Monday, November 14, 2011

Time To Finish Up: Lessons Learned!

Information Security News Update!


My first experience blogging has been very exciting and rewarding. My final take: I plan on researching opportunities to be a regular contributor on cyber-security and cyber-crime issues in the financial sector.


The first couple of weeks were a little shaky because I needed to get my feet wet in the blogging arena. Once the dust settled and the kinks were smoothed out, it became so much fun to read and blog on the various topics that I found interesting.


Throughout the blogging weeks I wrote about a variety of topics. However, most of my blog materials were about cyber-crimes in the financial/banking industry, drawn from the Bankinfosecurity.com website. The topics covered hacking, viruses, ID theft, credit card skimming, cyber fraud, information security threats and ways to combat them, etc.


Initially, I did not choose to write on these topics, but cyber-crime in the financial sector piqued my interest as I began to read about how it impacted my current field of work, and about the millions of dollars being lost to financial cyber-crimes around the world. Also, as the course progressed I gained better insight into cyber security issues. Another source that I used was the Networkworld News website.


I feel that this type of blog is a very useful tool and a great learning experience for information security and banking industry professionals. One of the lessons I learned was that my source materials kept me abreast of current issues in the cyber security and cyber-crime world. It also made me more aware of how federal, state, and local authorities are combating cyber security fraud and financial cyber-crimes.

Thursday, November 10, 2011

Skimming Stopped by Bank, Merchants


Pay-at-the-Pump Scheme Launches 10-Month Spree

Combating Pay-At-The-Pump Skimming

Some years ago, words like skimming, phishing, spamming, etc., were not common in the vocabulary of the electronic world. How the world has changed electronically is amazing. The more sophisticated technologies get, the more sophisticated the men and women of the information-age underworld become at challenging those advancements and posing more cyber threats.

The financial/banking industry is one of the areas most susceptible to different types of attack, probably because, as the saying goes, “money is king”; systems, devices, or persons that have access to it must therefore be more prone to attacks.

Gray Taylor, a security and compliance expert for the National Association of Convenience Stores (NACS), puts it bluntly: “the U.S. payment system is broken …, the magnetic stripe is the culprit.” Recently in Orlando, FL, a U.S. District court charged two suspected fraudsters with pay-at-the-pump credit card skimming. The skimming fraud, amounting to thousands of dollars, spanned 10 months of numerous fraudulent retail transactions with at least 175 credit cards. The good news is that the fraudsters were finally busted by a retail store’s surveillance and “banks’ transactional fraud-detection systems” when the suspects were making a $73,500 purchase. Other skimming crimes were committed at gas stations in Orlando suburbs.

Some of the banks that were victims included Chase and American Express. These cases are examples indicating that hacking and skimming of U.S.-based magnetic-stripe accounts by criminals are growing. According to Jeff Lenard, NACS spokesperson, “pay-at-the-pump skimming is an issue the convenience-store and petrol industries are taking seriously.” To help retailers mitigate potential security breaches, NACS has launched WeCare Decals, tamper-evident labels for quick identification. They also recommended that retailers install video cameras for better surveillance, inspect pumps regularly to monitor for tampering, and change pump dispenser locks, because the older pump locks share the same keys. Inspection and collaboration are the best response to POS attacks. Hopefully the “WeCare Decal” mechanism and the other recommendations will provide a desperately needed solution to curb magnetic-stripe card skimming fraud.



Wednesday, November 2, 2011

EMV: It's About Reducing Fraud

Silicon Valley Bank Plans to Expand Chip Card Program

The combined global effect of the identity theft fraudsters that swindled at least $9 million from 8,000 victims in a period of 15 years (Atlanta, GA) and a 16-month ID theft crime costing over $13 million across Africa, Asia, Europe, the Middle East, and the United States (Queens, NY) may cause those opposing the Europay, MasterCard, Visa (EMV) standard to rethink their stance on chip and PIN card technology. According to Pradeep Moudgal, who oversees global cards and merchant services for Silicon Valley Bank (SVB) in California, chip and PIN card technology migration by U.S. financial institutions will be expensive. However, considering the cost already inflicted on the accountholders and the issuing banks, what more evidence is needed to convince U.S. card issuers to support EMV and implement chip and PIN? No one knows.

The vast majority of ID theft crimes are attributed to the magnetic stripes on the back of the cards, says Avivah Litan, a Gartner analyst. This Achilles heel of the global card industry could finally be eliminated with the implementation of chip and PIN card technology. As the first U.S. commercial bank to implement EMV, SVB is proving that fact as it rolls out EMV cards to its elite business cardholders. Following that will be SVB’s more affluent clientele who travel overseas.

The embarrassment of card rejection overseas and increased global ID security vulnerability, in the long run, far outweigh the cost of chip and PIN card technology implementation. Moreover, the reduction of ID theft fraud, as evidenced in the U.K. and some parts of Europe and Asia, should be a strong motivating factor to those in the U.S. still gauging the costs and benefits of the new technology. If chip and PIN could become a positive tool to mitigate cybercrime, financial fraud, identity theft, information security threats, etc., why not give it a shot? Any takers?



Saturday, October 29, 2011

$9 Million ID Theft Scheme Alleged


Duo Charged in Retail Scam that Spans 15 Years



For 15 years, a pair of identity theft fraudsters swindled $9 million from 8,000 victims undetected. The arrests of the duo in Atlanta and Roswell, GA uncovered more than the authorities had bargained for. The collaboration between the U.S. Secret Service and the local Cherokee County Sheriff’s Office Criminal Intelligence Unit made it possible. These successful gigantic arrests demonstrate how due diligence and collaboration in the pursuit of perpetrators are key to solving information security or financial fraud crimes. While the scope of these arrests spans so many years, another major case, the “biggest identity theft takedown” by the U.S. District Attorney’s Office in Queens, NY, spans the globe. The NY case uncovered a 16-month crime period costing over $13 million across Asia, Africa, Europe, and the Middle East.

As indicated by McAfee’s Robert Siciliano, shared information between financial institutions and retailers enhances monitoring capabilities and creates more understanding for merchants of how to mitigate financial losses. Shared responsibilities among all communities of interest, not just technological surveillance, will always be the greatest weapon against cybercrime, financial fraud, identity theft, information security threats, etc.

For more success in the future, Julie Ferguson, a board member of the Identity Theft Resource Center and co-founder of the Merchant Risk Council, buttressed the point by encouraging consumers to do a better job of reporting incidents of identity theft. Moreover, the closeness of the timing between the two incidents in NY and GA could be attributed to the roles played by people, not necessarily technology. Just as people are the greatest threat to information security and the greatest source of electronic-related crimes, people are also the greatest asset needed for mitigating and solving identity theft, financial fraud, cybercrime, and information security threats.

Wednesday, October 19, 2011

Mobile: Combating Malicious Apps

ENISA Says Vendors are Key to Smartphone Security

It is quite comforting to know, according to Giles Hogben of the European Network and Information Security Agency (ENISA), that when comparing browsing risks, mobile security is still much better than other areas of cyber security threats. For example, the number of malware risks is something around 1,000 times lower than the threats on PCs, he wrote. Nevertheless, Hogben also made it clear that, despite the lower risk level, greater usage of smartphones will cause an increase in emerging threats of mobile malware.

Hogben’s main concerns were focused on the lack of encryption of smartphone data, and “loseability,” a term he coined from the ease with which consumers lose their phones. Areas he discussed included “challenges of detecting and blocking malicious apps on mobile devices; conflicts between mobile OS and HTML permissions in mobile browsing; and what the market can expect if HTML 5 becomes the standard.” Public APIs, for example, involve the image gallery, the accelerometer and the address book. The accelerometer data is used to grab people’s passwords just by observing the way the phone wiggles as different soft keys are pressed during usage. Sloppy coding, besides malware, also leads to data vulnerabilities.

Furthermore, fingerprinting is another area of concern that must be addressed when considering mobile browsing risks. Users’ fingerprints were identified from the particular kinds of headers they transmitted, by looking at the headers coming from their browsers.

With such exposures and the various risks associated with smartphones, Hogben concluded that vendors are the main key to smartphone security. But the question remains: who bears the liability for the legal implications of that responsibility? Is it the vendor or the consumer?
http://www.bankinfosecurity.com/articles.php?art_id=4140&opg=1

Thursday, October 13, 2011

Sony Discloses Attempts to Access Customer Accounts

Mikeknsah: Information Security News Update!


93,000 Accounts May Have Been Exposed


Sony’s CISO alerted customers and the rest of the world that some 93,000 of its network accounts suffered unauthorized intrusions. The number translated to less than one-tenth of one percent of Sony’s ID and password authentication accounts. Upon detecting the breach, Sony decided to lock down the accounts and notify affected customers to reset their login information with hard-to-guess passwords.

To put the minds of affected customers at rest, Sony assured them that credit cards associated with those accounts were not at risk. However, the next statement following the ‘assurance’ said that they “will work with any users whom we confirm have unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.” So the question remains: why would Sony put the ‘cart before the horse’? How could Sony claim that no credit card associated with user accounts was affected, and in the same breath say it will investigate to confirm any unauthorized purchases? Would it not have been better to investigate for fraudulent purchases first before asserting that no credit card accounts were at risk?

This disclosure about attempts to access customer accounts has, once again, put Sony’s networks and the company’s vulnerabilities in the global spotlight. Given Sony’s size and industry, it would serve the company better to make aggressive pursuit of, and investment in, more robust attack prevention tools its number one goal. Such tools should also be integrated with information security models (SSE-CMM), and take the lead in protecting information assets. Sony could achieve this goal by staying ahead of the ‘bad guys’ and ceasing to play catch-up.


Tuesday, October 4, 2011

Mobile Security: Your #1 Threat


New Trojan Targets Androids, But Experts Warn of Other Risks


What seemed like a happy marriage between Google and Android may be under attack by an outside force driven by “a new Trojan aimed at hijacking banking credentials from users of Google’s Android mobile device.” For example, the SpyEye Trojan known as SpitMo lured users to phony apps. After the apps are successfully installed, users’ bank account information is stolen, and then financial transactions are directed by text messages. The world of mobile security has witnessed some assaults lately from all sides. According to Google officials, device-specific information of its Android users was hacked in March of this year. The attackers were able to publish numerous malicious apps on Google’s Android Market, causing users some major concerns. Google downplayed it by saying that the company took steps to protect those users who downloaded malicious applications and to prevent attackers from accessing other data.

Then, in September, the hackers hit Android users again. This time Google blamed it on open-source apps. More specifically, it claimed that users’ browsing and texting behavior (social engineering) led to the mobile security compromise. Granted, the hackers may have relied on social engineering as their vehicle of operation, but are the users’ subscription and app-download fees not supposed to be used to create and build robust protection to shield users against such attacks? Google says “it supports its open-source environment.” Of course it would, because open source drives the Android Market. It was indeed a wise move on Google’s part not to comment on the September attack except to provide some general measures it has taken to protect the integrity of its mobile software, platform and apps. Technically, Google is protecting its image.

Some experts say that giving consumers who lack disciplined mobile-use behavior so much control should be “the industry’s biggest worry, not the proliferation of malicious apps.” But shouldn’t consumer control be the essence and joy of owning the device in the first place?





Thursday, September 29, 2011

The Worst Security Hack Ever




Breach Extends Beyond the Victimized Company


Hackers at their best yet! They stole the private key of a trusted digital certificate issuer to fool internet website visitors.

“The Worst Security Hack Ever” sent some chills down my spine simply because it spanned beyond the usual territory of the victim’s environment. Now the long arm of the breach’s effect, like an octopus, is threatening the very trust of the e-world. The far-reaching impact of the hackers’ success is that the foundation of INFOSEC – confidentiality, integrity and availability – is being shaken to its roots. That the hackers could break into DigiNotar’s computers is nothing novel, but the sophistication of the hackers’ operation and the carefully selected extended victims (the CIA, British and Israeli intelligence services, Google, Microsoft, Facebook, Twitter, WordPress, and Equifax), according to a preliminary audit, make it scary.

The question that remains is whether the perpetrators will ever be brought to justice. And how long will it take, and at what cost, to deter another disaster of DigiNotar’s magnitude? Especially disheartening at this juncture is that other hackers have been emboldened by the success of the DigiNotar attackers. The hackers have gained global publicity by bringing DigiNotar to its knees. So, what and who is next?


Monday, September 19, 2011

US agencies making progress on cybercrime, officials say


But criminals continue to target U.S. businesses, with the FBI currently investigating 400 wire transfer cases!

The rise in cybercrime and the level of sophistication of the crimes have caught the attention of the U.S. Secret Service, the FBI, the Department of Homeland Security, and Congress due to the high volume of cases being investigated by the FBI. The cases come mainly from the financial industry. Topping the list are payment processing breaches, ATM skimming, stock trading, and mobile banking attacks. Despite the fact that the FBI has made combating cybercrime one of its top priorities over the past decade, cyber attacks continue to be a major threat globally. For example, as much as $388 billion has been lost in time and money in a period of one year, compared to about $288 billion lost in heroin and cocaine trading combined. It makes one wonder what the cost would have been if all the government agencies were not as committed to fighting the war against cybercriminals. Also, with rising global internet usage and the ease of sharing information, is the amount of resource capital – human and monetary – sustainable? It seems that the more the government agencies improve information sharing amongst themselves, the more aggressive the attackers get.

http://www.networkworld.com/news/2011/091411-us-agencies-making-progress-on-250908.html?source=nww_rss

Thursday, September 15, 2011

Pentagon unveils five steps for better cybersecurity


In the fast and dynamic internet age, the only way to maintain a safe and secure information environment is by staying ahead of the bad guys. The United States Department of Defense (DoD) – the Pentagon – is working overtime to ensure that the information-age rogues will always be playing catch-up. The DoD is working a tough balancing act, since it must guard U.S. interests on the land, sea, air, and space fronts. While attempting to defend cyberspace, the DoD has to avoid being perceived as militarizing cyberspace and violating citizens’ basic freedoms, according to the department’s Deputy Secretary. But for how long can this balancing act be played with 100% success? One virtue that the bad guys always possess is the gift of patience.

http://www.networkworld.com/news/2011/071511-pentagon-unveils-five-steps-for.html?page=1