Thursday, July 28, 2005

Small Lawfirms Take on Privacy Class Action Suits


Small Lawfirms Take on Privacy Class Action Law Suits because the laws are untested and were assembled piecemeal by different states as more cases were brought against credit reporting agencies and data aggregators. This story covers the developing field of privacy class action law and where it is headed, mentioning Milberg Weiss Bershad & Schulman, one of the country's biggest plaintiff firms, and its involvement in the TransUnion privacy suit in Illinois federal court. Once the smell of big damages is caught by the sharks in the water, it brings out the dangerous firms and the real action starts. It's about time.

posted by RealitySEO at 6:45 PM 0 comments

Wednesday, July 27, 2005

PassMark's SiteKey & Bank of America Protecting Privacy?


PassMark's SiteKey - Answering The Wrong Question

In my article "Spear-Phishing - New Angles On An Old Game" http://www.cafeid.com/art-spear.shtml, I wrote about a variation on "traditional" e-mail phishing that has proved to be more effective than random casting of stink-bait into a vast pool of random e-mail addresses. The increase in effectiveness is the result of more focused targeting of potential victims through the use of real, usually stolen, corporate documents and so on that make the bait seem more legitimate to a much smaller group of recipients. This week, we take a look at PassMark's SiteKey, the first solution to be adopted by a major institution in its effort to combat phishing.

The Charlotte-based Bank of America is in the process of rolling out its plans to adopt the PassMark system in an effort to secure its online communications with its 13 million customers across the country. The Bank should be applauded for implementing such extensive changes to its online security model in spite of the fact that phishing is not yet, in and of itself, costing banks a great deal of money.

What it is costing the bank, however, is online-banking customers. ConsumerAffairs.com reported late last month http://www.consumeraffairs.com/news04/2005/gartner.html on a Gartner survey that indicated that 14% of those who had banked online had stopped because of security concerns, and 30% had altered their usage. For financial services companies like Bank of America that seem intent on removing the element of human contact once and for all from customer relations, that lack of confidence has to be disturbing.

As the practice of phishing becomes more and more sophisticated, so will the effort to combat it; and you can be sure that effort will be fraught with nominal solutions and opportunistic hand-waving that provide little more than a false sense of security. And while PassMark's system is better than nothing, it fails to address the roots of the problem and may give consumers the mistaken notion that the problem is someone else's to solve.

What Is SiteKey?

PassMark calls its system a "Two-Factor Two-Way Authentication"(TM) system. A two-factor system, according to the PassMark website, is one that relies on two identifying bits of information to authenticate a transaction. One factor might be a traditional password, and the second (the problematic one, apparently), might be a key fob or even some sort of biometric reader, items which are "not practical for the consumer market with millions of users." A two-way authentication system provides the capability not only for you to prove to the bank you are who you claim to be, but also for the bank to prove to you that it is really the bank sending you that e-mail or presenting you that website page.

To implement the two-factor system, PassMark bypasses traditional second factors like hardware devices that customers are apparently too dumb to maintain in their possession. "Even if you give them away for free," the PassMark website chides, "many users will forget them or lose them." Instead, the company takes a look at your computer and creates a unique "fingerprint" of the machine, consisting of things like HTTP headers, the IP-address, software configurations and even its geographic location (based on IP-address geomapping). It then has something to go by the next time you visit the site.

For two-way authentication, SiteKey assigns a secret image known, ostensibly, only to the customer and to the institution. Customers logging into the company's website will see the image and recognize it as a marker that the site is legitimate, and outgoing e-mail from the company to the customer will also carry the image to mark legitimate e-mail.

Sounds Great. What's Wrong With It?

The SiteKey system fails, according to IT Security Architect Doug Ross http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html, to address the fundamental problem of phishing because it leaves the customer susceptible to the classic "Man in the Middle" false-storefront attack. Since there's no way to distinguish the customer's virgin computer from a phisherperson's "malicious, zombie PC", according to Ross, "the zombie PC could present a false BofA store-front to the victim and proxy login information from the user to the bank and any resulting pages and images from the bank to the victim."

If Bank of America doesn't recognize the computer you're on, it will ask you one of your "secret questions" and a correct answer will display the SiteKey. Reasons it might not recognize your computer include, but aren't limited to, the possibility that you're on a different computer, that you're behind a firewall or that you don't allow it to place the secure cookie.

Even if SiteKey does recognize your computer, there's no indication that you're the one using your computer or that it is even in your possession. People lose laptops, too, in a variety of ways.

In addition, and this is probably the most worrying caveat, given the recent rash of massive security breaches at large storehouses of personal information, the SiteKey approach still relies on the storage of images and so on in your personal records on the merchant's database. Compromise of this data would leave you just as vulnerable as you'd be if your login and password were obtained.

Toward A Real Solution

The PassMark system is better than a standard login/password authentication scheme when it comes to securing the communication between you and the institution. However, it is Bank of America's (and, to be fair, most other such institutions') efforts to cut costs by removing human contact almost entirely from the customer service equation that has made phishing more and more lucrative by driving more and more customers to banking online.

Still, there are ways to improve this process. Ross nails it in a sidebar relating to the Bank of America website: "isn't it odd that when you go to the Bank of America site, you immediately note that the page is presented in cleartext ("http://"), not SSL ("https://"). The first step to combat phishers is to provide an SSL connection... first time, every time. Customers need to get used to expecting a secure connection on every BofA page."

Here at Cafe ID http://www.cafeid.com, we agree wholeheartedly. If you have a secure certificate, actually using it will go a long way toward securing transactions on your site, certainly further than putting up a cute picture of a dog and asking the customer to take that as evidence of a site's legitimacy. Certificate authentication remains the best way for the company to prove its identity to the customer. Besides, there's no downside to securing your website, particularly for companies dealing in online transactions involving money.

With online banking, what customers gain in convenience they lose in security. It may be time to consider stepping back a bit from technology's bleeding edge and just going down to the bank. But the convenience of online banking and bill-paying cannot be ignored. Customers want this capability, and they expect banks to work out a solution. Unfortunately, a real solution to the problem of phishing requires more than clever challenge-response systems. It requires, first and foremost, that the end-users take control of their online security rather than leaving it up to a third party.

How do you do this? Pay attention when you're online. No reputable companies are going to attempt to conduct important business via e-mail, and so answering e-mails alerting you to some problem with your account is generally a bad idea. Proceed straight to the company's website by typing it into your browser bar, and if you don't see a secure connection indicator in your browser, don't enter personal information about yourself.

The best way to deal with a bank used to be to establish solid personal relationships with its human employees; unfortunately, however, this is becoming an increasingly unworkable option. I suppose we can hang up the idea of going back to the teller window; but until better controls are in place on both the way personal information is communicated and the way it is stored, suspicion will remain the most effective way of keeping yourself protected against phishing.

-----

About the Author

Trevor Bauknight is a web designer and writer with over 15 years of experience on the Internet. He specializes in the creation and maintenance of business and personal identity online and can be reached at trevor@tryid.com. Stop by http://www.cafeid.com for a free tryout of the revolutionary SiteBuildingSystem and check out our Flash-based website and IMAP e-mail hosting solutions, complete with live support.


posted by RealitySEO at 11:27 AM 0 comments

Tuesday, July 26, 2005

Data Security of Retail Stores Targeted by Hackers


Main Street retailers are in hacker crosshairs for credit card information over unsecured wireless networks. This CNET news story by Eric Dash of the New York Times looks at a street in Miami where hackers routinely download customer credit card numbers and other private information from databases sitting on wireless networks that have easily guessed passwords or are completely unprotected and unencrypted.

It suggests that small shopkeepers should be schooled on network security if they handle credit card or other financial information over their computer network. The story points out how sales consultants for small business credit card terminals or simple sales tools used in small businesses don't tell shop owners about the risk that accompanies the use of wireless terminals, or that using wired PIN entry pads for debit card transactions puts data at risk as it crosses their already installed wireless network.

Multiple vendors of small business tools don't feel obligated to point out these risks when their tool is itself secure when used securely. Data security is an arcane area that mom and pop store owners rarely understand. Even if they understand the risks, they know nothing of solutions. Many don't bother even using built-in WEP (Wired Equivalent Privacy, a security protocol for wireless local area networks defined in the 802.11b standard) because they simply don't get the attendant geek speak that goes with implementing security in their tiny shops.

The story reviews how difficult it is to catch the hackers sitting in coffee shops on laptops, downloading sensitive credit card information from stores across the street from outdoor cafes, with powerful networks broadcasting that information beyond store walls to grateful thieves sipping lattes at Starbucks and tapping keyboards as though they were doing something that ISN'T sinister.


posted by RealitySEO at 1:55 PM 1 comments

Thursday, July 21, 2005

Warning: Free Credit Report Imposter Websites Springing Up on the Web


Copyright 2005 George Dodge

A recent amendment to the federal Fair Credit Reporting Act (FCRA) requires each of the nationwide consumer credit reporting companies to provide consumers with a free copy of their credit report, upon request, once every 12 months.

Access to the free credit reports has been phased in beginning last December in the West and will finally be nationwide by 1 September. This is good news to consumers.

However, a new form of phishing is manifesting itself even before access to free credit reports is available for all Americans.

The new law that requires the three national credit bureaus to provide a free annual credit report to consumers has met with the law of unintended consequences. Although the law was initially created to help thwart identity theft, the process for requesting the free credit reports may in fact contribute to further identity theft or loss of privacy.

While the intent of the law was to make it easier for consumers to check for errors and possible evidence of identity theft in their credit reports, according to a new report by the World Privacy Forum, more than 200 imposter websites have sprung up trying to exploit one of the methods made available for consumers to apply for their free credit reports.

One of the methods by which consumers can apply for their free credit reports is through a website that was established jointly by the three credit bureaus. The official website for applying for the free credit reports is at http://www.annualcreditreport.com

But if the identity thieves and other unscrupulous internet swindlers have their way, part of the very process set up in an attempt to curtail identity theft will leave consumers vulnerable to further loss of privacy.

The online pilferers create websites with domain names that are very close to the official website www.annualcreditreport.com. By registering similar names or close misspellings, such as wwwannualcreditreport.com (note the missing dot), creditannualreport.com and www.freeannualcreditreports.com they hope to entice consumers to unwittingly enter their private information into online web forms, thinking that they are on the official website.
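The naming tricks described above can be screened for mechanically by anyone reviewing a list of hostnames (proxy logs, mail links, new registrations). The following is an added example, not part of the original article; it goes slightly beyond the three imposter names quoted by also catching ordinary typos and other top-level domains. The category names, the distance threshold of 2 and the last three sample hosts are constructed assumptions.

```python
OFFICIAL = "annualcreditreport.com"
BRAND_WORDS = ("annual", "credit", "report")  # words of the official name, in order


def registrable(host):
    """Lowercase the host and keep its last two labels.

    Assumption: a simple two-label name such as example.com; a production
    check would consult the Public Suffix List instead.
    """
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete from a
                           cur[j - 1] + 1,               # insert into a
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def classify(host):
    """Return a verdict describing how `host` relates to the official site."""
    dom = registrable(host)
    if dom == OFFICIAL:
        return "official"
    label = dom.partition(".")[0]
    off_label = OFFICIAL.partition(".")[0]
    if label == off_label:
        return "other-tld"              # same name under a different suffix
    if label == "www" + off_label:
        return "missing-dot"            # wwwannualcreditreport.com
    if edit_distance(dom, OFFICIAL) <= 2:
        return "typo"                   # one or two keystrokes away
    pos = {w: label.find(w) for w in BRAND_WORDS}
    if min(pos.values()) >= 0:          # every brand word is present
        in_order = sorted(BRAND_WORDS, key=pos.get) == list(BRAND_WORDS)
        return "padded-name" if in_order else "reordered-words"
    return "unrelated"


def screen(hosts):
    """Map each host to its verdict, dropping official and unrelated names."""
    verdicts = {h: classify(h) for h in hosts}
    return {h: v for h, v in verdicts.items() if v not in ("official", "unrelated")}


# First four hosts are quoted in the article; the rest are constructed samples.
SAMPLE_HOSTS = [
    "www.annualcreditreport.com",
    "wwwannualcreditreport.com",
    "creditannualreport.com",
    "www.freeannualcreditreports.com",
    "annualcreditreprot.com",
    "annualcreditreport.net",
    "example.org",
]

if __name__ == "__main__":
    for host, verdict in screen(SAMPLE_HOSTS).items():
        print(f"{host:35} {verdict}")
```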

Depending upon the level of personal information detail captured from the imposter websites, the swindlers can then use the garnered information for illegal purposes, sell the information to purveyors of personal information databases, or they can simply send the unsuspecting consumer to commercial websites.

While the majority of imposter websites simply gather names, addresses, and email addresses and then send the consumer on to advertising sites, some sites attempt to gather social security numbers, birth dates, and other sensitive information.

To guard against the possibility of entering personal information on an imposter site, consumers can go to the official website from a link on the www.ftc.gov website or call the official toll-free number (877-322-8228) to get the free copy of their credit report.

Note: Strange as it may seem, your free annual credit report does not contain your credit score. For more information on your credit score, what it is, how it is used, and why it is important, see the resource box below.

About the Author:

George Dodge has been developing on the Web since 1994 and is owner of http://www.The-Credit-Repair-Center.com a source of information on personal finance management. For information on how you can also get a free copy of your credit score (which is NOT included with your annual free credit report), click here -> http://www.The-Credit-Repair-Center.com/scores/credit-scores.html Your Credit Score - Do You Know What It Is?


posted by RealitySEO at 2:30 PM 0 comments

Tuesday, July 19, 2005

Google Privacy Concerns


How much does Google know about you? I ignored this story when I first saw it at Wired News. Apparently the Associated Press picked up the story and now we see it at CNN. So addressing privacy concerns at Google is clearly a large public issue, since we have seen so many privacy breaches and data losses by large public companies. The story focuses first on hackers and Google employees with evil intent and points to the oft-heard Google mantra "Don't be evil", which has created a lot of goodwill for the company.

There is little that could stop serious hackers and Google insiders with a grudge against the company from seriously harming the image of Google by gathering and selling much valuable information held by the company.

It is not impossible to see a scenario where bad guys inside the company cooperate with external hackers or do some hacking themselves from inside - compromising the endless stores of data Google has on Gmail users, Google toolbar users, Google personalized search users, Google Desktop Search users, Adwords and Adsense users, Froogle shopping search users, Google Sitemaps users, Blogger users, Orkut users, etc. through the many Google company units.

As a user of all of those services, I shiver a bit when thinking of all that information gathered on my habits and client activities through each of those services, all aggregated into one database. When you add to it the payment services that Google is currently developing, it presents a very large target for bad guys.

Will we see a large-scale Google security breach in the future? G - I hope not. What are you doing to prevent it, Google?

posted by RealitySEO at 10:29 AM 0 comments

Spear-Phishing - New Angles On An Old Game


New security article by Trevor Bauknight on an apparently new type of very targeted phishing attack he has dubbed "Spear Phishing", since it is targeted rather than random. This method appears to be mostly corporate phishing, rather than the wide-ranging financial phishing we all experience. Frightening stuff considering how naive many are about these attacks.

Spear-Phishing - New Angles On An Old Game
by Trevor Bauknight

It usually doesn't take long for emerging trends in business IT security to reach the point at which a new name for a given phenomenon is required to set it apart. A relatively recent variation on the familiar e-mail phishing scams that targets small cells within a particular enterprise rather than millions of random people has reached that point. Last week, BusinessWeek reported on the growing phenomenon of "spear-phishing" and, while they charge for that information, we don't think you should have to pay to keep your sensitive information private.

A New Scam?

...Not really. If you know how phishing works, you already know how spear-phishing works. The difference lies only, as you might have guessed, in the skill and more focused target of the scammer. "Regular" phishing relies on casting a wide net knowing that, out of the millions of people who receive the e-mails, only a few will invariably respond. But spear-phishing relies more on the ability of the scammer to win the trust of a small group of people for at least long enough to grab all the sensitive information she can.

Different groups may be targeted, but the scheme seems to be most effective at targeting small groups within some large business enterprise network, and so this form of phishing has some characteristics that set it apart. Spear-phishing e-mail can be more difficult to catch because Subject and From headers are going to carry familiar text and because its circulation doesn't attract the attention of large clearinghouses of known scam information. Target e-mail addresses may be gathered from corporate directories, web sites and telephone conversations rather than from spammers dealing in huge lists of working addresses. The e-mails themselves may appear to be actual corporate documents but often carry trojan-horse keystroke-logging programs or links to fake websites set up to look like the real thing. The scammers could well be disgruntled former employees, vendors or others who have had access to the physical premises. And while some are using such techniques to target non-corporate groups like participants in eBay auctions, the goal of most spear-phishing scams is to collect sensitive commercial data.

Central to the success of a spear-phishing scheme is the artful use of what has come to be called "social engineering". Kevin Mitnick, notorious hacker turned security consultant http://www.mitnicksecurity.com, made the term famous with his seminal book on the subject _The Art of Deception: Controlling the Human Element of Security_. Briefly, social engineering is the art of winning the trust of a mark through familiarity, charm, feigned exasperation, the use of proper jargon and so on. Once convinced that the scammer is who he is pretending to be, the mark will reveal some useful bit of information that can then be exploited.

The textbook example of spear-phishing goes like this: A group or an individual obtains, through social engineering or physical or electronic access, some corporate document that can be used to convince even knowledgeable insiders to enter usernames and passwords at a faked extranet site or to open an attachment that contains a keylogging trojan-horse program. The e-mail goes to a small group within the corporate network and a much higher percentage of recipients respond because the source appears to be legitimate internal corporate communication. Armed with a few working logins, the spear-phisher accesses corporate intellectual property, personnel files or other sensitive data, which can fetch a high price on the black market.

Avoiding the Spear

It's probably true that no institution or enterprise is secured against all the possible variations on the phishing scheme, but there are several steps you and your business can take to guard against becoming a victim.

Business data security starts at the top and should permeate all levels of your IT structure. Establish policies of information exchange that preclude the ability of a spear-phisher to obtain key bits of data, such as internal documents, to which she is not entitled and don't veer from those policies under any circumstances. Eliminate unnecessary traces of former employees and turn off their electronic and physical access to your business properties. Above all, don't attempt to communicate with employees the same way the spear-phishers will try, such as through e-mail bearing links to internal websites or attached documents.

The most effective thing you can do to prevent your business from turning into a shallow pond is to keep informed and pay attention to things like abnormally slow computers, strange entries in e-mail logs (especially source-IP addresses that don't match those on your internal networks) and unusual patterns of website traffic.
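The e-mail log check mentioned above can be automated. The following is an added example, not part of the original article: it flags mail whose From address claims the internal domain but which entered the mail system from an address outside the internal networks. The domain `example.com`, the relay name `mx1.example.com`, the `10.0.0.0/8` range and the three sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumed corporate domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
OUR_MTAS = {"mx1.example.com"}                       # relays whose stamps we trust

PEER_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
STAMPED_BY = re.compile(r"\bby\s+([^\s;]+)")


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def entry_ip(msg):
    """IP of the peer that handed the message to our own relays.

    Received headers are read newest first. Only headers stamped by our own
    MTAs are trusted; anything below the first foreign stamp can be forged
    by the sender, so the walk stops there.
    """
    last = None
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())                  # undo header folding
        by = STAMPED_BY.search(hdr)
        if not by or by.group(1).lower() not in OUR_MTAS:
            break
        peer = PEER_IP.search(hdr[:by.start()])
        if not peer:
            break
        try:
            last = ipaddress.ip_address(peer.group(1))
        except ValueError:
            break
        if not is_internal(last):
            return last                              # crossed the perimeter here
    return last


def check(raw):
    """Return (from_address, entry_ip, suspicious) for one raw message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    claims_internal = addr.rpartition("@")[2] == INTERNAL_DOMAIN
    ip = entry_ip(msg)
    # An internal sender with no verifiable internal origin is worth a look.
    suspicious = claims_internal and (ip is None or not is_internal(ip))
    return addr, ip, suspicious


def build(*lines):
    return "\n".join(lines) + "\n\nbody\n"


# Constructed sample messages (documentation address ranges, not real traffic).
SAMPLES = [
    build("Received: from ws12.corp.example.com (ws12.corp.example.com [10.1.4.22])",
          " by mx1.example.com with ESMTP; Tue, 19 Jul 2005 08:59:00 -0400",
          "From: hr@example.com", "Subject: Holiday schedule"),
    # The lower Received line is written by the sender to look internal.
    build("Received: from relay.example.net (unknown [203.0.113.45])",
          " by mx1.example.com with ESMTP; Tue, 19 Jul 2005 09:00:02 -0400",
          "Received: from ws3.corp.example.com (ws3.corp.example.com [10.1.4.9])",
          " by relay.example.net with SMTP; Tue, 19 Jul 2005 09:00:00 -0400",
          'From: "IT Help Desk" <helpdesk@example.com>',
          "Subject: Updated extranet login"),
    build("Received: from out.example.org (out.example.org [198.51.100.7])",
          " by mx1.example.com with ESMTP; Tue, 19 Jul 2005 09:05:00 -0400",
          "From: news@example.org", "Subject: Newsletter"),
]

if __name__ == "__main__":
    for addr, ip, suspicious in map(check, SAMPLES):
        print(f"{addr:24} {str(ip):15} {'REVIEW' if suspicious else 'ok'}")
```

Remote staff and hosted mail services legitimately send internal-domain mail from outside, so a real deployment needs an allowlist for those sources before alerting.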

Several groups have set up shop on the Web to provide you with as much up-to-date information as possible. We recommend, especially, the website of the Anti-Phishing Working Group http://www.antiphishing.org and the Trusted Electronic Communications Forum http://www.tecf.org/ . Here at Cafe ID http://www.cafeid.com , we maintain a one-stop shop of up-to-date resources and information on every aspect of Internet security and identity protection.

If you think you've already been a victim of some form of phishing attack, a great place to start undoing the damage is at the Internet Fraud Complaint Center http://www.ifccfbi.gov/index.asp . Local law enforcement is another excellent place to turn. If your customers' or employees' personal information is compromised, by all means notify them immediately of the potential trouble so that they can take the steps necessary to keep themselves safe from exploitation.

As businesses become more and more dependent upon the Internet and its protocols for both public and internal communications, it becomes more and more important to keep an eye on emerging trends like spear-phishing. But the best thing to keep in mind is that these sorts of problems aren't new and they rely on some of the oldest forms of deception known to man. Social engineering is as old as bureaucracy, and there's little reason to suggest that we're getting any better at dealing with it.

-----

About the Author

Trevor Bauknight is a web designer and writer with over 15 years of experience on the Internet. He specializes in the creation and maintenance of business and personal identity online and can be reached at trevor@tryid.com. Stop by http://www.cafeid.com for a free tryout of the revolutionary SiteBuildingSystem and check out our Flash-based website and IMAP e-mail hosting solutions, complete with live support.


posted by RealitySEO at 9:00 AM 0 comments

Monday, July 18, 2005

How much does a security breach actually cost?


Article from The Register offering an overview of the costs of security breaches and who pays those costs. Ruminations from Mark D. Rasch, attorney and former head of the Justice Department's computer crime unit. Good overview of recent breaches in which high-profile companies lost financial and personal information. Good read.

posted by RealitySEO at 1:20 PM 0 comments

Online private eyes draw privacy complaints


Online private eyes draw privacy complaints according to this C|Net story by Elinor Mills Monday. It appears that it is becoming as simple as entering your credit card into a web form to gather location information, financials, cell phone logs and other private information on almost anyone. Privacy advocates oppose the ease of access to this information by anyone at any time. The biggest and most obvious concern is that of criminals (or anyone with a grudge) being able to track down targets with ill intent.

Beyond the bad guy scenario, it becomes possible for parents to check up on children, spouses to track the movements of their significant others and neighbors to effectively spy on the guy across the street or up the hall. Besides being simply creepy, it seems wrong for private information to be sold to anyone who feels a couple of hundred dollars is justified to dredge up details on a potential date or annoying neighbor.

Privacy advocates are suggesting that the firms that sell this information should be required to vet their customers to be sure that they aren't seeking information for ill intent and that they be able to justify their need of the information they purchase anonymously online. Though credit card records exist on these information purchases, it is only partially trackable to the credit card owner and is subject to the belief that the card used is in fact legitimately owned by the purchaser. Beyond that, the person being tracked and traced is nearly always unaware that their personal and financial privacy is being violated.

Shouldn't the person being investigated be notified that they are being monitored and followed? Data is truly too easily gained and we must tighten up on the easy flow of information of a private nature. This applies to data brokers of every sort, including credit monitoring agencies, public records and business information - all will easily sell what they know without hesitation to criminals - a la ChoicePoint.

It's not so much about big brother here. More like thousands of creepy little brothers, and friends, and neighbors, and estranged significant others and slimy small time creeps. Makes me shiver.

posted by RealitySEO at 9:36 AM 0 comments

Sunday, July 10, 2005

Data Theft: How to Fix the Mess


Identity Theft: How to Fix the Mess - New York Times business section story by Joseph Nocera which outlines how to completely resolve the issue of identity theft and data security by making those businesses holding credit and financial information ENTIRELY responsible for abuse, loss, theft or leaks of that data.

EXACTLY my philosophy. Nocera argues that because the onus has been put on the consumer to fix the problem, nothing has happened to fix the problem. All that consumers can do is complain to the source of the leak or theft or loss - then spend years cleaning up the identity theft mess left by cavalier treatment of their financial information by those holding it. Data aggregators, credit bureaus and financial institutions are all making it too easy for us to become victims of theft or loss by holding little regard for security of that information.

The UPS loss of CitiFinancial backup tapes last week is a prime example of lack of security and complete carelessness with which companies treat our sensitive data.

If businesses handling, storing, transporting and accessing sensitive financial and personal data were held ENTIRELY responsible for any losses incurred, they would find a way to protect that data against loss, abuse or theft. Nocera suggests that if businesses - NOT CONSUMERS - are made responsible for all losses, then losses will stop, period.

I agree.

posted by RealitySEO at 7:04 AM 0 comments

Friday, July 08, 2005

Lawsuit seeks disclosure in credit card heist


Lawsuit seeks disclosure in credit card heist: this story is further coverage of the San Francisco class action suit against CardSystems, Visa and MasterCard filed last Monday.

posted by RealitySEO at 7:42 AM 0 comments

Thursday, July 07, 2005

UPS Loses Financial Records of CitiFinancial Customers


UPS Loses Financial Records, But Has a Bigger Problem in the latest breach of security, according to this linked account. UPS lost a box of backup data tapes containing records on 4 million customers. Let's see now: 40 million customer financial and personal records lost by CardSystems, plus 4 million lost by UPS from CitiGroup Financial, 145,000 ChoicePoint victims, 310,000 Lexis/Nexis victims, 1.4 million DSW victims, one million victims of Bank of America data loss. Do you think there is any overlap there? Of course there is!

This means that it may be unlikely you can figure out where your identity theft originated or how your financial or other information was obtained by crooks who abuse it - but it is extremely likely that you will be among the increasingly large list of victims of these seemingly endless data breaches.

Shouldn't events like the UPS loss of packages containing sensitive financial information on 4 million people require more of its transportation company than a brown uniform and hand scanners? Why should transport of that sensitive data be given to UPS? Wouldn't the sensitive nature of the cargo, in this and many other cases, recommend say - armored trucks and armed guards to protect the information? Isn't the increased expense justifiable considering the cost of lawsuits sure to result in huge expenses to every company that suffers the next data breach?

I think this casually treated and transported information should be treated with more respect than cash, since it involves potentially greater financial losses when theft or loss occurs. Financial institutions and data aggregators holding sensitive financial and personal information should increase their storage, transportation and security budgets to protect this data. The slew of leaks, thefts and plain careless losses has already cost public confidence that may never be regained.

posted by RealitySEO at 2:45 PM 0 comments

Friday, July 01, 2005


ChoicePoint overhaul completed, company says according to this linked ZDnet story. The huge ChoicePoint leak has been repaired, hopefully with more than a finger in the dike.

posted by RealitySEO at 8:23 PM 0 comments

Cardsystems Named in Class Action Suit


Cardsystems Named in Class Action Suit according to this linked Consumer Affairs story. So now the lawsuits begin to show up for identity theft and privacy issues of data handlers. More will inevitably follow. This case was filed in San Francisco.

posted by RealitySEO at 12:22 PM 0 comments