Robert Siciliano
August 30 2010 07H35
From : Robert Siciliano

Officials are reporting a wave of credit and debit card attacks involving point-of-sale terminal swapping, skimming of card data, and hacking into payment processors. Reports say the U.S. Secret Service, among others, is investigating a multistate crime spree.

The Oklahoma Bankers Association commented, “It is beyond apparent our bankers are taking great losses on these cards and we also need to explore creative ideas to mitigate these losses. It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment.”

Organized criminals have long been ramping up and coordinating multiple attacks. They continually find inventive ways to circumvent existing systems.

Electronic funds transfer at point of sale (EFTPOS) skimming occurs when the point-of-sale terminal itself is swapped out for a skimming device. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services at these outlets. In Australia, fast food chains, convenience stores, and specialty clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted.

Last year, legitimate EFTPOS devices at McDonald’s outlets across Perth, Australia were replaced with compromised card-skimming versions, cheating 3500 customers out of $4.5 million. The criminals replaced the entire device you see at the counter when you order your Big Mac!

Officials say the problem is so bad that they urged people to change their credit and debit card PINs weekly to avoid having their account balances wiped out, as more cases were likely to be identified.

Revisiting the Oklahoma Bankers Association’s statement, specifically, “It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment,” it sounds a little desperate to me. Credit and debit cards as we know them, with their magnetic stripes, are easily compromised and frequently targeted by criminals. Now that Mexico and Canada are going chip and PIN, getting “creative” to save the mag stripe is going to take a lot more than a class in creativity. Sounds like a serious upgrade is in order.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Robert Siciliano
August 28 2010 08H12
From : Robert Siciliano

In the early days of the web, cybersquatting was a concern among corporations who were late to the game in registering their domain names. I had a little battle with LedZeppelin.com that I regret, but that’s another story.

Today that same battle is being played out in social media. Anyone can register any brand name or likeness on a social network with very little difficulty, and it’s free. Once a scammer owns your name, they can pose as you, blog as you, and comment as you.

The basis of much of this social media identity theft, or “impostering,” is social engineering. When a profile claims to represent a certain person or brand, it is generally taken at face value. Lies propagated from such a credible-looking source are likely to be taken as fact for quite a long time, if not indefinitely.

1. Someone may seize your C-level executive’s name on Facebook, LinkedIn, or Twitter, posing as that person in order to gather marketing intelligence. Once they are “linked” or “friended,” they have access to that person’s contacts and inner circle.

2. Another tactic is to pose as a family member of an executive, since on Facebook, parents and children are often “friends.” Pretending to be the child of one executive and “friending” another in order to gather information is an effective con.

3. Given the opportunity, companies will often take over social networking pages in the name of a rival company. The competition, unable to use the page for its own benefit, loses market share.

4. In other scenarios, the same social networking page or profile can be used to disparage or slander the competing company.

5. Or worse, it could be used to spread falsehoods or create fake contests or scams that inevitably damage the brand.

6. There have been companies and individuals whose names, or variations of their names, were hijacked in response to a customer service issue gone wrong. The person then uses that platform to slam the company using the company’s own name.

7. Employees who are unhappy with their jobs can use social media to vent their frustration about their boss or company. This can easily result in a public relations nightmare.

The best thing to do is register every brand name and individual name that could be used against you. Even if you never use the site, you own the name. This can be done manually for free or by paying a small fee. I’ve done both. Doing it manually is very time-consuming. One site that can help you do it yourself for free or provide full service for a fee is knowem.com.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)

Team Gemalto
August 27 2010 10H19
From : Team Gemalto | Source : SecureComputing Magazine

Advice on how to defeat mobile malware aimed at your hip pocket.

Team Gemalto
August 27 2010 10H19
From : Team Gemalto | Source : ITPro

Facebook "Places" will enable users to track friends and services.

Team Gemalto
August 27 2010 10H18
From : Team Gemalto | Source : DigitalJournal

A new AOL survey, released today, conducted by The Nielsen Company, reveals the challenges of modern day parenting in a world with social networking.

Robert Siciliano
August 26 2010 07H39
From : Robert Siciliano

This year’s Defcon convention of hackers in August brought to light a fact that many in the security industry have known: mobile phones are becoming a bigger target for criminals.

Recent news of applications on the iPhone and Android that are vulnerable to attack, and possibly designed to send your data offshore, has reinforced the security concerns for mobiles.

It is inevitable that over the next few years, as millions of smartphones replace handhelds and billions of applications are downloaded, the risk of mobile crime (mCrime) will rise. As we speak, the large antivirus companies are snapping up smaller mobile phone security companies in anticipation of a deluge of mobile attacks.

Right now, however, the path of least resistance continues to be the data-rich computer that sits in your home or office, or maybe your mortgage broker’s office. Unprotected PCs with outdated operating systems, unsecured wireless connections, antivirus software that hasn’t been updated, and reckless user behavior will continue to provide a goldmine for criminals.

The problems with computer security will continue as Microsoft abandons XP users and stops offering security updates. But as more and more users shed Windows XP and upgrade to Windows 7 and beyond, mobiles will become attractive targets.

In the meantime, protect your mobile phone.

The BlackBerry is the most “natively” secure. It’s been vetted by corporations the world over to protect company data. Enable your password: under “General Settings,” set your password to “On” and select a secure password. You may also want to limit the number of password attempts. Encrypt your data: under “Content Protection,” enable encryption, then, under “Strength,” select either “stronger” or “strongest.” When visiting password-protected Internet sites, do not save your passwords in the browser. Anyone who finds your phone and manages to unlock it will then have access to all of your account data and, ultimately, your identity.

The key to being a “safe” iPhone owner is to add apps that help secure your information. Enable the passcode lock and auto-lock. Go into your phone’s “General Settings” and set the four-digit passcode to something that you will remember but that is not overtly significant to you. That means no birth dates, anniversary dates, children’s ages, etc. Then go back into “General Settings” and set the auto-lock. And turn your Bluetooth off when you aren’t using it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. (Disclosures)

Robert Siciliano
August 25 2010 03H02
From : Robert Siciliano

Social media has evolved into the fifth major form of media: print, radio, television, Internet, social. While social media functions on the Internet, there’s no denying that it is its own platform. It encompasses most forms of media in one tight and neat package. Some social networking sites have more users than some countries have residents.

In the process of this explosive growth, a few social networking websites like Facebook, Twitter, and LinkedIn have risen to the top. And in each frontrunner’s quest to be the biggest, fastest, and strongest, each wants to be your “single sign-on” in the form of a registration. Webmail providers Google and Yahoo also want you to log in to other sites using their credentials. This means that when you visit any other site with a registration requirement, it may ask for a username and password but also give you the option to log in using your Facebook or Google credentials.

This same process can also link your different social media communities with each other and facilitate cross-posting.

The idea behind social registration is that each user has a somewhat established online identity. Over time, the user’s various identities in each community or platform begin to merge for purposes of shopping, communicating, and connecting to different devices. This can allow you to hop from one place to another without having to enter multiple usernames and passwords.

All that said, rarely will I engage in social registration. If one account is ever compromised, and it’s linked to others, then the hacker accesses multiple accounts with a single hack. If the accounts are of low security value then it may not be a big deal, but once email credentials are involved, the risks increase. There are security measures behind the scenes that protect you in some ways. I’m just not so trusting.

Look at it this way: does your online banking interface allow you to log in via Facebook? I didn’t think so. Of course, if anyone wants to walk me through their bulletproof process and change my mind, I’m listening.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers on social media on CNN. (Disclosures)

Robert Siciliano
August 24 2010 21H57
From : Robert Siciliano

There has been a bit of buzz lately regarding an Internet “kill switch” and a handful of trusted individuals given the responsibility of rebooting the Internet, should it go down from a cyber attack or be shut down for whatever reason.

The operation is born of the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN was formed in 1998. It is a not-for-profit public benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable, and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.

ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its role coordinating the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet.

Popsci reports that “part of ICANN’s security scheme is the Domain Name System Security (DNSSEC), a security protocol that ensures Web sites are registered and ‘signed’ (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate site). Most major servers are a part of DNSSEC, as it’s known, and during a major international attack, the system might sever connections between important servers to contain the damage.”

The lucky seven holders of the smartcard keys are from all over the world. Each key holds an encrypted number that is part of the DNSSEC root key; the numbers are useless by themselves, but combined they have the ability to restart the Internet. The process of rebooting the web requires five of the seven key holders to be in the United States together with their keys. That’s a pretty lofty responsibility for anyone. You can learn more about the card process in this video.
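The five-of-seven arrangement described above is a threshold scheme: no single holder’s card is useful on its own, and any quorum of five suffices. As an added illustration of that principle, not taken from the post and not a description of the mechanics of ICANN’s actual key ceremony, here is Shamir’s secret sharing in Python. The secret value, the threshold of 5 and the share count of 7 are constructed for the example; the field prime is a standard choice and not something the post specifies.

```python
import itertools
import secrets

# Arithmetic is done in the prime field GF(PRIME). 2^127 - 1 is a Mersenne
# prime, so every nonzero element has an inverse and interpolation is exact.
PRIME = (1 << 127) - 1


def split_secret(secret: int, threshold: int, num_shares: int, rng=secrets.randbelow):
    """Split `secret` into `num_shares` points on a random polynomial of degree
    threshold-1. Any `threshold` points determine the polynomial (and hence the
    secret); fewer leave every candidate secret equally likely."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 < threshold <= num_shares:
        raise ValueError("need 1 < threshold <= num_shares")
    # f(0) is the secret; the other coefficients are uniformly random.
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, num_shares + 1):  # x = 0 is never issued as a share
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME); returns f(0)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo():
    """Constructed 5-of-7 split mirroring the quorum in the post. Returns
    whether every 5-share subset recovers the secret and whether 4 shares do."""
    secret = int.from_bytes(b"constructed-key", "big")  # 15 bytes, so < PRIME
    shares = split_secret(secret, threshold=5, num_shares=7)
    every_5 = all(recover_secret(list(sub)) == secret
                  for sub in itertools.combinations(shares, 5))
    four_shares = recover_secret(shares[:4]) == secret
    return {"every_5_subset_recovers": every_5, "four_shares_recover": four_shares}


if __name__ == "__main__":
    print(demo())
```

With four shares the interpolation still produces a number, just not the right one: a degree-3 polynomial through four of the points differs from the true degree-4 polynomial at x = 0 whenever the top coefficient is nonzero, which is the case for all but one of the random choices. That is what makes a below-threshold quorum useless rather than merely inconvenient.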

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses the possibility of an Internet crash on Fox Boston. (Disclosures)

Robert Siciliano
August 24 2010 04H32
From : Robert Siciliano

In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon) I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. At the recent Defcon event, social engineers proved that it doesn’t take much more than asking to get the information that may lead to penetrating a person’s computer.

Social engineering is a fancier, more technical form of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network.

Social engineering is all based on telling a lie and getting others to tell the truth in response. Thousands of years of civilized conditioning and cultural teaching to help and trust one another have made people just a little too eager to help.

Participants in the contest successfully got employees from some Fortune 500 companies to provide full profiles of the inner workings of network PCs and software that could easily be used to launch an attack. Some revealed what operating system they had, the version of their service pack, their antivirus software, browser, and email client, which model their laptops were, the virtual private network software the company used, and even which garbage collector hauled the company’s trash.

In some cases, the tricksters even got the Fortune 500 employees to visit certain websites while on the phone. Sometimes the simple act of visiting a website can install a malicious program on your PC if it’s not properly protected. Based on the answers the employees provided, a social engineer can guide the person to whatever website would infect their particular computer.

Recognize that while you are generally not being swindled by those who call you, there is a chance that you may be. This means having systems in place regarding what can be said to whom, when, and why. Training on social engineering and how to prevent it is a must for any company and, frankly, for any individual who doesn’t want to fall victim to a conman.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston. (Disclosures)

Team Gemalto

The U.S. for the first time is publicly warning about the Chinese military's use of civilian computer experts in clandestine cyber attacks aimed at American companies and government agencies.
