Thursday, April 29, 2010

Be Your Own Best Advocate: Mortgage Fraud Prevention

Mortgage Fraud: Education Key to Prevention

Mortgage fraud is a giant problem in certain parts of the country. Whether your institution is located in the worst states for it or not, you have to realize that this type of fraud is everywhere. And the best way to stop it is by preventing your customers from falling for the unscrupulous scammers looking to cash in on other people's misfortune.

The scenario is a familiar one: Desperate homeowners who are falling behind on mortgage payments want to find help. They find a scammer instead.

Examples of common mortgage fraud schemes are outlined in the booklet, such as signing incomplete documents or making payments for foreclosure rescue services that are otherwise free through government programs, such as the Homeownership Preservation Foundation and their HOPE Hotline.

Common mortgage fraud scams include property flipping, real estate investment schemes and reverse mortgage scams. The booklet also includes examples of foreclosure rescue scams that prey upon individuals who are in danger of losing their homes, and recommends that consumers contact their lender or non-profit organizations, which can assist the consumer before they fall victim to this fraud.

One resource institutions can point their customers and consumers to is the new booklet Be Your Own Best Advocate: Mortgage Fraud Prevention by BITS, the technology division of the Financial Services Roundtable. The booklet educates consumers about mortgage fraud and gives simple solutions they can use to protect themselves. As Leigh Williams, President of BITS notes in a recent interview, "Preventing fraud in products such as mortgage lending is an issue for many institutions. Anything that hurts a homeowner is bad for the homeowner and the institutions."

Sunday, April 25, 2010

iPhone SMS database can be hacked

Security Researchers Hacked iPhone

The University of Luxembourg's Ralf-Philipp Weinmann and Zynamics' Vincenzo Iozzo chained existing code bits using the "return-into-libc" or "return-oriented-programming" technique to compromise the iPhone during the PWN2OWN hacking contest in Vancouver, Canada.

The security researchers were able to bypass the iPhone's code signing and data execution prevention technologies a year after previous contest participants were unable to hack into the device. Iozzo and Weinmann were able to execute code on the iPhone when a user visits a malicious Web site, and the attack code steals the iPhone’s SMS database.

Refer here to read more details.

Saturday, April 24, 2010

What if someone hacked into medical system and sent his blood sugar levels plummeting?

Scientists Work to Keep Hackers Out of Implanted Medical Devices

Researchers are developing ways to prevent hackers from accessing and remotely controlling medical devices that emit wireless signals. For example, Oak Ridge National Laboratory's Nathanael Paul is designing a more secure insulin pump that cuts some of the wireless connections between parts of the system. Other researchers are looking for security solutions for pacemakers and cardiac defibrillators.


Some researchers have suggested protecting the devices with passwords, but doctors and nurses would have to be able to control the devices in the case of an emergency. "If you have a patient that's unconscious on the ground, you really don't want the medical staff to have to figure out what security system they're using," said University of Washington's Tamara Denning at the recent CHI 2010 conference.

The passwords could be tattooed in the form of a barcode on the patient's skin, either with visible ink or ink that can only be seen under ultraviolet light, Denning said. Security issues for medical devices will increase when these devices are connected to phones, the Internet, and other computers, notes University of Massachusetts at Amherst professor Kevin Fu.

Refer here to read more details.

Thursday, April 22, 2010

Fraudsters Swapping Out POS Devices, Stealing Card Data

Data at Risk

Once the device has been swapped, the amount of data to be stolen is related to the amount of time the compromised terminal is in place at the retail location. It also depends on the number of cards that transact during that time. It can run into thousands of cards.


In most of the POS terminal compromises Urban says he has seen in the U.S., the stolen data is stored on the POS terminal until the terminal is swapped back out. But there is a trend toward card-compromising devices that broadcast the data via Bluetooth or other wireless protocols.

The Hancock Fabrics data breach continues to raise new questions about the security of point of sale (POS) devices at retail stores.

In March, the national fabric store chain publicly confirmed the breach it suffered last summer, sending an open letter to its customers, revealing: "PIN pad units at a limited number of Hancock Fabrics stores were stolen and replaced with visually identical, but fraudulent, PIN pad units. This may have allowed criminals to capture -- or "skim" -- payment card data during transactions."

Hancock didn't reveal the locations or number of stores where point of sale scanners were compromised -- nor the number of customers who had their card data taken -- but at least 140 reports from customers in California, Wisconsin and Missouri show the pervasive nature of the fraud.

The lesson here: It is relatively easy for fraudsters to tamper with or even swap out POS PIN Entry Device (PED) pads, and these types of incidents are likely to increase, putting retailers, consumers and banking institutions at risk of future card-related fraud.

According to Bank Info Security, it is conceivable that the data captured can be Track 2 data plus the user's PIN, "which means the criminal may be able to manufacture fake debit cards," says Chuvakin. Combined with the ability to withdraw from the bank account up to a daily limit of $500, this data could inflict real damage on individual victims, with banking institutions then footing the bill to replace cards and/or monitor accounts.

Prevention and Education

The Hancock Fabrics breach points to several steps that retailers can take to prevent this kind of crime from happening to them:

Ensure PCI Compliance -- Make sure all POS terminals are PCI compliant and use Derived Unique Key Per Transaction (DUKPT). Securely install terminals with unique hardware as a deterrent, and visually inspect them along with the registers every day.

Educate Employees -- Security awareness training for all store employees would be a great start. Newer PIN pads that have more built-in security measures like device tamper resistance can help, but it's important to keep spare PIN pads locked away, and employees should periodically check the deployed pads while at work to make sure the device ID still matches.

Audit the PEDs -- Inspect them on a regular basis, recording them and cross-checking the serial numbers. Chuvakin recommends that retailers follow the PED Security Guidelines and review the condition and placement of internal CCTV systems to cover all till areas.

Watch Your Staff -- The PCI Security Council's PIN Transaction working group also recommends performing background checks on employees, as well as keeping a complete record of any work done on the POS pads by service providers. If a service engineer arrives at the store unannounced to do work on the PEDs, the working group recommends that their identity be confirmed by contacting the service company before any work is performed.
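The "Educate Employees" and "Audit the PEDs" steps above boil down to one routine check: compare what is physically at each till (serial number on the label, device ID the unit reports) against the registered inventory, and flag anything that does not match. The following is an added example of that cross-check, not code from the original post, from Hancock Fabrics or from the PCI Security Standards Council; the till names, serial numbers and device IDs are constructed placeholders.

```python
"""Daily PIN Entry Device (PED) audit: cross-check the serial number and
device ID observed at each till against the registered inventory.

Added example (not from the original post). All tills, serial numbers and
device IDs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ped:
    serial: str     # serial number printed on the device label
    device_id: str  # device ID the unit reports on its display or receipt


# Registered inventory: which PED belongs at which till, plus the spares that
# should be locked away. Constructed values.
INVENTORY = {
    "till-01": Ped("SN-10001", "DEV-A1"),
    "till-02": Ped("SN-10002", "DEV-A2"),
    "till-03": Ped("SN-10003", "DEV-A3"),
}
SPARES = {Ped("SN-19001", "DEV-S1")}


def audit_peds(inventory, spares, observed):
    """Compare a walk-round against the inventory.

    `observed` maps a till to the Ped found there (None if the till has no
    device). Returns a list of (till, finding) tuples, in inventory order;
    an empty list means every till matches and nothing unexpected turned up.
    """
    findings = []
    known = {p.serial for p in list(inventory.values()) + list(spares)}
    for till, expected in inventory.items():
        if till not in observed:
            findings.append((till, "not inspected today"))
            continue
        seen = observed[till]
        if seen is None:
            findings.append((till, "device missing"))
        elif seen == expected:
            continue
        elif seen.serial == expected.serial:
            # Same label but a different reported ID: the label may have been
            # transplanted onto another unit, which is a swap indicator.
            findings.append((till, f"device ID mismatch: label {seen.serial} "
                                   f"expected {expected.device_id}, reported {seen.device_id}"))
        elif seen.serial in known:
            findings.append((till, f"device {seen.serial} belongs elsewhere "
                                   "(moved from another till or taken from spares)"))
        else:
            findings.append((till, f"unknown device {seen.serial}: possible fraudulent replacement"))
    for till in observed:
        if till not in inventory:
            findings.append((till, "till not in inventory"))
    return findings


# Constructed walk-round: till-01 label matches but reports a different ID,
# till-02 holds a unit nobody registered, till-03 holds the locked-away spare.
TODAYS_WALK_ROUND = {
    "till-01": Ped("SN-10001", "DEV-ZZ"),
    "till-02": Ped("SN-66666", "DEV-Q9"),
    "till-03": Ped("SN-19001", "DEV-S1"),
}

if __name__ == "__main__":
    for till, finding in audit_peds(INVENTORY, SPARES, TODAYS_WALK_ROUND):
        print(f"{till}: {finding}")
```

Any finding other than "not inspected today" is a reason to take the till out of service and escalate; the point of recording both the label serial and the reported device ID is that a fraudulent unit can carry a copied label, so the two must be checked together.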

Tuesday, April 20, 2010

Chinese cyber attack hits Optus customers

China launched a successful distributed denial of service attack against one of the telco's financial services customers

Optus declined to reveal which customer was targeted by the attack, but it is understood the firm in question is a multinational company. Last week an undetermined number of Optus's corporate customers -- including AAP and The Australian's publisher News Ltd -- were affected by the outage as internet traffic slowed to a trickle.

It's understood that the attack caused major email outages for companies using US-based spam-filtering services. As the link slowed down, hundreds of thousands of messages were caught in a backlog that delayed email service by hours.

To stop the attack, Optus had to work with an international telecoms carrier to block the point of interconnect on its international transmission link -- which travels from Australia to the US via China. This cyber-attack is just one of many originating from China in recent months. Last month, Google withdrew from the communist state after similar attacks and restrictive freedom of information laws impinged on the company’s ability to conduct business there.

It is thought the Australian government was targeted by cyber-attacks from China on several occasions in 2007.

At the time, China was accused of attempting to hack into highly classified government computer networks in Australia and New Zealand as part of a broader international operation to glean military secrets from Western nations. “It's a serious problem, it's ongoing and it's real," a senior government source said then. (Australian IT)

Friday, April 16, 2010

Emerging Cyber Security Threats and Issues

Summary of AVG Web Intelligence Report

On 2 November 1988 a 22-year-old Cornell University student called Robert Morris released an internet worm capable of exploiting vulnerabilities in the UNIX operating system. It is estimated that it infected 10 percent of the internet. Twenty years on, the scale of the malware problem has grown astronomically.

Today’s internet attacks are organized and designed to steal information and resources from consumers and corporations. Although there have been instances of attacks driven by politics and religion, the main motivation is financial.
The web is now the primary route by which cybercriminals infect computers, mainly due to the fact that increasing numbers of organizations have secured their email gateways.

As a consequence, cybercriminals are planting malicious code on innocent websites. This code then simply lies in wait and silently infects visiting computers.
The scale of this global criminal operation has reached such proportions that, on average, anti-virus companies discover one new infected webpage every 4.5 seconds, 24 hours a day, 365 days a year.

The past years have proved that malware is more than just a Microsoft problem. Although the sheer number of Windows threats far outweighs attacks against any other platform, cybercriminals are turning their attention to other operating systems such as Apple Macintosh, and to vulnerable cross-platform software.
This seems likely to continue in upcoming years, with the increasing popularity of portable devices such as the iPhone, iPod Touch, Google Android phones and ultra-mobile netbooks.

In order to combat the latest security threats, AVG conducted a series of research studies and released its Web Intelligence report for April 2010. I was pleased to review this report and find some interesting facts and figures.
In the report, they show how hackers managed to infect computers with their malware by taking advantage of an unpatched Internet Explorer vulnerability (a zero-day) that had been disclosed to the public. They also expose how widely this zero-day was exploited on the web and the impact it had on users browsing without protection. Their research shows that public disclosure of information about an unpatched vulnerability (zero-day) leads to a swift response by hackers.

The disclosed information was embedded in an exploit toolkit known as Neosploit and used by several cybercriminal gangs around the globe. The Neosploit exploit toolkit is software written by hackers and sold online to cybercriminals, who use it to infect innocent web users with their malware. The toolkit includes everything the cybercriminal needs to operate the attack: the malware, the exploit code, the statistics reports, etc. (AVG Web Intelligence Report).


The report answers complex security questions such as:

How does the compromised website serve the exploit?

How does the hackers' malicious code try to install malware on the end-user's PC?

How can users be protected from such common security attacks?


In summary, AVG managed to visualize what happens between the time a vulnerability is discovered and used by hackers in the wild and the time a security patch becomes available from the product vendor. Knowing that users' PCs are vulnerable, hackers rush to 'color' the Web with their attacks. Even non-technical hackers can join the 'party' by distributing the exploits using readily available attack toolkit software packages.


Computer users will continue to face challenges in securing and controlling their computers, as criminals attempt to capitalize on new technology to make money and cause disruption. In addition, threats like identity theft and fraud will still occur far into the future because of human mistakes. However, if managed properly, the problem should not be insurmountable. Sound security practices, up-to-date protection and an active commitment to keep informed can all help defend business networks in the year ahead.

The good news is that security software is getting better all the time. Proactive detection of new, unknown malware threats is at an all-time high, and computer users who are sensible and properly defended can dramatically reduce the risks.

Wednesday, April 14, 2010

Film's opening-weekend can be predicted by monitoring tweets.

Twitter: A new box-office oracle?

HP Labs researchers have developed a way to use Twitter to gauge real-time interest in movies and accurately predict how they will perform at the box office on opening weekend. HP Labs' Sitaram Asur and Bernardo Huberman developed computational formulas that analyze Twitter feeds and use the rate at which movies are mentioned in Twitter updates to predict the first-weekend returns.

The research also showed Twitter could be used to predict other events, such as how major products will be received and the outcomes of elections, according to Huberman. HP Labs studied nearly 3 million Twitter updates that mentioned 24 major movie releases over the course of three months. The researchers factored in the release date and the number of theaters the movie would be shown in, to predict the opening weekend box office performance with 97.3 percent accuracy.

They also developed a system that evaluates the sentiments of Twitter updates as positive, negative, or neutral, to predict the following weekend's returns with 94 percent accuracy.

Refer here to read more details.

Tuesday, April 13, 2010

Chinese government involvement in Cyber-attacks?

Researchers Trace Data Theft to Intruders in China

Over the past eight months a team of U.S. and Canadian researchers have spied on a gang of intruders that stole sensitive information from the Indian Defense Ministry and traced them to China. A report from the researchers indicates that the ring extensively employed Internet services such as Twitter, Yahoo! Mail, and Google Groups to automate the control of computers once they had been commandeered.


The investigators gained access to the control servers used by the gang to monitor the theft of a broad spectrum of material, and traced the attacks to intruders that appeared to be based in Chengdu. Among the stolen material were documents related to the travel of NATO forces in Afghanistan, which demonstrated that many nations can be put at risk of exposure by a single computer security hole.

I quote from the news:
"An important question to be entertained is whether the [People's Republic of China (PRC)] will take action to shut the Shadow Network down," the report says. "Doing so will help to address long-standing concerns that malware ecosystems are actively cultivated, or at the very least tolerated, by governments like the PRC who stand to benefit from their exploits through the black and gray markets for information and data."
Please refer here to read more details.

Friday, April 9, 2010

Staying Anonymous in a Time of Surveillance

Read digital books? Then your e-book provider probably knows which titles you’ve read

From Googling to e-mailing to social networking, every day millions of Internet users unknowingly leave behind digital breadcrumbs while surfing the web, sometimes at the risk of compromising their anonymity. But while there’s technology available to stay anonymous in a time of surveillance, experts say policies and legislation won’t protect us from privacy invasion or being attacked in cyberspace.

As a medium, the Internet has allowed its users an unprecedented level of anonymity. Usernames and avatars hide names and true identities in online forums and communities, and anyone can choose how much to disclose to others in cyberspace. However, while most understand how posting personal information could have severe consequences, very few realize their online activity can be monitored and cross-referenced to reveal clues about their identity.

It's important to remember that every time you interact with a third party online, they have information about you. You may buy your books online; lots of people buy things online. It's not just social-networking sites where we volunteer this information; we volunteer it in a lot of ways.


Take the simple task of doing a web search, for example. In 2006, The New York Times reported how leaked records from AOL revealed how users' search-engine queries could be linked to their identities. By collecting and analyzing a user's web searches, AOL's researchers peeled away the many layers of cyber anonymity, unveiling the identity of user No. 4417749: Thelma Arnold, a 62-year-old widow who lived in Lilburn, Ga.

During a three-month period, Arnold typed into AOL’s search engine sentences such as “60 single men,” “landscapers in Lilburn, Ga” and “tea for good health,” clues that led AOL researchers to her. Commenting on AOL’s practice of storing users’ information, Arnold said to The Times, “We all have a right to privacy … Nobody should have found this all out.”

Search engines are just one of many places that, unknown to most, track users' activity. Traveling through cyberspace, you provide information to others almost every click of the way, including to the ISP that knows your IP address, the browser that tracks which sites you've visited, and the cookies that store login or registration identification and user preferences.

How you read and gather information can be very sensitive. People often go on an intellectual journey where they really discover and explore fringes of political thought or other thoughts. It’s not hard to imagine a young person reading up about homosexuality, for example, if they have questions of their sexual orientation. That’s something that’s far from illegal but something they don’t want the world to know.

However, while anonymity allows people to express themselves freely without the fear of retaliation or persecution, there is always a darker side to it: It breeds criminal behavior.

From phishing and spam to botnets and DDoS attacks, global crime rings have been able to form in an environment that fosters concealment. While anonymity in cyberspace is “generally a good thing,” one imminent problem is how criminals are using it in combination with the borderless nature of the Internet to develop international crime rings.

Cyber crime is an international problem and the lack of true authentication leads many to fall victim to scams–419 advance fee frauds, for example. Criminals can freely and openly do business via web forums because they are able to cloak themselves.

As the majority of today’s cyber threats are profit based, criminals don’t want to be caught or have their businesses hampered, either by law enforcement or by competitors, so almost all cyber threats work to be untraceable. Compromised computers act as proxies and/or illicit bulletproof hosting is used to mask true sources. Unless serious investigations are made, at best, most cyber threats can only be traced to a proxy.

The future may bring a realignment of the Internet and its network of networks–untrustworthy networks that provide cloaking for criminals may be disconnected. Businesses that are attacked from anonymous sources may well decide to pull out of those countries that allow for such attacks to [be] carried out. Google is now a prominent example of this.

Wednesday, April 7, 2010

6 Steps to Reduce Online Fraud

What Must Be Done to Protect Business Accounts

What can - and should - a banking institution do to help protect its business customers?

Current Fraud Trends

There are three variations of fraud that are commonly seen as particularly prevalent now:

First Party - where criminals open accounts and use them as pass-through accounts to move money. Additionally, there may also be legitimate business owners who are kiting: they create additional float so that they have an additional line of credit. They do not mean to defraud the bank, but they are creating a float-based form of credit.

Internal - where employees sell information about a business' accounts to outside organizations. Another scenario is where the small-business employee who is accessing the business accounts moves money out and then leaves town. One twist in detecting internal fraud is the possibility that employees who perform the transactions will muddy the trail by saying their account credentials were taken in a phishing email. They can almost use that as an excuse, and it can't be proven unless the business has internet web logs, so it is hard to tell whether the employee was colluding with outsiders or the account actually was phished.

Third party - where most of the warnings are coming in via phishing, social engineering or spear-phishing. There are even infected webpages that can compromise a user's PC. Criminals attack the business, compromise the online credentials and move money out of the accounts.

Areas to Improve Security

Many institutions impose transaction limits as a way to stop fraud. This is a "stop gap measure" and these additional steps should be followed:

Account Level Check - Look at the types of transactions that are happening: what the typical behavior is, which logins occur and when they happen. Then if users start logging in at night or over the weekend, that's a red flag to hold transactions until you can talk to the business owner, stopping fraud from taking place. The key is to use analytics to scope "out of the ordinary" transactions. Look across all of the customer's behavior to spot what is unusual for that account holder.

Create Unique Account User IDs - Make sure users all have different log-in identification. Do not let them share the same user name and password. There should be a unique user name for each person so that the institution can build a unique usage profile for each user. This is similar to the PCI requirements: anyone who accesses data needs a separate log-in.

Dual Control - Have two unique users approve transactions. If you can implement that, it goes a long way in reducing the chances of criminals stealing from the SMB account with a single user logon, and it also stops the threat of internal fraud.

Multi-Factor Authentication - Even though this solution is susceptible to man-in-the-middle and man-in-the-browser attacks, it is still an effective layer of protection. Business owners often ask, "I have so many users on the account; how many tokens will I need?" The answer is a unique token for every user.

SMS Messaging - This out-of-band message to users and account owners is important. It can be bypassed if a criminal can get into and change numbers or email contacts. But an institution can get around that by contacting the old number or email when a change is requested to verify that it was the account holder -- not a criminal -- making that request. This is something that banks already do with address changes. You need to realize that criminals will go in and change email and phone number contact information, so it is a heads-up that something is taking place.

IP-Email Address Controls - Only allowing certain email address/IP locations to go to the bank's online website to do transactions is another good control to put in place. It can be overcome, but it is another good layer of control. What's the risk that someone has just changed their phone and email contact information and is coming in from another email IP location to make these transactions? If they're coming in from another IP address, by looking at the risk, the institution can stop and look at it and question the transaction.
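The account-level check, dual control, the out-of-band contact-change rule and the IP control above are all decisions a bank can make automatically before a transfer is released. The following is an added example of those layered checks, not code from the original post or from any bank's fraud system: it builds each user's usual login hours and weekdays from constructed login history, then holds a transaction if it falls outside that baseline, comes from an unregistered IP address, follows a recent phone or e-mail change, or lacks a second distinct approver. The account, user names, IP addresses (from documentation ranges) and timestamps are all constructed.

```python
"""Layered release checks for a business online-banking transaction.

Added example (not from the original post or any bank). Account records,
user names, IP addresses and timestamps are constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    usual_hours: Dict[str, Set[int]]   # user -> hours (0-23) seen in login history
    usual_days: Dict[str, Set[int]]    # user -> weekdays (0=Mon) seen in login history
    allowed_ips: Set[str]              # IP addresses registered to transact from
    approvals_required: int = 2        # dual control: two distinct users
    contact_changed_at: Optional[datetime] = None  # last phone/e-mail change


@dataclass
class Transaction:
    user: str            # unique user ID that initiated the transfer
    at: datetime
    source_ip: str
    approvers: Set[str]  # user IDs that approved it (initiator included if they did)


def build_baseline(logins):
    """Derive each user's usual hours and weekdays from past (user, timestamp) logins."""
    hours, days = {}, {}
    for user, when in logins:
        hours.setdefault(user, set()).add(when.hour)
        days.setdefault(user, set()).add(when.weekday())
    return hours, days


def assess(account: Account, txn: Transaction,
           contact_window: timedelta = timedelta(days=7)) -> Tuple[str, List[str]]:
    """Return ('release', []) or ('hold', [reasons]) for one transaction."""
    reasons = []
    if (txn.at.hour not in account.usual_hours.get(txn.user, set())
            or txn.at.weekday() not in account.usual_days.get(txn.user, set())):
        reasons.append("activity outside this user's usual hours or days")
    if txn.source_ip not in account.allowed_ips:
        reasons.append(f"source IP {txn.source_ip} is not registered for this account")
    if account.contact_changed_at is not None:
        since_change = txn.at - account.contact_changed_at
        if timedelta(0) <= since_change <= contact_window:
            reasons.append(f"phone/e-mail contact details changed within the last "
                           f"{contact_window.days} days; verify via the old contact")
    if len(txn.approvers | {txn.user}) < account.approvals_required:
        reasons.append("dual control not met: fewer than two distinct users approved")
    return ("hold" if reasons else "release", reasons)


# Constructed login history: two users, weekdays only, office hours in March 2010.
SAMPLE_LOGINS = [
    (user, datetime(2010, 3, day, hour))
    for day in range(1, 27)
    for hour in (9, 11, 14, 16)
    for user in ("alice", "bob")
    if datetime(2010, 3, day).weekday() < 5
]
ACCOUNT = Account(*build_baseline(SAMPLE_LOGINS), allowed_ips={"203.0.113.10"})
# Same account, but the phone/e-mail contacts were changed the evening before.
SUSPICIOUS_ACCOUNT = replace(ACCOUNT, contact_changed_at=datetime(2010, 4, 9, 18, 0))

# Tuesday afternoon, registered IP, approved by two users: released.
NORMAL = Transaction("alice", datetime(2010, 4, 6, 14, 15), "203.0.113.10", {"alice", "bob"})
# Saturday 02:30, unknown IP, only the initiator approved, right after a contact change.
SUSPICIOUS = Transaction("alice", datetime(2010, 4, 10, 2, 30), "198.51.100.7", {"alice"})

if __name__ == "__main__":
    for label, acct, txn in (("normal", ACCOUNT, NORMAL), ("suspicious", SUSPICIOUS_ACCOUNT, SUSPICIOUS)):
        decision, reasons = assess(acct, txn)
        print(label, "->", decision, reasons)
```

A held transaction is not a rejection; as the text says, it is the trigger to call the business owner on the previously registered number before anything moves. Each check is weak on its own, which is why the decision is taken on the full list of reasons rather than any single one.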

Tuesday, April 6, 2010

Social networking is driving hacker attack strategies

Study says that changes in online users' behaviour, driven largely by the rise of social networking, are pushing hackers to develop ever more sophisticated attack strategies

The report, from Blue Coat Systems, which tapped the data pool generated by its WebPulse security service, says that hackers are developing broader attack strategies, including complex blended threats, faster malware lifecycles and search engine manipulation.

According to Blue Coat, malware is starting to be adapted by hackers in relatively rapid lifecycles: the average lifespan of a typical piece of malware dropped from seven hours in 2007 to just two in 2009, notes the report.

As a result of this faster malware lifecycle, the study says that defences that require patches and downloads are simply unable to keep pace.

Increased reliance on social networking for communication, says Blue Coat, means there is less reliance on web-based email, which dropped in popularity from fifth place in 2008 to ninth place in 2009.

And, the report adds, exploiting user trust drives most common threats. The two most common web-based threats in 2009 – the fake antivirus software and the fake video codec – both exploited user trust on the internet, search engines and social networks.

According to Blue Coat, these were not the 'drive-by' attacks of recent years, nor did they require a vulnerability to exploit other than human behaviour.

Download the report to read the detailed study and findings.

Sunday, April 4, 2010

iPhone Poses Biggest Smartphone Security Risk

57% of respondents in nCircle survey believe the iPhone carries the greatest security risk

iPhones present the greatest smartphone security risk to the enterprise, according to a recent survey from nCircle, a network security and compliance auditing firm.

The online survey of 257 security professionals was conducted between February 4 and March 12, 2010. In addition to smartphones, the survey covered a range of security topics including healthcare, cloud computing and social media.

Key findings include:

* 57% believe that the iPhone carries the greatest security risk
* 39% ranked Google Android as presenting the highest risk
* 28% named Blackberry the riskiest
* 13% ranked Nokia as having the highest risk
* 58% of respondents have a corporate smartphone security policy in place
* 65% of enterprises with a smartphone security policy enforce it.

The Director of Security Operations for nCircle, Andrew Storms, mentioned:

"The general consensus is that Apple continues to do only the absolute minimum to address enterprise security and supportability requirements. We haven't seen any new enterprise iPhone security features from Apple since the summer of 2009 when they introduced their new hardware level encryption, which was almost immediately subverted. This is not the kind of behavior security professionals want to see in vendors."

"The good news from this survey is that a greater number of companies are starting to understand the security ramifications of mobile devices. It is encouraging that a majority of companies have a smartphone security policy and enforce it."

Thursday, April 1, 2010

What is 'Reasonable Security'?

What is considered "reasonable security?"

When it comes to protecting your organization and your customers from a data breach, what is considered "reasonable security?"

This question is at the center of several ongoing lawsuits, and how the courts answer it may be one of the biggest stories of 2010.

Shedding light on this hot topic is David Navetta, founding partner of the Information Law Group and co-chair of the American Bar Association's Information Security Committee. In an exclusive interview, Navetta discusses:

Current regulatory trends, including the HITECH Act;
Legal issues surrounding "reasonable security;"
How to use existing standards to establish "reasonable security."

The interview is worth reading; please refer here for further details.