
ICT & Crime



Presentation Transcript


  1. ICT & Crime Introduction

  2. Homework • read THREE stories from http://www.teach-ict.com/news/news_stories/news_crime.htm & produce a 3-fold leaflet describing/discussing the stories. • Due in Friday • These will be put on a display, so make sure you do a good job 

  3. Activity 1 (5 minutes) Computers have changed many of the ways we do things over the past 30 years. But overall, is this a good thing, or a bad thing? Computers are commonly used to do things that are dangerous, repetitive, or which need a very high degree of accuracy. In groups, write down as many jobs as you can in these three categories which are done by or with computers. Don’t just think about things like traffic lights – think about office jobs and communications, too 

  4. Introduction Where there are ways to make money, there will be criminals just waiting to take advantage. The growth of the Internet has provided criminals with a whole host of new and different opportunities to commit crime. Computer crime is defined as 'criminal activity directly related to the use of computers'. It could be done in order to: • steal money • steal data or information • steal someone's identity • damage or disrupt someone's system for revenge • cause general havoc for fun • copy software / films / music to avoid paying for it.

  5. Using ICT to steal money Most internet purchases are paid for by credit card. How do thieves obtain credit card details? • Intercepting transactions • Insecure websites • Fraudulent websites • Till receipts • Card-cloning

  6. Prevention • Secure websites (https://) • Not printing full card number on till receipts etc • Verifying billing address details with bank databases • Individual card-readers/TANs (Transaction Authentication Number)

  7. Activity 2: in pairs (10 minutes) Find out the definition of one of the following and present it to the class: • Classic TAN • Indexed TAN • Indexed TAN with CAPTCHA (iTAN) • Mobile TAN (mTAN) • TAN generator

  8. Classic TAN • The bank creates a list of 50 unique TANs for the user - each TAN is six or eight characters long. The user picks up the list from their bank. • To make a transaction, the user enters the request and authorizes the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected. • The TAN has now been consumed and will not be recognized for any further transactions. • If the TAN list is compromised, the user may cancel it by notifying the bank. BUT – no protection against phishing or against “man in the middle” attacks

  9. Classic TANs

  10. Indexed TAN (iTAN) • Indexed TANs reduce the risk of phishing. To authorize a transaction, the user is not asked to use any TAN from the list, but to enter a specific TAN identified by a number (e.g. TAN number 11). The index is randomly chosen by the bank, so an arbitrary TAN acquired by an attacker is usually worthless. BUT iTANs are still susceptible to man-in-the-middle attacks, including phishing attacks where the attacker tricks the user into logging in to a forged copy of the bank's website.
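The bank-side checks described on slides 8 and 10, as an added example that is not part of the original presentation. The class and function names are made up for illustration, and retiring a challenged TAN after a wrong answer is an assumption of this sketch.

```python
import hmac
import secrets

def issue_tan_list(count=50, digits=6):
    """Bank side: a shuffled list of `count` unique numeric TANs."""
    tans = set()
    while len(tans) < count:
        tans.add(f"{secrets.randbelow(10 ** digits):0{digits}d}")
    tans = list(tans)
    secrets.SystemRandom().shuffle(tans)
    return tans

class ClassicTanAccount:
    """Classic TAN: any unused TAN from the list authorizes a transaction."""
    def __init__(self, tans):
        self.unused = set(tans)

    def authorize(self, tan):
        if tan in self.unused:
            self.unused.remove(tan)      # consumed: never accepted again
            return True
        return False

class IndexedTanAccount:
    """iTAN: the bank names the position; only that TAN is accepted."""
    def __init__(self, tans):
        self.by_index = dict(enumerate(tans, start=1))
        self.pending = None

    def challenge(self):
        self.pending = secrets.choice(list(self.by_index))
        return self.pending

    def authorize(self, tan):
        if self.pending is None:
            return False                 # no challenge outstanding
        index, self.pending = self.pending, None
        # Assumption of this sketch: the challenged TAN is retired even
        # when the answer is wrong, so an index cannot be guessed at twice.
        expected = self.by_index.pop(index)
        return hmac.compare_digest(expected, tan)

if __name__ == "__main__":
    tans = issue_tan_list()              # constructed sample list
    classic, indexed = ClassicTanAccount(tans), IndexedTanAccount(tans)
    leaked = tans[0]                     # one TAN disclosed, e.g. to a fake site
    print("classic accepts leaked TAN:", classic.authorize(leaked))
    wanted = indexed.challenge()         # matches the leaked TAN 1 time in 50
    print(f"iTAN asks for #{wanted}; leaked TAN accepted:", indexed.authorize(leaked))
```

Neither class binds the TAN to the transaction details, which is why both schemes remain open to the man-in-the-middle problem the slides mention.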

  11. Indexed TAN with CAPTCHA (iTANplus) • adds a CAPTCHA to reduce the risk of man-in-the-middle attacks. Prior to entering the iTAN, the user is presented with a CAPTCHA, which in the background also shows the transaction data and data deemed unknown to a potential attacker, such as the user's birthdate. This is intended to make it hard (but not impossible) for an attacker to forge the CAPTCHA.

  12. Indexed TAN with CAPTCHA

  13. Mobile TAN • mTANs are used by banks in Germany, Austria, Poland, the Netherlands, Hungary and South Africa. When the user initiates a transaction, a TAN is generated by the bank and sent to the user's mobile phone by SMS. BUT the security of this scheme depends on the security of the mobile phone system • SIM cloning • Mobile phone viruses

  14. TAN Generators These generate an individual TAN “on the fly” for each transaction, using an algorithm known only to the bank, so there is no risk of a TAN list getting lost in the mail or being compromised in another way. BUT no defence against man-in-the-middle attacks, or phishing/fraudulent websites

  15. Other ways of stealing money The rise of online banking means that it isn’t just shopping that can be dangerous. Paying bills online can cost much more than just the price of the bill. • Interception of details • Phishing

  16. Online banking & prevention of theft Step 1: Customer number (user name)

  17. Step 2 • Security number: a 4-digit number known only to the user & the bank • User is asked to enter 3 random digits from this number in a random order • Hacker cannot get entire number/digits in the right order

  18. Step 3 • Random characters from password • Hacker/keylogger cannot get entire password
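The partial-entry check from steps 2 and 3, as an added example that is not part of the original presentation. The names and the sample security number are constructed, and repeating an unanswered challenge is an assumption of this sketch.

```python
import hmac
import secrets

class PartialSecretLogin:
    """Ask for `ask` randomly chosen characters of a secret, in random order."""
    def __init__(self, secret, ask=3):
        # Caveat: to check individual characters the bank must keep the
        # secret in a recoverable form, not only as a one-way hash.
        self.secret, self.ask, self.pending = secret, ask, None

    def challenge(self):
        # Assumption of this sketch: an unanswered challenge is repeated, so
        # someone holding a few captured characters cannot simply reload the
        # page until those positions happen to be requested.
        if self.pending is None:
            positions = range(1, len(self.secret) + 1)
            self.pending = secrets.SystemRandom().sample(positions, self.ask)
        return list(self.pending)

    def verify(self, answer):
        if self.pending is None:
            return False                 # no challenge outstanding
        expected = "".join(self.secret[p - 1] for p in self.pending)
        ok = hmac.compare_digest(expected, answer)
        if ok:
            self.pending = None          # next login gets fresh positions
        return ok

def answer_for(secret, positions):
    """What the genuine user types for the requested positions."""
    return "".join(secret[p - 1] for p in positions)

if __name__ == "__main__":
    secret = "4821"                      # constructed sample security number
    login = PartialSecretLogin(secret)
    positions = login.challenge()
    typed = answer_for(secret, positions)
    # A keylogger sees only `typed`: three digits, not the whole number.
    print("asked for positions", positions, "-> user types", typed)
    print("accepted:", login.verify(typed))
```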

  19. Phishing • This is where a user is tricked into entering their user name & password into a fake website. • The website looks like the bank/eBay/PayPal website, but belongs to a hacker.

  20. Plenary (5 minutes)

  21. Answer Computer crime, otherwise known as 'cyber crime', is using a computer to steal, embezzle or defraud people or businesses.
