Retailers’ Point of Sales Terminals “Slurped”

EFTPOS (electronic funds transfer at the point of sale) skimming is a relatively new scam that has become more prevalent over the past few years. This form of skimming involves swapping out the self-swipe point of sale terminals at cash registers and replacing them with devices that record credit and debit card data.

Fast food restaurants, convenience stores, and clothing boutiques are being hit the hardest in Australia. Last year, EFTPOS devices at McDonald’s outlets across Perth were replaced with compromised versions designed to skim cards, cheating 3500 customers out of $4.5 million. The thieves actually replaced the entire device you see at the counter when you order your Big Mac! The problem is so severe that officials have urged people to change their PINs on a weekly basis to prevent their entire bank accounts from being wiped out. A similar scam was pulled off at United States supermarket chain Stop and Shop.

POS machines are particularly vulnerable because the magnetic stripe technology, which has been around for 40 years, is essentially defenseless against modern fraud techniques. Anyone can easily, and legally, purchase a skimming device for a couple hundred dollars.

This problem will continue as long as the current system of accepting magnetic stripe cards is standard in the United States. Our system needs a serious upgrade. In response to its skimming problems, Australia is turning to chip and PIN technology. Last year, Visa announced a four-year plan to shift all Australian cards to chip and PIN. Since this past January, all new Visa credit cards in Australia feature embedded smart chips, and in 2013, signatures will no longer be accepted at checkout.

You can’t protect yourself from this type of scam. But you can recover any losses by paying attention to your statements and refuting any unauthorized transactions within 60 days. And when swiping your card at any POS terminal, be alert for any details that seem unusual. If you notice anything odd about the machine’s appearance, such as wires or error messages, or if your card gets stuck, don’t use it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

New Jersey Home Robbery: One Unlocked Window Brings a Life of Pain

Robbery as defined in Wikipedia is the crime of seizing property through violence or intimidation. At common law, robbery is defined as taking the property of another, with the intent to permanently deprive the person of that property, by means of force or fear. Robbery differs from simple theft, a break-in or burglary on its use of violence and intimidation.

Many of us are told that when you are attacked to let it happen so it doesn’t get any worse. In some cases that may be your only option. Studies have also shown that fighting back might be a better option. Showing resistance and making it difficult for your attacker to do their job often helps you get to safety.

In New Jersey near Atlantic City, “a woman, identified only as ‘L.L.’ in documents, was asleep in her bed and a 28-year-old man crawled in an open window at about 1:30 a.m. L.L. heard something fall, got up to investigate the noise and met the home invader inside her home.

The predator is accused of beating and raping her, then filling a trash bag with personal items in order to derail an investigation before fleeing her home. Armed with a knife, police said, he threatened to kill L.L. if she talked with authorities.”

The best course of action is always to put systems in place to avoid having to confront a predator in the first place.

There are some things that can be done to reduce the chances that your home is targeted for robbery:
1. Install outdoor lighting that may keep the bad guy away
2. Lock all doors and windows always
3. Install security cameras
4. Install a home alarm system. Have a panic button for your home alarm that calls for help and sends a screaming alarm
5. Always run to safety when attacked. The worst thing you can do is nothing.

Robert Siciliano personal security expert to Home Security Source discussing home invasions on the Gordon Elliot Show.

Online Privacy: Fighting for Your Eyeballs

You may have noticed that the Internet is expanding. Major newspapers are publishing all their content online, because the readers expect and demand it. 23 of the 25 largest newspapers are seeing declines in readership. And if people aren’t buying newspapers, advertisers won’t place ads in them.

Newspapers hire journalists to investigate the issues that affect us on a daily basis. It’s these well-paid, experienced journalists who keep us informed, disseminating news that helps us make decisions in our own lives. We need these journalists to expose lies and uncover truth. Without quality journalism, the media’s influence will have an adverse impact on us all.

But if newspapers aren’t making money, journalists won’t have jobs. As newspapers shift their business models from local, paper-based distribution to online, potentially international distribution, their advertising strategy must change.

There are hundreds of new companies that understand this dilemma perfectly and have created technologies to capture your attention by knowing exactly who you are and what you want. This is where targeted Internet advertising comes in, and it has privacy advocates freaking out.

Most major websites now install cookies on your computer, which track what you do online. Over time, these cookies develop a profile, which becomes your digital fingerprint, to a certain extent. You may have noticed after searching for a specific product, advertisements for that particular product or brand appearing on various other websites you visit.

Microsoft, Google, Facebook, and most major newspapers, retailers, and advertisers are in on the game. These large companies are making decisions that affect your privacy. As a consumer, pay close attention to these issues and consider how they might impact you personally.

The Wall Street Journal delves into these questions here, here, and here.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses oversharing on the Internet on Fox News. (Disclosures)

15 Break-ins at Boston Area Churches – Nothing is Sacred

Last year around the holidays I wrote about burglars preying on churches.

This year is no different. The Boston Globe reports: “You know things are bad when they start knocking off churches. And judging by the number of churches knocked off recently, things are very bad indeed.”

“I’m seeing levels of desperation out there I haven’t seen for a long while,” said the church’s priest. “Like most priests and ministers, he sees a lot of people who live on the margins. They come to the three churches he oversees for food and laundry money and help with the rent. They come because they don’t belong anywhere else.

And sometimes they come to steal. There have been 15 break-ins at Boston area churches in the last few months. And that’s just the Catholic ones.”

It doesn’t matter where, when or who, a burglar will go where there is easy access and easy money, or goods to be resold.

Often, it is those on the inside that have knowledge of how things work and where they are. So, it is important to beef up security to protect from the inside-out and from the outside-in.

In some cases burglars enter through unlocked doors; in others, through broken windows; and they will even bust doors off their frames.

Theft happens. Protect against it.

1. Lock up, even if it’s an “open access” environment
2. Have someone always watching the door
3. Install visible motion-sensitive security cameras everywhere, recorded by a DVR
4. Install hidden motion-sensitive security cameras everywhere, recorded by a DVR
5. Install “Monitored by Video Surveillance” signs everywhere
6. Lock doors and windows always
7. Install glass-break prevention film
8. Install a monitored alarm system
9. Be proactive with the help of wireless home security systems and new interactive smart home solutions that go beyond traditional security to a new level of control, accessibility and connection with the property.

Robert Siciliano personal security expert to Home Security Source discussing Home Security and Identity Theft on TBS Movie and a Makeover.

Twitter Crime on the Rise

Twitter is now beginning to see a substantial rise in active users. A recent report found that the percentage of Twitter users who have tweeted ten or more times, have more than ten followers, and follow more than ten people rose from 21% to 29% in the first half of 2010.

Spammers, scammers, and thieves are paying attention.

In the physical world, when communities become larger and more densely populated, crime rises. This also applies to online communities, like Twitter and Facebook.

Twitter’s “direct messages” and “mention” functions are laden with spam, often prompting users to click various links. Why anyone would want me to “Take a Good Look at Hypnotherapy” is beyond me, but someone must be buying because the spam keeps coming.

Common Twitter scams include:

Hijacked Accounts: Numerous Twitter (and Facebook) accounts, including those of President Obama, Britney Spears, Fox News and others have been taken over and used to ridicule, harass, or commit fraud.

Social Media Identity Theft: Hundreds of imposter accounts are set up every day. Sarah Palin, St. Louis Cardinals Coach Tony LaRussa, Kanye West, The Huffington Post, and many others have been impersonated by fake Twitter accounts opened in their names.

Worms: Twitter is sometimes plagued by worms, which spread messages encouraging users to click malicious links. When one user clicks, his account is infected and used to further spread the message. Soon his followers and then their followers are all infected.

DoS Attack: A denial-of-service attack left Twitter dark for more than three hours. The attack seems to have been coordinated by Russian hackers targeting a blogger in the Eastern European country of Georgia.

Botnet Controller: One Twitter account produced links pointed to commands to download code that would make users’ computers part of a botnet.

Phishing: Hacked Twitter accounts are used to send phishing messages, which instruct users to click links that point to spoofed sites, where users will be prompted to enter login credentials, putting themselves at risk of identity theft.

Twitter Porn: Please, “Misty Buttons,” stop sending me invites to chat or to check out your pictures.

Twitter Spam: The use of shortened URLs has made Twitter’s 140 character limit the perfect launch pad for spam, shilling diet pills, Viagra and whatever else you don’t need.

To prevent social media identity theft, take ownership of your name or personal brand on Twitter. Protecting yourself from other scams requires some savvy and an unwillingness to click mysterious links. In other cases, you’ll need to keep your web browser and operating system updated in order to remain safe. Make sure to keep your antivirus software updated with the latest definitions, as well.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hacking wireless networks on Fox Boston. (Disclosures)

Cross-Site Scripting Criminal Hacks

Secure computing requires an ongoing process, as you learn about risks and then implement processes and technology to protect yourself. Without a concerted effort to defend your data, you will almost certainly be victimized by some type of cyber-invasion.

JavaScript is everywhere, making the Internet pretty and most websites user friendly. Unfortunately, hackers have learned to manipulate this ubiquitous technology for personal gain. JavaScript can be used to launch a cross-site scripting attack, which leverages a vulnerability often found in applications that incorporate JavaScript. The vulnerability allows hackers to insert code into a website you frequent, which will infect your browser and then your PC.

Following links without knowing what they point to, using interactive forms on an untrustworthy site, or viewing online discussion groups or other pages where users may post text containing HTML tags can put your browser at risk.

Facebook, one of the most popular websites, is a likely place for JavaScript hacks, due to cross-site scripting vulnerabilities and the overall lack of security of Facebook users. This allows hackers to read a victim’s private Facebook messages, to access private pictures, to send messages to the victim’s contacts on his or her behalf, to add new (and potentially dangerous) Facebook applications, and to steal the victim’s contacts.

Beware of going down the rabbit hole when browsing the Internet. Once you start clicking link after link, you may find yourself on an infected site. And look out for scams such as contests that require you to paste code into Facebook, your blog, or any other site.

To protect yourself from cross-site scripting attacks, update your browser to the most recent version, with the most current security settings.

McAfee offers a free tool, SiteAdvisor, which helps detect malicious sites. In Firefox, you can install NoScript, a plug-in that lets you control when to enable JavaScript. NoScript also includes a list of good and bad sites. In Chrome, you can disable JavaScript in preferences, and in Internet Explorer, you can fiddle with the settings and adjust “Internet Zones,” but the default settings are best for most people. In Adobe Reader, JavaScript can be disabled altogether, under “Edit” and then “Preferences.”

That being said, after messing with default browser or program settings, the reduced functionality may impede your ability to do anything online. The trick is to have the most updated security software and to avoid social engineering scams that ask you to click links or copy code.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

Top 5 Vishing Techniques

“Vishing” occurs when criminals call victims on the phone and attempt to lure them into divulging personal information that can be used to commit identity theft.

The name comes from “voice,” and “phishing,” which is, of course, the use of spoofed emails designed to trick targets into clicking malicious links. Instead of email, vishing generally relies on automated phone calls, which instruct targets to provide account numbers.

Vishing techniques include:

Wardialing: This is when the visher uses an automated system to call specific area codes with a message involving local or regional banks or credit unions. Once someone answers the phone, a generic or targeted recording begins, requesting that the listener enter bank account, credit, or debit card numbers, along with PIN codes.

VoIP: Voice over Internet Protocol, or VoIP, is an Internet-based phone system that can facilitate vishing by allowing multiple technologies to work in tandem. Vishers are known to use VoIP to make calls, as well as to exploit databases connected to VoIP systems.

Caller ID Spoofing: This is the practice of causing the telephone network to display a false number on the recipient’s caller ID. A number of companies provide tools that facilitate caller ID spoofing. VoIP has known flaws that allow for caller ID spoofing. These tools are typically used to populate the caller ID with a specific bank or credit union, or just with the words “Bank” or “Credit Union.”

Social Engineering: Social engineering is a fancier, more technical form of lying. Social engineering (or social penetration) techniques are used to bypass sophisticated security hardware and software. The automated recordings used by vishers tend to be relatively professional and convincing.

Dumpster Diving: One tried-and-tested “hack” is simply digging through a bank’s dumpster and salvaging any lists of client phone numbers. Once the visher has the list, he can program the numbers into his system for a more targeted attack.

To protect yourself from these scams, educate yourself. Knowledge is the key to defending yourself from vishing. The more you understand it, the better off you’ll be, so read up on vishing incidents, and if your bank provides information about vishing online or in the mail, sit up and pay attention. As this crime becomes more sophisticated, you’ll want to be up to date.

If you receive a phone call from a person or a recording requesting personal information, hang up. If the call purports to be coming from a trusted organization, call that entity directly to confirm their request.

Don’t trust caller ID, which can be tampered with and offers a false sense of security.

Call your bank and report any fraud attempts immediately. The sooner you do, the more quickly the scam will be squashed.

Document the call, noting what was said, what information was requested, and, if possible, the phone number or area code of the caller, and report this to your bank.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

Black Friday Launches Holiday Fraud Horrors

The Christmas shopping season traditionally kicks off on Black Friday, the day after Thanksgiving. This also begins a time when criminals swarm the shopping malls as well as the Internet, seeking to take advantage of holiday opportunities.

When shopping in stores, keep the following in mind:

Employees: Seasonal employees are more likely to steal, from their employer and from the customers. It has been said that only 10% of employees are honest, 10% of employees will always steal and 80% will steal based on circumstances. So always count your change.

Credit Card Skimming: When a salesperson or waiter takes your credit card, they can run it through a card reader device that will copy the information stored on the magnetic stripe. So when you hand over your card, watch closely to see where it is taken and what is done with it. It’s normal for the card to be swiped through a point of sale terminal or keyboard card reader. But if you happen to see your card being swiped through an additional reader that doesn’t coincide with the transaction, your card number may have been stolen.

Debit Card Skimming: Without the associated PIN, a skimmed debit card number is difficult to turn into cash. With the help of a hidden camera or a “shoulder surfer,” though, your PIN could be recorded at an ATM or point of sale terminal. Cover the keypad while you’re entering your PIN.

Pickpockets: Pickpockets slink through society, undetected and undeterred. They are subtle and brazen at the same time. They are like bed bugs, crawling on you and injecting numbing venom that prevents you from detecting their bite until it’s much too late.

Be aware of your surroundings, especially in crowded places. Pickpockets use distractions like bumps, commotions, and aggressive people. Sometimes a person will fall down, drop something, or appear to be ill.

Consider subscribing to McAfee Identity Protection, a service that offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss Black Friday on The Morning Show with Mike and Juliet. (Disclosures)

How Much Longer Does the Magstripe Have?

Every U.S.-based credit card has a magnetic stripe on the back. This stripe can be read and rewritten like a rewritable burnable CD, using card burners that are easily available online.

The simplicity of the magstripe’s design, coupled with the availability of card reading and writing technology, results in billions of dollars in theft and fraud.

EAST, the European ATM Security Team, recently released European ATM crime statistics for January through June of 2010. Apparently, skimming at European ATMs increased by 24%, with 5,743 attacks reported in the first six months of 2010, compared with 4,629 during the same period in 2009. There haven’t been so many skimming attacks since EAST began measuring these statistics in 2004.

During this same time frame, however, while incidents of skimming have risen, the associated financial losses have dropped. This is because the cards being skimmed have an additional layer of security known as chip and PIN technology, or EMV, which stands for Europay MasterCard Visa.

But because these cards still have magnetic stripes, they are still being skimmed. The stripe is there for the convenience of cardholders who travel to the United States or the handful of other countries that still rely on the magstripe technology. Chip and PIN cards without magstripes are standard in Europe. As skimming continues, the issue of whether to discontinue the magstripe is bound to come to a head. The European Central Bank’s most recent progress report states:

“In line with Europol’s stance on the future of the magnetic stripe and in support of the industry’s efforts to enhance the security of cards transactions by migrating from the “magnetic stripe” to “EMV chip” cards, the Eurosystem considers that, to ensure a gradual migration, from 2012 onwards, all newly issued SEPA cards should be issued, by default, as “chip-only” cards.”

In the United States, the United Nations Federal Credit Union has adopted chip and PIN technology and Walmart is demanding it. Further, Travelex, the world’s largest non-bank foreign exchange currency provider, introduced America’s first prepaid foreign “currency cards,” available in Euros and British Pounds, that utilize chip & PIN technology. And based on what is happening in Europe, change is in the air.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston. (Disclosures)

“Flash Attacks” Make Big Money for Debit and Credit Card Scammers

The latest ATM scam is so brilliantly simple, it’s hard to believe that it actually works. Apparently, banks’ fraud detection systems are unable to flag nearly simultaneous transactions from the same account. This leaves bank customers vulnerable to what’s been termed a “flash attack,” in which multiple scammers use a stolen debit card number to withdraw cash from the same account.

Once a victim’s debit card number has been successfully skimmed, the card can be cloned, say, 100 times, and the cloned cards can be distributed to 100 people. All 100 people can then use the cloned cards to withdraw cash from 100 different ATMs within a brief window of five or ten minutes. If 100 people withdraw $200 each from the same account, at the same time, the scam nets $20,000 in almost no time.
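One way a bank’s fraud detection could catch the pattern described above is a sliding-window velocity check per account. This is an added example, not code from the post or from any bank; the log format, field names and thresholds are constructed for illustration.

```python
# Added example (not from the post): a sliding-window velocity check of the
# kind that would flag a "flash attack", where many cloned copies of one card
# hit many ATMs within a few minutes. The log format, field names and
# thresholds below are constructed for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # the post's "five or ten minutes"
MAX_DISTINCT_ATMS = 3            # more ATMs than this inside the window is suspicious
MAX_TOTAL = 1000.0               # or more cash than this drawn inside the window

# Constructed withdrawal log: account 4111 is hit from five ATMs in under four
# minutes; account 5222 is an ordinary customer using the same ATM twice.
SAMPLE_LOG = """\
2010-11-26T09:00:05 acct=4111 atm=ATM-017 amount=200
2010-11-26T09:00:40 acct=5222 atm=ATM-003 amount=60
2010-11-26T09:01:10 acct=4111 atm=ATM-042 amount=200
2010-11-26T09:02:00 acct=4111 atm=ATM-088 amount=200
2010-11-26T09:02:45 acct=4111 atm=ATM-101 amount=200
2010-11-26T09:03:30 acct=4111 atm=ATM-119 amount=200
2010-11-26T12:15:00 acct=5222 atm=ATM-003 amount=100
2010-11-26T12:16:30 acct=5222 atm=ATM-003 amount=100
""".splitlines()


def parse_line(line):
    """Parse one constructed log line into a dict with typed fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.fromisoformat(ts),
        "acct": fields["acct"],
        "atm": fields["atm"],
        "amount": float(fields["amount"]),
    }


def detect_flash_attacks(lines, window=WINDOW,
                         max_atms=MAX_DISTINCT_ATMS, max_total=MAX_TOTAL):
    """Return {account: alert} for every account whose withdrawals inside
    any window exceed the distinct-ATM or total-cash threshold.

    The alert records the withdrawal at which the account first tripped,
    so a real system could decline that and later withdrawals in the window."""
    recent = defaultdict(deque)   # per-account withdrawals still inside the window
    alerts = {}
    for rec in sorted((parse_line(l) for l in lines), key=lambda r: r["ts"]):
        q = recent[rec["acct"]]
        q.append(rec)
        # Drop withdrawals that fell out of the window ending at this one.
        while rec["ts"] - q[0]["ts"] > window:
            q.popleft()
        atms = {r["atm"] for r in q}
        total = sum(r["amount"] for r in q)
        if rec["acct"] not in alerts and (len(atms) > max_atms or total > max_total):
            alerts[rec["acct"]] = {"ts": rec["ts"], "atms": len(atms), "total": total}
    return alerts


if __name__ == "__main__":
    for acct, alert in detect_flash_attacks(SAMPLE_LOG).items():
        print(f"account {acct}: {alert['atms']} ATMs, ${alert['total']:.0f} "
              f"within {WINDOW} by {alert['ts'].isoformat()}")
```

Account 4111 trips the distinct-ATM rule at the fourth machine, while the same-ATM repeat withdrawals by 5222 stay under both thresholds; in practice the two thresholds would be tuned against the bank’s own baseline of legitimate activity.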

Your credit or debit card number can be skimmed in a number of different ways:

Wedge Skimming: The most common type of skimming occurs when a salesperson or waiter takes your credit or debit card and runs it through a card reader, which copies the information contained in the card’s magnetic stripe. Once the thief has obtained the credit or debit card data, he can then burn the card number to a blank card, or simply use the number to make purchases online or over the phone.

POS Swaps: Many people pay for goods or services by swiping a credit or debit card through the in-store point of sale machines. EFTPOS (electronic funds transfers at the point of sale) skimming occurs when the point of sale terminal has been replaced with a skimming device. In Australia, fast food chains, convenience stores, and specialty clothing stores have been common targets. McDonald’s, for example, has been hit with this scam.

ATM Skimmers: A card reader device can also be placed on the face of an ATM, disguised as part of the machine. It’s almost impossible for the average user to recognize a skimmer unless it is of poor quality, or the user has an eye for security. Often, the thieves will hide a small pinhole camera in a brochure holder, light bar, mirror or car-stereo-looking speaker on the face of the ATM in order to capture the victim’s PIN. The device may use wireless Bluetooth or cellular technology built to obtain the data remotely. Gas pumps are equally vulnerable to this type of scam.

Data Interceptors: Rather than simply placing a skimmer on the face of a gas pump, some criminals place a data-stealing device inside the pump. Posing as a fuel pump technician, a criminal can use a universal key purchased on eBay to access the terminal. Once inside, they unplug a cable that connects the keypad to the display, and piggyback their own device within the mechanism, in order to capture all the unencrypted card data.

Dummy ATMs: ATMs can easily be purchased through eBay or other outlets, and installed in any heavily trafficked location. The machine, which might be powered by car batteries or plugged into the nearest outlet, is programmed to read and record card data. I found one advertised on Craigslist and picked it up at a nearby bar, for $750 from a guy named Bob.

Once credit card numbers have been skimmed, hackers can copy the data on to blank cards, hotel keys, or “white cards,” which are effective at self-checkouts, or in situations where the thief knows the salesperson and is able to “sweetheart” the transaction. A white card can also be pressed with foils, giving it the appearance of a legitimate credit card.

Federal laws limit cardholder liability to $50 in the case of credit card fraud, as long as the cardholder disputes the charge within 60 days. In order for the $50 limit to apply to debit cards, fraud victims must notify the bank within two days of discovering the fraudulent transactions. After two days, the maximum liability jumps to $500.

When using an ATM, gas pump, or point of sale terminal, always cover your PIN.

As inconvenient as this may seem, regular debit card users should check online statements daily.

Consider limiting your debit card use. I use mine only two or three times a month, for deposits and withdrawals.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)