up the airport? I can picture out now, “Al-Qaeda attempt to bomb KLIA foiled due to lack of funds for ticket purchase”

….riiiiggght!

Do these people even consider just how easy it is to circumvent some of the ridiculous ‘security measures’ they put in place these days.  If all it takes for a terrorist to gain entry into an airport is a plane ticket, it’s not a very tall order for them to go out and buy one, or just print a fake copy good enough to fool the security officers.

We’d be spending countless of man hours, for security personnel on entry points scanning through useless documents with no real security in return.

What a waste–just like those women only KTM coaches that do absolutely nothing.

comment 0

Just buy McDonalds

If you haven’t listened to it already, here’s a fantastic cut-down (no bullshit) version of Jim Comey’s testimony to congress, on why he recommended Hillary Clinton not be prosecuted for hosting her own e-mail servers. For the uninitiated, while Hillary Clinton…

comment 0

Technology saves lives, but it isn’t perfect

What do you do when the technology turns on you?

Or when the feature that’s built to save you, is the one that might just kill you?

There’s a stark similarity between the Takata airbag fiasco, that’s already taken 2 Malaysian lives, and the lady who died in self-driving Tesla.

Both involve the auto-industry and both are technology related, but together they represent a much deeper issue at hand–despite our noblest expectations, technology isn’t perfect–but it’s better than we had before.

We’ve all been trained by Hollywood to expect perfect technology, working all the time and in every scenario, but in reality technology sometimes fails, and newer technology fails more often.

Technology endures through failures, only by our good graces, but unless we grant that grace to it, we will not progress.

What should our response to a technical failure be?

Do we insist on removing ALL traces of the offending technology, or do we accept it as a price of progress, that the occasional failure is a tax we pay to get better technology.

But are some taxes just too high?

Society might accept failing antennas on an iPhone, or even bad Google searches, but an air-bag, that might blow a hole in your chest or a car that might crash you into a truck, might be too high of a price.

So is the tax for air-bags and self-driving cars just not worth the potential safety we get in return?

comment 0

Show notes for today

Your browser does not support native audio, but you can download this MP3 to listen on your device.   Some interesting links you might want to check out during my interview on BFM today, will tidy up this list later…