1 August 2008

A Theft - but Stupid?

| cranky

Discovered today that someone has overnight managed to empty one of my bank accounts to the tune of $1500+. Bank (ANZ) and Police advised.

In the absence of any other explanation, it would appear that access details were probably garnered by tapping into our home wireless network.

The transaction popped up as an Internet bank transfer, so both access code and password were required to do the deed.

If anyone knows of a Benjamin John McKay, the name of the apparent recipient of this transaction, who is walking around with a $1500 smile on his gob, the Police would be very interested.

I’m a bit less than impressed with the ANZ’s method of dealing with this occurrence. No feedback, and more interested that the fraud is in Police hands and stat decs (very carefully worded) are received than apparently tracking down the above perp.

Bank holiday Monday cannot help.

Police were excellent.


You are talking a load of rubbish, peterh. In the threat model under discussion (using a PC at an untrusted web cafe), you can trust NOTHING that the PC says to you. It’s trivial for the administrator of the PC to generate their own CA certificate and install that as a trusted certificate on the PC; hell, they could even have installed their own hacked-up web browser that lies to you.

So all you know is, you are entering your username, pincode and tokencode into a web page that looks like your bank’s. If you are in fact talking to a proxy controlled by a malicious party, there is nothing stopping them from forwarding those authentication details on to the real bank’s server, and entering any transactions they wish from that point.

As I pointed out, the attack is time-limited – they can only authenticate to the bank as you during the time that the tokencode remains valid. “They would have to be pretty damn quick!” you say – well, I hear that computers are pretty good at doing things quickly.

Comments about “the complexity of the encryption” are just handwaving – you might well be using encryption, but that doesn’t help you if you can’t verify who is on the other end of that encrypted connection. The only way you can have any certainty of this is if your endpoint (that is, the PC you’re using) is secure.

Note that almost everything in the “PC owned by webcafe” threat model also applies in the “home PC 0wned by trojan” threat model.

It so happens that the system I manage uses RSA tokens (SID700s) to authenticate users, so I too know something of what I speak. Two-factor authentication can help, and it does increase the complexity of an attack, and it does ensure that attacks are time limited. But it’s also important to understand that it is not a magic bullet.

To cranky: I would not be 100% confident in the anti-spyware tool finding everything – some malware is pretty clever at hiding itself. Another possibility is that your ISP’s nameservers are/were vulnerable to the recent “Kaminsky attack”.
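The time-limit argument in the comment above, as an added example that is not part of any commenter's post: a verifier written to RFC 6238 (TOTP), used here as a stand-in for the proprietary RSA SecurID algorithm, showing that a login code is checked against the key and the clock only, while a code computed over the payee and amount fails once those details change. The transaction-bound code is a simplified illustration of the card-reader idea mentioned elsewhere in the thread; the key, payee names and amounts are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid (the figure quoted in the thread)
DIGITS = 6   # length of the displayed code

# Constructed sample key: the published RFC 6238 test secret, not a real token seed.
SAMPLE_KEY = b"12345678901234567890"


def _truncate(key: bytes, message: bytes) -> str:
    """HMAC-SHA1 followed by RFC 4226 dynamic truncation to DIGITS digits."""
    digest = hmac.new(key, message, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def login_code(key: bytes, now: int) -> str:
    """RFC 6238 TOTP: depends on the shared key and the current time step only."""
    return _truncate(key, struct.pack(">Q", now // STEP))


def transaction_code(key: bytes, now: int, payee: str, amount_cents: int) -> str:
    """Simplified transaction signing: the code also covers payee and amount."""
    details = f"{payee}|{amount_cents}".encode()
    return _truncate(key, struct.pack(">Q", now // STEP) + details)


class Verifier:
    """Bank-side check. It holds the same key as the customer's token."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_step = -1  # highest time step for which a code was accepted

    def check_login(self, code: str, now: int) -> bool:
        step = now // STEP
        if step <= self.last_step:
            return False  # single use: a step that was already accepted is refused
        if not hmac.compare_digest(code, login_code(self.key, now)):
            return False  # wrong code, or a code from an earlier (expired) step
        self.last_step = step
        return True

    def check_transaction(self, code: str, now: int, payee: str,
                          amount_cents: int) -> bool:
        # The bank recomputes the code over the transfer it was actually asked
        # to make, so a code issued for different details does not match.
        expected = transaction_code(self.key, now, payee, amount_cents)
        return hmac.compare_digest(code, expected)


def demo() -> dict:
    bank = Verifier(SAMPLE_KEY)
    t = 1111111109                      # constructed timestamp (RFC 6238 vector)
    code = login_code(SAMPLE_KEY, t)    # what the customer reads off the token
    results = {}
    # The verifier sees only (code, clock). Nothing in the check identifies
    # which machine or connection delivered the code.
    results["first_submission"] = bank.check_login(code, t)
    # The same code presented again inside the same 30 s step is refused.
    results["same_step_reuse"] = bank.check_login(code, t)
    # The same code presented one step later no longer matches.
    results["after_expiry"] = bank.check_login(code, t + STEP)
    # A code computed over the transfer details the customer saw...
    tx = transaction_code(SAMPLE_KEY, t, "landlord", 150000)
    results["tx_as_seen"] = bank.check_transaction(tx, t, "landlord", 150000)
    # ...does not verify for a transfer with a different payee.
    results["tx_altered_payee"] = bank.check_transaction(
        tx, t, "someone-else", 150000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```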

Woody Mann-Caruso said :

What sort of spy software is involved, & how close to the computer do you have to be?

You pretty much sit anywhere within wireless range of your computer (which can be a long way away if you’ve got a decent antenna) and run something like Kismet. Bit by bit, your network gives up its secrets – it’s like listening to a conversation in another room, and slowly piecing together the number of people, their genders, who they’re talking to, what they’re talking about and so on. It can be pretty fast if you launch an active attack – something that makes your network generate more traffic than it usually would, thus giving up more information about itself more quickly. With dictionary attacks and hash tables, simple passes fall almost instantly, while even decent passes can fall in time. If it was somebody in your neighbourhood, they’ve had all the time in the world.

More likely that you’ve been owned by malware or phishing, though – or even through physical access to the machine. Who else has access to your computer?

Good luck!

the best defence, I have found is to run several AS / AM packages simultaneously. ad aware is a good one, if you want a basic protection package. avast! is another one, as is the commercial Symantec and CA products. I am extremely paranoid, and have dual av scanners, as & am scanners running on my system at any given time. The info on my home pc is both sensitive, and, as my wife runs a business from home, the client details she has are irreplaceable.

Madman said :

Jonathon Reynolds said :

With my ebay/paypal account I have a $5.00 device that ebay/paypal have supplied that generates a unique token (a 6 digit number). This number must be entered in conjunction with my correct username and password – the token is uniquely generated by the device each time I log in and only valid for 30 seconds before expiring.

Jonathon, where do I get myself one of these?

speak to your bank. I know, they may not be up on technology, but, considering that the Bendigo Bank, CBA, NAB and a few others have gone down this path, they may already be investing in the technology. The issue of kismet is defeated by the 2 factor authentication token. it is smart, but when confronted by a 3DES encryption algorithm, it is pretty much dead in the water.

I use symantec endpoint protection at home, as it provides me with the tools to back-trace an attack, and identify with WHOIS, once the ip address has been confirmed. It also prevents spoofing attacks, as well as some other insidious methods out there now.

I had my bank cancel my credit card a few months ago because I made a transaction in Fyshwick at a gas station then 2.5 hours later I made a transaction at another gas station in Nowra.

They thought it was a fraudulent transaction as I had only just filled up with fuel in a different State – didn’t think of calling me to check and didn’t think that maybe I had driven there and the fuel was empty again…. GRRR!

At least I had enough fuel to get through the weekend and back home and enough money for food in my wallet to do with. They also re-ordered me a new card straight after cancelling the current one – so I only had to wait 4 days till payday!

Jonathon Reynolds said :

With my ebay/paypal account I have a $5.00 device that ebay/paypal have supplied that generates a unique token (a 6 digit number). This number must be entered in conjunction with my correct username and password – the token is uniquely generated by the device each time I log in and only valid for 30 seconds before expiring.

Jonathon, where do I get myself one of these?

tylersmayhem 8:59 am 05 Aug 08

I would be extremely pleased if anyone could find a “Branch Manager”, as opposed to the shift supervisor/leading hand/person who has been there the longest and can work the coffee machine.

I have to say that I was very surprised to have so much to do with my new branch manager. Granted, we have recently taken out a mortgage with them – but he is available on the end of the line, or face to face with no trouble at all.

I really feel for you Cranky. I’d be so…well, cranky! And pissed off to the max. Keep on at the bank, go in to your local branch and sit there until you can talk to the manager. Ask them to refund the money to you on a good will basis so you can pay your bills, and if there is any reason that you are liable in the future, that they have the right to take the money back. While this sounds quite bull*hit, my bank in the UK did this when an international ATM debited my account, but dispensed no cash.

That was good advice by DJ to contact the ombudsman. Do that too!

Something came to mind yesterday, mind you I think you’ve already ruled this out. I received an e-mail from ANZ prompting me to update my details. The email looked very legit, and was sent from anz.com.au. Have you provided ANY updates to your details to an email from “ANZ”?

All this is good and sage advice and was going well till someone mentioned “Branch Manager”

I have had occasion over the years to ask for one of these, only to be told that they don’t exist anymore.

I would be extremely pleased if anyone could find a “Branch Manager”, as opposed to the shift supervisor/leading hand/person who has been there the longest and can work the coffee machine.

Seriously, though, good luck with the problem. As much as I wish I had some great advice, I can just hope it resolves in your favour.

Woody,

Thanks for that.

On the results of the anti (thanks JB) spyware software, I am happy that the PC itself has not been infected. I am also totally certain that I have not been ‘phished’. No one (other than the thief) has the account details/password. They have never been committed to paper, and I’m the only person (other than the thief) with the password. Family members have access to the computer, but all have their own, and I cannot conceive of a strike from them.

Having read the Wiki entry on Kismet, I am amazed that anyone (particularly the Banks) can feel confident that this sort of attack is not only inevitable, but a potentially massive problem. Right up the alley of bored computer nerd teenagers, some of whom are probably clever enough to get away with this type of crime. I hope the turd who got away with my dollars hasn’t been clever enough to cover his tracks.

Woody Mann-Caruso 7:51 pm 04 Aug 08

What sort of spy software is involved, & how close to the computer do you have to be?

You pretty much sit anywhere within wireless range of your computer (which can be a long way away if you’ve got a decent antenna) and run something like Kismet. Bit by bit, your network gives up its secrets – it’s like listening to a conversation in another room, and slowly piecing together the number of people, their genders, who they’re talking to, what they’re talking about and so on. It can be pretty fast if you launch an active attack – something that makes your network generate more traffic than it usually would, thus giving up more information about itself more quickly. With dictionary attacks and hash tables, simple passes fall almost instantly, while even decent passes can fall in time. If it was somebody in your neighbourhood, they’ve had all the time in the world.

More likely that you’ve been owned by malware or phishing, though – or even through physical access to the machine. Who else has access to your computer?

Good luck!

Chin up Cranky – contact the Banking Ombudsman. The Police are probably waiting for the ANZ to give them details.

http://www.abio.org.au/ABIOWeb/abiowebsite.nsf

‘The fraud branch would be asking why I was trying to access the account’ – from the front counter officer. Isn’t the account yours? Do they think you don’t need to pay rent or buy food anymore? Ask to speak to the Branch Manager in person…

An update, and request for ideas.

4 days of stewing on this matter are reducing me to tears. There is no feedback from Police/Bank, and I am not enjoying having to explain to creditors. The account has been locked down by the Bank, and I have no way of establishing the value of further expected deposits. The branch couldn’t distance themselves quickly enough from my enquiries – ‘The fraud branch would be asking why I was trying to access the account’ – from the front counter officer.

Can anyone explain the nuts and bolts of tapping into a (apparently protected, non contaminated) network and stealing the details required to access the account? I am not computer literate enough to fully understand the full gamut of the foregoing replies. What sort of spy software is involved, & how close to the computer do you have to be?

Is there any other way this theft could have been carried out?

i might like to mention, i don’t sell to the public, i work for an IT distributor. resellers sell to the public.

caf said :

tylersmayhem: no, they don’t. Web cafe presents you with web page. You submit your username, passcode and tokencode. Web cafe sends you a “login failed” page. Web cafe passes on the credentials to the bank… and empties your account.

All that two-factor authentication achieves against this risk profile is to increase the complexity of the attack (it is now time-limited).

i have to disagree. The other factors in play are that the webcafe would need to provide the bank with the authentication at the same time, ghosting your connection. the encryption keys are significantly complex, and the code is encrypted. (it appears as symbols, not numbers) if the bank’s authentication server doesn’t like the response, or the webcafe is too slow, it asks for a new code. the webcafe will fail, and the ip address is logged.

the authenticators on ebay, on the other hand, are just random number generators, they aren’t synced to the authentication server, as there isn’t one.

This technology is designed to prevent unauthorised access, at any time. The use of tokens is as complex as the backend. if the administrator is compromised, then the tokens will do little to prevent an attack.

in regards to the scenario,

Web cafe presents you with web page. the web page is your bank’s, it cannot be a dummy site, as the authenticator must communicate with the server at the bank, or it will fail.

You submit your username, password, passcode and tokencode. you use your standard login u/n & password, then the pin code and the authenticator code.

Web cafe sends you a “login failed” page. it cannot, as you have authenticated with the bank to gain the connection.

Web cafe passes on the credentials to the bank… and empties your account. unable to do so. they would need your username, password, pin code, and the current authentication code.

keyloggers cannot be deployed through your system if you have AV / AS installed.

If they’re doing it at all they’re probably well practiced.

tylersmayhem 4:38 pm 04 Aug 08

Sorry, make that 30 seconds. I just counted mine. Still, they’d have to be VERY quick!

tylersmayhem 4:36 pm 04 Aug 08

RSA token code change every 10 seconds. They would have to be pretty damn quick!

tylersmayhem: no, they don’t. Web cafe presents you with web page. You submit your username, passcode and tokencode. Web cafe sends you a “login failed” page. Web cafe passes on the credentials to the bank… and empties your account.

All that two-factor authentication achieves against this risk profile is to increase the complexity of the attack (it is now time-limited).

tylersmayhem 4:04 pm 04 Aug 08

Caf – RSA tokens would take away that risk completely.

Two factor authentication doesn’t help a bit against a man-in-the-middle attack. If the web cafe owner is truly dodgy you can’t even trust SSL on those machines unless you know and manually verify the bank certificate’s fingerprint, because they could have fake root CA certificates loaded.

ant said :

It’s a puzzling case though. The wireless thing… they’d have to be located pretty nearby to catch your signal (although people often don’t realise how far their signal is broadcast… useful though when one’s internet goes down!).

Does the OP access their online banking through a saved “favourites” link? re advice about phishing from other posters. My institution allows access via a/c number and p/w, but you can’t move money out of the account without clicking on some pre-chosen pictures in a certain sequence, and the pictures are always in a different spot. I don’t know how strong that is, but apparently it’ll foil keyloggers?

The device Jonathan Reynolds mentioned also gets very good raps, I think my institution is moving to something like that, using one’s mobile phone and a text message. I’ll sign up for that.

the product is manufactured by RSA – I sell it. the tokens work on a random number generated code, so if you are at a web cafe, they can keylog you (if the cafe owner is a bit dodgy, not all are) and will get no-where after you have logged out.

the token is classified as two factor authentication, that is, you have a 4-digit pin code (something you know) plus the token’s generated number (something you have). Tokens have on average a 3-year life, after this point, they expire. Then, you need to buy a new one.

There are also software based tokens, that sms you a code for entry to the system. these have a window of 60secs for connection.

my wireless connection is secure, I have a firewall running behind the connection.

Norton 360 isn’t the best, but it does pre-fetch websites and check them for fraud.

tylersmayhem 3:06 pm 04 Aug 08

Hmmm, that was pretty cool! I’ve recently become a St. George member and I transferred some money today to another Aussie bank account. While the transfer went through, they phoned me a couple of hours later to make sure I wanted this to happen. Not bad.

I guess it’s important to keep your phone details up to date then. Also, apparently if the transaction is more than $2500 – then you need to authenticate with your mobile for the transfer. also great – but better if you could choose what the minimum amount is for this service to kick in.

The NAB system is pretty good and I reckon the perfect way. All they need to do is verify your phone number when you first set it up.

As for the UK way, yes in some ways it is better, but in other ways it leads to more security issues as people are more likely to write their passwords down and choose an internet pin the same as their card pin.

Natwest for example ask for 3 of the 4 digits of your internet pin in a random order and then 3 of the letters/digits in order. If your password is Looser123 can you always remember what the first, 4th and 9th letters are? Natwest also use the card reader, it is a variation where you stick your card in, enter your cards pin, put in a code the bank gives and then put the response back into the bank. It only does it when you first set-up the details of an external payee.

I reckon the best ones are where you don’t type in the password, you just use a mouse. The NAB used to do this years ago, Westpac still does though.

NAB has one time use, passwords sent by SMS for inter bank transfers. Simple, works well

tylersmayhem 5:42 pm 02 Aug 08

Some interesting comments here. I’m surprised that there are not more comments about the shoddy simple user name and password validation that most banks use in Australia. I spent about 5 years in the UK, and I could rant all day about how much better banks are over there, including the high level of security. They use several methods depending on the bank. Here are some examples:

1. Enter your DOB followed by your unique 4 digit customer code. Then enter 3 alternating numbers from your chosen internet pin number (i.e. “enter the 3rd, 4th then 1st number” – this alternates at each login). Then you do the same with your chosen 4-12 letter password (using alternating letters). This guards well against key logging software.

2. The bank that used that method then upgraded to issuing free card readers which generate unique codes for the particular transaction.

These methods should be used by ALL banks, instead of the shoddy same username & password for each login.

P.S. Yes, I’ve left ANZ – never to go back. I recently took out a mortgage and the best for us was between ANZ and another bank. While ANZ were marginally better, I avoided them out of principle. Before leaving them a couple of years ago, I gave them an opportunity to resolve an issue and let them know I would avoid them as mortgage lenders in the future if they could not resolve the issue. They declined…I walked. They didn’t care!

I had trouble with ANZ over a mortgage. They convinced us to get a mortgage linked to a credit card, and to sign all our funds over to the credit card account, to offset the mortgage.

So we signed over all our money. Only to spend about a week waiting for these credit cards, and with no way to access our money.

The most annoying thing about it was that they claimed they were unable to help us, as we weren’t their customers til we received the credit cards – despite the fact they had all our money.

I would not recommend them.

You said :

Bad idea contacting the police first.

I had the same thing happen to my Commonwealth account a few years ago. I contacted Commonwealth immediately, they put me onto the fraud department, I answered a few questions (one of which was “have you contacted the police”) and then left them to it. A week later I was contacted by phone and advised that the problem had been addressed and the money had been put back into my account.

Bad idea offering advice like that which shows how little you know of the process of the reporting and addressing of criminal matters

anti-spyware software I hope?

Have installed spyware software today, and it discovered a couple of ‘low risk’ applications.

I therefore come back to my original suspicion that the keys have been logged from a site in the near vicinity. If so, someone has gone to a deal of effort for a fairly small gain, and I would suspect, a fairly high degree of prosecution.

“Bad idea contacting the police first”

When the bank asked if you had spoken to Police I bet they asked for a reference/report number. Did you make one up for the bank?

Stupid advice really.

Bad idea contacting the police first.

I had the same thing happen to my Commonwealth account a few years ago. I contacted Commonwealth immediately, they put me onto the fraud department, I answered a few questions (one of which was “have you contacted the police”) and then left them to it. A week later I was contacted by phone and advised that the problem had been addressed and the money had been put back into my account.

It’s a puzzling case though. The wireless thing… they’d have to be located pretty nearby to catch your signal (although people often don’t realise how far their signal is broadcast… useful though when one’s internet goes down!).

Does the OP access their online banking through a saved “favourites” link? re advice about phishing from other posters. My institution allows access via a/c number and p/w, but you can’t move money out of the account without clicking on some pre-chosen pictures in a certain sequence, and the pictures are always in a different spot. I don’t know how strong that is, but apparently it’ll foil keyloggers?

The device Jonathan Reynolds mentioned also gets very good raps, I think my institution is moving to something like that, using one’s mobile phone and a text message. I’ll sign up for that.

I’m pretty sure you’ll get your money back, as it was an un-authorised transaction.

The same if someone stole your credit card and went on a shopping spree.

DJ said :

I had huge problems years ago with ANZ causing me to take my business elsewhere. I traveled to Africa in 1997 and used my ANZ Visa while over there. .

That is amazing. I was in Africa in 1997 with an ANZ card and had a similar issue when the ‘merchant’ (in this case a bank for a cash advance!) decided to process it with an extra zero on the end (old paper based transaction with the ‘clacker’). Only noticed when back in Australia and despite having my clear copy of the handwritten voucher I had enormous problems getting ANZ to reverse it. They said they could do nothing about it and the now accruing interest until they sighted the original from Africa which could take weeks (by now this was the only transaction left to pay on the account). I said fine, I just wont pay anything until you sort it out, they said we will have to apply penalty fees and it could affect your credit rating and could take you to court. I said yes please and they suddenly decided to place it in a ‘hold’ and then eventually reversed it. Needless to say I cancelled the account and have had nothing to do with them since!

About a year ago the bank (Commonwealth) spotted a fraudulent international call on my credit card and automatically refused the payment and froze the account.

Yes it was a pain getting the card re-issued but can’t fault them for diligence.

Also the day I went to civic and bought $1,000 in clothes from John Hanna and a new Playstation it was nice to get a phone call from the bank checking it was me going on a shopping spree.

captainwhorebags 8:56 am 02 Aug 08

Banks aren’t interested in fraud, unless they lose money themselves.

A friend of mine had a cheque taken out of her chequebook and then used to steal $2000. When she got the cheque back from the bank, the signatures were obviously completely different. The attitude of the bank was “not our problem, refer the matter to the police for court action”. So much for checking a supposed security device.

That being said, I once had some transactions charged to a visa card by an overseas party. No idea how they got the number, it could have been from a credit card generator (these were the days before CVV2 validation). When I rang Commbank they said to fax them a written declaration that they weren’t my purchases, and they put a hold on those specific items. I was told that they would request a signature for the purchases and if one wasn’t forthcoming that they’d be removed from my account. All very easy to deal with.

JC,

1) I would like some indication from the bank that they have the means to track the transaction.
2) I would like some indication from the bank on the chances of my being reimbursed the missing amount.
3) I would like to know if the bank is going to honour or bounce my rent cheque.

ANZ have a fairly effective wall between their fraud department and the customer. It would appear that all contact after the initial complaint is to be conducted by e-mail and fax.

I am 100% certain I have never been to a spoof page. I have a well developed scepticism for the strange.

VYBerlinaV8_the_one_they_all_copy 7:27 am 02 Aug 08

Agree with JC here – the network used to access the bank website won’t have been particularly relevant simply because the SSL session encrypts the data (including logon credentials) independently of the network itself. You have probably been stung with a keylogger. These days, it’s critical to keep antivirus and antimalware up to date, and bear in mind that not all antivirus products are created equal, so ask around a bit to find one people generally regard as good.

All the wireless security advice is very valid, but when logging into a bank or any other secure site the data, including the passwords etc would be encrypted anyway so no great worry there. In cases like this it is more likely that a keylogger has found its way onto a PC used to access the bank or the person has gone to a spoofed web page where the details were stolen.

As for the bank, what do you want them to do? It is a police matter more than anything now.

The best thing you can do is, when you connect to your bank’s web page:

1. Make sure that the connection is using SSL.

2. Check the SSL certificate, and make sure it is valid and matches the expected domain name for your bank.

Even this isn’t enough if your computer is infected with a keylogging trojan.

A few more things to ponder: “Benjamin John McKay” is quite possibly an innocent party, whose account has also been hijacked and is being used to launder the amounts, and the criminal(s) are quite possibly outside Australian jurisdiction.

It’d be worth checking your PC for spyware/trojans as well – it could be they got your details directly from your PC, rather than the network. In fact, given that the communication between you and your bank would be encrypted by HTTPS even over an unsecured wireless network, it’s the most likely line of attack. Try Lavasoft Adaware (which is free), Spybot Search and Destroy (which is free), or the Windows Malware removal tool (which comes with Windows). Bear in mind some of these sneaky little beggars will hide through all that.

If you really want to be sure, back up your data (just data, not programs), make a list of your applications, reformat the hard drive, re-install your OS and apps, update them (to patch up any security flaws) and then load your data back on.

I had huge problems years ago with ANZ causing me to take my business elsewhere. I traveled to Africa in 1997 and used my ANZ Visa while over there. In 2001 some smart cookie in Botswana started using it again. The ANZ eventually suspended the account after the same amount was charged five days in a row and then on the sixth the limit was reached and the transaction declined.

It took me over four months to convince them that it wasn’t me and that I wouldn’t pay them anything more than what the balance was before the African fraud occurred. They threatened court action and I welcomed it… they eventually advised me they were not proceeding and that I only had to pay the outstanding balance on my original purchases plus some interest… ok I said but when I asked for the calculations for the interest it included interest on the amount I was not responsible for! Eventually all was sorted but it wasn’t nice dealing with them.

mooliganbags19:31 pm 01 Aug 08

Keep at the bank. They’re usually pretty keen to maintain trust in their internet banking services and your case sounds like a breach of security beyond anything you could control or foresee.

I’d be interested to see what happens.

Hidden SSIDs can affect performance though and still can be found.

MAC addresses can also be spoofed.

Basically having WPA-PSK with a strong phrase (eg. This is a very long phrase!!! is better than cat) is what you want.

Tons of posts on Whirlpool about security.

Jonathon Reynolds 8:10 pm 01 Aug 08

Base minimum for security for Wireless networks:

-turn off SSID (it doesn’t help to be openly broadcasting that you have an access point)
-turn on encryption (if your Access Point and wireless access nic don’t support the newer WPA standards buy one that does)
-ensure that you only allow access via known MAC addresses (nothing to do with Apple systems – this is the “unique” identifier of the network adapter in your PC – if your access point doesn’t support locking down access by MAC address get one that does)
-ensure that you are using strong password encryption on the Access Point (the password you use to log in to your access point is something like “P@Ss\/\/0rd” – all your password should be ‘strong’)
-enable the event log on your Access Point (will allow you to see who and what is connecting and when)

The other thing to watch is “spoofed” internet banking login pages. It is a well known ploy for hackers to spoof the login page, you enter the correct details as if you are logging in. In this process the hacker grabs your login and password, directs you to a page as if you have entered the wrong details (in the mean time they have your details). You are then dropped back to the genuine log in page where you enter your credentials again and this time you get to log in. How to avoid this… make sure you are running latest Anti Virus, firewall and anti-spam software. Never accept that the bank will email you to update or confirm your details.

Finally the banks are just as much to blame by allowing simple authentication credentials. (just username/password). They could fix this by insisting on token identification as part of the log in process. With my ebay/paypal account I have a $5.00 device that ebay/paypal have supplied that generates a unique token (a 6 digit number). This number must be entered in conjunction with my correct username and password – the token is uniquely generated by the device each time I log in and only valid for 30 seconds before expiring. I enquired about getting something similar from my bank and they advised it was only available for a “business” account.

Hope that helps.

Cranky wrote “Police were excellent.” Nyssa76 please take careful note. I don’t believe there is anything ambiguous about this. ;P

I really don’t know. I’m checking – but I believe the network is well locked down.

Was your network encrypted Cranky?
