Avoid becoming a victim of credit card fraud
LEARN HOW TO GET YOUR CREDIT CARD REPORT REPAIRED IN 30 DAYS.
The Securities Industry and Financial Markets Association is one of the industry's main lobbying groups. Industry lobbyists carve out loopholes. When there is inadequate oversight and insufficient transparency on Wall Street, we can't prevent another financial crisis like the one. Laws do not help when lax enforcement of existing financial regulations doesn't hold Wall Street accountable. Without a uniform set of rules about bank capital requirements or securities trading, many of the riskiest practices will simply move offshore, since there are no global financial regulations.
Dan Larkin, an FBI agent who heads the National Cyber-Forensics & Training Alliance in Pittsburgh, says credit bureaus are not required to notify consumers. "The credit bureaus work on behalf of banks and companies that grant credit," said Ari Schwartz of the Center for Democracy and Technology, a consumer advocacy group in Washington. "They're not set up to be consumer-oriented businesses." And the credit bureaus say they are not in the habit of reaching out to consumers whose private information may have been compromised. "Normally we would not put a fraud alert on a file without a consumer being involved" or initiating it, said Maxine Sweet, a vice president with Experian, one of the three major credit-reporting bureaus. "That's just not something we generally do."
Cyber-Criminals and Their Tools [1] and Photocopiers with disk drives may hang onto sensitive data from documents [2]
Get Real-Time Insight Into Your Risk of Identity Theft
My ID Score is a quick, easy, and free way to assess the risk that your identity is being misused. It can be an essential fraud detection and early-warning tool for consumers who are concerned about identity theft.
U.S. authorities can't touch credit card fraud from overseas.
Companies May be selling your Credit Card Numbers
HTTPS connections vs. phishing, money mules and trojans
HTTPS connections are encrypted, which more or less protects the information from man-in-the-middle attacks and from other users on the same network.
IE attacks against online banking users
The Firefox add-on Firesheep was definitely not the first program to show how easy it is to record data from other users of the network but it brought the issue to a wider audience.
Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System
Man in the Middle Spoofing and phishing attacks
How to Minimize Credit and Debit Online
Credit cards come with a legally mandated protection that limits you to a certain maximum loss in the event of fraud. At this time, it's $50. A debit card is more like direct access to your bank account and there is no protection against fraud. Some debit cards have “overdraft protection” which means that if your account balance goes below $0, the bank will loan you money. So if you have $5,000 in overdraft protection and $5,000 in your account, someone can spend $10,000 of your money and your bank will expect you to pay them the $5,000. One easy way to minimize the exposure of your card is to use a service like PayPal, where you're authorizing each transaction manually.
Pre-Packaged Time Cards
Buy pre-loaded cards at large retail stores. You can get online time for multiplayer games, iTunes store credit, Amazon gift cards, etc. Parents: you can also purchase gift cards for many online stores and services; this limits your risk if you want to give someone a spending spree at an online store but don't want to give them your own account and password.
Bank Accounts
To more or less completely protect yourself from online fraud, you can set up one of these accounts at a local bank, then use the account as the backing account for PayPal. That way, you can exactly control how much of your money is exposed to the internet at any given time: simply deposit checks into that account at an ATM, then spend the money online. If the bank offers you “overdraft protection” you should decline it. You may also get a debit card with the account and, as long as there is no overdraft protection on the account, you can use the debit card online as well. Your total possible loss is whatever amount of money you keep in that account.
If you have a main bank account where you keep the rest of your money, you should not use that account for online bill paying or banking.
EMAIL Fraud
You can take orders via email if you only accept encrypted email and provide a company public key for this. You use PGP to create a public and private key, then you just make your public key available on your web server. Most mail packages today know how to decrypt mail with a private key.
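The key setup described above, sketched with GnuPG as an added example (not code from the original page): the merchant generates a key pair and exports the public half for publication, a customer encrypts an order to it, and the merchant decrypts it. The address orders@shop.example, the file names and the order text are constructed, and the empty passphrase is an assumption made only so the demo runs unattended.

```shell
#!/bin/sh
# Added example: PGP-encrypted order e-mail, merchant and customer sides.
# Two separate GnuPG home directories stand in for the two machines.
pgp_order_roundtrip() {
    order_text=$1
    work=$(mktemp -d) || return 1
    shop="$work/shop"; customer="$work/customer"
    mkdir -m 700 "$shop" "$customer"

    # Merchant: create the key pair. A real key should have a passphrase;
    # the empty one here only keeps the demo non-interactive.
    gpg --homedir "$shop" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Example Shop Orders <orders@shop.example>' default default 1y \
        2>/dev/null || return 1

    # Merchant: export ONLY the public key; this file goes on the web server.
    gpg --homedir "$shop" --batch --armor \
        --export orders@shop.example > "$work/shop-public-key.asc"

    # Customer: import the published key and encrypt the order to it.
    # In practice the customer should verify the key fingerprint through a
    # second channel instead of relying on --trust-model always.
    gpg --homedir "$customer" --batch --quiet \
        --import "$work/shop-public-key.asc" 2>/dev/null
    printf '%s\n' "$order_text" |
        gpg --homedir "$customer" --batch --quiet --armor \
            --trust-model always --recipient orders@shop.example \
            --encrypt > "$work/order.asc" 2>/dev/null

    # What travels by e-mail must not contain the order in the clear.
    grep -qF -- "$order_text" "$work/order.asc" && return 1

    # Merchant: only the private key in $shop can recover the order.
    gpg --homedir "$shop" --batch --quiet --decrypt "$work/order.asc" 2>/dev/null
    status=$?

    gpgconf --homedir "$shop" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    return $status
}

pgp_order_roundtrip 'ORDER 1001: 2 x widget, card ending 0000 (constructed)'
```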
Call your own credit card company and get a unique number to use for your online purchase. It's only good for that one time. This technique may avoid all kinds of problems.
University Databases hacked all over the US
A [name the university] database containing about 270,000 records of past applicants including their names and Social Security numbers was hacked last month, officials said on Tuesday. To find out the latest news on this topic join the NetHappenings Mailing List.
From: Ed Gerck nma.com 7/05
"CardSystems Exposes 40 Million Identities" as a harbinger? Now that we know more about the facts in this recent case, expect more to come. Yes, public opinion and credit card companies can and will force companies that process credit card data to increase their security. However, how about the "acceptable risk" concept that underlies the very security procedures of credit card companies themselves and pervades their relationships with their parties? Do As I Say, Not As I Do?
The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not. In fact, if they would reduce fraud to _zero_ today, their revenue would decrease as well as their profits. So, there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine. This is so because of insurance -- up to a certain level, which is well within the operational boundaries of course, a fraudulent transaction does not go unpaid through VISA, American Express or Mastercard servers. The transaction is fully paid, with its insurance cost paid by the merchant and, ultimately, by the customer.
"Acceptable risk" has been for a long time a euphemism for that business model that shifts the burden of fraud to the customer.
Thus, the credit card industry has successfully turned fraud into a sale. This is the same attitude reported to me by a car manufacturer representative when I was talking to him about simple techniques to reduce car theft -- to which he said: "A car stolen is a car sold." In fact, a car stolen will need replacement that will be provided by insurance or by the customer working again to buy another car. While the stolen car continues to generate revenue for the manufacturer in service and parts.
Whenever we see continued fraud, we should be certain: the defrauded is profiting from it. Because no company will accept a continued loss without doing anything to reduce it. Arguments such as "we don't want to reduce the fraud level because it would cost more to reduce the fraud than the fraud costs" are just a marketing way to say that a fraud has become a sale. Because fraud is a hemorrhage that adds up, while efforts to fix it -- if done correctly -- are mostly an up front cost that is incurred only once. So, to accept fraud debits is to accept that there is also a credit that continuously compensates the debit. Which credit ultimately flows from the customer -- just like in car theft.
What is to blame? Not only the twisted ethics behind this attitude but also that traditional security school of thought which focuses on risk, surveillance and insurance as the solution to security problems. There is no consideration of what trust really would mean in terms of bits and machines[*], no consideration that the insurance model of security cannot scale in Internet volumes and cannot even be ethically justifiable.
"A fraud is a sale" is the only outcome possible from using such security school of thought. Also sometimes referred to as "acceptable risk" -- acceptable indeed, because it is paid for.
[*] Unless the concept of trust in communication systems is defined in terms of bits and machines, while also making sense for humans, it really cannot be applied to e-commerce. And there are some who use trust as a synonym for authorization. This may work in a network, where a trusted user is a user authorized by management to use some resources. But it does not work across trust boundaries, or in the Internet, with no common reporting point possible.
Identity Theft Turning Point? 7/05
Posted by Dana Blankenhorn
The recent theft of 40 million card numbers at CardSystem Solutions is a turning point in the identity theft wars.
BACK IT UP
Iron Mountain Loses More Tapes July 8, 2005 http://www.informationweek.com/story/showArticle.jhtml?articleID=165701015
City National Bank has become the second company in two months to experience a loss of backup tapes in transit by Iron Mountain Inc. The Los Angeles-based bank disclosed Thursday that two tapes containing sensitive data, including Social Security numbers, account numbers, and other customer information, were lost during transport to a secure storage facility.
The bank said the data was formatted to make the tapes difficult to read without highly specialized skills, but declines to say if they were encrypted. It said there's no evidence that data on the tapes has been compromised or misused.
Iron Mountain said it lost the tapes in April. The tapes were in a small container of backup tapes belonging to a Texas-based Internet services provider that hosts applications for City National and other banks. The incident has been investigated by federal law-enforcement officials and no evidence has been found of identity-theft relating to the loss.
Security war is being lost, says Schneier
http://www.techworld.com/security/news/index.cfm?newsID=6914
By Sumner Lemon 20 September 2006
- Companies are losing the battle to secure their IT systems from attacks by hackers and other threats, influential security expert Bruce Schneier, founder and chief technology officer of Counterpane Internet Security, has warned.
- Where hacking was once considered a profession for hobbyists, a growing number of hackers are now criminals with a profit motive.
- Externalities, an economic term used to describe the effects of one person's actions on another, are central to building effective security. For example, U.S. banks do not spend heavily to defend against identity theft because they are not affected when such theft occurs. To the banks, this is an externality. However, when banks bear liability for a security breach, such as an unauthorised ATM withdrawal, they make the investments necessary to prevent these incidents from taking place, he said. The same economic lessons can be applied to software vendors. To improve the security of software, Microsoft and others should be made liable for selling software that is not secure. "When you use buggy software and you lose data, that's your loss and not the software company's loss," Schneier said. That needs to change, according to Schneier. "The organisation that has the capability to mitigate the risk needs to be responsible for the risk," he said.