Showing posts with label security. Show all posts

Tuesday, May 18, 2010

Cybercriminals phone it in

The mobile phone gives financial institutions an additional security channel for customer transactions. By voice or text, a bank can question an account holder in real time about a large transfer of funds, potentially stopping fraud in progress. While attending a recent public-private summit for the financial services industry, however, I heard of several ways that criminals are using the financial institutions' own call centers to circumvent these controls.

The criminals start by acquiring your account information: planting a keystroke logger on your desktop, deploying a sniffer on the network, or running a traditional phishing campaign that entices you to volunteer personal data. They then masquerade as the account holder in a call to a customer service representative (CSR) at the targeted financial institution.

In the past, fraud at the ATM has been relatively hard to pull off; the criminal might get your account number but not the associated PIN. One call center scam closes that gap by calling the CSR to change the PIN on an ATM card. By supplying a name, an address, the nine digits of a Social Security number and the targeted account number, the criminal is able to reset a 4-to-6-digit ATM or credit card PIN to a value he knows. After encoding the stolen account data onto a blank magnetic stripe card, he can then use the new PIN at any ATM.

Another way cybercriminals use the call center is simply to change the contact phone number on an existing account. Most of us are not accustomed to having banks contact us by phone, but when a particularly large, atypical transaction is pending, most institutions will call or text to confirm it. So the criminals change the contact number on record to their own. When the bank calls to confirm, the criminals approve the transfer, because the institution has called them and not you. Financial institutions are aware of this scam, however, and have started calling both the new and the old phone numbers for confirmation.

The criminals, of course, are one step ahead.

In one case, documented by Kim Zetter at Wired, a doctor's home, office and cell numbers were jammed with repeated calls; some were solicitations for sex websites, others pure silence. The flood of calls keeps the bank's confirmation call from reaching the legitimate account holder while the fraudulent transfer goes through. When customers complain to their telephone carrier about such a barrage, some carriers now recognize it as a possible sign of a financial crime in progress.

All of these attacks expose weaknesses in how the call center authenticates account holders. Call center CSRs often rely on Automatic Number Identification (ANI), the phone number delivered with each incoming call. ANI is separate from Caller ID: it comes from the carrier's billing data, so a CSR system receives it even when the caller has blocked Caller ID. Cybercriminals can and do manipulate ANI, making a call appear to come from anywhere, including the contact phone number originally registered for a stolen account.

Challenge-response questions aren't the answer either. Cybercriminals can search for, and often find, the answers to many common questions online. For example, the password to Sarah Palin's Yahoo e-mail account was reset by someone who guessed the answer to her security question, where she met her husband: in high school.

Instead, institutions should combine more than one type of call center authentication: ANI plus challenge-response questions derived from past financial interactions with the customer ("Where was your last ATM transaction?"), or better yet, a password agreed on with the customer in advance. Additionally, institutions should automatically enroll account holders in a package of security alerts by e-mail, text and voice covering, at a minimum, changes to the physical address, the addition of a new person to an existing account, changes to the contact phone number, and changes to the PIN on an account.

In theory the average account holder should never see these alerts. But when one does arrive, the hope is that the account holder will recognize it, react, and stop the fraud in real time.
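The two scams described above and the controls recommended for them can be written as rules over an account's event history. The Python below is an added example, not code from the original article or from any bank's systems: the event line format, the event and channel names, and the thresholds (a $5,000 "large transfer", a seven-day window in which a replaced phone number still receives confirmation calls, a 48-hour window between a call-center PIN reset and ATM use) are assumptions chosen for illustration, and the sample events are constructed.

```python
"""Detection rules for the call-center account-takeover scams described above.

Added example: not code from the original article or from any financial
institution. Event format, names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

LARGE_TRANSFER = 5000.00                 # assumed: what counts as an atypically large transfer
PHONE_CHANGE_WINDOW = timedelta(days=7)  # assumed: how long a replaced number still gets confirmation calls
PIN_RESET_WINDOW = timedelta(hours=48)   # assumed: call-center PIN reset followed by ATM use
PROFILE_CHANGES = {"address_change", "phone_change", "pin_change", "add_account_holder"}


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str
    channel: str                 # call_center, branch, online, atm
    detail: Dict[str, str]


@dataclass
class AccountState:
    phone: Optional[str] = None
    email: Optional[str] = None
    replaced_phones: List[Tuple[datetime, str]] = field(default_factory=list)
    pin_resets: List[Tuple[datetime, str]] = field(default_factory=list)


def parse_events(lines: List[str]) -> List[Event]:
    """Parse constructed 'ts|account|kind|channel|k=v;k=v' lines, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, kind, channel, rest = line.split("|", 4)
        detail = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
        events.append(Event(datetime.fromisoformat(ts), account, kind, channel, detail))
    return sorted(events, key=lambda e: e.ts)


def contact_targets(state: AccountState, now: datetime) -> Set[str]:
    """Channels a notice must reach: current phone and e-mail, plus any phone
    number replaced within PHONE_CHANGE_WINDOW, so the real owner still hears."""
    targets = {c for c in (state.phone, state.email) if c}
    targets |= {old for ts, old in state.replaced_phones if now - ts <= PHONE_CHANGE_WINDOW}
    return targets


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rules over an event stream and return alerts in time order."""
    states: Dict[str, AccountState] = {}
    alerts: List[Dict[str, object]] = []
    for ev in parse_events(lines):
        st = states.setdefault(ev.account, AccountState())
        if ev.kind == "enroll":
            st.phone, st.email = ev.detail.get("phone"), ev.detail.get("email")
        elif ev.kind == "phone_change":
            if st.phone:
                st.replaced_phones.append((ev.ts, st.phone))
            st.phone = ev.detail["new"]
        elif ev.kind == "pin_change":
            st.pin_resets.append((ev.ts, ev.channel))

        if ev.kind in PROFILE_CHANGES:
            # Control: automatic notice of every profile change, sent to all
            # channels on record including the number that was just replaced.
            alerts.append({"account": ev.account, "rule": "profile_change_notice",
                           "event": ev.kind, "channel": ev.channel,
                           "notify": contact_targets(st, ev.ts)})
        elif ev.kind == "transfer" and float(ev.detail["amount"]) >= LARGE_TRANSFER:
            # Control: confirm large transfers out of band; a recent phone change
            # means the old number must be called too, not just the new one.
            recent_change = any(ev.ts - ts <= PHONE_CHANGE_WINDOW for ts, _ in st.replaced_phones)
            alerts.append({"account": ev.account, "rule": "large_transfer_confirm",
                           "amount": float(ev.detail["amount"]),
                           "confirm_via": contact_targets(st, ev.ts),
                           "recent_phone_change": recent_change})
        elif ev.kind == "atm_withdrawal":
            # Detection: a PIN reset through the call center followed quickly by
            # ATM use matches the cloned-card scam; branch resets are not flagged.
            suspicious = [ts for ts, ch in st.pin_resets
                          if ch == "call_center" and timedelta(0) <= ev.ts - ts <= PIN_RESET_WINDOW]
            if suspicious:
                alerts.append({"account": ev.account, "rule": "pin_reset_then_atm",
                               "terminal": ev.detail.get("terminal"),
                               "pin_reset_at": suspicious[-1].isoformat()})
    return alerts


# Constructed sample events, not real account data.
SAMPLE_EVENTS = """
2010-05-01T09:00:00|ACCT-1|enroll|branch|phone=+15551230001;email=owner@example.invalid
2010-05-10T14:05:00|ACCT-1|phone_change|call_center|new=+15559990002
2010-05-11T10:30:00|ACCT-1|transfer|online|amount=12000.00;to=EXT-9000
2010-05-12T08:00:00|ACCT-1|pin_change|call_center|card=ending-4421
2010-05-12T19:45:00|ACCT-1|atm_withdrawal|atm|amount=500.00;terminal=ATM-7731
2010-05-12T12:00:00|ACCT-2|enroll|branch|phone=+15550000003
2010-05-12T12:30:00|ACCT-2|transfer|online|amount=250.00;to=BILLPAY
2010-05-13T09:00:00|ACCT-2|pin_change|branch|card=ending-0099
2010-05-13T18:00:00|ACCT-2|atm_withdrawal|atm|amount=200.00;terminal=ATM-0100
""".strip().splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample, ACCT-1 shows the full attack chain: the call-center phone change is reported to the old number as well as the new one, the $12,000 transfer the next day is routed for confirmation to both numbers, and the ATM withdrawal hours after a call-center PIN reset is flagged. ACCT-2's branch PIN change and small transfer produce only the routine profile-change notice, which is the point of keying the ATM rule on the channel the reset came through.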

Originally published in Forbes.com

Tuesday, January 13, 2009

Microsoft SMB patch addresses 3 flaws

Today Microsoft issued a patch that resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in the Microsoft Server Message Block (SMB) protocol, which is used for sharing files, printers, serial ports and other communications between computers.

MS09-001 is rated by Microsoft as critical, its highest rating, for Windows 2000, XP and Server 2003, and moderate, the third of its four severity ratings, for Windows Vista and Server 2008. It replaces the SMB patch MS08-063 issued last October. Installing the patch requires a system restart.

Microsoft says that although three flaws are addressed, reliable exploit code is unlikely: the first two (CVE-2008-4834 and CVE-2008-4835) allow only a single fixed value (zero) to be written, and controlling which data is overwritten would also be difficult. The third vulnerability (CVE-2008-4114) affects all supported Windows versions and allows a denial of service attack.

The patch today is the only one in Microsoft's January 2009 Patch Tuesday release. It may be obtained from Windows Update or via the bulletin itself.

HBGary announces FastDump Pro for physical memory investigations

HBGary, a computer security firm in Sacramento, California, today announced FastDump Pro, which the company describes as the first memory acquisition software to support all supported versions of Windows, 32- and 64-bit, on systems with more than 4 gigabytes of RAM. FastDump Pro lets organizations and investigators preserve and analyze physical memory snapshots of 32- and 64-bit editions of Windows.

“Based on feedback from Fortune 100 and government customers, computer intrusions into physical memory were one of the top security concerns in 2008," said Greg Hoglund, CEO of HBGary, Inc., in a press release. "Some malware is not visible anywhere on the computer but in physical memory."

FastDump was first released as a free download in April 2008 for 32-bit systems. The company reports that since its release, several Fortune 100 corporations and 20 of the top 30 government agencies have downloaded the product. The product announced today will be free to HBGary customers with Responder licenses, or can be purchased separately for $100.

Wednesday, December 17, 2008

Emergency IE patch due today

On Wednesday, Microsoft will issue an emergency, out-of-cycle security bulletin for a critical flaw affecting all versions of Internet Explorer.

The bulletin is in response to a growing threat. Since the first week in December, the AZN Trojan has been exploiting a known flaw in IE: visitors to compromised Web sites can be infected with a Trojan horse that downloads further malware onto the user's system.

Microsoft normally issues patches on the second Tuesday of each month, "Patch Tuesday," but out-of-cycle patches are not without precedent. Recent examples include the flaw in how Windows handles remote procedure calls (RPC) in October, the Windows Animated Cursor Remote Code Execution Vulnerability in April 2007, a vulnerability in Vector Markup Language in September 2006, and a vulnerability in the Graphics Rendering Engine in January 2006.

The patch will be distributed automatically to Windows users with Automatic Updates enabled. It is also available via Microsoft Update or the individual bulletin for MS08-078 (available after 11 a.m. Pacific on Wednesday).

Tuesday, December 16, 2008

Scams top predictions for ID theft in 2009

Real estate scams and credit card scams will top the ways ID thieves attempt to steal personal information in 2009, the Identity Theft Resource Center (ITRC) warned on Tuesday in its annual predictions for the coming year.

The center's Linda Foley said in a statement that as people find themselves strapped for cash and falling behind, they may become prey for opportunistic scam artists proposing relief. She recommends talking with your bank or mortgage company before talking to strangers. "Your home, while fully paid for, could even be entangled in a second mortgage without your knowledge."

With credit card scams, thieves may advertise the ability to get a new card despite poor credit or the lack of a Social Security number. The center also warns of companies offering to consolidate debts or renegotiate your interest rates. Again, talk to your credit card company or bank, not to strangers.

Additionally, the center warns of continued "targeted" attempts to steal personal information. Thieves are using sophisticated means to harvest personal data, including "skimming" credit cards, copying the magnetic stripe at the point of sale or with fake hardware attached to ATMs.

Is there hope? The center points to the Red Flags Rule, the identity theft regulations issued under the Fair and Accurate Credit Transactions Act, which take effect in 2009. The rule requires financial institutions and creditors to maintain written programs for detecting and responding to the warning signs of identity theft. However, it is up to the organizations themselves to build and enforce those programs.