Saturday, May 13, 2006

FBI Site to Report Corrupt Civil Servants

The FBI is tired of corruption in government. It's hard to blame them with the amount of it recently reported in the news.

In their own words from the FBI site:

Public corruption is one of the FBI’s top investigative priorities—behind only terrorism, espionage, and cyber crimes. Why? Because our democracy and national security depend on a healthy, efficient, and ethical government. Public corruption can impact everything from how well our borders are secured and our neighborhoods protected…to verdicts handed down in courts of law…to the quality of our roads and schools. Here you can find more information on how we investigate cases of corruption across all levels of government and details on our strong national program to address these crimes.

To go directly to where you can report public corruption, link here.

You can also report dishonest "public sector" activity with a simple telephone call. A list of telephone numbers can be obtained, here.

On their main site, there is a list of stories referencing the prosecution of corrupt civil servants. These can be viewed by clicking on the title of this post.

Remember that when someone in the government steals, it's our tax money that is being abused, and with looming deficits, we need every dollar going where it is supposed to.

After all, tax money is for the good of the people and that is all of us!

Wednesday, May 10, 2006

Are We Addressing Cyber Crime from the Wrong End?

Deb Radcliff is a noted author on cybercrime and its implications. Recently, Deb did a very enlightening post suggesting that our current problems with cybercrime are caused by approaching security "Ass Backwards."

Please note that she got this perspective from someone who knew little or nothing about the world of cyber crime or fraud. Although fraud has been around since the beginning of time, there is little doubt that technology is enabling it to grow more quickly than ever before. There is also little doubt that the Internet, which provides a lot of anonymity, is an enabling factor.

Here is the "thought process" Deb and her friend came to:

"Oh I see what you're saying! It's like we've got two ends of the same business working against each other," I said as I grabbed a notepad and started writing things down. "On the back end, we've got all these information security experts working their tails off trying to close the vulnerabilities. But on the front end, we've got systems that are laying bare our financial identities."

For example, why, after all these years in not-present mediums, are the credit card issuers unable or unwilling to unequivocally vet new applicants to ensure they're issuing the card to a real person with a legitimate identity? Why, at the very least, is the application not tied to a customer phone number for verification?

So now I'm looking at the bigger financial identity framework and I'm seeing all kinds of gaps.

Let's start with the credit reporting agencies who are responsible for our credit ratings and yet they prevent us from getting the information we need to protect our ratings by not alerting us to new accounts opening under our identities. The reporting agencies have the system in place to do this. But they've made it so hard for consumers to order this service (and when they do, they can only get it for 90 days unless they can prove fraud). Why? Because they make much more money processing our financial identities in real-time than they would if they imposed wait times to get approvals.

For the rest of the post on Deb's blog (On line Crime Bytes), link here.

For more on Deb and where you can read her articles, link here.

When we look at too-good-to-be-true Internet crime schemes, greed is always one of the factors a fraudster uses to hook a victim. Could it be that individuals aren't the only ones guilty of letting greed cause a large part of the problem with cybercrime?

To take this thought process further, could the criminals be taking advantage of "corporate greed," which values profit over the people being victimized? After all, up until now, these companies have been able to pass the cost of fraud on to their customers and make a tidy profit.

Forget the "zero liability" public relations programs we are being sold. The fact is that fraud losses are being added into the "cost of the product." These companies are in the business of making a profit and wouldn't be operating otherwise. They are even trying to add to their income streams by pushing "identity theft products," which some consider a little "questionable."

I'm always amazed to note that many of the same companies that have lost massive amounts of information are marketing identity theft insurance. Some of them probably helped create the need for this service.

Until the financial, information and now even retail sectors are forced to take action, I fear the criminals will continue to take advantage of an "Ass Backward" approach to protecting information.

Bruce Schneier, another well-known security expert, echoes this sentiment and has an interesting perspective on what is needed to address cyber crime. He recently wrote:

Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses. If there's one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem. And not just the direct financial losses -- they need to make it less painful to resolve identity theft issues, enabling people to truly clear their names and credit histories. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won't work.

For more on Bruce Schneier and his work, link here.

Let's face it, cybercrime by all estimates continues to grow. The criminal element seems to be very adept at beating current security systems and is beating new measures daily.

Until some "forward thinking" is applied to address this problem, we will never find an effective solution.

Tuesday, May 09, 2006

Fraudster Gangs Deal a Blow to Chip and PIN

Picture of ATM skimming device using a hidden camera.

While North America was under attack in the Debit Card breach a few months ago, Britain rolled out Chip and PIN technology. At the time, the experts promised "Chip and PIN" cards would stop fraud dead in its tracks.

Criminals are already beating this technology with skimming devices, which are mounted on ATMs. And it gets even scarier: the latest devices don't need cameras to record a PIN and can be built from parts ordered over the Internet.

Wikipedia already has an extensive section on Chip and PIN. I was amazed to discover that they were very up to date regarding potential security issues.

Chip and PIN is the name given to the initiative in the UK but countries worldwide are launching their own initiatives based on the EMV standard, which is a group effort between Europay, MasterCard and VISA. By the end of 2004, 100 countries will be using compatible systems based on this standard, and France aims to migrate its existing systems to be compatible with the new cards.

Sean Poulter of the Daily Mail reports on the recent Chip and PIN fraud:

Cloned cards belonging to Britons have been used to withdraw more than £1million in cash from machines in the UK, Paris, Sri Lanka, India and Hong Kong.

One card holder is believed to have lost as much as £25,000.

The police and banks have suggested that the problems at Shell petrol stations, which have centered on Surrey, emerged over the last eight weeks.

However, one Daily Mail reader from that area said his card details were cloned - he believes at a Shell outlet - in July last year.

Other readers believe their card details, including PINs, were stolen at garages operated by other companies, including BP and Esso. Cards have also been cloned at cash machines on at least one Total forecourt and at Tesco stores.

Full story, here.

Reading this, I had to reflect on the recent Debit Card breaches in North America. Early in the story, skimming devices were brought up as a potential source. As the compromise spread across the continent, we heard rumors (still never confirmed) that retail systems were hacked. In the end, a few people were arrested and the story faded away.

Quite simply, it seems that the financial industry isn't commenting.

Whether the intention of not commenting is to protect the public or the financial industry, it is clear that something needs to be done about this in the near term. Hopefully, the lack of information being released on these cases is because a strong investigative effort is underway.

It will be interesting to see what information is released on this latest case and how many more victims this latest caper will claim.

Here is a previous post I did on the Debit Card breach:

Debit Card Breaches, A Growing Problem

Sunday, May 07, 2006

Internet Crimes are On the Rise and Deadlier than Ever

Panda Software recently issued its quarterly report, which comes to the frightening conclusion that 70 percent of all malware they detected in the first quarter of 2006 is related to cyber crime. Activity also seems to have hit record numbers!

Here is their summary:

This report confirms the new malware dynamic based on generating financial returns. Spyware, Trojans, bots and dialers were the most frequently detected types of malware between January and March 2006. Trojans accounted for 47 percent of new malware examples during the first quarter of 2006.

Seventy percent of malware detected during the first quarter of 2006 was related to cyber crime and more specifically, to generating financial returns. This is one of the conclusions of the newly published PandaLabs report, which offers a global vision of malware activity over the first three months of the year. Similarly, the report offers a day by day analysis of the most important events in this area. This report can be downloaded, free of charge, here.

Since this statistic interested me, I jumped over to the Anti-Phishing Working Group's page to see what they had to say. Please note that Panda, along with Websense and MarkMonitor, shares information with the APWG. They confirmed Panda's report that crime on the Internet seems to be at an all-time high.

Here is a tickler from their report:

The total number of unique phishing reports submitted to APWG in March 2006 was 18,480, the most reports ever recorded. This is a count of unique phishing email reports. March 2006 continues the trend of more phishing attacks and more phishing sites. The IRS phishing attack doubled in volume in March as compared to February (in the USA, the tax filing deadline was April 17 in 2006, as the usual April 15 deadline fell on a weekend this year.)

Link, here.

Two of the most concerning forms of malware being used are Keyloggers and Redirectors. Keyloggers are a form of spyware that records all the keystrokes on a computer and transmits them back to the person (criminal) who installed the malware. They are normally used to steal financial information for use in identity theft schemes.

Sadly enough, Keyloggers are legal and easily bought anywhere, including the Internet. They allegedly have legitimate uses like spying on other people?

Perhaps, the FTC should go after some of these vendors like they recently did with the Private Investigators selling telephone records?

Redirectors are trojans that, once installed on a computer, redirect the user to malicious sites where their financial information is stolen. The sites are also known to download more malware (crimeware) onto systems. Redirectors are extremely dangerous because there is little indication you are being hijacked.

The Anti-Phishing Working Group has some excellent educational information on this subject, including what to do if you become a statistic:

How to Avoid Phishing Scams

What To Do If You've Given Out Your Personal Financial Information

Too many people (who know what to look for) ignore and delete phishing attempts. There are a lot of places you can report activity and make an impact. In most cases, it only takes a minute or two to do so.

You can report phishing activity to the APWG, here. Activity can also be reported to PIRT, which is a joint venture by Sunbelt Software and CastleCops.

Another resource to report activity is the Internet Crime Complaint Center, which is associated with the FBI. You can report it in a lot of places, but it is important to report it. If everyone took the time to report one phishy email a day, it would probably have a significant impact.

By reporting the activity that we see and taking advantage of the mostly volunteer efforts to fight it, we might make the Internet a safe place for everyone again. As access becomes cheaper and more widespread, the number of potential victims is growing at a record rate.

Continuing to ignore all those "Phishy" e-mails will only encourage the Phishermen to move forward with greater frequency. Additionally, the attacks are becoming more sophisticated and "how to kits" are being sold on how to do these dirty deeds. This will undoubtedly bring more and more Phishermen to the (already) murky waters of the Internet.

Of course, we can also take the time to educate newer users. In fact, awareness protects people more effectively than anything I've seen thus far.