Detangling the $45 Million Cyberheist - bankinfosecurity.com - 15 May 2013

http://www.bankinfosecurity.com/detangling-45-million-cyberheist-a-5759

In Hours, Thieves Took $45 Million in A.T.M. Scheme - nytimes.com - 09 May 2013

It was a brazen bank heist, but a 21st-century version in which the criminals never wore ski masks, threatened a teller or set foot in a vault.

In two precision operations that involved people in more than two dozen countries acting in close coordination and with surgical precision, thieves stole $45 million from thousands of A.T.M.'s in a matter of hours.

In New York City alone, the thieves responsible for A.T.M. withdrawals struck 2,904 machines over 10 hours starting on Feb. 19, withdrawing $2.4 million.

The operation included sophisticated computer experts operating in the shadowy world of Internet hacking, manipulating financial information with the stroke of a few keys, as well as common street criminals, who used that information to loot the automated teller machines.

The first to be caught was a street crew operating in New York, their pictures captured as, prosecutors said, they traveled the city withdrawing money and stuffing backpacks with cash.

On Thursday, federal prosecutors in Brooklyn unsealed an indictment charging eight men — including their suspected ringleader, who was found dead in the Dominican Republic last month. The indictment and criminal complaints in the case offer a glimpse into what the authorities said was one of the most sophisticated and effective cybercrime attacks ever uncovered.

It was, prosecutors said, one of the largest heists in New York City history, rivaling the 1978 Lufthansa robbery, which inspired a scene in the movie “Goodfellas.”

Beyond the sheer amount of money involved, law enforcement officials said, the thefts underscored the vulnerability of financial institutions around the world to clever criminals working to stay a step ahead of the latest technologies designed to thwart them.

“In the place of guns and masks, this cybercrime organization used laptops and the Internet,” said Loretta E. Lynch, the United States attorney in Brooklyn. “Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of A.T.M.'s in a matter of hours.”

The indictment outlined how the criminals were able to steal data from banks, relay that information to a far-flung network of so-called cashing crews, and then have the stolen money laundered in purchases of luxury items like Rolex watches and expensive cars.

In the first operation, hackers infiltrated the system of an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards. Such companies are attractive to cybercriminals because they are considered less secure than financial institutions, computer security experts say.

The hackers, who are not named in the indictment, then raised the withdrawal limits on prepaid MasterCard debit accounts issued by the National Bank of Ras Al-Khaimah, also known as RakBank, which is in United Arab Emirates.

Once the withdrawal limits have been eliminated, “even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution,” the indictment states. And by using prepaid cards, the thieves were able to take money without draining the bank accounts of individuals, which might have set off alarms more quickly.

With five account numbers in hand, the hackers distributed the information to individuals in 20 countries who then encoded the information on magnetic-stripe cards. On Dec. 21, the cashing crews made 4,500 A.T.M. transactions worldwide, stealing $5 million, according to the indictment.

While the street crews were taking money out of bank machines, the computer experts were watching the financial transactions from afar, ensuring that they would not be shortchanged on their cut, according to court documents.

MasterCard alerted the Secret Service to the activity soon after the transactions were completed, said a law enforcement official, who declined to be identified discussing a continuing investigation. 

Robert D. Rodriguez, a special agent with the Secret Service for 22 years and now the chairman of Security Innovation Network, said that in some ways the crime was as old as money itself: bad guys trying to find weaknesses in a system and exploiting that weakness.

“The difference today is that the dynamics of the Internet and cyberspace are so fast that we have a hard time staying ahead of the adversary,” he said. And because these crimes are global, he said, even when the authorities figure out who is behind them they might not be able to arrest them or persuade another law enforcement agency to take action.

After pulling off the December theft, the organization grew more bold, and two months later it struck again — this time nabbing $40 million.

On Feb. 19, cashing crews were in place at A.T.M.'s across Manhattan and in two dozen other countries waiting for word to spring into action.

This time, the hackers had infiltrated a credit-card processing company based in the United States that also handles Visa and MasterCard prepaid debit cards. Prosecutors did not disclose the company’s name.

After securing 12 account numbers for cards issued by the Bank of Muscat in Oman and raising the withdrawal limits, the cashing crews were set in motion. Starting at 3 p.m., the crews made 36,000 transactions and withdrew about $40 million from machines in the various countries in about 10 hours. In New York City, a team of eight people made 2,904 withdrawals, stealing $2.4 million.

Surveillance photos of one suspect at various A.T.M.'s showed the man’s backpack getting heavier and heavier, Ms. Lynch said, comparing the series of thefts to the caper at the center of the movie “Ocean’s Eleven.”

While the New York crew had a productive spree, the crews in Japan seem to have been the most successful, stealing around $10 million, probably because some banks in Japan allow withdrawals of as much as $10,000 from a single bank machine.

“The significance here is they are manipulating the financial system to be able to change these balance limits and withdrawal limits,” said Kim Peretti, a former prosecutor in the computer crime division of the Justice Department who is now a partner in the law firm Alston & Bird. “When you have a scheme like this, where the system can be manipulated to quickly get access to millions of dollars that in some sense did not exist before, it could be a systemic risk to our financial system.”

It was unclear to whom the hacked accounts belonged, and who might ultimately be responsible for the losses.

The indictment suggests a far-reaching operation, but there were few details about the people responsible for conducting the hacking or who might be leading the global operation. Law enforcement agencies in more than a dozen countries are still investigating, according to federal prosecutors. The authorities said the leader of the New York cashing crew was Alberto Lajud-Peña, 23, whose body was found in the Dominican Republic late last month. Seven other people were charged with conspiracy to commit “access device fraud” and money laundering.

The prosecutors said they were all American citizens and were based in Yonkers. The age of one defendant was given as 35; the others were all said to be 22 to 24. Mr. Lajud-Peña fled the United States just as the authorities were starting to make arrests of members of his crew, the law enforcement official said.

On April 27, according to news reports from the Dominican Republic, two hooded gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched.

By MARC SANTORA         

Smartphone app that allows credit card skimming ‘real risk’ to consumers: experts - globalnews.ca

TORONTO – A smartphone app, which allows the user to read credit card information through wallets and purses, is cause for concern amongst consumers that carry credit cards with radio-frequency identification (RFID) technology, according to experts.

The free app, available on the Samsung Galaxy S3 through the Google Play store, allows the phone to read the RFID chip on a credit card, picking up the cardholder’s name, credit card number and expiry date, according to a CBC investigation.

RFID chip technology is used in many credit cards, most commonly used for tap-to-pay systems like MasterCard’s PayPass or Visa payWave.

The technology stores information including the card number, the cardholder’s name and the expiry date. It does not include the three digit security number on the back of the card – usually used when a larger purchase is being made on the card.

Major credit card companies have stated that RFID technology is safe, however the technology is not encrypted – unlike the chip on the front of the card that physically plugs in to debit or credit machines.
RFID technology serves the same purpose as the magnetic strip on a credit card, but works wirelessly, making it more susceptible to high-tech theft.

“The units that you tap your card on are set on very low ranges, so you only have to get within a few inches of the device for it to read your card. But there is nothing inherent in the technology that says it has to be within three to four inches – if you turn the power up you can push it out to 10 or 15 feet,” said David Skillicorn, professor at the school of computing at Queens University.

“That’s where the trouble starts – because now you don’t have to be very close to the credit card or the passport in order to read the information on it.”

The CBC investigation into the application revealed that credit card information could be read through wallets, pockets and purses using the phones near field communication (NFC) antenna.
Theoretically, this means that someone using the app could gain access to your credit card information by just standing near you.

“The new piece here is that instead of having to buy a slightly elusive piece of hardware from some sort of mail-order place, you can now just download the app to your phone and piggy back on its Bluetooth capabilities,” Skillicorn told Global News.

Skillicorn said that one of the risks associated with this type of technology is identity theft. He notes that because RFID technology does not provide the three digit security code on the back of the card, a thief would not be able to make a substantial purchase.

“You can steal small amounts of money, yes, but you can steal identify – and that’s the real risk. You could phone up MasterCard or Visa and when they ask you to enter your card number, you can change the address listed on the account and other personal details – but you can’t go a buy a $5000 TV with that information,” said Skillicorn.

But Gordon Agnew, associate professor at the University of Waterloo who specializes in cryptography and data security, disagrees.

Agnew argues that because the RFID technology is moving into debit cards now, the financial risk is much higher.

“Most credit card companies say you are not liable for fraudulent use of your card, but a lot of debit cards are coming out with RFID technology and those cards are liable depending on the bank,” said Agnew.

What can consumers do to protect themselves?

The risk of these apps is limited to the Android platform right now.
Near field communication is not yet available on the iPhone and BlackBerry is “too secure” to adopt the technology, according to Agnew.
“The first line of defense is keep it protected,” said Agnew.
“You can check to see if the card is RFID enabled – if there is a pie shaped symbol, made up of four or more lines, on the card then this means your card has the technology.” 

By Nicole Bogart

Online fraudsters 'offering access to stolen credit card details through Facebook' - in.news.yahoo.com - 25 Apr 2013

London, Apr. 25 (ANI): Online fraudsters are offering access to credit card details, networks of hacked computers, and other fraud 'services' through Facebook, according to security researchers.

Cyber security firm RSA identified posts on a Facebook group that included a list of stolen items that appear to have been obtained by one of the group's members.

According to the Guardian, the group has now been removed by Facebook, which said it was a violation of its rules.

The group was launched on 28 February this year and at the time of its closure had 163 "likes" and 20 regular contributors.

A Facebook spokesperson said that 'security issues, from malware to cybercrime, exist across the whole of the web'.

Buying and selling malware, identities and card details is widespread on the Internet, but this appears to be one of the most brazen cases to date.

The Facebook group was completely public, meaning anyone - including those without a Facebook account - could access the sites it links to and the discussions taking place on its homepage, the report added.

Identity Theft: It's Not Just for Grownups! - huffingtonpost.com - 23 Apr 2013

Imagine finding out that your eight-year-old has a house in foreclosure thousands of miles away. How about getting collection calls because your young teen is several payments behind on a car loan? These are not far-fetched scenarios. According to a study conducted by Carnegie Melon's CyLab, over 10 percent of the children studied reported that someone had used their Social Security number fraudulently.

Kids have pristine records with no real credit score of their own. Parents generally don't think to monitor the status of their kids' identity. This is the perfect combination for children to be the easy targets of identity theft.

A child's Social Security number can be used by identity thieves in the same ways as our own numbers can be used -- to apply for government benefits, to open bank accounts, to obtain credit cards, to apply for loans and to secure a rental lease. The main reasons for the use of child identities are to obtain illegal immigration, steal, and clean the credit scores of a loved one. Victimization frequently occurs close to home by family and friends -- data shows that 27 percent of the time, the victim knows the person responsible for the crime and lower income families are disproportionately affected.

When my son was young one of his chores was to bring the mail in from the mailbox. One afternoon, when he was six-years-old, he came running in all excited because he had gotten mail addressed to him. This is always a cause for celebration with youngsters, but this time was different. He was wielding a credit card with his name on it. "Look mom! Now I have a card like you have." I was horrified as I snatched the card from his little hand.

This was back when banks and credit card companies would send out actual, approved credit cards to customers -- all you had to do was call the phone number pasted on the front to activate the account. Even then, six-year-olds were not allowed to have their own cards. This card could have easily fallen into the wrong hands -- many such cards did.
First I had to explain to my son why he would not be keeping his new card, and then call the credit card company to point out their error, and request they did not make further efforts to get my son to open an account. Giving my son his credit lesson was far easier than dealing with the issuing company -- after all, I obviously wasn't my son on the phone. "You don't understand," I was scolded. "Only the cardholder can have his name removed from our records." It didn't matter that I explained that my son was only six. Ultimately, my son had to join the phone conversation and authorize me to represent him.

The government eventually stepped in. The Credit Card Accountability Responsibility and Disclosure Act of 2009 set the minimum age for having a credit card at 21. A student can get a card at 18 with the co-signature of a parent and proof of ability to pay for charges. The companies were also forced to stop practices to recruit students on college campuses with temptations such as a free pizza or a subscription to a popular magazine.

Five Ways to Protect Your Child's Identity and Credit Health

1. School forms often require personal information. Ask how the information is collected, used, stored, and disposed of. This sensitive information is protected by law -- make sure that they have a plan to safeguard the information.


2. Watch for credit offers mailed in your child's name as this can be an early warning to identity theft. If the offer is from a bank where there is an account in your child's name, ask to be removed from marketing. If the offer comes from another source, check with the company to see how they acquired your child's name.



3. If you receive a bill, collection letter or phone call in your child's name -- there's a problem. Don't ignore these red flags, contact the creditor.



4. Check to see if your child has a credit report. The reporting agencies generally don't keep reports on minors -- if there is a report, it is a good indicator that someone has been using your child's identity. Teach your older teens to check their credit report annually. Have them do it on their birthday -- this is an easy reminder, and consider keeping good credit as a birthday present to themselves.



5. Teach your kids about credit cards and using credit wisely -- start when they are very young and see you using your cards to pay for groceries or toys. Explain that credit cards are not magic and that you get a bill at the end of the month which has to be paid. Start your older kids off with a debit or prepaid card -- think of these as credit cards with training wheels.

There are nearly nine million identity fraud victims every year in the United States. In 2010 the total financial loss attributed to identity theft was over $13 billion. Be vigilant and protect yourself and your children. Credit problems can have far-reaching effects on your child's future, including employment, college acceptance, tuition loans and even home ownership.

By : Neale Godfrey

The Year in Hacking, by the Numbers - bits.blogs.nytimes.com - 22 Apr 2013

Security experts like to say that there are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked.

Their latest supporting evidence comes in the form of an annual Verizon report, which counted 621 confirmed data breaches last year, and more than 47,000 reported “security incidents.” Those include distributed denial of service (DDOS) attacks, in which hackers flood a site with traffic until it falls offline, but do not necessarily break into a company’s network.

The victims spanned a wide range of industries. Thirty-seven percent of breached companies were financial firms; 24 percent were retailers and restaurants; 20 percent involved manufacturing, transportation and utility industries; and 20 percent of the breaches affected organizations that Verizon qualified as “information and professional services firms.” (The totals exceed 100 percent because of rounding.)

“The results validate that any business that operates online is at potential risk of suffering a data breach,” said Wade Baker, one of the report’s principal authors. “We talk to a lot of actors that are flabbergasted that they would be attacked by a group based across the world. But the report shows that no matter the size of the organization — large, small, government agencies, banks, restaurants, retailers — people are stealing data from a range of different organizations and it’s a problem everyone has to deal with.”

Verizon collaborated with 18 organizations to feed data into this year’s report. Three quarters of successful breaches were done by profit-minded criminals for financial gain. But the second most common type of breach was a state-affiliated attack “aimed at stealing intellectual property — such as classified information, trade secrets and technical resources — to further national and economic interests.”

Verizon said that only a slim minority — 14 percent — of all data breaches were the work of insiders. Most were the work work of external actors who are often difficult to pinpoint because attackers often route their Web traffic through infected computers around the world. But Mr. Baker said victims were able to trace the attacks back to state-affiliated groups in “two out of three cases.”

In those cases, Verizon said that the majority– 30 percent– of all attacks originated in China. Government officials in the United States recently started stepping up diplomatic pressure on China to curtail cyberespionage that originates from within its borders. Last month, the Obama administration demanded that the Chinese government stop the theft of data from American computer networks. And on Monday, cybersecurity was the focus of a meeting between the Joint Chiefs of Staff chairman, Gen. Martin E. Dempsey, and Gen. Fang Fenghui of China.

Surprisingly, the second most common origin of attacks was Romania, where hackers accounted for 28 percent of all data breaches. The third most common origin of attacks was the United States, which accounted for 18 percent of all attacks.
In 76 percent of data breaches, weak or stolen user names and passwords were a cause. In 40 percent of cases, Verizon said the attackers installed malicious software on the victim’s systems; 35 percent of cases involved “physical attacks” in which the attackers did physical harm, to a skimmer at an automated teller machine, for instance.

In 29 percent of breaches, the attackers leveraged social tactics, such as spear phishing, in which a tailored e-mail to the victim purports to come from a friend or business contact. The e-mails contain malicious links or attachments that, when clicked, give the attacker a foothold in the victim’s computer network. Verizon said it witnessed four times as many “social engineering” attacks that used this method in 2012 as it did in 2011. That method, Verizon said, was most popular among attackers in cyberespionage campaigns.

The Verizon report also highlighted the lag between the time an organization has been breached and the time it discovers the breach. “The compromise-to-discovery timeline continues to be measured in months and even years, as opposed to hours and days,” the report said.

Indians among 18 charged with $200 mn credit card fraud in US - Yahoo News - 06 Feb 2013

New Jersey, Feb 6 (IANS) US federal prosecutors have charged 18 people, including at least five Indians, in one of the largest credit card fraud schemes spanning 28 states and eight countries, including India.

Using over 25,000 fraudulent credit cards, the accused wired millions of dollars to Pakistan, India, the United Arab Emirates, Canada, Romania, China and Japan leading to losses of more than $200 million, prosecutors said.

"The defendants are part of a massive international fraud enterprise involving thousands of false identities, fraudulent identification documents, doctored credit reports and more than $200 million in confirmed losses," FBI Special Agent James Simpson said in court records.

According to court records, the scheme involved three basic steps: The defendants allegedly created thousands of fake identities, pumped up the credit histories of those fictitious people and then racked up charges on fraudulently obtained credit cards.

The proceeds, authorities said, were used for luxury automobiles, electronics, spa treatments, high-end clothing and millions of dollars in gold. Authorities said the fraudsters also stockpiled large sums of cash and approximately $70,000 in cash was found in one defendant's oven.

Though the scheme targeted credit card companies, Paul Fishman, US Attorney for New Jersey, said customers everywhere could feel the impact.

"Through their greed and their arrogance, the individuals arrested today and their conspirators allegedly harmed not only the credit card issuers, but everyone who deals with increased interest rates and fees because of the money sucked out of the system by criminals acting in fraud rings like this one," Fishman said.

The defendants, including the alleged ringleaders, Babar Qureshi and Muhammad Shafiq, are due to make their initial court appearances before US Magistrate Judge Madeline Cox Arleo in a Newark federal court Wednesday.