EMV Will Help Retailers Prevent Credit Card Fraud

EMV, which stands for Europay, MasterCard, and Visa, refers to the chip and PIN credit card technology commonly used in Europe and elsewhere around the world. Credit cards that incorporate an embedded microprocessor chip are far more secure than any other form of credit card currently available, including the standard magnetic striped cards that are all too easy to skim at ATMs and point of sale terminals.

Major banks and retailers are now pushing very hard to make EMV the new standard in the United States, with implementation expected in 2015. Visa announced plans to expand its Technology Innovation Program to the U.S., which will encourage retailers to support cards with microchips by “[eliminating] the requirement for eligible merchants to annually validate their compliance with the PCI Data Security Standard for any year in which at least 75% of the merchant’s Visa transactions originate from chip-enabled terminals.” This will go into effect October 1, 2012 for merchants whose point-of-sale terminals accept both contact and contactless chips.

PCMag reported that MasterCard followed Visa’s lead, stating that it too intends to move U.S. consumers onto so-called chip-and-PIN technology. MasterCard, like Visa, also said that it is preparing for a world where consumers will pay in stores, online, and via mobile devices.

Another method of credit card fraud prevention is device reputation technology. It works to prevent all types of fraud and abuse on the Internet, including account takeover, which occurs when your existing bank or credit card accounts are infiltrated and money is siphoned out. iovation, the leader in device reputation, helps prevent new account fraud, which refers to financial identity theft in which the victim’s personal identifying information and good credit standing are used to create new accounts, which are then used to obtain products and services. Stolen Social Security numbers are often used to commit new account fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

5 Ways to Protect Your Credit Card

Credit card fraud happens in a number of ways. Sometimes your bank or credit card company will notify you of fraud, and other times they won’t. So it’s up to you to protect yourself. Smart retailers, on the other hand, are already protecting consumers behind the scenes by implementing multiple layers of fraud protection.

1. Whenever you hand over your credit card to anyone — a waiter, gas station attendant, store clerk, etc. — keep a close eye on them as long as they are in possession of the card, or at least watch the card as it is being processed. You want to see where your card is going, and how it’s being used. The idea is to make sure the card isn’t being “skimmed” with a device designed to collect card data. This is good advice when it’s possible, but since waiters typically take the card out of sight to process, it really only works in scenarios where the clerk never leaves the terminal.

2. Cover your PIN. This is absolutely necessary at any point-of-sale terminal or ATM. The public nature of these devices makes it very easy for someone to “shoulder surf” and see your PIN. A cell phone video camera over your shoulder, a video camera 50 feet away, binoculars, or even a hidden camera attached to the face of the ATM can all compromise your PIN.

3. Change your card number. With millions of card numbers hacked over the last few years, chances are yours has been compromised at some point. I have had three changes of credit cards due to proactive card issuers sending me a new card whether I liked it or not.

4. Check your credit card statements every day. This is an extra layer of protection that requires savant-like attention. You check your email every day, so checking your credit card statements every day is manageable, right? Even once a week is sufficient, and every two weeks is okay. Just be sure to confirm your bank’s cut-off date to refute unauthorized withdrawals. For most credit cards, it’s 60 days.

5. Protect your PC. Viruses on your computer will almost certainly result in account takeover. Install antivirus, anti-phishing, anti-spyware, and a firewall.

One very effective fraud detection technique smart retailers are using is to implement device identification and device reputation, which alert businesses to known fraudsters on their websites. iovation Inc. takes this service to another level by analyzing the device’s reputation to assess the potential risk of every transaction.

Social Media A Big Risk To Banks

For more than a decade, criminals have been successfully attacking online banking by one-upping security professionals and their clients, creating viruses to bypass existing security measures.

In response, security companies offer new technologies to fight new threats, and federal regulators have continually updated their compliance rules in response to existing vulnerabilities.

However, one variable that technology has yet to fully fix is the human element. Sure, many of the existing security technologies help protect the consumer and the bank from human error, like downloading a virus, or from social engineering tricks, like clicking an infected link, and they alert us to a phishing email. But no technology, or even security or privacy policy, can prevent someone from exposing all their life’s details on a social media site.

When criminals target an organization like a bank, they start by looking for vulnerabilities in the network infrastructure. Beyond that, they target the employees of a bank and their customers using the information provided on the corporate site and via social media.

Once they gather enough information about their target, they use that data to circumvent all the security technologies meant to prevent a user from downloading a virus or falling for social engineering tricks like clicking an infected link, and to alert us to a phishing email.

This is where banks need to step it up and incorporate complex device identification. iovation, an Oregon-based security firm, goes a step further, offering Device Reputation, which builds on complex device identification with real-time risk assessments, the history of fraud on groups of devices, and their relationships with other devices and accounts, which exposes fraudsters working together to steal from online businesses.

Banks Big And Small Targets of Cyber Gangs

Brilliance, historically, is often expressed in the simplest of technologies; the wheel and the light bulb are perfect examples. Today, brilliance is often attributed to advances in technologies that cure illness, solve problems and make life easier.

In the past decade, coders, programmers and hackers of all kinds have come up with inventions from the simplest to the most brilliant, transforming life as we know it. And unfortunately, it’s the criminal hackers that seem to be the smartest in the room.

CIO put it this way: “ZeuS, SpyEye, Sunspot, OddJob, Gameover. Villains in the next James Bond movie? No. These are names for sophisticated and dangerous crimeware used by real villains – internationally organized gangs of cyber criminals – to hijack online bank accounts and steal money.”

They further state, “The Anti-Phishing Working Group estimates that 45% of all computers are now infected with software designed to steal money.”

When banks began building out their infrastructure to allow for online banking, they didn’t anticipate the thousands of ways in which the bad guy would scheme and come up with brilliant ways to separate banks and their clients from their cash.

A Texas bank sued one of its customers who was hit by an $800,000 online bank theft to determine who is to be held responsible for protecting their online accounts from fraud.

Now the FFIEC has stepped in, telling banks to smarten up and enhance their online banking security. Effective this past January, banks must use multiple layers of security and educate their clients on security risks.

That includes sophisticated methods of identifying devices and knowing their reputation (past and current behavior, and other devices they are associated with) the moment they touch the banking website. The FFIEC has recognized complex device identification strategies as a viable solution that’s already proven strong at very large financial institutions. ReputationManager360 by iovation leads the charge with device reputation encompassing identification, building on device recognition with real-time risk assessment that uniquely leverages both the attributes and the behavior of the device.

Consumers must protect themselves by keeping their devices’ operating systems updated with critical security patches, and by running antivirus, antispyware, antiphishing and firewall software. It is also critical that they use a secure, encrypted wireless internet connection.

Your Strong Password Isn’t so Strong

Banks rely on usernames and passwords as a layer of protection and authentication to prevent criminals from accessing your accounts. However, researchers now show that your password, even though it may be a relatively “strong” one, might not be strong enough.

When you create a password and provide it to a website, that site is supposed to convert it to a “hash,” as Ars Technica explains: “Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that “5f4dcc3b5aa765d61d8327deb882cf99” is the MD5 hash for “password”.”

But Ars did an experiment with everyone from a newbie technologist all the way up to expert hackers to see what they could do to crack the hashes.

“The characteristics that made “momof3g8kids” and “Oscar+emmy2” easy to remember are precisely the things that allowed them to be cracked. Their basic components—”mom,” “kids,” “oscar,” “emmy,” and numbers—are a core part of even basic password-cracking lists. The increasing power of hardware and specialized software makes it trivial for crackers to combine these ingredients in literally billions of slightly different permutations. Unless the user takes great care, passwords that are easy to remember are sitting ducks in the hands of crackers.”
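An added example in Python (my code, not from the article or from Ars Technica) that makes the quoted point concrete: an unsalted MD5 of “password” always produces the digest the article quotes, so one guess cracks every account that stored it, whereas a salted, iterated hash (PBKDF2-HMAC-SHA256 here, an assumed scheme the article does not name) gives each account a different record and makes every guess cost a full run of the iterations.

```python
import hashlib
import hmac
import os
from typing import Optional

# The digest quoted in the article: unsalted MD5 of the string "password".
PAGE_MD5_OF_PASSWORD = "5f4dcc3b5aa765d61d8327deb882cf99"


def md5_hex(password: str) -> str:
    """Unsalted MD5 as in the article's example. The same input always
    yields the same digest, so a table of guesses built once applies to
    every account that stored that digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (assumed scheme for this example).
    Returns a self-describing record:
        pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    A fresh random salt is drawn when none is supplied, so two users with
    the same password get different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in the
    record and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_storage(password: str, users: int = 3,
                    iterations: int = 50_000) -> dict:
    """Store one (constructed) password for several users both ways and
    report how many distinct records each scheme produced. With MD5 every
    user shares a single digest; with salted PBKDF2 every record differs,
    and each one costs `iterations` HMAC rounds per guess."""
    md5_records = {md5_hex(password) for _ in range(users)}
    kdf_records = [hash_password(password, iterations=iterations)
                   for _ in range(users)]
    return {
        "md5_distinct_records": len(md5_records),
        "pbkdf2_distinct_records": len(set(kdf_records)),
        "all_pbkdf2_records_verify": all(verify_password(password, r)
                                         for r in kdf_records),
    }


if __name__ == "__main__":
    print(md5_hex("password") == PAGE_MD5_OF_PASSWORD)  # True
    print(compare_storage("password"))
```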

How to get hacked

Dictionary attacks: Avoid consecutive keyboard combinations, such as qwerty or asdfg. Don’t use dictionary words, slang terms, common misspellings, or words spelled backward. These cracks rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like “John the Ripper” or similar programs.

Simple passwords: Don’t use personal information such as your name, age, birth date, child’s name, pet’s name, or favorite color/song, etc. When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “princess,” “qwerty,” and “abc123.”

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Protect yourself:

  1. Make sure you use different passwords for each of your accounts.
  2. Be sure no one watches when you enter your password.
  3. Always log off if you leave your device and anyone is around—it only takes a moment for someone to steal or change the password.
  4. Use comprehensive security software and keep it up to date to avoid keyloggers (keystroke loggers) and other malware.
  5. Avoid entering passwords on computers you don’t control (like computers at an Internet café or library)—they may have malware that steals your passwords.
  6. Avoid entering passwords when using unsecured Wi-Fi connections (like at the airport or coffee shop)—hackers can intercept your passwords and data over this unsecured connection.
  7. Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.
  8. Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least one year.
  9. Do use at least eight characters of lowercase and uppercase letters, numbers, and symbols in your password. Remember, the more the merrier.
  10. Strong passwords are easy to remember but hard to guess. Iam:)2b29! — This has 10 characters and says “I am happy to be 29!” I wish.
  11. Use the keyboard as a palette to create shapes. %tgbHU8*- Follow that on the keyboard. It’s a V. The letter V starting with any of the top keys. To change these periodically, you can slide them across the keyboard. Use W if you are feeling all crazy.
  12. Have fun with known short codes or sentences or phrases. 2B-or-Not_2b? — This one says “To be or not to be?”
  13. It’s okay to write down your passwords, just keep them away from your computer and mixed in with other numbers and letters so it’s not apparent that it’s a password.
  14. You can also write a “tip sheet” which will give you a clue to remember your password, but doesn’t actually contain your password on it. For example, for the password above, your “tip sheet” might read “To be, or not to be?”
  15. Check your password strength. If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice.
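An added example in Python (my code, not the article’s) that turns the “how to get hacked” rules and tip 9 into a checker: it flags keyboard runs such as qwerty or asdfg, the common passwords the article lists, dictionary words spelled forward or backward, and passwords shorter than eight characters or missing one of the four character classes. The tiny word list and the four-character minimum run length are assumptions; a real deployment would use a full cracking dictionary.

```python
# Rows of a US keyboard; any four-character walk along a row, forward or
# backward, counts as a "consecutive keyboard combination" (qwerty, asdfg).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Passwords the article names as most common in the breach it cites.
COMMON_PASSWORDS = {"123456", "12345", "111111", "princess", "qwerty", "abc123"}

# Constructed stand-in for a real cracking word list (assumption): just the
# components the Ars Technica quote says made its examples crackable.
DICTIONARY_WORDS = {"mom", "kids", "oscar", "emmy", "password", "princess", "happy"}

MIN_LENGTH = 8   # tip 9: at least eight characters
RUN_LENGTH = 4   # assumed: shortest row walk worth flagging


def keyboard_runs(password: str) -> list:
    """Return each RUN_LENGTH-character stretch of a keyboard row found in
    the password, checking each row forward and backward."""
    p = password.lower()
    hits = []
    for row in KEYBOARD_ROWS:
        for walk in (row, row[::-1]):
            for i in range(len(walk) - RUN_LENGTH + 1):
                chunk = walk[i:i + RUN_LENGTH]
                if chunk in p:
                    hits.append(chunk)
    return hits


def dictionary_hits(password: str) -> list:
    """Return dictionary words that appear in the password, spelled
    forward or backward (the article warns against both)."""
    p = password.lower()
    return sorted(w for w in DICTIONARY_WORDS if w in p or w[::-1] in p)


def missing_classes(password: str) -> list:
    """Which of the four character classes from tip 9 the password lacks."""
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    return [name for name, present in classes.items() if not present]


def check_password(password: str) -> tuple:
    """Return (accepted, reasons). Accepted only when no rule fires."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    runs = keyboard_runs(password)
    if runs:
        reasons.append("keyboard run: " + ", ".join(runs))
    words = dictionary_hits(password)
    if words:
        reasons.append("dictionary word: " + ", ".join(words))
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    missing = missing_classes(password)
    if missing:
        reasons.append("missing " + ", ".join(missing))
    return (not reasons, reasons)


if __name__ == "__main__":
    # The article's own examples, strong and weak.
    for pw in ("Iam:)2b29!", "%tgbHU8*-", "2B-or-Not_2b?", "123456",
               "qwerty", "momof3g8kids", "Oscar+emmy2"):
        ok, why = check_password(pw)
        print(f"{pw!r:18} {'OK' if ok else 'REJECT'}  {'; '.join(why)}")
```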

While you must do your part to manage effective passwords, banks are working in the background to add additional layers of security to protect you. For example, financial institutions are incorporating complex device identification, which looks at numerous characteristics of the online transaction, including the device you are using to connect. iovation, an Oregon-based security firm, goes a step further, offering Device Reputation, which builds on complex device identification with real-time risk assessments. iovation knows the reputations of over 1.3 billion devices in its device reputation knowledge base. By knowing a device’s reputation, banks can better determine whether a particular device is trustworthy before a transaction is approved.

Classifieds Ripe For Rental Fraud

I once listed a property for rent on Craigslist that scammers ended up relisting for a third of my asking price. People would pull into my driveway and knock on my door while the listing was active, and even after the listing I posted had expired.

Business Insider reports, “Since lenders have tightened their requirements for getting a mortgage—which is making it harder to buy a home—the rental market is hot right now. Turns out, so is the online identity theft market, which is why it’s no surprise that identity thieves are attacking people who are looking to rent.”

Here’s how the scam often works. The scammer copies and pastes the ad and poses as the homeowner, who is conveniently away traveling on business overseas. In order to generate traffic, the scammer lists the ad for much less than is being asked. When people respond to the ad, the scammer tells them they can rent it out—all they have to do is forward him the first month’s rent via a money wire overseas. Some people will want to drive by to get a look without actually going in, and that’s enough for them to send the money.

The way I thwarted this crime under my watch was to continually scan Craigslist for keywords related to my ad to see if it was being posted by a scammer. When I discovered a fraudulent post, I emailed abuse@craigslist.com with the link. Craigslist was very responsive and took the posts down. The scammer was equally diligent, however: I had to do this almost 20 times during the period I was renting out the apartment.

How can you protect yourself from scams like this, or other scams that take advantage of online classified ads?

  • Use common sense, be smart and pay attention. If you do that, you won’t fall for these types of cons.
  • Be very careful who you contact and who contacts you. You never know who the person is or what his or her motivation may be.
  • Whenever possible, deal locally. People who cannot meet you in your town are more likely to be scammers. And even when you do meet in person, you still should be wary.
  • Never engage in online transactions involving credit cards, cashier’s checks, money orders, personal checks, Western Union, MoneyGram, cash or anything that requires you to send money to a stranger in response to money he or she has sent you. This is known as an advance fee scam.
  • Be smart. Don’t disclose your financial information, including account or Social Security number, for any reason. Look out! Scammers will say anything in order to get this information.

Many classified sites stop fraudulent ads from being published in the first place by incorporating device-based intelligence that helps them assess risk upfront. Fraud prevention technology offered by iovation Inc. not only helps these sites identify repeat offenders coming in under multiple fake identities, but also detects when scammers are attempting to place multiple fraudulent ads using a variety of computers, tablets and smartphones to do so. This greatly helps rid these sites of undesirables and protects their valued members.

How Your Smartphone Will Identify You Privately

Bank Sues Client Over Wire Fraud

Banks usually have relatively secure systems to maintain and protect online banking activities. They’ve spent billions to ensure that criminal hackers don’t liquidate all of our accounts. But criminals spend all their time seeking vulnerabilities and often find some way to make a fraudulent withdrawal.

Over the past decade as we have all (mostly) banked and bought stuff online, criminals have formed organized web mobs to sniff out transactions and take over existing accounts and in some cases open up new accounts.

American Banker reports an example of what can still go wrong: “the $2 billion-asset bank is suing Wallace & Pittman, a Crosstown law firm, to recover funds the firm relayed electronically to Russia after an email that purported to be from an industry group lured someone at the firm to surrender their user name and network password, the Charlotte Observer reported.”

The fraudsters used the access to install software on at least one of the firm’s computers that allowed them to hijack its account.

“Masquerading as Wallace & Pittman, the thieves instructed Park Sterling to transfer roughly $336,600 through JPMorgan Chase to a recipient in Moscow. The law firm asked Park Sterling to stop the transfer after receiving confirmation of it, but the request allegedly came too late.”

To defend against all of these hacks, the Federal Financial Institutions Examination Council (FFIEC) recommends to financial institutions what’s called a “layered approach” of anti-fraud tools and techniques to combat this type of crime. This means it’s not simply a matter of applying a firewall and having anti-virus to protect the network, but going much deeper in protecting many interaction points within the banking site (not just login) and using a variety of proven fraud prevention solutions.

That includes sophisticated methods of identifying devices and knowing their reputation (past and current behavior, and other devices they are associated with) the moment they touch the banking website. The FFIEC has recognized complex device identification strategies as a viable solution that’s already proven strong at very large financial institutions. ReputationManager360 by iovation leads the charge with device reputation encompassing identification, building on device recognition with real-time risk assessment that uniquely leverages both the attributes and the behavior of the device.

Consumers still need to apply antivirus, antispyware and a firewall and must never respond to emails requesting usernames and passwords and avoid clicking links in emails.

Portland Company Keeps Ringing the Bell Of Success

iovation, which protects businesses from Internet fraud by identifying good online customers with its device reputation technology, recently announced that its ReputationManager 360 solution won gold in the security services category for Network Products Guide’s 8th Annual 2013 Best Products and Services Award. The award honors and recognizes the achievements and positive contributions of organizations and IT professionals worldwide.

Additionally, iovation announced that its Chief Financial Officer, Doug Shafer, has been named CFO of the year by the Portland Business Journal. Shafer was recognized for iovation’s company performance as well as community involvement over the past year. The award is given each year to professionals in Oregon and Southwest Washington who have excelled in their roles as financial executives.

This is the second time in four years that iovation has been awarded a gold by Network Products Guide and this year the company joins other best products and services winners like Cisco Systems, Inc., Yahoo, Inc., Samsung, and NETGEAR.

With its ReputationManager 360 solution, iovation tracks the online behavior of more than 1.3 billion devices from around the world, everything from desktops to laptops, mobile phones to tablets, and gaming consoles to smart TVs, by utilizing iovation’s device reputation intelligence.

Device reputation spots online evildoers by examining the computer, smartphone, or tablet they are using to connect to any website. If a device is recognized as having previously committed some type of unwanted behavior, the website has the opportunity to reject the transaction, preventing damage before it occurs.

In the physical world, as the saying goes, “You are only as good as your word.” And when somebody says one thing and does another, we no longer trust them.

Online, people say and do things they never would in the real world. Internet anonymity fuels bad behavior. Websites’ comments sections are filled with vitriol that you’d never hear real people utter. Scammers create accounts in order to con people and businesses into forking over money. And identity thieves use your personal information to fill out online applications for credit.

Identity Theft Rings Focus On Loans and Credit Cards

Identity theft rings are in every state, victimizing approximately 10 million people a year.

In Wyckoff, NJ, 11 men and women were arrested on charges of stealing identities to open credit cards in an alleged scheme that is believed to have defrauded more than 70 victims.

Patch reports: “Credit cards were opened in the victims’ names, and charges were made on their behalf by “authorized buyers.” The task force investigation found that most of the victims had recently refinanced or applied through.”

In Tyler, TX, 45 people were victimized in an identity theft scam using loan fraud. KLTV reports, “They had obtained information on citizens, names, date of birth, social security numbers and so on. Enough so that when they went online to these loan companies then they took out a loan in someone else’s name. Then, they went to a bank and opened an account in their true name and had that money wired to their account.”

Consumers must:

  • Protect themselves from account takeover by monitoring their accounts closely, protecting their passwords, and refuting unauthorized charges.
  • Protect themselves from new account fraud by locking down their credit with a credit freeze or identity theft prevention services.
  • Protect their devices with antivirus, antispyware, antiphishing and a firewall.

Identity theft will continue to plague citizens until smart systems are put in place to mitigate new account fraud and account takeover. Businesses are engaging an emerging device identification technology by Oregon-based iovation Inc. that spots cybercriminals by analyzing the reputation of computers and mobile devices used to connect to online businesses. They proactively investigate for suspicious activity and check for characteristics consistent with fraudulent users.

In one major case, iovation helped bust a fraud ring that victimized over 15 people and racked up tens of thousands of dollars in fraudulent charges. The case started with a report of $5,000 in fraudulent credit card charges at a large electronics store and two department stores. It just so happens that the credit issuer was using iovation to flag fraudulent credit card applications and trace them back to the specific computers and mobile devices used. This information, combined with surveillance photos and other offline detective work, provided the perfect blend of digital and physical data that law enforcement needed to bust the crime ring.