Fraud Numbers in Australia. Are we secure?

“UPDATE: Arno Brok, who works with me at Accenture, has just sent me this interesting article about a new credit card that is being developed and tested in Australia.

Thanks Arno!”

The Australian Bureau of Statistics published in June this year its Personal Fraud Survey, which was conducted between July and December 2007.

There are some very interesting numbers:

– A$ 615 million were lost due to credit card fraud in Australia last year;

– The median, or most common loss was A$ 450 per person, but the mean loss was over A$ 2,000 per person, and 3 percent of victims lost over A$ 10,000.

– 75.5% of people targeted reported the loss; and

– 57,800 of 383,300 people were defrauded by phishing scams.

It is the first time I have seen this type of information shared with the public. Banks around the world do not generally make their internal statistics on fraud public. One of the reasons is the potential loss of confidence from customers and the market.

It is as simple as that: banks and other businesses make multi-million dollar savings by automating services to customers. Those savings come, for example, from fewer staff and fewer branches/tellers. Also, many consumer retailers have moved into the online selling world, where you can save a significant amount by minimising stock and the costs related to brick and mortar stores.

For all of this to work, consumers need to be confident in using the system. A consumer will not send his/her credit card information online if he/she knows that it is going to be stolen and subject to fraud. Andrew Wallis, a Gartner analyst, said the following in the Sydney Morning Herald edition of 7 October 2008:

“It’s a classic thing. How do you get people moving into something? Well, you don’t tell them it’s dangerous. You don’t mention the negative side. You’ll extol the virtues and benefits”.

And that’s what banks have been doing. There is now a sense that online transactions are secure!

I beg to differ… if 5% of the Australian population aged 15 years and over suffered some type of fraud over the last 12 months, then I would say that it is not that secure. However, we do have to look at it from a risk point of view.

From the banks’ perspective: if they spent A$ 615 million, would they bring the amount of fraud in Australia to zero? Is it sensible to assume that A$ 615 million is the acceptable risk banks are willing to take, paying customers back (as they do) so that they keep their confidence in the system?

I’m not saying that banks should not invest in controls to address fraud. As a matter of fact, I think it is the right thing to do. One example is ANZ Falcon, which not only mitigates the risk of losses due to fraud but is also a marketing tool for ANZ credit card services. However, there is a limit to how far you can mitigate the risk – there will always be a residual risk.


From the customer’s perspective: all we are worried about is not losing money, so as long as the banks are paying for the fraud we should be happy.

Banks might not pay customers in some isolated cases of misuse; however, I believe that they will keep paying off most frauds as a cost of doing business, because the savings from automating transactions and increased credit card usage will cover most of these expenses.

Banks will also keep investing in fraud countermeasures, but the residual risk will always exist and, as long as the banks are paying for it, consumers shouldn’t be worried.


SaaS (Software as Service) Risks

There’s been a lot of discussion recently around Software as a Service, or SaaS. Although some may say it is a new concept, SaaS has been around for some time – since 2000, I believe – and used to be referred to as ASP, or Application Service Provider. The idea seems to be working well: IDC recently forecast that worldwide spending on SaaS will reach $10.7 billion by 2009.

The need for SaaS has evolved from the increasing licensing and maintenance costs of applications, which became prohibitive for some organisations. The cost of upgrades is also avoided, as the business model that SaaS providers operate involves a periodic (usually monthly) payment instead of traditional application licensing. Further to this, SaaS providers run the software on their own infrastructure (hardware, operating systems, network, etc.), avoiding other costs of infrastructure, datacenter operation and maintenance. Most SaaS providers also offer 24 x 7 technical support, physical and electronic security, and built-in support for business continuity.

Simply put, SaaS is nothing more than a pay-as-you-go outsourcing model where your internal application is hosted, managed, maintained and operated by a service provider across the Internet.

Of course, such an arrangement has its challenges: customers relinquish control over software versions and changing requirements; moreover, the cost of using the service becomes a continuous expense, rather than a single expense at the time of purchase.

SaaS also has the same fundamental risks as outsourcing, as the client data is stored and processed by a third party. There are some interesting articles and checklists available on the subject. Some of them include:

– Gartner, “Critical Security Questions to Ask a SaaS Provider”
– Financial Industry Shared Assessment Program (a third-party review questionnaire developed in the US to assess third-party service provider security in line with ISO 27002)

I have also written an article for SANS about outsourcing which might be helpful. You can find it here.

The key thing for organisations considering SaaS is to perform appropriate due diligence on the provider. This means that, in order to mitigate the inherent security risks of outsourcing, the organisation needs to get assurance over the SaaS provider’s ability to support business requirements and over the controls that exist in the provider’s environment.

There are auditing standards that can help, such as SAS 70, which gives some assurance and comfort over a third-party service provider’s controls. However, these are just a start when an organisation is considering SaaS and are not sufficient to ensure that business requirements will be consistently addressed.

For a comprehensive assessment, an organisation should consider a decent baseline. A good start is CobiT and APRA. Also, consulting companies such as <selling hat>Accenture</selling hat> have frameworks to perform such assessments for a fee. 🙂

Hope you find the post useful. I am still reading about the topic, so would appreciate your comments with your views on SaaS and experiences with providers.


Clean shaved photo

Dear all,

Second day of Movember and my mo is growing slowly. As promised, below is a clean-shaven photo from this Saturday, 1 November:

The Movember website wasn’t accepting donations for a while, but it is back online. If you can donate, please do at this address.

Thank you for your support!

All the best,



Movember is back!

I am not sure whether you have heard about Movember, an annual charity event held during November to raise money for men’s health – specifically prostate cancer and male depression.

At the start of the month guys register with a clean-shaven face. The Movember participants, known as Mo Bros, have the remainder of the month to grow and groom their Mo. Mo Sistas (ladies who support their guys or just love Mo’s!) also support the Mo Bros and help to raise funds.

So, during Movember (the month formerly known as November), I’m growing a Mo. That’s right… I’m going to look ridiculous but I believe it is for a good cause.

Men lack awareness about the very real health issues we face. There is an attitude that we have to be tough – “a real man” – and are reluctant to see a doctor about an illness or go for regular medical checks. Movember aims to change these attitudes and make men’s health fun by putting the Mo back on the face of fashion and in the process raise some serious funds for key men’s health issues, including:

– Prostate Cancer: because every year 2,900 Australian men die from prostate cancer and over 18,000 men will be diagnosed with prostate cancer.
– Depression in Men: because one in six men experience depression at any given time but most don’t seek help.

To donate to my Mo you can either:

1. Click this link and donate online using your credit card or PayPal account, or
2. Write a cheque payable to ‘Movember Foundation’, referencing my Registration Number 1421956, and mail it to:

Movember Foundation
PO Box 292
Prahran VIC 3181

Remember, all donations over $2 are tax deductible.

The money raised by Movember is used to raise awareness of men’s health issues and donated to the Prostate Cancer Foundation of Australia and beyondblue – the national depression initiative. The PCFA and beyondblue will use the funds to fund research and increase support networks for those men who suffer from prostate cancer and depression.

Hope you can contribute!


The Coolooli

This weekend I joined some friends to dive the Coolooli. The shipwreck is a bucket dredge that was sunk in 1980 as an artificial reef and now lies at 48 msw.

Trip from the Coolooli to Rose Bay Wharf plotted on a map

The wreck is located roughly in front of Dee Why Beach, in the northern suburbs of Sydney. It is a great spot for technical divers to train and a great start to the day.

I usually dive from the Scubaroo, the boat owned and skippered by our French friend Yves, one of the funniest skippers in Sydney. The ride to the site takes about 45 minutes, as it is approximately 8 miles from the pickup point at Rose Bay Wharf. The boat normally leaves at 6:45 in the morning, so I usually have to mind the drinks on Friday night.

The trip to the site is stunning, with the sun rising on the horizon and the sight of the heads while going outside of the Sydney Harbour.

The dive is always good, even when it is murky at the surface. The bottom rarely has less than 8 meters of visibility (I have dived there at least 5 times and never got less than that), with an average of 15 meters. As the wreck was cleaned before sinking, there is heaps of space for penetration. You can easily get in at the bottom and make your way through the wreck to exit close to the line at the shallowest point, around 36 meters.

Given the depth, I dive Trimix and recommend other divers do the same. Also, as decompression is required, proper tech diving training is strongly recommended. Further to this, a dry suit is a good idea, as the dive run time can be as much as one hour in 16°C water during the summer (it was 14°C at the bottom yesterday).

You can find more information about the Coolooli on Michael McFadyen’s website, which is a great source of general information about Sydney diving.

Also, I have embedded below a video from Andrew Cronan that was shot with the DiveFrontier crew. These guys are a group of GUE certified divers in Sydney who are involved in a number of interesting diving projects. But this is a topic for a future post… 🙂


Problem solved! No more foil needed in your pocket!

When I sent an e-mail to friends and colleagues about reactivating the blog, some of them wrote to me asking about privacy and RFID.

RFID wallet has a Faraday cage embedded in it!

While getting up to date on the topic I found something amusing. The “Think Geek” website is selling a “RFID Blocking Wallet”, which is like a normal wallet but with a Faraday cage embedded in it. This way any RFID chips in your credit cards or ID are protected against readers that might try to get personal information without your knowledge.

Although I am not buying one (I don’t have any RFID-enabled devices in my wallet), I couldn’t help finding it an interesting gadget for paranoid geeks. And don’t we all have a bit of paranoia and geekiness?

More info at the Think Geek Website

Update: They also have a passport holder that blocks RFID! This one seems a bit more useful to me! 🙂


Pissed off Engineer

One of the things that I hate about some professionals, such as doctors, IT professionals, lawyers and economists, is their tendency to talk about their areas of knowledge using very specific acronyms and terms, making simple concepts impossible to understand.

My father always said to me that a good professional can make complex things seem simple and easy. A good example is gymnasts, who make all those pirouettes seem very easy… as if they hadn’t spent weeks or months mastering each one of those moves.

When I first saw the cheque below, I wondered if this engineer wasn’t pissed off about the same thing. I loved the way he was mathematically correct and at the same time gave a hard time to whoever got the cheque (and the bank!).

Absolutely loved it! Hope you guys enjoy it as well…


Yes… I’m back!

Dear readers,

I was thinking about the reasons it took so long to post again and, besides arriving at the conclusion that having a blog is just too much work, I think that maybe focusing the blog too narrowly on Information Security might be the problem.

So I decided to give it a try and open up the topic a little. Maybe if this becomes a space to publish information about some of my passions, my posts will be shorter, more relevant and more frequent.

To start I have added a quick video from my trip to Truk Lagoon and Palau. As some of you might know, this is one of the top diving destinations in the world and I had the pleasure of diving some of the most amazing shipwrecks around.

Well… hope you enjoy it and welcome back to my blog!


SANS Conference in Sydney!!!

Hey guys,

SANS is coming to Sydney. It is a great opportunity to get good training with top instructors and cutting-edge technology!

I have attended two conferences in Europe and highly recommend them. If you want more info, you can click on the link below:

SANS Sydney Website




How easy is it to break WEP?

I would like to start this post with an apology. It’s been a little more than a month without any posts or updates. This is because I have just started a new job at Ernst & Young. Now I am part of the Security & Technology Solutions practice within the Technology and Security Risk Services group (which is part of Risk Advisory Services). Besides the “cool corporate names”, I am now working on Security Advisory, Pen Testing and eventually Audit. I am very proud to have joined the team and I can say that E&Y has an excellent group of professionals delivering first-class services! You can take a look at the group webpage at

Ok… enough “cheap marketing”…:)

I have been doing a little research on wireless. Everybody says that it is pretty easy to break WEP, and even though I know how it works I had never tried a “live” test.

I spent some time playing around with some different tools, including KisMAC (a kind of wireless Swiss army knife for Macs), airodump, aireplay and aircrack. I was a little surprised by the results.

40-bit WEP keys can be broken very easily. The main thing is that an attacker doesn’t need a lot of data packets (which are collected while a client is actively using the network) to perform an FMS attack (a statistical test that you can use to figure out the key). 128-bit keys, on the other hand, require quite a bit of traffic: an average of 700k to 1 million packets. To give you an idea, I tried to break a 128-bit WEP key on a Centrino 1.6 GHz laptop with 1024 MB RAM running BackTrack: with 500k packets, 47 minutes went by without finding the key. The same computer took 17 seconds to find the key with 1 million packets.

How much traffic is 1 million packets? The traffic capture was about 2.5 GB… an attacker can either wait for the user to download the latest episode of South Park over Kazaa (that will take a while – maybe a week) or inject packets into the network. Injecting packets means replaying an encrypted packet on the network and generating replies, since that packet is a valid one. These replies will be errors, but they will be “fresh” or “new” packets with new IVs, and thus valid for an FMS attack. The way you do this is by using attributes such as size to figure out whether a packet captured in transmission is prone to injection. The most common type is an ARP request, which is sent for example when a client makes a DHCP request. It is 68 bytes long. What you do is run a tool called aireplay that listens for 68-byte packets (you can virtually try to “guess” any packet, but ARP requests are a good choice because they are easy to find and every request generates at least two responses – one from the DHCP server and an error from the client) and, when one is captured, replays it on the wireless network.

To “force” a client to do an ARP request, an attacker can spoof a deauth packet from the AP to the client. The client will disconnect from the network and connect again, generating the ARP request that will be replayed. aireplay will capture that and replay the ARP request, making the client and the DHCP server exchange 2 packets for every packet aireplay injects into the network. You should be running a sniffer, either Wireshark/Ethereal or airodump, to capture all this traffic. In my tests, it took almost 1h30min to generate 1 million packets.
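The procedure above leaves two signals in the air that a wireless IDS can watch for: a burst of forged deauth frames to one client, and the same 68-byte ciphertext (same IV) repeated many times a second. The detector below is example code added to this post, not one of the tools named here; it runs over a constructed frame list, and the station addresses, timestamps and IV values are made up.

```python
from collections import Counter, defaultdict

# Constructed sample capture (not a real trace): one tuple per 802.11 frame.
# Fields: time in seconds, kind ("data" or "deauth"), transmitter, receiver,
# frame length in bytes, 24-bit WEP IV (None for management frames).
AP, CLIENT, REPLAYED_IV = "ap:00", "client:01", 0x1A2B3C  # hypothetical values

def build_sample_frames():
    frames = []
    for i in range(30):                        # honest traffic: a fresh IV on every frame
        frames.append((i * 0.5, "data", CLIENT, AP, 120 + i, 0x100000 + i))
    for i in range(12):                        # forged deauths, 12 in about half a second
        frames.append((20.0 + i * 0.05, "deauth", AP, CLIENT, 26, None))
    for i in range(40):                        # one 68-byte ARP frame replayed 40 times
        frames.append((21.0 + i * 0.02, "data", CLIENT, AP, 68, REPLAYED_IV))
    return sorted(frames, key=lambda f: f[0])

SAMPLE_FRAMES = build_sample_frames()

def deauth_bursts(frames, window=1.0, threshold=5):
    """Map (src, dst) -> peak number of deauth frames seen within any `window`
    seconds, for pairs that reach `threshold`. A real AP sends a handful of
    deauths a day; a dozen in a second is a forced reconnect."""
    times = defaultdict(list)
    for t, kind, src, dst, _, _ in frames:
        if kind == "deauth":
            times[(src, dst)].append(t)
    flagged = {}
    for pair, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):             # sliding window over sorted times
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pair] = peak
    return flagged

def replayed_frames(frames, min_repeats=10):
    """Map (src, length, iv) -> count for encrypted frames repeated verbatim.
    An honest station picks a new IV per frame, so the same IV on dozens of
    equal-length frames from one source is injection, not coincidence."""
    counts = Counter((src, length, iv) for _, kind, src, _, length, iv in frames
                     if kind == "data" and iv is not None)
    return {key: n for key, n in counts.items() if n >= min_repeats}

def iv_reuse_ratio(frames):
    """Fraction of encrypted frames whose IV had already appeared. WEP's 24-bit
    IV makes reuse inevitable over time, and a reused IV means reused RC4
    keystream; a jump in this ratio within seconds points to replay, not chance."""
    ivs = [iv for _, kind, _, _, _, iv in frames if kind == "data" and iv is not None]
    return 1 - len(set(ivs)) / len(ivs) if ivs else 0.0

if __name__ == "__main__":
    print("deauth bursts:", deauth_bursts(SAMPLE_FRAMES))
    print("replayed frames:", replayed_frames(SAMPLE_FRAMES))
    print("IV reuse ratio: %.2f" % iv_reuse_ratio(SAMPLE_FRAMES))
```

On a live capture the tuples would come from a monitor-mode sniffer such as the airodump mentioned above; the thresholds are starting points to tune against the normal deauth and IV-collision rates of your own network.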

Bottom line: I could crack WEP, but I had to use 2 laptops (one to capture the traffic – wireless card in monitor mode using airodump) and another to do the aireplay attack. aireplay needed a Prism chipset card (I had to buy one on eBay, couldn’t find it anywhere) to be able to reinject packets, and KisMAC didn’t work…

My conclusion is that WEP is vulnerable, but you have to be fairly skilled to break it. Not that a script kiddie can’t break WEP by reading the numerous tutorials on the web, but I doubt someone who is not a geek will spend the time to break into the neighbour’s network. We can have hackers war driving all around, but what is the point of doing that when internet access costs so little!? You would probably spend more on gas than on the internet bill…

Companies, of course, are another matter. But they can afford to have a RADIUS server with a decent authentication protocol running and thin APs that are manageable and upgradeable, meaning that they can upgrade to WPA/WPA2 easily.

Given those two scenarios I caught myself wondering what the big fuss about wireless security is. My impression is that we have achieved a reasonable level of security with the latest standards… at least for now…. 😀
