Bankers Warned; Massive Credit Card Processor Breached

Robert Siciliano Identity Theft Expert

Hackers have breached another huge payment processor. Who? As of this writing they aren’t saying. A statement issued by the Community Bankers Association of Illinois states “Visa announced that an unnamed processor recently reported that it discovered a data breach. The processor’s name has been withheld pending completion of the forensic investigation.” The Open Security Foundation posted a notice on its website here.

CBAI report here and highlights below

According to VISA officials, the breach affected all card brands. Evidence indicates that the account number, PAN and expiration dates were stolen. No cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers or other personal information were involved in the breach.

An increase in card-not-present fraud suggests some BIN numbers have been targeted by criminals.

VISA officials reported that while the number of accountholders affected is undetermined, it appears to be fewer than those affected by the recent Heartland Payment Systems breach, but a significant number nonetheless. And unlike the Heartland breach, where thieves also captured Track 2 data, officials reiterated that no personal information was taken in this most recent event.

The status of the processor’s PCI compliance is unknown at this time. Bankers. MORE TO COME….”

Why not go after processors? That’s where all the data is!

Visa and MasterCard are in the process of notifying affected banks about what they say is a “major compromise”. So far this is not related to the Heartland Payment Systems breach where an expected 100 million cards have been compromised. Or it may be, we don’t know.

Initial reports say the criminal hackers planted malware, or malicious software, on the processor’s servers. Malware of this type generally has some type of remote control component that allows a criminal hacker to remotely access the server and divert data underground.

Visa reached out to all affected banks on February 12th when they conducted a conference call disclosing the severity of the issue. Apparently the compromise occurred from February of 2008 till August 2008 the past few weeks.

At this point neither Visa nor MasterCard has disclosed which processor has been compromised, nor have they disclosed the size of the breach.

Whether the unknown processor was compliant or not has also not been revealed.

Check your credit and banking statements carefully. Scrutinize every charge and refute any unauthorized charges within 30-60 days. Call your bank/credit card company immediately if you see any fraudulent activity.

Robert Siciliano Identity Theft Speaker Expert discussing another ugly data breach Here.

Recycle Your Phone? Sell it on eBay? Lose it? Still Have Your Data On It?

Robert Siciliano Identity Theft Speaker – Expert

Cell phones are the invention of the 20th century. It’s a computer and a phone. It’s as cool as the invention of the wheel. It’s the single most effective communication tool since the land line.

Millions of cell phones are sold every year. Many are lost, stolen, millions more end up on eBay, recycled or tossed in the trash. Many of these phones still have enough data on them to commit identity theft or, in the wrong hands, make your life miserable.

A study done in December by Regenersis, a UK based recycler, tested a sampling of 2000 cell phones. They learned 99% had personal identifying data such as banking info, credit card data, personal emails, contacts, text messages, pictures, music, videos, calendar entries, notes, mailing lists, to-do lists, automatic log-ins for Twitter, LinkedIn, Facebook and more.

Studies show cell phones are replaced on average every 18 months. Over the past 4-5 years Blackberrys, iPhones and countless other smartphones/PDAs have flooded the market. All of these devices’ technologies are upgraded within 6 months and the user wants the latest and greatest.

What kind of data is on your phone today? If it fell into the wrong hands would someone have access to all your social network sites? Usernames and passwords? Customer data? Corporate secrets?

Someone recently bought a Blackberry off eBay and scored phone numbers for Hollywood producers, writers and movie stars Natalie Portman, Julianne Moore and Jude Law. Not a huge deal, but in the wrong hands problematic for the affected.

What if someone got the names, addresses and emails for everyone in your life? Not good.

It’s not just cell phones that often contain data. Thumb drives and MP3 players are also problematic. Credant Technologies surveyed 500 dry cleaners who said they found numerous USB sticks during the course of a year. Multiplying that by the number of dry cleaners, they got a figure of approximately 9000 USBs lost and found annually.

To protect yourself, consider some of the tips below, and this is not a complete list. Please feel free to add in comments.

Don’t store data that will be considered a “data breach” if lost, stolen, sold, recycled.

On phones, have strong password protection. Lock it up.

Remove your SIM card upon selling.

Reformat the phone’s operating system multiple times. This generally wipes off the data, but there are programs that do it more thoroughly. There is no universal way to reformat. It is different with every phone/manufacturer/operating system.

Robert Siciliano Identity Theft Expert discussing cell phone security Here

Phishing Attacks Rise Dramatically in 2008

Robert Siciliano Identity Theft Expert – Speaker

Stupid people get hooked by phishers. You have to be a complete idiot to get sucked into a scam email that has typos making requests that are geared toward naïve simple minded pea brain fools. Right? Yes? No? So why have phishing attacks risen dramatically in 2008? That’s 66% higher than in 2007.

Have we gotten dumber or are the attackers getting smarter?

RSA concluded that phishing attacks rose to an unprecedented 15,002 in April of 2008. Millions of people in mainly English speaking nations receiving ruse after ruse. 68% of US bank brands attacked. Less than 7% UK brands experiencing less than attacks.

However the UK takes the title for the most exploits as the most phished country in the world equating to 40% of the 135,426 cases detected by RSA.

This seems to be due to the UK’s system allowing fraudulent transfers fast enough, in “real time”, to avoid detection. Criminals like real-time fast cash.

Much of the success of phishers is that they are in fact getting smarter using “fast flux” attacks. *Fast flux is a technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. *Thank you Wikipedia.
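A defender-side heuristic for the fast flux behaviour described above, as an added example that is not part of the original post: it scores passive DNS observations for short TTLs and a churning, widely scattered set of A records. The sample records, domain names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: (domain, query time in seconds, TTL, A records returned).
# Domains and addresses are made up (reserved/documentation/private ranges).
OBSERVATIONS = [
    ("login.bank-example.test", 0,    86400, ["192.0.2.10", "192.0.2.11"]),
    ("login.bank-example.test", 600,  86400, ["192.0.2.10", "192.0.2.11"]),
    ("login.bank-example.test", 1200, 86400, ["192.0.2.11", "192.0.2.10"]),
    ("secure-update.example",   0,    180,   ["10.1.4.7", "172.16.9.20", "198.51.100.3"]),
    ("secure-update.example",   600,  180,   ["10.77.2.1", "203.0.113.50", "172.20.1.9"]),
    ("secure-update.example",   1200, 120,   ["10.200.8.8", "198.51.100.77", "172.31.4.4"]),
]

# Hypothetical thresholds; tune against your own resolver logs.
MAX_TTL = 300        # flux domains hand out short-lived answers
MIN_IPS = 6          # many distinct hosts seen across lookups
MIN_NETWORKS = 4     # ...scattered over unrelated /16 networks (IPv4 only)
MAX_OVERLAP = 0.5    # successive answers share few addresses


def flux_profile(observations):
    """Summarise per-domain churn in the A records seen over time."""
    by_domain = defaultdict(list)
    for domain, ts, ttl, ips in observations:
        by_domain[domain].append((ts, ttl, set(ips)))
    profiles = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])
        all_ips = set().union(*(ips for _, _, ips in rows))
        networks = {int(ip_address(ip)) >> 16 for ip in all_ips}
        # Jaccard overlap between consecutive answers: ~1.0 means a stable set
        overlaps = [len(a & b) / len(a | b)
                    for (_, _, a), (_, _, b) in zip(rows, rows[1:])]
        profiles[domain] = {
            "max_ttl": max(ttl for _, ttl, _ in rows),
            "distinct_ips": len(all_ips),
            "distinct_networks": len(networks),
            "mean_overlap": sum(overlaps) / len(overlaps) if overlaps else 1.0,
        }
    return profiles


def suspected_fast_flux(observations):
    """Return domains whose answers look like a rotating proxy pool."""
    return sorted(d for d, p in flux_profile(observations).items()
                  if p["max_ttl"] <= MAX_TTL and p["distinct_ips"] >= MIN_IPS
                  and p["distinct_networks"] >= MIN_NETWORKS
                  and p["mean_overlap"] <= MAX_OVERLAP)
```

Legitimate CDNs also rotate addresses on short TTLs, so a hit here is a lead for review rather than a verdict.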

Tonight I spent 2 hours on the phone in a webinar with a startup reviewing a fully functional toolbar that makes 54 checks to determine the validity of a website checking for phishing, pharming etc. All any bank needs to do is adopt the technology and require their clients to adopt it in the sign-in process. In most cases problems solved.

And do you know what we labored over in this call? How to get all the bank’s clients to install a simple toolbar that would protect them and the bank.

Why is this so difficult?

Robert Siciliano Identity Theft Expert discussing Scambaiter in video Here

Nuclear Weapons, CyberSecurity and an Unlocked Door.

Robert Siciliano Identity Theft Expert Speaker www.IDTheftSecurity.com

What happens when you have an unlocked door at the home of an employee at the top U.S. nuclear weapons laboratory? How about 3 stolen computers with yet to be disclosed data, that was said to be non-classified. We hope. Were the computers stolen to be resold for crack? Or for nuclear weapons secrets? We may never know. Or we may find out the hard way.

At the Los Alamos National Laboratory in Santa Fe New Mexico dozens more (67 total) systems are currently listed as missing. Officials are conducting a full review of the lab’s policies and procedures governing the use of official computers at employees’ homes.

Situations like this are common in every industry with every conceivable form of data. We just wish it wasn’t data from a nuclear weapons facility.

It’s important to point out that the facility has as many as 40,000 computers including desktops, laptops, PDAs, printers and so on. Do the math, less than .25 percent lost or stolen. The lab has been documented at a better than 99.5 accountability rate.

We know there is no such thing as 100% security whether protecting from hardware or data thieves. Security is an ongoing, never ending, consistent, on your toes, don’t let your guard down, vigilant process.

And it’s not just criminal hackers causing big problems. Lowly burglars looking for their next bag of dope stole a laptop computer from the home of a government employee containing 26.5 million Social Security Numbers, a US primary identifier. This $500 laptop cost millions.

Can you say your organization has a 99.5% success rate?

What policies do you have in place to foster a security minded culture? Here are just a few bullets as examples for you to add to.

# Cover all organizational systems used for processing, storing or transmitting personal information.

# Security risks faced assessed in the development of the policy

# Cost-effective measures devised to reduce the risks to acceptable levels

# Monitored and periodically reviewed.

# Staff and management made aware of the protective security policies and how to implement them.

Robert Siciliano discussing another hack Here

Bank Robberies Spike, Blame The Economy?

Robert Siciliano

Often I’m called to provide perspective on breaking news as it relates to personal security, violence and fraud. Tonight it was bank robbery. In Boston a white male suspect in his 20’s has robbed at least 4 banks since Feb. 3rd and two of those were done today within a few miles of each other.

In the first, he went up to a teller who was in training, startled, she said she did not have any money in the drawer and he left the bank without trying. Obviously he did not have an alternative plan.

Each time he has passed a note demanding money and implies a weapon, but no weapon is shown.

The local police department talked to the media about how more and more suspects are desperate because of the economy and not experienced bank robbers. They also said that a lot of them don’t care about the surveillance cameras or the jail time that they might face if caught. The FBI and local police departments are investigating these robberies.

In New York City bank robberies have risen 54 percent compared with last year, with criminals committing more than 430 in the past year, according to the NYPD.

New York’s police commissioner was quoted saying “They’ve turned banks into cash machines.”

Numerous studies certainly show crime tends to rise when times are tough. Right now it’s pretty tough and getting uglier for many. But rob a bank? I know plenty of people who have hit hard times. I can’t think of one who had the epiphany “Today I’ll rob a bank”.

I saw a story recently about a guy who walked out of a grocery store and stole a full cart of food to feed his family and was caught. He was quoted saying “it was worth the risk to feed my family”.

Illegal, wrong, understandable.

What’s more likely is people who are robbing banks have committed crimes before. Bank robbery is a desperate and aggressive act. Chances are this individual is like most, suffering from addiction, heroin, OxyContin, and is desperate for his next hit. People who rob banks have an equal amount of desperation and stupidity as they do huge balls.

Bank robbers aren’t Robert De Niro in Heat or Jim Carrey in Dick and Jane.

I think it’s safe to say that while the economy may have people all jittery, you won’t see many executives from failed investment firms who were laid off go and rob a bank. This person hasn’t robbed four banks to pay his cable bill. He’s a mess.

These aren’t well thought out, rational, previously employed people. These are people who have been involved in criminal acts their whole lives and this is the next step for them.

I would gather that someone is doing a study somewhere and will conclude that in fact there is a spike in robberies during hard times. We see the same thing around the holidays. People are emotional, they feel pressure and go a bit nutty.

Why isn’t every bank on earth equipped with an access control vestibule so criminals are prevented from entering with guns or trapped like this idiot?

Robert Siciliano discussing bank robbers motivations Here

Quarter Million Dollar Bounty for Criminal Hacker

Robert Siciliano Identity Theft Speaker and Expert

In a Microsoft press release a global bounty has been offered for the arrest and prosecution of whoever created and released the “Conficker” virus.

Conficker was released in the last quarter of 2008, and estimates of infected PCs range widely, from 2 million to 10 million. After issuing patches, Microsoft estimates approximately 3 million PCs globally are still compromised.

However, none of the PCs infected with Conficker are displaying any of the characteristics generally exhibited by the recent spate of viruses offering a remote control component and often used to host spoofed websites and other malicious fraud related activities.

This virus is, however, designed to constantly ping some 250 different domains that were most likely controlled by the criminal hackers that created it. The virus acts like any software calling home looking for an update, checking time/date stamps and what version is running.

It is widely believed that Conficker is waiting for its next set of updates to unleash the endgame its writers had in mind. BRILLIANT!

Many who study Conficker as it phones home have been monitoring the 250 domains looking for the next “update”.

These domains include the top-level domains .com, .net and .org, all of which fall under the Internet Corporation for Assigned Names and Numbers (ICANN), which heads up the domain registration industry. ICANN’s rules prohibit such reserving of domains. ICANN then worked with registrars in heading off any future registration of Conficker-sought domains.

What has been out of the control of ICANN has been .ws and .cn (China) based domains, and due to the ferocity of Conficker and negotiations by ICANN, China and other global registrars have agreed to make it difficult for Conficker to continue to control its 250 base domains or seek others along the string.

What we are seeing here is a global effort by international agencies, security professionals from around the world and Microsoft working together to defeat an unknown attacker that, if left unmatched, could infect a significant portion of the world’s computers.

This story is not over.

Robert Siciliano Identity Theft Expert-Speaker video discussing rise in identity theft Here