Category Archives: Security

US Banks Looted with Simple Fraud

Prompt payment of debt builds trust with financial institutions. Two men, working with a third, used this trust model to build credit profiles for fictitious identities and obtain $500,000 in credit in just one year. They then spent all of it with no intention of paying it back, and they came close to getting away with it for much longer.

It started with a dentist’s office employee who extended the two men loans and then reported their payments to Experian. He was the inside connection — the tip of this trust iceberg.

According to the government complaint filed in California federal court, which summarized the investigation, the brothers, along with Hyde, made up hundreds of fake social security numbers to establish false identities. The men then began reporting loan information and on-time payments for fictitious dental services to Experian.

Once the fake credit profiles had high credit scores, the men opened credit cards and took out loans, fooling issuers like Bank of America (BAC, Fortune 500), Capital One (COF, Fortune 500), Wells Fargo (WFC, Fortune 500), US Bank (USB, Fortune 500), Chase (JPM, Fortune 500) and Discover (DFS, Fortune 500). In all, the government estimated that the men duped at least 21 financial institutions.

They were caught because their fictitious identities became too hard to believe (the loans were too large for dental work and were not geographically dispersed), which led someone at Experian to investigate and notify the FBI. Hindsight is 20/20, but the article suggests that if they had asked for smaller loans over a longer period they would have gone unnoticed. We could also guess that if they had pulled $500K in a year and skipped town, instead of buying fancy, flashy cars, they would not have been caught.

The case illustrates that while some basic controls you might expect (SSN verification) seem not to be in place, other, more sophisticated controls are working (e.g. geographic visualisation by loan amount and industry). Maybe it looked something like this, but in 3D and controlled by waving hands in the air at a bank of large flat screens.

Bad Loans by Geography

It also shows how an industry’s chain of trust can suffer from numerous weak links and unclear responsibilities.

GOpenVPN Install on Ubuntu 10.04

This has been coming up a lot lately, so here are some notes for future reference. GOpenVPN is basically a Linux rendition of the Tunnelblick app for OpenVPN. Here are the steps to install it on a fresh Ubuntu 10.04 Maverick Meerkat workstation.


0) Install OpenVPN package (10.04 is the current latest version)

1) Review prerequisites for GOpenVPN

  • subversion
  • autoconf
  • glib-2.0
  • gtk+-2.0
  • glade-2.0
  • gnome-keyring
  • gksu
  • gedit
  • intltool

2) Install prerequisites

sudo apt-get install subversion autoconf libglib2.0-dev libglib2.0-data libgtk2.0-dev libglade2-dev libgnome-keyring-dev gksu gedit intltool

3) Download source

svn co https://gopenvpn.svn.sourceforge.net/svnroot/gopenvpn gopenvpn

4) Build

cd gopenvpn/trunk/gopenvpn/

./autogen.sh

intltoolize

./configure

make

5) Install

sudo make install

6) Run

/usr/local/bin/gopenvpn

…and you should see an icon appear in the top panel. Right-click it to configure the connection and to watch the log.
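The six steps above collected into one script, as an added example that is not from the original post: it installs only the packages that are still missing, reuses an existing checkout, and checks that the binary the post says to run is actually there before declaring success. It assumes an Ubuntu workstation with apt-get, dpkg-query and svn on the PATH; the package list, SVN URL and paths are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): the install steps above as one
# script with a check at each stage. Assumes an Ubuntu workstation with
# apt-get, dpkg-query and svn on the PATH.
set -eu

PKGS="openvpn subversion autoconf libglib2.0-dev libglib2.0-data libgtk2.0-dev \
libglade2-dev libgnome-keyring-dev gksu gedit intltool"
SVN_URL="https://gopenvpn.svn.sourceforge.net/svnroot/gopenvpn"
SRC_DIR="gopenvpn/trunk/gopenvpn"
BIN="/usr/local/bin/gopenvpn"

# True when dpkg reports the package as fully installed.
pkg_installed() {
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q '^install ok installed$'
}

# Print, one per line, the packages in "$1" that are not installed yet.
missing_pkgs() {
    for p in $1; do
        pkg_installed "$p" || printf '%s\n' "$p"
    done
}

# Steps 0-2: install only what is missing, so re-running the script is cheap.
install_prereqs() {
    missing="$(missing_pkgs "$PKGS" | tr '\n' ' ')"
    [ -z "$missing" ] || sudo apt-get install -y $missing
}

# Step 3: fresh checkout, or update an existing working copy.
fetch_source() {
    if [ -d gopenvpn/.svn ]; then svn update gopenvpn; else svn co "$SVN_URL" gopenvpn; fi
}

# Steps 4-5: build in a subshell (the && chain stops at the first failing
# stage), install, then confirm the binary the post says to run exists.
build_and_install() {
    ( cd "$SRC_DIR" && ./autogen.sh && intltoolize && ./configure && make )
    ( cd "$SRC_DIR" && sudo make install )
    [ -x "$BIN" ] || { echo "install finished but $BIN is missing" >&2; return 1; }
}

# Step 6 is left to the user; the real work only runs when invoked as:
#   sh build-gopenvpn.sh run
if [ "${1:-}" = "run" ]; then
    install_prereqs
    fetch_source
    build_and_install
    echo "done: start $BIN and look for the panel icon"
fi
```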

Alternatively, the network manager OpenVPN plugin also does the job:

sudo apt-get install network-manager-openvpn network-manager-openvpn-gnome

Qwick Codes and Card-less ATMs

I just read that a vast network of ATMs will soon allow transactions without a card (PDF).

Payment Alliance International (PAI), a leader in electronic payment processing solutions, and MagTek, a global leader in secure mobile payments technology, jointly announce the deployment of MagTek’s Qwick Codes across PAI’s nationwide network of over 50,000 ATM machines.

…solution that consumers can use everywhere without actually carrying a payment card.

First question: if ATM stands for automated teller machine, then what is an ATM machine? I’m not trying to be picky; I just figure a press release from the leader in electronic payment processing with 50,000 units might be on to something new and pushing the envelope (pun not intended).

But seriously, I think I should not call this a card-less system. It is an ATM without the need to swipe the card; the transactions still need a card. Whether the card has to be carried depends on the cardholder planning ahead and generating tokens in advance. With the new system, data is transferred from a card to a phone so the card does not need to be swiped at the ATM machine (or ATM).

Qwick Codes Mobile Wallet is an easy-to-use application that runs on a PC, Apple iOS device or Android smartphone with a Secure Card Reader Authenticator peripheral attached. All consumers need to do to generate a unique Qwick Code is swipe any traditional magnetic stripe payment card they already carry in their wallets through the Authenticator and a one-time, disposable account number and PIN are generated. Consumers use their Qwick Code and PIN at supported ATMs to withdraw cash, eliminating the need to physically carry a payment card while reducing exposure from skimming and related fraud.

The goal is to avoid skimming attacks at the ATM. I have written about that security issue before. In this case I have my doubts about the security of the link between the application on the computer and the Secure Card Reader Authenticator. I also notice that they claim support for a PC and Apple iOS. Who wants to bet that they mean Microsoft Windows OS when they say PC? Not a good sign.

Web Pentest Practice List

From Felipe Martins

Note that this post intends to show only vulnerable applications used to be exploited, not the tools used to exploit them.

Interesting that the goal is to set up an environment that is vulnerable in order to test out the web penetration tools. I guess I have become so used to things being the other way around (setting up attack tools to test the vulnerabilities of an environment) that this seems like a novel idea to me.