(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on alecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]
BBC Radio4’s @MoneyBox programme is doing harm to #InformationSecurity & #FraudPrevention, and is providing propaganda for the OnlineSafety bill; with @DamianCollins, @paullewismoney & @kuriouskaf
2021-11-14 11:30:47+00:00
So a friend who works in big-name consumer fraud mitigation angrily pointed me to this week’s episode of Money Box on Radio4:
Money Box has fresh revelations about criminal websites on the open internet. Two weeks ago we told you about the websites on which crooks buy and sell your confidential financial information. This week, Money Box reporter Kaf Okpattah has found another website which sells a do-it-yourself tutorial explaining how to bypass banking security by intercepting one-time passcodes, in order to steal money from accounts. The government is proposing an Online Safety Bill – but will it stop criminals taking our cash? We hear from Damian Collins MP, Chairman of the parliamentary Select Committee looking into it.
https://www.bbc.co.uk/sounds/play/m0011jwx — Click through to play the episode; it’s the first item, 9 minutes long.
Reporter Kaf Okpattah reports how criminals are stealing people’s credit card details and are placing orders for items using [e.g. your] payment details, inevitably running into the now-obligatory “3D-Secure 2.0” SMS passcode check.
What happens next is that the crooks use number-spoofing tech to phone the victims and socially engineer the SMS passcode out of those victims, which they then use to confirm the order, defraud the vendor, and steal money from the victims.
So far there is (regrettably) nothing surprising about this, at least not to the average worker in information security and fraud prevention, or at least fraud reduction. There are legion issues with SMS passcodes, and as with the last few thousand years of history there is no way to protect a user who is open to being actively misled.
However: where it all goes wrong is that the Money Box team decides to blame this all upon the fact that there’s a website on the internet which tells people how to do the bad things, and which provides number-spoofing as a service.
Nothing about “maybe number-spoofing needs to be locked-down” or perhaps “caller-id should be switched off because it is being used to mislead people into false trust”; nothing about educating people to “take (continued) care when people call you out of the blue saying that they are your bank.”
This is bad. The problem is not that there are people who know how to do bad things. The problem is not that there are websites which explain or facilitate this. No amount of effort on earth is going to drive out the knowledge of “how to do a badness” and thereby stop the badness; otherwise we could prevent all murder by erasing it from the public consciousness.
The problem is that the systems and people are exploitable, and that false trust is fostered by those systems. This needs work, because it is a social-and-tech issue, and it is probably best treated as more like a public health issue than a censorship issue.
Oh yes, and I do mean censorship; according to MoneyBox the problem also lies with “search engines” (Google, DuckDuckGo, Yahoo, Microsoft, …) for letting people look up how to perform this sort of fraud or how to access the services which facilitate this sort of fraud… as opposed to seeing this visibility as somehow useful for education.
This episode is entirely contrary to good security thinking as practiced by actual corporate and enterprise security experts and therefore it’s entirely expected that Damian Collins MP rides in on a white horse, to pitch the Online Safety Bill which — with the wave of the magic wand of regulation — will somehow fix this, by removing “illegal and harmful content from their systems”.
NARRATOR: “Regulation has never and will not fix the problems of people wanting and knowing how to commit fraud, nor of victims being apt to fall for it”
Paul Lewis presses Collins that the Online Safety bill does not refer (?) to frauds and scams as “illegal and harmful”, and Collins talks about “improving” the bill — but that’s not the point.
The point is that this package is entirely wrong-headed; I don’t know whether to blame Paul Lewis, Kaf Okpattah, or someone else entirely for this, but — excuse caps for emphasis — CENSORSHIP IS NOT THE WAY THAT YOU GET GOOD SECURITY.
The best disinfectant is fresh air and sunlight, in this case; trying to put a lid on the matter and drive it underground will just cause it to fester, unseen.
And it is not, and should not be, the job of social media sites and search engines to prevent people from learning that this kind of exploitation is possible.
[1] URL:
https://alecmuffett.com/article/15437
[2] URL:
https://creativecommons.org/licenses/by-sa/3.0/
DropSafe Blog via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/alecmuffett/