
Security Expert’s Credit Card Hacked

An excellent way to improve one’s level of security intelligence is to follow the writings of Robert X. Cringely, one of my favorite technology know-it-alls.

Anyway, Cringely’s credit card was recently hacked. And if his card can be hacked, anyone’s can. Like many cardholders, Cringely received a notification from his credit card company’s fraud department, informing him that his card data was being used overseas, on an online dating website.

A scammer used Cringely’s credit card number to create a fake profile, posing as a woman named Katya to lure desperate, unsuspecting men into dating scams.

Cringely determined that the IP address associated with the fraud was anonymized, routed through numerous channels to disguise its origin. A Russia-based email address may mean Russian criminals are involved in the hack.

Cringely’s card was used to purchase Badoo credits, which unlock certain features of the dating website, such as chatting with another user or requesting photos. The scammer used Cringely’s card to buy Badoo credits in numerous countries, making her profile internationally accessible.

Cringely surmises that his card data may have been skimmed when he used an ATM or handed his credit card to a store clerk or waiter, or possibly stolen when he used it to make an online purchase. Even if you are giving your card number to a legitimate online merchant, there’s always the risk they may get hacked. It’s also possible that an unknown worm could have slithered onto Cringely’s PC and sniffed out a credit card transaction.

Even a security expert’s PC can fall victim to hackers, and even someone who knows plenty about security can get hooked. So you must be that much more alert, aware, and on top of these issues.

Websites like Badoo can eliminate scammers with device reputation scanning. Real-time device reputation checks, such as those offered by iovation, can detect computers that have been used for fraud, as well as expose all of the accounts associated with the suspicious device or group of devices, allowing websites to immediately shut down sophisticated fraud rings and fraudulent accounts.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft for the National Speakers Association. (Disclosures)

Hackers Cheat a Stock Market Game

Gaming websites, like banks and retailers, are forced to deal with online fraud and other abuses, which cost the industry hundreds of millions of dollars each year.

Many gaming sites have increased efforts to detect suspicious players, but savvy criminals have learned to mask their true identities, changing account information to circumvent conventional methods of fraud detection.

When players conspire to hack one game, they compromise the integrity of the entire website. Other players eventually realize that the deck is rigged against them and that the website’s fundamental security has been compromised. The website becomes useless to honest players, who take their business elsewhere.

Earlier this month, six buses transported online entrepreneurs to Austin for the South by Southwest conference, as part of the Startup Bus project.

As reported by CNET, “The coders and would-be Mark Zuckerbergs [took] part in a high-paced competition” in which they formed teams and competed to come up with “the best, and most viable, tech start-up” during the 48-hour drive to Texas. As it turns out, some “buspreneurs” collaborated (or conspired, depending on your perspective) to create automatic scripts that would effectively stuff the ballot box on behalf of three of the teams.

Elias Bizannes, who founded the Startup Bus project, explained, “The good news is that this exploit is no longer a problem and the fake accounts will be penalized. We’ve identified 1,300 fake accounts, with 900 from the same IP address, so not exactly done smartly by them. It’s a problem not with technology, but identity – which to be honest, is just a problem across the Internet.”

It is increasingly necessary for online gaming sites to deploy more effective security solutions, including analysis of information beyond that which is voluntarily provided by users. By leveraging a device reputation check from services like Oregon-based iovation, gaming websites can reject problem players within a fraction of a second, and avoid further problems from users whose devices are already known to be associated with fraudulent behavior.
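The ballot-stuffing pattern the organizers described (1,300 fake accounts, 900 of them from a single IP address) is exactly the kind of thing a simple per-device or per-address velocity check catches. The following is an added illustration, not code from the Startup Bus site or from iovation; the signup and vote records are constructed, and the "more than five accounts per IP" threshold is an assumption that a real site would tune.

```python
from collections import Counter

# Constructed sample data, not records from the Startup Bus site.
# Each signup is (account_id, source_ip); each vote is (account_id, team).
# Twenty accounts share one address and all back "team_a", mirroring the
# incident above where most fake accounts came from the same IP.
SIGNUPS = [(f"bot{i}", "203.0.113.7") for i in range(20)] + [
    ("alice", "198.51.100.10"),
    ("bob", "198.51.100.11"),
    ("carol", "198.51.100.12"),
    ("dave", "198.51.100.13"),
    ("erin", "198.51.100.14"),
    ("frank", "198.51.100.15"),
]
VOTES = [(f"bot{i}", "team_a") for i in range(20)] + [
    ("alice", "team_b"), ("bob", "team_b"), ("carol", "team_b"),
    ("dave", "team_b"), ("erin", "team_a"), ("frank", "team_a"),
]

def accounts_per_ip(signups):
    """Map each source IP to the number of accounts registered from it."""
    return Counter(ip for _, ip in signups)

def flagged_ips(signups, max_accounts_per_ip=5):
    """IPs that registered more accounts than a plausible household would.
    The threshold is an assumed, tunable value: shared office or campus NAT
    addresses can legitimately exceed it, so treat hits as review candidates."""
    return {ip for ip, n in accounts_per_ip(signups).items()
            if n > max_accounts_per_ip}

def penalized_tally(signups, votes, max_accounts_per_ip=5):
    """Tally votes, discarding those cast by accounts from flagged IPs.
    Returns (tally, number_of_discarded_votes)."""
    ip_of = dict(signups)
    suspect = flagged_ips(signups, max_accounts_per_ip)
    tally = Counter()
    discarded = 0
    for account, team in votes:
        if ip_of.get(account) in suspect:
            discarded += 1
        else:
            tally[team] += 1
    return tally, discarded

if __name__ == "__main__":
    raw = Counter(team for _, team in VOTES)
    clean, dropped = penalized_tally(SIGNUPS, VOTES)
    print("raw tally:", dict(raw))
    print("after penalizing flagged IPs:", dict(clean), "discarded:", dropped)
```

With the constructed data the raw tally favors team_a 22 to 4; after discarding votes from the flagged address it is team_b 4, team_a 2.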

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)



Mobile Phone Operating System Insecurity

As more online retailers introduce mobile ecommerce applications, criminal hackers are taking notice. Existing mobile operating systems are under attack and, like standard PC operating systems, they sometimes fail to provide the necessary security to support a payment application.

Current research is primarily geared towards securing mobile payments, but there is a lack of coordination between mobile payment developers, device manufacturers, and mobile operating system platform developers. Hackers are taking advantage of the loophole created by this lack of coordination.

Mobile phone spyware has been a concern for years. Legitimate software companies sell mobile phone spyware that allows the user to monitor a spouse, kids, or employees. And criminals deploy mobile phone spyware, as well.

Beijing-based mobile security services firm NetQin Technology reports that an application called Xwodi, which allows third parties to eavesdrop on cell phone conversations, has infected more than 150,000 phones in China. Apparently, the malware targets mobiles running the Symbian platform, and monitors phones by silently activating the conference call feature or microphone.

One security company, Trusteer, informed The New York Times, “Mobile users are three times more likely to fall for phishing scams than PC users…because mobile devices are activated all the time, and small-screen formatting makes the fraud more difficult to spot.” In the same article, another mobile security firm, Lookout, claimed that in May 2010, 9 out of 100 phones scanned for malware and spyware were infected. That’s up from 4 out of 100 infected phones in December 2009.

Protect yourself by refraining from clicking links in text messages, emails, or unfamiliar webpages displayed on your phone’s browser. Set your mobile phone to lock automatically and unlock only when you enter a PIN. Consider investing in a service that locates a lost phone, locks it, and if necessary, wipes the data, as well as restoring that data on a new phone. Keep your phone’s operating system updated with the latest patches, and invest in antivirus protection for your phone.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses spyware on FOX Boston. (Disclosures)


Hackers Go After Points, Credits, and Virtual Currency

In a previous post I discussed virtual currency, which is used to purchase virtual goods within a variety of online communities, including social networking websites, virtual worlds, and online gaming sites. These virtual dollars and virtual goods have real value.

Virtual currency includes the points customers receive from retailers, merchants, airlines, hotels, and credit card companies through loyalty reward programs. These reward points are supposedly the second most traded currency on the planet.

Gizmodo reports that hackers have targeted Microsoft points, the currency used to purchase digital goods and gift cards for the Xbox and Zune. Someone cracked the algorithm Microsoft uses to generate codes for those gift cards, and released that information online. A website was used to generate more than a million Microsoft points worth of free gift cards, as well as other Xbox items, before Microsoft was able to shut it down.

In 2009, Facebook created a virtual currency called Credits, which users spend on games and other Facebook content. Facebook has worked with fraud fighters to test and structure this currency so as to avoid attracting criminals, but as with any virtual currency, criminal activity is inevitable.

Hackers even steal carbon credits. European carbon traders were fooled by a phishing email, which allowed hackers to access the victims’ online accounts and then transfer more than $50 million in carbon credits into their own accounts. Of course, the hackers promptly resold those credits for profit.

Virtual thieves can sell stolen points in online forums or on eBay, or they can try to exchange points for rewards. However, most online retailers, social media, and gaming websites recognize the thieves’ behavior patterns when cashing in stolen points. By analyzing the history of the device being used to access a website, the website’s operator can prevent fraudulent transactions.

iovation’s ReputationManager 360 is getting a lot of attention for preventing chargebacks, virtual asset theft, gold farming, code hacking and account takeovers. The service identifies devices and shares their reputation including alerting businesses to real-time risk. Online businesses use device reputation to prevent fraud and abuse by analyzing the computers, smartphones, and tablets being used to access their websites.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

Man Arrested For Stealing 15,000 Social Security Numbers

Now more than ever, criminal hackers are hacking into databases that contain Social Security numbers and using the numbers to open new financial accounts. Criminals use stolen Social Security numbers to obtain mobile phones, credit cards, and even bank loans. Some victims whose Social Security numbers fell into the hands of identity thieves have even had their mortgages refinanced and their equity stripped.

WTEN.com reports that a man has been arrested for allegedly downloading personal information, including the Social Security numbers of about 15,000 people, without authorization.

Police arrested a man “for stealing the collection of Social Security numbers from computers belonging to contractors working for the Office of Disability and Temporary Assistance, which is the New York state agency that decides some initial disability claims for Social Security.”

As in most cases of data theft, the Office of Disability and Temporary Assistance will notify and provide credit monitoring services to affected individuals.

According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years. The Chronology of Data Breaches lists specific examples of incidents in which personal data was compromised, lost, or stolen, for example “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

Given that the entire population of the United States has had its information compromised more than 1.5 times over, why wait for another breach to get personal information monitoring?

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, including use of their Social Security number, and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)

This Holiday Season, Beware of Phantom Websites

A “fly by night” business is one that quickly appears and disappears, without concern for the quality of its product or service, or for legal regulations. These untrustworthy businesses often operate fraudulently. On the Internet, a fly by night business is called a “phantom website.”

Phantom websites exist to collect personal and credit card information. They can appear online any time of the year, but the holidays are prime time. They imitate the look and feel of a legitimate website, and many simply copy the web code from well-known online retailers, right down to the names and logos. They may also purchase domain names that resemble those of legitimate retailers, “typosquatting” to take advantage of mistyped searches.

Criminals may direct you to phantom websites using advertisements, even on major search engines like Yahoo and Google. These links or clickable graphics can either send you to a phantom site, or they may even directly infect your computer with malware.

Hackers and scammers also rely on black hat SEO to get their phantom websites ranked on the first or second page of search results, using the same search engine optimization techniques as legitimate vendors.

However, these scammers also game the system using techniques like “link farms,” “keyword stuffing,” and “article spinning,” which are frowned upon by search engines. Using these techniques to lure visitors will get them banned within a month or two, but that’s plenty of time to establish an online presence and scam plenty of victims.

And of course, phishing is in season all year long. Scammers send emails offering deals too good to be true, in order to draw visitors to their phantom sites. They’ll often take advantage of major holidays and significant world events to create an enticing offer. These emails are designed to trick recipients into entering account credentials, which allows the scammers to take over existing accounts or open new ones.

Protect yourself from phantom websites by only doing business with legitimate online retailers you know, like, and trust. Go directly to their websites, rather than relying on search engines, which may lead you astray. But do use search engines to check out a company’s name and look for ratings sites where customers have posted their experiences with a particular company. If you can’t find anything aside from the company’s own website, be suspicious.

And, never click on links in unsolicited emails. Just hit delete.

Use SiteAdvisor or a similar service to scan for infected links.

And invest in identity theft protection, because when all else fails, it’s nice to have a service watching your back. McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss how a person becomes an identity theft victim on CounterIdentityTheft.com. (Disclosures)

Digital Photos Held for Sextortion

This is a little over the top, and if this story were happening to one person I might not even dare to discuss it. But it seems to be happening to hundreds, maybe thousands, and possibly tens of thousands. And given that kids today are posting anything and everything, it needs to be discussed.

Right now hundreds of cyber threat victims are coming forward, arrests are being made, and court dates are being set, because criminal hackers, in the form of weird men, are breaking into women’s email programs and social networking sites and scanning their media for photos that show them in their birthday suit.

The depraved men then contact these women, alerting them to their dirty deeds and giving them an opportunity to save face before the photos are posted to Facebook, by paying them off in money or more photos!

This is serious stuff. While you may not participate in stupid activity like this, someone you know and care for may. The Register reports that one victim, who was 17 at the time, testified that she was so humiliated that she quit her summer job and dropped out of advanced college classes. Another victim attempted suicide.

The hacks occur when:

Users have simple, easy-to-guess passwords, and their accounts are infiltrated.

Malicious software is installed on the users’ PCs in any of a number of ways.

The computer has peer-to-peer (P2P) file sharing programs installed that allow anyone to scan the computer’s hard drive.

Here’s the bottom line: If you don’t want the world to ever see it, then do not do it. Because if an ex-boyfriend, ex-husband, ex-girlfriend or ex-wife has an axe to grind, it may go live. Worse, a devious criminal hacker may get it and “sextort” you. Otherwise, your next consideration (if you just need to be a shutterbug) is to put all digital media on hard drives that are not connected to the internet.

Otherwise, protect yourself with anti-virus software, don’t install P2P file sharing software (or remove it if it is already installed), and create passwords that are difficult to crack and contain both numbers and letters.

Robert Siciliano, personal security expert to Home Security Source, discusses hacked email passwords on Fox News. (Disclosures)