Posted on March 17, 2010 at 3:21 pm by Eugen
The Internet Crime Complaint Center (IC3) recently released their report on 2009 Internet crime statistics. As you can probably guess, there were more complaints, more losses, higher average loss per incident. IC3 is a federally funded non-profit, a joint operation between the FBI and the National White Collar Crime Center (NW3C).
In brief:
- Complaints received: 336,655
- Total loss: $559.7 million
- Complaints up 22.3 percent from 2008
- Median dollar loss: $575
- Average dollar loss: $1,633

Top five categories of offenses:
- Non-delivered merchandise and/or payment – 19.9%
- Identity theft – 14.1%
- Credit card fraud – 10.4%
- Auction fraud – 10.3%
- Computer fraud – 7.9%
Find lots more data and demographic information by reading the full report at IC3.
Posted on March 9, 2010 at 3:01 pm by Eugen
Several researchers at the University of Michigan have succeeded in cracking the RSA security technology which protects all ecommerce and online banking transactions.
The university scientists found that they could deduce tiny pieces of a private key by injecting slight fluctuations in a device’s power supply as it was processing encrypted messages. In a little more than 100 hours, they fed the device enough “transient faults” that they were able to assemble the entirety of its 1024-bit key.

“The RSA algorithm gives security under the assumption that as long as the private key is private, you can’t break in unless you guess it. We’ve shown that that’s not true,” said Valeria Bertacco, an associate professor in the Department of Electrical Engineering and Computer Science.
Read the full statement here.
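The standard defensive response to this class of fault attack is for the signing device to verify its own output with the public key before releasing it, so a corrupted signature never leaves the device. The following is an added example, not code from the Michigan paper or from this blog; it uses a constructed toy key and simulates the transient fault as a single bit flip in the running value of the exponentiation.

```python
import random

# Constructed toy RSA key: tiny primes for readability, not a real 1024-bit key.
P, Q = 61, 53
N = P * Q                                # modulus, 3233
E = 17                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, 2753

def rsa_private_op(m, d, n, fault_at=None):
    """Left-to-right square-and-multiply for m^d mod n.

    fault_at=(step, bit) flips one bit of the running value after that
    step, standing in for a transient fault induced through the power
    supply while the device is using its private key."""
    r = 1
    for step, bit in enumerate(bin(d)[2:]):
        r = (r * r) % n
        if bit == "1":
            r = (r * m) % n
        if fault_at is not None and fault_at[0] == step:
            r ^= 1 << fault_at[1]
    return r % n

def sign_guarded(m, d, e, n, fault_at=None):
    """Sign m, then re-check with the public key before releasing the result.

    A faulty signature is exactly what the attack collects; refusing to emit
    one starves it of data. Returns (signature, None) or (None, 'fault detected')."""
    s = rsa_private_op(m, d, n, fault_at)
    if pow(s, e, n) != m % n:
        return None, "fault detected"
    return s, None

if __name__ == "__main__":
    m = random.randrange(2, N)
    last_step = D.bit_length() - 1
    print("clean run:  ", sign_guarded(m, D, E, N))
    print("faulted run:", sign_guarded(m, D, E, N, fault_at=(last_step, 0)))
```

A fault injected at the final step is always caught here, because RSA is a permutation on the residues mod n, so a signature off by one cannot verify back to the same message.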
Posted on March 4, 2010 at 2:30 pm by Kathy

Small business or large, studies show that all companies are at risk of attack by hackers. Government agencies including the FBI have suggested using a separate computer for all transactions involving money or sensitive information, but from a business view, that isn’t scalable or practical. So we’re gonna spill the beans for you. We’re not claiming to bullet-proof your enterprise, but a few minor tweaks may deflect attack, because – as we’ve seen – the lowest hanging fruit is usually what gets picked off. Let’s raise up your proverbial tree and get that fruit out of reach, shall we?
- Beware the man (or woman) behind the curtain. Spear phishers are looking for quality, and they’ll do their research well. Often, though, they won’t go for the high-profile target directly; they’ll go to someone who pushes the buttons for that person – an executive assistant, general counsel, staff attorney. Those people are more likely to be phished than, say, the CEO or CFO. They need to be super vigilant about the links they click on and the sites they log in to, in a sense expecting that someone will try to dupe them. And that is why they should follow the next piece of advice.
- Look for non-obvious clues. Anyone can duplicate a logo or make a look-alike login page. But a vast number of attacks come from non-English-speaking countries. If an ‘official’ communication uses rotten grammar and is overly casual, be suspicious. Hover over links and read the entire link source before clicking – is the format what it should be? Trust your gut. If something seems odd, don’t click. And just like dad always told you, if it seems too good to be true, it probably is.
- Be cautious of downloads. Certain people – like lawyers – deal with downloads all day. PDFs and other documents are sent back and forth, passed around, read and re-read. Are you aware that PDFs can carry a malicious payload that compromises your computer? Don’t download PDFs thinking they’re just harmless documents. Note the sender (or host), and make certain it’s something you requested or critically need. And if you’re unsure, confirm the credentials before downloading.
- Use unique email addresses if you can, only giving out your ‘real’ email address to people you trust. It’s easy if you have your own domain – myspace@jennycramer.com, travel@jennycramer.com, amazon@jennycramer.com. If you don’t have your own domain, you can at least set up a public email address and a private email address. The public one would be the one you use on websites that require opt-ins, on forms for store loyalty programs, etc. And you would know that anyone can gain access to that account.
- Don’t click on anything in an email. If you think about it, you hardly ever receive something vitally important in an email that requires a click. There’s the occasional “click to verify your account” message, but let’s be honest – you expect those, they come right on time, and you were told in advance when and where it would come. So if you didn’t ask for it, don’t click on it.
- You know those patches for software? Ever wonder if they’re for real? Well, they are. Use them. They’re there to protect you, so let them.
- Avoid P2P – peer-to-peer – download applications. BitTorrent, Rapidshare, you know what I’m talking about. If you want to do it at home, go for it. But there’s no place for it on an enterprise computing network. Those things are rife with malware.
- Switch your company and your home router’s DNS resolver to use OpenDNS. Do it right now, I’ll wait. There’s no reason to use the default DNS provided by your Internet service provider. OpenDNS has a gigantic cache that will speed up your queries and a free Website filtering service that might interest some companies. Even if you don’t want the filtering, its robust and secure DNS infrastructure can shield you from well-known attacks at the DNS level.
- “Bob” saying so doesn’t make it so. We’ve all had that experience where ‘Bob’ says that if we download that patch or install the new version or upgrade the antivirus software, application xyz will fail to work and the entire business will crash. Are you really going to let ‘Bob’ put your entire network at risk? If the mission-critical application needs to be tweaked for upgrades, tweak it. And silence Bob – your enterprise security is more important than Bob’s personal opinion. Sorry, Bob.
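The “hover over links and read the entire link source” check above can also be automated for HTML mail. The following is an added example written for this post, not code from the CIO article or from Tricerion: it pulls every anchor out of an HTML message and flags the ones whose visible text names one host while the href points somewhere else, uses a raw IP address, or uses a non-HTTP scheme. The sample message and the hostnames in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a URL or bare domain appearing in a link's visible text.
DOMAIN_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[A-Za-z]{2,}(?:/\S*)?")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Lower-cased host of a URL or bare domain, '' if there is none."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def suspicious_links(html):
    """Return (visible text, href, reason) for links that fail the hover check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = DOMAIN_RE.search(text)
        shown_host = host_of(shown.group(0)) if shown else ""
        if href.lower().startswith(("javascript:", "data:")):
            findings.append((text, href, "non-http scheme"))
        elif target and all(c.isdigit() or c == "." for c in target):
            findings.append((text, href, "raw IP address instead of a name"))
        elif shown_host and shown_host != target and not target.endswith("." + shown_host):
            findings.append((text, href, f"text says {shown_host}, link goes to {target}"))
    return findings

# Constructed sample: the first link's text names example.com, its href does not.
SAMPLE = """<p>Dear customer, please <a href="http://www.example.com.login-check.test/">
verify your account at https://www.example.com/login</a> within 24 hours.
Help: <a href="https://www.example.com/help">https://www.example.com/help</a></p>"""
```

A link whose href is a subdomain of the host named in the text (text “example.com”, href on mail.example.com) is deliberately not flagged, since that is the common legitimate layout.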
We have to thank CIO magazine for the tips here – many of them came from their informative article on enterprise security. And to conclude, if you have influence over your business’ security procedures, make sure you have policies in place to inform your people about what’s acceptable and what’s not. It doesn’t take militant enforcement – your people want their computers to be safe. They just need to know how.
Posted on March 1, 2010 at 5:40 pm by Kathy
First Direct bank in the UK has been the first British bank to embrace Twitter. Does that really surprise anyone? As a 100% online bank, they’ve maintained a business pace a few clicks ahead of competitors in online services.
But last weekend their clients and colleagues got a little surprise. First Direct’s Twitter account was compromised and sent direct messages – the Twitter equivalent of short emails – to its contacts. What’s more, these weren’t just any direct messages – they were pornographic. I don’t think that boosted their image of professionalism. The direct messages carried tantalizing links, and upon clicking, users were asked to log in to Twitter. Of course, it was a phishing attack in which the users were actually divulging their password to hackers.
The next day First Direct sent out a series of tweets that did little to allay fears – they mentioned twice that they’d been hacked, then tried to reassure clients that only the Twitter account had been hacked – not the bank – and that no user passwords were involved.

The Register reader Paul Eagles comments in Twitter style, 140 characters or less: “Let’s hope they are more secure with their banking systems than their twitter account.” Here’s the deal. This attack phished bank users and convinced them to give away their passwords for Twitter. The problem is that a large number of users have the same password for all their accounts, giving hackers potential access to more than just Twitter accounts.
So, a note to all users on all platforms. If a link sent to you looks suspect, it probably is. Clicking on it is unwise, and entering any information about yourself is plain foolishness. Your bank won’t send you porn. I promise.
Posted on February 26, 2010 at 1:23 am by Eugen
Browsing on the web just became a little scarier. A group of researchers found a way to deploy an attack that can “de-anonymize” the user behind the browser (research paper available in PDF format). Focusing on users of social networking sites (LinkedIn.com, Facebook, Xing.com, etc.), these security researchers show how to de-anonymize a user by taking a “browser fingerprint”: a JavaScript snippet queries the color of various links to find out whether the user has visited those sites in the past, and that information is used to essentially “triangulate” the user. Taking Xing.com as the example and proof of concept: this business networking site lets its users join a variety of groups. Since many of these groups have open membership lists, it is possible to build a service that correlates the visited-link data with these publicly available group lists, thus pinpointing the user from their browsing history. With this kind of relevant personal information in hand, it becomes easy to build effective spear phishing attacks.
At Xing.com, the site used to test this theory, it is impressive how quickly the technical team implemented the appropriate safeguards to protect their users from this type of attack (hotfix deployment took 3 days from learning about the potential threat).
Now that the whole world knows how to launch this type of attack it may be wise to adjust the privacy settings of your browsers so that your browsing history is either not recorded or is erased fairly often. Alternatively, use this plug-in for Firefox – Stanford SafeHistory.
Posted on February 19, 2010 at 6:03 pm by Kathy
I was in a conversation this week with someone else in the online security space and I happened to mention that I think Tricerion’s Safe Login is pretty darn sweet. He was a proponent of a keyfob token that additionally used a USB cord and a card too. Yikes. That’s too complicated for me. In the course of our conversation he told me that Tricerion’s system is very user-friendly and elegant for enterprises, but… (so he said) it doesn’t protect against trojans or malware. WHAT?
Ahem. I’m here to clear up that awful myth that Tricerion strong mutual authentication is less secure than those irritating tokens. So here it is folks, the cold, hard facts.
Malware and trojans are all about stealing passwords. They steal them by capturing typed-in passwords and login names. With Safe Login, passwords are never typed in – they’re entered on an on-screen keyboard, using the mouse to select either the alphanumeric characters or the pictures that make up a password. To malware, it’s like grasping at air – there’s nothing for it to catch.
What makes Safe Login even more special is that it anticipates and protects against something that has never happened. See, virtually every (secure) login everywhere is protected by 128-bit encryption. No one has figured out how to crack it, but that doesn’t mean hackers aren’t trying. And if someone did crack it, the world would be their oyster. They’d have all logins and passwords in open text, able to hack just about anything, anywhere. Tricerion has this really elegant, intuitive system that separates data streams, so that if SSL 128-bit encryption were ever cracked, anyone using Tricerion’s system would be protected.

Posted on February 9, 2010 at 8:57 pm by Eugen
A worldwide phishing attack on carbon emissions trading registries forced registries in nine countries to shut down, while in other countries trading was temporarily suspended. Fake registries (phishing sites) were set up by a group of criminals who then sent out messages to thousands of users in different companies, making off with about 250,000 emissions permits, worth over 3 million Euros ($4.1M, £2.6M).
Taking a quick look at several of these emissions trading registries’ websites (DEHSt, DEFRA, ETR.ie, etc.), it appears that SSL certificates are the extent of the security on all of them. While the banking industry is generally perceived to be very conservative when it comes to adopting new technologies, in the past several years a large number of banks have chosen mutual authentication technologies as an effective and low-cost solution to fight phishing. As criminals learn about new schemes where social engineering can turn into profit, they will pursue other industries that are vulnerable and that have not adopted safe login mechanisms.
The moral of the story? Mutual authentication isn’t just for banks. Companies in other industries need to anticipate cyberthieves just as much as banks do. What’s next?
Posted on February 4, 2010 at 1:02 pm by Kathy
Well, it might not be the best career move and it probably won’t help you pad your resume, but hey – income is income, right? According to Reuters cyberthieves are hiring, and they’re placing ads online.
One site, for example, pays $180 (£112) for each 1,000 times that malware is downloaded onto a US computer, but less for computers elsewhere. It refuses to pay for any downloads to Russian computers, causing Stevens and others to strongly suspect that it, like other similar sites, is based in Russia.
“We pay your wages via the following systems: Fethard, WebMoney, Wire, e-gold, Western Union (WU), MoneyGram, Anelik and ePassporte, and PayPal,” the site said.
Think they include pension plans? Retirement? Paid holidays and sick days? Hm… probably not. Seeing as how it’s illegal, we wouldn’t suggest you take them up on the offer. But it is an indication these crooks are getting a little cocky – a little brazen – in their tactics.

Posted on February 3, 2010 at 2:28 am by Kathy

2 of my 3 Twitter accounts asked me to reset my password this morning when I signed in. It seems that a third party application may have compromised accounts, but stories abound about what really happened.
What I can tell you is that I know enough about where to share my passwords that I didn’t accidentally give my credentials to a fraudulent site. I can also tell you that no one hijacked my account. My password is reset on both ‘compromised’ accounts and I’ve updated the legitimate applications I use to access Twitter.
I’m not quite sure why Twitter would be the target of a phishing attack. While they might be able to post what they ate for breakfast or follow a few celebrities (or whoever), no one can use my Twitter login information to access money or sensitive information. Not sure what the point to the whole Twitter phishing attack was, but I’m not too worried either. A minor inconvenience at worst, interesting blog fodder at best.
Update: Thanks to Malcolm for posting the following in the comments on one of our posts about phishing:
With the knowledge that many people use the same passwords across multiple sites, there is value in phishing ANY online login system. Because email+password can be identical on every site, any and every site is vulnerable to phishing. Phishers need a single chink in the armour; if the phished person uses a hotmail/gmail etc email address for Twitter, there’s a high chance the email can then be compromised with the same login details, and once you have the email you could wait for a ‘statement’ email from a bank or credit card …
Posted on January 30, 2010 at 1:55 pm by Kathy
The good folks over at Credit Card Processing Gist posted an article yesterday naming the flaws of Verified by Visa and MasterCard SecureCode. Flawed technology and poor design meet good economics – telling us that price is the trump card when it comes to online authentication.
When we talk about the authentication space there are really 3 things we have to balance. It boils down to 1. Real security, 2. Perceived security, and 3. Price. What we’d hope is that all players in the space would have strong real security. I mean, that’s the business we’re in, isn’t it? But when it comes down to it, not all login systems are created equally.
And unfortunately perceived security combined with an effective pricing model can equal success, regardless of the level of actual security. What that means is the industry is open to clever fox-types who can swindle their way through a sales presentation based on slick ideas with little real security provision. Yikes. And our consumers are left vulnerable, but worse – with the perception that their information is secure.
And then there’s me. And my colleagues. See, we’re sticklers for real security. We’re those geeky types who aren’t satisfied with merely protecting our clients from current threats while providing perceived security through a positive user experience. We’re the crazy guys who are determined to get it right, without cutting corners. We have this crazy notion that we won’t stop improving our technology as long as there are still hackers out there finding ways to compromise consumers. Of course, that means we have a team of geeky types just like us on payroll. And our pricing strategy can’t compete with the fake-it-till-you-make-it guys. We believe you get what you pay for, and even though our prices aren’t much higher than the other guys’, cost-cutting measures can mean that the contracts go to the cheap solutions, even when those solutions offer cheap quality.
That’s ok though. We’re creating a safety net. When the merchants out there are disappointed with their lack of actual security, when the hackers seem to be winning the battle, we’re here to catch you when you fall. It’s like the commercial for Office Depot where a barber sees a competitor open shop across the street offering “$6 haircuts.” Our barber puts up a sign saying “We fix $6 haircuts.” That’s us. We fix $6-haircut authentication.