Friday, September 27

Touch ID - Distributed Fingerprint Lookup

All the press regarding the new Touch ID fingerprint biometric on Apple's new iPhone has brought some insight into how to misuse this service.  Most of the critics have focused on circumventing the device to gain access or Apple deciding to share the data with the Government.

One interesting perspective that I haven't seen covered yet is whether the system could be used as a distributed matching system for existing fingerprint image systems.  In an oversimplified view of the process, a law enforcement agency takes an acquired fingerprint, searches for patterns in its database of collected prints and spits out possible matches.

Although Apple states that an API won't be available for apps, it is conceivable that such an interface might exist, and provide the ability to take an acquired print (either from the iPhone hardware or from software) and check it for validity against the stored print.

There are some limits to this, as there is likely only going to be one print stored (a thumb in most cases), the matching wouldn't be perfect (high false-accept and false-reject rates), and distributing a request for matching over public networks could potentially be discovered.  But the pros of attempting matches across the entire iPhone population might outweigh these cons.

If anyone has more detailed information about the potential for this type of use I would like to hear about it.

Thursday, May 16

Local Classified Penny Auction Scam

While there are a lot of new posts regarding new ways to exploit people using novel techniques and 0day exploits, there continues to be a rash of tried-and-true methods of coercion.  I want to walk through a simple example and reflect on how effective these methods continue to be.

Many people turn toward online classified sites to buy and sell items online.  This example starts with which even I've used on occasion to find used electronics and other items.  Doing a search on the site for a "Samsung Galaxy Note 2" returns a posting from today from someone selling one at an unreasonably low price.

$125 for a $500 phone?  But what if it's for real?  No harm in just asking some simple questions.  I sent an email with some obvious questions regarding the condition and location.

About an hour passes before I get a response from what appears to be a legit seller.

Notice there is no answer to the questions I asked, just a friendly pointer at where the unit came from and how I could get one for the same price.  What is though?  Well, this online penny auction site claims to allow purchases way below the value of the items being sold.

It even includes a not-so-obvious but intentionally generic newsreel video.

That's when I get a second email, from another email account, with the exact same content and a link to a different URL on the same site.

Ok, so by now I'm suspicious, and I do a little digging into the DNS registration information, the YouTube account posting the videos and the Kijiji posts related to the items.  All appear to be somewhat anonymous and scammy.

Switching mindsets to that of the people behind this scheme, what might be going on here?  Here is one likely scenario:

  1. The scammers set up the fake bidding site and YouTube accounts, and probably Twitter and email accounts too, including fake items and auctions.
  2. They post a few ads on local advertising sites for desirable items at too-good-to-be-true prices.
  3. They set up a script to auto-reply to inquiries about the items from legitimate buyers with links to the scam site.
  4. The site asks the user to register, which includes providing an email address and password.
  5. They use this email address and password to attempt to access the email account provided.  Any that work are added to the list of accounts that scam messages are sent from.
  6. If the user is gullible enough to bid on and pay for items using a credit card or PayPal, this is free cash.
  7. They wait a week or two, then switch to another email address, URL, payment gateway, etc.
  8. If the scammers were really nefarious, they could also extract all of the email from the compromised account and likely use it to conduct additional fraud or ID theft.
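Step 3 is the part a buyer, or a classifieds operator, can actually detect: the auto-replies above were byte-for-byte identical apart from the link and came from different "sellers".  The following is an added example (not from the original post) that flags that pattern by normalizing away the URLs and grouping replies by the remaining template; the sample replies and addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample inbox, modelled on the post: two "sellers" send identical
# text that differs only in the link, plus one reply from a genuine seller.
REPLIES = [
    {"from": "seller1@example.com",
     "body": "Hi! I got mine from http://deals-a.example/galaxy-note2 for $125, you can too."},
    {"from": "seller2@example.net",
     "body": "Hi! I got mine from http://deals-b.example/win/note2 for $125, you can too."},
    {"from": "realperson@example.org",
     "body": "Still available, screen has a small scratch. I'm in the east end, can meet downtown."},
]

URL_RE = re.compile(r"https?://[^\s<>]+")


def normalize(body):
    """Replace every URL with a placeholder and collapse whitespace/case, so
    replies that differ only in the link they carry map to the same template."""
    text = URL_RE.sub("<URL>", body)
    return " ".join(text.lower().split())


def find_templated_replies(replies):
    """Group replies by normalized body.  A template shared by more than one
    distinct sender is the auto-reply signature described in the post.
    Returns {template: {"senders": [...], "hosts": [...]}} for flagged groups."""
    groups = defaultdict(lambda: {"senders": set(), "hosts": set()})
    for reply in replies:
        key = normalize(reply["body"])
        groups[key]["senders"].add(reply["from"])
        for url in URL_RE.findall(reply["body"]):
            groups[key]["hosts"].add(urlparse(url).hostname)
    return {
        key: {"senders": sorted(g["senders"]), "hosts": sorted(g["hosts"])}
        for key, g in groups.items()
        if len(g["senders"]) > 1
    }


if __name__ == "__main__":
    for template, info in find_templated_replies(REPLIES).items():
        print("templated reply from", info["senders"], "pointing at", info["hosts"])
        print("  template:", template)
```

Grouping by template rather than by sender address is what makes this robust to step 7, where the scammers rotate addresses and URLs but keep the same pitch.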

Simple scams like these are obvious to critically minded people, but with so many people online exposed to them, how do we find out about them?  And what's to stop more from springing up all the time?

Three lessons for people:
1.  If something looks too good to be true, it almost always is.
2.  Follow safe browsing practices.  Be patient and don't rush into giving anyone your information or registering with unknown sites.
3.  If you fall for a scam, tell people about it and report it to local law enforcement, the Internet Crime Complaint Center, and Google's phishing report.