Contact Us
1220 West Third St. Little Rock, AR 72201
Phone: 501.376.3741
Fax: 501.376.9243
July 7, 2010
New Fraud Alert Service Launched
A new service developed by Microsoft and the National Cyber-Forensics and Training Alliance aims to give banking institutions a faster way to know when a customer's account has been compromised.
The Internet Fraud Alert service, announced on June 17, is designed to offer a trusted and effective mechanism for participating researchers to report stolen account credentials discovered online, including username and password login information for online services or compromised credit card numbers.
Through a centralized alerting system powered by Microsoft technology developed specifically for this program, Internet Fraud Alert will quickly inform companies about compromised credentials, allowing them to take the appropriate action to help protect their customers.
"It's a good example of repatriating customer data to the hands of the orgs that need to deal with problems inherent with customer data losses," says Peter Cassidy, secretary general of the Anti-Phishing Working Group, an international consortium of business, trade groups and governments.
"It's almost a fire drill these days when a researcher or someone finds breached customer data, with people asking, 'Who do they turn it over to? Who do I call? What's the 911 number when you find breached data?'" Cassidy says. "It is amazing that it has taken us this long to develop this much needed service. Now that it is here, everyone should be availed to it."
The program will serve the much-needed purpose of enabling security researchers and investigators to systematically share information with service providers, retailers, financial institutions and governments about incidents where compromised account credentials have been discovered. Up to now, when the security community uncovered compromised credentials stemming from phishing attacks, for example, there has been no simple mechanism to warn the service provider or bank about the exposed credentials.
Phishing and malicious code attacks pose a serious threat to consumer identity and account credentials. In 2009, the Anti-Phishing Working Group received more than 410,000 unique phishing e-mail reports, and recent data from the group show that the number of brands being exploited by phishers is at an all-time high. The recovered credentials will be handled in a secure manner. The way this program is structured, says Doug Johnson, vice president of risk management policy at the American Bankers Association, "No matter where the credentials are found, they will make it back to the bank or issuing organization. The entire process will be fairly transparent to the customer."
While it will first be focused on getting retail customer credentials back into the hands of banks, the service may also run across other credentials from businesses and municipalities as well.
Microsoft developed the program along with the National Cyber-Forensics and Training Alliance (NCFTA), Accuity, the American Bankers Association, Anti-Phishing Working Group, Citizens Bank, eBay Inc., Federal Trade Commission, National Consumers League and PayPal. NCFTA will run the program's service on behalf of the organizations that sign up for it. More information about the Internet Fraud Alert can be found here.
The Latest Phone Scam Targets Your Bank Account
Imagine getting hundreds or thousands of calls on your home, business, or cell phone, tying up the lines. And when you answer, you hear anything from dead air to recorded messages, advertisements, or even phone sex menus.
It’s annoying, no doubt. But it could be more than that—it could be a sign that you’re being victimized by the latest scam making the rounds. This “telephone denial-of-service attack” could be the precursor to a crime targeting your bank accounts.
Denial-of-service attacks, by themselves, are nothing new—computer hackers use them to take down websites by flooding them with large amounts of traffic.
In a recent twist, criminals have transferred this activity to telephones, using automated dialing programs and multiple accounts to overwhelm the phone lines of unsuspecting citizens.
Why are they doing it? Turns out the calls are simply a diversionary tactic: while the lines are tied up, the criminals—masquerading as the victims themselves—are raiding the victims’ bank accounts and online trading or other money management accounts.
Here, in a nutshell, is how the whole thing works:
Weeks or months before the phone calls start, a criminal uses social engineering tactics or malware to elicit personal information from a victim that this person’s bank or financial institution would have—like account numbers and passwords. Perhaps the victim responded to a bogus e-mail phishing for information, inadvertently gave out sensitive information during a phone call, or put too much personal information on social networking sites that are trolled by criminals.
Using technology, the criminal ties up the victim’s various phone lines.
Then, the criminal either contacts the financial institution pretending to be the victim…or pilfers the victim’s online bank accounts using fraudulent transactions. Normally, the institution calls to verify the transactions, but of course they can’t get through to the victim over the phone.
If the transactions aren’t made, the criminals sometimes re-contact the financial institution as the victim and ask for it to be done. Or they add their own phone number to victims’ accounts and just wait for the bank to call.
By the time the victim or the financial institution realizes what happened, it’s too late.
Law enforcement and industry response
The FBI first learned about this emerging scheme through one of its private industry partners, which told us how a Florida dentist lost $400,000 from his retirement account after a denial-of-service attack on his phones.
And as of April of this year, there has definitely been a noticeable surge in telephone denial-of-service attacks, with numerous incidents having been reported in several Eastern states.
To help fight these schemes, the FBI has teamed up with the Communication Fraud Control Association—comprised of security professionals from communication providers—to analyze the patterns and trends of telephone denial-of-service attacks, educate the public, and identify the perpetrators and bring them to justice.
Ultimately, though, it’s individual consumers and small- and medium-sized businesses on the front line of this battle. So take precautions: never give out personal information to an unsolicited phone caller or via e-mail; change online banking and automated telephone system passwords frequently; check your account balances often; and protect your computers with the latest virus protection and security software.
And if you think you may have been targeted by a telephone denial-of-service attack, contact your financial institution and your telephone provider, and file a complaint with the FBI’s Internet Crime Complaint Center.
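Seen from the financial institution's side, the scheme described above leaves a recognizable sequence in account records: a verification call that cannot get through followed by a request to push the transaction anyway, or a verification call placed to a phone number that was only recently added. The following Python is an added example, not part of the original article or any FBI or bank tooling; the event field names, the 30-day window and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data); field names are hypothetical.
EVENTS = [
    {"ts": "2010-04-02T09:00", "acct": "A1", "type": "phone_added", "number": "555-0199"},
    {"ts": "2010-04-05T10:00", "acct": "A1", "type": "transfer_requested", "amount": 40000},
    {"ts": "2010-04-05T10:05", "acct": "A1", "type": "callback", "number": "555-0199", "result": "confirmed"},
    {"ts": "2010-04-06T14:00", "acct": "B2", "type": "transfer_requested", "amount": 25000},
    {"ts": "2010-04-06T14:10", "acct": "B2", "type": "callback", "number": "555-0101", "result": "busy"},
    {"ts": "2010-04-06T14:40", "acct": "B2", "type": "inbound_release_request"},
    {"ts": "2010-04-07T11:00", "acct": "C3", "type": "transfer_requested", "amount": 900},
    {"ts": "2010-04-07T11:05", "acct": "C3", "type": "callback", "number": "555-0123", "result": "confirmed"},
]

NEW_NUMBER_WINDOW = timedelta(days=30)   # assumed policy value
UNREACHABLE = {"busy", "no_answer"}      # callback outcomes that mean "could not get through"

def review_accounts(events):
    """Return {account: [reasons]} for accounts whose events match the scheme."""
    flags = {}
    added = {}            # (acct, number) -> time the number was added to the account
    failed_callback = {}  # acct -> time of the last callback that could not get through
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, acct = datetime.fromisoformat(e["ts"]), e["acct"]
        if e["type"] == "phone_added":
            added[(acct, e["number"])] = ts
        elif e["type"] == "callback":
            if e["result"] in UNREACHABLE:
                failed_callback[acct] = ts
            t_added = added.get((acct, e["number"]))
            # Verification placed to a number that was only recently put on file.
            if t_added is not None and ts - t_added <= NEW_NUMBER_WINDOW:
                flags.setdefault(acct, []).append("verified via recently added number")
        elif e["type"] == "inbound_release_request" and acct in failed_callback:
            # Someone calls in asking to release a transfer the bank could not verify.
            flags.setdefault(acct, []).append("release requested after unreachable callback")
    return flags

if __name__ == "__main__":
    for acct, reasons in review_accounts(EVENTS).items():
        print(acct, reasons)
```
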
June 7, 2010
Wi-Fi Street Smarts, iPhone Edition
Brian Krebs recently posted an article on his blog “Krebs on Security” about the popular Apple iPhone. If you use your iPhone to connect to open or public wireless networks, it's a good idea to tell the device to forget the network's name after you're done using it, as failing to do so could make it easier for snoops to eavesdrop on your iPhone data usage. For example, if you use your iPhone to connect to an open wireless network called "linksys," -- which happens to be the default, out-of-the-box name assigned to all Linksys home Wi-Fi routers -- your iPhone will in the future automatically connect to any Wi-Fi network by that same name. The potential security and privacy threat here is that an attacker could abuse this behavior to sniff the network for passwords and other sensitive information transmitted from nearby iPhones even when the owners of those phones have no intention of connecting to a wireless network, simply by giving his rogue access point a common name. To read the blog post, click here.