Archive for the ‘Online Credit Card Transactions’ Category

DarkMarket: The Story Behind the “By-Invitation-Only” Website for Cybercriminals

Posted on November 9th, 2011 by Dan Rampe

Misha Glenny’s book, DarkMarket, relates the brief history (2005 – 2008) of DarkMarket.ws, an Internet cybercrime forum (in English) that was kind of a cross between a chat room and Amazon.com.

If you haven’t heard about the site, it probably says something about your honesty. You see, DarkMarket.ws was “by-invitation-only.” If you weren’t a cybercrook who knew a cybercrook, you were not about to get access to the URL. Very exclusive.

You know the expression “honor among thieves?”  Well, you could call getting an invitation to join, “a high honor among thieves.” The Website provided criminal entrepreneurs — stolen identity and credit-card data buyers and sellers — a venue to meet and exchange information and ideas with their peers and learn from experts about the latest technologies and scams in a professional, friendly atmosphere. Created in London by Renukanth Subramaniam, who went by the user name JiLsi, the site had 2,500 users at its peak and was a place where an online thief could buy “skimming machines” (devices installed in ATMs to record users’ credit-card details), find reviews of hardware advertised on the site, and generally catch up on the latest and greatest in crime.

You’ve probably heard this other old saying one time or another.  “You can’t bulls_ _t a bulls_ _ _ ter.”  While you may have heard it, the FBI evidently didn’t because they ended up scamming the scammers.

FBI agent J. Keith Mularski infiltrated the DarkMarket site using the name of an infamous Polish spammer, Master Splyntr. In fact, he not only infiltrated it, he became the site’s administrator!

Misha Glenny’s DarkMarket is the story of how DarkMarket.ws was taken down. Says Evgeny Morozov in his review in the Wall Street Journal, “Mr. Glenny, a gifted investigative reporter, has sought out investigators and cyber criminals alike (he visited many convicted offenders in prison and got them to talk about their trade). He dissects DarkMarket’s transient but maddeningly convoluted history in a highly meticulous, almost forensic manner….Before the story is over, Turkish military intelligence agents, the Tamil Tigers, members of the Saudi royal family and the brother of Supreme Court Justice Stephen Breyer all make appearances.”

Pointing out that it’s impossible to end cybercrime without understanding the psychology of cybercriminals, Morozov says Glenny’s book offers valuable insight. “Even though many cyber criminals have day jobs, they spend inordinate amounts of time online, mostly in a futile attempt to impress their peers and join the ranks of the digital übermenschen. Many choose cybercrime for the same reasons that disaffected youngsters choose more pedestrian forms of crime; tales of desperation, rejection and poverty loom large in this book. Faced with an unpalatable choice between a life of violent crime or seemingly victimless cybercrime, 13-year-olds in Ukraine choose the latter.”

However, no matter how they found their way into cybercrime, once in it, these criminals often act like mainstream businesses. “Obsessed with profit-maximization, they vie to annihilate competition, establish absolute monopoly and ratchet up the prices.”

While European and American police agencies seemed to work well together, the same couldn’t be said of American internal police agencies.  Offers Morozov, “Mr. Glenny recounts a grotesque story of how the FBI and the Secret Service had been investigating each other’s undercover agents, in both cases believing them to be actual criminals. Only the intervention of their British colleagues, who were privy to the secrets of both groups, prevented a major crisis.”

So, lacking guns, explosions and car chases, what kind of read is DarkMarket? The Wall Street Journal reviewer calls it “an eminently readable, witty narrative that sustains suspense until the very last pages.”

As a result of the FBI sting, there were more than sixty arrests worldwide with the man who started it getting sentenced to nearly five years in prison. So, what’s the best way to fight cybercrime if you’re not an FBI agent with unlimited time and funds?

ThreatMetrix™.

The ThreatMetrix™ Cloud-Based Fraud Prevention Platform offers a global perspective of risk from a worldwide network of shared intelligence across tens of millions of transactions across all of ThreatMetrix’s customers. The information is always up-to-date and always available. Incorporating ThreatMetrix SmartID™ cookieless device identification, the Platform lets companies authenticate user logins in real-time — without relying on personally identifiable information (PII). So, even in a worst case scenario where a breach has occurred, cybercriminals never have access to personal information such as birth dates, maiden names and Social Security numbers.

 

ThreatMetrix Deploys the Latest Version of Its Cloud-Based Fraud Prevention Platform

Posted on November 7th, 2011 by Dan Rampe

Integrated into the latest release of the ThreatMetrix™ Cloud-Based Fraud Prevention Platform is a new multi-layered data encryption architecture feature that takes data encryption to a whole new level.  Addressing strict security requirements, the new feature provides multi-layered encryption of customer-siloed data and global customer data with minimum impact on customer response times.

Should any one customer account be compromised, data loss is limited to that one customer.  Even if the data center hosting ThreatMetrix services were compromised, the encrypted data would remain confidential. Customer data shared with ThreatMetrix™ for fraud protection purposes remains secure. And, there’s no worry about a degradation in performance.

“It’s our goal to raise the bar for the level of security and privacy of online transactions,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “The question is not if a consumer’s identity will be compromised, but it’s a matter of when it will be compromised. Credit card companies can update their credit cards if they’ve been compromised, but consumers can’t simply recycle their identity. ThreatMetrix is staying one step ahead so fraudulent activity is minimized and our clients can do a better job of protecting their customers.”

Faulkner added, “ThreatMetrix, in broadening its strategy as a leader in digital cyber identification, views the new data encryption feature as a critical next-step toward protecting privacy and enhancing the security of confidential consumer information during online transactions. Activities associated with hacker group LulzSec and many recent high-profile data breaches like Epsilon and PlayStation — which resulted in millions of compromised accounts — underline the need for new encryption technology that better protects both online brands as well as consumers.”

The new release offers a host of new benefits including new fraud detection rules, device identification improvements, administrative enhancements, queue management improvements, and changes to the ThreatMetrix Portal around access and data privacy.

Faulkner observes, “PII is no longer an effective authentication tool by itself, as it can’t authenticate the person behind the transaction. Context is key, which means looking past the device and also considering other factors associated with the device, like phone number and email. We’re looking for anomalies in customer data, in conjunction with the underlying device reputation behavior. It’s whether or not all transactions and customer and device information make sense in the context of that transaction. We then apply this intelligence across a comprehensive global network to stop fraud in real-time and better protect consumers.”

Today, ThreatMetrix serves social networks, financial services, e-commerce companies et al. by authenticating payments, new accounts, and customers in real-time — without hassling those customers for personal information like Social Security Numbers, mothers’ maiden names, etc. It’s estimated that ThreatMetrix helps screen up to one-billion online transactions each month and is successfully eliminating the threat of an estimated 300,000 fraudulent attempts every day! That’s why ThreatMetrix has become the fastest growing provider of cloud-based fraud prevention solutions that don’t require personally identifiable information.

 

 

Anonymous Occupies Wall Street by Way of Alabama, Massachusetts and Virginia

Posted on November 3rd, 2011 by Dan Rampe

Anonymous took more than 600 MB of data from the International Association of Chiefs of Police and took down the IACP’s Website for good measure. Then Anonymous released data which included internal documents, membership rosters, home addresses, passwords, Social Security numbers, etc.

Now, if you agree with Occupy Wall Street, you may feel the hacker group Anonymous has its heart in the right place. But, wherever Anonymous’s heart is, the rest of its geography seems a bit skewed.

As everybody who’s ever lost money in the market knows, Wall Street’s in New York. But Anonymous revealed 1000 names and passwords from the Boston Police Patrolmen’s Association; 1000 names, ranks, social security numbers, addresses and phone numbers from Alabama law enforcement systems; and the full contact database from Arlington, Virginia’s Matrix Group, a web development agency serving government Websites.

Attacking police in Boston and Alabama to support a protest in New York? Some observers might be tempted to draw a parallel between these Anonymous attacks and the invasion of Iraq as retribution for 9/11, which was carried out by Bin Laden from Afghanistan.

Anyway…

According to Meghan Kelly in VentureBeat.com, the Anonymous rationale for the attacks wasn’t supposed to be along geographic lines. “Anonymous said it wanted to attack the police directly because they act as a protector of ‘the one percent,’ or what OWS protesters describe as the fortunate few who hold the majority of the wealth that would otherwise benefit the remaining ‘99 percent.’”

Anonymous has attacked police in the past in an effort to “expose corruption and brutality.” In Anonymous’s own words, “We have no problem targeting police and releasing their information even if it puts them at risk because we want them to experience just a taste of the brutality and misery they serve us on an everyday basis.” Spoken like somebody who was caught in a speed trap. Or had his/her vehicle ticketed and towed when the meter was busted. Or got cited for jaywalking at 3 in the morning on a deserted side street in a hurricane. Sort of sounds like that.

In an odd twist, Kelly points out that a call to the Baldwin County, Alabama Sheriff’s office via Skype came from a man with a British accent, who claimed he hacked the Sheriff’s website because he was bored.  Kelly’s conclusion – the man was calling from the U.K. and this was an example of how Anonymous is “disjointed.”

No matter how anybody feels about Anonymous’s goals, its tactics, which disclose personal identifying information, are either regrettable or reprehensible. No matter which, there’s one solution designed to thwart an Anonymous attack. And that solution comes from ThreatMetrix™. ThreatMetrix doesn’t rely on passwords, user names or any other personal identifying information to protect its clients. Instead the ThreatMetrix™ Cloud-Based Fraud Prevention Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to stop the bad guys and let the good guys go.

 

 

The SEC Wants Full Disclosure

Posted on November 1st, 2011 by Dan Rampe

Following a rash of security breaches at Sony, Google, Lockheed Martin, Citigroup, the International Monetary Fund and more, the Securities and Exchange Commission told public companies to disclose cyberattacks that could potentially lead to unexpected losses.

Senator John Rockefeller asked the SEC to issue rules governing what companies are required to disclose. The guidelines come as a result of the concern that companies might be failing to mention data breaches in their public filings.

According to a report in Venturebeat.com, the SEC said that if a cyber attack leads to losses, companies have to disclose the losses, or at least “reasonably possible” estimates of those losses.

In a statement to Reuters, Rockefeller noted, “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything.”

Because it could help cybercriminals, companies would not be required to describe how they would go about protecting themselves. However, companies are responsible for disclosing:

  • The costs of fixing compromised networks
  • Increased cyber protection costs that might involve changes to personnel
  • Lost revenue from unauthorized access to information
  • Losses related to the failure to retain customers after an attack
  • Litigation costs, and reputation damage after an attack

There’s one way not to have to report bad news.  That’s not to have bad news to report. With ThreatMetrix™ solutions, the news is invariably good.  Without requiring personal identifying information that can be compromised, ThreatMetrix solutions catch cybercriminals in real time before they can do real damage.

ThreatMetrix combines a computer’s packet signature data with transaction details and credentials that are obtained anonymously and “unlinkably” by the user to differentiate between cybercriminals and genuine customers.

 

 

Privacy Goes Public with IAPP, an Organization Devoted to Privacy… and January 28, 2012, a Day Devoted to Privacy

Posted on October 31st, 2011 by Dan Rampe

Everybody seems to be looking at privacy. Talk about an oxymoron. But, because of a raft of security breaches that disclosed personal identification information that could be used for everything from blackmail to identity theft, the U.S. and other governments, privacy-advocacy groups and the security industry itself have become “major-league” privacy conscious.

One of the leading organizations taking up online privacy is the International Association of Privacy Professionals or IAPP.  Founded in 2000, the IAPP is the world’s largest association of privacy professionals. Its more than 9,000 members in 70 countries help define, support and improve the privacy profession through networking, education and certification.

The IAPP deals with tough questions that face all security professionals.

  • Could your organization’s reputation survive a breach?
  • Is there a possibility that your corporation could be the target of an FTC enforcement action?
  • How do you ensure that your organization’s products are trustworthy?

The IAPP’s programs, symposia, dinners, Web conferences and events include a Privacy Academy. The last one, held in Dallas, Texas in September, offered 60 sessions featuring operational programming and tools covering issues like mobile applications, consumer-data protection, employee privacy and building bridges between security and privacy. In addition, there were keynotes from consumer privacy leaders that included FTC Commissioner Julie Brill.

Another organization at the forefront of the online privacy movement is the National Cyber Security Alliance (NCSA). Board members include: ADP, AT&T, Bank of America, Cisco Systems, EMC Corporation, ESET, Facebook, General Dynamics Advanced Information Systems, Google, Intel, Lockheed Martin Information Systems & Global Services, McAfee, Microsoft, PayPal, Science Applications International Corporation (SAIC), Symantec, Verizon and VISA.

A non-profit public-private partnership focused on cybersecurity awareness and education, NCSA is organizing and leading the effort to make January 28, 2012 Data Privacy Day. Scheduled to be an annual event, this international awareness initiative promotes data privacy and protection across the United States, Canada, and a host of other countries across the world.

Another organization stands at the forefront of privacy. That organization is ThreatMetrix™. Because the ThreatMetrix™ Cloud-Based Fraud Prevention Platform does not rely on passwords, user names and other personal data to identify returning visitors, it offers unmatched security and unrivalled privacy. ThreatMetrix’s Cloud-Based Fraud Prevention Platform provides a global perspective of risk from a worldwide network of shared intelligence across tens of millions of transactions across all ThreatMetrix customers. Information is always up-to-date and always available. With ThreatMetrix, companies can have it all — privacy and security.

 

 

 

 

Reshipping: Where a Mule Makes an Ass of Himself…or Herself

Posted on October 27th, 2011 by Dan Rampe

A long time ago, online retailers caught onto cybercriminals using stolen credit card accounts to buy expensive consumer products online, then turning around and reselling them in Eastern Europe, North Africa or Russia. The retailers’ answer was to stop shipping goods to these places.

But, reports security expert Brian Krebs in his blog, KrebsonSecurity, “these restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.”

Krebs points out, “There are dozens of businesses in the criminal underground engaged in merchandise laundering, known as ‘Drops for stuff’ on cybercrime forums.”

The people “hired” to do the reshipping are variously known as reshippers, mules or drops. “The ‘drops,’” says Krebs, “are people who have responded to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and cash bonuses. But the crooks almost always sever communications with drops just before the first payday, usually about a month after the drop ships their first package.

“A typical drop will receive and reship between two and four packages per day. The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the U.S. Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.”

Dropforrent.com is a kind of cyberspace fence operation that offers “clients” (cybercrooks) and “managers” (people who do recruitment scams) a percentage of what they steal. Krebs explains that Dropforrent pays managers and clients 30 percent of the value of laptops from ACER, HP, Toshiba, Dell, Compaq and Samsung, for example, and more than 40 percent of the retail price for Apple, Sony, VAIO, Canon and Nikon products. Incidentally, if you do a search for Dropforrent online, you’ll get a score of websites warning you to stay away, that the jobs the site offers are a scam.

In addition to electronics, Krebs says, “Drops also can be used to reship virtually anything else that the client or manager would like to use or consume themselves, such as clothes, jewelry, and candy. For this service, clients and managers pay a flat rate of 50 percent of the value of the goods to have the items reshipped abroad.”

An example of a standard operating procedure (rules for mules), hosted by KrebsonSecurity.com at http://krebsonsecurity.com/wp-content/uploads/2011/10/applestore-directinstructions.html, is reproduced here without editing:

Use your applestore-direct.com Account to:

- Check a shedule about package deliveries
- Send messages to your manager
- Edit Your Default address and shipping address
- Upload your resume and documents for an approvement
- To check total scores and money you earn

IMPORTANT INFORMATION ABOUT SCORE AND PAYMENT SYSTEM:
YOU WILL RECEIVE APPROXIMATE 40 PACKAGES FOR MONTH
YOUR SALARY BASED ON THE 2000$ MONTHLY PAYMENT, STARTING FROM THE SHIPPING FIRST PACKAGE
AND THERE IS A BONUS SCORE SYSTEM
FOR EVERY SHIPPED PACKAGE YOU GET A SCORE
10-SCORES IF YOU SHIPPED A PACKAGE ON THE SAME DAY BEFORE THE NEXT DAY NOON
5-SCORES IF YOU SHIPPED A PACKAGE ON THE NEXT DAY
0-SCORES IF YOU DELAYED PACKAGEs SHIPPING FOR 3 DAYS AND MORE

ON YOUR PAYDAY THE SCORES WILL BE CHANGED TO MONEY AND ADDED TO YOUR TOTAL INCOME IN RATE OF
10 SCORES-50$
5 SCORES-25$
3 PENALTIES- MINUS 100$

PENALTIES CAN BE USED BECAUSE OF ANY SHIPPING DELAYS, NOT CONTACTING YOUR REGIONAL MANGER IN TIME, NOT COMPLETED ORDERS, MISSED PACKAGES TO YOUR ADDRESS WITHOUT ANY REASONS

Krebs observes, “Well-run reshipping schemes can launder huge volumes of stolen goods in a relatively short time. The minimum order dropforrent.net accepts is $300. Records at dropforrent.net show that since the beginning of this year, drops hired through one front site have shipped more than 800 orders — at least a quarter million dollars worth of stolen goods.”

And, the best part about the scam from the cybercriminals’ point of view?  If anything happens, the drop or reshipper or mule is the person the long arm of the law will snag.

For online businesses to avoid being victims of reshipping, the answer is ThreatMetrix.  Device identification is the first and most effective layer in a multi-layered defense against cyber criminals. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect social security numbers, email addresses or bank account information.

 

OMG! Not Again! Sony Say It Ain’t So.

Posted on October 26th, 2011 by Dan Rampe

Okay, so maybe Sony can’t say it didn’t happen…again.  It did. But, there is one bright spot from the latest hacking. The company learned something from previous break-ins.

As reported in Wired.com, hackers broke into more than 93,000 Sony customer accounts. Sony believed those customers used the same Sony login credentials to log on to other sites and that the other sites were hacked, providing access to the customers’ PII (personally identifiable information).

Phil Reitinger, Sony’s new chief information security officer, announced the break-in. Hired last month as part of Sony’s efforts to improve security after two previous break-ins, Reitinger had been Deputy Under Secretary of the National Protection and Programs Directorate and Director of the National Cyber Security Center at the Department of Homeland Security. Prior to that, he was Microsoft’s chief trustworthy infrastructure strategist.

What Sony learned from previous breaches was to get the bad news out as fast as possible. Last time it took Sony a week to tell customers hackers had stolen the personal information of 75 million of its customers. And, there was no hurry to admit breaches had taken place at Sony Pictures, Sony BMG and Sony Online Entertainment, the last of which resulted in an additional 25 million customers’ information being compromised.

This time it took Sony just two working days to fess up. The quick response may have been a reaction to a class-action lawsuit accusing Sony of failing to adequately secure data, depriving customers of the use of the network for an extended period of time (an almost Biblical 40 days) and failing to notify customers of the breach in a timely manner.

Reitinger explained hackers had tested a “massive set of sign-in IDs and passwords” at websites for several of its properties — Sony Entertainment Network (SEN), PlayStation Network (PSN) and Sony Online Entertainment (SOE). Most of the login credentials failed to gain the intruders access, but about 60,000 credentials matched those used by SEN and PSN users, and another 33,000 matched credentials for SOE accounts.

Observed Reitinger, “[G]iven that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks.”

He noted that a “small fraction” of the accounts showed activity after they were breached, but that the intruders couldn’t access credit card account information. Sony had since locked all of the accounts accessed through the attack until customers could be notified to change their passwords.

Reitinger promised to “work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.”

Including expenses for shoring up its network against future attacks, Sony estimated the breaches last spring would cost it more than $170 million.

If users don’t have to create a profile with personal information, such as birth dates, maiden names and Social Security numbers, to log on to a website, hackers can never have access to that information. Because the ThreatMetrix Cloud-Based Fraud Prevention Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction, ThreatMetrix avoids the pitfalls of PII as an authentication method.

Customer confidentiality is respected at the same time online fraud is being detected.

 

 

Is There an FTC Probe in Facebook’s Future?

Posted on October 25th, 2011 by Dan Rampe

Five class action lawsuits have been filed against Facebook alleging that it violated wiretap laws by having user-ID tracking cookies track those users’ browsers on sites integrated with Facebook — after the users had logged off.

Gavin Dunaway on Adotas.com reports, “One of the suits seeks statutory damages of $100 per day for every member of the class (the lawsuit is trying to certify all 150 million U.S. Facebook members as a class — so $15 billion a day….) or $10,000 per violation, plus punitive damages, attorney fees and court costs.”

But, rather than the lawsuit route, Dunaway thinks the Federal Trade Commission (FTC) would be a better arbiter of whether Facebook is guilty of stepping on users’ privacy rights.

What is Facebook accused of?

Well, according to Dunaway, after an Australian developer discovered Facebook leaving cookies (including the one with the user’s unique account number) on the user’s browser after the user logged out, Facebook revised its logout rules so the user ID cookie was deleted on log out along with the cookie that’s used to stop “cross-site forgery.”  However, Facebook kept the rest of the cookies that it had put on the user’s browser for security purposes to ensure users were who they said they were on login.

Stanford Security Lab’s Jonathan Mayer discovered that the cookie that sends data back to Facebook from Facebook-integrated sites, whether users are logged in or not, was back. This came after the cookie had been removed by Facebook just before publication of a Wall Street Journal article decrying the fact the cookie was there.

So, what’s Facebook doing with the data obtained by this cookie from third-party sites? (Facebook says it keeps the data for up to 90 days, then deletes it.)

Though there’s no evidence Facebook is profiling users for targeted advertising (all Facebook’s targeted advertising is based on user-submitted/shared information), Dunaway speculates the data could well be used for that purpose. But, he adds, even if Facebook is not using the data for advertising, “It’s associating browsing data with specific users.”

While the Wall Street Journal was questioning Facebook’s motives for its use of tracking cookies, Derrick Harris in a GigaOm.com story pointed to the Wall Street Journal’s own privacy policy update, which included the use of new registrants’ personally identifiable information (PII) in building online profiles. The Journal claimed it was for content purposes only.

But, Dunaway admits, “Just like a lot of the ambivalent people (consumers and OBA [Online Behavioral Advertising] industry folk) out there that Harris is worried about, I got a bad case of online privacy fatigue. There’s so much back and forth and so many accusations shouted into the media megaphone, but nothing really ever happens. Nothing ever changes.”  Dunaway used the example of Facebook’s removing, then reinstating the tracking cookie after the Wall Street Journal’s story had run.

Because he doesn’t feel the lawsuits will be able to prove individuals have been harmed by Facebook’s gathering personal information and because many in media have grown tired of tackling the privacy issue, Dunaway believes, “…an FTC investigation is the ideal solution for both examining Facebook’s data collection practices and stirring the online privacy fatigue.”

Dunaway explains, “… it’s time for the FTC to talk less and act more. For at least two years, the FTC has been fanning consumer fires over privacy controls while promising OBA companies it won’t ‘strangle the golden goose.’ But what’s it actually done?”

Dunaway continues, “Granted, I’ve gotten used to the speed of digital innovation and forgotten the lurching pace at which Washington moves. But agency members’ constant tsk-tsking about the industry pulling its act together has only highlighted the lack of progress in an OBA framework.

“Well, here’s your chance for action, FTC — to actually show you’re protecting online consumers while insuring a fledgling (relatively) industry can continue to flourish. Investigate Facebook’s use of tracking cookies, give us a detailed report. And please don’t take two years to do it….”

The Wall Street Journal, Facebook et al. say they’re only interested in protecting users’ privacy rights and protecting their sites and contents from cybercriminals. If that’s the case, the solution is as close as www.threatmetrix.com. ThreatMetrix offers device identification solutions that recognize returning visitors without cookies and also recognize them even when their device fingerprints change. ThreatMetrix has solutions that protect against bad scripts and fraudulent account logins, payments and transactions. With customized rules for each, it’s designed to interdict attacks of fraud in real time, while passively and transparently profiling users — without collecting extraneous personal identity information. ThreatMetrix offers universal, reliable fraud detection that puts an end to overreliance on identity authentication.

 

 

PSST. Hey, Buddy. Interested in a Watch? How About Source Code? Intellectual Property? Or We Got Some Primo R&D Reports. Never Been Read.

Posted on October 24th, 2011 by Dan Rampe

Cyberthieves have grown significantly more “professional” than they were in their “hit-or-miss” hacking past. Instead of using viruses and Trojans to search for logins or credit card details, cybercrooks are now beginning to specialize. They hack into corporate networks looking for intellectual property and business secrets their customers requested in advance. It’s like a gang of “upscale” car thieves who steal prestige and high-performance cars to fill an order.

Says Raj Samani, chief technology officer in Europe for McAfee, in a BBCMobile.com report, “Cyber criminals are targeting this information based on what their clients are asking for.” “In some cases,” adds Mr. Samani, “thieves were running campaigns to get at particular companies or certain types of information.”

The attacks have also grown more sophisticated. Hackers have turned to the Stuxnet virus to target industrial plant equipment, petrochemical firms, the London Stock Exchange, the European Commission and many others.

Another new wrinkle is the possibility of a “wolf-pack” attack.  According to BBCMobile.com there were cases in Germany, Brazil and Italy where trade secrets were either stolen by an insider or cyberthieves tried to get hold of the information through concerted attacks.

Several areas where corporations may be lax and should be paying more attention include:

  • Who’s looking after corporate data when it’s moved into the cloud or sent to a third-party host center?
  • Is the corporate culture or structure being revealed through innocent email, Twitter, Facebook, etc. messages that would make it possible for cybercriminals to pose as employees to penetrate the network?
  • Is there an effort to watch casual and contract employees who may not have been vetted as closely as permanent staff?
  • Is the corporation using behavioral analysis software to spot anomalous activity on the corporate network?

More difficulties arise from the fact that the theft of intellectual property or key documents could be hard to detect. “You may not even know [your property has been] stolen because [the thieves] just take a copy of it,” notes Mr. Samani.

In addition to the theft of trade secrets, marketing plans, R&D reports and source code, BBCMobile.com notes that cybercriminals are also making off with something less tangible, but just as important – the trust of customers.

The best way to maintain customers’ trust and avoid the damage cybercriminals can wreak on a company is with ThreatMetrix. Providing solutions, which can’t be compromised by break-ins, ThreatMetrix protects against bad scripts and fraudulent account logins, payments and transactions. With customized rules for each, ThreatMetrix solutions are designed to interdict attacks in real-time, while passively and transparently profiling users — without collecting extraneous personal identity information. ThreatMetrix offers universal, reliable fraud detection that puts an end to overreliance on identity authentication.

Would You Care for Some Wine and Identity Theft with Your Order?

Posted on October 19th, 2011 by Dan Rampe

For anybody who is unfamiliar with it, Queens is one of New York City’s five boroughs. It is the home of the New York Mets, JFK and LaGuardia airports, the U.S. Open tennis tournament and now, the biggest identity theft bust in U.S. history.

Restaurant workers, bank tellers and other service employees skimmed, swiped and scammed millions of dollars worth of personal credit information from thousands of American and European consumers. The cost to victims, financial institutions and retail businesses was more than $13 million over a 16-month period. Now 111 people are charged and 86 are in custody.

In New York, employees of banks, retail outlets and restaurants would skim credit card information while swiping customers’ credit cards. Others were tasked with stealing credit card information online.  The numbers were then handed off to teams who, using blank credit cards from overseas, forged Visas, MasterCards, Discover and American Express cards as well as fake IDs.

Sometimes the alleged crooks would employ an “impersonator,” an individual who contacted financial institutions or retail stores and impersonated the true cardholder to check on the actual cardholders’ credit.  After all, they probably didn’t want to get charged fees for going over their credit limits.

Anyway…

The bogus plastic was turned over to teams who went on spending sprees at higher-end stores including Apple, Bloomingdale’s and Macy’s in New York, Florida, Massachusetts and Los Angeles. During these shopping sprees, criminals used forged credit cards to stay at such five-star hotels as the Fontainebleau and The Royal Palm in Miami Beach and the high-end private villas of the El Conquistador in Puerto Rico. They are also alleged to have used forged credit cards to rent Lamborghinis and Porsches and, in one instance, a private jet to take them from New York to Florida.

The groups would then resell the merchandise that included iPads, iPhones, computers, watches and upscale handbags from Gucci and Louis Vuitton in China, Europe and the Middle East.

In addition to credit card fraud, twenty-four defendants were variously charged with burglaries and robberies throughout Queens County, including conspiring to commit a bank robbery. Five are charged with stealing more than $95,000 worth of cargo from Kennedy Airport and seven of stealing approximately $850,000 worth of computer equipment from the Citigroup Building in Long Island City.

“This is by far the largest – and certainly among the most sophisticated – identity theft/credit card fraud cases that law enforcement has come across,” said District Attorney Brown. “Credit card fraud and identity theft are two of the fastest growing crimes in the United States, afflicting millions of victims and costing billions of dollars in losses to consumers, businesses and financial institutions…. Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years.”

The investigation involved physical surveillance, intelligence gathering and court-authorized electronic eavesdropping on dozens of different telephones in which thousands of conversations were intercepted. Many required translation from Russian, Mandarin and Arabic to English.

Indictments charge that Imran Khan, Ali Khweiss, Anthony Martin, Sanjay (a/k/a Rocky) Deowsarran and Amar Singh were “bosses” of the criminal enterprise.

In what could be considered an act of irony or chutzpa or both, one defendant, Nelson Feliciano, who owns a security firm, allegedly allowed others to make a counterfeit credit card using his business account information and to use that account to make $50,000 in purchases before claiming that the charges were fraudulent and that he was a victim of identity theft.

The indictment also charges Jonathan Ortiz, Wilfred Rodriguez, Travis Hassang, Angel Quinones and two other individuals, who have not been apprehended, with stealing approximately $850,000 in computer equipment. In a stirring demonstration of motherly devotion, Jonathan Ortiz’s mother, Maria, has been charged with hindering prosecution by logging into her son’s Facebook account to create an alibi for him – allegedly. Now, don’t you just hate it when parents insist on checking what their kids do online?

Govinfosecurity.com’s Managing Editor, Tracy Kitten, gathered analysis from security experts:

Gartner’s Avivah Litan says, “I think this does point out that U.S. law enforcement has beefed up multilingual capabilities in Russian, Mandarin and Arabic, which is critical to its activities, and is a big improvement over the situation pre-9/11.”

Aite Group’s Julie McNelley observes, “While the operation spanned the five continents, the focus of this bust appears to be the hub of the operation in Queens.”

Security author and writer Neal O’Farrell notes, “We know there are scams like this being run in almost every city, usually in the $500,000 to $1 million range. That usually makes them too big for local law enforcement to investigate and too small for federal agencies to pick up. The big problem we’re seeing is that because the low- to mid-level crooks and gangs are going unchallenged, they simply have more time to get better, perfect their art, steal more, and hide their tracks. By the time law enforcement uncovers them, there’s little left to prosecute.”

The ThreatMetrix™ Cloud-Based Fraud Prevention Platform offers a global perspective of risk from a worldwide network of shared intelligence across tens of millions of transactions across all of ThreatMetrix’s customers. The information is always up-to-date and always available. The ThreatMetrix Cloud-Based Fraud Prevention Platform, incorporating ThreatMetrix SmartID™ cookieless device identification, lets financial institutions and others verify new accounts, authorize payments and transactions and authenticate user logins in real time — without relying on personally identifiable information (PII). So, even in a worst-case scenario where a breach has occurred, cybercriminals never have access to personal information such as birth dates, maiden names and Social Security numbers.