Saturday, September 10, 2016

How Not To Do Security Research

Something came to my attention that’s a convenient follow-on to my previous post:

The overt message in this video is good. We should all be careful about how we handle our ATM, debit & credit cards. On the other hand, the power of the warning is lost on people like me who cringe at the behavior of the messenger. It’s hard enough for the good guys to navigate legal waters without people like this encouraging others to emulate their bad behavior.

Don’t get me wrong - I jiggle card readers at ATMs and gas stations all the time. Those are the top targets for the type of card skimmers depicted in this video. But that’s where the similarities between us end.

Mistakes this guy made:

- Removing the device without informed consent of the impacted financial institution and/or law enforcement, not ok. But wait, you say, it came off in his hand. However, he clearly had a cell phone. He could have stopped at that point and called the police, the bank or both. "Freeze the scene" is a fundamental in digital forensics.

- Walking away with evidence unlawfully collected, really not ok. Unless, of course, that walk is to the nearest police station or bank branch. Which it wasn't, we can surmise, as we listen to the next mistake...

- Intending to destroy evidence ("I'm gonna go see what I can do about reverse engineering this") without informed consent, egregiously not ok. Regardless of whether or not he did disassemble the reader, the whereabouts of that device between time of discovery to being turned over the to the police (see his first "Update" on the YouTube page) and what happened to it in the duration is undeniably called into question. It's no longer a viable piece of evidence in any court of law in the hands of a passable defense attorney.

What the creator of this video did by stomping all over the evidence of a crime ensured the bad guys got away it and victims will never see a dime in restitution. Most banks indemnify customers in this type of fraud to some extent. In the US, skimmer victims are typically liable only for the first $50 in losses. In the EU, where this video was reportedly shot, the victims would likely have been fully compensated.

I use this video now when interviewing job candidates. There’s more to threat research than technical skill. Critical thinking is just as important. Enthusiasm is great, obstruction of justice is a massive fail.