Archive for the 'Law Enforcement' Category

Rite Aid To Pay $1 Million Fine for Privacy Violations – HIPAA Violation

Thursday, July 29th, 2010

Pharmacy chain Rite Aid has been fined $1 million for violating the privacy standards of the Health Insurance Portability and Accountability Act (HIPAA). It is good to see the Office for Civil Rights (OCR) put some teeth into HIPAA and actually extract a meaningful fine for violating the personal privacy rules of the act. Apparently Rite Aid did not properly dispose of pill bottle labels carrying identifying information about its customers.

United Kingdom to Allow Foreign Police to Spy on UK Citizens

Tuesday, July 27th, 2010

I was in the United Kingdom last week. The UK government is said to be ready to sign up to a measure that would permit police from other EU countries to demand details of UK citizens suspected of crimes in those countries. Details that could be released to foreign police include banking records, phone records and even DNA samples.

This is happening under the auspices of the European Investigation Order (EIO).

Civil liberties organizations are very concerned that UK citizens’ personal details could be shared with foreign police over offenses as mundane as not paying for a meal at a restaurant.

Arrested Russian Spies Used Steganography To Hide Data

Wednesday, June 30th, 2010

Eleven alleged Russian spies have been arrested and charged with conspiracy to commit an offense against the United States by acting as agents of a foreign government without registering with the Attorney General. Nine of them have also been charged with money laundering. Details on the people arrested are here. One couple is based in Cambridge, MA.

The FBI says that the suspects not only used encryption to protect data on their laptops and USB flash drives, but are also suspected of using proprietary, Russian-built steganography software to hide data inside images and other files on their computers.

Steganography is the technique of hiding information inside other documents or data so that its presence is not apparent. Combining steganography with cryptography creates a system of communication and data protection that is very difficult both to detect and to crack: the steganography conceals that a message exists at all, and the cryptography protects the contents if the concealment fails.

For example, imagine encrypting a data file with strong encryption and then inserting the ciphertext as noise in the soundtrack or video stream of a large .wmv video file. Post that file to a website or share it on a BitTorrent network for the intended recipients to download. If you tell your recipients the name of the video file out of band (by email, phone call or SMS), and there is a key-sharing protocol in place (i.e. they already know the password to decrypt the data), then it is highly likely that only those recipients will know the encrypted data is there, and only they will be able to decrypt it.

Anyone else who downloads the file is unlikely to detect the encrypted data, even with steganographic detection tools, provided the embedding preserves the statistical properties of the carrier; crude least-significant-bit replacement in an otherwise clean signal is detectable by statistical steganalysis, which is why burying ciphertext in genuinely noisy audio or video samples is attractive. And even if they were able to extract it, they would still have to crack the encryption.

In fact, someone wishing to communicate covertly would want other people to download the file too, so that nobody monitoring the network can tell who the file is intended for.

In the case we are discussing today, the alleged Russian spies were detected sending data to known addresses of Russian government computers (we assume IP addresses). Using the technique described above, they could have avoided that particular kind of detection, since the traffic pattern of a popular download reveals nothing about the intended recipient.
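The encrypt-then-hide sequence described above, as an added example that is not from the original post or from any tool mentioned in it. It uses only the Python standard library: keys are derived from a password with PBKDF2, the file is encrypted with a SHA-256 counter-mode keystream and authenticated with HMAC-SHA256 (a demo stand-in for a vetted AEAD such as AES-GCM, chosen so the example runs without third-party packages), and the ciphertext is written into the least-significant bits of a carrier. The password, the secret message and the carrier (20,000 noisy 8-bit samples from a seeded generator, standing in for the audio or video samples of the .wmv file) are all constructed for the demo.

```python
"""Encrypt first, then hide the ciphertext in the low bits of noisy samples.

Demo cipher (SHA-256 counter mode + HMAC-SHA256, keys via PBKDF2): standard
library only, a stand-in for a vetted AEAD, not a recommendation.
"""
import hashlib
import hmac
import os
import random

OVERHEAD = 16 + 16 + 32          # salt + nonce + tag bytes added by encrypt()


def _derive_keys(password: str, salt: bytes):
    """PBKDF2 -> 64 bytes, split into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream made of SHA-256(key || nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(password: str, blob: bytes):
    """Return the plaintext, or None if the password is wrong or the blob is damaged."""
    if len(blob) < OVERHEAD:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                       # wrong key or tampering: reveal nothing
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length header plus payload into the LSB of successive samples."""
    framed = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in framed for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small: need %d samples, have %d" % (len(bits), len(carrier)))
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit    # each touched sample moves by at most 1
    return bytes(out)


def extract(stego: bytes):
    """Read the length header and payload back out of the LSBs; None if implausible."""
    def read_bytes(count: int, offset: int) -> bytes:
        vals = bytearray()
        for j in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[offset + j * 8 + i] & 1)
            vals.append(byte)
        return bytes(vals)
    if len(stego) < 32:
        return None
    length = int.from_bytes(read_bytes(4, 0), "big")
    if 32 + length * 8 > len(stego):      # a clean file's random LSBs decode to a garbage length
        return None
    return read_bytes(length, 32)


def hide(password: str, secret: bytes, carrier: bytes) -> bytes:
    """Encrypt first, then hide: an observer sees only noise-like bits."""
    return embed(carrier, encrypt(password, secret))


def recover(password: str, stego: bytes):
    """Extract, then authenticate and decrypt; None unless the password is right."""
    blob = extract(stego)
    return None if blob is None else decrypt(password, blob)


def lsb_ones_fraction(data: bytes) -> float:
    """Fraction of samples with the LSB set; stays near 0.5 for a noisy carrier."""
    return sum(b & 1 for b in data) / len(data)


def demo():
    """Constructed carrier: 20,000 noisy 8-bit samples standing in for media noise."""
    rng = random.Random(1)
    carrier = bytes(rng.getrandbits(8) for _ in range(20_000))
    secret = b"meet at the usual place, 21:00"                    # constructed message
    stego = hide("correct horse battery staple", secret, carrier)  # assumed password
    return carrier, stego


if __name__ == "__main__":
    carrier, stego = demo()
    print(recover("correct horse battery staple", stego), recover("wrong password", stego))
```

Two things the paragraph alone does not show: a wrong password yields nothing (the authentication tag fails, so an attacker cannot even tell whether a decryption attempt was close), and the embedding changes no sample by more than one step, so the fraction of set low bits stays near one half, exactly as it was in the noisy carrier. A real container such as .wmv cannot simply have its file bytes rewritten, since altering a compressed stream corrupts it; practical tools embed into the decoded samples or quantized coefficients and re-encode, which is where the statistical care mentioned above matters.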

One other interesting detail in this article is that a 27-character password was required to access the steganographic data. A password that long sounds like a great security measure. However, the agent wrote the password down on a piece of paper, so the password was only as secure as that paper, and a search warrant defeats that entirely. In such a case, a shorter password that the agent could actually remember would have been more secure in practice.

Police Arrest 178 People in Global Credit Card Scam Involving 120,000 Stolen Credit Card Numbers

Tuesday, June 15th, 2010

Police in Europe and the United States have arrested 178 people in 14 countries on charges of credit card fraud.

Apparently the investigation has found 120,000 stolen credit card numbers, and 5,000 cloned credit cards. Six card cloning labs have been seized.

Brian Krebs (krebsonsecurity.com) has posted an excellent blog post today. He’s even posted a picture of one of the credit card cloning labs, sourced from the Spanish Ministry of Interior.

FBI To Target “Cyber Mules” – People Who have “work at home jobs” Transferring Money on the Internet

Wednesday, May 12th, 2010

The US Federal Bureau of Investigation is planning a major prosecution to bust up the operations that cyber criminals use to turn funds stolen online into readily available cash, a top bureau official said Tuesday.

The FBI is targeting the end of the criminal supply chain—the “money mules” who receive transfers of stolen funds in their bank accounts—to raise public awareness and dissuade people from becoming mules, said Patrick Carney, acting chief of the FBI’s Cyber Criminal Section.

Money mules are people who think they have a legitimate work-at-home job, in which they receive goods or have money wired into their bank accounts, and their job is to forward the goods, or a portion of the funds, to another person. These scams are usually presented as a work-from-home shipping clerk job, or perhaps a business consultant or accounting administrator position.

These jobs are posted on job boards like Monster.com and HotJobs.com. They are sent out by spam. They are advertised online and even in newspapers.

But the reality is that these are scams, and are operated by the cyber underground as a way to launder stolen funds or goods purchased online with stolen credit cards.

We do not know how many people are working as “mules”, but it is probably ten thousand or more in the USA. The anti-money-laundering website BobBear.co.uk lists hundreds of active fake companies that are fronts for money mule recruitment.

The 21st Century Trojan War – Protecting Corporate Online Banking from Next-Generation Malware

Thursday, May 6th, 2010

Financial Services Technology magazine has published my new article, “The 21st Century Trojan War”. In it I talk about the new corporate banking trojan threats, and how the cyber-underground is advancing its attacks against the financial services infrastructure by infiltrating the computers of finance professionals inside corporations and government agencies.


“In 2009, organized cyber crime rings began to shift away from massive phishing attacks against consumer banking users, and instead target bigger fish – corporate banking users. The cybercriminals use advanced malicious software (malware) to attack the computers of finance professionals in companies and government agencies. If a computer that is used to access a commercial online banking service becomes infected, the attackers can effectively take over the corporate financial accounts in real time by hijacking active banking sessions, and issue commands for funds transfers.

Symantec detected over 70,000 variants of the Zeus Trojan in 2009.

Documented losses to corporate banking customers from fraudulent wire transfers initiated in the USA by next-generation malware on corporate computers have ranged from $10,000 to over $1,000,000 per incident. Much of this money was successfully transferred to ‘money mule’ accounts overseas, and was never recovered. It is far more lucrative for cyber criminals to make numerous $9000 transfers from a single corporate bank account, than to try to hijack thousands of consumer-based accounts and make small money transfers. It is also reasonable to expect that online corporate banking fraud will track historical online consumer banking fraud patterns, and will grow dramatically over the next several years.”

Read the rest of the article at: Financial Services Technology Magazine.


Consumers Reported Over $550M of Online Fraud to the FBI in 2009

Wednesday, May 5th, 2010

The FBI’s Internet Crime Complaint Center (http://www.ic3.gov) received Internet fraud complaints from consumers in 2009 totaling losses of $559.7M. That is more than double the $264.6M in Internet fraud losses reported to the IC3 in 2008. Reported losses doubling in a single year is a clear sign that Internet crime is growing fast, although these are self-reported complaints, so the figures measure reporting as well as the underlying crime.

These reports do not include financial losses incurred by banks and other financial institutions from phishing and malware. Nor do they include losses, financial or of intellectual property, sustained by enterprises or government agencies.

You can read the 2009 IC3 report here.

FDIC to Hold Symposium “Combating Commercial Payments Fraud”

Thursday, April 22nd, 2010

The Federal Deposit Insurance Corporation (FDIC) will hold a day-long symposium on May 11, 2010 to examine the threat of commercial payments fraud posed by cyber criminals targeting small and midsize businesses. The FDIC has observed an increase in this type of fraud over the past several months, which has resulted in millions of dollars in losses, frayed business relationships and litigation affecting both banks and businesses.

Feds Bust Identity Theft Operation CallService.biz

Wednesday, April 21st, 2010

The Federal Bureau of Investigation, acting on a seizure warrant obtained by the United States Attorney’s Office for the Southern District of New York, has seized the domain CallService.biz.

They allege that CallService.biz was an online service that aided and abetted online fraudsters in draining money from the bank accounts of consumers whose login credentials had been stolen by phishing or malware.

The service, which was widely advertised in the criminal underground, supplied identity thieves with English- and German-speaking callers who would phone financial institutions posing as the authorized account holders and confirm fraudulent wire transfers, withdrawals and other transactions.

It is thought that the service assisted 2,000 identity thieves to carry out more than 5,000 instances of fraud.

Last week two perpetrators were arrested in the Czech Republic and Belarus at the request of US authorities.

California Senate Looking to Update Data Breach Notification Law

Tuesday, April 20th, 2010

Democratic Senator Joe Simitian has reintroduced a measure, SB 1186, that would require data breach notification letters to contain specific information about data loss incidents, including the type of personal information exposed, a description of the incident, and advice for consumers on protecting themselves from identity theft.

“This new measure makes modest but helpful changes to the law,” Simitian said in a statement. “It will also give law enforcement the ability to see the big picture, and a better understanding of the patterns and practices developing in connection with identity theft.”

Last October, Governor Schwarzenegger vetoed a similar bill because, he said, there was no proof that the additional information required in the breach notifications would help consumers.