Friday, February 27, 2026

Racing for AI ...

I wonder if the complicated, unpredictable, and generally unreliable aspect of our behavior that is known as "personality" simply results from an enormous number of race conditions within our supposed cognitive circuitry.

If so, of course, in order to obtain *true* artificial intelligence, we should not be *too* careful about preventing race conditions among the huge number of processors in the data centres running genAI.

(Of course, in order to explain that thought, I would have to explain what a race condition is ... )

Wednesday, February 25, 2026

Sermon 73 - Muster station, safe and secure


Proverbs 24:11-12

Rescue those being led away to death;
    hold back those staggering toward slaughter.
If you say, "But we knew nothing about this,"
    does not he who weighs the heart perceive it?
Does not he who guards your life know it?
    Will he not repay everyone according to what they have done?

2 Corinthians 1:4

who comforts us in all our troubles, so that we can comfort those in any trouble with the comfort we ourselves receive from God.


Recently, at a church, I saw a sort of an observation, a kind of a meme, illustrated with a picture of the cross, with a sign low on its upright, indicating "muster station."  The observation went on to note that for us (Christians definitely, but possibly all human beings in general), our muster station was at the cross.

It is a lovely and possibly inspirational note.  But it probably deserves a bit more examination in terms of what a muster station actually is.

First of all, there is the word muster.  Muster is to gather, to assemble, particularly in the face of a threat.  The word muster is used in the Bible.  The concept definitely is.  The trumpet sounds, and the people come together to face a problem or an assault.  This is probably most clearly outlined in the book of Nehemiah.  The people were rebuilding the wall of Jerusalem, and they definitely had some enemies who did not want this to happen.  So Nehemiah gave instructions that the people who were working on the wall would work with one hand holding a sword or a spear, and the other doing the actual construction work.  They would also have trumpets, and, if any part of the wall was attacked, those who were being attacked would sound the trumpet, and all the other workers would assemble, with their weapons, ready to repulse any attack. That is mustering.

Mustering also took place, through the ages, when a sample of the local populace would be called to support the lord or king in a war, either of defense or of conquest.  Those who had more experience in battle, and possibly weapons, would muster, or assemble, and would then travel to muster, or assemble, into a larger army.

These days we don't do that.  We have a standing army, a professional army, and those people have means of communication, and will receive orders to assemble in support of whatever project the army is engaged in at the moment.  So we still have mustering, but most of us know the word muster in terms of a muster station.

The muster station is a place of assembly in the face of a threat.  But we are not necessarily assembling to fight the threat, regardless of what the threat is.  In our day and age, a muster station is a place where an office, or a building, or a school, or any group or subgroup of the population, is under threat.  There are muster stations on ships, in case of some problem with the ship that might render it unseaworthy.  There are muster stations outside of buildings, in the case of fire.  So, it isn't anymore primarily a human threat, of an enemy come to attack us, but it's a threat nonetheless.

But we are not asking the people who are mustering to prepare to face the threat.  These days, mustering at a muster station is primarily about ensuring that everyone is safe.  It is about safety.

And, at this point, I want to digress to a topic in this regard.  Generally speaking, when we get to a muster station, one of the first things that happens is a headcount.  We count that everyone is here.  That everyone is out of the burning building.  That no one is locked in their ship's cabin.  We count to make sure that everyone is here, and therefore safe.  With us.

And this is an important point.  I'm going to come back to it to a certain extent, but this business of counting your people, checking on your people, making sure that everyone is safe, is an important point, and probably one that I should address in a completely separate sermon as well.  How often do we see someone, week in, and week out, coming into our church, and leaving, looking somewhat despondent, and we never check on them.  We need to count our chicks.  We need to check on those who come to us.  Maybe it's someone who comes and goes, and nobody talks to them.  Maybe nobody even knows what their name is.  Why don't we know what their name is?  Why don't we know why they are looking despondent?  Why don't we know why they never talk to anyone?  We need to check that these people are safe.

We want to make sure that everyone is safe and secure.

Safe and secure.  We use that phrase all the time.  We don't really realize how strange that phrase actually is.  We see safe, and secure, as synonyms.  That safety and security are the same thing.  And, for those of us who actually do know about security, that is definitely not the case at all.

To explain how strange the phrase safe and secure actually is, and even to explain the concept of security, we have to talk about failure.

When I published my first book, after having talked about computer viruses and what they were, and given a little bit of the history and some examples of computer viruses that had been doing the rounds, I started in on the chapter on protection.  And I started off the chapter by saying in order to protect your system, you have to assume that you are going to fail.  Or, at least, you must never assume that you are going to succeed.

That may sound strange to those of you who do not work in security.  Actually, this was fairly early in my security career, so I'm a little bit surprised, myself, that, at that early point, I did understand this concept.

When somebody asks you to secure their systems, or their premises, or their enterprise, or whatever it may be, and you ask them how much security they want, the answer is pretty much always the same: 100%.  Of course, for those of us who actually know anything about security, we know that there is no such thing.  There is never 100%, guaranteed protection.  It just doesn't exist.  It flies in the face of the laws of physics, and any other universal laws that there may be.  You just can't have perfect.

Of course, as Christians, we should understand this.  We are called to be perfect, just as our Father in heaven is perfect.  But we also know that we can't be.  We are imperfect.  We are sinners.  We can never, by our own efforts, achieve holiness, or righteousness, or perfection.  We are sinful, and that is it.  And, as we have fallen, so nature has fallen.  The entire world, the entire universe, has fallen and is imperfect.  Possibly in heaven you can have perfect security, and possibly in heaven you can have a perfectly reflecting surface: I don't know what God has done about the laws of physics in heaven.  I don't know whether you *need* any laws of physics in heaven.  But, here on this fallen earth, we cannot have perfection.  And, we cannot have perfect security.

So, in our imperfect world, we, as imperfect security experts, in our attempt to provide what security we can, have to assume that any particular security protection will be imperfect, and will fail at some point.  So we build what we refer to as defense in depth, or layered defense.  We look at the protection that we are putting in place, and try to figure out the most likely place, and extent, to which it will fail.  And then we put another protection in place, which will, hopefully, catch some of the threats that get past the vulnerabilities in the first protection.  And we may put a third protection in place, and possibly other multiple layers of protections.  Knowing, all the while, that while we are increasing the level of protection, and increasing the security, and decreasing the threat of an attack actually succeeding, we are never going to get to 100%.  We are never going to get perfect security.

So we turn to another concept in security, again based on the idea of failure.  We look at the different protections available to us, and we decide whether we want the system to fail safe, or fail secure.

To fail safe means that, even if the system is damaged, it will still function to a certain extent.  So, do we want our computer system, say, to continue to operate, even if the access controls are not working quite right?  This means that the system is failing safely.  This means that the information, and possibly certain functions, are still available to us, even though they might not, anymore, be protected against other people.

The other option is fail secure.  Fail secure means that, if the system is damaged, it will protect our assets and keep them from being obtained by anyone else, even if that means that we can't get at them, either.

Now that may sound somewhat academic when we are talking about a computer system.  After all, while just about all of you will interact with a computer at some point (pretty much every day these days), you don't necessarily manage the computer system.  You weren't responsible if someone breaks in and steals some information.  But the concepts of fail safe, and fail secure, don't apply just to computer systems.  They can apply to other things as well.

So, for example, let us consider a fire door.  What do you want to happen if there is a fire in the building?  Most buildings, most large businesses or commercial enterprises, will have magnetically locked doors.  The doors are held closed by electromagnets.  If the power in the building fails, then the doors are unlocked, and anyone can enter.  But, by the same token, anyone can leave, as well.  Therefore, if the building is on fire, you want all your employees and possibly customers to be able to leave the building as quickly as possible, in order to get to the muster station and be safe.

That's fail safe.  But there are some situations where we use fail secure, even on a fire door.  If you are in a high security military installation, and you are near a fire door, and the fire alarm goes off, get away from the doorway.  High security military installations, and, generally speaking, Navy ships, are built on a fail secure concept.  Fire doors in those types of situations will shut, relatively soon after the fire alarms start going off.  It's important that they shut.  It keeps the installation secure.  And if you are in the way of one of those doors, and the doors start to shut, then the doors will shut.  Regardless of whether or not you are in the way.  That is definitely not safe.  It *is* secure.  That is why safe and secure are not synonymous.

Okay, we want to return to assembling in the face of a threat, and muster stations.  Now there are some pretty constant threats in our environment, as Christians.  We are under constant threat from the temptations of the world.  We are under threat from the false idols of the world.  We are under threat from God.  After all, God is God, and God is holy and righteous, and we are sinners, and God has every right to destroy us for our sinfulness.  But God has covered that, so we need not fear it.  But that does give us a bit of an indication of where "at the cross" would be.

I mean, we talk about meeting God, or meeting Jesus, at the cross, all the time.  We don't really think about what it means.  Individually, yes, we are coming to God in humility and gratitude for the sacrifice of Jesus that brought us salvation.  But that isn't assembling.  That's us individually.  So, fairly obviously, "at the cross," in terms of mustering and assembling for safety, is the church.

And this brings up an important point about what the church should be.  A muster station is kind of the ultimate definition of a safe space.  We are assembling in the face of a threat.  Therefore, we want a space where people will be safe from threats.  And so that gives us an important idea of what the church should be.  The church should be our muster station.  The church should be a safe space.

We use that phrase, safe space, quite a lot.  It's likely that we have kind of forgotten what it should mean.  The space should be safe.  It should be safe from threats.  It should be safe from *all* threats.  And, because the space is a space for gathering, for assembling, then that means that the space should be safe from us, as well.  Anybody who inhabits the safe space has to respect the safety of the space.  They have to respect the fact that other people have needs, and fears, and triggers, and that you have to be gentle, and non-threatening, with anyone in the safe space.  Even if you are in the safe space, yourself.

The church should be fail safe, not fail secure.  We do not need to keep the church, the safe space, the space that keeps us safe from threats, secure.  Yes, we have to keep it safe.  We do have to provide protection against threats, even threats from ourselves.  But we do not have to secure the church.  After all, what is the church?  As we frequently point out, the church is not a building, or even, really, an institution.  It is not the rules that we create, even though we create rules to help maintain the church, and to keep it safe for those within it.  But the church doesn't have to be secured.  The church is, quite simply, all the people of God.  Wherever two or three are gathered in His name, that is the church.

We do not have to secure God, or God's holiness and righteousness.  Even to entertain that thought sounds a little bit like blasphemy.  After all, God is God.  God is secure, in and of himself.  God is who He is.  His holiness, and His righteousness, are inherent in God's nature.  And, after all, what could we possibly do to protect God?  God is all powerful.  We are pathetically weak.  God is Holy.  We are sinners.  God is righteous.  We are imperfect and fallible.  There is nothing we can possibly do to protect or secure God.  And, indeed, nothing that we need to do to protect God, or secure his holiness.  God is God.

We couldn't do that anyway.  And the church should be safe for sinners.  God calls sinners.  Jesus came for those who were sick and needed a physician, not those who were righteous.  Which is a good thing, since we are all sinners, and none of us are righteous.

God does not, of course, need us to keep people safe.  God can keep others safe, and even secure, in the same way that God is, Himself, inherently secure.  God doesn't *need* us to do anything.  However, God has offered us the opportunity to help keep people safe.  Are we going to take that opportunity, or are we simply going to ignore it?


Monday, February 23, 2026

It couldn't possibly be a scam, could it?

Background: the Widowed Village organization (associated with Soaring Spirits International) has a "pen pal" offering.  (Someone asked if Widowed Village is, itself, a scam.  I doubt it.  They do seem to have taken steps to protect their members, although those steps seem to be insufficient.  I believe the organization is honestly wishing to do service to those in distress, although, as with all too many such, I wonder if they have put enough effort into ensuring that their services are actually helpful, or sufficiently address the possible risks.)  I've been "matched" with six pen pals, only one of which has continued beyond two transactions (one stopping immediately after a mention of my research into grief scams).  However, I've noted that he (all the matches seem to be the same gender, presumably as a minimalist protection against romance/grief scams) hasn't really said much about himself, although he always commended me on being so honest and open.

"Edmund" is 49 and has an 18 year-old daughter who means the world to him (but whom he never otherwise mentions).  I told "him" a lot about myself (including the fact that I was a security expert), and even more was available in my blog.  "He" was always appreciative.  The only thing he really mentioned about himself was a major road-building contract coming up in the Middle East, which needed investment.  (Hey, I'm a professional paranoiac.  At this point I'm starting to see signs of a potential scam.  But I keep going.)  

So, after eight transactions back and forth, today I received:

***
Meanwhile, I met a woman here in Turkey who is in her early 60s. She’s a gemstone trader and is currently facing a difficult situation. She came to Turkey to purchase some gemstones to bring back to the United States but was held at the airport for not having the required export license. Now, she’s facing the possibility of a four-year jail sentence.

She explained that she has a trust fund left to her, which she needs to claim in order to get the finance needed to resolve her issues. The trust has a mandate that it must be claimed with a man present in her life. She is a widower, and I want to be clear that I cannot get involved with her personally.

Would you be interested in communicating with her or offering any assistance?
***

1)  Hands up those who think that this is a variant but fairly classic grief scam, with an initial approach by someone presenting as male to get around the system's grief scam protection, and then redirecting me to the scam?

2)  Hands up those who think that this guy is, himself, as a widower, being grief scammed, and I should warn him?

3)  Hands up those who think that I have let my professional paranoia run away with me, and I am throwing away a golden opportunity to meet, aid, and fall madly in love with this age-appropriate and wealthy woman who needs my assistance?

Anyway, I carried on, although I did note that neither gem trading nor legalities were my specialties.  (OK, I lied a bit about not being familiar with the law.)  Now, at this point, "Edmund" seems to get impatient, and (as I had asked him about his daughter) seemed to mess up his response:

***
My daughter is doing well, and I plan to see her when I leave Turkey.  I hope you might have the chance to get to know each other. I know she is looking for a trustworthy man to help her with a power of attorney so she can have easier access to the trust fund left for her.
***

So I messed with him a little on that score, but kept going.  However, by this time I had also alerted Widowed Village, and they had started an investigation, so I suspected that that scared him off.

Oh, but wait!  Before he disappeared, he gave my email address to "Debra."  In "her" second message to me, "Debra" noted that "she" was keeping an open mind as we get to know each other as life has taught "her" that meaningful connections often begin with simple conversations, and "she" looks forward to learning more about me.  Outside of work, "she" enjoys simple pleasures.  "She" likes taking walks, listening to good music, reading, and spending quiet time reflecting or enjoying nature.  "She" also enjoys travelling when "she" can, trying new foods, and having relaxed conversations with good company.  "She" values honesty, kindness, and a good sense of humor.  (I note that this seems to be copied directly from "How to Write A Generically Attractive Dating Profile in 25 Words or Less.")

My colleagues have been interested enough in this tale to ask me to continue the conversation, so I'm updating the progress of the scam here in expanding this posting over time.

"Debra" had been quiet for a couple of days, and I was wondering if "she" had twigged to the fact that I know that this is a scam.  But today she sent me a picture!  (Of a woman who, five years ago, was running a vintage fashion business.)  She also responded to my email, praising everything that I wrote--and saying almost nothing about herself.

In her most recent two messages, "Debra" has included additional pictures with each.  I'm learning more about Google Lens and the reverse image search capabilities, but the additional pictures provide little to go on.  The pictures could be of the same woman, but, given the "similar" pictures that Google pulls up, they could just be "blonde woman, older but still socially active and visiting the hairdresser quite regularly."

I'm falling down on the job: I should be posting more analysis of the content of the emails.  The primary characteristic is "frictionless."  The emails are as polite (and pretty much as content-free) as a conversation with a genAI chatbot.  (It is not beyond the bounds of possibility that an AI tool is involved.)


To be continued ... (possibly ...)



Online scams, frauds, and other attacks (OSF series postings)


Sunday, February 22, 2026

Wednesday, February 18, 2026

Woke

When did the word for being a conscious and thinking entity become an insult?

(And why?)

Monday, February 16, 2026

Isaiah 49:20-21

The children born during your bereavement
    will yet say in your hearing,
'This place is too small for us;
    give us more space to live in.'
Then you will say in your heart,
    'Who bore me these?
I was bereaved and barren;
    I was exiled and rejected.
    Who brought these up?
I was left all alone,
    but these—where have they come from?'

Thursday, February 12, 2026

Wrong place

I figure that I am always the wrong person in the wrong place and situation.

I am a scientist who believes in God.  I am a believer in discourse and consensus, in a world full of division and denial.  I am a devotee of lifelong learning, in a church that has reached new heights of anti-intellectualism.  A protector of those who think that they are too street-smart to be tricked or trapped.  I am a believer in donating everything that you can, in a world that believes every need is an opportunity for a side hustle.  A teacher in a society where most people avoid learning anything they can.  I am a believer in partnership and relationship, in a society which believes everything is a transaction.  A specialist in information security, in a world where no one wishes to take any account of risk.  I am a specialist in information integrity in a world which no longer believes in the truth.  I am a depressive in a society that worships positivity (even if toxic).

OSF - 3.20 - spam - packages

Package scams are probably yet another variant in the general class of advance fee fraud.  Package scams, as well as various gift and lottery scams, have been around for quite a while, but they really picked up during the pandemic, when everybody was ordering things online.  Online ordering, and delivery services, are still quite active, and so package scams are still around.

I have a possible advantage over the scammers, in regard to package scams.  At one time I did a lot of reviewing of technical books, and so I was receiving an awful lot of packages, of books, through the mail, or via the various delivery services.  Therefore, I was more aware than most people of the announcements that you would, and would not, receive from delivery services, and so I was more able to identify the variations that indicated that something was a scam.

As with any advance fee fraud, there is the promise of a benefit to come, dependent upon you paying some kind of fee in advance.  In the case of packages, or the free gifts mentioned earlier, the fee is generally fairly small.  Usually, package scams are a kind of a one-off fraud, rather than the ongoing requests for a constant stream of fees or assistance that are part of the classic advance fee fraud.  However, it is possible that some of the package scams may involve an initial small fee, perhaps five or ten dollars, and only later report that you need to pay extra taxes or duty.


Package scams very often come via text, rather than email.  In this case, it offers us a bit of a twofer, in terms of red flags.  The first message is for a delivery scam.  How do we know?  Well, Canada Post isn't likely to host its rescheduling Website in Hong Kong (.hk).  So that's one indication, for a start.  However, as chance would have it, these particular scammers seem to be involved in a number of different scams.  You'll notice that both messages came from the same number, and one is for a completely different scam (threatening that you have not paid your Disney+ account).


These texts didn't come from the same number: this is from my reporting of spam to a research account.  However, you can see that there are a variety of package scam attempts: one purportedly from Canada Post, one from DHL, and one unnamed.  Notice also one mention of a "border fee."


I really love this one.  They've put a bit of thought into the social engineering: in order to prove that they actually have a package for you, they've sent you a *picture* of it!  Relatively few people would think to question the fact that the picture isn't clear enough to indicate who sent it, or to whom it is addressed.  I mean, it's not possible that someone just took a picture of *any* package and sent it to you, is it?


Wednesday, February 11, 2026

OSF - 3:15 - spam - red flags 3

A few more issues that can indicate that you should maybe not trust this message.


One of the things that you should watch for is any indication that the party that actually sent the message is not the party that the message is supposedly from.  In the case of this message, it is supposed to be from Shaw, who provide my Internet service.  Obviously I want to continue my Internet service, but, in this case, the message doesn't come from Shaw (a Canadian company), but from BTConnect, a British company.  Obviously a Canadian Internet provider would have no need to route their email via a different provider in Britain.

But there is another factor here, and that is a problem with Shaw.  Shaw, in providing an interface for email, should be providing its users with the information about who sent the message.  Shaw does not.  The creator of this message has crafted the message such that the "personal name field" shows "Shaw."  But Shaw, in presenting the message, does not provide the actual email address, only the personal name field.  The only reason that I was able to quickly figure out that "Shaw" wasn't the actual sender was that the images in the message were stored on an external server, and the email system balked at displaying them.


There are a bunch of fairly obvious red flags in this message.  Supposedly it is in regard to a Google Workspace.  Right off the top, we should suspect that nobody who works for Google would need, or even be allowed, to use an obviously external email server such as defence-s.org.  Then there is the fact that VCN (and particularly my account on it) isn't run by Google.  In addition, the link to contract.lisojea.contractors is extremely suspect.

However, note that the user interface for this system does at least give you this information rather than hiding it.
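
The two checks described in this post (the real sender address behind the "personal name field", and where the links actually point) can be automated.  The following is an added example, not part of the original post and not any mail provider's code; the brand-to-domain table and the sample messages are constructed assumptions, with the suspect hostnames taken from the messages discussed above.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Assumption: the domains each brand legitimately sends from and links to.
# A real deployment would maintain this table; it is not taken from the post.
BRAND_DOMAINS = {
    "shaw": {"shaw.ca"},
    "google": {"google.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_allowed(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def _parse(raw):
    """Parse a raw message; return (message, first From address or None)."""
    msg = message_from_string(raw, policy=policy.default)
    hdr = msg["From"]
    addr = hdr.addresses[0] if hdr is not None and hdr.addresses else None
    return msg, addr


def sender_line(raw):
    """What a mail client should display: the personal name AND the address."""
    _, addr = _parse(raw)
    if addr is None:
        return "(no sender)"
    if addr.display_name:
        return f"{addr.display_name} <{addr.addr_spec}>"
    return addr.addr_spec


def analyze(raw):
    """Return (finding, brand, host) tuples for brand/domain mismatches."""
    msg, addr = _parse(raw)
    display = addr.display_name if addr else ""
    domain = addr.domain.lower() if addr else ""
    # A brand is "claimed" if it appears in the personal name or the subject.
    claimed = set(re.findall(r"[a-z0-9]+", f"{display} {msg['Subject'] or ''}".lower()))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    link_hosts = sorted({urlsplit(u).hostname or "" for u in URL_RE.findall(body)})

    findings = []
    for brand in sorted(BRAND_DOMAINS):
        if brand not in claimed:
            continue
        allowed = BRAND_DOMAINS[brand]
        if not host_allowed(domain, allowed):
            findings.append(("sender-domain-mismatch", brand, domain))
        for host in link_hosts:
            if not host_allowed(host, allowed):
                findings.append(("link-domain-mismatch", brand, host))
    return findings


# Constructed sample messages modelled on the two screenshots described above.
MSG_SHAW = (
    'From: "Shaw" <accounts@btconnect.com>\n'
    "Subject: Your Internet service will be interrupted\n"
    "\n"
    "Confirm your account: http://images.example.net/confirm\n"
)
MSG_GOOGLE = (
    'From: "Workspace Team" <notice@defence-s.org>\n'
    "Subject: Google Workspace storage notice\n"
    "\n"
    "Review the document: https://contract.lisojea.contractors/doc\n"
)
# Constructed legitimate-looking message for comparison.
MSG_OK = (
    'From: "Shaw" <billing@shaw.ca>\n'
    "Subject: Your bill is ready\n"
    "\n"
    "View it at https://my.shaw.ca/bill\n"
)

if __name__ == "__main__":
    for raw in (MSG_SHAW, MSG_GOOGLE, MSG_OK):
        print(sender_line(raw), analyze(raw))
```

Exact word matching will not catch lookalike spellings of a brand name; the point is only that the personal name and the sending domain are independent fields, and a client that shows one without the other hides the mismatch.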


OSF - 2.40 - scams - naive AI?

In a posting about recent activities on Moltbook, someone made the observation that AI agents are pretty naive.

The observation was in regard to the ability of agents to successfully perform various tasks, but my professionally paranoid mind immediately went in another direction.

As we use them more, and particularly as we use them on the Internet, AI agents are going to get scammed.  Since I'm writing up a bunch of material on scams right now, this is kind of top of mind for me.

OK, probably most AI agents don't have any money, so, I can hear you say, how can they get scammed?  Well, they do have access to something of value: they have a lot of information about *you*.  In order to make them more useful to you, you've given them a lot of information about you.  You've probably given them access to a lot of your online accounts.  (Possibly you've given them access to your bank accounts and credit cards, in order that they may make purchases for you?)

And this, of course, is only one way in which AI agents could be scammed.

Somebody could claim to *be* you, and give them new orders.  Botnets on steroids?

I suspect somebody needs to think about this ...




Tuesday, February 10, 2026

OSF - 3.10 - spam - red flags advance fee

OK, most of these will have something to do with variations on advance fee frauds.


First of all, we've got this one.  You may not recognize it as advance fee fraud, because, in this initial message, it just says that you have won the lottery.  However, lottery winnings, particularly for a lottery that you have never entered, have become a very common come-on for advance fee fraud.

This is, of course, very fancy and official looking.  After all, nobody could go online and get the logo for FIFA in order to create a fake, could they?  It's even got a barcode, so it *must* be official!  (There are lots of sites on the Internet that will help you create all kinds of barcodes.)  In terms of lotteries that you have never entered, it says that it is your *email* address that has won.  That sounds reasonable, right?  Well, it has become an indicator that this is, in fact, an advance fee fraud.  That particular rationale has been used in a lot of examples of this type of fraud.

You will notice that it does not, initially, mention any kind of fee.  But you'll also notice that there are all kinds of oddities in regard to releasing the funds to you.  For one thing, it says to keep this confidential.  That is common in order to discourage people from discussing this message with others, and possibly being warned that it *is* a fraud.  Also, the money is to be released to a bank in South Africa.  This then allows the scammers to claim all kinds of bank transfer fees, and you'll have no way to verify that, because it isn't likely that you live in South Africa.

They seem to want a lot of information about you.  Even if you only replied with that data, and refused to pay any fees, they could likely collect and use, or sell, that information for subsequent phishing scams.

Then there is the fact that, even though this is supposed to be associated with FIFA, the contact email is a GMail account, which anyone can create.  Then there is the verification of the winning number, which is to be via the PowerBall lottery in the United States.  (They probably pick a combination of numbers that *has* been drawn in the PowerBall lottery.  Which would have nothing to do with a FIFA lottery.)

Oh, and the FIFA lottery?  You don't win money in the FIFA lottery.  You win the chance to pay FIFA a lot of money in order to buy tickets for one of the FIFA games ...



This is a message I received, recently, that was the opening of the gift card variation on advance fee fraud.  I replied to it, wondering what it was about, and got this in reply:


I did a bit of digging on this one, and this person is, actually, Senior Pastor at the church noted above.  But the message is undoubtedly not from him.  I have received messages in a similar vein, from unknown people, people that I do know, and even relatives.  In this case, their email address and account have been obtained, probably through a phishing attack, and are then used for this type of scam.  As with the grandparent scam, the rush and urgency will require, at some point, that you send the gift card numbers, probably in another email, and then, as previously noted, the value is used and gone.



In this list, notice that several mention cash or benefits.  Once again, supposedly you have come into some kind of windfall, and you only have to claim it!  (*After* you pay the fees, of course.)

But also notice that at least four of the messages are addressed to "Josefina."  One of the things that I am very used to is people incorrectly giving *my* email address as *their* email address.  So I have lots of email messages addressed to Ralph, Rufus, Roger, Ruth and others instead of my actual name.  And I'm used to spammers trying to *guess* at what my name might be.  But how do you get "Josefina" out of my name, or email addresses?  So I started to suspect that this is actually deliberate.  The scammers, trying to trick the greedy, and deliberately addressing a name that is very uncommon.  Social engineering comes into play again, since they assume that some people will feel that they can get in on cash that is rightfully Josefina's!  (And, figuring that they are pulling a fast one, will not be as aware of the fact that they are the ones getting taken ...)


And this is probably something along the same line.  The greedy will possibly assume that they can get away with someone else's Bitcoin purchase, by intercepting the email invoice that has gone astray.  And they are less likely to be watching for the indications that this is, in fact, a fraud.


At one point they were doing a lot in this regard with casino winnings.



Another very common variation in the advance fee space is in regard to inheritances.  Someone has died, and you are part of the estate.  Sometimes somebody has died, and you actually *aren't* part of the estate, but an unscrupulous barrister is willing to split the takings with you.  Beware of all enterprises involving the purchase of new identities.


Monday, February 9, 2026

OSF - 3.05 - spam - red flags 1

So, here are some indications that the email, or text, that you have received may have some issues that you might be concerned about.


Actually, here's one to be concerned about, regardless of whether it's a text or a call.  Supposedly I have received a call (which I didn't pick up) from 604-555-1212.  If you watch a lot of TV or movies, you will recognize the 555 exchange.  It is, in fact, a reserved exchange, regardless of the area code it is under.  There are some numbers in it that are used purely by the telephone companies, for internal purposes.  There are no legitimate numbers that will call you from the 555 exchange, and that is why TV and movie phone numbers always use that exchange: nobody does, and nobody will.  (555-1212 was, at one time, and in some areas, used as a directory information number.)


This comes under the heading of, "if it seems too good to be true, it probably is."  All (well, *almost* all) of these messages are offering you something for free.  You have won a free prize, and all you have to do is confirm your account (which lets them steal your account) or pay the shipping fee, or the handling fee, or both fees, one after the other, and then possibly an additional fee after that ...  Sometimes this is a version of advance fee fraud, and they will be after you for multiple fees.  Sometimes they are after your account, and you may think that your account is of no value: after all, it's not a *bank* account.  But email accounts, social media accounts, and other "free" accounts can have a lot of value, even beyond the nuisance value of having to get a new email account and contact everyone.  For example, these days, a great many other accounts are tied to your email account, and you could lose all of them, as well.

This type of attack is a kind of subset of the larger class known as phishing attacks.  These are messages that attempt to obtain information from you, that can be used in other attacks.  Very often the information is about you: personal information, but not necessarily *too* personal.  For example, what were your parents' names at birth?  Since many systems suggest that you use your mother's maiden name as a security question, this is information that can be used to break into your accounts.


This particular spam came via text, but it points up a warning that applies to texts, email, and even Websites.  The message says to make a claim at https://bit.ly/ICBCcove .  There are a couple of points to make.  The first is the https.  Some people may have been told, or believe, that this provides for some level of security.  It doesn't provide any security against scams or frauds.  The second issue is with regard to the site bit.ly.  This site is a URL redirector.  It is usually used simply to shorten URLs, but it can also be used to specify a particular name.  So, just because it *says* ICBC, it doesn't really mean that ICBC has anything to do with it.  Since it is a redirector, all it really means is that you have no idea where this link is sending you.  Always be somewhat suspicious of these types of links.


This is a fairly common type of spam, and scam.  These particular people are trying to steal your email account, and, as noted above, there are a variety of uses and values that they can obtain from it.  The red flags here start with who this email is from.  On the top line, towards the right, you will notice that the email is from someone at AOL.  I really can't see why someone in authority to remove your account, at Microsoft (*not* Micro Soft), needs to use an AOL account for email.  Also, as I pointed out, Microsoft is unlikely to spell or format their own name incorrectly.  The 48 hour time limit is yet another use of social engineering to panic people and get them to make decisions in haste, and without considering these factors.  (The "Dear Customer" salutation is also a bit of a flag.  If you actually *are* a customer, presumably they know who you are.)  The mention of the account not being updated on their servers is another oddity: *you* don't need to update *their* servers.

This particular message came to an Outlook (Microsoft) account that I have and do use.  Outlook is particularly bad at spam filtering, and (rather oddly) particularly at identifying and filtering this kind of messaging attacking their customers' Outlook email accounts, which are often tied to other Microsoft services.  As noted, I do receive legitimate email on this account, but much of the time I find that at least three quarters of the messages I receive via Outlook are attacks on the Outlook account itself.  (Just something to consider when you are choosing email services.)
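The red flags described above (the sender's domain, the misformatted company name, the "Dear Customer" salutation, the 48 hour deadline) and the shortened link from the text message before it can all be checked mechanically.  The following Python is an added example, not part of the original post; both sample messages are constructed, and the brand-to-domain table and the list of shortener hosts are illustrative assumptions rather than complete lists.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains each brand really sends mail from (illustrative, not exhaustive).
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "outlook.com")}
# Assumption: a few well-known URL redirector hosts; bit.ly is the one the post mentions.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(customer|user|member|account\s+holder)\b", re.I | re.M)
DEADLINE = re.compile(r"\b\d+\s*-?\s*(hours?|hrs?)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)


def brand_pattern(brand):
    """Match the brand name even when it is split by spaces ("Micro Soft")."""
    return re.compile(r"\b" + r"\s*".join(map(re.escape, brand)) + r"\b", re.I)


def red_flags(raw_message):
    """Return the list of red flags found in one raw RFC 822 style message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = " ".join([display_name, msg.get("Subject", ""), body])

    flags = []
    for brand, domains in BRAND_DOMAINS.items():
        mentions = [m.group(0) for m in brand_pattern(brand).finditer(text)]
        if not mentions:
            continue
        # The message claims to be from the brand: does the sender's domain agree?
        if not any(sender_domain == d or sender_domain.endswith("." + d)
                   for d in domains):
            flags.append("sender_domain_not_brand")
        # A company is unlikely to put a space in the middle of its own name.
        if any(re.search(r"\s", mention) for mention in mentions):
            flags.append("brand_name_misformatted")
    if GENERIC_SALUTATION.search(body):
        flags.append("generic_salutation")
    if DEADLINE.search(body):
        flags.append("deadline_pressure")
    # A redirector hides the real destination, whatever name follows the slash.
    if any((urlparse(u).hostname or "") in SHORTENERS for u in URL.findall(body)):
        flags.append("shortened_link")
    return flags


# Constructed sample combining the flags discussed in the post.
SAMPLE = """\
From: "Micro Soft Account Team" <constructed.sender@aol.com>
To: reader@example.com
Subject: Account removal notice

Dear Customer,

Your account has not been updated on our servers and will be removed
within 48 hours. Confirm it here: https://bit.ly/PLACEHOLDER
"""

# Constructed message with none of the flags, for comparison.
BENIGN = """\
From: "Microsoft Billing" <billing@microsoft.com>
To: reader@example.com
Subject: Your receipt

Hello Pat,

Your receipt for this month is attached.
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE))
    print(red_flags(BENIGN))
```

A message that raises none of these flags is not thereby proven safe; the checks only catch the particular tells discussed here.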

More to come ...


OSF - 2.35 - scams - discord attacks

Once again, as I did before when I talked about how organized these groups and attacks can be, I have to be very careful when discussing discord attacks.

This can be very easily seen as political, primarily because it actually *is* political, although not necessarily in the ways people think about political issues.  A number of the examples that I am going to use are related to nation-state actors, and you may think that in the first place I am attacking certain countries that may be identified with this type of activity, or that, not being a nation state yourself, this doesn't apply to you and you don't need to worry about it.  These ideas are not correct.

As I have said, for almost forty years, I have been researching, and working in, information security.  And I get to talk to people in related communities, like the intelligence community.  Those are the spies.  And the counterspies.  And we talk about things like disinformation.

Now there's misinformation, which is just when you make a mistake, and you believe something that's wrong.  That's bad enough.  But disinformation is when somebody deliberately tells you a lie, designed so that you will believe it.  This has been happening for as long as people have been fighting, and that goes back an awfully long way.  As a matter of fact, possibly we can go right back to Cain and Abel.  God comes to Cain and says, where is your brother?  And Cain tries to tell a lie, without even telling a lie.  He just says, am I my brother's keeper?  But God, of course, sees through this and it doesn't work.

Now, when you are dealing with human beings, and not God, it works a little better.  So, someone tells you a lie.  And they tell the lie that they know you are going to believe.  Because it's a lie about someone you don't like.  And the person who tells you this lie, knows that you are going to believe it, because you are willing to believe the worst about the person that you don't like.  So, you believe that lie.  And you repeat that lie.  You tell that lie to other people, because, of course, you want to cause trouble for the person that you don't like.  Or, at the very least, you want to warn other people about the person that you don't like.

So, you have now become a liar.  Oh, maybe you will object that you don't know that it's a lie, but you're repeating a lie anyway.  So, in fact, you are a liar.  And you know what else you are?  You are now a weapon.  You are the weapon of the person who told you the lie in the first place.  That's what disinformation does.  It weaponizes lies, and it weaponizes people.  And if you believe, and repeat those lies, you become the weapon.  You become evil, or at least a part of evil.  You are working for evil.

You didn't mean to, of course, but that's the way things ended up.

Now, one of my other fields is emergency management.  We deal with disasters.  And one of the things that we know about disasters is that disasters bring out both the best, and the worst, in people.  There are going to be people who try to help during a disaster.  And then there are those who are going to try and take advantage of the situation.

But the pandemic has been different.  For me, personally, the pandemic has been very disappointing.  The pandemic seems to have given everyone permission to be their very worst.  To misbehave, although misbehavior is far too weak a term for what we have seen during the pandemic.  The pandemic has given everyone permission to be racist.  To consider anyone who believes in a different political party or stance to be evil.  To allow people to engage in violence on the streets because they don't like another person's skin color, or facial characteristics, or the political symbol that they put on the back of their car, or they don't like the fact that somebody has an "I got vaccinated" sticker on their shirt, or they don't like the fact that somebody has a vaccines kill bumper sticker on the back of their car.  And everybody just seems to think that because you don't agree with me, I have the right to beat you up or run into your car, or post lies about you.  Oh yes, we're dealing with the lies here.

We'll come back to the lies in a bit here.

As I've said I've been very disappointed during the course of the pandemic by the way that people have been misbehaving.  And I expressed this to a friend and she said, well, it's because they're all grieving.

Now, of course, one of the other things that I am is a grieving widower.  And I have been studying grief.  And I have been studying the ways that people behave when they are grieving.  And in discussing this with a friend, she said, that's because they are grieving.  And suddenly, because of what she said, everything came into focus.  Yes, people have been grieving.

Grief is about loss.  And, during the pandemic, everybody has lost something.  Maybe it wasn't a close friend or family member who died.  Maybe you lost a job.  Maybe you just lost an opportunity.  Maybe you just lost the ability to go down to the pub anytime you wanted for a beer.  But everybody has lost something.

Those who are grieving experience a range of emotions.  But one of the most common is anger.  We are angry about our loss.  But, as human beings, we are not particularly good at identifying why we are feeling anger, or indeed any good at identifying any strong emotion that we are feeling and what it actually is.  Our brain tries to find a reason for the strong emotion that we are feeling.  The reason that it generates doesn't have to be correct.  It doesn't even have to make sense.  It's just a presentation that our brain makes to us about why we are feeling some strong emotion.  So, very often, we feel that we are angry at God.  Or at the universe.  (Or even the person who died, which makes no sense at all.)  Or at that person who has skin of a different color.  Or at that person who holds a different political view.  It's their fault.  Whatever it is.

Thus, we have a whole bunch of people who feel very, very strongly that those people over there are responsible for my pain.  They are angry.  Whether they have any valid reasons or not, they are angry.  And they are taking it out on those people over there.  Maybe they won't actually perpetrate physical violence against them.  But they are certainly willing to believe anything bad about them.  And to repeat any lie that they hear about them, as long as it paints them in a bad light.

There's another thing about grief: desperately intense loneliness.  If you are grieving, you are not just grieving the loss of relationship with one particular person.  You seem to be grieving the loss of relationship in general.  And, therefore, it's almost a cliche that when mom dies, dad, all too soon, falls for some inappropriate female, and forms an inappropriate attachment.

And so what have we seen during the pandemic?  We have seen all kinds of people, joining all kinds of groups, groups espousing all kinds of weird conspiracy theories, just so that they can belong.  To anything.  With anyone.

And so we come back to the lies.  Because of the anger, people are willing to tell lies.  They're willing to believe lies.  Because of the loneliness, they're willing to join with other people who believe lies.

And how does all this fit together?

Well, like I told you, some of my friends are spies.  And they have been noticing that, during the pandemic, various foreign governments, trying to make trouble for those of us who live in democracies, have stepped up their disinformation campaigns.  Because, right now, with everybody angry, and everybody joining with cults and conspiracy theories, everybody is willing to spread lies.  There are all kinds of people who are willing to become weapons of disinformation campaigns.  It's become so prevalent that the intelligence community has a name for it: they call it discord attacks.  People who are our enemies are sowing lies knowing that a large number of us will believe the lies, and spread the lies, and even amplify the lies.  Thus making disinformation campaigns very much more successful recently than they ever have been in the past.

Now, as I have said, a lot of the information and research in this particular area involves nation state actors.  And, you may be thinking that I am saying that certain nation states are attacking our nation state with particular sets of lies.  And you may be thinking that that is unfair.

The thing is, I am not saying this only about other countries attacking us.  Telling lies, in terms of nation states, is basically known as propaganda.  It is a part of what is known as "soft power."  Soft power is an attempt to influence other countries, without actually threatening or attacking them.  Sometimes soft power can be a positive thing.  For example, most countries are involved with foreign aid: sending money and/or aid to other countries.  Obviously, this is an attempt to influence the other countries.  It is an attempt to influence them by doing something positive for them, but there is another term for that: it is often called bribery.  Regardless, it is an attempt to influence other countries, on a nation-state basis, and everybody does it.  It's part of soft power.

Well, discord attacks are soft power as well.  Sometimes it's outright propaganda, but the discord attacks are a little bit less obvious.  Discord attacks are mounted, in terms of propaganda, against different groups in the country that you are trying to influence.  These will be groups that do not agree with each other.  So, what a discord attack will do is to create and submit lies, disinformation if you will, aimed at being targeted in a negative way, against one group, but really, in fact, targeted at the opposite group, by being a lie that the opposing group will want to consume.  It is something that they will want to believe, because it says something bad about the other side.

As I say, so far I have been talking and using illustrations about nation state level discord attacks.  The thing is, it's not just nation states that do these things.  In recent years, this has become extremely common in propagandizing, and attempting to influence either committed groups, or the general public, even within small communities.  People are using discord attacks very frequently, and unfortunately very effectively, particularly within social media.  Some of these discord attacks are aimed at political groups, and, since politics touches pretty much every human activity, I guess you could say that all of this is politics, or political activity.  But this is not necessarily just about right-wing parties versus left-wing parties.  Sometimes it is targeted at small groups within a town, and even within an individual organization.  Anytime there is a division, it seems that people are selling lies to one side, in order to get them inflamed against the other side.

And selling is very often an operative word here.  Particularly in regard to social media, some people are just in it for the money.  Online advertising is still a very significant source of revenue for social media platforms and pretty much anybody else who has a presence on the Internet.  The social media platforms, all of them, push for engagement: the attempt to get the social media user to stay on their platform, read their postings, and spend time reacting to their postings, or forwarding those postings on to other people.  Unfortunately, it does seem to be the case that, for a variety of psychological reasons, the most effective way to keep people engaged on social media is to promote hatred.  To get one group of people upset at another group of people.  And it doesn't seem to matter what the groups are.  As long as somebody is stirring up trouble, and spreading malicious gossip, social media users consume it, and spend more time on the platforms.  That makes the owners of the social media platforms happy, and it enriches the bank accounts of the people who create and spread lies about various issues and groups.

And this is really the entire point that I am trying to make about this kind of attack.  When you read something that upsets you, please do not simply automatically share it with all of your friends.  Find out whether it has any basis in fact, first.  If you are spreading malicious gossip that has been created falsely, purely for the purposes of stirring up trouble, and possibly partly for the purpose of enriching somebody who makes up lies for a living, then you are promoting discord attacks yourself.  You are helping to spread the lies.  You are lying.  You are also helping to enrich the people who create this deceitful disinformation, and do it just because it makes them money.


OSF - 2.25 - scams - advance fee

In calling it advance fee fraud I'm trying to use the most neutral term here.  It's also the most descriptive.  These scams (and there are a great many variations on this scam) rely upon getting people to pay you money, in advance, with the promise that they will receive an enormous return, at a later date.

No, this isn't an investor scam, but it does tend to turn on the same theme and idea.

But this scam also has a number of other names.  Most people would know it as the Nigerian scam.  It is also known as the 419 scam, which is a reference to the section of the Nigerian criminal code that makes this type of scam illegal.

They sent me to teach in Nigeria.  (Twice.  I think they were trying to kill me.)  Do not joke about the Nigerian scam, if you are in Nigeria.  They don't have any sense of humour about it.  After all, how would you feel, say, as an American, if people started talking about an American prince or other leader and rich person, who promised people lots of money, or possibly that they would provide them with favorable new regulations and relief from taxation or tariffs, as long as they sent him a bit of money now, say, investing in his corrupt and fraudulent cryptocurrency scheme, and referring to it as "the American scam?"  You probably wouldn't like it either.

Fortunately, I was an invited speaker to the First International Conference on Advance Fee Fraud, which was arranged by the Nigerian government.  When I informed the classes in Nigeria about this, then they were okay with it, and we could have a reasonable discussion of the fraud.  But they don't like it being called the Nigerian scam, for obvious reasons.

So, I will use an even older name for it: The Spanish Prisoner Scam.  For all I know there are even older versions of it, dating back to the Peloponnesian war, or even the Trojan war.  But I'll stick with the Spanish Prisoner scam.

So, in that version, you would probably receive a letter telling you this story, that a knight, eager for riches and glory, had left his vast estates, and headed out to the Holy Land for the Crusades.  He did, indeed, cover himself with glory, and obtain great riches, in the ensuing crusade.  However, on the way home, somehow he ended up in Spain, and was taken prisoner.  (Spain, at this time, was frequently under Moorish control, and the Moors couldn't be expected to have much sympathy with someone on the Christian side of the Crusades.)  He is being held for ransom.  If you will send the money to pay his ransom, you will be richly rewarded, many times over, when he gets home to his vast estates, and great wealth, and the enormous additional wealth that he has piled up from his activities during the crusade.

See?  You pay a fee, for something, now (the ransom), and you will be richly rewarded later, many times over and above the fee that you are paying for the ransom.  This is the basis of the advance fee fraud.

During the 20th century, a lot of people were receiving letters from Nigerian princes, or people who were head of the Nigerian oil development department, or various other entities, probably based on the fact that nobody was really terribly familiar with the country of Nigeria anyway.  That's how it came to be called the Nigerian scam in recent years.

With the classic advance fee fraud, involving somebody in a foreign country, generally speaking there is a request to help pay the financial transfer fees.  This may be fairly small, perhaps as small as $1,000.  However, after paying that initial fee, then there will be some other difficulty: possibly some additional financial banking fee that needs to be paid before the transfer can be completed.  This time the fee is possibly $2,000.  And then there is another fee, and another, generally increasing every time.  Over time, of course, you end up paying tens or even hundreds of thousands of dollars.  And the reason that people end up paying this amount of money is, once again, social engineering.  Once you have invested a certain amount of money, confirmation bias and other psychological factors tend to kick in, and you become prey to the "sunk cost fallacy."  You have already paid a certain amount of money, you have invested in this process or scheme or project, and so therefore, it stands to reason that you need to continue paying, in order to get your massive reward at the end.  It becomes harder and harder to convince people who are involved in this that the massive reward at the end does not, in fact, exist.

(Sometimes the scammers make it easy for you.  Recently I received an email message from a "Mrs. Oligarch" ...)

I actually received a printed letter version of the scam in the distant past, and I wish I had held onto it over the years. It was fancy, with embossed and gilded letterhead.  Email scammers don't have to go to the same lengths these days, although some do.


This illustration is a kind of variation on the theme: you have won a huge prize, and just have to pay an administrative fee to get it released.  These guys obviously feel that having graphics and logos (and even a barcode!  It *must* be official!) and looking impressive will distract people from the flaws in this letter.  (Again, we'll go into these ones in detail when we get to the "spotting spam" topics.)

There are an enormous number of variations on this.  There may be a rich prince from a foreign country.  There may be somebody who is the head of some development corporation, with access to large amounts of cash.  There may be the wife of some political figure, usually now a widow.  Generally speaking there is some kind of a sob story associated with it.  Very often the people involved are trying to move their vast fortune out of the country in which they currently reside, and are asking for your help in paying financial transaction fees in order to do so.  Or, sometimes, they simply want to use your bank account in order to transfer their great wealth into your bank account, and then you will pay them the bulk of their fortune, once they get out of the country, retaining a large percentage of it as a payment for your help in this matter.  The stories are endless, and, most recently, have turned on vast fortunes that the holder wishes to donate to charity, but is being prevented from doing so by the evil government in their country, and this is why they need to get their fortune out of the country and need your bank account in order to do it.

As I say, the stories are endless.  But they all have the one central theme: somebody needs you to pay money now, and you will be paid back, and richly rewarded, at some future date.


I have recently found a minor variation on this theme.  Once again, as with the grandparents scam, and various others, this involved gift cards.  Somebody will contact you, and ask if you do business with Amazon, or if you can help them out with some matter, and, once you have replied to the initial message, (and there is some additional social engineering involved here: when you have replied to the message, you have a tendency to believe that you are part of the ongoing transaction, and you have a greater propensity to go along with their further requests), then in a subsequent message they will say that they are trying to reward some people in a charity, or an organization, and they are asking your help, because they would like to get gift cards, but are not currently in town, and so would you go and buy gift cards for them, and keep some of the cards for yourself, and they will of course pay the entire bill.  Later.

So, sometimes advance fee frauds are relying upon people's greed.  Or, sometimes they are relying on people's wish to help in a difficult situation. Or, sometimes they are based on people's wish to aid in a charitable endeavor. Like I say, the variations on the scam seem to be endless.

Because of the promise of a reward at the end of the process, there is a regrettable propensity, on the part of law enforcement personnel and agencies, to consider that "you can't cheat an honest man," and that victims of advance fee scams are at fault in the matter.  In some cases, there may be some validity in this.  But this does not take into account the skill in social engineering that goes into a great many of these frauds.  As I say, many times the appeal will not necessarily be solely to the reward that the person will receive.  Oftentimes the story will concentrate on the sufferings of the person who is in distress, and wants to transfer money.  Or, sometimes the version of the advance fee fraud will emphasize a charitable endeavor that is to be established once the funds are transferred.  One of the extremely common versions of this scam that I have seen, for many years, in my spam collection email accounts, talks about transferring money to your bank account, so that you can then retransfer this money to people who are either an established charity, or are setting up some kind of charitable institution.  In this case, of course, you may not necessarily be asked to pay upfront fees, but, of course, in giving access to your bank account as a repository for these funds, your bank account may be drained.
In another version of this bank account sub-variant of the scam, an actual deposit may be made to your account, and you then transfer out the bulk of that money to another account, and only then, with the machinations and clearances involved in bank transfers, does it become apparent that the original deposit to your account was, in fact, faulty, and no money has been deposited to your account, and you can't get the money back that you transferred out of your account, because you did that transfer legitimately, and the bank can't get your money back because the account you transferred the money to has now been closed down, and so you owe the bank the amount of that transfer.  (See discussions of how these scams are organized.)

(There are also details of variants in the section on spotting spam:


OSF - 2.20 - scams - organized

Now, at this point, I want to fulfill my promise to talk about how criminal enterprises, in terms of online scams and frauds operate.

First of all, all the movies and TV shows that you have seen about rum runners during the Twenties and the Great Depression, and all the movies that you have seen about drug traffickers in the more modern age, will not be particularly helpful.  This is not about Vinny and his gang walking into a shop, and saying to the owner, "Nice bridal salon you got 'ere gov'n'r.  Be a pi'y if somebody stampeded an herd of cattle through it."

Criminal gangs of all sorts tend to have contacts with each other.  And, of course, some of them will specialize in certain areas, and can sell this expertise to other criminal gangs, who may need that particular service, while operating in a related sort of business.  So, it is entirely possible, and even probable, that gangs who are in the business of drug trafficking, human trafficking, and other illicit activities of that type may be using the services of specialists in online crime.  For one thing, human traffickers will probably turn to scammers and spammers in order to identify targets that they will want to kidnap, or to advertise false recruiting services.

However, in terms of protecting yourself, it is probably more useful to know that the tasks involved in committing a fraud, and then stealing from someone, laundering the proceeds, or extracting a value from a credit card or a gift card involve a number of different specialties, with different specialized specialists performing different functions in the overall theft.

In the case of the theft of credit card information, your credit card is probably not simply going to be duplicated.  Once you realize that false charges are being made on your credit card, you will probably simply call the bank and cancel that credit card, and be reissued a new one.  Therefore, the credit card will only have value for a short time.  Instead, the organization, which may not be completely under one body, but may be an amalgamation of a number of different groups, each specializing in a different task, may have some people who specialize in social engineering, and therefore handle the fraudulent calls made to you, the people who take the credit card information, and, fairly quickly, make purchases of resaleable items, and have them shipped to people to hold for resale.  The people holding the goods, the people to whom the goods are shipped, and therefore the people who are identifiable in the fraudulent transactions, are, in all likelihood, not criminals at all.  They are, themselves, victims of fraud, recruited by yet other specialists, who have convinced them that they are a part of a legitimate home based business, receiving merchandise, which has been purchased off the Internet, and then reselling and reshipping the merchandise to people who want to buy it.  The management of these holding and reshipping parties, is yet another criminal specialty.

Similar things may happen with regard to gift cards.  If the gift cards are from shops, once again, holding parties, and reshippers, may be dispatched, with the gift card numbers, to purchase resellable items from those shops.  Other types of gift cards will have different means of extracting the value from the card, and laundering the financial benefits.

(These are not the only processes, functions, or specialties that are used in the commission of online frauds.  But these things happen behind the scenes, and knowing about them doesn't help you very much in taking precautions or protecting you against fraud.  The most important point to take away from this is that you are not only up against the person on the phone with you, but a number of others, whom they may not even know.)

As I said, the old movies about rum runners, and the newer movies about drug smugglers, are not very helpful in regard to understanding these systems.  However, there is one movie that I can recommend: "The Beekeeper."  Yes, for most of the run of the movie, it's your standard shoot-'em-up.  But, right at the beginning of the movie, there is a five-minute segment that really does explain how some of these online fraud organizations work.  The scene has the leader of one such group conducting a training session for the actual call takers, and goes, step by step, through one particular way of getting someone to install malware onto their computer, and allowing the organization to get access to bank accounts.  (Here are two versions of video clips from that scene in the movie.)

There are a couple of points that I need to make, but need to be very careful about making.  The first is in regard to theft from bank accounts, and banks.  I am quite sure that just about everybody who works in any banking and financial institution that you will ever encounter is a nice person.  However, The Bank, as an entity, is not run by those people.  The Bank, as an entity, is run by the owners of the bank, and by policies and procedures.  The people that you will meet, at the front lines, are subject to those policies and procedures.  And The Bank, as an entity, and the people who own The Bank, hire lawyers, and pay other lawyers on retainer, to stay up nights, writing those policies in order to ensure that, if it is a matter of The Bank losing money, or you losing money, The Bank is not going to be the one who loses money.  While the people that you deal with on a daily basis at the bank may very well be very nice people, when it comes to you losing money, The Bank, as an entity, very profoundly, does not care.  When The Bank talks about security, it is *their* security that they are talking about.  Yes, I know, The Bank, even as an entity, will make all kinds of statements about keeping your money safe.  And, The Bank, even as an entity, is trying to do that.  But, as I say, if it is a matter of you losing money, or The Bank losing money, The Bank is not going to lose money.

This comes into play in some very interesting ways.  I frequently tell people, in my seminars on online fraud, to prefer using credit cards to debit cards.  Many people don't even know what the difference is between a credit card and a debit card.  And, the differences in charges to the merchants have ensured that merchants are making every effort that they can to encourage people to use debit cards, rather than credit cards.  I am on the boards of enough charitable organizations to know the differences in fees charged, when somebody pays their annual dues with a credit card, versus when they pay their annual fees with a debit card, and to understand why merchants do this.  The thing is that credit cards, in Canada at least, provide you with an extra layer of protection.  If somebody makes a fraudulent charge on your credit card, the law in Canada ensures that your liability for that fraudulent loss is limited.  If somebody makes a fraudulent withdrawal using your debit card, that money is gone.  You will not get it back.

The other point that I have to make with regard to the organization of online fraud, is with regard to nation state actors.  Yes, we have had the idea that hackers, and we tend to believe that the online fraud is committed by hackers, are loners, living in a basement somewhere.  With the organization of online frauds and scams, that tends to not be the case any longer.  These are businesses, even if illegal and illegitimate, and tend not to be conducted by loners, but by groups.  Some of the groups may be quite small.  But some of the groups may be quite large.  And, in some cases, there are various nations which have come to terms with this, and even employ these groups that are involved in frauds and scams.

And this is where I have to be careful, because every time I talk about this, somebody thinks that I am making political statements, and blaming certain countries.  I am not trying to be political about this.  Yes, I do identify certain countries, because that is where the facts point.

The facts are that, because of the organized nature of online frauds, and the variety of specialties that are in use, and the extra layers of protection that communicating across jurisdictional boundaries provides to the groups who are operating in this criminal area, groups of criminals involved in the various specialties of online fraud exist around the world, and in pretty much every country.  But there are certain countries where the governmental authorities have seen benefits in making connections with these groups.

How do I know this?  Well, I work in information security.  A lot of the technologies that we use are either used by, or of great interest to, people who are working in the intelligence communities.  No, nobody has ever been foolish enough to give me any kind of security clearance.  After all, I'm a teacher.  It would probably be a bad idea to give me actual classified information.  But, I have an awful lot of colleagues, who are working in the intelligence communities, and I've even taught some of them.  Let's face it, a lot of my friends are spies.  No, they are not going to give me classified information.  However, we do discuss related issues, and, while they are not going to give away any secrets to me, you can pick up an awful lot by listening, and, when you make observations about these kinds of things, in that kind of world, sometimes your friends are good enough to let you know when you are right (or, when you are wrong).

Like I said, this is organized.  But the functions may be organized in a variety of ways.  We know that there are camps in places like Bangladesh, Cambodia, and Myanmar, where people who have been recruited and trafficked, are, basically, kidnapped, and held in boiler room type situations, where they are given scripts, and forced to make fraudulent calls.  This is one type of group that can exist in a variety of places.  But sometimes the government takes a more direct hand.



Of these two buildings, one is in Moscow, and one is in St. Petersburg.  Both of them are office buildings and home to a variety of companies.  Both of them are home to a variety of specialized types of businesses.  Businesses involving hacking and online fraud.  The Russian government is happy to contract services from these organizations, and the businesses registered in these buildings.  The Russians may use the hacking services to attempt to gain access to secured information systems for espionage purposes, or they may be using hacking services to probe into infrastructure control systems, in order to see if such services can be disrupted.  And, of course, some of the businesses in these buildings are also specialists in certain functions with regard to online fraud.


This picture is of a type of concentration camp in China, in the Uyghur area.  This particular camp is believed to be a center for forcing the conscripted workers to perform hacking and online fraud functions.

China has an interesting, and somewhat schizophrenic, relationship with hackers.  More than two decades ago, we started to realize that China saw hackers in two different ways.  There were the black guests, as the Chinese called them, who were the standard types of hackers that we always considered to be the case in the West: loners, not connected with anyone in particular, and not particularly important.  But there were also the red guests, as they were referred to, who had connections in Chinese business, academia, and even the government and military.  These people would be used by the Chinese government in various espionage operations, and the connections, and uses of these specialists, have only increased over the years.  Therefore, the people who say that dealing with Chinese technology companies is fraught with peril do have significant evidence for their position.

I should say that acting as a hacker, or a fraud operator, in connection with the Chinese government does have its own difficulties.  Recently, a series of operations, that were conducted primarily in Myanmar, had had connections to official Chinese government operations over the years.  However, even more recently, these operations had been conducting attacks against Chinese citizens, and the Chinese authorities finally got fed up with it.  A number of the leaders of this organization were arrested, and the Chinese conducted a number of show trials in bringing these people to justice.

North Korea has been involved in online scams of various types, but has specialized in the theft of cryptocurrency.  At this point, a significant proportion of the country's gross domestic product results from that activity.