Mr. Marino has been a tremendous resource for me and for all of the members of the North Carolina Electronic Crimes Task Force for many years. His willingness to share his decades of experience in the fields of electronic crimes investigation and in personal protection has been invaluable to the entire task force. He has been an excellent example of how beneficial it can be for non–law enforcement members to take the time to get to know and learn from these senior federal agents. Let's ask him a few questions so you can get to know him.
Low tech hacking interview with Tony Marino, U.S. Secret Service (retired)
Jack: Give me your best low tech hacking war story for how the bad guys might be using low tech tools and social engineering skills.
Mr. Marino: There may be several examples of basic low tech methods of attacks that utilized social engineering as the main ingredient in the application of an attack. The one I will recount here I found interesting because there was a perfect storm in effect that allowed the success of the attack. I will not divulge the parties that were victimized in this scheme, but I can say that the vulnerability has been remedied through hardware upgrades, internal procedures, and the advent of know-your-customer regulations that have been adopted.
• The background of this attack centered on a flaw in the design of a specific brand and model of ATM machine.
• The individuals exploiting the flaw obtained the information from the company involved in the manufacture of the equipment. The flaw was that a transaction could be canceled up until the moment that the customer physically pulled the bills from the dispenser. However, if the bills in the middle of the dispenser could be extracted, leaving the top and bottom bills, you could cancel the transaction, and the bills were placed in a transaction canceled bin without the number of bills being counted. The machine in effect presented the currency into view and allowed tampering with a check that the number of bills recycled into the bin was the number initially dispensed. The individuals who perpetrated this scheme traveled around the country to conduct the fraud.
• The last component was a convenience procedure in place at the particular financial institution in which a canceled transaction at the ATM did not affect the availability of funds for withdrawal on that date.
The enterprising criminals simply opened an account at the large financial institution with cash in an amount slightly above the daily withdrawal limit. They obtained a temporary ATM card, then after the branches had closed for the day, drove up to the ATMs, asked for the daily maximum they could withdraw, extracted the bills from the center of the stack, and canceled the transaction. They then repeated the process, usually staying at the same ATM for hours, until the ATM had no more funds to dispense.
There are some other low tech social engineering schemes that come to mind. There was one where the subject used a phone book to come up with names and then called a major department store credit department posing as an associate of one of the stores. He would say he had a customer in front of him who forgot his credit card and would provide several addresses until he hit on an actual customer in the system. He would then use the information to make in-store and online purchases.
Jack: Do you think that the bad guys such as foreign spies and possible terrorists use many low tech tools for gaining access to critical information or locations?
Mr. Marino: I think it would be naïve to think that attack vectors would not follow low-cost, high-success paths. Over and over again we have learned of critical information, or access, obtained through the most low tech methods, the most basic of which is the propensity for human beings to willingly provide access or information to those not entitled to have it. It could be from the granting of excess privileges to someone within the organization with no need for the additional access or more nefarious schemes from those seeking intellectual property, financial data, national security information, or any other thing of value. Being able to gain information socially has been around probably since verbal communication was invented. I would call it, if it has not already been called this, “the art of the talk.” Skillful communication most often results in gaining pieces of information that are key to success in whatever line of business or social environment that we humans engage in. So it comes as no surprise that skilled criminals use these same skills of social engineering to advance their schemes. It also comes as no surprise that often when more sophisticated attacks occur they are conducted using already identified weaknesses. There is sometimes this misconception that in order to be successful the criminals have to do expensive engineering to target my enterprise. In fact what most often transpires is that they either go for the weakest link, the human being, or they use already available tools.
From an enterprise perspective an attack may simply consist of a call to an employee getting them to relinquish logon credentials or could involve having them take an action that infects their system with malware. Even with good procedures and practices in place an enterprise may be only as safe as how well their employees adhere to these policies.
The attack may also take the form of harvesting public information on the systems in use and using known vulnerabilities to gain access. Unknowingly providing too much information on our systems provides a clear blueprint for a possible compromise.
Closer to home and directly related to us as individuals, I can think of many examples where in spite of wide-scale public education programs and public media articles, both print and television, people still fall prey to low tech schemes, many coming in the form of what is termed 4-1-9 advance fee fraud. To briefly recap what 4-1-9 stands for, it was the criminal code section in Nigerian criminal statute that addresses these financial schemes. These schemes, meant to extract financial payment from the victims, are probably hundreds of years old. Our modern communication methods have just made them cheaper and easier to perpetrate. There are a variety of schemes, the complexity of which is fairly basic, but the results are the same: to extract funds from the victim utilizing social means. Common variants are using a counterfeit check for purchase of an advertised item or for payment of a required fee to receive funds being secreted from a faraway country, lottery winnings, to receive an inheritance, romance angle, fraud recovery, job offers, just to name a few. Victims come from all social, educational, and economic backgrounds. However, they all share the same component, which is that they have to willingly take the action of sending money or goods to the criminal.
Jack: In Chapter 1, I showed a picture (Figure 1.12) of a portable credit card reader that I found at a flea market. I have been amazed at the number of people that I meet who have been victims of credit card fraud. Do you have any recommendation for people regarding the low tech threat of skimming that seems to continue to grow?
Mr. Marino: There is always the obvious: do not let your credit card take a stroll with another person. Skimming is still an extremely effective and profitable activity. The variety of devices that can be deployed are now leveraging multiple technologies, including Bluetooth, for rapid compromises of affected accounts. Where once we were more likely to encounter a handheld device used at a restaurant or similar establishment to harvest accounts, we now have devices that are specifically customized to particular point-of-sale locations. The effectiveness of this cannot be overlooked. The customer has a certain level of trust that the ATM machine at their local branch, the gasoline pump, or grocery store point-of-sale terminal is secure. Unfortunately this is not always the case. Skimming parasites have been deployed at all these locations in spite of inherent security measures in place. I do not mean to scare people away from using technology in completion of a transaction and reverting back to cash, but instead to use measures that will significantly reduce the probability of becoming a victim. You notice that I said “reduce the probability.” I meant to say that because there truly is no way to completely eliminate the risk. Technology alone has yet to completely eliminate the deployment of skimming parasites. From a technology perspective in the United States we still use legacy credit card technology. By this I mean that point-of-sale terminals at the millions of businesses in the United States are not capable of reading more advanced card data such as found in embedded chips in credit cards used throughout much of the world. These cards usually require a PIN entered by the customer that authenticates the user at the time of transaction. Bringing all these legacy systems up-to-date is expensive for business owners. I will also note that these systems in use throughout Europe are not the magic bullet because other vulnerabilities can still be exploited.
Skimming to a certain degree is still an activity that succeeds in part on the ability of the criminal to socially engineer our actions. If you wonder why I make that statement it is because during the use at an ATM machine or a point-of-sale terminal where the card never leaves our possession we tend to relax. We come to believe and have faith that the transaction is secured. To a large degree it is secure, after the card data leaves the terminal, that is. However, if I inject a skimmer right here, at the card swipe location, you do the skimming for me and I simply intercept your transaction. Remember when I said earlier that the devices are customized?
Skimmers may be manufactured specifically for the specific target, whether to be inserted into a point-of-sale terminal or gasoline pump or made to go on top of a legitimate reader such as on an ATM. They may come in the shape of false fronts that can be placed over a legitimate ATM machine with an incorporated camera that, via Bluetooth, will transmit first the card data, and also the PIN code, to someone or something nearby. I would suggest that when you walk or drive up to an ATM, examine your surroundings. Do so not only for someone “shoulder surfing” (a “shoulder surfer” is a person who attempts to intercept your PIN simply by looking over your shoulder as it is keyed), but also for an ill-fitting face on the machine or a small pinhole. Why not use one hand to cover the numbers on the PIN pad while you enter your PIN?
Safeguarding oneself against an embedded skimmer in a point-of-sale terminal, or against the use of wireless technology (encrypted or not) by the merchant to pass the credit card data to their system, is a much more complicated issue. We can ask questions of the merchant, we can choose to use a credit card with a strict limit, we can use gasoline company only credit cards at the pump, and of course we can follow all the steps recommended by the Federal Trade Commission in the publication “Take Charge,” securing your good name, which include opting out of pre-approved credit cards and monitoring of your credit history through the free yearly reports available from each of the three (3) credit reporting companies.
Jack: You know that I have been a firm believer in the value of groups (not technically associations) like the Electronic Crimes Task Force started by the U.S. Secret Service. Tell us how the Electronic Crimes Task Forces got started and when.
Mr. Marino: I am very proud of my service with the Secret Service. I truly feel that it is a great organization rich in history and tradition. The Secret Service is an agency not only responsible for the security of the President and his family, the Vice President and his family, former Presidents and their spouses, and foreign Heads of State while visiting the United States, but also in safeguarding our financial infrastructure. Every law enforcement officer, state, local, or federal, I am sure is equally proud of their service and importance of their duties, and well they should be. However, what I truly loved about the Secret Service was that it relies on the expertise, cooperation, and goodwill of other law enforcement professionals and private sector partners to accomplish its dual role mission. In the investigations arena, this is so very evident in the Electronic Crimes Task Force initiative. Born out of an experiment by the New York Field Office to eliminate some traditional mistrust between law enforcement and those in academia and the private sector, it rose to life in the aftermath of September 11th. The Secret Service office at 7 World Trade Center was destroyed during the attack, and immediately offers of assistance came from their academic and private sector partners. The benefits of these relationships cannot be overstated. So much so that the Bush Administration took note and mandated as part of the PATRIOT Act that the Secret Service continue and expand on the Electronic Crimes Task Force initiative.
The office to which I was assigned in the aftermath of September 11th was one of the initial offices to expand on this model. The number of private sector companies that participated is too many to individually name here, but it encompassed individuals and companies from financial institutions, energy, telecommunications, technology companies, and many more. Today throughout the United States and Europe the Secret Service has approximately thirty (30) such task forces with representatives of all the critical infrastructures, leading academic centers, and of course many state and local law enforcement partners. It is an initiative I was honored to participate in.
Here is some information about the U.S. Secret Service (USSS) Task Forces taken directly from the USSS website. If there is an Electronic Crimes Task Force in your location, I highly recommend that you join them. Here's the link to their web presence with links to the respective groups throughout the country: http://www.secretservice.gov/ectf.shtml.
“The concept of task forces has been around for many years and has proven successful. However, traditional task forces have consisted primarily of law enforcement personnel. The Secret Service developed a new approach to increase the resources, skills and vision by which local, state and federal law enforcement team with prosecutors, private industry and academia to fully maximize what each has to offer in an effort to combat criminal activity. By forging new relationships with private sector entities and scholars the task force opens itself up to a wealth of resources and communication. The agency's first Electronic Crimes Task Force (ECTF), the New York Electronic Crimes Task Force, was formed based on this concept and has been highly successful since its inception in 1995.
“While the Secret Service leads this innovative effort, the agency believes in partnerships with strong emphasis on prevention and education, in addition to traditional law enforcement measures. The task forces provide a productive framework and collaborative crime-fighting environment in which the resources of its participants can be combined to effectively and efficiently make a significant impact on electronic crimes. Other law enforcement agencies bring additional criminal enforcement jurisdiction and resources to the task forces, while representatives from private industry and academia bring a wealth of technical expertise and research capabilities.”
Jack: As you know, my business partner at TheTrainingCo., Don Withers, and I are certified Personal Protection Specialists (PPS), Nine Lives members, and graduates of the Executive Protection Institute. As a part of our training, we learned of ways to help prevent our protectees from becoming victims of low tech hacking exploits. Since most people won't ever have or need a personal protection detail, they will need to know how to protect themselves. Can you offer any personal suggestions from the protection side of your years of experience?
Mr. Marino: Personal protection is something that everyone should take extremely seriously. We are faced with many situations in which we assume nothing will happen and we take no precautions. The threats that exist are financial and physical in nature. Wearing a seat belt in our automobiles has not only become the law but a routine habit that most of us exercise every day and take for granted. However, some other behaviors may not come naturally. For instance, many of us travel routinely whether for work or pleasure, yet do we always take the time to familiarize ourselves with evacuation routes? To highlight what I mean I will use two examples.
The first is when we board an aircraft. During my career I boarded hundreds of airplanes, if not more. I notice how many travelers, probably because this is not their first flight, simply ignore the safety briefing; we all know how to buckle and unbuckle a seat belt after all. An early lesson learned in protection, personal or of a dignitary, is to train like we want to react and do not take anything for granted; prepare for the worst case scenario. I recommend that you pay attention to the briefing; planes are built differently, and emergency doors use different mechanisms. However, an additional detail that I focus on during the safety briefing is when the flight attendant states, “Locate the nearest exit, it may be behind you.” I not only locate that exit but I count the number of rows that are between me and the exit. I prepare myself, as should you, to maneuver in the dark by simply feeling the way in a cabin that could fill with smoke very rapidly.
The second example mirrors the first in that I repeat this same exercise when I check into a hotel, in this case by simply counting the number of doors from my room to the nearest emergency exit. To rely on a lighted sign at the ceiling level where smoke accumulates makes it extremely difficult in an emergency to orientate oneself to find the stairwell for quick evacuation. These are extremely basic measures that we will likely never have to use, but the one time that we are unprepared may be the last time.
There are also some very basic things that we can do to minimize the possibility of financial loss due to low tech hacking. The theft of personally identifiable information from the person of the victim is one of the most common attack vectors. Someone with the benefit of a personal assistant or physical security professional has safeguards and sometimes insulation between themselves and the general public. I recommend that under no circumstance should one ever respond with personal information to an unsolicited letter, telephone call, or email. Set limits for yourself as to the amount of information that is available on social media sites. When presented with the opportunity to opt out, do so. (Many “people search” websites that contain information about us allow you to opt out and have your information withdrawn, albeit with limited success especially in the case of state public records.)
Practice physical security considerations that assist in safeguarding your personal information. Minimize the possibility of becoming a victim of petty crime. We are most at risk, domestically and even when traveling internationally, of succumbing to a property crime such as presented by a pickpocket. The amount of sensitive personally identifiable information or access to financial resources that we carry should not only be minimized, but also should be compartmentalized and placed in a not easily accessible location. For me it means lose the “George Costanza wallet” (a reference to the Seinfeld show where in one episode Costanza's wallet was so full it made him sit on a slant and one day it exploded, sending all its contents into the street), maintain the minimum amount of information, minimum number of credit cards, never a social security card (unless you are on a job interview or starting a new job). If you travel internationally, keep your passport locked in the hotel safe and carry a photocopy instead. Many of the interactions that the U.S. State Department has with U.S. citizens abroad center on replacing a lost or stolen passport. Lastly, make sure that you maintain your personal financial belongings in a not easily accessible location, which may mean not in your back pocket or a purse slung over the shoulder.
For excellent training in the field of executive protection, visit the website for the Executive Protection Institute at http://www.personalprotection.com. I have made this statement at briefings and presentations for many years: “If you don't have your own personal protection team (and few people do), you need to at least understand what a protection detail would be looking at while protecting you and your family, and do as much of it as you can for yourself.”
Jack: I'd like to ask you one final question about the growing problem of identity theft. I suspect that much of that involves some form of social engineering and other low tech hacking exploits used to gain enough information to take over someone's identity. Is the threat continuing to grow in your opinion, and do you have any suggestions to help our readers avoid becoming a victim?
Mr. Marino: Absolutely, as I previously mentioned the theft of personally identifiable information is very common and very profitable as well. The Federal Trade Commission (FTC) maintains the statistics on the number of victims of identity theft and the sheer numbers, their estimate is nine (9) million Americans are victims each year, are in my opinion staggering. I also have to believe that to a certain extent these numbers under represent the actual number of victims. Many people are not aware that should they be a victim of identity theft it should not only be reported to the police jurisdiction in which they live, but it should also be reported to the FTC as the central depository of the information.
We hear in the news about a large database compromise at a particular location and start to think that is where the problem lies. The truth of the matter is that low tech hacking and social engineering attacks are extremely effective and require little to no technical skills. A great location to scour for information is what we place on social networking sites. You may be thinking, “but my site is private.” Password strengths vary by the individual, no different than the lock we choose for our own home. If the password, or lock, is weak the criminal can enter your home or enter your computer and can become in essence the user or the “man in the middle” (“man in the middle” refers to a computer attack whereby the criminal sits in between the two intended users and controls the conversation or session). Besides the lock or password controls, risky web surfing habits can expose the user to any number of system vulnerabilities. The technical skill needed to deploy that vulnerability is really zero; you can buy off-the-shelf software tools (programs). So you see there are a number of ways that criminals could harvest entire address books in order to attempt social engineering attacks. The strength of any network, including our social networks, is only as strong as the weakest lock. One of the common attacks I have seen is where in this same scenario of the social network compromise, the address book was used to “spoof” (masquerade) an email pleading for cash, via a money remitter. The email appears to come from someone you know and they are pleading for funds because of an unforeseen travel emergency. Low tech, but effective, because of the human nature propensity to be trusting and helpful.
Make no mistake, however; methods used for identity theft are usually low tech, and unsophisticated. Though there may be variations to the schemes, the sources remain pretty constant. They include old-fashioned phishing attacks; theft of mail from our own mailboxes; rummaging through the trash; cold call pretexting, which is social engineering in the truest sense; and old-fashioned stealing of financial data by an insider with access or from our own person.
A lot of the power to protect us from identity theft resides with us. We can exercise good practices, some of which I mentioned earlier, and we can also exercise our own due diligence with tools at our disposal. The primary tool is our vigilance.
Jack: Thanks for always being there for us, Tony.