Wardriving cop warns of hackers in waiting

 

What kids post to social networks today could be used to steal from them tomorrow.

Online crooks are trawling the identities of children and teens through social networks, lying in wait for a payday when their victims turn 18 and get a credit card, a leading police cybercrime expert told a parliamentary hearing this afternoon.

Queensland Police Detective Superintendent Brian Hay told the House of Representatives standing committee on cybercrime today that although there was no evidence that online con artists were dealing in child pornography, it was his view that they were harvesting children's profiles in preparation for committing fraud against them.

"We haven't seen them [children] in the loss category yet because they don't have a lot to lose," Hay said.

"We know that crooks are out there harvesting identity data in social networks ... to build profiles of people."

"[Children] think they have nothing to lose [by updating their social media profiles] but they're surrendering their identity and that can come back to hurt them down the track."

Superintendent Hay has for several years warned of the dangers of online crime, even going as far as recommending the Queensland Police undertake 'wardriving' missions on behalf of the State's residents in the past.

Hay told the committee that online black-market bazaars traded in credit card numbers for as little as 8 cents each in lots of 100, or $7 a card for its full details.

"Sufficient card data and identification data to change the billing address of a card, that could be $70-$80 each but given that average loss is $3000 that's a very small investment."

When asked why Australians still fell prey to Nigerian scammers, Hay pointed the finger at how they were schooled.

"We've all grown up in an environment where we learnt by reading textbooks so we're conditioned to believe what we read," he said.

"When we meet someone personally we make a determination about whether they're credible and whether we believe them? But when we go online without realising it we've disarmed ourselves of our protective leanings."

Australians needed a more realistic appreciation of the "dark side of the internet" and to take responsibility for their use of it, he said.

That could include industry working with a national anti-fraud investigation agency to blackball suspicious internet addresses. Hay said an internet dating company was turning down about 2500 profiles a day, or 14 percent of those posted to its 23 romance sites, because they came from blacklisted or suspicious IP addresses.

"If we had a centralised national database that people could validate known IP addresses of fraudsters and started building up this information resource where people could test the waters - maybe red-light, green-light is this a known fraudulent IP I'm dealing with?" Hay told the committee.

"It could fit in something such as national consumer fraud organisation in this country but that detail would be up to far greater minds than mine."


Comments: 5
Mordd
Mar 17, 2010 5:08 PM
I like what Superintendent Hay has to say a lot of the time, and agree with most of it, but is he seriously alleging that a simple green light / red light system of marking IP addresses as safe / not safe is all that's really needed to make us more secure online?

Just to be clear Superintendent, you're talking about a white list / black list system right? There's many good reasons as to why something that simplistic doesn't work though for IP monitoring, when IPs are spoofed, come from botnet machines, etc... it's pretty easy to play the "you can't see my real IP address" game if you are one of these criminals trading in the data.

It's sad to see Hay dumbing down the solutions to these problems so much, when proper education is really the key, not some system that gives people an entirely false sense of security.
deonast
Mar 18, 2010 12:23 AM
Mordd, I think you are mistaken on one point. It is very unlikely that IPs will be spoofed. IP communications relies on a handshake. If I try to make a connection to your machine, it must reply to me; if my IP is spoofed, the reply would never come back and a connection can't be established. Fundamentally IP spoofing doesn't work as it breaks communications. You could sort of carry out a denial of service with spoofed IPs, I'd suspect, but this would not be relevant to identity fraud.
Mordd
Mar 18, 2010 3:52 PM
By spoofed I meant people using an IP proxy, etc... if a white list / black list would be such an effective solution, then why do people still get their details stolen? Same reason people still get infected by malware: a system like that cannot ever be real time, and can only flag threats after discovery, at which point the criminals move on. Apart from that, how many legit sites have been hacked recently and had malware inserted which users of the site then downloaded, sites which would always be whitelisted. Fake positives and false negatives, there's a reason a system like that has only very limited use, and moreover creates a false sense of security more than anything else.
deonast
Mar 18, 2010 8:31 PM
Ah, fair enough Mordd, a proxy would indeed work for that purpose, I hadn't thought about using that.
Mordd
Mar 19, 2010 2:27 PM
Yeh sorry I shouldn't generalise a term like "spoofed" when it does have a specific meaning lol, I was just using it as a generic "method(s) used to hide your real IP" as opposed to a "fake IP" which is what I was wrongly implying by using the word spoofed, you were right to call me on that lol.