Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Demo Hack Against African Micro-Finance Accounts

Posted by timothy on from the and-such-small-portions dept.

mask.of.sanity writes "Security researchers have shown how to raid Africa micro-finance bank accounts en masse using fake audio one time passwords. The banks use audio one-time passwords to authenticate users logging into their accounts, but failed to implement properly security controls across numerous systems. Crucially, the researchers did not reveal how they cracked the encryption in order to protect users."

52 comments

  1. A *lot* of microfinance is just a scam by crazyjj · · Score: 3, Informative

    I know this is somewhat off-topic, but I was a big supporter of the whole micro-finance thing at one time myself. Sounds like a great idea and all, right? But then I saw former micro-financier Hugh Sinclair's BookTv segment and read his book and it opened my eyes to how much of this micro-finance fad has become a feeding ground for scammers, con men, and other vultures in the countries they're ostensibly supposed to be helping--and how much corruption there is in many of these "charitable" non-profits and financiers that sell the idea of micro-finance to well-meaning supporters.

    Again, I know it's not directly related to the hack. But every time micro-finance comes up, I like to point out this info--since the vast majority of people still think of the subject in very naive and rosy terms, oblivious to the deep corruption that has become so pervasive in its execution.

    --
    What political party do you join when you don't like Bible-thumpers *or* hippies?
    1. Re:A *lot* of microfinance is just a scam by TheCRAIGGERS · · Score: 1, Insightful

      Meh, as an American, I've become desensitized to corruption. Yes, even more so than I have to violence.

      Hearing that there is corruption in finance is like hearing water is wet.

    2. Re:A *lot* of microfinance is just a scam by Trepidity · · Score: 5, Informative

      I think this is on a slightly different use of the term "microfinance", though there's overlap. The books you link are about microcredit specifically, a hyped-up approach to poverty reduction based on very small loans spread throughout a community, which Grameen Bank made famous. But the kind of microfinance this article talks about is more about regular banking: accounts and transactions, usually via a mobile phone. It's become popular in Africa because of the lack of traditional financial networks, and the increasing ubiquity of mobile phones as the main link into modern systems.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    3. Re:A *lot* of microfinance is just a scam by h4rr4r · · Score: 4, Insightful

      The entire thing is a scam and they are quite upfront with it.

      I the charitable 1st worlder give free money to some bank in the 3rd world who supposedly gives a loan to a needy person.

      This means I make no profit and a bank gets to charge interest to another person. Why the hell would I ever do that?

      If it is my capital I want at least half the interest or just give the guy the money, either way at least some banker is not getting rich for free off my money.

    4. Re:A *lot* of microfinance is just a scam by girlinatrainingbra · · Score: 5, Insightful

      yep, it's the same as the "mother teresa" scam, in which the PR is such that everyone thinks that this "saint" is helping out the poor, but the reality is that the poverty is being continued and no actual help is being given out, and the dontations taken in are used to perpetuate and strengthen the infrastructure of the so-called "charity organization".
      .
      Wait a minute, that's the same type of scam pulled by the Red Cross and the United Way: they all come out of the woodwork during disasters and ask for a lot of donations and money (because they can skim off the top [heavily skim] of money, but not of actual goods) which can be put towards expensive cherry desks and mahogany paneling and half-a-million-dollars-per-year executive salaries.
      .
      Sadly, the business and MBA types find every possible way that people like to part with their money (whether it's for food you need, or toys you want or lust after, or donations you gladly give to help others or assuage their own consciences) and insert themselves into the equation to take the majority of the money as "overhead costs" for running the schemes themselves.

    5. Re:A *lot* of microfinance is just a scam by Anonymous Coward · · Score: 1

      A lot of people don't even realize that the blood they're donating to the Red Cross is then *sold* by the Red cross to hospitals *at the market price*, with the money going into Red Cross coffers.

      And they also don't realize that most donations for specific disasters go into the Red Cross *general fund*, and not towards that disaster. This became so controversial a few years back that I believe that had to change their policy to allow donors to earmark donations for a specific disaster, but *only* if the donator specifies it.

      I have always been wary of the Red Cross. I remember my grandfather telling stories about how they charged combat soldiers for coffee and donuts during WWII. No money--no food, tough luck G.I. He used to cuss like a sailor at anyone asking for a Red Cross money or blood donation.

    6. Re:A *lot* of microfinance is just a scam by girlinatrainingbra · · Score: 1

      Thanks for the info and details! I know about the specific information about the cherry-wood-desks and the mahogany paneling because the CEO of the local Red Cross and United ways here in San Diego got caught spending hundreds-of-thousands of dollars on a desk (yes, "a" singular desk) and wood paneling for his office, along with raking in a crazy high salary. There's also something weird with how they get "volunteers" to do all of the work for "driving patients and the elderly from their home to their doctors appointments" but get paid as an institution (red cross) about $50-$100 per trip, while the volunteer gives their time and their gasoline costs and their insurance costs. In fact, my mom rails about how much more the cross gets in money for driving patients to their appointments than she gets for actually seeing diagnosisng and treating the patients.!!!

    7. Re:A *lot* of microfinance is just a scam by h4rr4r · · Score: 1

      So then why don't the hospitals collect blood themselves and cut out the middle man?

    8. Re:A *lot* of microfinance is just a scam by h4rr4r · · Score: 1

      Who pays this money?
      What does it take to get it?

      Can't your mother hire some pizza delivery folks who are probably not busy during the day and collect it?

    9. Re:A *lot* of microfinance is just a scam by crazyjj · · Score: 3, Insightful

      I once heard someone say that you can tell how corrupt a charity is by the kind of car its director drives. If a charity's director is driving a new Mercedes, it's a pretty safe bet that most of your donations aren't going to feed hungry children. So now that's my rule of thumb for a charity: look into the intentions and lifestyles of the heads of the charity and you will probably see its true heart.

      --
      What political party do you join when you don't like Bible-thumpers *or* hippies?
    10. Re:A *lot* of microfinance is just a scam by NatasRevol · · Score: 1

      What if the head is a volunteer billionaire?

      More or less corrupt?

      --
      There are two types of people in the world: Those who crave closure
    11. Re: A *lot* of microfinance is just a scam by mspohr · · Score: 1

      More corrupt.
      How did he get to be a billionaire?

      --
      I don't read your sig. Why are you reading mine?
    12. Re:A *lot* of microfinance is just a scam by Errol+backfiring · · Score: 1

      What if the water is dry?

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    13. Re:A *lot* of microfinance is just a scam by Anonymous Coward · · Score: 0

      Yes, shame on Bill Gates for donating his own fortune to help people. SHAME! Hurr durr group think.

    14. Re: A *lot* of microfinance is just a scam by Anonymous Coward · · Score: 0

      Lol only silly people think that people like bill gates and oprah control their money. They are brands beholden to their shareholders. So they might claim that money but only retards believe it is theres to spend and donate.

    15. Re:A *lot* of microfinance is just a scam by Dishevel · · Score: 1

      I give my charity contributions to The Salvation Army.
      Sure. They are religious. But...
      The bang for the buck is awesome and they do not tie their help to what religion the beneficiary is.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    16. Re:A *lot* of microfinance is just a scam by alexander_686 · · Score: 1

      Mod Trepidity up.

      And, to put a slightly finer point on this, we are (mostly) not talking about banking but using phone minutes as an alternative currency. As long as you know the other party’s phone number you can transfer minutes – you can be outside the country so you don’t have to worry about exchange rates – neither party needs a bank account, etc.

    17. Re:A *lot* of microfinance is just a scam by Anonymous Coward · · Score: 1

      Somebody somewhere said something about heaven and a camel and the eye of a needle. It pretty much covers this situation.

    18. Re:A *lot* of microfinance is just a scam by Anonymous Coward · · Score: 0

      by the "same type of scam" i'm assuming you mean mother teresa's order is yet another big, bloated bureaucracy? she wasn't living the lifestyle of some half-million dollar executive with expensive cherry desks and mahogany paneling, and i have friends who have volunteered with them (giving out medical help, although by no means ending anyone's poverty), so it's really sad that the organizations are comparable in any sense... but thank you for pointing it out. i personally never realized how competitive "non-profits" could be until i signed up for the red-cross. organizations do need to make money to sustain/grow, but should be transparent, especially in regard to their financials. makes me wonder what the record is for the longest-lived charity organization that didn't have a budget for lawyers...

    19. Re:A *lot* of microfinance is just a scam by Anonymous Coward · · Score: 1

      http://www.snopes.com/medical/emergent/redcross.asp

      There is truth to one of the rumors, however. During WWII the American Red Cross did indeed charge American servicemen for coffee, doughnuts, and lodging. However, it did so because the U.S. Army asked it to, not because it was determined to make a profit off homesick dogfaces.

        The request was made in a March 1942 letter from Secretary of War Henry L. Stimson to Norman H. Davis, chairman of the American Red Cross. Because American soldiers were fighting as part of the Allied Forces, matters had to be considered on a Force-wide rather than solely American basis. The Red Cross was asked to establish club facilities for U.S. servicemen overseas where Allied troops would be welcome. Because English and Australian soldiers were being charged for the use of such facilities, it was deemed unfair that Americans were to get similar benefits for free, especially in light of their pay already being higher than that of their Allied counterparts. For the good of the alliance, the American Red Cross was persuaded to exact nominal charges from American GIs for off-base food and lodging.

        This act resulted in the Red Cross' coming to be regarded by numerous GIs as having profited off them. Bad feeling exists to this day over the decision to charge American servicemen for these services, with any number of such soldiers and their families carrying long-lasting resentments against the service. Yet while that ire might have been merited, it was misdirected — the culprit was the U.S. Army, not the Red Cross.

        General Dwight D. Eisenhower, Chief of Staff, United States Army, addressed the controversy surrounding this issue in a statement to the press on 10 April 1946: I am surprised to learn that one of the reasons [for Americans not contributing to the American Red Cross] is the complaints being leveled at the organization’s overseas operations by returning servicemen. For the most part these criticisms have grown out of a Red Cross policy of making nominal charges to our forces for food and lodgings in fixed Red Cross installations abroad. These complaints are distressing to me since this particular Red Cross policy was adopted at the request of the Army, so as to insure an equitable distribution among all service personnel of Red Cross resources.

        I know the Red Cross. I have seen it in action. Overseas it performed with the precision of a well-trained army. It would be grave injustice to the splendid work of the Red Cross if its campaign should be retarded anywhere by mistaken criticisms.
        Even after World War II, the Red Cross continued to be dogged by false tales about their imposing fees on military personnel for basic humanitarian services, such as the following 1952 rumor that claimed the organization had charged a U.S. serviceman interest on money he borrowed from them to attend his mother's funeral: A recent rumor to the effect that a serviceman had been loaned money by the Red Cross at 6 per cent interest so he could attend his mother's funeral was revealed by the local chapter.

        When the rumor proved to be unfounded, said a local Red Cross official, the serviceman wrote to deny the story: "I have not been asked to pay 6 per cent interest on this loan nor has it ever been suggested by anyone employed by the American Red Cross that I pay interest," he said. "It was through the joint effort of the Hartford Chapter and the office of the field director that I was granted a leave ..."

        The story of the interest charging went through a nearby summer resort "like wildfire," reported the official.

        The Red Cross' version was this: the local serviceman had just been inducted and was beginning his service at an Air Force base. The Red Cross notified him of his mother's death, and since the serviceman was without enough money for the trip, the chapter advanced him more than $100 which he agreed to pay over a prolonged period — without interest.

    20. Re:A *lot* of microfinance is just a scam by Anonymous Coward · · Score: 0

      > A lot of people don't even realize that the blood they're donating to the Red Cross is then *sold* by the Red cross to hospitals *at the market price*, with the money going into Red Cross coffers.

      So what? The Red Cross has costs. Those little baggies that hold your blood cost money. So do needles. So do the chairs that you sit in while donating. They have offices. They have staff. They have utility bills. They have marketing costs. The Red Cross has to pay for things just like everyone else.

    21. Re:A *lot* of microfinance is just a scam by Anonymous Coward · · Score: 0

      If there is no deception, how is it a scam? True, there is potential for abuses such as loans to cronies who will default on repayment, but that's not so different from the risk that a traditional charity would overpay a crony for supplies in country. The donation of capital itself though is not a scam. The idea is that rather than donating one-time money, it makes more sense to donate capital to be loaned out to many different people in succession and stimulate sustained economic growth, the only long term way to raise the 3rd world out of poverty. Which will provide more growth for the country - increasing local capital by retaining the interest or paying the interest back to you? Alternatively, rather than using interest rates to increase capital, interest rates could be reduced to subsidize the loan, in the same way that some college loans are in the US.

    22. Re:A *lot* of microfinance is just a scam by magic+maverick+ · · Score: 1

      Really? So they don't insist on prays before meals? Are they still rather obnoxious about anyone who isn't straight? E.g. do they still refuse help to gay and lesbian couple? I bet they still lobby against marriage equality.

      A couple of pages with further information:
      The Bilerico Project - Why You Shouldn't Donate to the Salvation Army Bell Ringers
      Don't Donate to the Salvation Army @ The Stranger

      --
      HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
    23. Re:A *lot* of microfinance is just a scam by Anonymous Coward · · Score: 0

      Actually there are two different things they do.
      Their community help for the poor and disasters are given with no regard to religion or sexual orientation.
      Then there is their drug and alcohol program. Very nice program. Does require attendance at some religious based services.
      Also requires work. Does not require belief, acting like you believe, and allows dissenting opinions to be voiced.
      For a religious outfit they do a lot of good.

    24. Re:A *lot* of microfinance is just a scam by tehcyder · · Score: 1

      I once heard someone say that you can tell how corrupt a charity is by the kind of car its director drives. If a charity's director is driving a new Mercedes, it's a pretty safe bet that most of your donations aren't going to feed hungry children. So now that's my rule of thumb for a charity: look into the intentions and lifestyles of the heads of the charity and you will probably see its true heart.

      The counter-argument is that it is better for a charity to have one billion in donations and pay the director a million, rather than to have one million in donations and pay the director nothing.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    25. Re:A *lot* of microfinance is just a scam by gmhowell · · Score: 2

      I have always been wary of the Red Cross. I remember my grandfather telling stories about how they charged combat soldiers for coffee and donuts during WWII. No money--no food, tough luck G.I. He used to cuss like a sailor at anyone asking for a Red Cross money or blood donation.

      Wonder if he knew my grandfather or my great uncles. They did pretty much the same thing after seeing this (and worse) behavior by the Red Cross during WWII in the South Pacific.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    26. Re: A *lot* of microfinance is just a scam by tehcyder · · Score: 1

      Lol only silly people think that people like bill gates and oprah control their money. They are brands beholden to their shareholders. So they might claim that money but only retards believe it is theres to spend and donate.

      What does that even mean? Bill Gates made his money from Microsoft. Microsoft shareholders do not therefore control what he does with his money. Do you really think that an insurance company (or whoever) with a large block of Microsoft shares is going to want to fund polio vaccinations in Africa?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    27. Re:A *lot* of microfinance is just a scam by hackertourist · · Score: 1

      I disagree. Microfinance organisations operate in a middle ground between charity and commercial banks. They offer a way to stretch your money. Instead of your $100 donation helping one person with a gift, the same $100 can be recycled dozens of times to help people via loans. It's the 'teach a man to fish' meme put into practice.

      Any interest paid on the loan goes toward the operating cost. I don't mind this. In comparison, my commercial bank charges me ~$ 100/year for two accounts, a debit card and a credit card.

    28. Re:A *lot* of microfinance is just a scam by tehcyder · · Score: 1

      I give my charity contributions to The Salvation Army. Sure. They are religious. But... The bang for the buck is awesome and they do not tie their help to what religion the beneficiary is.

      The fact that they are religious disqualifies them from my help. If they're religious, why can't their fucking god do something about the misery around them?

      Ooh, I know, evil atheists want babies to die in the streets rather than support god-botherers.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    29. Re:A *lot* of microfinance is just a scam by girlinatrainingbra · · Score: 1
      re Mother Teresa: Fox, Robin (1994). "Mother Theresa's care for the dying". The Lancet 344 (8925): 807
      --- s. The Lancet and the British Medical Journal reported the reuse of hypodermic needles, poor living conditions, including the use of cold baths for all patients, and an approach to illness and suffering that precluded the use of many elements of modern medical care, such as systematic diagnosis.[77] Dr. Robin Fox, editor of The Lancet, described the medical care as "haphazard", as volunteers without medical knowledge had to make decisions about patient care, because of the lack of doctors. He observed that her order did not distinguish between curable and incurable patients, so that people who could otherwise survive would be at risk of dying from infections and lack of treatment. Dr. Fox makes it a point to contrast the term "hospice", on the one hand, with what he calls "Mother Teresa's Care for the Dying" on the other hand; noting that, while hospice emphasises minimising suffering with professional medical care and attention to expressed needs and wishes of the patient, her approach does not. http://en.wikipedia.org/wiki/Mother_teresa#Criticism http://en.wikipedia.org/wiki/The_Missionary_Position

      Pretty much look up her name and "criticism", and see the results, including believing that the poor need to suffer in order to get closer to christ and god, and helping them achieve that suffering by not using any painkillers and not actually trying to treat the ill and by actively discouraging the treatment of the ill in "their care".

    30. Re:A *lot* of microfinance is just a scam by Anonymous Coward · · Score: 0

      They seem to have a bunch of money coming in and going back out.
      So, my guess is that if there is a God he is doing a decent job for them.
      You do not have to give to things you do not agree with.
      But damn man. Slow down on the hatred. You will live longer and like it more.

  2. they logged in 10k times and checked stats... by girlinatrainingbra · · Score: 1
    The linked article itself mentions brute force breaking into the voice-mail accounts and "bluff verfication", forcing the bank to check the victim's voice mail accounts: The final step required a means to automate the playback of the fake one time passwords and bluff verification. To achieve this, the researchers brute-forced their way into victim voice mail accounts and replaced greeting messages with the generated tokens.

    .

    The bank could be forced to voice mail -- and the fake audio token -- by setting a phone number diversion within voice mail, or by simply calling the victim to make the line engaged.

    The article also points out that they created 10-thousand fake accounts in order to create 10k "voice token" one-time-passwords which they recorded and analyzed using open-source audio-software. (sounds like Audacity used in a way to show the spectral characteristics: the fourier transform built into it for spectral/frequency analysis and display)

    1. Re:they logged in 10k times and checked stats... by gl4ss · · Score: 1

      it's a bit bullshitty because what they claim to have done would land them in jail no matter if it was for research or not, brute forcing voicemails etc.

      if you go as far as to redirect victims phone you can do all kinds of scams.

      the article could have been a bit more clear though about how these voice tokens work.

      --
      world was created 5 seconds before this post as it is.
  3. Count Zero by Darth+Snowshoe · · Score: 1

    Once again, William Gibson was here first.

  4. someone should sue this place by Anonymous Coward · · Score: 0

    one fo the parent articles form yesterday gave me some redirect virus i cant get rid of....
    now half my websites show up as blocked because of malware

    fucking jerks
    cmi.netseer.com

    drop that add and post a fix or ill hack this place and do a fix

    1. Re:someone should sue this place by h4rr4r · · Score: 1

      So you have either malware or a virus infecting your computer that you cannot get rid of, but we are to believe you have the technical prowess to hack this website.

      The fix you are looking for is here http://www.ubuntu.com/download/desktop

      Good luck with your hacking there dummy.

    2. Re:someone should sue this place by Anonymous Coward · · Score: 0

      So you have either malware or a virus infecting your computer that you cannot get rid of, but we are to believe you have the technical prowess to hack this website.

      The fix you are looking for is here http://www.ubuntu.com/download/desktop

      Good luck with your hacking there dummy.

      No, this kid doesn't need a desktop OS, he is clearly in the mobile generation.

    3. Re:someone should sue this place by Anonymous Coward · · Score: 0

      Get an OS that has better malware protection.

      And one that does spell checking.

    4. Re:someone should sue this place by Anonymous Coward · · Score: 0

      Step one: Adblock plus.
      Step two: Noscript.

  5. Violation of Principal by Anonymous Coward · · Score: 0

    Crucially, the researchers did not reveal how they cracked the encryption in order to protect users.

    Undoubtedly, numerous Slashdotters will consider this to be a breach of Open Information protocol whereby any and all weaknesses of any and all systems should be published in full in the interest of free and open information.

  6. Re:Violation of principle by Anonymous Coward · · Score: 0

    Damned!

    Did it again! principle principle principle principle

  7. William Gibson's Count Zero by HollandoF · · Score: 1

    William Gibson's Count Zero. "The Wig reasoned that all that obsolete silicon had to be going somewhere. Where it was going, he learned, was into any number of very poor places struggling along with nascent industrial bases. Nations so benighted that the concept of nation was still taken seriously. The Wig punched himself through a couple of African back- waters and felt like a shark cruising a swimming pool thick with caviar. Not that any one of those tasty tiny eggs arnounted to much, but you could just open wide and scoop, and it was easy and filling and it added up.

    1. Re:William Gibson's Count Zero by idontgno · · Score: 1

      Came here to say this. No mod points, alas.

      Even at his bleakest and most inventive, Gibson is surprisingly prophetic.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  8. No they are not all scams by schneidafunk · · Score: 1

    I microloan is just a loan that is smaller in amount. They charge interest rates, the banks do make profits, it is NOT free money.

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:No they are not all scams by h4rr4r · · Score: 1

      It is free money to the bank.
      They want me to donate it so they can lend it out.

      See kiva.org for an example.

  9. some charitable organizations do it right by Chirs · · Score: 1

    where the organization itself acts as the "bank". That way the interest on the micro-loan goes back to the charitable organization and is used to fund more loans.

  10. so steal the money by slashmydots · · Score: 0

    So steal it! It's all our money anyway, lol. I guarantee the vast majority of those funds were stolen via fraud, from selling stolen items, or from selling illegal items. It's so bad, Africa shouldn't be allowed to have computers or money at this point so why exactly is this exploit not being released at this point?

    1. Re:so steal the money by ub3r+n3u7r4l1st · · Score: 1

      By same logic, Wall Street shouldn't be allowed to have computers or money at this point.

      --
      New Economic Perspectives
  11. Whistling by ThatsNotPudding · · Score: 1

    I wonder if they just whistled the sound of a dialup modem.

    1. Re:Whistling by Anonymous Coward · · Score: 0

      It would be very difficult to whistle beyond 1200 baud. See here for the individual steps for modem handshake:
      http://windytan.blogspot.fi/2012/11/the-sound-of-dialup-pictured.html

  12. That is what Zidisha is. by Idou · · Score: 1

    Zidisha allows you to invest directly and collect interest (at the rate you choose, which can be 0%).

    --
    Sdelat' Ameriku velikoy Snova!
  13. Source of The Story by Anonymous Coward · · Score: 0

    This Was The Subject of a New Zealand Kiwicon Talk in November 2012, By Graeme Neilson and Shingirayi Padya called Attacking Audio One-time Passwords
    Very interesting concepts behind the methods , for more info on the sujbect refer to aurainfosec.com under publications