Credit Card Scam Raises New Web Security Fears

Alleged credit card scam raises new web security fears

Editor's Note: Browsers Are an Open Book

Everything is relative.  What's new for some is old news for others.  But again, I am gratified that these new "web security" fears are being raised.  We are and have been on the record stating that the web is NOT a safe place to conduct financial transactions...and recent events are pushing others over to our way of thinking. 

Maybe the publicity over this recent indictment will be the straw that breaks the camels back.   Maybe it will be the meteoric rise in malware threats.  (Threats have increased from 125,000 unique pieces of
malware in 2006 to 1.5 million in 2008 and 1.2 million MORE in the first
half of 2009 alone) 



Maybe it will the realization that when consumers "type" hackers "swipe".  Maybe a giant phishing attack like the recent one on CommonWealth Bank will do it.  Certainly no one can argue that when you combine all the threats "web security" clearly has severe flaws.  Our "goal" is to make that as clear as the credit/debit card data that travels through it.  HomeATM doesn't make the argument to "swipe" vs.  "type" BECAUSE we created our PCI 2.x Certified Swiping Device.  We CREATED the device because we knew that when people "type" hackers "swipe."

In order to "secure" transactions done via the web, they must be conducted "outside" the realm of the open book known as browsers...

The data must be "instantaneously" encrypted and must be transmitted in it's encrypted form via the "Internet" (not the web) which simply serves as a conduit.   Typing is the "cause" hacking is the "effect." 

Consider how a "phishing" attack would be successful if consumers didn't type their username / password or credit/debit card number into a box?  DES DUKPT (derived unique key per transaction) encrypted data  would be useless to them. 

If consumers were mandated to "swipe" vs. "type" there would be no more "phish" in the sea!   Online banking would eliminate phishing completely if they mandated secure two-factor authenticated log-in by replicating the procedure already required for ATM withdrawals.

Again, it is gratifying to see headlines like the one above.  It's only a matter of time before "everyone" realizes "typing" needs to be eliminated.  Browsers are an open book...

An excerpt from an article published by the Guardian:


US companies and law enforcement agencies are facing fresh questions today about the ease with which hackers can penetrate their defenses and make off with vital data about consumers, following the arrest and charging of a Miami man for what is allegedly the biggest credit card scam in history.

Albert Gonzalez, a 28-year-old former informant for the US secret service who helped the authorities track hackers, was charged with conspiring to steal the details of 130 million credit cards. The charge sheet detailed a complex history of online skulduggery in which Gonzalez used three internet aliases: segvec, soupnazi and j4guar17, each marking different stages in his life.

The alleged fraud was perpetrated through devices that could penetrate computer networks, steal card data and send it to servers in the US and Europe, prosecutors say. The acting US attorney general, Ralph Marra, praised the investigators "in tracking down cutting edge hacking schemes committed by hackers working together across the globe"...

Security firms join working group to fight web threats

Wednesday, August 19, 2009

Several
prominent web security companies are joining together to share
information and resources to fight the growing threat of malware on the
web. Assembled under the IEEE Standards Association, the working group
is called the Industry Connections Security Group (ICSG).



AVG
Technologies, McAfee, Microsoft, Sophos, Symantec and Trend Micro are
the initial members of ICSG, which will seek to engage security
vendors, banks, internet service providers, educational institutions
and government agencies to promote better security on the web.



The
group will develop, document and promote proposals for enhancing
security, toward the goal of producing consensus approaches and perhaps
fueling new IEEE standards.



"We've seen a whole ecosystem develop around threats to computer security," said Jeff Green, ICSG chair and senior vice president of McAfee Avert Labs.

Green said
the security industry has fragmented itself among various siloed
efforts designed to solve very specific problems, such as phishing and
spyware. ICSG would seek to more comprehensively address the security
problems. Threats have increased from 125,000 unique pieces of
malware in 2006 to 1.5 million in 2008 and 1.2 million in the first
half of 2009 alone, according to McAfee.

Related articles by Zemanta

• Alleged credit card scam raises new web security fears (guardian.co.uk)


• Online Banking's Innate Security Flaws (information-security-resources.com)


• The latest in phishing (clubtroppo.com.au)


• Commonwealth Bank Of Australia Phony Phishing Email (loadofbullshit.com)


• Master Hacker Albert Gonzalez (time.com)


• Satan gets frostbite, security providers form coalition to fight malware (downloadsquad.com)


• IEEE-SA Launches ICSG to Pool Expertise in Enhancing Computer Security (Business Wire via Yahoo! Finance) (slumpedoverkeyboarddead.com)