Tag Archives: security

Installing DNSCrypt in pfSsense

I don’t think it takes a lot of brainpower to realize why Internet users need to proactively make every effort to protect their online privacy.

Every piece of data that can be extracted with regards to our behavior, will be harvested and sold, with various purposes, from behavioral modeling for targeted advertisement, to potential profiling by 3-letter government agencies that may not agree with that you are trying to view. On the same note, storage has become so cheap over time, that this data could be available for years to come, so searches made today, could conceivable put you in some list years from now.

And one of the most overlooked of all these data sources is DNS. Why do you think Cisco paid $635 million in cash to acquire OpenDNS? or why do you think Google has created an extremely fast and efficient public DNS servers? Out of the goodness of their heart?

ISPs also have vested interest in this data. It’s perfectly feasible for them to snoop on the content of DNS queries and use that data for their own purposes.

Introduction

In order to help mitigating these situations, the DNSCrypt protocol was created. DNSCrypt basically encrypts all DNS queries between your point of request and the DNS provider, making effectively impossible (or extremely expensive) for the interested party in obtaining that data.

Of course, that’s not the whole picture. You need to find a DNS provider that will also respect your privacy. The OpenNIC Project has taken that role for quite some time now, and they maintain a list of Tier-2 DNS servers for both, IPv4 and IPv6 that anyone can reach. A subset of those are DNSCrypt-enabled, and yet another subset, claims to keep no logs whatsoever, another important recommendation if security is your primary motivation.

Now, my router of choice these days is pfSense, but there isn’t a plugin available out of the box, so this guide will show you how to set it up manually. This has been validated in version 2.3.2.

Environment

My pfSense gateway is running as a VM on an ESXi box, connected to a Cisco SG200-20 that provides the VLAN segmentation. For this design, there are 3 VLANs, one external (along with the cable modem), one internal for the local systems, and one dedicated to guests and other untrusted devices (TVs, mobile phones, etc) for both, wired and wireless clients. The guest network does not provide IPv6, while the internal network is dual stack.

Since I use Comcast Business Class, I can request a /56 for prefix delegation, but for the moment, I’m sticking to a /64 to make things simpler to start.

Procedure

  1. From the main dashboard, execute all necessary updates before proceeding.
  2. ssh into the gateway. When prompted with the text-based menu, press 8.
  3. We first put the filesystem in rw mode with /etc/rc.conf_mount_rw.
  4. Next, we allow FreeBSD packages to be installed from non-pfSense repos by editing /usr/local/etc/pkg/repos/pfSense.conf and /usr/local/etc/pkg/repos/FreeBSD.conf. In both cases, change FreeBSD: { enabled: no } to yes. You should also verify that enabled: yes is present in /etc/pkg/FreeBSD.conf.
  5. We now install DNSCrypt with: pkg install dnscrypt-proxy. Say yes to the dependencies.
  6. Optionally, you can get back to no the FreeBSD repos you changed above if you want to be more strict.

At this point we have DNSCrypt installed, so the next step is to test it. For this, we’ll use 4 DNS servers, two with IPv4 and two with IPv6.

Given the ping round trip from my location near San Francisco, it took me a while to find 4 servers that 1) are properly working with DNSCrypt, 2) are stable enough for daily use, and 3) claim to keep no logs.

Keep open the list here. I selected the ones with the following DNSCrypt names:

  • 2.fvz-rec-us-ca-01.dnscrypt-cert.meo.ws (IPv4, Freemont, CA)
  • 2.fvz-rec-gb-eng-01.dnscrypt-cert.meo.ws (IPv4, England)
  • 2.fvz-rec-us-ga-01.dnscrypt-cert.meo.ws (IPv6, Atlanta, GA)
  • 2.fvz-rec-gb-eng-01.dnscrypt-cert.meo.ws (IPv6, England – same as above but on v6)

The list contains also all the relevant data, such as their actual IP addresses, DNSCrypt keys, and available ports. I’ve settled on using port 443 for everything since the chance of that port ever been blocked is close to zero.

So let’s test the first one:

/usr/local/sbin/dnscrypt-proxy \
  --user=_dnscrypt-proxy
  --local-address=127.0.0.1:54 \
  --pidfile=/var/run/dnscrypt-proxy.pid \
  --resolver-address=74.207.241.202:443 \
  --provider-name=2.fvz-rec-us-ca-01.dnscrypt-cert.meo.ws \
  --provider-key=FAC6:3B37:8485:5E43:3CC3:8BBC:FA84:5DCB:8DF0:B683:3BB3:A116:126D:0C29:95CD:899F

This command runs DNSCrypt in the foreground, with all relevant data being forwarded to the stdout.

If everything is working properly, you should see a message like this:

[NOTICE] Starting dnscrypt-proxy 1.4.3
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #808464433 is valid from [2015-02-15] to [2016-02-15]
[INFO] Server key fingerprint is 5B7F:9954:EBFD:8BC5:235D:698C:6F15:1E9F:22AC:5925:79DC:32C6:381A:D12A:8FA0:9179
[NOTICE] Proxying from 127.0.0.1:54 to 74.207.241.202:443

At this point we want to test DNS resolution, so either from a separate SSH session, or in the same after issuing a ^Z and bg, we test a single-server resolution: dig -4 @127.0.0.1 -p 54 slashdot.org. The output should be:

; <<>> DiG 9.10.2-P2 <<>> -4 @127.0.0.1 -p 54 slashdot.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22564
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;slashdot.org.			IN	A

;; ANSWER SECTION:
slashdot.org.		300	IN	A	216.34.181.45

;; Query time: 19 msec
;; SERVER: 127.0.0.1#54(127.0.0.1)
;; WHEN: Tue Jul 14 16:44:38 PDT 2015
;; MSG SIZE  rcvd: 46

which demonstrate this is actually working. We can now kill the instance and test each one of the other ones. For IPv6, the testing syntax is as follows:

/usr/local/sbin/dnscrypt-proxy --user=_dnscrypt-proxy \
  --local-address='[::1]:5353' \
  --pidfile=/var/run/dnscrypt-proxy3.pid \
  --resolver-address='[2600:3c02::f03c:91ff:fe84:dac2]:443' \
  --provider-name=2.fvz-rec-us-ga-01.dnscrypt-cert.meo.ws \
  --provider-key=F584:75C4:5693:317A:1D8E:4232:76E7:9E63:D286:B12D:B472:5FA2:92D3:E714:1E46:459B

This should provide a similar message as the one above. The testing command should be like this: dig aaaa -6 @::1 -p 5353 ipv6.google.com, and the result should be:

; <<>> DiG 9.10.2-P2 <<>> aaaa -6 @::1 -p 5353 ipv6.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14842
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ipv6.google.com.		IN	AAAA

;; ANSWER SECTION:
ipv6.google.com.	77630	IN	CNAME	ipv6.l.google.com.
ipv6.l.google.com.	170	IN	AAAA	2607:f8b0:4002:802::1000

;; Query time: 76 msec
;; SERVER: ::1#5353(::1)
;; WHEN: Tue Jul 14 16:57:40 PDT 2015
;; MSG SIZE  rcvd: 82

Surviving a Reboot

At this point, we have tested all our 4 DNSCrypt connections and verified that they work fine. What we need to do now is to daemonize them, produce a static log file we can monitor, and make sure they will all come up upon reboot.

In order to run them as a daemon, all we need to do is add a -d to the command above. In order to add a log file, we need to append --logfile=/var/log/dnscrypt-1.log. Use different filenames for each daemon.

Next, create a startup script named dnscrypt-start.sh in the directory /etc/rc.conf.d and make it executable. This should contain the commands needed upon reboot to start all the daemons. Mine looks like this:

/usr/local/sbin/dnscrypt-proxy -d --user=_dnscrypt-proxy \
  --local-address=127.0.0.1:54 \
  --pidfile=/var/run/dnscrypt-proxy.pid \
  --resolver-address=74.207.241.202:443 \
  --provider-name=2.fvz-rec-us-ca-01.dnscrypt-cert.meo.ws \
  --provider-key=FAC6:3B37:8485:5E43:3CC3:8BBC:FA84:5DCB:8DF0:B683:3BB3:A116:126D:0C29:95CD:899F \
  --logfile=/var/log/dnscrypt1.log

/usr/local/sbin/dnscrypt-proxy -d --user=_dnscrypt-proxy \
  --local-address=127.0.0.1:55 \
  --pidfile=/var/run/dnscrypt-proxy2.pid \
  --resolver-address=178.79.174.162:443 \
  --provider-name=2.fvz-rec-gb-eng-01.dnscrypt-cert.meo.ws \
  --provider-key=8E14:C710:FA49:6F5E:18D7:DA15:6E80:5CDD:F666:299F:438E:5798:63F1:4513:68D1:9B3A \
  --logfile=/var/log/dnscrypt2.log

/usr/local/sbin/dnscrypt-proxy -d --user=_dnscrypt-proxy \
  --local-address='[::1]:5353' \
  --pidfile=/var/run/dnscrypt-proxy3.pid \
  --resolver-address='[2600:3c02::f03c:91ff:fe84:dac2]:443' \
  --provider-name=2.fvz-rec-us-ga-01.dnscrypt-cert.meo.ws \
  --provider-key=F584:75C4:5693:317A:1D8E:4232:76E7:9E63:D286:B12D:B472:5FA2:92D3:E714:1E46:459B \
  --logfile=/var/log/dnscrypt-v6-1.log

/usr/local/sbin/dnscrypt-proxy -d --user=_dnscrypt-proxy \
  --local-address='[::1]:5354' \le
  --pidfile=/var/run/dnscrypt-proxy4.pid \
  --resolver-address='[2a01:7e00::f03c:91ff:fe84:da61]:443' \
  --provider-name=2.fvz-rec-gb-eng-01.dnscrypt-cert.meo.ws \
  --provider-key=8E14:C710:FA49:6F5E:18D7:DA15:6E80:5CDD:F666:299F:438E:5798:63F1:4513:68D1:9B3A \
  --logfile=/var/log/dnscrypt-v6-2.log

I added mine manually to the end of /etc/rc. I have no doubt this can be done in a nicer way with variables and such, but I wanted to have an MVP1 and this qualifies. Refactoring comes later.

To test it, reboot the system. The dig commands should work just as before.

Local Resolver Integration

At this point, we have DNSCrypt up and running. We now need to setup a local DNS server that can act as a proxy against these instances, so our clients in the network don’t need to know anything about it.

For that, we’ll use the dnsmasq instance included in pfSense.

In the Web UI, select Services -> DNS Forwarder. Make sure the following check boxes are enabled:

  • Enable
  • DHCP Registration
  • Static DHCP
  • Prefer DHCP

This is assuming you use pfSense as a DHCP server for your network of course.

Under Interfaces, manually select:

  • LAN
  • LAN IPv6 Link-local
  • Localhost

My guests and untrusted devices don’t get service from this DNS system. They are forced out to Google.

Under Advanced, add the following lines:

local=/home/
rebind-domain-ok=/xip.io/
selfmx
cache-size=16384
log-async=5
domain=home
addn-hosts=/var/etc/dnsmasq/hosts
server=127.0.0.1#54
server=127.0.0.1#55
server=::1#5353
server=::1#5354

Now, not all of these entries are useful to everybody. .home for example, is the domain name I use in my home network. I also explicitly allow xip.io since I rely on it heavily for my home lab’s Pivotal Cloud Foundry installation.

The cache size will most likely be truncated to 10,000 due to a limitation of dnsmasq. I also add addn-hosts to manually select a number of host names and to include the PGL Yoyo list for ad servers.

The important part is the server= statements since they point to our local DNSCrypt instances.

Now go ahead and save the configuration. You can test it with the same dig commands against the selected interfaces from within the gateway and it should work like a charm.

Changing the Firewall Configuration

When you try to dig from a separate machine in the same LAN however, you will get no response. That’s because the firewall is only forwarding traffic. We need to add a rule that allows the local LAN to query the DNS server running on the LAN interface.

Add an IPv4 rule that Pass traffic from your local LAN (expressed as CIDR, for example 192.168.10.0/24) specifically into LAN Net on port 53, for both, UDP and TCP. Add a separate rule for IPv6 traffic, using your /64 prefix (or different if you have larger).

Try now a dig command from a separate machine in the local LAN and everything should work fine. For IPv6, you should test this site also: http://test-ipv6.com/ that should give you a 1010, particularly on the DNS side.

Awesome! but how can we prevent that some specific OSs or devices ignore our DNS settings and use their own? simple: add another firewall rule in the LAN interface denying access to any external server on port 53 TCP and UDP. If you want to be flexible, you can setup an exception rule with !allowed_devices that you should define as an alias with the IP addresses of the devices that are allowed to query external DNSs for whatever reason.

Conclusion

This setup provides a good shield against DNS visibility by third parties, potential censorship and domain blacklisting.

There is a lot of room for improvement. I would certainly like to see which DNS servers also support Namecoin with the .bit TLD. I would also like to eventually automate all this, in the sense that if one DNS server stops working, I can automatically recover setting up another one. That would be a great microservice to have as a resource in the Internet.

For the pfSense developers, I’d love to see DNSCrypt formally integrated in the system, not only with dnsmasq, but also with unbound to provide DNSSEC on top of it. It would also be great to have IPv6-compatible aliases, which currently don’t seem to work (IPv6 addresses are, well ugly). And finally, I’d love to have the YoYo lists (above) integrated as a standard option.

I hope this article is useful to someone. My next line of work will be How to avoid IPv6 leaking your location and ID when using a VPN

Buggy Domain Validation Forces GoDaddy to Revoke Certs

GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar’s domain validation process.

The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer.

“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process,” Thayer said in a statement. “The bug caused the domain validation process to fail in certain circumstances.”

Part of the validation process involves registrar’s sending customers via email a validation code that the customer drops onto their site. Thayer explained that the system searches a particular spot for the code in order to complete validation.

“When the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found,” Thayer explained, adding that GoDaddy was not aware of any compromises related to the bug.

The issue did expose sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials.

GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.

“This process will be identical to the process they followed when their previous certificates were issued. (If a customer has more than one revoked certificate associated with their customer account, they will be able to initiate the certificate process for each domain within the SSL Panel.),” Thayer said. “The SSL Panel provides helpful information and instructions that should allow customers to easily process the certificate online.”

Affected websites will still resolve, GoDaddy said, but customers may see untrusted-site error warnings.

Experts, meanwhile, caution that as more Certificate Authorities come online such as Let’s Encrypt, which provides free certs in an automated fashion, that more errors like this one could crop up.

“I only see more of them happening,” said Kevin Bocek, vice president of security strategy at Venafi. “We’re seeing faster and faster certification validation with organizations like Let’s Encrypt turning up the competition [among CAs]. And things like DevOps driving faster certificate issuance. And with organizations moving to the cloud, you’re going to have more machines doing these types of requests for new certificates.

“It’s all software,” Bocek said. “It could all have bugs. In the past year, we’ve seen more and more of these reports and the trend is going to continue.”

Let’s Encrypt has taken great strides toward fulfilling its promise of bringing free encryption and SSL to the web by simplifying and automating the process. Let’s Encrypt isn’t alone; Amazon, Cloudflare and others also offer free SSL certs in one form or another. Let’s Encrypt uses ACME (Automated Certificate Management Environment), an open API, to automate certificate requests and issuance. And it’s working; in October, Mozilla telemetry that was made public showed that for the first time, more than half of all traffic in transit is encrypted.

“There are going to be more demands on CAs and more and more machines doing requests,” Bocek said, adding that while ACME is great for efficiency, it is taking people out of the process. He recommends that organizations familiarize themselves with NIST guidance on preparing for and responding to CA compromises.

“Everyone,” Bocek said, “needs to have a plan and an automated way to get around this.”

Stolen Passwords Fuel Cardless ATM Fraud

Some financial institutions are now offering so-called “cardless ATM” transactions that allow customers to withdraw cash using nothing more than their mobile phones. But as the following story illustrates, this new technology also creates an avenue for thieves to quickly and quietly convert stolen customer bank account usernames and passwords into cold hard cash. Worse still, fraudulent cardless ATM withdrawals may prove more difficult for customers to dispute because they place the victim at the scene of the crime.
A portion of the third rejection letter that Markula received from Chase about her $2,900 fraud claim. The bank ultimately reversed itself and refunded the money after being contacted by KrebsOnsecurity, stating that Markula’s account was one of several that were pilfered by a crime gang that has since been arrested by authorities.

A portion of the third rejection letter that Markula received from Chase about her $2,900 fraud claim.

San Francisco resident Kristina Markula told KrebsOnSecurity that it wasn’t until shortly after a vacation in Cancun, Mexico in early November 2016 that she first learned that Chase Bank even offered cardless ATM access. Markula said that while she was still in Mexico she tried to view her bank balance using a Chase app on her smartphone, but that the app blocked her from accessing her account.

Markula said she thought at the time that Chase had blocked her from using the app because the request came from an unusual location. After all, she didn’t have an international calling or data plan and was trying to access the account via Wi-Fi at her hotel in Mexico.

Upon returning to the United States, Markula called the number on the back of her card and was told she needed to visit the nearest Chase bank branch and present two forms of identification. At a Chase branch in San Francisco, she handed the teller a California driver’s license and her passport. The branch manager told her that someone had used her Chase online banking username and password to add a new mobile phone number to her account, and then move $2,900 from her savings to her checking account.

The manager told Markula that whoever made the change then requested that a new mobile device be added to the account, and changed the contact email address for the account. Very soon after, that same new mobile device was used to withdraw $2,900 in cash from her checking account at the Chase Bank ATM in Pembroke Pines, Fla.

A handful of U.S. banks, including Chase, have deployed ATMs that are capable of dispensing cash without requiring an ATM card. In the case of Chase ATMs, the customer approaches the cash machine with a smart phone that is already associated with a Chase account. Associating an account with the mobile app merely requires the customer to supply the app with their online banking username and password.

Users then tell the Chase app how much they want to withdraw, and the app creates a unique 7-digit code that needs to be entered at the Chase ATM (instead of numeric code, some banks offering cardless ATM withdrawals will have the app display a QR code that needs to be read by a scanner on the ATM). Assuming the code checks out, the machine dispenses the requested cash and the transaction is complete. At no time is the Chase customer asked to enter his or her 4-digit ATM card PIN.

Most financial institutions will limit traditional ATM customers to withdrawing $300-$600 per transaction, but some banks have set cardless transaction limits at much higher amounts under certain circumstances. For example, at the time Markula’s fraud occurred, the limit was set at $3,000 for withdrawals during normal bank business hours and made at Chase ATMs located at Chase branches.

Markula said the bank employees helped her close the account and file a claim to dispute the withdrawal. She said the teller and the bank manager reviewed her passport and confirmed that the disputed transaction took place during the time between which her passport was stamped by U.S. and Mexican immigration authorities. However, Markula said Chase repeatedly denied her claims.

“We wanted to thank you for providing your information while we thoroughly researched your dispute,” Chase’s customer claims department wrote in the third rejection letter sent to Markula, dated January 5, 2017. “We confirmed that the disputed charges were correct and we will not be making an adjustment to your account.”

Markula said she was dumbfounded by the rejection letter because the last time she spoke with a fraud claims manager at Chase, the manager told her that the transaction had all of the hallmarks of an account takeover.

“I’m pretty frustrated at the process so far,” said Markula, who shared with this author a detailed timeline of events before and after the disputed transaction. “Not captured in this timeline are the countless phone calls to the fraud department which is routed overseas. The time it takes to reach someone and poor communication seems designed to make one want to give up.”

KrebsOnSecurity contacted Chase today about Markula’s case. Chase spokesman Mike Fusco said Markula’s rejection letter was incorrect, and that further investigation revealed she had been victimized by a group of a half-dozen fraudsters who were caught using the above-described technique to empty out Chase bank accounts.

Fusco forwarded this author a link to a Fox28 story about six men from Miami, Fla. who were arrested late last year in Columbus, Ohio in connection with what authorities there called a “multi-state crime spree” targeting Chase accounts.

“We escalated it and reviewed her issue and determined she did have fraud on her account,” Fusco said. “We’re reimbursing her and we’re really sorry. This small pilot we ran allowed a limited number of customers to access cash at Chase ATMs without a card. During the pilot we detected some fraudulent activity where a group of people were able to go online and change the customer’s information and get the one-time access code, and we immediately notified the authorities.”

Chase declined to say how many like Markula were victimized by this gang. Unfortunately, somehow Chase neglected to notify victims, as Markula’s case shows.

“It makes you wonder how many other people didn’t dispute the charges,” she said. “Thankfully, I don’t give up easily.”

Fusco said Chase had made changes to better detect these types of fraudulent transactions going forward, and that it had lowered the withdrawal limit for these types of transactions — although for security reasons Fusco declined to say what the new limit was.

Fusco also said the bank’s system should have sent out an email alert to the original email on file in the event that the email on the account is changed, but Markula said she’s confident no such email ever landed in her inbox.

Avivah Litan, a fraud analyst at Gartner Inc., says many banks see mobile authentication as the way of the future for online banking and ATM transactions. She said most banks would love to be able to move away from physical bank cards, which often need to be replaced several times a year in response to data breaches at various retailers.

“A lot of banks see cardless transactions as a great way to reduce fraud and speed up transactions, but not many are offering it yet as a feature to customers,” Litan said.

Litan said Markula’s case echoes the spike in fraud that some banks saw after Apple debuted its Apple Pay platform. Many banks chose to adopt Apple Pay without also beefing up security around how they validate new customers and new mobile devices. As a result, this allowed fraudsters to take stolen credit card numbers and expiration dates — data that previously was only good for fraudulent online transactions — tie those cards to iPhones, and use the phones to commit card fraud at brick-and-mortar stores that accepted Apple Pay.

“Identity proofing remains the weakest point in mobile banking,” Litan said. “Asking for the customer’s username and password to on-board a new mobile device isn’t enough.”

Litan said Chase should require customers who wish to conduct cardless ATM transactions to enter their PIN in addition to the one-time code. But she said even that was not enough.

Litan said Chase should have flagged the transaction as highly suspicious from the get-go, given that the fraudsters accessed her account from a new location, changed her contact email address, added a new device and withdrew just under the daily maximum — all in a very short span of time.

“ATM transactions should have much stronger fraud controls because consumers don’t have as strong protections as they do with other transactions,” Litan said. “If a customer’s card is used fraudulently at a retailer, for example, the consumer is protected by Visa and MasterCard’s zero liability rule, and they can generally expect to get their money back. But when you withdraw cash from an ATM, you’re not protected by those rules. It’s down to Regulation E and your bank’s policies.”

Under the Federal Regulation E, if a retail banking customer reports fraud, the bank must investigate the first statement of the activity plus 60 days from the date the statement was mailed by the financial institution. Unless the institution can prove the transaction wasn’t fraud, it must reimburse the consumer. However, any activity that takes place outside of the aforementioned timeframe carries unlimited liability to the consumer, as the financial institution may have been able to prevent the loss had it been reported in a timely manner.

Fusco added that consumers should beware of phishing scams, and consider asking their financial institution to secure their accounts with a special passphrase or code that needs to be supplied when authenticating with the bank over the telephone (a precaution I have long advised).

Also, if your bank offers two-step or two-factor authentication — such as the requirement to send a text-message with a one-time code to your mobile device if someone attempts to log in from an unknown device or location — please take advantage of that feature. Twofactorauth.org has a list of banks that offer this additional security feature.

Also, as the Regulation E paragraph I hope makes clear, do not count on your bank to block fraudulent transfers, and remember that ultimately you are responsible for spotting and reporting fraudulent transactions.

Litan said she won’t be surprised if this incident gives more banks pause about moving to cardless ATM transactions.

“This is the first case I’m aware of in the United States where this type of fraud has been an issue,” she said. “I’m guessing this will slow the banks down a bit in adopting the technology because they’ll see now how easy it is for criminals to take advantage of it.”

Security Now 591: Law Meets Internet

Leo and Steve discuss Russia’s hacking involvement in the US Election; that, incredibly, it gets even worse for Yahoo!, misguided anti-porn legislation in South Carolina, troubling legislation from Australia, legal confusion from the Florida appellate court, some good news from the U.S. Supreme Court, Linux security stumbling, why Mac OS X got an important fix last week, the Steganography malvertising attack that targets home routers, news of a forthcoming inter-vehicle communications mandate, professional cameras being called upon to provide built-in encryption, LetsEncrypt gets a worrisome extension, additional news, errata, miscellany… and how exactly DOES that “I really really promise I’m not a robot (really!)” non-CAPTCHA checkbox CAPTCHA work?