US Wins Gold in World Spam and Credit Card Fraud Competitions


As we’ve witnessed at the 2014 Olympics in Sochi, Russia, it is possible to be a winner without even winning a medal!  There are so many inspiring stories about athletes from all over the globe who passionately sacrifice years, time and money for the chance to compete in the Olympics.  With little chance to win any medal, these athletes still train hard and compete, giving their personal best. Without winning any medal, there are many winners – in the best sense.

Unfortunately, there are competitions where “winning” does not make a “winner”– in the best sense.  In fact winning can be evidence of not trying, of not doing the right thing, of not giving personal best. Here are two painful examples where winning is not done by winners and winning is not a cause for national pride…  And for my fellow American readers, this one is for US…

2013 Global “Spampionship”

Sophos Labs, a developer and vendor of security software and hardware headquartered in Boston and Oxford, UK, recently released its “Dirty Dozen” list – the top 12 spam producing countries for 2013.

And the Winner is — “the USA which earned the league’s top spot, generating 14.5 percent of the total spam volume sent during the last quarter of the year, giving it a clean sweep of top finishes for 2013. However, the gap to second place narrowed, with China re-emerging as a major player in the spam sending Dirty Dozen, leaping from 4.6 percent to 8.2 percent, while Russia’s spam contribution edged up from 3.0 percent in Q3 to 5.5 percent in Q4.” *

And how did the US win the “gold” as the country that generates the most spam?  Mostly by not trying – by not doing all the right things.

*http://www.sophos.com/en-us/press-office/press-releases/2014/02/dirty-dozen-spampionship-tables.aspx

US Wins the Global Daily Credit Card Fraud Competition

With only 25% of the global daily credit card transactions, the US accounts for a whopping half of the total daily global fraud activity!  That’s a blush-causing percentage for a country that is supposed to be the world’s technology leader and a trusted haven in cyber darkness.

How did the US win this inglorious “competition”?  Well, it appears one more time that the US achieved this unsavory “win” by using a strategy of not doing the right things.

The Right Things

If the common thread of these tarnished wins is not doing the right things, then it seems reasonable that doing the right things is key to relinquishing these dubious titles.  So, what are the right things?

SPAM

In the case of spam, it is important to understand that spam is sent out by computers, not by countries.

The computers that send spam are unprotected, infected computers that have silently become part of botnets – zombie armies controlled by botnet managers to accomplish cyber-crime.  As the top spamming country, the US essentially has the most infected computers!  This is not a cause for pride!

There is no excuse for this situation since there are so many effective, free anti-virus and malware programs available for home users.  Corporate computers are not exempt from blame either; if there is not a corporate IT attitude of making computers on networks bulletproof with the best ongoing security practices, then those computers can be dangerous as well.

The right thing in the case of spam is to be sure your computer is protected with current, daily updated and effective anti-virus and malware protection.  Run a boot-time scan if your anti-virus program can do so; or at least run a regular full scan.  Get a good malware protection program and regularly run a full scan with that.  Get informed.  Ask questions from qualified professionals who are informed about today’s security practices.

The right thing to do to help your country lose the gold as top spamming country is to protect your computer and keep it secure.  The right thing is to help stop cyber-crime by not contributing to it with an infected, zombie computer.

Credit/Debit Card Fraud

Currently the US uses “sign and swipe” technology for credit/debit cards.  This is an “old” technology developed in the 1960s by IBM as a security pass card.  Ironically, today this technology lacks security.  We continue to use the “sign and swipe” cards only because they are convenient to use and cheap to produce.  What we continue to ignore is that this 50-year-old technology is very easy to counterfeit and breach.  It is this choice of profit over security that keeps the US in the top fraud-producing spot.

What would be the right thing to do at this point?  The easy answer is to get a more secure technology.  France has been using one since 1992, believe it or not – the EMV “chip and pin” type card.  Gizmodo.com describes the card:  It’s a credit card that “utilizes multiple layers of security – including a computer chip in each card that stores and transmits encrypted data, as well as a unique identifier that can change with each transaction. Cardholders also enter a PIN to authorize transactions. Total fraud losses dropped by 50 percent and card counterfeiting fell by 78 percent in the first year after EMV smart cards” were introduced there.  That sounds like it was the right thing to do.

In fact, 22 years later, the US is now considering this European technology.  Visa and MasterCard have set rollout dates for this type of card by October 2015.  However, costs and a lack of clarity about who assumes liability when a breach occurs seem to underlie the reluctance to adopt better technologies — the same old same old that keeps the US as the gold standard for fraud.  Oh, did you catch the wording, “when” not “if” a breach occurs?  We have to do better!!

And, we can do better!  We can all make choices to be informed and to do the right things…   If we do, we can all be winners — in the best sense.

Are You Now A Crime Target?


This post is dedicated to alerting or even alarming all reader friends about the absolute need for CAUTION when using credit and debit cards – anywhere. If I could, I would shout from the top of the Internet Cloud — BE CAREFUL! BE CAUTIOUS! Your cards are not as safe as you think they are!

Well, that sounds a bit over-reactive, you might say. What’s bugging you, you ask? Still fretting over that Target thing way back on Black Friday, you sigh?

Guilty on all counts, I respond! If anything, I am not being reactive enough! Is something bugging me? – You bet it is! Actually I’m very bugged about what may be bugging, or hacking all of us, even as you read this! Fretting still over that Black Friday thing? Fretting doesn’t come close to what I feel as I continue to read about what really happened in the data breaches at Target, et al retailers….

I care about your security and I want you to be informed beyond the front page spin you get from the news. The retailers don’t want you to know all the scary details about their headlining data breaches because they can’t afford to lose your business. But you can’t afford to continue to do business as usual with them, because it is YOU who stands to lose the most. If you care about your safety and security, please read on…

What I want to share here are some under-reported details about the data breaches so that you can better understand your current and future threats. Then, in a coming post, I’ll try to help you learn about the new credit and debit card technologies and strategize about the realities concerning use of credit and debit cards.

Target Black Friday Data Breach

Please realize that Target thing was bigger than first reported! At Target alone, “instead of affecting approximately 40 million of their guests, Target now fears that the security breach could ultimately affect approximately 110 million people…. It turns out that the thieves didn’t just obtain your credit card numbers; they also have your names, phone numbers, mailing addresses, and e-mail addresses.”1 The credit and debit card data supposedly were dropped to servers in several places including Russia and Brazil. Knowing that some crooks in Russia have my credit card information AND know where I live is very disturbing!

Oh, by the way – that Target thing on Black Friday actually was a more prolonged activity than just Black Friday. The major news outlets gave some sanitized versions of the dates. It has been discovered that confidential information was harvested between November 27 and December 15, 2013. But here’s an even creepier thought – the hackers were actually in the entire Target system, undetected, for weeks prior to the harvest, infecting POS (point of sale) systems and testing the efficiency of their malware.2

Neiman Marcus and other Retailer Breaches

After the Target breach was made public, Neiman Marcus and two other yet-to-be-named retailers reported their own breaches as well. The Neiman Marcus breach affected possibly a million customers. Although not confirmed, one of the other retailers could be Michaels.3 Michaels reported credit card breaches in 2010 as well.4 Have you made any credit/debit card purchases at Neiman Marcus or Michaels since last fall?

White Lodging Data Breach

There are recent but under-reported breaches as well, like the one involving White Lodging, a hotel management group in Indiana which manages 168 hotels in 21 states, including Marriott, Starwood, Intercontinental and other brand hotels. In mid-2013, thousands of hotel guests’ credit and debit card details were compromised. However, the information is just now (Feb. 2014) making back-page news.5

In Technology We Trust – NOT

You might have noticed that details about the retailer breaches are slow to come forth. That’s predictable. Retailers’ sales are affected by consumers’ trust in their brand. Negative news, especially about inadequate security measures and technologies to protect customers’ confidential data, is a trust buster! Consider that it took Target 4 weeks to notify its customers about the data breach! And when Target did make a statement, its spin was on being a “victim” in the breach.

Well, that may be one way to look at it. But there is also a lot of high tech scrutiny about Target’s compliance (or non-compliance) to credit card standards as well as whether Target used “best practice” security technologies concerning its POS (point of sale) system and its network infrastructure. Lawsuits about these issues are already in the works.

For damage control, Neiman Marcus had to come forward about their data breach after Target’s breach announcement. Customer protection does not seem to be the motivator for the retailer confessions.

So please don’t get lulled into a false sense of security just because the news is not reporting any more details. The lack of reporting is not a sign that the storm is over.  It is not!  Who knows who the next retailer will be to confess a breach? Who knows how many more breaches are still unreported? That the US Secret Service is involved in some of these investigations might put some perspective on the severity of these breaches…

OK. Does any of this information cause a feeling of alarm in you? I hope so! And if so, I hope you understand the need for CAUTION!

So what do I do now, you ask? For starters, stay informed. What you don’t know can hurt you!

• Don’t let that thing at Target move off your radar screen. Keep watching how it plays out. Out of sight – out of mind is a dangerous attitude when it comes to self-protection.

• Be sure your information comes from current, accurate, informed and well documented sources.

• Understand that the speed of change in technology is mind boggling. Yesterday’s standards will probably not hold up under tomorrow’s threats and challenges. Don’t trust old information and technologies…

I’ll post soon more information about credit and debit cards – the “new” technology changes; what you need to understand about them to make informed choices; and strategies to be proactive in guarding yourself against credit and debit card fraud.

In the meantime —

Be Cautious. Be Aware. Be Informed.


1 http://news.filehippo.com/2014/01/target-data-breach-much-worse-first-thought/
2 http://krebsonsecurity.com/2014/02/these-guys-battled-blackpos-at-a-retailer/#more-24517
3 http://www.nytimes.com/2014/01/26/technology/michaels-stores-is-investigating-data-breach.html?_r=0
4 http://www.massdataprivacylaw.com/crime-talk/michaels-data-breach-hits-massachusetts/
5 http://www.nbcchicago.com/news/local/White-Lodging-Investigating-Reported-Data-Breach-243230421.html

Clear Text – Why You Should Be Clear About It!


Don’t send personal information through e-mail because it is clear text!

You’ve probably heard and read that admonition so many times that you’ve tuned it out as just more geek speak – stuff only techie-types read and heed. Geek speak is not your language; and after all, you’ve been using e-mail for eons now without any real problems due to clear text…  So what’s the problem?

Browsing Bowser now is thinking out loud: Clear text?  That doesn’t sound like geeky language. It sounds like normal English to me.  So why is there a warning about it when it doesn’t seem dangerous?  Hmmm. OK. I have to admit, I’ve pretty much ignored the warning myself without giving it much thought. So I’ll bite – why is there a warning about clear text and why should I be paying more attention to it?

Glad you asked, Browsing Bowser! Because – simple as these two words sound, clear text is all about your security, protecting your personal information and cyber crime.

Let’s start with definitions and then try to explain why this warning is so vital to your security.  Text in the context of email commonly means written or printed words.  Clear in this sense means visible as written.  Therefore, clear text is text that is visible as written.

Browsing Bowser here – So far, that doesn’t sound very profound… What’s the big deal?

Be patient, BB.  The “big deal” is the security issue surrounding clear text.  In security terms, clear text is unencrypted text – text that has not been altered in a way to make it unreadable without a decryption tool.

Browsing Bowser here again.  Decryption? Unreadable? I thought email was supposed to be easy to read?

Yes, it is, BB, but only after it arrives in the recipient’s inbox. Email in clear text can be a problem on the way to the recipient’s mailbox.  Because of the complex way that the email travels to its destination, it can be “sniffed” or discovered by someone with malicious intent.  If that happens, and the email is clear text, all its content can be read and used by the interceptor.

Sniffed? As a dog, I understand sniffing, says Browsing Bowser. But what does that mean in cyber terms?

Similar concept, BB. Sniffers – more correctly, packet sniffers – are utilities used to discover and capture data on networks. Network administrators use them to monitor and diagnose network issues. That’s a beneficial use of packet sniffers. Packet sniffers can also be used maliciously to capture data, like email, across the internet (a giant network), as I just mentioned. And “sniffer” utilities are easily available – to both network pros and cyber bad guys.

Starting to see a connection here to clear text and possible violations to your security? Not yet?

OK.  Here’s an analogy that is often used to describe the vulnerability of  email in clear text:

You are sending a very personal and important letter to a friend through the postal system. The letter includes passwords, credit card numbers, bank account information, social security numbers, personal information, even gossip. But you write your letter on the envelope, not in it. Anyone who handles your envelope can read your information!

So back to the warning –

Don’t send personal information through e-mail because it is clear text…

Clear?
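To make the “writing on the envelope” point concrete, here is an added example (not from the original post) of the kind of check a mail gateway or network monitor runs on its own traffic: it takes a constructed capture of an e-mail relayed without encryption and flags the personal information that anyone sniffing the wire could read. The SMTP lines, addresses, card number (a standard test number) and SSN are all made up for the example.

```python
import re

# Constructed sample of what a packet sniffer sees on the wire when an e-mail is
# relayed without TLS: the SMTP commands and the whole message body are readable.
# Addresses, the card number (a standard test number) and the SSN are made up.
CAPTURED_CLEAR_TEXT = b"""\
MAIL FROM:<alice@example.net>
RCPT TO:<bob@example.org>
DATA
Subject: the info you asked for

Here is my card: 4111 1111 1111 1111, expires 12/26.
My SSN is 123-45-6789. Order ref 1234 5678 9012 3456.
.
"""

# 13 to 19 digits, optionally separated by spaces or dashes (how people type card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str, keep: int = 4) -> str:
    """Report a finding without repeating the secret in full."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_clear_text(payload: bytes) -> dict:
    """Flag card numbers and SSNs readable in a clear-text capture.

    Returns masked values so the scanner's own log does not leak them.
    """
    text = payload.decode("utf-8", errors="replace")
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):   # drops the order ref
            cards.append(mask(digits))
    ssns = [mask(m.group().replace("-", "")) for m in SSN_RE.finditer(text)]
    return {"cards": cards, "ssns": ssns}


if __name__ == "__main__":
    print(scan_clear_text(CAPTURED_CLEAR_TEXT))
```

The same message carried over an encrypted connection shows up in a capture only as ciphertext, and this scan finds nothing in it; that difference is the whole point of the warning.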