Saturday, July 28, 2007

iPhone hacked under laboratory conditions

There is no doubt that the iPhone, Apples new entry in the smart phone market, has received a lot of attention. I just had the opportunity to use one and they are truly an amazing toy, especially when compared to what else is out there.

Whenever something is popular, Internet outlaws normally try to figure out an angle on how to exploit it for their personal (probably financial) gain. In the interest of getting one step ahead of the bad guys - some of the good guys are trying to discover some of the potential issues with the iPhone before they occur.

Read a post written by Mike Gikas on the Consumer Reports Electronic Blog, which stated:

This week Independent Security Evaluators (ISE), a U.S. independent testing lab, dramatized the looming danger by piercing the defenses of the much-vaunted iPhone. (ISE is the lab whose help Consumer Reports seeks for our evaluations of security software. See our report on how we test antivirus software and look for our 2007 State of the Net report, which posts to ConsumerReports.org in early August.)

Apparently, ISE was able to hack New York Times reporter's iPhone by having it visit a website, which downloaded malware (malicious software) on the phone and gave the testers access to files and iPhone functions.

A visual presentation of this evaluation has been posted on YouTube:



Please note this was done under lab conditions and we've yet to see any hacking of the iPhone done in the wild (at least to my knowledge).

Nonetheless, hacking smart phones might become a new trend that people need to be made aware of. Just about any device can be hacked if hackers are motivated enough to do so.

My personal theory is that as smart phones become more common, we will see them exploited more often.

Perhaps, common sense when using any device that connects to the Internet is the best defense out there. Here are the tips offered from the electronic's blog:
1. Only visit Web sites you know.
2. Only use Wi-Fi networks you trust.
3. Don’t open Web links from e-mails.


And of course, don't fall for anything that is too good to be true, or doesn't make sense. Social engineering techniques (confidence tricks, fraud) normally are what lures anyone into a technology exploit.

Here is a previous post on some controversial software being sold that can invade someone's privacy (my opinion) by loading it on their smart phone. Thus far, they are not advertising software that is compatible with the iPhone.

FlexiSpy - software that spies on people via their smart phone

Full post from Mike Gikas on the Electronics Blog (Consumer Reports), here.

Certegy reveals their data breach is a lot larger than originally reported

Earlier this month, I blogged about the Certegy data breach, where a not very HONEST employee got caught selling information to an unidentified data-broker. Certegy was quick to assure the public that none of this information would be used to commit fraud because it was being used by "legitimate marketing firms."

Now the number of records (people compromised) has risen significantly after Certegy filed a report with the Securities and Exchange Commission.

The Tampa Bay Business Journal Reports:

An ongoing investigation has determined that about 8.5 million consumer records were stolen, according to a July 25 Securities and Exchange Commission filing by Fidelity National Information Services Inc. (NYSE: FIS), the Jacksonville-based parent company of St. Petersburg-based Certegy.
According to Fidelity, Certegy's parent company the investigation is continuing and this number could grow.

Florida Attorney General Bill McCollom listed some useful information for victims in a press release, which said:

For more information, consumers may call Certegy at 866-498-9916 or may visit their website at http://www.certegy.com. Affected consumers are encouraged to take the precautionary steps outlined in the Certegy letter, including obtaining a free fraud alert from one of the credit reporting agencies. Furthermore, if consumers believe at any time they are victims of identity theft, they should report this to the police and request that the national credit bureaus place a fraud alert on their credit reports. Consumers should also notify banks and creditors involved of questionable charges or accounts, keep records of all telephone calls and follow up in writing with credit bureaus, banks and creditors.

If you received a letter from Certegy and you continue to receive marketing calls that you suspect result from this data breach, please report this activity to the Attorney General’s Citizens Services Hotline at 1-866-9-No SCAM (1-866-966-7226). Additional information about protecting yourself from identity theft is available online at http://www.myfloridalegal.com/identitytheft.


I've received a lot of comments on my original post, including some (anonymous) claiming their information was used for fraud. Unfortunately, I cannot verify this information, but someone with the e-mail address LPLong@Yahoo.com claims to be collecting victims to file a class action law suit.

My original post with comments, here.

Press release from Florida Attorney General (Bill McCollom), here.

Note this is probably the right place to verify information, if you receive a letter. If you believe you are fraud victim based on the Certegy breach, I would let them know about it, also.

Tampa Bay Business Journal article, here.

Thursday, July 26, 2007

Congress is considering a law to stop Social Security Numbers from being posted in unsafe places


I’ve written a lot about how the buying and selling of personal information enables a lot of identity theft to occur. This multi-billion dollar industry assures our most personal information is available to ANYONE, who wants to buy it, and stored in a lot of places that might, or might not be very secure.

With all the data breaches that occur, my guess is that it is stored in a lot of not very secure places.

The Consumers Union’s FinancialPrivacyNow.org is running a campaign, where you can write your elected representative and let them know how you feel about this subject:

No more Social Security Numbers on Medicare cards, checks, or on the Internet! The House Ways and Means committee has unanimously passed legislation that would accomplish just this. H.R. 3046 would stop the widespread and unnecessary sale, purchase and displaying of Social Security Numbers by government and businesses that has made consumers more vulnerable to identity theft. Twenty-five House members have already expressed support. Urge your House member to support H.R. 3046 and make sure that industry doesn’t create holes in the bill’s protections.


Link to where you can write your elected representative, here.

Because employers are checking applicants more carefully, many are saying that illegal immigrants will be forced to use real social security numbers to obtain employment. Here is a post, I wrote about that:

Will stricter enforcement cause more illegal immigrants to assume real people's social security numbers?

This might make a growing problem worse. Personal and financial information is already being stolen and sold in a lot of places, including chat rooms on the Internet.

Stopping one of the reasons information is too easy to steal could have a positive impact on what has become a very negative situtation!

Sunday, July 22, 2007

Disney learns (the hard way) that insiders can be the biggest threat to information security

In the world of data breaches, nothing is sacred, not even Disney. It has come to light that a subcontractor (Alta Resources, Inc.) had an employee, who sold credit card information to federal agents.

Jaikumar Vijayan, Computerworld reports:

A subcontractor working for a company that processes and fulfills orders for the Disney Movie Club sold credit card numbers and other account information belonging to an unknown number of customers to undercover law enforcement agents.

The May 2007 incident has prompted Disney to send out letters to an unspecified number of customers informing them about the breach.
Jaikumar tried to get Disney to comment, but in standing with data breach protocol, they declined to do so. He was able to get one of the letters sent out to the customers, who were breached.

The letter reassured the "compromised" by stating:

Law enforcement officials have informed us that there is no indication that your information was used to make improper purchases or sold to anyone other than federal law enforcement agents," Flynn said in his letter. "Nevertheless, in an abundance of caution, we have informed representatives of Visa, MasterCard, American Express and Discover of these events."

Given the wholesomeness of Disney, their customers could be considered lucrative targets for identity theft. Most of them probably have good credit.

Either, the person involved was caught right from the beginning, or he isn't talking.

They are also saying that CVV/CVC codes were not compromised. CVV/CVC codes are three-digit codes added to a payment card as an extra layer of security.

I went to the site and didn't see CVV/CVC codes being asked for after pretending to buy some merchandise from them? Granted, I didn't click "buy," which would have sent my credit card information to them, but I completed the rest of the steps.

Not all merchants ask for this code, when someone makes a purchase, or payment over the Internet.

It amazes me how optimistically data breaches are presented.

In an Orlando Sentinel article about the breach, officials at Disney were quick to point out they had been "independently certified by under the Payment Card Industry Data Security Standard."

PCI data security protection standards are being pushed on merchants right now -- but as long as one dishonest person is given access, or is tricked into doing so -- no amount of security is going to protect information.

PCI data security protection standards are a step in the right direction, but need to be combined with other sound practices to protect businesses from being compromised.

PC World article, here.

Update: NetworkWorld's Buzzblog is quoting a Orlando Sentinel story that David Haltinner of Wisconsin has been charged in the case. They also have a link showing a copy of the official letter, here and a letter from a customer, claiming their card, which was on file with Disney had fraudulent purchases ($8,000.00 worth) put on it.

The writer of the letter did try to report this, but was told that it probably didn't tie into this breach. Finding the point of compromise in a credit card fraud case is difficult to say the least. Perhaps, this is why the recent GAO report on data breaches claims very little fraud is being tied into the compromises they studied?

With all the entities being compromised only revealing as little as they have to, there is a lot of plausible deniability.

The Buzzblog got the customer notification letter from someone at Attrition.org, who tracks data breaches on their site, here.

LA Gangs take a vacation in Hawaii using funny (counterfeit) money

I've read a lot about street gangs, who used to finance themselves by selling drugs, moving into the financial crimes arena. Some say financial crimes are a lot more profitable, and the punishment for getting caught isn't nearly as harsh.

Looks like some of them have gone West (Hawaii) to enjoy a little vacation financed with "funny money."

The HawaiiChannel.com is reporting:

Thousands of dollars worth of counterfeit $100 bills are flowing into Hawaii, most likely from Los Angeles-based gangs, according to Secret Service officials.

For the last week or so, $2,000 to $2,500 a day in counterfeit $100 bills have been passed at retail stores in Waikiki and across the islands, the Secret Service said.

Some high-end Hawaii retailers are taking a hit.

Apparently, the members of the Bloods and Crips involved in this (didn't know they were hanging out together) sometimes buy merchandise and then refund it a short while later. Refund fraud is a common way criminals launder money, or turn it into disposable income.

According to the article, counterfeit (funny) money is also being passed by members of the military coming back from the Middle East.

HawaiiNewsChannel.com article, here. There is a pretty good video on how to detect counterfeit money to the left of the article.

The article confirms what I've seen a lot of in the past couple of years, which is that a lot of the counterfeit money in circulation are five dollar bills washed into hundred bills. Because of this, the counterfeit detection pens, which most merchants use don't work.

The best way to detect them is to hold them up to the light and if the hologram is Abraham Lincoln instead of Benjamin Franklin, it is a counterfeit. The embedded strips will also state that they are five dollar bills, if they are counterfeit.

If you are in the money business, I recommend teaching your employees how to visually inspect money. Counterfeit detection devices are not 100 percent reliable.

The Money Factory (government site) has a lot of good information on how to detect counterfeit money, here.

The United States Secret Service also has a page on their site with a lot of information, here.