Tag: fraud

Google is warning users that Secure Sockets Layer (SSL) certificates purchased from Symantec, VeriSign, GeoTrust, Thawte, Equifax and RapidSSL are not secure – raising questions for businesses using them.

SSL certificates are small data files that digitally bind a cryptographic key to an organisation’s details. When installed on a Web server, it activates the padlock and the https protocol and allows secure connections from a Web server to a browser.

Browser developers, including Google, have raised questions about the way Symantec issued SSL certificates, and have threatened to stop recognising them, a move that could hurt Symantec’s customers and worry visitors to the Web sites using the affected certificates.

Improper issuances
In March, Google accused Symantec of misusing at least 30 000 such certificates, potentially allowing attackers to masquerade as legitimate Web sites.

The Internet giant expects root certificate authorities like Symantec to validate domain ownership before issuing certificates and to secure their operations and infrastructure against signs of improper issuances as well as auditing logs to review issuance activity.

Google stated Symantec had not met these standards and had allowed outside access to their certificate infrastructure without proper oversight.

Symantec SSL certificates – estimated to make up one in every six SSL certificates currently deployed online – include certificates issued by VeriSign, GeoTrust, Thawte, Equifax and RapidSSL because Symantec bought their certificate authorities and they were subsequently added to the Symantec root.

The search-engine giant indicated last month that it has added a new feature under the “Developer Tools” menu item in the latest version of its Web browser, Google Chrome, alerting users that Symantec, VeriSign, GeoTrust, Thawte, Equifax and RapidSSL SSL certificates issued before 1 June 2016 will be considered distrusted from next March.

The core of the issue surrounding Symantec certificates – the business operates under brand names such as VeriSign, Thawte, Equifac, RapidSSL or GeoTrust – is that Symantec “entrusted several organisations with the ability to issue certificates without the appropriate or necessary oversight,” says Google.

The latest version of Google Chrome – the world’s most popular browser – called version 62 is scheduled to go live between 22 and 28 October. According to Net Market Share, Chrome dominates the browser market with a 59.61% market share.

The next big upgrade, called Chrome 66, is expected mid-April 2018 and visitors to Web sites using Symantec certificates issued before 1 June 2016 will receive warnings that the sites are “untrusted”.
Google has also indicated that Chrome 70 – estimated for roll-out in October 2018 – will distrust any certificate issued by Symantec’s old infrastructure, including those sold after 1 June 2016.

DigiCert deal
Following the impasse, Symantec has since entered an agreement with identity and encryption solutions provider DigiCert, which will acquire Symantec’s Web site security and related public key infrastructure solutions.
Under the terms of the agreement, Symantec will receive approximately $950 million in upfront cash proceeds and approximately a 30% stake in the common stock equity of the DigiCert business at the closing of the transaction.
However, Lauren Collier, SSL sales manager at cyber security firm LAWtrust, says while DigiCert – which is buying Symantec’s certificate authority business – is promising to issue replacement certificates from December this year, businesses should think carefully about how to proceed.

“One of the important parts of the SSL ecosystem is trust. If a certificate authority neglects to properly verify the legal existence and identity of an entity before issuing SSL certificates for domains, as Symantec has been accused of doing, this breaks the chain of trust,” she says.

Serious concern
For Jon Tullett, IDC’s research manager for IT services for Africa, SSL certificates are absolutely fundamental to modern Internet security. “They’re far from perfect – as this incident shows – but they are used to secure a tremendous amount of online activity.”

He explains that when a browser like Chrome removes a certificate, users will get a warning before they visit a site which uses that certificate to validate its identity.

“Google’s Chrome team has indicated serious concerns with a large number of the certificates in question, prompting this action, so it’s likely quite a number of sites and services may be affected – many thousands, potentially,” says Tullett.

Meanwhile, Manuel Corregedor, COO of information security company Telspace Systems, says digital certificates allow for the communication between the user’s machine and the Web site (server) to be encrypted.
“This makes it difficult for an attacker to intercept communications between the user’s computer and/or to masquerade as the authentic Web site.”

He notes organisations will have to replace their certificates or face potential reputational or financial harm.
“However, this is easier said than done especially for organisations that make use of certificates on devices or terminals that are hard to get to. In such cases, organisations will find it very difficult to update the certificates before the imposed deadline by Google,” says Corregedor.

By Admire Moyo for ITWeb

Unemployment pressures tempt fraud

With unemployment at its highest level, the youth are anxious, agitated and searching for creative ways to earn a living.

“In this environment, you cannot write off the temptation that confronts young people to commit fraud, when doors slam shut in their faces or do not even open in the first place,” says Manie van Schalkwyk of the South African Fraud Prevention Service.

The obvious temptation is CV doctoring, he says. By adding a few tweaks, candidates may make their application appear more professional than they actually are and increase chances for a job interview.

“Qualification fraud is simple enough to perform and with any luck an applicant may land an interview, even a job offer. But a few months into the job the employer will begin to wonder why the candidate’s skills and abilities do not match up to the qualifications he or she has presented on their CV. Questions will be asked. “When you are exposed as a fraud, you will have a criminal record,” Van Schalkwyk says.

For young people who are employed who wish to apply for store cards, credit cards or any type of credit, there is the temptation to stretch the salary or the length of time spent in a particular work place to increase their chances of credit approval or credit limit. Van Schalkwyk says, “Falsifying this information constitutes fraud.”

At another level, one of the first goals of a newly graduated student is to learn to drive and get a driver’s licence. So, they may be driving around in their parents’ or older sibling’s car, or they may have a car of their own.

In this case, the individual may wish to have car insurance. After phoning some insurance companies they may learn that their premium is higher than expected because of their lack of driving experience. They will persuade their parents to front for the policy, so that the policy is held in the parent’s name. This is falsely representing information as the younger person will be the primary driver of the vehicle being insured.

“A common illustration of this is alternative fact information given about who the regular driver of a vehicle will be,” says Deanne Wood, short term insurance ombudsman. “Older drivers pay significantly lower premiums than younger drivers.” The difference in premium can be significant.

“Certainly, significant enough to encourage consumers to provide inaccurate information about who the regular driver of a vehicle will be,” Wood says.

“Our office sees far too many claims being submitted where, for example, parents have represented that they will be the regular driver of a vehicle when in fact the vehicle was purchased by them for use by their child.

“Paying the lower premium is all well and good until a loss is suffered. Simple desk-top investigations using Facebook or other social media searches can all too easily reveal misrepresentations made by consumers who forget to cover their tracks when making misrepresentations to their insurance companies,” Wood adds.

Van Schalkwyk says, “Like all fraud, it’s only a matter to time until the perpetrators will be found out and could face prosecution. Starting out in a career with a criminal record is no way to build a future. I urge youth to stay on the right side of the law despite the many challenges of the current economic climate. Don’t put further obstacles in your path.”

Fraud alert warning from retail stationer

A local retail stationer has contacted My Office News with a warning of attempted fraud.

The instance began with a request to quote on Monday 15 May 2017 from a certain “George Miller” of Quality Service cc.
He requested a quote for two taping applicator systems and 1 000 PVC 70mm lever arch files.
The retailer immediately became suspicious, as clients usually approach a wholesaler directly for that quantity of stock.
The retailer then began to research the company and discovered that the company name did not match up with the phone number provided.
However, the retailer e-mailed the quote to the address provided and thereafter received a purchase order with an address listed in Bellevue East.
When the retailer googled the address, it was for Raleigh Court in Yeoville/Bellevue East.
The retailer then confirmed with “George Miller” once again via e-mail that full payment was required, and they had to collect from the retailer’s offices once the order was ready.
Following that, the retailer received a proof of payment (POP) via e-mail that looked nothing like other POPs received from Standard Bank:

The retailer then sent all the evidence to the bank. A representative from Standard Bank’s Fraud division responded, saying “We would recommend that no goods released and also no services be rendered as the proof of payment is not valid. If you would like to pursue the matter, you may report the suspects to the SAPS in order for them to continue with investigating the individual.”

Please be wary when receiving large orders from unknown customers.

Simple fraud questions MTN and Cell C cannot answer

Many South Africans have lost money through Internet banking fraud, with victims blaming their mobile operator for not protecting them against illegitimate SIM-swaps.

News reports emerged in 2016 that a crime syndicate had infiltrated the mobile operators and was performing SIM-swap and Internet banking fraud.

Continue reading

SA’s big banks go to court

Unhappy banking clients have instituted legal action against the banking ombudsman and a number of South African banks due to the manner in which they handle Internet fraud cases, according to a report by the Rapport.

20 Absa and Standard Bank clients, who have each lost between R1 million and R2 million to Internet banking or SIM swap fraud, want the banks to be held accountable for fraudulent action.

The ombudsman meanwhile, will not open a case of fraud against a bank unless clients can prove that the bank’s acted negligently. If no negligence can be proven by the bank, it unfortunately means that the complainant is negligent.

In 2016, only 22% of cases of Internet fraud in South Africa was ruled in favour of the customer, while the remaining 940 cases of Internet banking-related complaints went in favour of the banks.

According to the report, the banks and the ombudsman argue that where a PIN or a password is fraudulently obtained, the client must be responsible as they are the only persons privy to that information.

However the 20 clients claim they never acted negligently nor did they give out personal information that could have compromised their accounts. They also argued that they have no way of proving a breach took place through the banks or via a cellular provider meaning it was next to impossible to prove who was at at fault.

They pointed to a recent case in which one of the 20 customers instituting the action had to take both Absa and Vodacom to court in order to determine who authorised a SIM swap on her cell number and therefore had access to her Absa bank account.

It was only after the court ruled in her favour and ordered that the client be given access to the records and was able to build a case that she was not liable for the fraud, said the report.

Source: www.businesstech.co.za

Fraud, dishonesty on the up as economy faulters

First Standard & Poor, now Fitch have rated the South African economy “junk” with huge ramifications for South African citizens, with the poorest of the poor being the worst affected, economists agree.
Manie van Schalkwyk, executive director, of the South African Fraud Prevention unit said there would be much less money going around, a severe lack of international investment and potential job losses.

Continue reading

New PayPal phishing scam surfaces

Cyber-crooks are sending out spam emails that falsely warn recipients that their PayPal account activity has been temporarily limited, citing an account fraud issue.

A phishing email scam that warns PayPal users of possible fraudulent account activity in hopes of scaring personally identifiable information out of them is currently making the rounds.

According to a blog post from ESET, the phishing emails falsely inform recipients that PayPal has detected “unusual activity” on their accounts and has “temporary limited what you can do” until the possible security issue can be resolved. Clicking the log-in button on these emails redirects victims to what appears to be a legitimate log-in screen – it even displays an SSL certificate to sell its supposed authenticity – but is actually a fake PayPal web page hosted on a malicious domain.

After victims “log in,” the fake PayPal site displays another message informing victims that they will not be able to withdraw funds for 15 days, unless the issue is addressed further. Those who click a “Continue” button to proceed are then asked to enter even more detailed information, including their Social Security number, address, phone number, birthdate and mother’s maiden name.

As phishing scams go, this one is convincing, but there are still some clues that PayPal did not send this alert, ESET reported. For instance, the email contains minor grammatical and syntax errors, and the fake web page’s request to enter your home country is unusual, considering it also asks for your Social Security number, which only applies to the US.

By Bradley Barth for www.scmagazineuk.com

An internationally co-ordinated fraud attack involving forged bank cards used at ATMs in Japan has stripped Standard Bank of about R300-million.

Standard Bank and authorities remained mum on the progress of investigations and the whereabouts of the syndicate, as investors appeared largely unconcerned by the bank’s loss.

Spokesman Ross Linstrom of Standard Bank, which made just more than R22-billion in headline earnings across the group in 2015, said on Monday a sophisticated and co-ordinated syndicate had created a “small number of fictitious cards” and proceeded to draw a total amount of R300-million from ATMs in Japan.

He said investigations were at a sensitive stage, but that bank customers would suffer no adverse effects if their details had been stolen and used in the Japanese fraud.

Japanese media have reported that about 100 individuals hit 1 400 ATMs in just three hours on a day when banks are closed for business, with one withdrawal transaction at each ATM up to the daily limit amount set in Japan.

According to Japanese media, no arrests have been made and the individuals who made the withdrawals may no longer be in the country.

The fraud fits an international trend involving hit-and-run withdrawal schemes in which fraudsters may be jetting into countries in different time zones to buy themselves time to collect the cash and run.

The South African Banking Risk Information Centre confirmed the Standard Bank matter was under investigation, and CEO Kalyani Pillay said the local industry would provide full support to both the bank and law enforcement, where possible.

“The industry’s card losses for 2015 were in the region of R778-million across all card types for South African-issued cards.

“This was a 4% decrease compared to 2014. Banks have robust systems in place to monitor and detect fraud, but some risks lie with bank clients themselves,” Pillay says

Southern African Fraud Prevention Services executive director Manie van Schalkwyk said his organisation stops about R3-billion in fraud every year.

“Identity fraud is declining, and the main reason is the use of biometrics,” he says.

Van Schalkwyk said banks were making use of various databases and methods to try keep up with and combat such fraud, as criminals continued to evolve their modus operandi.

By Brendan Peacock for www.bdlive.co.za

  • 1
  • 2

Follow us on social media: 

               

View our magazine archives: 

                       


My Office News Ⓒ 2017 - Designed by A Collective


SUBSCRIBE TO OUR NEWSLETTER
Top