Archive for the 'ID Theft' Category

The 21st Century Trojan War – Protecting Corporate Online Banking from Next-Generation Malware

Thursday, May 6th, 2010

Financial Services Technology magazine has published my new article, “The 21st Century Trojan War”. In it I talk about the new corporate banking trojan threats, and how the cyber-underground is advancing their attacks against the financial services infrastructure by infiltrating the computers of finance professionals inside corporations and government agencies.


“In 2009, organized cyber crime rings began to shift away from massive phishing attacks against consumer banking users, and instead target bigger fish – corporate banking users. The cybercriminals use advanced malicious software (malware) to attack the computers of finance professionals in companies and government agencies. If a computer that is used to access a commercial online banking service becomes infected, the attackers can effectively take over the corporate financial accounts in real time by hijacking active banking sessions, and issue commands for funds transfers.

Symantec detected over 70,000 variants of the Zeus Trojan in 2009.

Documented losses to corporate banking customers from fraudulent wire transfers initiated in the USA by next-generation malware on corporate computers have ranged from $10,000 to over $1,000,000 per incident. Much of this money was successfully transferred to ‘money mule’ accounts overseas, and was never recovered. It is far more lucrative for cyber criminals to make numerous $9000 transfers from a single corporate bank account, than to try to hijack thousands of consumer-based accounts and make small money transfers. It is also reasonable to expect that online corporate banking fraud will track historical online consumer banking fraud patterns, and will grow dramatically over the next several years.”

Read the rest of the article at: Financial Services Technology Magazine.


USB Memory Stick Found In Parking Lot Containing Personal Data of Mental Patients

Wednesday, May 5th, 2010

A 12-year-old boy found an unencrypted USB thumb drive memory stick in the parking lot of ASDA supermarket in Stenhousemuir, Scotland. To the surprise of the young lad and his parents, the memory stick contained patient records of mental patients at nearby Bellsdyke Hospital in Falkirk, Scotland.

The UK National Health Service issued the following statement: “We are very concerned to learn of this incident and are looking into it as a matter of urgency. We have clear policies in place on the safe use of portable data devices. We can confirm a member of staff has been suspended in connection with this incident.”

This is a clear example that policies in the workplace cannot guarantee compliance. For removable media, it is critical that healthcare companies and hospitals enforce always-on encryption by only using hardware-encrypted portable storage devices such as an IronKey.

Crimeware: 2010 – A New Round of Confrontation

Wednesday, May 5th, 2010

Yury Mashevsky of anti-virus company Kaspersky Lab has published a good article that outlines the state of the crimeware threat environment that we face in 2010.

Mashevsky illustrates the exploding number of financial crimeware/malware samples that Kaspersky has received on a quarterly basis since the financial crimeware industry got started in 2005.


This graph shows the increase in the number of unique malicious programs used to steal money from Internet users. Source: Kaspersky Lab

As banks roll out new security technologies and techniques, the criminal underground quickly develops means to defeat these technologies. The exploits rapidly (often within 30 days) become widely available in numerous crimeware variants that criminals can purchase over the Internet. Attacks are often hosted on computers in different countries than where the banks and their customers are located, making it very difficult to get websites that host malware or command & control servers taken down.

Mashevsky concludes that making meaningful progress in the battle against an exponentially growing threat will require much tighter collaboration between financial institutions, their customers, the security industry, and government agencies.

Medical Center Notifying 5,000 Patients Following Data Theft

Monday, May 3rd, 2010

The Medical Center in Bowling Green, Kentucky, is notifying over 5,000 patients that their personal data may be at risk, after an unencrypted hard drive containing their information was stolen from the hospital’s mammography unit.

The Medical Center is now stepping up its efforts to implement encryption for all mobile and portable storage devices, and is trying to centralize the storage of sensitive information on a protected internal network, rather than on hundreds of computers throughout the facility.

24,000 Psychiatric Patients’ Data Lost on Unencrypted USB Flash Drive

Monday, May 3rd, 2010

Our Lady of Peace, a psychiatric hospital in Louisville, KY, is notifying over 24,000 individuals after an unencrypted flash drive containing their personal information was lost in April 2010. New data breach notification rules under the HITECH Act add teeth to previous rules under the HIPAA Act. Now organizations that suffer data breaches exposing data of 500 or more individuals must disclose these breaches within 60 days.

The unencrypted USB thumb drive memory stick contained data on patients admitted since 2002, and patients assessed since 2009.

FDIC to Hold Symposium “Combating Commercial Payments Fraud”

Thursday, April 22nd, 2010

The Federal Deposit Insurance Corporation (FDIC) will hold a day-long symposium to examine the threat of commercial payments fraud posed by cyber criminals targeting small and midsize businesses on May 11, 2010. The FDIC has observed an increase in this type of fraud over the past several months, which has resulted in millions of dollars in losses, frayed business relationships and litigation affecting both banks and businesses.

10 Percent of Financial Fraud Victims Fall Victim to Bogus ATM Withdrawals

Thursday, April 22nd, 2010

Javelin Strategy has released a report about consumer financial fraud that shows that 10 percent of fraud victims fell victim to ATM cash withdrawals. Criminals are using skimming devices that they attach to ATM machines. These devices capture the ATM card information when you insert your card into the machine. Hidden cameras are typically used to see you enter your PIN number. Cyber criminals also will send text messages or even phishing emails to try to get ATM PIN numbers.

Feds Bust Identity Theft Operation CallService.biz

Wednesday, April 21st, 2010

The Federal Bureau of Investigation, in accordance with a seizure warrant obtained by the United States Attorney’s Office for the Southern District of New York, has seized the domain CallService.biz.

They allege that CallService.biz was an online service that aided and abetted online fraudsters to raid money from the bank accounts of consumers whose login credentials had been stolen by phishing or malware.

The service, which was widely advertised in the criminal underground, supplied identity thieves with people who spoke English and German, and who would call financial institutions posing as authorized account holders. They would confirm fraudulent wire transfers, withdrawals and other transactions.

It is thought that the service assisted 2,000 identity thieves to carry out more than 5,000 instances of fraud.

Last week two perpetrators were arrested in the Czech Republic and Belarus, at the request of US authorities.

California Senate Looking to Update Data Breach Notification Law

Tuesday, April 20th, 2010

Democratic Senator Joe Simitian has reintroduced a measure to SB-1186 that would require that data breach notification letters contain specific information about data loss incidents, including the type of personal information exposed, a description of the incident, and advice for consumers to protect themselves from identity theft.

“This new measure makes modest but helpful changes to the law,” Simitian said in a statement. “It will also give law enforcement the ability to see the big picture, and a better understanding of the patterns and practices developing in connection with identity theft.”

Last October, Schwarzenegger vetoed a similar bill because he said there was no proof that the additional information required in the breach notifications would help consumers.

UK Government To Create “Secure Facebook” for Voters to Access Government Services … What About The Phishers?

Monday, March 22nd, 2010

The United Kingdom Prime Minister announced today that the UK Government plans to issue every voter a unique identifier and web page, where they can access government services such as applying for schools, booking GP appointments, claiming benefits, getting a new passport, paying council taxes and registering vehicles.

It sounds like a very progressive move toward e-government, and in general I am very much in favor of this type of initiative, for it can save billions of dollars in paperwork and lost productivity.

However, has the UK government really thought about the security issues that would surround such an initiative? Let’s face it, the Internet continues to get more dangerous every day. There are no standards for strong authentication, malware is rampant, phishing and spear-phishing continue to grow, websites are easily spoofed, DNS is not secure, and the cyber criminal underground continues to grow in size and sophistication.

If the real Facebook, which has over 100 million users, cannot secure itself, how are we to expect the UK Government to create a “secure Facebook” for government services? Even the world’s biggest banks are facing serious security threats from financial malware that infects the computers of users of corporate banking services. Surely the criminal underground will rapidly turn their attention to a UK Government services system. It seems like a “target rich environment” for scammers and identity thieves to prosper.