Thursday, April 9, 2009

GhostNet Haunting Webbos Fear

Wherever you click, someone is watching you - The National Newspaper

Theodore Karasik

Information is a strategic resource. The demand for information, or in some cases denial of information, is enormous, and growing. And as recent revelations of a computer espionage network based in China illustrate, the lines between government agencies, lone wolves and criminals are becoming blurred.

GhostNet, the name given to the Chinese spying effort, is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and even web cameras. Its discovery raises questions of how to safeguard personal, corporate and governmental data that may be sensitive or classified.

As a tactical weapon, cyberspying captures information without the agency or individual knowing about it. As a militarised weapon, it means disrupting if not destroying the information and communications systems, broadly defined to include even social and political culture, on which an adversary relies in order to “know” itself: who it is, where it is, what it can do and when, why it is fighting, which threats to counter first, etc. It means trying to know all about an adversary while keeping it from knowing much about oneself. It means turning the “balance of information and knowledge” in one’s favour, especially if the balance of forces is not.

It also means using knowledge so that less capital and labour may have to be expended. In 2007, Chinese hackers, allegedly part of China’s People’s Liberation Army (PLA), hacked into US, British and German government computers to access defence and foreign policy related information without expending much money or manpower.

Distributed Denial of Service (DDoS) attacks are where websites are suddenly swamped by tens of thousands of visits, jamming and disabling them by overcrowding the bandwidth of the servers running the sites. DDoS is also a form of cyberspying because the hackers prevent information from being shared, and it becomes a strategic tool for the attackers.

In 2006, for instance, Russian hackers, angered by the removal of a Soviet war memorial, launched a sustained denial of service attack on government and business websites in Estonia. In August, 2008, Georgia suffered massive internet outages in the midst of its military battle with Russia. In January, 2009, Kyrgyzstan became the latest victim when its two largest internet service providers were targeted by a DDoS from hackers in Russia at the same time as the Kremlin was pressuring Bishkek to kick out American forces from the airbase at Manas. These efforts also were cost effective and influenced the outcome of politics and war.

Lone wolves – individuals acting on their own – are also involved in cyberspying. Increasingly there are reports of individuals posing as jihadi terrorists to lure real jihadi terrorists into a trap, and to expose them to law enforcement. These individuals take on a false identity, infiltrate websites and enter chatrooms, and become part of the community. They are using language, data-mining and technology to help governments to track terrorists better. In addition, lone wolves may be in your household or workplace now, using spy software. CyberSpy, for example, is an award-winning spy software that features powerful computer and internet monitoring. CyberSpy records all computer and internet activity to be reviewed at a later date and time. This software allows you to monitor others who use your computer: children, spouses or employees. But it raises privacy issues in the hands of lone wolves.

Cybercrime is also part of cyberspying. It is now the fastest growing sector of global organised crime, increasing at a rate of about 40 per cent a year. Cybercrime encompasses any criminal act dealing with computers and networks through hacking. Additionally, cybercrime includes traditional crimes conducted through the internet: hate crimes, telemarketing fraud, identity theft and credit-card account thefts are considered to be cyber crimes when the illegal activities are committed through the use of a computer and the internet. In addition, criminal-to-criminal transactions are the fastest growing type of illegal cyber-activities, creating a virtual cybercrime service sector.

What all of these secretive and false activities signal is that the “need to know” is becoming more and more essential on all levels of society – from the individual (private or criminal) to the most complex bureaucratic organisations, including sectors of government. The term “need to know”, when used by government and other organisations, particularly those related to the military or espionage, describes the restriction of data that is considered sensitive.

Now enter cyberspying, lone wolves and cybercrime: all three have one factor in common – the need to know. States, companies and individuals are all seeking coveted information and protecting their own information. In addition, information has become both instantaneous and ubiquitous; it often seems that very little happens anywhere that is not known within a few hours everywhere. And when one gets caught or exposed, damage results. Overall, modern societies have reached unprecedented levels of information collection, yet they remain vulnerable to a wide range of possible disruptions by those who want to influence others.

Cyber activities are beginning to distort the line between legal and illegal activity, giving everyone the ability to spy on everyone else, changing the content of information and influencing command and control: the result is that we distrust all information received or seen.

Dr Theodore Karasik is director of research and development at the Institute for Near East and Gulf Military Analysis in Dubai.

U.S. Consumers Snub Mobile Banking on Security Fears

95% Said Uncomfortable Conducting Financial Transactions on Their Phones

Banks and mobile phone companies have a long way to go to persuade U.S. consumers to use their phones for banking, as many worry about security and extra fees and others are not even aware they can.

In a survey of about 500 U.S. consumers, accounting firm KPMG found that only about 9 percent had tried mobile banking. In comparison, about 76 percent "consistently use" online banking services on computers.

As many as 95 percent said they were so uncomfortable with conducting financial transactions on their phones that they've never used them to make a purchase on a retailer's Web site. About 48 percent of respondents cited security and privacy worries as their reason for not banking on their mobile phones, according to KPMG.

Editor's Note:  Guess what people...the web is no safer!  So to those 76% who "consistently use" online banking services on your computer?  Tell your bank you want secure sign-in capability with HomeATM's PCI 2.0 PIN Entry Device.  Oh...and for you 95% who don't trust the security of a mobile phone?  You can use our PIN Entry Device to conduct secure transactions via ANY mobile phone.  Just plug our device into your phone jack and your transactions will be even more secure than in a brick and mortar retail location!  Guaranteed!  And it takes only as long as plugging in your charger...maybe a little less time!  :-)

While many respondents said they believe mobile banking is important, according to the accounting firm, they do not think it is important enough to pay extra for it.

Roughly 19 percent of respondents said they are "somewhat likely" to a use a mobile device for online banking in the next 12 months but only seven percent said are willing to pay a nominal fee for phone banking, according to the survey.

And even though most of the major U.S. banks offer a mobile banking service, about 68 percent of the survey respondents said their bank does not offer the service.

"The fact that the majority of U.S. consumers are not aware that their current banks offer mobile banking is clearly more perception than reality," said Carl Carande, a principal in KPMG's Advisory and Banking and Finance practices.

Banks offering mobile services include Citigroup, Bank of America and Wells Fargo.

American Banker Article on HomeATM

American Banker
Remittance Use Seen for Online PIN Debit Device

Thursday, April 9, 2009
By Will Hernandez

HomeATM ePayment Solutions, which offers a system that lets people make online purchases with PIN debit cards, is now promoting its technology for remittances and online banking.

(Editor's Note:  That's not to say that we're NOT promoting it for use with eCommerce transactions.  We most certainly are.  In fact, our device provides the ONLY "TRUE PIN Debit" because it enables a "card present" transaction.  By definition, a software-based application is and always will be a "card not present" transaction... therefore it would not qualify for "card present" Interchange rates...let alone card present PIN Debit Interchange.)

The Montreal company said last month that its SafeTPIN device meets the Payment Card Industry data security standard, and Ken Mages, HomeATM's chairman and chief executive, said last week that his company had signed a deal with a foreign remittance company that plans to distribute 250,000 of the devices to U.S. consumers, who could use them to send money to their home countries. He would not name the remittance company or say where it is based. 

"Once those units are out there, they do us a lot of good because they can be used for any merchant who wants to use our payment method," Mages said.

The SafeTPIN devices incorporate both a card reader and a PIN pad and plug into a computer's USB port.  Participating Web sites prompt users to swipe their debit cards and enter their PIN to complete the transaction.

John B. Frank, HomeATM's executive adviser, said the PCI certification could make online merchants more willing to accept the device since HomeATM would be liable for any breach linked to a SafeTPIN.

Editor's Note:  That's fine, what's printed above, however, my actual quote was this: "One of the major benefits to merchants who would choose to utilize HomeATM's PCI 2.0 PED certified device is that it would effectively remove them from the scope of PCI DSS compliance, and that fact alone could save them hundreds of thousands, if not millions of dollars."  But I'll go with American Banker's quote...Here's why:

HomeATM's solution Triple DES encrypts the "entire" transaction in our PCI 2.0 PED certified device (including the Track 2 data) AND utilizes DUKPT key management.  So we not only have TRUE PIN Debit, but we have TRUE end-to-end encryption (E2EE).  Even in the unlikely event a hacker was to intercept a transaction (and unencrypt it, and get lucky and guess the PIN) they would have ONE card.  That's it.  DUKPT key management assigns an individual key to each transaction.  Since hackers, like water, find the path of least resistance, I don't think they'd exhaust the time and effort necessary to enable them to try and "guess" the PIN in order to obtain the information for just ONE card.  I think it's much more likely that they'd go after a software application as software is 92 million times easier to breach...which is why 92% of all breaches are software related.  Continuing on with the American Banker article:

The device is also easy to use in sending remittances, Frank said.

A dedicated Web site prompts the sender to enter his name and e-mail address, the recipient's name and e-mail address and the amount. The sender also selects a security question, the answer to which is known by both parties. The sender then swipes his or her card and enters the PIN to complete the transaction. (Senders can also use credit cards by using the same PIN that they already use for automated teller machine withdrawals.) Both the sender and recipient receive a confirmation by e-mail. To claim the money, the recipient visits the Web site, answers the security question and swipes his or her debit card through a SafeTPIN device and enters a PIN. The funds are instantly transferred to the recipient's checking account.

"It's user-friendly," Frank said. "Consumers (have been swiping their cards at retail locations for years) already know how to go to a retailer, swipe their card and enter a PIN." 

Mages said his company has not yet set a price for the SafeTPIN devices; he expects merchants and banks to take the lead in distributing them to consumers.

HomeATM will also offer the device to banks as a tool to authenticate online banking customers. 

SafeTPIN is more secure than the user name-password combination widely used today, Mages said. "If someone puts malware on your computer and they are keylogging the strokes or they phished you to a third party, they are going to be able to read your bank account."

Paul Turgeon, a senior consultant at the research firm Payments and Processing Consultants, in Chicago, said that consumers' online banking passwords can be hacked but that a hardware device offers strong security. 

Turgeon formerly worked at Metavante Technologies Inc.'s NYCE Payments Network LLC debit unit, where he helped develop a similar card reader for consumers, SafeDebit.

He said HomeATM's device is a "reasonably affordable and very good" product but that the technology is not an issue. Merchants and banks that would consider offering the devices to consumers need to believe it is worth the investment.

Merchants will wonder "how many consumers is it going to get for me," he said, and banks will ask "what is the interchange rate." (The answer is TRUE card present, PIN Debit published rates)  Any kind of Internet PIN-debit product will face challenges until something can "get enough mass to get both parties interested."  Editor's Note:  Challenges are fun. 

Turgeon also said the Federal Financial Institutions Examination Council has required two-factor authorization for online banking for some time "and no one I know is doing it very well."
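The editor's note earlier in this post rests on one property of DUKPT key management: every transaction is protected under its own key, derived one-way from a base key and a transaction counter, so an attacker who somehow recovers the key for one transaction can read that one transaction and nothing else. The following added example (not HomeATM's code and not the ANSI X9.24 DUKPT algorithm itself) demonstrates that property. It assumes a constructed base derivation key and device id, uses HMAC-SHA256 as the one-way derivation step and an HMAC-based keystream as a stand-in for Triple DES so that it runs with the Python standard library only; the structural point, one key per transaction and no path back to the base key, is what it illustrates.

```python
import hashlib
import hmac
import os

# Constructed sample values for the demonstration; not real keys or devices.
BDK = bytes.fromhex("0123456789abcdeffedcba9876543210")  # base derivation key held only by the host
DEVICE_ID = b"\x0a\x0b\x0c\x0d\x0e"                       # identifies one PIN entry device


def derive_txn_key(bdk: bytes, device_id: bytes, counter: int) -> bytes:
    """One-way derivation of the key for a single transaction.

    The key serial number (KSN) is the device id plus the transaction counter,
    as in DUKPT; HMAC-SHA256 stands in for the TDES-based derivation of X9.24.
    Knowing the output gives no way back to the BDK or to other counters' keys.
    """
    ksn = device_id + counter.to_bytes(3, "big")
    return hmac.new(bdk, b"txn-key|" + ksn, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC; stand-in for the Triple DES cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_txn(txn_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under one transaction key; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(txn_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(txn_key, b"mac|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_txn(txn_key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong or the data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(txn_key, b"mac|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(txn_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def blast_radius_demo() -> dict:
    """Encrypt three transactions from one device, then show what leaking
    the key of transaction 2 exposes: that transaction, and only that one."""
    # Constructed track-2-style payloads, one per transaction counter.
    txns = {n: f"TRACK2-SAMPLE-TXN-{n}".encode() for n in (1, 2, 3)}
    blobs = {n: encrypt_txn(derive_txn_key(BDK, DEVICE_ID, n), pt) for n, pt in txns.items()}

    leaked_key = derive_txn_key(BDK, DEVICE_ID, 2)  # assume an attacker obtained this one key
    return {
        "keys_distinct": len({derive_txn_key(BDK, DEVICE_ID, n) for n in txns}) == 3,
        "txn2_readable": decrypt_txn(leaked_key, blobs[2]) == txns[2],
        "txn1_readable": decrypt_txn(leaked_key, blobs[1]) is not None,
        "txn3_readable": decrypt_txn(leaked_key, blobs[3]) is not None,
    }


if __name__ == "__main__":
    for name, value in blast_radius_demo().items():
        print(f"{name}: {value}")
```

The decisive line is the derivation: the device never needs the BDK after key injection, and a transaction key is an HMAC output, so recovering it reveals neither the base key nor any neighbouring transaction's key. That is the defender's reason for per-transaction keys; the same scheme with one static key per device would let a single recovered key decrypt every transaction that device ever sent.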


Internet Hacker Hits Bank Accounts

Internet hacker hits bank account - Local News - Rotorua Daily Post


Eleven Rotorua people are accused of hacking into online bank accounts and stealing thousands of dollars in an elaborate internet scam.  One of the accused has admitted her role in the widespread fraud ring that targeted the National Bank.  Nine others have been remanded without plea after appearing in Rotorua District Court yesterday, and one is wanted by police after failing to show up.

The Daily Post can today reveal details of the scam which involved people using the bank's secure website to access accounts and transfer money from one account to another, creating credits in their own or a nominated bank account. 
Editor's Note:  Wait until the professionals get crackin'!

The woman who pleaded guilty yesterday was Rotorua's Lauren Sainty, an unemployed 25-year-old.  She stole nearly $6000 and the nine others are accused of stealing about $56,000 and allegedly attempting to steal a further $25,000.

Sainty pleaded guilty to one charge of accessing the National Bank website on December 18 last year, gaining $2998 and three counts of gaining pecuniary advantage by obtaining cash amounts of $198, $2000 and $800 on the same day.

The police's summary of facts states that from June 2008, a small group of people in Hamilton found a way to access the National Bank internet website and transfer money from one account to another, creating credits in their own or a nominated bank account.  The money was then withdrawn the next day before the money was dishonoured for insufficient funds. This then put both accounts into overdraft.  The scheme became widely known to criminals in the following months before the scam was picked up, the summary states.

In November, the scale of transactions and reversals became large enough to become noticed in the banking world.  By late November, the matter was reported to police.

Judge Chris McGuire noted Sainty was a first-time offender and sentenced her to 150 hours' community work and ordered her to repay $2998 to the bank.  When contacted by The Daily Post, ANZ National Bank spokeswoman Jessamy Malcolm-Cowper said she was unable to make specific comments as the matter was still before the courts.  Meanwhile, nine other people appeared before the registrar yesterday and did not enter pleas to the charges they each faced.  All were remanded on bail to appear back in court on April 27. An arrest warrant has been issued for Rory Carlaw, 20, after he failed to show up yesterday.


  • Chantelle Rangitaitaia Green, bartender, 21, two counts of accessing a National Bank internet website in an attempt to steal $11,000.
  • Tracy Gail Dawn Anson, 19, unemployed, one charge of accessing the National Bank internet banking system dishonestly gaining $6000.
  • Elaine Rewa Jeffery, 44, unemployed, one charge of accessing the National Bank internet website in an attempt to gain $3000.
  • Jordan Moke, 18, one charge each of accessing the National Bank internet website to dishonestly obtain $1000, dishonestly using an ANZ debit card to obtain cash and cultivation of cannabis.
  • Tyrone Benjamin Moke, 21, unemployed, two charges of accessing the National Bank internet website to gain $4048 and $1000 plus three counts of using his own bank card withdrawing $800, $2000 and $202.
  • Deidre Anne Heta, 31, solo parent, 11 charges of illegally using her bank card to withdraw a total of $5191.
  • Brian Charles Brogden, 30, unemployed, one charge of accessing the National Bank internet website in an attempt to gain $2000.
  • Wallace Waiariki, 42, table hand, one count of accessing the National bank internet website in an attempt to gain $4000.
  • Owen Dlyakiya, 20, from South Africa, one charge of accessing the National bank internet website dishonestly gaining $4672 and four charges of using his bank card to dishonestly gain a total of $4673.
  • Moanata Janey Karaitiana, 23, unemployed, five charges of accessing the National Bank internet website to gain $20,700 and 35 charges of using debit cards to gain $11,739.
  • Rory Carlaw, 19, plasterer, one charge of accessing the National Bank internet website in an attempt to gain $5000 and one charge of possession of cannabis - warrant issued to arrest.


Online Sales in Germany Rising

April 9, 2009
German Online Sales Rose Last Year
Despite endemic economic losses in Europe in 2008, online sales in Germany experienced healthy growth. Full Article

PIN Debit Payments Blog: Book 'em Danno! Cybercrime Thrives in Hawaii

Book 'em Danno! Cybercrime Thrives in Hawaii

Cybercrime thrives in Hawaii, 8th in nation in e-criminals per capita
Hawaii ranks 8th nationally in online criminals per capita

By Peter Boylan - Advertiser Staff Writer

White-collar crooks using the digital domain to commit crime are prevalent in Hawai'i, as the state ranks in the top 10 for highest number of perpetrators per 100,000 residents, according to FBI statistics.

There were 44.Five-O alleged electronic fraud criminals per 100,000 residents in Hawai'i last year, putting the state eighth on the FBI's watch list. Hawai'i trails New York, Delaware, Florida, Montana, Washington, Nevada and Washington, D.C.

"We are very concerned with the victimization in Hawai'i in particular because the culture of our Islands is one of trust. Thus, many times our victims just could not believe it would happen to them," U.S. attorney Ed Kubo said.

"Those who are perpetuating Internet crimes feel that they can hide behind the cloak of secrecy when they scam our innocent victims out of their hard-earned money. These criminals do not care what circumstances their victims are in as long as they can successfully get their ill-gotten gains.

"What bothers me about this trend of Internet crime is that in this technological age, these types of crimes are increasing at a faster rate than other crimes."

Hawai'i averages about 800 Internet criminal complaints every year.

In 2007, Hawai'i residents reported Internet fraud losses of more than $1 million, with auction fraud and failure to deliver paid-for merchandise the most prevalent forms of online crime.

Users of eBay and other online auction houses are required to pay for their merchandise before receipt. Often, Internet fraud purveyors will post pictures of merchandise that does not exist. The winner of the auction will send a payment using a credit card or third-party transaction handler such as PayPal.

The criminal will keep the money and after about a week, when the merchandise doesn't arrive, the purchaser will file a complaint with the auction house. By the time the complaint is forwarded to law enforcement officials, the criminal is often long gone, law enforcement officials said.

The FBI has warned that given the global economic woes, identity thieves and Internet fraud schemes are on the rise. Hawai'i had the 17th-highest rate of complaints per 100,000 residents in 2008 with 84.92.

"Internet crime is something we are closely monitoring in Hawai'i. Given what our data shows us, regarding the frequency of these complaints happening in the state, we urge the public to be vigilant with their personal information whenever they are working, shopping or playing online," said FBI special agent Brandon Simpson.

Continue Reading at Honolulu Advertiser
