Archive for the 'Law Enforcement' Category

The 21st Century Trojan War – Protecting Corporate Online Banking from Next-Generation Malware

Thursday, May 6th, 2010

Financial Services Technology magazine has published my new article, “The 21st Century Trojan War”. In it I talk about the new corporate banking trojan threats, and how the cyber-underground is advancing their attacks against the financial services infrastructure by infiltrating the computers of finance professionals inside corporations and government agencies.


“In 2009, organized cyber crime rings began to shift away from massive phishing attacks against consumer banking users, and instead target bigger fish – corporate banking users. The cybercriminals use advanced malicious software (malware) to attack the computers of finance professionals in companies and government agencies. If a computer that is used to access commercial online banking services becomes infected, the attackers can effectively take over the corporate financial accounts in real time by hijacking active banking sessions, and issue commands for funds transfers.

Symantec detected over 70,000 variants of the Zeus Trojan in 2009.

Documented losses to corporate banking customers from fraudulent wire transfers initiated in the USA by next-generation malware on corporate computers have ranged from $10,000 to over $1,000,000 per incident. Much of this money was successfully transferred to ‘money mule’ accounts overseas, and was never recovered. It is far more lucrative for cyber criminals to make numerous $9000 transfers from a single corporate bank account, than to try to hijack thousands of consumer-based accounts and make small money transfers. It is also reasonable to expect that online corporate banking fraud will track historical online consumer banking fraud patterns, and will grow dramatically over the next several years.”

Read the rest of the article at: Financial Services Technology Magazine.
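The transfer pattern the excerpt describes (many just-under-$10,000 wires from one corporate account to beneficiaries it has never paid before, all within a short window) is something a bank's fraud team can flag from its own wire log. The script below is an added example, not code from the article or the magazine: it runs that check over a constructed sample log. The amount band, the one-hour window, the three-transfer minimum and the sample account names are assumed tuning values, not figures from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample wire-transfer log for illustration only (not real data).
# Each record: (timestamp, originating account, beneficiary account, amount in USD).
TRANSFERS = [
    ("2010-04-12 09:02", "CORP-001", "BEN-SUPPLIER-A", 48200.00),
    ("2010-04-12 09:40", "CORP-001", "BEN-NEW-17", 9000.00),
    ("2010-04-12 09:44", "CORP-001", "BEN-NEW-18", 8950.00),
    ("2010-04-12 09:51", "CORP-001", "BEN-NEW-19", 9000.00),
    ("2010-04-12 10:05", "CORP-001", "BEN-NEW-20", 8900.00),
    ("2010-04-12 10:30", "CORP-002", "BEN-PAYROLL", 120000.00),
    ("2010-04-13 11:00", "CORP-002", "BEN-NEW-21", 9000.00),
]

# Beneficiaries each account has paid before. Assumed to come from the
# bank's own payment history; hypothetical names here.
KNOWN_BENEFICIARIES = {
    "CORP-001": {"BEN-SUPPLIER-A"},
    "CORP-002": {"BEN-PAYROLL"},
}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def find_mule_bursts(transfers, known, window=timedelta(hours=1),
                     min_count=3, band=(8000.0, 10000.0)):
    """Return {account: [suspicious transfers]} for every account that sent
    at least `min_count` transfers to never-before-seen beneficiaries, each
    with an amount inside `band`, within any span of length `window`.
    The defaults are tuning assumptions, not values from the article."""
    by_account = defaultdict(list)
    for ts, acct, bene, amount in transfers:
        if bene in known.get(acct, set()):
            continue  # established payee: not the new-beneficiary pattern
        if not (band[0] <= amount < band[1]):
            continue  # outside the just-under-threshold amount band
        by_account[acct].append((parse_ts(ts), acct, bene, amount))

    flagged = {}
    for acct, rows in by_account.items():
        rows.sort()
        hits = set()
        start = 0
        # Sliding window over the time-ordered candidates for this account.
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 >= min_count:
                hits.update(range(start, end + 1))
        if hits:
            flagged[acct] = [rows[i] for i in sorted(hits)]
    return flagged


def flagged_total(flagged, acct):
    """Sum of the flagged amounts for one account (0.0 if not flagged)."""
    return sum(row[3] for row in flagged.get(acct, []))


if __name__ == "__main__":
    result = find_mule_bursts(TRANSFERS, KNOWN_BENEFICIARIES)
    for acct, rows in result.items():
        print(f"{acct}: {len(rows)} transfers to new beneficiaries, "
              f"${flagged_total(result, acct):,.2f} total")
        for when, _, bene, amount in rows:
            print(f"  {when:%Y-%m-%d %H:%M}  {bene:<14} ${amount:>9,.2f}")
```

With the sample log, CORP-001 is flagged for four transfers totalling $35,850 in 25 minutes, while CORP-002's single $9,000 payment to a new vendor is not, which is the intended behaviour: one new payee is routine business, a burst of them is the mule pattern.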


Consumers Reported Over $550M of Online Fraud to the FBI in 2009

Wednesday, May 5th, 2010

The FBI’s Internet Crime Complaint Center (http://www.ic3.gov) received Internet fraud complaints from consumers in 2009 totaling losses of $559.7M. This more than half a billion dollars in losses is double the $264.6M in Internet fraud losses reported to the IC3 in 2008. Clearly, reported Internet crime is rising fast.

These reports do not include financial losses incurred by banks and other financial institutions from phishing and malware. Nor do they include losses, financial or of intellectual property, sustained by enterprises or government agencies.

You can read the 2009 IC3 report here.

FDIC to Hold Symposium “Combating Commercial Payments Fraud”

Thursday, April 22nd, 2010

On May 11, 2010 the Federal Deposit Insurance Corporation (FDIC) will hold a day-long symposium to examine the threat of commercial payments fraud posed by cyber criminals targeting small and midsize businesses. The FDIC has observed an increase in this type of fraud over the past several months, which has resulted in millions of dollars in losses, frayed business relationships and litigation affecting both banks and businesses.

Feds Bust Identity Theft Operation CallService.biz

Wednesday, April 21st, 2010

The Federal Bureau of Investigation, acting on a seizure warrant obtained by the United States Attorney’s Office for the Southern District of New York, has seized the domain CallService.biz.

They allege that CallService.biz was an online service that aided and abetted online fraudsters in draining the bank accounts of consumers whose login credentials had been stolen by phishing or malware.

The service, which was widely advertised in the criminal underground, supplied identity thieves with people who spoke English and German, and who would call financial institutions posing as authorized account holders. They would confirm fraudulent wire transfers, withdrawals and other transactions.

It is thought that the service assisted 2,000 identity thieves to carry out more than 5,000 instances of fraud.

Last week two perpetrators were arrested in the Czech Republic and Belarus, at the request of US authorities.

California Senate Looking to Update Data Breach Notification Law

Tuesday, April 20th, 2010

Democratic Senator Joe Simitian has reintroduced a measure, SB 1186, that would require data breach notification letters to contain specific information about the data loss incident, including a description of the incident, the type of personal information exposed, and advice for consumers on protecting themselves from identity theft.

“This new measure makes modest but helpful changes to the law,” Simitian said in a statement. “It will also give law enforcement the ability to see the big picture, and a better understanding of the patterns and practices developing in connection with identity theft.”

Last October, Governor Schwarzenegger vetoed a similar bill, saying there was no proof that the additional information required in the breach notifications would help consumers.

Online Brokerage Hacker Sentenced to 37 Months Prison

Tuesday, April 13th, 2010

The US Department of Justice has announced that computer fraudster Aleksey Volynskiy was sentenced this week to 37 months in prison for hacking into the online brokerage accounts of Charles Schwab customers and laundering over $246,000. Using usernames and passwords collected by malware spread on users’ computers, Volynskiy would log into those users’ accounts and wire funds out of them. The money went to “drop” accounts, and much of it was then forwarded to co-conspirators in Russia.

First HIPAA Lawsuit by Connecticut Attorney General: Health Net Sued for Data Breach of Patient Records

Tuesday, January 19th, 2010

Connecticut Attorney General Richard Blumenthal announced last week that he is suing Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees. A further portion of the complaint is that Health Net failed to promptly notify consumers that their data was breached.

“Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months—most likely by thieves—before Health Net notified appropriate authorities and consumers,” said Blumenthal. “The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.”

This is the first legal action by a state attorney general involving violations of the Health Insurance Portability and Accountability Act (HIPAA).

98% of Bank Heists are Conducted Online

Tuesday, December 22nd, 2009

According to Tom Kellermann, a former senior member of the World Bank’s Treasury security team, “Ninety-eight percent of bank heists are now occurring virtually and not in the real world.”

He also said that the industry is “hemorrhaging funds” as a result.

These statements were made in response to an unsubstantiated report in the Wall Street Journal that the FBI is investigating an online fraud of tens of millions of dollars from Citibank. It’s alleged that the Russian Business Network (RBN) is behind the attack.

Crooks Are “Too Lazy” to use Cryptography

Thursday, December 3rd, 2009

In an interview with The Register, Mark Stokes, head of the London Metropolitan Police’s Digital and Electronic Forensic Services (DEFS) said that crooks are too lazy to use cryptography.

“I think it’s just not easy to use. You’ve got to keep the password, people forget their passwords, and generally human beings are lazy and they can’t be bothered with it,” he said. “It’s just human nature to think they’ll never get caught.”

I personally think the very same human nature applies to corporate IT systems and personal laptops and USB thumb drives. People think “it will never happen to me”. They think they won’t lose their laptop or mobile device, or think that if it’s lost or stolen, the data won’t be meaningful to someone else.

Sprint/Nextel’s Electronic Surveillance Department Gives Police GPS Data on 8 Million Customers

Wednesday, December 2nd, 2009

Sprint/Nextel’s Electronic Surveillance Department has provided GPS location data about its wireless customers to law enforcement over 8 million times. In fact, Sprint has over 100 employees who are tasked with providing customer data to law enforcement agencies. They even have an online portal where law enforcement personnel can log in and request the GPS location of any Sprint/Nextel customer.

Read more at Wired Threat Level: http://www.wired.com/threatlevel/2009/12/gps-data/