Latest Publications

Turning Green into Cash – Phishing for Carbon Emissions Permits

A worldwide phishing attack on carbon emissions trading registries forced registries in nine countries to shut down, while in other countries trading was temporarily suspended. Fake registries (phishing sites) were set up by a group of criminals who then sent out messages to thousands of users in different companies, making off with about 250,000 emissions permits, worth over 3 million Euros ($4.1M, £2.6M).

Taking a quick look at several of these emissions trading registries’ websites (DEHSt, DEFRA, ETR.ie, etc.), it appears that an SSL certificate is the extent of the security on all of them. While the banking industry is generally perceived to be very conservative when it comes to adopting new technologies, in the past several years a large number of banks chose mutual authentication technologies as an effective and low-cost solution to fight phishing. As criminals learn about new schemes where social engineering can turn into profit, they will pursue other industries that are vulnerable and that have not adopted safe login mechanisms.

The moral of the story? Mutual authentication isn’t just for banks. Companies in other industries need to anticipate cyberthieves just as much as banks do. What’s next?

Need a job? Cyberthieves are hiring!

Well, it might not be the best career move and it probably won’t help you pad your resume, but hey – income is income, right? According to Reuters cyberthieves are hiring, and they’re placing ads online.

One site, for example, pays $180 (£112) for each 1,000 times that malware is downloaded onto a US computer, but less for computers elsewhere. It refuses to pay for any downloads to Russian computers, causing Stevens and others to strongly suspect that it, like other similar sites, is based in Russia.

“We pay your wages via the following systems: Fethard, WebMoney, Wire, e-gold, Western Union (WU), MoneyGram, Anelik and ePassporte, and PayPal,” the site said.

Think they include pension plans? Retirement? Paid holidays and sick days? Hm… probably not. Seeing as how it’s illegal, we wouldn’t suggest you take them up on the offer. But it is an indication these crooks are getting a little cocky – a little brazen – in their tactics.

Twitter’s been phished!

Two of my three Twitter accounts asked me to reset my password this morning when I signed in. It seems that a third-party application may have compromised accounts, but stories abound about what really happened.

What I can tell you is that I know enough about where to share my passwords that I didn’t accidentally give my credentials to a fraudulent site. I can also tell you that no one hijacked my account. My password is reset on both ‘compromised’ accounts and I’ve updated the legitimate applications I use to access Twitter.

I’m not quite sure why Twitter would be the target of a phishing attack. While they might be able to post what they ate for breakfast or follow a few celebrities (or whoever), no one can use my Twitter login information to access money or sensitive information. Not sure what the point to the whole Twitter phishing attack was, but I’m not too worried either. A minor inconvenience at worst, interesting blog fodder at best.

Update: Thanks to Malcolm for posting the following in the comments on one of our posts about phishing:

With the knowledge that many people use the same passwords across multiple sites, there is value in phishing ANY online login system. Because email+password can be identical on every site, any and every site is vulnerable to phishing. Phishers need a single chink in the armour: if the phished person uses a hotmail/gmail etc. email address for Twitter, there’s a high chance the email can then be compromised with the same login details, and once you have the email you could wait for a ‘statement’ email from a bank or credit card …


Security, Perceived Security, and Economics

The good folks over at Credit Card Processing Gist posted an article yesterday naming the flaws of Verified by Visa and MasterCard SecureCode. Flawed technology and poor design meet good economics – telling us that price is the trump card when it comes to online authentication.

When we talk about the authentication space there are really three things we have to balance: 1. real security, 2. perceived security, and 3. price. What we’d hope is that all players in the space would have strong real security. I mean, that’s the business we’re in, isn’t it? But when it comes down to it, not all login systems are created equal.

And unfortunately perceived security combined with an effective pricing model can equal success, regardless of the level of actual security. What that means is the industry is open to clever fox-types who can swindle their way through a sales presentation based on slick ideas with little real security provision. Yikes. And our consumers are left vulnerable, but worse – with the perception that their information is secure.

And then there’s me. And my colleagues. See, we’re sticklers for real security. We’re those geeky types who aren’t satisfied until our clients are genuinely protected from current threats while also getting perceived security through a positive user experience. We’re the crazy guys who are determined to get it right, without cutting corners. We have this crazy notion that we won’t stop improving our technology as long as there are still hackers out there finding ways to compromise consumers. Of course, that means we have a team of geeky types just like us on payroll. And our pricing strategy can’t compete with the fake-it-till-you-make-it guys. We believe you get what you pay for, and even though our prices aren’t much higher than the other guys’, cost-cutting measures can mean that the contracts go to the cheap solutions, even when those solutions offer cheap quality.

That’s ok though. We’re creating a safety net. When the merchants out there are disappointed with their lack of actual security, when the hackers seem to be winning the battle, we’re here to catch you when you fall. It’s like the commercial for Office Depot where a barber sees a competitor open shop across the street offering “$6 haircuts.” Our barber puts up a sign saying “We fix $6 haircuts.” That’s us. We fix $6-haircut authentication.

3 reasons online banking is safer than paper

We read stories about phishing and data breaches and we get worried. Some of us start thinking that maybe we’re better off (security-wise) with paper-based banking. Sending checks, receiving statements in the mail, paying bills the old fashioned way – manually with a checkbook and a stamp. But as Jean Chatzky said this morning on NBC’s Today Show, online banking is actually safer than paper-based for a few reasons.

  1. People who use online banking check their account 4 times more often than those who use paper-based banking. That means if someone does fraudulently steal your identity or your banking information, you’ll find out about it more quickly and remedy the problem earlier, translating to potentially fewer losses.
  2. Banks’ online systems are more secure than your mailbox and trash bin. Sure, they may not be 100% impervious to attack, but they’re much harder to hack into than your mailbox at the curb or the trash can full of sensitive information (even if it is shredded).
  3. You can’t ‘wash’ an online transaction. Check washing still occurs today – where someone takes a legitimate check you signed, washes the original amount and payee information but retains your signature. They’re then free to put their own name and any amount they choose. Online transactions aren’t washable – they go where they’re meant to go, when they’re meant to go.

Basically what it boils down to is: choose a secure password that you can remember without writing it down. Keep your information to yourself, and don’t fall prey to scams inviting you to “click here” to verify your information. Your bank doesn’t need you to verify your information, and if they do, they can find a more secure way to contact you than sending an email or putting a button on your Facebook page.

More online users know about phishing, while number of victims is up by 600%

Two studies show that young people are more likely to be victims of online fraud. You’d think that since most of them have not experienced a world without Internet and email, they’d be more knowledgeable about phishing and other schemes. But the insurance group CPP reports that the 16 to 24 age group is most likely to be defrauded in the UK, with an average loss of £590 per incident.

Another research study comes from RSA’s 2010 Global Online Consumer Security Survey, which shows very interesting trends:

“Of the more significant survey findings, consumer awareness of phishing attacks has doubled between 2007 and 2009 and the number of consumers who reported falling prey to this attack increased six times during that same period of time. In addition, while hundreds of thousands of people join social networking websites each day, the survey exposed that nearly two in three (65 percent) people who belong to these online communities indicated they are less likely to interact or share information due to their growing security concerns.”

“Consumers using online banking (86 percent) websites shared more concern with the theft of their personal information than those using healthcare portals (64 percent) and government websites (68 percent). As a result of these concerns, more than half of all consumers reported that they are less likely to share information and interact on these websites.”

This is interesting because it tells us that phishers are becoming more and more sophisticated, and that consumer education on its own does little to prevent online and identity fraud.

What it means for us is that social engineering is becoming more sophisticated, fooling even those who don’t remember the times before Internet and mobile phones. Effective proactive defense includes multi-channel authentication options that do not rely on user alertness or mental mapping techniques. Secure web services will help protect their customers without relying on their ability to recognize a phishing attack.

Squeezing some browser sense from the Google-China phishing incident

A few days ago Google decided to shut down its operations in China after a spear phishing attack directed towards Chinese human rights activists, as well as attempts to steal some of Google’s intellectual property. It is presumed that the attackers sent exploit-ridden PDF attachments in emails to Google employees, attempting to gain access to internal systems that contained account passwords (some researchers’ opinions differ). This and similar attacks have been going on since mid-June of 2009 and affected over 30 companies around the world.

What’s different this time is Google’s response to the attack, as well as a number of governments (like France and Germany) that made public announcements recommending that their citizens stop using Internet Explorer, since the attacks were targeting this browser’s vulnerabilities.

Online security is a lot like an inflatable balloon. If you squeeze a balloon, the air bulges out wherever there is the least resistance. When it comes to security, attackers will most likely take the path of least resistance that promises the greatest rewards at minimum risk. In this situation, I really don’t understand why advising millions of people to stop using a specific browser will somehow protect them from future attacks. Let’s say everyone starts using only Firefox, or Chrome. Are hackers going to give up and never write another exploit again? Not only is this boycott of IE not going to be effective for the general public, but since governments usually use IE as the default browser in all of their institutions, imagine the logistics required to make the change across the board.

Tricerion protects its users in a way that is completely independent of browser functionality and vulnerabilities. Our graphic passwords are stored in a database in such a way that the stored information cannot be interpreted or reused from the outside. Effective authentication methods should not rely on specific browsers, nor should they be threatened by the vulnerabilities in other companies’ software products.

CES 2010 – blending of technology and content

A Canon advertisement at the International Consumer Electronics Show (CES) in Las Vegas, Monday, Jan. 4, 2010. (AP Photo/Paul Sakuma)

This year’s Consumer Electronics Show brought us some interesting trends and ideas. In his review of the show, Lance Ulanoff lists 9 things he learned there. In the last point in that post, he makes the observation that “the marriage of technology and content took center stage”.

There is a fundamental change in how we’ve been turning every possible device into a content delivery or presentation mechanism. You can read your email or a book on your PC, on your phone or on TV. I can now watch a TV show on cable, on my iPod, iPhone or on Hulu Desktop. I happened to be in an Eastern European country during their parliamentary election. The ruling party rigged the election, and when the students came out protesting, they were using Twitter and Facebook to organize themselves and broadcast the latest news. The government promptly shut down Internet access to these websites. However, I was pleasantly surprised to learn that the Facebook app on my iPhone continued to work. Multi-channel communication rocks.

As our life becomes more digitized, we are being asked to get used to reading and sending information via a multitude of devices and services. We’ve been conditioned to open up our private lives and share (some more, some less) our life experience with our online social networks. Various companies are now hoarding more and more data about who we are. I laugh every time a bank asks me to select “What year did you graduate from high school?” as one of my security questions. Come on, there are at least 1000 people who know the answer to this question. Besides, about 50% of all identity fraud crimes are committed by people who know the victims personally.

As we enable more types of devices to access our private or paid content, identity access technologies will have to evolve in order to make sure we have consistent usability and security across all information delivery platforms. The users also need to know that the service they are accessing is authentic. This is the mutual authentication principle: the service provider first reveals a secret known only to it and the user, which assures the user of the integrity of the communication channel before the user hands over any credentials.

Money draining…

Do you hear that? The sound of drip… drip… drip…? It’s the sound of money ever so gradually leaving your account through insecure transactions.

There are these clever little ways to send money through text messaging – Yele does it to help humanitarian aid after the quake in Haiti. Just text “Yele” to a specific number to donate $5 to relief efforts. What’s wrong with that? In this case it’s for a good cause, but the very same technique could be used by others with less-than-honorable intentions. Misplace your phone? Before, that was merely a hassle of immeasurable proportions, but now it could mean more – the same level of financial vulnerability as losing your wallet and credit cards. You can read more on the worrisome tactics of post-disaster funding scams in CNet’s post by Caroline McCarthy.

And what about email? Did you know that you can be held responsible for transactions made over email? These annoying post-transaction marketing ploys are promoted by sites like VistaPrint, which present seemingly countless offers after a sale is completed, all of which will lighten your wallet a bit (or more). The offering site already has your payment information saved, and the ‘special offers’ from affiliate sites push through transactions that were never authorized, or that were authorized merely by sharing an email address, with no disclosure of credit card information at all.

It makes me wonder… when will authentication for mobile phones actually make sense – for security and usability? And will there ever be a day when the majority of companies have scruples? I’m just sayin’.

Authenticating Mobile Apps

Everyone is excited about the new Google phone – Nexus One. I am actually considering making the jump from iPhone to an Android-based phone. The Android Market is Google’s answer to the iTunes App Store.

In an interesting twist of events, a rogue app called “Droid09” was uploaded to Android Market, claiming to be an official online banking app from First Tech FCU. The fake app then attempted to collect user login information – thus becoming the first phishing app for Android.

It makes me wonder whether there is any way for an Android-phone user to know whether a downloaded app is authentic or not. While we usually go to the websites of the companies we know and trust to download software patches and upgrades, both Apple and Google are essentially the middlemen delivering apps from various service providers. You can’t just go to Electronic Arts’ website and download a game for iPhone. Consumers will be at risk as long as there is no mutual authentication mechanism that authenticates the service provider (and/or their app) before the user is asked for their security credentials.
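The mutual authentication principle that runs through these posts (the service proves itself by revealing a per-user secret before the user is asked for a password, as described in the CES 2010 post and called for again above for mobile apps) is easy to see in a small model. The following is an added example written for this page, not Tricerion’s code or any vendor’s product: the phrase-style site secret, the salted password store, the decoy phrases for unknown usernames and the `LookalikeServer` stand-in are all assumptions of the example.

```python
# Added example (not Tricerion's code): a toy model of the mutual-authentication
# principle described on this page. The server must reveal a per-user secret
# before the client will send a password, so a look-alike site with no access
# to the real user database never receives the password.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    site_secret: str  # per-user phrase (or image name) chosen at enrolment


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the stored value cannot be replayed as a credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """The legitimate service: the only party holding the enrolment database."""

    # Decoy phrases shown for unknown usernames so that step 1 does not reveal
    # whether an account exists (an assumed design choice for this example).
    DECOY_POOL = ("green anchor", "silver comet", "amber lantern", "violet harbour")

    def __init__(self) -> None:
        self._users: dict[str, UserRecord] = {}
        self._decoy_key = os.urandom(32)  # makes the decoy stable per username

    def enroll(self, username: str, password: str, site_secret: str) -> None:
        salt = os.urandom(16)
        self._users[username] = UserRecord(salt, _hash_password(password, salt), site_secret)

    def step1_reveal_secret(self, username: str) -> str:
        """Step 1: the server authenticates itself by showing the user's own secret."""
        rec = self._users.get(username)
        if rec is not None:
            return rec.site_secret
        digest = hmac.new(self._decoy_key, username.encode(), "sha256").digest()
        return self.DECOY_POOL[int.from_bytes(digest, "big") % len(self.DECOY_POOL)]

    def step2_verify_password(self, username: str, password: str) -> bool:
        """Step 2: only now does the user's password arrive."""
        rec = self._users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec.password_hash, _hash_password(password, rec.salt))


class LookalikeServer:
    """Stand-in for a fake site, used here only to exercise the client's check.
    It has no copy of the enrolment database, so it can only show a generic prompt."""

    def __init__(self) -> None:
        self.received_passwords: list[str] = []

    def step1_reveal_secret(self, username: str) -> str:
        return "Welcome back! Please enter your password."

    def step2_verify_password(self, username: str, password: str) -> bool:
        self.received_passwords.append(password)  # what such a site would be after
        return True


def client_login(server, username: str, remembered_secret: str, password: str) -> str:
    """The user's side: withhold the password unless the site presents the secret."""
    shown = server.step1_reveal_secret(username)
    if not hmac.compare_digest(shown.encode(), remembered_secret.encode()):
        return "aborted: site did not present my secret, password withheld"
    return "logged in" if server.step2_verify_password(username, password) else "bad password"


if __name__ == "__main__":
    real = AuthServer()
    real.enroll("alice", "correct horse battery", "blue teapot")  # constructed sample account
    print(client_login(real, "alice", "blue teapot", "correct horse battery"))
    fake = LookalikeServer()
    print(client_login(fake, "alice", "blue teapot", "correct horse battery"))
    print("passwords received by look-alike site:", fake.received_passwords)
```

Two caveats that matter in a real deployment: the check in `client_login` still depends on the user noticing that the secret is missing (the point the RSA survey post makes about user alertness), and step 1 is normally bound to something beyond the username, such as a previously registered device cookie, so that the secret is not handed to anyone who merely knows a login name.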