
Debit Cards Fraud Means Difficult Recovery

There are 437,000,000 debit cards in circulation, and their use is on the rise. Criminal hackers are paying attention. Credit cards offer some measure of protection through “zero liability policies,” as long as the cardholder disputes the charges within 60 days. But when a debit card is compromised, the stolen money can be hard to get back.

I get unfortunate emails like this all the time:

“I was a victim of debit card fraud. I live in Las Vegas, NV and have a debit card, and I know that not all rules apply for debit cards. We had a problem out here with “skimming.” Over $300.00 was taken from my account and I still had the card in my possession. It was done at 2 bank ATM machines, about 2 minutes apart on different sides of town. I contacted my bank and got no results. My bank said that I had to have given my card and PIN to someone. I fought and fought and lost. I know that there is or was a time limit on this, but is there anything else I could have done?”

Federal laws limit credit card holder liability to $50 in the case of fraud, as long as the cardholder disputes the charge within 60 days. Debit card fraud victims must notify the bank within two days after discovering the fraudulent transactions in order to maintain this $50 limit. After that, the maximum liability jumps to $500. And if a victim doesn’t discover or report the fraud until after 60 days have passed, the liability could be the entire card balance, for a debit or credit card. Once your debit card is compromised, you might not find out until a check bounces or the card is declined. And once you do recover the funds, the thief can just start all over again, unless you cancel the account altogether.

Here is Regulation E in black and white:

ELECTRONIC FUND TRANSFERS (REGULATION E)

Limitations on amount of liability. A consumer’s liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

(1) Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

(2) Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less.

Debit card fraud can happen a number of ways. ATM skimming, gas pump skimming, and point of sale skimming are a few. The key, of course, is that the bad guy gets your PIN. In the end, the bank doesn’t want to believe that you were defrauded. It’s cheaper for them to conclude that you are lying.

Always cover the keypad when entering your PIN at any POS terminal, pump, or ATM.

As inconvenient as this may seem, if you are a regular user of a debit card, you should check your statements online daily.

Consider limiting your debit card use. I use mine for deposits and withdrawals. But I only use it around two or three times a month.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

More ATM Skimmers Being Used By Gangs

A report issued by the FTC finds that customers in the process of withdrawing cash from ATMs are more likely to be victims of ATM fraud than a direct, physical crime, and skimmer devices have recently been found on gas pumps and ATMs throughout Northern California.

ATM skimming occurs when a device is placed on the face of an ATM, often over the slot where the card is inserted. The skimmer, which may use Bluetooth or cellular technology to transmit the data to criminals wirelessly, appears to be a part of the machine. It’s almost impossible for ATM users to know the difference unless they have an eye for security, or the skimmer is of poor quality. Often, the thieves will hide a small pinhole camera in a brochure holder, light bar, mirror, or speaker on the face of the ATM, which is used to capture the victim’s PIN. Gas pumps are equally vulnerable to this type of scam.

Always shield the ATM keypad with your hand while entering your PIN. Be vigilant while using an ATM. Look around and beware of anyone lurking – they could be waiting to pounce, or shoulder surfing, trying to see your PIN. And if you ever sense that something is off about an ATM or gas pump, just leave.

Choose a PIN that’s not easily guessed but can be entered quickly. Using consecutive numbers or repeating the same numbers is never a good idea. Many new ATMs won’t allow you to choose a “soft” PIN anyway.

Don’t ever let anyone assist you at an ATM. It’s hard to envision what kind of scenario might require another person to intervene at an ATM. But consider this possibility: your card gets stuck and a stranger graciously peeks his head over your shoulder to help. He frees your card and helps you finish the transaction. In the process, he has captured your PIN and swapped your card for another.

Beware of ATM skimming and learn to recognize a skimmer. Here is an example of a particularly well-made skimming device, which would be easy to miss. Not all are as well crafted, but some are very good.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses dummy ATM scams on NBC Boston. (Disclosures)

Criminal Web Mobs Responsible For Most Cyber Crime

New reports confirm what we’ve been seeing in the news: organized criminals have upped the ante. Global web mobs are tearing up corporations’ and financial institutions’ networks. According to a new Verizon report, a staggering 900 million records have been compromised in the past six years. Up to 85% of the breaches were blamed on organized criminals.

The hackers who infiltrate these networks range from brilliant teens and 20-somethings all the way up to clinical psychologists and organized, international cyber criminals. Many are from Russia and Eastern Europe.

Motivated by money and information, they either exploit flaws in applications to find their way inside networks, or they target their victims psychologically, tricking them into disclosing usernames and passwords, or clicking malicious links.

Flawed web applications often make these types of hacks possible. Criminals use “sniffers” to seek out flaws, and when they find them, the attack begins. Malware is generally used to extract usernames and passwords. Once the criminals have full access to a network, they use the breached system as their own, storing the stolen data and eventually turning it into cash.

To protect yourself, update your PC’s basic security, including Windows updates and critical security patches. Make sure your antivirus software is up to date and set to run automatically. Update your web browser to the latest version; an out-of-date web browser is often riddled with holes that worms can crawl through. Run spyware removal software. And set up your wireless network with a “key” or passcode so it’s not open to the public.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses another data breach on Fox News. (Disclosures)

A Viable Solution to Wave of Skimming and Point of Sale Attacks

Officials are reporting a wave of credit and debit card attacks involving point of sale terminal swapping, skimming of card data, and hacking into payment processors. Reports say the U.S. Secret Service, among others, is in the process of investigating a multistate crime spree.

The Oklahoma Bankers Association commented, “It is beyond apparent our bankers are taking great losses on these cards and we also need to explore creative ideas to mitigate these losses. It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment.”

Organized criminals have long been ramping up and coordinating multiple attacks. They continually find inventive ways to circumvent existing systems.

EFTPOS (electronic funds transfer at the point of sale) skimming occurs when the point of sale terminal itself is swapped out for a skimming device. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services at these outlets. In Australia, fast food chains, convenience stores, and specialty clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted.

Last year, legitimate EFTPOS devices at McDonald’s outlets across Perth, Australia were replaced with compromised card-skimming versions, cheating 3500 customers out of $4.5 million. They actually replaced the entire device you see at the counter when you order your Big Mac!

Officials say the problem is so bad that they have urged people to change their credit and debit card PINs weekly, since more cases are likely to be identified and account balances could otherwise be wiped out.

Revisiting the Oklahoma Bankers Association’s statement, specifically, “It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment,” it sounds a little desperate to me. Credit and debit cards as we know them, with their magnetic stripes, are easily compromised and frequently targeted by criminals. Now that Mexico and Canada are going chip and PIN, getting “creative” to save the mag stripe is going to take a lot more than a class in creativity. Sounds like a serious upgrade is in order.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Seven Social Media Landmines to Watch Out For

In the early days of the web, cybersquatting was a concern among corporations who were late to the game in getting their domain names. I had a little battle with LedZeppelin.com that I regret, but that’s another story.

Today that same battle is being played out in social media. Anyone can register any brand or likeness on social media with very little difficulty, and it’s free. Once the scammer owns your name, they can pose as you, blog as you, and comment as you.

The basis of much of this social media identity theft, or “impostering,” revolves around social engineering. When a profile claims to represent a certain person or brand, it is generally taken at face value. Lies propagated from such a credible source are likely to be taken as fact for quite a long time, if not indefinitely.

1. Someone may want to seize your C-level executive’s name on Facebook, LinkedIn, or Twitter, posing as that person in order to gather marketing intelligence. Once they are “linked” or “friended,” they have access to that person’s contacts and inner circle.

2. Another tactic is to pose as a family member of an executive, since on Facebook, parents and children are often “friends.” Pretending to be the child of one executive “friending” another in order to gather information is an effective con.

3. Given the opportunity, companies will often take over social networking pages in the name of a rival company. The competition, unable to use the page for their own benefit, loses market share.

4. In other scenarios, the same social networking page or profile can be used to disparage or slander the competing company.

5. Or worse, it could be used to spread falsehoods or create fake contests or scams that inevitably damage the brand.

6. There have been companies and individuals whose names or variations of their names were hijacked in response to a customer service issue gone wrong. The person then uses that platform to slam the company using the company’s own name.

7. Employees who are unhappy with their jobs can use social media to vent their frustration about their boss or company. This can easily result in a public relations nightmare.

The best thing to do is register every possible brand name and individual name that could be used against you. Even if you never use the site, you own the name. This can be done manually for free or by paying a small fee. I’ve done both. Doing it manually is very time consuming. One site that can help you do it yourself for free or provide full service for a fee is knowem.com.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)

mCrime Higher on Hackers’ Radar

This year’s Defcon convention of hackers in August brought to light a fact that many in the security industry have known: mobile phones are becoming a bigger target for criminals.

Recent news of applications on the iPhone and Android that are vulnerable to attack, and possibly designed to send your data offshore, has reinforced the security concerns for mobiles.

It is inevitable that over the next few years as millions of smartphones replace handhelds and billions of applications are downloaded, risks of mobile crime (mCrime) will rise. As we speak, the large antivirus companies are snapping up smaller mobile phone security companies in anticipation of a deluge of mobile attacks.

Right now, however, the path of least resistance continues to be the data-rich computer that sits in your home or office, or maybe your mortgage broker’s office. Unprotected PCs with outdated operating systems, unsecured wireless connections, antivirus software that hasn’t been updated, and reckless user behavior will continue to provide a goldmine for criminals.

The problems with computer security will continue as Microsoft abandons XP users and stops offering security updates. But as more and more users shed Windows XP and upgrade to Windows 7 and beyond, mobiles will become attractive targets.

In the meantime, protect your mobile phone.

The Blackberry is the most “natively” secure. It’s been vetted by corporations the world over to protect company data. Enable your password. Under “General Settings,” set your password to “On” and select a secure password. You may also want to limit the number of password attempts. Encrypt your data. Under “Content Protection,” enable encryption. Then, under “Strength,” select either “stronger” or “strongest.” When visiting password-protected Internet sites, do not save your passwords to the browser. Anyone who finds your phone and manages to unlock it will then have access to all of your account data and, ultimately, your identity.

The key to being a “safe” iPhone owner is to add apps that help secure your information. Enable the passcode lock and auto-lock. Go into your phone’s “General Settings” and set the four-digit passcode to something that you will remember but is not overtly significant to you. That means no birth dates, anniversary dates, children’s ages, etc. Then go back into “General Settings” and set the auto-lock. And turn your Bluetooth off when you aren’t using it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. (Disclosures)

What is “Social Registration”?

Social media has evolved into the fifth major form of media: print, radio, television, Internet, social. While social media functions on the Internet, there’s no denying that it is its own platform. It encompasses most forms of media in one tight and neat package. Some social networking sites have more users than some countries have residents.

In the process of this explosive growth, a few social networking websites like Facebook, Twitter, and LinkedIn have risen to the top. And in each frontrunner’s quest to be the biggest, fastest, and strongest, each wants to be your “single sign-on” in the form of a registration. Webmail providers Google and Yahoo also want you to log in to other sites using their credentials. This means when you visit any other site with a registration requirement, they may ask for your username and password but also give you the option to log in using your Facebook or Google credentials.

This same process can also link your different social media communities with each other and facilitate cross-posting.

The idea behind social registration is that each user has a somewhat established online identity. Over time, the user’s various identities in each community or platform begin to merge for purposes of shopping, communicating, and connecting to different devices. This can allow you to hop from one place to another without having to enter multiple usernames and passwords.

All that said, rarely will I engage in social registration. If one account is ever compromised, and it’s linked to others, then the hacker accesses multiple accounts with a single hack. If the accounts are of low security value then it may not be a big deal, but once email credentials are involved, the risks increase. There are security measures behind the scenes that protect you in some ways. I’m just not so trusting.

Look at it this way: does your online banking interface allow you to log in via Facebook? I didn’t think so. Of course, if anyone wants to walk me through their bulletproof process and change my mind, I’m listening.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses hackers on social media on CNN. (Disclosures)

Seven Smartcard Keys To The Internet

There has been a bit of buzz lately regarding an Internet “kill switch” and a handful of trusted individuals given the responsibility of rebooting the Internet, should it go down from cyber attack or be shut down for whatever reason.

The operation is born of the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN was formed in 1998. It is a not-for-profit public benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable, and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.

ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its role coordinating the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet.

Popsci reports that “part of ICANN’s security scheme is the Domain Name System Security (DNSSEC), a security protocol that ensures Web sites are registered and ‘signed’ (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate site). Most major servers are a part of DNSSEC, as it’s known, and during a major international attack, the system might sever connections between important servers to contain the damage.”

The lucky seven holders of the smartcard keys are from all over the world. Each key holds an encrypted number that is part of the DNSSEC root key; by itself each number is useless, but combined they have the ability to restart the Internet. The process of rebooting the web requires five of the seven key holders to be in the United States together with their keys. That’s a pretty lofty responsibility for anyone. You can learn more about the card process in this video.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses the possibility of an Internet crash on Fox Boston. (Disclosures)
Stealing Secrets: Telling Lies Over the Phone

In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon) I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. At the recent Defcon event, social engineers proved that it doesn’t take much more than asking to get the necessary information that may lead to penetrating a person’s computer.

Social engineering is a fancier, more technical form of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network.

Social engineering is all based on telling a lie and getting others to tell the truth in response. Thousands of years of civilized conditioning and cultural teaching to help and trust one another have made people just a little too eager to help.

Participants in the contest successfully got employees from some Fortune 500 companies to provide full profiles of the inner workings on network PCs and software that could easily be used to launch an attack. Some revealed what operating system they had, the version of their service pack, antivirus software, browser, email, which model their laptops were, the virtual private network software the company used, and even what garbage collector hauled the company’s trash.

In some cases, the tricksters even got the Fortune 500 employees to visit certain websites while on the phone. Sometimes the simple act of visiting a website can install a malicious program on your PC if it’s not properly protected. Based on the answers the employees provided, the social engineer can steer the person to whichever website would infect that particular computer.

Recognize that while you are generally not being swindled by those who call you, there is a chance that you may be. This means having systems in place regarding what can be said to whom, when, and why. Training on social engineering and how to prevent it is a must for any company and frankly for any individual who doesn’t want to fall victim to a con man.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston. (Disclosures)

Banks Need You to Partner in Security

Sticking your cash in a mattress has never been a good idea. That’s why we have banks. Banks have safes, insurance, and other systems in place to ensure that multiple layers of security protect your money.

In the past decade, however, as much as 80% of all banking has taken place online, compared to the hundreds of years of traditional banking. Clearly, this is all about convenience. And it has become apparent that these conveniences of technology have outpaced consumers’ security intelligence. It is possible to secure systems in a way that will defeat most online criminal activity, but that level of security comes with inconveniences that the consumer may not be equipped to handle.

According to American Bankers Association VP of risk-management policy Doug Johnson, “The banking industry wants consumers to monitor their online accounts for unauthorized transactions on a continuous, almost daily, basis. That’s because PCs and smartphones have become the online bank branch for a lot of individuals. The customer needs to really recognize that security is most effective when they work in partnership with their financial institution.”

When banks began building out their infrastructure to allow for online banking, they didn’t anticipate the thousands of ways in which the bad guy would scheme to separate banks and their clients from their cash. There are tens of thousands of viruses created every year to overtake users’ PCs and con customers into entering their credentials in spoofed pages.

While banks are fighting their own battles, working with the security industry to create new technologies to combat fraud and account takeover, it is imperative that the banks’ customers adhere to the fundamentals.

  • Set your computer’s operating system to automatically update critical security patches.
  • Make sure your firewall is turned on and protecting two-way traffic.
  • Always run antivirus software, and set it to update virus definitions automatically.
  • Run a protected wireless network.
  • Never click links within the body of an email. Instead, go to your favorites menu or type familiar addresses into the address bar.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses online banking security on CBS Boston. (Disclosures)