ICT & Crime Introduction

Upload: patch

Post on 08-Jan-2016

Page 1: ICT & Crime

ICT & Crime: Introduction

Page 2: ICT & Crime

Homework

• read THREE stories from http://www.teach-ict.com/news/news_stories/news_crime.htm & produce a 3-fold leaflet describing/discussing the stories.

• Due in Friday

• These will be put on a display, so make sure you do a good job

Page 3: ICT & Crime

Activity 1 (5 minutes)

Computers have changed many of the ways we do things over the past 30 years. But overall, is this a good thing, or a bad thing?

Computers are commonly used to do things that are dangerous, repetitive, or which need a very high degree of accuracy.

In groups, write down as many jobs as you can in these three categories which are done by or with computers. Don’t just think about things like traffic lights – think about office jobs and communications, too

Page 4: ICT & Crime

Introduction

Where there are ways to make money, there will be criminals just waiting to take advantage. The growth of the Internet has provided criminals with a whole host of new and different opportunities to commit crime.

Computer crime is defined as 'criminal activity directly related to the use of computers'. It could be done in order to:

1. steal money
2. steal data or information
3. steal someone's identity
4. damage or disrupt someone's system for revenge
5. cause general havoc for fun
6. copy software / films / music to avoid paying for it.

Page 5: ICT & Crime

Using ICT to steal money

Most internet purchases are paid for by credit card.

How do thieves obtain credit card details?

– Intercepting transactions
– Insecure websites
– Fraudulent websites
– Till receipts
– Card-cloning

Page 6: ICT & Crime

Prevention

– Secure websites (https://)
– Not printing full card number on till receipts etc
– Verifying billing address details with bank databases
– Individual card-readers/TANs (Transaction Authentication Number)

Page 8: ICT & Crime

Classic TAN

• The bank creates a list of 50 unique TANs for the user - each TAN is six or eight characters long. The user picks up the list from their bank.

• To make a transaction, the user enters the request and authorizes the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.

• The TAN has now been consumed and will not be recognized for any further transactions.

• If the TAN list is compromised, the user may cancel it by notifying the bank.

BUT – no protection against phishing or against “man in the middle” attacks

Page 9: ICT & Crime

Classic TANs

Page 10: ICT & Crime

Indexed TAN (iTAN)

• Indexed TANs reduce the risk of phishing. To authorize a transaction, the user is not asked to use any TAN from the list, but to enter a specific TAN identified by a number (e.g. TAN number 11). The index is randomly chosen by the bank, so an arbitrary TAN acquired by an attacker is usually worthless.

BUT iTANs are still susceptible to man-in-the-middle attacks, including phishing attacks where the attacker tricks the user into logging in to a forged copy of the bank's website.
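The classic TAN and iTAN checks described above, modelled from the bank's side as an added example that is not part of the original slides. The class name, the digit-only TANs and the one-attempt-per-challenge rule are assumptions made for the illustration.

```python
import secrets


class TanList:
    """Bank-side copy of one customer's TAN list (constructed model)."""

    def __init__(self, count=50, length=6):
        tans = []
        while len(tans) < count:                  # TANs on a list are unique
            tan = f"{secrets.randbelow(10 ** length):0{length}d}"
            if tan not in tans:
                tans.append(tan)
        # Index -> TAN, numbered from 1 like the printed list.
        self.unused = dict(enumerate(tans, start=1))
        self.challenge = None

    def verify_classic(self, submitted):
        """Classic TAN: any unused TAN authorises, then it is consumed."""
        for index, tan in self.unused.items():
            if secrets.compare_digest(tan, submitted):
                del self.unused[index]
                return True
        return False

    def issue_challenge(self):
        """iTAN: the bank picks at random which unused TAN it wants."""
        self.challenge = secrets.choice(list(self.unused))
        return self.challenge

    def verify_indexed(self, submitted):
        """iTAN: only the TAN at the challenged index is accepted."""
        index, self.challenge = self.challenge, None  # assumed: one try each
        if index is None:
            return False
        if secrets.compare_digest(self.unused[index], submitted):
            del self.unused[index]
            return True
        return False


def leaked_tan_outcome(leaked_index=7):
    """One TAN leaks from each list; report what each scheme then accepts."""
    classic, indexed = TanList(), TanList()
    leaked = classic.unused[leaked_index]
    first_use = classic.verify_classic(leaked)   # accepted: any unused TAN works
    replay = classic.verify_classic(leaked)      # rejected: already consumed
    leaked = indexed.unused[leaked_index]
    asked = indexed.issue_challenge()
    itan = indexed.verify_indexed(leaked)        # accepted only if asked == 7
    return first_use, replay, asked, itan
```

With a 50-entry list the leaked TAN matches the bank's randomly chosen index in only 1 of 50 challenges, which is the sense in which an arbitrary stolen TAN is "usually worthless" under iTAN.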

Page 11: ICT & Crime

Indexed TAN with CAPTCHA (iTANplus)

• Adds a CAPTCHA to reduce the risk of man-in-the-middle attacks. Prior to entering the iTAN, the user is presented with a CAPTCHA, which in the background also shows the transaction data and data deemed unknown to a potential attacker, such as the user's birthdate. This is intended to make it hard (but not impossible) for an attacker to forge the CAPTCHA.

Page 13: ICT & Crime

Mobile TAN

• mTANs are used by banks in Germany, Austria, Poland, the Netherlands, Hungary and South Africa. When the user initiates a transaction, a TAN is generated by the bank and sent to the user's mobile phone by SMS.

BUT the security of this scheme depends on the security of the mobile phone system

– SIM cloning
– Mobile phone viruses

Page 14: ICT & Crime

TAN Generators

These generate an individual TAN “on the fly” for each transaction, using an algorithm known only to the bank, so there is no risk of a TAN list getting lost in the mail or being compromised in another way.

BUT no defence against man-in-the-middle attacks, or phishing/fraudulent websites

Page 16: ICT & Crime

Online banking & prevention of theft

Step 1: Customer number (user name)

Page 17: ICT & Crime

Step 2

• Security number: a 4-digit number known only to the user & the bank

• User is asked to enter 3 random digits from this number in a random order

• Hacker cannot get entire number/digits in the right order

Page 18: ICT & Crime

Step 3

• Random characters from password

• Hacker/keylogger cannot get entire password
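The partial-entry check from Steps 2 and 3, sketched from the bank's side as an added example that is not part of the original slides. The function names and the sample security number are constructed, and `observed_view` assumes the worst case in which whatever recorded the login also saw which positions were requested.

```python
import secrets


def make_challenge(secret_length, ask=3):
    """Pick `ask` distinct positions (1-based), returned in a random order."""
    rng = secrets.SystemRandom()
    return rng.sample(range(1, secret_length + 1), ask)


def check_response(secret, positions, response):
    """Bank side: the entered characters must match the requested positions,
    in the order the positions were asked for."""
    if len(response) != len(positions):
        return False
    expected = "".join(secret[p - 1] for p in positions)
    return secrets.compare_digest(expected.encode(), response.encode())


def observed_view(secret_length, positions, response):
    """What one recorded login exposes: only the requested positions.
    Unknown positions are shown as '?'."""
    view = ["?"] * secret_length
    for position, char in zip(positions, response):
        view[position - 1] = char
    return "".join(view)


def demo():
    security_number = "4821"            # constructed sample value
    positions = [3, 1, 4]               # constructed challenge: 3rd, 1st, 4th
    typed = "241"                       # what the genuine user enters
    accepted = check_response(security_number, positions, typed)
    exposed = observed_view(len(security_number), positions, typed)
    return accepted, exposed            # (True, "4?21")
```

The same functions work unchanged for the "random characters from password" check in Step 3, since `secret` can be any string.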

Page 19: ICT & Crime

Phishing

• This is where a user is tricked into entering their user name & password to a fake website.

• The website looks like the bank/eBay/PayPal website, but belongs to a hacker.

Page 20: ICT & Crime

Plenary (5 minutes)

Page 21: ICT & Crime

Answer

Computer crime, otherwise known as 'cyber crime', is using a computer to steal, embezzle or defraud people or businesses.