Oct 01 2009

Sophisticated phishing attack and countermeasures

Category: Cybercrime, Email Security, Identity Theft | DISC @ 12:36 am


Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft

Phishing is the practice of luring unsuspecting Internet users to a fake web site by means of an authentic-looking email carrying the real organization's logo, in an attempt to steal passwords and financial or personal information. In daily life people advise you to retrace your steps when you lose something. The question is how you retrace your steps in cyberspace, where some uber hackers know how to erase their footsteps to avoid detection. It is difficult to find phishers in cyberspace, and jurisdictional issues make it even harder to prosecute them. Then there is the issue of trust: phishers dupe people into believing that their web site is not fraudulent in order to collect personal and financial information.

Below is an example of a sophisticated phishing attack.
Link to phishing email

It looks very legit, with all the correct data, logos, graphics and signatures.

One giveaway: the TSA rule change has nothing to do with rental cars. It only affects your airline ticket vs. your photo ID (driver's license, passport, whatever).

To verify that this is bad stuff, right click on the links. You get “http://click.avis.com/r/GDYHH9/16HY8/6V5I29/M93XX4/YCCJP/A5/h”, which looks OK at first glance, since it says “avis.com”. But myAvis should not send me to “click.avis.com”. I also noticed that all the other links send you to the same location.

The clincher (here comes the geeky stuff):

To open a terminal window, press the “Windows key” and the letter “R”.

You will see the “Run” dialog box. Type “cmd” and press “OK”.

In the terminal window, run nslookup and query the real site, the link's host, and the resulting address:

C:\> nslookup
> www.avis.com                  <<< check IP address of the real AVIS web site
Server: 4.2.2.3
Address: 4.2.2.3#53
Non-authoritative answer:
www.avis.com canonical name = www.avis.com.edgekey.net.
www.avis.com.edgekey.net canonical name = e2088.c.akamaiedge.net.
Name: e2088.c.akamaiedge.net
Address: 96.6.248.168           <<< get IP address of the real AVIS web site
> click.avis.com                <<< now check IP address of the bogus AVIS web site
Server: 4.2.2.3
Address: 4.2.2.3#53
Non-authoritative answer:
click.avis.com canonical name = avis.ed10.net.
Name: avis.ed10.net             <<< not the same domain as the real AVIS domain
Address: 208.94.20.19           <<< note IP address is in a totally different sub net
> 208.94.20.19                  <<< now do a reverse lookup of the fake AVIS web site
Server: 4.2.2.3
Address: 4.2.2.3#53
** server can't find 19.20.94.208.in-addr.arpa.: NXDOMAIN   <<< it should give you the web site name
> avis.ed10.net                 <<< bogus AVIS web site name
Server: 4.2.2.3
Address: 4.2.2.3#53
Non-authoritative answer:
Name: avis.ed10.net
Address: 208.94.20.19
> 208.94.20.19

Moral of the story: be very careful with links in emails and web pages. To check the authenticity of a link, right click on it, copy it to a text file and take a good look.
Don’t click on links in the phisher’s email. Type the URL into the web browser yourself.
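The nslookup checks above, automated as an added example (not code from the original post): the resolver answers from the session are transcribed into an offline lookup table, the link host's CNAME chain is followed, and its canonical domain, subnet and reverse record are compared against the organization's real site. Assumed and constructed: the lookup tables, the /24 used as a stand-in for "same subnet", and the two-label registrable-domain rule; a CDN-hosted legitimate site also resolves outside its own domain, which is why the comparison is against the real site's resolution rather than the bare domain.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed offline resolver tables, transcribed from the nslookup session above.
# A real tool would query DNS instead of consulting these dicts.
CNAME = {
    "www.avis.com": "www.avis.com.edgekey.net",
    "www.avis.com.edgekey.net": "e2088.c.akamaiedge.net",
    "click.avis.com": "avis.ed10.net",
}
A = {"e2088.c.akamaiedge.net": "96.6.248.168", "avis.ed10.net": "208.94.20.19"}
PTR = {}  # the post's reverse lookup of 208.94.20.19 returned NXDOMAIN; 96.6.248.168 was not checked


def registrable_domain(host):
    """Last two labels of a name (assumption: fine for .com/.net; real code would use the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def resolve(host, limit=8):
    """Follow the CNAME chain the way nslookup prints it; return (chain, ip_or_None)."""
    chain = [host.lower().rstrip(".")]
    while chain[-1] in CNAME and len(chain) <= limit:
        chain.append(CNAME[chain[-1]])
    return chain, A.get(chain[-1])


def check_link(url, real_site):
    """Compare where an emailed link really resolves against the organization's known site."""
    host = (urlsplit(url).hostname or "").lower()
    chain, ip = resolve(host)
    real_chain, real_ip = resolve(real_site)
    # Assumption: treat "same subnet" as the same /24 as the real site's address.
    same_subnet = bool(ip and real_ip) and ipaddress.ip_address(ip) in ipaddress.ip_network(real_ip + "/24", strict=False)
    result = {
        "host": host,
        "chain": chain,
        "ip": ip,
        "host_under_claimed_domain": registrable_domain(host) == registrable_domain(real_site),
        "canonical_matches_real_site": registrable_domain(chain[-1]) == registrable_domain(real_chain[-1]),
        "same_subnet_as_real_site": same_subnet,
        "has_reverse_record": ip in PTR,
    }
    # A host name under the right domain is not enough: if the canonical name and the
    # subnet both disagree with the real site, treat the link as suspicious.
    result["verdict"] = "consistent" if (result["canonical_matches_real_site"] or same_subnet) else "suspicious"
    return result
```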

——————————————————————————————————————————–
In the table below are the 12 threats to your online identity that can be exploited in phishing scams, together with possible countermeasures to protect your personal and financial information. Some of these threats arise from inadequate or absent security controls. The last row of the table is a monitoring control for identifying the warning signs of identity theft.
——————————————————————————————————————————–



Download a free guide for the following cloud computing solutions

Hosted email solution
Hosted email archiving
Hosted web monitoring
Hosted online backup

Tags: email archiving, Email Security, Identity Theft, online backup, phishing, phishing countermeasures, phishing threats, web security



May 18 2009

Security breach and notification

Category: Security Breach | DISC @ 1:05 am


California was the first state in the nation to pass a data breach notification law, in 2003, and it is now planning to broaden the notification duties of companies doing business in the state. Notification would have to give the consumer specific information about the breach, with notices sent to the state authorities at the same time.

The notices consumers currently receive are basically too little, too late: they may only say that your information may have been compromised, and they may be released several months after the incident.


California’s new legislation will force the organization to admit the extent of the compromise, so consumers can assess their own risks in a timely manner. Heartland, the credit card processor, has been sued by banks to recover their breach notification costs. Should the credit card processing company that suffered the security breach be responsible for the cost of the notification?

Current notification does not tell you where and how your credit card information was compromised, so you cannot even stop shopping at that merchant. When consumers ask the credit card company’s customer service representative specific questions about the breach, the representative will deny any knowledge of it and say something along the lines of: once all the legal matters have been taken care of, the credit card company will send you a detailed letter about the breach.
In the case of a processor security breach, the credit card company might issue notices to several hundred thousand people. Without specifics, such a notice can have a “crying wolf” effect, and consumers may not take any action.

Last week a well publicized security breach at UC Berkeley exposed the records of 160,000 people. The hackers had access to the vulnerable system for more than six months before they were discovered, which clearly shows a lack of monitoring controls and due care.
When a young college student affected by the breach receives a “may have been breached” notice, he or she will immediately worry about his or her credit and the possibility of identity theft. The question is why a student has to bear the burden of negligence by the merchant or campus and of the lack of reasonable security safeguards. Once such a notice that private information “may have been compromised” is issued, the responsibility for keeping an eye on your credit is transferred to you. The problem is that some fraudulent transactions might not be noticed for at least a year.




Tags: Computer security, Credit card, due care, Identity Theft, Law, privacy, sb 1386, University of California Berkeley


Mar 04 2009

HIPAA accountability and security program

Category: HIPAA, Security Risk Assessment | DISC @ 7:34 pm

Last year the Department of Health and Human Services (HHS) started penalizing healthcare organizations for security breaches and for lacking a security program. The healthcare stimulus bill says that HHS will post breaches at healthcare organizations on its website. In both cases the intent is clear: HHS wants to hold healthcare organizations accountable for security lapses.

The World Privacy Forum (WPF) states in a recent report that medical identity theft is on the rise and that it leaves false information in medical records that can torment victims’ medical lives for years. Medical identity theft is mostly carried out by insiders with legitimate access to medical and insurance billing systems. Patient medical files and addresses can be changed to reflect phony medical care, and insurance payments are forwarded to a different address.

HHS has given healthcare organizations ample warning and time to get their house in order. The healthcare stimulus bill, which requires digitizing healthcare records, will demand an even more stringent security program from healthcare organizations. Time is of the essence: healthcare organizations should start their security strategy planning now and implement their security program before HHS comes knocking at their door.

Risk Management Process:

Like other compliance initiatives, HIPAA requires organizations to build a security risk management program to manage their daily risks. The risk management process consists of risk assessment (analyzing the risks), designing or selecting controls, implementing controls, testing controls, and maintaining and monitoring controls. At a high level, risk management is accomplished by balancing risk exposure against mitigation costs and implementing appropriate countermeasures and controls.


A risk assessment states the security posture of an organization at a given point in time, so organizations should assess the risks to their assets on a regular basis. The assessment looks at the impact and likelihood of each threat/vulnerability pair: what is the likelihood that a threat will exploit a given vulnerability, and what will the impact be if it does? If either likelihood or impact is low, the overall risk is low.

Performing a vulnerability assessment of critical assets on a monthly basis is highly recommended, both to find new vulnerabilities and to make sure that hardened system configurations have not changed. Any change introduced to a system also calls for a check that the necessary system configurations are still intact.
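The "has the hardened configuration changed" check from the paragraph above, as an added example that is not code from the original post: a baseline of hardened settings recorded at the last assessment is compared against the current settings on the host, and every changed, missing or newly added setting is reported. The two sshd-style setting snippets are constructed sample input; real code would read the actual configuration files.

```python
import hashlib

# Constructed sample: the hardened baseline recorded after the last assessment,
# and what the same file contains today (one setting was weakened, one removed, one added).
BASELINE = """\
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
X11Forwarding no
"""
CURRENT = """\
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 3
AllowTcpForwarding yes
"""


def parse_settings(text):
    """Turn 'key value' lines into a dict, ignoring blank lines and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def fingerprint(text):
    """Stable hash of the normalised settings, for a quick 'anything changed?' check."""
    canon = "\n".join("%s %s" % kv for kv in sorted(parse_settings(text).items()))
    return hashlib.sha256(canon.encode()).hexdigest()


def config_drift(baseline_text, current_text):
    """Report settings that changed, disappeared or appeared since the baseline."""
    base, cur = parse_settings(baseline_text), parse_settings(current_text)
    return {
        "changed": {k: (base[k], cur[k]) for k in base if k in cur and base[k] != cur[k]},
        "missing": sorted(k for k in base if k not in cur),
        "added": sorted(k for k in cur if k not in base),
        "unchanged_fingerprint": fingerprint(baseline_text) == fingerprint(current_text),
    }
```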

A Five-step Roadmap to HIPAA Security Compliance

Related videos by youtube
httpv://www.youtube.com/watch?v=3Srhrow67f8


Tags: Health care, Health Insurance Portability and Accountability Act, Identity Theft, Risk management, Security, Security Risk Assessment, United States Department of Health and Human Services

