HOW BAD GUYS STEAL CYBER INFORMATION

Listcrime is a one-stop shop for reliable, up-to-date information about cyber crime. We at Listcrime.com want to give home users and small businesses the advice they need to use the Internet safely. For the most part, references within this web page appear as links to the actual site that the information came from. I revert to customary referencing when citing non-WWW based sources. A bibliography of any sources not linked appears at the end of this web page.

For the United States, the information technology revolution quietly changed the way businesses and governments operate. Without a great deal of thought about security, the Nation shifted the control of essential processes in manufacturing, utilities, banking, and communications to networked computers. As a result, online fraud has dramatically increased, costing internet users and companies millions if not billions of dollars.  Lack of security eventually causes lack of public trust in online services.

The term "Internet fraud" generally refers to any type of fraud scheme that uses one or more online services - such as chat rooms, e-mail, message boards, or Web sites - to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or to others connected with the scheme.

 

According to a recent McAfee Virtual Criminology Report, which studies global cyber trends:

  1. There is a growing threat to national security as web espionage becomes increasingly advanced, moving from curiosity probes to well-funded and well-organized operations out for not only financial, but also political or technical gains. Some believe a new cyber cold war is on the way with China at the forefront.
  2. There is an increasing threat to online services (individuals and industry) because of the sophistication of cyber attack techniques. As internet users bank and shop more and more online and display personal information on social networking sites, Bad Guys are increasingly employing more sophisticated means to steal information.
  3. There is an emergence of a sophisticated market in which Bad Guys use software flaws to carry out espionage and attacks on critical government infrastructure networks. An example is Metasploit, a set of tools that look at exploiting network vulnerabilities. Flaws were recently found in the Domain Name System (DNS). The flaw is a point-and-click operation and so easy to use that even the most novice of hackers can take advantage of it.

The speed and anonymity of cyber attacks make distinguishing among the actions of terrorists, criminals, and nation states difficult, a task which often occurs only after the fact, if at all. The biggest link between most cybercrime and identity theft is stolen data. Stolen data is key to financial loss, so we at Listcrime will focus on how cybercrime happens. For example, let's look at the online industry.

Today a majority of credit card transactions are sent electronically to a merchant processing bank for authorization, capture and deposit. The method of processing credit cards varies by industry, but the overall electronic transmission process is the same. In most circumstances either the entire magnetic strip is read by a swipe through a credit card terminal/reader, or the credit card information is manually keyed in to a credit card terminal, a computer or a web site.

This overview is an example of what happens during a "normal" merchant/online credit card transaction. We will follow a transaction and authorization of a retail sale through a point of sale (POS) terminal and follow the proceeds. Then we will go into how and why companies and customers lose information and what these BAD GUYS are doing with that information. Please keep in mind this is just an overview and other variations of this process exist.

Let's begin with a typical customer. The customer comes to you (in your physical store or online store) and picks out an item to buy. At the checkout stage, in the store or online, the customer gets to choose payment options. If the customer chooses a credit card (Visa/Mastercard/AMEX), they either give you the card to run through the system provided by your bank or, in the case of an online store, they input the account number, the CVV code (card verification value, a three- or four-digit number printed on the back of a credit card and encoded on the mag strip for fraud protection) and their billing address, and confirm the amount of the purchase. Once confirmation is done (either by physically signing the slip or by confirming the cost), the customer has bought the item. In a physical store, they walk away with the product. In an online store, they simply type their credit card number into the merchant's World Wide Web (WWW) page payment form (hopefully HTTPS) and wait for their purchase to be shipped to them. The only thing that needs to pass between the merchant and the buyer is the credit card number.

CLICK HERE: Common ways your information is stolen

Steps involved in a normal credit card transaction:

  1. Buyer presents merchant with a credit card.
  2. Merchant runs credit card through the point of sale unit. (online or at point of sale terminal)
  3. The acquiring bank that processes the transaction routes the authorization request to the card-issuing bank. The credit card number identifies the type of card, the issuing bank, and the cardholder's account.
  4. The acquiring bank processing the transaction then sends the approval or denial code to the merchant's point of sale terminal. Each point of sale device has a separate terminal ID so that credit card processors can route data back to that particular unit.
  5. A sale draft, or slip, is printed out by the point of sale unit or cash register. The merchant asks the buyer to sign the sale draft, which obligates them to reimburse the card-issuing bank for the amount of the sale.
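Step 3 says the card number itself identifies the card type, the issuing bank and the account. The sketch below is an added example, not part of the original page: it splits a number into those parts, checks the Luhn check digit, and produces a masked form (first six and last four digits) suitable for receipts and logs. The brand table is deliberately partial, and the sample numbers used with it are publicly documented test numbers, not real accounts.

```python
def luhn_valid(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Partial prefix table (assumption: only three brands are covered here)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(pan[:2]) <= 55:
        return "Mastercard"
    return "unknown"


def parse_pan(raw: str) -> dict:
    """Split a card number into the fields a processor routes on."""
    pan = raw.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("not a card number")
    return {
        "brand": card_brand(pan),       # type of card
        "issuer_id": pan[:6],           # identifies the issuing bank
        "account": pan[6:-1],           # cardholder's account at that bank
        "check_digit": pan[-1],         # catches typos, not fraud
        "luhn_ok": luhn_valid(pan),
        # Masked form: never write the full number to logs or receipts.
        "masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
    }


if __name__ == "__main__":
    for sample in ("4111 1111 1111 1111", "378282246310005"):
        print(parse_pan(sample))
```
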

CLICK HERE: view Privacyrights.org to see some reported company data breaches.

CLICK HERE: view TrustedID to see breach alerts


This is where you can clearly understand why people have some legitimate fears about giving their credit card number out over the Internet. If the company doesn't have a secure network, your credit card and identification can be compromised at any point during this process without your knowledge. Unless a secure server is involved, such as one that uses SSL or S-HTTP (CLICK HERE: VIDEO) for transporting data, and other security procedures such as firewalls are in place, a BAD GUY can use various nefarious methods to steal your information. IT HAPPENS ALL THE TIME.

***KEY: CREDIT CARD COMPANIES MAKE VENDORS HOLD ON TO TRANSACTION INFORMATION, SO IN OTHER WORDS YOU HAVE MILLIONS OF VENDORS OR COMPANIES HOLDING YOUR INFORMATION.

THIS TRANSLATES TO MILLIONS OF OPPORTUNITIES FOR BAD GUYS TO STEAL YOUR INFORMATION.

Let's look at a company's database. The bad guys sometimes use a SQL injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is thereby unexpectedly executed. In layman's terms: the BAD GUYS send the company bad information, which causes the company's computer database to send them good information such as credit card numbers or names and addresses.

*In other words, the bad guys attack company databases that carry all of your information.
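The two causes named above (unfiltered string-literal characters and input that is not strongly typed) are shown below beside their fixes. This is an added example, not code from the original page; the table, names and card numbers are constructed, and the function names are hypothetical.

```python
import sqlite3


def make_db():
    """Constructed in-memory customer table with made-up card numbers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    db.executemany(
        "INSERT INTO customers (name, card) VALUES (?, ?)",
        [("alice", "0000-0000-0000-0001"),
         ("bob", "0000-0000-0000-0002"),
         ("carol", "0000-0000-0000-0003")],
    )
    return db


def by_name_unsafe(db, name):
    # Cause 1: input is pasted inside a string literal, so a quote character
    # in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT name, card FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def by_name_safe(db, name):
    # Fix: a bound parameter is always treated as data, never as SQL text.
    return db.execute(
        "SELECT name, card FROM customers WHERE name = ?", (name,)).fetchall()


def by_id_unsafe(db, cust_id):
    # Cause 2: the value should be a number, but its type is never enforced.
    sql = "SELECT name, card FROM customers WHERE id = " + cust_id
    return db.execute(sql).fetchall()


def by_id_safe(db, cust_id):
    # Fix: enforce the type (int() raises ValueError otherwise), then bind.
    return db.execute(
        "SELECT name, card FROM customers WHERE id = ?", (int(cust_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"          # constructed input
    print("unsafe:", by_name_unsafe(db, crafted))   # every row comes back
    print("safe:  ", by_name_safe(db, crafted))     # no customer has that name
```

With the unsafe functions the "bad information" changes the meaning of the query and every customer row is returned; with bound parameters and type checks the same input is just a name or number that matches nothing.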

For example, let's review one of the biggest online data breaches in U.S. history: the TJX data breach, in which about 45.7 million credit and debit card numbers were downloaded from one or a few of its hundreds of stores in about a year's time. It is believed that the BAD GUYS may have grabbed as many as 200 million card numbers. Investigators believe hackers pointed a telescope-shaped antenna towards one of its stores and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

The $17.4-billion retailer's wireless network had less security than many people have on their home networks, and for 18 months the company -- which also owns T.J. Maxx, Home Goods and A.J. Wright -- had no idea what was going on.

The good news was that the Secret Service was able to trace the origin of the data used to perpetrate this cyber theft of millions of customer records from T.J. Maxx parent company TJX and from Polo Ralph Lauren.

The South Florida bust resulted in the recovery of about 200,000 stolen credit card account numbers used in fraud losses roughly calculated to be more than $75 million. Agents also seized two pickup trucks, $10,000 cash, and one handgun in connection with the case.

An entire economy now exists to outfit criminals with the virtual tools they need to commit cybercrime. This underworld includes specialized auction sites, product advertising and even support services. See Listcrime's Carding Web sites.

Cyberthieves are no longer making large amounts of money off credit card dumps and stealing and selling personal identity data. There are just too many small-time copycat cyberthieves out there to make huge profits. Credit card account numbers that once fetched $100 or more can now be purchased for $20 or less. Bad Guys are now focusing on stealing corporate information. Bad guys will take that information and sell it to competing governments or businesses.

HOW THEY DO IT.

Most bad guys begin by targeting corporate employees who use free tools such as Web-based email, group chat or social networking sites. Bad guys may use an innocuous post or phishing site which leads the employee to click on it, causing the company to get infected with a virus. Some bad guys find holes in Windows XP and Windows servers to sneak through a corporate firewall and deliver an attack.

 

WHY DOES THIS HAPPEN?  THE PROBLEM:

  • Companies don't build and maintain a secure network - Some don't install firewalls or make sure that any changes to existing rules are sufficiently logged. They don't ensure that Web servers that must access the Internet are hosted in a neutral area between the organization's private network and the outside public network. They don't ensure that company database servers, which hold customer account information, are inside the company's network, protected by a firewall.

  • Companies don't always protect cardholder data - SSL encryption or higher should be utilized when storing customer account numbers, or for data in motion over public networks. As well, all customer data must be disposed of when no longer needed. Some organizations don't conduct regular scans for software vulnerabilities and abnormal activity.

  • Some companies don't have a strong vulnerability management program - A good vulnerability management program should include antivirus software on all workstations and servers. Strong access control measures should also be in place: for example, all stored passwords should be encrypted, and an organization should restrict access to only those who need the information as part of their job. Companies should, but don't, routinely audit account numbers and remove outdated or malicious accounts.

  • Maintain an information security policy - Create and maintain an information security policy that covers access control, network and physical security, and application and system development. Keep the policy updated, change it when needed and distribute it to all system users.

  • Regularly monitor and test networks - Review and monitor server logs, perform routine vulnerability scans and install Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS).

  • Tracking and keeping log activity - Some IT departments fail to keep a log of network activity, which makes it impossible to find a breach or to identify who is attempting to access systems.

For example, an employee may take his laptop home to browse the Web over a weekend. He doesn't know it, but bot code (BOTNET) rides into his system when he downloads a freeware application from, let's say, Stupidemployee.com. What may be unknown to him is that the botmaster then uploads a virus that will spam an instant message to the employee's buddy list when he plugs into the corporate network on Monday.

Every company should run as much security technology as it can at each level of computing—desktop, server, internal network and external Internet connections. That includes firewalls, antivirus software, automated patching programs, intrusion detection systems, e-mail protection gateways and anti-adware applications, he says.

CLICK HERE: IF YOUR COMPANY'S NETWORK HAS BEEN COMPROMISED. U.S. CERT reporting form

In the end, all security is a negotiation among affected players: governments, industries, companies, organizations, individuals, etc. The players get to decide what security they want, and what they're willing to trade off in order to get it. But it sometimes seems that we as individuals are not part of that negotiation. Security is more something that is done to us.

Our security largely depends on the actions of others and the environment we're in. For example, the tamper resistance of food packaging depends more on government packaging regulations than on our purchasing choices. The security of a letter mailed to a friend depends more on the ethics of the workers who handle it than on the brand of envelope we choose to use. How safe an airplane is from being blown up has little to do with our actions at the airport and while on the plane. (Shoe-bomber Richard Reid provided the rare exception to this.) The security of the money in our bank accounts, the crime rate in our neighborhoods, and the honesty and integrity of our police departments are out of our direct control. We simply don't have enough power in the negotiations but we can make a difference and that is why you have websites like LISTCRIME.COM.

References:
www.mcafee.com

 


COPYRIGHT ©LISTCRIME 2008 ALL RIGHTS ®RESERVED