Wednesday, October 24, 2007

Fraudsters evolve to stealing YOU

In the ever-evolving world of Fraud - the bad guys adapt and change strategy as us security folks find ways to curb their effectiveness. This constant and on-going struggle is no surprise to anyone (or shouldn't be!) reading this.

What does strike me, is the evolution of the tricks used to part Joe User from his personal information (PII). When this whole game started tricksters and fraudsters were out to steal your credit card number, cvv/cvv2, and your expiration date along with your userID and password. The game has certainly changed, hasn't it?

Since we the security community, with the help of the media (or hinderence if you read the NY Times) have been beating people over the head with the idea that they shouldn't give away this information to just anyone, the fraudsters have gotten more clever as they had to in order to continue to get their information. What started out as campaigns of mass-email to everyone that appeared to come from eBay, PayPal, and the like has now turned into a targeted, micro-targetted attack against people who have a very high likelihood of not only being part of the organization you're seeking to defraud, but also likely to fall for your fraud.

Blasting two hundred million emails to everyone in the world worked well the first few times - but then people started hearing from the news man, the neighbor, the computer guy at the office, and your own mum that you shouldn't fall for those schemes. OK, problem solved right? Wrong. Then came a slightly more targeted attack, customer lists were lifted from, say, CitiBank as an example and these customers' emails would then be peppered with "We're from CitiBank, click here to re-set your password"... since these people were also customers, and their neighbor and mother didn't get the same email, the people who got them figured they were authentic and fell for the frauds. Millions of targeted attacks later, people have heard about this, and for the most part ignore them when they hit your mailbox.

Now you get something like this, an email in your mailbox that says what you've been hearing from all around - organizations of good repute will never send you email soliciting you to send them your personal account information. Sounds logical, right? But look at the bottom of the email! This is a classic confidence scam. Lure the person in with a confidence-builder so that they figure they can at least minimally trust you, then steal their information.


And now the really bad news... notice that the site (pasted here) doesn't even ask you for anything more than a username and password (which, in all fairness should be a good sign that wait a minute... wouldn't they want me to authenticate first... then give my information??) and the answers to some simple questions. But once you've answered these questions - the person can then become YOU. These aren't just ordinary questions, mind you. These are questions that the more advanced "multi-factor authentication systems" such as RSA/Passmark and others utilize.

See the bigger picture now? You can change your password for Regions Bank's website, easy enough... but can you change your ...favorite food? what about your first dog's name? what about the high school you went to? your first car? Now you get it, hopefully. The attack is much deeper than just password theft - this is stealing some information about you which you CANNOT CHANGE, and which will be asked over and over in other "high security" sites and applications.

This type of theft, once it's happened to you, has **no defense**. You can't go change your information... easily. Unless you now change your favorite color, college roommate's name, and street you grew up on in your head - and remember that you changed it - you're in for a world of hurt.

Lookout folks - fraudsters are getting smarter in their efforts to part people from their hard-earned money and their identities. This is scary stuff. We must spread the word, let people know this is happening... write about it, tell people about it, and make yourself heard because we all pay the price from our own wallets.

Good luck out there, and be safe.

1 comment:

Anonymous said...

This is why I never answer the security questions with true answers. I choose to make up answers unique to the institution. In the event that one company loses my data, at least my other accounts will not be compromised.