The Null Device

Posts matching tags 'forensics'

2010/6/9

A discussion on Ask Metafilter about credit card fraud spawned a rather interesting comment from a former fraud detection department employee about what makes credit card transactions look suspicious:

Testing charges. These are usually online charges through known online vendors that a scammer can use to test a card number as valid. These have been mentioned before in the thread, but there were certain vendors that would fade in and out of popularity (I'm not naming names) that would allow very small (usually 1 dollar) charges on a card and produce some sort of digital product that allowed them to verify “yes this card works” or “no, this card is already being monitored”. They also told us that sometimes there were random guessing programs just trying to stumble across cards (as cards follow certain numbering rules, making it slightly more probable, and there being so many unused cards like college students get at football games and never touch). I'm not sure that I believe that last part, but that's what they told us. So Amazon MP3 followed by newegg... probably going to get called.
My first task was to take a look at the charge that specifically tripped the fraud alarm. I would look at it and first think to myself “Do they have a history of this?” I would compare this against demographics. An 80 year old woman who buys food for 6 months, and all of a sudden a charge coming through from steam? Probably not passing on that one. A 20 year old college student who charges everything from clothes to books, and then an iTunes purchase? Maybe they just got an iPod, I'll pass on it.
Cases weren't always cut and dried, so there's other things I can look at. I could see where plane tickets were purchased to and from. So if we have a plane ticket bought from BWI to LAX and sudden out-of-character charges for shopping in California, well... yeah, probably. I could see previous history through a comment log. Other operators (regardless of department) are obligated to comment each interaction with an account. For example, after working an account that I passed on I might write: “CHRGS COMING FROM OOS (out of state) BUT GAS TRAIL FROM HOME LOCATION TO CURRENT LOCATION PLUS HISTORY OF TRVL. N/A”

(via MeFi) credit cards crime deception forensics fraud 0

2010/2/27

When the Chumby One internet widget terminal was being assembled, the company noticed that one batch of memory cards, from Kingston, had a lot of defective cards. (The Chumby One's internal storage is a MicroSD card, like the ones used in mobile phones.) Kingston refused to replace them, as they had been programmed, and it looked like Chumby were out of luck. However, Chumby had an ace up their sleeve: one of their vice presidents is Andrew "Bunnie" Huang, i.e., the guy who cracked the XBox, and not someone one should count on being able to pull one over.

Anyway, Bunnie noticed some irregularities in the cards' markings and decided to conduct a thorough forensic investigation, examining the cards' serial numbers and manufacturing dates (where he found more inconsistencies; a lot of cards with implausibly low serial numbers and mismatched manufacturers' IDs) and then dissolving the cards' casings to examine their construction, and unearthed some answers:

First, the date code on the irregular card is uninitialized. Dates are counted as the offset from 00/2000 in the CID field, so a value of 00/2000 means they didn’t bother to assign a date (for what it’s worth, in the year 2000, 2GB microSD cards also didn’t exist). Also, the serial number is very low — 0×960 is decimal 2,400. Other cards in the irregular batch also had similarly very low serial numbers, in the hundreds to thousands range. The chance of me “just happening” to get the very first microSD cards out of a factory is pretty remote. The serial number of the normal card, for example, is 0×9C62CAE6, or decimal 2,623,720,166 — a much more feasible serial number for a popular product like a microSD card. Very low serial numbers, like very low MAC ID addresses, are a hallmark of the “ghost shift”, i.e. the shift that happens very late at night when a rouge worker enters the factory and runs the production machine off the books. Significantly, ghost shifts are often run using marginal material that would normally be disposed of but were intercepted on the way to the grinder. As a result, the markings and characteristics of the material often look absolutely authentic, because the ghost material is a product of the same line as genuine material.
After confronting Kingston and getting an exchange, no questions asked, Bunnie didn't stop investigating, visiting the dodgy bazaars of China and dealing with characters straight out of cyberpunk novels to procure a selection of variously dubious cards to investigate, and discovering various truths, some less savoury than others, about the memory card market. (For one, memory cards cost about as much as the raw memory inside them, but also contain an ARM-based microcontroller which is thrown in for free; the microcontroller handles error testing and saves the manufacturer the cost of dedicated testing gear, whilst also allowing the users of the card to get away with using regular filesystems on them. Secondly, some manufacturers, pressed to cut costs and increase profit margins, appear to be sanctioning (or at least turning a blind eye to) ghost shifts with dodgy materials and pawning the brummagem batches off on the kinds of weaker players they don't have much to fear from.)

Ghost shifts, and unlicensed extra items made on the side, are not unique to the memory card industry; this article describes several cases of contract manufacturers churning out extra copies of goods on the side, often in quantities large enough to flood markets, including a case involving shoe company New Balance.

Of course, you probably won't find ghost-shifted iPhones (as opposed to actual fake pseudo-iPhones, with built-in FM radios and entirely different firmware styled to look more or less iPhone-like) on the market any time soon, as Apple play hardball with their contractors, insisting on draconian security measures, dividing the manufacturing process up between different companies, and using nonstandard components.

(via MeFi) forensics hacks scams tech 1

2007/10/10

WIRED has a piece on the state of audio forensics today, or how much information can be extracted from an audio recording:

None of the sharp-eared audio professionals at the Javits Convention Center caught another edit on Allen's criminal-investigation tape. Allen digitally hid that edit behind a speaker's cough, and it was only revealed with the help of some sophisticated forensic software.
Catalin Grigoras, a forensic examiner from Bucharest, told the workshop how he uses the frequency signatures of local electrical power sources to pinpoint when and where recordings were made. According to Grigoras, digital recorders that are plugged into electrical sockets capture the frequency signature of the local power supply -- a signature that varies over time.
In one case, Grigoras claims to have identified the date of a recording broadcast in Europe, but made in the Middle East, "probably in the mountains, or in a cave," he says. He didn't mention any names, but it was hard not to think of Al Qaeda.

audio crime forensics tech 0

This will be the comment popup.
Post a reply
Display name:

Your comment:


Please enter the text in the image above here: