[Cartoon of the month: another example of the credit card industry's deceptive advertising targeting children]

Sunday, May 22, 2005

VISA admits credit cards not secure against hacking

VISA Secure Credit Cards (from cnn.com)

Visa is hoping to simplify the process of paying with plastic with a new payment technology it introduced Thursday. With the company's new "contactless" system, consumers need only wave credit and debit cards within a few inches of a reader to complete a purchase. And for purchases of less than $25, no signature is required.

The technology will be more convenient for merchants and consumers alike by reducing checkout times and lines, Visa executives said. It's also designed to be an easy alternative to cash for small purchases such as a soda or pack of gum.

"Our hope is that the contactless payment feature will drive added convenience and speed to consumers," said Niki Manby, vice president of market and technology innovation at Visa USA. "You no longer need to swipe or hand over your card."

But don't go waving your credit and debit cards around just yet. Visa must first convince merchants and card issuers to use new equipment. For merchants, that means purchasing new card readers. For banks, it means introducing special cards capable of transmitting account data via radio signal rather than magnetic stripe. So far, no card issuers are offering them, Manby said.

With 5.6 million merchants in the United States, Visa will need some time to phase out its old system.

"It's not something retailers will do lightly overnight," said Pennie Gillespie, a Forrester Research analyst.

Visa is not alone in the endeavor. MasterCard and American Express also are experimenting with contactless cards. MasterCard has been doing field tests in Florida, while American Express is doing trials in Arizona and New York. The companies are using compatible technology, so merchants can use the same card readers for all three systems. Merchants just need to install an extra bit of software to make it all work together, said Patrick Gauthier, senior vice president of new product development at Visa.

Visa and its rivals have some obstacles to overcome before the technology becomes more mainstream, Gillespie said. Not only must they convince merchants to buy new readers, they must assure consumers that the new-fangled cards are every bit as secure as the old ones in an age of identity theft and high-tech hacking.

"Security is a question," Gillespie said. "How easy is it for someone to interact with a wireless communication and pick up a number?"

Visa designed its system to be highly secure, with multiple layers of encryption and fraud detection, Gauthier said. Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted, a key security feature, he said. In addition, consumers have no liability for fraudulent charges with the new cards as with the old ones, Gauthier added.

"Security is at the core of our business," Gauthier said. "We are fully confident that the platform we have developed is as secure as any form of Visa cards today."
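What a per-transaction "unique code" buys you, as an added example that is not Visa's code or specification: an HMAC-based cryptogram loosely modelled on the EMV application cryptogram, with a counter on the card and a freshness check at the issuer. Everything in it (the field layout, the test card number, the 8-byte truncation, the choice of HMAC-SHA256) is an assumption made for illustration.

```python
import hashlib
import hmac
import secrets

# Added illustration, not Visa's specification.  Assumed design: the card
# holds a secret key shared with its issuer and an application transaction
# counter (ATC) that it increments on every tap; the cryptogram is an HMAC
# over the transaction fields, so a copy sniffed at the reader cannot be
# replayed and the fields it covers cannot be altered.

def _encode(pan, atc, amount_cents, terminal_nonce):
    """Canonical byte encoding of the fields the cryptogram covers."""
    return b"|".join([pan.encode(), atc.to_bytes(4, "big"),
                      amount_cents.to_bytes(8, "big"), terminal_nonce])

def _cryptogram(key, pan, atc, amount_cents, terminal_nonce):
    # Truncated to 8 bytes; the issuer verifies it online, so guessing is rate-limited.
    return hmac.new(key, _encode(pan, atc, amount_cents, terminal_nonce),
                    hashlib.sha256).digest()[:8]

class Card:
    """Simulated contactless card: secret key plus a monotonic transaction counter."""
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0

    def tap(self, amount_cents, terminal_nonce):
        self.atc += 1                      # fresh counter value for every transaction
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce,   # challenge chosen by the reader
                "cryptogram": _cryptogram(self.key, self.pan, self.atc,
                                          amount_cents, terminal_nonce)}

class Issuer:
    """Simulated issuer host: knows every card's key and the last counter it accepted."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan):
        self.keys[pan] = secrets.token_bytes(32)
        self.last_atc[pan] = 0
        return self.keys[pan]

    def authorize(self, txn):
        key = self.keys.get(txn["pan"])
        if key is None:
            return False, "unknown card"
        expected = _cryptogram(key, txn["pan"], txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False, "cryptogram does not match fields"   # altered amount, wrong key ...
        if txn["atc"] <= self.last_atc[txn["pan"]]:
            return False, "counter already used: replay"
        self.last_atc[txn["pan"]] = txn["atc"]
        return True, "approved"

def simulate():
    """One genuine tap, then the attacks an eavesdropper at the reader could try."""
    issuer = Issuer()
    pan = "4111111111111111"                          # constructed test number
    card = Card(pan, issuer.enroll(pan))
    capture = card.tap(599, secrets.token_bytes(4))   # a $5.99 soda, sniffed at the reader
    results = {"first": issuer.authorize(capture)}
    results["replay"] = issuer.authorize(capture)                       # same bytes again
    results["altered_amount"] = issuer.authorize(dict(capture, amount=59900))
    results["next_tap"] = issuer.authorize(card.tap(150, secrets.token_bytes(4)))
    return results

if __name__ == "__main__":
    for name, (ok, why) in simulate().items():
        print(f"{name:15s} {'APPROVED' if ok else 'DECLINED'}: {why}")
```

The counter is what makes an intercepted transmission useless: sending the captured bytes a second time fails because the issuer has already accepted that counter value, and changing the amount fails because the cryptogram no longer matches. Note what this model does not do: the account number itself still crosses the air in clear, so it says nothing about Gillespie's question above of whether a nearby antenna can "pick up a number"; that needs a separate answer.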

More data security: backup tapes lost

Time Warner employee data missing

Tapes with information on 600,000 current, ex-workers lost in transit by outside data storage firm.

May 2, 2005: 1:58 PM EDT (source money.cnn.com)

NEW YORK (CNN) - Time Warner Inc. said Monday that data on 600,000 current and former employees stored on computer backup tapes was lost by an outside storage company and that the Secret Service is now investigating.

Kathy McKiernan, a spokeswoman for Time Warner, told CNN that the tapes contained names and Social Security information on current and former Time Warner employees and some of their dependents and beneficiaries dating back to 1986.

The tapes may include information on employees of Time Warner and any of its affiliated companies between 1986 and the present. Time Warner is the parent company of CNN/Money.

"Time Warner retains that information to administer retirement, compensation and other benefits information for its employees," McKiernan told CNN. She would not say what other information was on the 40 tapes that were lost with the missing container, citing the integrity of the ongoing investigation.

Time Warner said the tapes did not include personal data on its customers. McKiernan said that the Secret Service is involved in an active investigation of the matter, working closely with the company and Iron Mountain Inc., the data storage firm that lost the tapes.

Data security: tapes holding 1.2 million cardholders' records lost

Bank's Tape Loss Puts Spotlight on Backup Practices

February 28, 2005
By Paul Shread (from Enterprisestorageforum.com website)

Bank of America's admission on Friday that the company lost data tapes containing federal workers' customer and account information will likely bring renewed attention to data security issues.

The bank confirmed that "a small number of computer data tapes were lost during shipment to a backup data center. The missing tapes contained U.S. federal government charge card program customer and account information."

The Washington Post reported that the lost data tapes included personal information on 1.2 million federal employees, among them Sen. Patrick Leahy (D-Vt.).

Bank of America said it notified federal law enforcement officials, and added that "the investigation to date has found no evidence to suggest the tapes or their content have been accessed or misused, and the tapes are now presumed lost. Government cardholder accounts included on the data tapes have been and will continue to be monitored by Bank of America, and government cardholders will be contacted should any unusual activity be detected. No unusual activity has been observed to date."

On top of a recent disclosure that data warehouser ChoicePoint had compromised the personal data of 140,000 consumers, the Bank of America admission will likely bring renewed scrutiny of data security and backup processes.

"Very few people encrypt backup tapes, which means that they rely on the security of the backup and off-site rotation process," said Jon Oltsik, senior analyst for information security at Enterprise Strategy Group. "Here's a clear example of the risks of doing this."

The result will likely be a jump in business for companies that encrypt data, Oltsik told Enterprise Storage Forum. "I expect that the phones will be ringing at Decru, Kasten-Chase and Neoscale on Monday," he said.

The recent data security breaches are likely to bring renewed attention to efforts by Sen. Dianne Feinstein (D-Calif.) to craft national identity theft legislation expanding on California's Database Breach Act, or state law SB 1386, which requires state agencies and businesses that collect personal information from California customers to promptly disclose security breaches or face severe penalties. The California law exempts encrypted data.

Feinstein reiterated her call for such national legislation last week after the ChoicePoint disclosure.
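Oltsik's point above, that an unencrypted tape is only as safe as the courier, together with the SB 1386 exemption for encrypted data, as an added example that is not Bank of America's, Iron Mountain's or any vendor's code: the backup is sealed before it ships with a key that never leaves the origin site, so a lost cartridge is ciphertext plus an authentication tag. The cipher is an HMAC-SHA256 counter-mode construction chosen only so the block runs on the standard library; a production system would use AES-GCM from a real library or drive-level tape encryption. The tape label, the employee record and the key handling are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added illustration.  Encrypt-then-MAC with separate keys derived from one
# master key that stays at the origin site (an HSM or key server); only the
# sealed blob travels with the tape.

def _keystream(key, nonce, length):
    """PRF counter mode: HMAC-SHA256(key, nonce || counter) blocks, concatenated."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def derive_keys(master):
    """Independent encryption and authentication keys from one 32-byte master key."""
    enc = hmac.new(master, b"tape-encrypt", hashlib.sha256).digest()
    mac = hmac.new(master, b"tape-auth", hashlib.sha256).digest()
    return enc, mac

def seal(master, tape_id, plaintext):
    """nonce || ciphertext || tag; the tag also binds the tape label."""
    enc_key, mac_key = derive_keys(master)
    nonce = secrets.token_bytes(16)                  # never reuse a nonce under one key
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, tape_id + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(master, tape_id, blob):
    """Verify the tag before touching the ciphertext; raise on any mismatch."""
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, tape_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tape authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _fails(fn):
    try:
        fn()
        return False
    except ValueError:
        return True

def demo():
    """What a finder of the cartridge holds, and what the owner can still do."""
    master = secrets.token_bytes(32)                   # stays at the origin site
    tape_id = b"HR-BACKUP-0040"                        # constructed label
    records = b"name,ssn\nJane Doe,123-45-6789\n"      # constructed sample record
    blob = seal(master, tape_id, records)
    return {
        "plaintext_on_tape": b"123-45-6789" in blob,   # what the courier's loss exposes
        "roundtrip": unseal(master, tape_id, blob) == records,
        "wrong_key": _fails(lambda: unseal(secrets.token_bytes(32), tape_id, blob)),
        "relabelled": _fails(lambda: unseal(master, b"OTHER-TAPE", blob)),
        "tampered": _fails(lambda: unseal(master, tape_id,
                                          blob[:20] + bytes([blob[20] ^ 1]) + blob[21:])),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

The two properties a breach-notification analysis cares about are visible in the result: the record is not recoverable from the cartridge without the key, and any modification or relabelling is detected on restore. The key, not the tape, is now the thing whose custody matters, which is why the California law's exemption only helps if the key was never shipped alongside the data.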

Phishing attacks threat to banking transactions

What's phishing? How to be safe?

December 20, 2004 (source rediff.com)

Phishing scams have rocked Internet users for some time now.

But phishing attacks especially intensified in 2004, making them a very serious emerging threat that rides on the surge of e-commerce and e-banking transactions through fraudulent means, says a study conducted by anti-virus software specialist Trend Micro.

What is phishing?

Phishing means sending an e-mail that falsely claims to be from a particular enterprise (like your bank) and asking for sensitive financial information.

Phishing is sending out a 'bait' in the form of a spoofed e-mail that closely mimics most bank notifications.

The fraudulent mail is socially engineered to convince recipients to divulge sensitive information such as credit card numbers, PIN, social security numbers and some such information, says Trend Micro.


Some phishing mails include a legitimate-looking URL that actually conceals the phishing URL, or the site where the stolen information is stored, while some include an image, which when clicked, directs the affected user to the phishing site.

There are ways to 'spoof' an e-mail so that it appears to have come from someone other than the person who is actually sending it. An e-mail can be spoofed by tweaking the settings of e-mail clients like Outlook Express, Netscape Messenger and Eudora. E-mail spoofing is a popular way of scamming online.

How to be safe

Trend Micro lists out the ways in which you can keep yourself safe from phishing scams:

* Be wary of e-mail messages that ask for personal or financial information such as user names and passwords, credit card numbers, and other sensitive personal information, especially those that are alarming and upsetting in tone.
* Do not click any links inside an e-mail that is suspected to be spoofed. Instead, go directly to the valid company's site then log on from there or call the company directly.
* Ensure that any Web site visited is secure when submitting sensitive information such as credit card numbers. One indication that a Web address is secure is if it starts with https:// rather than http://. Another indication is a padlock icon at the bottom of the screen, which when clicked, displays a security certificate.
* Ensure that your browser is up-to-date and security patches are always promptly applied. For IE (Internet Explorer) browsers, a special patch relating to certain phishing schemes can be downloaded at http://www.microsoft.com/security/.
* Avoid opening any file attachments of suspected phishing e-mail messages as it might execute a 'malware' programme that can steal personal information.
* Consider installing a browser extension such as SpoofStick which can help detect a spoofed Web site. This utility is available at: http://www.corestreet.com/spoofstick/
* Consider installing security software such as those offered by anti-virus specialists like Trend Micro, which can help detect malware programmes (antivirus), filter spam (spam filters), and/or ensure secure Internet usage (firewalls). These kinds of software can help preempt any damage to your system and can help protect you from hackers and scammers alike.
* Knowledge is still the best protection from getting scammed. It is important to educate oneself on Internet fraud. There are several Web sites dedicated to giving free education regarding Internet fraud, one of which is Trend Micro's site on anti-phishing.
* If you receive any suspicious e-mail but are unsure of what to do, there are several organisations that can help check out the e-mail for you. Trend Micro offers this kind of service free of charge.

How to find out if an e-mail is genuine

However, finding out whether an e-mail is genuine or not is not very difficult. Every e-mail message contains headers that have the following information:

* Origin, which shows information about the machine that sent it,
* Relay, which shows the sender machine relaying it to another, and
* Final destination, which shows the machine that receives it, the IP address and the domain name.

Check out this URL: http://www.lse.ac.uk/itservices/help/e-mailheader.htm for an example of what the different things in an e-mail header mean.

By learning how to identify what the header components are you can distinguish whether an e-mail is genuine or spoofed.
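The two checks described above, walking the Received chain back to the originating machine and spotting a link whose visible text hides a different destination (the "legitimate-looking URL" trick mentioned earlier), as an added example that is not Trend Micro's or rediff's code. It runs over a constructed message; the host names are .example domains and the addresses come from the documentation IP ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example.  SAMPLE is a constructed phishing message: the From: header
# claims the bank, the HTML anchor text shows the bank's https address, but
# the href points at a bare IP over plain http.
SAMPLE = "\n".join([
    "Received: from mail.example-bank.com (unknown [203.0.113.45])",
    "\tby mx.recipient.example (Postfix) with ESMTP id 3F2A1",
    "\tfor <customer@recipient.example>; Mon, 20 Dec 2004 10:02:11 +0000",
    "Received: from [198.51.100.7] (helo=example-bank.com)",
    "\tby mail.example-bank.com with smtp; Mon, 20 Dec 2004 10:02:09 +0000",
    'From: "Example Bank Security" <security@example-bank.com>',
    "To: customer@recipient.example",
    "Subject: Urgent: verify your account",
    "Content-Type: text/html; charset=us-ascii",
    "",
    "<html><body><p>Your account will be suspended unless you visit",
    '<a href="http://198.51.100.7/verify/login.php">https://www.example-bank.com/login</a>',
    "within 24 hours.</p></body></html>",
])

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URLISH_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)

def received_chain(msg):
    """Hops oldest-first: [origin, relays..., final destination].  Each server
    prepends its own Received: line, so the top line is the last hop.  Only the
    line written by your own server is trustworthy; a sender can forge the rest."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if not m:
            continue
        ip = IP_RE.search(m.group("paren") or "") or IP_RE.search(m.group("from"))
        hops.append({"from": m.group("from"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None})
    return hops

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Flag links that are not https, point at a bare IP, or whose visible
    text names a different host than the real destination."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        reasons = []
        if target.scheme != "https":
            reasons.append("not https")
        if IP_RE.fullmatch(host):
            reasons.append("raw IP host")
        shown = URLISH_RE.match(text)
        if shown and shown.group(1).lower() != host:
            reasons.append("text shows %s but link goes to %s" % (shown.group(1), host))
        if reasons:
            findings.append((href, reasons))
    return findings

def analyse(raw):
    """Summarise origin, relay chain and link findings for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_chain(msg)
    flags = []
    if hops and hops[0]["from"].startswith("["):
        flags.append("origin relay is a bare IP literal %s, not a host in %s"
                     % (hops[0]["ip"], from_domain))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    return {"from_domain": from_domain, "hops": hops, "flags": flags,
            "links": suspicious_links(body)}

if __name__ == "__main__":
    from pprint import pprint
    pprint(analyse(SAMPLE))
```

On the sample the origin hop is a machine known only by its IP, and the one link fails all three tests. The example deliberately stops short of the step that settles the question in practice: resolving the origin IP (reverse DNS, and the sender domain's SPF record) cannot be done offline, and the second Received: line here could just as easily have been written by the phisher as by a real relay.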

From May 2004 to November 2004 alone, Trend Micro registered a total of 9,709 phishing mails. July generated the most number of phishing mail incidence with 2,932 received samples, which is a huge leap from the total of 104 phishing mails recorded in May.

Most phishing attacks from May to November 2004 targeted Citibank, covering a little more than half of the entire phishing incidence recorded. Citibank has banking, lending, and investment services worldwide making it a prime target for these types of attack.

US Bank, one of the largest financial services holding companies in the United States, comes in second in the list of most targeted banks, with 21 per cent.

Suntrust (one of the largest commercial banking institutions in the US) and Ebay (an international online "marketplace") are next on the list with 10 per cent and 8 per cent, respectively.

Even in India, ICICI Bank, Citibank and other financial institutions have been targeted by 'phishers.'

A legitimate financial institution will never ask for details of your account via an e-mail. You must never e-mail financial information over the Internet as it is not a secure method for transmitting such sensitive information.

Weak information technology laws help terrorists

Govt out to fight cyber crime

April 18, 2005 15:55 IST (source rediff.com)

Warning that terrorists were increasingly using hi-tech methods to transfer money across borders, Deputy National Security Advisor Vijay Nambiar on Monday said the government was creating a 'robust legal environment' to fight cyber crime.

"Terrorists have taken to new technology to commit crimes and are increasingly using information technology to transfer money across borders," he said inaugurating a two-day legal seminar of the Indo-US Cyber Security Forum here. Inadequacy of international laws to fight cyber crime was partly responsible for this trend, he added.

Nambiar, recently appointed the Deputy NSA, said the Indian government was taking steps to strengthen its mechanism to fight cyber crime.

"The Information Technology Act 2000, along with other laws, provides a reasonable framework to protect against cyber crime. While we are creating a robust legal environment, we have also taken other measures against cyber crime such as setting up the Computer Emergency Response Team -- India (CERT-IN)," he said.

Eminent US cyberspace security strategist Howard Schmidt said greater partnership was needed between India and the US in an era in which the 'economic viability' of nations may depend on their ability to check cyber crime.

"There is a need to have an international watch-and-warning system for this purpose," Schmidt, who served as the Chairman of the US President's Critical Infrastructure Protection Board and is currently the Chief Security Strategist of US-CERT, said.

Underlining the 'borderless' nature of cyber crime, Nambiar said the rising number of identity theft cases was causing losses of billions of dollars to companies and was a cause for worry for administrators around the world.

However, Indian business process outsourcing (BPO) companies, 70 per cent of which conduct business with US firms, used an "array" of technological measures to protect personal and financial data of customers, he said.

Nambiar said cyberspace security would be ensured only if legal framework and technology reinforced each other.

"Training of judiciary in complexities of cyber crime is being given priority," he said.

Schmidt emphasised that end users of technology would also have to be educated and laws continually 'refined' if cyber crime was to be tackled.

"Customers have to be told that the idea of user IDs and passwords has long since passed," he said.

A large number of delegates from IT and legal fields from India and the US are attending the third plenary of the Indo-US Cyber Security Forum which will provide recommendations to strengthen security measures to both governments.

The Forum is being organised by the National Security Council Secretariat and Confederation of Indian Industry.