Category Archives: Security

Journalists Try but Fail to Protect Libyan Woman

A video from Jonathan Miller of Channel 4 News clearly shows a tense situation for foreign journalists in Libya as they try to get around their “minders”. He says they not only struggled to record the situation but they also fought in vain to assist a woman named Eman al-Obeidi they noticed crying and screaming for help in their Tripoli hotel:

There was nothing that anybody standing here could do about it… They threatened us. We were unable to protect her. We have no idea what her fate will be now.

These men are Gaddafi’s thugs. The Financial Times correspondent, Charles Clover, who had just learned that he was to be summarily deported, bravely challenged the minders and the hotel staff, demanding they back off and leave Ms al-Obeidi alone.

For this Mr Clover was roughly manhandled, pushed and thrown to the floor and kicked. Another government minder, who had previously tried to interfere with our filming, punched me in the face and pushed me backwards over a chair.

I landed on my back, only to have another scuffle break out above me as the CNN crew grappled with other minders who were attempting to seize their camera.

The camera smashed and broke into pieces and the minders grabbed the memory cards.

Risks of (Wind) Power Overproduction

I should have called this post the risks of German power, but alas…here is an interesting look at the risks from harnessing the unlimited yet variable input of wind:

In 2006, when wind farms were few and far between, coal, gas and nuclear power plants produced just the amount of energy needed in eastern Germany at the time, but also created large amounts of nuclear waste and carbon dioxide emissions. The system was relatively stable. On average, engineers took action to stabilize the eastern German grid roughly 80 times a year.

Today, as the amount of electricity generated by the region’s 8,000 wind turbines rises and falls by the hour, engineers have to intervene every second day to maintain network stability.

Germans are now pushing so much power from wind through their system that it is in danger of overload. One thing that is new and different about wind (like solar) is that its variable rate of input makes storage important as a sensible way to convert it to a constant output. Petroleum is stored and then converted into output, with storage used to manage flow rates, but unfortunately a method of storing wind energy has not been engineered yet.

The article points out that petroleum power plants are instead supposed to be shut down and give priority to wind during surges. That, of course, doesn’t happen because it puts the grid at a higher risk of variability and control issues (operational cost?) so they instead try to export their overproduction, which puts the grid at a higher risk of overload.

Although large high-energy long-life batteries are still considered so toxic that only the military is allowed to use them…what eastern Germany could do is create the equivalent of barrels of wind energy for consumers. That would give them the option to store or export energy just like with petroleum. Maybe it could take the form of hundreds of thousands of stored energy blocks (batteries) hot-swappable into electric transportation, especially bikes.

Imagine riding across town and then pulling in to a grid/battery station and swapping out for a fresh charge. Storage problem solved, excess power problem solved, a more viable electric transportation market (longer range, faster recharge), with export options still open and to an even wider market.

Enertia
Storing power has never before been so much fun.

Maybe it’s just me, but the Deutsche Welle graphic of German power seems a little historically insensitive:

Eastern German Power
“Aggh! Ze plan ist to go hier und hier und…”

FNB ATMs Allow Cell Phone Withdrawal

A bank in South Africa recently announced the “breaking news” that a PIN to withdraw cash from an ATM can be sent via SMS to cell phones. Bank cards are not needed in the transaction.

First National Bank (FNB) today announced its latest innovation – a Cash Withdrawal solution using Cellphone Banking. A first in South Africa, Cash Withdrawal will allow FNB Cellphone Banking customers to withdraw cash directly from their FNB transactional account at an FNB ATM without the use of any bank cards.

The bank card is something you have and the PIN you registered with the bank is something you know. Here are some thoughts on how a cell phone compares.

The cell phone is also something you have, but it is better than a card because you probably constantly know its whereabouts. FNB says their customers come into the bank for cash because they have forgotten their wallet at home. Apparently they always have their phone. Imagine a customer walking up to a teller and saying “My name is X and my account is Y but I have forgotten my wallet”; at which point the teller would pick up the phone and dial for X. If the customer’s pocket starts ringing, the teller would continue the transaction. The disadvantage is that phones tend to be fragile and have spotty service. I suspect service will not be an issue at the ATM location because many ATMs are now being deployed with cellular capability instead of POTS (plain old telephone service).

A PIN sent to the phone is something you know. It is better than the card PIN because it can be pushed (to something you have) by the bank and therefore is easily updated. The disadvantage is that phones can end up in multi-user environments yet lack even the most basic multi-user protections. That is probably why the FNB PIN is only valid for 30 seconds. Even if someone were to find an SMS with a PIN on a phone it would very quickly have become invalid. It also is why you might be able to specify that the PIN only be sent by voice (Interactive Voice Response – IVR). I wonder if the bank also revokes used PINs so they are never valid again.
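The 30-second validity window and the question of revoking used PINs, as an added example (not FNB's code and not from the bulletin): a hypothetical bank-side service that issues a one-time withdrawal PIN and checks it at the ATM. The class and method names, the 6-digit PIN length and the policy of burning a PIN on any attempt are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PIN_TTL_SECONDS = 30  # validity window the post attributes to the FNB PIN


class WithdrawalPinService:
    """Hypothetical bank-side store of one-time withdrawal PINs."""

    def __init__(self):
        self._pending = {}  # account -> (salt, pin_digest, issued_at)

    @staticmethod
    def _digest(salt, pin):
        # Keep only a salted digest so the store never holds the PIN itself.
        return hashlib.sha256(salt + pin.encode()).digest()

    def issue(self, account, now):
        """Create a fresh PIN (assumed 6 digits); an earlier one is replaced."""
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[account] = (salt, self._digest(salt, pin), now)
        return pin  # would be pushed by SMS or IVR to the registered number

    def redeem(self, account, pin, now):
        """Check a PIN at the ATM. The record is removed on every attempt,
        so a used PIN can never be replayed and a wrong guess ends the window."""
        record = self._pending.pop(account, None)
        if record is None:
            return "no-pin"
        salt, digest, issued_at = record
        if now - issued_at > PIN_TTL_SECONDS:
            return "expired"
        if not hmac.compare_digest(digest, self._digest(salt, pin)):
            return "wrong-pin"
        return "ok"


def demo():
    """Constructed timeline: a valid use, a replay, and a PIN found too late."""
    svc = WithdrawalPinService()
    pin = svc.issue("acct-1", now=1000.0)
    first = svc.redeem("acct-1", pin, now=1010.0)   # inside the window
    replay = svc.redeem("acct-1", pin, now=1012.0)  # same PIN, already used
    old = svc.issue("acct-1", now=2000.0)
    late = svc.redeem("acct-1", old, now=2031.0)    # read off the phone later
    return first, replay, late
```

Passing the clock in as `now` keeps the expiry check testable; a real deployment would also need the rate limits and number-registration controls discussed in the next paragraph, which this example does not cover.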

Another disadvantage is that, although you don’t have to register a PIN with the bank, you now have to register a phone number with the bank. If they do not properly secure the process to register a number, or you do not keep your list of numbers up to date, an attacker can prompt the bank to send them a PIN instead and they could access cash from your account. Phones are easy to clone and tap so an attacker could wait by another ATM for a PIN to be sent. The bulletin also mentions a login to the Cellphone Banking from the phone to request a PIN for cash withdrawal. That raises the question of communication security between the phone and Cellphone Banking interface, as well as protection against account recovery fraud or social engineering. Several new threats may appear because of the login requirement and PIN request, including remote/hidden attacks, compared to the bank card.

Some might take comfort in knowing that the concept for ATM withdrawals with a cell phone is not new.

In 2001, NCR announced its Freedom concept, demonstrating the use of a mobile phone or personal digital assistant to obtain cash from a futuristic egg shaped ATM. With the Freedom concept, mobile devices would replace the magnetic-stripe cards in a consumer’s pocket.

This system differs from many of the original ideas because the phone does not communicate directly with the ATM but instead replaces the bank card as a factor for authentication. It sounds like a good idea, and less revolutionary than a direct connection, but it also introduces many new risks.

GE Hacks Tax Law – Pays Nothing

The NYT reports that GE has hired insiders from the IRS and Congress to tell it how to circumvent tax laws in America.

Its extraordinary success is based on an aggressive strategy that mixes fierce lobbying for tax breaks and innovative accounting that enables it to concentrate its profits offshore. G.E.’s giant tax department, led by a bow-tied former Treasury official named John Samuels, is often referred to as the world’s best tax law firm. Indeed, the company’s slogan “Imagination at Work” fits this department well. The team includes former officials not just from the Treasury, but also from the I.R.S. and virtually all the tax-writing committees in Congress.

This seems like a fun example of an insider attack being leveraged from the outside. Insiders leave an organization and then find they can make a handy profit explaining how to get around all the controls they know or even designed.