—We’ve been warned for years: Our online behavior puts us at risk for having our accounts emptied, our data misused, and our identities stolen. But as an Albany, N.Y. Times Union article reports, court documents unsealed on 13 September in a U.S. federal court show that some computer users have absolutely no hope of avoiding becoming the victims of hackers. The evidence, presented in a computer fraud case filed by Microsoft against Chinese Web domain 3322.org, revealed that brand new computers, right out of the box, are sometimes infected with malware. The instant the machines are turned on for the first time, the software directs the computer to attack websites and steal money and information.
How could this happen? According to the Times Union, an investigation by a team of Microsoft researchers in China revealed that in the interests of greater profitability, “less reputable computer manufacturers and retailers may use counterfeit copies of popular software products"—particularly the operating system—"to build machines more cheaply.” The bogus software contains the malware within itself. Maintaining a tight rein on the supply chain, says the article, “is nearly impossible, especially in less regulated markets such as China, and that leaves openings for cybercriminals” who embed the malicious code into counterfeit versions of Microsoft’s Windows. Cybercriminals "are out to get you," Richard Domingues Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit, told PC World. "They will do whatever it takes. If the supply chain is how they're going on get on [computers], that's what they're going to do," said Boscovich
—On 12 September, a group of Cambridge University researchers presented a paper at a cryptography conference in Belgium wherein they report a serious vulnerability arising from the way cash machines authenticate transactions before dispensing money. Surprisingly, the flaw concerns the supposedly more secure cards that contain microchips, as opposed to old-fashioned ones that use magnetic strips.
Europay, MasterCard, and Visa, the firms behind the eponymous EMV chip-and-pin standard developed to put a stop to fraudulent transactions, put so much trust in its efficacy that when a chip-and-pin card is used to conduct a transaction, the cardholder is on the hook for the charges unless he or she can prove beyond a doubt that they did not present the card and did not authorize the purchase. There have been an increasing number of incidents where victims of credit card fraud had their requests for refunds refused by the issuing banks on the grounds that there is no way to explain the card having been authenticated without the cardholder’s involvement.
The weak link that can let a hacker clone the so-called “chip-and-pin” credit and bank cards stems from the fact that, as the Cambridge researchers showed, the EMV scheme has, in too many cases, not been carried out as planned. The authentication process, as originally envisioned, was supposed to depend on the issuing bank to generate a random number for every unique transaction. In practice, where saving money often trumps security, it was left to point-of-sale terminals or cash machines to generate the number. The researchers discovered to their horror that in half the machines they looked at, the supposedly random numbers were generated by counters or timestamps and were, therefore, not random at all. This makes it all too easy for a hacker. “If you can predict [the number], you can record everything you need from momentary access to a chip card and play it back and impersonate the card at a future date and location,” said Mike Bond, one of the Cambridge researchers, in a blog post. “You can as good as clone the chip.”
—According to a Business Standard article published on 12 September, security firm Norton has released a report saying that over the past year, more than half of adults in India who have Internet access have been the victims of cybercrime. The report, based on computer user surveys, notes that cybercriminals have adjusted their tactics to now focus on such increasingly popular computing avenues as mobile devices and social networks. All told, the losses suffered by the 42 million Indians who were affected by cybercrimes in the last 12 months were US $8 billion.
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.