Credit Card Processors Targeted In Hacker Attacks

WE DO NOT SELL DUMPS. DO NOT EMAIL OR CALL US.

WE DO NOT SELL DUMPS

A European hacker broke into a U.S. company’s computer network and stole 1,400 credit card numbers, account holders’ names and addresses, and security codes. The hacker, nicknamed Poxxie, sold the stolen credit card data to other cyber criminals through his own website, CVV2s.in, for $3.50 per credit card.

The malicious software or virus cyber criminals used in these hacker attacks are often known as “sniffer” software used to intercept credit and debit card numbers.  “Sniffer” software or “malware” malicious software, acts like a virus attaching itself to a network and often spreading. The software allows the criminal hacker backdoor access to all the data in the server and provides remote control functionality.

Other hacker attacks targeting credit card processors are called “spear phishing”. When an employee receives a spear phishing email and clicks the link, a program beings to download disabling the company’s anti-virus and defeating all network security measures. This is why one must never click links in the body of an email. There are hardly ever links in emails that can’t be worked around either in the favorite menus or via manually typing in the browser.

Protecting small business customer credit card data starts with PCI Compliance and basic network security tips including:

Software: Antivirus, anti-phishing, antispyware. Total protection “all access” suites of protection and full disk encryption

Hardware: Routers, firewall security appliances

Physical security: Commercial grade solid core doors, security alarm systems, security cameras.

Email Security: NEVER click links in an email of a person or company you are unfamiliar with or have not requested information from. It’s shear laziness, naiveté or foolishness when someone clicks links in the body of an email from an unfamiliar address.

Ethical hackers: Get yourself and ethical hacker to test your network and see what damage he can do before the bad guy does.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Top 13 Halloween Safety Tips

The fall is here and Halloween is right around the corner. Fortunately for me I have two kids which means I’m going trick or treating and eating 20lbs of chocolate on November 1st.  Don’t worry I’ll give them a few pieces!

To prepare you and your family for a safe and secure Halloween follow these child safety tips from the Center for Disease Control:

  1. One basic Halloween safety tip is to avoid trick-or-treating alone. Walk in groups or with a trusted adult.
  2. Fasten reflective tape to Halloween costumes and bags to help drivers see you.
  3. Examine all treats for choking hazards and tampering before eating them. Limit the amount of Halloween treats you eat.
  4. Hold a flashlight while trick-or-treating to help you see and others see you. Always WALK and don’t run from house to house.
  5. Always test make-up in a small area first. Remove it before bedtime to prevent possible skin and eye irritation.
  6. Look both ways before crossing the street. Use established crosswalks wherever possible.
  7. Lower your risk for serious eye injury by not wearing decorative contact lenses.
  8. Only walk on sidewalks whenever possible, or on the far edge of the road facing traffic to stay safe.
  9. Wear well-fitting masks, costumes, and shoes to avoid blocked vision, trips, and falls.
  10. Eat only factory-wrapped treats. For your child’s safety, avoid eating homemade treats made by strangers.
  11. Enter homes only if you’re with a trusted adult.
  12. To prevent fires, never walk near lit candles or luminaries. Be sure to wear flame-resistant costumes.
  13. (Because 13 is a scary number) When I was a teen kids would be foolish and dangerous and douse someone’s head with hair removal products.  It’s dangerous, stupid and can cause irreversible damage to the eyes, and is poisonous if ingested.

Robert Siciliano personal and home security specialist toHome Security Source discussing ADT Pulse on Fox News. Disclosures

Cybersecurity Matters in The Election

The term “cyberattack” or cyberwarfare is defined as “politically motivated hacking to conduct sabotage and espionage. It is a form of information warfare sometimes seen as analogous to conventional warfare although this analogy is controversial for both its accuracy and its political motivation.”

“Weapons of Mass Disruption” are a growing concern. The U.S. and many other countries are electrically and digitally dependent. Our critical infrastructures, including drinking water, sewer systems, phone lines, banks, air traffic, and government systems, all depend on the electric grid. After a major successful attack we’d be back to the dark ages instantly. No electricity, no computers, no gasoline, no refrigeration, no clean water. Think about when the power goes out in your house for a few hours. We’re stymied.

The New York Times reports “Defense Secretary Leon E. Panetta warned Thursday that the United States was facing the possibility of a “cyber-Pearl Harbor” and was increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid, transportation system, financial networks and government.”

The threats of a cyberattack are real. Unfortunately tis is one of those “it’s not IF but WHEN” scenarios.

The AP reports “President Barack Obama wants owners and operators of essential U.S. infrastructure to meet minimum cybersecurity standards that the private sector and federal agencies would develop together.”And “Republican presidential candidate Mitt Romney says within his first 100 days in office he would order all federal agencies to develop a national strategy to deter and defend the country from cyberattacks.”

Whomever is elected president will face an unknown unseen digital enemy unlike any other president has seen in history.

Think before you click. Know who’s on the other side of that instant message. What you say or do in cyberspace stays in cyberspace — for many to see, steal and use against you or your government.

The Internet is incredibly powerful tool that must be used intelligently and cautiously. Do your part to protect your little network and we will all be that much safer.

Use antivirus software, spyware removal, parental controls and firewalls.

Back up your data locally and in the cloud.

Understand the risks associated with the wireless web especially when using unsecured public networks.

Protect your identity too. The most valuable resource you have is your good name. Allowing anyone to pose as you and let them damage your reputation is almost facilitating a crime. Nobody will protect you, except you.

Robert Siciliano, personal security expert contributor to Just Ask GemaltoDisclosures

Social Media Security in the Workplace

Why someone would set up a fake social media profile? The answer correlates with news of cyber-attacks on businesses and other organizations being targeted with advanced persistent threats which has risen sharply over the past two years.

The Register reports “Social engineering via platforms such as Facebook can be one of the early stages of an advanced persistent threat (APT), the latest buzz word on the information security scene and a technique commonly linked to cyber spies operating from China.”

One highly publicized cyber-attack was on Supreme Allied Commander Europe (SACEUR) Admiral James Stavridis NATO’s most senior military official.

It is believed the social media account in his name was “attempt to trick colleagues, friends and family into giving away his personal secrets on the social network”

These cyber-attacks on social media are often used to gather intelligence to crack a password or to gain insight to knowledge based questions or challenge questions. For example:

  • What’s your favorite food?
  • Where did you honeymoon?
  • Your first pets name?
  • Name of your first car?
  • The name of your elementary school?
  • Your father’s middle name?
  • Your mother’s maiden name?

All these questions are meant to bypass social media security and replace that used-to-be-secret-obscure word that only you and your parents would know the answer to.

Officers of a company or anyone in a pivotal position like HR or accounting, need to recognize IT security risks and realize while they may not be a NATO commander they do have access to company and client data that may be worth serious money to a thief, competitor or foreign government.

Below are a few social media security tips on how to prevent cyber-attacks

  • Keep social media profiles all business
  • Limit “lifestyle” information and set your privacy setting to high
  • Don’t just friend anyone
  • Be cognizant that someone’s always watching and might be using what you post to access your company data

Robert Siciliano personal and small business security specialist toADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Your Rights To Online Privacy

“Americans have always cherished our privacy. From the birth of our republic, we assured ourselves protection against unlawful intrusion into our homes and our personal papers. At the same time, we set up a postal system to enable citizens all over the new nation to engage in commerce and political discourse. Soon after, Congress made it a crime to invade the privacy of the mails. And later we extended privacy protections to new modes of communications such as the telephone, the computer, and eventually email.” The Whitehouse.

Corporations, without any FTC or privacy advocate oversight, would pretty much invade your online privacy.  Most major websites now install cookies on your computer, which, over time, help develop a profile that serves as your digital fingerprint. This is why, after searching for a specific product, you may notice advertisements for that particular product or brand appearing on various other websites. This is generally harmless.

A cookie is a small piece of text or code that is stored on your computer in order to track data. Cookies contain bits of information such as user preferences, shopping cart contents and sometimes user names and passwords. Cookies allow your web browser to communicate with a website. Cookies are not the same as spyware or viruses, although they are related. Many anti-spyware products will detect cookies from certain sites, but while cookies have the potential to be malicious, most are not.

With privacy watchdogs addressing this kind of advertising as a major concern, and the Obama administration now stepping in, we will surely see the implementation of some standards in this kind of marketing practice over the next few years.

The New York Times reports “The Obama administration and the nation’s chief privacy regulator pressed Congress to enact online privacy legislation, saying new laws would level the playing field between companies that already had privacy policies and those that lacked them, and thus escape regulatory oversight.”

The White House has put forward what it calls a Privacy Bill of Rights to provide basic online protection guarantees. Read up, and recognize you have rights.

The Obama Administration’s framework consists of four key elements: A Consumer Privacy Bill of Rights, a multi-stakeholder process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts, effective enforcement, and a commitment to increase interoperability with the privacy frameworks of the US’s international partners.

Robert Siciliano, personal security expert contributor to Just Ask GemaltoDisclosures

Internet Privacy Tools for Online Safety

Drug dealers, child pornographers, terrorists and criminal hackers, are often sharing the same Internet privacy tools as law enforcement, domestic violence victims and citizens of oppressive governments who most likely use a “darknet” which is an anonymous secret internet designed to cover their tracks and protect them from internet surveillance. The “darknet” is used by both good and bad people with various intentions.

These internet security tools are designed to work like a private tunnel through the internet.

And then there’s the government funded “Tor” project. The Boston Globe reports “Tor stands for ‘the onion routing’ project, initiated by the US Naval Research Laboratory in the 1990s to camouflage government communications by sending messages through a system of computers. The project was expanded in 2001 by two Massachusetts Institute of Technology students who made the technology more accessible to civilians.”

Government officials say they support the project because it provides potentially life-saving online safety and privacy for the people who need it most.  “Tor is a publicly available tool. It is used by activists and bloggers, by average US citizens protecting against identity theft, and by military and law enforcement officers conducting investigations and intelligence gathering,’’ a State Department spokesman said.

Just because internet privacy tools can be used for bad reasons by bad people doesn’t mean they are bad. A baseball bat can be used for bad reasons too.

For someone who is a victim of a stalker or domestic violence, a privacy tool like this can be a lifesaver.

 

Robert Siciliano personal and home security specialist toHome Security Source discussing ADT Pulse on Fox News. Disclosures

10 Ways To Protect Kids Online

Children engage in online shopping, social media, mobile web, and computers just like adults do. Many parents feel a bit overwhelmed by technology and often throw their hands in the air and give up. Unfortunately, that’s not an option. It is essential that parents educate themselves on safe, secure online practices in order to set a positive example and provide guidance for their children as they navigate the web.

Parents who lack experience with the Internet, computers, or mobile phones must learn the basics before they can adequately monitor their children’s habits. A parent’s discomfort or unfamiliarity with technology is no excuse to let a child run wild on the Internet.

As with any task, one should start with the fundamentals. Spend as much time as possible with kids in their online world. Learn about the people with whom they interact, the places they visit, and the information they encounter. Be prepared to respond appropriately, regardless of what sort of content they find. Remember, this is family time.

  1. Narrow down devices: Many parents set up the family computer in a high-traffic family area, and limit the time children may spend using it. This is still good advice, but it becomes less feasible as more children have their own laptops and mobile phones, which can’t be so easily monitored.
  2. Recognize predatory behavior: Teach children to recognize inappropriate behavior. Kids will be kids, but that doesn’t mean it’s okay to say mean things, send racy pictures, make rude requests, or suggest illegal behavior. If it isn’t okay in the physical world, it isn’t okay on the Internet.
  3. Use parental controls: Consider investing in computer security software with parental controls, which limit the sites kids can access.
  4. Discuss right from wrong: Decide exactly what is and is not okay with regards to the kinds of websites kids should visit. This dialogue helps parents and children develop a process for determining appropriate online behavior.
  5. Clamp down: Children should be restricted to monitored, age-appropriate chat rooms. Spend time with your children to get a feel for the language and discussion occurring on the websites they wish to visit.
  6. Stay anonymous: Do not allow children to create usernames that reveal their true identities or are provocative.
  7. Be secretive: Children should be reminded never to reveal passwords, addresses, phone numbers, or other personal information.
  8. Limit exposure: Kids should not be permitted to post inappropriate photos or photos that may reveal their identities. (For example, a photo in which a t-shirt bears the name of the child’s city or school.)
  9. No strangers: Never allow a child to meet an online stranger in person.

10. No attachments: Children should be taught not to open online attachments from strangers.

Robert Siciliano, personal security expert contributor to JustAskGemaltoDisclosures

Classified Ad Scams Target Pet Lovers

Classified Ad Scams Target Pet Lovers

I love my dog, 60lb German Shepherd. Small for a shepherd, but she was the runt. I’ve always rooted for the underdog. The underdog has more heart, more passion and often tries harder.

Anyway people love their pets, which is why it’s a multi-billion dollar a year business. Scammers know this too and they prey upon classified ad users who are seeking their next pet.

This story caught my eye, “A warning for internet users: an online scam targeting pet-lovers is circulating the web, and it could cost you more than a new pet.”

An ad was posted to a local online classifieds website by a man who claimed he was living in Florida. The seller said he had recently moved to Miami, and couldn’t keep his dog due to his new living conditions. He was willing to give the Labrador Retriever puppy named Dely away for the cost of shipping, which was $220.

The couple sent a delivery service $220 by way of Western Union. The delivery service told the family to send another $820 or risk losing the dog. That’s when the couple realized they’d been scammed. They told the person on the other end of the phone the deal was off. But the caller kept calling, becoming more aggressive each time.

“He kept calling me saying the dogs here,” said the victim. “Making me feel like this poor dog is sitting somewhere unattended.” When the caller realized the couple wasn’t sending the extra $820 he threatened to turn them into authorities and charge them with animal abandonment. Officials determined the entire thing was a scam.

Scammers will say and do anything to get a person to part with their money. At first they had a sob story that sounded like a legitimate issue, new housing that wouldn’t allow a pet. When posted as a classified ad, it looks legitimate. Then they involved a “shipping company” that was a front for the scam. Once the victims were asked to send a money transfer, this should have been a red-flag.

It’s usually best to do business like this locally.

Never automatically trust anyone over the phone or via the internet.

Unless the business is one that is well established online, don’t ever send money that you can’t get back.

Many classified sites stop fraudulent ads from being published in the first place by incorporating device-based intelligence that helps them assess risk upfront. Fraud prevention technology offered by iovation Inc. not only helps these sites identify repeat offenders coming in under multiple fake identities, but they also detect when scammers are attempting to place multiple fraudulent ads using a variety of computers, tablets and smartphones to do so.  This greatly helps rid these sites of undesirables and protect their valued members.

Fraud analysts review thousands of transactions per month on auction sites. They watch for emerging schemes such as the popular “advanced fee schemes” where bad actors posing as sellers require down payments to be wired to them, and “text message fraud” where the legitimate sellers receive text messages that starts the process of being scammed.

Online businesses can see what kind of fraud records are associated with a device touching their website before accepting a new account registration, by tapping into iovation’s cybercrime intelligence network with over 10 million fraud events and more than 1 billion devices.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discussesidentity theft  in front of the National Speakers Association. (Disclosures)

Be Proactive During Cyber Security Awareness Month

We use the web to search, shop and to connect with friends and family. And in the process criminals are trying steal from us.

It used to be that a person only had to know not to open a file in an attachment from someone they didn’t know. Today there are more ways than ever that your PC can be hijacked.

Today you can simply visit a website thinking you are safe and the bad guy was there before you and injected code on the site and now it infects your out-dated browser. That’s a “drive by” and it’s very common today.

Protect yourself:

Update your browser. Internet Explorer and Firefox are the most exploited browsers. Whenever there is an update to these browsers take advantage of it.   Keep the default settings and don’t go to the bowels of the web where a virus is most likely to be. Consider the Google Chrome browser as it’s currently less of a target.. Systems using old or outdated browsers such as IE 5, 6, or older versions of Firefox offer the path of least resistance.

Update your operating system. Computers with old, outdated, or unsupported operating systems like Windows 95, 98, and 2000 are extremely vulnerable. No matter what brand of computer you are on you have to update the critical security patches for your Windows operating system. Microsoft will no longer support Windows XP after 2014, so start thinking about upgrading to Windows 7 or wait for windows 8 (which is pretty sweet). Go to Windows Update. Keep your critical security patches up-to-date by setting Windows Update to run automatically as well.

Update Adobe Reader and Flash. Adobe PDFs and Flash Player are ubiquitous on almost every PC. Which makes them a prime target for criminals. To update Reader go to Help then Check for Updates. To update Flash go here.

Don’t be suckered into scareware. A popup launches and it looks like a window on your PC. Next thing a scan begins. The scan tells you that a virus has infected your PC. And for $49.95 you can download software that magically appears just in time to save the day.

Beware of social media scams. Numerous Twitter (and Facebook) accounts including those of President Obama, Britney Spears, Fox News and others were taken over and used to make fun of, ridicule, harass or commit fraud. Often these hacks may occur via phish email

Surfing pornography websites increases your risk, as does frequenting gaming websites hosted in foreign countries. And don’t engage in risky online activities that invite attacks.

Downloading pirated content from P2P (peer-to-peer) websites is also risky. Remember, there is no honor among thieves.

Make sure to set your antivirus software to update automatically. Use a paid product that provides antivirus, antiphishing, antispyware and a firewall.

Robert Siciliano, personal security expert contributor to Just Ask GemaltoDisclosures

Skimming, Identity Theft and How Online Business Defend Against Cybercrime

Over the past 5 years a scam known as electronic funds transfers at the point of sale (EFTPOS ) or skimming has been prevalent. Consumers commonly swipe both credit and debit cards through the in-store machines to pay for goods and services and hackers have been adept at coming up with ways to skim those customer cards.

In one such case, Romanian hackers were indicted when they were charged with remotely accessed hundreds of small businesses’ POS systems and stealing enough credit card data to rack up fraudulent charges totaling over $3 million. The hackers’ targets included more than 150 Subway restaurant franchises and at least 50 smaller retailers.

SCMagazine reports “An Eastern European criminal syndicate has hacked into a small Australian business and stolen details of half a million credit cards from the company’s network. In both cases, the syndicate captured credit card details using keyloggers installed within Point of Sale (POS) terminals and siphoned the data through an insecure open Microsoft’s Remote Desktop Protocol (RDP) connection. The syndicate found its victims by scanning the internet for vulnerable POS terminals.

Card skimming is just one of many ways that cybercriminals obtain access to stolen identities. And what happens once they have this information?  They begin hitting many of the major brand websites to purchase products that are commonly found in our homes and office.  How can retailers, ticketing companies, gaming sites and credit issuers protect their businesses and customers from fraudulent transactions?

Many start by identifying the device being used to access their website, through advanced device identification technology.  Is it a computer, laptop, tablet, mobile phone or another Internet-enabled device?  Is that a device that is already known to iovation’s cybercrime intelligence network? If so, has it been involved in fraudulent or abusive activities in the past? Often times, known bad devices have a history of credit card fraud, identity theft, account takeover attempts and other abuses. If the device comes back clean, is it related to other known bad devices?

iovation also helps its clients understand the web of associations between related devices, which helps businesses identify and shut down entire fraud rings. Lastly, online businesses run their highly-customized business rules as the transaction or activity is attempted. Many of iovation’s clients have more than 100 business rules on their site, that help them assess risk in real-time.  These business rules can trigger factors including velocity, device anomalies, proxy use, age of the device-to-account association, and more.

Last week at the Merchant Risk Council Platinum Meeting in Seattle, iovation demonstrated it’s ReputationManager 360 fraud prevention service, and showed in simple terms, what happens during a real-time device reputation check.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)