Saturday, December 06, 2008

Is the CheckFree Hack a New Information Theft Trend?

It was revealed earlier in the week that hackers had taken command and control of a free e-bill Web site called CheckFree.com. CheckFree offers their customers the ability to collect all their bills and pay them with a few clicks of a mouse.

CheckFree is one the larger companies in e-payment business and serves about 24.7 million customers. Given this, there is little doubt they have a large amount of personal and financial data passing through their site.

The hacking method appeared to be a little less than sophisticated. Someone stole the username and password to the site and put in changes that directed users to a page that installs malware on the user's machine. This was done by changing the address in CheckFree.com's domain name system (DNS) to redirect visitors to an Internet address in the Ukraine. Although CheckFree is still analyzing the malware, Brian Krebs at the Washington Post was able to quote Trend Micro as saying the malware was designed to steal user credentials.

The registrar, Network Solutions, was quick to claim there had been no breach of their system. At this point in the game — since no one knows or is saying -- my guess is that this statement probably means there was one that they don't know of at this time. Network Solutions did warn their customers about a phishing attack on their customers about a month ago. This has led to speculation that the credentials were stolen by information-stealing malware, or by social engineering (someone being tricked into giving them up).

The Washington Post story also mentions that U.S. Bank might have been affected by this attack, but isn't commenting. In a subsequent post in Security Fix (Washington Post), Brian Krebs noted that Internet security firm known as Internet Identity reported that 71 other domains were pointed at the Ukrainian domain in question during the attack.

Thus far, about 5,000 victims have been identified. As in the past, instances where identities were compromised are being offered free identity theft protection for their unfortunate circumstance.

I decided to look at the CheckFree site itself. The reason I did this is because whenever I see the word "free," especially in cyberspace, I've learned to be wary.

According to CheckFree.com, everything is free on their site except for fees charged for the use of credit cards and emergency (rush payments). On the site, they publish in bold phrases like "one easy," "secure location," "no charge," and "100% guarantee."

They even run an ad for FreeCreditReport.com on the main page of their site. Although I have to admit that the guitar dude FreeCreditReport.com uses on their ad is pleasing to the eye, the catch is that you automatically sign up for a service that charges you $14.95 a month. You can get around this by cancelling within the first seven days. If you read the fine print disclaimer on FreeCreditReport.com, it says, "ConsumerInfo.com, Inc. and FreeCreditReport.com are not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, you must go to http://www.annualcreditreport.com/." Most experts agree that a person can do the same thing these services offer for free and that most of them do not protect from all forms of identity theft.

I got a little off-track with the FreeCreditReport.com ad, but it amazes me how few people read the small print on guarantees. Because of this, I decided to check out some of the small print on the CheckFree site.

So far as the fraud guarantee — if you read the disclaimer — you have to notify them within two days of the transactions to limit your liability to $50.00. It's pretty unlikely that anyone falling for a fraud on a financial transaction is going to figure it out in two days.

It also guarantees payments will make it on time, as long as you send them within the time period specified in the service agreement. In looking at the service agreement, this is two days before the bill is due. Of course, they do offer rush payments for a fee.

So far as "secure location" statement, if hackers were able to get the admin username and password to their site, this assertion is, at the very best, questionable.

In a second post about this story in Security Fix (Washington Post), it brings up evidence that registrars have been identified by the cyber-criminal community as lucrative targets. This assertion is backed up by recent security studies on the security of domain registrars. This makes sense because some of these sites like CheckFree are a window to hundreds of financial institutions, protected by a single username and password.

I'm surprised no one has raised the question of whether or not the financial information — which presumably has to be stored for record keeping purposes — might have been compromised.

In my limited experience with domain registrars, I've run into some frustrating experiences when trying to report sites (sometimes laden with malware) that were set up for no other reason than to steal personal and financial information. I've found that if you want to get a quick response with some of them, you need to be persistent to the point of being a pest. Given that most fake sites are designed to only stay in operation for a short period of time before they move on, it's like playing a game of whack-a-mole. Because of these experiences, I'm not confident they will be quick to react to this new security challenge. Let's hope I'm wrong.

In the world where outsourcing and contracting have become the norm, it isn't surprising that financial institutions are using third-party platforms to perform financial transactions. Every time information is given to a third party, it makes protecting it more difficult. The reason for this is different standards for protecting information (especially when international borders are crossed) and the fact that back door access is being given to more and more people. In the end, it is human beings who come up with the schemes to steal, not computers.

Whether or not this becomes a trend or not probably depends on how financially lucrative this method of attack becomes for the hackers who did the dirty deed. Of course, if we learn from it and take immediate action, perhaps we can limit some of the damage that could occur. I guess time will be the best judge of that.

Wednesday, December 03, 2008

How to Legally Buy Hot Merchandise


(Courtesy of PropertyRoom.com)

Auction sites like eBay and Craigslist are frequently criticized for the amount of stolen and counterfeit items being sold on their sites. Even worse, stories about their customers being scammed have become Internet folklore.

Now there is a site that openly advertises that it is selling stolen merchandise. Even better, when you buy hot merchandise off this site, you need not worry about the authorities showing up at your door in the wee hours of the morning with a search warrant. The reason for this is that the site is stocked by over 1500 Police Departments and is run by former law enforcement types.

The site, PropertyRoom.com is an e-version of the more traditional auctions held by Police departments to get rid of unclaimed stolen property. "With distribution and service centers nationwide, PropertyRoom.com specializes in the auction of stolen, seized, found and surplus goods and vehicles. Serving over 1,100 law enforcement agencies nationwide, we offer a fraud-free marketplace with superior customer support." according to the "about us" page on the site.

I decided to surf the site and it contains a wide array of goodies at cheaper prices than what I've seen being fenced (speculative) on other Internet auction sites. For instance, desktop computers being auctioned were being bid at well under $100, laptops were showing bids of $100 to $400 and iPods were being bid anywhere from about $16 to $150. Of course computers aren't the only items available on the site, which hawks all kinds of electronics, watches, jewelry, tools, cameras, cars and a host of other high theft items.

It is well known that criminals like to steal high value items that are easy to transport. They also tend to go after items that are popular and easy to sell (fence). If you are looking for popular items, this site is a good place to buy them at an almost too good to be true price, legally.

PropertyRoom.com also is in the fund raising business and will help charitable organizations raise money. All the costs of putting on the event are covered by PropertyRoom.com. I should also mention that some of the proceeds of the sales on the site help fund law enforcement agencies, who like the rest of us, are dealing with ever-dwindling financial resources.

They also maintain the only nationwide registry available to the general public for recovering lost or stolen goods. This service is completely free. You can register items that were stolen already, or your high value items that might be stolen at a later date. If they receive an item that matches what you have registered — your property will be returned to you. Try doing this at any of the other auction sites!

The Internet has opened new avenues for criminals to fence stolen merchandise. This has made it easier to sell stolen merchandise and there are many who believe that it contributes to the problem. The most recent survey by the National Retail Federation estimates that Organized

Retail Crime is a $30 billion a year issue. Their most most recent Organized Crime Survey showed that e-fencing on traditional auction sites has grown by six percent. In response to this, they are even pushing bills in Congress to force the auction sites to allow more access to law enforcement and retailers, who are attempting to shut down this activity.

Even the government has found some of their stolen merchandise available for sale on eBay and Craigslist.

Please remember this doesn't even take into account the billions of dollars of property stolen from ordinary people. It also doesn't take into account the ordinary people who are scammed on auction sites, either. I wouldn't worry about getting scammed on PropertyRoom.com — I'm pretty sure they cooperate with law enforcement to the fullest extent.

We all know money is tight this Christmas season and there are a lot of people trying to stretch their limited resources. PropertyRoom.com is a place where you can do it and be certain that you are not contributing to a growing problem.