Ads 468x60px

Featured Posts

Tuesday, April 22, 2014

Abney Associates Tech Blog, Zeus Malware: A Continuing Threat

The indictment of nine alleged participants in a fraud scheme that involved infecting thousands of business computers with Zeus malware to steal millions of dollars shows that the malware remains a formidable ongoing threat, financial services security experts say.

The victims in the case included a Nebraska bank and a Nebraska company, according to an announcement of the indictment from federal prosecutors. The indictment was unsealed in connection with the April 11 arraignment of two Ukrainian nationals, who were recently extradited from the United Kingdom. Three other Ukrainians and a Russian have not yet been arrested; the indictment also names three other "John Doe" defendants.

"These actors are only a few of those who operate Zeus botnets out of a sea of cybercriminals who use variations to commit fraud," says Ryan Sherstobitoff, a threat researcher at security vendor McAfee, a unit of Intel. "Zeus will always be a continuing threat, and cybercriminals will continue to use Zeus to steal money. We as an industry must be vigilant."

Kevin Haley, security response director at security vendor Symantec, says the indictments won't put much of a dent in the use of the malware. "Zeus is not a gang; it's a toolkit, a very popular one used by many gangs," he says. "While today there is one less gang, there are still plenty of others using Zeus to attack us."

Andreas Baumhof, chief technology officer at anti-fraud vendor ThreatMetrix, says that when it comes to fighting fraud, the latest indictments are "like taking a scoop of sand out of the beach.

"The thing about Zeus is that the people who develop and distribute Zeus are not the same people who use Zeus to steal money," Baumhof says. "Now we have a couple less people using Zeus."

Zeus is a continuing threat because many financial institutions aren't looking necessarily for the malware itself, says George Tubin, banking expert at anti-malware provider Trusteer. "What [banks] are trying to do is use different authentication means and different fraud prevention technologies to try to spot when fraud happens," he says. "But very few institutions are actually trying to identify when man-in-the-middle malware [such as Zeus] is being used."

The nine defendants in the case revealed April 11 allegedly used the malware to capture passwords, account numbers and other information necessary to log into online banking accounts, federal prosecutors say. The conspirators then used the information to steal millions of dollars from victims' bank accounts.

The defendants allegedly falsely represented to banks that they were employees of the victim organizations and were authorized to make transfers of funds from the victims' bank accounts, according to an announcement from the Federal Bureau of Investigation.

As part of the scheme, the defendants allegedly used money mules in the U.S. who received funds transferred over the ACH network or through other interstate wire systems from victims' bank accounts, the FBI says. The money mules then allegedly withdrew some of those funds and wired the money overseas to conspirators.

All the defendants were charged by a federal grand jury with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft and multiple counts of bank fraud.

McAfee's Sherstobitoff says federal law enforcement is making progress mitigating the Zeus threat through botnet takedowns and disruption efforts. "These disruption efforts are oriented toward breaking up criminal rings who operate Zeus to steal from commercial entities," he says.

Haley at Symantec notes: "Security technology continues to get better, and users become more aware of the social engineering tricks that attackers deploy. But the attackers do not stand still either."

Organizations need to first identify the critical business information that must be protected and prioritize that appropriately, Haley says. Then they must implement security technology, including anti-spam technology, to mitigate the e-mail threats. "And finally, users need security awareness training," he says.

ThreatMetrix's Baumhof says making progress in fighting fraud is challenging because many malware attacks are so targeted. "The trick with Zeus is that it is a very flexible toolkit that you can use in many different ways," he says. "People try to mitigate the specific attacks that they are being attacked with, not against Zeus. People are protecting against cuts and not against the Swiss Army knife."

To fight attacks that use Zeus, banks need to ensure more data is available to systems that assess risk, Baumhof says. And that includes information about end users' devices. "How can a bank make a good decision regarding whether or not a particular transaction is valid if there is no visibility into the endpoint?"

Monday, April 21, 2014

Abney Associates Tech Blog, Online Debit, Credit Fraud Will Soon Get Much Worse. Here's Why.

I’m not much of a Nostradamus, but one thing I can predict with near certainty is that this time next year we are likely to find ourselves witnessing an all-time high in the rate of online credit and debit card fraud. Ironically, that surge in online theft will be the result of efforts to make the offline use of credit and debit cards more secure.

By Oct. 1 of next year, retail establishments are supposed to be able to accept new credit and debit cards that have a chip embedded and require the use of a PIN when making purchases at the checkout counter. The point is to make the cards smarter so that financial institutions can better detect fraudulent usage. Requiring a PIN clearly adds a layer of identification and protection that can deter such fraud.

How do we know that this effort to increase security at the point of sale is going to actually drive online fraud? We already saw it happen in Europe.

In 2002, European financial institutions starting rolling out these very same cards and point-of-sale terminals. We call this technology EMV (Europay, MasterCard and Visa). Financial institutions intend to make EMV a global standard for authenticating credit and debit card transactions using integrated chip technology.

This technology has now been partially or fully deployed in about 14 countries and regions, including most Asian Pacific nations, all of Europe, most of Latin America and the Caribbean. Every country and region in which EMV has been deployed has seen a corresponding surge in online fraud.

Four years after beginning the deployment of cards and new point-of-sale terminals, about 99 percent of businesses and consumers were utilizing EMV. No doubt the cards were effective at cutting offline abuse. Before EMV, Europe saw fraud losses in stores of about 13 basis points of net sales. After EMV, the offline fraud rate plummeted to just 3.5 basis points, according to Douglas King in the study, “Chip-and-Pin: Success and Challenges in Reducing Fraud.”

However, the online world was a fraud nightmare. Online credit and debit card fraud rates more than doubled from the pre-EMV days. In 2004, Europe had an online credit and debit card fraud rate of 25 percent. By 2010, the rate had soared to 64 percent. Further, the European Central Bank’s February 2014 report on card fraud found that card-not-present (CNP) payments, i.e. payments via the internet, post or phone, were the source of 60 percent of total fraud incidents across Europe in 2012. With about $1.1 billion in fraud losses in 2012, CNP fraud showed the highest growth rate, up 21.2 percent from 2011, and analysts project this growth rate will continue to increase in 2013 and 2014.

Making credit and debit cards smarter made the crooks smarter. They stopped using cards with EMV technology in brick-and-mortar stores. Even the thieves knew that using one of the new EMV cards in a store was quickly going to get the card shut down.

So they doubled their efforts at stealing online, where the chips in cards did no good when all that was required were card numbers. Additionally, the bad guys shifted more of their nefarious online activity to foreign countries where it’s even harder to tell a legitimate card user from a thief.

When EMV technology was established, the crooks also started targeting debit cards over credit. Most debit cards use the magnetic stripe and therefore behave like credit cards without the chip and pin, making it easier for fraudsters to exploit both offline using the swipe and online using the debit card number.

Some will probably ask why online retailers don’t just require a PIN for all purchases as in-store clerks do with EMV. We may see more of that kind of adoption here in the U.S. than we’ve seen in other countries that saw this surge in online fraud, even as offline fraud declined. However, putting any barrier to check out in the ecommerce world means a lot of full shopping carts that never make it to purchase.

We’re all just going to have to be a lot more vigilant about how and when our cards are used. My financial institution now emails me every time one of my cards is charged. I can even set limits so I only get notified for charges more than $25.

But something tells me I’m going to be sitting in my living room in California when I get an email notifying me I just bought a couch in Russia. Let’s just hope I’m no Nostradamus.

Sunday, April 20, 2014

Abney Associates Tech Blog, 3 work-at-home online jobs that aren’t scams

Many people see working at home as the Holy Grail of job perks and thanks to the Internet it’s totally possible. Whether you want a full-time job or just want to make a little extra money on the side, the options are there if you know where to look.

Here are three jobs that you can do from home – and the site and tools you need to make them happen.

But first, I should mention that a lot of “work from home” jobs you’ll find online are scams. You really need to be alert when searching.

  • Always make sure the company is legitimate and has a solid online history.
  • Watch out for jobs that promise outrageous amounts of money a week or month.
  • Never pay any money – such as application processing fees – up front.
  • Never give out personal information in your application that a typical company wouldn’t ask for.
  • Do your research.

With those caveats in mind, let’s look at some jobs.

Friday, April 11, 2014

In a prying world, news organizations are struggling to encrypt their online products of Abney and Associates Tech Research

The old-fashioned newspaper, long maligned for its stodginess and sagging profits, has one advantage over high-tech alternatives: You read it. It never reads you.

The digital sources that increasingly dominate our news consumption, by contrast, transmit information across the fundamentally public sphere of the Internet, leaving trails visible to anyone with the right monitoring tools — be it your employer, your Internet provider, your government or even the scruffy hacker sitting next to you at the coffee shop, sharing the WiFi signal.

This is why privacy advocates have begun pushing news organizations, including The Washington Post, the New York Times and the Guardian, to encrypt their Web sites, as many technology companies increasingly do for e-mails, video chats and search queries.

The growing use of encryption — signaled by the little lock icon in your browser’s address box — has emerged as perhaps the most concrete response to Edward Snowden’s revelations about the ability of the National Security Agency to collect almost anything that exists in digital form, including the locations, communications and online activities of people worldwide.

It’s only fair, say privacy advocates, that The Post and other news organizations that broke these stories heed their key lesson: Online surveillance is pervasive and voracious, especially when data is unprotected.

Among the issues potentially illuminated by what you choose to read, advocates say, are your health concerns, financial anxieties, sexual orientation and political leanings. A single article might mean little, but Big Data companies constantly collect and crunch a broad range of personal information to produce profiles of each of us.

“You could paint a pretty detailed picture of a person — their likes and dislikes — if you could see the articles they’re reading,” said Trevor Timm, executive director of the Freedom of the Press Foundation, one of several groups pushing for wider use of encryption.

Encryption may seem a stretch as a press freedom issue, far from what concerned the Founding Fathers when they enshrined the First Amendment in the Bill of Rights. Yet a free press operates best when the public can make reading decisions without fear that their government — or anyone capable of doing them harm — is looking over their shoulder.

Encrypting something as complex as a news site is enormously difficult, according to technical experts within the industry. Several major news organizations offered encryption for some elements of their sites in recent years but largely stopped when problems arose in displaying content quickly and cleanly to readers, said Peter Eckersley, technology projects director for the Electronic Frontier Foundation, which tracks the use of the technology.

Continue reading at The Washington Post

Thursday, April 10, 2014

Abney and Associates Tech Research: Bitcoin gets easier to buy and spend

It's getting easier for consumers to buy and spend bitcoin, the cybercurrency that has captured much of the tech world.

With each passing month, Bay Area entrepreneurs are rolling out new technology for consumers to buy and store bitcoin, shop online with the virtual currency and send it to friends. Last week, a bitcoin ATM was unveiled in Mountain View -- put in a few hundred bucks, out comes a bitcoin. And more retailers -- from consumer electronics to coffee roasters and pizza delivery -- are accepting bitcoin, making it easier for consumers to choose the Internet currency over dollars.

"It's all about to change over the next 12 to 24 months," said Marshall Hayner, a San Francisco entrepreneur who this month will launch bitcoin app QuickCoin. "We are going to see all kinds of people adopt it. It's going to power transactions on the Internet."

Bitcoin is a cybercurrency and payments network created in 2009 by a mathematical formula as an alternative to banks and government-controlled currency systems. Bitcoins are added one at a time to the network by computer programmers around the world, and most bitcoin is bought and traded on global Internet exchanges.

The Bay Area bitcoin community is filled with entrepreneurs and investors pouring millions of dollars into their projects. But for the rest of us, still buying with cash and plastic, bitcoin is a bit of a mystery.

"You've got people out there who are software engineers who don't understand it," said Vinny Lingham, co-founder of Gyft, a San Francisco digital gift card app that accepts bitcoin. "It's far too complicated out there for the average consumer to understand. But that will change."

Cary Peters is hoping to uncomplicated bitcoin for consumers with the ATM he unveiled at Hacker Dojo, a nonprofit shared tech space in Mountain View. His is the first bitcoin ATM in California, and anyone can use it by setting up an account with a phone number, ID, and face and palm scan, which is used to run a background check to rule out potential fraud.

"Regulation has to be implemented," Peters said, a position rarely heard in the libertarian bitcoin community, but one that experts say is necessary to gain the trust of consumers. After about five minutes, the machine sends a text message that the user can start buying and selling bitcoin. Many bitcoin websites take about four or more days for transactions, and that delay doesn't work for everyone.

"Something you decide you want to do today you may not want to do in four days," said Hami Lerner, a Sunnyvale resident who works in tech and visited the ATM on Tuesday. Bitcoin valuation can fluctuate wildly on any day; in February, it fell more than 85 percent in less than two hours. Recently valuation has ranged between about $450 and $500, about half its all-time high of more than $1,200 in November.

Read full article at Mercury News

Wednesday, April 9, 2014

Abney and Associates Tech Research: The Credit Card of Tomorrow

SINCE the 1970s, paying with plastic has been pretty standard everywhere: Customers swiped their cards, signed receipts and took home their purchases.

But after security breaches at Target late last year led to the loss of personal data from as many as 110 million customers, the financial industry is racing to adopt technologies that will alter that decades-old ritual.

Driven largely by security concerns, credit card companies and issuers say they are working to make the system as consumers know it obsolete through smart chips and advanced computer programming.

To many, it is about time. The roots of the magnetic strip on credit cards extend back to World War II, ample time for thieves to learn to hack and steal those black lines of prized account information.

Credit card fraud totaled nearly $5.3 billion in the United States alone in 2012, giving the industry plenty of incentive to devise a better system. The amount lost to fraud continues to grow by 30 to 50 percent a year, according to estimates from the Aite Group, a research company.

Efforts to bolster card security were underway well before hackers broke into the systems of Target, Neiman Marcus, Michaels and other store chains. But the recent data breaches injected new urgency into adopting newer technology.

“I think this will become a defining moment about how we in the industry think about security,” said Eileen Serra, the chief executive of Chase Card Services.

The credit card industry, especially in the United States, has long relied on increasingly sophisticated analytical programs to weed out potentially fraudulent transactions. But it has also focused on a handful of technologies it contends will better protect customers in stores and online.

One is placing microprocessors onto cards, a standard known as E.M.V. for its initial backers: Europay, MasterCard and Visa. Another is known as tokenization, a way of masking consumers’ card information over the Internet.

Read full article at The New York Times

Tuesday, April 8, 2014

Abney and Associates Tech Research: Bitcoin Regulation Roundup

Rumours, Court Cases and Taxing Times

Regulatory attitudes towards crypto currencies around the world are shifting. Hardly a day goes by without a central bank issuing a warning on the digital currency. However, it’s not all bad news – as some authorities are taking a much more positive approach.

In CoinDesk’s regulation roundup, Certified Public Accountant and ACFE Certified Fraud Examiner Jason Tyra examines the most significant digital currency news from the world’s regulators and law courts over the past two weeks.

USA: Bitcoin is property, says IRS

The US Internal Revenue Service issued a notice in late March that classified bitcoin as property for purposes of taxation, clarified that mined bitcoins are taxable at the time they are received, and specified that bitcoins received in connection with a trade or business or as wages are subject to withholding and/or payment of Medicare or social security taxes.

The reaction among US bitcoiners was mixed. Treatment as a capital asset grants access to preferential capital gains rates for bitcoins held longer than a year and a day, but imposes the burden of tracking basis and gain for every bitcoin received or spent.

This is good news for US taxpayers using bitcoin as a store of wealth, but terrible news for those who might use it as a means of exchange.

The subtleties and implications of the IRS notification are likely to fuel debate among US bitcoin enthusiasts for months to come: for example, the IRS did not specify whether taxpayers exchanging bitcoins for other crypto-currencies would be entitled to defer taxable gain under like-kind exchange rules.

Rejection of non-functional (otherwise known as ‘foreign’) currency treatment by the IRS has also created uncertainty as to the implications, if any, for FinCEN’s designation of bitcoin as a monetary instrument.

USA: Texas following NY example?

The Texas Department of Banking released a letter this week addressed to “virtual currency companies operating or desiring to operate in Texas” that declared that, “because cryptocurrency is not money under the Money Services Act, receiving it in exchange for a promise to make it available at a later time or different location is not money transmission” in the state.

However, since the Texas Department of Banking is a state-level agency, its declaration has no impact on FinCEN’s federal registration requirements.

Texas has aggressively cultivated a business-friendly climate in recent years, poaching a number of high-profile companies from higher tax and higher regulation states. Austin, Texas is especially well known as a progressive hub for technology companies, including many bitcoin startups.

Read full article at CoinDesk