Bluetooth Hacking Headsup

[Indian Brave]

Came across a "new?" threat to mobile phone users last week.

Eldest lad works in a busy Casino - and has a mobile phone with no limits on usage - just pay for what you use - which probably represents many peoples account with their telco relationship situation - the telcos happy to sell you as much usage time as they can. His account includes internet connection facility.

 

At the Casino - they aren't allowed mobile phones on their person while working - they must be locked away in their staff locker within a secured area of the casino under camera surveillance etc.

 

Usually they get 15 minute break every few hours & during this time Son checks his phone for any text messages.

 

Well - he always leaves his phone switched on, to receive said incoming texts and messages, which has proven to be a mistake.

 

It turns out someone has brought their palm pilot or whatever (laptop?) into the building with them - and managed to blue-tooth into his phone and use it to UPLOAD huge amounts of data to the net, running up a total bill in excess of $1500, within the period of just the one work shift.

 

Son wasn't the ONLY one caught out either - turns out 2 other telco users got caught on the same day at the same locale according to the telco. They have decided to wipe 2/3rds of the usage cost, BECAUSE the phone was locked inside a locker with full security tape coverage for the claimed period of use - showing that no one actually had physical access to his phone, however the telco claim that he had a responsibility to "turn it off" when not using it to prevent unauthorized blue-tooth connectivity.

 

So - I know I'm not one of those people to ever turn my mobile off unless in a movie theatre or meeting - it stays on 24/7/365 mostly.

 

I always work on a minimum $20 = $40 pre paid account so that no one can run up any large bills on my phone even if they do steal it / hack it or blue tooth it, but many kids tend to just get a plan with a telco and pay for what they use - leaving themselves open to such theft on a big scale.

 

Hopefully this heads-up might save others from getting similarly ripped off.

 

If our NOT using your mobile phone (physically on your person for any period of time - then TURN IT OFF to prevent bluetooth theft.!

 

Combined, the 3 phones intercepted that night at the casino ran up over $6K worth of debt in less than 8 hours.

 

Cheers

[Scottdog]

That's fucked up!

[joel3078]

Don't know about ALL phones but EVERY bluetooth device I have used has the ability to be on, with bluetooth off via two ways. Bluetooth is a short range (about 35 feet for phones & 100 feet for newer laptops) wireless network protocol. Here are the typical setups.

 

1) Device (phone, gps, laptop, etc.) on, bluetooth networking on, discovery mode on.

2) Device (phone, gps, laptop, etc.) on, bluetooth networking on, discovery mode off.

3) Device (phone, gps, laptop, etc.) on, bluetooth networking off, discovery mode off.

 

Bluetooth on AND discovery mode on is the only way another NEW device can hook up to yours. AND when you are in the full on mode, you typically have to confirm/allow the NEW connection AND enter a password key. If any of these situations are not present, connection (aka pairing) does not happen. On the flip side, if a pairing has previously happened, and both have bluetooth on, they will automatically connect to each other. No need for discovery mode and connect confirmation.

 

Now for the casino story to be true, they devices had to be close to each other, previously paired, and both be on. Uploading data from one device to another via blue tooth has NOTHING to do with the teleco phone company. The data stream would not go through their network. The upload data stream would go from one paired device to the other paired device via bluetooth. Remember, bluetooth is its own network.

 

This IS a good story about bluetooth safety for your device. But the casino story and the billing from teleco has some serious holes in it. And yes there are ways to hack into wifi and bluetooth devices. However if you turn off bluetooth and turn off discovery mode when not needed it won't happen to you.

Edited November 1, 2009 by joel3078

[Moon Killer]

What the hell is a "Bluetooth"?

Me & the wife don't own or even want a damn cell phone so I don't know this stuff. And how do I get rid of that "Shout" feature, it's very annoying.

[joel3078]

Learn about bluetooth here

http://en.wikipedia.org/wiki/Bluetooth

 

 

You will see them as device stuck in people's ear. Lets them drive a vehicle safer as their hands are free to do other things like hold on to the steering wheel.

http://images.google...on&cd=2&start=0

 

 

On the red shoutbox header line, there is a small - (negative symbol) on the right side of your screen. click the - to turn it off. Click the + to turn it back on.

Edited November 1, 2009 by joel3078

[whadayawant]

What the hell is a "Bluetooth"?

Me & the wife don't own or even want a damn cell phone so I don't know this stuff. And how do I get rid of that "Shout" feature, it's very annoying.

Old people are so resistant to change.

[Vintage229]

however the telco claim that he had a responsibility to "turn it off" when not using it to prevent unauthorized blue-tooth connectivity.

 

I attended a few cybersecurity briefings this month and it's amazing what's being done on the internet. And some of it is just blatant, in your face, nefarious activity. We were shown websites where credit card numbers and bank accounts (with dollar amounts available) were listed for sale. The seller even provided a guarantee that if the account was closed before you could use it the seller would provide you with another account of equal value.

 

We had a very interesting briefing from McAfee and he gave some startling statistics and very informative information and how these hackers operate. One intresting statistic is that McAfee finds upwards of 10,000 fake websites a month. All for the purpose of hacking into your computer. Examples are:

 

* Hackers use the news to their advantage. McAfee had stats showing major spikes in new (fake) websites on days of major news events. For example, when Michael Jackson passed away hackers would buy as many key words as possible so when you "google" his name (and related words) their fake website is at the top of the list so that you hit their site which of course would have all sorts of hidden code.

 

* They showed statistics on what technology is targeted the most. So basically the more popular the browser and operating system (Microsoft) the more they are targeted. Internet Explorer and the current Windows operating systems of course being at the top. And for those of you with Apple computers rest assured you are still vulnerable to virus and maleware attacks. It's just that hackers don't target that platform because it's just not worth their time coding against that system when there are millions upon millions of Microsoft apps. (But I expect that will change over time.) If you have an Apple, get it protected with an anti-virus application.

 

* Hackers will get to your computer through your children. One example would be that kids are usually not as security conscious as adults and will click on ANYTHING. Since many of them are on-line gamers they reduce the security protocols on the computer so as not to degrade their gaming capabilities. Hackers take advantage of that weakness. Things like social networking sites, gaming sites, Youtube, or any other cool thing that kids may visit will be targeted for the sole purpose of gaining access to your information. This is based on the assumption that most computers are shared between the children and parents. So the hackers wait for you (the parent) to log onto that same computer where you do your on-line banking, E-baying, etc... etc.... (My son has his own computer and is not allowed to use mine on a regular basis.)

 

I could provide a lot more examples but it would be pages-upon-pages of reading. (And my notes are in the office. )

 

Ways to protect yourself are:

 

* Keep your Antivirus application up to date.

* Have your children on seperate computers if you can afford it. Have them use gift cards for things like i-Tunes purchase vice using your credit card. (My personal recommendation.)

* If you have a wireless router then set the usual security protocals but buy a 2nd cheap router and power it up (but not connected to your computer) so that it broadcasts. Set the same security protocals and hackers will focus their attention on that router instead of the one connected to your computer. (Be sure to shut off the broadcast on your live router.)

* Have a specific credit card with a low charge amount that is used for internet purchase only. (My personal recommendation)

Edited November 1, 2009 by Vintage229

[Moon Killer]

Old people are so resistant to change.

And grouchy too.

[joel3078]

I just retired last year (1985-2009) from running a small side business doing computer consulting, repair, wifi setup, latop rebuilds, etc. Kids provided a nice chunk of my business through their parents of couse. Between music, games, and social networking, teenagers would have a computer messed up in a matter of months if not weeks. Kids drive computers just like they drive cars...........fast and furious! Seniors drive computers like they have sex........they need a little "help" to get the thing up and running.

[Moon Killer]

I just retired last year (1985-2009) from running a small side business doing computer consulting, repair, wifi setup, latop rebuilds, etc. Kids provided a nice chunk of my business through their parents of couse. Between music, games, and social networking, teenagers would have a computer messed up in a matter of months if not weeks. Kids drive computers just like they drive cars...........fast and furious! Seniors drive computers like they have sex........they need a little "help" to get the thing up and running.

And I'm almost as senior as they get. Back in the day I built all my own computers & was a wiz with DOS 3.1 but in todays world I'm lost. The simpler they make them the harder they get.

[aikenscout]

I don't get it, as in whats the motive.

 

I can upload unlimited data 24/7 on my normal broadband account.

So why would I go sneaking around (and a casino of all places with more security than just about anywhere) to hack into a cell phone and upload crap. What is that important/valuable?

[joel3078]

I still have a IBM clone PC (may be a 8088 turbo) with 2 5-1/4" floppies, 10meg (not gig) hard drive, Dos (ver ?) Lotus 123, Word Perfect 5.1, a cool 3D chess game (cyris), a super slow network card, and a program that teaches ya what a PC is and how to use it Oh ya, one of the first color monitors that first came out too. Whole package still works. Know anybody that wants an antique computer that works, give me a yell.

[Moon Killer]

I have a couple like that also & tons of software on 5-1/4" floppys.

[maninbox]

I still have a IBM clone PC (may be a 8088 turbo) with 2 5-1/4" floppies, 10meg (not gig) hard drive, Dos (ver ?) Lotus 123, Word Perfect 5.1, a cool 3D chess game (cyris), a super slow network card, and a program that teaches ya what a PC is and how to use it Oh ya, one of the first color monitors that first came out too. Whole package still works. Know anybody that wants an antique computer that works, give me a yell.

 

 

Probably won't cost you too much to have someone take it away.

[Scottdog]

I don't get it, as in whats the motive.

 

I can upload unlimited data 24/7 on my normal broadband account.

So why would I go sneaking around (and a casino of all places with more security than just about anywhere) to hack into a cell phone and upload crap. What is that important/valuable?

Yea, but you still pay something for the use of the broadband.

Some people are just so cheap they won't even pay that.

[Doc]

What the hell is a "Bluetooth"?

Me & the wife don't own or even want a damn cell phone so I don't know this stuff. And how do I get rid of that "Shout" feature, it's very annoying.

 

 

What the heck is a cell phone?

[Doc]

I have a couple like that also & tons of software on 5-1/4" floppys.

 

 

and "Pong" I just know you're playing "Pong" ......

[Vintage229]

So why would I go sneaking around (and a casino of all places with more security than just about anywhere) to hack into a cell phone and upload crap. What is that important/valuable?

Maybe to hide your identity. Especially if you are doing some sort of illegal activity. Edited November 2, 2009 by Vintage229

[Scottdog]

What the heck is a cell phone?

Heh.... In my world it's the land line that doesn't make sense anymore.

Ditched mine years ago.

[Indian Brave]

The suggestion from Telco - about why hack into someone else's account to upload?

 

Most likely - it's to upload "unlawful content" (i.e Kiddie Porn or Terrorist info) that could get the sender some jail time as big bubbas new b!tch. If it is hacked into and sent from someone Else's account - it makes the person with the account LOOK like the perpetrator.

 

MUCH harder to then trace it back to the original sender who was of course the hacker.

 

While I am at it - another scam just unleashed on us utilizing EFTPOS (Electronic Funds Transfer Point Of Sale) "Skimming".

 

We started out a while back with Hole In The Wall (Bank Auto Teller Skimming), where a gang would set up skimming devices over the card slot of the auto teller late at night and a pin hole security camera into a bank brochures rack adhered to the teller machine with double sided tape, to film you entering your PIN number.

 

 

After many $million in losses, the banks got wise to that scam and started physically checking their auto teller machines for tampering regularly.

 

Now the new scam, is - thieves break in to any 1 business with a EFTPOS terminal. They steal it - and modify it internally with the skimming devices.

 

They hire or steal a white van and add Vinyl Lettering saying "EFTPOS MAN" Techincal services & repairs" with a mobile number etc to look like a legit business van. They wear overalls & hats with embroidery saying the same thing and even make up Fake ID cards with EFTPOS MAN details etc and false names that they wear openly on a lanyard round their neck - to LOOK legit.

 

They take the modified EFTPOS to MacDonalds store first, and walk in with the "replacement" EFTPOS machine in a cardboard box - and approach the inexperienced kid/s who manage the store, and say they have had a report of a faulty EFTPOS machine, that services the drive thru service window, and they SWAP the seemingly identical machines over,leaving the one with skimmer device inside and taking the perfectly well functioning one away, to similarly modify.

 

Then straight off to the next McDonalds store and swap another and so on and so on.

 

They got a string of about 16 Local MacDonald's franchises, then went to another 3 or 4 other franchises.

 

Turns out they got THOUSANDS of peoples card account numbers and PIN numbers and have run up $MILLIONS of debts online purchases with all these stolen accounts card & Pin details.

 

The Banks so far have sucked it up and repaid into peoples accounts all the funds stolen so far!

 

Police worked round the clock on it - trying to figure how they had hacked into the eftpos line etc - until finally ONE of the Kid managers said he/she remembered the EFTPOS man coming around and exchanging their machine for another etc - that's when all the skimming devices inside the terminals were discovered.

 

They haven't caught the perpetrators yet, but all businesses are now aware that there's no EFTPOS MAN that comes round to swap out your faulty terminal - so the jigs up.

 

Likely a LOT of the info for sale on the internet web sites of account numbers and pins to use, comes from such skimming operations.

 

It pees me off to the the max, that I'm not smart enough to think of such a scam!

I could grow accustomed to the easy life - tho I'm not so keen on the risk of getting caught & becoming Big Bubba's new B!tch! :D

 

There's always someone trying to figure a way to build a better mouse trap!

 

Cheers

[Indian Brave]

Weirder n weirder.

 

Later today I was speaking with my 2nd son (who as it happens also works at the same Casino as elder bro - but in a different capacity). He tells me that about 6 weeks ago - he got a $1500 account for "internet connection" from his phone while at work - and just assumed (because its a new phone) that he must have sat on a wrong button and somehow connected to the net by mistake.

 

He's been busy trying to pay down his debt to the telco every fortnight since, thinking it "somehow his fault", even tho he hasn't deliberately tried to connect to the 8internet with his phone (he has a laptop to do that).

 

So...

 

Now I have evidence of at least 4 people (My 2 sons) and two other telco consumers, who have ALL lost sums of $1500 approx via blue tooth fraud taking place at the same casino.

 

So...

 

Today I rang and had a little chat to the head of security at the casino concerned.

 

They had no idea it is was happening & were VERY thankfull for the headsup!

 

They have some MAJOR concerns, with it - not least because they don;t want their staff and customers being ripped off whilst in their premises - because it will harm their reputation - but much worse than that!

 

The concern is - they do not KNOW what Data ion vast quantities is leaving their building via this method of data transfer - so far we are talking a minimum of $6000 worth of data transfer cost / time.

 

The fear is - that it COULD be some kind of scam (or corporate subterfuge) where potential intellectual property - Bank account details profits etc are being sent outside for a white collar crime type "robbery" where funds get transferred out of the casino's or clients accounts, - it could be skimming data of clients credit cards and Pin Numbers, it could be some kind of system being used to cheat at tables by a crime gang - they just don;t know and they are WORRIED, seriously worried, now.

 

Guy promised a report back to me, when they get to the bottom of it.

 

Me thinks this is probably outside the realm of the usual "security type" operation the casino runs - they don;t know enough about the technology themselves to know what to do next - but I'm assured they will be hiring in expertise to get to the bottom of this and as quickly as possible.

 

I was surprised by how seriously the guy in charge of casino security took it all.

 

I just have a gut feeling that someone downloading kiddie porn could use up $6K+ worht of time and all the data is uploads not down loads which also doesn't make a lot of sense unless it is proprietary information maybe worth a lot of $ to someone.

 

Might be interesting to see where this leads.

 

First attack is to signpost all the locker areas with demands that all mobiles left in lockers are turned OFF for security reasons.

 

Probably not till they track whoever is responsible - they suspect it is one of their employees - that much they let slip.

 

Wait n see what transpires I guess.

 

Cheers