Breach Means More Retailer Card Fraud

Over the past 5 years, a scam known as electronic funds transfer at the point of sale (EFTPOS) skimming has been prevalent. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services, and hackers have figured out how to skim those customer cards.

In Australia, fast-food, convenience and specialist clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted for card skimming.

Officials say the problem is so bad that they urged people to change their credit and debit card PINs weekly to avoid the possibility of having their account balances wiped out, as more cases were likely to be identified.

In the United States a similar card skimming scam was pulled off at the Stop and Shop Supermarket chain.


The most recent large card data breach was from Barnes & Noble. “Barnes & Noble has detected tampering with PIN pad devices used in 63 of its stores. Upon detecting evidence of tampering, which was limited to one compromised PIN pad in each of the affected stores, Barnes & Noble discontinued use of all PIN pads in its nearly 700 stores nationwide. The company also notified federal law enforcement authorities, and has been supporting a federal government investigation into the matter. Barnes & Noble has completed an internal investigation that involved the inspection and validation of every PIN pad in every store. The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases. This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.”

When these stolen credit cards are used online, iovation’s ReputationManager 360 helps banks and online merchants avoid fraud losses by detecting high-risk behavior and stopping cybercriminals in their tracks. iovation’s device identification and device reputation technology assesses risk on activities taking place at various points within an online site, such as account creation, logging in, updating account information, attempting a purchase, or transferring funds. These checks can be customized and fine-tuned to suit the needs of a particular business, detecting fraudulent and risky behavior in order to identify and block cybercriminals for good.

Consumers must pay close attention to their statements and dispute unauthorized charges within 60 days. I recommend going online at least weekly and looking closely at all your charges, no matter how small they are.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Dating Extortion Scams On The Rise

The Internet Crime Complaint Center has recently received reports regarding a scam that baits individuals into intimate online conversations and then extorts them for financial gain. The scam was initiated after the victims met someone online, such as on a dating site, and were asked to connect via a specific online social network. Shortly after, the conversations became sexual in nature. Later, victims received text messages either containing their names and asking if it was them, or containing a statement that indicated their names were posted on a particular website.

The victims were provided a link to a page on the website that claimed they were a “cheater.” Photos of the victims and their telephone numbers were also posted. There was an option to view and buy the posted conversations for $9. Victims were also given the option to have their names and conversations removed for $99. Some were even told that once the payment was made, the information would be removed within an hour and the website would not allow anyone to post anything pertaining to the victims’ names again. However, reports do not indicate that the information was ever removed.

If more online dating sites incorporated device reputation checks for suspicious computer history and investigated for characteristics consistent with fraudulent use, they’d be able to deny criminals, often before the first time they tried to sign up.

If you use an online dating service, be on guard for scams. Stick to legitimate, well-known websites, and get referrals from friends who have successfully met romantic partners online. But never let your guard down.

When creating your dating profile, never post personal information, including your middle name, full address, phone number or entire birth date.

To vet potential dates, look for information about them elsewhere online, and confirm that it matches the information in their online dating profiles.

If a potential date asks for a loan or any financial information, report them to the dating website immediately.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

City Bank Account Hacked for 400K

KOMO reports: “The city of Burlington (Washington) is warning its employees to check their bank accounts after finding out funds have been stolen. They believe computer hackers got access to the city bank account, which is used as a direct deposit to pay workers. It is unknown how much money was taken, but more than $400,000 has been transferred to several accounts over the past two days.” “Any time that more than $400,000 actually moves out of a city of Burlington account, there can’t possibly be a joke involved,” said town administrator Bryan Harrison. “It actually is very chilling.”

Chilling indeed. Hacks like this often take place as a result of a virus getting into a machine that has access to the bank account. In one scenario, the offending machine is not properly updated with antivirus, and the virus either gives a criminal remote access to the device or acts as a man-in-the-middle between the user and the bank.

RSA reports that, in one of the most interesting cases of organized cybercrime this year, a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date.

RSA further reports that American banks are the major target. “Another attractive element for the attackers appears to be the slim deployment of two-factor authentication (2FA) for private banking consumers in the US, unlike many European banks that generally require all consumers to use 2FA for wire transfers.”

Multi-factor authentication requires a username and password (“something you know”) plus “something you have”: a personal security device separate from the PC. But even that is not enough.

The Federal Financial Institutions Examination Council (FFIEC) states: “Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security, as described herein.”

Enhanced device identification is also essential. The FFIEC suggests complex device identification. While complex device identification is more sophisticated than previous techniques, rather than stopping there, institutions should incorporate device reputation management as well.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Identity Theft Crime Ring Leader Gets 25 Years

The leader of a crime ring was sentenced to 25 years in state prison for stealing thousands of personal identities and counterfeiting credit cards to buy high-end goods to be resold on eBay and Craigslist. Christopher John Aragon, 52, Capistrano Beach, pleaded guilty March 26, 2012, to 50 felony counts including 33 counts of unauthorized use of personal identifying information, 13 counts of grand theft, two counts of counterfeiting access cards, and one count each of conspiracy to commit a crime and the sale or transport of a controlled substance. He also admitted to two sentencing enhancements for property damage over $1 million and aggravated white collar crime over $500,000.

Dude was a prolific identity thief.

Between March 29, 2004, and April 15, 2007, Christopher Aragon led a crime ring which included his wife Clara Aragon and six co-defendants. Co-defendant Shitrit was a hacker who obtained victims’ credit card numbers used to encode forged credit cards. Christopher Aragon and his co-defendants used credit profiles and personal identifying information of victims to make fraudulent California driver’s licenses, credit cards, and gift cards. The defendants encoded the magnetic strips of the credit and gift cards with stolen account information, and used the cards to purchase high-end merchandise, including designer handbags, jewelry, clothing, and electronics.

At Shitrit’s Aliso Viejo apartment, investigators found a forgery lab for encoding credit cards that was still being set up, along with credit card writers and thumb drives holding thousands of hacked and stolen credit card numbers.

In a similar bust, Kirkland, Washington police detectives received a great deal of assistance from Portland-based iovation. iovation’s ReputationManager 360 service was used to track down the fraudulent credit applications at various retail chains, which originated from a group of computers that iovation linked together within its vast network of more than 950 million unique devices. In addition to nabbing the thief, they were able to help identify other victims within the state who were not yet aware they had been impacted.

Protect yourself:

Get a credit freeze

Monitor your credit card statements

Get a locking mailbox

Check your credit report at least every year.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Hackers: The Good, The Bad and The Money

The term “hacker” was made popular by Steven Levy in his 1984 book “Hackers: Heroes of the Computer Revolution,” which was about those brilliant and eccentric nerds from the late 1950s through the early ’80s who took risks, bent the rules, and pushed the world in a radical new direction.


In the past decade there have been hundreds of data breaches resulting in millions of compromised records. The motivation behind these hacks? Identity Theft. Meanwhile dozens of new laws and government intervention to protect citizen data have emerged.

Black Hat (bad), White Hat (good) or Grey Hat (good by day, bad by night): over the past decade the media has given the term “hacker” a negative connotation. Or is it hackers that gave the term a negative connotation?

Either way, whenever I’m talking bad guy hacker I’m careful to precede the word hacker with “criminal” so I don’t piss off anyone who considers themselves a good guy hacker.

Thomas Edison, Benjamin Franklin and Alexander Graham Bell were all hackers. Good ones too.

Today we are faced with a real issue of hackers attacking our financial systems, critical infrastructure and even our own PCs. And now, as we use our mobile phones for commerce, hackers are going after them too.

John Haney, Sales Executive at iovation stated “With more people than ever conducting banking activities from mobile devices, being able to proactively detect risk and suspicious activity in real-time is essential to protecting financial institutions and their customers. Although mobile banking is a powerful tool, it can also be used as a weapon for cybercrime and we want financial institutions to be prepared to fight mobile fraud. This is especially poignant given the FFIEC guidelines that established expectations for companies to adopt a layered approach to prevent cyber-attacks.”

Through its ReputationManager 360 service, iovation tracks the reputations of everything from desktops to laptops, mobile phones to tablets, and gaming consoles to smart TVs. By utilizing iovation’s device reputation intelligence.

Meanwhile, as a consumer, you are directly responsible for the security of your own network and devices.

Install and update antivirus, antispyware, antiphishing and a firewall on your devices.

Update your operating system’s critical security patches.

Encrypt your home/office WiFi connection

Beware of phishing, vishing and internet scams.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Bieber Fever Results In Fraudulent Ticket Sales

Bieber Fever is a sickness that has recently become more common, where a kid is extremely obsessed with Justin Bieber and everything related to him. The act, or disease, is most commonly found in girls, but occasionally in a guy or two.

Example: Girl: “Dude omgomgomgomgomg i loooooove Justin Bieber he doesn’t know it yet but I’m gonna marry him!” If you are 12, you probably caught it. If you have a 12-year-old, then you may have unfortunately got the bug from your kid. There is no known cure for this.

The fever sometimes makes people do crazy things, like buy Bieber tickets off Craigslist. Dallas News reports: “Many go through different venues to try to find the best tickets and this can end up costing a lot more than they bargained for. According to the report several people have allegedly been scammed by the same man. Concert tickets like the ones for Bieber’s concert are the specialty of scammers due to the high demand for these. It is always advised to buy concert tickets from an authorized seller or venue.”

Avoid scalpers, period. Unless you know them personally, just buy tickets at the venue’s window. When purchasing tickets online, stick to legitimate websites. An online search will probably turn up plenty of options, but only buy from familiar, trusted brokers.

Scam artists often take advantage of online ticket companies by buying up blocks of tickets with stolen credit cards, either to counterfeit or simply to overcharge the public.

Fortunately, some ticket brokers have deployed device reputation, which allows them to uncover computers or other devices responsible for fraudulent activity or exhibiting suspicious behavior at the point of sale, and to deny transactions from these devices. This kind of visibility gives ticketing businesses a powerful advantage. More than ever, they can easily identify the scam artists and where they’re coming from.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

FBI: Focusing on Hackers and Intrusions

Your tax dollars are being put to work in ways to secure your bank accounts and our critical infrastructure. But there’s still more work to do.

The FBI reports that early last year, hackers were discovered embedding malicious software in two million computers, opening a virtual door for criminals to rifle through users’ valuable personal and financial information. Last fall, an overseas crime ring was shut down after infecting four million computers, including half a million in the U.S. In recent months, some of the biggest companies and organizations in the U.S. have been working overtime to fend off continuous intrusion attacks aimed at their networks.

To that end, the FBI over the past year has put in place an initiative to uncover and investigate web-based intrusion attacks and develop a cadre of specially trained computer scientists able to extract hackers’ digital signatures from mountains of malicious code. Agents are cultivating cyber-oriented relationships with the technical leads at financial, business, transportation, and other critical infrastructures on their beats.

Richard McFeely, executive assistant director of the Bureau’s Criminal, Cyber, Response, and Services Branch, was quoted saying: “It’s important that everybody understands that if you have a computer that is outward-facing—that it’s connected to the web—that your computer is at some point going to be under attack. You need to be aware of the threat and you need to take it seriously.”

When he says “you” he means banks, retailers, and just about everyone involved in eCommerce or anyone with a connection to the internet.

Smart businesses engaged in eCommerce are helping to stem the tide of cybercrime by incorporating device reputation into their transactions. iovation is headquartered in Portland, Oregon, and has pioneered the use of device reputation to stop online fraud and abuse. Its software-as-a-service, used by online businesses, assesses the risk of Internet transactions all over the world and recognizes whether a device such as a PC, tablet or smartphone has a history of fraudulent behavior. This helps organizations make educated decisions about whether they want to do business with the person using the device.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Classified Ad Scams Target Pet Lovers

I love my dog, a 60 lb German Shepherd. Small for a shepherd, but she was the runt. I’ve always rooted for the underdog. The underdog has more heart, more passion and often tries harder.

Anyway, people love their pets, which is why pets are a multi-billion-dollar-a-year business. Scammers know this too, and they prey upon classified ad users who are seeking their next pet.

This story caught my eye, “A warning for internet users: an online scam targeting pet-lovers is circulating the web, and it could cost you more than a new pet.”

An ad was posted to a local online classifieds website by a man who claimed he was living in Florida. The seller said he had recently moved to Miami, and couldn’t keep his dog due to his new living conditions. He was willing to give the Labrador Retriever puppy named Dely away for the cost of shipping, which was $220.

The couple sent a delivery service $220 by way of Western Union. The delivery service told the family to send another $820 or risk losing the dog. That’s when the couple realized they’d been scammed. They told the person on the other end of the phone the deal was off. But the caller kept calling, becoming more aggressive each time.

“He kept calling me saying the dog’s here,” said the victim. “Making me feel like this poor dog is sitting somewhere unattended.” When the caller realized the couple wasn’t sending the extra $820, he threatened to turn them in to authorities and charge them with animal abandonment. Officials determined the entire thing was a scam.

Scammers will say and do anything to get a person to part with their money. At first they had a sob story that sounded like a legitimate issue: new housing that wouldn’t allow a pet. Posted as a classified ad, it looks legitimate. Then they involved a “shipping company” that was a front for the scam. The moment the victims were asked to send a money transfer should have been a red flag.

It’s usually best to do business like this locally.

Never automatically trust anyone over the phone or via the internet.

Unless the business is one that is well established online, don’t ever send money that you can’t get back.

Many classified sites stop fraudulent ads from being published in the first place by incorporating device-based intelligence that helps them assess risk upfront. Fraud prevention technology offered by iovation Inc. not only helps these sites identify repeat offenders coming in under multiple fake identities, but also detects when scammers are attempting to place multiple fraudulent ads using a variety of computers, tablets and smartphones. This greatly helps rid these sites of undesirables and protect their valued members.

Fraud analysts review thousands of transactions per month on auction sites. They watch for emerging schemes such as the popular “advance fee schemes,” where bad actors posing as sellers require down payments to be wired to them, and “text message fraud,” where legitimate sellers receive text messages that start the process of being scammed.

Online businesses can see what kind of fraud records are associated with a device touching their website before accepting a new account registration, by tapping into iovation’s cybercrime intelligence network with over 10 million fraud events and more than 1 billion devices.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Skimming, Identity Theft and How Online Businesses Defend Against Cybercrime

Over the past 5 years, a scam known as electronic funds transfer at the point of sale (EFTPOS) skimming has been prevalent. Consumers commonly swipe both credit and debit cards through the in-store machines to pay for goods and services, and hackers have been adept at coming up with ways to skim those customer cards.

In one such case, Romanian hackers were indicted and charged with remotely accessing hundreds of small businesses’ POS systems and stealing enough credit card data to rack up fraudulent charges totaling over $3 million. The hackers’ targets included more than 150 Subway restaurant franchises and at least 50 smaller retailers.

SCMagazine reports: “An Eastern European criminal syndicate has hacked into a small Australian business and stolen details of half a million credit cards from the company’s network. In both cases, the syndicate captured credit card details using keyloggers installed within Point of Sale (POS) terminals and siphoned the data through an insecure, open Microsoft Remote Desktop Protocol (RDP) connection. The syndicate found its victims by scanning the internet for vulnerable POS terminals.”

Card skimming is just one of many ways that cybercriminals obtain access to stolen identities. And what happens once they have this information? They begin hitting many of the major brand websites to purchase products that are commonly found in our homes and offices. How can retailers, ticketing companies, gaming sites and credit issuers protect their businesses and customers from fraudulent transactions?

Many start by identifying the device being used to access their website, through advanced device identification technology. Is it a computer, laptop, tablet, mobile phone or another Internet-enabled device? Is that device already known to iovation’s cybercrime intelligence network? If so, has it been involved in fraudulent or abusive activities in the past? Oftentimes, known bad devices have a history of credit card fraud, identity theft, account takeover attempts and other abuses. If the device comes back clean, is it related to other known bad devices?

iovation also helps its clients understand the web of associations between related devices, which helps businesses identify and shut down entire fraud rings. Lastly, online businesses run their highly customized business rules as the transaction or activity is attempted. Many of iovation’s clients have more than 100 business rules on their site that help them assess risk in real time. These business rules can trigger on factors including velocity, device anomalies, proxy use, age of the device-to-account association, and more.
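To make the sequence just described concrete, here is an added Python sketch of a real-time device reputation check: look the device up, deny on its own fraud history, walk the association graph for links to known bad devices, then score the attempt against velocity, proxy, device anomaly and account-age rules. This is illustration written for this page, not iovation’s code or API (which the post does not describe); the device records, association edges, activity log, rule thresholds and transactions are all constructed.

```python
"""Toy device-reputation check (constructed example, not a vendor implementation)."""
from datetime import datetime, timedelta

# Constructed reputation store: device id -> type and recorded fraud events.
DEVICES = {
    "dev-A": {"type": "laptop", "fraud_events": ["credit card fraud"]},
    "dev-B": {"type": "smartphone", "fraud_events": []},
    "dev-C": {"type": "tablet", "fraud_events": []},
    "dev-D": {"type": "laptop", "fraud_events": []},
}

# Constructed association edges: device pairs seen sharing an account or card.
ASSOCIATIONS = [("dev-A", "dev-B"), ("dev-B", "dev-D")]

# Constructed activity log: (device id, ISO timestamp, activity).
EVENTS = [
    ("dev-B", "2012-11-01T09:00:00", "purchase"),
    ("dev-B", "2012-11-01T09:05:00", "purchase"),
    ("dev-B", "2012-11-01T09:07:00", "purchase"),
    ("dev-B", "2012-11-01T09:09:00", "purchase"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def related_devices(device_id, max_hops=2):
    """Devices reachable within max_hops association edges (the 'web of associations')."""
    seen, frontier = {device_id}, {device_id}
    for _ in range(max_hops):
        nxt = set()
        for a, b in ASSOCIATIONS:
            if a in frontier and b not in seen:
                nxt.add(b)
            if b in frontier and a not in seen:
                nxt.add(a)
        seen |= nxt
        frontier = nxt
    seen.discard(device_id)
    return seen


def known_bad(device_id):
    """True when the reputation store records any fraud event for the device."""
    return bool(DEVICES.get(device_id, {}).get("fraud_events"))


def velocity(device_id, now, window=timedelta(hours=24)):
    """Number of purchases from this device in the trailing window ending at `now`."""
    return sum(1 for d, ts, act in EVENTS
               if d == device_id and act == "purchase" and now - window <= parse(ts) <= now)


# Business rules: (name, predicate on the transaction, risk points). Thresholds are constructed.
RULES = [
    ("linked_to_known_bad_device",
     lambda tx: any(known_bad(d) for d in related_devices(tx["device_id"])), 40),
    ("high_purchase_velocity",
     lambda tx: velocity(tx["device_id"], parse(tx["ts"])) > 3, 30),
    ("proxy_in_use", lambda tx: tx["proxy"], 20),
    ("device_timezone_mismatch", lambda tx: tx["device_tz"] != tx["ip_tz"], 15),
    ("new_device_account_link",
     lambda tx: parse(tx["ts"]) - parse(tx["account_linked_at"]) < timedelta(days=1), 15),
]


def assess(tx):
    """Run the reputation check for one attempted transaction; returns decision, score, reasons."""
    # Step 1: identify the device; a never-seen device starts with an empty record.
    DEVICES.setdefault(tx["device_id"], {"type": tx.get("device_type", "unknown"), "fraud_events": []})
    # Step 2: a device with its own fraud history is denied outright.
    if known_bad(tx["device_id"]):
        return {"decision": "deny", "score": 100, "reasons": ["device_has_fraud_history"]}
    # Steps 3-4: associations and business rules contribute to a score.
    score, reasons = 0, []
    for name, predicate, points in RULES:
        if predicate(tx):
            score += points
            reasons.append(name)
    decision = "deny" if score >= 60 else "review" if score >= 30 else "allow"
    return {"decision": decision, "score": score, "reasons": reasons}


# Constructed transactions exercising each path.
SAMPLE_TRANSACTIONS = {
    "known_bad": {"device_id": "dev-A", "ts": "2012-11-01T10:00:00", "proxy": False,
                  "device_tz": "America/Los_Angeles", "ip_tz": "America/Los_Angeles",
                  "account_linked_at": "2012-01-01T00:00:00"},
    "ring_member": {"device_id": "dev-B", "ts": "2012-11-01T09:10:00", "proxy": True,
                    "device_tz": "America/Los_Angeles", "ip_tz": "America/Los_Angeles",
                    "account_linked_at": "2012-10-01T00:00:00"},
    "fresh_account": {"device_id": "dev-C", "ts": "2012-11-01T12:00:00", "proxy": False,
                      "device_tz": "Europe/Bucharest", "ip_tz": "America/New_York",
                      "account_linked_at": "2012-11-01T11:50:00"},
    "clean": {"device_id": "dev-E", "device_type": "tablet", "ts": "2012-11-01T13:00:00",
              "proxy": False, "device_tz": "America/Chicago", "ip_tz": "America/Chicago",
              "account_linked_at": "2012-09-01T00:00:00"},
}

if __name__ == "__main__":
    for label, tx in SAMPLE_TRANSACTIONS.items():
        print(label, assess(tx))
```

The two-hop association walk is what turns a single flagged device into a ring: dev-D has no fraud history of its own, yet a purchase from it would score 40 points purely because it shares an account with dev-B, which in turn shares one with the flagged dev-A. In production the thresholds, hop limit and point weights would be tuned per business, which is what the post means by customized business rules.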

Last week at the Merchant Risk Council Platinum Meeting in Seattle, iovation demonstrated its ReputationManager 360 fraud prevention service and showed, in simple terms, what happens during a real-time device reputation check.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

14 Busted In Tax Fraud Identity Theft

Calling all identity thieves, stop wasting your time trying to open new credit card accounts or taking over existing credit card accounts, the money is in IRS tax related identity theft.

The IRS is struggling to keep up with all the fraudulent income tax returns coming in via US postal and online filings. Criminals are obtaining millions of Social Security numbers, filing under the victims’ personal information and collecting their refunds at an alarming rate.

Reuters reports “Fourteen people were arrested on Wednesday and charged with operating a long-running U.S. identity theft ring that filed thousands of fraudulent federal income tax returns to claim $65 million in illegal refunds, according to the U.S. Attorney’s office in New Jersey.”

Criminals are filing thousands of fake returns using real people’s information and collecting millions. The U.S. Attorney was quoted saying “The defendants in this case allegedly tried to steal $65 million using stolen identities to obtain refunds to which they were not entitled.” But they still managed to get $11.3 million. Many of the refund checks were being sent to the same addresses.

The Treasury Inspector General for Tax Administration reports over 2 billion dollars lost annually to tax-related identity theft, with victims doubling in 2011 to over 641,000. The Treasury also stated that $26 billion could be lost in the next 5 years if the IRS doesn’t fix the problem. The problem stems from the IRS not being able to effectively determine whether a return is being filed in good faith or fraudulently.

One way to determine if an online filing is legitimate is to check the reputation of the device issuing the tax return. If the PC, Mac, tablet or smartphone has a history of online criminal behavior or is exhibiting real-time suspicious behavior, the transaction could be flagged for review before the return is accepted or processed. By using advanced device reputation as the first check in the fraud detection process, the IRS would be able to stop many more fraudulent tax returns as well as downstream fraudulent activities.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)