Thursday, January 11, 2007

New phishing rod being marketed on Internet crime forums

A new and more dangerous "phishing rod" is being marketed and sold on Internet crime forums, which means it will be readily available to all sorts of "i-jackers" (identity thieves). What makes this one worse than the usual fake log-in page is that it relays the victim's session to the real site in real time, so the page looks and behaves like the genuine one while everything typed into it is captured.

DigitalTransactionNews is reporting:

RSA Security Inc. on Wednesday announced its analysts had discovered a powerful new phishing tool fraudsters are selling via online forums and using to hoodwink consumers. The tool, which RSA calls a “universal man-in-the-middle phishing kit,” allows phishers to set up a URL that can interact in real time with the actual content of the Web site of a targeted brand, such as a bank or e-commerce site. In this way, the fraudsters can intercept any data consumers may enter at the log-in or checkout pages of these sites. They then send out phishing e-mails embedded with links that send recipients to the fake URL, where the user can see an organization’s legitimate Web site but where any information he enters will be hijacked by the fraudsters as he types it.

The new tool is especially insidious, says RSA, because of its all-purpose nature. Fraudsters can use it to target any Web site without having to customize or create a tool for each brand. Also, the tool collects all data users enter, including all information the user types in after logging in. Typically, phishing attacks gather only data they request, usually passwords, PINs, or credit and debit card account numbers.


DigitalTransactionNews article, here.
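The kit RSA describes works by relaying the victim's browser to the real site, so nothing on the page itself looks wrong; what gives it away is the address the victim was sent to (and the certificate a browser would show belongs to the relay's domain, not the bank's). The following is an added example for this post, not code from RSA, CastleCops or PIRT: it pulls the links out of a constructed phishing e-mail and flags the lure patterns such kits depend on, a hostname that merely contains the targeted brand's domain, anchor text that shows one address while the href leads to another, and a bare IP address in place of a hostname. The brand domain bank.example.com, the relay hostnames and the e-mail body are all made up for the example.

```python
"""Flag the link patterns a man-in-the-middle phishing lure relies on.

Added example: the e-mail body and domains below are constructed for
illustration; bank.example.com stands in for the targeted brand.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing e-mail: one relay URL that embeds the brand's
# hostname, one bare-IP link, and one genuine link to the real site.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account details:</p>
<a href="http://www.bank.example.com.update-secure.test/login">https://www.bank.example.com/login</a>
<a href="http://203.0.113.7/~bank/login">Click here</a>
<a href="https://www.bank.example.com/help">Help center</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Lower-cased host of a URL; scheme-less input is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    """True when host is the brand's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def text_hostname(text):
    """Host named by anchor text, if that text itself looks like a URL or domain."""
    if " " in text or "." not in text:
        return ""
    return hostname(text)


def analyze(email_html, brand_domain):
    """Return one finding per link that does not land on brand_domain."""
    brand_domain = brand_domain.lower()
    collector = _LinkCollector()
    collector.feed(email_html)
    findings = []
    for href, text in collector.links:
        host = hostname(href)
        if belongs_to(host, brand_domain):
            continue  # genuine link to the real site
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP address as host")
        except ValueError:
            pass
        # the brand's domain appearing as a run of labels inside a longer host
        if "." + brand_domain + "." in "." + host + ".":
            reasons.append("brand domain embedded in another host")
        shown = text_hostname(text)
        if shown and shown != host:
            reasons.append(f"visible text shows {shown} but link goes to {host}")
        if not reasons:
            reasons.append("link leaves the brand's domain")
        findings.append({"href": href, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, "bank.example.com"):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

Run as a script it prints one line per suspicious link; a mail filter or a PIRT-style triage queue would feed real message bodies into analyze() the same way. The embedded-brand check only catches relays whose hostname includes the brand string, so a relay on an unrelated lookalike domain is caught only by the text/href mismatch or by comparing the host against the brand's list of legitimate domains, which is the check to add before relying on this in production.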

I first read about the man-in-the-middle phishing attack when it was discovered at CastleCops by PIRT (Phishing Incident Reporting and Termination Squad) and reported by Internet crime writer Brian Krebs of the Washington Post, here.

PIRT is a great place to report suspected phish. They have a lot of dedicated personnel that fight phishing!

It's a shame that these Internet crime forums are allowed to continue operating. It's even been reported that one of them is being "hosted" in the Islamic Republic of Iran.

And Internet crime isn't the only problem that Iran is hosting. I'm sure some of our brave troops in Iraq and Afghanistan could attest to that.

Until we go after the sources of this problem, I have a "bad feeling" that Internet crime will continue to grow.

The FTC was recently given greater powers to follow Internet criminal activity across borders. Maybe laws like these will enable the "good guys" to start having a more "lasting" effect on the people behind the problem.

Will competition make it harder to write off fraud costs on auction sites?

Perhaps market forces will be what it takes to better protect buyers and sellers from fraud on auction sites. Competition dictates that auction providers will have to offer a "better deal" to attract and keep their customers.

Internet auctions have become a "very" popular way to buy and sell goods, but they've also attracted a lot of fraud. And fraud seems to be motivating some changes at the most popular auction site, eBay.

eBay is limiting what types of transactions it protects and is banning Google Checkout on its site. At the same time, it is increasing the dollar amount protected when PayPal is used.

Ina Steiner of AuctionBytes wrote:

eBay will double PayPal Buyer Protection on its site, offering up to $2,000 of coverage for qualified transactions on eBay.com, but is eliminating buyer-protection for non-PayPal transactions. The move is a dramatic effort by eBay to push buyers to use its PayPal online-payment service at a time when it faces increasing competition from Google Checkout, a method it prohibits sellers from accepting on its site.
AuctionBytes story, here.

The story also mentions that eBay no longer protects transactions with financial instruments, such as wire transfers, money orders and checks. Scams using these now "unprotected" financial instruments have been well documented in the auction world.

The message is that if you don't use PayPal or a credit card, you aren't protected on eBay.

I'm not sure whether eBay is trying to limit its own fraud exposure, or whether it is marketing fraud protection.

Even though buyers might be getting "slightly" more protection, sellers seem to be more at risk of losing money from fraud than they were before. They are either going to have to limit their "accepted payment methods," or take the chance of losing more money.

As for credit cards, sellers are, and always have been, at risk of chargebacks from the financial institution involved.

It will be interesting to see how this progresses and how auction users react.

The auction business is getting more "competitive," and writing off the cost of fraud is going to become "increasingly more difficult."

Here are some previous posts, I've written on auction fraud:

Romanian Second-Chance eBay Scammers Busted

California Issues Alert on Emerging eBay Fraud Trend

How to Spot a Counterfeit on eBay

Bid Reaper, "TELLING IT LIKE IT IS" on eBay

Auction Fraud and the Romanian Connection

How to Protect Yourself on eBay

BBB Worker Takes Job Processing Fraudulent eBay Transactions

Sunday, January 07, 2007

With all the data breaches - something needs to be done!

There have been a lot of large data breaches in the past year in which anonymous sources pointed to a retailer (merchant) as the point of compromise. Of course, as in most data breaches, the rumors were often "downplayed" and in some instances denied.

Card processors have also been accused of retaining information they shouldn't have.

The Privacy Rights Clearinghouse maintains a chronology of data breaches since 2005, which can be viewed, here.

A business has good reason not to disclose everything: the negative publicity would hurt its bottom line.

This is probably one of the better arguments for legislation requiring full disclosure, when people's personal information is compromised.

Could it be that a lot of these breaches are enabled by point-of-sale systems that store too much information, protect it poorly, and are therefore easily compromised (hacked) by criminals? The card brands' security standard already forbids keeping full magnetic-stripe data, card-verification codes and PINs after a transaction has been authorized, so a system that still holds them is both non-compliant and a ready-made target.

Last month, Visa issued a press release offering $20 million in incentives to what it terms Level 1 and Level 2 merchants (the largest by transaction volume) to help them become compliant with the existing PCI standard. It also mentions fines that will be imposed, through their acquiring banks, on merchants who decide they aren't going to conform.

The press release states:

"Locking down cardholder data is an important security component that will benefit financial institutions and merchants, and is equally important to maintain consumer trust in Visa," said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA. "By combining both incentives and fines, we expect acquirers to increase their efforts with merchants to accelerate their progress toward becoming PCI compliant and eliminating the storage of sensitive card data. Nothing is more important to Visa than securing commerce."

According to the press release, "current PCI compliance among Level 1 merchants is at 36 percent and 15 percent among Level 2 merchants, with the majority in both levels actively working toward compliance."

The bottom line is that the card brands themselves appear to be getting pretty sick and tired of all the data breaches. My guess is that the banks, who deal with the customer fall-out, are getting pretty tired of it, also.

After one of the many posts I've written about data breaches, I came into contact with a company called SecurityMetrics. SecurityMetrics provides a service to assist merchants in protecting the information they handle.

Wen Free (Director of Business Development) told me that he believes breaches at the merchant level are becoming an "all too common" problem. Wen also told me that I would be shocked at how many merchants aren't in compliance and are storing information which isn't protected properly.

Wen pointed me to a tool developed by SecurityMetrics and MasterCard, where a business can run a Free-Scan (https://www.securitymetrics.com/eval_scan.adp) of their systems, to determine how compliant they actually are.

If these observations are correct, such merchants make lucrative targets for hackers in search of people's financial information.

The fact that only 36 percent of Level 1 merchants and 15 percent of Level 2 merchants are "compliant" supports his contentions. And we have to remember that Visa isn't the only major card brand in the game, and that most merchants accept several ways to pay for their goods and services, so the problem is not limited to Visa cards.
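Visa's incentives and fines are aimed at "eliminating the storage of sensitive card data", and the one thing a merchant can check before an assessor, or an attacker, does it for them is whether full card numbers are sitting in plain text in logs, databases or exports. The scanner below is an added example written for this post, not SecurityMetrics', Visa's or MasterCard's tool: it walks a constructed point-of-sale log, pulls out every run of 13 to 19 digits and keeps the ones that pass the Luhn check-digit test every card number satisfies, reporting them masked to the first six and last four digits. The log lines are made up; the two card numbers are the well-known Visa and MasterCard test numbers, not real accounts.

```python
"""Find full card numbers (PANs) lying in point-of-sale logs or exports.

Added example, not SecurityMetrics', Visa's or the post author's code.
The log lines are constructed; 4111111111111111 and 5555555555554444
are the published Visa/MasterCard test numbers, not real accounts.
"""
import re

# Constructed POS debug log: two lines leak a PAN, two carry 16-digit
# order numbers that happen to look like card numbers but fail Luhn.
SAMPLE_POS_LOG = """\
2007-01-07 15:30:12 TXN approved order=1234567890123456 amount=49.95
2007-01-07 15:30:12 DEBUG auth request pan=4111111111111111 exp=0309
2007-01-07 15:31:40 DEBUG auth request pan=5555 5555 5555 4444 exp=1108
2007-01-07 15:32:01 TXN declined order=1234567890123457 amount=12.00
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits, the most PCI allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return [{line, column, pan_masked}] for every Luhn-valid PAN-shaped run."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append({"line": lineno, "column": m.start(),
                             "pan_masked": mask(digits)})
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_POS_LOG):
        print(f"line {hit['line']} col {hit['column']}: {hit['pan_masked']}")
```

Roughly one random 16-digit number in ten passes Luhn, so a hit is a lead to confirm, not proof; conversely the scan sees nothing that is encrypted, encoded or split across fields, so a clean result is not a compliance pass. Pointing it at log directories, database dumps and backup media is the quick first cut of a cardholder-data discovery exercise.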

With all the recent large-scale attacks on payment systems, it's going to be harder and harder for businesses to absorb losses from data breaches. Recent stories of carder forums, where this information is bought and sold on the Internet, point to an abundance of (already breached) information being available.

How the losses are allocated is normally kept pretty quiet, but my guess is that if the banks can charge back a merchant, they are doing so. But if the truth were to be told, these losses are eventually being charged back to all of us in the form of higher prices.

There are also customers stating that their fraud claims have been denied, and they are stuck with the loss. This can be especially true with debit cards, where the customer's liability grows the longer the loss goes unreported.

Should everyone involved fail to solve this problem by themselves, my guess is that legislation will be the next step. After all, one of the most important assets in any business is the "trust and confidence" of its customers.

Here is a previous post, I wrote on this subject:

Is it a Lack of Security at Retailers Causing the Debit/Credit Card Breaches?