There are many whiz kids among us. Octopus is money, which is
the resource most protected by everybody, especially the banks.
IT data are
flowing securely in networks, and stored in everybody's and
every company's vault. But nothing is absolutely safe. The cat
and mouse game of IT security is a never-ending battle that
escalates every day. The most recent horror story is the breach
of security of the Octopus reported below.
Money is a constant target to be faked. Counterfeit money is an
ancient crime found in many generations. Now we have a new
generation of electronic money. We suppose that it will have
the same level, if not higher, of protection. Transactions of
electronic money leave detailed records. These make them doubly
safe. So it is really a surprise that we now have fake Octopus.
The trick was quite complicated. The hackers did not hack the
Octopus computer. They hacked the Octopus cards. The reading
and writing of data on Octopus are proprietary technology. They
require a specially designed device. The hackers made one.
They were also clever enough to take advantage of the time gap
between transactions and the transmission of data to the Octopus
computer. It took the Octopus company quite some time to
realize that the accounts did not tally and much longer to
figure out that someone tampered with the cards.
How could they do that? There is a reasonable explanation: the
insiders did it. The daily job of these guys was the
maintenance of Octopus readers. It is no wonder they knew
the tricks and the loopholes. Notwithstanding the most
sophisticated IT security measures, you could not keep the
locked secrets from the key holder.
There is an unprotectable IT security loophole, which is from
within. There are many IT security breach incidents which were
the result of an insider job. A dissatisfied staff member is a
possible danger. Even a satisfied staff member can be a potential
danger because there is no way to know when the relationship could
turn sour. So, when it comes down to maintaining staff loyalty,
love them every day no matter what.
The most unprotectable IT security loophole
is yourself. You can guard against anyone else by yourself, but you
cannot guard against yourself. It is human nature that
keeping secrets gives you some satisfaction; and there is always
an impulse to share the satisfaction with others, to the point
of boasting how clever one was, with some supposedly harmless
demonstration. Many secrets were leaked to unfamiliar persons
such as bartenders or one-night partners. I read about the ways
hackers worked. Not all the tricks were sophisticated. They
said that the most useful trick was social engineering. They
could guess the common passwords, and could tempt the innocent
to tell their secrets with seemingly harmless email.
Despite the best-designed systems and guidelines, eventually
someone will break the rules. It may not be the fault of the
systems. A person with ill intent is always the culprit. Just
look at the Bowtie case. Even with the water-tight
Anti-corruption Ordinance, Civil Service Regulations and
Administrative Order, nothing can stop the ultimate key holder
from opening Pandora's box himself.
**********
Five arrested for Octopus scam
08-03-2012
The police have arrested five people and seized a homemade
device for adding value to Octopus cards. Officers said the case
is the first of its kind. The scam came to light after the
Octopus company detected unusual activities involving a series
of value-added transactions and contacted the police. A man was
detained along with his girlfriend, sister and parents.
**********