Indian Government Wants to Expand Spying Beyond Blackberry Email

September 2nd, 2010

According to the AFP, the Indian Government wants the ability to spy on all manner of its citizens’ communications on the Internet. Recently it made news by joining the United Arab Emirates and Saudi Arabia in demanding access to Blackberry communications. Now it seems that the government is demanding access to Google Gmail communications and voice communications from Skype as well.

“If a company is providing telecom services in India, then all communications must be available to Indian security services,” a government representative told AFP. “If Google or Skype have a component that is not accessible, that will not be possible. The message is the same for everybody.”

The Indian government is also said to be wanting access to corporate VPN traffic. How they will do this without compromising the security of corporations is really up for debate.

I wonder if they will be trying to ban IronKeys next?

U.S. Businesses Could Lose Up To $1 Billion In Online Banking Fraud This Year

September 2nd, 2010

Dark Reading has published an article looking at online banking fraud, focused on commercial bank accounts. It’s estimated that losses to US companies from online banking fraud (trojans and phishing) will hit $1 Billion in the next 12 – 18 months.

Cyber-Crooks Steal $600,000 From Church Through Online Bank Fraud

August 30th, 2010

European cyber criminals have used sophisticated malware that infected computers at the Catholic Diocese of Des Moines, Iowa, last week. They accessed the Church’s online bank accounts, and wired out $600,000 to money mules, who then sent the money out of the country.

Money mules were recruited by fake online job advertisements. They were told that the money was going to be payouts to some of the settlements in the sex crimes cases against the Church.

Read more about it at Brian Krebs’s security site.

Germany Calling for End to “Safe Harbor” for US Companies Protecting Customer Data

August 23rd, 2010

Germany’s Schleswig-Holstein Data Protection and Privacy Commissioner Thilo Weichert has issued a call to end the so-called data handling “Safe Harbor” for US companies doing business with European customers. In 2000, the European Commission agreed to recognize the US Department of Commerce “Safe Harbor” principles, essentially allowing US companies to self-certify that they exercise good practices to protect the information about their European customers.

Safe harbor compliance entails:
1. Notice: An organization must inform individuals about the data processing and about possibilities to file inquiries or complaints;
2. Choice: An organization must provide a general opportunity for individuals to choose to object (opt out) and must ask for consent (opt in) for processing of sensitive data;
3. Onward Transfer: Disclosure of information is only permitted if the recipient adheres to the notice and choice principle;
4. Security: Protection of data from loss, misuse and unauthorized access, disclosure, alteration and destruction;
5. Data Integrity: Observance of purpose limitation of data;
6. Access: Right to access personal information held by an organization about the individual concerned;
7. Enforcement: Mechanisms for assuring effective compliance and data subjects’ rights.

Weichert’s statement is based on research by privacy researcher Chris Connolly, whose research shows that of 2,170 US companies that claim to be Safe Harbor compliant, many were in fact not. 940 out of the 2,170 US companies do not provide information on how to enforce individuals’ rights. Strangely, 388 of these companies were not even registered with the Department of Commerce!

Malware Suspected in Crash of Spanair Flight, Killing 154 People

August 23rd, 2010

Reports are circulating that an investigation of the computer systems on the wreckage of Spanair flight 5022 has revealed that the systems were infected by malware. The flight crashed while taking off from Madrid, Spain, killing 154 people.

If true, it could be one of the first incidents in which computer malware resulted in the death of innocent people.

If They Can’t Spy on Their Citizens’ Email, These Countries Will Ban Blackberry

August 9th, 2010

The United Arab Emirates, Saudi Arabia, Indonesia, and India are now planning to ban Blackberrys in their countries. The Blackberry service uses encrypted connections between devices and the email and web browsing service, which are operated from North America. The above countries have a policy of monitoring the email, messaging and browsing of their citizens, and even of foreign visitors to those countries.

It seems that RIM, the maker of Blackberry, is looking to add security back-doors so that governments in these countries can spy on Blackberry users in those areas.

Online banking account takeover fraud may be bigger than we think

August 6th, 2010

Charles Jester at security firm ESET has written a great article looking at how banks report online electronic crime.

We know from public reports and various lawsuits that cyber criminals have been targeting users of online commercial banking sites, breaking into their accounts, and transferring hundreds of thousands and sometimes millions of dollars.

But how are banks reporting these losses?

Banks in the USA must file a Suspicious Activity Report (SAR) with the US Treasury Department’s Financial Crimes unit, FinCEN.

Interestingly, Jester has been tracking the number of these reports. Since 2003, there has been a very large increase in SARs. However, these are all filed as “Other”, and there is no detail available as to what these SARs are reporting on. Jester suggests that this steep climb in SARs corresponds to the rise of phishing and malware that compromises online banking accounts. Here is the graph from his article.

By looking at public reports by the FBI and journalists like Brian Krebs (http://krebsonsecurity.com/), I estimate that online commercial bank account losses will reach $1 Billion in 2010 in the USA.

I did some quick calculations from NACHA fraud data around ACH transactions, and I compute that all fraud on the ACH networks in the USA looks to be about $6 Billion in 2009. NACHA downplays this by saying that fraudulent ACH transactions were only 0.02 percent of all the ACH transactions. But when you consider that approximately $30 Trillion was sent via ACH transfer in 2009, the fraudulent transactions would be 3.75 million transactions and add up to about $6 Billion. How much of this is related to online crime?

Cyber-Fraudster Swallows Flash Drive. Judge Orders Surgery To Extract It!

August 6th, 2010

Cyber-fraudster Florin Necula, accused of electronically stealing credit and debit card numbers from ATM machines, swallowed a USB flash drive that contained evidence of his crimes.

Apparently the flash drive got stuck in his intestinal tract. Federal agents obtained a search warrant, and had a surgeon remove the device from Necula’s body. Wow. I didn’t realize you could get a search warrant to search your intestine!

Latest Zeus Banking Trojan Steals Digital Certificates and Browser Cookies

August 6th, 2010

The latest version of the Zeus banking trojan steals not only usernames and passwords from infected computers, but it also appears to steal digital certificates and cookies from browsers. Cookies and certificates are often used by websites to authenticate a user, in addition to username and password. By stealing these credentials from a user’s computer, criminals can potentially access a variety of online sites and accounts of the victim.

One benefit of using a hardware PKI token is that the private signing key is generated and stored on the device and cannot be exported or stolen. This means that stealing a certificate from a browser is not effective on its own, because using a client-side certificate to log into a website also requires the matching private RSA key.
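To make the distinction concrete, here is an added example (not code from this blog, from RIM, or from any token vendor) of the proof-of-possession check behind client-certificate login, written in Go with only the standard library. The names MakeClientIdentity, NewNonce, SignChallenge and VerifyChallenge are assumptions for this illustration. The server issues a fresh random nonce, the token signs it with a private key that never leaves the device, and the server verifies the signature using the public key inside the presented certificate. A copy of the certificate bytes, which is all a browser stores and all a trojan can exfiltrate, is useless without that key, and a captured signature cannot be replayed against a new nonce. A session cookie, by contrast, is a bearer value: whoever holds the bytes is accepted, which is why stolen cookies are worth as much to the criminals as stolen passwords.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// ClientIdentity is a constructed stand-in for what a hardware PKI token holds:
// the certificate is freely exportable, the private key is not.
type ClientIdentity struct {
	Key     *rsa.PrivateKey // on a real token this never leaves the device; in memory here only for the demo
	CertDER []byte          // what the browser stores, and what a trojan can copy
}

// MakeClientIdentity generates an RSA key pair and a self-signed client certificate.
func MakeClientIdentity(name string) (*ClientIdentity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &ClientIdentity{Key: key, CertDER: der}, nil
}

// NewNonce is the server's side of the challenge: a fresh random value per login attempt.
func NewNonce() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// SignChallenge is the token's side: sign the server's nonce with the private key.
func SignChallenge(key *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyChallenge is the server's check: take the public key out of the presented
// certificate and verify the signature over the nonce it issued. A copied
// certificate presented without the matching private key cannot pass this.
func VerifyChallenge(certDER, nonce, sig []byte) bool {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	victim, err := MakeClientIdentity("bank-customer")
	if err != nil {
		panic(err)
	}
	nonce, _ := NewNonce()
	sig, _ := SignChallenge(victim.Key, nonce)
	fmt.Println("token holder, fresh nonce:", VerifyChallenge(victim.CertDER, nonce, sig))

	// The certificate bytes alone, paired with any other key, are rejected.
	other, _ := MakeClientIdentity("someone-else")
	badSig, _ := SignChallenge(other.Key, nonce)
	fmt.Println("copied cert, wrong key:   ", VerifyChallenge(victim.CertDER, nonce, badSig))

	// A signature captured earlier does not verify against a new nonce.
	nonce2, _ := NewNonce()
	fmt.Println("replayed signature:       ", VerifyChallenge(victim.CertDER, nonce2, sig))
}
```

The same property holds for TLS client authentication itself, where the CertificateVerify message is a signature over the handshake transcript rather than over a bare nonce; the point the demo isolates is that the server only ever sees the public half, so the artifact that Zeus can harvest from the browser is not a credential by itself.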

Comerica To Go To Court To Defend A Lawsuit By A Corporate Customer Who Lost Money In Online Account Takeover

July 30th, 2010

Experi-Metal, Inc. had their online business banking account taken over by hackers who stole their password in an email phishing scam. The hackers logged into the company’s online bank account at Comerica bank, and wired almost $2 Million out of the account. Comerica bank was able to recover about $1.5M, but the company was left with over $500,000 of losses from the event.

Comerica refused to reimburse Experi-Metal. So the company sued the bank to recover their funds, alleging that the bank does not have sufficient online security and anti-fraud measures.

Comerica responded by filing a request for summary judgment to dismiss the lawsuit. A judge has denied the request, and the case is now going to court.