Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.
With Doug Aamoth and Paul Ducklin.
Intro and outro music by Edith Mudge.
READ THE TRANSCRIPT
DOUG AAMOTH. Tech scams, bad guys arrested, and 2FA – what could possibly go wrong?
All that, and more, on the Naked Security Podcast.
Welcome to the podcast, everybody.
I am Doug; he be Paul…
…and Paul, I’m going to be the first to wish you happy tax scam season, my friend.
PAUL DUCKLIN. Oh, dear.
I guess it’s particularly relevant to the US just right now, isn’t it?
DOUG. Yes: we are girding our financial loins, collectively getting ready to file our taxes.
DUCK. Of course, any time of the year kind of works for a tax scam, doesn’t it?
If you’re in the UK, the tax year is April to March; South Africa, it’s March to February; Australia it’s July to June.
So everywhere there’s *something* going on.
But in the US, it probably fits in quite well now – so do be on the alert!
DOUG. Yes: we will talk about our first of possibly many tax scam stories shortly.
But first, we like to begin the show with a Fun Fact, and I found this fact to be very fun.
The etymology of the word helicopter may not be what you think.
It is not a combination of heli- and -copter, but of helico-, the derivation of helix, in this case meaning spiral, and -pter, from the Greek “pteron”, meaning wings or feathers, commonly used to describe flying creatures such as the pteranodon and pterodactyl.
So it’s helico- plus -pter!
How do you like that?
DUCK. That’s great, Doug!
Like helicobacter. That’s the screw-shaped bacterium that two Aussies… whose names I forget; they got the Nobel Prize after being laughed at for many years when they discovered that ulcers are caused by bacteria.
Because nobody believed that bacteria could live in the gut: “Too acidic.”
And everyone laughed at them and said, “It’s not a bacterium. Forget it!”
And they found helicobacter pylori…
DUCK. ..the “screw-shaped bacterium of the stomach”. And I’d never connected that back with helico…pter!
DOUG. A free and interesting bonus Fun Fact – it’s always welcome on the Naked Security Podcast.
DUCK. Love your work, Doug!
DOUG. Love your work.. and let’s talk about someone else getting to work.
You got your first tax scam of the year, and it is an odd tax scam that doesn’t really ask for much….
DUCK. That’s correct, Doug.
I thought I would write about it just because, as you say, it’s that time of year for people in the US.
In previous years, when we’ve written about tax scams, they’ve always been either high pressure – “something bad will happen; if you don’t click this link login and fix this, you could get audited”, and who wants that? – or like the one that I got personally last year, apparently from the UK Tax Office, Her Majesty’s Revenue and Customs: “a tax rebate of £278.44 has been issued to you; click here”.
We spoke about this on the podcast; it was a perfect facsimile of the HMRC login page, or an almost perfect facsimile.
Now this one, this year, this was obviously US based because it mentioned W-2. (In the UK, the equivalent form is the P60: that’s the thing you get from your employer that says, “This is how much we paid you, and this is how much tax we’ve already taken away and paid to the Revenue.”)
And it just says, “2021 new client fillings”… they mean *filings*, obviously… “I intend to change CPA.” (For people outside the US, CPA is a CA, a Chartered Accountant.)
“I intend to change CPA for 2021. Would like to know if you’re taking new clients. I’ve got all the documents. I just haven’t quite got my W-2 yet.”
In other words, I’m nearly there. Then it says, “Kindly advise on how to proceed, and if I can send forth all the available documents. And what are your fees for individual returns? Thank you.” And then the person claims to be a Managing Director.
So it’s basically fishing for a little bit of business friendship, I guess, Doug.
DOUG. It is odd, because I am reasonably sure you are not an accountant.
So this seems like a spray-and-pray, sent to who knows how many people in the hope that some of them are accountants.
And of those that are responding and saying, “Oh yes, I can help you out. Let’s talk business.”
DUCK. I’m sure that another part of this, Doug, is that it just looks like somebody who basically emailed the wrong business/person.
So you can imagine people going, “Oh, you must have made a mistake. I’m not a CPA. You’ve got the wrong person.”
In other words, although it’s spray-and-pray, the pray is not, “If the person doesn’t click the link, then the scam isn’t going to work.”
It feels to me like a kind of romance scam – it’s an interesting way to start a conversation that gets people to identify their willingness to communicate.
DOUG. We’ve got some advice, the first of which is – you touched on this a little bit – “Be aware before you share.”
DUCK. Yes, because every little bit that you give away about yourself – it might not feel that it matters individually, but it does help somebody who has your worst interests at heart to build a backstory that gels with you and maintains your interest, in just the same way that romance scammers do.
If you come along and say, “I like the movies of XYZ director”, they don’t say, “Oh, no, I hate that person!”
The romance scammer just adapts their behavior, their backstory, their made up life, to match the things that will keep you on the hook.
DOUG. As we’ve said before many times, “If in doubt, don’t give it out.”
Simply put, it if it feels like a scam, maybe just back yourself: assume that it is!
DOUG. And, “No reply is often a good reply.”
DUCK. Yes, I think a lot of people, perhaps older people more – although with younger people, there’s always that FOMO, isn’t there: Fear of Missing Out?
Perhaps, for older people, there’s a sense that the idea that you would just “show someone the hand” and just not reply… that’s seen as being a bit difficult or maybe a bit pretentious.
If that’s the way you feel in real life, then you’re probably a nice person to meet and know!
But online, it just means that you’re probably a bit too likely to give away stuff that you shouldn’t.
DOUG. I did learn this week that the opposite of FOMO is JOMO, the Joy of Missing Out, which is perfect for an introvert like me.
I do like missing out on things – so it’s the opposite of FOMO!
DUCK. I’m going to adopt that!
I think it could be very uplifting – thank you for that, Douglas!
DOUG. You’re welcome.
And finally, “Listen to friends and family.”
DUCK. If friends and family – we said this last week – are advising you that maybe you are in over your head; maybe you are talking to somebody who is out to fleece you… remember: JOMO!
If they’re right and you listen to them, you will be much, much happier!
DOUG. Okay, great tips.
Especially in light of this being Data Privacy Week, and Data Privacy Day on Friday.
DUCK. Yes. It’s what we always say with those days.
It’s like Quit Smoking Day: it’s the day you start not smoking anymore. It’s not just one day in the year where you give it a break, and then the rest of it you carry on as normal.
And I know you can get tired of all these special days, but data privacy is important, because once you’ve let it out, it’s kind of hard, and takes a lot of time, to recapture what you didn’t want to leak.
So, yes: forget the FOMO. Love the JOMO!
DOUG. Very good.
That is: Tax scam emails are alive and well as US tax season starts, on nakedsecurity.sophos.com.
And now, let us talk about this alleged carder gang mastermind, and three acolytes, under arrest in Russia.
This is like cutting off a few heads of a Hydra and then they grow back, I’m guessing?
DUCK. Certainly seems so, Doug.
This is a gang known as the Infraud Organisation.
That was their name, and their motto was “In Fraud We Trust”, which I presume is a poor-taste joke on… what does it say on the $1 bill? “In God We Trust”, isn’t it?
DOUG. It is.
DUCK. And 36 people were alleged to belong to this gang by getting themselves listed in an indictment in the US back in 2018.
Unfortunately, they were only able to arrest 13 of those people, and they were spread across seven different countries.
As we’ve often said before, it’s as if “cybercrime abhors a vacuum”.
The rest of the gang, it seems, formed back up, as you say, like a Hydra growing back heads, and the whole thing carried on.
Anyway, one of the people mentioned in that indictment three years ago was a chap by the name of Andrey Novak.
UniCC was one of his handles; Faxxx-with0three-Xs; Faxtrod: those were his online handles.
Apparently, he has now been busted in Russia, along with three other people.
I don’t have their names handy, but they weren’t on the original charge sheet – sounds like either they weren’t known before, or they’re people who have come to fill the vacuum left by the departure of others.
So, it’s an interesting reminder, as you say, that cybercrime does have this Hydra-like property.
Often, you can chop off even quite a lot of heads, and they’ll sort-of grow back or reappear with other names, other faces, other places, and carry on.
And even back in 2018, the US DOJ [Department of Justice] was claiming that they had $500 million worth of fraud, an amount that they could essentially prove as what they call “actual losses”. Then they had another $2 billion that were referred to as “intended losses”.
So that gives you an idea of the scale of this operation.
It’s as big as, or bigger than, modern ransomware gangs that we hear about.
But still, three years ago, they were already apparently $500 million to the good. Thus, “In Fraud We Trust.”
Maybe that motto just got a little bit more tarnished with this bust in Russia…
DOUG. All right, that is: Alleged carder gang mastermind and three acolytes under arrest in Russia, on nakedsecurity.sophos.com.
And it is time for This Week in Tech History.
This week, on 26 January 1983, Lotus 1-2-3 was released: the spreadsheet plus database plus graphical charting program – hence the “1-2-3” – was believed to play a large role in the success of IBM PC compatible computers throughout the 1980s, quickly surpassing the Apple-centric Visicalc in sales.
Lotus was slow to respond to the Windows 3.0 graphical user interface, and was effectively killed off by Microsoft Excel in the early 1990s.
And Paul, please tell me you have some stories about the glory days of Lotus 1-2-3…
DUCK. The only one I can think of off the top of my head – going back, I guess, to the 1990s – was a joke that my wife told me.
She was going through the newspaper… remember them?
DOUG. [LAUGHS]. Barely!
DUCK. And she got to the classified ads, where somebody was looking for help with their computers.
This person obviously had a deep misunderstanding of what they are after, because they were looking for someone who knew dBase, if you remember that…
DUCK. …but also they wanted someone who knew Lotus One, Lotus Two *and* Lotus Three.
DUCK. So I presume they figured, “I don’t know which version we’ve got. You’d better know all of them.”
DUCK. That was one of our household jokes for quite some time.
All right, let’s talk about Crypto.com.
So, this was a 2FA bypass – and I thought 2FA was supposed to be impenetrable.
Let’s talk about what happened, and then we’ll go through the myriad ways that 2FA can actually go wrong.
So, what happened in this theft?
DUCK. [IRONIC] Well, “Cryptocurrency company suffers unexpected behaviour of website”, Doug.
DUCK. That doesn’t happen often, does it?
DOUG. [IRONIC] Uh-uh
DUCK. Anyway, this is a company, it’s actually, I believe, called Foris DAX MT Ltd, of Malta, but they’re better known by Crypto.com, which is the domain they own: they’re a cryptocurrency trading company.
And it seems that earlier in January 2022, 483 customers of theirs experienced what I guess you could call “phantom withdrawals”, or “ghost withdrawals”.
In other words, it wasn’t just one or two people: there was a sudden spate of withdrawals where people said,”No, I definitely didn’t do that.”
Of course, “That’s easy for you to say”, but, apparently, when they investigated, they realised that these withdrawals were very unusual indeed.
And ultimately, anyone who lost money in this way, Crypto.com is claiming they’ve been reimbursed, or they will be reimbursed.
But the important thing is that they put out a security breach report.
Good on them!
Sadly, in many cases, if it’s a cryptocurrency scam where people put in money and then there’s a breach and everyone disappears, the only report you get is everyone else saying, “Oh dear, they did a rug-pull; they took the money and ran off.”
So, in this case, they did come up with a security report that explained what I just said.
They said, “All accounts found to be affected were fully restored.” They also said transactions were being approved “without the 2FA authentication code being inputted by the user”.
And that was all they said – they didn’t say how or why.
So I found that data breach notification very underwhelming.
Go and read it – it’s a good example of what *not* to say, because it just raises 20 more questions.
Importantly, what *did* go wrong with the 2FA in this case?
And that left me thinking: what kind of things could go wrong, if you’re someone reading this story and thinking, “Yey, I’ve got a 2FA solution; where should I be focusing my attention?”
DOUG. Well, let’s talk about the ways that 2FA could go wrong.
You have five ways here.
The first being: “A fundamental flaw in the underlying 2FA system.”
DUCK. That’s one way that it could go wrong: the system just doesn’t work.
And one way that it might not work is this: let’s say you’re using SMS-based 2FA, and the code that comes up is random.
But let’s say there’s actually a flaw in the code, and it’s possible – say from the time of day, or the country you’re in or some other background circumstance… let’s say you can make a jolly good guess of what the next random number coming up is going to be.
It’s well worth having a go at someone’s account.
You can only really fix this by going and patching the 2FA code itself, but that’s not commensurate with “the 2FA didn’t require anybody to input a code.”
So that’s one way that it can go wrong: visibly it’s working; somebody’s entering a code; everything in the logs will look right… but it wasn’t the right person entering the code, because somebody was able to guess.
DOUG. Okay, then we’ve got: “A breach of the 2FA authentication database.”
DUCK. Yes, that’s another way that 2FA could go wrong.
Let’s say you’re not using SMS 2FA; you’re using one that’s based on one of those TOTP authenticator apps.
You seed them by scanning in a QR code, or typing in some weird Base32 combination of letters and numbers, when you set up an account.
That’s stored securely in your phone, or so you hope.
That sounds great, except that it means that, at the other end, it’s not like storing a conventional password.
We’ve spoken about this on the podcast; written about it on Naked Security many times – we’ve got a fantastic article from a few years ago about how to store passwords safely.
When you’re dealing with someone typing in a password, you don’t need to store the real password: you can store a hash – a salted-and-stretched hash of the password.
But with 2FA based on code sequences, both the client and the server need to have access to the plaintext “starting seed” – that QR code you scanned in at the beginning.
And so, if the server gets breached and someone gets hold of those starting seeds for a whole load of accounts, basically they can then set up their own phone to generate exactly the same sequence as somebody else’s.
And that would be a complete bypass of the 2FA.
But the 2FA would still be apparently doing its job in the logs.
*Somebody* would be inputting the code, and it would show up that *somebody* inputted the code; it just wouldn’t be the right person.
DOUG. Okay. Next way: “Poor coding in the online login process.”
DUCK. Basically, in your login process, there are typically many ways you can do it, even if you have 2FA and even if it’s mandatory.
Most accounts have some kind of password reset system, or they have some kind of “I don’t have my phone, I want to use one of the backup codes that I printed out and put in my safe.”
So they have typically a number of different ways in which the front end of the authentication system can interact with the back end, including the part that does 2FA.
And it is possible that the 2FA system itself could be working perfectly; that the SMS codes have perfectly random numbers; that the generator sequence seeds have not been stolen… but that there’s some way – say from the website: some weird header you can add to a web request, or some extra secret parameter you can add to the request – that somehow indicates, “I want to skip that part.”
And it’s up to the back end whether it actually calls on the 2FA or not.
The 2FA system itself doesn’t protect the system that it’s supposed to protect if it’s never called upon to do so, due to some kind of mistake!
DUCK. Okay. And then this one is always a challenge: “Weak internal controls to detect risky behavior by support or IT staff.”
The so-called “insider attack”, as it were.
DUCK. Memories of the Twitter attack of 2020, if you remember that one.
What was it? Elon Musk, Joe Biden, Barack Obama, Bill Gates, Apple Computer: about 40-something very high profile accounts all got compromised at the same time.
And it seems that the ultimate reason is that some person or persons unknown inside Twitter.., it didn’t look as though they were corrupt, or they did anything wrong.
They were just too helpful, and they gave the crooks enough information that the crooks were able to do password resets on those accounts and come in with or without 2FA.
So you can keep 2FA going, but actually lock out the real user and lock yourself in instead, in which case you’d still be inputting the code, but once again it would be the wrong person.
And, as you said, this is a very, very hard thing to defend against, particularly – and perhaps ironically – if you genuinely *do* have a really helpful support department.
Unfortunately, somebody could get into the *spirit* of that inside your organisation without complying with the *letter* of it, and they could let the side down, even though their motivation was the very best.
They weren’t corrupt, they weren’t crooked, they weren’t lazy; they were actually almost trying *too* hard.
DOUG. A nice segue to our final point, and an interesting one: “Fail-open behavior in the authentication process.”
DUCK. I guess that’s the technological version of someone in support being, if you like, too helpful.
When you think about security systems (cybersecurity systems or physical security systems), they’re generally expected to fail cleanly in one of two ways.
Fail open: things like electric circuits.
When your mains trips, it fails *open*, so the current is *off*.
And there are other things, like bank vaults: you’d normally expect them to fail *closed*.
Otherwise, if there was a power failure, someone could sneak in and steal all your gold bars!
And, sometimes, it’s hard to know which is the right one for which circumstance.
For example, if your 2FA back end is relying on some cloud based service and it completely breaks… do you want *nobody* to be able to log in, and you just say, “We’re really sorry; logins are suppressed until we fix this”?
Or do you actually think, “Well, we’re only treating 2FA as an add-on extra, to to avoid people getting too antsy, we’ll just not ask for the number. Until we fix the backend, we’ll fail back to 1FA.”
And that means, if you have 2FA yourself and you want to go and review, “Hey, am I doing it right?”, it’s not just enough to go, “Did I buy the right product? Did I install it correctly?”
You can’t just to a trial login and say, “Yes, it’s fine”… because there are all the ancillary things about how you integrate it into your business, into your technology, into your customer workflow, that could let you down as well.
And there’s nothing worse than something that gives you an inflated sense of security…
…when in fact you don’t have anything at all.
DOUG. Okay, well, as Crypto.com says, they have migrated to a completely new 2FA infrastructure.
[DRAMATIC] And they did this, Paul, out of “an abundance of caution”, wouldn’t you know?
DUCK. I’ve never got on with those words.
DUCK. I know that they’re a must-have in modern data breach notifications.
But if someone’s telling me about a data breach they’ve had, I don’t want to think they’re suddenly having “an abundance of caution”, because it implies they’re just doing things in the hope that they might add some security magic.
That’s how it sounds to me.
And in this case, if they go, “Hey, don’t worry, we’ve got a completely new 2FA backend”…
Making that change in this case, because they’re not saying how the bypass happened, it’s not clear whether changing the underlying technology will make *any* difference at all.
I would prefer, in a data breach notification, when it talks about what you have done, that you have taken *appropriate* precautions – ones that you know work – and that you aren’t wasting your time doing things that aren’t going to help but sound good.
Not that I feel strongly about it.
DOUG. [LAUGHS] And we have some advice, and this is a good one: “If you’re looking at adding 2FA to your own online services, don’t just test the obvious parts of the system.”
DUCK. Yes, as I said (I hope it wasn’t an overreaction to the words “abundance of caution”), “Hey, we had 2FA problems, so we ripped out the whole 2FA system and put in a brand new one.”
That seems like an obvious fix, but that’s like saying, “You know what: my flat [apartment] got burgled, so I’ve had a new front door put in.”
And then later you find out that actually the person climbed in over the balcony, and it’s your balcony doors – that you leave open all the time – where the problem was.
If you have had a data breach of this sort, then: fix what you’ve got; take appropriate precautions to deal with what happened this time; and then go and review everything, including the things that you might not have thought about before.
Because the only thing worse than suffering one data breach is suffering another data breach shortly afterwards.
DUCK. If trust in your business was dented before, you might say that it’s had a hole punched in it the second time.
DOUG. And this is a great one: “If you’re in PR or marketing, make sure the whole company practises how it will react if a breach should occur.”
Have a breach response plan, in other words…
In the old days, we used to say to people: when it comes to building your anti-virus policy (when it was all about malware and self-spreading viruses), you need to think about what you’re going to say if it turns out that *you’re* the company that’s been massively spreading the next LoveBug…
DUCK. …and all the fingers are pointing back at you, and you look very bad.
Because that was an extra-super-bad look, when you were the Typhoid Mary: your business was okay, but everyone else is getting hammered by you.
And of course, if that were to happen, even back then, it was much too late to go and think, “I wonder how we should deal with this.”
And it’s even more important now that data breach notifications have both a moral necessity for your customers and a legal necessity from the regulator.
You can’t afford to have time eaten up – when your techies are actually trying to deal with a breach that has just happened – figuring out: who you need to contact; what you’re going to say; who’s going to say it; how you’re going to say it.
So, planning what you would say if there were an attack… is not an admission that you expect an attack to occur.
It’s just being wise, and recognising that preparation is by definition, *only ever something that you can do in advance*.
DOUG. All right, that is: Cryptocoin broker Crypto.com says 2FA bypass led to $35 million theft.
And, as the sun begins to set on our show for the week, we leave you with the Oh! No! from Reddit user CityGentry, who writes:
“One from a colleague of mine who looks after support for our telephone and conference equipment.
User calls and says they can’t dial into a phone conference because their phone doesn’t have the correct button on it.
They explain they can dial the general conference number, but they can’t enter the five-digit code to connect them to their specific conference call.
So, colleague asks them for the number and for permission to connect as a test.
User agrees; colleague connects without issue.
Colleague is puzzled and asks the user to go through it again step by step with them, saying what buttons they’re pressing as they’re pressing it.
Everything’s OK until the user gets to the five-digit code, which has a nice sequence: 7-8-9-10.”
[AMUSED] You can see where this is going…
“Easy to remember, easy to type. However, the user explains that their phone keypad only goes from 0 to 9, so they don’t have a ’10’ key.”
DOUG. “The colleague goes on mute for a few seconds, and once they’ve stopped laughing, they diplomatically suggest that someone may have given them an incorrect code and to try ‘one-zero’, not ‘ten’.”
That is a very diplomatic reply – good on them!
DUCK. That is *very* well done.
DUCK. But that’s tech support, isn’t it?
DOUG. It is!
DUCK. For anyone who’s ever done it, “Mysteries never cease.”
DOUG. So true!
All’s well that ends well… and if you have an Oh! No! you’d like to submit, we’d love to read it on the podcast.
You can email email@example.com; you can comment on any one of our articles; or you can hit us up on social media: @NakedSecurity.
That’s our show for today; thanks very much for listening…
For Paul Ducklin, I’m Doug Aamoth, reminding you, until next time, to…
BOTH. …stay secure!