IIA Security Portal

The Internet Industry Association Security Portal is supported by many of the leading security companies. We use these and other information to provide regular alerts about threats. Current warnings are summarised here. They are reviewed and regularly updated.

Its Tax Time

Time to watch out for emails trying to suggest that you have an unclaimed tax refund.

The Commissioner for Taxation, Michael D'Anscenzo, has warned of a rise in scams tp steal personal details, tax returns (Canberra Times 15 August 2010.

He said the scama which have been uncovered by the ATO include:

1. Job advertisements aimed at international students that ask students to supply tax number and date of birth.  The information in then used to lodge fraudenlent tax returns.

2. Fake calls from people claiming to work for the Tax Office saying that the recipient is entitled to a bonus payment of about $3600 for paying taxes on time. They are asked to provide bank details.

3. Fake calls from people claiming to work for the Tax Office offering a tax refund of $3000 where the recipient is told they need to make a donation to a specific charity and given a phone number to call to arrange it.

He adi remember that the Tax Officer never send email to people asking for personal or credit card details.

New attack on ATMs exposed

According to the ABC Online (1 August 2010) a computer hacker has demonstrated a technique to remotely make an ATM spit out cash using the internet.

New Zealand researcher Barnaby Jack publicly showed off the "ATM jackpotting" technique at the DefCon hackers conference in Las Vagas, in the United States.

Mr Jack proved his findings using two kinds of ATMs typically found in corner stores, bars or other "stand-alone" venues in the US, but said the flaw likely exists in machines at well-known banks.

"You don't have to go to the ATM at all," Mr Jack said.

"You can do it from the comfort of your own bedroom."

Mr Jack says banks use remote management software to monitor and control their ATMs.

He says he used a weakness in that software to take control of machines over the internet.

He says his method bypasses the need to submit passwords and serial numbers to access ATMs remotely.

Once in the machines, he says he can command them to spit out cash or transfer funds.

He says he could also capture account data from magnetic strips on credit or bank cards as well as passwords punched in by ATM users.

"When you think about ATM security you generally think about the hardware side; is it bolted down and are the cameras in position," Mr Jack said.

"This is the first time anyone has taken the approach of trying to attack the underlying software.

"It is time to find software defences rather than hardware defences."

Mr Jack did not reveal specifics of the attack to hackers at the conference, but did tell ATM makers about the flaw so they could bolster machine defences.