Posts

Skimming, Identity Theft and How Online Business Defend Against Cybercrime

Over the past 5 years a scam known as electronic funds transfers at the point of sale (EFTPOS ) or skimming has been prevalent. Consumers commonly swipe both credit and debit cards through the in-store machines to pay for goods and services and hackers have been adept at coming up with ways to skim those customer cards.

In one such case, Romanian hackers were indicted when they were charged with remotely accessed hundreds of small businesses’ POS systems and stealing enough credit card data to rack up fraudulent charges totaling over $3 million. The hackers’ targets included more than 150 Subway restaurant franchises and at least 50 smaller retailers.

SCMagazine reports “An Eastern European criminal syndicate has hacked into a small Australian business and stolen details of half a million credit cards from the company’s network. In both cases, the syndicate captured credit card details using keyloggers installed within Point of Sale (POS) terminals and siphoned the data through an insecure open Microsoft’s Remote Desktop Protocol (RDP) connection. The syndicate found its victims by scanning the internet for vulnerable POS terminals.

Card skimming is just one of many ways that cybercriminals obtain access to stolen identities. And what happens once they have this information?  They begin hitting many of the major brand websites to purchase products that are commonly found in our homes and office.  How can retailers, ticketing companies, gaming sites and credit issuers protect their businesses and customers from fraudulent transactions?

Many start by identifying the device being used to access their website, through advanced device identification technology.  Is it a computer, laptop, tablet, mobile phone or another Internet-enabled device?  Is that a device that is already known to iovation’s cybercrime intelligence network? If so, has it been involved in fraudulent or abusive activities in the past? Often times, known bad devices have a history of credit card fraud, identity theft, account takeover attempts and other abuses. If the device comes back clean, is it related to other known bad devices?

iovation also helps its clients understand the web of associations between related devices, which helps businesses identify and shut down entire fraud rings. Lastly, online businesses run their highly-customized business rules as the transaction or activity is attempted. Many of iovation’s clients have more than 100 business rules on their site, that help them assess risk in real-time.  These business rules can trigger factors including velocity, device anomalies, proxy use, age of the device-to-account association, and more.

Last week at the Merchant Risk Council Platinum Meeting in Seattle, iovation demonstrated it’s ReputationManager 360 fraud prevention service, and showed in simple terms, what happens during a real-time device reputation check.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)

How to Defend your Small Business against Cybercrime

Brilliance, historically, is often expressed in the simplest of technologies; the wheel and the light bulb are perfect examples. Today, brilliance is often attributed to advances in technologies that cure illnesses, solve problems, and make our lives easier.

Over the past decade, coders, programmers, and hackers of all kinds have come up with some of the simplest and most brilliant inventions—inventions with the power to transform life as we know it. Unfortunately, when it comes to network security it’s the cyber criminals that seem to be the smartest in the room.

Forbes reports, “ZeuS, SpyEye, Sunspot, OddJob, Gameover. Villains in the next James Bond movie? No. These are names for sophisticated and dangerous crime-ware used by real villains—internationally organized gangs of cyber criminals—to hijack online bank accounts and steal money.” According to the Anti-Phishing Working Group, when it comes to online security an estimated 45% of all computers are now infected with malicious software designed to steal.

When banks began building out their IT infrastructure to allow for online banking, they didn’t anticipate the thousands of ways in which bad guys would scheme to separate banks and their clients from their cash.

One bank actually sued an accountholder who lost $800,000 to a digital heist in order to determine who shoulders the legal responsibility to protect online bank accounts from fraud. (The bank was able to recover $600,000 of the $800,000, which Italian and Romanian hackers had removed via unauthorized wire transfers.) The bank sought a legal acknowledgement of their systems’ security, while the accountholder argued that online security measures were inadequate.

In a similar case, a Michigan judge decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses.

Small businesses and banks are losing money via cyber-attacks on their online banking accounts. One way this happens is a cybercriminal send an e-mail with a link to a malicious site or download to employees who handle their company’s bank accounts. These malicious links either install one of the software programs detailed above or steals the username and passwords the employees use to log in to their online banking accounts.

Surfing pornography websites increases your risk, as does frequenting gaming websites hosted in foreign countries. Downloading pirated content from P2P (peer-to-peer) websites is also risky.

Computers with old, outdated, or unsupported operating systems are extremely vulnerable to cybercrime. Systems using old or outdated browsers such as IE 5, 6, or older versions of Firefox offer the path of least resistance.

Follow these essential computer security tips to protect your small business against cybercrime. Update your operating system to XP SP3 or Windows 7. Make sure to set your antivirus software to update automatically. Keep your critical online security patches up-to-date by setting Windows Update to run automatically as well. Don’t engage in risky online activities that invite cyber-attacks.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Banks Blame Cybercrime Victims for Hacking

It’s Tuesday morning after a long weekend, the bookkeeper comes in a little late but hits the books right away. She comes into your office and asks you about a series of wire transfers you made over the holiday weekend to new employees who apparently live overseas. And then your heart sinks. Because you have heard about how small business bank accounts are hacked, but didn’t think it would happen to you.

It’s happening to the tune of around 1 billion dollars a year. Small business bank accounts are being hacked and the banks are pointing the finger at their customers. Why? Because in many cases there are no actual data breaches at the banks. Cybercrime is often taking place right in the small businesses offices on their own PCs.

Blooomberg reports “Organized criminal gangs, operating mostly out of Eastern Europe, target small companies, school districts and local governments that maintain fat commercial bank accounts protected by rudimentary security measures at community or regional banks. The accounts typically aren’t covered by insurance as individual accounts are.”

However one bank fought back and won. iovation reports “one Michigan judge recently decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses. A copy of the bench decision is available from Pierce Atwood LLP, and the firm also outlines significant highlights and observations regarding this cybercrime case.

Small businesses are under siege today and must know their bank accounts are being targeted by cyber-thieves. One solution is certainly a secure IT infrastructure and another, in some cases, may be moving to a bigger bank. Some smaller banks simply can’t handle the loss whereas bigger banks may have the resources to absorb them. If you bank with a small bank now is the time for a heart to heart talk.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussingADT Pulse on Fox News. Disclosures

Security Beyond the Desktop

A defensive posture no longer suffices for the protection of the devices and data that have become ubiquitous in today’s digital world. Rather than simply rushing to install defenses on computers, in networks, and in the cloud, we urgently need to step back and take a broader view of the security landscape, in order to take more calculated preemptive measures.

McAfee Security Journal is a publication intended to keep security executives and technical personnel informed about various cutting edge topics in order to help them make better-informed security decisions. Regular, everyday computer users can increase their security intelligence by having a read. The report details the following highlights on the evolution of cyber threats and the necessity of a more inclusive security strategy:

The human link: There is an ever-widening disparity between the sophistication of networks and the people who use them. When direct attacks on an organization’s defenses fail, cybercriminals often use social engineering toolkits to exploit unsuspecting employees. Educating employees on secure practices is not enough—organizations need to install a proper framework to empower and encourage employees to make a habit of using these practices.

Mobile is everywhere: Mobile attacks are becoming more sophisticated every year. Instead of rendering a device unusable, hackers are now finding ways to steal sensitive personal data that can be lucratively exploited. Hackers are also broadening their target range to include less common mobile systems, such as the GPS system in your car, for example.

Cloud-based apps on the rise: The popularity of cloud-based applications has made them an attractive target for hackers and other cybercriminals. However, the cloud is also a highly efficient way to scale security and protection for a business. Leveraged correctly, the cloud both helps reduce your security costs and can actually increase your overall security posture.

Data is king: Whether it’s stored on a smartphone, in the cloud, or on a network, cybercriminals are after your data. It is crucial that organizations take proper precautions to secure this data.

Learn from mistakes: For those who take the time to study it, history is a great teacher. Analytics help identify patterns, vulnerabilities, and even motives.

Understanding these concepts can help prevent attacks in the future. For a full copy of the McAfee Security Journal: Security Beyond the Desktop, visit McAfee.com.

 

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

Feds Catch Carder

WE DO NOT SELL DUMPS. DO NOT EMAIL OR CALL US.

WE DO NOT SELL DUMPS

“Carders” are the people who test and sell credit card details (most likely phished) to other individuals who carry out the actual credit card fraud. Carders are the most visible of criminals who distribute and sell stolen data to whoever is willing to take it and burn it onto a white card or make purchases over the internet. “Dumps” is a term for the batches stolen credit card data they buy and sell.

Computerworld reports:

“Tony Perez III, of Hammond, Indiana, pleaded guilty to the charges on April 4. In his plea, Perez said he sold counterfeit credit cards encoded with stolen account information. Perez found customers through criminal ‘carding forums,’ Internet discussion groups set up to aid in the buying and selling of stolen financial account information and related services.”

“During a June 2010 search of Perez’s residence, Secret Service agents found 20,987 stolen credit card accounts on his computers, in his email messages, in an online account and on counterfeit credit cards he was in the process of manufacturing, according to court documents. Credit card companies have reported more than US$3.1 million in fraudulent charges associated with those accounts, court documents said.”

Carding is a full time profession for thousands of hackers worldwide. Retailers’, banks’, credit card processors’, and many other corporations’ databases often contain millions of credit card numbers, and are targeted in “advanced persistent threats.” Any entity that accepts credit cards online or in the physical world is a ripe target for fraud.

It’s in the retailer’s best interest to put online fraud prevention measures in place to thwart credit card fraud use on their sites. This not only helps them keep their chargebacks and fees low, but it also protects their brand reputation with their loyal customers.  But how can retailers detect when fraudsters are stealing from their websites in the first place?

Before verifying identity and credit information, first make sure that the computer, tablet or smartphone connecting to the site is not a known fraudulent device – one used to steal from your business in the past, or from other online businesses.

Would you like to know if the device is acting suspicious such as masking its IP address or constantly changing its characteristics between transactions?  Is it opening an excessive number of new accounts, or are new countries suddenly accessing your customer’s existing accounts?

There are many indicators of risk and companies like Oregon-based iovation Inc. helps online businesses set up fraud and risk rules in advance so that as transactions come in, the rules run and all checks in a fraction of a second. This device identification service can stop the transaction right then and there.

Carders are just one piece of the cybercrime puzzle.  Having a defense-in-depth approach to fraud prevention is essential.  And sharing fraud intelligence with other businesses can only help you catch more fraud, and meanwhile, take more business with confidence.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

Think You’re Protected? Think Again!

In 1990, when only the government and a number of universities were using the Internet, there were 357 unique pieces of malware. The need for security began with desktop computing when the only means of compromising data was by inserting a contaminated floppy disk into a PC or opening an infected email attachment. That was the anti-virus era.

The need for security evolved with the Internet as more companies developed internal and external networks. That was the network security era.

Now as companies leverage the power of the web, information security has evolved yet again: We are in the application security era. And as big companies get better at locking down their software and protecting their data, criminals are targeting the little guy. Ordinary citizens’ every day digital lives are at risk via infected web pages, instant messaging, phishing, Smartphone viruses, text message scams and now hackers are targeting Macs in a big way.

In the past 20 years, e-commerce and social media have taken over. The numbers behind the explosive growth of cybercrime are astounding. In a little over two decades, we’ve gone from less than 500 pieces of malware to over 55 million annually. Cybercrime has evolved from nothing to a multibillion-dollar industry.

In 1995, 8069 unique pieces of malware were detected. One out of 20 emails were spam, and the Melissa virus infected hundreds of thousands.

In 2000, 56,342 unique pieces of malware were detected, mostly on PCs, but some began spreading to Macs. Then smartphones got the Cabir virus. The “I Love You” worm slithered its way onto millions of PCs, and the MyDoom worm slowed down the entire Internet by 10%, resulting in loses totaling 38 billion dollars.

In 2005, 164,000 unique pieces of malware were detected, including the first virus for Mac OS X and another 83 mobile viruses. 57 million U.S. adults fell for phishing scams via 17,877 different spoof websites. 80% of all email was spam. The Conficker worm, Zeus Trojan, Koobface, Applescript.THT, Storm botnet, and Ikee iPhone virus all made their debuts this year.

By 2010, 54 million unique pieces of malware were spreading to tablets, too. More than 90% of all email was spam. 27% of teens infected their families’ PCs with viruses in 2010. Almost 420,000 phishing sites were discovered. OpinionSpy, Boonana, and MacDefender infected Macs. Hackers commandeered Skype’s instant messaging service to deliver malware. The Gemini and Zitmo Trojans gathered location data and stole financial transaction information.

But if that’s not enough. In 2010, more than three million malicious websites were created, any one of which could infect your computer.

The question is are you protected? Are you using some free download by an unknown company to protect yourself? Or do you have a comprehensive multi layer approach to digital security protecting all your devices?

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing identity theft on YouTube. (Disclosures)

 

Check out this video to learn more about: The History of Malware

 

 

 

 

 

 

 

Financial Institutions Can Protect Their Clients Using “Defense in Depth”

Back in 2005, the Federal Financial Institutions Examination Council (FFIEC) made security recommendations for banks and financial institutions in response to the increase of cybercrime. Since then, banks have implemented most, if not all, of these guidelines, and cyber criminals have responded by challenging each layer of security, by exploiting different technologies or coming up with new hacking techniques.

The latest security recommendations strongly suggest a layered or “defense-in-depth” approach, which the National Security Agency defines as a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy strikes a balance between the protection capability and cost, performance, and operational considerations.

The FFIEC recommends that financial institutions replace simple device identification with complex device identification, which most banks had already implemented long ago. Therefore, the next evolution of security is device reputation management, incorporating geolocation, velocity, anomalies, proxy busting, browser language, associations, fraud histories, and time zone differences. iovation, an Oregon-based security firm, offers this service and more.

The FFIEC also recommends that financial institutions replace challenge questions, which are often fact-based questions, and can be easy to figure out with the use social networking data, with “Out of Wallet” (OOW) questions that don’t rely on publicly available information.

Challenge questions include, “What’s your mother’s maiden name?” “What’s your Social Security Number?” “What are your kids’ names?” or “When were you born?” OOW questions are generally opinion-based, such as, “What is your favorite vacation spot?” “What is your favorite flavor of ice cream?” or “What is your favorite book?”

Keir Breitenfeld, Senior Director of Experian Decision Analytics recently joined Device Reputation pioneer and leader, iovation, for a webinar presentation addressing the FFIEC guidelines.  You can listen to his presentation on applying proportional treatment to risk-based authentication efforts and dynamically managing credit and non-credit data questions to mitigate fraud via the webinar.

Ultimately, financial institutions must implement a layered approach to security. iovation’s device reputation service is a must-have layer that contributes greatly to a defense-in-depth approach, assessing risk throughout multiple points on an institution’s website.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

McAfee Reports Most Malware Ever in Early 2011

Malware refers to malicious software, which includes computer viruses and rootkits. McAfee recently released the McAfee Threats Report: First Quarter 2011. With six million unique samples of recorded malware, the first quarter of 2011 was the most active in malware history.

In February alone, approximately 2.75 million new malware samples were recorded.  Fake antivirus software had an active quarter as well, reaching its highest levels in more than a year, with 350,000 unique samples recorded in March.

Mobile malware is the new frontier of cybercrime.

Malware no longer affects just PCs. As Android devices have grown in popularity, the platform has solidified its position as the second most popular environment for mobile malware, behind Symbian OS, during the first three months of the year.

Cybercriminals often disguise malicious content by using popular “lures” to trick unsuspecting users. Spam promoting real or phony products was the most popular lure in most global regions. In Russia and South Korea, drug spam was the most popular, and in Australia and China, fake delivery status notifications were the spam of choice. So far this year, we’ve also seen a new trend of “banker” Trojans, malware that steal passwords and other data, using UPS, FedEx, USPS and the IRS as lures in their spam campaigns.

McAfee Labs saw significant spikes in malicious web content corresponding with major news events, such as the Japanese earthquake and tsunami, and major sporting events, with an average of 8,600 new bad sites per day. In the same vein, within the top 100 results of each of the daily top search terms, nearly 50% led to malicious sites, and on average contained more than two malicious links.

Protect yourself from these and other threats.

McAfee Wave locates, locks, or wipes your phone, and even restores your data when you trade it in for a new one. If necessary, you’ll be able to lock down your service remotely or wipe out important stored data to protect your privacy. You can back up your data directly or use the web to so remotely. You can access your data online from anywhere, or locate your missing phone and plot its location on a map. If it’s lost or stolen, SIM cards and phone calls can help get it back for you.

Invest in an identity protection service. There are times when you cannot withhold your Social Security number, but an identity protection service can monitor your personal and financial data. McAfee Identity Protection provides alerts if your information is misused, credit monitoring and unlimited credit checks, and if necessary, identity fraud resolution. (For more information, visit CounterIdentityTheft.com.)

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss mobile phone spyware on Good Morning America. (Disclosures)

 

A Good Decade for Cybercrime

Cybercrime is one of the most successful and lucrative industries of our time, growing by double digits year after year. Over the last decade, cyber crooks have developed new and sophisticated ways to prey on an explosion of Internet users, with little danger of being caught. Meanwhile, consumers face greater risks to their money and information each year.

A few famous exploits illustrate different eras of cybercrime:

“I Love You” worm’s false affection: $15 billion estimated damage

Emails with the subject line “I love you” proved irresistible in 2000. Millions of users downloaded the attached file, which was supposedly a love letter but was actually a virus. This infamous worm cost companies and government agencies $15 billion.

MyDoom’s mass infection: $38 billion estimated damage

This fast-moving worm, which first struck in 2004, tops McAfee’s list in terms of monetary damage. It delivered enough spam to slow global Internet access by 10% and reduce access to some websites by 50%, costing billions of dollars in lost productivity and online sales.

Conficker’s stealthy destruction: $9.1 billion estimated damage

This 2008 worm infected millions of computers. It went a step further than the other two worms on our list, downloading and installing a variety of malware that gave hackers remote control over victims’ PCs.

Some of the most common and nefarious scams include:

Fake antivirus software

Selling fake antivirus software is one of the most insidious and successful scams in recent years. Cyber criminals play on users’ fears that their computers and information are at risk, displaying misleading pop-ups that prompt the victim to purchase antivirus software to fix the problem. When victims enter their credit card information, it is stolen and, instead of security software, they wind up downloading malware.

Phishing scams

Phishing, or trying to trick users into giving up personal information, is one of the most common and persistent online threats. Phishing messages can come in the form of spam emails, spam instant messages, fake friend requests, or social networking posts.

Phony websites

In recent years, cyber crooks have become adept at creating fake websites that look like the real deal. From phony online banking to auction sites and e-commerce pages, hackers lay traps in the hopes that you will be fooled into entering your credit card number or personal information.

For your own peace of mind, consider subscribing to an identity theft protection service such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, alerts when suspicious activity is detected on your accounts, and access to fraud resolution agents. For additional tips, visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

4 Reasons 2011 is the Year to Get Serious About Security

Prognosticators are silly. Or that’s how I’ve always viewed them, anyway. They combine past experience with their perspective on current trends to make predictions and pretend to be smarter than you.

Many prognosticators in the financial world have failed miserably, and we’re all paying the price now. Their current excuse is “irrational exuberance.”

But prognostication holds a bit more water these days, thanks to technology that can quantify and collate mass amounts of data to provide an educated guess.

Here’s me being a prognosticator: In 2011, unprecedented security issues will reveal just how vulnerable we are and highlight the flaws in our systems. In other words, we have a big challenge.

What makes me say this? Here are just a few reasons:

1. In recent months, “hactivisim” has become a popular term, even among non-technical people.

2. A new virus called Stuxnet has stoked anxieties about cyber warfare.

3. Cybercrime targeting the government has become bolder than ever.

4. Mobile phones are eclipsing wired phones, so software developers are more focused on mobile. But is your cell phone ready to be your bank?

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses online banking security on CBS Boston. (Disclosures)