Posted by Andre Edelbrock on Fri, Sep 04, 2009
Vacation is supposed to be a time when you finally relax and break away from the demanding pressures of work-a-day life. But with the economy down, and many worried about doing enough to keep their jobs, the increase in computing mobility means that larger than ever numbers of people are taking work with them when they head for the beach. Be honest -- you took your laptop or Blackberry with you, and if nothing else, checked for email while you were away this summer, didn't you?
So maybe you weren't working as you sipped pina coladas on the beach and surfed not on the water, but on your PC. Maybe you were "just shopping", or watching the latest viral videos on YouTube.
So guess what? Ever on top of new trends, fraudsters have spotted a big new vulnerability to capitalize on. Adding another coined phrase to our fraud glossary, Fox News reports that “vacation hacking” is a new avenue for criminals to steal from those who rely on free wifi or unsecured networks to get their internet fix while away from the office.
Beach fraud
Ok, so you aren't one of those clueless tourists walking around with a sign on your back saying "Hack Me". You're a businessperson who's been around the block a few times, you've got AV software and a firewall -- not so easily taken. Really? Have you ever logged on at the airport, trying to squeeze in just a couple more emails before departure?
So-called "white-hat" hackers recently surveyed a number of large airports, discovering what they said was an alarming amount of hacker-generated connections. Hackers are now identifying these airport wifi access points as their new hotspots and enticing busy road warriors, unaware that they are at risk, to sign on to a hacker’s portal, where they not only willingly hand over their credit card info but also leave their laptop at risk and their information unprotected.
Data breaches, phishing, botnets, spam, fake portals, unsecured networks -- all can be used to steal personal information for fraudulent gain. But what can you do to stop it?
Is there any escape? Is any protection good enough?
Everyone will always tell you ways to make your environment more secure, and build a better barrier to keep the bad from getting in. But that doesn't help much when the bad gets in, nor does it deal with the root of the problem. Just ask Heartland Payment Systems, who thought they had a totally secured PCI DSS compliant environment.
Only part of the problem is lack of security. Another critical part of the problem is the value of what gets stolen. We must re-double efforts to make the stolen data worth less, if not worthless. Make it harder to use. Fully thwart attempts to convert data to cash. Increase the penalties and prosecution efforts such that the perpetrator of the biggest data breach in history faces more than a couple slaps on the wrist and a cushy job as informant for the Secret Service.
Become more aware of what makes us vulnerable, and stop depending on technical solutions that no one understands and which often increase complacency and therefore the probability of loss.
Simple solution: address the problem at its source
The solution as I see it is two-fold:
- Educate users about risk, and what to look out for -- what makes something suspicious and why you shouldn't hand over a social security number when someone calls asking for it, for example
- Stop financial fraud at source, by getting banks, card issuers, card processors, anti-fraud vendors and the targeted merchants all working together to provide a backstop when security fails
Simple, right?
Take the poll
Let us know what you think. More security? Better fraud detection? Stiffer penalties? Simplicity? Less technology? Collaboration? Smarter users? What is going to help us gain control of things?
Take our poll, and after you hit the button, you'll see a graph of the compiled results. And, if your answer isn't on the list, give us your solution in the comments below.
Aren't you glad that summer vacation is almost over and you're back to work?
Posted by Paul Paetz on Thu, May 28, 2009
Thinking and Awareness Needed to Stop Crime, Not Just Tech
Recently, a targeted crime spree hit Staten Island with 250 Sovereign Bank customers caught up in a never-ending technological arms race between criminals and the rest of us. This time it wasn’t the latest hacker sitting at a faraway computer in the middle of the night. Rather, it was a small gang that used skimming technology and video cameras to compromise the accounts and make off with over $500,000. But for the alertness of Microsoft “evangelist” Sean Siebel, who spotted the scam while doing his own personal banking, it probably would have been millions lost before detection.
According to banks, skimmers are rarely spotted in the wild, yet after seeing Sean on the news, another New Yorker spotted another skimmer at a Chase branch. The branch manager hadn’t heard of the scam.
We see national news headlines about breaches and individual customer information being stolen by faceless entities in far-away lands. We assume these scams require tech prowess and amazing skill, but it usually turns out to be as simple as a mirror and hidden video camera. Many times the response to these attacks is to add more features and functionality to our technology. In the case of credit cards, the focus has been on Chip and PIN, especially in Europe. Soon, even more sophisticated 2-factor authentication is coming through cards with built-in single-use PIN generators.
Unfortunately, as this story shows, even the most advanced technology is easily subverted by cheap tools you could purchase at Best Buy or download for free, together with a small amount of ingenuity.
The problem is that we place too much trust in the technology, and not enough in being alert, observant and careful. In fact, the more we rely on technology to do our thinking for us, the more complacent and vulnerable we become.
The lesson: if your security approach is purely based on a better technology mousetrap, you are a breach waiting to happen. Don’t forget to educate your people, understand the risks you face, and always assume that the criminals will find a way around whatever technology barriers you erect.
Posted by Andre Edelbrock on Tue, Jan 27, 2009
The high-profile revelations last week about the Heartland data breach are a stark reminder that incursions by hackers into financial systems, and the fraud that results, have become mainstream news events. And end-of-year reports for 2008 show the news about security breaches keeps getting more worrisome.
Perhaps the worst of it is their increasing frequency and size. As we discussed recently here, experts such as the Gartner Group’s Avivah Litan believe recession and fraud increases go hand-in-hand as skilled minds lose legit employment and go to the dark side.
But whatever the source, there is certainly more of it.
CIFAS in the UK reports there has been a 207% rise in facility takeover fraud (i.e., account takeover fraud) in 2008, where legitimate accounts are hijacked by various means: “…the sheer scale of the increase is truly alarming. Fraudsters are clearly adapting to current conditions. They know that lending criteria have become more stringent as a result of the credit crunch, and that application fraud is likely to be unsuccessful. They are, therefore, turning their attempts elsewhere…”
ITRC (the Identity Theft Resource Center in the US), starting its 10th year, reports data breaches jumped in 2008 by 47%. ITRC says in this report on 2008 breaches that the bigger number has a couple sources: “two things are happening - the criminal population is stealing more data from companies AND that we are hearing more about the breaches.”
Of course, the Heartland data breach news of last week, in the wake of the high-profile RBS and Hannaford breaches and the massive TJ Maxx breach two years ago, tells us this is a momentum-gaining dark trend no one wants to be caught up in.