Sunday, December 7, 2008

You Have the Right to Remain Silent

In 1995 a film called The Net was released, starring Sandra Bullock. Her character is the victim of a program that hackers have slipped into the best-selling routers. As these Internet devices are installed at most companies, including banks, air-traffic control centers, telephone companies and the Federal Government, it has the potential to create major havoc. In this somewhat cheesy but perhaps prescient movie, her identity gets stolen and transferred to someone else, and thus she vanishes from existence.

In 2008 cyber criminals rob computer users of an estimated $100 billion (the total GDP of a country like Peru), according to an estimate by the Organization for Security and Co-operation in Europe (OSCE). Identities are traded online and the going rate for full personal details is around $120. In Saturday’s NY Times it is reported that a Russian company that sells fake antivirus software that actually takes over a computer pays its distributors as much as $5 million a year. Two of my bank accounts, one in Holland and one in the US, were hit with illicit ATM withdrawals in Odessa, Ukraine and some other towns in Eastern Europe that I didn’t know existed until they appeared on my monthly statements. The Internet doesn’t take sides, nor does it care much about location. Hackers may operate from jurisdictions that don’t have the means or appetite to go after cyber criminals. It is a relatively low-risk endeavor and pays extraordinarily well, judging from the amounts pulled from my accounts.

So-called “malware” is getting increasingly sophisticated and can operate on a large scale. It hides itself from the anti-virus software installed on your PC and propagates through programs that spread out over the Net. Widely used programs like Facebook have gaping holes when it comes to data protection. Any Facebook application can pull profile information from every person that installs it. The bottom line is that everyone connected to the Net is exposed. This concerns every company on the globe and every person with a PC or enhanced phone. Just making sure that you have the proper security software installed will not be sufficient.

You have to be conscious of how your information is used and how private you want it to be. Start by categorizing your information with the traditional classification: public, confidential and secret. For confidential and secret data, you have to decide with whom you want to share this information. I assume that your credit card number falls in the category “secret”. However, in order to use it you have to share it with a trusted partner. Not everyone you deal with will keep your card data safe. In August it turned out that 40 million credit card numbers had been stolen from the systems of reliable retailers, like Sears and Barnes & Noble. One way to address this risk would be to store your credit card number with a single trusted partner, for instance PayPal, and let them handle the payment to the retailer. For online purchases retailers should actually require an SMS-based approval to avoid illicit charges being made from copied card numbers.

Passwords are “top secret”. They should authenticate the person who is logging on. Most new notebooks and keyboards now come with fingerprint readers. This technology is mature and cheap and therefore highly recommended to uniquely identify you.

At the other end of the spectrum is the public information. There is probably more of it about you than you would have wished. Just go to White Pages and see what you can find on yourself. You can order a full background report on anyone for only $39.95! But these companies will give you the facts about you, not the information that you are not even aware exists. Companies like Experian, Equifax and Fair Isaac are making a living from analyzing your life. They started out with credit scoring, assessing your creditworthiness, but moved way beyond this and are now profiling you to death. Google’s business model is based on very large scale data mining, analyzing the way you click, search and access information on the web, so that they can find the right ad for you at that moment, based on your profile and the current context. Your journeys on the web tell a story. By comparing you with similar users they start predicting your needs and preferences. Scary stuff.

It will be hard to always stay ahead of the hackers, data gleaners and analyzers. Close monitoring can alert you to potential breaches. If someone withdraws money from an ATM every two minutes in Astana, Kazakhstan, that is an indication of fraud. The bank should block the card and send an SMS to the cardholder to verify that it is actually her standing at the ATM of the First National Bank of Kazakhstan. Most banks use this type of “Fraud Early Warning” system for their credit card operations, but haven’t installed it for their ATM and online banking systems. The future lies in this type of data-mining software that looks for extraordinary behavior on your computers or network. Like Fraud Early Warning, the behavioral analysis program notifies the user and asks whether this is the result of a conscious user action or suspicious activity of bots, worms, viruses or other malware trying to pry information from your systems.
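The "withdrawal every two minutes" rule above is easy to make concrete. The following is an added example, not code from the original post or from any bank's fraud system: it parses a small constructed ATM log (placeholder card ids, not real card numbers), applies a sliding-window velocity rule and a simple "two cities too close together in time" rule, and records the block-and-SMS action the post recommends for the first suspicious withdrawal on each card. The thresholds (more than 3 withdrawals in 10 minutes, a different city within 2 hours) are assumptions chosen for the example.

```python
"""Velocity-based ATM fraud early warning (added example, not from the original post)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Withdrawal:
    card: str
    when: datetime
    city: str
    amount: float


@dataclass
class Alert:
    card: str
    when: datetime
    reason: str
    # The response the post recommends: block first, then verify with the cardholder.
    action: str = "block card and send SMS to cardholder for verification"


# Constructed sample log, one ATM withdrawal per line: timestamp,card,city,amount.
# CARD-A/B/C are placeholders, not real card numbers.
SAMPLE_LOG = """\
2008-11-08T00:01:00,CARD-A,Astana,200.00
2008-11-08T00:03:00,CARD-A,Astana,200.00
2008-11-08T00:05:00,CARD-A,Astana,200.00
2008-11-08T00:07:00,CARD-A,Astana,200.00
2008-11-08T09:15:00,CARD-B,Amsterdam,50.00
2008-11-08T18:40:00,CARD-B,Amsterdam,80.00
2008-11-08T12:00:00,CARD-C,New York,100.00
2008-11-08T12:30:00,CARD-C,Odessa,300.00
""".splitlines()


def parse_log(lines):
    """Turn CSV-style log lines into Withdrawal records, skipping blanks and comments."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, card, city, amount = line.split(",")
        records.append(Withdrawal(card, datetime.fromisoformat(ts), city, float(amount)))
    return records


def detect_anomalies(withdrawals, window=timedelta(minutes=10), max_in_window=3,
                     travel_window=timedelta(hours=2)):
    """Return {card: Alert} for the first suspicious withdrawal seen on each card.

    Rule 1 (velocity): more than max_in_window withdrawals inside a sliding window.
    Rule 2 (travel): a withdrawal in a different city than the previous one, less
    than travel_window later, which is implausible for one cardholder.
    """
    by_card = defaultdict(list)
    for w in withdrawals:
        by_card[w.card].append(w)

    alerts = {}
    for card, ws in by_card.items():
        ws.sort(key=lambda w: w.when)
        recent = deque()  # withdrawals inside the current sliding window
        prev = None
        for w in ws:
            while recent and w.when - recent[0].when > window:
                recent.popleft()
            recent.append(w)
            if len(recent) > max_in_window:
                minutes = int(window.total_seconds() // 60)
                alerts[card] = Alert(card, w.when,
                                     f"{len(recent)} withdrawals within {minutes} minutes in {w.city}")
                break  # one alert per card: the bank blocks at the first hit
            if prev is not None and prev.city != w.city and w.when - prev.when < travel_window:
                gap = int((w.when - prev.when).total_seconds() // 60)
                alerts[card] = Alert(card, w.when,
                                     f"withdrawal in {w.city} only {gap} minutes after one in {prev.city}")
                break
            prev = w
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)).values():
        print(f"{alert.card} @ {alert.when.isoformat()}: {alert.reason} -> {alert.action}")
```

On the sample log, CARD-A trips the velocity rule at its fourth withdrawal in Astana and CARD-C trips the travel rule when it appears in Odessa half an hour after New York, while CARD-B's two Amsterdam withdrawals nine hours apart raise nothing. A real system would tune the thresholds per card profile and feed the SMS reply back in to unblock the card, which this example leaves out.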

Meanwhile, keep your security software up to date, monitor your information and think carefully about what you want to put in online profiles and which pictures and comments you post online. This information will be used by someone, somewhere. Of course you have the right to remain silent online, but then you are missing out on some of the biggest opportunities of this age.

9 comments:

  1. The problem with the current security scenario is that there are too many "keys and vaults", which is not manageable. Also in a number of cases it lacks basic security strength. Take the case of the credit card: it had the number and a 3-digit CVV number. Now the security strength has been increased but NOT many use it - for instance you can have a password and virtual cards with a limit. Most of the sites have not been designed or tested (real testing) for security; ethical hacking has missed some of the basic security holes. Internal security is still a distance away. Essentially there is no security "blue print" and most folks don't understand it. For the consumer the multiple identities and profiles keep propagating across the above services and eventually get penetrated.

  2. The dangers of cyber terrorism or terrorists leveraging cyberspace are real and present. Here are some examples from this week's press:

    Economist: The internet - Attacks launched over the internet on Estonia and Georgia highlight the difficulty of defining and dealing with “cyberwar”. AS RUSSIAN tanks rolled into Georgia in August, another force was also mobilising—not in the physical world, but online. Russian nationalists (or indeed anyone else) who wished to take part in the attack on Georgia could do so from anywhere with an internet connection, simply by visiting one of several pro-Russia websites and downloading the software and instructions needed to perform a “distributed denial of service” (DDoS) attack. This involves sending a flood of bogus requests to an internet server, so that it is overwhelmed by the demand and becomes unusable.

    NY Times: Mumbai Terrorists Relied on New Technology for Attacks
    By JEREMY KAHN
    MUMBAI, India — The terrorists who struck this city last month stunned authorities not only with their use of sophisticated weaponry but also with their comfort with modern technology.
    The terrorists navigated across the Arabian Sea to Mumbai from Karachi, Pakistan, with the help of a global positioning system handset. While under way, they communicated using a satellite phone with those in Pakistan believed to have coordinated the attacks. They recognized their targets and knew the most direct routes to reach them in part because they had studied satellite photos from Google Earth.
    And, perhaps most significantly, throughout the three-day siege at two luxury hotels and a Jewish center, the Pakistani-based handlers communicated with the attackers using Internet phones that complicate efforts to trace and intercept calls.

  3. More on the same subject, this one pertaining to wi-fi security, is available in the form of a very useful e-book which is a free download on the site:

    http://www.sysman.in (click on Books at the top and it is the 3rd item in the list. Sorry the link is not clickable and I didn't know how to send it in as an attachment either.)

    The gist of the topic it discusses is given below:


    "One of the tools, terrorists have used recently has been open and unsecured wi-fi networks. This can be reused by either terrorists and other anti-social elements. It is seen that citizens have installed wi-fi networks without knowing anything about their mis-use, specially by anti-social, anti-national and terrorist elements. The need of the hour is to create awareness amongst citizens, especially wi-fi users on - How to secure their wi-fi network. To address this need, we at CRPCC and Sysman Computers P Ltd., have written an eBook - "Securing WI-Fi network". The ebook is 44 pages of A4 size in pdf format. The book provides comprehensive details to secure your wi-fi / wireless network in Do-It-Yourself (DIY)"

  4. Silence Can be Golden

    Warren Buffett has long talked about staying away from the talking heads
    and research has shown that information overload led trading leads to below average financial gains.

    Many creativity gurus have long proposed Unplugging and spending time in solitude
    allows one to listen to the inherent intuition and fosters creativity.

    An early morning Caltrain/ Muni ride shows man with two or more devices leading
    one to question - who is driving whom.

    We have been assimilated - resistance is futile. The future looks more like The Matrix.

    Concluding with a quote from The Tao Te Ching
    "Those who know don’t speak. Those who speak don’t know.

    Close your mouth, dull your senses, smooth what’s sharp, untie all tangles, shut out all glare, wipe away all dust.

    This is your real Self.

    Be on Heaven’s Way without desires or dislikes, benefit or harm, honor or disgrace.

    This is being Heaven’s highest, for one under Heaven."


    Silence can be Golden.

  5. You must be already aware of this but still wanted to share what Microsoft's "Bizspark" program is doing to promote open source. This is on the previous post (on Open Source) but I was unable to leave a comment there, so please read on from here...thanks.

    Microsoft's new BizSpark initiative is being rolled out in 82 countries, and offers many types of incentives to developers and startups. It also steers people toward Microsoft's products, though, and challenges open source in several ways.

    In Microsoft's BizSpark program, startups will get a three-year Microsoft Developer Network (MSDN) Professional subscription that will allow them to download Microsoft applications for building on Microsoft platforms. "Startups will also get free production licenses for application hosting and management servers, including Windows Server, Microsoft SQL Server, Microsoft Office SharePoint Portal Server, BizTalk Server and Systems Center and soon, Microsoft Dynamics CRM.

    It is no secret that startups are very cost-conscious. Given the relative lack of cost-effective software solutions, they often tend to veer towards open source. In addition to being priced 'right', open source allows startups to maintain flexibility. Open source applications can be enhanced as desired, through access to the source code, where users are not locked into a proprietary solution. Microsoft understands the price-attraction of open source, and hence it is basically undercutting that advantage. Ultimately, this will be healthy for open source products as they will be forced to compete on value, beyond price.

  6. I am surprised that although banks had to comply with dual-factor authentication for any web application that transacted or moved money, mandated by FFIEC to be done by the end of 2006, the additional level of protection has not been extended to cover many consumer banks or merchants who handle debit or credit card transactions. I guess some of the lawyers found a creative loophole to get out of it and avoid the investment to make these transactions more secure. Hopefully with mobile commerce, leveraging the mobile smartphone as the "electronic wallet" of the future, with the additional level of a smartphone with NFC technology and with the SIM card or a custom application to handle an additional layer of security, it will be more secure and reduce fraud.

  7. Massive Theft of Credit Card Numbers Reported (PC World)
    Posted on Tue Jan 20, 2009 3:02PM EST

    A payment processor responsible for handling about 100 million credit card transactions every month disclosed today that thieves had used malicious software in its network in 2008 to steal an unknown number of credit card numbers.
    The company's information site on the incident, http://2008breach.com/, attempts to downplay the loss of data by asserting that no Social Security numbers, unencrypted PINs or other types of data were stolen. But according to some good reporting from Brian Krebs at the Washington Post, Heartland's CEO says a piece of spyware stole payment card data as it passed through the company network, including the data from the magnetic stripe that can be used to create counterfeit cards.
    Heartland says it didn't discover the breach until Visa and Mastercard came knocking about suspicious activity involving card numbers processed by Heartland. Disheartening, to say the least.
    It's all the more sad that we as consumers really can't do a darn thing to protect ourselves against this kind of theft. We can be incredibly careful with our own PC and data, but we have no control over how it's handled by the plethora of companies that store and process our information. All you can do is to keep an extra close eye on your credit card statements and credit reports for anything suspicious.
    You can pick up free credit reports from https://www.annualcreditreport.com (avoid those slimy sites that try to get you to pay for them). Also, as you scan your credit card statements, be on the lookout even for small charges, possibly even less than a dollar. Such charges can be a sign that thieves are testing the account to see if they can pass a fraudulent charge, and may signal a much larger charge to come.
    For more info on the Heartland theft, see Krebs' Security Fix posting and the Heartland disclosure site. And yes, you have to wonder about disclosing this on a day when most everyone's attention is focused elsewhere.

  8. Here's some more:

    http://blog.wired.com/27bstroke6/2009/02/atm.html


    Global ATM Caper Nets Hackers $9 Million in One Day

    By Kevin Poulsen, February 03, 2009 | 2:43:39 PM | Categories: Crime

    A carefully coordinated global ATM heist last November resulted in a one-day haul of $9 million in cash, after a hacker penetrated a server at payment processor RBS WorldPay, New York's Fox 5 reports.

    RBS WorldPay announced on December 23 that they'd been hacked, and personal information on approximately 1.5 million payroll-card and gift-card customers had been stolen. (Payroll cards are debit cards issued and recharged by employers as an alternative to paychecks and direct-deposit.) Now we know that account numbers and other mag-stripe data needed to clone the debit cards were also compromised in the breach.

    At the time, the company said it identified fraudulent activity on only 100 cards, making it sound like small beans. But it turns out the hacker managed to lift the withdrawal limits on those 100 cards, before dispatching a global army of cashers to drain them with repeated rapid-fire withdrawals. More than 130 ATMs in 49 cities from Moscow to Atlanta were hit simultaneously just after midnight Eastern Time on November 8.

    A class action lawsuit has been filed against RBS WorldPay on behalf of consumers.

    A nearly identical cybercrime feeding frenzy targeted payment card company iWire in late 2007. From September 30 to October 1 of that year -- just two days -- four iWire payroll cards were hit with more than 9,000 actual and attempted withdrawals from ATM machines around the world, resulting in losses of $5 million.

    A similar MO was employed against Citibank account holders last year, after a processing server that handles withdrawals from Citibank-branded ATMs at 7-Eleven convenience stores was breached. In that case, cashers converged on New York and withdrew at least $2 million from Citibank accounts, sending 70 percent of the take back to a mysterious hacker kingpin in Russia.

    Could all three breaches be the work of a single wealthy cybercrook sitting on piles of cash somewhere in Moscow? Some of the cashers in the iWire and Citibank caper are cooperating with the FBI, so we may eventually find out.

    What's clear is that this is a great time to be a hacker. In just over one year we've seen these kinds of breaches go from virtually unheard of into a multimillion dollar industry.

    In September, Canadian police announced the arrest of Israeli hacker Ehud Tenenbaum for allegedly penetrating the Calgary-based financial services company Direct Cash Management and increasing the cash limits on prepaid debit cards he and his co-conspirators legitimately purchased. The caper allegedly netted the crooks the equivalent of $1.7 million U.S.

    Despite much-ballyhooed payment card security standards, the industry responsible for protecting our money appears to be as leaky as a sieve. But, as always, consumers aren't responsible for fraudulent withdrawals that they find and promptly report to their card issuer.

    Cyber Crook Pleads Guilty to Looting Citibank Accounts With Hacked ATM Codes
    Three Plead Guilty in $2 Million Citibank ATM Caper
    Israeli Hacker 'The Analyzer' Indicted in New York
    "The Analyzer" Released on Bail; Mom Says FBI Out to Get Her Son
    "The Analyzer" in U.S. Provisional Custody in Canada
    Israeli Hacker Known as "The Analyzer" Suspected of Hacking Again ...
    ATM-Owner Cardtronics Issues Non-Denial Denial in Citibank Breach
    Stakeouts, Lucky Breaks Snare Six More in Citibank ATM Heist
    Citibank Replaces Some ATM Cards After Online PIN Heist -- Update
    Citibank Hack Blamed for Alleged ATM Crime Spree
