Upstream attack threatens Bank Customers

Sensei Posted in Identity Theft
0

Since Banks have been taking more security percautions hackers are shifting their focus to bank service providers and partners. In a recent attack, hackers obtained access to computers at ElectroNet Inc., a Tallahassee Internet service provider. ElectroNet Inc serves as the ISP (Internet Service Provider) for three Florida Banks, Capital City Bank, Wakulla Bank, and Premier Bank. Once they had access to all of the Internet traffic for the Banks the hackers redirected all Banks customer traffic to counterfeit web sites on servers the hackers controlled and setup to look like the real bank web sites (phishing). The banks immediately shut down the counterfeit Internet links and their own (real) websites access. The banks also informed the Florida Department of Law Enforcement and FBI who are currently investigating the incident. There is no word yet on how many customer’s data was stolen in this attack. If you are a customer of these banks and you have used their website between March 10th and March 17th you should contact your Bank and change your account information immediately.
Phishing is a popular and increasingly deceptive tool hackers employ to fool individuals and businesses alike. As the term implies it is related to “fishing” since the hackers set a wide net or trap to capture identity and account information. In this case the hackers presented the customers with a counterfeit web page where they are prompted to enter their account information and other sensitive data. Beware and be smart when entering information online, check the URL or site address to make sure it is exactly as expected. Source.

Self-Defense = Don’t Click on that Link!!

Sensei Posted in Identity Theft
0

Once again hackers are at it (actually they never stopped!). The security company FaceTime reported on March 17th that bots or hacked PCs are being used to harvest data stored in shopping carts (such as identity information, addresses, secret questions, credit card numbers). While not really anything new, this bot is called “the Carder” targets specific e-commerce shopping cart applications which contain vulnerabilities. Though it’s impossible to know exactly what shopping cart vulnerabilities are under attack since Carder is so customizable. The hacker’s gain control of people computers by tricking them into clicking on links sent to them via IM (Instant Messenger), email or posted on malicious or couterfeit web sites. FaceTime reports the current attack is being carried out by a botnet (group of hacked PCs) that control roughly 150,000 compromised computers! Source

Debit Card PIN scandal “worst hack ever”

Sensei Posted in Identity Theft
0

Citibank only — So far it is just the start. The unfolding debit card scam that rocked Citibank last week, and that has now struck both national and small banks, is far from over, said Aviviah Litan, Gartner research vice president, Thursday, March 9, as she called this first-time-ever mass theft of PINs “the worst consumer scam to date.” “It’s significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things,” said Litan. The problem, she continued, is that retailers improperly store PIN numbers after they’ve been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.
In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with “at least a couple of thousand records, maybe more” and have cashed out to the tune of “millions already.” The victim of the hack attack isn’t yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated. Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.
Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that require it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.
So what’s a consumer to do? “Security is tight at the ATM, but point-of-sale is a whole other story,” said Litan. “Look at your [debit card] account on a regular basis, and don’t use a PIN-based debit card at point-of-sale,” she recommended. “I never do.”

Microsoft Fingerprint Reader a Security Threat

Sensei Posted in Identity Theft
0

Microsoft’s Fingerprint Reader, a PC authentication device that Microsoft has been shipping since September 2004. A security researcher with the Finnish military has shown how they could steal your fingerprint by taking advantage of a vulnerability in the Fingerprint Reader. Microsoft has never promoted the device as a security device, only as a tool to prevent unauthorized people from logging into your computer. The researcher was intrigued by a caveat about sensitive data Microsoft included with the device. This prompted Finnish military researcher, Mikko Kiviharju, took a closer look at the product. He presented his findings at the Black Hat Europe conference last week, he reported that because the fingerprint image taken by the scanner is not encrypted, it could be stolen by hackers and used to inappropriately log in to a computer. Due to the transfer of the fingerprint in an unencrypted format the transfer could be stolen using various hardware or software technologies like sniffers.
Kiviharju’s report: [ 1 ] [ 2 ]

ALERT! PayPal Password-Stealing Trojan Circulating

Sensei Posted in Identity Theft
0

PayPal password-stealing Trojan mass mailed. Several million copies of a password-stealing Trojan horse were spammed to Internet users late last week, a security company said Monday. UK-based BlackSpider Technologies said that it had already intercepted more than 3.2 million messages with an attached Trojan, and claimed that it took 52 hours for the first anti-virus vendor to issue a signature that detected and deleted the malware. Clagger.h, as Sophos dubbed it (Symantec named it “PWSteal.Tarno.s”), comes with the subject head of “Notification: Your Account Temporally Limited,” and targets PayPal users. The associated e-mail claims that PayPal has detected unusual activity on the recipient’s PayPal account. If the user opens the attached file, Clagger.h silently installs. Not only does Clagger.h set a backdoor so the attacker can later add more malicious code to the PC, but it lurks in the background and nabs usernames and passwords from any window or Web page with text strings. Astute users will be waved off by a misspelling in the spam’s subject heading. In the message, the word “Temporarily” is misspelled as “Temporally.”

Social Security Administration warns of scam

Sensei Posted in Identity Theft
0

Officials from the Social Security Administration have issued a scam warning. The warning concerns an e-mail message addressed to “Dear Social Security Number and Card Owner”. It claims someone is using the number illegally and has stolen the recipient’s identity. It directs you to a website, where you’re asked for credit card and PIN numbers. Naturally it’s a scam, since Social Security would never ask you for such information, online or elsewhere.

!WARNING! – – Email Identity Theft Scam – – !WARNING!

Sensei Posted in Identity Theft
0

We’re taking action to warn you about an identity theft e-mail scam. There are e-mail messages being circulated addressed to “Dear Social Security Number and Card Owner” and purporting to be from the Social Security Administration. The message informs the reader “that someone illegally is using your Social Security number and assuming your identity” and directs the reader to a Web site designed to look like the Social Security Administration’s Internet Web site. Once directed to the bogus site, the individual is asked to confirm their identity with “Social Security and bank information.” Specific information about the individual’s credit card number, expiration date and PIN number is then requested. “Whether on our online Web site or by phone, Social Security will never ask you for your credit card information or your PIN number,” said Jo Anne Barnhart, Commissioner of Social Security. “I am outraged that someone would target an unsuspecting public in this manner. I have asked the Inspector General to use all the resources at his command to find and prosecute whoever is perpetrating this fraud,” Commissioner Barnhart said. The Social Security Administration reminds all consumers never to provide your Social Security number or other personal information over the Internet, by phone or through the mail unless you’re extremely confident of the source to whom you are providing the information. If you receive this scam e-mail or other suspicious activity, report it to the Social Security’s Office of Inspector General at 1-800-269-0271. (If you are deaf or hard of hearing, call the OIG TTY number at 1-866-501-2101). A Public Fraud Reporting form is also available online at www.socialsecurity.gov/oig.

Online Guide to Prevent Online Identity Theft

Sensei Posted in Identity Theft
1

BT, a UK communications solutions provider, has released a ten-point guide [PDF] to help prevent Internet users falling victim to online fraud and identity theft. The guide forms part of an Internet security report highlighting growing and future online threats, published in conjunction with Yahoo, the UK government’s Get Safe Online campaign, and the Metropolitan Police. The report found that 62 percent of consumers surveyed thought that online fraud could not happen to them. Over 40 percent said that they were not aware whether they had been victims of online fraud or not. Although only eight percent of those surveyed have been victims of online fraud in the last year, the problem is growing because consumers are unaware of the major new and rapidly growing threat of online identity theft. Consumers seem unaware that the Internet and not their trashcan is the place criminals are now most likely to use to steal personal information. Detective Chief Superintendent Nigel Mawer said, “Online identity theft and fraud are the latest techniques.” The report gives consumers a comprehensive overview of new and emerging online threats and a comprehensive list of where people can go to report cybercrimes.
Source

EFF: Don’t use Google Desktop

Sensei Posted in Identity Theft
0

The nonprofit Electronic Frontier Foundation (EFF) is urging everyone not to use the new version of Google Desktop. The high-profile privacy watchdog group (EFF) has a terse warning for business and consumer users. A new feature added to Google Desktop on Thursday, February 9, is a serious privacy and security risk because of the way a user’s data is stored on Google’s servers. The new “Share Across Computers” feature stores Web browsing history, Microsoft Office documents, PDF and text files on Google’s servers to allow a user to run remote searches from multiple computers, but, according to the EFF, this presents a lucrative target to malicious hackers. Google said users can use a “Clear my Files” button to manually remove all files from its servers or a “Don’t Search These Items” preference to remove specific files and folders from the software’s index.
Despite this claim by Google you have no way to verify that your data was removed from their server or their backups of that data. Just think for a moment about when ypu use the google search engine, have you ever noticed the “Cached” link? This is a link to the page that Google has stored on their servers despite the fact that the owner of the site has removed the site from the Internet. Now do you trust them? Remember use common sense, it is your best self-defense weapon.

Stop the Press!

Sensei Posted in Identity Theft
0

The criminals must be shaking in their boots. The Federal Trade Commission is going to hold hearings on identity theft THIS FALL! The hearings will focus on emerging technologies being exploited by Internet spies and identity thieves. The FTC last held similar hearings in 1995, when the technology to create now familiar problems such as spyware and spam was still in its infancy. “It is time to look ahead and examine the next generation of issues to emerge in our high-tech global marketplace…Ten years is an eternity for technology,” FTC Chairperson Deborah Platt Majoras said. The new hearings would include issues such as spyware, spam, radio frequency identification, and identity theft. Todd Davis, chief executive officer of LifeLock Inc., an identity theft prevention company, said the government had some catching up to do. “The thieves have advanced with the technology and we have not,” Davis said. Majoras said the hearings would take place sometime this fall, and would include business, technology, academic, and law enforcement experts. I’m glad to see they have a firm date in mind! The cogs of government never stop amazing me! [ Source ]