Credit Card Hackers Target Small Business

Robert Siciliano Identity Theft Speaker

Up until now, identity thieves have been hunting elephants. But that may soon change.

According to this study, small to medium size businesses (SMB’s) are the criminal hackers next target. This should come as no surprise, as large enterprise networks have gradually become better at defending themselves.

Over the past few years, criminal hackers have acted like hornets, attacking and swarming unassuming enterprise networks. Big business has responded by allocated billions of dollars in funding for technology and talent to thwart their sting.

In 2009, enterprise defense is the best it has ever been. It’s still lax, but now the path of least resistance has become SMB’s. Your mom and pop shops simply don’t have the resources, including deep pockets, to keep up.

Studies by the International Council for Small Business show that one fifth of small businesses aren’t even equipped with basic defenses, such as McAfee security software. Furthermore, as many as 60% don’t even have wireless encryption activated. What is most disturbing, but not surprising to this security analyst, is two thirds don’t have any type of security plan in place.

According to poll responses, these same SMB’s overwhelmingly believe that they aren’t targets, that only big businesses need to worry. However, this same study shows that 85% of fraud related to criminal hacks occurs within this exact group.

The National Retail Federation stated that Level 3 businesses are only 60% compliant and Level 4’s are even less secure.

PCI Compliance, a Visa based organization that regulates merchants in order to prevent credit card fraud, recognizes retailers at different levels. Level 1 retailers process 6,000,000 Visa transactions per year, Level 2 retailers process 1,000,000 to 6,000,000, Level 3 retailers process 20,000 to 1,000,000, and Level 4 retailers process fewer than 20,000.

Many security issues stem from the SMB’s lack of resources, coupled with their shift to online transactions and the handling and storage of their own data.

Some say that the responsibility of handling these transactions should be shifted back to the banks.

One additional recommendation for these Level 3 and 4s is to adopt a strategy in which the merchant never handles the credit data at all. The merchant would have an online shopping cart, but the credit card transaction would be diverted to the bank server, without ever being touched by the merchant.

I’m one of those Level 4 merchants and this is the strategy that I use. All orders are taken online and nobody aside from the bank handles client credit card data. PCI compliance is a breeze – no hiccups.

While this is practical for some SMB’s, it doesn’t work for others, so those retailers need to get their act together immediately, because criminal hackers are watching.

See identity theft speaker Robert Siciliano discuss data breaches here.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Identity Theft Prevention is a People Problem

Robert Siciliano Identity Theft Expert

Every week we learn of a new hack, another breach, credit cards stolen and another identity theft victim.

Many have blamed the bad guy or criminal hackers for all the problems we have in the security world. And while the bad guy is certainly a problem, they are a small part.

The people responsible for their own physical or computer security or the security of others are often the guilty.

You wonder why your credit card company sent you a new card? Because some baboon didn’t do his job and your were compromised.

Chances are we could look at 7 out of 10 data breaches and point to someone who didn’t properly flip a switch or lock a door.

Recent studies polling companies with 1000 or more employees when asked to define the most important measures for protecting confidential data, nearly half of all respondents said, “communicating and training users on confidential data security policies.”

And when asked to rate their organizations performance with regard to, “communicating and training users on confidential data security policies,” more than one-fourth of security professionals gave their organization a rating of either “fair” or “poor.”

North Americans ranked 24% as being “poor” while Europeans ranked 38%. I suspect the North Americans are just lying and are just as lax. I read the papers and see the data. Pleeeeze. I have my eye on you Focker.

Security is not entirely an IT problem. There are many “to-dos”, policies in place regarding physical security that must be observed. And if followed properly, would reduce many of the breaches we see.

One plain and simple example is dumpster diving. How prevalent are shredders? I’ve gone though 4. Besides the copy machine or your desk/laptop, a shredder should be the most used home/office appliance.

Here is an infuriating video of a dumpster diver here, also a security professional who spent 3 minutes in the dumpster of a local bank. He found a laptop, wire transfers and Social Security Numbers. That’s not an IT problem. That’s a stupid-lazy-people problem.

How is anyone supposed to feel secure and protect their identity when others are responsible for our security? The fact remains we are an open sore and idiots keep pouring salt in the wounds.

Robert Siciliano Identity Theft Speaker discussing Idiots who didn’t secure a wireless connection and exposed 45 million credit cards Here

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Recession Turns IT Workers Into Hackers

Robert Siciliano Identity Theft Expert

What a nasty headline for an article.

From ABCnews.com the journalist roasts IT professionals on a spit. And the comments were all inspiring.

As the recession rears its ugly head, disgruntled ex employees are in the best position to drop a bomb in the companies network or suck all the data out with a few terabyte drives.

A recent study by McAfee and Purdue University put the tally of fraud, data loss and damage done at 1 trillion dollars. A thousand billion sounds like a lot of money.

To paraphrase some of the comments;

No matter how you look at it, when heads start to roll, most people that are about to be let go feel unjust and express hostility towards the employer (often, rightly so). These are the same people who were loyal company employees for years. Unfortunately, these are no win-win situations when it comes to the downsizing and companies should take proper actions to address it.

Your system admin is the gate keeper. Anyone who has access to sensitive data can potentially abuse the privilege. The loan officer, the loan processor, the secretary, the human resources gal two cubes down the hall, the cleaning people that take out our trash at night… Without proper controls in place anybody can be the bad guy. On the other hand, with adequate management these issues can be avoided, even when it comes to IT employees.

Manage your end points, your USB devices, your computer ports, your printers… Segregate your system administration roles. Tools are there. And who is going to implement them? Your IT guy. (thank you Sashimi11)

With the incredible amount of layoffs occurring, companies are bound to layoff an employee who will exact some revenge. Some say “Companies whose knee-jerk response is to cut costs by canning employees deserve some wrath”. But, in the end, the wrath doesn’t get you your job back. (thank you Patches777)

Most are working individuals, doing what they do best. All the while staying under the radar, and afraid, just like everyone else, of the threat of layoffs. The latter doesn’t mean an internal flip is switched and they bug out and start stealing trade secrets. (thank you kyleratliff)

On another note, as budgets are cut and IT pros are let go, the show must go on.

Bill Lynch of RazorThreat said to me “We are encountering lots of very frustrated CIO’s who are caught on the horns of a dilemma…their IT budgets and headcount are being slashed but their CEO’s are simultaneously demanding that they reassure them and the Board of Directors that they are not vulnerable to the same kinds of cyber attacks that have plagued some big firms lately.

They know they cannot afford to buy complex, expensive and difficult to deploy new security software and the people to manage them and yet they have to stand before the Board and profess that their networks are secure”.

The fact is, data breaches will continue and IT will often be to blame. There is a light at the end of the tunnel. There are numerous technologies that won’t break the bank and will keep the BOD happy. Companies have to consider numerous threats of theft and mayhem. Review security policies and who has access to what and why. In the end make sure employees are let go with dignity and respect.

Robert Siciliano Identity Theft Speaker discussing Credit Card Fraud Here

Neighborhood Identity Thieves From Hell

Robert Siciliano Identity Theft Expert Speaker

Keep your friends close and your enemies closer. Unfortunately your enemies could be living in your home or across the street. As the economy tanks, people get desperate and thieves victims become those in their lives.

With all the hullabaloo about criminal hackers and identity thieves organizing as webmobs from all over the world, people often forget that it’s the people in our lives that are the closest to us who often perpetrate these crimes.

Especially in tough times, identity thieves could be someone in your inner trusted circle. I’ve consulted on stories where the dad stole his child’s identity. Those closest to us at home or work have direct access to our data.

“Familiar” Identity theft happens because the thief goes through a process of rationalizing their ability to commit the crime. The process is often referred to as the “Fraud Diamond”.

First they have Incentive. They say “I want to or have a need to commit this crime”. Next is Opportunity. They see a hole or weakness in the system they can easily exploit. And of course Rationalization; “I have convinced myself it is worth the risks”. Lastly, Capability; they determine they are the right person for the job and can pull off the scam.

Here a local neighborhood was terrorized by a drug addicted mom and dad who had a penchant for technology and used their skills to feed their habit.

Much of the crimes they committed could have been prevented.

1. Get a credit freeze or fraud alert
2. Invest in a locking mail box
3. Shred all throwaway paper work
4. Turn off the paper
5. Turn on WPA security for your wireless network
6. Pay attention to all your statements and refute unauthorized charges
7. As a national spokesperson for uni-ball, I recommend using a uni-ball® pen, which contains Uni “Super Ink” formula, to write checks and sign important documents. This specially-formulated ink won’t wash out and protects against check washing. Those closest to you have access to your canceled checks and can rewrite to themselves.

Robert Siciliano Identity Theft Speaker Expert discussing family identity theft Here

Identity Theft Crime Victims Bill of Rights

Robert Siciliano Identity Theft Expert Speaker

A consortium of a number of companies in the identity theft prevention space have banded together to create a “Bill of Rights” for victims of identity theft. A Bill of Rights would provide victims of identity theft the needed leverage in response to a breach of their information that leads to numerous forms of identity theft. The consortium has some work to do to get the attention of legislators before it becomes law. This is certainly a noble effort that if passed will provide significant relief to victims.

I speak to victims on a weekly basis and the stresses of being victimized takes its toll. When a thief is functioning in society as you, fraudulently, irresponsibly and of course illegally, they tarnish every aspect of your life. There is an overwhelming sense of helplessness for many victims due to the notion that they are guilty until proven innocent. While this will in essence “take an act of congress” to become law, a good faith implementation of the bill by industry and government would certainly provide needed relief to those affected.

The Santa Fe Group, a financial services consulting firm, and The Santa Fe Group Vendor Council, a consortium of leading service providers to the financial services industry, today released the first comprehensive Bill of Rights for victims of identity theft. The Bill of Rights calls for consistent processes for handling identity crime incidents in addition to amendments to privacy legislation and regulation so victims can more easily access and correct their personal information records.

The five basic rights address the need for legislation that enables individual victims of identity theft to access and correct personally identifiable information (PII) records. The Bill of Rights white paper, titled Victims’ Rights: Fighting Identity Crime on the Front Lines, is now available.

The Identity Crime Victims Bill of Rights advocates improved protection and support for victims and includes:
• Assessment of the nature and extent of the crime that removes the procedural “Catch-22s” when validating identity
• Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
• Freedom from harassment from collection agencies, law enforcement and others
• Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
• Restitution that includes repayment for financial losses and expenses

The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council chaired by Rick Kam, President of ID Experts

“Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses,” said Rick Kam, President of Portland-based ID Experts, a leader in data breach prevention and remediation. “We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.”

According to Javelin Strategy and Research, 9.9 million Americans were victimized by identity crimes in 2008, an increase of 22% from 2007, with annual costs to consumers and businesses of more than $49 billion. In their journey to recover their identities, victims face a disjointed maze of privacy laws and information sources. Law enforcement processes are not always in place, and organizations often won’t share evidence with victims. As a result, a victim’s life can be disrupted for years.

“Victim empowerment is key to thwarting identity crime,” said Catherine A. Allen, Chairman and CEO of The Santa Fe Group. “With the Identity Crime Victims Bill of Rights, we’ve launched a national call to action, laying the groundwork for meaningful and much-needed legislation while building awareness of the issue in the media and among consumers and businesses. Our intent is that victims of all types of identity crime be provided with the same rights afforded to them via the FACT Act for resolving credit issues.”

Robert Siciliano Identity Theft Expert Speaker discusses identity theft victims Here and Here

Your Online Bank Account’; Criminal Hackers Hacking It

Robert Siciliano Identity Theft Speaker Expert

Why hack your online bank? Because thats where the money is!

White Hat Hackers (good guys) probably never anticipated whats happening. There are more viruses out there than ever. Black Hat Hackers (bad guys) are in full force. Back in the year 2000 some have said the white hats were about a year ahead of the black hats in technology. Meaning it would take about a year for the bad guys to crack the white hats stuff.

Others research shows by 2004 the black hats were about 2 weeks behind the white hats. Here we are in 2009. In many cases the black hats are years ahead of the white hats. The good guys are losing. Badly.

Many of the new viruses sit on your hard drive dormant, waiting to be “woken up” when they are signaled. Many of these Trojans are designed to sniff out when you are banking online. They sit and wait, then stike when you log on.

Consider that in our own bodies we already have numerous viruses that come alive when our immune system is down or when its woken up by coming on contact with another. Your PC is no different, there’s often something lurking in there. We get viruses on our PC simply by visiting a website, clicking on a link or downloading a program we think is clean, and many many more ways.

Studies show the amount of viruses quadrupled from over 15,000 in 2007 to almost 60,000 in 2008. The problem is the technology of the criminal hacker has evolved and is further evolving faster than the white hats. This means you have to be on your game. Don’t let your guard down and stay informed.

Basic stuff, again – basic;

Run Windows Update; Or it may be called “Microsoft Update” on your PC. This is a free update to your operating system that Microsoft provides. There are two ways to access this. Either click “Start” then “All Programs”, scroll up the menu and look for the link “Windows Update or Microsoft Update”. Click on it. Your browser (Internet Explorer) by default will launch taking you right to Microsoft’s Windows Update web page and will begin the process of looking at your PC and checking to see what security patches you don’t have. Follow the prompts and click “Express” and let it lead you in the direction it wants. The goal here’s for XP is to end up with “Service Pack 3” installed. Or go to “Control Panel” and seek out “Security Center”. And click “Turn on Automatic Updates” and let Microsoft do this automatically. In Vista the process is similar and your goal is “Service Pack 1”

Install Anti-Virus; Most PCs come with bundled anti-virus that runs for free for 6 months to a year. Then you just re-up the license. If you don’t, then every day that the anti-virus isn’t updated, is another opportunity for criminal hackers to turn your PC into a Zombie that allows your computer to be a Slave sending out more viruses to other PCs and turning your PC into a Spambot selling Viagra. You can also install a different anti-virus program for a fee or free. McAfee is great, Symantec is loosening their grip on the “bloatware” and getting better. Avast is free and good, but free scares me. Free means you have to manually scan your PC and most people don’t do manual very well. Theres also a paid version.

Install Spyware Removal Software; Most anti-virus providers define spyware as a virus now. However it is best to run a spyware removal program monthly to make sure your PC is rid of software that may allow a criminal hacker to remotely monitor you’re keystrokes, websites visited and the data on your PC. I like Lavasofts Ad-Aware Free www.lavasoft.com. There are plenty of good ones.

Run Firefox or Chrome; Microsofts Internet Explorer is clunky and the most hacked software on the planet. Mozillas Firefox is less hacked and more secure. The jury is still out on Googles Chrome browser, but it’s sweet! Maintain the default settings keep the pop-up blockers and phishing filters on.

Secure Your Wireless; If you are running an unsecured wireless connection at home or the office, anyone can jump on your network from 300-500 feet away and access your files. Serious. The router has instruction on how to set up WEP or WPA security. WPA is more secure. If this is a foreign language to you, then hire someone or get your 15 year old to do it.

Install a Firewall; Microsoft’s operating system comes with a built in firewall. But it is not very secure. Go with a 3rd party firewall that is prepackaged with anti-virus software.

Use Strong Passwords; Little yellow stickys on your monitor with your passwords isn’t good. Use upper case, lower case, alpha-numeric passwords that you change up every 6 Months.

PLEASE, you other security dudes or dudets, chime in. We need your guidance too.

Robert Siciliano Identity Theft Expert discussing online banking Here

Bankers Warned; Massive Credit Card Processor Breached

Robert Siciliano Identity Theft Expert

Hackers have breached another huge payment processor. Who? As of this writing they aren’t saying. A statement issued by the Community Bankers Association of Illinois states “Visa announced that an unnamed processor recently reported that it discovered a data breach. The processors name has been withheld pending completion of the forensic investigation” The Open Security Foundation posted a notice on its website Here

CBAI report here and highlights below

According to VISA officials, the breach affected all card brands. Evidence indicates that the account number, PAN and expiration dates were stolen. No cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers or other personal information were involved in the breach.

An increase in card-not-present fraud suggests some BIN number have been targeted by criminals.

VISA officials reported that while the number of accountholders affected is undetermined, it appears to be fewer than those affected by the recent Heartland Payment Systems breach, but a significant number nonetheless. And unlike the Heartland breach, where thieves also captured Track 2 data, officials reiterated that no personal information was taken in this most recent event.

The status of the processor’s PCI compliance is unknown at this time. Bankers. MORE TO COME….”

Why not go after processors, thats where all the data is!

Visa and MasterCard are in the process of notifying affected banks about what they say is a “major compromise”. So far this is not related to the Heartland Payment Systems breach where an expected 100 million cards have been compromised. Or it may be, we don’t know.

Initial reports say the criminal hackers planted malware, or malicious software on the processors servers. Malware of this type generally has some type of remote control component that allows a criminal hacker to remotely access the server and divert data underground.

Visa reached out to all affected banks on February 12th when they conducted a conference call disclosing the severity of the issue. Apparently the compromise occurred from February of 2008 till August 2008 the past few weeks.

At this point neither Visa or MasterCard haven’t disclosed which processor has been compromised nor have they disclosed the size of the breach.

Whether the unknown processor was compliant or not has also not been revealed.

Check your credit and banking statements carefully. Scrutinize every charge and refute any unauthorized charges within 30-60 days. Call your bank/credit card company immediately if you see any fraudulent activity.

Robert Siciliano Identity Theft Speaker Expert discussing another ugly data breach Here.

Phishing Attacks Rise Dramatically in 2008

Robert Siciliano Identity Theft Expert – Speaker

Stupid people get hooked by phishers. You have to be a complete idiot to get sucked into a scam email that has typos making requests that are geared toward naïve simple minded pea brain fools. Right? Yes? No? So why have phishing attacks risen dramatically in 2008? That’s 66% higher than in 2007.

Have we gotten dumber or are the attackers getting smarter?

RSA concluded that phishing attacks rose to an unprecedented 15,002 in April of 2008. Millions of people in mainly english speaking nations receiving ruse after ruse. 68% of US bank brands attacked. Less than 7% UK brands experiencing less than attacks.

However the UK takes the title for the most exploits as the most phished country in the world equating to 40% of the 135,426 cases detected by RSA.

This seems to be due to the UKs system allowing fraudulent transfers fast enough “real-time” to avoid detection. Criminals like real time fast cash.

Much of the success of phishers is that they are in fact getting smarter using “flax flux” attacks. *Fast flux is a technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. *Thank you Wikipedia.

Tonight I spent 2 hours on the phone in a webinar with a startup reviewing a fully functional toolbar that makes 54 checks to determine the validity of a website checking for phishing, pharming etc. All any bank needs to do is adopt the technology and require their clients to adopt it in the sign-in process. In most cases problems solved.

And do you know what we labored over in this call? How to get all the banks clients to install a simple toolbar that would protect them and the bank.

Why is this so difficult?

Robert Siciliano Identity Theft Expert discussing Scambaiter in video Here

Nuclear Weapons, CyberSecurity and an Unlocked Door.

Robert Siciliano Identity Theft Expert Speaker www.IDTheftSecurity.com

What happens when you have an unlocked door at the home of and employee at the top U.S. nuclear weapons laboratory? How about 3 stolen computers with yet to be disclosed data, that was said to be non-classified. We hope. Were the computers stolen to be resold for crack? Or for nuclear weapons secrets? We may never know. Or we may find out the hard way.

At the Los Alamos National Laboratory in Santa Fe New Mexico dozens more (67 total) systems are currently listed as missing. Officials are conducting a full review of the lab’s policies and procedures governing the use of official computers at employees’ homes.

Situations like this are common in every industry with every conceivable form of data. We just wish it wasn’t data from a nuclear weapons facility.

Its important to point out that the facility has as many as 40,000 computers including desktops, laptops, PDAs, printers and so on. Do the math, less than a .25 percent lost or stolen. The lab has been documented at a better than 99.5 accountability rate.

We know there is no such thing as 100% security whether protecting from hardware or data thieves. Security is an ongoing, never ending, consistent, on your toes, don’t let your guard down, vigilant process.

And its not just criminal hackers causing big problems, lowly burglars looking for their next bag of dope stole a laptop computer from the home of a government employee containing 26.5 million Social Security Numbers, a US primary identifier. This $500 laptop cost millions.

Can you say your organization has a 99.5% success rate?

What policies do you have in place to foster a security minded culture? Here are just a few bullets as examples for you to add too.

# Cover all organizational systems used for processing, storing or transmitting personal information.

# Security risks faced assessed in the development of the policy

# Cost-effective measures devised to reduce the risks to acceptable levels

# Monitored and periodically reviewed.

# Staff and management made aware of the protective security policies and how to implement them.

Robert Siciliano discussing another hack Here