Thursday, July 29, 2010

Top 5 Fraud Threats

Malware, Breaches Share List with Check & Mortgage Fraud
Online crimes are increasing in complexity and reach, but they represent only a portion of the fraud trends that banking institutions will face over the next 18 months.
According to - despite high-profile incidents of ACH fraud and data breaches impacting financial institutions -- counterfeit checks and mortgage fraud still rank among the top fraud threats.
  1. Malware and Botnets -- These software agents or robots that take over a user's computer are often the root cause of commercial payments fraud, i.e. corporate account takeover. Malware has gotten onto the computers of commercial customers and financial institutions, compromising their log-in credentials and enabling criminals to commit fraud by moving money through wire transfers or ACH.
  2. Phishing -- The crime has evolved from badly-written, bogus emails to well-crafted assaults via e-mail, telephone and text message. My worry is the next way that criminals will change phishing and be creative via social engineering.
  3. Data Breaches -- Although most data breaches have occurred on the merchant and payments processor sides of the business, financial institutions are still deeply impacted by these losses. They have to reissue cards and deal with the aftermath of credit card information getting out there, and how that can lead to the identity theft of their customers.
  4. Counterfeit Checks -- The circulation of checks continues to drop, but counterfeit check fraud remains prevalent. Cashier checks and bank official checks are most often the targets. [Criminals] understand Reg CC and know that those checks have faster funds availability, which allows them to get their money out of the scam faster.
  5. Mortgage Fraud -- These crimes committed against financial institutions, as well as mortgage rescue scams that affect consumers and mortgage holders, continue to rock the financial market.

Tuesday, July 27, 2010

What's Needed to Improve Strong Authentication

New Authentication Guidance Coming?

Out-of-band authentication - This method sends the additional authentication factor to the user via a different channel from the one he or she is using to access the bank site. For example, a one-time password sent via text message to the user's mobile phone when logging in with a web browser on a PC. The user has to enter the correct OTP within a short time window (usually a few minutes) in order to initiate the session. This authentication helps against man-in-the-middle attacks.

Out-of-band transaction verification - This sends a verification request to the user in the same way as out-of-band authentication, so that the user is required to review and authorize a high-risk transaction that takes place within an online banking session before the transaction is allowed to proceed. This authentication method helps against MITM and man-in-the-browser attacks.

Device identification - This authentication method uniquely identifies the software and hardware being used to access the online banking session. The device, in effect, becomes an authentication factor. This method helps against manipulation of this information by fraudsters such as spoofing IP addresses or deleting cookies.

Mutual authentication - In addition to authenticating the user to the site, this method authenticates the site to the user. The most prevalent way of doing this is with Extended Validation SSL certificates. EV/SSL causes the address bar in the browser to turn green when the user is on the bank's actual website. Other methods include displaying electronic seals on the server and displaying a user-selected icon in the browser when the user is accessing the genuine bank server. This method helps against phishing, DNS cache poisoning, and other re-direct attacks.

Transaction monitoring - This is not strictly an authentication tool, but monitoring online sessions for high-risk activity such as known trojan behaviors, both at initiation and while the session is in progress, is a very strong complement to the authentication techniques described here. Flagged activities have to be acted upon in real time - examples of appropriate responses include sending an alert to the user or an out-of-band transaction verification as described above, blocking access to the online account, or blocking the bank account. This method helps against all types of fraud attacks.

Browser-based controls - Institutions can use client-side tools that lock down the user's web browser against malware infection and exposure of sensitive data. This approach helps against a wide array of online fraud attacks, particularly MITM and MITB.

While none of these techniques is completely "airtight" on its own, each one has its own strengths and weaknesses. When used together, they form a solid defense-in-depth approach to protecting the institution's "electronic front door".
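The out-of-band authentication and out-of-band transaction verification methods described above can share one server-side mechanism. The following is an added example, not code from the original post or from any bank: the 180-second window, the three-attempt limit, the context strings and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 180  # assumed value for the "few minutes" window
MAX_ATTEMPTS = 3       # assumed limit on wrong guesses per challenge


class OutOfBandVerifier:
    """Issues one-time codes for a second channel (e.g. SMS) and checks them."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # challenge id -> digest, expiry, attempt count

    @staticmethod
    def _digest(code, context):
        # Tie the code to what it authorizes (a login session or a transaction),
        # so a code issued for one context is useless for another.
        return hmac.new(code.encode(), context.encode(), hashlib.sha256).digest()

    def issue(self, context):
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = {
            "digest": self._digest(code, context),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return challenge_id, code  # the code goes to the phone, never the browser

    def verify(self, challenge_id, code, context):
        entry = self._pending.get(challenge_id)
        if entry is None:
            return "unknown"
        if self._clock() > entry["expires"]:
            del self._pending[challenge_id]
            return "expired"
        entry["attempts"] += 1
        if hmac.compare_digest(entry["digest"], self._digest(code, context)):
            del self._pending[challenge_id]  # single use: a replay finds nothing
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[challenge_id]
            return "locked"
        return "mismatch"


def transaction_context(payee_account, amount_cents, currency):
    return f"txn|{payee_account}|{amount_cents}|{currency}"


def sms_text(code, payee_account, amount_cents, currency):
    # The user reviews these details on the phone, outside the browser's reach.
    return (f"Code {code} authorizes {amount_cents / 100:.2f} {currency} "
            f"to account {payee_account}.")


def demo():
    """Constructed walk-through with a fake clock; returns each outcome by name."""
    now = [1000.0]
    v = OutOfBandVerifier(clock=lambda: now[0])
    out = {}
    cid, code = v.issue("login|session-abc")  # out-of-band authentication
    out["login"] = v.verify(cid, code, "login|session-abc")
    out["replay"] = v.verify(cid, code, "login|session-abc")
    approved = transaction_context("111-222", 5000, "USD")
    altered = transaction_context("999-000", 950000, "USD")  # changed in browser
    cid, code = v.issue(approved)  # out-of-band transaction verification
    out["altered"] = v.verify(cid, code, altered)
    out["approved"] = v.verify(cid, code, approved)
    cid, code = v.issue(approved)
    now[0] += OTP_TTL_SECONDS + 1
    out["late"] = v.verify(cid, code, approved)
    return out
```

Because the code is bound to the payee and amount the server received, a transaction altered inside the browser session fails verification even when the correct code is entered.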

Sunday, July 25, 2010

“Accountability What’s That?”

Pay-At-The-Pump Skimming - a Growing Threat

Card fraud is growing. At the root of the problem is skimming. This is a global challenge that impacts all types of card-reading machines, including ATMs and POS devices. The Secret Service estimates that in 2008 some $8.5 billion was lost as a result of skimming and phishing attacks.
A rash of attacks in Utah resulted in the compromise of 180 pay-at-the-pump terminals with skimming devices and Bluetooth technology to transmit card data.
When it comes to the ATM, the global financial industry has invested heavily in solutions to thwart skimming. Visa and MasterCard have mandated several security precautions, such as encrypting PIN pads and Triple DES compliance, to ensure ATM deployers adequately protect cardholder data.

But what about unattended self-service devices, which have proven to be much more vulnerable?

Case in point: The pay-at-the-pump terminal.

Pay-at-the-pump terminals are targets because they can easily be entered with universal gas keys. Once the terminals are opened, skimmers can be placed inside, away from view. In comparison, ATMs are required to have unique keys and codes for service and maintenance checks.
Let's be fair. Unless a skimming device is found, or law enforcement notifies a business that its terminals have been compromised, a typical merchant would never see the fraud. The cards are skimmed, duplicates are created, and the fake cards are used at ATMs, online and/or at retailers globally.

But does that free the merchant from bearing some of the responsibility?

Friday, July 23, 2010

Securing Passwords with Secure Practice

“Passwords are often the first (and possibly only) defense against intrusion.” MacGregor (2002)

When the average person thinks of network security within a school, they often think of the student trying to hack into the system to change their grade, to see if they can take over their friend’s computer, or to put a prank up on the school website. In light of the current network dangers, these may be some of the least of the school system's worries.

Breached Passwords

There are many ways for people to get passwords. What they do once they have them can be devastating. The important first step in data security is for everyone to take password security seriously. Choosing good passwords, not posting them on your computer, and making sure no one is looking when you are typing them in are all simple steps in password security.

Analysis of 32 million breached passwords

A recent study was conducted to analyse 32 million passwords exposed in the breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism.

Key findings of the study include:

• The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as “brute force attacks.”

• Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”.

• Recommendations for users and administrators for choosing strong passwords.

Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes.

The report identifies the most commonly used passwords:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

In a corporate environment, password insecurity can have serious consequences. Employees who use the same passwords on Facebook that they use in the workplace risk compromising enterprise systems, especially if they are using easy-to-crack passwords like “Country123”.

Securing Passwords with Secure Practice

Some secure password practices are built on common sense, whereas others take on a more systematic framework.

• Change passwords frequently.
• Do not reuse old passwords.
• Always keep passwords secret. Users should not document their passwords manually or digitally. Trust no one with a username/password combination.
• Do not use passwords that consist of dictionary words, birthdays, common series such as sequential numbers or repeated characters.
• Do not log into an account via a link in an email, in case it is a phishing attempt. Enter the normal URL (Uniform Resource Locator) in the web browser to check the identity of the party asking for information.
• Never disclose passwords to any other party by email, phone, or face-to-face interaction.
• Never write down a password. Commit it to memory. If one must write something down to remember a password, write a hint to the password, and not the password itself.
• Do not let anyone watch or stand behind the user when typing a password.
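The weak patterns named in the study findings and in the practices above (common passwords, dictionary words, sequential numbers, repeated characters, adjacent keyboard keys, birthdays) can be screened for when a password is set. This is an added example, not part of the report or the original post; the minimum length, the small sample word list and all function names are assumptions.

```python
import re

# The ten most common passwords listed in the report above, lowercased.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}
# Constructed sample; a real deployment would load a full dictionary.
SAMPLE_WORDS = {"country", "monkey", "dragon", "welcome", "summer"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8  # assumed policy value


def _is_sequence(s):
    """True if each character is exactly one step above (or below) the last."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def _is_keyboard_walk(s):
    """True if the whole password is a run of adjacent keys on one row."""
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def _strip_affixes(s):
    """Drop leading/trailing digits and symbols: 'country123' -> 'country'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def _looks_like_date(s):
    """True for 8-digit day/month/year strings such as birthdays."""
    m = re.fullmatch(r"(\d{2})(\d{2})(19|20)\d{2}", s)
    if m:
        a, b = int(m[1]), int(m[2])
        return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)
    m = re.fullmatch(r"(19|20)\d{2}(\d{2})(\d{2})", s)
    return bool(m) and 1 <= int(m[2]) <= 12 and 1 <= int(m[3]) <= 31


def screen_password(password):
    """Return the list of reasons a password is weak; empty means it passed."""
    reasons = []
    lowered = password.lower()
    core = _strip_affixes(lowered)
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("common password")
    if _is_sequence(lowered):
        reasons.append("sequential characters")
    if re.fullmatch(r"(.)\1+", password):
        reasons.append("repeated character")
    if _is_keyboard_walk(lowered):
        reasons.append("keyboard walk")
    if core in SAMPLE_WORDS:
        reasons.append("dictionary word")
    if _looks_like_date(password):
        reasons.append("looks like a date")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "Country123", "qwertyui", "plum-Kettle-97-orbit"):
        print(candidate, screen_password(candidate))
```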

Thursday, July 22, 2010

Vulnerability Discovered in Patched Windows 2000, XP

PowerZip version 7.2 Build 4010 has been identified as an attack medium for the vulnerability's exploitation

Secunia, an Internet security company, reports that another critical flaw has been found in Microsoft Windows. This time the flaw was discovered in fully patched Windows XP and Windows 2000, and hackers could exploit it to execute harmful assaults.

Marking the flaw with a "moderately critical" label, Secunia says that it is due to a boundary error within the CFrameWnd class's "UpdateFrameTitleForDocument()" function inside mfc42.dll. Passing a very long title string to the vulnerable function can cause a heap overflow.

If exploited, the flaw is capable of letting attackers execute malware assaults. Such assaults could help compromise end-users' PCs and grab sensitive data via social engineering tactics. Secunia disclosed that the flaw exists in fully patched Windows XP SP2/SP3 and Windows 2000 Professional SP4 versions.

Since a patch isn't yet available to plug the hole, Secunia advises against using software that passes user-controlled input to the vulnerable function.

Notably, Microsoft states that it knows about the security flaw and is working to fix it.

Tuesday, July 20, 2010

Hackers masked as Team Gmail

Email claiming to be an official communication from Gmail is collecting account details to modify your web identity

If you have a Gmail account and happen to receive a mail claiming to be from the Gmail Team, asking for details like your password, date of birth and nationality, do not respond. It is a new trick adopted by hackers to fool the users.

The mails say that Gmail is working on total security on all accounts and for this, they require all Google members to verify their accounts with Google. It asks the user to click on the reply button and fill the information in the fields given within seven days of receiving the mail in order to prevent closure of their mail accounts.

A Google official said, “This is a phishing attempt. At Google, we take account safety very seriously and provide a number of features to help users avoid being hacked. We have a series of educational blog posts on choosing a smart password, Gmail account security tips and how to avoid getting hooked.”

“Phishing schemes are a common method used to trick people into sharing their sensitive information. This is not a breach of Gmail security, but rather a scam to get users to give away their personal information to hackers. To keep your Google account secure, we recommend that you enter your Gmail sign-in credentials only to web addresses starting with and never click on any warnings your browser may raise about certificates,” he said.

“One thing you have to be sure of is that Google or Gmail will never ask you to provide this information in an email. If the message asking for it claims to be from us, don’t believe it.”

Monday, July 19, 2010

Microsoft Security Bulletin MS10-042 - Critical

25,000 PCs Affected By Microsoft Zero-Day Vulnerability

Hackers have attacked 25,000 PCs affected by the Windows Help and Support Center zero-day vulnerability, patched yesterday. According to a post on the Microsoft Malware Protection Centre (MMPC) blog, the attacks on infected systems accelerated significantly after the company announced that it would be patching the vulnerability in this month's MS10-042 bulletin.

On the MMPC blog, Holly Stewart wrote: “Early on, we saw attackers incorporate code to single out Windows XP targets, but more recently the attackers have been less discriminant, attempting this attack on a variety of operating systems.”

She said that the hackers had primarily targeted computers in Portugal and Russia, but that the UK had seen the most number of increased attacks on computer systems running Windows XP.

"Although Portugal has remained one of the most targeted areas, attacks on Russian systems have surpassed it over the past few weeks. Russia has now seen more than ten times the number of attack attempts per computer in comparison to the global average," she wrote.

"The UK, in particular, was one of the regions in which we witnessed a surge in attack attempts over this past weekend."

Wednesday, July 14, 2010

FBI Issues 2009 Mortgage Fraud Report

The total dollar loss attributed to mortgage fraud is unknown

According to the Federal Bureau of Investigation’s 2009 Mortgage Fraud Report, released today, mortgage fraud suspicious activity reports referred to law enforcement increased 5 percent to 67,190 during fiscal year (FY) 2009. The total dollar loss attributed to mortgage fraud is unknown. It’s estimated that $14 billion in fraudulent loans originated in 2009.

“Mortgage fraud is an insidious crime that has devastating economic effects on families, communities and the nation,” said FBI Director Robert S. Mueller, III. “The FBI remains committed to working with our law enforcement, regulatory, and industry partners to unravel these complicated fraud schemes driven by greed and bring their perpetrators to justice.”

Other key findings presented in the report include:
  • There are more than 2.8 million properties with foreclosure filings, a 120 percent increase from 2007 to 2009. The Las Vegas area reported the most significant rate of foreclosures, with more than 12 percent of housing units there receiving a foreclosure notice.
  • The top 10 states ranked by the number of foreclosure filings per housing unit were California, Florida, Arizona, Michigan, Nevada, Georgia, Ohio, Texas, and New Jersey. In April 2010, one in every 386 housing units received a foreclosure filing.
  • Prevalent mortgage fraud schemes in fiscal year 2009 include loan origination, foreclosure rescue, builder bailout, equity skimming, short sale, illegal property flipping, reverse mortgage fraud and loan modifications. Emerging trends include fraud involving economic stimulus plans/programs, property theft/fraudulent leasing of foreclosed properties and tax-related fraud.
The entire report is available on the FBI’s website.

Tuesday, July 13, 2010

Mortgage Fraud is on the rise

High-Profile Arrests Point to Troubling Trend of Costly Schemes

Last week's high-profile mortgage fraud arrests should serve as a chilling wakeup call to banking institutions, experts say. On Wednesday, authorities announced the arrest of Lee Farkas, once at the helm of wholesale mortgage lender Taylor Bean & Whitaker, charging him with a $1.9 billion fraud scheme tied to the government's Troubled Asset Relief Program (TARP) funds.

And then on Thursday, the President's interagency Financial Fraud Enforcement Task Force revealed that since March 1, Operation Stolen Dreams has arrested 485 people for their involvement in mortgage fraud losses exceeding $2.3 billion. The operation also has resulted in 191 civil enforcement actions, which have resulted in the recovery of more than $147 million.

Further, the FBI on Thursday released its 2009 Mortgage Fraud Report, which says reported incidents rose 5 percent (67,190 reports) in fiscal year 2009, when approximately $14 billion in fraudulent loans are estimated to have originated.

According to the FBI's new report, the most common mortgage fraud schemes include loan origination, foreclosure rescue, builder bailout, equity skimming, short sale, illegal property flipping, reverse mortgage fraud and loan modifications.

Emerging trends in mortgage fraud include the defrauding of economic stimulus plans or programs such as TARP, property theft or fraudulent leasing of foreclosed properties and tax-related fraud.

These events and numbers are staggering, but no surprise to industry experts who track mortgage fraud. The need for more due diligence and proactive measures on the part of mortgage lenders is painfully obvious - underscored by the latest trends.

Monday, July 12, 2010

Leadership Lessons in Disaster Recovery

BP and Toyota

No career is without its hiccups. No company goes straight up and to the right. Every successful executive and every company that’s been around has been to the brink of disaster at some point. What distinguishes the great ones is the way they handle it. Few are proactive and decisive. They recover. The rest, well, don’t.

Survivors see disaster as a wakeup call, an opportunity to learn and change. The rest try to sweep it under the rug, sugarcoat the truth, or make believe it isn’t really happening. Here are three anecdotes about companies and executives in crisis. Executives, leaders, managers, indeed everyone, listen up. Your time will come. You can count on it.

Toyota, once the king of quality, has recalled over 8.5 million cars and trucks over the past six months due to a laundry list of quality and reliability problems. And in J.D. Power’s annual Initial Quality Survey of new vehicles, Toyota fell to a dismal 21st place overall. I’d call that a wakeup call.

The situation is even more dire for embattled oil giant BP. The gulf oil spill has cost the company $100 billion in market valuation and the price tag for cleaning up the mess will likely be upwards of $20 billion. Throw in the global destruction of the BP brand and you can bet that top executive heads will roll when the leak is finally stopped and the crisis abated.
Each example provides a takeaway for how companies and individuals can best recover from disaster:
  1. Leave no stone unturned in determining how to restructure. Nothing is sacred. Don’t decry lost efficiency, productivity, profits, or anything you have to sacrifice to get back on track. You can deal with that later. If you don’t fix what’s wrong, there won’t be any later.
  2. Wakeup calls can save your career, your company, your industry, but only if you actually wake up. That means being honest with yourself about your failure. That takes humility, courage, and perseverance, not coincidentally, all basic qualities of successful leaders.
  3. The sooner you realize what’s going on, the quicker you react, the better the recovery. Almost every company (and everybody) reacts tenuously or takes a wait-and-see approach. In virtually every case, that’s a bad idea. Be decisive and be quick about it. If you need to cut, cut early and cut deep. You can build back up as conditions improve.

Friday, July 9, 2010

PleaseRobMe website highlights information security threat

The PleaseRobMe website has been launched detailing the whereabouts of social network users, highlighting the fact they are not in their homes. The site was created by Dutch developers who say their website is intended to raise awareness, not to promote burglary.

Co-creator Boy Von Amstel told the BBC: "The website [PleaseRobMe] is not a tool for burglary. The point we're getting at is that not long ago it was questionable to share your full name on the internet. We've gone past that point by 1000 miles."

The website uses a compilation of feeds from social networking sites such as Twitter and Foursquare to update its page labeled ‘Recent Empty Homes’. A statement on the PleaseRobMe website said: “The danger is publicly telling people where you are. This is because it leaves one place you're definitely not... home. So here we are; on one end we're leaving lights on when we're going on a holiday, and on the other we're telling everybody on the internet we're not home.”

The charity organisation Crimestoppers has urged people to think carefully before revealing information on the internet. A spokesperson told the BBC: "We urge users of Twitter, Facebook or other social networks to stop and think before posting personal details online that could leave them vulnerable to crimes including burglary and identity theft."

Wednesday, July 7, 2010

BEWARE - Australian Taxation Office - ATO's scam being hit widely

Use common sense and also check the sender details carefully before responding to any emails
I just received this scam email. Check the sender email address, and secondly, the ATO will never send you such an email asking you to file something online.

I have removed the links. This scam will redirect you to another website where it will ask you to provide credit card details so they can charge the required amount. Be Careful !!!

From: Australian Taxation Office []

Sent: Monday, 5 July 2010 8:46 AM
To: Joy Camilleri
Subject: Dear Applicant: ... Australian Taxation Office Refund
Dear Applicant:
After the last annual calculation of our fiscal activity we have determined that your tax refund was miscalculated.
Please provide us with payment details for your tax refund.
Tax refund pending: $ 1400 AUD
Please apply online to get it.
Atention this ChargeBack is available only if you apply online.
Please submit the tax refund and allow us 3-9 business days in order to process it.

Tuesday, July 6, 2010

Top Cybersecurity Threat Is Customers

Despite the best efforts of high-tech companies to deploy security defenses across public and private networks, end users often remain the weakest link

Cybersecurity is a complicated affair. In addition to the numerous and highly sophisticated technical tools in place to fend off malware and cyberattacks, so much of an organization's defense capabilities comes down to the habits of its employees, according to a panel of security experts recently convened in New York.

With data breaches making near-daily headlines and Congress in the midst of a lively debate on a major cybersecurity overhaul, the panel was timely. But what of the other factors that confound enterprise security, such as the precarious relationship between corporations and white-hat hackers?

When it comes to cybersecurity, the largest single threat to corporate and government networks is, according to some experts, customers' own risky behavior. It was certainly the assessment of a handful of Internet security and software luminaries gathered in New York City at a cybersecurity roundtable earlier this week. With new breaches in the news, and cybersecurity bills on the verge of enactment, the panel convened at a timely moment.

Yet for all the vast amount of technological resources available to those on the panel -- which included representatives from payment processor ADP, software players, including Microsoft, and security vendors, including industry leaders McAfee and Symantec -- the security issue, in many cases, still remains a people problem.

Read the full story at eSecurity Planet: Top Cybersecurity Threat Is Customers, Experts Say

Monday, July 5, 2010

Security is common sense and everyone should practice good security protocols

Wardriving police: password protect your wireless, or face a fine

Internet users in Germany whose wireless networks are left without password protection can be fined up to 100 euros, according to a recent ruling by Germany’s top criminal court.

The ruling is in response to a musician’s lawsuit against a user whose unprotected wireless network was used for downloading and sharing music over P2P.

Just how realistic is the ruling, from a security perspective? Is a wireless network protected by a weak password any different from one with no password security at all?

Three years later, Mumbai’s police started implementing the practice, in response to the abuse of insecure wireless networks by Indian militants:
Additional Commissioner of Mumbai Police K Venktesan told Business Standard: “If the Wi-Fi connection in a particular place is not password protected or secured then the policemen accompanying the squad will have the authority to issue a notice to the owner of the connection directing him to secure it.” The police could issue a notice under section 149 of the Criminal Procedure Code (CrPC) to anyone found not securing their Wi-Fi connection, and the user may face criminal investigations.
The Queensland Police plans to conduct a ‘wardriving’ mission around select Queensland towns in an effort to educate its citizens to secure their wireless networks. When unsecured networks are found, the Queensland Police will pay a friendly visit to the household or small business, informing them of the risks they are exposing themselves to.
Although the problem with insecure wireless networks is often greatly underestimated, the bigger picture is that the existence of hundreds of thousands of password-unprotected wireless networks allows malicious attackers to efficiently propagate wireless malware. Related studies done on the subject prove just how easy it is to execute such a malware campaign.
