This week’s funniest spam email, and why a strong email password is good

I don’t normally see much spam thanks to the spam filters, but I did see this funny one a few days ago:

IMF APPROVED PAYMENT LETTER.

GOOD DAY TO YOU,

It is a great pleasure to contact you this day as i have just been appointed the new Chief of the International Monetary Fund (IMF) and on assumption in office i have seen your untreated transaction with my else while predecessor Dr Dominique Strauss Khan, i
have seen the records of all your payment made in the past to (IMF) and also have a complete files of yours here with me.

This mail is to inform you that i am here to release without any delay your outstanding contract payment of $10.7 usd as reflected here in my record to you within 24hrs from when you respond to this mail.

As i wish to inform you that there will be no fee needed for this transfer. but be informed that the only thing needed is the Affidavit of claim (AOC)of which you have to respond back to my e-mail and i will direct you to the right office for you to get the Affidavit of claim (AOC) so i advise you to get back to me as soon as you get this mail so that i can know what actually went wrong and why you weren’t paid along with others.

Re-confirm to me the followings information to enable the urgent processing of your payment.

1.Name
2.Phone,fax and cell number
3.Delivery Address.
4.Age,profession and sex.
5.Copy of ID.

Endeavor to call me as soon as you get this mail on my official number below in this mail.

Treat as top urgent.

Regards,

Dr.Mrs Christine Lagarde
Chief of the International Monetary Fund (IMF)
DIRECT E-MAIL: of-fice-m-ail01@msn.com

“Top urgent”! I didn’t realise the head of the IMF sent these emails out personally, and from an MSN account, but there you go.

Presumably this was sent from the IMF’s Nigerian branch office.

I can’t help thinking they meant to say $10.7 million usd — a mere $10.70 doesn’t seem like it’s going to convince many people to send in all their details.

On a more serious note, a friend of mine got his web email account hacked this week. Not only did his contacts receive an email allegedly from him, claiming he was on vacation (a term he and most Australians would never use) in Spain, had lost his wallet and his phone, only had email access, and was in desperate need of money — and could I please send funds via Western Union?

They also changed his Reply-To address slightly, so any replies were likely to go to the scammers (unless you noticed the change, which was quite subtle).

I rang him up, and he was quite definitely in Richmond, not Spain. He’s now changed his email password and Reply-To address.

It underscores the value of strong passwords, and also (if you are using a webmail provider that offers it, such as GMail) two-factor authentication — in GMail’s case, it means they confirm your logon once a month (or when you use a different computer) by sending you a text message. This means a hacker not only needs your password, they also need your mobile phone to get into your email, which makes things much safer. Here’s how to switch it on in GMail.

Myki “hacking”, and jumping at shadows – DON’T PANIC!

Some people got just a little too hysterical last week when news of a security vulnerability in Myki came out.

Wrong MykiThe story broke on Monday, but it wasn’t until Wednesday that the mainstream media got hold of it, with the Melbourne Times running it first, spreading rapidly to The Age, AAP, 3AW and others — and along the way a good deal of misinformation came into play:

MORE than 1.1 million Myki cards are set to be phased out as hackers have found a method of cloning the tickets.

Melbourne Times

Two problems with this:

They weren’t hackers. “Hackers” implies bad guys sitting in darkened rooms trying to find a way to defraud the system.

They were actually scientists at a German university, doing cryptography research — what some refer to as “white hats”. They did the right thing and told the card manufacturers (NXP) about the problem some six months before publishing their results:

In April 2011 the University of Bochum, Germany, informed NXP that their cryptographic research group, led by Professor Paar, had successfully attacked the MF3ICD40. The research group also informed us of their intent to publish the attack at the annual Workshop on Cryptographic Hardware and Embedded Systems (CHES), held September 28 to October 1 2011.

NXP Semiconductors

What some of the reporting also missed is that it’s not a simple task to perform the hack and clone a card. It requires some sophisticated (and expensive; apparently costing $3000 or more) equipment and many hours of processing. It’s highly unlikely that in the short term, anybody will do it “in the wild”.

It’s possible the technology will get cheaper and more available, of course… that’s the nature of tech. But it’s specialised equipment that doesn’t work quite along the lines of Moore’s Law — it’s hard to conceive that within the next few years, high-end oscilloscopes will be common or cheap.

And it’s worth noting here that the earlier version of the same card, “Mifare Classic”, used in some systems including (until recently) the Transport for London network (eg Oyster card) and Brisbane and elsewhere got hacked many years ago, but these networks have not been subject to widespread fraud. In fact, a quick search around the place shows reported instances of it are very difficult to find.

Of course, it’s probable that authorities would be reluctant to make such fraud public if the offenders are not caught. Still, it doesn’t seem that fraudulent cards are common.

Putting the boot in

Among those putting the boot into Myki was regular Myki-kicker David Heath, in another of his “comment-disguised-as-journalism” pieces for IT Wire:

Picture this: you obtain a brand-new Myki (in some suitably anonymous name) and load a $1000 credit onto it. All fine (although a tiny bit crazy) thus far. Next, you clone the card 1,000 times and sell the clones for $200 each.

iTWire has reported extensively on the whole Myki saga on numerous occasions. Through all this history, virtually nothing positive has come out of the entire project. We have seen function contraction, cost blow-out and foolishness time and time again.

IT Wire

Oyster in MelbourneNow I’m all for kicking Myki when it deserves it (heaven knows I’ve done it often enough myself). But surely anybody writing in IT must realise by now that it’s here to stay, that most of the people currently using it actually don’t mind using it, and that we’re way past the point of scrapping it and buying Oyster instead.

More importantly, a little research and rational thinking wouldn’t have gone astray here.

Firstly, you can’t load $1000 onto a Myki card. They have a limit of $999.

Secondly, it should be fairly obvious that any ticketing system with a little basic security will have safeguards against something like lots of copies of the same card being used around the system. As soon as the fraud was detected, that card number would be blocked for travel (as already happens when a card is reported lost or stolen).

Thirdly, who with a little common sense would buy a dodgy card for that amount of money? Would you even pay $100? $50? Would you buy one at all, knowing that the chances of it being detected and blocked, and worse (for you) that the ticketholder might well be caught and prosecuted? Would these theoretical criminals ever get their thousands of dollars of investment money back?

Surely punters aren’t that gullible. Hardcore fare evaders don’t use fake or cloned tickets. They jump barriers and dodge inspectors and other staff.

Hysteria aside, what’s the real situation?

ZDNet has some good coverage, which notes that in Myki’s favour (who’d have thought!) they didn’t actually skimp on the security:

Although this could have been a cost-cutting method, the TTA appears to have avoided cutting corners with respect to card security. There are four security measures that can be installed for the cards relating to key diversification, fraud detection, card blocking and card information binding. The TTA elected to include all four, pointing the issue further up the chain to the manufacturer.

Despite the cards being theoretically vulnerable, however, there isn’t a need to replace the cards as a matter of urgency. NXP stated that even if the lab equipment required to pull off the vulnerability is obtained, it could still take hours to days for the analysis of a card to be completed.

ZD Net: Myki gets upgrade as vulnerability emerges

So yes, there’s a problem. But there’s no need to panic.

My take on it

Given the information available so far, it doesn’t seem to me to be necessary to go and recall the million cards issued and replace them all with the newer version straight away. The existing cards are rated for a life of four years, and that means that unless it is shown that this or another attack are actually practicable outside a laboratory it would make more sense to just replace them with the more secure version as they come up for renewal, eg from late-2012, rather than panic and rush out replacements now.

After all, rush into it now (at great effort and expense) and you might find in 12 months that another theoretical attack becomes apparent, and have to do it all again for no good reason.

From the sounds of it, this is what the TTA is doing; planning a migration rather than rushing new cards out. Unless there’s a more major problem we’re not hearing about, this seems to me to be a pretty reasonable course of action.

PS. Thursday: I’ve had it confirmed that there is checking for duplicate Myki cards, with found duplicates being blocked from use (not immediately, but pretty quickly after detection).