Software developer, cyclist, photographer, hiker, reader. I work for the Library of Congress but all opinions are my own.

When Bank Communication is Indistinguishable from Phishing Attacks

You know how banks really, really want to avoid their customers falling victim to phishing scams? And how they put a heap of effort into education to warn folks about the hallmarks of phishing scams? And how banks are the shining beacons of light when it comes to demonstrating security best practices? Ok, that final one might be a bit of a stretch, but the fact remains that people have high expectations of how banks should communicate to ensure that they themselves don't come across as phishers:

So... banks will never do things that look like a phish? When I saw this last week, I first had a little internal chuckle then quickly decided I need to share 3 examples that show just how far off the mark this really is. I'll start with NAB since they appear in the tweet above and they very helpfully sent me some material on "how to spot a suspicious message" only a few months ago:

Just great. This was a legitimate email sent from NAB. I contacted them about it to highlight the hypocrisy and they confirmed that it was indeed intentional. Well, everything except for the typo.

Further, it was only while writing this post that I realised the entire body of the email violates the first bullet point too:

So that's NAB, let's move onto St George.

It was a few years ago now, but I remember the call quite clearly. It began with a concealed number followed by a long, drawn-out silence after I picked up the line. Eventually, a foreign accent came across what was obviously a VoIP call and said:

Hi, this is St George, we'd like to verify your details before we proceed, could you please confirm your date of birth?

Ah, cheeky phisher! But I'm prepared for this sort of thing, so I turn the tables and ask them to instead confirm their identity first:

But we're your bank!

Yeah, right. Click.

The next day we do the same dance, but my patience is more limited. I suggest that I should call them back via the number on the St George website which, in my view, would verify their authenticity.

Oh, don't use that number, let me give you the correct number.

Nope. Click.

The next day it's the same thing again so I call them on it - I think this is a scam. It has all the hallmarks of a scam plus it's persistent so I'm going to call St George and report it. So I did, upon which they advised my account was overdrawn and they'd been trying to contact me for days. FFS...

But there's also a fun story off the back of the St George situation: I previously had some investment property loans with them and the account that was overdrawn was a savings account they took an annual fee out of for the financial package I was on. After learning that the callers were indeed actual St George operators, I lodged a formal complaint, spoke with a customer service operator and they summarily took a decent slice off my interest rate!

There's a supremely simple way of banks handling this situation and it was demonstrated by AMEX shortly after the St George incident when they called to verify an unusual credit card transaction. We did the "we want to verify you", "no I want to verify you" dance after which they simply said, "turn over your card and call us on the number on the back". How easy is that?!

Then there's ANZ who decided to announce their new app via email:

The problem should already be obvious - they're sending an email with a link and asking customers to click it and install the thing at the other end of that link. Isn't this what NAB was warning us about - "download of data"? Tell you what, let's do that super tricky ninja thing of very carefully holding a finger down on the link then inspecting the URL it goes to:

Yeah, nah. Not. Legit. Not only is it an insecure URL, WTF is! But hey, YOLO, let's see how weird this thing gets:

Oh yeah, that's totally legit! At best it's Adobe Analytics, at worst it's just someone bouncing victims through redirects for god knows what purpose. Except that again, this was actually a legitimate email from ANZ. A terrible email, but intentional in every way.
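A defender's version of the "hold a finger down and inspect the URL" check, as an added example rather than anything from the original post or from the banks named in it: a small Python triage function that flags the red flags the post calls out (a non-HTTPS link, a host outside the bank's own domain, and a query string carrying another URL, the classic tracking-redirector shape) and goes a little beyond the post by also catching bare-IP hosts and credentials embedded before an "@". The trusted domain `bank.example` and the sample links are constructed placeholders; no real bank domain appears.

```python
import ipaddress
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed placeholder for the bank's real registered domain(s).
TRUSTED_DOMAINS = frozenset({"bank.example"})


def _within_domain(host: str, domain: str) -> bool:
    """True if host is the domain or a proper subdomain of it (label boundary respected)."""
    return host == domain or host.endswith("." + domain)


def _carries_url(value: str) -> bool:
    """True if a query value is itself an http(s) URL, i.e. a redirect target."""
    return unquote(value).lower().startswith(("http://", "https://"))


def triage_link(url: str, trusted_domains=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable findings for a link found in a bank email.

    An empty list means none of the checks fired; it does not mean the link is safe.
    """
    findings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")

    # The post's first complaint about the ANZ link: plain http instead of https.
    if scheme != "https":
        findings.append(f"insecure scheme: {scheme or 'none'}")

    if not host:
        findings.append("no host in URL")
    else:
        # Bare IP addresses are not how a bank publishes its services.
        try:
            ipaddress.ip_address(host)
            findings.append("host is a bare IP address")
        except ValueError:
            pass
        # Suffix matching on label boundaries: bank.example.attacker.invalid must not pass.
        if not any(_within_domain(host, d) for d in trusted_domains):
            findings.append(f"host '{host}' is outside the trusted domains")

    # user:pass@host makes the eye read the wrong hostname; flag it.
    if parts.username is not None:
        findings.append("credentials embedded before '@' in the URL")

    # The post's second complaint: a tracker that bounces the reader through redirects.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if _carries_url(value):
            findings.append(f"query parameter '{key}' carries another URL (redirector)")

    return findings


def demo() -> dict:
    """Constructed sample links of the kinds the post describes."""
    samples = [
        "https://www.bank.example/app",
        "http://t.mailtrack.invalid/c?u=https%3A%2F%2Fwww.bank.example%2Fapp",
        "https://bank.example.attacker.invalid/login",
        "https://192.0.2.10/login",
    ]
    return {u: triage_link(u) for u in samples}


if __name__ == "__main__":
    for link, findings in demo().items():
        print(link)
        for f in findings or ["(no findings)"]:
            print("  -", f)
```

The point of the function is the same as the post's: a genuine bank link that trips these checks is indistinguishable from a phish by inspection alone, so the sensible default is to treat it as one and go to the bank's site or app directly instead of clicking.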

So no, you can't trust banks to communicate in ways that don't appear suspicious. Unfortunately, where this leaves us is that we need to throw a bunch of the intentional bank comms into the same junk folder as the outright malicious phishing attacks because very often, they're simply indistinguishable from each other.


How FedEx Cut Its Tax Bill to $0


FedEx’s financial filings show that the law has so far saved it at least $1.6 billion. Its financial filings show it owed no taxes in the 2018 fiscal year overall. Company officials said FedEx paid $2 billion in total federal income taxes over the past 10 years.

As for capital investments, the company spent less in the 2018 fiscal year than it had projected in December 2017, before the tax law passed. It spent even less in 2019. Much of its savings have gone to reward shareholders: FedEx spent more than $2 billion on stock buybacks and dividend increases in the 2019 fiscal year, up from $1.6 billion in 2018, and more than double the amount the company spent on buybacks and dividends in fiscal year 2017.

A spokesman said it was unfair to judge the effect of the tax cuts on investment by looking at year-to-year changes in the company’s capital spending plans.


Official Monero website is hacked to deliver currency-stealing malware


The official site for the Monero digital coin was hacked to deliver currency-stealing malware to users who were downloading wallet software, site officials said on Tuesday.

The supply-chain attack came to light on Monday when a site user reported that the cryptographic hash for a command-line interface wallet downloaded from the site didn't match the hash listed on the page. Over the next several hours, users discovered that the mismatching hash wasn't the result of an error. Instead, it was an attack designed to infect GetMonero users with malware. Site officials later confirmed that finding.

"It's strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries," GetMonero officials wrote. "If they don't match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason."

An analysis of the malicious Linux binary found that it added a few new functions to the legitimate one. One of the functions was called after a user opened or created a new wallet. It sent the wallet seed—which is the cryptographic secret used to access wallet funds—to a server located at node.hashmonero[.]com. The malware then sent wallet funds to the servers located at node.xmrsupport[.]co and 45.9.148[.]65.

A malicious Windows version of the CLI wallet carried out an almost identical attack sequence.

At least one person participating in a Reddit forum claimed to have lost digital coins after installing the malicious Linux binary.

"Roughly 9 hours after I ran the binary a single transaction drained my wallet of all $7000," the person wrote. "I downloaded the build yesterday around 6pm Pacific time."

The user said at the time that it wasn't clear if the malware carried out other nefarious actions on the computer itself. The person made a copy of the malware available for download so that researchers can analyze the code. Under no circumstances should people run this binary on anything other than a test machine that has no access to cryptocurrency wallets.

GetMonero's advisory didn't say the site was compromised or if the vulnerabilities that led to the hack had been fixed. Users should stay apprised of this breach in the coming days.

In the meantime, people who want to verify the authenticity of their Monero CLI software can check here for Windows or here for more advanced users of Windows, Linux, or macOS.

The incident is a graphic reminder why it's crucial to check cryptographic hashes before installing software. The links in the paragraph above this one explain how to do that.
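The check the advisory asks users to perform, written out as an added example (not from the Ars article or from the GetMonero project): stream a downloaded file through SHA-256, parse a sha256sum-style hash list, and compare in constant time. The file contents and the hash list are constructed stand-ins. One caveat the incident itself illustrates: a hash published on the same page as the download is only as trustworthy as that page, so the reference hashes should come from an independent channel (a signed hashes file, a mirror, or a copy saved before the download) rather than the page you just fetched the binary from.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so large binaries don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hashes_file(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <filename>', optional '*' binary marker).

    Blank lines and '#' comments are skipped. Returns {filename: hex_digest}.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        table[name.strip().lstrip("*")] = digest.lower()
    return table


def verify_download(path, expected_hex: str):
    """Return (matches, actual_hex). Comparison is constant-time and case-insensitive."""
    actual = sha256_file(path)
    matches = hmac.compare_digest(actual, expected_hex.strip().lower())
    return matches, actual


def demo() -> dict:
    """Constructed scenario: a legitimate 'binary', its published hash, and a modified copy."""
    with tempfile.TemporaryDirectory() as d:
        legit = Path(d) / "monero-wallet-cli"
        legit.write_bytes(b"constructed stand-in for a legitimate wallet binary\n")

        # Reference hash list; in practice obtained out-of-band (signed file, separate mirror).
        hashes_txt = f"# constructed hashes file\n{sha256_file(legit)}  monero-wallet-cli\n"
        published = parse_hashes_file(hashes_txt)

        # The file a user actually received, with content that differs from the release.
        modified = Path(d) / "monero-wallet-cli.downloaded"
        modified.write_bytes(legit.read_bytes() + b"extra bytes standing in for a tampered build\n")

        ok_legit, _ = verify_download(legit, published["monero-wallet-cli"])
        ok_modified, actual = verify_download(modified, published["monero-wallet-cli"])
        return {
            "legitimate_matches": ok_legit,
            "tampered_matches": ok_modified,
            "tampered_actual": actual,
            "published": published["monero-wallet-cli"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    # A mismatch means: delete the file and download again; never run it to "see what it does".
```

The same shape of check applies to any release artifact, not only wallets: compute the digest locally, compare against a reference you trust for a reason other than "it was on the download page", and treat any mismatch as a stop, not a curiosity.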

1 public comment
Good thing there's a robust anti-fraud syst… oh, right.
Washington, DC

Bonkers pricing of “free” flu shots shows what’s wrong with US healthcare

Image: A chain pharmacy uses its sign to advertise flu shots. Regardless of the crazy pricing, you should get your flu shot. (credit: Getty | Bloomberg)

The annual flu shots that are free to those with health insurance are not immune from the convoluted and contemptible price-gouging that plagues the US healthcare system.

Health insurance companies pay wildly different amounts for the same vaccines depending on how negotiations go with individual medical providers across the country. In some cases, providers have forced insurers to pay upward of three times the price they would pay to other providers, according to an investigation by Kaiser Health News.

The outlet noted that one Sacramento, California, doctors’ office got an insurer to pay $85 for a flu shot that it offered to uninsured patients for $25.

Though $85 might seem like a trifling amount in the bloated scheme of the US healthcare system, such prices quickly add up as tens of millions of people receive a flu shot each year. And while the Affordable Care Act requires insurers to cover the full costs of all federally recommended vaccines, including the flu vaccine, any extra costs to insurers get passed on to patients through higher insurance premiums, economists told KHN.

Looking further at what insurers paid for flu vaccines, KHN found that costs spanned the whole range from $25 to $85. A doctor in Long Beach, California, got insurer Cigna to pay $47.53 for a shot, while a CVS in downtown Washington, DC, got $32 from Cigna for the same shot. A CVS just 10 miles away in Maryland got $40.

My insurance did a little bit better than those. My doctor’s office in the District of Columbia initially charged my insurer, Aetna, $35 for my flu shot, and Aetna paid them the negotiated rate of $24.50.

But that’s still significantly above federally negotiated rates. The Centers for Disease Control and Prevention negotiated a price just under $14 for the same shot. The agency reported a private-sector cost of around $18. Likewise, the Centers for Medicare and Medicaid Services pays out $18 for the vaccine.

Aetna paid around 35% more than that for my identical shot—and there was no way for me to know that before I got the shot. Hidden negotiated rates make it impossible for patients to shop around. And this isn’t just a problem for flu shots. Wild price variances occur for everything from diagnostic scans to surgeries.

“We don’t have a functioning health care market because of all this lack of transparency and opportunities for price discrimination,” Glenn Melnick, a health economist at the University of Southern California, told KHN. “Prices are inconsistent and confusing for consumers,” he added. “The system is not working to provide efficient care, and the flu shot is one example of how these problems persist.”


Ayahuasca alters brain waves to produce waking dream-like state, study finds

Image: A highly stylized drawing of kneeling people waving their hands. A sketch drawn by a study participant of visuals during their experience. (credit: Imperial College London/Chris Timmermann)

People under the influence of a psychedelic brew known as ayahuasca frequently experience vivid visual and aural hallucinations and also report feeling as if they are in a dream. Now a new study published in Scientific Reports has shown that the drug alters the user's waking brain-wave patterns to produce a mental state that the researchers describe as "dreaming while awake."

Ayahuasca is a bitter tea made from the Brazilian vine Banisteriopsis caapi, colloquially known as the "spirit vine," used in shaman-led spiritual ceremonies among native people in the Amazon basin. Its primary active ingredient is dimethyltryptamine (DMT). That's the secret to ayahuasca's powerful psychedelic effects, which can also produce feelings of elation and fear or a sense of epiphany or psychological breakthrough. Those mind-altering properties come at a price, however. Participants in the ceremonies are often advised to bring a bucket, since nausea and vomiting (and sometimes diarrhea) are common reactions to the tea.

The brain controls perception and communication throughout the body via chemical neurotransmitters. Each neurotransmitter attaches to matching areas on nerve cells known as receptors. LSD, for example, targets the brain's serotonin receptors. Ayahuasca contains a compound (banisterine) that latches onto dopamine receptors in the brain. (That's why banisterine holds potential as a treatment for Parkinson's disease, which destroys dopamine receptors.)

Several prior brain-imaging studies involving humans have shown that psychedelics disrupt normal brain activity and boost the random firing of neurons in the visual cortex. For instance, a 2012 study by David Nutt and colleagues at the Imperial College London's Center for Psychedelic Research (CPR) scanned the brains of 30 subjects (all experienced users of psychedelics) while under the influence of psilocybin—aka magic mushrooms. The lab then compared those scans to scans taken after the subjects ingested a saltwater placebo. The overall brain activity dropped in the so-called "default mode," a collection of highly interconnected neuronal networks that typically fire together when the brain is at rest. Psilocybin disrupted that synchronization, which could cause the dissociative aspects—the oft-reported, disintegrating sense of self or ego—of hallucinogenic drugs.

In 2016, Nutt et al. published the results of a second fMRI study, this time with subjects under the influence of LSD, compared with a placebo. Once again, there was less synchronization (overall brain activity) among neurons in the default mode. But the researchers also found that certain disparate regions of the brain that normally didn't communicate with each other did so under the influence of LSD, particularly the visual cortex. This could explain the vividly intricate hallucinations experienced by people tripping on acid. The effect appears to be separate from that of ego dissolution, however; it's possible to experience one without the other.

Yet another study the following year in Scientific Reports found a sudden increase in randomness in brain activity in subjects under the influence of psychedelic drugs. This is possible evidence for a heightened state of consciousness commonly associated with psychedelics. And earlier this year, a team of Swiss researchers used MRI imaging to follow the brain under the influence of acid. The results support the idea that hallucinogens cause the breakdown of the system that helps the brain keep track of which information is coming from the real world and which is generated by the brain itself.

As Ars' John Timmer reported in February, "Instead of a general flooding of the cortex, they found that a limited number of specific regions saw increased activity. This suggests the states induced by hallucinogens are distinct from states like anesthesia and sleep, which lead to widespread changes in the cortex."

The current paper is the most recent study out of the Imperial's CPR. The study involved 13 subjects fitted with EEG caps and electrodes to monitor their brain activity while being given an IV infusion of DMT. The team found that the DMT caused a marked drop in alpha waves, a mark of wakefulness, along with a corresponding brief increase in theta brain waves, indicative of a dream state.

Furthermore, while brain activity has been shown to decrease in subjects under the influence of psilocybin and LSD, the Imperial College researchers found more chaotic brain activity in subjects while under the influence of DMT. That might be why ayahuasca users report more vivid visual effects and a greater sense of immersion than is typically experienced with other psychedelics.

"We saw an emergent rhythm that was present during the most intense part of the experience, suggesting an emerging order amidst the otherwise chaotic patterns of brain activity," said lead author Christopher Timmermann. "From the altered brainwaves and participants' reports, it's clear these people are completely immersed in their experience—it's like daydreaming only far more vivid and immersive, it's like dreaming but with your eyes open."

Future studies could involve extending the time subjects spend on DMT to gather even more brain wave data, or subjecting participants to fMRI imaging while on DMT, as has been done already with psilocybin and LSD.

"It's hard to capture and communicate what it is like for people experiencing DMT but likening it to dreaming while awake or a near-death experience is useful," said co-author and CPR head Robin Carhart-Harris. "Our sense is that research with DMT may yield important insights into the relationship between brain activity and consciousness, and this small study is a first step along that road."

DOI: Scientific Reports, 2019. 10.1038/s41598-019-51974-4


Stephanie Grisham, Trump press secretary, faces backlash over claim Obama aides left “you will fail” notes - The Washington Post
