Follow Our Podcast
Recent Episodes
Unseen Money 12: Keeping hackers out of your DeFi wallet
The decentralised finance (DeFi) market is booming—but the world’s best hackers are on a constant look-out for ways to steal your crypto tokens.North Korea, which recently committed the largest theft in cryptocurrency history, is probably top of the hackers’ game. What do crypto users need to know about the risks in this unregulated but fast-growing market?In the latest episode of Unseen Money from New Money Review, Timur Yunusov and Paul Amery are joined by Arseny Reutov, chief technology officer at Decurity, a security audit and ethical hacking firm specialising in DeFi.During the podcast, we discuss:Malware, ethereum and the recent $1.5bn Bybit hackState-of-the-art techniques in DeFi hacksMixers, cross-chain bridges and the laundering of stolen fundsHow North Korea became the world leader in crypto hacksWays of detecting flaws in DeFi smart contractsWho audits DeFi?Incentives to report, rather than exploit smart contract flawsIs DeFi security improving?
Unseen Money 11—a bad bird on your wire
Most scams where the victim is tricked into paying money to fraudsters originate on social media—often on Facebook, Instagram and WhatsApp.But in the UK around one scam in five—and nearly half by the total value stolen—exploits weaknesses in our telecommunications infrastructure.That could be someone spoofing the number of a legitimate entity, such as the tax office or your bank, when calling you. It could be a scammer exploiting security vulnerabilities in the mobile network to compromise and intercept voice and SMS messages. In a rapidly rising form of fraud, criminals impersonate the nearest cell phone tower and send messages that look like they’re from your bank or mobile service provider. One click on a link and you’re soon handing over valuable personal information or downloading malware that gives the scammers access to your payment app or crypto wallet.In the latest episode of Unseen Money from New Money Review, my co-host Timur Yunusov and I are joined by telecom cybersecurity expert Dmitry Kurbatov, chief executive of UK-based company SecurityGen.In the podcast, Dmitry explains how criminals can spoof a trusted entity’s phone number when calling you. We look at SIM swap frauds and discuss who bears responsibility for the continuing security flaws in mobile networks. We highlight in which countries users are currently most exposed to mobile phone-based frauds. We look at the recent SK Telecoms breach in South Korea, which exposed the personal and financial data of up to 23 million users. And we describe the ever more ingenious methods being used by scammers to subvert telecoms networks.Some technical terms used during the podcast:“SIP trunking” is the digital method of making and receiving phone calls and other digital communication over an internet connection.“SIP protocol” is a signalling protocol used for initiating, maintaining, and terminating multimedia sessions, including voice, video, and messaging.“SIM farms” or “SIM boxes” bridge the internet and cellular networks, enabling the routing and redirection of calls or messages through multiple SIM cards.“Rich Communication Services (RCS)” are a messaging protocol that enhances traditional SMS by offering richer features like multimedia sharing, group chats, read receipts and typing indicators.“Drive-by smishing” is where fraudsters use fake base stations to force victims’ phones to connect to a fake mobile network and then use SMS messages to distribute malicious links or initiate scams.In “software-defined radio”, components that are conventionally implemented in analogue hardware (e.g., mixers, filters, amplifiers, modulators/demodulators, detectors) are instead implemented by means of software on a computer.A “global title” is an address used in SCCP (Signalling Connection Control Part, a network-layer protocol in telecommunications) for routing signalling messages on telecommunications networks.“SS7” is a set of telecommunications protocols that are used to exchange information between different telephone networks.“IPX” is a telecommunications interconnection model for the exchange of internet protocol-based traffic between customers of separate mobile and fixed operators.
Unseen Money 10: The UK—open for (dodgy) business
The UK’s company formation process is fast, easy and cheap. The net result of being open to almost any business is that up to half the companies on the UK’s Companies House register may have no legitimate purpose. Instead, those companies are used by fraudsters as a vital tool in scams and money laundering schemes. Many are set up using fake identities and addresses. Often, they break the reporting rules and never file accounts. And Companies House has become a honeypot for organised crime groups from around the world.In the latest episode of the Unseen Money podcast, Timur Yunusov and I are joined by dark money expert Graham Barrow, who has exposed some of the worst failings of the UK’s company formation regime.Belatedly, the UK government is acting to address those failings. But will new legislation go far and fast enough? Listen to the podcast to find out.
Unseen Money Episode 9: Should QR codes scare us?
In the latest episode of Unseen Money, Timur Yunusov and Paul Amery talk about the role of QR codes in scams and whether these popular barcodes may lull users into a false sense of security.Also in this episode:team Trump's Yemen fiasco, Signal and Telegramhow scammers can mass-blast SMS phishing messagesbrowser-within-browser attacks and their possible use in scamswhy the trend of limiting bank compensation to scam victims was inevitable
Unseen Money Episode 8: Blaming the victim of (card) fraud
There’s a big security loophole affecting plastic payment cards—called a replay (or pre-play) attack. Banks have known about this loophole for years. But they may still blame you, the victim, if a scammer makes use of it.In a 2022 fraud, a former British soldier holidaying in Brazil found that £20,000 had been charged to his bank card in eighteen separate transactions. The ex-soldier, Henry Williams, said he’d only used his card once and that most of the money had been taken from his account without his knowledge.His bank, a well-known British high street name, initially refused to compensate him, arguing he must have authorised all the payments. Only a year later did the bank agree to refund him—partially and with a grudging apology.Even after one of the UK’s best-known security experts intervened on behalf of the victim, the UK’s financial ombudsman, which is supposed to settle complaints between consumers and financial services businesses, sided more with the bank.How does a replay attack occur? Most plastic debit (or credit) cards contain a chip which is used to identify and authenticate the user. The chip comes into action when the user taps the card on a contactless payment terminal (or inserts the card into the terminal and then enters a PIN code).At this point, the payment terminal generates a number that is supposed to be unpredictable, ensuring that each payment transaction is a fresh one. Unfortunately, payment terminals can be tampered with and the supposedly unguessable number can be manipulated. This opens the door to replay attacks—and to more paydays for criminals.As many as half of all payment cards and half of all terminals may be vulnerable to exploitation, says my Unseen Money co-host Timur Yunusov, who demonstrates a card replay attack in this YouTube video.In the latest episode of Unseen Money from New Money Review, we explore replay attacks: how they occur, why the vulnerability is still there more than a decade after it was exposed, and why the payments industry is so reluctant to address the issue.
POWERED BY BLUBRRY
