New Targets for Online Criminals

For Small to Medium sized Business (SMB) owners, recent economic turmoil has challenged their very existence.  As if that were not enough, a new threat is emerging on the horizon which may prove to be the final bell for some SMBs.  It is cybercrime, and it stands as a tsunami, ready to wash unprepared SMBs clean off the map.

Hackers and computer criminals have been turning away from the complex, difficult-to-evade detection systems of very large corporations.  These large companies have spent significant portions of their revenue streams on security and pose too hard and risky a target when other low-hanging fruit lies under-protected in the vulnerable and plentiful SMB sector.  The overall effect for business owners may be bankruptcy, and the ramifications could cause further harm to struggling local economies.  Action must be taken in order to ensure financial security for small business owners.

Hotels Are Hackers’ Playgrounds

Well, it’s a scary new trend for all the globe-trotting, business trip making, road warriors out there.  A study released this year by Trustwave coalition found that 38% of credit card hacking cases last year involved the hotel industry.  The hospitality sector was well ahead of the financial services industry (19%), retail (14.2%), and restaurants and bars (13%).

Why hotels?  Hackers hit hotels because that is where the richest vein of personal credit card data is, and they know that you are on the road when the incident strikes.  Hotels are notorious for inadequate data security, often offering free or low cost Internet connectivity and making the process of connecting to it as unencumbered (and by nature, insecure) as possible.

Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to properly store or transmit data.  The sophistication of computer and communications systems can vary widely from one hotel to the next, even within the same corporate chain.  The same is true of point-of-sale credit card swiping systems.  The Trustwave report says that “organizations large and small were found to be moving forward with plans to implement new technology, while leaving basic security threats overlooked.”

As the hotel industry hit tough economic times and hotel owners cut spending, security upgrades often lagged in priority.  Proper IT security requires software, hardware, firewalls and encryption programs, but also budgeting for staff training as well as constant monitoring of transactions and data access.  If you can’t keep up, you will most certainly fall behind.  The full extent of credit card fraud by those who breach hotel systems is unknown.  Anecdotally, data breaches in this sector occur with disturbing regularity.

  • Today it was reported that 17,000 guests at the Emily Morgan Hotel had their credit-card numbers stolen and used in a 3-state shopping spree.  5 people were arrested in the largest identity-theft case ever in San Antonio history.  The suspects stole stacks of credit-card receipts from a storage room at the hotel to make counterfeit credit cards.
  • Last month, Destination Hotels and Resorts, a chain of luxury properties in the US, notified customers that credit cards “may have been compromised.”  ABC News reported that Destination was the victim of “an intense database attack that lasted over three months,” and that losses, which totaled hundreds of thousands of dollars, averaged $2,000 to $3,000 on each of the estimated 700 credit card numbers stolen.
  • Wyndham Hotels recently sent customers a statement saying that a “sophisticated hacker had penetrated our computer system” at as many as 31 hotels from Nov. 7, 2009, to Jan. 23. Wyndham said it was improving its security technology.

These are just the most recent and memorable items that come to mind.  It often takes months for these attacks to be discovered by customers who may be on the road frequently and not monitoring card activity reports carefully, or by the hotels themselves.  Hackers often make multiple small charges to validate a card, probe its limits and test the vigilance of a cardholder before making bigger purchases.

So, what do you do to protect yourself?

  • Use a hardware firewall.  Don’t laugh!  I travel with one.  It takes up less space than a mouse, and I _know_ many people can’t stand the laptop’s little finger mouse.  These things are so simple to set up, and they come with a bloody Quick Start Guide on a 6×8 card.
  • Install and use a software firewall.  Too inconvenient for you?  Suck it up, buttercup.  Take the time to learn how to use it, or spend the time fixing your credit report.
  • Install and update your Anti-Virus software.  You have heard it before, you will hear it again.
  • Use an A/V software enhancer, like ThreatFire, or other product.  It takes Anti-Virus to the next level, not relying on signatures, but watching for unapproved software, configuration changes and unusual behavior.
  • Set up a set of credit cards that you use just for travelling.  Set the credit limit low, and monitor it closely.
  • I don’t use credit cards at all, but that causes major inconveniences.  If my job changes to require me to travel more, I will opt for a reduced limit credit card, or one that requires a phone call to my cellphone with a challenge and response phrase of my choosing.

Security is generally about trading in some measure of convenience for some degree of safety.

CreditCards.com

SMB Security On A Shoestring

I came across a fabulous article on “Dark Reading” yesterday.  I share it here as it has useful recommendations for handling the challenges that small to medium sized businesses are facing, or will be facing very soon regarding online presence and security.

It speaks about how an innocuous email led to the compromise of an employee’s PC, and then the aftermath of what came to follow.  If you own a small business and engage in any type of e-commerce, or allow yourself or your employees to have access to email and/or the Internet, then pay attention.  This one’s for you.

DarkReading

ATM Security Talk Cancelled, Arrest Threatened

A talk on cash machine security, scheduled for the security conference Hack In The Box, has been cancelled under threat of arrests.  Italian security expert Raoul Chiesa, who works for various organisations including the European Network and Information Security Agency (ENISA) and the United Nations Interregional Crime and Justice Research Institute (UNICRI), had been planning to deliver a talk entitled “The Underground Economy”, showing how criminals are able to cash in by exploiting security vulnerabilities in ATMs.

H-online

17,000 San Antonio Hotel Guests CC Compromised

17,000 guests at the Emily Morgan Hotel in San Antonio had their credit-card numbers stolen and used in a 3-state shopping spree to buy farm and ranch equipment, tires, machinery, all-terrain vehicles and other goods.  Prosecutors unsealed indictments Thursday against 5 people in the largest identity-theft case ever in San Antonio history.

The suspects stole stacks of credit-card receipts from a storage room at the hotel to make counterfeit credit cards.  Some of the victims — mostly tourists — didn’t realize their information was compromised until months or even years later.

The indictments charge Ruben “Hollywood” Costello; his wife, Elena Ramirez Fraga; Cody Quincy Jones; Randy Ray Flaharty; and Samuel Micha Dyer with conspiracy to commit identity theft fraud.

MySAnews

SMB Beware: ACH & Corporate Account Take-over Dangers Increase

Corporate Account Take-over – Is a legislative remedy needed to protect banks and businesses from online fraud?

We can’t stop Automated Clearing House (ACH) fraud, but we can stop commercial victims from being stuck with the losses from ACH fraud.  The American Bankers Association (ABA) and security services vendors offer diametrically opposed perspectives on this issue of how to prevent corporate account takeover attacks.

The ABA is currently lobbying for more protections for small business, pointing to the PlainsCapital-Hillary Machinery case, which revolved around the definition of “reasonable security”.   The ABA says banking institutions won’t provide commercial customers with more protection unless they’re forced to do so.   Current regulations protect only consumers – not small to medium-sized businesses.  It just sounds so implausible that banks would allow this to happen to their commercial customers.

The Electronic Funds Transfer (EFT) Act, also known as Regulation E, was implemented in the United States in 1978 to establish the rights and liabilities of consumers as well as the responsibilities of all participants in EFT activities.  Security vendors believe that amending “Reg-E” is a bad idea – one that would pit banks against their commercial customers.  Changes on the retail side of Reg-E would completely absolve a retailer from any responsibility, and you can see from a community banking standpoint how that might be ineffective.  When you place Reg-E protections in the business account environment, you potentially upset the business model, creating disincentives for the banks to provide basic products for commercial customers that they have come to expect.

Most vendors advocate stronger protections against database breaches coming from a more collaborative approach that takes banking and business interests into consideration.  They believe that community banks have the ability to protect customers, just like other larger banks do.  The biggest risk with corporate account takeover is the damage it does to the financial institutions and their customers.  At the end of the day, it’s all about shared responsibility to protect accounts.

Beware Vulnerable Cisco WAP Configurations

Users of a popular Cisco Systems wireless access point may be setting themselves up for trouble if they leave a WPA wireless migration feature enabled, according to Core Security Technologies.

Cisco’s Aironet 1200 Series Access Point, which is used to power centrally managed wireless LANs, can be set to a WPA (Wi-Fi Protected Access) migration mode.   This mode provides wireless access for devices that use either the insecure WEP (Wired Equivalent Privacy) protocol or the more secure WPA standard, giving companies a way to gradually move from WEP to WPA without immediately buying all-new, WPA-capable equipment. 

While auditing the network of a customer who used the product, Core researchers discovered that even networks that had stopped using WEP devices could still be vulnerable, so long as the Aironet’s migration mode was still enabled.  Researchers were able to force the access point to issue WEP broadcast packets, which they then used to crack the encryption key and gain access to the network.

If you use the Aironet 1200 and similar devices on your network, best be checking and tightening up those configs!
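A configuration check for the setting described above, as an added example that is not from Core Security, Cisco or the original post. It assumes an autonomous Aironet running-config in which migration mode shows up as `authentication key-management wpa optional` on the SSID together with a radio cipher line that mixes TKIP and WEP; the sample config and SSID names are constructed.

```python
import re

# Constructed running-config excerpt; SSID names are made up for this example.
SAMPLE_CONFIG = """\
dot11 ssid CORP-LEGACY
   authentication open
   authentication key-management wpa optional
!
dot11 ssid CORP-WPA
   authentication key-management wpa
!
interface Dot11Radio0
 encryption mode ciphers tkip wep128
 ssid CORP-LEGACY
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid CORP-WPA
"""

def parse_blocks(config):
    """Group indented lines under the top-level line that precedes them."""
    blocks, header = {}, None
    for line in config.splitlines():
        if line[:1].isspace() and header:
            blocks[header].append(line.strip())
        else:  # top-level command; "!" separators become empty blocks
            header = line.strip()
            blocks[header] = []
    return blocks

def find_migration_mode(config):
    """Return (radio, ssid) pairs that still admit WEP clients alongside WPA."""
    blocks = parse_blocks(config)
    # Assumed markers: "wpa optional" on the SSID plus a TKIP+WEP cipher line.
    optional = {h.split()[-1] for h, body in blocks.items()
                if h.startswith("dot11 ssid ")
                and "authentication key-management wpa optional" in body}
    findings = []
    for header, body in blocks.items():
        if header.startswith("interface Dot11Radio"):
            mixed = any(re.search(r"mode ciphers .*\btkip\b.*\bwep(40|128)\b", l)
                        for l in body)
            ssids = [l.split()[1] for l in body if l.startswith("ssid ")]
            findings += [(header.split()[1], s) for s in ssids if mixed and s in optional]
    return findings

if __name__ == "__main__":
    print(find_migration_mode(SAMPLE_CONFIG))
```

An SSID that is flagged here should be moved to mandatory WPA with a TKIP-only or AES cipher once the last WEP client is retired.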

NetWorkWorld

Visa Revokes PCI Approval From PIN Pads After Breach

In a move that seems to reflect a very different PCI approach coming from the world’s largest card brand, Visa has ripped the PCI approval from two Ingenico PIN entry devices (PEDs) after a data breach.  What makes this move especially interesting is how it undercuts two strongly held Visa positions, in terms of publishing the names of vendors whose products are engaged in PCI issues and in its position that no PCI-compliant retailer has ever been breached.

Behind all of this commotion is an increasing number of physical attacks against PEDs.

StoreFrontBackTalk

Stealing $10 Million, 20¢ At A Time

The US Federal Trade Commission (FTC) has stopped a $10 million international scam that was siphoning off tiny amounts of cash from more than 1 million credit and debit card holders.

The elaborate scheme allegedly used identity theft to place more than $10 million in fraudulent charges against consumers’ cards.  Consumers were hit with one-time charges of between 20¢ and $10, and the payments were routed through fake companies in the US to Eastern European and Central Asian bank accounts.  The operation used an expansive network of money mules to move the money overseas.

Named as defendants are the 16 fake companies and one or more persons who are unknown to the agency at this time.  They are charged with making unauthorized charges to consumers’ credit cards in violation of Section 5 of the FTC Act.  The court ordered the defendants’ assets be frozen and for the organizations to stop operating, pending a final hearing.

They used phony company names resembling real companies, and US identity theft information to open more than 100 merchant accounts that process charges to consumers’ credit and debit card accounts.  They may have run credit checks on the identity theft victims first, to ensure they were creditworthy.  The accused scammers also provided each fake merchant with a virtual office address, a phone number, a home phone number for the “owner,” a web site pretending to sell products, a toll-free number consumers could call, and a real company’s tax number found on the Internet.

Most consumers either didn’t notice the charges on their bills, or didn’t seek chargebacks because of the small amounts.  Consumers who called the toll-free numbers that appeared on their bills either found them disconnected or heard recordings instructing them to leave a message.
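A statement check for the small one-time charges described above, and for the test-then-escalate pattern from the hotel post, added here as an example that is not part of the original posts. The statement rows and merchant names are constructed; the $10 ceiling follows the FTC figures, while the 14-day window and $500 threshold are assumptions.

```python
from datetime import date

# Constructed statement rows: (posting date, merchant descriptor, amount in USD).
STATEMENT = [
    (date(2010, 5, 3), "GROCERY STORE 12", 84.17),
    (date(2010, 5, 9), "UNFAMILIAR CO A", 0.20),
    (date(2010, 5, 10), "FUEL STATION 7", 41.00),
    (date(2010, 5, 11), "UNFAMILIAR CO B", 9.95),
    (date(2010, 5, 14), "GROCERY STORE 12", 62.40),
    (date(2010, 5, 15), "UNFAMILIAR CO C", 1850.00),
]
KNOWN = {"GROCERY STORE 12", "FUEL STATION 7"}  # merchants the cardholder recognises

def probe_charges(rows, known, ceiling=10.00):
    """One-time charges at or under `ceiling` from merchants not in `known`."""
    seen = {}
    for _, merchant, _ in rows:
        seen[merchant] = seen.get(merchant, 0) + 1
    return [r for r in rows
            if r[2] <= ceiling and r[1] not in known and seen[r[1]] == 1]

def escalations(rows, known, window_days=14, large=500.00):
    """Large charges at unknown merchants within `window_days` after a probe."""
    probes = probe_charges(rows, known)
    return [r for r in rows
            if r[2] >= large and r[1] not in known
            and any(0 <= (r[0] - p[0]).days <= window_days for p in probes)]

if __name__ == "__main__":
    for when, merchant, amount in probe_charges(STATEMENT, KNOWN):
        print(f"{when} possible test charge: {merchant} ${amount:.2f}")
    for when, merchant, amount in escalations(STATEMENT, KNOWN):
        print(f"{when} large charge after test charges: {merchant} ${amount:.2f}")
```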

At least 14 “money mules” were duped into responding to spam email pretending to seek a US finance manager for an international financial services company.  They were paid to form 16 dummy corporations, open bank accounts to receive the card payments, then transfer the money overseas.  They used debit cards linked to these bank accounts to set up telephone service, virtual addresses and web sites that helped deceive the card processors.    Payments were sent to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus, and Kyrgyzstan.  Most times, the money mules don’t realize they are part of a money laundering ring until their bank or law enforcement agencies contact them.  They are typically recruited, given some cover story, receive money transfers, take the money out and wire it internationally to a money drop, and the money then goes to the real criminals.

GarWarnerBlog

Adobe Alternatives

Adobe Reader is being actively attacked, and I currently recommend that if you CAN use an alternative program, DO.  At least until it is properly patched against this threat. 

  • Google Chrome is very close to having its own self contained reader.  gPDF is a Firefox plug-in that intercepts calls to open a .pdf and uses Google viewer so that the .pdf is not executing on your system. 
  • One suggestion for an Internet Explorer plug-in is Brava Reader.  Brava is a free tool that originated as a CAD/CAM drawing file viewer.  It now views and prints TIFF, PDF, XPS & CSF files.
  • FoxIT is a great reader, also offering integration with IE, but it wants to install a toolbar and eBay icon.  You can install it using a sandbox program or select not to install the cruft, or you can even request a version without ads by email.
  • Another suggestion is Evince.  It is a huge download and requires a lot of system access to install.  It demands system shutdown and debug privilege.  

I have settled on and installed one of these reader programs.  Until Adobe gets their act together and can deliver this patch and demonstrate that they are not going to allow themselves to be the target delivery vehicle of choice among hackers by eliminating some of the useless bloat in their code that enables this kind of behavior, and shows a record of delivering secure code, I’m happy to run another viewer.  This alternate viewer stands the same tests.  I will abandon any software (including my Operating System) if it is found to be conclusively and repeatedly insecure and the vendor slow or poor to react to security challenges.