Week of March 13, 2006
Last time around
E*TRADE limits customer liability for online losses
UK MPs credit card details end up in hotel dumpster
Hotel in Bahamas hacked too
Security company exposes CIA, NSA, AND FBI customer data
Cops' data stolen from police ID tag company
Mastercard extends carrot to retailers to improve security
US States swift to adopt security breach notification laws & what Canada is doing
CardSystems get away lightly
It seems CardSystems has had a lucky escape.
After the terms of the Choicepoint order, examined elsewhere in this posting, there was ample reason to expect a similar fate for the errant US payment processor, believed to have exposed millions of card numbers last year in an attack some commentators blamed on an internal security breach.
Read the FTC press release and the terms of the proposed order, and decide for yourself on the relative merits of both cases. Should a company that is in the primary business of processing billions of dollars in card payments (a largely unregulated sector), and that displays a seemingly wanton disregard for security in doing so, get off more lightly than the large data aggregator?
What do you think?
Are cellphones a liability?
You could be forgiven for eyeing your cellphone with increased suspicion and trepidation, despite your deep and abiding affection for it. Recent stories in the media suggesting that cellphone cloning is rife, and that consumers are paying dearly with enormous bills for calls they never made, were less than reassuring.
But what is the reality? And is there any connection between these two issues? How scared should you really be?
Read Mary's latest Globe and Mail column to get the full story.
Are remote workers the weak link?
We are just back from RSA in San Jose, the biggest IT security event of the year. Mary will write up her observations for the Globe & Mail in a few weeks, but a few issues came out of it that relate to current news.
US Congress focus on IT security
IT security is now top of the agenda for several US Senators and Members of the House. Constituents are increasingly vocal with their concerns about identity theft and spyware and they want something done about it - yesterday. There are about 26 bills in play at present, from both Houses, that have a security/spyware component, but no unified view exists on how best to tackle the issues. However, there is still some degree of optimism that a Federal ID Theft law may be passed during this session.
Remember a very large proportion of US states have already passed legislation in this area, so there will be all kinds of states rights issues to contend with before passing a federal law.
In addition, several US politicians favour a broad-strokes, technology-neutral approach, more akin to a set of over-arching principles than a set of requirements. Others, however, such as Senators Patrick Leahy (D-VT) and Arlen Specter (R-PA), favour quite specific mandates around what companies should do: compulsory risk assessments, audit provisions, and so on.
The personal data of Senator Leahy (the 'Tech Senator') may have been exposed by Bank of America in a breach that potentially impacted 1.2 million Federal employees back in February 2005. Coming so close to the flame has undoubtedly spurred on Senator Leahy all the more.
Recent case law (should remote workers use encryption at home?)
A recent case in the US District Court, District of Minnesota, Stacy Guin v. Brazos Higher Education Service Corporation, Inc., seems to support the position of those senators and house members who believe that specific security mandates are necessary in future legislation, and that a principles-based approach just won't do the job.
The plaintiff sued the defendant, a Texan provider of student loans from whom he had received a loan, for negligence, breach of contract and breach of fiduciary duty, for allowing an employee in Maryland to work from home with an unencrypted laptop.
His house was, of course, burgled and the laptop stolen. To date no-one whose data was on the computer seems to have suffered any ill effects. One of the quirks of the case was that Brazos had no idea whose data was on the laptop. It may, however, have contained several hundred thousand records, including SSNs.
Brazos chose to notify all 550,000 customers as they were bound in any event to notify Californian customers pursuant to the Californian data breach reporting law, SB1386. They provided customers with a free credit report and access to a call centre for assistance.
The presiding judge was markedly unsympathetic to the argument that Brazos was negligent in not mandating that employee data be encrypted at home, and dismissed the action on a summary judgement motion. Brazos accepted that they owed him a statutory duty of care as a financial provider under the Gramm-Leach-Bliley Act (GLB), which has extensive provisions regarding safeguarding and securing data, but denied that they had breached that duty.
Most importantly, it is unclear what evidence, if any, was presented regarding the measures that Brazos did take to secure customer data in the hands of remote workers: e.g. did this worker have anti-virus/spyware and firewall products installed? How was data 'received' by him from HQ, over a secure VPN? Did he port any company data to a home PC, and if so, how was that audited or protected?
Does anyone know?
Brazos did have a public privacy policy document and it would be interesting to have read this document to see what representations were made about securing data.
However, the judge was adamant that "...the GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office". And furthermore, that Brazos had "written security policies, current risk assessment reports, and proper safeguards for its customers personal information as required by the GLB Act".
Guin was also unable to prove, as required by law, that he had suffered any loss due to the breach, as Brazos did not know whether in fact he had been affected by the loss. It certainly seems most odd that the defendant was able to rely on the fact it had no inventory management system in place, nor knowledge as to where its (or TPs') data assets resided, against the plaintiff.
In addition, and this was the fatal blow, the judge found that it was not reasonably foreseeable that the employee's laptop might be stolen from his home, as he lived in a "relatively safe neighbourhood".
Surely the relative sensitivity of the data (who would want to steal it, how valuable was it, etc.) ought to have been the main criterion in assessing any potential risk to it, and not solely the location of his home?
It also seems odd that a complaint was not made to the FTC under its mandate to protect consumers from deceptive and misleading advertising, and that emphasis was not placed at trial on the fact that encryption has a special role to play in US state data breach reporting laws, suggesting that state legislators favour its use to protect sensitive data.
Will it stand?
The case is unlikely to stand for long for the proposition contended, namely that remote workers can work away at home on unprotected laptops without fear of reprisal.
If the courts were to maintain this position, I believe federal legislation will mandate otherwise in due course.
Choicepoint pays dearly for breach
There has been plenty of media attention about the unprecedented final order and judgement made by the FTC against Choicepoint. Even more remarkably, the huge credit-check and data-aggregation company agreed to its terms, although its bargaining power was undoubtedly exceptionally weak.
Criminal receives 10 year sentence
The criminal responsible, Nigerian national Olatunji Oluwatosin, 41, was sentenced Friday 17 Feb 06 in LA to 10 years in prison and ordered to pay $6.5 million in restitution after a plea of guilty. This was not his first infraction: he was serving a 16-month prison sentence for identity theft when he was charged in the Choicepoint case.
Reports indicate that about 750 people have lost money so far, including one instance where an individual lost $12,000. It could have been far worse- but it is still early days.
Remember, Choicepoint was responsible for a huge breach that exposed credit reports, Social Security Numbers, driver's license numbers and other personal information on circa 144,778 US consumers.
Miserably bad PR response
And because the data was accessed by social engineering tactics (rather than a traditional 'hack'), namely by Oluwatosin posing as a representative of various legitimate businesses to gain access to credit reports, Choicepoint's initial response was to maintain that there had been no security breach, and that people, by implication, should get off its back.
This response was plainly a monumental PR screw-up, and there was nowhere to go but down from that point onwards.
The FTC duly filed a complaint against them, alleging breaches of the Fair Credit Reporting Act and alleging that they had engaged in unfair or deceptive acts or practices in violation of Section 5 of the FTC Act.
The FTC flies high
The FTC has been flexing its muscles of late, and some say over-reaching in terms of its statutory powers. However, it is worth noting that there is considerable debate in the US Congress about giving them even more powers to deal with a broader variety of Internet/security crimes and to fill any existing gaps in their current mandate.
So this is manifestly not a good time to insult any staff members. In fact some of the language used in the extremely stiff Choicepoint final order is replicated in various bills floating about the Senate and the House. It might just stick.
As well as the ten million dollar fine (to be paid within seven business days; it is just as well they are liquid) and the five million dollar 'consumer redress' fund payment (to be paid within 10 days by wire transfer or cashier's check), Choicepoint is required to put in place 'know your customer' processes and procedures that would make a Fortune 100 bank proud.
In fact, in certain instances it must traipse out to physically inspect and audit its customer base, and conduct (using suitably qualified folk) security assessments, threat and gap analysis, left right and sideways- literally from here to eternity.
FTC staff turned Inspector Clouseau
It must also, following the tenor of the Gramm-Leach-Bliley Act, re-evaluate the adequacy of security provisioning in light of any material change in the business. There is now effectively a new face in the boardroom.
However, our absolute knockout favourite is the provision that allows FTC hit squads to pose as consumers and suppliers to Choicepoint, its employees or any related entity, fully incognito.
So not only does it have to train staff (who are entitled to a copy or summary of the order and the requisite training) to recognise scamsters like Mr Oluwatosin seeking to boldly go where many men have gone before, they also have to identify FTC staff trying to do the same thing. The mind truly boggles.
The FTC can also interview just about anyone associated with the Choicepoint operation- no doubt to try to get the skinny on any funny business going on.
The order is worth reading for its sheer audacity. A truly horrible beast.
You have been warned.
Russian cyber-thieves target French online banking customers
Russian cyber-thieves, many of them aged between 20 and 30, are believed to be responsible for stealing more than Euro 1 million from bank accounts all over France. One customer lost Euro 40,000, about USD$47,500. Russian police have made several arrests in Moscow and St Petersburg.
Details are scant, but it seems, yet again, that keyloggers (malicious computer code that records keystrokes such as passwords and banking access codes) were behind the attacks. The stealth code was probably contained in emails received by the victims, or embedded in fake 'phishing' websites.
These attacks are on the increase and unless consumers have up-to-date anti-virus and anti-spyware software in place, they are sitting ducks. In addition, embedding a healthy scepticism in the minds of consumers towards all emails purporting to be from banking institutions requesting password or banking information would go a long way towards eliminating this threat.
Mules used to launder funds.
The story is also revealing in that it shows a continued trend towards the use of 'mules', a term long used in the drug trade, to launder stolen or 'phished' funds through legitimate bank accounts in an attempt to fly under the radar of the banks as they try to pinpoint suspicious transactions. Many naive but desperate folk have been implicated in moving money in this way for a commission of between 5 and 11%.
More recently, even legitimate companies are getting in on the act, and laundering money for a commission of about 11%. In the French case, an American company is implicated, although it is unclear if it was a shell company or a going concern, and whether the principals were aware who they were helping.
Legitimate companies ready and willing to turn a blind eye.
In a case described as the biggest Internet child porn investigation to date in the US, a company based in Belarus (a former Soviet republic), Regpay, and its principals were charged in the US with a bunch of offences, including operating as a payments processor for 50-plus child porn operations.
Regpay used computer servers located in the US and the services of a legitimate Florida-based credit card merchant to collect credit card payments for them and to launder the funds through Latvian accounts back to Belarus. The scheme was extremely profitable.
The Regpay linchpin was lured out of Belarus by a US-led sting operation, arrested in France and extradited to the US. Although the Belarusian authorities appear to have co-operated, it seems that a prosecution in that country was not satisfactory to US authorities, as penalties for these offences are far less stringent there. New Jersey is a long way from Belarus, and must be looking mighty scary right now.
According to a recent report in the Wall Street Journal (subscription only), both Morgan Stanley and Deutsche Bank accounts were also used to move the funds, although no banks have been indicted. Knowing your customer is a whole lot harder these days. Even for the huge banks.
Especially as there is a growing consensus amongst law enforcement agencies that organized crime is interested in profiting from Internet crime and that they are adding their money laundering and business acumen to the ever more toxic mix.
Expect far more of the same.
Brazilian teen hackers steal USD$ 4.7million from bank accounts
In what seems to have been an almost identical scam, hackers broke into 200 online bank accounts at six banks all over Brazil and made off with a tidy sum. In a countrywide sting operation, Brazilian police have arrested 41 gang members, five of whom are minors; the ringleader is reported to be 19.
Although Brazil is a poor country, Brazilians are highly enthusiastic adopters of Internet and cellphone technologies.
To their peril it would seem.
Forever young.
The story also highlights the fact that despite claims that 'serious people' (i.e. adults) are primarily orchestrating the majority of Internet crimes today, a sizeable proportion are still carried out by someone's teenage son or daughter.
Of course, they 'may' be mere mules (minors make excellent mules for organized crime figures, as they generally avoid more stringent penalties). But it is also likely that certain teens just want to augment their meagre allowances, and have few scruples about how they do it. The thrill of the hunt is also an added attraction.
Do you know what your teen is doing? Apparently many parents do not. Or perhaps they wouldn't know it if they saw it.
Wiretapping your adversaries- the 'new, new thing'?
In the last several weeks, it has become abundantly clear that wiretapping and hacking your adversaries, whether they be your ex-wife, lover, a Hollywood star you want to dig up dirt on (and possibly extort), or a mere competitor, is by no means a rare occurrence. In fact it may well be a viable business model, at least until you are caught, for many private eyes and other unscrupulous individuals.
LA-based lawyers are supposedly quaking in their boots about the arrest of a high-profile PI, Anthony Pellicano, who is alleged to have used illegal wiretaps and accessed confidential databases, including police files, to assist clients to scope out targets, and possibly gain an advantage in pending litigation. He was assisted in his gumshoeing exploits by employees of the telcos SBC and Pacific Bell, and an ex-cop.
According to CNN, Pellicano 'has worked for Hollywood stars, including Michael Jackson, Elizabeth Taylor and Stallone.' And a coterie of high-powered divorce lawyers and Hollywood agents.
To show that this type of activity is not just an LA aberration, the heir to the US Mellon fortune, and another extremely wealthy individual, were recently charged in the UK with allegedly being part of a similar PI operation that engaged in wiretapping and hacking exploits on behalf of clients.
According to the London Times account (which now bears what sounds like a warning that they have been sued), Matthew Mellon is allegedly implicated in a PI operation run by an ex-cop that bugged calls and spied on police, and hacked into NHS computers for health data that could be used to extort or embarrass targets.
Mellon, according to the Times an 'avid nude skier', is the ex-spouse of the owner of the Jimmy Choo shoe empire (the sexy shoe of choice for many a self-respecting socialite) and a pal of such luminaries as Elizabeth Hurley.
The story bears all the hallmarks of a Hollywood drama and the salacious details will undoubtedly keep Fleet Street reporters happy as spring lambs for some time to come.
BT (British Telecom) and Scotland Yard co-operated in the investigation and there is a tantalising suggestion that some of the defendants may have masqueraded as BT and NTL (another UK telco) employees, as BT and NTL uniforms and tools were found in their possession.
Of course, recent stories in the US media would suggest that obtaining phone records is easy as pie, and perfectly legal in the US as the law now stands. Indeed many companies exist to provide just that service, and despite ongoing US congressional hearings and lawsuits flying back and forth on the issue, the practice will not cease anytime soon.
Where demand exists - someone will meet it. And demand seems to be healthy.
The revelation that the entire Greek cabinet and the US embassy may have been wiretapped during the Olympic Games in Athens is another example worth noting. Vodafone Greece is apparently highly embarrassed by the incident; it appears that a tap may have been located at one of their switching stations and that insiders must have been involved.
Counter-espionage is alive and well.
And don't assume that you and/or your company are unlikely to be a target.