Saturday, June 30, 2007

American Express phishing

Yesterday I received a promotional flyer from American Express Mexico to speed up the collection of membership rewards. Either I call by phone and ask for the promotion or sign up myself on the Internet.

The problem is, when you access the URL you're asked for your credit card number, no problem. I would give my number after checking the SSL certificate and double-checking that I'm at the correct American Express site; but wait a moment... I opened the page source in the Firefox browser to assure myself about the destination of my credit card data:

form name="forma1" action="http://extranet.ogilvy.com.mx/amexoptin/default.asp"

Am I wrong or is there a missing "s" after the "http"?

It's not the first time I've received promotional offers from American Express asking for my account number over the Internet without an encryption layer. Last time I was supposed to send my credit card number via e-mail (no encryption at all) and I would get 500 membership rewards.

Last time I wrote down "It seems that American Express is phishing... their clients"; now I'm pretty sure they are.
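
The check described in this post, as an added example that is not part of the original post: a Python script that parses a page's HTML and reports every form whose resolved action would submit over plain HTTP or to a host other than the page's. Only the name and action of `forma1` come from the post; the page URL, the field names and the second form are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the name and action of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":  # HTMLParser lowercases tag and attribute names
            a = dict(attrs)
            self.forms.append((a.get("name"), a.get("action")))


def audit_forms(html, page_url):
    """Return (form name, resolved target, reasons) for every risky form."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for name, action in parser.forms:
        # An absent action submits to the page itself; a relative one resolves against it.
        target = urljoin(page_url, action or "")
        parts = urlsplit(target)
        reasons = []
        if parts.scheme != "https":
            reasons.append("cleartext submission")
        if parts.hostname != page_host:
            reasons.append("posts to a different host")
        if reasons:
            findings.append((name, target, reasons))
    return findings


# Constructed sample: only forma1's name and action are taken from the post.
PAGE_URL = "https://promo.example/optin"  # placeholder, assumed HTTPS landing page
SAMPLE_HTML = """
<form name="forma1" action="http://extranet.ogilvy.com.mx/amexoptin/default.asp">
  <input type="text" name="card_number"></form>
<form name="search" action="/search"><input type="text" name="q"></form>
"""

if __name__ == "__main__":
    for name, target, reasons in audit_forms(SAMPLE_HTML, PAGE_URL):
        print(f"{name}: {target} -> {', '.join(reasons)}")
```

A padlock on the landing page only covers the page that was loaded; the form's action decides how and where the typed data travels, which is why the resolved target is checked rather than the page URL.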

Friday, June 29, 2007

Wardriving

About a month ago I was wardriving in the south of the city for a project at UNAM-CERT. I found a lot more networks than six months ago, when I did a Wi-Fi reconnaissance; most of the networks were totally open, like hotspots.

This is a growing problem in Mexico because wireless technology has only recently been widely adopted (some years behind other countries). Every time we do a pentest we find the weakest link to be the wireless network, so bad.

Here are some pictures of the kit for wardriving.

Saturday, June 16, 2007

Online fraud in Mexico

Last week, UNAM's Computer Security Conference was held at the Palacio de Mineria in Mexico City. One of the sponsors was Bancomer and there was a discussion panel between Bancomer and Banamex.

The banks were trying to convince people that they do everything to protect your money online; the truth is, they just do what is necessary to keep their business working and make a profit from it.

One guy in the audience asked them about an Internet portal dedicated to online frauds of Bancomer, Banamex and many other banks with Mexican clients (like HSBC, Santander, etc.).
I wrote down the URL (http://www.robosbancarios.com), and today I visited the site; I've been reading some of the cases and, needless to say, banks in Mexico SUCK BIG TIME.

I realized that I should have asked the bank guys why the hell they don't give details of the transactions to the affected clients, but I was busy with the conference organization. The banks justify themselves by saying they're following "banking secrecy"; the truth is they're just protecting criminals.

Another form of fraud in Mexico, and a very common one, is social engineering. It would be interesting to hear why the banks call your home/office offering new credit cards and ask for personal data that any criminal can gather to steal your identity, and it's perfectly legal. It's a form of phishing and banks do nothing to stop the modus operandi; they should adopt an anti-phishing policy for phone calls.

"Bancomer won't ask for personal information: Be suspicious of any unsolicited phone calls asking for your personal information": that would help a lot, but after all they are BANKS; they're more interested in getting new clients than in protecting them.

Friday, June 15, 2007

Biometrics at UNAM-CERT

Finally, today the access control mechanism was set up at UNAM-CERT, consisting of a proximity card and a biometric (fingerprint).

This mechanism is part of the new policy for the SOC (Security Operations Center) at UNAM-CERT, DGSCA. The proximity card device has been the de facto standard for a while, but the biometric gives added security to the scheme.

Switching to blogger

This is an important day for this blog:

first, because I'm moving from my home-made blogging tool to Blogger, and

second, because I'm switching from Spanish to English.