ID-theft

Benjamin Wright posted a comment about TJX case been an over reaction. He has also posted on this on his own blog.

First things first: let me welcome you to the blogosphere! Taking your expertise as a laywer, I probably should just shut up and not start to argue, but then again, what is the point of a discussion if we cannot share our opinions?

To you comment, I do not agree that there has been an over reaction. I think this depends on your point of view. If you consider only the known theft of money, you might be right.

However, if you consider the theft of privacy, the costs related to renewing CCs and the potential threat to the CC holder, I think the reactions so far has been anything but over reaction. I also think it is necessary to consider the time frame of the attack - this went on for quite a while, and I think it is important to consider that this was an important "wake-up" call to many shops.

You say that the Credit card issuers over reacted. I disagree. Their alternatives where:

• say nothing (and wait for the press to find out...ticking, expensive bomb)
• say "your credit card info is just lost, but hey, who cares? It is way too expensive to issue a new card" (and wait for customer to yell, call the press and cancel their cards manually; adding potential expensive law suits to the cost)
• do as they did - cancel all cards, issue new ones. High initial cost, but low cost & risk in the long run. Just imagine the cost of loosing the trust of the credit card user...

The TJX case, one of the largest ID- and CC-theft cases so far, has finally gone to court.

The Feds rolled up a large, international circle of criminals who are charged for hacking their way to access a wide array of personal data. According to Attorney General Michael Mukasey, this is the single largest and most complex identity theft case that's ever been charged in the US.

Companies that got hacked include major brands like the OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ's Wholesale Club and TJX Companies.

"They used sophisticated computer hacking techniques that would allow them to breach security systems and then install computer programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," Mukasey said. "They caused widespread losses by banks, retailers and customers."

The TJX Senior Vice President Sherry Lang ensures that TJX has gone a long way in order to assist the investigation:

"With our customers always being our primary focus, TJX has gone to great lengths to secure its customers' data," Lang said. "However, broader action beyond retailers alone is required to protect consumer data. Banks and the U.S. payment card industry must join retailers and work together, including installing the proven card security measures in the U.S. that are already in use throughout much of the rest of the world."

I like Lang's request - there is no doubt in my mind that the more we integrate and consolidate technology, solutions and tools - into what we consider efficient communication - the easier it is to exploit those tools. Remember - a few years back, you had to hack into each shop. A little later, you could reach the HQ, as the shops started to interconnect. Today, you can reach almost anything, anywhere - just using your brains and a computer.

Compliance is one thing that may help, better understanding of the technology and it's potential is equally important. From a business point of view, I think it is very important to consider the upside of adopting new (young) technology against the potential damage the new technology may inflict.

I am looking forward to following this case!

Other TJX related information

• TJX – you have done a great job!

• TJX gives CC advice to their customers!!!

• TJX update and "How it was done"
  

• TJX economics - the price it is easy to calculate
  

• TJX - the Wall Street Journal article
  

• All posts tagged: TJX

Chris Pirillo made an update regarding his loosing US$450,- from his PayPal account.

The post of his includes some tips (known to most of us, but no harm in repeating) on how to stay (more) secure when it comes to PayPal and online shopping:

(cut'n'pasted from Chris' post)

1. The first thing, it all starts with a clean computer system. A computer system with viruses or keyloggers may be the cause unauthorized people to be inside of your PayPal account. Use security programs on your computer.
2. Make sure the site you are in is the verified PayPal site, and not a Phishing site. You can check this out by checking the domain name in the browsers url bar. You should see PayPal’s actual site address, and not something else.
3. Don’t keep large amounts of money in your PayPal account, because people can easily send your money to other accounts in a blink of an eye if they gain access to it. Instead of keeping it on PayPal, keep it inside your bank account.
4. Check your Paypal history on a daily basis. This way, you can stop money from being transfered if you see it happening when and where it shouldn’t be.
5. This may be common sense, but use a strong password! Use a mixture of lowercase, uppercase, symbols, and numbers. Make it harder for a hacker to guess to begin with! Reading this post by Chris may help.
6. When you’re buying something with PayPal, be sure to check that the site you are on is secure. Do this by checking the url bar. The site should contain “HTTPS”. This will help you determine if the site is fraudulent or not. You can also do research on Google about certain sellers that you may not be sure of.
7. Shop with well-known companies who have established a good reputation.

He explains the case here:



Do You Have a Problem with PayPal?

It seems PayPal makes it's own rules whether or not to accept that a customer has experienced unauthorized payments from his or her account. Not a good policy, IMO.

Take this story from Chris Pirillo.
A summary: someone was able to retrieve his iTunes password thanks to lax password retrieval security over at Apple. (Apple have now resolved the issue, according to the story). Using Chris' account, the fraudster was able to deduct US$450 from Chris' PayPal account - cash spent on iTunes Gift Cards.

With this background, and the backing by Apple, you would think Chris would get his funds back, right?

Wrong!

As it turns out, PayPal deems the deduction was


and decides that they will NOT return the funds stolen.

What should PayPal do? Should they turn around?
Perhaps it is time to use the Marketing Power, and stop using PayPal until they reach a better vetted stand?

And - is this the first time PayPal does this, or is Chris' case the last in a long row?

Can we trust a banking service that does not care for it's customers?

Do you think PayPal is taking the side of the fraudsters in this case?

In the previous part, we saw how you could use Facebook to collect e-mail addresses by offering something of perceived value to your victims. And you built a list of minimum 10 000 e-mails with only 5 minutes work.

This is part two of the How-to about collecting information of potential victims from sites like Facebook. This part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – I tell you how you can build a full profile of your victim!

Warning: This work is tedious, and requires attention to detail and long-term persistency.

BONUS: Build a complete victims profile, not only e-mails and names!

1. Make people add themselves to your group

Now, go to your group setting page on the Facebook Group you added in Part 1 of this How-to. Make sure that you set it up to Group Type: Open group. This will ensure that everybody can join the group, and then invite their friends to do the same.

 

Why do you want this? Simply by making your victims advertising the great offer you give, so more people will show up and give you their e-mails.

2. Start investigating your group members

This is easy. Just browse the list of members. When you see something pretty (as in potentially easily exploitable), take a look at the profile. If the profile is not available, take a look at their friends. Most people think that showing off their friends cannot give away anything about themselves, so it is safe. You know better, right? You will, read on!

 

Here we have a list of friends of a potential victim. We can see that this person is either very popular (618 friends), or is playing a game like yours – collecting!

Note the location of the friends, usually you will see that they tend to gather in one or only a few geographical areas. Also note the profile pictures, pictures can tell you a lot about the person. Look at dress code, location, styling and other clues as to who this person is.

3. Invite and collect

If you decide that you like the person (or you decide that he/she is a nice victim), you may invite him/her to be your friend. Say something like “Hi, I am the group manager of…I’d like to add you as a friend…” Most will say yes. Particularly if you hint that she/he is very close to get the prize, and you only need to confirm some info…Be creative!

Now you have full access to all the stuff this person shares with friends.

4. Harvest info

With full access, start to add to your database the following data:

• interests
• books read / enjoyed
• favourite quotes
• marriage status, birthday, age
• friends, and particularly those who communicate using Wall and similar applications

If you follow your victim for some time, you will start notice that you can start to know this person very well – only by viewing the information posted on the profile.

5. Use the info

You still in there, are you?

Why would you want this kind of information about someone you do not know?

These are some of the reasons we know others use when they do this kind of exercise:

• Looking for “easy” offers for sex or violence. Just read the newspapers.
• Finding out when you leave your home (vacation, work hours), and pay you a visit when you are not there. This is not a house calling, but a house clearing.
• Selling the information (spammers, criminals)
• ID-theft – the more I know, the easier it is to learn more about you
• Intelligence – companies, criminals and countries collect information that might be useful in the future
• Research (my excuse) – see how much you can learn without warning the victim

One example, found on the Register today, is lax control in banks and financial institutions:

“Merchant Securities Group Limited also failed to verify the identities of customers that contacted the firm by telephone. Instead, the firm relied on being able to recognise customers' voices and talking with them informally about personal matters such as holidays or hobbies. Personal account numbers which could be used with a customer's name to access account information were included in routine letters.”

See where I am getting? The more I know, the more I get. Now I got your money too!

Warning: Keep in mind that in some countries, what you are doing may be considered illegal.

Note: You do know what YOU share on your profile, right?

Facebook (and a number of other platforms in the Social Networking revolution) enables great minds to do great things. Many of us uses these services on a regular basis (daily, hourly, or even every moment of the waking hours). 

I for one is a huge fan of networking, and using networking sites enables me to communicate and stay in touch with old and new contacts easily. On the other hand, I recognize the security challenges - namely the ID-theft and the social engineering (SE) possibilities that is enabled through such services. 

One of the messages I try to convey in speeches and trainings is the threat that Facebook Apps may be. Granting an application access to your profile, automatically enables that application to harvest a huge amount of data about you and your friends. Now, most applications are "for real" - thus doing only the thing it claims to do. Still, imagine a business manager sitting on 10s of thousands of users and their data, in need for money. It would be extremely easy to use the data already harvested,  as well as rewrite the application to be more aggressive in it's harvesting. 

The other scenario is malicious apps appearing cool and fun and a "must have". These apps would offer you a service (chocolate) as a killer app - something you just have to have. And you would invite all your friends to use it too. By offering the coolest, it will become popular, and thus the road is open to harvest and use information. Information that you normally only would share with friends only.   

---

In enters the Social Engineer. Uses the information about you, collates it with other info shared on other sites, creating a complete profile of you, your interests, your family, friends, co-workers, neighbors and so forth. 

Perhaps one day he bumps in to you at the local mall. Or calls you because "someone said that you could be interested in ..." 

Having a complete profile of you, he (she) would know all the answers, and thrill you into doing anything. Given enough time, and a valuable target, there are no limits to what can be achieved. 

---

Given this outlook - perhaps it is best to continue as before - in ignorance. Hoping that "it will never happen to me".  

---

I gotta run.

Just got this incredible, almost unbelievable, opportunity! This complete stranger called me out of nowhere!

See you in a bit!  

---

Ka-zing. 

---

(Thanks to Liquidmatrix / Dave Lewis. And man, do I love that cartoon!)

Many website owners and companies do not spend enough time considering security. Things is slowly getting better, but not in the speed required to counter fraud and identity theft.

Gnucitizen made a clear post regarding how password recovery works (warning - it gets quite technical towards the end). It is a great explanation of the 4 different automatic password recovery/resetting methods, including pros and cons. The second part of the post also gives the interested a step-by-step description of how to automate the testing process.

If you still do not get the message - consider this:

You are able to automate testing in order to counter hackers. It is easy, and takes very little knowledge and effort, thus it is not very expensive. You may or may not choose to do it. One thing is certain, though - hackers and ID-thieves allready do this. As they have done for years. 

Your choice is simple: either test and alter your code as required, or wait until you are loosing data. Not a hard choice, is it?