Saturday, August 23, 2008

Cost Plus Customers Compromised in Data Security Incident

Cost Plus World Market is another retailer where customers were unknowingly giving criminals access to their bank accounts when they made a purchase.

On July 22nd, the company announced that after a thorough investigation they learned the Electronic Funds Transfer devices (PIN pads) might have been compromised at eight Southern California stores by unauthorized third parties.

Since then three additional stores have been identified as being compromised.

The first hint of trouble was in June, when two employees reported unauthorized transactions on their debit cards. By early July, the banks were reporting an unusual number of fraudulent accounts that had one thing in common: they had been used at Cost Plus.

I picked up this story in an article on SignonSanDiego.com published yesterday (08/22/08). The only other mention of it I could find was in a report by FOX News on 7/22/08.

Both the SignonSanDiego.com article and the official press release state that only debit cards, and not credit cards, have been reported compromised. Given that the compromised hardware accepts both credit and debit cards for payment, my humble guess is that credit card information might have been compromised, also. The reality is that you need both a card number and a PIN to get cash. The other reality is that card numbers can often be used without a PIN. My guess is that (at least so far) the crooks behind this were after fast cash.

Cost Plus is working with their payment card processors and the banks to identify customers who might have been compromised. They have also brought in an external data security vendor (Verizon Business/Cybertrust) to analyze their systems. PIN pads are being replaced in all their stores, nationwide.

Compromises involving PIN pads have become more frequent in recent years. Cases are now being seen even where the retailer was compliant with payment card industry security standards. Speculation is that the theft happens while the information is being transmitted internally, before it is sent on to a payment card processor. Once the internal system is compromised, the hackers use sniffer programs to gather all the information, and a data compromise is born.

In the early reports of PIN pad compromises, the actual PIN pads were being replaced. The crooks would later come back in and retrieve the PIN pad to gather the payment card information, or pick it up via a wireless connection.

Since then, my speculation is that the hacking methods being used have become more sophisticated and that PCI data protection standards -- designed to protect merchants from data compromises -- might no longer be 100 percent effective.

Data compromises cost the affected victim, the retailer, and the financial institutions issuing the payment cards.

I tend to write on behalf of the victim, and I wanted to point to an excellent article by Tom Fragala, where he analyzes the protections offered when using credit and debit cards. The general consensus is that it is a lot safer to use a credit card from a consumer point of view. Note that I'm saying this from a security point of view, because too much credit card debt isn't always a good thing, but that's a whole other subject.

Tom is a fellow blogger and the CEO of a privacy-friendly identity theft protection service (Truston) that just won another in what is becoming a long string of awards. They also offer a 45-day (completely) free trial to use their services.

As long as there is a lot of money to be stolen from payment cards, criminals are going to be motivated to defeat security fixes.

The recent news that one of these retail hacking rings was caught and put behind bars will probably go a lot farther in preventing data compromises than security fixes, which seem to be counter-fixed fairly frequently.

The eleven Cost Plus stores known to have been compromised were San Diego (372 Fourth Avenue, San Diego, CA 92101); Oceanside (2140 Vista Way, Oceanside, CA 92054); La Jolla (8657 Villa La Jolla Drive Suite 117, La Jolla, CA 92037); Mission Viejo (28341 Marquerite Parkway, Mission Viejo, CA 92692); San Dimas (638 West Arrow Highway, San Dimas, CA 91773); Valencia (25676 North The Old Road, Valencia, CA 91381); Palm Desert (44-439 Town Center Way, Palm Desert, CA 92260); Oxnard (221 Esplanade Drive, Oxnard, CA 93030); Westlake Village (Thousand Oaks) (160 Promenade Way, Westlake Village, CA 91362); Tucson East (5975 E. Broadway, Tucson, AZ 85711); and Tucson (4821 North Stone Avenue, Tucson, AZ 85704).

Cost Plus also has a FAQ page for people who think they may have been compromised.

Monday, August 18, 2008

Report Reveals That Internet Fraud Threatens E-Commerce

The Center for American Progress just released a report indicating that not enough is being done to protect the public from fraud on the Internet. It's also warning that the convenience, choices and lower prices enjoyed by Internet users are at risk because of this.

The report reveals that high levels of fraud and abuse may cause more and more consumers to lose trust, a key component of any successful business. Malicious software, phishing and spam were cited as primary causes for the high levels of fraud and abuse on the Internet.

Studies indicate that over 80 percent of all e-mail is spam. It should be noted that spam is the preferred delivery vehicle for fraud and abuse on the Internet. Malware and phishing normally start with a spam e-mail. In phishing schemes -- which are designed to steal personal and financial information -- the use of malicious software to automatically steal information is on the rise. In the past, phishing normally relied on a social engineering scheme to accomplish this goal.

The Anti-Phishing Working Group, an organization that tracks phishing activity, has noted an increase in the use of malicious software to phish information. They speculate that the ability of e-criminals to use automated tools to spread crimeware (a.k.a. malware) could be the reason for the increase.

The report states that although the Federal Trade Commission is stepping up enforcement activity, its resources are limited and more action by the state attorneys general is desperately needed. It cites as an example that over the past three years, only 11 cases against spyware distributors have been brought forward by the States, which is the same number taken for action by the FTC.

The Center for American Progress and the Center for Democracy and Technology asked States to provide data on the complaints they received in 2006 and 2007. Thirty-six States responded, and most of them had an Internet-related category listed in their top-ten complaints. It was also noted that overall Internet-related complaints increased from 2006 to 2007. Eight of the States listed Internet-related complaints in their top three, and four States listed them as the number-one complaint.

The FTC, which gathers data on a much wider scale, noted an increase of 16,000 Internet-related complaints in 2007 versus the number received in 2006. Compared to 2005, the increase was 24,000 complaints.

The report points out that many experts speculate that not all cybercrime is reported or even discovered. Additionally, the standard for classifying it varies from State to State, which makes it hard to evaluate current statistical data. Given these factors, many believe the problem is understated.

In looking at the enforcement level by the States, the Center for American Progress and the Center for Democracy and Technology gathered information from annual and biennial reports, websites, news articles, and the bimonthly Cybercrime Newsletter released by the National Association of Attorneys General.

Data from the Cybercrime Newsletter revealed that 60 percent of the cases prosecuted were for the sexual enticement of minors or pornography. Crimes involving the theft of information or identity theft represented 8.9 percent of the total and 15.5 percent involved online sales and services. The majority of the cases involving online sales and services were for false advertising or the quality of a product or service.

The conclusion given by the researchers is that not very many crimes involving phishing, spyware, spam, adware and hacking were being effectively investigated or prosecuted. "Internet crime requires almost no expense to execute, carries potentially high financial rewards, and involves relatively little risk of being caught and punished," according to the report.

The monetary cost of all this activity isn't cheap, either. In 2007, an estimated $7.1 billion was lost due to phishing, viruses and malware in the United States alone. Given that the estimated losses in 2006 were a mere $2 billion, this would lead a reasonable person to speculate that the problem is a growing one. Worldwide estimates put the losses at about $100 billion.

The report gives a possible reason for the increase in activity. With little overhead and few start-up costs, a phishing group can net about $250,000 a month and operate anonymously from just about anywhere in the world.

Do-it-yourself (DIY) phishing kits for sale on the Internet have also been cited as a primary cause of more and more activity. Some of these DIY kits even come with technical support. The bottom line is that it no longer takes much technical knowledge to become a phisherman.

The report speculates that we shouldn't be surprised that online fraud and abuse are at high levels and calls for stronger deterrents. They believe that stronger action by the state attorneys general is key to this effort.

While more support at the State level is needed, I'm not sure if the States can control Internet crime all by themselves. Internet crime moves across borders with a click of a mouse and it's going to be difficult for Alabama to prosecute a spammer or phisherman living in Moscow, Shanghai, Montreal or London.

Two so-called spam kings were recently prosecuted by the federal government. One later escaped and killed himself and family members in the process. These arrests didn't seem to make much of a dent in the amount of spam being sent. Both of the government press releases on these stories mentioned that the spammers were catering to commercial clients. Any solution to crime on the Internet will have to take a long, hard look at what makes the activity so easy to carry out in the first place.

Some blame the Internet Service Providers (which seem to be a dime a dozen) for looking the other way because spam brings in revenue for them. Of course, auction sites like eBay have long been criticized for looking the other way at the criminal activity on their sites. Since Internet Service Providers and auction sites operate worldwide with a click of the mouse, it's difficult to prosecute or investigate anything on the Internet.

The list of Internet crime enablers is long, and the service providers and auction sites referenced above are merely two examples. But if you were to take a look at all of them, they have one thing in common: they maintain an environment conducive to making money easily. The question is how long it will take for the financial and social costs of Internet fraud and abuse to inspire a more responsible and practical approach to the problem.

Sunday, August 17, 2008

Cyber Warfare, Not Just a Theory Anymore?

Last week, the news of a cyber attack by Russia against Georgia made this type of warfare become a chilling reality. According to an article in the LA Times, it also revealed how ill-prepared most of the world is to deal with this new threat.

Most of the experts now agree that the cyber attacks started well before lead started flying and were not very sophisticated by current standards. Most of the attacks were run-of-the-mill DDoS (Distributed Denial of Service) events designed to deface and shut down government sites.

One of the problems is that no one can actually pin the attacks on the Russians. As usual, botnets of zombie computers were used to carry out the assault on the sites in question. Since these zombie computers are taken over by malicious software -- normally after an unsuspecting user clicks on a link in a spam e-mail -- the computers used in the attack probably resided in locations all over the world. Botnets are also used to send out the spam e-mails with the malicious links that turn more systems into zombie computers, which in turn add to the power of the botnet.

Researchers at Shadowserver, a volunteer group monitoring cyber attacks, have traced the attacks against Georgia as starting in July and being based out of the United States, according to an article in the New York Times. The Times article suggested that there might be ties in this attack to Russian organized cyber criminals.

It should be noted that the words "Russia" and "cyber crime" bring up pages of results on most search engines. Russian organized crime is also known to have a global reach, so it is no surprise that some of the current DDoS attacks were traced to a server in the United States. Simply stated, these attacks can be made to appear as if they are coming from just about anywhere.

While this is one of the first times cyber warfare has actually occurred, it's starting to become a topic of concern in government circles. As a matter of fact, in April it was a hot topic at the NATO summit and an EU conference. China is also known to be actively seeking a cyber warfare capability and gets accused of hacking into other governments' websites all the time.

Last year, Estonia also suffered cyber attacks, which were allegedly facilitated by Russian hackers. In an interesting development, Network World reported that Estonia is sending cyber defense advisors to assist the Georgians.

Wikipedia has an interesting article (Wiki) on cyber warfare. It cites McAfee's 2007 annual report as stating that approximately 120 countries have been developing cyber warfare capabilities designed to disrupt financial markets, government computer systems and utilities. The article also lists several recent attacks which many suspect were facilitated by the Russians or the Chinese.

The McAfee report surmised that cyber attack capabilities are becoming a global issue as well as a threat to national security. Current events seem to be making that prediction turn into reality.