Saturday, October 29, 2011

$9 Million ID Theft Scheme Alleged


Duo Charged in Retail Scam that Spans 15 Years



For 15 years, a pair of identity theft fraudsters swindled $9 million from 8,000 victims undetected. The arrests of the duo in Atlanta and Roswell, GA uncovered more than the authorities had bargained for. The collaboration between the U.S. Secret Service and the local Cherokee County Sheriff’s Office Criminal Intelligence Unit made it possible. These successful large-scale arrests demonstrate how due diligence and collaboration in the pursuit of perpetrators are key to solving information security or financial fraud crimes. While the Georgia case spans so many years, another major case, called the “biggest identity theft takedown” by the U.S. District Attorney’s Office in Queens, NY, spans the globe. The NY case uncovered a 16-month crime period costing over $13 million across Asia, Africa, Europe, and the Middle East.

As indicated by McAfee’s Robert Siciliano, information shared between financial institutions and retailers enhances monitoring capabilities and creates more understanding for merchants on how to mitigate financial losses. Shared responsibility among all communities of interest, not just technological surveillance, will always be the greatest weapon against cybercrime, financial fraud, identity theft, information security threats, etc.

For more success in the future, Julie Ferguson, a board member of the Identity Theft Resource Center and co-founder of the Merchant Risk Council, buttressed the point by encouraging consumers to do a better job of reporting incidents of identity theft. Moreover, the close timing of the two cases in NY and GA can be attributed to the roles played by people, not necessarily technology. Just as people are the greatest threat to information security and electronic-related crimes, people are also the greatest asset needed for mitigating and solving identity theft, financial fraud, cybercrime, and information security threats.

Wednesday, October 19, 2011

Mobile: Combating Malicious Apps

ENISA Says Vendors are Key to Smartphone Security

It is quite comforting to know, according to Giles Hogben of the European Network and Information Security Agency (ENISA), that when comparing browsing risks, mobile security is still in much better shape than other areas of cyber security. For example, the number of malware threats is around 1,000 times lower than on PCs, he wrote. Nevertheless, Hogben also made it clear that, despite the lower risk level, increased smartphone usage will cause a rise in emerging mobile malware threats.

Hogben’s main concerns focused on the lack of encryption of smartphone data, and on “loseability,” a term he coined for the ease with which consumers lose their phones. Areas he discussed included “challenges of detecting and blocking malicious apps on mobile devices; conflicts between mobile OS and HTML permissions in mobile browsing; and what the market can expect if HTML 5 becomes the standard.” Public APIs, for example, expose the image gallery, the accelerometer and the address book. Accelerometer data can be used to grab people’s passwords simply by observing the way the phone wiggles as different soft keys are pressed. Sloppy coding, besides malware, also leads to data vulnerabilities.

Furthermore, fingerprinting is another area of concern that must be addressed when considering mobile browsing risks. Users were fingerprinted by the particular kind of headers their browsers transmitted, identified by looking at the headers coming from the browsers.

With such exposures and the various risks associated with smartphones, Hogben concluded that vendors are the main key to smartphone security. But the question remains: who bears the legal liability for that responsibility? Is it the vendor or the consumer?
http://www.bankinfosecurity.com/articles.php?art_id=4140&opg=1

Thursday, October 13, 2011

Sony Discloses Attempts to Access Customer Accounts

Mikeknsah: Information Security News Update!


93,000 Accounts May Have Been Exposed


Sony’s CISO alerted customers and the rest of the world that some 93,000 of its network accounts had been accessed by unauthorized intruders. The number translates to less than one-tenth of one percent of Sony’s ID-and-password authenticated accounts. Upon detecting the breach, Sony decided to lock down the accounts and notify affected customers to reset their login information with hard-to-guess passwords.

To put the minds of affected customers at rest, Sony assured them that credit cards associated with those accounts were not at risk. However, the statement following the ‘assurance’ said that they “will work with any users whom we confirm have unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.” Then the question remains: why would Sony put the ‘cart before the horse’? How could Sony claim that no credit card associated with users’ accounts was affected, and in the same breath say it will investigate to confirm any unauthorized purchases? Would it not have been better to investigate for fraudulent purchases first before asserting that no credit card accounts were at risk?

This disclosure about attempts to access customer accounts has, once again, put Sony’s networks and the company’s vulnerabilities in the global spotlight. Given Sony’s size and industry, it would serve the company better to make the aggressive pursuit of, and investment in, more robust attack prevention tools its number one goal. Such tools should also be integrated with information security models (SSE-CMM) and lead in protecting information assets. Sony could succeed in achieving this goal by staying ahead of the ‘bad guys’ and no longer playing catch-up.


Tuesday, October 4, 2011

Mobile Security: Your #1 Threat

Mikeknsah: Information Security News Update!

New Trojan Targets Androids, But Experts Warn of Other Risks


What seemed like a happy marriage between Google and Android may be under attack by an outside force driven by “a new Trojan aimed at hijacking banking credentials from users of Google’s Android mobile device.” For example, the SpyEye Trojan known as SpitMo lured users to phony apps. After the apps are installed, users’ bank account information is stolen, and financial transactions are then directed by text messages. The world of mobile security has witnessed assaults lately from all sides. According to Google officials, device-specific information of its Android users was hacked in March of this year. The attackers were able to publish numerous malicious apps on Google’s Android Market, causing users some major concerns. Google downplayed it by saying that the company took steps to protect those users who downloaded the malicious applications, to prevent attackers from accessing other data.

Then, in September, the hackers hit Android users again. This time Google blamed it on open-source apps. More specifically, it claimed that users’ browsing and texting behavior (social engineering) led to the mobile security compromise. Granted, the hackers may have relied on social engineering as their vehicle of operation, but are users’ subscription and app download fees not supposed to be used to build robust protection that shields users against such attacks? Google says “it supports its open-source environment.” Of course it would, because open source drives the Android Market. It was indeed a wise move on Google’s part not to comment on the September attack beyond providing some general measures it has taken to protect the integrity of its mobile software, platform and apps. Technically, Google is protecting its image.

Some experts say that giving consumers who lack disciplined mobile-use behavior so much control should be “the industry’s biggest worry, not the proliferation of malicious apps.” But shouldn’t consumers’ control be the essence and joy of owning the device in the first place?