How To Counterfeit Money

PhotoShop banknote block

Not with Photoshop (and apparently Paint Shop Pro), or your printer, anyway.

The counterfeit deterrence system

If you try to open an image of specific currencies (and I assume at a specific resolution or higher) in Photoshop, you’ll receive the same error message as above. It’s interesting to note that New Zealand’s money isn’t blocked from being opened. Probably because we’re too busy trying to stop our passports from being counterfeited.

You can test it out using images from Banknotes.com. This one and this one throw up the error for me.

Here is Adobe’s information page on their ‘Counterfeit deterrence system’. What Photoshop is looking for is apparently a Digimarc digital watermark, different from the EURion constellation printers, or at least colour photocopiers look out for.

How to get around it

So what if your counterfeiting plans were going well so far, and now you’re at a standstill because of Adobe? You can use Gimp. It opens banknotes without trouble. So do old versions of Photoshop. And Microsoft Paint.

Why did Adobe think it was a good idea to add this? Counterfeiters will already know that they can use an older version of Photoshop, or use other software to get around this additional ‘feature’ and will be doing that.

All Adobe is doing is pissing off people who are trying to use Photoshop for a legitimate reason.

The Rules For Use website the dialog box directs users to even lists situations where you can reproduce banknotes legally (e.g. at a certain size), but Photoshop blocks opening banknotes full stop.

Why is it included?

Adobe will have had to spend time and money on including this system, with no returns in the form of additional sales. I assume they were pressured to include it, or even paid to include it by the Central Bank Counterfeit Deterrence Group.

Perhaps more concerning is that Adobe apparently has no idea what they have actually included in their software on behalf of the CBCDG:

“The inner workings of the counterfeit deterrence system are so secret that not even Adobe is privy to them. The Central Bank Counterfeit Deterrence Group provides the software as a black box without revealing its precise inner workings, Connor said.”

Secrecy

If you’ve bought Photoshop, were you aware of this system at the time of sale? You bought the software to open and edit images, but there are limitations you wouldn’t have been told about.

Here’s the two places where this system is talked about on Adobe’s website. A forum post and the information post linked to above.Adobe search CDS

Where’s the information page linked to from on Adobe’s website? My guess is not very many places, because they should have come up in the search too.

Printers are in on this too

I tried to print United States banknotes from Banknotes.com too. And the job failed. Here’s a New Zealand banknote that printed (and scanned) fine, with one of the United States notes below, which stopped printing halfway through.

Printing money

Here’s the error message in the print dialog.

Banknote print error reading pixels

Error 9707 seems to be specific to the counterfeit deterrence system, but is only described as “reading pixels failed”.

So I guess every time I print something, either the printer or the driver is all: “IS THIS LOOK LIKE MONEY?! NOPE, SEEMS TO BE A GIRAFFE.”

 

What I wonder is what other, potentially less visible and transparent “features” are being included in systems because of pressure or money?

I don’t want manufacturers including these non-features in their products for me and I don’t want my technology making decisions for me.

PayPal Policy Update Strangeness

PayPal send out emails about policy updates. Here is one of them:

PayPal Policy Updates

There’s a few strange things going on.

1) I’m not in Singapore but get sent their Singapore address.

2) They link to their site when they could have just said “go to PayPal’s website”. Getting people into the habit of clicking on links asking them to log in, especially ones with weird extensions doesn’t seem good.

3) If you’re going to include a link, at least link to the changes. Why do I have to log in and go to notifications to see them?

4) On the same note, why aren’t the changes just included in the email to begin with?

Here’s one of the changes listed in notifications:

PayPal Policy amendment

It is the whole PayPal User Agreement. What has changed? Who knows.

To their credit, a more recent January change just has the part of the policy that has changed.

Maybe they’re learning.

“Hello, I’m calling from Microsoft…”

The “computer doctors” have been making their rounds in New Zealand. Consumer Affairs say about 17% of New Zealanders have been targeted by them. They called us, from Djibouti, from what seemed like a crowded call center. They knew our details, just like they’re listed in the phone book. I think they purposely tried to be hard to understand, using the assumption that overseas victims would think it would be rude to ask for clarification a number of times. The address they gave was actually a Border’s bookshop in Auckland. Eventually they hung up after repeated questioning.

Computer doctorThe story

Their story seems semi-plausible, but is fake: they’re calling from Microsoft or a computer repair shop and have noticed some strange activity from your computer. They tell you to go to a legitimate folder or the Windows Event Viewer and say that if there’s a lot of files or entries there (which there will be) that it’s very bad and means your computer is infected. But fear not! It can all be solved for a reasonable price, plus they’ll continue to support your computer. Just give them your credit card number to be charged a recurring fee and they’ll remotely fix your computer for you…

Don’t trust cold callers

NetSafe recommends asking for their company name and phone number and Googling them to see if they’re who they say they are. I haven’t heard of any legitimate tech support companies cold calling for customers and I don’t imagine it would be hard to create a professional looking website and redirecting a New Zealand phone number if someone overseas was truly determined. So I’d say don’t trust cold callers with remote access to your computer or your credit card information at all, even if they seem legitimate.

Legitimate help

If you need help with your computer there are people on online forums like Geeks To Go that will help you for free, or ask friends and family for a recommendation of a quality company you can visit in person.

The NetSafe post has some good links. NetBasics is an animated video series by NetSafe on staying safe online. The real Microsoft has an article on speeding up your Windows computer, another line the callers use. And the Event Viewer might seem confusing, but Microsoft provides a tool to look up what the entries mean.

Symantec’s experience

Symantec investigated a similar scam being run overseas, recorded the conversation and recorded what happened to the computer. The agent “Brian” gets Orla (who’s from Symantec and is pretending to be a novice computer user) to open the Event Viewer and tells her that she has a serious infection. But it’s alright, they can fix it!

A remote connection to the computer is set up using legitimate third-party software and it looks like their technician is doing something important by running check disk, disk cleanup and deleting some temporary files. Brian informs Orla that she has a lot of malicious files on her computer and gets her to sign up for a one year support contract to solve her issues. After receiving her credit card details insecurely via email, as well her name, address, phone number, email address, email password and getting her to fax a copy of her driver’s licence, the bad infection was “removed” by deleting the innocent items from the Event Viewer and turning off event logging. Of course, with unrestricted access to a computer, the people behind these operations have the ability to install malicious software they claim to be removing. The video is below. At the end the business is confronted about their misleading practices.

If you get called by these people, submit a report to NetSafe’s The Orb. Maybe you want to have some fun with them first. A Fair Go viewer said they apparently get very annoyed when after they’ve been trying to pitch you for half an hour you tell them you have a Mac instead of a PC.

Have you been called by these people?

Image credit: Tabitha Kaylee Hawk

The Life of a Spam Email

Cans of spamA group of researchers have published a very interesting paper: Click Trajectories: End-to-End Analysis of the Spam Value Chain (pdf). Using three months of spam data and by purchasing over 100 products advertised by spam emails, the researchers followed the life of a spam email and investigated where the money from purchases actually goes. They found that the people behind 95% of spam-advertised pharmaceutical, replica and software products are using just a handful of banks for their merchant services. Anti-spam efforts focus on the delivery aspect of spam, but there is potential for the quantity of spam to be significantly reduced if the banks the spammers are using are targeted.

Purchasing from spam emails

The researchers collected spam-advertised URLs and data about the hosting infrastructure and DNS of the spammed websites. They grouped the sites by content structure, category of goods and affiliate program and/or storefront brand. The most popular goods advertised in spam: pharmaceuticals, replicas and software were focused on. Pornography and gambling weren’t focused on for “institutional and procedural reasons”.

Purchases were made from each major affiliate program or store “brand” and they tried to order the same types of products from each site to try to gain insights into the differences or similarities in product suppliers that are used. A specialty issuer of prepaid Visa cards teamed up with them and let them use a different card and obtain the authorization and settlement records for each transaction. For legal reasons pharmaceutical purchases were limited to non-prescription goods like herbal and over-the-counter products. Software purchases were limited to products which the researchers already possessed a license for.

120 purchases were made, 76 of which were authorized and 56 of which were actually settled, though half of those failed orders were from one affiliate program which researchers attribute to the large order volume raising fraud concerns.

The honest spammers

A finding I found interesting from the paper is that the likelihood is quite high that you’re not going to be ripped off when ordering through spam emails.

Out of the 56 “successful” orders, 49 of the products were delivered and received. Only seven of the products weren’t delivered. Out of those seven: four sites either sent packages or said they’d send packages after the mailbox lease had ended, one said that the money had been refunded (however the refund hadn’t been processed three months later). Only two “lost” orders received no follow-up email.

The researchers explained the reasoning behind actually fulfilling orders would be so the site would get any potential repeat orders and because their relationship with payment providers could be jeopardized if chargebacks were made by customers who didn’t receive items.

Update: One of the researchers, Stefan Savage, confirmed to me that none of the Visa cards used on the spammed sites were subsequently used fraudulently. It also looks like the pharmaceutical products were legitimate. He says “we only ordered a small subset of goods so any results aren’t representative.  However, we did some limited mass spec testing of a few pills against reference samples and the active ingredient was found to be the same and in a similar proportion — note we only tested for the active ingredient and didn’t look at things like binders, contaminants, etc.” Software was pirated, but malware free.

Research done by F-Secure supports this: almost all of their goods ordered from spam emails were delivered, none of the credit cards they used for orders were “stolen” and email addresses used to order the goods didn’t receive an increase in spam.

New Zealand’s fulfillment role

By volume, most herbal products shipped from the United States, but China and New Zealand were also in the mix.

Spam Shippers

A Christchurch based company turned up in results—Etech Media Ltd. Ironically, this: Etech Email is the email address listed in their whois record.

Perhaps unsurprisingly, the company in question and its owner aren’t new to the spam game. Sole shareholder and director, Shane Atkinson was fined $100,000 in 2009 for sending spam under the name ‘Herbal King’. His occupation listed in the 2005 electoral roll was “pro spammer”. The Herald “understands” that Etech Media’s office was one of the addresses searched in spam raids in 2007. In 2003, Shane admitted to sending up to 100 million spam messages a day, that spamming allowed him to have a nice car and house and said he “had no qualms about it”. “In a later interview, Atkinson said he had given up spamming.”

Perhaps not entirely?

I’ve emailed Etech Media to see if they’d like to comment.

The spam bottleneck

The researchers tried to identify bottlenecks in the spam value chain—stages where few alternative options are available and ideally where switching costs for spammers are high. Which intervention would have the most impact?

For the 76 authorized transactions, there were only 13 banks acting as “acquirers”. Herbal and replica purchases generally cleared through St. Kitts & Nevis Anguilla National Bank. Most pharmaceuticals through Azerigazbank in Azerbaijan and DnB Nord (Pirma) in Latvia. And most software purchases through Latvia Savings in Latvia and B&N in Russia.

Spam BanksThe researchers say that the banking/payment component of the spam value chain is the most critical. Payment infrastructure has “far fewer alternatives and far higher switching cost”.

  • Only three banks provided payment services for over 95% of the spam-advertised goods in the study:

    Spam Bank Stats

  • There are only two main payment networks in Western countries—Visa and MasterCard.
  • The replacement cost of a bank is high in setup fees, time and overhead. Acquiring a merchant account requires a lot of coordination and time. Banks used by the major affiliate programs were either still the same four months later or had changed to another one in the set identified above (only one new bank appeared four months later—Bank Standard in Azerbaijan).

Perhaps a solution is for banks that issue credit cards in Western countries to refuse to settle certain transactions with banks that support spammed goods with specific Merchant Category Codes when the card is not present. All software purchases were coded as Computer Software Stores and 85% of all pharmacy purchases were coded as Drug Stores and Pharmacies. There were some exceptions however “generally speaking, category coding is correct”. “A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered ‘laundering’ high-risk goods.” Similar policy has been implemented with MasterCard and Visa not allowing US-based customers to transact with online casinos.

The paper concludes: “the payment tier is by far the most concentrated and valuable asset in the spam ecosystem, and one for which there may be a truly effective intervention through public policy action in Western countries.” However spam is probably profitable for banks and payment processors too, so they might be hesitant to do anything about it.

How much spam do you receive at the moment and how much makes it to your inbox? Do you know anyone who has bought something through a spam email?

Image credit: freezelight