
Old Credit Card Technology Facilitates Skimming Fraud

Credit and debit cards in the U.S. use old magnetic stripe technology. The magnetic stripe is the black or brown band on the back of your credit or debit card. Tiny, iron-based magnetic particles in this band store data such as your account number. When the card is swiped through a “reader,” the data stored on the magnetic stripe is accessed. Card readers and magnetic stripe technology are inexpensive and readily available, making the technology highly vulnerable to fraud.

One extremely prevalent example of such fraud is ATM skimming. Skimming occurs when a criminal copies the data stored on your card’s magnetic stripe and burns the stolen data onto a blank card, creating a clone that can be used like any normal credit or debit card.

According to the Smart Card Alliance, twenty-two countries, including China, India, Japan, Mexico, Canada, and many in Western Europe and Latin America, are migrating to encrypted microprocessor chip and PIN technology for credit and debit payments. These new “smart cards” contain an embedded microchip and are authenticated using a personal identification number, or PIN. When a customer uses a smart card to make a purchase, the card is placed into a “PIN pad” terminal or a modified swipe-card reader, which accesses the card’s microchip and verifies the card’s authenticity. The customer then enters a four-digit PIN, which is checked against the PIN stored on the card.

The U.S. has yet to adopt the new smart card technology, possibly due to the higher cost. According to consulting firm Javelin Strategy & Research, converting to chip and PIN technology would cost the U.S. payment card industry about $8.6 billion, which doesn’t sound so expensive to me, considering that identity theft is a reported $50 billion problem.

U.S. travelers are encountering difficulties when attempting to use old magnetic stripe credit and debit cards abroad, since their cards do not contain the new microchips. This is especially problematic at automated kiosks, which are common in Europe. Vending machines at regional rail stations, bicycle rental racks in Paris, parking meters in parts of London, toll roads, and gas stations only accept chip and PIN cards. Visa claims that most payment terminals in countries that have adopted chip payment technology can still process old magnetic stripe U.S. cards, and, “in the rare instance that a card holder encounters a problem” at a self-service machine, Visa advises American travelers to present their cards to attendants.

My dad has U.S.-based magnetic stripe cards, and he travels all over Europe and has yet to encounter a problem paying at a restaurant or in any scenario in which the card is processed by a person. However, CreditCards.com reports that the European Payments Council, the governing body responsible for achieving a single payments market throughout Europe, is considering a ban on old technology magnetic stripe cards. This would cause major commerce problems in Europe and raises the question of whether U.S. credit card merchants will make the switch.

In the meantime, if you travel to Europe, make sure to carry cash. And if you are likely to use a kiosk that can only process cards with chip and PIN technology, do your homework ahead of time to determine whether an alternative payment method is available.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Hackers Play “Social Engineering Capture The Flag” At Defcon

Social engineering is a fancier, more technical form of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network. Smart organizations train their employees to identify and resist the more common attempts to trick them into letting down their guard. Criminal hackers use social engineering as a very effective tool and as part of their strategy when gathering information to piece together the parts of their scams. They often target company executives via phone and email. Once they have extracted some data from the top, accessing networks or whatever end game they had in mind is much easier.

Social engineering has always been a “person to person” confidence crime. Once the con man gains the mark’s trust, the victim begins to provide all kinds of information, or to fork over cash and credit. Trust seems to be an inherent trait we all have from birth. I suppose we would need to be able to trust one another in order to survive as an interdependent communal species, otherwise fear would prevent us from relying on others to nurture us until we are tossed out of the nest.

Defcon is a conference for hackers of all breeds. There are good guys, bad guys, and those who are somewhere in between, plus law enforcement and government agents. All kinds of inventive people with an intuition for technology descend on Las Vegas to learn, explore, and hack. InfoWorld reports, “This year’s Defcon gathering in Las Vegas will feature a contest in which participants will compete to gather nuggets of information from unsuspecting target companies — over the telephone instead of the Internet.”

Defcon is known for its antics but it’s also an event where hackers of all flavors improve their skills. The game they are playing this year is a social engineering fun-o-rama called Social Engineering CTF, referencing the game “Capture the Flag.” “This contest will borrow elements from the convention’s traditional computer-based CTF tournaments, but with a few variations. Prior to the conference, participants will receive an email with the name and URL of a target company. Participants will be permitted to gather preliminary information about the company using Google searches and other passive techniques. Contestants are banned from contacting their target directly via email or phone, and they get points for information gathered. Competitors then use that data during the actual tournament to fuel their social engineering attack. They have twenty minutes to call unsuspecting employees at their target companies and obtain specific bits of (nonsensitive) information about the business for additional points. Participants aren’t allowed to make the target company feel at risk by pretending to represent a law enforcement agency.”

Recognize that online predators use these tactics to get what they want. They consider you, the innocent computer user, their natural prey.

So always question authority, or the appearance of authority. Don’t automatically trust or give the benefit of the doubt. When you are contacted via phone or email, or approached in person, proceed with caution. Always be suspect of external or internal communications, and consider that you could be the target of a phishing scam. Never click on links in the body of an email, and if an email prompts you to divulge a username and password, pick up the phone to verify the legitimacy of the request. The best defense is effective policies coupled with ongoing awareness training.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

“Wireless Security” is an Oxymoron, But There is Hope

WiFi is everywhere. Whether you travel for business or simply need Internet access while out and about, your options are plentiful. You can sign on at airports, hotels, coffee shops, fast food restaurants, and now, airplanes. What are your risk factors when accessing wireless? There are plenty. WiFi wasn’t born to be secure. It was born to be convenient. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks.

Anyone using an open unsecured network risks exposing their data. There are many ways to see who’s connected on a wireless connection, and to gain access to their information. As more sensitive data has been wirelessly transmitted over the years, the need for security has evolved. Today, with criminal hackers as sophisticated as they ever have been, wireless communications are at an even higher risk.

When setting up a wireless router, there are two different security protocol options. WiFi Protected Access (WPA and WPA2) is a certification program that was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy. Wired Equivalent Privacy was introduced in 1997 and is the original version of wireless network security.

There are a few things you should do to protect yourself while using wireless.

Be smart about what kind of data you transmit on a public wireless connection. Only transmit critical data from secure sites, ones where “HTTPS” appears in the address bar. These sites have additional encryption built in.

Don’t store critical data on a device used outside the secure network. I have a laptop and an iPhone. If they are hacked, there’s no data on either device that would compromise my identity or financial security.

If you have file sharing set up on a home network, turn it off manually on your laptop before venturing to wireless hot spots.

Turn off WiFi and Bluetooth on your laptop or cell phone when you’re not using them. An unattended device emitting wireless signals is very appealing to a criminal hacker.

Beware of free WiFi connections. Anywhere you see a broadcast for “Free WiFi,” consider it a red flag. It’s likely that free WiFi is being used as bait.

Beware of evil twins. Anyone can set up a router to say “T-Mobile,” “ATT Wireless,” or “Wayport.” These connections can appear legitimate but are actually traps set to snare anyone who connects.

Keep your antivirus software and operating system updated. Make sure your antivirus software is automatically updated and your operating system’s critical security patches are up to date.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses hackers hacking wireless networks on Fox Boston. (Disclosures)

Study Shows Tweens and Teens are Clueless About Privacy

The Secret Online Lives of Teens, a survey conducted by McAfee, reveals that tweens and teens are relatively clueless about online privacy. The study sheds light on this generation’s tendency to use the Internet in ways that translate to danger in the real world.

The fundamental problem is their belief that privacy is unimportant or irrelevant, which stems from their lack of understanding of what privacy actually entails. Most alarming is the extent to which they are willing to share certain types of information online, information which is often visible to complete strangers. In doing so, they make themselves easy targets for data mining by adults whose reasons are not always well intended.

While most adults are not predators or pedophiles, there are certainly many of them out there who prey upon the young and naïve. Statistics show there are as many as half a million registered sex offenders in the U.S. alone. And many more simply haven’t been caught yet.

There always has been, is, and will be a predatory element out there. Generally, most people don’t want to think about that or even admit that it’s true. Instead of acknowledging the risks, most people completely discount this reality, telling themselves, “It can’t happen to me or my kids.”

The Last Watchdog sums up the study as follows:

“McAfee commissioned Harris Interactive to query 955 American teens, including 593 aged 13-15 and 362 aged 16-17. Survey responses were weighted for age, gender, ethnicity and other variables. The McAfee/Harris poll found:

  • 69 percent of teens divulged their physical location
  • 28 percent chatted with strangers

Of those teens who chatted with strangers, defined as people whom they did not know in the offline world:

  • 43 percent shared their first name
  • 24 percent shared their email address
  • 18 percent post photos of themselves
  • 12 percent post their cell phone number

What’s more, girls make themselves targets more often than boys: 32% of the girl respondents indicated they chat with strangers online vs. 24% of boy respondents.”

It’s not just tweens who don’t understand that they’re living in a fishbowl. Young adults and parents are equally clueless. Channel 4 News in Jacksonville exposed a Florida mother who took a picture of her 11-month-old son with his mouth over a pot bong and posted it on Facebook. The mom’s behavior was obviously reckless, but what she and many don’t understand is that anything digital is repeatable.

Many now blame social networks for the erosion of whatever privacy we once had. Social networking sites aren’t inherently bad, but they are self serving entities, promoting transparency that ultimately leads to marketing and advertising dollars. For them it’s all about profit, and it’s to their advantage to gather as much information about you as possible, which allows them to fine-tune their offerings to advertisers.

My belief that people need to “live consciously,” making informed decisions about and ultimately taking responsibility for themselves, makes it difficult for me to blame anyone but users themselves for their lack of security. But I know the reality is that people are easily led, easily bamboozled, and they need to be told what to do and what not to do.

Studies like this bring much needed attention to these issues, hopefully raising awareness for teens and their parents. As a parent, I am as laser focused on the media my children consume, in all its forms, as I am on any food they eat. No responsible parent would allow their child to eat spoiled food, because they understand why it’s bad, but those same parents may allow their children to roam freely online without supervision. This is mainly because the parents don’t understand the risks.

When a quarter to a third of teens are revealing all their information to total strangers, it should give society pause. Understand that as this trend continues, more and more kids will be blindsided when they are solicited by adults who, with an additional twenty or more years of life experience, know how to con a kid.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)

Data Breaches Persist In Health Care

In September 2009, the Obama administration’s Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect, requiring hospitals and other health care organizations to beef up client data protections. Despite this, a recent study found that health care data is still hemorrhaging from peer-to-peer networks.

A peer-to-peer network, commonly abbreviated P2P, is any distributed network architecture composed of participants that make a portion of their resources (such as processing power, disk storage or network bandwidth) directly available to other network participants, without the need for central coordination instances (such as servers or stable hosts).

In simple terms, P2P is software installed on your PC and on other PCs that allows data to be shared among those computers.

Computerworld reports, “One of the more than 3,000 files discovered by the researchers was a spreadsheet containing insurance details, personally identifying information, physician names and diagnosis codes on more than 28,000 individuals. Another document contained similar data on more than 7,000 individuals. Many of the documents contained sensitive patient communications, treatment data, medical diagnoses and psychiatric evaluations. At least five files contained enough information to be classified as a major breach under current health-care breach notification rules.”

In my own research, digging through P2P networks, I’ve uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for entire families. I’ve found Christmas lists, love letters, private photos, videos, and just about anything else that can be saved as a digital file.

It’s no surprise data is still leaking. File sharing technologies are easier and more user friendly than ever. Faster broadband connections coupled with faster PCs and bigger hard drives make downloading files a snap. Insurance companies, doctors’ offices and hospitals all have computers, and those computers are operated by people who like things that are free. Any bored employee who wants to listen to that song he heard on the way to work can simply download Limewire, eDonkey, BearShare, or any other P2P client. Within minutes, that song is playing on the employee’s iPod, and his employer’s clients’ data is being shared with the world. This type of breach resulted in blueprints for President Obama’s private helicopter being leaked online.

The House Committee on Oversight and Government Reform has asked the Department of Justice and the FTC to help prevent illegal use of peer-to-peer networks, and in the same letter, asked what the government is doing to protect its citizens. But ultimately, it’s up to you to protect yourself.

Don’t install P2P software on your computer. If you aren’t sure whether a family member or employee may have installed P2P software, check for new, unfamiliar applications. A look at your “All Programs Menu” will show nearly every program on your computer. If you see one you don’t recognize, do an online search to see what it is you’ve found. You should also set administrative privileges to prevent the installation of new software without your knowledge.

If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.
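The leak described above happens when a P2P client’s shared folder quietly contains spreadsheets and notes full of patient data. As an added example (not code from the post or from any P2P product), this Python script walks the folder a client is configured to share and flags files that look like they hold Social Security numbers or diagnosis codes; the patterns are simple constructed heuristics, and the sample share folder it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed heuristics for the kinds of data the article says leaked over P2P.
# SSN: three-two-four digits with dashes, excluding obviously invalid prefixes.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# ICD-9 style diagnosis code such as 250.00 (constructed, illustrative only).
DIAG_RE = re.compile(r"\b\d{3}\.\d{1,2}\b")
KEYWORDS = ("diagnosis", "patient", "insurance", "social security")


def scan_file(path, max_bytes=1_000_000):
    """Return a findings dict for one file, or None if nothing looks sensitive."""
    try:
        text = Path(path).read_text(errors="ignore")[:max_bytes]
    except OSError:
        return None  # unreadable file: skip rather than crash the audit
    lowered = text.lower()
    findings = {
        "ssn": len(SSN_RE.findall(text)),
        "diagnosis_codes": len(DIAG_RE.findall(text)),
        "keywords": [k for k in KEYWORDS if k in lowered],
    }
    # An SSN alone is enough; a bare number like 250.00 needs medical context.
    if findings["ssn"] or (findings["diagnosis_codes"] and findings["keywords"]):
        return findings
    return None


def audit_share(share_dir):
    """Walk the shared folder and return {relative_path: findings} for flagged files."""
    flagged = {}
    for root, _dirs, files in os.walk(share_dir):
        for name in files:
            full = os.path.join(root, name)
            result = scan_file(full)
            if result:
                flagged[os.path.relpath(full, share_dir)] = result
    return flagged


def build_demo_share():
    """Create a constructed sample share folder mixing music and patient data."""
    share = Path(tempfile.mkdtemp(prefix="p2p_share_"))
    (share / "music").mkdir()
    (share / "music" / "song.txt").write_text("just a playlist, nothing sensitive")
    (share / "roster.csv").write_text(
        "name,ssn,insurance\nJane Doe,123-45-6789,Acme Health\n")  # constructed
    (share / "notes.txt").write_text(
        "Patient visit. Diagnosis code 250.00 recorded with insurance details.")
    return str(share)


if __name__ == "__main__":
    share_dir = build_demo_share()
    for rel_path, findings in audit_share(share_dir).items():
        print(f"would be exposed: {rel_path} -> {findings}")
```

Run it against the real folder your client shares (instead of the demo folder) before enabling sharing; anything it flags belongs outside that folder.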

The Smartcard Alliance has released an in-depth report called “Medical Identity Theft in Healthcare.”

Robert Siciliano, personal security adviser to Just Ask Gemalto, discusses Medical Identity Theft on CBS Early Show. (Disclosures)

Replacing Stolen Passports and Credit Cards

Travel season is upon us. Summertime is all about exploring new and exciting places. It’s the season of planes, trains, automobiles and…criminals. When you are out of your element and unsure of your surroundings, you are at a higher degree of risk. Travelers need to be on high alert for property crimes and identity theft.

Years ago, before my wife was my wife, she was traveling in Spain. She got off the plane, headed for the rental car terminal, rented her car, and drove off the lot. At the first stop sign, a man knocked on her passenger window and pointed, saying, “Tire, tire.” She put the car in park and walked over to the passenger side. The tire was fine and the man was gone. So she got back in the car and found that her purse had disappeared from the front seat. Her driver’s license, passport, cash, and credit cards were all gone. What a nightmare! When she went to the police, they asked, “Were you a victim of the flat tire scam?”

You’d think the rental car agency could have warned her. But the lesson here is that you cannot rely on others to protect you. You are ultimately responsible for your personal security.

Fortunately, she is a resourceful person and was able to handle the crisis quickly and efficiently. If your passport is ever lost or stolen in a foreign country, you can apply for an emergency replacement at the nearest embassy. Generally you’ll need to show up in person, and it helps to have a traveling companion to vouch for you. The embassy will need to see some type of verification of your identity, and they’ll likely request a copy of the police report.

When traveling, consider carrying your essential documents in a money belt or one that hangs from a lanyard around your neck, hidden under your shirt. You should always carry photocopies of your identification, but they won’t do you any good if they’re stored in the same purse that was just snatched from your rental car. One smart option is to scan all your pertinent documents in full color and upload them to a secure web-based encrypted digital vault. Some of these services are free, while others charge a small fee. In a pinch, you can download the necessary document from any computer with Internet access, and print a new copy.

For more information on coping with a lost or stolen passport, see this list of frequently asked questions.

A lost or stolen credit card requires a different course of action, and its effectiveness largely depends on your preparation. Before traveling, call your card issuer and inquire about their policy for replacing a card. Pack a copy of your credit card that includes the front and back impression. If your credit card is lost or stolen, call the issuer and cancel the card as quickly as possible to mitigate any losses. In the best case scenario, the company should issue a replacement card and ship it overnight at no charge. Most card issuers will accommodate you, and if you find out ahead of time they won’t, find another card issuer.

In an emergency, you can always ask a friend or family member to wire you money. When a U.S. citizen encounters an emergency financial situation abroad, the Department of State’s Office of Overseas Citizens Services (OCS) can establish a trust account in the citizen’s name to forward funds overseas. Upon receipt of funds, OCS will transfer the money to the appropriate U.S. embassy or consulate for disbursement to the recipient. The State Department’s travel website offers more details on emergency money transfers.

And always be sure to carry some spare cash. Tuck it in that money belt so even if your purse or wallet is stolen, you’ll be in good shape.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses travel security on Fox News. (Disclosures)