Researchers Demo Hack Against African Micro-Finance Accounts

mask.of.sanity writes "Security researchers have shown how to raid African micro-finance bank accounts en masse using fake audio one-time passwords. The banks use audio one-time passwords to authenticate users logging into their accounts, but failed to properly implement security controls across numerous systems. Crucially, the researchers did not reveal how they cracked the encryption, in order to protect users."
  • by crazyjj ( 2598719 ) * on Monday February 04, 2013 @09:22AM (#42785013)

    I know this is somewhat off-topic, but I was a big supporter of the whole micro-finance thing at one time myself. Sounds like a great idea and all, right? But then I saw former micro-financier Hugh Sinclair's BookTv segment [booktv.org] and read his book [amazon.com] and it opened my eyes to how much of this micro-finance fad has become a feeding ground for scammers, con men, and other vultures in the countries they're ostensibly supposed to be helping--and how much corruption there is in many of these "charitable" non-profits and financiers that sell the idea of micro-finance to well-meaning supporters.

    Again, I know it's not directly related to the hack. But every time micro-finance comes up, I like to point out this info--since the vast majority of people still think of the subject in very naive and rosy terms, oblivious to the deep corruption that has become so pervasive in its execution.

    • Re: (Score:2, Insightful)

      Meh, as an American, I've become desensitized to corruption. Yes, even more so than I have to violence.

      Hearing that there is corruption in finance is like hearing water is wet.

      • by crazyjj ( 2598719 ) * on Monday February 04, 2013 @10:21AM (#42785511)

        I once heard someone say that you can tell how corrupt a charity is by the kind of car its director drives. If a charity's director is driving a new Mercedes, it's a pretty safe bet that most of your donations aren't going to feed hungry children. So now that's my rule of thumb for a charity: look into the intentions and lifestyles of the heads of the charity and you will probably see its true heart.

        • What if the head is a volunteer billionaire?

          More or less corrupt?

          • More corrupt.
            How did he get to be a billionaire?

          • What if the water is dry?
          • by Anonymous Coward

            Somebody somewhere said something about heaven and a camel and the eye of a needle. It pretty much covers this situation.

        • I once heard someone say that you can tell how corrupt a charity is by the kind of car its director drives. If a charity's director is driving a new Mercedes, it's a pretty safe bet that most of your donations aren't going to feed hungry children. So now that's my rule of thumb for a charity: look into the intentions and lifestyles of the heads of the charity and you will probably see its true heart.

          The counter-argument is that it is better for a charity to have one billion in donations and pay the director a million, rather than to have one million in donations and pay the director nothing.

    • by Trepidity ( 597 ) <[delirium-slashdot] [at] [hackish.org]> on Monday February 04, 2013 @09:38AM (#42785145)

      I think this is on a slightly different use of the term "microfinance", though there's overlap. The books you link are about microcredit [wikipedia.org] specifically, a hyped-up approach to poverty reduction based on very small loans spread throughout a community, which Grameen Bank [wikipedia.org] made famous. But the kind of microfinance this article talks about is more about regular banking: accounts and transactions, usually via a mobile phone. It's become popular in Africa because of the lack of traditional financial networks, and the increasing ubiquity of mobile phones as the main link into modern systems.

      • Mod Trepidity up.

        And, to put a slightly finer point on this, we are (mostly) not talking about banking but using phone minutes as an alternative currency. As long as you know the other party’s phone number you can transfer minutes – you can be outside the country so you don’t have to worry about exchange rates – neither party needs a bank account, etc.

    • by h4rr4r ( 612664 ) on Monday February 04, 2013 @09:40AM (#42785163)

      The entire thing is a scam and they are quite upfront with it.

      I the charitable 1st worlder give free money to some bank in the 3rd world who supposedly gives a loan to a needy person.

      This means I make no profit and a bank gets to charge interest to another person. Why the hell would I ever do that?

      If it is my capital I want at least half the interest or just give the guy the money, either way at least some banker is not getting rich for free off my money.

      • Comment removed based on user account deletion
        • by h4rr4r ( 612664 )

          It is free money to the bank.
          They want me to donate it so they can lend it out.

          See kiva.org for an example.

      • where the organization itself acts as the "bank". That way the interest on the micro-loan goes back to the charitable organization and is used to fund more loans.

      • Zidisha [zidisha.org] allows you to invest directly and collect interest (at the rate you choose, which can be 0%).
      • I disagree. Microfinance organisations operate in a middle ground between charity and commercial banks. They offer a way to stretch your money. Instead of your $100 donation helping one person with a gift, the same $100 can be recycled dozens of times to help people via loans. It's the 'teach a man to fish' meme put into practice.

        Any interest paid on the loan goes toward the operating cost. I don't mind this. In comparison, my commercial bank charges me ~$ 100/year for two accounts, a debit card and a credi

    • by girlinatrainingbra ( 2738457 ) on Monday February 04, 2013 @09:44AM (#42785193)
yep, it's the same as the "mother teresa" scam, in which the PR is such that everyone thinks that this "saint" is helping out the poor, but the reality is that the poverty is being continued and no actual help is being given out, and the donations taken in are used to perpetuate and strengthen the infrastructure of the so-called "charity organization".

      Wait a minute, that's the same type of scam pulled by the Red Cross and the United Way: they all come out of the woodwork during disasters and ask for a lot of donations and money (because they can skim off the top [heavily skim] of money, but not of actual goods) which can be put towards expensive cherry desks and mahogany paneling and half-a-million-dollars-per-year executive salaries.

      Sadly, the business and MBA types find every possible way that people like to part with their money (whether it's for food you need, or toys you want or lust after, or donations you gladly give to help others or assuage their own consciences) and insert themselves into the equation to take the majority of the money as "overhead costs" for running the schemes themselves.
      • by Anonymous Coward

        A lot of people don't even realize that the blood they're donating to the Red Cross is then *sold* by the Red cross to hospitals *at the market price*, with the money going into Red Cross coffers.

        And they also don't realize that most donations for specific disasters go into the Red Cross *general fund*, and not towards that disaster. This became so controversial a few years back that I believe that had to change their policy to allow donors to earmark donations for a specific disaster, but *only* if the don

        • Thanks for the info and details! I know about the specific information about the cherry-wood-desks and the mahogany paneling because the CEO of the local Red Cross and United ways here in San Diego got caught spending hundreds-of-thousands of dollars on a desk (yes, "a" singular desk) and wood paneling for his office, along with raking in a crazy high salary. There's also something weird with how they get "volunteers" to do all of the work for "driving patients and the elderly from their home to their do
          • by h4rr4r ( 612664 )

            Who pays this money?
            What does it take to get it?

            Can't your mother hire some pizza delivery folks who are probably not busy during the day and collect it?

        • by h4rr4r ( 612664 )

          So then why don't the hospitals collect blood themselves and cut out the middle man?

        • by gmhowell ( 26755 )

          I have always been wary of the Red Cross. I remember my grandfather telling stories about how they charged combat soldiers for coffee and donuts during WWII. No money--no food, tough luck G.I. He used to cuss like a sailor at anyone asking for a Red Cross money or blood donation.

          Wonder if he knew my grandfather or my great uncles. They did pretty much the same thing after seeing this (and worse) behavior by the Red Cross during WWII in the South Pacific.

      • I give my charity contributions to The Salvation Army.
        Sure. They are religious. But...
        The bang for the buck is awesome and they do not tie their help to what religion the beneficiary is.

Really? So they don't insist on prayers before meals? Are they still rather obnoxious about anyone who isn't straight? E.g. do they still refuse help to gay and lesbian couples? I bet they still lobby against marriage equality.

          A couple of pages with further information:
          The Bilerico Project - Why You Shouldn't Donate to the Salvation Army Bell Ringers [bilerico.com]
          Don't Donate to the Salvation Army @ The Stranger [thestranger.com]

        • I give my charity contributions to The Salvation Army. Sure. They are religious. But... The bang for the buck is awesome and they do not tie their help to what religion the beneficiary is.

          The fact that they are religious disqualifies them from my help. If they're religious, why can't their fucking god do something about the misery around them?

          Ooh, I know, evil atheists want babies to die in the streets rather than support god-botherers.

      • by Anonymous Coward

        http://www.snopes.com/medical/emergent/redcross.asp

        There is truth to one of the rumors, however. During WWII the American Red Cross did indeed charge American servicemen for coffee, doughnuts, and lodging. However, it did so because the U.S. Army asked it to, not because it was determined to make a profit off homesick dogfaces.

        The request was made in a March 1942 letter from Secretary of War Henry L. Stimson to Norman H. Davis, chairman of the American Red Cross. Because American soldiers were fight

The linked article itself mentions brute-force breaking into the voice-mail accounts and "bluff verification", forcing the bank to check the victim's voice mail accounts:
    The final step required a means to automate the playback of the fake one time passwords and bluff verification. To achieve this, the researchers brute-forced their way into victim voice mail accounts and replaced greeting messages with the generated tokens.

    The bank could be forced to voice mail -- and the fake audio token -- by setting
    • by gl4ss ( 559668 )

      it's a bit bullshitty because what they claim to have done would land them in jail no matter if it was for research or not, brute forcing voicemails etc.

if you go as far as to redirect the victim's phone you can do all kinds of scams.

      the article could have been a bit more clear though about how these voice tokens work.

  • Once again, William Gibson was here first.

William Gibson's Count Zero. "The Wig reasoned that all that obsolete silicon had to be going somewhere. Where it was going, he learned, was into any number of very poor places struggling along with nascent industrial bases. Nations so benighted that the concept of nation was still taken seriously. The Wig punched himself through a couple of African backwaters and felt like a shark cruising a swimming pool thick with caviar. Not that any one of those tasty tiny eggs amounted to much, but you could ju
    • Came here to say this. No mod points, alas.

      Even at his bleakest and most inventive, Gibson is surprisingly prophetic.

  • So steal it! It's all our money anyway, lol. I guarantee the vast majority of those funds were stolen via fraud, from selling stolen items, or from selling illegal items. It's so bad, Africa shouldn't be allowed to have computers or money at this point so why exactly is this exploit not being released at this point?
  • I wonder if they just whistled the sound of a dialup modem.
