Archive for August, 2009

DHS Asked to Not Delete “Fly Clear” Biometric Data of Travellers

Thursday, August 27th, 2009

I was a member of Fly Clear, a system whereby you could get to the front of airport security queues by presenting an ID card that indexed to your biometric data (fingerprints and retina scans). You would pay $100 per year, and after going through a quick DHS blacklist scan, you were issued a Clear Card. This was a wonderful convenience when traveling from busy airports like San Jose or Los Angeles, where security lines can go outside the building and up 3 stories in the parking lot.

Fly Clear went bankrupt in June 2009, and there is a class-action lawsuit against them. They sent their customers a letter stating that all customer biometric data would be deleted.

Now, Government Security News writes that the chairman and ranking member of the House Committee on Homeland Security have sent a joint letter to DHS Secretary Janet Napolitano asking her not to follow through on a Transportation Security Administration (TSA) plan to have “biometric data and unique identifiable information” of all Registered Traveler (RT) program participants deleted from the Registered Traveler Central Information Management System (CIMS) database.

This is disturbing news to those concerned with privacy, and those Fly Clear customers who registered with the operating company, Verified Identity Pass Inc. It’s in direct contravention of the company’s privacy policy. I can understand why TSA might want to keep the information around, as it could aid in counter-terrorism efforts. They claim that keeping the data around would allow another company to re-start the Fly Clear program.

Malware Targets Corporate Banking, CFOs, Controllers

Wednesday, August 26th, 2009

Brian Krebs at the WashingtonPost.com has a great article today discussing the new variants of malicious software that are being used to hijack corporate online bank accounts and steal millions of dollars. Fraudsters over the last 6 months have increasingly been targeting small and medium businesses. New variants of malware are getting onto the machines in the finance departments of more and more companies. This malware, such as Clampi and Jabberzeus, steals usernames and passwords.

Cyber-criminals are keeping an eye out for infected users who use online corporate banking systems. Not only is their malware stealing the usernames and passwords, but in the cases where online banking systems use one-time-password devices (like the RSA SecurID), the malware is stealing the one-time password and sending it in real time to the attacker. The attacker can then quickly log in to the corporate banking system.

The costs to companies are not only the lost money, but all the time and administrative work to clean up the situation, try to notify the bank to recover some of the lost funds, and clean up computers that are infected.

Back in 2005 the FFIEC presented guidelines for banks to improve the security of their online banking systems. At the time it seemed to me that most banks were focusing on the security of their consumer banking platforms. It looks like the time has come for banks to take a fresh look at the security of their corporate banking platforms.

I’ve been thinking that a bootable IronKey, with a browser on board, where we can boot a clean OS every time, might be an easy-to-use answer for corporate banking users to ensure that their operating system is not infected. What do you think?

Phishing for PayCycle Corporate Payroll Accounts

Tuesday, August 25th, 2009

Today I received a phishing email purporting to be from PayCycle, a company that does payroll services for small and medium businesses. PayCycle is owned by Intuit.

What’s scary about this? If the cyber criminals get your login name and password for a payroll processing service, they can change the direct deposit instructions for your employees and route automated payments into their own bank accounts. Typically they would wait until a pay period, route payments from many companies into a few bank accounts (probably phished accounts at that), then when the payments come in, they would quickly transfer the money out of those accounts to another account at another institution. Forward the money a few times, and then it will be pretty much untraceable and un-cancellable.

Another thing they can do is to add fake employees to the payroll, and the company will likely automate payments to the bogus employees for several pay periods until it’s detected. Of course the cyber criminal would change the email address of the payroll administrator so that the admin doesn’t get any alerts or warnings or confirmation emails about the new “employees”.

Finally, the criminals would also have access to detailed personal information of all of a company’s employees, including names, addresses, health insurance, salary, banking details, dependents, etc.

It’s a disturbing trend that could be far more dangerous than the traditional consumer-oriented phishing that we’ve become accustomed to.

Here’s the text of the email:

Dear Easy Payroll Customer,

As trusted custodian of our clients’ payroll interests, we are committed to
protecting our clients’ entrusted information through PayCycle Online Payroll
secure access.

As part of our ongoing effort to improve online security, we have decided
to put an extra verification process to ensure only you have access to your
access. It is all about your security.

Please click on CONTINUE

Sign in to continue the activation process to ensure your account security.

Thank you.

Sincerely,
PayCycle, Inc.
Online Payroll Support Service
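
The account abuse described in this post leaves a recognizable trail in a payroll audit log: the administrator's alert address changes, then employees are added or direct deposits are re-pointed, often to the same destination account. As an added example (not part of the original post, and not PayCycle's code or log format), the Python below checks for those two patterns; the event schema, action names and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events; the schema (time, actor, action, employee, account)
# is hypothetical and not any payroll provider's real log format.
SAMPLE_EVENTS = [
    ("2009-08-20T09:02", "admin1", "admin_email_changed", None, None),
    ("2009-08-20T09:05", "admin1", "employee_added", "emp-901", "acct-A"),
    ("2009-08-20T09:06", "admin1", "employee_added", "emp-902", "acct-A"),
    ("2009-08-20T09:09", "admin1", "direct_deposit_changed", "emp-014", "acct-A"),
    ("2009-08-21T14:30", "admin2", "direct_deposit_changed", "emp-022", "acct-B"),
]
PAYOUT_ACTIONS = {"employee_added", "direct_deposit_changed"}


def review(events, window=timedelta(hours=24)):
    """Return a sorted list of (rule, subject, count) findings."""
    rows = [(datetime.fromisoformat(t), actor, action, emp, acct)
            for t, actor, action, emp, acct in events]
    rows.sort(key=lambda r: r[0])
    findings = []

    # Rule 1: the alert address is changed, then the same login edits
    # payout details within the window (silencing confirmation emails first).
    for ts, actor, action, _, _ in rows:
        if action != "admin_email_changed":
            continue
        edits = [r for r in rows
                 if r[1] == actor and r[2] in PAYOUT_ACTIONS
                 and timedelta(0) <= r[0] - ts <= window]
        if edits:
            findings.append(("email_change_then_payout_edit", actor, len(edits)))

    # Rule 2: one destination account receives pay for several employees.
    employees_by_account = defaultdict(set)
    for _, _, action, emp, acct in rows:
        if action in PAYOUT_ACTIONS and acct:
            employees_by_account[acct].add(emp)
    for acct, emps in employees_by_account.items():
        if len(emps) > 1:
            findings.append(("shared_destination_account", acct, len(emps)))

    return sorted(findings)


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```

Alerts from a check like this need to go to a contact that cannot be changed from inside the payroll account, since the alert address is the first thing the post says the criminal would change.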

Beware Rogue Facebook Phishing Apps

Friday, August 21st, 2009

Facebook is being besieged by rogue apps that attempt to steal the login and password of Facebook users. This week Facebook removed 6 of these phishing apps, but as of today, 5 more have appeared: they are called “Friends”, “Friends Gifts”, “Matching”, “Poki” & “Your Photos”.

Basically, these things get installed in your friend’s account, and then send a message to you from your friend. You click on it, and the app presents a Facebook login page. If you enter your login details, the app steals them, prompts you to install the app on your account, and then starts attacking all your friends.

Read Rik Ferguson’s Trend Micro Security Blog about the Facebook Phishing apps.

IronKey Locks Down the Treacherous Memory Stick

Wednesday, August 12th, 2009

I had to laugh when I saw the title of an IronKey Enterprise review today in Enterprise Networking Planet: “IronKey Locks Down the Treacherous Memory Stick”.

It’s a good review of how the Enterprise product and remote management service work.

“Overall IronKey Enterprise is an effective platform for managing a large fleet of encrypted portable storage devices. It uses standard (and therefore well understood) cryptography in a fairly complex way to ensure security while doing a good job of shielding this complexity from both administrators and end users to make the system very easy to use.”

USAA to Allow You to Deposit Checks via your iPhone

Monday, August 10th, 2009

This is really cool. USAA, a privately held bank and insurance company, is releasing an iPhone app where you can deposit a check from anywhere using your iPhone. You take a picture of the front and back of the check, and the app scans it in and sends it to the bank. Image recognition software will automatically process the check for deposit into your account.

This technology has been used in corporate banking for some time – it’s called check truncation. It’s one reason why sometimes you don’t get cancelled checks back in the mail. You just get a printed image.

I wonder what the fraudsters will cook up to take advantage of this system?

Watch Out for Fake Job Offers Online

Friday, August 7th, 2009

Here is a great story in the New York Times about a man who applied online for a job, was accepted, and ended up losing thousands of dollars when payments for laptops and other work-from-home gear from the alleged employer turned out to be counterfeit. Instead of a good work-from-home job, the victim ended up owing his bank over $6,000.

It’s estimated that online job scams have increased 30% since last year.

Many of these fraudulent jobs are actually money laundering fronts for phishing and other electronic crime gangs. Some are so-called Mule jobs, where the hapless job seeker thinks they are working for an import-export company, where they receive packages and then forward them to other addresses, usually outside of the country. Typically it turns out that these packages contain electronics and computer goods that were purchased with stolen credit cards. Eventually the person reshipping gets arrested by the FBI, or sometimes ends up getting financially ripped off by the scammers.

Phishing Attacks up 52% in July 2009

Friday, August 7th, 2009

Symantec has released a new phishing report that shows that Internet phishing identity theft scam email increased 52% in the month of July.

Here is a link to their “State of Phishing” report for August 2009.

http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_phishing_report_08-2009.en-us.pdf

Army National Guard Laptop Stolen with Personal Data of 131,000 Guard Members

Friday, August 7th, 2009

The Army National Guard is notifying members that a laptop was stolen that contained the names, Social Security Numbers, incentive payment amounts and payment dates of up to 131,000 current and former Guard members.

The announcement can be found on the National Guard website here: http://www.ng.mil/features/identity/default.aspx

Members of the National Guard who have questions can call the National Guard Bureau at 877-481-4957.

It still amazes me that military agencies have laptops that are not encrypted.