Gone Phishin’

You know what “phishing” is, right?  Ah, ah, ah!  Not all of you know or this wouldn’t still be the number one tool for hackers engaged in electronic fraud.  If you’ll allow me…


Phishing is when an ill-intentioned person tries to trick you into giving them personal information that can later be used in innumerable ways to screw you financially.  They “phish” for a person’s information by casting out untold thousands, even millions, of emails, hoping to trick just a few people into falling for the con.  This is also called “social engineering”, primarily when these attempts happen on the phone or even daringly in person.

In the early years of phishing, criminals used tactics like instant messaging systems to impersonate your Internet Service Provider (ISP), saying that they need your credit card number to keep you account open and if you don’t provide it right now, your Internet service will be cancelled in five, four, three, two…  Instant messaging cons still appear once in a while, but they are becoming easier to track, so most professionals have moved on.


Then there was email, using craftily written messages and anonymous re-mailers, asking for things like your bank account numbers and social security number etc, to commit identity theft or transfer your savings to their account in the Bahamas.

The current, wildly successful scam is to send an email, impersonating your bank or credit card company, saying that all your account info needs to be updated/verified.  The email will contain a link that says something like “www.citibank.com”, but actually takes you somewhere else.  Regardless, the web page is the spitting image of your credit card web site.  The only clue that this is not the true web site is the URL will be ever so slightly different (citi-bank.com or cittibank.com or whatever), but this doesn’t matter.  The URL could be “boogereaters.com” and the victim won’t know, because if they were naïve enough to click the link in the first place, they probably won’t be wise enough to verify the URL.  This fake web site will have a lengthy form asking for full name, account numbers, social security number, bank name, bank account numbers, passwords, PIN numbers, security questions, the whole lot.  Once the rube dutifully inputs all this information and presses “Submit” they are whisked to the genuine main page of the institution in question, never the wiser.  The penny drops when their bank accounts are cleaned out, their credit cards maxed out and collectors are calling and visiting demanding payment for the private jet you chartered to Bermuda, with a Ferrari in the cargo hold.

Why am I currently fixated on this subject?  Because I live in Romania, among some of the most talented hackers in the world.  Why are there so many hackers in Romania?  Because of the current job atmosphere.  Sadly, it is still very common for bosses to hire their nephew or the girl with the biggest tat-tas that will put out for their IT specialist position, rather than someone with a computer science degree.  After four years of brain damaging schooling, the best jobs many of these computer scientists can get is waiting tables or washing cars.  After a few years of this, they become understandably pissed off and turn to crime.


These guys are fantastically smart, resourceful, fearless and, ahem, cunning linguists allowing them to comfortably run scams in four languages or more.  Yet, it still ain’t easy work.  They have to decide what institution they are going to target, build the cloned web site, compile lists with millions of email addresses, compose an artistically perfect phishing email and send it out.  The thing is, these guys don’t really know who banks where yet, so they have to send out hundreds of thousands of emails just to hit a few people that actually do business with the institution they are impersonating.  From that tiny group, only one in 100 or so will be naïve, inattentive or drunk enough to follow through and fill out all the information on their fake web site.  The hackers take this info and, among other schemes, burn their very own bank cards, visit every ATM in town and clean out the victims.  It takes several days of work and hundreds of thousands of emails to get one hit.  But that one hit can be huge, paying off in thousands of dollars before either the individual or their institution intervene.

Unfortunately, several of these naïve, inattentive drunks bank at my bank and they have been hit hard and my bank has responded by instituting a full ATM blackout in Romania.  My card has been useless for months.  I have been living off monthly Western Union transfers.  This has been fine while I am at home here in Iasi, but when I hit the road for long-haul LP research I am going to be in a bit of a pickle.  I can’t afford to linger in one town for several days waiting for a Western Union transfer and I am really adverse to living off credit card cash advances, with fees that could buy me a week of groceries here in Romania.
There’s nothing to be done about it, but being personally involved and having medium-level expertise in this area (all that knowledge acquired during my Federal Reserve years does have real world applications!), I’ve decided to provide this public service.  Your bank/credit card company/PayPal/whatever will NEVER accost you and ask you to send any personal information through email or their web site or whatever.  If you make primary contact them via email (like I did when I first discovered that my card was no longer working) or on the phone and try to do some business, they might ask a few security questions, particularly if you are calling from an electronic fraud hotspot like Romania, but this will be limited to “what was your mother’s maiden name” or “what are the last four digits of your social security number.”  They will never ask you for your password or your PIN number or your full social security number.

Finally, whether your on the road or at home, there are basic precautions everyone should take with their personal information and finances.

     

  • Never carry all of your ID, cash, or sources of cash, in one wallet, purse, moneybelt or backpack.  Split it up logically, and securely. 
  •  

  • Write “see photo ID” on the signature line on the back of your credit card next to your signature (or the common abbriviation “CID”).  This is to signal merchants to not complete a purchase without a valid photo ID. Of course, your typical 16 year old at McDonald’s probably won’t have the wherewithall to follow through on this, but hopefully the guys at the Porche showroom will.
  •  

  • If you have to write down passwords or PIN numbers, do not keep them in the same place as the access mechanisms (cards, computers), including important passwords in your desk at home.  Lock them in a safe or firebox or buried under dirty underwear in another part of the house or something.
  •  

  • Your wallet/purse/moneybelt should be in you possession or locked up at all times.  Never laying on the bed, even for a second, or flung over the bedside chair when you stagger in drunk and pass out.  This applies to both hostels and top hotels.
  •  

  • Go to ridiculous lengths to shield your doings while at an ATM.  Use your body to block sightlines, be rude and insist that people standing too close back off, stay hunched over the machine until you have packed away all cash, cards and receipts, even if there is a long line of huffy people behind you.
  •  

  • Lastly, people please, treat PIN numbers and passwords like they are your life savings, because they provide access to the same.  No one needs them ever.  Not your bank, not your friend, not your grandmother, not your priest, no one.  It’s not that these people will rob you, but you have no assurance that they will institute the same level of security with your information as you do.

Thank you.  Now go forth and don’t be idiots.