Cartoon of the month (image not reproduced): another example of the credit card industry's deceptive advertising targeting children

Monday, June 20, 2005

World's top Cyber Cop

About Schmidt

6/3/2005 5:00:00 PM - Q&A: He started off as a policeman, but the former head of IT security at Microsoft and eBay has learned a lot since then. Listen to his advice about internal threats, two-factor authentication and identity management.

by Poonam Khanna

Howard Schmidt is a much sought-after expert in his field, and a quick glance at his career history makes it easy to understand why.

Schmidt has served as the chief security specialist for the U.S. Computer Emergency Readiness Team (CERT), as the CISO and CSO for Microsoft Corp., where he spearheaded the trustworthy computing initiative, and most recently as the CISO for online auction company eBay. Schmidt left that position last month to devote more time to his consulting work for CERT, other international governments and some corporations.

ITBusiness.ca recently spoke over the phone with Schmidt, who will be heading into Toronto on June 15 to speak at the Infosecurity Canada conference.

ITBusiness.ca: What are the biggest cyber security issues facing businesses today, and how are they changing?

Howard Schmidt: I think the biggest things are still the same things that we’ve been seeing in the past 20-some odd years, and that’s vulnerabilities in software and firmware within hardware that we are constantly creating in environments where we have vulnerabilities and holes that are oftentimes unpatched for a multitude of reasons. And what’s changing about that is that it used to be, for the longest time, particularly those involved in hacking and denial of service attacks on a regular basis, (that they) were generally attacking large enterprises. As we saw with the distributed denial of service attacks back in February of 2000, they were against large corporations and things of this nature. We’re starting to see now that the small and medium enterprise can be targeted as well as the consumers and the end users through a variety of different methods. Not only through vulnerabilities in their systems, but also the electronic version of social engineering, with phishing and spyware, and things of this nature.

ITB: Do you have advice for other businesses on how they can deal with those issues?

HS: I think first and foremost, you need to have an organization that has senior leadership enough that’s on par with other executives in the business world. First and foremost, there’s a perspective in many cases among the business folks that security actually slows down one’s ability to generate revenue, slows down the ability to innovate and do business. That’s traditionally been the focus: That security is this necessary evil. You know, “We’ve got to have it, but try to avoid it at all costs.” In the recent past, in the past four or five years, the model, the way we do security, has changed to where it actually becomes a business enabler and actually helps with the branding, helps with making sure that the functions are taking place as they should be — making sure the availability is there. So we’ve seen some change in there, but that’s only been because the position of security officers has been raised to the business unit executive.

ITB: Are vendors doing enough to address the issue of security?

HS: Well, vendors have changed dramatically over the past three years or so. I know when I was at Microsoft and we started the trustworthy computing group, that was, you know, a clear issue where the whole focus was shifting to security being priority No. 1, instead of just a priority. I know Oracle and Sun and Cisco and all the big IT companies are really, really focusing on doing a better job on security. The challenge we see right now is we’ve got a whole lot of legacy equipment out there, a lot of legacy operating systems and hardware, that it’s tantamount to driving a 1950s car that did not have airbags, that did not have safety belts, that did not have collapsible steering wheels. You can’t afford to buy a newer car with the new safety features. So even though vendors are doing more, they’re doing a better job, it’s going to take a while to transition to the safer operating systems, safer applications than we’ve seen in the past. Part of the challenge with that is some of the new technologies that are designed to help us be more collaborative — for example, instant messaging, some of the peer-to-peer activities. As we get better about securing operating systems and better about networks, people are starting to look for things, like “Oh, gee, peer-to-peer — I can start attacking that and hit instant messenger,” for example. Now people are using it for business reasons.

ITB: What led to the trustworthy computing initiative at Microsoft?

HS: I think it was a couple of things. The CTO, Craig Mundie, and I were talking about the security of our enterprise, and of course back in the year 2000 even Microsoft was the victim of a hack, even though we were doing a lot of things right. It turned out it was an external system which was insecure and it led to someone’s ability to come inside a corporate network. So the idea of having firewalls and all the other protections to keep someone out that came in appearing to be a legitimate user. And that’s what many companies have experienced. Most of the hacks we see are run that way, as a matter of fact. So, consequently, it was recognized, well, if the company with the IT resources that Microsoft has could be subject to that, can you imagine the people that had less expertise? So therefore it was decided to create the trustworthy security group and make that a company-wide priority.

And once again, just to be fair, it wasn’t only Microsoft. That just happened to be the one we were personally involved in. At the same time, Mary Ann Davidson from Oracle, who’s the chief security officer there, who runs the product security component, (did the same). Many of us were meeting and talking at the time about how there was no competition between us as security officers; it was all about “How can we make not only our own specific companies more secure, but how can we make the infrastructure more secure as well?”

ITB: Do you think there needs to be legislation to make sure security is an integral part of the efforts of vendors?

HS: Well, I think to some level, particularly in the U.S., we’ve seen some movement in that direction, for example, the Gramm-Leach-Bliley Act on the banking and financial industries talks about the security of financial systems, and Sarbanes-Oxley, which was not designed to be an IT security tool. It was more around accountability — it was more around financial systems. It has indeed been translated into things relative to cyber security. So we do have the recognition. The government has created some legislation. I think overall, there’s not much the government can do to legislate these things, other than making sure the resources are available for law enforcement to successfully investigate and hold people accountable for doing these things.

Because these are not being done by corporate security people, these are being done by criminals. As long as there’s a way for a criminal to commit a crime and there’s an incentive for them to do so, they’ll continue to do it. So by putting some in jail and holding them accountable for their actions, sending a clear message, that, “Yeah, you may find someone who leaves their keys in their automobiles when they go to the shopping malls, because they forget or they weren’t thinking, or whatever, that doesn’t give you the right to go out and steal something.”

And so that’s the sort of thing the government can help in. And we’re seeing that internationally.

ITB: What kind of measures should companies put into place to guard against internal threats?

HS: Insiders always have and always will be a challenge. Number one, I think we fundamentally have to redo the way we do identity management in society. If you think about some of the recent things that have become available in the media about tapes that are becoming lost, insiders stealing tapes, ripping off bank accounts, not only domestically, but internationally as well. So these are the sorts of things that basically are successful only because we provide access to too much data for the wrong reason. For example, say you have tech support for an issue with your mobile phone, and you call tech support. Why would a help desk person need to have your Social Security number or your national ID number? Why would they need to have your date of birth, your credit card number, all of these other things? All they should know is that you’re a legitimate subscriber and here’s the level of service that you’re entitled to. We haven’t done a good job of looking forward on what people would have access to. Another example is issues around when people would open up fake businesses and then pull data down and do identity theft. That’s been going on now for almost 20 years. In 1986, when I was a policeman a lot of my first cases were like that. Because what happens is, we have a desire to aggregate data — whether it’s credit ratings or to make it easier to look things up on people legitimately. I think it was a fundamental failure to realize that this can also be used by bad guys to do bad things. So, number one, that’s what we need to do. We need to change the way we do identity management, the way we aggregate data, and only have that amount of data necessary to do, say, the tech support job or reset your password that one would need to do without providing more information than that.

ITB: So how exactly do we need to change the way we do identity management?

HS: Two-factor authentication clearly is one of the ways to go forward on this. Smart cards are one way, SecurID tokens another. Some of the companies are coming out with mobile devices, for example, where you have the one-time password with rotating numbers, so it’s also on a USB device. You can plug it into a USB device.

Now, as I think you fully realize, there is no such thing as 100 per cent security with any technology. But two-factor authentication clearly gets us to the next level.

The next piece after the strong authentication would be more granular authorization that we go to. And once again, I’ll give you a classic example. In many of the vulnerability assessments — the many security service companies — what they will do is they will walk into a company, whether it’s SMB or a large enterprise, or a government agency, as part of their testing, they’ll sit down in a conference room, plug into the network jack, and they’ll start perusing what they can get access to on the network. Often times, as a stranger, they get access to much more than they should have to begin with, but then they also have the ability to identify vulnerabilities that may exist, which oftentimes occur, identify those, exploit those, escalate privilege. And also, within a short period of time, they get access to data they shouldn’t have access to. So having very, very granular . . . and people say by the way, it’s very, very complicated to become very granular, that out of the 150 resources within a corporation, I can only have access to ten of ’em. That’s difficult to do. Well, it may have been at one point, but I think we’re getting much, much better about more granular authorization and resources within an IT system.

The third piece that I think we really, really need to take a strong look at, is encryption. I got some new eyeglasses last year — it was a little local eyeglass shop. I got a letter from them saying “We regret to inform you that your identity may be at risk because our computer system was stolen in a burglary.” It was a standalone PC, not networked to anything, but it still had my credit card information, my medical ID number, all these other things. My first question to them was, “Did you have any encryption on that so people couldn’t get access to it?” And, of course, the question was, “What’s encryption, and why would we need that?”

ITB: So when you talk about two-factor encryption, are you talking about just employees, or citizens as well?

HS: Society in general. And that’s one of the things that I think we really need to accelerate. If you look at some of the countries in Europe that are basically issuing smart cards as part of their national ID, some of the financial institutions are mandating that in order to do online banking, you must do two-factor authentication. These are situations where normal citizens doing normal online transactions are using them and doing it successfully.

ITB: What about people who would express concerns about privacy?

HS: Clearly, by using strong authentication, you do as much for better privacy than you do for security. The classic example is when one uses a user ID and password, and say that user ID and password is compromised. That’s not a hard thing to do anymore, whether it’s spyware or key loggers. Once you get access to a person’s user ID and password, then the bad guys will try all the different online e-commerce sites, they’ll try the ISP sites. They’ll keep using the user ID and passwords on multiple sites till they find out what they can about you. And invariably, they can wind up finding out a great deal of information.

So, consequently, two-factor authentication would help reduce the likelihood of privacy violation as well, as will encryption.

ITB: What have you learned from past mistakes?

HS: I think the biggest mistake that any of us in security have ever made is trying to sell security as a black and white issue, that basically, either you do this or bad things are going to happen to you. Because what happens is, particularly in the early days, a lot of executives, when something bad didn’t happen, they would say, “OK, you’ve been telling me that if we didn’t buy this antivirus software, we were going to lose our reputation in the industry. We had a virus come into the system, it took us seven hours to get rid of it, but we’re still doing good.” Clearly that’s an issue where talking about the sky is falling doesn’t help. So that’s one issue. The other one is basically not working with the business units as much as you should. Understanding what the business needs are and how you can help facilitate the business unit work, as opposed to saying, “No, you can’t do this because bad things are going to happen.” Clearly, those are the two biggest lessons that I’ve learned.

And the third piece is, there used to be a time where we in security would view security as something that you had to either do it my way or you shouldn’t be doing it at all. And clearly you have to learn that you really have to operationalize security — where security, particularly the security executive’s role is more about setting strategy, policy and not so much doing the day-to-day work, which the IT folks are very, very good at doing.

Comment: info@itbusiness.ca
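The "one-time password with rotating numbers" Schmidt describes is, in today's terms, HOTP (RFC 4226) and its clock-driven variant TOTP (RFC 6238): token and server share a secret, and each displayed code is a truncated HMAC over a counter that only ever moves forward. The block below is an added example in Python, not code from the interview or from ITBusiness.ca. It uses the reference secret from RFC 4226 Appendix D as constructed input; the five-counter look-ahead window and the one-step clock skew in the verifiers are policy choices assumed for the example, not anything the interview specifies.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 Appendix D reference secret, used here purely as constructed test input.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int, window: int = 5) -> Optional[int]:
    """Server-side HOTP check with a resynchronization window (window size is an assumption).

    Tries counters last_counter+1 .. last_counter+window and returns the first that matches,
    which the caller must persist as the new last_counter; returns None on failure.
    Counters at or below last_counter are never tried, so a code captured by a keylogger
    cannot be replayed, and the comparison is constant-time so wrong digits do not leak
    through timing."""
    for candidate in range(last_counter + 1, last_counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """TOTP check tolerating `skew` steps of clock drift on either side (skew is an assumption)."""
    base = unix_time // step
    return any(hmac.compare_digest(hotp(secret, base + d, digits), submitted)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    # Token side: the codes a hardware token would show for its first three presses.
    for c in range(3):
        print(f"counter {c}: {hotp(RFC4226_SECRET, c)}")
    # Server side: the user pressed the token twice before logging in, so counter 2 is accepted...
    print("accepted at counter", verify_hotp(RFC4226_SECRET, "359152", last_counter=0))
    # ...but the same code is refused once counter 2 has been consumed.
    print("replay accepted?", verify_hotp(RFC4226_SECRET, "359152", last_counter=2))
    print("current TOTP:", totp(RFC4226_SECRET, int(time.time())))
```

What makes this a second factor rather than a second password lives in verify_hotp: a counter at or below the last accepted one is never retried, so a code harvested by spyware or a keylogger (the scenario Schmidt describes) is worthless after its single use. The window exists only because a user may press the token without logging in; keep it small, since every extra counter widens the guessing surface, and store the last accepted counter durably or the replay protection disappears on restart.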

Bank Frauds in India

Bank Frauds - A Chronic Disease
Some relevant issues to tackle bank frauds: an INDIA FORENSIC approach.
by Anuradha A. Pujari

All the major operational areas in banking represent a good opportunity for fraudsters with growing incidence being reported under deposit, loan and inter-branch accounting transactions, including remittances.

A broad analysis of various frauds that have taken place points to the following high-risk areas:
  1. Misappropriation of cash by dodging accounts.
  2. Unauthorized withdrawals or transfers of funds, mostly from long-dormant accounts. These frauds also involve forgery.
  3. Opening of fictitious accounts to misappropriate funds from illegal activities, i.e. laundering through the fictitious accounts.
  4. Use of interbank clearing for accommodation, kite flying (cheque kiting) and misappropriation.
  5. Cheating in foreign exchange transactions by flouting exchange control provisions.
  6. Overvaluation of securities and tampering with security documents, which has led to many of the co-operative bank failures in the recent past.
  7. Fraud in collusion with bank staff in emerging areas and services in the computerized environment.

Frauds take place in a financial system only when safeguards and procedural checks are inadequate or when they are not scrupulously adhered to, leaving the system vulnerable to the perpetrators. Anecdotal evidence shows that whether the agency or individual committing the fraud works for the bank or deals with it, the culprit does careful planning before he attacks the system at its most vulnerable point.

The most effective defense banks can have against fraud is to strengthen their operational practices, procedures, controls and review systems so that all fraud-prone areas are fully sanitized against internal or external breaches. However, the huge expansion in banking transactions that followed the transition to mass banking, together with large-scale computerization, has played a major role in the perpetration of frauds. Hence internal controls alone cannot be relied upon.

Expect fraud. Anticipating fraud requires formal training in thinking along the lines of the guidelines set out here. Nowhere in the world can fraud be avoided entirely, and banks are no exception. It is human nature to take the risk of committing fraud when a suitable opportunity presents itself, so it is wise to expect fraud to occur. Classifying the different fraud schemes gives a broad picture of the schemes possible in the country; unfortunately no Indian body does this work. If fraud is expected, effort can be concentrated on the areas that are fraud-prone. Fraud is a game of two sides, the rule makers and the rule breakers, and whoever is stronger at anticipating situations wins. Fraud is a phenomenon that cannot be eliminated, but it can be managed.

Develop a fraud policy. The policy should be written and distributed to all employees, borrowers and depositors; this puts a potential fraudster on notice. Maintain zero tolerance for violations. Indian banks need to publicize the action taken against fraudsters, with media publicity at all levels. The announcement by US President George W. Bush that "corporate crooks will not be spared" had a deep impact on corporate America. In India too we need to treat fraud as a severe problem and fight against it.

Assess risk. Look at the ways fraud can happen in the organization. It is very important to study the trend and style of frauds in the bank. The Basel-II accord deals with the assessment of various kinds of risk. Some of the big nationalized banks in India maintain databases of the fraud cases reported in their banks, but these databases are dumb: they yield nothing unless they are analyzed effectively. Establish regular fraud-detection procedures, whether in the form of internal audit or of inspections. These procedures alone discourage employees from committing fraud. In addition, the Institute of Chartered Accountants of India has issued an Accounting and Assurance Standard on internal controls, which is a practical guideline for testing them. Controls break down because people affect them and because circumstances change.

Segregate duties in critical areas. It is the most basic principle of auditing that a single person should not control both the books of accounts and the physical asset, because that is the scenario that tempts an employee to commit fraud. Hence it is essential that no one employee is able to initiate and complete a critical transaction without involving someone else. Most banks in India have well-defined authorization procedures, and the allocation of sanctioning limits is observed in most cases. But bankers still violate their authority easily: they need only collude with outside parties. However, detection of such collusion is possible in most cases if the higher authorities are willing to dig into the frauds.
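The maker-checker rule in the paragraph above (no single employee initiates and completes a critical transaction, and approvals stay within sanctioning limits) can be enforced in software rather than left to procedure. The Python ledger below is an added example, not code from the article or from any Indian bank: the officers, their sanction limits and the payment amounts are constructed figures, and the collusion check at the end illustrates how the audit trail the paragraph calls for makes repeated maker/checker pairings visible, which is the detection the paragraph says is possible when higher authorities dig in.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Officer:
    user_id: str
    sanction_limit: int   # largest single amount this officer may approve (constructed figure)


@dataclass
class Payment:
    payment_id: str
    amount: int
    maker: str                      # officer who initiated the transaction
    checker: Optional[str] = None   # officer who released it, once approved
    status: str = "pending"         # stays "pending" until a valid checker approves


class DualControlLedger:
    """Maker-checker control for critical transactions.

    A payment is released only when an officer other than the one who initiated it
    approves it, and only if that officer's sanction limit covers the amount. Every
    decision, including rejected attempts, goes to an append-only audit trail that
    records both identities, which is what later collusion analysis needs."""

    def __init__(self, officers: List[Officer]):
        self.officers: Dict[str, Officer] = {o.user_id: o for o in officers}
        self.payments: Dict[str, Payment] = {}
        # (event, payment_id, officer, amount, note)
        self.audit: List[Tuple[str, str, str, int, str]] = []

    def initiate(self, maker: str, payment_id: str, amount: int) -> Tuple[bool, str]:
        if maker not in self.officers:
            return False, "unknown officer"
        if amount <= 0:
            return False, "amount must be positive"
        if payment_id in self.payments:
            return False, "duplicate payment id"
        self.payments[payment_id] = Payment(payment_id, amount, maker)
        self.audit.append(("initiate", payment_id, maker, amount, "pending"))
        return True, "pending"

    def approve(self, checker: str, payment_id: str) -> Tuple[bool, str]:
        p = self.payments.get(payment_id)
        if p is None or p.status != "pending":
            return False, "no pending payment"
        officer = self.officers.get(checker)
        if officer is None:
            return False, "unknown officer"
        if checker == p.maker:
            # The core segregation rule: the maker can never be the checker.
            self.audit.append(("reject", payment_id, checker, p.amount, "self-approval"))
            return False, "maker cannot approve own transaction"
        if p.amount > officer.sanction_limit:
            # Sanctioning limits are enforced on the approver, not just documented.
            self.audit.append(("reject", payment_id, checker, p.amount, "over sanction limit"))
            return False, "amount exceeds checker's sanction limit"
        p.checker = checker
        p.status = "released"
        self.audit.append(("release", payment_id, checker, p.amount, f"maker={p.maker}"))
        return True, "released"

    def frequent_pairs(self, min_count: int) -> List[Tuple[str, str]]:
        """Maker/checker pairs that released at least min_count payments together.
        Dual control cannot stop a colluding pair; the audit trail is what lets
        reviewers spot one."""
        pairs = Counter((p.maker, p.checker)
                        for p in self.payments.values() if p.status == "released")
        return sorted(pair for pair, n in pairs.items() if n >= min_count)


if __name__ == "__main__":
    ledger = DualControlLedger([Officer("clerk1", 100_000),
                                Officer("clerk2", 100_000),
                                Officer("manager", 1_000_000)])
    print(ledger.initiate("clerk1", "P1", 500_000))   # (True, 'pending')
    print(ledger.approve("clerk1", "P1"))             # self-approval refused
    print(ledger.approve("clerk2", "P1"))             # clerk2 is below the sanction limit
    print(ledger.approve("manager", "P1"))            # (True, 'released')
    for event in ledger.audit:
        print(event)
```

The control deliberately leaves a payment pending after a rejected approval so that a legitimate checker can still act, but it records the rejected attempt: a run of self-approval attempts by one officer is itself a signal worth reviewing. Dual control does nothing against a maker and checker who collude, which is why frequent_pairs looks at who releases with whom; in a real bank that query would run over the core banking system's audit log rather than an in-memory list.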

Maintain the tone of ethics at the top. Subordinates tend to follow their superiors. When signals about unethical behavior by top management reach middle management, the fear of punishment is reduced and the tendency to follow the superior dominates. Fear vanishes once the attitude "if I have to go down, I'll take my superior down with me" takes hold.

Review and enforce password security. Incidents of hacking and phishing have troubled Indian private-sector banks to a great extent. In addition, most Indian banks are racing to issue ATM and credit cards to compete with each other, but have conveniently forgotten that ATM and credit cards are among the best tools available to fraudsters. Inappropriate system access makes it possible to steal large amounts of money very quickly and, in many cases, without detection. Hence review and enforcement of the security policy is going to be crucial.

Promote a whistle-blowing culture. Many fraud surveys have shown that frauds are unearthed by tips from insiders, or sometimes outsiders; internal audits and internal controls come much later. The message about contacting the vigilance officers is displayed in most branch premises, but ethics lines are very rarely seen. An ethics line is a help line for employees or well-wishers of the bank that tells them whether a particular activity constitutes a fraud or not.

Conduct pre-employment screening. Since the raw material of banks is cash, a banker needs to be more alert than any other employer before recruiting. Testing a candidate's aptitude alone is of no use: know whom you are hiring. More than 20 percent of resumes contain false statements, and most employers will only confirm dates of employment. Post-employment circumstances can also create greed in an employee's mind, so bankers should at least spot-check the integrity of their subordinates with real-life scenarios, such as having a dummy borrower call and offer a bribe.

Screen and monitor borrowers. Bad borrowers cause the biggest losses to banks. Who are they, and who do they represent themselves to be? Look at their ownership, clients, references and litigation history. In many cases potential fraudsters have a history of defaulting at some other bank or financial institution. The more realistic approach is to maintain centralized databases of defaulters and the properties they have offered as security, which would give banks easy access to the list of defaulters and could in turn be used in decisions on disbursements and all other issues.

This ten-fold approach to combating fraud is an endeavor to reduce the operational risk of banks in the wake of the coming Basel-II norms. These norms identify operational risk as one of the biggest threats to the progress of the banking sector. Complying with them yields definite results.

Mumbai BPO cyber sex pictures

Courtesy: Hemal Ashar / Mid-Day

Mumbai, Jun 11: Sleazy photographs taken by a strategically-placed camera in a leading Business Process Outsourcing (BPO) unit have put the call centre in a quandary about how to react.

The call centre (whose name is being withheld) says it is looking at legal options about how to tackle the photographs doing rounds on the Internet as the sex pictures have their company name above them.

They show a couple having sex in an office cubicle with the headline: ‘Caught red-handed at’ and the BPO’s name. Text accompanying these pictures also admonishes: Indian Office Environment: Careful.

What can be seen

In the photographs, the woman is wearing a brown salwar-kameez and the man is wearing a white shirt and black trousers.

There are eight photographs, the first of which shows the couple kissing after which the series gets progressively more explicit.

The call centre mentioned is a very prominent one with branches in Gurgaon, Mumbai, the Philippines and Bangalore. The centre was taken over by a multinational company in 2004 and currently has 10,000 employees, making it one of India’s largest BPOs.

Call centre reacts

The Mumbai branch is located in the city’s call centre hub in Malad.

Says a spokesperson from the BPO, “We are aware that these photographs have been posted on the Internet stating that they have been taken at our company. We deny that this has ever happened at any of our branches.

Also, the couple shown in the picture are not our employees and do not have any connection with the company. We just hope this dies a natural death.”

An employee stated, “This may be an attempt to discredit call centres at a time when India is becoming a major player in the sector. This is purely spam mail and has no credibility at all.”

What can a company do in a case like this?

Dr S Apranti, DCP, cyber crime cell, Mumbai police says, “In cases like this, one has to file a complaint with the cyber crime cell and the cell swings into immediate action. We will find out who has been sending these emails, connect the man with the machine and take action after that."

Cyber laws of India are 98% perfect says Government

Foolproof Cyber laws on par with global standards
Wednesday, June 08, 2005

BANGALORE: Cyber laws in India will soon be brought on par with global standards and made nearly foolproof.

A group of law firms in India, the U.S. and the UK, commissioned by Nasscom to take a close look at the cyber regulations in all three countries and the kinds of data security violations reported, has submitted its recommendations.

The objective of the exercise was to ascertain to what extent Indian cyber laws provided protection against cyber violations.

The comparative study found that the four major Indian regulations, the Indian Penal Code, the IT Act, the Contracts Act and the Consumer Protection Act, already address 98 percent of all “committable” cyber crimes.

Nasscom has recommended a couple of amendments to the existing IT Act and IPC frameworks to the ministry of information technology. Nasscom submitted its recommendations two weeks ago to the ministry of IT, which is now expected to work with the ministry of law to make the required amendments to the IPC.

Nasscom has a problem of sorts at hand: technology changes frequently and so do crime techniques, hence Nasscom has recommended that the ministry of IT set up an expert committee to review the IT Act on an annual basis.

Ovum on: CITIGROUP'S CUSTOMER DATA LOSS


Citigroup said earlier this week that data tapes containing credit information on 3.9m of its customers have gone missing while in transit with UPS to a credit bureau. The data contains customer names, Social Security numbers and payment history information. Citigroup is writing to the affected customers, who are all in the US.
David Bradshaw, Principal Analyst and Practice Leader (CRM) and Graham Titterington, Principal Analyst, comment:

Comment: "Just when you thought that all the security problems that banks face came from the internet, up pops this news to show that data-security problems exist just as much in the physical world.

What next, will people start stealing money from bank branches? Seriously, it seems odd that banks don't use secure delivery services that take into account the fact that people might want to steal data. It reminds us of people who refuse to buy things from Amazon because the Internet isn't secure, but who'll happily hand over their credit card to a restaurant waiter they don't know.

Actually, the biggest security threat on the Internet is not the hacking of interactive transactions, but rather the risk that hackers will hack into merchants' customer databases, thereby harvesting thousands of customer records and credit card details in one swipe. The irony is that these databases may contain customer records for offline as well as online customers. And even merchants with no online sales may have hackable databases, so customers who avoid shopping on the Internet are still at risk. There's no easy solution. "

Ukrainians hacked my VISA credit card

Credit card frauds, an interview with Vladimir Golubev
Date: June 03, 2005
Source: Computer Crime Research Center
By: Vladimir Golubev

Roman, the victim, told us about this remarkable case. He is a manager with one of the big companies here in Zaporozhye, Ukraine. His company had a salary-card contract with bank A: employees have personal card accounts and receive their wages through ATMs on VISA Classic cards of the international payment system. Roman also used mobile-banking services: whenever a transaction occurs on his account, a notification is sent immediately to his GSM phone via SMS.

Roman told CCRC it happened on February 6th, 2005. That Sunday evening he and his wife were at home receiving guests when Roman got an SMS saying that $300 had been withdrawn from his account. A minute later he received another message: another $300 was gone. The third message notified him of a further request for $300, which was not carried out due to insufficient funds in the account. His wife also had a supplementary card on the same account. Roman’s first thought was that the cards had been stolen, but they found all their cards. The SMS also stated where the withdrawals were made: an ATM of Privatbank.

Without losing any time Roman dialed bank A’s hotline. Bank personnel confirmed the cash disbursement of $600 and said that, according to their records, his wife’s Visa card had been used to withdraw the money. Bank officials recommended that he turn to bank A’s central office in Kiev, the capital of Ukraine.

The next day Roman went to bank A’s central office in Kiev, where he filed an application and canceled the supplementary card. He was told that the bank’s security service would carry out an investigation and take certain measures. What is most interesting is that Roman travels a great deal all over Ukraine, paying with the card in shops and withdrawing money from ATMs in different cities, so it is far more likely that his card could have been copied than his wife’s. His wife was a housewife who used her card at only two or three ATMs, and no one knew she had access to the account.

The bank was silent for the next month. Roman spent quite a sum on phone calls to Kiev with no result; he was only told that the bank’s security service was engaged in the case. It later turned out that the case materials had been sent to the local Zaporozhye bank office. He received no answers other than an endless “will you call back tomorrow?”

In the middle of March the bank security service of the Zaporozhye office phoned Roman and told him that they were not competent to handle it: such a case was new to them, and all they could do was pass the case to the police. At the end of the conversation the bank officials let slip that there had been a certain scandal in the Visa payment system: an alleged leak of data had occurred, someone supposedly could have obtained access to card accounts, and Roman was not the only victim. Police officers at the regional police department did not promise much; they only said that if they found the person, it would be possible to recover the money. The bank dropped out of the game. The police argued that Roman was the owner of the account, so the money had been stolen from him.

Here are a few comments on the case by Dr. Vladimir Golubev, director of the CCRC.

Q: Vladimir, you seem to deal with plenty of such cases. Can you explain the case to us?

A: It will be clear if you carry over everything that happens to you in real life to the virtual world. How do people get robbed in the street? People are robbed on the Internet the same way. Criminals just use IT instead of a knife or a cudgel. Virtual criminals use the same schemes. The Internet, being an open and global information system, is not entirely adapted to the services our banks have acquired. Criminals will always be around where they catch the smell of money.
Thus information is stolen, money in bank accounts is stolen, websites are hacked, and technical espionage and information war are carried out.

Q: What is carding?

A: Carding is not just a bunch of swindlers with plastic cards; it is a well-organized criminal community. They have special websites, blogs and forums, where newcomers train and pros exchange useful information. Anyone can learn how it is organized from their sites.

There are many ways of carding. It is credit card fraud, and the carder is the player in such fraud. It is hard to get PIN codes from real cards, though it is possible. Carders use a wide range of tools, such as PIN MasterCard, PIN Visa card and other systems. They can also resort to external video monitoring of ATMs and key-logging devices. Finally, criminals could simply peep at your PIN code over your shoulder.

Q: How did they get the card?

A: It is a sure thing. Carders often use so-called “white plastic”: a forged blank payment card with a magnetic stripe and nothing printed on it. All the data from the real card is written to this magnetic stripe, so the criminal can use it only at an ATM. Salary cards are usually of no interest to criminals; they prefer credit cards with an overdraft option on the holder’s account.

There is a certain risk that the data on the card could be read while paying for goods in shops. It is easy to make a slip, a copy of the card. There are also pocket devices designed to make an imprint of the card in a moment, from which criminals then create a copy.

Q: Bank insiders could also be involved in this case, couldn't they?

A: We can’t rule this out. I will tell you more: in 70% of frauds with payment cards, a former or current employee of the bank is involved with the criminal group. Here in Zaporozhye, Ukraine, we had a case last year when a former bank official tried to transfer $1 million from the account of a local company.

Q: What is the scale of carding in Ukraine? Are there any official statistics?

A: I brought up the question of statistics at one of the latest conferences, where employees of the National Bank of Ukraine were present. One of their officials said there were no such statistics and never would be. Bankers are not interested in divulging their incompetence to the public. That is why we call such crimes latent.

Q: It is much more complicated to cope with hidden threats. So I would like to know the rights of victims.

A: I believe that in each specific case the bank should carry out an investigation and also compensate the victim for the damage if carding is proved. And it is a point of honor for the police to find and punish the criminal and then to pay damages to the bank.

What is more, everything that the bank should and should not do is laid down in a contract signed by both the bank and the client.

By the way, having read some blank contracts, we were surprised to find the following clause:

“The bank is not responsible for any operations performed with the payment card by third parties, or for any money transfers performed using lost or stolen cards until the bank receives notice of the loss. Such risks and responsibilities are borne by the client.”

Unfortunately this clause is typical of every contract. A carder who hacked the system and stole money could have been that third party.

But I still believe that Visa is much more likely to have been compromised than the bank. Such a case could have happened to any Visa holder.

Q: Then Visa is not so reliable if it was hacked, right?

A: The point is that protection and hacking are an everlasting contest of intelligence. Thus, if the security system was hacked today, tomorrow this flaw will be fixed. In any case, every bank has its own security policy. I think such precedents will make officials draw certain conclusions about information security. However, it doesn’t mean that there will be no break-ins tomorrow.

Here are some recommendations for plastic card holders:

• Ask about an insurance policy when you purchase a card. Always take the insurance. Most likely, the fee for this service has already been paid.

• Never write the PIN code on the card.

• Never store a written-down PIN code together with the card. Learn the code by heart and do not store it in written form at all.

• Sign the back of the card as soon as you receive it.

• Never hand your card over to another person. If necessary, it is possible to issue, for example, a family card.

• Never tell anybody your PIN code. No one (bank employees, ATM service staff, an inspector) has the right to demand it.

• Do not leave the card unattended, for example in the machine, on a restaurant table and so forth.

• Never read your card number out over the phone. You do not know how many people will hear your conversation, or whether one of them might use the number for their own gain.

• If the card is lost, report it immediately. If you have lost a debit card, call the bank that issued it. If you have lost a credit card, you must inform both the payment system's representatives and the issuing bank.

• Check the movements of money on your card account at least once a month. Pay special attention to transactions after trips on which you used the card.

Safety precautions at a cash dispenser (ATM):

• Try not to use an ATM in deserted places or in places with large crowds. In a deserted place you become too vulnerable a target for robbery; in a crowd you cannot be confident that nobody will see the PIN code you enter.

• Do not allow bystanders to see the PIN code you enter. Quite possibly you will afterwards discover the loss of the card, and a little later the loss of money from your card account.

• Do not make mistakes when entering the PIN code. The ATM will retain your card after three incorrect entries.

• Be quick when using an ATM. A certain time (30-45 seconds) is allowed for each operation. If the operation is not completed within that time, at best the ATM will return your card; at worst it will retain it.

• Check whether you have taken everything from the ATM. After finishing an operation you should have: the card, the money, and a receipt for the operation performed. If something is missing and the ATM gave you no additional information, something is wrong; you may be about to fall victim to swindlers. Do not trust anybody at an ATM, even if that person is dressed in the uniform of the ATM service staff.

• Always keep the receipts issued by the ATM. They will allow you to keep track of the money withdrawn and to monitor the debits from your account.

• Do not show anybody the wallet and money you have received from an ATM. It is not necessary to count the money in front of the ATM. The machine does not make mistakes, and if it does, it will not give you any intelligible answer.

Safety precautions when paying by card in a shop, restaurant, etc.:

• Never let the card out of your sight. It is access to your money. Imagine that you hand the cashier or the waiter all the money in your account and ask him to take as much as is needed.

• Never sign more than three checks (sales slips) when paying without a POS terminal. Your signature on the check is consent to debit the specified sum from your card account. Where you pay by card without a POS terminal, the first check stays with the organization, the second is sent by that organization to the bank, and the third stays with you as confirmation of the operation performed.

• Never sign a check on which the sum is not specified. By signing such a check you make it possible to debit more money from your account than is necessary.

• Cross out all empty fields after signing the check. This removes the cashier's temptation to enter something extra there.

• Demand cancellation of the check if it was filled in incorrectly.

Safety precautions when paying by card on the Internet:

• Do not leave your personal and card data on unknown sites. Take an interest in relevant discussion forums. Look up where the organization you are going to pay is located. If there is no address, or you do not trust it, think about whether it is worth paying at all.

• Do not use a card on which you keep large sums of money for payments on the Internet. It is better to get a separate card for that purpose.

• Pay attention to the various certificates confirming the security of payments through the given site.

• Contact the bank at the slightest suspicion of a wrongful debit from your account. You have a certain period in which to refuse or dispute a wrongful debit from your card account. The length of this period should be specified by the bank that issued your card.

Sarbanes-Oxley for India. NOW !!

Security theft opens market for IT workers
By Charlie Anderson
The Business Journal of Kansas City
Updated: 8:00 p.m. ET June 12, 2005

Kris Drent leaps out of his seat and throws his body against a conference room door like a power forward boxing out an opponent for a rebound.

Drent, co-founder of Security PS Inc., actually is impersonating a CFO from a previous engagement. It was that finance chief's way of saying: "Nothing leaves this room."

Thus is the life of an information security professional, a cadre whose profile rises with each new revelation of data theft or loss, such as those reported by ChoicePoint Inc., Bank of America and CitiFinancial Inc. Fear of a breach in data security drives companies to pay people like Drent as much as $225 an hour to hack their corporate networks and expose holes that need plugging.

"As you can tell," Drent said, "we obviously love what we do."

There's demand for more like him. The number of information security techs is expected to double worldwide, from 1.1 million in 2003 to 2.2 million in 2008, according to a study commissioned by the International Information Systems Security Certification Consortium, which certifies security professionals.

It's unclear how many security techs work locally, but evidence suggests that the number is increasing.

That's good news for a tech work force that has been downsized, outsourced and dot-bombed in the past few years. It also provides a sexier career track for IT professionals who have grown weary of installing software for a living.

"It's intriguing," said Jody Brazil, vice president of FishNet Security Inc. "There's that James Bond appeal."

FishNet may be the best local example of the boom. The nine-year-old firm consults with corporate and government clients on IT security plans and then sells hardware and software to protect networks from attacks.

The company has grown to 110 employees nationwide -- 60 in Kansas City -- and reported revenue of $44.5 million in 2004. FishNet raised $12 million in equity investment earlier this year, and founder Gary Fish has said that he hopes to take the closely held firm public within three years.

Smaller companies, such as Security PS and Archer Technologies LLC, both of Overland Park, have sprouted up since 2000 with a singular focus on IT security.

Then there are the big accounting and consulting firms, such as Ernst & Young LLP, that are rapidly hiring security professionals to beef up their Sarbanes-Oxley Act compliance teams.

Archer Technologies CEO Jon Darbyshire ran Ernst & Young's national security practice from Kansas City before starting his software company. He said that in four years, Ernst & Young's security practice grew from zero to 1,500 people nationwide.

"We were bringing in 300, 400 people a year," Darbyshire said.

And that was before Sarbanes-Oxley, which requires CEOs and CFOs of public companies to sign off on the integrity of their companies' financial reporting systems. Most interpret this as including the security, as well as the accuracy, of financial data.

Companies don't want to be the next one in the string of headlines about data breaches, said Stephen Gillilan, an adjunct professor at the Keller Graduate School of Management at DeVry University. A California law requires notification after a breach; a national disclosure law is being discussed in Washington.

"Security is getting baked into everything now," Gillilan said.

The primary reason for heightened security awareness is the increased risk for companies doing business on the Internet.

Banks offer online bank statements, hospitals offer online billing, and retailers take credit cards on the Web. A decade ago, this data wasn't floating around cyberspace, where skilled criminals could pick it off.

At a local bank that he won't name, Drent said he was able to pull off something called "session-thefting," in which he jumped into someone else's online access to an internal system.

"I did a few things and became CFO of the company," he said.

That's chilling news for the software development community, which has seen its reputation sullied by such easy hacking of programs.

"I think we are doing a disservice if we don't teach security," said Deep Medhi, a University of Missouri-Kansas City professor of computer science from India.

Based on the job prospects for the sector, students may demand classes in security.
© 2005 The Business Journal of Kansas City.

Slashdot: Smart Card Hacking

Who says smart cards can't be hacked? Apparently all you need is a $50 oscilloscope. ;-) rol..

Smart-Card Hacking?
Hardware Hacking
Privacy
Posted by Cliff on Saturday June 18, @11:45AM
from the what-exactly-do-they-put-on-these-things dept.
W3bbo asks: "With the ever-increasing information being stored on so-called 'Smart-Cards', including credit cards with the chips, how do we know what data is read by stores when you hand over your plastic? Searching for 'smart-card hacking' just turns up satellite TV piracy websites and virtually nothing for (sort-of) legitimate investigation to our cards. So what methods are available to hack smart-card chips and see what information about us our banks store on our cards?"
it's called carding... (Score:4, Informative)
by da5idnetlimit.com (410908) on Saturday June 18, @11:56AM (#12851204)
(http://www.jadwio.com/ | Last Journal: Saturday October 30, @06:54PM)
so have a few searches on this term
http://www.kallipse.com/creaweb/galaad/carding.php [kallipse.com]

Also there is an open source project devoted to reading cards and chips, don't remember the name right now...

Was on slashdot, so have a check 8)

Re:it's called carding... (Score:5, Informative)
by Mattcelt (454751) on Saturday June 18, @12:56PM (#12851533)
(http://www.emprecords.com/)
One of the original smart card hacks was done by Ben Jun, Paul Kocher, and Joshua Jaffe, the guys at Cryptography Research [cryptography.com], using a technique called "Differential Power Analysis" which they did with a $50 HP oscilloscope to extract the private key stored on a smart card. You can find the white paper here. [cryptography.com]

Kind of Esoteric, But... (Score:5, Informative)
by fuzzybunny (112938) on Saturday June 18, @11:56AM (#12851205)
(http://www.zog.net/ | Last Journal: Friday December 12, @08:21AM)
The best way to learn is to latch onto someone who really knows their stuff (which is what I did on a previous project.) If you don't have that luxury, start looking at vendor pages (Schlumberger, ActivCard, Siemens, Utimaco, Gemplus, etc.) and chipset manufacturers (Infineon, Sagem or Giesecke & Devrient for example.)

Depending on how far down you want to dig (do you want to learn about applications? Circuit design? Interfaces? Security issues?) you should probably browse around related manufacturers' pages and related newsgroups. A good example would be looking at PKCS#11-related docs, Entrust implementation docs, the Javacard specifications, how Javacards differ from other implementations, docs on "Open Platform", types of card readers (class 1 through class 4, what is "middleware", how hardware key storage works, etc.)

A lot of card-related documentation and information is strongly vendor-specific, poorly documented and, to be honest, largely irrelevant for someone who wants to learn about it in a not-too-hardcore manner.

If you're professionally seriously interested, I recommend talking to one of the serious pros, such as Jerome Ajdenbaum [iteon.net] who really know their stuff. For starters, though, a quick google search on "smart card" +documentation turned up a number of good results, including from Microsoft [microsoft.com] (whose card interface for many manufacturers and variants is surprisingly well-written), Java card docs from Sun [java.sun.com], and the Open Card [opencard.org] platform.
Re:Kind of Esoteric, But... (Score:5, Informative)
by swillden (191260) * on Saturday June 18, @01:05PM (#12851572)

Along with PKCS#11 and Javacard, you should be looking at all the ISO 7816 specifications for technical information.

The ISO 7816 specs are generally not free. You buy them from your national standards body, which in the US is ANSI. It'll cost around $150-$200 to buy the whole set from ANSI.

However, much of the content of the 7816 documents is replicated in the EMV specifications. EMV stands for Europay Mastercard Visa and is a consortium for establishing smart card banking standards, so if you're interested in looking at your bank card chip, that's the more relevant set of documents anyway. You can find all of the EMV documents on-line, free, at the EMVCo web site [emvco.com]. You may still have to acquire some of the 7816 specs (parts 3 and 4 are probably the most important), but the EMV docs contain most of what you need. Word of warning: be prepared to plow through a lot of material. Smart card technology has acquired a lot of complexity through 30 years of incremental enhancements.

Who else finds it funny... (Score:2, Funny)
by Toby_Tyke (797359) on Saturday June 18, @12:21PM (#12851347)
(Last Journal: Monday May 02, @02:43AM)
That the story below this one is "Security Breach Exposes 40M Credit Cards" ?


No "sort-of" about it... (Score:2)
by Saeed al-Sahaf (665390) on Saturday June 18, @12:59PM (#12851547)
...and virtually nothing for (sort-of) legitimate investigation to our cards...

I think it's important to understand that there is no "sort-of" about it. We have every right to know what information is contained on the cards that we use. Why wouldn't we? What can there possibly be there that is none of our business?

Maybe this is too obvious... (Score:1)
by WonderSnatch (835677) on Saturday June 18, @01:34PM (#12851739)
Have you tried calling your card company?

Brett

Card security attacks (Score:4, Informative)
by brejc8 (223089) * on Saturday June 18, @01:46PM (#12851787)
(http://www.cs.man.ac.uk/~brejc8/ | Last Journal: Sunday November 16, @07:21PM)
These break down to a few different kinds:
Information leaking e.g. power analysis: observe the power consumption of a divide to determine what operations it is executing and what data it is working on. Usually these will only tell you the number of bits which are on in a particular stage. I found the ARM 6 gave a very clear signature of the result of the adder and could determine the number of on bits down to the nearest 2.
Error introduction e.g. clock glitch attack: This is an asynchronous engineer's favorite. Basically a method of inserting errors into the processor in a deterministic method. Say the processor stage calculating a compare operation is the worst case path, the attack inserts an early clock forcing the comparison to be incorrectly made. Place this in the "are the checksums correct" code. Usually though these are a little more difficult than that.
Brute force with limited tries e.g. Flash charge pump: So to crack your card it only takes as many attempts as there are pin code combinations. To stop people from just trying out the 10,000 or so combinations the card remembers how many tries you had. Before it writes something to the flash it needs to drive up a charge pump. This is visible using power analysis and at this point you cut the power and try again.

More interestingly why are these not investigated? Well because there is no money for it. The async community has been offering better methods but the companies who make the only get a tiny profit are not inclined to make them any better.
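The third category in the comment above (the retry counter that is only written after the comparison, so the charge-pump signature reveals the outcome) comes down to an ordering bug in the PIN-verification firmware. The following is an added example, not code from the Slashdot thread or from any card vendor: a host-side model of a card with the naive ordering beside the hardened one, where the "flash", the charge-pump signature and the power cut are simulated flags and the PIN values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_TRIES 3
#define PIN_LEN   4

/* Host-side model of the card. The "flash" is a plain byte; the charge-pump
 * signature and the power cut are flags, not real electronics. */
typedef struct {
    uint8_t flash_retries;  /* simulated non-volatile retry counter */
    int     cut_power;      /* scenario flag: power is removed when the pump starts */
    int     compare_ran;    /* card model: has the PIN comparison executed yet? */
} card_t;

typedef int (*verify_fn)(card_t *card, const uint8_t *candidate);

static const uint8_t STORED_PIN[PIN_LEN]  = {1, 2, 3, 4};  /* constructed */
static const uint8_t WRONG_GUESS[PIN_LEN] = {9, 9, 9, 9};  /* constructed */

/* A flash write must spin up the charge pump first; that is the moment that
 * shows on the power trace. Returns 0 if the value landed, -1 if power was
 * cut and the cell is unchanged. */
static int flash_write_retries(card_t *card, uint8_t value)
{
    if (card->cut_power)
        return -1;
    card->flash_retries = value;
    return 0;
}

/* Compare without an early exit, so the comparison's length does not depend
 * on how many leading digits matched. */
static int pin_equal(card_t *card, const uint8_t *candidate)
{
    uint8_t diff = 0;
    card->compare_ran = 1;
    for (size_t i = 0; i < PIN_LEN; i++)
        diff |= (uint8_t)(STORED_PIN[i] ^ candidate[i]);
    return diff == 0;
}

/* Naive ordering: compare, and only then record a failed attempt.
 * Return codes: 1 accepted, 0 rejected, -1 card locked. */
int verify_pin_naive(card_t *card, const uint8_t *candidate)
{
    if (card->flash_retries == 0)
        return -1;
    if (pin_equal(card, candidate)) {
        if (card->flash_retries != MAX_TRIES)
            flash_write_retries(card, MAX_TRIES);
        return 1;
    }
    /* The pump only starts on a wrong guess, so its presence on the trace
     * already gives the answer away; losing power here loses the write. */
    flash_write_retries(card, (uint8_t)(card->flash_retries - 1));
    return 0;
}

/* Hardened ordering: charge a try before looking at the candidate, refuse to
 * continue if that write did not complete, and restore the counter only
 * after a successful match. Same return codes. */
int verify_pin_hardened(card_t *card, const uint8_t *candidate)
{
    if (card->flash_retries == 0)
        return -1;
    if (flash_write_retries(card, (uint8_t)(card->flash_retries - 1)) != 0)
        return 0;  /* pump fired, power vanished: no comparison ever happened */
    if (pin_equal(card, candidate)) {
        flash_write_retries(card, MAX_TRIES);
        return 1;
    }
    return 0;
}

/* The scenario from the comment: a wrong guess is submitted, power is cut the
 * moment the pump starts, repeat. Counts guesses whose outcome was decided
 * (the comparison ran) while the stored counter never moved. */
int free_guesses(verify_fn verify, int cap)
{
    card_t card = { .flash_retries = MAX_TRIES, .cut_power = 1, .compare_ran = 0 };
    int learned = 0;
    for (int i = 0; i < cap; i++) {
        card.compare_ran = 0;
        verify(&card, WRONG_GUESS);
        if (card.flash_retries != MAX_TRIES)
            break;                      /* the attempt was recorded after all */
        if (card.compare_ran)
            learned++;
    }
    return learned;
}

int main(void)
{
    printf("naive:    %d guesses decided with the counter untouched\n",
           free_guesses(verify_pin_naive, 20));
    printf("hardened: %d guesses decided with the counter untouched\n",
           free_guesses(verify_pin_hardened, 20));
    return 0;
}
```

With the naive ordering every guess is decided before the counter is touched, so the cap is reached; with the hardened ordering no guess is ever decided unless the decrement has already landed.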

h1kari did some smart card work: (Score:1)
by undef24 (159451) on Saturday June 18, @02:19PM (#12851940)
http://www.dachb0den.com/projects/scard/smartcards.ppt [dachb0den.com]

Circuit Cellar (Score:1)
by AndroidCat (229562) on Saturday June 18, @05:14PM (#12852787)
(http://home.primus.ca/~ronsharp/)
Circuit Cellar magazine [circuitcellar.com] has articles on smart cards, RFID, etc, now and then.

MUSCLE project (Score:3, Informative)
by sgifford (9982) on Saturday June 18, @07:48PM (#12853469)
(http://www.suspectclass.com/~sgifford/)
Information from the MUSCLE smartcard-on-Linux project may be useful:

http://www.linuxnet.com/ [linuxnet.com]


Frighteningly enough (Score:2)
by Dachannien (617929) on Sunday June 19, @04:58AM (#12855287)
There may be a potential DMCA violation involved with doing this, especially if credit card company-issued smart cards contain proprietary copyrighted information on them. In any case, the threat of a lawsuit (whether it's valid or not) may be enough to silence any efforts to figure out what sorts of personally identifiable info is stored on these cards.


Re:Legitimate Investigation? (Score:3, Insightful)
by FidelCatsro (861135) on Saturday June 18, @12:45PM (#12851470)
(Last Journal: Wednesday June 15, @03:08AM)
1:) finding out what personal data is stored on your card
2:) hacker (traditional meaning) mentality, some of us just can't shake the urge to explore, discover and create.
3:) setting up your own credit card reader to go into business as a manufacturer

The real MasterCard data security story

The Irish Independent also reports that credit card giant MasterCard has sought to play down what has been called the biggest ever security breach which exposed more than 40 million cards to possible fraud.

MasterCard, which had 14 million of its credit cards accounts exposed to possible fraud, said only a small fraction of them were considered "at high risk".

But mystery still surrounds the nature of the security breach, and there is controversy over MasterCard's decision to go public about it.

MasterCard announced on Friday that the breach was traced to Atlanta-based CardSystems Solutions Inc., which processes credit card and other payments for banks and merchants.

CardSystems' chief financial officer, Michael A Brady, said his company was "blindsided" by the MasterCard release, adding that his company was told by the FBI not to release any information to the public. FBI spokeswoman Deb McCarley said they did ask CardSystems to not release details that might compromise the investigation - but denied asking the company not to disclose that the intrusion occurred.

"I'm not sure where they got that impression. It's important for the public to be warned so card holders can be more careful while checking their statements." But she declined to confirm reports that the breach was the result of internet hacking.

"I'm not going to get into details of what we have been able to determine right now," she said.

MasterCard spokeswoman Jessica Antle said only about 68,000 of its card holders are at "higher levels of risk", and should closely examine their credit or debit card accounts. Customers do not have to worry about identity theft, Antle said. "No, none at all," Antle said. "Social Security numbers, dates of birth, information like that are not stored on your credit card."

The incident appears to be the largest in a series of security breaches affecting valuable consumer data at major financial institutions and data brokers.

A few weeks ago, Citibank said it had lost the personal data on almost four million customers after delivery service UPS lost a box of tapes.

Like privacy? Beware RFID!

June 11, 2005

my view: Kelly Jones Sharp
If you like privacy, beware of RFID

Just because we can doesn't mean we should.

Manhattan Project scientists wrestled with this moral dilemma while building the atomic bombs the U.S. dropped on Japan in 1945.

Opponents of cloning, fearing a brave new world of test-tube automatons, have expressed similar sentiments.

Now, science brings us again to a moral crossroads. This time the dilemma is our privacy, and the technology in question is the radio frequency identification chip.

RFID is not new technology, but technology that is gaining momentum in a world where consumerism and terrorism rule both policy and zeitgeist. Rebranded for mass marketing as "contactless chips," RFID has wide-ranging applications and implications.

The microchips provide automatic identification of objects, animals and people. They are radio transmitters that can be as small as a grain of rice and have a transmission and detection range of less than an inch to almost 20 feet.

The "passive" type of RFID chip approved last October by the Food and Drug Administration for implant in humans has no internal power supply but gets its juice from a tag reader that enables the chip's antenna to respond with information, typically a serial identification number. These numbers lead the reader to more detailed information stored in databases.

Wal-Mart and other companies have been successfully using RFID for efficient tracking of merchandise within their supply chains. Pet adoption agencies, such as the Humane Society of Indianapolis, offer micro-chipping for dogs and cats.

Those things are fine, presuming that the chip on my Advil bottle won't be read from my medicine cabinet, and that Fluffy and Fido won't be programmed for evildoing. It's the potential for misuse and abuse of information within people applications that concerns me.

Consider some ways RFID chips are already being used. The chips are being embedded in toll road passes, library cards and ID badges. Recent applications include "contactless" credit cards and U.S. passports.

RFID also is being combined with the global positioning system (GPS) and with wireless fidelity (WiFi) for automobile fleet management and prescription drug tracking -- uses that also could be applied to people.

Some hospitals are now using RFID to tag patients for surgery and newborn babies for security.

In the case of medical records -- the use approved last fall by the FDA -- the chip contains an access code to a person's medical information and is inserted into the upper arm. The code points to databases that grant medical providers instant access to a patient's records.

It's easy to see benefits of automatic identification. No mistaking who you are. Not having to carry information. Never having to wait -- for credit approval, for medical histories or clearance to board a plane. Your preferences auto-profiled wherever you go, from the bookstore to the supermarket. It's life in the fast lane, only faster than ever.

But at what cost? Do we really want our movements tracked and our personal data scrutinized out of some intangible fears or to save a few seconds in the checkout lane?

In May, the Government Accountability Office released a report citing privacy concerns related to RFID use among 23 federal agencies. The report says, "The use of tags and databases raises important security considerations related to the confidentiality, integrity, and availability of the data on the tags, in the databases, and in how this information is being protected. Key privacy concerns include tracking an individual's movements and profiling an individual's habits, among others."

Technology does not necessarily beget security. Recently thugs hacked into LexisNexis, grabbing personal data, including Social Security numbers, on more than 310,000 people, 2,602 of them Indiana residents.

Some RFID chips are not only readable but "writeable," meaning that tag readers could alter information on them. Reader "collision" happens when two tag readers try to read the same microchip at once. Surely techno-geeks would find surreptitious reading and switching of information on RFID chips the ultimate challenge.

The slippery slopes of science always have been paved with well-intentioned scholars who pursue their ends despite the consequences. It's time we prevail on lawmakers to set limits, and on those who would exploit this technology to "do no harm."

Sharp is a writer who lives in Indianapolis. Contact her at kelly.jones.sharp@sbcglobal.net

1 million Japanese credit card data hacked.

UFJ admits customer data leak has led to theft from accounts


Personal information on Japanese credit card holders stolen from a data handling company in the U.S. has been used to steal money from some customers' accounts, UFJ Card Co. admitted Monday.

Company officials said personal information on the holders of some UFJ-Master Card joint cards was stolen when a U.S. company handling the data was hacked into.

Master Card notified UFJ Card of the identification numbers of joint cards whose information may have leaked to outsiders. UFJ subsequently checked their payment records to discover that some of the accounts had been accessed illegally.

The company has decided to replace the cards of customers whose personal information was stolen and fully compensate victims who have lost money to the thieves.

In their admission, the officials stopped short of clarifying the number of victims and the amount of money stolen, saying they are still investigating the incident.

Moreover, personal information on up to 2,500 customers of consumer credit firm Central Finance may have similarly leaked, company sources said.

A number of other companies in the industry have also received information that personal data on some of their customers may have been stolen, and are currently investigating the allegations. (Mainichi)