Category Archives: Digital Crime
For Your Eyes Only
Whilst reading an excellent article this morning in The Age, ‘Keeping Out Smart Phone Snoops’ by Brian Chen, I noted that the underlying theme of his article was locking your smartphone; the article clearly stated: ‘One of the easiest ways to add a layer of security to your smartphone is requiring a password to get past the initial lock screen’.
Having read the article and agreeing with its range of valuable tips on protecting the data in your smartphone, I thought it prudent to bring to subscribers of Cyber Guardians Online the background of a common criminal activity known as ‘Shoulder Surfing’ that surfaced in the early 1990s.
I personally came across shoulder surfing as a Federal Agent where, as one of the inaugural members of the newly formed Computer Crime Unit in Sydney, a significant file came across my desk involving an Australian travelling on business in New York City and coming home to a home phone bill in excess of $2 million. It was early in the 1990s, pre-mobile phones, when travellers could opt to link a home phone account to a ‘Calling Card’. Calling cards were great: go to any phone in the world, call a local dedicated number and either tell the operator or, on some occasions, just key in your calling card number and personal identification number (PIN) to make a call anywhere and have it recorded on your home phone bill.
One major problem back then was that phone companies did not have safeguards built in to detect simultaneous calls from the same calling card being made from various locations around the globe and, as such, fraud was rife. The manner in which the fraud was conducted was quite simple: all one had to do was obtain the calling card number and PIN, and all calls were then made at the account holder’s expense.
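The safeguard the post says was missing, concurrent use of one calling card from two different places, is easy to express as a check over call records. The following is an added example written for this post, not code from Cyber Guardians Online or from any phone company: the record layout (card id, start time, duration in minutes, location) and the sample rows are constructed, and the card ids are placeholders. It flags any card with two overlapping calls from different locations, and also reports the largest number of distinct locations a card was used from within a rolling one-hour window, which is the pattern a card on-sold many times a day would produce.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CallRecord:
    """One call detail record; the field set is an assumption for this example."""
    card_id: str        # calling card number (placeholder values below)
    start: datetime     # when the call was connected
    duration_min: int   # call length in minutes
    location: str       # where the originating phone was located

    @property
    def end(self) -> datetime:
        return self.start + timedelta(minutes=self.duration_min)


# Constructed sample records: CC-0001 is used in New York and Sydney at the
# same moment (impossible for one legitimate holder); CC-0002 is clean.
DAY = datetime(2013, 4, 5)
SAMPLE_RECORDS: List[CallRecord] = [
    CallRecord("CC-0001", DAY.replace(hour=9, minute=0), 10, "New York"),
    CallRecord("CC-0001", DAY.replace(hour=9, minute=5), 5, "Sydney"),
    CallRecord("CC-0001", DAY.replace(hour=10, minute=0), 5, "New York"),
    CallRecord("CC-0001", DAY.replace(hour=10, minute=2), 5, "New York"),
    CallRecord("CC-0002", DAY.replace(hour=9, minute=0), 30, "London"),
    CallRecord("CC-0002", DAY.replace(hour=11, minute=0), 5, "Sydney"),
]


def group_by_card(records: List[CallRecord]) -> Dict[str, List[CallRecord]]:
    """Bucket records per card, each bucket sorted by start time."""
    by_card: Dict[str, List[CallRecord]] = defaultdict(list)
    for r in records:
        by_card[r.card_id].append(r)
    return {card: sorted(calls, key=lambda r: r.start) for card, calls in by_card.items()}


def find_concurrent_use(records: List[CallRecord]) -> Dict[str, List[Tuple[CallRecord, CallRecord]]]:
    """Return, per card, pairs of calls that overlap in time from different locations.

    A single sweep over the time-sorted calls keeps only the calls that could
    still be in progress, so each new call is compared against a short list.
    Overlapping calls from the *same* location are not flagged here: two
    adjacent payphones at one airport are not evidence of cloning.
    """
    alerts: Dict[str, List[Tuple[CallRecord, CallRecord]]] = {}
    for card, calls in group_by_card(records).items():
        active: List[CallRecord] = []
        for call in calls:
            # Drop calls that ended before this one started.
            active = [c for c in active if c.end > call.start]
            for earlier in active:
                if earlier.location != call.location:
                    alerts.setdefault(card, []).append((earlier, call))
            active.append(call)
    return alerts


def max_locations_in_window(records: List[CallRecord], window: timedelta = timedelta(hours=1)) -> Dict[str, int]:
    """Per card, the largest number of distinct locations seen in any rolling window."""
    result: Dict[str, int] = {}
    for card, calls in group_by_card(records).items():
        best = 0
        for i, anchor in enumerate(calls):
            limit = anchor.start + window
            locations = {c.location for c in calls[i:] if c.start < limit}
            best = max(best, len(locations))
        result[card] = best
    return result


if __name__ == "__main__":
    for card, pairs in find_concurrent_use(SAMPLE_RECORDS).items():
        for a, b in pairs:
            print(f"ALERT {card}: {a.location} {a.start:%H:%M} overlaps {b.location} {b.start:%H:%M}")
    print("distinct locations per hour:", max_locations_in_window(SAMPLE_RECORDS))
```

Run on the sample rows the overlap check raises one alert, for CC-0001, and the window count reports CC-0001 at two locations within an hour and CC-0002 at one. A real deployment would tune the window and add a distance-over-time test, but the overlap rule alone would have caught the case the post describes.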
Free international phone calls in a multicultural city like New York City were a commodity that was extremely valuable on the black market, where a person with just one calling card number and PIN could on-sell the details hundreds of times a day, usually for $20, and of course the purchaser of that calling card number and PIN would then on-sell the details as well. Furthermore, the illicit transaction could be guaranteed, with all parties ‘testing’ the card’s validity at a local phone box.
Obtaining the Account Number and PIN
As you can imagine, obtaining calling card details became very lucrative, and this is where criminal enterprises resorted to some basic ‘surveillance 101’ tactics, which I list here in dot point form:
- Standing behind the person at the payphone and memorising the person’s account number and PIN (clearly an apprentice card counter in the making)
- Using telephoto lenses and videotaping persons entering personal details into the payphone
- Standing close by, or on the other side of the row of payphones in airports, bus interchanges and railway stations, and writing down account details and PINs as customers spoke to a calling card operator.
As you can see, it was not that hard to obtain such personal details and turn a few simple numbers into a positive cash-flow operation within minutes, and generally the card would remain active until the unsuspecting victim received a telephone bill he/she could not jump over.
Yes, phone companies became smarter over time and introduced safeguards similar to those banks now have in place for ATM card transactions. However, the above scenario was the breeding ground for producing ‘Shoulder Surfing’ experts, who now operate with a view to obtaining your mobile/cell phone after securing your PIN by shoulder surfing.
Locking Your Phone Is Not Enough
Hence the underlying theme of this post is to warn you that, while locking your phone with a PIN is your first level of defense, your PIN needs to be protected with vigilance. How many times do you sit in the open and enter your PIN without covering your actions whilst:
- At Bus/Train stops?
- On public transport?
- At bars/cafes?
- Walking along crowded streets?
- Opposite a work colleague?
Furthermore, how many of you have your mobile/cell phone PIN set the same as your bank ATM card PIN? Surprisingly, a high majority do, and this opens a whole new Pandora’s box of ATM and credit card fraud.
All it takes is for the person who has acquired your phone’s PIN code to obtain your phone and ATM cards, whether through pickpocketing, a bag snatch and/or following you home or to work; at times you may not notice the theft until the morning or the end of your workday. The domino effect can lead to your suffering severe financial loss, as banks are reluctant to reimburse funds to persons who do not protect their PINs.
Finally, consider what other data is stored on your phone. As The Age article highlighted, and as indicated here in this post, crime gangs the world over have had years to perfect the simple art of ‘Shoulder Surfing’, and it is re-emerging as a criminal activity that will capitalise on unsuspecting citizens going about their daily business.
Reference: The Age, Chen, B., ‘Keeping Out Smart Phone Snoops’, Sunday April 5 2013.
For over seven years the current government has stated that Internet Service Provider (“ISP”) filtering is a key component of the Australian Government’s cybersafety plan. Filtering of online material at the ISP level reflects the view that ISPs should take some responsibility for enabling the blocking of such content on the internet.
This is consistent with the recent child online protection guidelines issued by the International Telecommunication Union. The guidelines state that the strategic objective for the internet industry for child internet safety should be to reduce the availability of, and restrict access to, harmful or illegal content and conduct.
ISP-level content filtering is already occurring in other countries, including Canada, Denmark, Finland, Norway, Sweden and the United Kingdom, and the government wanted to ensure a similar level of protection for internet users in Australia.
So, what internet content falls within ISP-level content filtering?
ISP-level filtering of Refused Classification Material
Several years ago the government announced that it would introduce legislative amendments to require all ISPs in Australia to use ISP-level filtering to block overseas-hosted Refused Classification (RC) material on the Australian Communications and Media Authority (ACMA) RC Content list.
As reported on the Department of Broadband, Communications and the Digital Economy website, content is defined under the National Classification Scheme as Refused Classification (“RC”) and includes child sexual abuse imagery, bestiality, sexual violence, detailed instruction in crime, violence or drug use, and/or material that advocates the doing of a terrorist act.
The RC Content list was to be based on public complaints to the Australian Communications and Media Authority (“ACMA”) and assessed using existing criteria set out in the National Classification Scheme.
ACMA, in one of its roles, liaises with highly reputable overseas organisations to identify lists of child abuse material suitable for incorporation into the RC Content list, following a detailed assessment by ACMA of the processes used to compile those lists.
The Australian newspaper on November 10 2012 reported, in an article titled ‘Mandatory web filter “would never have worked”’, that the Coalition and the Greens said: “LABOR was forced to abandon its promised mandatory internet filter because it would never have worked and would not have passed through parliament.”
It was further reported in The Australian that the Communications Minister Stephen Conroy dumped the proposed filter five years after it was promised by Labor, following an outcry from civil libertarians and technology businesses.
He said the government instead would force internet service providers to block sites on Interpol’s “worst of” child-abuse list.
“Given this successful outcome, the government has no need to proceed with mandatory filtering legislation,” Senator Conroy said.
The minister said the decision was in line with a 2010 Australian Law Reform Commission recommendation that the government’s previous internet “black list” was too wide and did not reflect community expectations.
So where does that leave us now? Cyber Guardians Online will be reviewing the outcomes of this monumental ‘backflip’ and will be featuring some legislative analysis of where ISPs are now positioned.
Furthermore, Cyber Guardians Online will assess whether Australia’s adoption of the 2009 INTERPOL General Assembly Resolution (AG-2009 Res-05), a resolution that limits the online distribution of child sexual abuse images whilst encouraging member countries to promote the use of all the technical tools available, including access blocking of websites containing child sexual abuse images, is sufficient to prevent such images being accessed in Australia.
As INTERPOL is tasked with leading this work by providing a list of domains containing the websites that disseminate the most severe child abuse material worldwide, working in tandem with international police forces in the construction of the “Worst of” list of domains, Australia needs to ensure that all internet users are protected from explicit images and content.