Friday 29 January 2010

Security researchers blast credit card verification system


Some credit card companies use a system called 3-D Secure (3DS) that adds an extra step to transactions that are carried out on the Internet. Visa and MasterCard tout their security, but researchers are questioning their efficacy.

When making a purchase, online shoppers are confronted with a validation check that requires them to supply a password—in addition to the standard security code that is on the card itself—in order to prove that they are the real owner of a credit card. Systems built on 3DS are better known by their brand names, which include Verified by Visa and MasterCard SecureCode.

Security researchers say that these validation systems—which are used by over 200 million cardholders—suffer from serious security deficiencies. Although the failings of 3DS and its lack of conformance with best practices are well-documented, it has still been widely adopted by online retailers because it allows them to deflect the liability for fraud back to the credit card companies.

Some of the credit card companies take advantage of 3DS by wrapping their implementations of the validation system in draconian terms of service that force users to agree to accept full liability for credit card fraud. To make matters worse, some retailers don't allow consumers to opt out. The 3DS Activation During Shopping (ADS) functionality often ropes in users and gets them to sign up without fully realizing what they are doing.

In a paper presented at the Financial Cryptography conference, researchers Ross Anderson and Steven Murdoch reveal the dark underbelly of 3DS and show how the service is detrimental to consumers.

"From the engineering point of view, [3DS] does just about everything wrong, and it's becoming a fat target for phishing," wrote Anderson in an entry at the University of Cambridge security research blog. "This is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure."

The standard method of integrating 3DS verification in a website involves using HTML iframes. This is highly problematic, because it means that users won't be able to rely on the security features of their browser—such as certificate highlighting in the browser URL bar—to easily distinguish between phishing sites and legitimate 3DS verification. The inability to visually ascertain whether the certificate is valid exposes users to the possible risk of man-in-the-middle attacks.

Another problem with 3DS highlighted in the report is that it fails to specify a consistent mechanism for verification. Individual implementors are free to choose the verification method on their own, and often make really poor choices. For example, the report says that one bank requires cardholders to enter their ATM PIN during the verification process. This is shoddy security practice: it encourages consumers to adopt risky habits and exposes them to significant risk from phishing scams.

Fixing the problems

The widespread and growing adoption of 3DS is difficult to combat because it offers built-in incentives for merchants and banks by making it easy for them to shift liability to the consumer. The researchers say that the time has come for better technology and regulatory intervention.

Financial institutions have aggressively embraced the concept of electronic passwords in some countries—such as the UK—because passwords aren't covered by the laws that protect consumers from the consequences of transactions that are carried out with forged signatures. The security researchers say that the banks should only get to shift the liability to the consumer when transactions are validated by a trustworthy payment device—a piece of hardware, similar to a CAP calculator, that connects to the user's computer and implements a two-factor authentication model.
Further reading

* Paper (PDF) (cl.cam.ac.uk)
* PCWorld (news.yahoo.com)

By Ryan Paul
http://arstechnica.com

Thursday 28 January 2010

How unique is your browser?

Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies.

Panopticlick tests your browser to see how unique it is based on the information it will share with sites it visits. Click below and you will be given a uniqueness score, letting you see how easily identifiable you might be as you surf the web.

Only anonymous data will be collected by this site.
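The uniqueness score Panopticlick reports comes from combining attributes that are each fairly common on their own. The following is an added example (not code from Panopticlick or the EFF) that works through that arithmetic on a constructed population of eight browsers; the attribute values and the population are made up for illustration, and the "bits" figure assumes the attributes are independent, which overstates the real number.

```javascript
// Constructed population of eight browsers (illustrative, not measured data).
const population = [
  { ua: 'Firefox/3.5', tz: '-480', screen: '1280x800', fonts: 'set-A' },
  { ua: 'Firefox/3.5', tz: '-480', screen: '1280x800', fonts: 'set-B' },
  { ua: 'Firefox/3.5', tz: '-300', screen: '1024x768', fonts: 'set-A' },
  { ua: 'Firefox/3.5', tz: '0',    screen: '1024x768', fonts: 'set-A' },
  { ua: 'IE/8',        tz: '-480', screen: '1024x768', fonts: 'set-A' },
  { ua: 'IE/8',        tz: '-300', screen: '1280x800', fonts: 'set-B' },
  { ua: 'Chrome/4',    tz: '0',    screen: '1280x800', fonts: 'set-A' },
  { ua: 'Chrome/4',    tz: '0',    screen: '1024x768', fonts: 'set-B' },
];
const ATTRS = ['ua', 'tz', 'screen', 'fonts'];

// Number of browsers in the population that agree with `browser` on every attribute in `attrs`.
function matching(pop, browser, attrs) {
  return pop.filter(b => attrs.every(a => b[a] === browser[a])).length;
}

// Surprisal of one attribute value in bits: -log2(fraction of the population sharing it).
// A value shared by half the population is worth 1 bit; a value nobody else has is worth log2(N) bits.
function surprisalBits(pop, attr, value) {
  const share = pop.filter(b => b[attr] === value).length / pop.length;
  return -Math.log2(share);
}

// Sum of the per-attribute surprisals: the usual "bits of identifying information"
// estimate. It treats attributes as independent, so it can overstate the true figure.
function fingerprintBits(pop, browser) {
  return ATTRS.reduce((bits, a) => bits + surprisalBits(pop, a, browser[a]), 0);
}

// A browser is unique in the population when nobody else shares the whole tuple.
function isUniqueInPopulation(pop, browser) {
  return matching(pop, browser, ATTRS) === 1;
}

const me = population[0];
console.log(`user agent alone: ${matching(population, me, ['ua'])} of ${population.length} browsers match`);
console.log(`all attributes:   ${matching(population, me, ATTRS)} of ${population.length} browsers match`);
console.log(`fingerprint ~ ${fingerprintBits(population, me).toFixed(2)} bits; unique: ${isUniqueInPopulation(population, me)}`);
```

The first browser shares its user agent with three others, yet no other browser shares all four attributes, so it is trackable without any cookie at all. Disabling one attribute (for example, not reporting installed fonts) lowers the score only if the remaining attributes are still shared by several browsers.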

Pentagon Searches for ‘Digital DNA’ to Identify Hackers


One of the trickiest problems in cyber security is trying to figure who’s really behind an attack. Darpa, the Pentagon agency that created the Internet, is trying to fix that, with a new effort to develop the “cyber equivalent of fingerprints or DNA” that can identify even the best-cloaked hackers.

The recent malware hit on Google and other U.S. tech firms showed once again just how hard it is to pin a network strike on a particular person or group. Engineers are pretty sure the attack came from China, and it sure was sophisticated enough to come from a state military like China’s. But it’s hard to say conclusively that the People’s Liberation Army launched the strike.

It’s the kind of problem Darpa will try to solve with its “Cyber Genome” project. The idea “is to produce revolutionary cyber defense and investigatory technologies for the collection, identification, characterization, and presentation of properties and relationships from collected digital artifacts of software, data, and/or users,” the agency announced late Monday.

These “digital artifacts” will be collected from “traditional computers, personal digital assistants, and/or distributed information systems such as ‘cloud computers’,” as well as “from wired or wireless networks, or collected storage media. The format may include electronic documents or software (to include malicious software - malware).”

Ultimately, Darpa wants to develop the “digital equivalent of genotype, as well as observed and inferred phenotype in order to determine the identity, lineage, and provenance of digital artifacts and users.”

“In other words,” The Register’s Lew Page notes, “any code you write, perhaps even any document you create, might one day be traceable back to you - just as your DNA could be if found at a crime scene, and just as it used to be possible to identify radio operators even on encrypted channels by the distinctive ‘fist’ with which they operated their Morse keys. Or something like that, anyway.”

The Cyber Genome project kicks off this week with a conference in Virginia.

[Photo: NASA]

By Noah Shachtman

Thursday 21 January 2010

Imperva, a data security firm, said it had analysed around 32 million passwords that had been exposed in a recent hack of the RockYou website.

In December last year a hacker breached the site's company database and gained access to the unencrypted usernames and passwords of all its 32 million users.

After studying the security breach Imperva has come up with a list of the most commonly used passwords which website users should avoid.

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” said Amichai Shulman, Imperva’s chief technical officer.

“Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’,” he added.

“The problem has changed very little over the past 20 years. It’s time for everyone to take password security seriously; it’s an important first step in data security.”

The ten most commonly used passwords analysed in the study were:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
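The analysis Imperva describes is a frequency count over a leaked password list, followed by asking what share of accounts the top few guesses would open. As an added example (not Imperva's code or the RockYou data), the block below runs that count over a small constructed sample of twenty passwords, and then uses the ten passwords listed above as a blocklist of the kind a site can apply at sign-up.

```javascript
// Constructed sample of leaked passwords, one entry per account (illustrative, not RockYou data).
const dump = [
  '123456', '123456', '123456', '123456', '123456',
  'iloveyou', 'iloveyou', 'iloveyou',
  '12345', '12345',
  'password', 'Password', 'qwerty', 'princess', 'abc123', 'rockyou',
  'Tr0ub4dor&3', 'correct horse battery', 's3cr3t-9Kx', 'xK9#mQ2p',
];

// Count how many accounts use each exact password string.
function frequencyTable(passwords) {
  const counts = new Map();
  for (const pw of passwords) counts.set(pw, (counts.get(pw) || 0) + 1);
  return counts;
}

// The n most common passwords; ties are broken alphabetically so the result is deterministic.
function topPasswords(passwords, n) {
  return [...frequencyTable(passwords)]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .slice(0, n)
    .map(([pw]) => pw);
}

// Fraction of accounts that would be opened by trying only `guesses` against every account.
// This is the kind of measurement behind the "one account per second" figure quoted above.
function coverage(passwords, guesses) {
  const guessSet = new Set(guesses);
  return passwords.filter(pw => guessSet.has(pw)).length / passwords.length;
}

// The ten passwords from the Imperva list, used as a sign-up blocklist.
const TOP10 = ['123456', '12345', '123456789', 'Password', 'iloveyou',
               'princess', 'rockyou', '1234567', '12345678', 'abc123'];

// Case-insensitive blocklist check: 'PASSWORD' and 'password' are rejected just like 'Password'.
function isBlocked(candidate, blocklist = TOP10) {
  const lowered = candidate.toLowerCase();
  return blocklist.some(pw => pw.toLowerCase() === lowered);
}

const top3 = topPasswords(dump, 3);
console.log('most common:', top3);
console.log(`share of accounts opened by those three guesses: ${(coverage(dump, top3) * 100).toFixed(0)}%`);
console.log('PASSWORD blocked?', isBlocked('PASSWORD'), '| xK9#mQ2p blocked?', isBlocked('xK9#mQ2p'));
```

In the constructed sample three guesses cover half of all accounts, which is why a short blocklist at sign-up removes most of the value of automated guessing against a site.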

The Internet is about to get a lot safer!

DNS, the Domain Name System, is one of the major pillars of the Internet. It’s a critical service, and without it we would all have to use IP addresses instead of handy domain names like “Pingdom.com” when we want to visit websites, send emails, and so on.

However, DNS has a huge flaw. Because DNS lacks security features it has been relatively easy for hackers to trick DNS servers with false information. By tricking DNS servers, hackers have been able to hijack entire websites. Needless to say, attacks such as these are a security nightmare and can be used for a large variety of malicious purposes such as site defacement, phishing, malware installations, and more.

For example, last December (on the 17th) visitors to Twitter.com were redirected to a completely unrelated website for over an hour. All because of compromised DNS servers.

In a step to counter these kinds of threats, a set of security extensions called DNSSEC has been developed. However, actually deploying these security extensions and making them part of the Internet's DNS infrastructure has proven a long and arduous process with many delays. In practical terms, DNSSEC adoption today is almost non-existent.

DNS security, the story so far

DNSSEC stands for Domain Name System Security Extensions, and just as its name implies, it adds a layer of security on top of the otherwise insecure DNS. DNSSEC protects the integrity of DNS data and makes sure that it comes from a verified source.

With DNSSEC, site owners such as Twitter can certify that they are the true originator of the Twitter.com domain data and are therefore a credible source, and end users looking up domain names can verify that the result they get back comes from a trusted source (e.g. the real Twitter).

One of the main problems so far has been that for DNSSEC to be practically viable, it needs to be incorporated in the root zone, on the DNS root servers of the Internet. They are the core DNS servers that all other DNS servers depend on, like the roots of a tree or the foundation of a building. This so far hasn't been the case.

But next week, this important step is finally about to happen. Or rather, it will start to happen.

DNS security extensions in the root zone

Next week we will enter a testing phase where ICANN, the main organizing body of the Internet, and Verisign, the registry of .com and .net, start adding DNSSEC to the various DNS root servers on the Internet.

Since the root servers are so critical the rollout will be incremental and is planned to last well into May, with plenty of testing of the results in the meantime to make sure that there are no problems. After all, breaking the root zone would essentially break the entire Internet.

Fortunately there isn’t any one single point of failure. There are 13 sets of root servers, numbered from A to M. In total there are about 200 root servers, spread all over the world.

Above: Map of root server locations. (From root-servers.org.)

Providing the testing goes well, the security changes to the Internet's DNS root servers will be made permanent on July 1. At this point security in the root zone will be switched on and we will have taken a big step toward a more secure Internet.

This is actually Big News. There will still be a lot of work to be done to get the entire DNS infrastructure to properly support DNSSEC on all levels, and this will take time, but once DNSSEC is included in the root zone, DNSSEC adoption is predicted to get a huge boost.

Posted in Main on January 19th, 2010 by Pingdom

Monday 18 January 2010

Would You Have Spotted the Fraud?

Pictured below is what's known as a skimmer, a device made to be affixed to the mouth of an ATM machine and secretly swipe credit and debit card information when bank customers slip their cards into the machine to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.

This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?


This is a fairly professional job: notice how the bulk of the electronics fit into the flap below the card acceptance slot. Also, check out the tiny pinhole camera (pictured below), ostensibly designed to switch on and record the victim's movements as he or she enters their PIN at the ATM.



Also check these pics:

http://twitpic.com/4pko1
http://twitpic.com/4pknu

found on http://www.krebsonsecurity.com

Friday 15 January 2010

UPDATE: Police catch Facebook-taunting fugitive

LONDON - An escaped British convict whose online antics drew an international Internet fan base has been caught after nearly four months on the run, police said Wednesday.

Craig "Lazie" Lynch, 28, was caught by Scotland Yard in southern England on Tuesday night. The force confirmed only that he had been arrested and gave few other details.

Lynch was serving time for burglary at a minimum security prison in Suffolk, eastern England. He escaped on Sept. 23 and has spent much of his time since posting defiant photos of himself mocking the police on the Internet.

The ensuing media attention drew as many as 40,000 fans to his Facebook page and other associated fan sites, spawning T-shirts and even a tribute song.

Lynch's page could not be located Wednesday.

Suffolk Constabulary said that Lynch had been charged with escaping from custody and was due to appear in court later Wednesday.

Online scammers try to hijack Haiti donation bandwagon

People are rushing to help out the millions affected by this week's Haitian earthquake. Scammers are also rushing to take advantage of that generosity.

News of this week's devastating earthquakes in Haiti spread quickly across the Internet as people looked for ways to help in the recovery efforts from home. As usual, scammers have seized the opportunity to take advantage of search engine trends by setting up fake charity sites and sending out spam soliciting donations that will go anywhere but Haiti.

Scammers pop up anytime something significant happens, whether it's a natural disaster or the death of a celebrity, trying to redirect users to their just-registered domains to infect people with malware. Disasters such as the Haiti quakes, though, have the added benefit of concerned citizens wanting to donate money—indeed, as we learned during Hurricane Katrina, large numbers of ignorant Internet users were duped by fake donation sites and ended up sending their money to those with ill intentions instead of charities that could help those in need. And not all of them are obvious scams, either—one e-mail circulating in the UK claims to come from the British Red Cross and even displays the real Red Cross address in London, but directs users to a different domain when they try to click through.

The problem is serious enough that several organizations have issued warnings this time around, urging those looking to donate to do their research and choose reputable charities. For example, the Better Business Bureau has a quick guide on what to look for when donating money to Haiti recovery efforts. The Federal Bureau of Investigation also has a fraud alert on its site, warning people to be wary of unsolicited e-mails, those soliciting on social networking sites, and those who claim to be making donations to a charity on your behalf. The takeaway from both the BBB and the FBI is to only donate to charities that you know and trust, and if you need help, there's a list where you can research relief organizations that are accredited by the BBB.

If you don't have time or energy to do the research, however, we'll provide a few suggestions for you. The most obvious choice is to donate to the Red Cross, which has told various news outlets that it has already exhausted all of its supplies in Haiti and that there are far more people in need of help. However, the Red Cross website isn't the only place you can donate anymore—the organization says you can donate a quick $10 just by texting the word "Haiti" to 90999. There's also Doctors Without Borders/Médecins Sans Frontières, an international organization created by doctors that provides relief efforts around the world.

There are a number of other donation memes spreading around Facebook and Twitter, most of which ask you to SMS something to a number to donate $5 or $10. We caution you, however, to be wary of these unless you hear it directly from a reputable organization (such as the Red Cross, as mentioned above)—there's no telling how much you're actually charging back to your own phone bill or what services you may inadvertently sign up for.

While you wait for your donations to go through, you can head over to Google Maps to catch updated satellite images of the destruction areas. Google is also offering a KML overlay for Google Earth as part of its partnership with GeoEye.

Friday 8 January 2010

1 in 6 Massachusetts Residents Estimated Affected By Data Breaches from 2008 Through 2009


The Boston Globe had a sobering story over the weekend in which it estimated that 1 in 6 Massachusetts residents were affected by some type of data breach over the past two years.

According to the Globe, its review of state recorded data breaches showed that at least 1 million state residents had their data compromised through credit card theft, unauthorized medical information disclosures, or other types of confidential data breaches. The Globe story also provides a list of some of the more prominent data breaches reported to the state from June to November 2009 - there were 13 of them affecting over 88,000 residents.

In 2007, Massachusetts passed a law requiring that institutions such as banks, stores and universities inform consumers and state regulators about security breaches that might result in identity theft. Since then, the Globe says, some 807 data breaches had been reported to state officials by the end of November 2009.

The Globe said that 60% of the disclosed data breaches were caused by criminal acts, while 40% were due to negligence.

However, the Massachusetts disclosure law has some loopholes, exposed by the Hannaford episode in 2008, which may result in under-reporting of unauthorized data disclosures.

In addition, according to this paper by Sasha Romanosky et al. at the Heinz School of Public Policy and Management at Carnegie Mellon University, disclosure laws such as the one in Massachusetts don't do much in the way of reducing identity theft.

Given the number of data breaches, it is almost a certainty that someone in Massachusetts has had their personal data disclosed more than once. If anyone has had this happen to them, I would be very interested in hearing about it.

The Globe also writes that, "On March 1, new state regulations will require organizations to take stronger measures to ensure data security. Institutions that hold such personal data will have to write an official security program and train employees to follow it. In addition, organizations will have to encrypt all personal data stored on laptops, flash drives, or other portable devices, or that is transmitted over the public Internet or wireless networks."

It will be interesting to see how long after the 1st of March it will be before a data breach is disclosed to state officials that violates these new rules. I would be surprised if it takes more than 3 months.

POSTED BY: Robert Charette

Tuesday 5 January 2010

New airport scanners break child porn laws


A 12-month trial at Manchester airport of full body scanners only went ahead last month after under-18s were exempted. Photograph: Paul Ellis/AFP/Getty Images

The rapid introduction of full body scanners at British airports threatens to breach child protection laws which ban the creation of indecent images of children, the Guardian has learned.

Privacy campaigners claim the images created by the machines are so graphic they amount to "virtual strip-searching" and have called for safeguards to protect the privacy of passengers involved.

Ministers now face having to exempt under-18s from the scans or face the delays of introducing new legislation to ensure airport security staff do not commit offences under child pornography laws.

They also face demands from civil liberties groups for safeguards to ensure that images from the £80,000 scanners, including those of celebrities, do not end up on the internet. The Department for Transport confirmed that the "child porn" problem was among the "legal and operational issues" now under discussion in Whitehall after Gordon Brown's announcement on Sunday that he wanted to see their "gradual" introduction at British airports.

A 12-month trial at Manchester airport of scanners which reveal naked images of passengers including their genitalia and breast enlargements, only went ahead last month after under-18s were exempted.

The decision followed a warning from Terri Dowty, of Action for Rights of Children, that the scanners could breach the Protection of Children Act 1978, under which it is illegal to create an indecent image or a "pseudo-image" of a child.

Dowty told the Guardian she raised concerns with the Metropolitan police five years ago over plans to use similar scanners in an anti-knife campaign, and when the Department for Transport began a similar trial in 2006 on the Heathrow Express rail service from Paddington station.

"They do not have the legal power to use full body scanners in this way," said Dowty, adding there was an exemption in the 1978 law to cover the "prevention and detection of crime" but the purpose had to be more specific than the "trawling exercise" now being considered.

A Manchester airport spokesman said their trial had started in December, but only with passengers over 18 until the legal situation with children was clarified. So far 500 people have taken part on a voluntary basis with positive feedback from nearly all those involved.

Passengers also pass through a metal detector before they can board their plane. Airport officials say the scanner image is only seen by a single security officer in a remote location before it is deleted.

A Department for Transport spokesman said: "We understand the concerns expressed about privacy in relation to the deployment of body scanners. It is vital staff are properly trained and we are developing a code of practice to ensure these concerns are properly taken into account. Existing safeguards also mean those operating scanners are separated from the device, so unable to see the person to whom the image relates, and these anonymous images are deleted immediately."

But Shami Chakrabarti, of Liberty, had concerns over the "instant" introduction of scanners: "Where are the government assurances that electronic strip-searching is to be used in a lawful and proportionate and sensitive manner based on rational criteria rather than racial or religious bias?" she said.

Her concerns were echoed by Simon Davies of Privacy International who said he was sceptical of the privacy safeguards being used in the United States. Although the American system insists on the deletion of the images, he believed scans of celebrities or of people with unusual or freakish body profiles would prove an "irresistible pull" for some employees.

The disclosures came as Downing Street insisted British intelligence information that the Detroit plane suspect tried to contact radical Islamists while a student in London was passed on to the US.

Umar Farouk Abdulmutallab's name was included in a dossier of people believed to have made attempts to deal with extremists, but he was not singled out as a particular risk, Brown's spokesman said.

President Barack Obama has criticised US intelligence agencies for failing to piece together information about the 23-year-old that should have stopped him boarding the flight.

Brown's spokesman said: "There was security information about this individual's activities and that was shared with the US authorities."

by
Alan Travis, home affairs editor
guardian.co.uk