Boing Boing has scooped the press by reporting Citibank is under some sort of fraud attack.
AND in keeping with what seems to be a growing trend, it appears debit cards are being targeted.
Jake Appelbaum, who is currently in Toronto with a useless debit card, wrote:
"The supervisor identified herself as a manager named Carla ID#CRU194. I identified myself as an upset customer whose account was locked for some unknown reason. She asked me a few questions about my location, my issue and then informed me that my card was suspected of fraud."
"Naturally, I perked my ears up and asked for details of any fraud. She informed me that there had been no direct fraudulent transactions on my account. Rather, she informed me that the ATM networks of Canada, Russia and the United Kingdom have been compromised. I used the term class break as a question and she repeated that there has been a class break of the ATM networks in those countries. The ATM network in Canada has been compromised and as a result, using my ATM card over the Canadian network locked my account automatically. She informed me that this has been an ongoing issue for the last two weeks. When I asked why there was no media attention, she said she wasn't sure. I said it was a pretty big deal and she agreed."
"She informed me that I would have to return to the United States to change my pin number before my card would be valid and in a usable state again. When I informed her that I would be traveling outside of the United States for at least a few months, possibly up to six, she repeated that I would have to re-enter the United States to fix the problem."
Poor Jake, stuck in Toronto with no way to get cash, and he will have to cross the border to get his PIN fixed. A testament to how fraud victims are treated, which from what I hear is a frustrating experience for all.
I did some checking and Carla ID#CRU194 was right. This doesn't seem to have hit the mainstream media. I probably should let the people at Boing Boing know that the company (bank) that has been breached tends to be very tight-lipped about it.
Maybe if they provided better customer service to Jake, it still would be a deep dark secret.
Interestingly enough, here is a post I wrote a couple of days ago:
Debit Card Breaches, A Growing Problem
The Privacy Rights Clearinghouse tracks data breaches; the number and velocity of them are pretty scary:
A Chronology of Data Breaches Since the ChoicePoint Incident
Here is my rant on the lack of sophistication in some of these data breaches:
Stealing Data Shouldn't be so Darned Easy
For the full post by Jake and Boing Boing, click on the title of this post.
Sunday, March 05, 2006
Saturday, March 04, 2006
Internet Privacy is Becoming a Growing Concern
Recently in the news, ISPs (Internet service providers) have been faulted for releasing private information to the NSA (National Security Agency). In fact, we can probably expect to see a lot of legal action over this in the near term.
Given the amount of potential terrorism the NSA is dealing with, I speculate they have little time to interfere in a normal citizen's privacy. To me, the real issue is the so-called "Information Industry," which has been gathering personal information (for resale) on all of us for years.
The result of this data harvesting has been a record number of data breaches, where massive amounts of people's personal information is compromised.
Tor, which is sponsored by the Electronic Frontier Foundation, is a free option for people who do not want to have their personal information exposed.
According to Wikipedia:
"Tor is an implementation of second-generation onion routing - an anonymity system enabling its users to communicate anonymously on the Internet. Originally sponsored by the US Naval Research Laboratory, Tor became an Electronic Frontier Foundation (EFF) project in late 2004."
Tor (anonymity network) is a "toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features."
"Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."
While this technology has the potential for abuse, as long as businesses gather this information and criminals steal it, a person should have the right to defend themselves. The criminal element on the internet probably already has access to this technology and is known to use other methods, such as stolen identities, account takeovers and even bot-nets, to conceal their true identities. Since criminals already have more than this to cloak themselves, the solution is to identify the root causes of why they are able to do so.
We also need to accomplish this without making the common person vulnerable to abuse.
Debit Card Breaches, A Growing Problem
Last month, 200,000 debit card numbers were breached in the Western United States. News reports speculated that the breach was either at Sam's Club, or Office Max.
Here is one of the posts I did on this scenario:
Office Max Denies Being Hacked in Debit Card Breach
Now activity seems to be moving to the middle of the country and even to the East Coast.
Indiana's NewsCenter16 reporter Kimberly Torres reported on 03/02/06:
"Banks and credit unions, including some here in Michiana, are sending out letters to warn their customers. Someone got into the database of a nationwide store chain, although Visa won't say what store. They stole Visa credit card/debit numbers, and soon after, ATM transactions popped up overseas."
Contact 16: Visa card numbers stolen, Michiana affected
The same day the Indiana story broke, the Boston News Channel reported:
"Officials said Leominster and Fitchburg area residents are being stung by debit card fraud in amounts of from hundreds of dollars up to almost $2,000."
Towns Stung By Debit Card Fraud
Of course, there is no way to tell if this activity ties together, but the similarities are amazing. Retailers, debit cards and hacking appear to be involved in most of the scenarios.
This supports the February 23rd ZDNet story, Debit Card Fraud Causes FBI To Widen Its Probe, which stated:
"Federal investigations into a debit card fraud that has affected about 200,000 cardholders in the western US have been extended to other parts of the US in an effort to identify common factors. In the past week, Bank of America, Wells Fargo and Washington Mutual advised that the debit cards of certain customers would be replaced following an unconfirmed card security breach in which cardholders' names, debit card numbers and PINs were obtained. Fraudulent charges at Wal-Mart's Sam's Club division and at office retailer, OfficeMax, are receiving particular scrutiny in investigations."
No one is saying (directly) how the systems at retailers are being compromised. One thing that has been spotted with increasing frequency is the use of skimming devices (often wireless) on ATM machines. Here is a post I did a while back with some interesting pictures:
ATM Machines That Clone Your Card
It appears that debit card breaches are a growing problem for both the financial and retail industries. Everyone seems to be extremely tight-lipped on how the breaches are occurring, and it's hard to say whether this is because of the ongoing investigation or for other reasons.
Fox News recently reported:
"Consumer advocacy groups say the public isn't getting the full story on debit cards, which have become so popular that 127 million are in use today."
"Debit cards are the pot of gold at the end of the rainbow for banks," said Ed Mierzwinski of the U.S. Public Interest Research Group (U.S. PIRG), a consumer watchdog organization. "They're a big risk for consumers."
"Mierzwinski said the bank makes $2 on every $100 spent with a debit card, but banks don't tell consumers how difficult it is to reclaim their funds after a theft."
Here is a scary story from MSN Money, Banks hang fraud victims high and dry by Liz Pulliam Weston. In this story, she writes:
"The rules are somewhat different for bank accounts. When a fraudulent debit charge or automatic payment is reported, a section of federal law known as Regulation E requires banks to investigate within 10 days. But banks can extend that period to 45 days if they credit the disputed amount or $2,500, whichever is less, to the customer's account. (Paper checks offer even less protection, as I discussed in "Your paper check is a thief's best friend.")
"But a bank can decide there was no fraud, experts say, and take the money back as long as it provides a written explanation to the customer. That's what happened to the Hendersons and to Los Angeles Times columnist Steve Lopez, who recently wrote about his bank snatching back the $2,020.50 it had restored to his account after a theft."
Problems with debit cards aren't confined to the United States; breaches are being regularly reported throughout the world.
Here is an interesting article from the Canadian Broadcasting Company, which illustrates the growing problem in Canada as well:
CBC News: Debit card fraud an 'epidemic'
Friday, March 03, 2006
How Effective is the Do Not Call Registry
Kevin Poulsen of Wired News wrote an interesting article about Caller ID spoofing. In it, he writes:
"If you've ever used one of the half-dozen websites that allow you to control the phone number that appears on someone's Caller ID display when you phone them, the U.S. government would like to know who you are."
"Last week the FCC opened an investigation into the caller-ID spoofing sites -- services that began popping up late 2004, and have since become a useful tool for private investigators, pranksters and more than a few fraud artists."
Here is the full article, with links to some of these dubious services:
FCC Probes Caller-ID Fakers
The Federal Trade Commission (FTC) has its National Do-Not-Call Registry, where you can register your telephone numbers, which makes it illegal for businesses to call you unsolicited.
Of course, it's still legal for businesses to call you if you have a relationship with them. This means that you are still vulnerable to their marketing campaigns, whether you want to be or not.
Lately, I've noticed that businesses that are allowed to call me also spoof their numbers with caller ID labels, such as "800 services." Today, I got one that was a recorded ad for one of the clothing retailers I shop at occasionally.
Additionally, charities are exempt from this, and many charities hire third-party call centers to solicit donations for a commission. Often, if I answer, they will swear my wife made a pledge, and when I ask her, she knows nothing about it. In fact, charity fraud was quite the buzzword in the recent hurricane disasters.
Let's face it, spoofing caller IDs is becoming the norm, and if you don't know who called, it's going to be difficult to file a viable complaint. Leaving this activity legal also provides a valuable means for criminals AND (unethical business people) to invade people's privacy and WORSE.
Here is another clear example of where laws need to catch up with technology.
The United States and Canada are Becoming Borderless in the Cyber Crime Wars
The Federal Trade Commission and Canadian consumer agencies are designating March as Fraud Prevention Month.
"Officials from the Federal Trade Commission and Canadian consumer protection agencies met in Ottawa today to kick off March as Fraud Prevention Month. The initiative is part of an international effort to raise public awareness worldwide of the dangers of fraud, while educating the public on how to recognize and report it. The representatives from the FTC, Canada’s Competition Bureau, the Royal Canadian Mounted Police, and the Ontario Provincial Police explained how cross-border partnerships are key in fighting the global scourge of fraud."
Fraud Prevention Month will be a theme on OnGuardOnline.gov, which can also be viewed in Espanol (Spanish) at Alerta en Linea.gov.
Both of these sites have a lot of "user friendly" information on how to avoid fraud on the internet.
You can also report fraud to the FTC by filing a "complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov/ftc/complaint.htm."
Canada also has a similar service, PhoneBusters, which is accessible in English or Francais (French):
Welcome to PhoneBusters
There is no doubt that in recent years, we have seen a lot of fraud go both ways across the border. Cyber criminals often do this to avoid prosecution AND it's great to see TEAMWORK in fighting this activity.
For a Canadian perspective on this from Government of Canada news, read:
March Declared "Fraud Prevention Month" in Canada and Around the World
Thursday, March 02, 2006
Websense Security Trends Report for Second Half of 2005
Websense has published their report on internet criminal activity for the second half of 2005.
They are seeing an increase in the number of malicious websites containing crimeware. Phishing attacks are also changing (mutating) to account for greater awareness and defenses out there against them. One of the mutations is spear phishing, where specific groups are targeted, often (allegedly) with the use of inside information, which was probably stolen. They are also seeing an increase in attacks against non-financial institutions, beyond the financial institutions that were the traditional targets of this sort of activity.
The conclusion in the report is:
"The use of the web to launch attacks increased during the second half of the year, and the variety of methods used to launch attacks mirrored this increase. We saw criminals adapt to changing conditions by creating new exploits, capitalizing on inherent vulnerabilities, increasing the quality and stealth of their exploits, and cooperating among themselves."
"We saw browser and operating system exploits used more frequently and more effectively in H2 2005. These included zero-day exploits targeting browser and operating system vulnerabilities. Cyber criminals improved the timing of such exploits in H2 2005 by detecting vulnerabilities, designing attacks, and launching them before the vulnerabilities were widely known, and before patches could be provided for computer users."
"Infections resulting from visits to websites surpassed other infection methods during the second half of the year. We determined that this method of infection has begun to be used in combination with other methods."
"Hand-in-hand with the increased involvement of organized criminal groups, we saw a movement away from nuisance attacks toward exploits and malicious websites intended for criminal purposes. Successful exploitation of these vulnerabilities enabled attackers to execute code on the workstations of unsuspecting users without their knowledge or consent — even fully patched workstations. We also saw an increased use of affiliates to spread infections."
"New targets for exploitation appeared in the second half of the year, as cyber criminals compensated for increased sophistication and wariness among computer users who have become more aware of luring techniques. Spear phishing was introduced in an effort to deliver more convincing lures to targeted audiences."
"Attacks were increasingly launched against smaller domestic financial institutions in H2 2005, and more frequently against non-financial targets. We saw an increase in cyber extortion attacks in which money was requested to resolve problems introduced by those requesting money for the repairs."
Internet crime is on the rise. In fact, it seems to be becoming more organized and more devious in order to thwart recent awareness campaigns. Recently, when addressing the RSA conference, FBI Director Robert Mueller called for greater cooperation between the business sector and law enforcement to combat cyber crime throughout the world. If we fail to heed this wise advice, I fear the consequences could be serious.
On a personal level, I would like to commend the good folks at Websense, who are part of the business sector and seem to be contributing to the atmosphere that Director Mueller speaks of.