Phishing: Cyber victims caught between the hammer and the anvil
The liability of the victims of phishing, typosquatting, ransomhack, spear phishing, SIM swapping, and email and web spoofing is engaged.
There can no longer be any doubt: the Internet user's liability is legally engaged, with almost no recourse for victims to obtain a refund!
Note that the English term "phishing" is the one most often used, where French says "hameçonnage"; the same goes for "typosquatting", for "spear phishing" (targeted phishing using social engineering techniques) and for "spoofing" (impersonation).
Following Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 (PSD2), Ordinance No. 2017-1252 of 9 August 2017 amended Articles L.133-16 and L.133-19 of the French Monetary and Financial Code, which govern the position of bank card phishing victims.
Article L.133-16 of the Monetary and Financial Code (below) states: "As soon as he receives a payment instrument, the payment service user shall take all reasonable measures to keep his personalised security credentials safe. He shall use the payment instrument in accordance with the conditions governing its issue and use."
Article L.133-19 of the Monetary and Financial Code (below) states in paragraph IV: "The payer shall bear all losses caused by unauthorised payment transactions if those losses result from fraudulent conduct on his part or if he has failed, intentionally or through gross negligence, to fulfil the obligations set out in Articles L.133-16 and L.133-17 of the Monetary and Financial Code."
The rulings of the Court of Cassation of 25 October 2017 and 28 March 2018 establish the case law on the liability of Internet users who fall victim to phishing by telephone (impersonation), by fake website and/or by fake email.
The ruling of 25 October 2017 (Cass., 25 Oct. 2017, No. 16-11.644)
Le Monde press article: http://sosconso.blog.lemonde.fr/2017/10/26/elle-avoue-a-sa-banque-avoir-ete-victime-de-phishing
The ruling of 28 March 2018 (Cass., 28 Mar. 2018, No. 16-20.018)
The Court of Cassation reinforces the Internet user's duty of care in the face of phishing attacks, whether by telephone, SMS or email, concerning the use of their bank cards or confidential codes.
- The ruling of 28 March 2018 deepens the liability framework for the Internet user by holding that failing to take every reasonable measure to keep one's personalised security credentials safe constitutes gross negligence.
- A payment service user who discloses the personal data of that security device in response to an email containing clues that would lead a normally attentive user to doubt its origin is held solely liable.
- The bank is not required to warn its customers about the risks of phishing.
How do cybercriminals circumvent 3D Secure code authentication?
Step 1: the cybercriminal must first obtain the future victim's login and password for their mobile operator's customer account.
Why? So that he can set up, from the operator's customer portal, forwarding of the calls and messages the victim receives, in particular those from their bank. It is easier than stealing the phone. Hence the importance of regularly changing the password of your operator account. This point becomes ever more critical now that the smartphone serves as a mobile payment and/or access control terminal.
Step 2: the cybercriminal now needs all the details of the bank card. There are several ways: phishing by email or SMS, blackmail, or a phone call impersonating an agent of the operator. The over-confident victim hands over the information, unaware that the 3D Secure code will also be delivered to the cybercriminal.
The cybercriminal then only has to make the payment, which he can validate himself in place of the victim.
The victim, notified at the same time as the cybercriminal that a purchase validation has been requested on her bank card, believes she is safe because she did not validate the payment herself. She can oppose the card. But it is already too late: the payment is irrevocable and the bank is released from liability. This is the ruling of 25 October 2017.
In another scenario, theft of the smartphone together with the bank card can have the same result. Likewise, when you pay in person with your bank card, the CVV or CVC (the 3 or 4 digits used for Internet payments) is visible in clear on the card.
It is advisable to use Freemindtronic Andorra's EviAlpha technology for personal use, and EviToken or EviCypher for professional use, which allow you to pay safely on the Internet after having physically removed the CVV or CVC from the card. If the card is stolen, the cybercriminal does not have physical access to the CVV or CVC, so protection with Fullsecure solutions is immediate and, for Internet use, does not depend on how quickly the loss or theft is reported. In addition, the solution can manage several bank cards and is compatible with any type of bank card internationally, at no additional cost or financial commitment.
There are also CVV or CVC codes that change dynamically several times a day, a new security feature that carries an additional annual cost. For in-person payments the CVV or CVC remains visible, so the cybercriminal has only a very short window to defraud his victim before the automatic change. If this type of card is stolen, the exposure window depends, as for other cards, on the date and time the theft is reported.
SIM swapping: what does the Monetary and Financial Code say about 3D Secure codes?
Under Article L.133-23 of the Monetary and Financial Code, it is for the bank to prove that the authentication of the transaction was recorded, which makes it possible to presume that the payment was validated by the rightful holder. Failing that, under Article L.133-18 the transaction is deemed "unauthorised" and the bank is obliged to refund it.
The 3D Secure protocol was developed by Visa and Mastercard to combat Internet fraud. The one-time code is sent by the card issuer's authentication server and is not known to the user until it is received. The user therefore cannot have communicated it to a cybercriminal unless the latter has stolen the smartphone, managed to clone the SIM or, most commonly, gained access to the customer's account with the telephone operator in order to set up call forwarding and intercept the 3D Secure code.
The Internet user must become an expert in detecting phishing and typosquatting in the face of cybercriminals' ingenuity
According to the case law, the Internet user must carry out a "careful examination of the correspondent's changing Internet addresses or of certain clues, such as spelling mistakes..." which should provide indications "sufficient to alert the Internet user."
However, the criteria adopted by the case law since 2015 are already obsolete because of the ever-improving quality of counterfeit websites, but not only that.
Indeed, the single test of detecting a "changing address" has become complex for #cybervictimes. Ingenious cybercriminals find many ways to defeat their vigilance, in particular by using special characters in the domain name.
Jurisprudential obsolescence in the face of Unicode phishing
Cybercriminals use special characters that resemble the Latin alphabet, from the Unicode Latin Extended Additional block (U+1E00 onwards). They have far more than 26 characters at their disposal (Ḁ ḁ Ḃ ḃ Ḅ ḅ Ḇ ḇ Ḉ ḉ Ḋ ḋ Ḏ ḏ Ḑ ḑ Ḓ ḓ Ḕ Ṟ ṟ Ṯ ṯ Ṱ ṱ ...). All they have to do is buy a domain name similar to the original, replacing one of its characters with the closest Unicode look-alike, for example the same letter with a dot below.
For example, using the websites of telephone operators and banks: altering a single letter of "free.fr" with a look-alike, or replacing "b" with "ḅ" to give "ḅouyguestelecom.fr" or "ḅanquepopulaire.fr".
A perverse new game imposed by the case law, which requires the cyber-victim to spot the hidden difference in the URL (address).
Are cybercriminals responding to my request? Indeed, in order to help #cybervictimes in the face of the case law, I had suggested that they change their modus operandi: "Please don't make any more spelling mistakes, and if it's not grammatically correct, make sure that the change of address is not obvious on simple examination alone."
With the fake URL in place and the counterfeit site identical to the original, the trap is set to capture future #cybervictimes.
Typosquatting, another form of phishing
Almost identical to phishing (fake site, fake URL), with the big difference that the cybercriminal bets on the typos #cybervictimes make when typing the Internet address. Examples include "fri.fr" (without the "ee"), "bouyguetelecom.fr" (without the "s"), "banque-populaire.fr" (with an added hyphen) or "free.com" (with the extension changed from .fr).
A new playground for cybercriminals: the fake address bar on Android phones using the Chrome browser.
Google Chrome on Android smartphones collapses the address bar as soon as the user scrolls, showing the page content in its place rather than the full URL. It is a comfort feature meant to leave more room for content, but it lets a phishing page draw its own fake address bar showing a legitimate URL, and thus pass itself off as a legitimate web page.
Spoofing of the domain name extension claims many cyber-victims, especially for .com domains. The cybercriminal buys a .co domain with a name identical to that of a well-known site, for example "www.amazon.co". The cyber-victim receives an email that appears to come from the original site and is invited to log in via a link to the "www.amazon.co" mirror site. She does not notice that she is not on the original site, the extension being .co instead of .com, and so it is with confidence that she enters personal information, in particular her login ID and password.
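The three tricks just described (a Unicode look-alike letter, a typo-distance neighbour, and the same name under another extension) can all be caught mechanically, which is the point the case law misses when it asks the user to spot them by eye. The following is an added example, written for this page; it is not code from the article or from Freemindtronic. It assumes a constructed watch-list of the brands named above, a hand-picked table of a few Cyrillic confusables, a tunable edit-distance threshold of 2, and a naive split of the domain into label and extension that ignores public suffixes such as co.uk.

```python
import unicodedata

# Constructed watch-list: the brands named in the article. In practice this is
# your own list of protected domains (your brand, your bank, your suppliers).
PROTECTED = {"free.fr", "bouyguestelecom.fr", "banquepopulaire.fr", "amazon.com"}

# Hand-picked cross-script confusables that NFKD cannot fold (Cyrillic letters
# that render like Latin ones). Unicode's confusables.txt has the full table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

# Maximum edit distance for a label to count as a typo of a protected label.
# Tunable assumption: 2 catches "bouyguetelecom" and "banque-populaire";
# raise it and short brands start to collide with unrelated names.
TYPO_DISTANCE = 2


def fold_label(label: str) -> str:
    """Reduce a label to the ASCII it is trying to look like.

    NFKD splits 'ḅ' (U+1E05) into 'b' + COMBINING DOT BELOW, the combining
    mark is then dropped, and the CONFUSABLES map handles Cyrillic look-alikes.
    """
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped)


def split_domain(domain: str) -> tuple:
    """Return (second-level label, extension) for a host like 'www.amazon.co'.

    Deliberately naive: it does not know public suffixes such as co.uk, so
    use a public-suffix list for production traffic.
    """
    host = domain.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    sld, _, tld = host.rpartition(".")
    return sld, tld


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def to_punycode(domain: str):
    """What DNS and proxy logs actually carry for an IDN (None if not encodable)."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def classify(domain: str, protected=PROTECTED) -> tuple:
    """Classify a domain against the watch-list.

    Returns (verdict, matched protected domain or None) where verdict is one of
    'legitimate', 'homoglyph', 'tld-swap', 'typo', 'unrelated'.
    """
    sld, tld = split_domain(domain)
    if f"{sld}.{tld}" in protected:
        return "legitimate", f"{sld}.{tld}"
    folded = fold_label(sld)
    for p in sorted(protected):  # sorted: deterministic first match
        psld, _, ptld = p.rpartition(".")
        # 1. Unicode look-alike: after folding, the label IS the brand label.
        if sld != folded and folded == psld:
            return "homoglyph", p
        # 2. Same label, different extension (amazon.co vs amazon.com).
        if sld == psld and tld != ptld:
            return "tld-swap", p
        # 3. Typo-distance neighbour (missing letter, extra hyphen, ...).
        if sld.isascii() and levenshtein(sld, psld) <= TYPO_DISTANCE:
            return "typo", p
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample: the article's examples plus one Cyrillic look-alike.
    samples = ["www.free.fr", "\u1e05ouyguestelecom.fr", "\u1e05anquepopulaire.fr",
               "am\u0430zon.com", "www.amazon.co", "bouyguetelecom.fr",
               "banque-populaire.fr", "free.com", "example.org"]
    for s in samples:
        verdict, target = classify(s)
        print(f"{s:28} {to_punycode(s) or '?':34} {verdict:10} {target or ''}")
```

Run against mail headers, proxy logs or a newly registered domains feed, the "homoglyph" verdict is the one the court expects a human to reach by inspection; note that the wire form shown by to_punycode (xn--...) is what most logs contain, so fold the label after decoding, not before.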
How will the case law evolve to determine the threshold at which a cyber-victim is deemed "negligent"?
Natural protection against phishing and typosquatting
There is a barrier to phishing when the domain name extension is proprietary. This is the case, for example, of BNP Paribas, which has its own extension ".bnpparibas" for its website "www.mabanque.bnpparibas". Obtaining a custom extension from ICANN costs around $185,000 and involves a demanding procedure, but it creates a natural barrier against this type of attack. Note that the barrier only covers look-alikes under that extension: a look-alike of the bank's name can still be registered under an ordinary extension such as .fr or .com, so the protection rests on the user noticing the extension. Users of these sites therefore still need to be told about this distinction. Otherwise the case law is unequivocal and will be applied to cyber-victims: it is hard to argue that they did not see the different extension.
Learn more about custom extensions
Is the overall level of computer literacy among Internet users so uniform that they are all able to carry out such an examination?
I doubt it very much.
Likewise, to think that only insiders are safe from phishing seems to me a very risky shortcut.
It is becoming harder and harder for the Internet user to tell the genuine from the fake.
Shouldn't the case law, or a revision of the law, take into account the quality of the forgery, as is done for counterfeit currency, in order to exonerate the victim?
Instant payment transfers: a new El Dorado for cybercriminals?!
What will cybercriminals dream up to create new victims following the new instant transfer scheme initiated by the ECB: payment in under 10 seconds, irrevocable, and achievable with a simple telephone number?
How does it work? (Source: La Tribune)
It is a euro transfer initiated from the bank's website or mobile banking application by choosing the instant mode. You simply enter the beneficiary's IBAN or, less tedious, their mobile phone number (which the bank converts to an IBAN), or even scan a QR code, to send the money. The account is credited in under 10 seconds and a payment confirmation is sent by SMS within 20 seconds. The transfer is irrevocable. The service is available 24 hours a day, 365 days a year. A ceiling of 15,000 euros has been set at European level (the Netherlands has removed it).
I predict an increase in cybercrime on this new SEPA Express system, if the security system is not equal to or greater than that of bank cards!
Innovation goes ever further in letting the machine gradually substitute for human physical consent, since some schools of thought hold that man is more fallible than the machine.
To this day, a machine cannot be brought before a court. In fact, no one is safe from finding themselves between the hammer and the anvil.
'Ransomhack': blackmail over GDPR non-compliance
Cybercriminals also use phishing to steal private data, a practice known as ransomhack. The data is taken hostage and the new European regulation (GDPR, "RGPD" in French) is used as leverage to pressure the victim into paying the ransom faster. It is enough to threaten to make the data public if the ransom is not paid, weighing on the victim the risk of heavy criminal and civil penalties for failing to report the data theft to the CNIL.
Once again the hammer-and-anvil technique becomes a formidable weapon, exploiting the fear of a double punishment: victim of the theft, and defendant in criminal and civil proceedings.
Phishing is no longer the preserve of cybercriminals: it can be more or less legal!
Statistics are hard to establish, as victims do not file complaints. Very likely many of you will recognise yourselves in the following situation.
Despite the new provisions imposed by the GDPR, online sites selling goods and/or services have found a way to obtain their customers' bank card details. Yet there is no reason for the customer to provide this type of information.
Here, however, obtaining this valuable card data takes on a legal appearance. In principle, you have the legal right to request its deletion.
Now that we are done with the theory, let's move on to practice
As we saw above, handing over bank card details is entirely the Internet user's responsibility.
Likewise, it is common knowledge that cybercriminals regularly steal private data, including bank card details, from merchant sites' databases.
Under the principle of prudence established by the Court of Cassation, could this not be turned against the victim? Could the Court not hold that there is no need to warn the Internet user that his card details may be diverted, and that he alone is responsible for the information he transmits?
Why do online sales sites need this credit card information? What do they really do with it?
I believe that under the GDPR you would be entitled to ask the question.
Many good reasons will be invoked, but they serve the service provider, not the customer, especially when the provider has a recurring payment system in place.
This card information becomes valuable for the quality of the receivables, i.e. the discounted bills not yet due (EENE, "effets escomptés non échus"). To learn more: https://comptabilite.ooreka.fr/astuce/voir/609429/effet-escompte-non-echu
What to remember: the discounted bill is passed on to another creditor or bank. The higher the quality of the receivable, the lower the cost of discounting. Even when rates are low, it is a gain.
Another interest lies in the forgotten small amounts, debited regularly, that often slip under customers' radar. Agreements provide for automatic renewal and anniversary dates with a minimum notice period for terminating the contract.
New: muddy the waters under the guise of an update to the terms and conditions of sale! The service contract you consented to is unilaterally amended. The trick relies on trust: you are made to accept new conditions that cancel the previous ones.
Let us go even further into the violation of the rules of law.
When you cannot be made to accept a new document, a "principle" of law that does not exist in contractual matters is invoked, whereas a contract cannot be changed unilaterally, whether it is a contract of adhesion or a bilateral (synallagmatic) contract, without the consent of the other party.
Silence does not amount to acceptance!
Yet many service companies send you emails stating that if you do not respond within a certain period, the contract will be deemed accepted. If you refuse, you lose the service the provider had committed to. But the commitment itself may contain back doors, such as being subject to updates of the general terms of sale.
The hammer and anvil method is activated!
This is a form of blackmail that is illegal and carried out digitally, but it is not classed as cybercrime.
A first element of an answer: they act openly and are legally registered in the company registers, so in principle they are not cybercriminals.
The deterrent force of recourse by the Internet user!
They also hold a trump card: the cost of civil or criminal proceedings compared with the small amounts at stake. The cost of obtaining a court order (lawyers' fees, court costs, time spent) and the uncertainty of obtaining redress are enough to discourage any wish to sue.
Even if civil and/or criminal fraud ("dol") could be characterised, no one will ever know that you were also the victim of phishing, deceived by a contracting party into handing over your bank card details or private data.
However, when you show your teeth to these actors, they negotiate without much resistance. It will also depend on who the Internet user is, and on who on the other side is in the position of scapegoat.
The balance of power created by blackmail can be rebalanced. The risk of bad publicity on social networks, or of a complaint to the CNIL (professional or private), can have more costly consequences than the sums involved. The same applies if the Internet user has insurance covering legal and procedural costs. In that case the blackmail is reversed by the Internet user, who is no longer between the hammer and the anvil.
In the end, an amicable settlement is better than a long trial.
To learn more about deception by a contracting party from a legal point of view.
Having the freedom not to hand over card details beyond a single transaction, under the exclusive control and with the consent of the payer, should not be a right one has to defend. Freemindtronic technologies such as EviToken or EviCypher, with their web browser extensions, protect bank card information and counter phishing attacks. Above all, they are a tool for exercising this right no longer to have one's card details saved on the Internet.
To learn more about our bank card protection solutions, you can read the following articles on LinkedIn:
Why are Freemindtronic's #NFC offline electronic safes already compliant with the decree that comes into force on 01/01/19?
A new cloud-free personal security service with anti-phishing to protect all types of bank cards from end to end