
The UK government has launched a specialist cyber-enforcement team and allocated extra funding for Trading Standards as part of a campaign designed to clamp down on online scams.
OFT figures suggest that online scams succeed around 3m times a year in the UK, resulting in losses of £3.5bn. Approaches most often arrive in the form of scam emails.
Accordingly, the government is investing £4.3m over three years in a bid to clamp down on this growing source of crime. The money will pay for selecting and training specialist trading standards enforcers in every region of England, Scotland and Wales, as well as the establishment of local computer labs.
Online ticket scams and scam websites that offer goods but deliver nothing in return will be the main focus for the new teams. The OFT teams will target the most serious cyber-scams.
Cases will continue to be passed to the police, the Serious and Organised Crime Agency and other investigative agencies. The role of the OFT can be roughly compared to that of the US Federal Trade Commission, although with a smaller budget and fewer resources.
Consumer Minister Kevin Brennan said: "Our investment will help the OFT and Trading Standards to put in place the new specialist teams, training and technology required to take the fight to these criminals."
"We're waiting to hear back from the Department of Business on how many cyber-enforcers the OFT will have and clarification on who will tackle reports of auction fraud, one of the most prevalent types of cybercrime."
Government recently established the National Fraud Reporting Centre (NFRC) and the National Fraud Intelligence Bureau, which will be run through the City of London Police, to tackle the most serious and harmful fraud.
Meanwhile the recently established Police Central eCrime Unit within the Metropolitan Police will tackle large-scale internet crime, including internet-enabled fraud.
The OFT teams are focused on dealing with consumer reports of cyber-crimes which might otherwise slip through the net. Victims of fraud are advised to contact Consumer Direct.
Chip and PIN seriously vulnerable
University of Cambridge security expert Professor Ross Anderson has blasted the Elektromagnetische Verträglichkeit (EMV) system used worldwide for credit and debit card transactions, and known in the UK as Chip and PIN, after his research team discovered a serious vulnerability. The group were able to carry out purchases using a card, even without knowing the associated personal identification number (PIN), by using a "man-in-the-middle" attack.
Retail terminals at the point of sale require the cardholder to insert their card and enter their secret PIN before a transaction can be authorised. The terminal then communicates with the microchip built into the card itself, which holds the PIN. If the correct number has been given, the chip returns a standard verification code (0x9000) to the terminal.
In the researchers' attack they inserted a genuine card into a second reader, connected to a laptop. The laptop is linked by thin wires to a fake card, which is inserted into the retailer's terminal. The laptop relays the communications between the terminal and the stolen, but genuine, card, up until the stage where the PIN is to be checked.
At this point it intercepts and responds with the verification code, no matter what number was entered. The retailer's terminal then believes that the correct PIN has been entered, and the card can be told that a signature was used to verify the cardholder instead.
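The exchange described above, reduced to a model that a defender can reason about. This is an added example, not the Cambridge group's code or the EMV specification: the class names, the status word used for a rejected PIN and the assumption that the issuer receives both the terminal's record of the verification method and the card's own record (bound to the cryptogram) are simplifications chosen for illustration. The point it shows is that the terminal alone is fooled by a device that answers the PIN check itself, while an issuer-side consistency check between the two records flags the transaction.

```python
"""Model of the chip-and-PIN cardholder-verification step with an issuer-side
consistency check.  Added example; message names and status words are constructed."""
from dataclasses import dataclass
from typing import Optional

SW_OK = 0x9000          # status word the article cites as "PIN verified"
SW_WRONG_PIN = 0x63C0   # assumption: a generic "verification failed" status for this model

CVM_PIN = "PIN"
CVM_SIGNATURE = "SIGNATURE"


class Card:
    """Genuine card: holds the PIN and remembers which verification method it saw."""

    def __init__(self, pin: str):
        self._pin = pin
        self.cvm_seen: Optional[str] = None

    def verify_pin(self, candidate: str) -> int:
        self.cvm_seen = CVM_PIN
        return SW_OK if candidate == self._pin else SW_WRONG_PIN

    def notify_signature(self) -> None:
        # The terminal (or whatever sits between it and the card) says a signature was used.
        self.cvm_seen = CVM_SIGNATURE

    def generate_cryptogram(self) -> dict:
        # Simplified: the card's own record of the CVM travels with the cryptogram.
        return {"card_cvm": self.cvm_seen}


class RelayDevice:
    """The man-in-the-middle from the text: forwards everything except the PIN check,
    which it answers itself, and tells the real card a signature was used instead."""

    def __init__(self, card: Card):
        self.card = card

    def verify_pin(self, candidate: str) -> int:
        self.card.notify_signature()
        return SW_OK  # never consults the real card

    def generate_cryptogram(self) -> dict:
        return self.card.generate_cryptogram()


@dataclass
class AuthRequest:
    terminal_cvm: str   # the terminal's view of how the cardholder was verified
    cryptogram: dict    # the card's view, carried with the cryptogram


class Terminal:
    def run_transaction(self, card, entered_pin: str) -> Optional[AuthRequest]:
        """Returns an authorisation request, or None if the PIN check failed."""
        if card.verify_pin(entered_pin) != SW_OK:
            return None
        # The terminal trusts the status word: it records "PIN verified".
        return AuthRequest(terminal_cvm=CVM_PIN, cryptogram=card.generate_cryptogram())


def issuer_authorise(req: AuthRequest) -> str:
    """Issuer check: approve only if the terminal's and the card's records agree."""
    if req.terminal_cvm != req.cryptogram["card_cvm"]:
        return "DECLINE: CVM mismatch"
    return "APPROVE"


def transact(pin_on_card: str, entered_pin: str, relay: bool = False) -> str:
    """End-to-end run: terminal step, then issuer decision."""
    card = Card(pin_on_card)
    presented = RelayDevice(card) if relay else card
    req = Terminal().run_transaction(presented, entered_pin)
    if req is None:
        return "TERMINAL REJECTED"
    return issuer_authorise(req)


if __name__ == "__main__":
    print(transact("1234", "1234"))              # APPROVE
    print(transact("1234", "0000"))              # TERMINAL REJECTED
    print(transact("1234", "0000", relay=True))  # DECLINE: CVM mismatch
```

The terminal on its own never learns anything went wrong in the relayed case; only the comparison of the two records at the issuer exposes the inconsistency, which is why the check belongs there rather than at the point of sale.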
The technique has been tested successfully on cards from Bank of Scotland, Barclaycard, Co-operative Bank, Halifax, HSBC and John Lewis.
The group say that not much technical skill is required for the attack, and suggest the equipment needed could be kept in a backpack, with the wires to the fake card running down a user's sleeve. They believe the equipment could be miniaturised to the size of a remote control.
"In practice how this attack would work is that one reasonably technically skilled person would build a device that carries out the attack and then sell this equipment on the internet just like criminals already do," said Dr Steven Murdoch, who worked on the project.
Professor Anderson claims the attack could already be in use by criminals. "We have many examples of people who have had their cards stolen and then purchases made using the chip and pin," he said. "They are adamant they didn't use it but if the banks say chip and pin has been used you have to pay. I think many of these people would have been victims of the kind of technique we have developed."
He was scathing about bank claims that the system was secure. "The banks are wrong. All the banks are lying ... The system is not fit for purpose."
Consumer group Which? also called for an investigation, stating that in a recent survey 1 in 7 people said that money had been taken from their accounts without authorisation. Around half of these did not have the money refunded by the bank. Over 90% of UK card transactions at point-of-sale use chip and PIN, according to the UK Payments Administration. The attack does not affect ATM transactions, which use different standards.
Mark Bowerman, spokesman for the UK Cards Association, said that there was no evidence the attack was in use and emphasised that card fraud had fallen with the introduction of chip and PIN. "We are taking this paper very seriously, as maintaining excellent levels of card security is paramount," he said. "However, we strongly refute the allegation that chip and PIN is broken."
The research paper has been made available as a working draft, due to be published at the IEEE Security and Privacy Symposium in May 2010. Members of the banking industry were informed of the vulnerability in early December.

Defense cordons off networks
The Defense Information Systems Agency (DISA) plans to cordon off its unclassified networks from public Internet access, creating a "demilitarised zone" (DMZ) isolating Web-based servers and applications from other defense systems.
Its procurement budget for fiscal 2011 includes $6m to construct a bypass around public Internet portals for users of the Unclassified but Sensitive IP Router Network (NIPRNet). The demilitarised zone (DMZ) would eliminate “the need for most DOD assets to directly connect with the public Internet, which greatly reduces its surface and exposure to attacks,” the DISA budget stated.
The DMZ was designed to provide an infrastructure to implement data segregation to protect private, controlled and classified data from publicly accessible information. The funding will procure hardware and software to move Web-based application servers into the DMZ. “These servers separate networks that should have access to the Internet from those that should not,” the budget stated.
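The segregation the budget describes, as an added example (not DISA's configuration): a zone-based policy in which only DMZ servers face the Internet and internal systems reach the Internet only through the DMZ tier, together with an audit that flags any rule that would restore a direct Internet-to-internal path. Zone names, ports and rules are constructed for illustration.

```python
"""Zone-based model of DMZ data segregation with a first-match policy evaluator and
an audit for rules that bypass the DMZ.  Added example; the policy is constructed."""
from dataclasses import dataclass
from typing import List, Optional

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"


# Constructed policy: the DMZ hosts the Web-facing application servers; internal
# hosts talk only to the DMZ, never directly to the public Internet.
POLICY: List[Rule] = [
    Rule(INTERNET, DMZ, 443, "allow"),      # public users reach the web tier
    Rule(DMZ, INTERNAL, 5432, "allow"),     # web tier reaches the database
    Rule(INTERNAL, DMZ, 443, "allow"),      # staff use the same application tier
    Rule(INTERNET, INTERNAL, None, "deny"),
    Rule(INTERNAL, INTERNET, None, "deny"),
]


def evaluate(policy: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in policy:
        if rule.src == src and rule.dst == dst and (rule.port is None or rule.port == port):
            return rule.action
    return "deny"


def audit_segregation(policy: List[Rule]) -> List[str]:
    """Return a finding for every allow rule that connects the Internet and the
    internal zone directly in either direction, i.e. that bypasses the DMZ."""
    findings = []
    for rule in policy:
        if rule.action == "allow" and {rule.src, rule.dst} == {INTERNET, INTERNAL}:
            port = rule.port if rule.port is not None else "any"
            findings.append(f"{rule.src}->{rule.dst}:{port} bypasses the DMZ")
    return findings


if __name__ == "__main__":
    print(evaluate(POLICY, INTERNET, DMZ, 443))       # allow
    print(evaluate(POLICY, INTERNET, INTERNAL, 443))  # deny
    print(audit_segregation(POLICY))                  # []
    # A constructed mistake: an admin opens SSH from the Internet straight to a database host.
    print(audit_segregation(POLICY + [Rule(INTERNET, INTERNAL, 22, "allow")]))
```

The audit is deliberately independent of rule order: a bypass rule placed after a broader deny is still reported, because the value of the DMZ rests on there being no such rule at all, not on it happening to be shadowed today.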
The project is part of DISA’s Information Systems Security Program (ISSP), for which $14.6m total was budgeted for 2011. Other projects under ISSP include nearly $1.8m for its host-based security system to counter cyber threats on Defense Department computers and “accomplish configuration and management control across all endpoints.”
Other funding includes:
• $2.3m to bolster DOD's classified Secure IP Router Network (SIPRNet) firewall against external attacks.
• $2.2m for an Insider Threat capability that addresses potential internal attacks.
• $2.5m for the Cross-Domain Enterprise Service to securely transfer information between NIPRNet and SIPRNet, to safely disseminate information while reducing costs.