Interim Market Report - July 2010

Barclay Simpson Market Report 2010

Midway through 2010 the recovery in the corporate governance recruitment market that was evident at the start of the year is now firmly established. As recruitment consultants we have been genuinely surprised at the strength of the recovery. The recovery is focused on the financial sector and is a result of both renewed growth in the sector and greater regulatory oversight. Investment in corporate governance has clearly become a priority.

Infosecurityadviser.com highlights need for central e-crime body

This just entered my inbox:

London, UK, 16th October 2008: Research carried out by Infosecurity Europe has shown that 95 per cent of people would prefer to report online fraud directly to a dedicated e-crime agency, rather than having to go through APACS and/or the financial services firm with whom the fraud took place.

The research by the Infosecurity Europe show - which took in online responses from 359 visitors to the site - follows on from a debate in the House of Lords on e-crime and IT security issues.

In that debate, their Lordships noted it was anomalous for UK banks not to be obliged - in law - to refund account holders who have been electronically defrauded.

Lord Broers, the Chairman of the House of Lords Committee on Science and Technology, said that the current situation is that account holders are only being refunded under a voluntary code, noting that in today's environment, this is scarcely appropriate.

In addition, Lord Broers said, whilst customers currently report their e-frauds to the banks, it is not in the banks' interests to draw attention to the fact that their anti-fraud systems have failed.

Against this backdrop, their Lordships concluded there is a need for specific legislation - similar to the Bills of Exchange Act 1882 - which specified that if a bank honoured a forged cheque, the bank, not the customer upon whose account the cheque had been drawn, was liable.

Commenting on the results of the security debate and the Infosecurityadviser.com research, the Earl of Erroll, a cross-bench member of the House of Lords, said that he was not surprised that 95 per cent of people would like to be able to report online fraud directly to a dedicated body.

"I think that people instinctively realise that you cannot expect people or organisations to report their own shortcomings reliably," he said, adding that the industry must always have independent bodies looking after our interests.

"I am delighted that money is finally being put into the new National Fraud Reporting Centre and is actually going to be given some teeth in the form of the new Police Central e-crime Unit," he added.

Lord Erroll's comments were echoed by Mike Barwise, Editor of Infosecurityadviser.com, the online forum for the information security industry, who noted Lord Broers' description ("extraordinarily complacent") of the government's response to the August 2007 report on personal Internet security by the House Science and Technology Committee.

The House of Lords debate, he said, was fascinating, as it illustrated the degree of confidence that consumers must have in a system for it to flourish.

"Lord Sutherland of Houndwood's comments that Internet trading and purchase... depend on confidence and trust in the processes employed by the banks and in the priority that they give to personal Internet security, highlights this fact," he said.

"As events in the financial world in recent weeks have shown, without an underlying level of confidence in a given market, that market will collapse spectacularly. The danger with e-trading security is that, if confidence fails, the e-trading market will similarly slump," he added.

For more on Mike Barwise's comments: http://www.infosecurityadviser.com/view_message?id=74

 


TJX - over reaction?

Benjamin Wright posted a comment about the TJX case being an over-reaction. He has also posted on this on his own blog.

First things first: let me welcome you to the blogosphere! Given your expertise as a lawyer, I probably should just shut up and not start to argue, but then again, what is the point of a discussion if we cannot share our opinions?

To your comment: I do not agree that there has been an over-reaction. I think this depends on your point of view. If you consider only the known theft of money, you might be right.

However, if you consider the theft of privacy, the costs related to renewing credit cards and the potential threat to the card holder, I think the reactions so far have been anything but an over-reaction. I also think it is necessary to consider the time frame of the attack - this went on for quite a while - and that this was an important "wake-up" call to many shops.

You say that the credit card issuers over-reacted. I disagree. Their alternatives were:
  • say nothing (and wait for the press to find out... a ticking, expensive bomb)
  • say "your credit card info is just lost, but hey, who cares? It is way too expensive to issue a new card" (and wait for customers to yell, call the press and cancel their cards manually; adding potentially expensive lawsuits to the cost)
  • do as they did - cancel all cards, issue new ones. High initial cost, but low cost & risk in the long run. Just imagine the cost of losing the trust of the credit card user...

Hacking Feedburner - who do you fool?

There is a Feedburner hack available. It seems to let you increase the number of readers on your blog. WRONG - it increases the number SHOWN - thus only making your blog appear more popular than it really is.

Why would you even care for such a self fooling hack? I am pretty sure that some script kiddies and equally !mature creatures out there may use this tip to show off their number of readers to their friends, not realizing how easy it is to see through.

Personally, I prefer real readers who actually read what I write. So thank you - for reading!

The TJX case goes to court

The TJX case, one of the largest ID- and CC-theft cases so far, has finally gone to court.

The Feds rolled up a large, international circle of criminals who are charged for hacking their way to access a wide array of personal data. According to Attorney General Michael Mukasey, this is the single largest and most complex identity theft case that's ever been charged in the US.

Companies that got hacked include major brands like OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ's Wholesale Club and TJX Companies.

"They used sophisticated computer hacking techniques that would allow them to breach security systems and then install computer programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," Mukasey said. "They caused widespread losses by banks, retailers and customers."

TJX Senior Vice President Sherry Lang assures that TJX has gone a long way to assist the investigation:

"With our customers always being our primary focus, TJX has gone to great lengths to secure its customers' data," Lang said. "However, broader action beyond retailers alone is required to protect consumer data. Banks and the U.S. payment card industry must join retailers and work together, including installing the proven card security measures in the U.S. that are already in use throughout much of the rest of the world."

I like Lang's request - there is no doubt in my mind that the more we integrate and consolidate technology, solutions and tools - into what we consider efficient communication - the easier it is to exploit those tools. Remember - a few years back, you had to hack into each shop. A little later, you could reach the HQ, as the shops started to interconnect. Today, you can reach almost anything, anywhere - just using your brains and a computer.

Compliance is one thing that may help; a better understanding of the technology and its potential is equally important. From a business point of view, I think it is very important to weigh the upside of adopting new (young) technology against the potential damage the new technology may inflict.

I am looking forward to following this case!

Other TJX related information




PayPal taking the side of Fraudsters?

It seems PayPal makes its own rules on whether or not to accept that a customer has experienced unauthorized payments from his or her account. Not a good policy, IMO.

Take this story from Chris Pirillo.
A summary: someone was able to retrieve his iTunes password thanks to lax password retrieval security over at Apple. (Apple have now resolved the issue, according to the story). Using Chris' account, the fraudster was able to deduct US$450 from Chris' PayPal account - cash spent on iTunes Gift Cards.

With this background, and the backing by Apple, you would think Chris would get his funds back, right?

Wrong!

As it turns out, PayPal deems the deduction was

"not an instance of unauthorized account activity"

and decides that they will NOT return the funds stolen.

What should PayPal do? Should they turn around?
Perhaps it is time to use the marketing power, and stop using PayPal until they reach a better-vetted stance?

And - is this the first time PayPal does this, or is Chris' case the last in a long row?

Can we trust a banking service that does not care for its customers?

Do you think PayPal is taking the side of the fraudsters in this case?

PayPal phishing attempt

I have used my PayPal account a fair bit these past months. Both receiving and making payments.

Thus, when I got this email with a payment that the PayPal Investigation had returned, I was on the alert. No, not the phishing alert - I was more worried about someone making a payment and me not getting it. The obvious victim for scams, I might add.

I did not recognize the payer's name, and the amount of US$35 sounded a fair bit strange to me. Puzzled, I started to read the fine print, and decided that I needed to check my account to investigate further. I scrolled down the mail to find the link to the PayPal log-on page.

Need I say this was December 26? At the kitchen table, relaxing with my late breakfast. Oh, yes, it was a nice dinner last night!

Upon finding the link again, my mind kicked me in the back, and I decided to check the link before clicking. No surprise there - I was one click away from getting phished (phish, phishing, phisher, phished, - I have no clue of the correct phishing grammar, I must admit).

So Leo, phishers do have a clue. They are getting better every single day. And if you let your guard down for only a split second after a nice dinner party, you might find your account empty. As you note, some are still swearing by old tools and bad quality, but those who mean business adapt and research. And get their rewards.
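The habit that saved this account, checking where a link actually points before clicking, can be automated for an incoming HTML message. The Python script below is an added example and is not part of the original post: it extracts every anchor from a constructed sample message (the hosts under the reserved .test domain are made up for the example and are not real sites) and flags links whose target is not under the expected domain, or whose visible text shows a different host than the one the link opens.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body. The hosts under the reserved .test domain are
# made up for this example and are not real sites. Only the second link really
# goes to paypal.com.
SAMPLE_EMAIL_HTML = """
<p>A payment of US$35.00 to you was returned by PayPal Investigation.</p>
<p>To review the transaction,
   <a href="http://paypal.example-login.test/cgi-bin/webscr">log in to your PayPal account</a>.</p>
<p>Questions? See <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
<p>Or go to <a href="https://www.paypal.com.example.test/">https://www.paypal.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so multi-line anchor text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it (look-alikes fail)."""
    return host == domain or host.endswith("." + domain)


def url_like_host(text):
    """Hostname shown in link text that itself looks like a URL, else ''."""
    token = text.strip()
    if not token or " " in token or "." not in token:
        return ""
    if "://" not in token:
        token = "http://" + token
    return host_of(token)


def suspicious_links(html, expected_domain="paypal.com"):
    """Return (href, text, reason) for each link that should not be clicked."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if not belongs_to(target, expected_domain):
            reasons.append(f"target {target!r} is not under {expected_domain}")
        shown = url_like_host(text)
        if shown and shown != target:
            reasons.append(f"text shows {shown!r} but link opens {target!r}")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}\n    {reason}")
```

The subdomain test is the important detail: `paypal.com.example.test` starts with the brand name but does not end with `.paypal.com`, so it is rejected, while `www.paypal.com` passes. Mail clients that display a link's visible text rather than its target are exactly what this check compensates for.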

Take a good look at the images - they show the email I got. The first shows the standard PayPal template with the serious looking header.

[Image: PayPal email]

This next picture shows the transaction information - the part of the email that made me believe the authenticity of the scam.

 

[Image: PayPal Scam - transaction details]

Terra Securities files for bankruptcy

Terra Securities closes all operations. So what, you may say, who are they?

Since you most likely do not know Norway and the things going on here, a quick update is in order.

### 

A couple of weeks back, the news broke that four small municipalities had invested in a hedge fund brokered by a Norwegian investment broker, Terra Securities. Not only had they spent their cash on the investment, they had borrowed a large amount of cash to do so (US$10M).

Why? The Terra Securities sales guy had shown them the prospectus of a US-based high-risk investment opportunity. However, the translation removed some of the information - leaving the high profit in, but not discussing the high risk. So the municipalities claim that they only saw a great opportunity, not a risky or even shady business.

So let's review this. A bank approaches you with a highly profitable investment opportunity. DING-DING! High profit means high risk. So be careful, right?

Next, the bank tells you that this opportunity is so good, and offers you a huge loan so that you can make a big investment. DING-DING!!! How is the bank making money? By lending money. By charging fees. By skimming your investment interests.

So - unless you are an avid investor and know your way around gearing and other financial tools, you would back down and walk away, right? Most of us would.

But as always, some of us are dumber than others.

And it may seem like the more stupid amongst the Norwegian population are located in the North, in four small municipalities that have lost some US$100M. And the number might double, according to some reports. A large amount of cash - for most of us, and certainly for these municipalities.

I am amazed. OK, the bank most likely did break the law when marketing the hedge funds (as marketing hedge funds is illegal in Norway). And the sales guy most likely did push harder than he should have. But still, I bet the bell was ringing long and hard, and that he was the sales hero that year!

### 

So - for Terra Securities, this has gone from bad to worse.

What started as a pushy sale, has evolved into a nightmare. During the couple of weeks this has gone on in the media, the not so smart politicians turned the table and collected support from the media. You know:

"How could we know? We are poor, normal people. We do not know anything about investments!"

And the media bought it. And kicked Terra Securities. And again, I am amused. The politicians clearly admit their error - making a stupid investment using borrowed cash. Still, they blame everything on Terra.

"They should have known. They should have told us!"

Wrong. They are about making money. Not by making you a profit, but by making you buy their products. Which you did - both their lending services AND their investment services. A great sale, I would argue. 

You see, being a municipality means that you are responsible for your actions. It means you must accept that responsibility. You cannot invest millions of dollars one day, and then cry and blame your partner when you lose your money. That is just wrong. Stupid. Childish!

One of the first principles of investment is to never invest more than you are willing to (or can afford to) lose. That is your responsibility - not your bank's.

If I had done the same type of investment, I would have to accept the loss and move on. So should you.

###

This is it for now - I will keep sharing my opinion on this stupidity.

 

 

 

Security on letterhead

Bruce Schneier has a very nice post today which explains one of the challenges of the ever increasing speed of adopting new technology. 

This is a real challenge - behavior is one of the hardest things to change.

 

TJX gives CC advice to their customers!!!

Oh, the TJX. No, I guess I never get tired of it!

This time, I will just point you to this important message from the President and CEO, issued Oct. 11.

There, Carol Meyrowitz, the President and CEO, says:

"To learn more about steps you can take to protect your credit and debit card information, I encourage you to access the information we are providing on this website or to contact our special customer helplines listed below."

Sorry Carol, I do not think I trust TJX enough to take your advice about CC information. At least not MY CC information.

Need I remind you that it never was your CUSTOMERS who messed up? Your customers decided to TRUST you and your companies to handle the CC information. I bet the customers did take the necessary precautions and use common sense - how could they be expected to be prepared for YOUR breach?

I advise you to do the right thing - learn from your own mistakes and fix them - not divert attention by teaching your customers how to do things they do much better than you ever did.

 

------------------------------------------------------------------------

Due to the nature of the document, I have pasted the text below too:

 


 

LETTER FROM TJX’S PRESIDENT AND CEO

October 11, 2007

To Our Valued Customers:

At TJX, our first priority always has been and continues to be, our customers. I want each of you to know how much I personally and, on behalf of the Company, regret any difficulties you may have experienced as a result of the criminal attacks on our computer systems announced earlier this year. Importantly, we truly appreciate that you have continued to place your trust in us with your loyalty and patronage.

We remain committed to providing our customers a safe shopping environment as you shop for great values, fashion and brands. TJX has been working diligently with some of the world’s best computer security firms to further enhance our computer security. We have also continued to work with law enforcement and government agencies and very much want to see that the sophisticated cyber criminals who attacked our computer systems are brought to justice.

We have worked diligently to reach a settlement, which we believe would offer an excellent resolution for our customers, addressing the different ways that they have told us that they have been impacted by the computer intrusion(s). (Like all class action settlements, our settlement is subject to Court approval and other conditions, and therefore, customers cannot yet seek benefits.) We have provided a separate link, below, to additional information regarding the proposed settlement.

To learn more about steps you can take to protect your credit and debit card information, I encourage you to access the information we are providing on this website or to contact our special customer helplines listed below.

Once again, we sincerely regret any inconvenience you may have experienced as a result of the attacks on our computer system. We are deeply grateful for your continued trust and patronage.

Respectfully,

Carol Meyrowitz
President and Chief Executive Officer
 
 


INFORMATION ABOUT PROPOSED CUSTOMER CLASS ACTION SETTLEMENT

Click here to view Additional Information about Proposed Customer Class Action Settlement; Subject to Court Approval and Other Conditions.

INFORMATION ABOUT INTRUSION(S)

View Frequently Asked Questions (FAQs)

Click here to view the 2/21/07 Press Release

Click here to view the 1/17/07 Press Release

Helpful Information for Customers:

TJX has special, toll-free helpline numbers in the U.S., Canada, the U.K., and Ireland, to assist customers with concerns about the computer intrusion(s) and to answer questions about the proposed customer class action settlement, which is subject to court approval and other conditions.

In the United States:

Toll-free help line:
866-484-6978

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps
Click here to view Other Resources
Click here for information in Spanish.

In Canada:

Toll-free help line:
866-903-1408

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps and Other Resources
Click here for information in French.

In the United Kingdom and Ireland:

Toll-free help line:

Callers in the UK* should call 0800 779015
Callers in the Republic of Ireland should call 00 44 800 779015
* (England, Wales, Scotland, N Ireland)

Available Monday through Friday from 8:00 am to 8:00 pm and Saturday from 9:00 am to 5:00 pm Eastern time.

Click here to view Recommended Steps and Other Resources

Any customers who would like to contact TJX Customer Service:
Please email TJX Customer Service at: customerservice@tjx.com

 

 

SecurityNewsPortal update

Following my post asking about the SecurityNewsPortal, I have received information from Marq at Infosyssec.com - the owner of Securitynewsportal.com.

First, thank you Marq for taking the time and effort to resolve this issue, and for bearing with this ignorant viking. Thanks to you, I now have access to your different services.

It turns out Marq has experienced problems with attackers and hackers using computers (botnets, perhaps?) originating from locations worldwide, including Norway. As a result, he made the decision to filter out IP-ranges of networks that seemed to be heavier on the attacks than others.

This is a very dramatic way of reducing the amount of problems. To Marq, this was a sound business solution, counting in the risk of keeping legitimate visitors out of the website. And of course the risk of ignorant vikings wondering about the quality of the services.

Another way to counter these kinds of attacks requires heavy investment in hardware, plus high-availability (HA) access solutions - the road I would suggest any business take if they start experiencing this kind of targeted attack. The only challenge with taking this road is the potentially heavy investment it takes.

Marq, thank you for your help. My readers, thank you kindly for helping out! Marcin, thank you for checking the URL yourself and reporting back. I hope you have access again, if not, let me know and I will relay you to Marq.
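To make the trade-off Marq describes concrete, here is an added Python example (mine, not Marq's code and not a description of what Infosyssec actually ran): it aggregates constructed web-server access-log lines by /24 network, ranks networks by rejected requests, and reports how many served requests from the same network a range-wide block would also cut off, which is exactly the "legitimate visitors kept out" risk the post mentions. Treating HTTP 4xx responses as the attack signal is an assumption made for the example; the deny_rules output uses the nginx deny directive syntax.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format, documentation-range
# addresses only; these are not real visitors). The last line is deliberately
# malformed to show that the parser skips it.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2008:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.11 - - [12/Jan/2008:10:00:02 +0000] "GET /admin/login.php HTTP/1.1" 403 221
203.0.113.11 - - [12/Jan/2008:10:00:03 +0000] "GET /admin/login.php HTTP/1.1" 403 221
203.0.113.12 - - [12/Jan/2008:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 221
203.0.113.13 - - [12/Jan/2008:10:00:05 +0000] "GET /news HTTP/1.1" 200 8871
198.51.100.7 - - [12/Jan/2008:10:00:06 +0000] "GET /news HTTP/1.1" 200 8871
198.51.100.8 - - [12/Jan/2008:10:00:07 +0000] "GET /feeds/rss HTTP/1.1" 200 2044
192.0.2.44 - - [12/Jan/2008:10:00:08 +0000] "GET /admin/login.php HTTP/1.1" 403 221
192.0.2.45 - - [12/Jan/2008:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 5123
this line is not a log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_log(text):
    """Yield (client_ip, status_code) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            yield match.group("ip"), int(match.group("status"))


def network_stats(text, prefix=24):
    """Count rejected (4xx) and served (2xx) requests per /prefix network.

    Assumption: a 4xx response stands in for the 'attack' signal here; a real
    deployment would feed in its own IDS/WAF verdicts instead.
    """
    stats = defaultdict(lambda: {"rejected": 0, "served": 0})
    for ip, status in parse_log(text):
        # strict=False folds a host address into its enclosing network.
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        if 400 <= status < 500:
            stats[net]["rejected"] += 1
        elif 200 <= status < 300:
            stats[net]["served"] += 1
    return dict(stats)


def block_candidates(text, prefix=24, min_rejected=2):
    """Networks with at least min_rejected rejected requests, noisiest first.

    Each entry is (network, rejected, served): 'served' is the legitimate-looking
    traffic a range-wide block would also cut off, i.e. the collateral cost.
    """
    stats = network_stats(text, prefix)
    ranked = sorted(stats.items(), key=lambda item: -item[1]["rejected"])
    return [
        (net, counts["rejected"], counts["served"])
        for net, counts in ranked
        if counts["rejected"] >= min_rejected
    ]


def deny_rules(candidates):
    """Render candidates as nginx 'deny' lines, noting the collateral per range."""
    return "\n".join(
        f"deny {net};  # {rejected} rejected, would also block {served} served requests"
        for net, rejected, served in candidates
    )


if __name__ == "__main__":
    candidates = block_candidates(SAMPLE_LOG)
    for net, rejected, served in candidates:
        print(f"{net}: {rejected} rejected, {served} served")
    print(deny_rules(candidates))
```

On the sample data only 203.0.113.0/24 crosses the threshold, and blocking it also drops the two ordinary page views that came from the same range; that served count is the number to look at before deciding whether a whole-range block, or the more expensive capacity route the post describes, is the better fit.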
