Current News

Security breach hits U.S. card processors, banks

A MasterCard logo is seen on a door outside a restaurant in New York in this February 3, 2010. MasterCard Inc is investigating a potential security breach related to a third-party vendor and has alerted banks and law enforcement officials, the company said on March 30, 2012. The credit-card processor said the issue involves a company based in the U.S. and is also being reviewed by an independent data-security organization.

(Reuters) - Four giant card-payment processors and large U.S. banks that issue debit and credit cards were hit by a data-security breach after third-party services provider Global Payments Inc discovered its systems were compromised by unauthorized access. It was not immediately clear how many cardholders became victims of the breach, which affected MasterCard Inc, Visa Inc, American Express Co and Discover Financial Services, as well as banks and other franchises that issue cards bearing their logos. U.S. law enforcement authorities including the Secret Service are investigating and MasterCard said it has hired an independent data-security organization to review the incident. The shares of Atlanta-based Global Payments, which acts as a credit-checking middleman between merchants and card processors, were halted on Friday afternoon after dropping more than 9 percent on the news. MasterCard shares fell 1.8 percent to close at $420.54, Visa shares dropped 0.8 percent to $118, American Express shares fell 0.1 percent to $57.86, while Discover rose 1.2 percent to $33.34. Analysts said any financial losses from the data breach would be shouldered by merchants, card issuers and Global Payments rather than Visa or Mastercard, which operate payment networks. Global Payments said it determined that an unauthorized entity had accessed its systems and possible customer card data in early March. Krebs on Security, a blog that first reported the incident on Friday, said accounts had been compromised for over a month, between January 21, 2012 and February 25, 2012. Global Payments is holding an investor conference call Monday morning to discuss the issue.

This Global Payments breach is just the latest in a long string of incidents that have put the personal information of millions of credit and debit cardholders at risk. Individual banks and processors said they had not yet determined the full extent of the breach, but Krebs on Security described it as a "massive" breach that may affect more than 10 million cardholders. Some industry experts suggested the figure might be much less, perhaps on the order of tens of thousands. Bernstein Research analyst Rod Bourgeois noted that Global Payments is a relatively small player in the transactions services industry, servicing 800,000 merchants with a 3.5 percent market share. By contrast, the largest competitor, First Data, services millions of merchants, with 22.6 percent of the market. JPMorgan Chase & Co, as well as American Express and Discover, which issue their own cards, said they are monitoring customers' accounts and would issue new cards to anyone whose information may have been compromised. Citigroup Inc said it has been notified by processors of the breach. Bank of America Corp declined to comment on the matter and Wells Fargo & Co said it was too early to comment on the impact. Banks and processors emphasized customers would not be held liable for any fraudulent charges that may occur. Mike Simonsen, the Chief Executive of real-estate research company Altos Research, said he may have been a victim. Simonsen said he was contacted by his bank, Bank of America Corp, last week about his Visa card. Although there were no unauthorized transactions, the representative told him a vendor or law enforcement agency had flagged his account as compromised and so he would receive a new one. "It was very unusual," he said.

PROCESSING PIPELINE

Global Payments, which has about 3,700 employees, was spun off from information-services firm National Data Corp in 2001. For the fiscal year ended May 31, Global Payments reported revenue of $1.9 billion, an increase of 13 percent from the year-earlier period. According to a company presentation in January, the company was projected to report fiscal 2012 revenue in the range of $2.15 billion. The company is scheduled to report fiscal third-quarter results on Wednesday and there had been the expectation Global Payments would report improving results. On Wednesday, Sterne Agee raised its price target for Global Payments to $65 a share from $58.

Global Payments is one of dozens of companies that operate along the payment-processing chain, between the time a person swipes a card to pay and the time the payment is delivered. The account number, expiration date and possibly the cardholder's name are sent from the point of payment to a processor, which then connects to Visa, MasterCard, American Express or Discover. Information is then sent to the card issuer — often a bank — which ultimately authorizes the transaction. The actual transfer of money occurs later.

Processing companies, which perform millions of authorizations each day, are supposed to encrypt card information. But a breach could occur if someone gains access to the system and identifies a gap in the encryption. The information that was likely collected illegally from Global Payments is called Track 1 and Track 2 data. A person improperly using the information can transfer the account number and expiration date to a magnetic strip on a card and then try to use the card on a website. Thousands of U.S. banks that issue credit and debit cards receive daily alerts regarding breaches through a system referred to as CAMS, said Thomas McCrohan, an analyst with Janney Capital Markets. The illegal use of the data could be stymied if an online merchant asks for the three or four digits printed on a card known as the "CVV code." "The systems can all be made tighter, but if they're too tight no transactions would ever be approved," said Edward Lawrence, a director at Auriemma Consulting Group, a payment systems consultant. "You still have to allow commerce to occur." Rep. Mary Bono, a California Republican who chairs the House Subcommittee on Commerce, Manufacturing and Trade, condemned the Global Payments breach and urged Congress to adopt stronger data-security legislation this year. "You shouldn't have to cross your fingers and whisper a prayer when you type in a credit card number on your computer and hit 'enter,'" she said in a statement.

RIPPLE EFFECTS

The Visa-MasterCard-Discover breach is the first major instance this year of consumer information put at risk by technological flaws or hacking, but there are plenty of examples of massive data breaches in recent years affecting banks, retailers, technology companies and payment processors. Last June, Citigroup said computer hackers breached the bank's network and accessed data of about 200,000 cardholders in North America. Sony Corp also reported several recent attacks, including one last year in which hackers accessed the personal information on 77 million PlayStation Network accounts. Google Inc suffered a major attack on its Gmail accounts in 2011 that it said appeared to originate in China, and companies including TJX Companies Inc and Heartland Payment Systems Inc have also had their systems compromised.

On Friday, retailers were already beginning to look for fraudulent purchases from the compromised card accounts stemming from the Global Payments breach. They will bear the financial brunt of those crimes under rules worked out with the card associations and issuers, analysts said. "Our merchant community is sitting here girding itself and looking at their own fraud-prevention strategies and bracing for the influx of bad transactions," said Tom Donlea, managing director for the Americas at the nonprofit Merchant Risk Council. "After Heartland and after the Sony breach, there was an increase in fraud activity." (Reporting by Lauren Tara LaCapra, Carrick Mollenkamp and Jed Horowitz in New York, Joseph Menn in San Francisco, Ben Berkowitz in Boston, and Rick Rothacker in Charlotte, North Carolina; writing by Lauren Tara LaCapra; editing by Gerald E. McCormick, Andre Grenon and Phil Berlowitz)

Tax identity theft on the rise

There is a lot of discussion about the growing problem of identity theft. Most people think of identity theft as a stolen credit card or a compromised bank account. But many people don’t realize that tax identity theft is becoming increasingly common. The IRS reported tax identity theft as No. 1 on its annual list of “Dirty Dozen Tax Scams.” In fact, many refunds in the 2012 filing season were delayed because of IRS filters that were meant to screen for identity theft on tax filings. When the IRS cannot detect and prevent tax identity theft, it becomes a complex post-filing issue for you and your client.

A growing problem

In general, the incidence of identity theft is increasing worldwide. In 2010, the Congressional Research Service noted that there were 8.1 million victims of identity theft in the United States. In 2011, the Federal Trade Commission reported that one out of four identity theft complaints received were related to tax identity theft, and the IRS detected 940,000 tax returns involving identity theft out of 141 million total returns filed.

In 2009, the IRS implemented its identity theft indicator system, which places a “marker” indicating identity theft on affected taxpayer accounts at the IRS. In just two years, the number of indicators created increased 153%, from 254,079 in 2009 to 641,052 in 2011. The IRS Identity Protection Specialized Unit (IPSU) tracked more than 254,000 new cases in 2011, and numbers for 2012 are even higher. The Taxpayer Advocate Office’s workload for identity theft cases has almost doubled in 2012, indicating that internal IRS systems are not sufficiently handling the caseload.

Types of tax identity theft

There are two forms of tax identity theft: refund theft and employment theft.

Refund theft occurs when a thief intentionally uses another person’s Social Security Number (SSN) to file a false tax return to acquire an illegal refund. Usually, this is detected when the IRS rejects an electronic tax return as a duplicate filing or rejects a paper return and sends a notice to the taxpayer. At this point, the identity theft victim has already lost the money and must confirm his or her identity with the IRS to process the return and, if applicable, receive the refund. The majority (85%) of identity theft incidents reported to the IRS involve refund theft.

Employment theft occurs when a thief uses another person’s SSN to obtain employment. The wages are then reported to the IRS under the victim’s SSN. Employment theft is particularly troublesome because it is often discovered months after the return was filed, and it can take several months to clear up.

Federal cyber security law pending in Congress

Lawmakers and administration officials have warned of potentially catastrophic consequences if Congress doesn't pass cybersecurity legislation this year, but some observers question whether the rhetoric is overblown.

"Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes slammed into one another," Sen. Jay Rockefeller (D-W. Va.) testified at a Homeland Security and Government Affairs Committee hearing last month. "Or if rail-switching networks were hacked — causing trains carrying people, or hazardous materials — to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington."

At the hearing, committee Chairman Joe Lieberman (I-Conn.) said he feels like it's Sept. 10, 2001, on the eve of a devastating terrorist attack.

"The system is blinking red – again. Yet, we are failing to connect the dots – again," Lieberman said. Senior administration officials, including Homeland Security Secretary Janet Napolitano and FBI Director Robert Mueller, performed a classified demonstration of how the government would respond to a cyber attack on the New York City electrical grid in front of dozens of senators earlier this month.

“The simulation was realistic and illustrated just how dangerous inaction on cybersecurity legislation can be,” Rockefeller said. "If we don’t take these steps now, we’ll be back at this again at some point in the future, only it won’t be an exercise.”

The hearing and demonstration were part of a push for Congress to pass the Cybersecurity Act, a bill authored by Sens. Lieberman and Susan Collins (R-Maine) that would give the Homeland Security Department the authority to require that critical private computer systems meet certain security standards. The bill would also encourage private companies to share information about cyber threats with the government. Sen. John McCain (R-Ariz.) agrees about the threat of a cyber attack, but says the Lieberman-Collins bill would impose burdensome regulations on businesses. He has introduced an alternative bill, the Secure IT Act, that focuses on information sharing.

Jerry Brito, director of the Technology Policy Program at George Mason University, said the "rhetoric does not match the reality" on cybersecurity.

"When members of Congress talk about [cybersecurity] they conflate the different threats," Brito said. He explained that cyber espionage is a "very real" problem that is "happening right now." Companies and foreign governments are hacking into the computer systems of American companies to steal their trade secrets and gain a competitive advantage.

News on LinkedIn security issues

LinkedIn's professional networking website has security flaws that make users' accounts vulnerable to attack by hackers who could break in without ever needing passwords, according to a security researcher who identified the problem.

News of the vulnerability surfaced over the weekend, only days after LinkedIn Corp (LNKD.N) went public last week with a trading debut that saw the value of its shares more than double, evoking memories of the dot.com investment boom of the late 1990s. Rishi Narang -- an independent Internet security researcher based near New Delhi, India, who discovered the security flaw -- told Reuters on Sunday that the problem is related to the way LinkedIn manages a commonly used type of data file known as a cookie.

After a user enters the proper username and password to access an account, LinkedIn's system creates a cookie "LEO_AUTH_TOKEN" on the user's computer that serves as a key to gain access to the account. Lots of websites use such cookies, but what makes the LinkedIn cookie unusual is that it does not expire for a full year from the date it is created, Narang said.

He detailed the vulnerability in a posting on his blog at www.wtfuzz.com on Saturday.

Most commercial websites would typically design their access token cookies to expire in 24 hours, or even earlier if a user were to first log off the account, Narang said.

There are some exceptions: Banking sites often log users off after 5 or 10 minutes of inactivity. Google gives its users the option of using cookies that keep them logged on for several weeks, but it lets the user decide first. The long life of the LinkedIn cookie means that anybody who gets hold of that file can load it on to a PC and easily gain access to the original user's account for as much as a year.

The company issued a statement saying that it already takes steps to secure the accounts of its customers. "LinkedIn takes the privacy and security of our members seriously," the statement said. "Whether you are on LinkedIn or any other site, it's always a good idea to choose trusted and encrypted WiFi networks or VPNs (virtual private networks) whenever possible."

The company said that it currently supports SSL, or secure sockets layer, technology for encrypting certain "sensitive" data, including account logins.

But those access token cookies are not yet scrambled with SSL. That makes it possible for hackers to steal the cookies using widely available tools for sniffing Internet traffic, Narang said. LinkedIn said in its statement that it is preparing to offer "opt-in" SSL support for other parts of the site, an option that would cover encryption of those cookies. The company said it expected that to be available "in the coming months."

But LinkedIn officials declined to respond to Narang's critique of the company's use of a cookie with a one-year expiration.

Narang said that problem is particularly acute because LinkedIn's users are not aware of the problem and have no idea that they should be protecting those cookies.

He said he found four cookies with valid LinkedIn access tokens had been uploaded to a LinkedIn developer forum by users who were posting questions about their use.

He said he downloaded those cookies and was able to access the accounts of the four LinkedIn subscribers.
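
An added example, not part of the article and not LinkedIn's code: a Python check that flags, in a `Set-Cookie` header, the two weaknesses described above, an access token that outlives the 24-hour norm Narang cites and one that lacks the `Secure` attribute and so can travel over unencrypted HTTP. The header values, the clock and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Threshold from the article: access-token cookies typically expire in 24 hours.
MAX_SESSION_LIFETIME = timedelta(hours=24)

# Constructed sample data (not captured traffic).
NOW = datetime(2011, 5, 22, 10, 0, 0, tzinfo=timezone.utc)
WEAK = 'LEO_AUTH_TOKEN="constructed-sample"; Expires=Mon, 21 May 2012 10:00:00 GMT; Path=/'
HARDENED = 'LEO_AUTH_TOKEN="constructed-sample"; Max-Age=86400; Path=/; Secure'


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip().strip('"'), attrs


def cookie_lifetime(attrs, now):
    """Return how long the cookie persists, or None for a browser-session cookie.

    Max-Age takes precedence over Expires (RFC 6265).
    """
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: treated as a session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def audit_session_cookie(header, now, max_lifetime=MAX_SESSION_LIFETIME):
    """Return a list of (code, detail) findings for one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > max_lifetime:
        findings.append(
            ("LONG_LIVED", f"{name} stays valid for {lifetime.days} days (limit {max_lifetime})")
        )
    if "secure" not in attrs:
        findings.append(
            ("NO_SECURE", f"{name} has no Secure attribute and is sent over plain HTTP")
        )
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_session_cookie(header, NOW))
```
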

Citibank Hacked

Banking giant Citibank has confirmed that credit card data of about 200,000 of its North American customers has been hacked, the latest in a string of cyber attacks. However, Citi said other information such as credit card security codes, social security numbers, birth dates and card expiration dates was not compromised. The news was first reported by the Financial Times. "We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event," a Citigroup spokesman said in an emailed statement to Reuters. "For the security of these customers, we are not disclosing further details," the statement added.

Hacking groups have really become a big headache not only for governments but also for corporate giants as well as media organizations. In December 2010, groups like Anonymous attacked the websites of MasterCard and PayPal in retaliation for their decision to freeze the account of WikiLeaks. Sony's PlayStation Network was hacked in April and put offline due to a "compromise of personal information as a result of an illegal intrusion". At the time of the intrusion, the network consisted of "approximately 130 servers, 50 software programs and 77 million registered accounts." The attack is expected to cost Sony more than $170 million. The lack of cyber security has emboldened serious institutional cyber criminals to hack companies like Google and Lockheed Martin. In Google's case, the cyber attackers were able to gain access to personal information on Chinese political dissidents and presumably feed that information to the Chinese government. Lockheed Martin, one of the biggest defense contractors, detected a significant and tenacious attack on its information systems network on May 21. However, the company said no customer, program or employee personal data has been compromised. The website of the Public Broadcasting Service (PBS) has been hacked, and hackers have also posted a hoax story claiming that rapper Tupac Shakur was still alive and living in New Zealand. Such hack attacks show the pervasive lack of preparedness against cyber attacks, so much so that a loosely organized group of enthusiasts can deface and embarrass the largest corporations and media organizations in the world.

Google Gmail Accounts Hacked From China

Google (GOOG) disclosed Wednesday that hundreds of Gmail accounts, including those of senior U.S. officials and Chinese political activists, were targeted in a concerted hacking campaign originating from Jinan, China. Unlike a series of cyber attacks from China last year, Google said the goal this time was not its own central systems, but the individual accounts of users of its email service. The attacks, which Google said also targeted government officials in South Korea and other Asian nations, military personnel and journalists, were likely the result of "phishing" attempts, in which the attacker dupes users into sharing passwords.

There were no indications Wednesday that the latest round of attacks would prompt any change in Google's operations in China. Nor was there evidence of Chinese government involvement, although some analysts speculated Chinese officials could be indirectly involved.

"We have more than 500 employees and hundreds of partners in China and we plan to continue to work there," Google said in a written statement provided to this newspaper. Google said the latest attacks, which gained access to an undisclosed number of accounts before they were detected, intended to spy on the private email conversations of U.S. and foreign government officials, political dissidents, journalists and others. The phishing campaign is being investigated by the FBI and other federal agencies.

"We are working with Google and other U.S. government agencies to review this matter further to identify the origin of this campaign and to see what information may have been compromised," the FBI said in a written statement released Wednesday. Neither Google nor an FBI spokeswoman would comment on which senior U.S. officials were targeted. Some of the same targets of last year's Gmail attacks may have been targeted again. Tenzin Seldon, a Stanford student and Tibetan activist, said she noticed that someone improperly commandeered her email account in March and managed to send messages under her name to other Tibetan leaders.

This particular attack used a method called "spear phishing," in which the attacker uses small bits of real information to trick someone into sharing access to their email account. In this case, government officials received a message in their personal Gmail account that appeared to come from the address of a close associate or collaborating government agency, according to an analysis cited by Google as one way it discovered the latest Chinese attacks.

The messages were crafted to appear as though they had an attachment with links such as "View Download" and a name of the supposed attachment. However, the bogus link led to a fake Gmail login page, which the cybercriminals used to obtain passwords. Google "did their own extensive investigation," said Mila Parkour, who wrote the malicious software analysis cited by Google. "The attack started probably a year before if not longer." Google said in a posting to its official blog Wednesday afternoon that it had detected and disrupted "this campaign to take users' passwords and monitor their emails," and had already "notified victims and secured their accounts," as well as alerting authorities. "The goal of this effort seems to have been to monitor the contents of these users' emails, with the perpetrators apparently using stolen passwords" to gain access to Gmail accounts, the company said in its post. Google said it was not accusing the Chinese government: "We can't say for sure who is responsible," a Google spokesman said. Last year's cyber attacks broke into Google's computer security infrastructure and resulted in the theft of the company's intellectual property, allowing the attackers to gain access to the Gmail accounts of Chinese activists in the U.S. and other countries.

According to an investigation by The New York Times, the attacks originated in several schools in Jinan province. That intrusion helped precipitate Google's decision that it would no longer comply with the Chinese government's rules that it censor politically sensitive results from its Internet search results. It moved its search service to Hong Kong. Chinese government officials have vehemently denied involvement in earlier attacks. Security experts who specialize in protection against cyber attacks that originate in other countries said that even though the latest attacks targeted political activists, it may be impossible to ever prove whether the Chinese government played any role in the latest attacks. In some cases, said Larry Ponemon of the Ponemon Institute, a Michigan-based computer security consulting company, the governments of China and other nations may shelter cybercriminals in exchange for the information they steal from U.S. networks or individual accounts. While many phishing campaigns target large groups in hopes of finding a few victims, these attacks targeted specific high-value targets.

"It could be a dark alliance where the syndicate is allowed to operate, reminiscent of the (historical) privateers that became pirates," Ponemon said. "China is pretty bold. They are actually educating people to be really good hackers, to be really good cybercriminals." Typically, Ponemon said, people may be slightly less guarded about their personal email accounts. "They are going after people of consequence whose information might be valuable. That's the scary part." Parkour also believes it is likely the Chinese government was involved.

The same people "are after sensitive corporate, military and government data," she said in an email message. "They might be foreign government sponsored directly, on payroll, or indirectly, selling what they find to willing buyers."

Google on Wednesday urged its users to take safety precautions such as using its two-step verification feature for Gmail, and to use a password that they would not use for any other account but Gmail.

Social Networks become latest window for cyber attacks.

When Remya, a Facebook user, saw an application on her wall saying "Click here to check who viewed your profile," she was curious and clicked on the link. An hour later she realized her account had been hacked after friends complained that she had posted malicious links on their Facebook walls. Along with Remya, her 250 friends also became victims of the malicious software. With the growing popularity of social networking in India, perpetrators are increasingly using easy mediums such as Facebook and Twitter for conducting illicit activities.

Facebook, with around 12 million users in India, has played host to a string of malicious attacks: "The last minutes of Osama Bin Laden," "What are you doing in this video?", "You know who just got a new iPad2 for no cost," etc. These are just a few of the recent malicious campaigns that hit Facebook walls. According to security experts, the reasons for targeting Facebook are the burgeoning number of users, the users' age and their profile. Most spam messages or links have attractive headlines that make the user curious. "Since Facebook does not provide a system to view the visitors of your profile, when an application appears on the Facebook wall it's natural that you might click," says Vinoo Thomas, technical product manager, McAfee Labs. Apart from this, according to a report from Trend Micro, there was another attack on Facebook that claimed to be able to verify the security of users' accounts. It said that by clicking the link users could avoid Facebook spam. In reality, however, accessing the site is just another ploy to instigate the very same threat that the user wants to prevent.

Most social networking sites have two basic application types: social plug-ins that allow the integration of basic features onto any website, and canvas applications that interact with the profile and can send updated messages or open new pages. Another reason cited for increased attacks on Facebook is their easy access. Some of these applications can access public information and profile information, access posts in the newsfeed, access photos and videos, and access data at any time. Also, an application can request offline access privileges from a user. "If they are granted, the application can access the user information at any time, regardless of whether the user is actually interacting with the application or even logged into the social networking sites," Abhijit Limaye, Director, security response, Symantec, said.

Twitter is another social media platform that is becoming a tool for cyber criminals. Every tweet on Twitter is restricted to 148 characters, and this is becoming an advantage for criminals. Twitter is becoming a mass medium for information circulation, and most posts on Twitter use shortened Uniform Resource Locators (URLs). Cyber criminals use these embedded URLs as an easy tool: they follow you, learn your interests, and post attacks on similar topics with a shortened link to malicious content. These links can make your computer part of a botnet. Security experts recommend not using unknown applications or URLs, which can compromise your security. It is always better to take precautions than to fall prey to somebody. Recently, criminals have been leveraging global events, basing more attacks on recent events, and this is expected to grow. Experts say users have to be cautious as they become more curious about gathering information, as criminals are devising various ploys to steal information.
