“Dept Of Homeland Security Attempt To Induce A Permanent State Of Fear & Paranoia!”
DHS encourages folks in public to spy on others for the sake of security?
http://www.youtube.com/watch?v=gjeMCCQlCPA
InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Aug 19 2011
Jul 08 2011
For more advice you can visit:
Spotting and avoid common scams, fraud and schemes online and offline
How the scam works and what you need to do about it.
and
Online payment Security and Fraud Prevention
Jun 05 2011
LONDON — Nearly 180 passwords belonging to members of an Atlanta-based FBI partner organization have been stolen and leaked to the Internet, the group confirmed yesterday.
The logins belonged to the local chapter of InfraGard, a public-private partnership devoted to sharing information about threats to US physical and Internet infrastructure, the chapter’s president said.
“Someone did compromise the website,” Paul Farley, president of the InfraGard Atlanta Members Alliance, said in an e-mail exchange. “We do not at this time know how the attack occurred or the method used to reveal the passwords.”
Copies of the passwords — which appear to include users from the US Army, cybersecurity organizations, and major communications companies — were posted to the Internet by online hacking collective Lulz Security, which has claimed credit for a string of attacks in the past week.
In a statement, Lulz Security also claimed to have used one of the passwords to steal nearly 1,000 work and personal e-mails from the chief executive of Wilmington, Del.,-based Unveillance. Lulz Security claimed it was acting in response to a recent report that the Pentagon was considering whether to classify some cyberattacks as acts of war.
The FBI said yesterday steps were being taken to mitigate the damage.
Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground
Jun 02 2011
For the second time in 17 months, Google is pointing its finger at China for a security breach in one of its systems.
This time, Google says Chinese hackers were responsible for breaking into the personal Gmail accounts of several hundred people, including those of senior U.S. government officials, military personnel and political activists.
The latest cyber attack isn’t believed to be tied to a more sophisticated one that originated from China in late 2009 and early last year. That intrusion went after some of Google’s trade secrets and triggered a high-profile battle with China’s Communist government over online censorship. (AP, ccg)
This seems a pretty intrusive and targeted incident. I’m curious, what is a threshold trigger for declaring a cyber war between two countries? I understand this was not a very prolonged incident, but these small incidents here and there can certainly achieve some long-term objectives for the other side. It is very difficult to prove the correct source of these incidents in the wild west of the internet, and there is also a lack of international law to pursue these cases as a criminal offense.
Apparently the Pentagon recently concluded that computer sabotage can constitute an act of war and justify the use of military force, The Wall Street Journal reported this week.
Well, before the use of military force you have to prove beyond reasonable doubt that you are targeting the correct culprit nation. Well, if this is the criterion to declare a war against another nation, we had better buy good errors and omissions insurance. In the cyber world it is hard to prove and easy to spoof, where some groups will be eager to set up an easy victim to justify the use of military force…
Clinton: China hacking charge “Very Serious”
Cyber War: The Next Threat to National Security and What to Do About It
May 27 2011
LONDON: Unknown hackers have broken into the security networks of Lockheed Martin Corp (LMT.N) and several other US military contractors, a source with direct knowledge of the attacks told this news agency.
They breached security systems designed to keep out intruders by creating duplicates to “SecurID” electronic keys from EMC Corp’s (EMC.N) RSA security division, said the person who was not authorized to publicly discuss the matter.
It was not immediately clear what kind of data, if any, was stolen by the hackers. But the networks of Lockheed and other military contractors contain sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.
Weapons makers are the latest companies to be breached through sophisticated attacks that have pierced the defenses of huge corporations including Sony (SNE.N), Google Inc (GOOG.O) and EMC Corp (EMC.N). Security experts say that it is virtually impossible for any company or government agency to build a security network that hackers will be unable to penetrate.
The Pentagon, which has about 85,000 military personnel and civilians working on cyber security issues worldwide, said it also uses a limited number of the RSA electronic security keys, but declined to say how many for security reasons.
The hackers learned how to copy the security keys with data stolen from RSA during a sophisticated attack that EMC disclosed in March, according to the source.
EMC declined to comment on the matter, as did executives at major defense contractors.
Lockheed, which employs 126,000 people worldwide and had $45.8 billion in revenue last year, said it does not discuss specific threats or responses as a matter of principle, but regularly took actions to counter threats and ensure security. (Reuters)
Managing Information Security Breaches
Pentagon: Hack attacks can be act of war
Mar 28 2011
Alex O’Donnell and the 40 CyberThieves
sfchronicle.com by Marcus Chan
Social Security numbers and other personal information have been popular targets by cyber crooks. But a new report says thieves have shifted their focus to corporate data such as trade secrets and marketing plans, making it the “new currency” of the underworld economy.
The report, based on a global survey of more than 1,000 senior IT workers, follows recent headlines of hacker attacks on Nasdaq OMX Group, RSA Security and energy companies.
When it comes to these targeted attacks, many companies have taken the approach that “it won’t happen to us, and if it does, we’ll just pay for it then,” said Simon Hunt, a vice president and chief technology officer at McAfee, which is based in Santa Clara. “What’s become evident over the past year is that it’s happening more than people expected.”
McAfee, which sells cyber security products and services, authored the study with SAIC, a scientific and engineering company that works with national security agencies.
The potentially bigger payday from selling stolen proprietary data, along with the trend of businesses putting more of their information in the cloud, have made intellectual capital a bigger target, the report said.
To illustrate the impact of these targeted attacks, the report noted how a quarter of the companies said a data breach – or the serious threat of one – caused them to either stop or delay a merger and acquisition or a new product rollout.
The survey also found that when an organization suffers a data breach or loss, only 3 out of 10 report all such instances to government agencies or authorities, or stockholders. About 6 out of 10 “pick and choose” the incidents they report.
“Companies certainly aren’t doing all the reporting they should or that I think most people would like them to,” said Scott Aken, vice president for cyber operations at SAIC.
Businesses are also “generally trying to store their data in locations where they’re offered the best ability to pick and choose whether they have to notify (about) a breach or not,” he added. “Some countries’ laws are set up in such a way that maybe they don’t have to report.”
Further obscuring the full picture of data theft is the fact that many companies may not even realize they’ve been breached.
“Malware is really clever, hides itself well and is hard to detect,” said Fred Rica, a security expert and principal at PricewaterhouseCoopers. “We still see a lot of clients where we find evidence of a breach on their network, but they just didn’t know.”
Rica also said that amid cyber criminals’ efforts to steal intellectual capital, he’s still seeing a huge amount of personally identifiable information, such as credit card numbers, being stolen.
Among the report’s other findings:
— Lost or breached data cost companies more than $1.2 million on average. That compares to less than $700,000 in 2008, when a similar study was done.
— In the United States, China and India, organizations are spending more than $1 million a week on protecting sensitive data abroad.
— Employees’ lack of compliance with internal security policies was considered the greatest challenge to securing information.
As for the outlook, Aken of SAIC expects to see more of these sophisticated attacks.
“We’ll continue to see very well-coordinated attacks against big companies that have good security postures in place,” he said.
Mar 13 2011
By Haroon Meer
A cyberwar is brewing, and Anonymous reprisal attacks on HBGary Federal show how deep the war goes
“Cyberwar” is a heavily loaded term, which conjures up Hollywood inspired images of hackers causing oil refineries to explode.
Some security celebrities came out very strongly against the thought of it, claiming that cyberwar was less science, and more science fiction.
Last year on May 21, the United States Cyber Command (USCYBERCOM) reported reaching initial operational capability, and news stories abound of US soldiers undergoing basic cyber training, which all point to the idea that traditional super powers are starting to explore this arena.
Recent activities with one government contractor and Anonymous, however, show clearly that cyber operations have been going on for a long while, and that the private sector has been only too ready to fill the cyber mercenary role for piles of cash.
To read the remaining article and Anonymous vs. HBGary
Jan 25 2011
By Samuel Rubenfeld
Add another burden to being unemployed: Those seeking work are increasingly targeted by money mules for laundering operations.
The “Cisco 2010 Annual Security Report,” (pdf) released Thursday, says that alongside ongoing threats from phishing attempts, viruses, trojans and more, the unemployed–or the underemployed–may become unsuspecting conduits for money laundering. This can happen through “work-from-home” scams where a person’s “job” is to receive items, repackage them and ship them abroad, not knowing that the items were obtained illegally using stolen or fraudulent credit cards that further the money laundering operation.
“People scouring employment ads on legitimate, well-known job search sites also have been duped by these scams,” the report says, later adding: “Individuals who come in contact with these operations usually have no idea they are being recruited as money mules, and believe they are dealing with a recruiter for a legitimate company.”
Jan 19 2011
Since 2007, illicit organizations have employed Zeus to launch damaging, highly publicized attacks targeting the login credentials and other personal data associated with millions of computers, thousands of organizations, and uncounted numbers of users and their accounts. Relatively small groups of sophisticated criminal bands based in various nations–particularly in Eastern European countries such as Russia and Ukraine–have stolen tens of millions of dollars. Computers in 196 countries have been subject to attack. The countries most affected include the U.S., U.K., Saudi Arabia, Egypt, and Turkey.
Jan 04 2011
Thieves now have the capabilities to steal your credit card information without laying a hand on your wallet.
It’s new technology being used in credit and debit cards, and it’s already leaving nearly 140 million people at-risk for electronic pickpocketing.
It all centers around radio frequency identification technology, or RFID.
You’ll find it in everything from your passports to credit and debit cards.
It’s supposed to make paying for things faster and easier.
You just wave the card, and you’ve paid.
But now some worry it’s also making life easier for crooks trying to rip you off.
In a crowd, Walt Augustinowicz blends right in.
And that’s the problem.
“If I’m walking through a crowd, I get near people’s back pocket and their wallet, I just need to be this close to it and there’s my credit card and expiration date on the screen,” says Augustinowicz demonstrating how easily cards containing RFID can be hacked.
Armed with a credit card reader he bought for less than $100 on-line and a netbook computer.
Dec 13 2010
Richard Clarke’s credentials are well established, having been a national security advisor to presidents of both parties
“The major shock about the mischievous WikiLeaks—even more than the individual headline items—is that it dramatizes how vulnerable we still are. Digitization has made it easier than ever to penetrate messages and download vast volumes of information. Our information systems have become the most aggressively targeted in the world. Each year, attacks increase in severity, frequency, and sophistication. On July 4, 2009, for instance there was an assault on U.S. government sites—including the White House—as well as the New York Stock Exchange and Nasdaq. There were similar attacks that month on websites in South Korea. In 2008, our classified networks, which we thought were inviolable, were penetrated. Three young hackers managed to steal 170 million credit-card numbers before the ringleader was arrested in 2008.”
From Publishers Weekly
“On today’s battlefields computers play a major role, controlling targeting systems, relaying critical intelligence information, and managing logistics. And, like their civilian counterparts, defense computers are susceptible to hacking. In September 2007, Israeli cyber warriors “blinded” Syrian anti-aircraft installations, allowing Israeli planes to bomb a suspected nuclear weapons manufacturing facility (Syrian computers were hacked and reprogrammed to display an empty sky). One of the first known cyber attacks against an independent nation was a Russian DDOS (Deliberate Denial of Service) on Estonia. Since it can rarely be traced directly back to the source, the DDOS has become a common form of attack, with Russia, China, North Korea, the U.S., and virtually every other country in possession of a formidable military having launched low-level DDOS assaults. Analysts across the globe are well aware that any future large-scale conflict will include cyber warfare as part of a combined arms effort. Clarke and Knake argue that today’s leaders, though more computer savvy than ever, may still be ignorant of the cyber threats facing their national security.”
Nov 29 2010
By BBC@MMX
More than 70 sites alleged to be selling counterfeit goods or offering pirated content have been shut down by the US government.
The action was taken by the Immigration and Customs Enforcement agency, part of the US Department of Homeland Security.
Domains seized included a BitTorrent search engine, music download sites and shops selling fake designer clothing.
Many of the sites who lost their domains have continued trading via alternative addresses.
ICE confirmed that it had taken the action to the New York Times but said it could not provide any details because the seizures were part of an “ongoing investigation”.
Anyone trying to visit the seized pages was confronted by a screen saying that the domain had been taken over by ICE and which quoted US laws on copyright infringement and trafficking in counterfeit goods.
Domains seized included louis-vuitton-outlet-store.com, burberryoutletshop.com, rapgodfathers.com, mydreamwatches.com as well as BitTorrent search engine Torrent-Finder.com.
ICE’s action involved gaining control of the domain name that sites were trading under. It did not involve removing any content from the sites affected or blocking the use of an IP address.
Many of the sites that lost their domains have moved to new names in a bid to keep running.
The seizures follow similar action earlier in 2010 against nine sites also believed to be involved in counterfeiting and pirating copyrighted material.
The action comes as the UK’s Serious and Organised Crime Agency seeks similar powers over .uk domains it deems are involved in criminal activity.
Oct 01 2010
Stuxnet, the most sophisticated malware ever designed, could make factory boilers explode, destroy gas pipelines, or even cause a nuclear plant to malfunction; experts suspect it was designed by Israeli intelligence programmers to disrupt the operations of Iran’s nuclear facilities — especially that country’s centrifuge farms and the nuclear reactor in Bushehr; it has now infected Chinese industrial control systems as well; one security expert says: “The Stuxnet worm is a wake-up call to governments around the world— It is the first known worm to target industrial control systems”
Aug 27 2010
Despite widespread awareness of the impact of cybercrime, cyber attacks continue to occur frequently and result in serious financial consequences for businesses and government institutions.
Key highlights from this report (Ponemon Annual Cost of Cyber Crime Study) include:
Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet
Aug 18 2010
More identity thieves using card skimmers
During a routine maintenance check in late February a 7-Eleven employee in Martinez found something that didn’t belong inside one of his gas pumps: a debit and credit card skimmer. Local authorities switched the device for a decoy, waited for the crooks to…
“We ended up getting 11 skimmers all together all over the Bay Area, the Peninsula and the East Bay,”
Card Skimmers let thieves steal ATM Information….
Jul 10 2010
100% Internet Credit Card Fraud Protected
by Robert McMillan
The U.S. Federal Trade Commission has disrupted a long-running online scam that allowed offshore fraudsters to steal millions of dollars from U.S. consumers — often by taking just pennies at a time.
The scam, which had been run for about four years, according to the FTC, provides a case lesson in how many of the online services used to lubricate business in the 21st century can equally be misused for fraud.
“It was a very patient scam,” said Steve Wernikoff, a staff attorney with the FTC who is prosecuting the case. “The people who are behind this are very meticulous.”
The FTC has not identified those responsible for the fraud, but in March, it quietly filed a civil lawsuit in U.S. District Court in Illinois. This has frozen the gang’s U.S. assets and also allowed the FTC to shut down merchant accounts and 14 “money mules” — U.S. residents recruited by the criminals to move money offshore to countries such as Bulgaria, Cyprus, and Estonia.
“We’re going to aggressively seek to identify the ultimate masterminds behind this scheme,” Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies.
Wernikoff doesn’t know where the scammers obtained the credit card numbers they charged, but they could have been purchased from online carder forums, black market Web sites where criminals buy and sell stolen information.
Small Thefts Overlooked
The scammers stayed under the radar by charging very small amounts — typically between $0.25 and $9 per card — and by setting up more than 100 bogus companies to process the transactions.
U.S. consumers footed most of the bill for the scam because, amazingly, about 94 percent of all charges went uncontested by the victims. According to the FTC, the fraudsters charged 1.35 million credit cards a total of $9.5 million, but only 78,724 of these fake charges were ever noticed. Typically they floated just one charge per card number, billing on behalf of made-up business names such as Adele Services or Bartelca LLC.
As credit cards are increasingly being used for inexpensive purchases — they’re now accepted by soda machines and parking meters — criminals have cashed in on the trend by running this type of unauthorized charging scam.
“They know that most of the fraud detection systems won’t detect anything under $10 and they know that consumers won’t complain about a 20 cent fee,” said Avivah Litan, an analyst with the Gartner research firm who follows bank fraud. “What’s different here is the scale, and that they got away with it for so many years,” she said.
Similar Cases Show Trend
In March Alexsandr Bernik of Roseville, California, was sentenced to 70 months in prison for running a similar scam. He put tens of thousands of charges on Amex accounts, each ranging from $9 to $15. Neither federal authorities nor American Express would explain how Bernik obtained his card numbers.
Bernik made his charges on behalf of a fictional corporation called Lexbay Ltd., but in the FTC case, the scammers would mimic legitimate companies — taking real federal tax I.D. numbers and then setting up fake businesses with nearly identical names that appeared to be located nearby. In a move that apparently tricked credit card processors into granting it a merchant account, Adele Services, for example, was set up to mimic a legitimate Bronx, New York group called Adele Organization.
When the scammers tried to register merchant accounts with credit card processors, the processors would do some investigating, but using tricks like these, the scammers were always one step ahead.
In fact, the FTC’s description of their operation reads like a textbook on how to set up a fake virtual corporation in the Internet age.
The criminals used a range of legitimate business services to make it appear to credit card processors as though they were legitimate U.S. companies, even though the scammers may have never set foot in the U.S.
For example, using a company called Regus, they were able to give their fictional companies addresses that were very close to the companies whose tax IDs they were stealing. Regus lets companies operate “virtual offices” out of a number of prestigious addresses throughout the U.S. — the Chrysler Building in New York for example — forwarding mail for as little as US$59 per month.
Mail sent to Regus locations was then forwarded to another company, called Earth Class Mail, which scans correspondence and uses the Internet to deliver it to customers in pdf format.
They used another legitimate virtual business service — United World Telecom’s CallMe800 — to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.
When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.
One of the largest payment processors in the U.S., First Data, was a favorite of the scammers. Of the 116 fake merchant accounts the FTC uncovered, 110 were with First Data. The scammers also set up bogus accounts with Elavon and BBVA Compass.
First Data would not comment on the measures it had taken to improve its merchant vetting process, but the company did confirm that it cooperated with the FTC investigation.
Aided by ‘Mules’
To get the money out of the U.S., the scammers had to recruit money mules. These were U.S. residents who were recruited online, often with spam e-mail messages. Under the impression that they were helping offshore businesses, the money mules set up bank accounts and helped the fraudsters move money offshore.
In a letter to the judge presiding over the case, one of the mules, James P. Smith of Brownwood, Texas, says he worked for one of the scammers for four years without realizing that anything illegal was going on. Smith now says he is “ashamed” to be named in the FTC action, and offers to help catch his former boss, who used the name Alex Moore.
The FTC’s Wernikoff believes that whoever is responsible for this crime lives outside of the U.S., but with the money-cashing operation now busted up, the scammers will have to start again from scratch, if they want to keep bilking consumers. And criminal investigators now have a trail to follow.
“Does it prevent the people ultimately responsible from building up again from scratch?” he asked. “No. But we do hope that this seriously disrupts them.”
Apr 28 2010
By Angela Moscaritolo – SCMagazineUS.com
U.S. banks are grappling with a recent increase in skimming attacks, which are being carried out by Eastern European gangs aiming to steal consumer bank account numbers and PINs, according to a Gartner analyst.
These types of attacks are not new, but the scale and the organization behind them is, Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com on Tuesday. Over the past six months, fraudsters increasingly have been mounting well-organized and systematic attacks that involve placing skimming devices on not just ATM machines — the most commonly targeted device — but also point-of-sale systems and gas-pump card readers.
Litan said she heard about the increase in skimming at a recent fraud conference attended by numerous financial services companies. There, she learned that skimming is currently one of the top problems with which banks are dealing.
Last summer, Chris Paget, chief hacker for H4RDW4RE, a security consulting company that specializes in hardware and radio reverse engineering and assessment, unknowingly encountered a rigged ATM at the Rio All-Suites Hotel & Casino in Las Vegas. As a result, Paget, who was in town to attend the Black Hat hacker conference, lost $200.
In his case, the ATM contained no signs of tampering and apparently was internally compromised. But Paget, best known for his research around RFID technology, said externally placed skimming devices are becoming more advanced.
“Skimmers are reaching the stage now where it’s impossible to detect them reliably,” Paget said. “In most cases, the externally attached devices are made well enough that they blend in perfectly unless you know what to look for.”
According to a report issued early this month by Javelin Strategy & Research, nearly one in five debit or credit card fraud victims reported having their PIN information stolen in 2009 – which represents a “considerable increase” over 2008. The report also found that 10 percent of all fraud victims had cash withdrawn from their accounts via fraudulent ATM transactions.
And two weeks ago, the U.S. Secret Service in South Carolina issued a warning to consumers to be on the lookout for what authorities believe is an international operation to attach skimming devices to card readers, according to published reports. Authorities located roughly 10 skimmers at various ATMs, prompting the advisory.
In November, industry trade group the ATM Industry Association, which attributes $1 billion in annual global losses to skimming, called for tougher penalties for offenders.
The ATMs of major banks are being targeted with this type of fraud, and it is not only occurring in remote locations, Litan said. For example, skimmers have been placed on ATMs directly outside of bank branch locations in major U.S. cities. In addition, fraudsters have been systematically swapping out U.S. retailers’ point-of-sale systems with their own devices, which have been crafted to steal consumer information.
Banks are taking this issue seriously because they generally have to pay the fraud costs associated with skimming, Litan said. Banks incur skimming costs because they are liable for card-present transactions, or those in which the card and the cardholder are physically present at the time the payment is processed.
As a result, banks have been putting in place additional fraud detection measures and have begun reaching out to clients to educate them in ways they haven’t in the past, Litan said. However, it is often difficult to tune fraud detection systems so they don’t inconvenience customers by rejecting transactions.
“It’s a pretty sad state all around that the average citizen is powerless to protect against,” Paget said. “You can only hope that your bank protects you when you do eventually get scammed.”
To increase the security of transactions, many countries have already begun or completed the transition to chip cards, which securely store a cardholder’s account number and PIN on an embedded micro-computer chip that is virtually impossible to skim, Litan said. The transition here because of the cost and the high number of banks and retailers that would have to support the initiative.
But the United States may move to chip cards sooner than expected if current levels of skimming fraud continue, Litan said.
ATM Security Breach News Video