Educational CyberPlayGround ®

Avoid becoming a victim of credit card fraud


The Securities Industry and Financial Markets Association is one of the industry's main lobbying groups. Industry lobbyists carve out loopholes. When there is inadequate oversight and insufficient transparency on Wall Street, we can't prevent another financial crisis like the one. Laws do not help when lax enforcement of existing financial regulations fails to hold Wall Street accountable. Without a uniform set of rules about bank capital requirements or securities trading, many of the riskiest practices will simply move offshore, since there are no global financial regulations.

Dan Larkin, an FBI agent who heads the National Cyber-Forensics & Training Alliance in Pittsburgh, says credit bureaus are not required to notify consumers. "The credit bureaus work on behalf of banks and companies that grant credit," said Ari Schwartz of the Center for Democracy and Technology, a consumer advocacy group in Washington. "They're not set up to be consumer-oriented businesses." And the credit bureaus say they are not in the habit of reaching out to consumers whose private information may have been compromised. "Normally we would not put a fraud alert on a file without a consumer being involved" or initiating it, said Maxine Sweet, a vice president with Experian, one of the three major credit-reporting bureaus. "That's just not something we generally do."
See also: Cyber-Criminals and Their Tools [1]; Photocopiers with disk drives may hang onto sensitive data from documents [2].

Get Real-Time Insight Into Your Risk of Identity Theft
My ID Score is a quick, easy, and free way to assess the risk that your identity is being misused. It can be an essential fraud detection and early-warning tool for consumers who are concerned about identity theft.

Getting information from people is the best way to break security. What is a "Social Engineer, Con Artist & Grifter?"

U.S. authorities can't touch credit card fraud from overseas.

Companies may be selling your credit card numbers

HTTPS connections
phishing, money mules and trojans

HTTPS connections are encrypted, which more or less protects the information from man-in-the-middle attacks and from other users on the same network.

IE attacks against online banking users
The Firefox add-on Firesheep was definitely not the first program to show how easy it is to record data from other users of the network, but it brought the issue to a wider audience.
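Firesheep worked because sites sent the login session cookie over plain HTTP, so anyone on the same network could read and replay it. The check below is an added example (not code from the original page): it audits the response headers a site sends with its session cookie and shows the hardened form that keeps the cookie inside HTTPS. The header values and cookie name `sid` are constructed sample data.

```javascript
// Parse one Set-Cookie header value into {name, attrs}. Attribute names are
// case-insensitive (RFC 6265), so they are lower-cased for comparison.
function parseSetCookie(headerValue) {
  const [pair, ...rest] = headerValue.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const attrs = new Set(rest.map((a) => a.split("=")[0].toLowerCase()));
  return { name, attrs };
}

// Return a list of findings for a set of response headers (keys lower-cased).
// An empty list means the session cookie is never sent over plain HTTP
// (Secure), is not readable by page scripts (HttpOnly), and the browser is
// told to upgrade future requests to HTTPS (HSTS with a non-zero max-age).
function auditSessionHeaders(headers, sessionCookieName) {
  const findings = [];
  const cookies = (headers["set-cookie"] || []).map(parseSetCookie);
  const session = cookies.find((c) => c.name === sessionCookieName);
  if (!session) {
    findings.push(`no Set-Cookie for ${sessionCookieName}`);
  } else {
    if (!session.attrs.has("secure")) findings.push("session cookie lacks Secure");
    if (!session.attrs.has("httponly")) findings.push("session cookie lacks HttpOnly");
  }
  const hsts = headers["strict-transport-security"];
  if (!hsts) {
    findings.push("no Strict-Transport-Security header");
  } else if (!/max-age=\d+/i.test(hsts) || /max-age=0\b/i.test(hsts)) {
    findings.push("HSTS max-age missing or zero");
  }
  return findings;
}

// Constructed sample: the kind of response Firesheep could capture and replay.
const weakResponse = {
  "set-cookie": ["sid=abc123; Path=/"],
};

// Constructed sample: the hardened response.
const hardenedResponse = {
  "set-cookie": ["sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  "strict-transport-security": "max-age=31536000; includeSubDomains",
};
```

Run the audit against captured headers from your own site; each finding names one attribute that still lets a same-network sniffer or a plain-HTTP request expose the session.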

Consumer Reports looked at two dozen identity theft protection services and found them to have dubious value.

Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System

Man in the Middle Spoofing and phishing attacks

Cyber merchants are experiencing fraud rates that are 30 times higher than their bricks-and-mortar counterparts.

How to Minimize Credit and Debit Card Risk Online
Credit cards come with a legally mandated protection that limits you to a certain maximum loss in the event of fraud; at this time, it's $50. A debit card is more like direct access to your bank account, and there is no protection against fraud. Some debit cards have “overdraft protection”, which means that if your account balance goes below $0, the bank will loan you money. So if you have $5,000 in overdraft protection and $5,000 in your account, someone can spend $10,000 of your money and your bank will expect you to pay them the $5,000. One easy way to minimize the exposure of your card is to use a service like PayPal, where you authorize each transaction manually.

Pre-Packaged Time Cards
Buy pre-loaded cards at large retail stores. You can get online time for multiplayer games, iTunes store credit, Amazon gift cards, etc. Parents: you can also purchase gift cards for many online stores and services; this limits your risk if you want to give someone a spending spree at an online store but don't want to give them your own account and password.

Bank Accounts
To protect yourself from online fraud almost completely, open a separate account at a local bank and use it as the backing account for PayPal. That way you control exactly how much of your money is exposed to the internet at any given time: deposit checks into that account at an ATM, then spend the money online. If the bank offers you “overdraft protection”, decline it. You may also get a debit card with the account and, as long as there is no overdraft protection on the account, you can use the debit card online as well; your total possible loss is whatever amount of money you keep in that account.
If you have a main bank account where you keep the rest of your money, do not use that account for online bill paying or banking.


You can take orders via email if you accept only encrypted email and publish a company public key for this purpose.
You use PGP to create a public and private key, then make your public key available on your web server. Most mail packages today know how to decrypt mail with a private key.
Call your own credit card company and ask for a unique number to use for your online purchase; it's only good for that one time. This technique may avoid all kinds of problems.

University Databases hacked all over the US
A [name the university] database containing about 270,000 records of past applicants including their names and Social Security numbers was hacked last month, officials said on Tuesday. To find out the latest news on this topic join the NetHappenings Mailing List.

From: Ed Gerck 7/05
"CardSystems Exposes 40 Million Identities"
as a harbinger? Now that we know more about the facts in this recent case, expect more to come. Yes, public opinion and credit card companies can and will force companies that process credit card data to increase their security. However, how about the "acceptable risk" concept that underlies the very security procedures of credit card companies themselves and pervades their relationships with their parties? Do As I Say, Not As I Do?
The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not. In fact, if they reduced fraud to _zero_ today, their revenue would decrease as well as their profits. So, there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine. This is so because of insurance -- up to a certain level, which is well within the operational boundaries of course, a fraudulent transaction does not go unpaid through VISA, American Express or Mastercard servers. The transaction is fully paid, with its insurance cost paid by the merchant and, ultimately, by the customer.
"Acceptable risk" has for a long time been a euphemism for that business model that shifts the burden of fraud to the customer.
Thus, the credit card industry has successfully turned fraud into a sale. This is the same attitude reported to me by a car manufacturer representative when I was talking to him about simple techniques to reduce car theft -- to which he said: "A car stolen is a car sold." In fact, a car stolen will need replacement that will be provided by insurance or by the customer working again to buy another car. While the stolen car continues to generate revenue for the manufacturer in service and parts.
Whenever we see continued fraud, we should be certain: the defrauded is profiting from it. Because no company will accept a continued loss without doing anything to reduce it. Arguments such as "we don't want to reduce the fraud level because it would cost more to reduce the fraud than the fraud costs" are just a marketing way to say that a fraud has become a sale. Because fraud is a hemorrhage that adds up, while efforts to fix it -- if done correctly -- are mostly an up-front cost that is incurred only once. So, to accept fraud debits is to accept that there is also a credit that continuously compensates the debit. Which credit ultimately flows from the customer -- just like in car theft.
What is to blame? Not only the twisted ethics behind this attitude but also that traditional security school of thought which focuses on risk, surveillance and insurance as the solution to security problems. There is no consideration of what trust really would mean in terms of bits and machines[*], no consideration that the insurance model of security cannot scale in Internet volumes and cannot even be ethically justifiable.
"A fraud is a sale" is the only outcome possible from using such security school of thought. Also sometimes referred to as "acceptable risk" -- acceptable indeed, because it is paid for.
[*] Unless the concept of trust in communication systems is defined in terms of bits and machines, while also making sense for humans, it really cannot be applied to e-commerce. And there are some who use trust as a synonym for authorization. This may work in a network, where a trusted user is a user authorized by management to use some resources. But it does not work across trust boundaries, or in the Internet, with no common reporting point possible.

Identity Theft Turning Point? 7/05
Posted by Dana Blankenhorn
The recent theft of 40 million card numbers at CardSystems Solutions is a turning point in the identity theft wars.

Iron Mountain Loses More Tapes July 8, 2005
City National Bank has become the second company in two months to experience a loss of backup tapes in transit by Iron Mountain Inc. The Los Angeles-based bank disclosed Thursday that two tapes containing sensitive data, including Social Security numbers, account numbers, and other customer information, were lost during transport to a secure storage facility.
The bank said the data was formatted to make the tapes difficult to read without highly specialized skills, but declined to say whether they were encrypted. It said there's no evidence that data on the tapes has been compromised or misused.
Iron Mountain said it lost the tapes in April. The tapes were in a small container of backup tapes belonging to a Texas-based Internet services provider that hosts applications for City National and other banks. The incident has been investigated by federal law-enforcement officials and no evidence has been found of identity-theft relating to the loss.

Security war is being lost, says Schneier
By Sumner Lemon 20 September 2006

  • Companies are losing the battle to secure their IT systems from attacks by hackers and other threats, influential security expert Bruce Schneier, founder and chief technology officer of Counterpane Internet Security, has warned.
  • Where hacking was once considered a profession for hobbyists, a growing number of hackers are now criminals with a profit motive.
  • Externalities, an economic term used to describe the effects of one person's actions on another, are central to building effective security. For example, U.S. banks do not spend heavily to defend against identity theft because they are not affected when such theft occurs. To the banks, this is an externality. However, when banks bear liability for a security breach, such as an unauthorised ATM withdrawal, they make the investments necessary to prevent these incidents from taking place, he said. The same economic lessons can be applied to software vendors. To improve the security of software, Microsoft and others should be made liable for selling software that is not secure. "When you use buggy software and you lose data, that's your loss and not the software company's loss," Schneier said. That needs to change, according to Schneier. "The organisation that has the capability to mitigate the risk needs to be responsible for the risk," he said.