Wednesday, December 30, 2009

Largest credit card theft in US history: man pleads guilty

A 28-year-old Florida man has pleaded guilty to hacking into corporate computer networks and carrying out what US officials have described as the largest credit card theft in US history.
Albert Gonzalez, of Miami, pleaded guilty in the US District Court in Boston on Tuesday to two counts of conspiracy to gain unauthorised access to payment card networks, the Justice Department said in a statement.

Gonzalez and two unidentified Russian co-conspirators were accused of stealing more than 130 million credit and debit card numbers from firms supporting major retail and financial organisations.

More than 250 financial institutions were affected including Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven Inc., a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain.
Gonzalez was accused of leasing servers to other hackers who used the platforms to store malicious software known as 'malware' and launch attacks against corporate victims.
Gonzalez is facing between 17 and 25 years in prison. Sentencing was scheduled for March 19.
"The Department of Justice will not allow computer hackers to rob consumers of their privacy and erode the public's confidence in the security of the marketplace," assistant US attorney general Lanny Breuer said.

"Criminals like Albert Gonzalez who operate in the shadows will be caught, exposed and held to account," Breuer said.

Gonzalez pleaded guilty in September to charges in two other cases related to hacking of major US retailers including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes and Noble, Sports Authority and the Dave and Buster's restaurant chain.

Source: The Sydney Morning Herald,

Monday, December 28, 2009

Show Us the E-Mail

WE end this extraordinary financial year with news that the Treasury is in discussions with American International Group about selling the taxpayers’ 80 percent ownership stake in that company. The government recently permitted several banks to break free of its potential oversight by repaying loans made during the rescue. But with respect to A.I.G., the Treasury should not move so fast. There is one job left to do.

A.I.G. was at the center of the web of bad business judgments, opaque financial derivatives, failed economics and questionable political relationships that set off the economic cataclysm of the past two years. When A.I.G.’s financial products division collapsed — ultimately requiring a federal bailout of $180 billion — those who had been prospering from A.I.G.’s schemes scurried for taxpayer cover. Yet, more than a year after the rescue began, crucial questions remain unanswered. Who knew what, and when? Who benefited, and by exactly how much? Would A.I.G.’s counterparties have failed without taxpayer support?

The three of us, as experienced investigators and prosecutors of financial fraud, cannot answer these questions now. But we know where the answers are. They are in the trove of e-mail messages still backed up on A.I.G. servers, as well as in the key internal accounting documents and financial models generated by A.I.G. during the past decade. Before releasing its regulatory clutches, the government should insist that the company immediately make these materials public. By putting the evidence online, the government could establish a new form of “open source” investigation.

Once the documents are available for everyone to inspect, a thousand journalistic flowers can bloom, as reporters, victims and angry citizens have a chance to piece together the story. In past cases of financial fraud — from the complex swaps that Bankers Trust sold to Procter & Gamble in the early 1990s to the I.P.O. kickback schemes of the late 1990s to the fall of Enron — e-mail messages and internal documents became the central exhibits in our collective understanding of what happened, and why.

So far, prosecutors and regulators have been unable to build such evidence into anything resembling a persuasive case against any financial institution. Most recently, a jury acquitted Bear Stearns employees of fraud related to the collapse of the subprime mortgage market, in part because available e-mail messages suggested the employees had done nothing wrong.

Perhaps A.I.G.’s employees would also be judged not guilty. But we would like to see the record to find out. As fraud investigators, we would like to examine the trading patterns of A.I.G.’s financial products division, and its communications with Goldman Sachs and other bank counterparties who benefited from the bailout. We would like to understand whether the leaders of A.I.G. understood that they were approaching a financial Armageddon, and whether they alerted their counterparties, regulators and shareholders to the impending calamity.

We would like to see how A.I.G. was able to pay huge bonuses to its officers based on the short-term income they received from counterparties for selling guarantees that, lacking adequate loss reserves, the companies would never be able to honor. We would also like to know what regulators knew, and what they did with the information they had obtained.

Congress wants answers, too. This month, during hearings on Ben Bernanke’s nomination to a second term as chairman of the Federal Reserve, several senators fumed about being denied access to his A.I.G.-related documents.

No doubt, some of the e-mail messages contain privileged conversations among lawyers. Others probably include private information that is irrelevant to A.I.G.’s role in the crisis. But the vast majority of these documents could be made public without legal concern. So why haven’t the Treasury and the Federal Reserve already made sure the public could see this information? Do they want to protect A.I.G., or do they worry about shining too much sunlight on their own performance leading up to and during the crisis?

A.I.G.’s board of directors, a distinguished group of senior business executives, holds the power to decide whether to publish the e-mail messages and other documents. But those directors serve at the behest of A.I.G.’s shareholders. And while small shareholders of public corporations generally do not have the right to force publication of internal documents, in this case one shareholder — the taxpayer — holds an 80 percent stake. Anyone with such substantial ownership has effective control over corporate decisions, even if the corporation is a large public one.

Our stake is held by something called the A.I.G. Credit Facility Trust, whose three trustees are Jill M. Considine, a former chairman of the Depository Trust Company and a former director of the Federal Reserve Bank of New York; Chester B. Feldberg, a former New York Fed official who was chairman of Barclays Americas from 2000 to 2008; and Douglas L. Foshee, chief executive of the El Paso Corporation and chairman of the Houston branch of the Federal Reserve Bank of Dallas.

Ultimately, these three trustees wield all the power at A.I.G., and have the right to vote out the 11 directors if the directors are unwilling to publish the e-mail messages. In other words, if these three people ask A.I.G.’s board to post the messages and other documents, the board will have no choice but to comply. Ms. Considine, Mr. Feldberg and Mr. Foshee have the opportunity to be among the most effective and influential investor advocates in history. Before A.I.G. escapes, they should demand the evidence.

The longer it remains hidden, the less likely we will be to answer many questions about the A.I.G. collapse and the larger economic crisis — including the most important one: how do we prevent a repeat? Time is the enemy of effective investigation; records disappear, memories fade. The documents should be released — without excuses, or delay.

Source: The New York Times, by Eliot Spitzer, Frank Partnoy and William Black

China businesswoman gets death sentence for fraud

BEIJING — A Chinese businesswoman was sentenced to death Friday for cheating investors out of $56 million — the latest case in the country's struggle against widespread corruption.

The 28-year-old Wu Ying started out a decade ago with a single beauty salon but eventually built up a holding group, Bense Holdings, that was known around the country, the state-run Xinhua News Agency reported.

The report said Wu collected the $56 million from investors over two years and was arrested in 2007.

Video posted online of her sentencing had the petite, ponytailed Wu showing little emotion as she was led into the courtroom.

In China, the death penalty is used even for nonviolent crimes such as corruption or tax evasion. The country's highest court, which reviews all death sentences, this year called for it to be used less often and for only the most serious criminal cases.

The Intermediate People's Court in Jinhua city, eastern Zhejiang province, said Wu used the money for personal use and operating costs and to pay off loans.

The Xinhua report said Wu confessed but then retracted her confession in April.

Rights group Amnesty International has said China put at least 1,718 people to death in 2008.

Source: The Associated Press Report

Friday, December 25, 2009

Career Trends Survey Results: 2010 Promises New Roles, New Skills

1st Annual Survey Taps Risk Management, Cybersecurity, Fraud/Forensics as Growth Areas Across Industries

What will be the hot information security jobs in 2010?

How will professionals grow their skills - and will their employers foot the bill?

What are the minimum academic and professional requirements for information security professionals and leaders today?

These are among the key questions answered in the first annual Information Security Today Career Trends survey. The goal of the research: to create the benchmark for information security careers - where the jobs are and what's required to fill them.

The challenge: to create this benchmark at a time when the economy is recovering, the threat landscape is shifting and organizations are re-setting their information security priorities.
But then this survey also takes advantage of a unique opportunity: Led by President Obama, the U.S. has embraced cybersecurity as a national priority, and as such the nation's businesses, academic institutions and government agencies are focused as never before on information security and assurance. There is no better time to benchmark information security careers. And, frankly, there might not be a better time to start - or re-start - one.

Key Findings
There are three key findings from this inaugural study:
Risk Management, Cybersecurity, Fraud/Forensics are Top Priorities
No matter how you ask the question - "What skills are required?" "What training will you seek?" "What are the top 3 concerns for CISOs?" - the answer consistently comes back to risk management, cybersecurity and fraud/forensics investigations. These topics emerge among the top choices of skills, studies and job opportunities in 2010.

Information Security Professionals Want New Skills - and Organizations Will Foot the Bill
Conventional wisdom is that when economic times get tough, training budgets take the biggest hit. But survey results tell a different story: 42% of respondents will seek academic training in 2010; 62% will seek new certifications; and a whopping 79% of their organizations continue to fund that training at least partially.

Schools, Professional Groups Stand to Benefit in 2010
Committed to growing their professional competencies, information security professionals will invest their time and resources in certification bodies, professional organizations and academic institutions in 2010. Asked what kind of training they intend to pursue, 62% choose certification bodies, while 54% say professional groups and 43% select schools. No surprise: people work crazy hours these days, and so 53% of respondents say they prefer a mix of online and face-to-face training.
Some other interesting takeaways from each of our major survey categories:

Education - 23% of respondents say a graduate degree is now the minimum requirement for entering the information security profession;

Background Checks - At a time when we're continually told that we're at greatest risk of insider crimes, only 26% of respondents say they have undergone a background check in the past five years.

Leadership - Asked where senior security leaders are recruited, only 34% of respondents say "promoted from within." 46% say their leaders are recruited externally.

About This Survey
This study was conducted electronically by Information Security Media Group (ISMG) in September 2009.

In all, there were 255 respondents: 47% of them from financial institutions, 12% from government, 9% from consulting and 9% from technology.

When you look at the breakdown of respondents by role and responsibility, you see:

34% compliance or technology professionals;
14% in senior management;
37% have been in their current role 1-3 years.

The main objective of the survey was to benchmark 2010 trends in information security careers across industries.

The survey was constructed specifically to assess:

Background - The academic, security and business background of today's information security professionals;

Duties and Critical Skills - The roles these professionals are filling today - and will be asked to fill tomorrow;

Training Strategies - What they need - advanced degrees, industry certifications, business experience - and where they turn to get ahead.

Source: Bank Info Security, by Tom Field (Editorial Director)

Wednesday, December 23, 2009

Top 8 Security Threats of 2010

Financial Institutions Face Risks from Organized Crime, SQL Injection and Other Major Attacks

It's a never-ending battle -- the list of naughty and downright evil security threats that challenge financial institutions and security professionals. From organized crime to SQL injection, here are the experts' choices of eight major security threats to watch in 2010.

1. Organized Crime Targeting Financial Institutions
Over the past several years, law enforcement investigations into cyber crime have uncovered global networks of organized crime groups, including overseas criminal organizations (many based in Eastern Europe) that hire and direct hackers.
Rob Lee, senior forensics investigator at Mandiant, a risk assessment firm, says the battle between "us and them" increasingly pits the financial services industry against organized crime organizations. "The days of the Maginot line of information security are long gone," Lee says, referring to the defensive World War I battle line created by Allied troops to keep German troops from invading France. The battle lines reach far wider than just an institution's firewalls, he adds.
Anton Chuvakin, an information security expert and author, predicts that 2010 will see a frightening rise in incidents attributable to organized crime. "Rampant, professional cybercrime, from the Russian Business Network (RBN) to its descendants, from individual criminal 'entrepreneurs' to emerging criminal enterprises -- all signs point to dramatic rise of cybercrime," he says. "This is simply the logical consequence of today's situation with the use of information systems: Insecure computers plus lots of money plus no punishment equals 'go do it!'"
In other words, there has not been a better time to go into a cybercrime business, Chuvakin says. "The strategy is pretty much the 'blue ocean' one, with a lot of unexplored opportunity and a low barrier to entry."

2. Assault on Authentication
The banking regulatory bodies have long called for mandatory two-factor authentication for all online banking sites. Now industry security experts warn that those traditional customer authentication methods are being challenged and defeated. Avivah Litan, a Gartner analyst, says the threats include man-in-the-browser attacks that defeat one-time-password authentication from a dedicated token (such as the popular RSA SecurID), and call forwarding that defeats phone-based authentication, as well as transaction verification using SMS or voice calls. "This is bad news for banks that use these authentication techniques to protect high-value accounts and transactions, such as those from business and private banking accounts," Litan says.
Uri Rivner, head of new technologies in RSA's Identity Protection and Verification division, is also seeing an increase in high-grade man-in-the-browser (MITB) trojan attacks. "In 2009, the emergence of highly customizable, stealthy, MITB-capable trojan kits reached a new height with the introduction of Zeus 2.0," Rivner says. MITB trojans send money in real time, he explains, rather than just stealing credentials for sale in the underground. Rivner expects additional "Fraud-as-a-Service" models to make these kits available to more and more fraudsters. Solutions include anti-trojan detection and countermeasure services, desktop hardening, out-of-band authentication and transaction monitoring, he says.
Commercial banking has already seen early signs of man-in-the-browser attacks targeting two-factor authentication used to protect U.S. commercial online banking customers. "In 2010, we project this trend to greatly intensify, requiring commercial banks to deploy additional lines of defense such as adaptive authentication, out-of-band authentication, desktop hardening and anti-trojan countermeasure services," Rivner says.

3. More Malware
It seemed that almost every week in 2009 there was another announcement by a security researcher of a newly discovered malware variant. RSA's Rivner says malware spread like wildfire. "The rate of the malware infection of personal computers was 10 times higher during 2009 compared to 2008," he notes. Leading the infection methods are drive-by-download (taking over legitimate websites; routing visitors to an infection server) and social network infections (spamming a victim's entire social network "friend list" with links to infection servers).
Increasingly, sophisticated, distributed malware is being seen in forensic investigations of cyber crimes, says Dave Shackleford, an information security expert and SANS instructor. Criminals are also adding a flavor of social engineering to get the malware into a user's machine. "Large scale botnets are growing, and the quality of the code is improving, as these kinds of malware are increasingly funded by criminal organizations," he warns.

4. Return to Telephone-Based Fraud
If there is one thing criminals attacking financial institutions and their customers are, it is persistent, as seen by the number of attacks hitting US banks and credit unions in 2009. When one avenue of entry is closed, the criminals look for other ways to get what they're after, says RSA's Rivner. As institutions beefed up their online security, many fraudsters turned to more traditional telephony fraud.
"Armed with data stolen via trojans and phishing attacks - including 'vishing' (voice phishing), 'smishing' (SMS phishing or text phishing) and variants of spear phishing, fraudsters around the world call customer service departments at banks, credit unions and credit card companies in order to perform fraud called account takeover," Rivner says. These fraudsters often outsource the actual phone call to multilingual third-party service providers operating 24/7 out of Russia, he adds. "Caller ID spoofing is also prevalent," he observes.

5. Increased Insider Threat
The trusted insider is the most dangerous foe for any institution -- and the most feared, as seen by the amounts of money and data taken by insiders. The prevalence of insider crime can be blamed on several factors, but the insider threat at financial institutions is increasing, notes Shackleford. "I see there will be an increase in internally-driven fraud, caused in part by the bad economy and also the ease of access to data," he predicts.
Tom Wills, Security and Fraud senior analyst at Javelin Strategy and Research, agrees and adds the insider threat -- with the insider defined as anyone with access to the extended enterprise, not only employees and contractors, but partners and suppliers too -- may have financial problems that push them toward the crime. "Additionally, you have to consider individuals with significant IT knowledge who may not be fully employed and may have incentive to perform activities that they would not have previously," he notes.
Nathan Johns, a Crowe Horwath consultant, says disgruntled employees may also turn to crime. "These are people who are not receiving raises, bonuses, or potentially being laid off, who have the opportunity to do activities that they would not have done in better times," he observes.
Johns also warns that unauthorized access by former employees can lead to problems. "There has been an increase in people being released by organizations, but often times the removal of their access rights is lagging their departure from the organization," he says.
The employees who become insider threats may do so without even knowing they're involved, warns RSA's Rivner. "Already thousands of Fortune 500, government and bank employees are infected with financial trojans that targeted them as consumers. As a side-effect, there are also thousands of infected corporate laptops or PCs used at home for remote access via a VPN," he warns.
Rivner expects 2010 will see fraudsters developing ways to monetize these infected resources, which can lead them straight into the affected organizations' networks. "Bank employees will be a primary focus for these cybercriminals," Rivner predicts.

6. Mobile Banking Attacks
The move to mobile banking by financial institutions that want to offer customers instantaneous access to their accounts is catching fire around the country, with hundreds of institutions now offering customers the ability to look up their account data and balances on cell phones. But security experts see trouble ahead when institutions begin allowing more than just account balance checks to happen. The chance for fraud via the mobile phone is already here, says Ed Skoudis, lead forensic investigator at InGuardians, a security forensics firm. "Exploits against the ever-growing base of smart phones [are on the rise], leading to the possible building of a botnet based on iPhone or Android phones," Skoudis observes.
RSA's Rivner concurs about the propensity for fraud in the mobile banking sector, saying, "Mobile banking fraud is coming. More customers are enrolling in mobile banking, and more services are offered via mobile channels. Banks in Asia and Europe are already experiencing mobile trojans and SMS redirection attacks." He expects the U.S. to experience the first wave of attacks towards the middle of 2010. "Banks will start funding the extension of their online banking protection to the mobile channel," he predicts.
Part of the problem is that customers don't always pay attention to what they're receiving on their mobile devices, says Johns of Crowe Horwath. "People rely more and more on their BlackBerrys and smart phones, and don't pay attention to the information that they are getting on them, and they push back to security being installed on the devices," he adds.
Javelin's Wills sees mobile fraud happening if banks start to enable full service banking on mobile devices. "This means money movement instead of just checking balances and finding ATM locations," he says.
The mobile target will continue to grow, says Shackleford, and as smart phones become more sophisticated, the number of attacks will grow too. "In many cases, these devices contain a huge amount of sensitive data, as well, and could even be a vital component of newer two-factor authentication used by banks," he says.

7. Web 2.0 and Social Media Attacks
At the same time institutions are flocking to Facebook and tweeting on Twitter, the cyber criminals are lining up their arsenals for attack via Web 2.0 and social media sites. InGuardians' Skoudis says attacks via social networking sites are the new way for criminals to get into bank accounts. "These sites are being used by the bad guys for reconnaissance to learn more about their targets," says Skoudis adding, "At the same time, they're delivering malicious content to unsuspecting users."
Institutions should also be on the lookout for additional client-side spear-phishing attacks, which will expand into new means of targeting users through social networks, says Lee of Mandiant.

8. SQL Attacks -- More To Come
The biggest data breach on record -- Heartland Payment Systems -- was done using a "Sequel Injection," or SQL injection, attack. SQL attacks are a popular way to infect and take over websites, as seen by the recent findings by security researchers at Verizon Business. SQL injection attacks were one of the most common methods of breaching systems in the Verizon report's cases. They were used in 19 percent of the cases and accounted for 79 percent of the breached records.
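The SQL injection named above succeeds when user-supplied text is spliced into the query itself, so the database cannot tell data from command. The contrast below is an added example, not code from the article or any of the firms it cites: it places a query built by string concatenation beside the parameterized form that removes the problem. It uses Python's standard sqlite3 module, a constructed two-row accounts table, and the hypothetical helper names lookup_unsafe, lookup_safe and compare.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_ACCOUNTS = [
    ("alice", "4111-xxxx-xxxx-1111"),
    ("bob", "5500-xxxx-xxxx-0004"),
]


def make_db():
    """Build an in-memory accounts table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern: the caller's input becomes part of the SQL text,
    so quote characters in the input change the meaning of the statement."""
    sql = "SELECT username, card FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the value is bound as a parameter. The SQL text is
    fixed, and whatever the input contains is compared as a plain string."""
    sql = "SELECT username, card FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Return (rows from the unsafe query, rows from the safe query) for the
    same input, so the two behaviours can be checked side by side."""
    conn = make_db()
    try:
        return len(lookup_unsafe(conn, username)), len(lookup_safe(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    for name in ("alice", "nobody", "' OR '1'='1"):
        print(repr(name), "->", compare(name))
```

For an ordinary username both functions return the same single row. For an input containing a quote and an always-true condition, the concatenated query returns every account in the table while the parameterized query returns nothing, because the input never leaves its role as a literal. Parameterized statements (or an equivalent prepared-statement API) are the control that closes this class of defect; input filtering alone is not.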
There's more to watch for, says Javelin's Wills, including attacks on web applications -- especially drive-by downloads of keylogging trojans and man-in-the-middle attacks. The browser will become the favored attack vector, and zero-day attacks on client-side software are also on the horizon.
"Fewer operating system holes are being found, but more and more in Adobe, instant messaging, MS Office and other applications," says InGuardians' Skoudis. "The scenario would be: A victim views content from a bad guy, and the attacker then takes over the victim's browser," he explains. This technique is used to create botnets as well as skim credit card and account information from the client machine.
He also sees infrastructure attacks, launched via an infected browser happening. "Here, the bad guy uses a compromised browser to access an enterprise infrastructure controlled by that browser including the enterprise's firewalls, anti-malware solution and possibly HVAC and related systems," Skoudis says.
Within institutions, Shackleford sees VoIP and other converged networking issues coming up. "From simple denial-of-service problems to new malware that affects voice systems, this will be a growing area that affects financial institutions," he predicts.

Source: BankInfo Security, by Linda McGlasson, Managing Editor

Tuesday, December 15, 2009

10 Faces of Fraud for 2010

"The more things change, the more things stay the same." This old saying holds true when it comes to the different types of fraud hitting financial institutions.
In 2009, institutions were hit from every angle with fraud schemes -- some were old, and some were new variations. Here is a roundup of the 10 predominant types of fraud that institutions and their customers can expect to see in 2010, according to industry experts.
1. ACH and Wire Transfer Fraud
The attacks against small and medium businesses in the ACH channel in 2009 were a wake-up call to institutions for the New Year. Businesses and institutions alike suffer when fraudsters penetrate and pilfer accounts via hacking into electronic transactions.
"It started in earnest in 2009 and will only get worse in 2010 until banks put effective controls and fraud detection in place," says Gartner analyst Avivah Litan. "It is hard to tune fraud detection systems to detect this fraud in a timely manner -- especially wire fraud, since the data in a wire transfer instruction is not structured," she says. But good fraud detection systems can catch most of this activity.
2. Attacks on Institution Networks
The level of protection provided to transaction processing networks is often overlooked by institutions when it comes to servers outside of the "protected networks," says Mike Urban, fraud director at Fair Isaac, the provider of FICO credit scoring.
"I've seen this particularly with vendor-managed servers where their security standards may not be at the level practiced by the institution where they are deployed, including password management and patch management," Urban says. Identifying and managing all devices on corporate networks and protected transactional networks are critical to reducing the attack surface and eliminating weak links, he stresses.
3. ATM Skimming
There have been multiple stories this year in the U.S. about ATM skimming crimes. Experts say this particular form of fraud will continue to grow, as criminals are targeting U.S. financial institutions with technologies shared from Eastern Europe. "We should also expect that other ATM frauds such as card or cash trapping and lower quality skimming devices will continue to be a problem," notes Fair Isaac's Urban. Criminals will also keep pressure on older point of sale (POS) terminals that are not PCI compliant, he adds.
4. Credit Account 'Bust-Outs'
The bad economy has given rise to many types of fraud in the past couple of years, but credit "bust-outs" have been around for some time. This fraud type made the list earlier this year, but Debra Geister, Director, Fraud Prevention & Compliance Solutions at Lexis-Nexis, says the trend is still very much active in any bank she's talking with now. "By definition, credit bust-out schemes are a combination of a credit and fraud problem, although many organizations are not always sure where the losses sit -- or who might be the party responsible," Geister says.
Fair Isaac's Urban sees this as "first-party fraud," where criminals create accounts and build credibility as a customer with a financial institution, and then "bust out" the accounts once they are fully leveraged. And it may spill over to financially pressured consumers, "who may get caught up in this type fraud with high unemployment and benefits starting to run out," Urban says.
5. Variations on Phishing Schemes
There have been many phishing attacks against financial institutions in 2009, so many that the Anti-Phishing Working Group cites a 600 percent increase in overall phishing attacks over 2008. But there are more insidious types of attacks hitting institutions and their customers now, say experts.
Fair Isaac's Urban says businesses will be targeted with spear phishing and hacking efforts to compromise online banking credentials. Why they're targeting businesses, he says, is because "Criminals can then target those accounts and initiate money transfers via wires or ACH to steal large sums of money at once or over time." Business checks will also be targeted in counterfeit check scams, he adds.
There is an increased level of sophistication being seen in the phishing attacks, says Ori Eisen, former worldwide fraud director for American Express, now head of 41st Parameter, a fraud solution company. Eisen sees increased sophistication in phishing and use of SMShing attacks, similar to the text phishing attacks that have been circulating around the country, hitting banks and credit unions.
"Fraudsters are using more realistic emails and other points of contact to try to entice credentials from victims," Eisen notes, including the SMS approach. SMS was considered to be a solution to unauthorized account access, Eisen says, "Since it was assumed sending a one-time use password to a cell phone would cause a challenge for fraudsters trying to gain access to accounts." Instead, it has begun to offer them a new way to scrape credentials. "This happens because customers don't expect to be targeted in this way and have accepted the practice as safe when they see a message that appears to be from their bank," Eisen says.
6. Check Fraud on the Rise
It seems that everyone is using debit and check cards these days, and although paper check volumes are continuing to fall, Urban says the dollar losses to check fraud continue to rise. "Online banking account compromises contribute to check fraud when criminals can see cleared check images and identify sequence numbers," he says. One reason for the continued proliferation of this fraud is that there is easier access to check paper stock and cheaper printers and scanners to create fakes.
Eisen says one area institutions should look to lock down is customers' ability to view check images online. "It's a one-stop shop for data harvesting. Online checks offer an unauthorized viewer visibility of the account number and personal information, including the social security number (on checks in 19 states)."
7. Insider Crimes
This year has witnessed several widely publicized insider fraud crimes uncovered at institutions, and next year doesn't look any better. Tom Wills, Security and Fraud senior analyst at Javelin Research, sees that the definition of "insider" has expanded as a wider variety of parties interact with institutions via their computer networks. "RSA calls this the 'hyperextended enterprise,'" Wills notes. An insider can be thought of as anyone with authorized access to the bank's network resources, Wills stresses, "Not only employees and contractors of the institution, but those of suppliers and partners as well."
Internal fraud will continue at institutions and their partners, adds Fair Isaac's Urban, "where key information is compromised and used for personal use or sold to criminals who will perpetrate fraud on the institution or its customers." Many of these schemes will fall apart in much the same way as the investment schemes of the last year, as financially pressured consumers monitor their accounts more diligently or come in looking to withdraw money from them.
8. Mobile Phones
With nearly every bank and credit union throwing its hat into the mobile banking ring, the threat of mobile phone fraud is cause for concern. This crime is still in its infancy, but experts expect the risk to increase as malware applications are designed for and spread onto mobile devices. Urban sees Trojans as the most likely way fraudsters will target mobile phones. "These Trojans will compromise information on the phones which may include online banking account information as well as other data stored on the phone. These compromises will be similar to the attacks on computers," Urban says. The major difference will be the sheer number of mobile devices and operating systems in the market today, compared with a dominant computer operating system such as Microsoft Windows. Another reason to fear mobile phone fraud is that anti-virus and anti-malware applications are not as mature on mobile devices as they are on computers.
9. Online Applications
The ease of customer applications over the web comes with another set of headaches: application fraud, which experts see as a growing area for criminals. Lexis-Nexis' Geister says that alternative channel application crimes, including the Internet, kiosk and point-of-sale channels, "are continuing to drive nearly 50 percent of application frauds since criminals are finding ways to skirt around even the most sophisticated controls."
The ease of online account opening makes the creation of "cash repositories" easy and convenient for criminals, adds Eisen. They will often spread money across multiple accounts to keep balances from looking suspicious, he adds. Criminals are also using online applications to create "valid" identities for future activity.
10. Prepaid Cards
The gift card market has always been a target for criminals, experts say, and prepaid cards will continue to be purchased fraudulently with compromised credit cards, says Fair Isaac's Urban. "The absence of an indicator in the transaction message means a prepaid card purchase cannot be identified during authorization," he notes. Buying prepaid cards with stolen credit cards is an optimal way for criminals to get their hands on what they really want: cash.
In another, more recent scam, criminals steal prepaid cards from the j-hooks at retail stores, chemically wash off the printed card number, emboss the card with information from a compromised card, and then erase the mag stripe. "They then will use the card and have the cashier key the transaction after the terminal swipe fails," Urban says.
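Because the authorization message carries no prepaid indicator, the issuer cannot see this pattern, but the merchant's POS can: it knows the SKU class and whether the card number was keyed after a failed swipe. The following is an added merchant-side screen written for this article, not code from the article or from any vendor quoted in it; the record layout, field names and sample tickets are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Tender:
    ticket: str       # POS ticket id; several tender attempts share one ticket
    terminal: str     # lane/register id
    sku_class: str    # "PREPAID" for gift/prepaid cards, anything else otherwise
    entry_mode: str   # "SWIPE" or "KEYED"
    result: str       # "APPROVED", "DECLINED" or "READ_FAIL"
    amount: float

def keyed_after_swipe_fail(tenders):
    """Prepaid-card purchases approved on a keyed card number after a swipe
    read failure on the same ticket. A single hit is often just a worn stripe,
    so every hit is returned and the caller decides how to aggregate."""
    failed_tickets = set()
    hits = []
    for t in tenders:
        if t.entry_mode == "SWIPE" and t.result == "READ_FAIL":
            failed_tickets.add(t.ticket)
        elif (t.entry_mode == "KEYED" and t.result == "APPROVED"
              and t.sku_class == "PREPAID" and t.ticket in failed_tickets):
            hits.append(t)
    return hits

def terminals_over_threshold(tenders, max_hits=1):
    """Terminals with more keyed-after-fail prepaid approvals than max_hits;
    repeated fallbacks on prepaid SKUs at one lane are what merit review."""
    counts = Counter(t.terminal for t in keyed_after_swipe_fail(tenders))
    return sorted(term for term, n in counts.items() if n > max_hits)

# Constructed sample (not real transactions): lane T1 has an ordinary swipe
# failure on groceries; lane T2 shows the prepaid fallback pattern twice.
SAMPLE = [
    Tender("A1", "T1", "GROCERY", "SWIPE", "READ_FAIL", 42.10),
    Tender("A1", "T1", "GROCERY", "KEYED", "APPROVED", 42.10),
    Tender("B7", "T2", "PREPAID", "SWIPE", "READ_FAIL", 500.00),
    Tender("B7", "T2", "PREPAID", "KEYED", "APPROVED", 500.00),
    Tender("B8", "T2", "PREPAID", "SWIPE", "APPROVED", 25.00),
    Tender("B9", "T2", "PREPAID", "SWIPE", "READ_FAIL", 500.00),
    Tender("B9", "T2", "PREPAID", "KEYED", "APPROVED", 500.00),
]

if __name__ == "__main__":
    for t in keyed_after_swipe_fail(SAMPLE):
        print(f"review ticket {t.ticket} on {t.terminal}: keyed ${t.amount:.2f} prepaid after swipe failure")
    print("terminals over threshold:", terminals_over_threshold(SAMPLE))
```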

Source: CU InfoSecurity, by Linda McGlasson, Managing Editor