August 7, 2006
Physical Security Threat: Bump Keys

Our normal scope here is information-based security, but this you gotta see. A newly publicized lock-picking technique called "bumping" renders almost all traditional pin tumbler locks useless with very little skill or tooling.
A bump key is a key on which every cut is made to maximum depth. The picture below shows bump keys for various locks. Bump keys are sometimes called '999' keys because every cut is at the maximum (9) depth.
Once you get a properly cut key ($10 on eBay) it is easy to copy, and it takes about a minute to train someone to use it. Most importantly, the technique works on most very expensive locks as well. It also seems to be virtually undetectable:
Given that the insertion of a bump key isn’t much different from inserting a regular key, we’d suspect no special scratch marks would be found other than maybe some miniature dents and deformations caused by the impacts. Until more is known, we think it is diligent to assume that any lock that can be bumped can also, with some care, be bumped without leaving any telltale traces.
This YouTube Video shows bumping in action because we had to see it to believe it:
Bumping locks (pdf) [Netherlands Open Organization of Lockpickers]
Read More: Threats, Theft
July 28, 2006
Cashing in on Phishing
Evidently the criminals who turn stolen credit card and ATM numbers into profit are called cashers. Wired profiles a former casher, and this is my favorite part:
It was his mother who introduced him to the online world of card thieves. In 2002, after completing a stint in drug rehab, his mother, “a big-time eBay seller,” sent him a link to Counterfeit Library, a website that catered to fraud artists.
“She knew I was into that stuff,” Dillinger says. “I used to send her these huge $150 gift baskets every Mother’s Day (paid for) with someone else’s credit-card number. So she pointed this (site) out to me.”
Who needs criminal help when you have a mom? A good read on the ins and outs of phishing and other credit card related cybercrime.
Confessions of a Cybermule [Wired]
Read More: Phishing, Investigations, Identity Theft, Theft
June 7, 2006
VoIP Providers Attacked
Not that this kind of thing couldn't happen on the traditional land-line network, but this is a terribly interesting VoIP attack:
To evade detection, Mr. Pena is said to have hacked into computers run by an unsuspecting investment company in Rye Brook, N.Y., commandeering its unprotected servers to re-route phone traffic through them. These steps made it appear as if this company was sending calls to more than 15 Internet phone companies.
In one three-week period, for instance, prosecutors say that one of the victimized Internet phone providers, based in Newark, received about 500,000 calls that were made to look as if they came from the company in Rye Brook.
Coincidentally, Net2Phone is located in Newark.
Hacker Said to Resell Internet Phone Service [NY Times]
Read More: VoIP, Theft
May 26, 2006
VA Data May Cost $500 million to Clean Up
If you haven't been under a rock, you've heard about the theft of the personal data of 25 million Americans from the home of a Department of Veterans Affairs (VA) employee. Some are now estimating it will cost up to $500 million to clean up.
Some Perspective on $500 Million:
- That’s only $20 per person whose data was stolen.
- That equals more than 1/3 of the VA's entire IT budget
- But it's only about 1/2 of 1% of the VA's entire 2006 budget
- It's roughly the estimated amount that all phishing scams cost consumers in 2004
Use this case as a wake-up call to your company. How much would it cost to notify all your customers that their data was lost or stolen? Figure out that number and you can justify a lot of projects.
VA data theft may cost $500 million [zdnet/reuters]
Read More: Threats, D' Oh!, Investigations, Theft, Government
Samsung Afraid of Their Own Products
Highlighting the issue of data theft via portable media, yesterday Samsung banned its new SCH-B570 phone from use within its own company. At issue: the phone's 8 GB of storage, which is,
…more than enough to steal all confidential data about our company.
The company had previously banned its own camera phones from some locations.
Samsung Bans SCH-B570 From Internal Use [Gizmodo]
Read More: Threats, Theft
May 17, 2006
If You Gift Wrap It, They Will Prosecute
With statistics being bandied about of upwards of 10 million identity theft victims per year, law enforcement is overwhelmed. Private industry needs to do its part, and GE sets a good example:
Before prosecution, GE will wrap up a case as tightly as it can to ensure that law enforcement takes identity and data theft seriously. “You’ve got to make it easy, you’ve got to make a point,” he says.
It's often hard to justify the need for a world-class forensics or investigations team. This idea helps make the case. If you can make yourself less of a target by aggressively supporting the prosecution of offenders, everybody wins, including the bottom line.
One of my key security principles is “Make it easy to do the right thing.” This rings true for law enforcement, too.
GE security exec shares tips to reduce security risks [ComputerWorld]
Read More: Investigations, Identity Theft, Theft
May 10, 2006
Credit Card Prank
Requiring a signature on credit card transactions is a joke. This guy proves it:
Read More: Authentication, Theft
May 8, 2006
Hacking Gas Pumps
Thieves in St. Louis are breaking into gas pumps and setting them to dispense gas for free. They've hit two stations already. Evidently it's somewhat of an inside job, since only the people who service the pumps should have the keys and codes necessary to reprogram them.
With such a small number of potential suspects, and all the video cameras at a gas station, I bet these crooks will be caught in a week.
Video: Hackers Give Away Free Gas [St. Louis TV Station KSDK]
Read More: Authentication, D' Oh!, Vulnerabilities, Theft
May 5, 2006
Anatomy of a Phishing Syndicate
The guys over at RSA examine all the players in the phishing game. Some of them are obvious: the email addresses are bought from email harvesters, and the sites are usually hosted on bots. But interestingly, based on their monitoring of internet chat rooms, they've found that the harvester of the account info and the person who exploits it are usually different people:
BigCriminal42: hi everyone, Jolly good evening to you. I'm buying credentials of top UK banks. Anything goes, especially [... here comes a list of banks]
BankBuster007: hello bigcriminal I have good credentials of [... a few of UK's finest financial establishments]. How much you want
It's interesting to me that the tradecraft has become so developed that people specialize in different aspects of the fraud. Plus, you have to love their usernames.
Read More: Bots, Phishing, Theft
May 4, 2006
BMW: The Ultimate Hacking Experience
BMW's X5 SUVs seem to have a slight <cough>flaw</cough> in their authentication systems. The net effect: thieves have used laptops to steal two of European soccer star David Beckham's X5s.
Because the decryption process can take a while - up to 20 minutes, according to Hart - the thieves usually wait to find the car in a secluded area where it will be left for a long period. That is believed to be what happened to Mr. Beckham - the crooks followed him to the mall where he was to have lunch, and went to work on his X5 after it was parked.
Now that’s strong encryption.
Maybe Mr. Beckham should stay away from wireless technologies altogether.
Gone in 20 Minutes: using laptops to steal cars [Left Lane News] (via Engadget)