Tag Archives: Identity theft

Getting Paid for Doing Bad Things (12″ version)

This is the extended version of my earlier blog post. The BBC finally ran my commentary so for those of you who want more info, here it is:

Think of it as product placement for the Internet. It’s been around a while, but I just figured out how it works, and it made me realise that the early dreams of a blogging utopia on the web are pretty much dead.

Here’s how this kind of product placement works. On the Internet Google is like a benevolent dictator: it creates great stuff we love, and with which most of the net wouldn’t work. But it also wields great power–at least if you’re someone trying to make money off the web. Because if you don’t show up in Google’s search results, then you’re nobody. It’s the equivalent of exile, or solitary confinement, or something.

A lot of money is spent, therefore, in gaming your website’s position in Google’s rankings. But you have to be careful. Google also spends a lot of money tweaking its algorithms so that the search results you get are not gamed. Threat of exile is usually enough to keep most web players in line.

But because Google doesn’t issue a set of rules, and doesn’t explain why it exiles web sites, the gray area is big. And this is where the money is made.

One of the mini industries is something called link building. Google reckons a site with lots of links to it is a popular site, so it scores highly. So if you can get lots of sites to link to yours, you’re high up in the results.

Now it just so happens that some of the pages on my modest decade-old blog score quite highly here. So I suppose it was inevitable that link building companies would seek me out.

A British company, for example, called More Digital offered me a fixed upfront annual fee for a “small text-based ad” on my website. As intriguing was the blurb at the bottom of the email:

You must not disclose, copy, distribute or take any action in reliance on this e-mail or any attachments. Views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of More Digital.

Clearly these guys mean business, I thought, so I wrote back to Alicia Ross. She was excited to hear from me, and offered two options: one was a simple link in my collection of recommended web sites. The idea would be that I would include a link to their client’s website–whoever it was–alongside my real recommendations.

The other was “one page simple text”:

The advert will be text, not a visual banner It will appear in the content, and only on a single page of your website. Our writers will provide you with a copy that will fit naturally into your existing content.

(I think she means “copy” rather than “a copy”). For this I would earn $200 a year per ad if the client was a poker, casino or bingo site;

Now in Internet terms this is big money. It would take me a month or so to make that kind of dosh on simple Google ads on my website. Now they’re talking about one simple text link and I get the cash in two days!

But hang on a minute. There’s that ethics thing in the back of my mind. I have to listen to it a second.

The first one I’m not crazy about: What’s the point of a collection of recommended links if I don’t actually recommend them myself?

But the second one took some getting my head around. I couldn’t figure out what she had in mind, so I asked her. And this is when I started to get really depressed.

Basically what they’re after is me inserting a sentence into an existing blog post that links to their client. These guys are not interested in a new post. That would take time to rise up through the ranks of Google; they want to tap into my micro-Google fame. And remember this is not an ad. It’s a plug. It’s product placement. In a piece that is supposed to otherwise be straight, authentic and, well, me. I like to think that’s why it has Google juice.

By the time I got back to Alicia the offer was off the table as all the spots had been picked up. Clearly this is a well-oiled business. But then I got another, from a different company. Mayra Alessi was contacting me on behalf of a U.S. company selling identity theft protection, which she wanted me to link to in a piece I wrote two years ago about a privacy problem with Facebook. For $30 a month.

Mayra, if it was she, proposed I add a sentence at the end of a paragraph on how Facebook needs to fix the way they handle friendshipt requests as follows:

Mistakes like these from Facebook, make us more and more vulnerable to identity theft, that is why it is important to understanding identity theft in the USA.

Clearly Mayra hasn’t made her way in the world based on her copyediting, grammar or punctuation skills.  And the irony hasn’t escaped me of a company peddling identity theft protection is at best unaware that companies operating in its name are paying websites to mislead their readers, and Google.

What’s wrong with all this? Well, I guess the first thing is the seediness. A company is basically hiring another company to fiddle its rankings on Google–instead of just producing the kind of kick-ass content that it should be building it leeches off my kick-ass content.

And it’s not just seedy, it’s illegal. Well, as far as Google is concerned. Only the other day someone complained on a Google forum after getting his sites bumped off Google’s index. The reason, he suspects, is that he took $75 from one of the companies that contacted me for linking to a site about bikes. And these companies must know that. I guess that’s why the fees seem quite high for the chicken feed that niche blogs like ours are used to earning.

The point is, that the companies apparently funding this kind of activity–those whose websites benefit from the link love–are not necessarily sleazy gambling sites. I was invited to link to were an Internet security company. Among companies willing to pay me $150 for a link are, according to one of these link building outfits trying to get me aboard, are those selling mobile phones, mobile phones, health and fitness, travel, hotels, fashion, Internet services, insurance, online education and, somewhat incongruously, recycling companies.

To me this is all the more sleazy because these are real companies with offices in the UK and US and they’re clearly proud of what they do. We’re not talking Ukrainian spammers here. But their impact, in a way, is worse, because with every mercenary link sold they devalue the web. I’ve been doing a blog for nearly 10 years now, and the only thing that might make my content valuable is that it’s authentic. It’s me. If I say I like something, I’m answerable for that. Not that people drop by to berate me much, but the principle is exactly the same as a journalistic one: Your byline is your bond.

All in all, a tawdry example of where the blogosphere has gone wrong, I reckon. Keep your money. I’d rather keep the high ground.

Malware Inside the Credit Card Machine

image

(Update, July 2009: A BusinessWeek article puts the company’s side; maybe I was a little too harsh on them in this post.)

This gives you an idea of how bad malware is getting, and how much we’re underestimating it: a U.S.. company that processes credit card transactions has just revealed that malware inside its computers may have stolen the details of more than 100 million credit card transactions. That would make it the biggest breach in history.

Heartland Payment Systems, one of the fifth largest U.S. processors in terms of volume, began receiving reports of fraudulent activity late last year. But it took until last week to find the source of the breach: “A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients,” according to Brian Krebs of The Washington Post.

Revealed were credit/debit card numbers, expiry dates and names of customers to some, or all, of more than a quarter of million retail outlets. Bad guys could make fake cards based on this data, but they probably couldn’t use it to buy stuff online, the company said. (At least one observer has characterized this as garbage, opining that a lot of eCommerce merchants turn off their Address Verification System because of errors, and fears of losing the customer.)

That it took so long is pretty extraordinary in itself—these are, after all, the company’s own computers. We’re not talking about investigators having to track down malware on one of its customers computers, or somewhere in between. But that’s not all that’s remarkable: It looks like the certification that these kinds of operations rely on, the Payment Card Industry Data Security Standard, or PCI DSS, was issued last April  (here’s the proof. Certificates are valid for a year). This suggests according to Digital Transaction News, that the bad guys have found a way around the industry standard level of protection.

Also remarkable is this: The company chose to release the news on Inauguration Day, a fact that has rightly prompted accusation the company is burying the news. The company has played down the seriousness of the breach, saying that not enough information was revealed about individual cards for identity theft to be an issue, while at the same time suggesting that it’s part of a wider “cyber fraud operation.” I’m not sure it can have it both ways.

The company but has set up a website for concerned individuals at 2008breach.com. (Note the cute use of last year to make it seem like something of historical interest only—or maybe 2009breach.com was already taken? That doesn’t seem to have stopped worried customers trying to log on; as of writing the website, and those of the company, are down—possibly because of visitor traffic.)

Apart from the insubstantial response of HPS itself, it’s worth pointing out that this kind of attack is not new. CardSystems, another processor was breached in 2005—apparently via malware which grabbed data it was storing (rather than processing.)

I was kinda skeptical back then of the way it was handled—the company itself delayed release of the information for a month. More digging suggested that the information had been available far longer. It was perhaps understandably coy, given these things never end prettily: Within a few months what was left of CardSystems was acquired by Pay By Touch, also known as Solidus Networks, just in time for it be slapped down by the FTC. Pay By Touch itself closed down last year and its website is no longer active.

What this new breach seems to tell us is that the bad guys are—and probably always have been—smarter than the good guys. Data within a payment processor like HPS does not need to be encrypted—indeed, the company argues it can’t be encrypted, because it needs to be processed—so while CardSystems was clearly in breach of the rules by storing data, HPS is arguing that it’s not.

But all this tells us is that the security measures in place to protect our data are not enough. God knows how that malware got into their computers. And why it was so hard to trace once it—or something–was known to be there. But the lesson from this miserably handled episode has to be that security and oversight need to be tightened, while transparency towards customers—the individuals who have to pick up the pieces, by scanning their monthly statements for months to come for possible fraud—has to be seriously improved.

The bigger issue, of course, is to finally wake up to the fact that malware is no longer some obscure corner of security matters, but something that affects all of us.

Image: Screenshot of the inaccessible 2008breach.com website.

The Big Ring

Good piece today by my WSJ colleague Cassell Bryan-Low on the Douglas Havard case which I mentioned a week or so back: As Identity Theft Moves Online, Crime Rings Mimic Big Business (subscription only, I suspect):

Most identity theft still occurs offline, through stolen cards or rings of rogue waiters and shop clerks in cahoots with credit-card forgers. But as Carderplanet shows, the Web offers criminals more efficient tools to harvest personal data and to communicate easily with large groups on multiple continents. The big change behind the expansion of identity theft, law-enforcement agencies say, is the growth of online scams.

Police are finding well-run, hierarchical groups that are structured like businesses. With names such as Carderplanet, Darkprofits and Shadowcrew, these sites act as online bazaars for stolen personal information. The sites are often password-protected and ask new members to prove their criminal credentials by offering samples of stolen data.

Shadowcrew members stole more than $4 million between August 2002 and October 2004, according to an indictment of 19 of the site’s members returned last October by a federal grand jury in Newark, N.J. The organization comprised some 4,000 members who traded at least 1.5 million stolen credit-card numbers, the indictment says.

The organizations often are dominated by Eastern European and Russian members. With their abundance of technical skills and dearth of jobs, police say, those countries provide a rich breeding ground for identity thieves. One of Carderplanet’s founders was an accomplished Ukrainian hacker who went by the online alias “Script,” a law-enforcement official says. As with many of its peers, the Carderplanet site was mainly in Russian but had a dedicated forum for English speakers.

Well worth a read as it details how Havard’s UK operation worked.

A Glimpse Of A Tentacle From The Phishing Monster

Gradually the tentacles of the Russian gangs behind phishing are appearing. But we still have no idea how it really works, and how big the beast is.

The Boston Herald reports today on the arraignment of a “suspected Russian mobster” on multiple counts of identity fraud, having allegedly obtained personal information from more than 100 victims by phishing emails.

Andrew Schwarmkoff, 28, was ordered held on $100,000 cash bail after being arraigned in Brighton District Court on multiple counts of credit card fraud, identity fraud, larceny and receiving stolen property. He is also wanted in Georgia on similar charges, and is being investigated in New Jersey.

What’s interesting is that clearly phishing is tied in, as if we didn’t know, with broader financial fraud. Schwarmkoff — if that is his real name, since investigators are unsure if they have even positively identified him — was found with “$200,000 worth of stolen merchandise, high-tech computer and credit card scanning equipment, more than 100 ID cards with fraudulently obtained information and nearly $15,000 in cash,” the Herald says.

That would at least indicate that phishing is not just an isolated occupation, and that the data obtained is not necessarily just used to empty bank accounts, but to make counterfeit cards, ID cards and all sorts of stuff. What’s also clear is that the Russians (or maybe we should say folk from the former Soviet Union states) are doing this big time. The Herald quotes sources as saying “Schwarmkoff is a member of the Russian mob and has admitted entering the country illegally. “We know some things that we don’t want to comment about,” a source said, “but he’s big time.”

Schwarmkoff, needless to say, isn’t talking. “‘Would you?’ the Herald quotes the source as saying. “Schwarmkoff,” the Herald quotes him as saying, “is more content to sit in jail than risk the consequences of ratting out the Russian mob.” That probably tells us all we need to know.

Phear Of Phishing Doesn’t Just Hit The Bankers

Beware The Fear. The blizzard of coverage about phishing (usually involving some awful pun) has done a lot to raise awareness about the problem, but is it enough?

A survey by Insight Express for Symantec of 300 people (no URL available yet, sorry) shows that while three quarters of folk are aware of spyware only a quarter of them have heard of phishing. This cloud of ignorance creates confusion and fear: 44.2 percent of respondents thought they had visited a fraudulent Web site but were not sure. 19.3 percent said they had definitely visited a fraudulent Web site. A little over half are somewhat concerned about online fraud, while 42 percent are ‘very concerned’. In other words, nearly everyone is worried.

This fear is already having an impact. Three quarters of folk will now only purchase purchase products through secure sites. That’s encouraging — and not bad for business — but the following figures are: nearly half will not now provide confidential data over the Internet while nearly a third won’t use the Internet for online banking. About 15% said they don’t trust the Internet.

This fear and distrust is not going to go away. More than half of respondents felt they knew how to protect themselves from online fraud and/or online identity theft, while a bit under half didn’t think they knew how to protect themselves. Taken with my own unscientific dabbling and MailFrontier’s recent survey which found that 28% of American adults “inaccurately identify phishing emails”, I’d say we have a problem. Or in fact several.

First off, many of those people who think they know how to protect themselves are easy prey. They are going to continue to be duped as phishing attacks grow more sophisticated. That’s going to keep the problem going, in part because of weak or misleading ‘solutions’ such as browser tools and software that supposedly ‘identifies’ fraudulent emails or links. These tools only raise people’s comfort levels and lower their guard.

The broader problem is this: As the number of victims rises, the number of people not giving confidential data over the Internet, not using Internet banking, and ‘not trusting the Internet’, is going to rise. This is already hurting retailers who have found major cost savings by shifting business over to the Internet. A piece yesterday by The Register’s John Leyden quotes a recent survey by LogicaCMG as saying that one in five British users would ”hesitate about booking trips online because of mistrust of the ability of travel companies to keep their financial and personal details secure”. Given it costs a travel agent 40 times more to take a booking by phone than online, this is hitting their bottom line hard. This will only get worse as more victims succumb, and phishing attacks are no longer one of the bad things that happen to other people.

Then there’s the banks. It’s been suggested to me that banks don’t really care about whether people use Internet banking, since if people start going back to their branches to do their business banks will make their money anyway. But, while appealing, that conspiracy theory fails to take into account the link between online commerce and online banking. If people don’t trust the Internet to do banking, it’s very unlikely they’ll buy something online. That will hit credit card business hard, a mainstay of retail banks. Like it or not, the fate of banks is inextricably tied to the fate of online retailing. So banks don’t have much choice.

Bottom line: The future of online commerce is not just about whether it’s viable for retailers to do some of their business online. For many retailers it is their business, or at least it’s the difference between being profitable or not. Phishing is not just an attack on banking and financial sites. It’s an attack on the future of online commerce, which, believe it or not, is still vulnerable because it relies on trust. And trust is not just about reassuring customers, or launching vague ‘education campaigns’ to give people a vague idea about whether they’re safe, and what to do to make themselves safer. It’s about making transactions secure, policing website registries for fraudulent domains, working together for a better way to communicate between retailer/bank and customer. All of these things, a year after phishing took off, haven’t been done. Hence The Fear.

The Bluesnarfing Skeptics

Is Bluesnarfing the big problem it’s made out to be?

“Traditionally,” wrote Guy Kewney of eWeek earlier this month, “security consultants have made a passable living by frightening ignorant managers with security holes. Then they charge money to fix them.” He then takes a look at bluesnarfing, which regular readers of this blog and the column will already be familiar with. His conclusion: Such concerns are “a load of hooey”. Here’s why:

  • Range: “You have to get to within a few paces of the phone you want to raid because the effective range of Bluetooth is said to be about 30 feet..in clear air, not in a crowded room”;
  • Phone ID: “You have to identify the phone correctly. You won’t see “I’m Tony Blair’s phone full of secrets!” in nice helpful letters; you’ll see the make of the phone”;
  • Affected brands: “The phone also needs to be vulnerable to attack…affected phones, which so far are limited to Nokia, Ericsson and Sony Ericsson handsets”;
  • Tools: “you have to have a PC. I doubt there are more than 10 people in the world who could be bothered to create one, and they are almost certainly all security consultants”;
  • Results: “what do you get? A list of phone numbers?”

Guy sees such ‘news scares’ as intended to “convince a large group of people that the guy who discovered the ‘security loophole’ is a genuine expert in the field (true) and it may frighten some of them into hiring this expert to do security work for them.”

OK, let’s take a look at Guy’s points. The first one, range, is pretty simple. Bluetooth doesn’t have a range of 30 feet (10 meters); it has a range of up to 100 meters, depending on which class of Bluetooth gadget you’re talking about. But the problem is not the range of the targetted gadget, but of the attacker’s. Adam Laurie, the guy who first publicised this, has used off the shelf components plugged into a laptop to get a range of 80 meters and reckons with antennae it could go much further.

The second issue, Phone ID, is somewhat misleading. While it’s true Tony Blair is unlikely to have had the time or interest to alter his phone’s default name (usually the model name) to one more personal, the attacker is unlikely to be snarfing around for an exact model name. He is going to gobble up all the vulnerable Bluetooth device data he can find and then later, if he needs to, try to match data to individuals via, for example, the SMS sender field in any outgoing SMS/text messages. This field would reveal the telephone number of the target (thanks Martin Herfurt for clarifying this.)

Affected brands: While it’s true that not all phones are affected, Nokia remains the single largest player in the UK (where eWeek is writing from) with nearly 30% market share in the first quarter of this year. SonyEricsson has nearly 6%. And while not all models from those manufacturers are vulnerable, that’s still a lot of handsets.

Tools: Yes, it’s unlikely you’d be able to mount a successful attack without a laptop, a Bluetooth dongle, and some technical idea of what you’re doing. But it’s naive to suggest that it’s only going to be security consultants doing this kind of thing. The Bluesnarfing problem is one of data theft, which means its most likely users are folk in the data theft business, either for commercial purposes or criminal ones. Sure you’re going to get a few techheads doing it for the hell of it, but the most likely threat is commercial espionage, and those guys are pros. Just because you can’t imagine someone doing it, doesn’t mean a criminal can’t.

Results: This again reflects the limited imagination of the writer. Basically any information can be stolen from a cellphone via snarfing. This not only includes contacts — in themselves potentially valuable — but also any notes stored there, such as safe combinations, passwords, PIN numbers. In any case, Bluesnarfing is not just about data. It can also involve hijacking the user’s phone to make a call without their knowledge. The ability of someone remotely to use your phone to dial a number and talk — which then appears to the recipient to be coming from your phone — raises all sorts of problem scenarios, but I’ll leave those to your imagination.

It’s not a new mantra, but it’s worth repeating: Just because we can’t think of how someone might benefit from these kind of security holes doesn’t mean someone else can’t. Sure, there are plenty of pseudo-security problems out there, and it’s good to be skeptical, but as long as the manufacturers don’t address it, Bluesnarfing is a real one, seriously compromising the security of your cellphone. As cellphones, PDAs and cameras merge into smartphones this problem can only become more acute.

Spammers And Crime, Continued

The ISP bites back.

EarthLink , an Internet service provider, has announced legal action against a multi-state spam ring called the Alabama Spammers. The 16 individuals and corporations allegedly sent out more than 250 million illegal junk emails and “represent a technically sophisticated criminal organization that engaged in a massive scheme of theft, spamming and spoofing.” The lawsuit alleges that the defendants used a hierarchy of falsified names, false addresses and non-existent corporate entities to disguise the identities of individuals involved.

Earthlink’s allegations make the group sound pretty scary. “To further hide their identities, the defendants used spam emails to direct people to dynamically-hosted Web sites that would disappear after advertising a product.” In its lawsuit, EarthLink is charging the defendants with violating federal and state laws, including federal and state civil RICO laws, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Georgia Computer Systems Protection Act. The lawsuit also alleges that the defendants used stolen or falsified credit cards, identity theft, banking fraud and other illegal activities to fraudulently purchase Internet accounts and send out their junk emails.

It’s not the first time Earthlink have gone after spammers, and, as Techdirt points out, they’re not the only ones to do so. And it’s probably no bad thing. If what Earthlink alleges is true, there’s a clear link here between spammers and crime which needs to be investigated and exposed.

News: ID Theft Is A Problem. It’s Official

 The Federal Trade Commission is now wise to the reality: identity theft is a problem. Nearly one in eight U.S. adults has had their credit card hijacked, identity co-opted or credit rating pockmarked by identity thieves over the past five years, Reuters quoted the Federal Trade Commission as saying. The FTC surveyed some 4,000 adults this spring to come up with the most comprehensive picture yet of the fast-growing crime.
 
Amid the grim statistics, the agency found a silver lining: After nearly doubling for two to three years, new incidents of identity theft are growing more slowly and tend to involve less money. That’s because banks are wising up to the problem, making it more difficult for scam artists to set up fraudulent credit cards, and consumers are spotting suspicious activity on their accounts earlier, said Howard Beales, director of the FTC’s consumer-protection division.