Day TWO BTO2017 | TEN
Thursday 30 November
WORLD Hall
Catch me if you can
http://www.buytourismonline.com
Keynote Speaker
Max Uggeri NASDHACK
Umberto Rapetto Hkao Human Knowledge
Moderator
Rodolfo Baggio BTO2017 | TEN
1. CATCH ME IF YOU CAN!
(A DIVE INTO THE DARK WEB)
MAX UGGERI - BTO2017
2. CATCH ME IF YOU CAN
WHO’S MAX UGGERI?
▸ Hello, my name is Max, and I design interaction between humans and technology with visual language and native code.
I’m Asperger, bipolar, sociopathic and hyperactive. And now I also have your credit card numbers too. (No, just kidding.)
3. CATCH ME IF YOU CAN
CHEATING THE OTA
▸ Everything started when I was trying to arrange a trip, and I ended up on some websites offering "second-hand" tickets/travel packages: non-refundable, already fully paid, but unusable by the buyer, and so resold with strong discounts.
▸ I bought one of them, and they asked me for payment in Bitcoin: it seemed to me like a scam, but I put my Bitcoin in an escrow, and it worked.
▸ Mmmm, not exactly: at the end of my journey, at Koh Samui Airport, I was forced to show the credit card used for the payment. Guess what? I paid for a new flight ticket.
4. CATCH ME IF YOU CAN
CHEATING THE OTA / 2
▸ The first flight and the hotel stay were perfect, but something went wrong at the end. Not a scam, but doubtless a fraud. But who’s the cheated one? The OTA (Agoda & Booking), the resort, or me?
▸ When back home, I started to investigate, and I discovered a dark world…
5. CATCH ME IF YOU CAN
“IF YOU’RE A CARDER, EVERYTHING WILL COST YOU ONLY 15 EUROS”
a credit card dealer on a dark market
6. CATCH ME IF YOU CAN
THE OTA CHEAT US
▸ Ok, let’s start with some thoughts:
- the flight company has been cheated for the first flight;
- the hotel has been TOTALLY cheated;
- I’ve paid a small amount in comparison with the real price (but I’ve screwed up my savings with the return flight).
▸ It’s obvious: the OTA does not protect anyone, but they take money from everyone in the chain.
7. CATCH ME IF YOU CAN
SO, LET’S CHEAT THE OTA
▸ Ok, let’s start with some thoughts:
- the flight company has been cheated for the first flight;
- the hotel has been TOTALLY cheated;
- I’ve paid a small amount in comparison with the real price (but I’ve screwed up my savings with the return flight).
▸ It’s clear: the OTA does not protect anyone, but they take money from everyone in the chain.
8. CATCH ME IF YOU CAN!
CHECKLIST - MISLEAD YOUR IDENTITY
- change your MAC address
- tunnel your connection through a VPN / SOCKS5
- open a fake email account (Protonmail is quite good)
- get a free Bitcoin wallet with the fake email
- using a mixer/tumbler, “clean” some Bitcoin and fill the new wallet
9. CATCH ME IF YOU CAN!
CHECKLIST - GET THE WEAPON
- get the Tor Browser
- go to a dark marketplace
- create an account and recharge your wallet with the “cleaned” Bitcoin
- purchase a good credit card from the market
- use a BIN checker and get the bank info of the credit card owner
- do some social engineering (Facebook, LinkedIn, etc.) to grab much more info
10. CATCH ME IF YOU CAN!
CHECKLIST - FUN JUST BEGAN
- get some browser extensions to clean everything (cookies, history, etc.) to avoid being traced and to change the browser fingerprint
- register on the OTA site with the credit card owner’s name
- make your reservation by saying “I’m purchasing this for another person”
- receive your ticket in the new email
- that’s all, folks!
11. CATCH ME IF YOU CAN!
BUT WHAT REALLY HAPPENED?
▸ The credit card owner will be refunded after filing a complaint;
▸ the OTA’s anti-fraud will activate ONLY after the complaint;
▸ flight companies have strong insurance and will be refunded: both the merchant and the card-issuing bank are insured, and they start bouncing the blame between them, keeping the complaint open for weeks;
▸ the resorts don’t have any kind of protection: the OTAs retain up to 18% of the transaction, and they don’t send money to the resorts (or automatically get the money back from them).
▸ So, who’s the cheated one?
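The deck’s own observation is that the OTA’s anti-fraud only reacts once the real cardholder complains. As an added example, not from the talk and not any OTA’s real system, here is a minimal pre-authorization screen in Python that scores, before the card is charged, the very signals slides 8 to 10 list: a booking made for another person, a just-created account, a tunnelled connection, a card BIN issued far from where the session originates, and a device never seen before. The field names, weights, thresholds and sample bookings are all constructed assumptions; the BIN-country, IP-geolocation and proxy flags stand in for enrichment data an OTA would buy in.

```python
"""Pre-authorization fraud screen for an OTA booking (added example).

Scores a booking on the signals the talk describes *before* the charge,
instead of waiting for the cardholder's complaint. Fields, weights,
thresholds and sample records are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class Booking:
    cardholder_name: str
    traveler_name: str
    account_age_days: int      # age of the OTA account placing the booking
    bin_country: str           # issuing country from a BIN lookup (assumed enrichment)
    ip_country: str            # geolocation of the client IP (assumed enrichment)
    ip_is_proxy: bool          # VPN / SOCKS / Tor-exit flag (assumed enrichment)
    device_seen_before: bool   # fingerprint previously tied to this account
    amount_eur: float


# Weight per signal; chosen for the example, not taken from any OTA.
WEIGHTS = {
    "third_party_booking": 2,   # "I'm purchasing this for another person"
    "fresh_account": 2,         # throwaway email registered right before booking
    "bin_country_mismatch": 3,  # card issued far from where the session originates
    "proxy_or_vpn": 2,          # tunnelled connection hides the real origin
    "new_device": 1,            # cleaned cookies / changed browser fingerprint
    "high_value": 1,
}

REVIEW_THRESHOLD = 4   # hold and verify the cardholder out of band
DECLINE_THRESHOLD = 7  # refuse the charge outright


def _normalize(name: str) -> str:
    return " ".join(name.lower().split())


def risk_signals(b: Booking) -> list[str]:
    """Return the names of the signals that fired for this booking."""
    fired = []
    if _normalize(b.cardholder_name) != _normalize(b.traveler_name):
        fired.append("third_party_booking")
    if b.account_age_days < 2:
        fired.append("fresh_account")
    if b.bin_country != b.ip_country:
        fired.append("bin_country_mismatch")
    if b.ip_is_proxy:
        fired.append("proxy_or_vpn")
    if not b.device_seen_before:
        fired.append("new_device")
    if b.amount_eur >= 1500:
        fired.append("high_value")
    return fired


def risk_score(b: Booking) -> int:
    return sum(WEIGHTS[s] for s in risk_signals(b))


def decision(b: Booking) -> str:
    """'approve', 'review' (hold and verify the cardholder) or 'decline'."""
    score = risk_score(b)
    if score >= DECLINE_THRESHOLD:
        return "decline"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "approve"


# Constructed sample bookings (not real customers).
LEGIT = Booking("Anna Rossi", "Anna Rossi", 400, "IT", "IT", False, True, 320.0)
GIFT = Booking("Anna Rossi", "Luca Rossi", 400, "IT", "IT", False, True, 320.0)
REVIEW = Booking("Anna Rossi", "Luca Rossi", 400, "IT", "IT", True, True, 320.0)
SUSPECT = Booking("John Doe", "Mario Bianchi", 0, "US", "NL", True, False, 1800.0)

if __name__ == "__main__":
    for label, booking in (("legit", LEGIT), ("gift", GIFT),
                           ("review", REVIEW), ("suspect", SUSPECT)):
        print(label, risk_score(booking), risk_signals(booking), decision(booking))
```

A genuine gift booking (one mismatched name, nothing else) still passes; the same name mismatch behind a proxy is parked for a cardholder check rather than charged, which is exactly the step the deck says the OTA only takes after the fact. Real deployments would tune the weights on labelled chargeback data instead of hand-picking them as done here.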
12. CATCH ME IF YOU CAN!
ARE OTAS DINOSAURS?
▸ Have you heard about blockchain and smart contracts? Some facts:
- transaction fees are less than 1%;
- when a smart contract is closed, it is unalterable and non-repudiable;
- if something in the flow fails, no one can bounce back to the other parties (meaning: the money is in your account).
▸ Do you still have doubts? ;-)