

Thursday, October 22, 2009

Cybercrime threat rising sharply






The threat of cybercrime is rising sharply, and experts have called for a new system to tackle well-organised gangs of cybercriminals.

Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said.

The internet was vulnerable, they said, but as it was now part of society's central nervous system, attacks could threaten whole economies.

The past year had seen "more vulnerabilities, more cybercrime, more malicious software than ever before", more than had been seen in the past five years combined, one of the experts reported.

But does that really put "the internet at risk"? That was the topic of a session at the annual Davos meeting.

On the panel discussing the issue were Mitchell Baker, chairwoman of Mozilla (makers of the Firefox browser), McAfee chief executive Dave DeWalt, Harvard law professor and leading internet expert Jonathan Zittrain, Andre Kudelski of Kudelski group, which provides digital security solutions, and Tom Ilube, the boss of Garlik, a firm working on online web identity protection.

They were also joined by Microsoft's chief research officer, Craig Mundie.

To encourage frank debate, Davos rules do not allow the attribution of comments to individual panellists.

Threat #1: Crime

The experts on the panel outlined a wide range of threats facing the internet.

There was traditional cybercrime: committing fraud or theft by stealing somebody's identity, their credit card details and other data, or tricking them into paying for services or goods that do not exist.

The majority of these crimes, one participant said, were not being committed by a youngster sitting in a basement at their computer.

Rather, they were executed by very large and very well-organised criminal gangs.

One panellist described the case of a lawyer who had realised that he could make more money through cybercrime.

He went on to assemble a gang of about 300 people with specialised roles - computer experts, lawyers, people harvesting the data etc.

Such criminals use viruses to take control of computers and combine thousands of them into so-called "botnets" that are used for concerted cyber attacks.

In the United States, a "virtual" group had managed to hijack and redirect the details of 25 million credit card transactions to Ukraine. The group used the data to buy a large number of goods, which were then sold on eBay.

This suggested organisation on a huge scale.

"This is not vandalism anymore, but organised criminality," a panellist said, while another added that "this is not about technology, but our economy".

Threat #2: the system

A much larger problem, though, are flaws in the set-up of the web itself.

It is organised around the principle of trust, which can have unexpected knock-on effects.

Nearly a year ago, Pakistan tried to ban a YouTube video that it deemed to be offensive to Islam.

The country's internet service providers (ISPs) were ordered to stop all YouTube traffic within Pakistan.

However, one ISP inadvertently managed to make YouTube inaccessible from anywhere in the world.

But in cyberspace, nobody is responsible for dealing with such incidents.

It fell to a loose group of volunteers to analyse the problem and distribute a patch globally within 90 minutes.

"Fortunately there was no Star Trek convention and they were all around," a panellist joked.

Threat #3: cyber warfare

Design flaws are one thing, cyber warfare is another.

Two years ago, a political dispute between Russia and Estonia escalated when the small Baltic country came under a sustained denial-of-service attack which disabled the country's banking industry and its utilities like the electricity network.

This was repeated last year, when Georgia's web infrastructure was brought down on its knees during its conflict with Russia.

"2008 was the year when cyber warfare began... it showed that you can bring down a country within minutes," one panellist said.

"It was like cyber riot, Russia started it and then many hackers jumped on the bandwagon," said another.

This threat was now getting even greater because of the "multiplication of web-enabled devices" - from cars to fridges, from environmental sensors to digital television networks.

The panel discussed methods that terrorists could use to attack or undermine the whole internet, and posed the question whether the web would be able to survive such an assault.

The real problem, concluded one of the experts, was not the individual loss.

It was the systemic risk, where fraud and attacks undermine either trust in or the functionality of the system, to the point where it becomes unusable.

What solution?

"The problems are daunting, and it's getting worse," said one of the experts. "Do we need a true disaster to bring people together?" asked another.

One panellist noted that unlike the real world - where we know whether a certain neighbourhood is safe or not - cyberspace was still too new for most of us to make such judgements. This uncertainty created fear.

And as "the internet is a global network, it doesn't obey traditional boundaries, and traditional ways of policing don't work," one expert said.

Comparing virus-infected computers to people carrying highly infectious diseases like Sars, he proposed the creation of a World Health Organisation for the internet.

"If you have a highly communicable disease, you don't have any civil liberties at that point. We quarantine people."

"We can identify the machines that have been co-opted, that provide the energy to botnets, but right now we have no way to sequester them."

But several panellists worried about the heavy hand of government. The internet's strength was its open nature. Centralising it would be a huge threat to innovation, evolution and growth of the web.

"The amount of control required [to exclude all risk] is quite totalitarian," one of them warned.

Instead they suggested fostering the civic spirit of the web, similar to the open source software movement and the team that had sorted the YouTube problem.

"Would a formalised internet police following protocols have been able to find the [internet service provider] in Pakistan as quickly and deployed a fix that quickly?" one of them asked.



http://news.bbc.co.uk/2/hi/business/davos/7862549.stm

Cyber criminals targeting small businesses

By LOLITA C. BALDOR (AP) - Sept. 14, 2009



WASHINGTON — Cyber criminals are increasingly targeting small and medium-sized businesses that don't have the resources to keep updating their computer security, according to federal authorities.

Many of the attacks are being waged by organized cyber groups that are based abroad, and they are able to steal not only credit card numbers, but personal information — including Social Security numbers — of the card holders, said Michael Merritt, assistant director of the U.S. Secret Service's office of investigations.

Merritt, in testimony prepared for the Senate Homeland Security and Governmental Affairs Committee, said that as larger companies have taken on more sophisticated computer network protections, cyber criminals have adapted and gone after the smaller businesses that do not have such high-level security.

Phil Reitinger, the deputy under secretary at the Department of Homeland Security, said there are many simple steps that businesses can take to protect themselves.

"Securing the entrances of one's factory or store is second nature to any business owner and so cyber security protections must become," he said in his testimony to the panel. He added that a recent study suggested that as many as 87 percent of data breaches could be avoided by installing simple to intermediate preventative measures.

Reitinger and Merritt said government agencies are working to coordinate more both with each other and with the private sector to improve cyber security.

But lawmakers working on cyber security legislation in several committees across Capitol Hill are pressing for the administration to do more.

"Security cannot be achieved by the government alone," said Sen. Joseph I. Lieberman, I-Conn. and chairman of the homeland security panel. "Public-private partnership is essential. Together, business, government, law enforcement, and our foreign allies must partner to mitigate these attacks and bring these criminals to justice."



http://www.google.com/hostednews/ap/article/ALeqM5irz01lk0wZFR1RjIr9rXOFrrM72gD9AN4P3G1

Is that ATM safe?



Monitoring all your accounts is important, but these days you want to pay particular attention to what's going on in your checking and savings accounts, because thieves increasingly target bank accounts.


The bad guys have found plenty of ways to steal all-important PINs. Some set up bogus ATMs or install skimming devices or cameras on legitimate machines to record account numbers and PINs.

A few may even have cracked what MSNBC technology columnist Bob Sullivan calls the "holy grail" of bank-account hacking, by stealing and decoding encrypted PINs from a retailer's database.

So the answer to question No. 2 is also "false." You don't want to write down your PIN, of course, but keeping it a secret won't necessarily protect your account.

What you need to do:

Avoid unfamiliar ATMs.

Consider using your credit card instead of your debit card for transactions.

Monitor your bank transactions at least once a week and question any unfamiliar charges.

If your accounts have been compromised, shut them down and open new ones. The bank may resist, but once the bad guys have access to your account, there's really no foolproof way to keep them out, except by shutting it down and starting with a new account number.

'Helping' you as they help themselves

Finally, you need to know about a twist on "phishing" scams called "vishing."

In a phishing scam, you get an e-mail purportedly from your bank or another financial institution, or a site where you have an account, such as eBay or PayPal. The e-mail typically warns of some security problem and tries to get you to provide personal information, such as your login ID and password.

Vishing is like phishing, except a phone is involved. You may get an e-mail directing you to call a phony customer-service line, which prompts you to input account numbers, passwords and other identifying information.

Or you may get a phone call purporting to be from your bank or credit card issuer and be asked to provide critical information, such as the security code on your credit card. The criminal may already have some of your account information, to create a false sense of security.

By the way, you can't trust caller ID to separate legitimate calls from vishing calls. The criminals often use Internet calling services with software programs that create bogus customer-service numbers, or they hack into legitimate companies' phone lines.

To fight back: If you get an e-mail or phone call purporting to be from your financial institution, don't provide any information. Dial your institution's main number yourself and let it know what's happened. If it's a fraud call, you'll be connected to the right people for further action.

In other words, be vigilant. Always assume the sender of the e-mail, the caller on the phone and the person standing behind you in line are out to wreak havoc on your financial life. A little suspicion can go a long way toward protecting your wallet and your identity.



Liz Pulliam Weston's latest book, "Easy Money: How to Simplify Your Finances and Get What You Want Out of Life," is now available. Columns by Weston, the Web's most-read personal-finance writer and winner of the 2007 Clarion Award for online journalism, appear every Monday and Thursday, exclusively on MSN Money. She also answers reader questions on the Your Money message board.



http://articles.moneycentral.msn.com/Banking/FinancialPrivacy/tough-times-are-ripe-for-ID-theft.aspx

MSN Money



When the method the criminals used to steal IDs was known, old-school tactics were far more common than higher-tech approaches, according to Javelin. Here's how it broke down in 2007:

33% of the incidents were due to lost or stolen wallets.

23% of victims were "shoulder surfed" while conducting a transaction (the thief watched over the victim's shoulder as the victim punched in a PIN or used a credit card).

17% were victimized by family members or other people they knew. (Read "8 signs you may know an identity thief.")

12% were victimized online.

7% were victimized as a result of data breaches.

So the answer to the first question is "false."

How to protect your information

That's actually good news, since there's a lot more you can do to protect the information that's under your control than the stuff that's out there in somebody else's database.

Such as:

Program the following numbers into your cell phone so you can quickly report lost or stolen cards: American Express, 1-800-268-9824; Discover, 1-800-DISCOVER or 1-800-347-2683; MasterCard, 1-800-MASTERCARD or 800-627-8372; Visa, 1-800-VISA-911 or 1-800-847-2911.

Shield the keypad with your hand anytime you type in a PIN, and palm a credit card so the numbers don't show while you're waiting in line or finishing a transaction.

Keep your checks, account statements and other sensitive financial information in a locked filing cabinet. This is especially important whenever people you don't absolutely trust will be in your home, such as during parties, when you're having work done on your house or during any family gatherings that include sketchy relatives.

Set up e-mail alerts in your bank and credit card accounts to inform you when large transactions have been made or when your balance reaches certain limits.

Monitor your credit reports. You can access reports from each of the three major bureaus once a year at the government's free site. If you're at high risk for identity theft or will be in the market for a loan in the next few months, consider getting a credit-monitoring subscription. (Read "Should you hire a credit watchdog?" for details.)

Never click on a link embedded in an e-mail, even if the message looks like it legitimately came from one of your financial institutions. Open a new browser window and type in the institution's URL yourself.

Consider blocking access to your credit reports if you've already been a victim of identity theft or are at high risk. (Read "Should you freeze your credit report?")

Cancel paper bills and statements. Monitor your accounts and pay your bills online. People who monitor their accounts online tend to catch fraud much faster. (Read "Go paperless for safer banking.")

Tough times are ripe for ID theft

MSN Money

If you don't know what 'vishing' is, you could be a scammer's next sucker. As the economy turns down, you need to wise up on how your personal data can be swiped.

By Liz Pulliam Weston - Published Oct. 20, 2008

Your job and your portfolio aren't the only things you have to worry about during a recession. You need to keep an eye on your identity as well.

Crime tends to increase during hard economic times, and security experts believe we may see a reversal in the recent trend of declining identity-theft cases. (The percentage of adult Americans victimized by ID theft was 3.58% last year, according to Javelin Strategy and Research, down from 4.25% in 2004.)

So it's timely that MSN Money has joined with the National Foundation for Credit Counseling, or NFCC, in promoting ID-theft awareness on a new Web site. On the site, you'll find:

A quiz to assess your ID-theft risk.

Recommendations for people who've been victimized.

Consumer tips.

A map with links to local events that promote ID-theft awareness during National Protect Your Identity Week, Oct. 19-25.

In addition, credit bureau Experian has partnered with MSN Money and the NFCC to give away 10,000 credit-monitoring subscriptions Tuesday, Nov. 25, through the Ask a Credit Counselor message board. We'll remind you as the date approaches.

Think you already know everything that’s needed to protect your identity? Try the following pop quiz:

Data breaches, in which personal information such as Social Security numbers are stolen or exposed by hackers, have become the leading cause of identity theft. True or false?

Consumers can prevent criminals from accessing their bank accounts by not writing down their personal identification numbers (PINs). True or false?

What is "vishing"?

For the answers, read on.

The biggest worry

Database breaches certainly get a lot of news coverage, probably because they remind us how much of our personal information floats around in the ether, beyond our ability to protect it.

As of this writing, more than 245 million consumer records have been exposed in data breaches in the past four years, according to the Privacy Rights Clearinghouse. We know about these incursions thanks to state laws enacted since 2004 that require companies and governments to report such cases.

Only a small fraction of those breaches were used to commit fraud, however.


Hackers Breach Heartland Payment Credit Card System



USA TODAY

By Byron Acohido, USA TODAY - Posted 1/20/2009 8:37 PM

Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants.

Robert Baldwin, Heartland's president and CFO, said in a USA TODAY interview that the intruders had access to Heartland's system for "longer than weeks" in late 2008. The number of victims is unknown. "We just don't have the information right now," Baldwin said.

Tech security experts said the breach could set a record. Retail giant TJX lost 94 million customer records to hackers in 2007. With more than 100 million transactions per month, they could discover that several months' worth of transactions were captured, says Michael Maloof, chief technology officer at TriGeo Network Security.

Heartland processes card payments for restaurants, retailers and other merchants. It discovered the hack last week after Visa and MasterCard notified it of suspicious transactions stemming from accounts linked to its systems. Investigators then found the data-stealing program planted by the thieves.

"Our discussions with the Secret Service and Department of Justice give us a pretty good indication that this is part of a group that appears to have done security breaches at other financial institutions," said Baldwin. "This is a very sophisticated attack." Once it sorts out the matter, Heartland plans to notify each victim whose data were stolen to comply with data-loss disclosure laws in more than 30 states, Baldwin said.

"Cleaning up the mess could be potentially much more expensive than any fines or penalties," says Michael Argast, senior analyst at security firm Sophos.

Heartland's disclosure coincides with reports of heightened criminal activities involving stolen payment card numbers. Security firm CardCops has been tracking a 20% year-over-year increase in Internet chat room activity where hackers test batches of payment card numbers to make sure that they're active. "The numbers could have come from a processor, like Heartland, or some other source that has access to a lot of customer data but is not a retailer," says Dan Clements, CardCops president.

Also, Forcht Bank in Kentucky last week began issuing replacement debit cards to 8,500 patrons, due to reports of fraudulent card activity. "There are several other banks affected, and this is not isolated to Forcht Bank customers," the bank said in a Jan. 12 statement to customers.



http://www.newsday.com/news/local/newyork/ny-nycomp0108,0,1374063.story

Saturday, October 10, 2009

2010 Census to Begin

THIS IS PRETTY BASIC ADVICE; BUT, IN TODAY'S TIMES, I CAN SEE IT COULD LEAVE AN OPEN DOOR FOR PASSING OUT YOUR PRIVATE INFORMATION.

WARNING: 2010 Census Cautions from the Better Business Bureau

Be Cautious About Giving Info to Census Workers by Susan Johnson

With the U.S. Census process beginning, the Better Business Bureau (BBB) advises people to be cooperative, but cautious, so as not to become a victim of fraud or identity theft. The first phase of the 2010 U.S. Census is under way as workers have begun verifying the addresses of households across the country. Eventually, more than 140,000 U.S. Census workers will count every person in the United States and will gather information about every person living at each address including name, age, gender, race, and other relevant data.

The big question is - how do you tell the difference between a U.S. Census worker and a con artist? BBB offers the following advice:

If a U.S. Census worker knocks on your door, they will have a badge, a handheld device, a Census Bureau canvas bag, and a confidentiality notice. Ask to see their identification and their badge before answering their questions. However, you should never invite anyone you don't know into your home.

Census workers are currently only knocking on doors to verify address information. Do not give your Social Security number, credit card or banking information to anyone, even if they claim they need it for the U.S. Census.

REMEMBER, NO MATTER WHAT THEY ASK, YOU REALLY ONLY NEED TO TELL THEM HOW MANY PEOPLE LIVE AT YOUR ADDRESS.

While the Census Bureau might ask for basic financial information, such as a salary range, YOU DON'T HAVE TO ANSWER ANYTHING AT ALL ABOUT YOUR FINANCIAL SITUATION. The Census Bureau will not ask for Social Security, bank account, or credit card numbers, nor will employees solicit donations. Anyone asking for that information is NOT with the Census Bureau.

AND REMEMBER, THE CENSUS BUREAU HAS DECIDED NOT TO WORK WITH ACORN ON GATHERING THIS INFORMATION. No Acorn worker should approach you saying he/she is with the Census Bureau.

Eventually, Census workers may contact you by telephone, mail, or in person at home. However, the Census Bureau will not contact you by Email, so be on the lookout for Email scams impersonating the Census.

Never click on a link or open any attachments in an Email that are supposedly from the U.S. Census Bureau.

For more advice on avoiding identity theft and fraud, visit http://www.bbb.org/



PLEASE SHARE THIS INFO WITH FAMILY AND FRIENDS.


http://www.bbb.org/

