Elvis is alive, and is in the building!

mugshotDear Diary,

When Sydneysiders think of PPPs (public-private partnerships), the first things which spring to mind are probably the sort of partnerships between government and the private sector which are not universally popular, such as the numerous toll roads and tunnels which criss-cross the city, and the rather expensive “station access fee” charged as a private levy on public transport to the airport.

But there are PPPs which cannot be faulted, and I am half way through one right now. I’m attending the Identity Crime Symposium – 2009, organised by the Queensland Police. Bringing together law enforcement from around the globe, computer security specialists, the financial sector, telecomms companies, academics and public servants, this event — one of three related events which the Queensland e-crime cops organise each year — is an ideal forum to meet, and greet, and learn from, fellow fighters against cybercrime.

Most conferences have one or two dud talks in amongst the papers which are accepted, but this conference is an exception. Picking my highlights is therefore slightly unfair, since all the talks have been thought-provoking, and, more importantly, encouraging. Sir Winston Churchill once famously remarked, “We shall go on to the end…we shall never surrender,” and this event is a modern equivalent of just such a speech, giving me renewed enthusiasm that we must, and can, continue the battle against cybercriminality, and that we can come out on top.

Nevertheless, my personal highlights so far in the Symposium have been the presentation by Elvis Tudose of the Romanian Police, examining the operation of Romanian ATM card skimming gangs, and the personal story of Dimitri, a quiet but articulate victim of identity theft who has been willing to come forward and to tell his story as an encouragement to other victims, and as a warning to possible future victims of phishing and identity scams.

Dimitri was ripped off despite using SMS-based two-factor authentication for his internet banking. SMS authentication relies on a transaction code sent to your mobile phone every time you bank online. You need to enter this code to proceed. This means that your username and password are no use on their own, as a unique transaction authorisation string is issued out of band. Keylogging of your username and password is thus rendered useless, because each transaction has a unique passcode of its own. SMS authentication is popular and convenient because you don’t need to carry a separate hardware device just for banking — your mobile phone acts as the authenticator.

The attack against Dimitri was low-tech. The crook simply persuaded a mobile phone company to transfer Dimitri’s phone number from another supplier onto a new contract with the new company. Apparently keener on earning commission from a new customer than on properly verifying that the crook had any right to take over Dimitri’s phone, the new mobile phone company effectively allowed the crook to thieve Dimitri’s number, and thus to receive all his calls and, more importantly, his SMS messages.

Worse still, when Dimitri noticed that his phone had gone dead (due to his number having been given to someone else!) and reported this to his own provider, he was told that this was as expected. He then had a tough job to convince his own mobile phone company that he had not authorised the so-called “number port” himself, thus giving the crook even more time to raid his account.

Incidentally, Sophos is one of the sponsors of this Symposium, and we’re delighted to support such a worthwhile co-operative effort. If you have anything to do with combating cybercrime, whether in Australia or overseas, do consider attending one of these Symposiums next year. Keep your eye on the Queensland Police website to find out what next year’s dates are. (Or keep reading this blog. I’ll remind you when next year’s dates are set.)