What is “Social Registration”?

Social media has evolved into the fifth major form of media: print, radio, television, Internet, social. While social media functions on the Internet, there’s no denying that it is its own platform. It encompasses most forms of media in one tight and neat package. Some social networking sites have more users than some countries have residents.

In the process of this explosive growth, a few social networking websites like Facebook, Twitter, and LinkedIn have risen to the top. And in each frontrunner’s quest to be the biggest, fastest, and strongest, each wants to be your “single sign-on” in the form of a registration. Webmail providers Google and Yahoo also want you to log in to other sites using their credentials. This means when you visit any other site with a registration requirement, they may ask for your username and password but also give you the option to log in using your Facebook or Google credentials.

This same process can also link your different social media communities with each other and facilitate cross-posting.

The idea behind social registration is that each user has a somewhat established online identity. Over time, the user’s various identities in each community or platform begin to merge for purposes of shopping, communicating, and connecting to different devices. This can allow you to hop from one place to another without having to enter multiple usernames and passwords.

All that said, rarely will I engage in social registration. If one account is ever compromised, and it’s linked to others, then the hacker accesses multiple accounts with a single hack. If the accounts are of low security value then it may not be a big deal, but once email credentials are involved, the risks increase. There are security measures behind the scenes that protect you in some ways. I’m just not so trusting.

Look at it this way: does your online banking interface allow you to log in via Facebook? I didn’t think so. Of course, if anyone wants to walk me through their bulletproof process and change my mind, I’m listening.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses hackers on social media on CNN. (Disclosures)

Why You Need to Pay Attention to Credit Card Statements

Despite what silly James Bond-esque credit card commercials may imply, credit card companies don’t really protect you to the degree you expect. If a credit card company detects irregular spending on your credit card, they may freeze your account or call to verify your identity. While these measures do help secure your card to an extent, they cannot prevent or detect all types of credit card fraud.

The Federal Trade Commission recently filed a lawsuit describing a criminal enterprise responsible for “micro charges,” fraudulent charges ranging from 20 cents to $10, to as many as one million credit cards since approximately 2006. Because the amounts were low, most of the fraud went unnoticed by cardholders. Money mules were used to divert the funds to Eastern European countries. (“Money mules” are typically individuals who are recruited to assist in a criminal enterprise via help wanted advertisements on job placement websites. In this case, the mules believed they were applying to be financial services managers.) These mules opened numerous LLCs and bank accounts. They also set up websites with toll free numbers, creating an apparently legitimate web presence. Thanks to this facade, the websites were granted merchant status, allowing them to process credit card orders.

The victims of this scam would see the fictional merchant’s name and toll free number on their credit card statements. If they attempted to dispute a charge, the toll free numbers would go to voicemail or be disconnected. Most frustrated consumers may not bother to take the additional step of disputing a 20 cent charge with the credit card company.

The money mules involved in this scam have been located, but the true scammers have yet to be identified.

If you fail to recognize and dispute unauthorized transactions on your credit card statements before the dispute window closes, you end up paying for the fraudulent charges yourself. While 20 cents may not seem worth the bother, these seemingly minor charges are certainly funding criminal activity, and perhaps even terrorism. So take the time to scrutinize those charges every single month.

Robert Siciliano, personal security adviser to Just Ask Gemalto, discusses credit card fraud on NBC Boston. (Disclosures)

Giving Your Credit Card to a Hotel? Watch Your Statements.

Personally, I don’t particularly enjoy staying in hotels. Sure, after a long day of travel, the hotel is a relief, but in most cases, I’d much rather sleep in my own bed. Criminal hackers, on the other hand, love hotels.

According to a recent study, 38% of all credit card breaches occur in hotels. Despite several high profile breaches that recently affected payment processors and banks, the financial services industry only accounts for 19% of breaches. Retailers came in third at 14%, and restaurants fourth at 13%.

Over the past five years or so, I’ve noticed a trend in which criminals go after the most likely targets, and those victims beef up their defenses in response. So the bad guys move on to the next most likely target – one that hasn’t learned from others’ mistakes.

Hotels are easy targets because they are all credit card-based. It is possible to reserve a room without providing a credit card number, but they don’t make it easy. And hotels themselves certainly aren’t fortresses designed to keep bad guys out. They’re designed to be open and inviting, with, at best, a bellman whose focus is assisting guests rather than guarding the front door. Maybe that mentality exists in hotels’ IT security departments, too.

The root of the issue is the hotel industry’s insufficient security measures to prevent data breaches. Many rely on older point of sale terminals and outdated operating systems, which are more vulnerable to hackers. When the recession hit, many hotels cut back and decided to hold off on upgrades. While their defenses were down, hackers slithered into their networks to steal guests’ personal financial data. Once thieves have accessed this data, they can clone cards with the stolen numbers and use them to make unauthorized charges.

As a consumer, your only recourse is to pay close attention to every single penny charged to your credit card, and dispute any fraudulent or incorrect transactions, no matter how small. Check your statements frequently and be sure to dispute all unauthorized charges within two billing cycles, or 60 days of the statement on which they appear.
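The advice in this post and in the micro-charge post above it comes down to the same routine: read every line, treat small charges from merchants you don’t recognize as suspect, and get the dispute in before the window closes. The following Python script is an added example of that review automated against an exported statement; it is not code from this site, and the merchants, phone numbers, dates and amounts in the sample CSV are constructed for the example. The CSV column names, the “known merchants” list and the 14-day warning threshold are assumptions, not anything an issuer defines.

```python
import csv
from collections import Counter
from datetime import date
from io import StringIO

# Constructed sample statement in the CSV form many issuers let you export.
# Merchants, phone numbers, dates and amounts are made up for this example.
SAMPLE_STATEMENT = """date,merchant,phone,amount
2010-01-04,WEB SERVICES LLC,800-555-0101,0.20
2010-01-30,GROCERY MART #12,,12.00
2010-03-02,GROCERY MART #12,,54.12
2010-03-05,WEB SERVICES LLC,800-555-0101,0.20
2010-03-09,GROCERY MART #12,,31.80
2010-03-14,WEB SERVICES LLC,800-555-0101,0.25
2010-03-21,DATA CONSULT LLC,800-555-0199,9.99
"""
SAMPLE_TODAY = date(2010, 3, 25)
KNOWN_MERCHANTS = {"GROCERY MART #12"}   # merchants the cardholder recognizes (assumed)

MICRO_CHARGE_MAX = 10.00    # the FTC case involved charges of $0.20 to $10
DISPUTE_WINDOW_DAYS = 60    # Fair Credit Billing Act window for billing-error disputes
CLOSING_SOON_DAYS = 14      # warn this many days before the window closes (assumed)


def parse_statement(text: str) -> list:
    """Parse the exported CSV into rows with real dates and rounded amounts."""
    rows = []
    for rec in csv.DictReader(StringIO(text)):
        rows.append({
            "date": date.fromisoformat(rec["date"]),
            "merchant": rec["merchant"].strip().upper(),
            "phone": rec["phone"].strip(),
            "amount": round(float(rec["amount"]), 2),
        })
    return rows


def review(rows: list, known_merchants: set, today: date) -> list:
    """Return [(row, [reasons])] for every line worth a second look, in
    statement order. Age is counted from the transaction date, which is
    earlier than the statement date the law actually uses, so the deadline
    this produces is conservative."""
    known = {m.upper() for m in known_merchants}
    findings = []
    for row in rows:
        reasons = []
        if row["merchant"] not in known:
            reasons.append("unfamiliar merchant")
        if row["amount"] <= MICRO_CHARGE_MAX:
            reasons.append("micro charge")
        age_days = (today - row["date"]).days
        if age_days > DISPUTE_WINDOW_DAYS:
            reasons.append(f"past {DISPUTE_WINDOW_DAYS}-day dispute window")
        elif age_days > DISPUTE_WINDOW_DAYS - CLOSING_SOON_DAYS:
            reasons.append("dispute window closing")
        if reasons:
            findings.append((row, reasons))
    return findings


def repeat_micro_chargers(rows: list, known_merchants: set, min_hits: int = 2) -> dict:
    """Unfamiliar merchants billing small amounts more than once: the pattern
    from the FTC case, which a line-by-line glance tends to miss."""
    known = {m.upper() for m in known_merchants}
    counts = Counter(r["merchant"] for r in rows
                     if r["merchant"] not in known and r["amount"] <= MICRO_CHARGE_MAX)
    return {m: n for m, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    rows = parse_statement(SAMPLE_STATEMENT)
    for row, reasons in review(rows, KNOWN_MERCHANTS, SAMPLE_TODAY):
        print(row["date"], f"{row['merchant']:<18} {row['amount']:>7.2f}  ->", ", ".join(reasons))
    print("repeat micro-chargers:", repeat_micro_chargers(rows, KNOWN_MERCHANTS))
```

Run against the sample, the script flags the three 20- and 25-cent charges from the unfamiliar LLC, groups them so the repetition is visible, and marks the January one as already outside the 60-day window. The merchant phone number is kept in the row precisely because, as the FTC case showed, a toll-free number that goes to voicemail is itself a signal worth noting when you call before disputing.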

Canada and Mexico have adopted smart cards, which use “chip and PIN” technology. Because the chip cannot be copied the way a magnetic stripe can, skimmed data is of little use to thieves at chip-enabled terminals (it can still be abused for online and phone purchases, so statements still need watching). Eventually we may see the adoption of smart cards in the U.S., which would go a long way toward ending this madness.

Robert Siciliano, personal security adviser to Just Ask Gemalto, discusses hackers hacking hotels on CNBC. (Disclosures)

Old Credit Card Technology Facilitates Skimming Fraud

Credit and debit cards in the U.S. use old magnetic stripe technology. The magnetic stripe is the black or brown band on the back of your credit or debit card. Tiny, iron-based magnetic particles in this band store data such as your account number. When the card is swiped through a “reader,” the data stored on the magnetic stripe is accessed. The stripe holds nothing but static data, and card readers, writers, and blank stripe cards are inexpensive and readily available, so anyone who can read a stripe can copy it. That makes the technology highly vulnerable to fraud.

One extremely prevalent example of such fraud is ATM skimming. Skimming occurs when a criminal copies the data stored on your card’s magnetic stripe and burns the stolen data onto a blank card, creating a clone that can be used like any normal credit or debit card.

According to the Smart Card Alliance, twenty-two countries, including China, India, Japan, Mexico, Canada, and many in Western Europe and Latin America, are migrating to encrypted microprocessor chip and PIN technology for credit and debit payments. These new “smart cards” contain an embedded microchip and are authenticated using a personal identification number, or PIN. When a customer uses a smart card to make a purchase, the card is placed into a “PIN pad” terminal or a modified swipe-card reader, which accesses the card’s microchip and verifies the card’s authenticity. The customer then enters a four-digit PIN, which is checked against the PIN stored on the card.
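The difference between the two technologies is static data versus a per-transaction cryptogram: a stripe gives up a copy of everything it knows to any reader, while a chip keeps its key and only ever emits a MAC over the details of the transaction in front of it. The Python sketch below is an added example, not code from this site, the Smart Card Alliance, or any payment network. It stands in for EMV with an HMAC-SHA256 (real cards use issuer-derived session keys and a defined cryptogram format), and the account number, track data and key are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data, not a real account: the static contents of a
# magnetic stripe (PAN=expiry+service code+discretionary data) and the
# issuer's copy of the same record.
SAMPLE_PAN = "4111111111111111"
SAMPLE_TRACK2 = SAMPLE_PAN + "=2512101" + "0000000000000"
ISSUER_TRACK2_RECORD = SAMPLE_TRACK2


def stripe_authorize(presented_track2: str) -> bool:
    """A stripe terminal forwards whatever it read. The issuer can only compare
    the bytes against its static record, so a byte-for-byte copy burned onto a
    blank card is indistinguishable from the original."""
    return hmac.compare_digest(presented_track2.encode(), ISSUER_TRACK2_RECORD.encode())


def _mac(key: bytes, pan: str, amount_cents: int, terminal_nonce: bytes) -> bytes:
    """Stand-in for an EMV application cryptogram: a MAC over the transaction."""
    msg = b"|".join([pan.encode(), str(amount_cents).encode(), terminal_nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()


class ChipCard:
    """Holds a secret key that never leaves the chip; only MACs leave it."""
    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key

    def cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> bytes:
        return _mac(self._key, self.pan, amount_cents, terminal_nonce)


class ReplayingClone:
    """What a skimmer can build from a chip card: no key, only a recording of
    one earlier exchange, which it replays regardless of what the terminal asks."""
    def __init__(self, pan: str, recorded_cryptogram: bytes):
        self.pan = pan
        self._recorded = recorded_cryptogram

    def cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> bytes:
        return self._recorded


class Issuer:
    def __init__(self, pan: str, key: bytes):
        self._keys = {pan: key}

    def verify(self, pan: str, amount_cents: int, terminal_nonce: bytes, cryptogram: bytes) -> bool:
        key = self._keys.get(pan)
        if key is None:
            return False
        return hmac.compare_digest(_mac(key, pan, amount_cents, terminal_nonce), cryptogram)


def chip_transaction(card, issuer: Issuer, amount_cents: int) -> bool:
    """The terminal contributes fresh randomness (EMV calls it the unpredictable
    number), so the cryptogram is bound to this transaction and this amount."""
    nonce = os.urandom(8)
    return issuer.verify(card.pan, amount_cents, nonce, card.cryptogram(amount_cents, nonce))


def demo() -> dict:
    # 1. Stripe: the skimmer copies the track and writes it to a blank card.
    stripe_clone_accepted = stripe_authorize(SAMPLE_TRACK2)

    # 2. Chip: the skimmer eavesdrops one genuine purchase and replays it.
    key = os.urandom(16)
    card = ChipCard(SAMPLE_PAN, key)
    issuer = Issuer(SAMPLE_PAN, key)
    genuine_accepted = chip_transaction(card, issuer, 2500)
    overheard = card.cryptogram(2500, os.urandom(8))   # what the skimmer recorded
    clone = ReplayingClone(SAMPLE_PAN, overheard)
    clone_accepted = chip_transaction(clone, issuer, 2500)
    return {
        "stripe_clone_accepted": stripe_clone_accepted,
        "chip_genuine_accepted": genuine_accepted,
        "chip_clone_accepted": clone_accepted,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The stripe clone is accepted because the issuer has nothing to check but the copied bytes; the chip clone is refused because the new terminal picks a new nonce and the clone has no key with which to answer it. Note what the model does not cover: the account number itself is still printed on the card and still works for card-not-present purchases, which is why the advice to watch statements does not go away with chip cards.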

The U.S. has yet to adopt the new smart card technology, possibly due to the higher cost. According to consulting firm Javelin Strategy & Research, converting to chip and PIN technology would cost the U.S. payment card industry about $8.6 billion, which doesn’t sound so expensive to me, considering that identity theft is a reported $50 billion problem.

U.S. travelers are encountering difficulties when attempting to use old magnetic stripe credit and debit cards abroad, since their cards do not contain the new microchips. This is especially problematic at automated kiosks, which are common in Europe. Vending machines at regional rail stations, bicycle rental racks in Paris, parking meters in parts of London, toll roads, and gas stations only accept chip and PIN cards. Visa claims that most payment terminals in countries that have adopted chip payment technology can still process old magnetic stripe U.S. cards, and, “in the rare instance that a card holder encounters a problem” at a self-service machine, Visa advises American travelers to present their cards to attendants.

My dad has U.S.-based magnetic striped cards, and he travels all over Europe and has yet to encounter a problem paying at a restaurant or in any scenario in which the card is processed by a person. However, CreditCards.com reports that the European Payments Council, the governing body responsible for achieving a single payments market throughout Europe, is considering a ban on old technology magnetic stripe cards. This would cause major commerce problems in Europe and raises the question of whether U.S. credit card merchants will make the switch.

In the meantime, if you travel to Europe, make sure to carry cash. And if you are likely to use a kiosk that can only process cards with chip and PIN technology, do your homework ahead of time to determine whether an alternative payment method is available.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Hackers Play “Social Engineering Capture The Flag” At Defcon

Social engineering is a fancier, more technical form of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network. Smart organizations train their employees to identify and resist the more common attempts to trick them into letting down their guard. Criminal hackers use social engineering as a very effective tool and as part of their strategy when gathering information to piece together the parts of their scams. They often target company executives via phone and email. Once they have extracted some data from the top, accessing networks or whatever end game they had in mind is much easier.

Social engineering has always been a “person to person” confidence crime. Once the con man gains the mark’s trust, the victim begins to provide all kinds of information, or to fork over cash and credit. Trust seems to be an inherent trait we all have from birth. I suppose we would need to be able to trust one another in order to survive as an interdependent communal species, otherwise fear would prevent us from relying on others to nurture us until we are tossed out of the nest.

Defcon is a conference for hackers of all breeds. There are good guys, bad guys, and those who are somewhere in between, plus law enforcement and government agents. All kinds of inventive people with an intuition for technology descend on Las Vegas to learn, explore, and hack. InfoWorld reports, “This year’s Defcon gathering in Las Vegas will feature a contest in which participants will compete to gather nuggets of information from unsuspecting target companies — over the telephone instead of the Internet.”

Defcon is known for its antics but it’s also an event where hackers of all flavors improve their skills. The game they are playing this year is a social engineering fun-o-rama called Social Engineering CTF, referencing the game “Capture the Flag.” “This contest will borrow elements from the convention’s traditional computer-based CTF tournaments, but with a few variations. Prior to the conference, participants will receive an email with the name and URL of a target company. Participants will be permitted to gather preliminary information about the company using Google searches and other passive techniques. Contestants are banned from contacting their target directly via email or phone, and they get points for information gathered. Competitors then use that data during the actual tournament to fuel their social engineering attack. They have twenty minutes to call unsuspecting employees at their target companies and obtain specific bits of (nonsensitive) information about the business for additional points. Participants aren’t allowed to make the target company feel at risk by pretending to represent a law enforcement agency.”

Recognize that online predators use these tactics to get what they want. They consider you, the innocent computer user, their natural prey.

So always question authority, or the appearance of authority. Don’t automatically trust or give the benefit of the doubt. When you are contacted via phone or email, or approached in person, proceed with caution. Always be suspicious of external or internal communications, and consider that you could be the target of a phishing scam. Never click on links in the body of an email, and if an email prompts you to divulge a username and password, pick up the phone and verify the request through a number you already know, not one supplied in the message. The best defense is effective policies coupled with ongoing awareness training.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Data Breaches Persist In Health Care

In September 2009, the Obama administration’s Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect, requiring hospitals and other health care organizations to beef up client data protections. Despite this, a recent study found that health care data is still hemorrhaging from peer to peer networks.

A peer-to-peer network, commonly abbreviated P2P, is any distributed network architecture composed of participants that make a portion of their resources (such as processing power, disk storage or network bandwidth) directly available to other network participants, without the need for central coordination (such as servers or stable hosts).

In simple terms, P2P is software installed on your PC and other PCs that allows the sharing of data from each other’s computers.

Computerworld reports, “One of the more than 3,000 files discovered by the researchers was a spreadsheet containing insurance details, personally identifying information, physician names and diagnosis codes on more than 28,000 individuals. Another document contained similar data on more than 7,000 individuals. Many of the documents contained sensitive patient communications, treatment data, medical diagnoses and psychiatric evaluations. At least five files contained enough information to be classified as a major breach under current health-care breach notification rules.”

In my own research, digging through P2P networks, I’ve uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for entire families. I’ve found Christmas lists, love letters, private photos, videos, and just about anything else that can be saved as a digital file.

It’s no surprise data is still leaking. File sharing technologies are easier and more user friendly than ever. Faster broadband connections coupled with faster PCs and bigger hard drives make downloading files a snap. Insurance companies, doctor’s offices and hospitals all have computers, and those computers are operated by people who like things that are free. Any bored employee who wants to listen to that song he heard on the way to work can simply download LimeWire, eDonkey, BearShare, or any other P2P client. Within minutes, that song is playing on the employee’s iPod, and his employer’s clients’ data is being shared with the world. This type of breach resulted in blueprints for President Obama’s private helicopter being leaked online.

The House Committee on Oversight and Government Reform has asked the Department of Justice and the FTC to help prevent illegal use of peer to peer networks, and in the same letter, asked what the government is doing to protect its citizens. But ultimately, it’s up to you to protect yourself.

Don’t install P2P software on your computer. If you aren’t sure whether a family member or employee may have installed P2P software, check for new, unfamiliar applications. A look at your “All Programs Menu” will show nearly every program on your computer. If you see one you don’t recognize, do an online search to see what it is you’ve found. You should also set administrative privileges to prevent the installation of new software without your knowledge.

If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.
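Before a folder is handed to a P2P client, it is worth checking what is actually in it, since the files this post describes finding (tax returns, family rosters with Social Security numbers, patient data) are exactly what an over-broad share exposes. The following Python script is an added example of such an audit, not code from this site or from any P2P client. The sensitive-filename word list and the SSN pattern are assumptions for illustration, not a complete data-loss-prevention rule set, and the sample share it builds contains only made-up data.

```python
import os
import re
import tempfile

# SSN-shaped numbers, excluding ranges the SSA never issues (area 000, 666,
# 900-999; group 00; serial 0000). Only the dashed form is matched, to keep
# false positives down; bare nine-digit runs are deliberately not checked.
SSN_RE = re.compile(r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])")

# Filenames that suggest the kinds of documents found leaking on P2P networks.
# The word list is an assumption for this example, not an exhaustive one.
SENSITIVE_NAME_RE = re.compile(
    r"tax|1040|w-?2\b|ssn|social.?security|credit.?report|loan|password|passwd|"
    r"diagnos|patient|insurance", re.I)


def audit_share(root: str, max_bytes: int = 4 * 1024 * 1024) -> list:
    """Walk a folder a P2P client would share and return
    [(relative_path, [reasons])] for anything that should not be in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if SENSITIVE_NAME_RE.search(name):
                reasons.append("sensitive filename")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            # Binary files mostly decode to junk; errors="ignore" keeps any
            # readable runs, which is enough to catch SSNs in plain text or CSV.
            hits = SSN_RE.findall(data.decode("utf-8", errors="ignore"))
            if hits:
                reasons.append(f"{len(hits)} SSN-like number(s)")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_share() -> str:
    """Create a throwaway share folder with constructed files (no real data)."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "music"))
    os.makedirs(os.path.join(root, "documents"))
    files = {
        "music/song.mp3": b"\xff\xfb\x90\x00" + bytes(range(256)) * 2,   # benign binary
        "notes.txt": b"call the plumber on 800-555-0199 about the 2010-03-25 visit\n",
        "family_roster.txt": (b"Jane Doe,234-56-7890,jane,hunter2\n"
                              b"John Doe,345-67-8901,john,letmein\n"
                              b"placeholder,000-12-3456,not,valid\n"),
        "documents/2009_tax_return.txt": b"Form 1040  SSN 456-78-9012  AGI 41,200\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for path, reasons in audit_share(share):
        print(f"{path}: {', '.join(reasons)}")
```

Pointed at a real share folder instead of the sample, the script lists the files to pull out before the client starts advertising them. The phone number and date in notes.txt are there to show that the pattern does not fire on every dashed number, and the 000- entry in the roster shows the invalid-range exclusion at work.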

The Smart Card Alliance has released an in-depth report called “Medical Identity Theft in Healthcare.”

Robert Siciliano, personal security adviser to Just Ask Gemalto, discusses Medical Identity Theft on CBS Early Show. (Disclosures)

Credit Card Data Breaches Cost Big Bucks

Javelin Strategy & Research estimates that credit and debit card issuers spent $252.7 million in 2009 replacing more than 70 million cards compromised by data breaches.

In 2009, an estimated 39 million debit cards and 33.3 million credit cards were reissued due to data breaches, for a total of 72.2 million. An estimated 20% of those affected by the breaches had more than one card replaced. I had my MasterCard replaced twice.

Javelin’s survey shows that 26%, or roughly one in four U.S. consumers, received a data breach notification last year from a company or agency holding their personal data, including credit and debit card or checking account information.

What is very interesting is that of those notified (which is required by law in most states), 11.5% were victims of identity fraud compared with only 2.4% of those who weren’t notified.

I’ll say this again and then explain what I think this means. They say a consumer who has been notified that his credit or debit card number was compromised is five times more likely to become a victim of identity fraud than a person who doesn’t get such a notice.

The report’s reasoning behind this is that data breaches lead to fraud. Okay, yes, I’ll agree that data breaches do lead to fraud, and my belief is that the people who were notified simply took a closer look at their statements and recognized unauthorized charges. If they weren’t notified they are no less susceptible to fraud, they are just blissfully unaware they are paying for an identity thief’s Las Vegas bender, and the fraud goes undetected.

DigitalTransactions explains, “Data breaches are one obvious pathway to fraud, but a breach alone doesn’t mean an affected consumer will become an identity-fraud victim. Banks often give free credit-report monitoring services to customers whose data may have been compromised.”

The flaw here is that credit monitoring only makes the consumer aware of new account fraud, when a Social Security number is used to open a new account. Credit monitoring has nothing to do with credit card fraud in which an existing account is compromised. Furthermore, in my experience credit monitoring is hardly ever provided when a credit card number has been compromised. Credit monitoring doesn’t help when an existing account is taken over.

“There’s a disconnect,” Javelin tells Digital Transactions News. Consumers “should pay attention to your credit reports after you’re notified, because you’re more vulnerable.”

Yes, it’s true that if you are notified that your Social Security number has been compromised, you are more vulnerable to fraud, but not more vulnerable to fraudulent charges on an existing credit card, since the bank will replace a card that is known to have been compromised. And monitoring a credit report does nothing to prevent credit card takeover fraud.

The only way to combat credit card account takeover fraud is to pay close attention to credit card statements, while credit reports and credit monitoring are essential to prevent or detect new account fraud.

I recommend checking your credit card and bank statements every day, or at least once a week, from a secure PC.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on MSNBC. (Disclosures)