Showing posts with label fraud. Show all posts

"The Great Cyberheist"

The New York Times has an interesting article up on Albert Gonzalez, the hacker turned informer turned double agent who was a key part of the Shadow Crew that committed (amongst other things) the intrusion at Heartland Payments / TJ Maxx that netted over 94,000,000 credit cards.

Although it doesn't go into technical details, it is worth a read for an interesting insider view.

Fraud Week

The Australasian Consumer Fraud Taskforce is running its annual awareness campaign this week with the theme 'Online Offensive - Fighting Fraud Online'.

With identity theft often listed as the fastest growing crime, it's good to see the Government promoting awareness through sites such as Scamwatch.

On a similar note, Bruce Schneier highlighted on his blog recently a fascinating interview with a Nigerian scammer that is well worth reading. It can be found here: part one, part two, part three.

More Default passwords?

A young Queenslander has been charged with hacking* offences after 'hacking' several ATMs to withdraw $30,000 in cash.

The article is short on detail about how these 'hacks' occurred, but it does suggest he "found information on the internet and in an ATM manual that allowed him to change the machines' settings so he could make huge withdrawals of cash".

What sort of information in a product manual would allow you to do something like this? I'm betting it was some kind of default password.

It isn't stated which bank owned the ATMs or whether they were all from the same bank - I'm guessing they may have been. After all, if you have a trick to do something like this it probably only works on one model of ATM, and if it worked on one ATM from a particular bank, it probably works on another!

Default passwords and misconfigured devices are unfortunately all too common. I suspect the practice is even worse when people are dealing with specialized, unusual devices like an ATM. This seems to be an example of security by obscurity at work: the incorrect assumption that the default password didn't need changing because only authorized personnel have access to the product manual. A quick Google search for ATM manuals and default passwords shows plenty of results!

Security by obscurity can be a controversial topic in security circles. At its core is the idea of being secure by design, rather than secure because of secrecy. In a recent discussion I was part of with a group of security professionals from different backgrounds, there were mixed opinions on the topic. Should your security design have no secrets? Should you publish it on the internet? Well, to me the common-sense answer there is no, as obscurity or secrecy does have a place in security design and implementation. The important thing is that your security should not rely on the design being kept secret.

While I'm certainly not condoning or encouraging this type of crime, and there is a degree of supposition on my part in assuming default passwords were the cause, it would seem to fit. While the young man deserves the punishment for the crime, what about the failure of duty of care on the part of the bank? The lax security procedures?

*I don't know if being able to google for an ATM manual makes you a 'hacker'....

Three-factor Authentication

Apparently the National Australia Bank (NAB) are looking at moving to three-factor authentication. For those who are unaware, 'multi-factor' authentication involves authenticating a subject through a variety of different methods, most commonly two of the below:

  • Something you know (eg: a password)
  • Something you have (eg: a security pass or token)
  • Something you are (eg: biometric security such as a fingerprint or iris scan)
and occasionally adding:
  • Somewhere you are (only allowing access from a specific place, such as using a RAS call-back system)
Multi-factor is generally considered more secure than single-factor authentication, as an impersonator must capture or reproduce more than just a password (the most common single-factor authentication mechanism).

So if two factors is more secure than one then three must be even better right? Well that all depends on a number of factors (excuse the pun!).
The more factors you add to the equation, the more inconvenient authentication becomes to the end user. Convenience is important. This is why passwords are still so popular, despite being shown to be extremely weak security in that many people will give away their password for a candy bar (especially if you are a woman apparently!)

So when implementing two-factor authentication, convenience needs to be taken into account. RSA tokens that can attach to a keyring and One Time Passwords (OTP) that are sent via SMS to a registered mobile phone are examples of incorporating a reasonable measure of convenience into the authentication process. I know HSBC uses the RSA tokens for their internet banking login authentication, and NAB take a different approach, using only a password for login but an OTP sent via SMS to verify any money transfers (for personal customers anyway; business customers get a token).

All sounds terribly secure, right? Well, no. As security guru Bruce Schneier commented back in 2005 in reference to 2-factor security: "...it solves the security problems we had ten years ago, not the security problems we have today".
He was, and still is, right. Phishing attacks and Man-in-the-middle (MITM) attacks are examples of very old attacks that can defeat 2-factor authentication by targeting the user. If you can fool the user into providing you with the information you need, you can fool the authentication mechanism.
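To make the factors listed earlier and the MITM point concrete, here is an added example (not code from the original post, NAB, HSBC or RSA). It implements two of the factors, a salted password hash (something you know) and an RFC 4226/6238 HOTP/TOTP code (something you have), and then a simplified transaction-bound OTP, where the code is derived from the amount and payee rather than from the clock alone. The user record, secrets and transaction values are constructed for the demo; the transaction-binding scheme is an assumption standing in for the kind of transfer verification the post describes, not NAB's actual protocol.

```python
import hashlib
import hmac
import os
import struct
import time

# --- HOTP / TOTP primitives (RFC 4226 / RFC 6238) ---------------------------

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset taken from the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)

def totp(secret: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the current Unix time."""
    t = time.time() if now is None else now
    return hotp(secret, int(t // step), digits)

# --- Factor 1 + factor 2: password plus TOTP at login ------------------------

PBKDF2_ROUNDS = 200_000

def make_user(password: str, totp_secret: bytes, tx_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 hash, TOTP seed, transaction-signing key."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "tx_secret": tx_secret,
    }

def check_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])

def check_totp(user: dict, code: str, now=None, window: int = 1) -> bool:
    """Accept the current 30 s step plus/minus `window` steps to absorb clock drift."""
    t = int((time.time() if now is None else now) // 30)
    return any(hmac.compare_digest(hotp(user["totp_secret"], t + d), code)
               for d in range(-window, window + 1))

def login(user: dict, password: str, code: str, now=None) -> bool:
    """Both factors are always evaluated so a wrong password does not short-circuit."""
    pw_ok = check_password(user, password)
    otp_ok = check_totp(user, code, now)
    return pw_ok and otp_ok

# --- Transaction-bound OTP (assumed scheme, not a bank's real protocol) ------

def canonical_tx(amount_cents: int, payee: str, nonce: bytes) -> bytes:
    """Fixed-layout encoding so amount, nonce and payee cannot shift into each other."""
    return struct.pack(">Q", amount_cents) + nonce + payee.encode("utf-8")

def transaction_code(secret: bytes, amount_cents: int, payee: str, nonce: bytes,
                     digits: int = 6) -> str:
    """OTP derived from the transfer details; a code for one transfer is useless for another."""
    mac = hmac.new(secret, canonical_tx(amount_cents, payee, nonce), hashlib.sha256).digest()
    return _truncate(mac, digits)

def verify_transfer(user: dict, amount_cents: int, payee: str, nonce: bytes, code: str) -> bool:
    """The bank recomputes the code over the transfer it is actually about to execute."""
    expected = transaction_code(user["tx_secret"], amount_cents, payee, nonce)
    return hmac.compare_digest(expected, code)

if __name__ == "__main__":
    # Constructed demo values; the TOTP seed is the RFC 6238 test-vector key.
    user = make_user("correct horse", b"12345678901234567890", os.urandom(20))
    print("login:", login(user, "correct horse", totp(user["totp_secret"])))
    nonce = os.urandom(8)
    code = transaction_code(user["tx_secret"], 10_000, "Alice", nonce)
    print("same transfer:", verify_transfer(user, 10_000, "Alice", nonce, code))
    print("payee changed:", verify_transfer(user, 10_000, "Bob", nonce, code))
```

The login half shows why a plain TOTP does not help once the user is phished: whoever holds the six digits inside the 30 s window is accepted. The transaction half shows the mitigation: because the code commits to the amount and payee, a code the user approved for one transfer fails verification if either field reaches the bank altered, which is the property the SMS-per-transfer approach is reaching for.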

So if two-factor authentication is broken, three-factor authentication will save us! Right?
I'm not convinced. The original article mentions using voiceprint identification for the third factor (something you are). Hmmm.
Biometrics are tricky, to say the least. Faces change over time as people age and gain or lose weight, and other conditions such as lighting and distance can distort the image viewed by face-reading cameras and lead to false positives or false negatives. Fingerprints can change due to accidents or even minor injuries (a papercut), and many fingerprint readers have been shown again and again to be easily defeated. Iris scans are very accurate and don't tend to change, but are hardly portable or suitable for mobile or home internet banking.
As for voiceprints, well, ever had laryngitis? No? A cold? Bad phone reception?
I'm not convinced they're the way to go, and neither are some experts, who state: "There is no such thing as a voice print, it's a very very dangerous term. There is no single feature of a voice that is indelible that works like a fingerprint does."

The other unanswered question is what the NAB hopes to achieve by adding a third factor to their authentication. "More security" is not much of an answer; is it anything more than a marketing one-up on their competitors? ("We're the only one who uses three-factor security! Bank with us!")
It all seems a bit more like security theatre than real security. Perhaps NAB need to look at their internal security first...
