Tuesday, May 18, 2010

Cybercriminals phone it in

The mobile phone provides additional customer security for financial transactions. Either by voice or text, banks–in real time–may question account holders about large transfers of funds, potentially stopping fraud in process. While attending a recent public-private summit for the financial services industry, however, I heard of several ways that criminals are using the financial services’ own call centers to circumvent these security controls.

The criminals start by acquiring your account information, either by placing keystroke loggers on your desktop or by deploying sniffer programs on the network or by using traditional phishing campaigns, which entice you to volunteer personal data. The criminals then masquerade as the account holder in a call to the customer service representative (CSR) at the targeted financial service institution.

In the past fraud at the ATMs has been relatively out of reach; the criminal might get your account number but not the associated PIN. One call center scam involves calling the CSR to change the PIN on an ATM card. By providing the call center with a name, address, even the 9-digits of a social security number and the targeted account number, the criminal is able to reset a 4-to-6-digit ATM or Credit Card PIN. After burning the stolen account data onto a blank magnetic stripe card, the criminal is then able to use this new PIN at any ATM.

Another way cybercriminals are using the call center is to simply change the contact phone number on an existing account. Most of us may not be accustomed to having banks contact us over the phone, but when there’s a particularly large transaction pending that is atypical most institutions will call or text to confirm. Now the criminals are changing the contact number on record to their own. Then, when the bank calls to confirm, the criminals approve the transfer because the financial institution has called them and not you. But the financial institutions are aware of this scam and have now started calling both the new and the old phone numbers for confirmation.

The criminals, of course, are one step ahead.

In one case, documented by Kim Zetter over at Wired, a doctor’s home, office and cell numbers were jammed with repeated calls. Some were solicitations for sex websites, others pure silence. When customers complain to their telephone carrier , some telephone companies are now warned that there might be a financial crime associated with these calls.

All of these attacks expose weaknesses in the call center’s authentication of account holders. Financial institution call center customer service representatives often rely on the Automatic Number Identification (ANI), a phone number that appears with each incoming call. ANI is unrelated to CallerID, based on billing data, and thus can be captured by a CSR system even if the caller has blocked CallerID. Cybercriminals can and do manipulate ANI, making their call appear to be from anywhere, including the original registered contact phone number for a stolen account.

Challenge-response questions aren’t the answer either. Cybercrminals can search for and often find the answers to many common questions online. For example, the password to Sarah Palin’s Yahoo e-mail account was reset by someone guessing that she met her husband in high school.

Instead, institutions should use more than one type of call center authentication — ANI plus challenge-response questions where the questions are derived from past financial interactions with the customers (“Where was your last ATM transaction?”). Better yet, a mutually agreed upon password. Additionally institutions should automatically enroll account holders a package of security-based e-mail, text, and voice alerts including, but not limited to, changes to the physical address, the addition of a new person to an existing account, changes made to the contact phone number, and changes made to the PIN on an account.

In theory the average account holder should never see these alerts. But when they do hopefully they’ll realize that they’ll need to react and stop the fraud in real time.

Originally published in Forbes.com

Thursday, April 29, 2010

The Dangers in Following the Crowd

When Benjamin Jun received a winter catalog in the mail from Nike with a personal URL on the cover, he didn’t realize the wealth of information that would soon be available to him online. Jun, Vice President of technology at Cryptography Research, said that once online he was able to access a database showing what those he knew had purchased at various Nike stores. The site (and the entire winter campaign) is now down, but social media mashups such as this raise serious questions about companies that combine various databases–often without our direct consent.

This week Facebook has come under scrutiny for its new social media network. While logged into Facebook a simultaneous visit to one of Facebook’s partner sites will reveal what your Facebook friends think of content on that site. The application also allows you to be interactive with your Facebook friends on the partner site, extending your social media experience.

However, the application also allows third parties to collect data about you and your friends, making public (in some cases) data that you may have marked as “friends only” within the privacy settings on the Facebook side. More ominously Facebook is allowing its partner sites to store this demographic and marketing information indefinitely.

On Monday, four senators –including Charles Schumer of New York, Michael Bennet of Colorado, Mark Begich of Alaska and Al Franken of Minnesota—wrote to Facebook CEO Mark Zuckerberg with several privacy concerns, including asking why is it so difficult for customers to opt out of this new networking platform? Indeed, there are multiple settings within Facebook that must be tweaked in order to restrict private information.

Facebook has responded that it takes privacy serious, though it offered no specifics. Facebook, to its credit, has launched a new safety page, designed to better educate its users around sharing passwords and other factors, but it does nothing to mitigate the potential privacy and security risks inherent within Facebook’s proposed privacy policy changes.

The true dangers lie beneath the surface, beyond the mere marketing information of likes and dislikes.

In his talk last month at the 2010 RSA Conference, Jun spoke about the underlying assumptions being made by the site designers (not just at Nike and Facebook or their partners) who are incorporating mashup strategies–assumptions that might not be true. For example, the process of authorization for credentials on a social networking site is very different from the process of obtaining credentials on an e-commerce or online banking site. Site developers might be tempted to accept the APIs from a popular social media site as a way to increase revenue. Jun says the application designers should instead avoid or at least carefully consider the information being passed to them from another source.

To prevent unintended access, Jun advocates the creation of a “session manager,” one more hoop in the security chain. While it’s always controversial to propose slowing down the consumer experience, the session manager would receive credentials from a third-party site, vet the data, then prompt for additional authentication if necessary.

Simply passing credentials from one site to another without reevaluating is dangerous, said Jun. He cites, in particular, the three R’s of application development: redirects, renegotiation and reconnections. It is within these that gaps of trust among different systems that could allow bad actors access to sensitive data without proper authentication. Jun says in the case of the Nike solicitation for authentication there was only a unique URL on the cover of the catalog. Anyone reading the mailing could have gone online as him.

I for one do not need to know what news stories my friends are reading right now—let them surprise me later in a real (not virtual) conversation. Nor do I need to see what my friends are buying from an e-commerce site; really, I’m probably the last person to go online, learn that someone I know bought a pair of blue running shorts, size medium, and say “Hey, order me a pair also!” Just because the crowd is doing something doesn’t mean I’m going to do it.

But for many, social networking is a way of life, a connection to others. For them, let’s get the security right. With online data leakage occurring in new and surprising ways these days, why take the chance of sharing databases without providing additional back-end controls?

Originally published in Forbes.com

Tuesday, March 23, 2010

Be Careful Who You Know

Beyond date of birth, what other personal information are we giving away on social network sites? In a talk a few weeks ago at the 2010 RSA Conference, security researcher Nitesh Dhanjani explored some non-traditional ways social networking could be used to profile individuals. He says just by studying your social networking presence one can identify, for example, pending business deals.

Dhanjani , who says his exploration is just a hobby, says he created a LinkedIN account for friend who didn’t yet have an account—we’ll call him “Jack”— then invited a mutual friend to join Jack’s LinkedIn network. Within a short time, Jack acquired over 80 connections. What’s surprising here, says Dhanjani, isn’t that people linked to this fraudulent LinkedIn profile, but what information he as an impostor was able to glean about Jack’s sphere of influence and business.

For example a competitor cybersquatting as Jack could now see Jack’s clients. And, if Jack’s company was about to be acquired (and that information was not yet public), an outsider might further see a recent influx of new connections from several people at a rival organization. The lesson here is to establish a presence on the major social networks, if only to stake claim to your name and reputation.

Even legitimate social networks can be hacked: someone could friend you just to get access to someone else you know. A law enforcement officer could be seeking information on a person of interest who happens to be part of your social network. According to the Electronic Freedom Foundation, social networks are being used by federal investigators, and last week the privacy organization released a 38-page PDF training course (obtained through the Federal Freedom of Information Act) that the EFF said was used for conducting investigations via social networks. While federal agents can’t legally pretend to be someone else, they can request to be your friend and thus see all your posts, as well as those of others in your network. The EFF has been studying the privacy issues associated with this new form of surveillance. Often we accept people into our social networks by extension of trust, i.e. a friend of a friend, so a good rule of thumb might be to question how well you really know a person before accepting a new friend request.

But one doesn’t have to join a social network to define your social network.

In his RSA presentation Dhanjani also demonstrated how outsiders can use publicly available social network information to define spheres of influence around a targeted individual. Popular social networks display the top 8 friends for a person as means of identifying exactly which John Smith you’re currently looking at. By comparing the 8 friends on MySpace with the sample 8 friends on FaceBook, Dhanjani says he can map who are the critical contacts for the targeted individual. And by going one step further, by looking at the friends of those friends, one can further map who has the most influence with a targeted individual, their “posse” if you will, and do so without joining the network. A hacker using social engineering could then contact the targeted individual and say “Jane said I should contact you about Alice.”

Some may see all this as nothing new. Kevin Mitnick pioneered social engineering years ago. But now the means to profile someone is much more convenient. Be careful who you know and what you post online. You never know who might be listening.

Orginally published in Forbes.com

Tuesday, March 16, 2010

Device Fingerprinting to Fight Real-time Transaction Fraud

On Tuesday ThreatMetrix unveiled its new cloud-based transactional fraud network. Using its global database of device fingerprints—unique details about the PC, mobile phone or other Internet connecting device–the company says it can detect fraudulent transactions without the need for acquiring personally identifiable information. By correlating incoming TCP/IP information with its database, for example, the company was recently able to identify and stop one malware-infected computer from making an online transaction.

ThreatMetrix, a Los Altos, California-based company, has been working on its fraud network for four or five years, says Alisdair Faulkner, chief product officer at the company. What’s different from other transaction-based fraud networks is that ThreatMetrix uses device fingerprinting not necessarily transaction details for its fraud detection, providing a new set of tools for organizations to verify new accounts, authorize payments and transactions, and authorize user logins. Faulkner describes the new network as “fraud middleware” in that it is designed to complement and integrate with existing fraud solutions.

It is very different solution from the approach taken by other transactional fraud networks such as ID Analytics, a San Diego, California-based company that uses data mining of consumer purchases to address identity fraud. By collecting transaction data, ID Analytics says it can profile a customer’s typical purchasing behavior and flag an abnormal transaction as a possible fraudulent transaction. Unlike the credit bureaus which look at static elements of a person’s profile (SSNs or open accounts) transactional fraud networks look at the live transaction data instead.

What ThreatMetix brings to the table is a proprietary device fingerprinting methodology that is able to probe beyond mere cookies and browser data to identify the machine being used for online access.

Clearly there is a need for such alternative analysis. Cybercrminals have shown increasing technical sophistication year after year. Being able to mask one’s hardware identity seems mere child-splay today–unless one has the sophisticated tools to analyze the output from a compromised machine.

By cataloging devices internationally, ThreatMetrix says it can see through a typical TCP/IP proxy and learn that a machine pretending to be a Windows XP machine located within the United States is in reality a Linux machine located in Vietnam. This could be a machine set to emulate a legitimate user. Or it could indicate a possible man-in-the-middle attack as well, where a third party is eavesdropping on a user’s online session.

ThreatMetrix has also seen one device log into multiple financial services accounts within seconds of each other as well as numerous devices attempting to log into the same online account. This could indicate the use of a botnet, a rogue network of compromised PCs.

Despite the new avenues for fraud taken by cybercriminals today it’s nice to the see the security industry thinking outside the box and offering innovative solutions.

Orginally published in Forbes.com

Wednesday, March 10, 2010

With ISP offline, criminal malware infections drop dramatically

On Wednesday, RSA alerted its customers to a substantial decrease within the last twenty four hours in Trojan horse activity on the Internet as the result of a key Internet host going offline. Criminal enterprises use such hosts as a common point of contact. On the front end, it is the Internet address that thousands of infected computers worldwide point to in order to download the latest version of malware. On the back end, the bad guys connect through such a common network to mask their true locations. Removing the network breaks the connection between the infected PC and the criminal enterprise. Additionally, Cisco reports that there was a flood of last minute malware activity prior to the shut down which could have been the criminals seeking to change IP addresses.

The facility, known as AS Troyak (Russian slang for “Trojan”) is believed to be the source of several major strains of Trojans currently active on the Internet. AS Troyak is home to Rock Phish gang’s JabberZeus drop server, Gozi Trojan servers, among other lesser known Trojans. Zeus is a new class of banking Trojan that uses stealth in ACH transfers to defraud its victims.

A dramatic example of the impact of the loss of AS Troyak can be found on the site Zeus Tracker (this site uses a generic certificate so your browser may need to add site as an exception), which reported a substantial drop in Zeus infections on Tuesday evening.

Source: Zeus Tracker http://www.abuse.ch/

Source: Zeus Tracker http://www.abuse.ch/

In the past bullet-proof hosting facilities have used AS Troyak. Bullet-proof hosting means the owners are likely to be involved in some criminal activity themselves and thus ignore requests by law enforcement to shut down any illegal activity on the server. That isn’t to say all of AS Troyak’s clients are engaged in illegal activity, only that those that are likely to find safe haven with these facilities.


According to RSA the range of IP addresses affected by the AS Troyak shutdown include:

The exact cause of AS Troyak’s demise is not known, nor does the team at RSA think it is likely to be long-lived. The server could, for instance, be moving to a new physical location, or the shutdown could be the result of a technical failure. Or the party operating it may have decided not to continue with the service. It is also possible, though unlikely, that a coordinated effort by law enforcement and/or the security community may have shuttered AS Troyak.

“While the excitement is likely to be rather short-lived,” said Sean Brady, product marketing manager for RSA’s IPV Team, “seeing a wholesale throttling of a significant volume of online fraudulent activity provides a valuable glimpse at how to perform large-scale crime prevention efforts. It’s akin to the traditional methods of taking on organized crime – if you can go after the money, or in this case, the infrastructure, you can do more damage to the organization’s activity than going after individuals or individual resources.”