Flying carpet

 

Image from Pixabay

On a drizzly Friday afternoon, one of those we've had so much of lately, the carpet ordered would be delivered. A showpiece for his new house, with a modern motif, no less than three by four meters in size. Just a little too big to take with you in the car, but luckily Ikea offered home delivery. And you don't have to count the screws this time, sir, and there is no Allen key either.

But in the course of that afternoon an email came in from “Post”. Subject: delivery issues. Content: “The product you ordered is still in our distribution center. You must first pay € 3.95 for customs duties. Click the button below to reschedule the delivery.” Payment had to be made by credit card. That was the point where our carpet enthusiast dropped out - if he could have paid with iDeal (a well-known payment system in the Netherlands), he would have done it, just to get rid of it quickly.

Now, however, he was going to call Ikea. There they told him that the message had not come from them and that the carpet would be delivered as scheduled. Exactly during that conversation, in which both sides quickly concluded that it must be phishing, another email arrived. This time it also mentioned an order number, which did not match the number of the carpet ordered.

The next day, both emails had miraculously disappeared. An unpleasant feeling came over our Ikea customer: had someone hacked his email account, seen the order and acted on it cleverly? Or was the retail chain perhaps hacked, or was there even a mole at the Swedish company who sold order data to cyber criminals? We'll probably never know - unless there are a ton of reports like that and the email provider or the store investigates and publishes the findings. But companies still tend to be quite introverted about such things.

I don't think any of these scenarios played out. Because that's how phishing works: you have ordered something and at exactly the right moment you receive a message that could very well apply to that order. Had you received that same message a few days earlier or later, you would have shrugged and ignored it. They use the shotgun approach, because it costs nothing anyway. And they always hit a few people for whom their message does have meaning entirely by chance.

What were the red flags, the signals that this could or should be phishing? To start with, the sender: not Ikea, not even PostNL (the Dutch postal service), but Post. I don't know a parcel delivery service by that name. Then Ikea was not mentioned in the entire post; usually the name of the sender is always mentioned in communication from a delivery service. And why customs duties? The carpet had been ordered in the Netherlands and there had never been any question that it would be sent directly from a carpet-making country. And then of course that order number, which had nothing to do with the rug. Plenty of red flags, I'd say.

After hearing this account, I started asking questions. First of all: have you already changed your email password? That is always the first thing you do if you have the slightest suspicion that someone has access to your mail. Your mail account is your most important account, because almost all “I forgot my password” procedures go through your mail. In other words: whoever has access to your mail can gain access to many other accounts. Next question: both emails have disappeared, but do you still have the web page in the browser? It wasn't there anymore, but it was still in the browser history: onlinecamp[.]top. The e.Veritas URL checker classifies this site as unsafe, and that “.top”, the so-called top-level domain (such as .com and .net) is special. In the internet administration, the target market is “general” and it is registered to Jiangsu Bangning Science & technology Co. Ltd., a Chinese domain registrar – a company where you can register your own internet domain. You can therefore reasonably assume that a link that ends with .top (possibly with “/abracadabra/xyz/etc”) will take you to a Chinese website. Ask yourself if you really want to go there.

So much effort to collect € 3.95? No. Payment had to be made by credit card. If you enter your details on their fake site, the criminals have your credit card details, which they can use to make a multiple of that amount disappear. Fortunately, that did not work out this time and the carpet looks nice.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• phishing does not always contain a link or an attachment nowadays.
• a British supplier of tools for criminals goes behind bars for a long time.
• this legitimate app suddenly got a new function.
• a poorly tested update can wreck your device.
• Chinese state hackers hack Kenya, presumably in relation to debt.
• you can’t share your Netflix password anymore.
• a British IT worker hijacked a ransomware attack on his employer.
• US authorities have published an update to their StopRansomware Guide.
• Facebook’s parent company Meta has to pay a huge fine for sending data from European users to the US. [DUTCH]
• Fingerprints can also be brute-forced.
• ransomware for charity is a new thing.
• Spain wants to ban the provision of end-to-end encryption in Europe. [DUTCH]

 

Misjudged

 

On October 22, 1895, the train you see in the photo left Granville on the Normandy coast at a quarter to nine in the morning with destination Paris. As the crow flies, that is about three hundred kilometers (186 miles), which takes a modern train three and a half hours. At the time, the journey took an entire day.

At 3:55 p.m., the train rumbled into Paris, but it was several minutes late. The very experienced driver, Guillaume-Marie Pellerin , thought that he could partly make up for this delay by braking only at the last moment. But this time, the brakes failed and the train crashed through the buffer and glass facade of Paris-Montparnasse station, where it came to a stop, as the photo shows, in an unreal position. There was one fatality to regret. Marie Augustine Aguillard wasn't even a passenger on this train – no, she was minding her husband's kiosk at the Place de Rennes for a while; he had gone to get the evening papers. She was killed by falling debris.

The American George Westinghouse had invented a brake based on compressed air some twenty-five years earlier. The brake engages when the air lines are deflated and will not release until a compressor has repressurized the lines. Because each carriage has its own brake, the entire train is braked. That system seems inherently safe: if something breaks, the pressure drops and the brakes kick in. However, on this train the Westinghouse brake failed anyway, and the brakes of the locomotive alone could not stop the train in time.

Engineer Pellerin took a risk. Has he thought carefully about what could go wrong and what the consequences could be – precisely at this location, a terminus? His train's inherently safe brakes gave Pellerin enough confidence to brake a little later than usual. If he had looked just a little further, he might have thought that if the brakes failed, it could have disastrous consequences in this very spot.

Risk is often expressed with the simple formula Risk = Likelihood x Severity. We often do not calculate with numbers, but with estimates: small, medium, large – both left and right possibly flanked by 'very'. The formula shows that an event, which is unlikely to occur (Westinghouse brake failure), can nevertheless lead to a high risk, because the expected consequences are very serious (deaths and injuries). The limits of the risks you want to take are determined by your risk appetite. Adventurous people have a greater risk appetite than cautious people, and manufacturers of hip technology products take greater risks than a government organization, just to name a few extremes.

You yourself also perform risk analyses every day, for example when you cross the road. You make an assessment of whether you will make it before that car reaches you, and you mainly look at the distance and speed of the car, and how well you are on your feet. But do you also consider the possibility of tripping? Do you still have enough time to get away, or does the driver have sufficient reaction time and is his braking distance long enough? We usually don't think about such a scenario, probably because it usually goes well. And that was precisely Pellerin's problem. It cost him a fine of fifty francs and two months of suspended prison.

Do me a favor and take care crossing the street when you go out later.

There will be no Security (b)log next week.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• the FBI hacked Russian state hackers.
• this security company is very open about an attack on their systems.
• the British plead for more transparency in cyber attacks.
• Rian van Rijbroek's husband seems to be quite confused himself.  [DUTCH]
• you should watch out for fake windows updates. 
• you should also watch out for malicious QR codes.
• the emergence of AI and the possibility of cloning on the fly may lead to additional legal protection for individuals.  [DUTCH]
• YouTube is experimenting with banning ad blockers.
• many Dutch people can protect themselves better than they do now.  [DUTCH]
• phishing is the main form of cybercrime that citizens have to deal with.  [DUTCH]

Half a payment

 

Image from author

A beautiful ring with the well-known Greek blue eye and a bracelet. That was my daughter's loot in that nice little shop in Neos Marmaras. When paying with her card, the shop lady noticed that the payment had not been successful. Well then, good old cash to the rescue. A little later, the transaction was actually visible in the bank's app. That was the beginning of a curious series of events.

We were still in that village and of course we went back to the store. The shopkeeper was visibly shocked and immediately went to check both her PoS terminals. Look, she said, nothing. I saw some Greek letters on the displays, which could mean anything, but her words and facial expressions were convincing. Moreover, as we only noticed then, the ING app stated 'reservation' with the amount. We came to the conclusion that it would be fine.

A day later, the transaction was still in the app, but now without 'reservation' added to it – the money was now really gone. Oh dear. What now? I called the bank and explained the situation. The gentleman who spoke to me could see what had happened, but he couldn't help me. I would have to go back to the store and explain it there and ask for my cash. Well yes, I protested, that shop is not in our village, I would have to drive all the way there again. Then maybe call them? The telephone costs could be higher than the amount in question. Anyway, the ING gentleman couldn't do anything for me.

Wait a minute, I said; a bank transaction must either succeed or fail, but not something in between. Isn’t it unthinkable that a PoS says that the payment has failed, and that the payment is then made anyway? No, he agreed with me. But he still couldn't do anything for me. I mentioned that I wanted to make a complaint about this and asked him what would happen next. He could only write down the complaint and pass it on, otherwise it was out of his sight.

What to do? We are talking about an amount of just over two tenners – money from my teenage daughter, so a relatively large amount. That shop was about a twenty-minute drive from our stay, which was doable. And so we went there again that evening. Fortunately, the same lady was in the shop and she asked what was wrong right away. She called in her boss (from the store across the street), who let me take pictures of the PoS's printouts, which showed that no transaction had taken place for that amount. She even let me take photos of her banking app, which also showed no sign of my daughter’s payment. The attitude and helpfulness of this lady convinced me that she was in good faith.

That was Friday night. On Monday she would immediately call her bank to inquire, and then she would contact me by email. But on Saturday morning, when we were already on our way home, we noticed a strange entry in my daughter's account: 'PoS reversal payment'. The money was back! But how? Did an automated process take place here, whereby the Greek bank and our ING together established that there was 'half' a transaction? Or did someone from our bank get to work in response to my complaint? I can hardly imagine the latter, especially because of the timeframe (weekend). But I have not (yet?) received any feedback on my complaint.

In information security we talk a lot about the aspect of integrity. In our context, this concerns the correctness and completeness of data and processes. Nothing may change unjustly and everything must be complete. In the above story, that integrity was violated: money had disappeared from my daughter's bank account and that money had not arrived anywhere. Such a transaction should be binary: right or wrong. It can't be half. I hope someone from the bank will explain to me how this could have happened. Or maybe someone from the banking industry in my network (are you reading along, Oscar?).

The blue eye, which is on the purchased jewelry, is a symbol in Greece to avert disaster. That eventually worked. Not that I'm superstitious, though.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• many victims of ransomware are attacked again.
• malware masquerades as ChatGPT.
• not only the cloud, but also AI is just someone else's computer.
• you can now log in to Google more easily and more securely.
• you will receive security patches for your Apple equipment faster from now on.
• T-Mobile in the US recorded the second data breach of this year.
• earphones can also have a security vulnerability. [DUTCH]
• the Dutch police will remain active on TikTok, but on dedicated equipment. [DUTCH]
• In the fight against phishing/smishing, the Dutch Tax Administration now sends text messages to entrepreneurs themselves (without a link, of course). [DUTCH]