Banks ‘not doing enough’ to protect against bank-transfer scams

Banks ‘not doing enough’ to protect against bank-transfer scams • The Register

UK banks have been told they need to go further in protecting consumers against money transfer scams, a growing form of fraud.

The Payment Systems Regulator (PSR) said institutions must improve the way they respond to bank transfer scams and do more to identify fraudulent payments, but stopped short of advocating changes in liability for fraudulent losses, which currently fall on consumers.

Consumers conned into transferring money to a fraudster by bank transfer have no legal right to get their money back from their bank. Credit card and direct debit payments, by contrast, offer guarantees to consumers.

The PSR’s response to a super-complaint by Which? on bank transfer scams “has let the banks off the hook”, the consumer group said.

Which? has pledged to keep campaigning on the issue. Changing liability for fraudulent transfers would likely need a change in the law, something the regulator is unconvinced about supporting, at least in the short term. The PSR said:

We have concluded that there was not sufficient evidence to justify a change in liability, i.e. making banks liable for reimbursing victims of APP scams, and we are aware of the possible unintended consequences of doing so.

However, we did note that, as work progresses and additional evidence comes to light, we will consider whether it is appropriate to propose changes to the obligations or incentives that banks have for these types of scams.

The PSR has agreed a programme of work with Financial Fraud Action UK aimed at reducing fraudsters’ ability to perpetrate scams, improving consumer education and boosting the chances of recovering fraudulently transferred funds. Measures will include confirmation of payee, which checks the recipient name entered by the payer against the name on the receiving account.

The banking industry was instructed to produce more robust scam statistics in order to better assess the scope of bank transfer scams, which collectively cost consumers millions. In the two weeks after Which? launched an online scam reporting tool in November, more than 650 people reported to it losses via bank transfer totalling £5.5m.

The PSR has promised to review banking industry progress in combating money transfer fraud during the second half of 2017.

According to Which?, the regulator needs to go further or victims will continue to be fleeced.

Alex Neill, managing director of Which? Home and Legal Services, said: “While recognising that the industry is not doing enough, it [the regulator] has failed to adequately address the issue of liability and has let the banks off the hook, giving them little incentive to do more to protect their customers.”

1-Billion Yahoo Users’ Database Reportedly Sold For $300,000 On Dark Web

Yahoo recently disclosed a three-year-old data breach that exposed personal details associated with more than one billion user accounts, said to be the largest data breach of any company ever. The new development in Yahoo!’s 2013 breach is that the hacker sold the billion-plus-user database on the Dark Web last August for $300,000, according to Andrew

Reliably Exploiting Apport in Ubuntu

[Donncha O’Cearbhaill] has successfully exploited two flaws in Apport, the crash reporting mechanism in Ubuntu. Apport is installed by default on all Ubuntu Desktop installations >= 12.10 (Quantal). Inspired by [Chris Evans]’ work on exploiting 6502 processor opcodes on the NES, [Donncha] describes the whole process of finding and exploiting a 0-day on a modern Linux system.

One of the flaws, tracked as CVE-2016-9949, is a Python code injection via the crash file. Apport blindly passes an unsanitised field (CrashDB) from the .crash file to the Python eval() function, which leads directly to arbitrary Python code execution. The other flaw, tracked as CVE-2016-9950, is a path traversal that results in the execution of arbitrary Python scripts from outside the system hook directories. The problem arises because another field of the crash report (Package) is used without sanitisation when building the path to the package hook files.

CVE-2016-9949 is easily exploitable: if an attacker can trick a user into opening a specially crafted Apport .crash file, the attacker can execute Python code of their choice. Two details make it a very interesting exploit.

The first thing to note is the exploit’s reliability. Because it is pure Python code execution, an attacker doesn’t have to worry about ASLR, non-executable memory, stack canaries and the other mitigations that Ubuntu ships by default. As the author notes:

“There are lots of bugs out there which don’t need hardcore memory corruption exploitation skills. Logic bugs can be much more reliable than any ROP chain.”

Another interesting detail is that the exploit file doesn’t need to have the .crash extension. As long as its content starts with the string “ProblemType: ” and the file extension is not already associated with other software, Ubuntu treats it as MIME type text/x-apport (for example, .ZlP or .0DF). This significantly improves the chances of an unsuspecting user being fooled into opening the file.
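The two unsafe patterns described above, shown beside hardened versions, as an added example that is not Apport’s own code or [Donncha]’s exploit. It parses a constructed .crash report (the Key: Value format Apport uses), feeds the CrashDB field to eval() as the vulnerable code did and to ast.literal_eval() as a safe alternative, and builds the package hook path with and without a traversal check. The hook directory, the hook file naming and the specific mitigations are this example’s assumptions, not taken from the page; the malicious report is constructed and its payload is harmless (it only calls os.getpid()).

```python
"""Apport-style .crash parsing: vulnerable patterns beside hardened ones.

Added example, not Apport's code. HOOK_DIR and the "<package>.py" hook
naming are assumptions for illustration.
"""
import ast
import os

HOOK_DIR = "/usr/share/apport/package-hooks"  # assumed hook directory


def is_apport_report(content):
    """Mirror the magic-string match the article describes: the MIME type
    text/x-apport is assigned on content, not on the file extension."""
    return content.startswith("ProblemType: ")


def parse_crash(text):
    """Parse 'Key: Value' lines; continuation lines start with a space."""
    fields = {}
    key = None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            fields[key] += "\n" + line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


# Constructed reports. The malicious CrashDB value is an expression, not a
# dict literal, so eval() runs it; the Package value carries traversal.
MALICIOUS_REPORT = (
    "ProblemType: Crash\n"
    "CrashDB: __import__('os').getpid()\n"
    "Package: ../../../tmp/evil\n"
)
BENIGN_REPORT = (
    "ProblemType: Crash\n"
    "CrashDB: {'impl': 'launchpad', 'project': 'ubuntu'}\n"
    "Package: gedit 3.18.3-0ubuntu4\n"
)


def crashdb_spec_vulnerable(fields):
    """CVE-2016-9949 pattern: eval() on an attacker-controlled field.
    Whatever the field contains is executed as Python."""
    return eval(fields["CrashDB"])


def crashdb_spec_hardened(fields):
    """literal_eval() accepts only Python literals; a call expression
    raises ValueError instead of executing."""
    spec = ast.literal_eval(fields["CrashDB"])
    if not isinstance(spec, dict):
        raise ValueError("CrashDB must be a dict literal")
    return spec


def hook_path_vulnerable(fields):
    """CVE-2016-9950 pattern: the package name is joined onto the hook
    directory unchecked, so '..' components escape HOOK_DIR."""
    package = fields["Package"].split()[0]
    return os.path.normpath(os.path.join(HOOK_DIR, package + ".py"))


def hook_path_hardened(fields):
    """Reject separators and dot-prefixed names, then confirm the
    normalised path still lives directly under HOOK_DIR."""
    package = fields["Package"].split()[0]
    if "/" in package or package.startswith("."):
        raise ValueError("invalid package name: %r" % package)
    path = os.path.normpath(os.path.join(HOOK_DIR, package + ".py"))
    if os.path.dirname(path) != HOOK_DIR:
        raise ValueError("hook path escapes hook directory")
    return path


def inside_hook_dir(path):
    return os.path.dirname(os.path.normpath(path)) == HOOK_DIR


def rejects(fn, fields):
    """True if the hardened function refuses the report."""
    try:
        fn(fields)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bad = parse_crash(MALICIOUS_REPORT)
    print("vulnerable eval() returned:", crashdb_spec_vulnerable(bad))
    print("vulnerable hook path:", hook_path_vulnerable(bad),
          "inside hook dir?", inside_hook_dir(hook_path_vulnerable(bad)))
    print("hardened rejects CrashDB:", rejects(crashdb_spec_hardened, bad))
    print("hardened rejects Package:", rejects(hook_path_hardened, bad))
```

Running the block shows why the logic bug is so reliable: eval() returns the attacker’s value on every machine regardless of ASLR or stack protection, while the hardened parser refuses both fields before anything is executed or any path is opened.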