Can Hackers Use FraudFox VM to Defeat Your Fraud Prevention?

In the last few days, a number of tech magazines like Computerworld and PC Advisor have reported that FraudFox VM poses a threat to the security of online businesses—especially banks and payment services.

4DFraudFox VM is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware’s Workstation for Windows or VMware Fusion on OSX. It’s for sale on Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or about $390.

FraudFox VM was created to defeat device recognition, or fingerprinting, which is used in fraud prevention to assess the risk of a device connecting to a business. Web browsers are used to collect data like operating system version, time zone and IP address. Each of these characteristic can be used to assess risk and uncover possible fraud.

So how worried should your business—and customers—be about this new software? I sat down with Scott Waddell the Chief Technology Officer of iovation, the fraud prevention experts, to find out what the reality is behind the media headlines.

  1. How reliant are banks and financial institutions on this kind of technology to stop fraudulent transactions these days? Is fingerprinting used more for mobile than on desktop?
    Banks leverage device reputation solutions with great success in both fraud mitigation and risk-based authentication strategies. Of course, good security is all about layered defenses, so smart banks use these tools as part of a defense-in-depth strategy to avoid over-reliance on any one security technology.Device recognition is used on all Internet connected devices these days, mobile and desktop alike. Mobile transactions are the fastest growing segment being protected with these tools, but the majority still originate from desktop operating systems.
  2. Do you think this would be an effective method for cybercriminals to get around those defenses?
    FraudFox VM may be interesting for its purpose-built virtual machine packaging, but there’s really nothing new in the approach. Tools have been available to fraudsters for years to facilitate changing device parameters, manipulating JavaScript, blocking data collection, obscuring IP address and location, and so on. Many of these capabilities have even migrated into easy-to-use settings in the major web browsers to make testing easier for web developers.Device reputation solutions have evolved along with such tools and continue to provide great uplift in fraud catch in spite of them.

    From the reported attributes that FraudFox can change, it would be unable to evade native recognition tools (those embedded in native desktop apps) and it would stumble over transactional similarity scoring on the web that considers more device attributes along with tagged recognition. So the tendency at financial institutions would be to trigger step-up authentication to one-time passwords through out-of-band channels (SMS, mobile app, voice) that FraudFox could not intercept.

  3. Is possible to fake browser fingerprints manually or using other tools? Does this thing look like a good consolidation of other tools that people might use to defeat fingerprinting?
    As previously mentioned, there are other tools and techniques fraudsters use to evade recognition or to try to mimic the devices of their victims. These often stand out from actual browsers in ways that defeat their intended purpose. A couple years ago, the Gozi Prinimalka trojan attempted to duplicate device attributes of compromised systems much as FraudFox VM aims to do. However, its limitations made it ineffective against modern device reputation offerings that evaluate risk and reputation through multiple strategies including link analysis, profiling techniques, velocity rules, proxy and Tor unmasking, device attribute anomalies, and more.FraudFox VM seems to be relatively limited in its capabilities considering the variety of techniques sophisticated fraud mitigation tools bring to bear.
  4. Any other thoughts?
    It’s certainly interesting to see tools like this for sale on Evolution, which appears to be catering to fraudsters and identity thieves. All the more reason for online businesses to take advantage of collaborative technologies that bring the power of community to the fight against the increasingly organized economy of cybercrime.

Fraudsters will always look for new ways to commit cybercrimes. However, a strategic, multi-layered approach to fraud prevention is the best defense.

If You use these Passwords, You will get hacked

Have you heard of iDict? It’s a tool that hackers can use to get passwords via what’s called brute force attacks. It’s designed to crack into iCloud’s passwords, and supposedly it can circumvent Apple’s anti-brute force attack security.

5DBut iDict doesn’t have as big a bite as you might think. A long, strong password is no match for iDict. But if you have a password that’s commonly used (yes, hundreds of people may have your exact passwords; you’re not as original as you think), then it will be a field day for iDict.

Some examples of passwords that iDict will easily snatch are:

password1, p@ssw0rd, passw0rd, pa55word—let me stop here for a moment. What goes on in the heads of people who use a variation of the word “password” as a password? I’m sure that “pa$$word” is on this list too.

And here are more: Princess1, Michael1, Jessica1, Michelle1 (do you see a pattern here?) and also John3:16, abc123ABC and 12qw!@QW. Another recently popular password is Blink182, named after a band.

Change your password immediately if it’s on this list or any larger list you may come upon. And don’t change it to “passwerdd” or “Metallica1” or a common name with a number after it. Come on, put a little passion into creating a password. Be creative. Make up a name and include different symbols.

For additional security, use two-factor authentication when possible for your accounts.

Though iCloud has had some patch-up work since the breach involving naked photos of celebrities (Don’t want your nude pictures leaking out? Don’t put’em in cyberspace!), iCloud still has vulnerabilities.

And hackers know that and will use iDict. If your password isn’t on the top 500 list from github.com, but you wonder if it’s strong enough, change it. If it has a keyboard sequence or word that can be found in a dictionary, change it. If it’s all letters, change it. If it’s all numbers, change it.

Make it loooooong. Make it unintelligible. Dazzle it up with various symbols like $, @, % and &. Make it take two million years for a hacker’s automated password cracking tools to stumble upon it.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

Feds warn of more Online Predators

What goes on in the home life of a 14-year-old girl such that she feels there’s nothing better to do than send nude photos of herself to a man whom she’s been corresponding with online? Though this goes well-beyond the parents not bothering to find out what their kids do online, another huge issue is the proliferation of online predators.

2WAnd for parents who DO care enough to monitor their kids’ cyber activities, here’s some unsettling news: A 2013 survey called  Digital Deception: Exploring the Online Disconnect between Parents and Kids revealed that 69 percent of the young respondents reported they knew how to conceal their online activities from their parents. The study also showed that 80 percent of the parent-respondents said they wouldn’t even know how to figure out what their kids’ online activities were. Conclusion: Parents are clueless.

This makes it easier for predators to find victims. There’s the case of a girl who, at age 13, sent an image of herself to a 26 year old man who for the next five years cyber-harassed her, demanding more images. The girl was driven to two suicide attempts and finally alerted authorities who found him.

Another predator tricked a 15-year-old into sending him photos who turned out to be a 50 year old man. They do this by sending photos of younger cuter boys around the same age as their victim females. Parent need to have ongoing dialog with their kids that this is going on everyday somewhere and “it can happen to you too”

These act can often be prevented which once again, brings to mind what kind of parenting or lack of parenting is going on. Though parents can’t monitor their kids’ activities every second, something has to be said about why a young person’s life would be so empty that they end up sending out nude photos of themselves—even if the victim thinks the recipient is the same age!

What Parents Should Do

  • Educate kids about online predators
  • Educate yourself about online predators
  • Warn kids about never sending images into cyber space
  • Make sure kids understand that they will never be shamed for reporting a perilous situation
  • Tell kids that no matter how aggressive or threatening a cyber predator seems to be, they ultimately don’t have that much power; they’re ground meat once the authorities find them.
  • The less time kids spend tinkering around on the Internet, the less likely they’ll meet up with a predator. Get your kids involved in confidence-building activities that develop independent thinking skills and assertiveness.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Fingerprint hacked by a Photo

You can’t change your fingerprint like you can change your password. But why would you want to change your fingerprint? The thought might cross your mind if your fingerprint gets stolen.

8DHow the heck can this happen? Ask Starbug. He’s a hacker who demonstrated just how this could happen at an annual meeting of hackers called the Chaos Communication Congress, says an article at thegardian.com. His “victim” was defense minister Ursula von der Leyen.

Starbug (real name Jan Krissler) used VeriFinger, a commercial software, with several photos of von der Leyen’s hands taken at close range. One of the photos he took, and the other was from a publication.

And this gets more fun, total and complete James Bond stuff: The conference showed that “corneal keylogging” can happen. Reflections in the user’s eyes occur as they type. Photos of these reflections can be analyzed to figure out what they typed. This is another lovely gateway to getting passwords.

But back to the fingerprint thing. In 2013, says The Guardian article, Starbug took a fingertip smudge from a smartphone, and using a few clever techniques, printed an imposter finger. He used the fake thumb to get into the phone. This shows it’s possible to crack into a mobile device with a stolen fingerprint—obtained without even having to be near the victim.

Biometrics is a groundbreaking advance in security, and it was just a matter of time before hackers would figure a way to weaken it. All is not lost. Hacks like this aren’t easy to accomplish and there’s always multi factor authentication available as another layer of protection.

Biometrics can certainly be a replacement for passwords, but again should include, a second-factor authentication. Passwords are secrets, stored inside people’s heads (ideally, rather than written on hardcopy that someone could get ahold of), but biometric features, such as fingerprints, photos and voice IDs, are out there for all to perceive. Though it’s hard to imagine how a hacker could figure out a way to fool voice recognition software, don’t count this out.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

In with the New, out with the Old

If you plan on getting a new smartphone, have you ever thought of what the next user of your old smartphone will find on it?

7WThis assumes you’ll be selling or donating it, of course. Are you SURE those risqué photos are totally gone, or that your diary entries have been wiped clean? Experiments have been conducted in which someone buys used smartphones for the sole purpose of seeing how much personal data was left behind by the previous owner. I’ve done one, it wasn’t pretty. We found data on half the devices we bought in the second hand market.

It’s unbelievable how much data was retrieved in these experiments, including addresses, e-mails, passwords and text messages. A factory reset is not a totally reliable way to wipe clean your smartphone, either, as shown by the fact that some Android phones, despite the factory reset, still contained the previous user’s data.

Before taking the first step in getting rid of your mobile phone, back up all of its data. This can be done with a flash drive or automated PC service. For Android and iOS, use Apple’s iCloud or Google’s Auto Backup.

Next, wipe your phone squeaky clean. No, not with a rag and bleach, but “wipe” means destroy all the data using a specific method. This is NOT done by hitting the delete button or even reformatting the hard drive. What you don’t see isn’t necessarily not there.

A reformatted hard drive can still contain your data. To wipe an Android or iOS, use Blancco Mobile. To wipe a Mac computer, use the OS X Disk Utility or WipeDrive. For Windows PC use Active KillDisk. If you use a factory reset for a smartphone, remove any SIM cards too.

What if you can’t wipe your device? If you don’t wish to give it to someone else, then literally destroy it. Don’t just toss it in the trash. Take out the hard drive and mutilate it with a hammer. If you do want to sell it or donate it (get the receipt if you do donate it for an IRS return), realize that your data will still be on it. You never know who will end up getting their hands on the device.

If the idea of hammering at the hard drive isn’t your cup of tea, then find out from the recycling company who conducts the downstream recycling. You don’t want your device—containing your data—getting into a foreign landfill. The recycling company should be part of R2, or “responsible recycling,” or be part of e-Stewards certification programs.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Hacking 2015 and Beyond

2015 brings us no closer to putting the lid on hackers as any other year has. The crime of Criminal hacking will prove to be as big as ever in the new year. Here’s what we have to look forward too:

4DBank Card Breaches

There will always be the bank card thieves, being that stealing data from magnetic stripe cards is relatively easy to pull off and there are different ways to do so. This includes tampering with card swiping devices, then retrieving the stolen data later on when nobody’s around.

The U.S. is moving towards replacing the magnetic stripe with chip ‘n PIN technology, but this will take time and money. Another issue is poor implementation of this technology, which makes a hacker’s job easier. It will be a while before efficiently implemented Chip and PIN technology rules the U.S.; expect lots of more bank card breaches.

Nation-State Attacks

Governments hacking governments was big in 2014 and it’s expected to continue rising. Criminals engaging in this type of threat involve interference with encryption and gaining entry to systems via “back doors,” kind of like how a robber gets into one’s home by removing a screen in the back of the house. One of the tools to accomplish this cyber assault is called a RAT which is a form of malware, and it’s predicted that this tool will be used even more (among others) to invade government and private company networks.

Data Destruction

It’s incomprehensible to the average Joe or Jane how someone (usually a team, actually) could wipe out data on the other side of the world, but it’s happened, such as with computers in South Korea, Iran and Saudi Arabia.

And this was on a large scale: banks, media companies and oil companies. Even if all the data is backed up, there’s still the monumental issue of rebuilding systems. And it’s no picnic trying to make sure that the saved data doesn’t carry malware residue that can reinfect a rebuilt system.

Extortion

Special malware (ransomware) can block a user from accessing data or a corporation from accessing its system, until money is paid to the hacker. This happened to the Sony company (data was stolen but also deleted), but the motives aren’t crystal clear. A cyber extortion requires a skilled attack, and don’t be surprised if this happens to more big companies.

Critical Infrastructure

This type of hack hasn’t really occurred big-scale in the U.S. yet, but experts believe it’s only a matter of time before it does. Cyber criminals will carry out a critical infrastructure attack, infecting networks and gaining control of them, all designed to shut down electricity, disrupt communications and poison water among other disrupting activities.

Third-Party Breaches

A third-party breach means hacking into entity “A” to get to “B.” An example is Target: Hackers got into the HVAC company that Target was contracted with to access Target’s network. Bigger third-party breaches have occurred, and experts have no reason to believe they’ve stopped, even though tighter security has been implemented (and busted through by hackers, not surprisingly).

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Winter Vacation Home Security

Planning a trip? Thinking of having your snail mail and newspaper delivery placed on a vacation hold so that thieves casing your neighborhood won’t see a pile-up of these items?

2HWell, there’s a better option, because what if…just what if…a crook works for the post office or newspaper company and keeps track of all of these vacation holds? They’ll know for sure you’re gone and will rob you, or at least try to. Have a trusted adult retrieve your mail and newspaper.

Next up for protecting your possessions is a rule that cannot be said too often: Never post your travel plans on social media! The number of people who do this daily is alarming, and this includes posting while on the vacation as well, putting up photos of the beach and boasting about the weather, scenery, etc. A thief reading this is like a dog watching you put steak in his bowl.

Another tactic is to install timed lighting devices so that your house isn’t perpetually dark, or perpetually lit up, which looks almost as suspicious.

Are you still continuing to put off getting a home security system? For as little as about $10/month your home can be monitored, but more provisional systems are still reasonable at $30 a month. The system should alert law enforcement if someone breaks in. Complement the home security with video surveillance. Today’s systems allow you to access them remotely.

Additional Tips for Home Security While You’re Away

  • Lock up all your valuables in a safe.
  • Deactivate the garage door opener.
  • Set up automatic timers that turn lights on and off.
  • Inform the police and a trusted neighbor of your travel plans.
  • Record a message on your voice mail that implies you’re home but busy.
  • Ask a neighbor to park their car in your driveway.
  • Have your grass cut to prevent overgrowth while you’re gone.
  • Make sure your car, if you’re using it to travel, is equipped for the long trip.
  • Load up the car under the cover of night or inside your garage so that nobody sees you’re prepping to be gone.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

5 Home Security Myths

If you’ve decided to avoid getting a home security system, I’m banking that the reason is at least one of the myths described below. Check them out:

1S“I have nothing valuable inside.” First of all, unless a burglar has X-ray vision, he’s going to have to break in to find out you have nothing valuable. He might be so pissed at this that he trashes the place before fleeing.

Secondly, a burglar knows that your “blue collar neighborhood” probably isn’t replete with alarm systems, but rather, lots of doors with simple locks and lots of windows with broken locks or already-torn screens.

Finally, what may not seem of value to you may be the burglar’s ticket to his next drug fix—anything he could quickly take off with and sell on the street or even eBay. They also like simple stupid stuff such as clock radios, DVDs, ornaments, even unopened bottles of vitamins.

“It’s too expensive.” Of course, the high-end, super sophisticated alarms that movie stars have for their mansions cost an arm and a leg, but home security companies know that they can make a tremendous profit off of selling less fancy systems for the average working class Joe and Jane. Why sell only to the rich? Some systems come as low as $9.95/month for monitoring. If you can’t spare $10 a month, see what vice you can give up that costs you at least $10/month.

“My neighborhood is safe.” If you think your neighborhood is safe, chances are it’s upscale. But that’s exactly where many burglars like to steal! They’re skillful at figuring out who doesn’t have the alarm system, while some know how to get past the alarm system. They want high-end valuables and won’t find them in “bad” neighborhoods too easily.

“Hide a spare key outside the door under a flower pot or welcome mat.” Even the world’s dumbest criminals know to check the rock that just happens to be by the front door for a key underneath. Either have a trusted person hold onto a spare key, or use keyless technology.

“Don’t let anyone know you’re traveling.” Actually, this means don’t blab about your trip indiscriminately, but do secretly tell a trusted adult so they can keep tabs on your house.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

SSN and Its Afterlife

What’s one billion? That’s about the number of possible permutations of the Social Security number. Which begs the question: What happens to an SSN when someone kicks the bucket?

8DCurrently, SSN’s are never repeated when they’re issued by the Social Security Administration. As of June 2011, the SSA made the issuance entirely random (previously, for example, the first three numbers were determined by place of birth).

With nearly a billion permutations, there’s no point in any number surviving the holder’s death and being reissued. Now in theory, the combinations will eventually run out, because eventually, a billion people will have been born in the United States. But this isn’t exactly in the near future. Why worry?

Nevertheless, some people like to plan way ahead. Maybe this scenario can be mitigated with a 10-digit number. Maybe numbers will stay at nine but be recycled. But for now, your number is as unique as your DNA. But, unlike DNA, a SSN can be used fraudulently.

The three credit bureaus maintain a list of the deceased based on data from the Social Security Administration’s Death Master File Index. Sometimes it takes months for bureaus to update their databases with the Social Security Administration’s Death Master File Index.

Here’s how to avoid identity theft of the deceased:

  • Report the death yourself by calling the Social Security Administration at 1-800-772-1213.
  • Contact the credit bureaus directly to report a death and request the information to be recorded immediately.
  • Right now, before anyone perishes, get the person a credit freeze. Upon death (as in life), the person’s Social Security number will be useless to the thief.
  • Invest in identity theft protection. This is a layer of security that monitors one’s information, including Social Security number, in the wild. Have it activated for six months to a year after death.
  • The Identity Theft Resource Center suggests, “Immediately notify credit card companies, banks, stockbrokers, loan/lien holders and mortgage companies of the death. The executor or surviving spouse will need to discuss all outstanding debts. If you close the account, ask them to list it as: ‘Closed. Account holder is deceased.’ If there is a surviving spouse or other joint account holder, make sure to notify the company the account needs to be listed in that surviving person’s name alone. They may require a copy of the death certificate to do this, as well as permission from the survivor.”

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

Beware of scary WiFi Virus

It’s called Chameleon—a computer virus—but maybe it should be called FrankenVirus. You wouldn’t believe what it can do: literally move through the air, as in airborne—like a biological pathogen.

2WAnd like some Franken-creation, it came from a laboratory, cultivated at the University of Liverpool’s School of Computer Science and Electrical Engineering and Electronics.

Chameleon leaps from one WiFi access point to another. And the more access points that are concentrated in a given area (think of them almost like receptor sites), the more this virus gets to hop around and spread infection.

The scientists behind this creation have discovered that the more dense a population, the more relevant is the connectivity between devices, as opposed to how easy it was for the virus to get into access points.

Access points are inherently vulnerable, and Chameleon had no problem locating weak visible access points from wherever it was at, and it also avoided detection.

“When Chameleon attacked an AP it didn’t affect how it worked, but was able to collect and report the credentials of all other WiFi users who connected to it,” explains Professor Alan Marshall in an article on Forbes.com. He added that this malware pursued other WiFi APs to connect to and infiltrate.

The scientists made this virus subsist only on the network—a realm where anti-virus and anti-malware systems typically do not scavenge for invaders. Protective software seeks out viruses on your device or online. Thus, Chameleon earns its name.

Think of this virus like the burglar who goes from house to house overnight, jiggling doorknobs to see which one is unlocked. WiFi connections are like unlocked doors, or locked doors with rudimentary locks.

Chameleon’s creators have come up with a virus that can attack WiFi networks and spread its evil fast. The researchers now want to come up with a way to tell when a network is at imminent risk.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.