Saturday, March 04, 2006

Internet Privacy is Becoming a Growing Concern

Recently in the news, ISPs (Internet service providers) have been faulted for releasing private information to the NSA (National Security Agency). In fact, we can probably expect to see a lot of legal action over this in the near term.

Given the amount of potential terrorism, the NSA is dealing with, I speculate they have little time to interfere in a normal citizen's privacy. To me, the real issue is the so-called "Information Industry," which has been gathering personal information (for resale) on all of us for years.

The result of this data harvesting has been a record number of data breaches, where massive amounts of people's personal information is compromised.

Tor, which is sponsored by the Electronic Frontier Foundation is a free option for those people, who do not want to have their personal information exposed.

According to Wikipedia:

"Tor is an implementation of second-generation onion routing - an anonymity system enabling its users to communicate anonymously on the Internet. Originally sponsored by the US Naval Research Laboratory, Tor became an Electronic Frontier Foundation (EFF) project in late 2004."

Tor (anonymity network) is a " toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features."

"Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."

While this technology has the potential for abuse, as long as businesses gather this information and criminals steal it, a person should have the right to defend themselves. The criminal element on the internet probably already has access to this technology and is known to use other methods, such as using stolen identities, taking accounts over and even bot-nets to conceal their true identities. The reality is that criminals already use more than this to cloak their true identities and the solution is to identify the root causes of why they are able to do this.

We also need to accomplish this without making the common person vulnerable to abuse.

Debit Card Breaches, A Growing Problem

Last month, 200,000 debit card numbers were breached in the Western United States. News reports speculated that the breach was either at Sam's Club, or Office Max.

Here is one of the posts, I did on this scenario:

Office Max Denies Being Hacked in Debit Card Breach

Now activity seems to be moving to the middle of the country and even to the East Coast.

Indiana's NewsCenter16 Reporter, Kimberly Torres reported on 03/02/06:

"Banks and credit unions, including some here in Michiana, are sending out letters to warn their customers. Someone got into the database of a nationwide store chain, although Visa won't say what store. They stole Visa credit card/debit numbers, and soon after, ATM transactions popped up overseas."

Contact 16: Visa card numbers stolen, Michiana affected

The same day, the Indiana story broke, the Boston News Channel reported:

"Officials said Leominster and Fitchburg area residents are being stung by debit card fraud in amounts of from hundreds of dollars up to almost $2,000."

Towns Stung By Debit Card Fraud

Of course, there is no way to tell if this activity ties in together, but the similarities are amazing. It appears that retailers, debit cards and hacking seem to be involved in most of the scenarios.

This supports the story on February 23rd that Debit Card Fraud Causes FBI To Widen Its Probe ZDNet, which stated:

"Federal investigations into a debit card fraud that has affected about 200,000 cardholders in the western US have been extended to other parts of the US in an effort to identify common factors. In the past week, Bank of America, Wells Fargo and Washington Mutual advised that the debit cards of certain customers would be replaced following an unconfirmed card security breach in which cardholders' names, debit card numbers and PINs were obtained. Fraudulent charges at Wal-Mart's Sam's Club division and at office retailer, OfficeMax, are receiving particular scrutiny in investigations."

No one is saying (directly) how the systems at retailers are being compromised. One thing that has been spotted, with increasing frequency, is the use of skimming devices (often wireless) on ATM machines. Here is a post, I did awhile back with some interesting pictures:

ATM Machines That Clone Your Card

It appears that debit card breaches are a growing problem for both the financial and retail industries. Everyone seems to be extremely tight lipped on how the breaches are occurring and it's hard to say, whether this is because of the ongoing investigation, or for other reasons.

Fox News recently reported:

"Consumer advocacy groups say the public isn't getting the full story on debit cards, which have become so popular that 127 million are in use today."

"Debit cards are the pot of gold at the end of the rainbow for banks," said Ed Mierzwinski of the U.S. Public Interest Research Group (U.S. PIRG), a consumer watchdog organization. "They're a big risk for consumers."

"Mierzwinski said the bank makes $2 on every $100 spent with a debit card, but banks don't tell consumers how difficult it is to reclaim their funds after a theft."

Here is a scary story from MSN Money, Banks hang fraud victims high and dry by Liz Pulliam Weston. In this story, she writes:

"The rules are somewhat different for bank accounts. When a fraudulent debit charge or automatic payment is reported, a section of federal law known as Regulation E requires banks to investigate within 10 days. But banks can extend that period to 45 days if they credit the disputed amount or $2,500, whichever is less, to the customer's account. (Paper checks offer even less protection, as I discussed in "Your paper check is a thief's best friend.")

"But a bank can decide there was no fraud, experts say, and take the money back as long as it provides a written explanation to the customer. That's what happened to the Hendersons and to Los Angeles Times columnist Steve Lopez, who recently wrote about his bank snatching back the $2,020.50 it had restored to his account after a theft."

Problems with debit cards aren't confined to the United States, breaches are being regularly reported throughout the world.

Here is an interesting article from the Canadian Broadcasting Company, which illustrates the growing problem in Canada, also:

CBC News:Debit card fraud an 'epidemic'

Friday, March 03, 2006

How Effective is the Do Not Call Registry

Kevin Poulsen of Wired News wrote an interesting article about Caller ID spoofing. In it, he writes:

"If you've ever used one of the half-dozen websites that allow you to control the phone number that appears on someone's Caller ID display when you phone them, the U.S. government would like to know who you are."

"Last week the FCC opened an investigation into the caller-ID spoofing sites -- services that began popping up late 2004, and have since become a useful tool for private investigators, pranksters and more than a few fraud artists.

Here is the full article, with links to some of these dubious services:

FCC Probes Caller-ID Fakers

The Federal Trade Commission (FTC) has it's National Do-Not-Call Registry, where you can register your telephone numbers, which makes it illegal for businesses to call you unsolicited.

Of course, it's still legal for businesses to call you, if you have a relationship with them. This means that you are still vulnerable to their marketing campaigns, whether you want to be, or not.

Lately, I've noticed that businesses that are allowed to call me, also spoof their numbers with caller ID logos, such as "800 services." Today, I got one that was a recorded ad for one of the clothing retailers, I shop at occasionally.

Additionally, charities are exempt from this and many charities hire third-party call centers to solicit donations for a commission. Often, if I answer, they will swear my wife made a pledge and when I ask her, she knows nothing about it. In fact, charity fraud was quite the buzz word in the recent hurricane disasters.

Let's face it, spoofing caller ID's is becoming the norm and if you don't know who called, it's going to be difficult to file a viable complaint. Making this activity legal, also provides a valuable means for criminals AND (unethical business people) to invade people's privacy and WORSE.

Here is another clear example of where laws need to catch up with technology.

The United States and Canada are Becoming Borderless in the Cyber Crime Wars

The Federal Trade Commission and Canadian consumer agencies are designating March as Fraud Prevention Month.

"Officials from the Federal Trade Commission and Canadian consumer protection agencies met in Ottawa today to kick off March as Fraud Prevention Month. The initiative is part of an international effort to raise public awareness worldwide of the dangers of fraud, while educating the public on how to recognize and report it. The representatives from the FTC, Canada’s Competition Bureau, the Royal Canadian Mounted Police, and the Ontario Provincial Police explained how cross-border partnerships are key in fighting the global scourge of fraud."

Fraud Prevention Month will be a theme on OnGuardOnline.gov, which can also be viewed in Espanol (Spanish) at Alerta en Linea.gov.

Both of these sites have a lot of "user friendly" information on how to avoid fraud on the internet.

You can also report fraud to the FTC by filing a "complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov/ftc/complaint.htm."

Canada also have a similiar service, Phone Busters, which is accessible in English or Francais (French):

Welcome to PhoneBusters

There is no doubt that in recent years, we have seen a lot of fraud go both ways across the border. Cyber criminals often do this to avoid prosecution AND it's great to see TEAMWORK in fighting this activity.

For a Canadian perspective on this from Government of Canada news, read:

March Declared "Fraud Prevention Month" in Canada and Around the World

Thursday, March 02, 2006

Websense Security Trends Report for Second Half of 2005

Websense has published their report on internet criminal activity for the second half of 2005.

They are seeing an increase in the number of malicious websites containing crimeware on the rise. Phishing attacks are also changing (mutating) to account for greater awareness and defenses out there against them. One of the mutations is spear phishing, where specific groups are targeted, often (allegedly) with the use of inside information, which was probably stolen. They are also seeing an increase in attacks against non-finanical institutions, which were the traditional targets of this sort of activity.

The conclusion in the report is:

"The use of the web to launch attacks increased during the second half of the year, and the variety of methods used to launch attacks mirrored this increase. We saw criminals adapt to changing conditions by creating new exploits, capitalizing on inherent vulnerabilities, increasing the quality and stealth of their exploits, and cooperating among themselves."

"We saw browser and operating system exploits used more frequently and more effectively in H2 2005. These included zero-day exploits targeting browser and operating system vulnerabilities. Cyber criminals improved the timing of such exploits in H2 2005 by detecting vulnerabilities, designing attacks, and launching them before the vulnerabilities were widely known, and before patches could be provided for computer users."

"Infections resulting from visits to websites surpassed other infection methods during the second half of the year. We determined that this method of infection has begun to be used in combination with other methods."

"Hand-in-hand with the increased involvement of organized criminal groups, we saw a movement away from nuisance attacks toward exploits and malicious websites intended for criminal purposes. Successful exploitation of these vulnerabilities enabled attackers to execute code on the workstations of unsuspecting users without their knowledge or consent — even fully patched workstations. We also saw an increased use of affiliates to spread infections."

"New targets for exploitation appeared in the second half of the year, as cyber criminals compensated for increased sophistication and wariness among computer users who have become more aware of luring techniques. Spear phishing was introduced in an effort to deliver more convincing lures to targeted audiences."

"Attacks were increasingly launched against smaller domestic financial institutions in H2 2005, and more frequently against non-financial targets. We saw an increase in cyber extortion attacks in which money was requested to resolve problems introduced by those requesting money for the repairs."

Internet crime is on the rise. In fact, it seems that it is becoming more organized and that it is becoming more devious to thwart recent awareness campaigns. Recently, when addressing the RSA conference, FBI Director Robert Mueller called for greater cooperation between business sector and law enforcement to combat cyber crime throughout the world. If we fail to heed this wise advice, I fear the consequences could be serious.

On a personal level, I would like to commend the good folks at Websense, who are part of the business sector and seem to be contributing to the atmosphere that Director Mueller speaks of.

Tuesday, February 28, 2006

eBay Claims Fraud Isn't a Major Problem

eBay and tales of fraud have been surfacing on the internet. (Computing Which?) was one of the magazines, who published one of these stories and eBay is responding to it:

Here part of their response to this article, as written in a recent E-Commerce article:

"eBay, however, said the magazine failed to distinguish between actual eBay sales and sales made outside of the eBay community by buyers and sellers who find one another on the site. The eBay user pages clearly warn against such sales, which happen outside of the protections of the community, such as the right of users to complain when a sale isn't completed or to stop payment when eBay's PayPal is used to consummate a purchase."

Here is the full response by eBay as published in the E-Commerce article:

EBay Disputes Report of Rampant Fraud

I have written numerous posts about fraud on eBay and have discovered that there are a lot of pretty upset customers, who have become victims of internet fraud.

These posts can be found by keyword "eBay" at the top of this page.

There is no doubt that eBay does work with law enforcement, but even they have even been quoted as saying that the information takes too long to get in order to be effective.

eBay and PayPal AND their customers have long been the target of phishing attacks, which lead to account takeovers and further criminal activity. The site is also used to sell a lot of counterfeit merchandise and reports abound of junk being sold via the site.

They argue that they do a lot to prevent fraud on their site, but as I have said, there are still a lot of victims being created, daily.

Perhaps, the answer is to spend a little of the money created by their growth on security, which should include a zero tolerance policy towards fraud. This should include a greater emphasis on creating awareness and apprehending those, who regularly use their business platform to commit fraud.

The very fact that the article from E-Commerce quotes them as saying their business continues to grow indicates that there is money to provide a safer environment for their customers.

If they were a normal retail operation and people were getting robbed when shopping inside their establishment, it wouldn't be long before they enhanced their security to provide a safe shopping environment. IF they failed to do this, they would suffer a loss of business AND or litigation.

Although, the four walls of the internet are slightly larger, the same principle should apply.

Sunday, February 26, 2006

Stealing Data Shouldn't be so Darned Easy

Ernst and Young, the accounting giant, can now join the growing list of companies that have lost sensitive and personal data via simple property theft.

In this breaking story by Ashlee Vance of the Register: Ernst & Young fails to disclose high-profile security breach, laptops were left unsecured and they promptly disappeared.

The Privacy Rights Clearinghouse tracks data breaches: A Chronology of Data Breaches Since the ChoicePoint Incident. If you look at the reasons, stolen computers seem to be a recurring theme.

Credant Technologies did a scary survey back in October, which stated:

"Everyone knows to guard their devices when they're traveling, but the results we found about the office were quite shocking," said Bob Heard, CREDANT Technologies CEO. "What we discovered were corporate environments that are careless and even reckless with laptops, many of which contain crucial company and personal data. And the ease with which these laptops are being stolen in the workplace is stunning."

Here is the full survey from Credant:

Survey Says ... Guard That Laptop at the Office!

Technology has made all of our lives a lot easier, however it has also exposed us to a growing crime wave. In addition to using "technology" to develop countermeasures, perhaps a little common sense should be added to the equation.

It shouldn't be so easy to commit a major breach of sensitive information!

California Continues to Lead the Fight in Terminating Identity Theft


California AND it's leaders have been instrumental in leading the way for legislation to protect it's citizens from identity theft. Interestingly enough, in a political world dictated by party ties, this effort has truly been a bipartisan effort.

SB 1386, which was the first law passed, requires disclosure of data breaches for any corporation doing business in California. This law has been credited with inspiring other laws throughout the United States and Senator Diane Feinstein is one of the sponsors of a similar bill before Congress, S 1789.

Unfortunately, this law is currently awaiting action in "committee."

This week, Governor Schwarzenegger, opened the second annual Identity Theft Summit:

02/23 - Schwarzenegger Opens Identity Theft Summit

Here is a list of California Identity Theft Laws, courtesy of the Privacy Rights Clearinghouse.

I did a previous post on Terminating Identity Theft in California, which illustrates the teamwork of California's leaders in battling this growing epidemic. Hopefully other "leaders" will follow the example and pass the necessary legislation to combat this problem on both a national and international basis.