Posts Tagged ‘credit cards’

A Book About the World War With No Bloodshed But Countless Casualties

Posted on December 28th, 2011 by Dan Rampe

Inside Cyber Warfare: Mapping the Cyber Underworld by Jeffrey Carr, just released in a second edition, is a wide-ranging overview of virtually every type of online illicit activity, from cyber spying and cyber theft to malware attacks and identity theft.

Carr, a cyber intelligence expert, is a columnist for Symantec’s Security Focus. A writer who specializes in investigating cyber attacks against governments and infrastructures, he has been quoted in The New York Times, Washington Post, The Guardian, Business Week, Parameters, and Wired. Carr was also principal investigator for Project Grey Goose, an open source intelligence investigation into the Russian cyber attacks on Georgia in August 2008.

With a foreword by former Secretary of Homeland Security Michael Chertoff and guest essays, including one by Melissa Hathaway, former senior advisor to the Director of National Intelligence and Cyber Coordination Executive, Inside Cyber Warfare is encyclopedic in scope as it takes up:

·      The Conficker Worm: The Cyber Equivalent of an Extinction Event?

·      Africa: The Future Home of the World’s Largest Botnet?

·      The StopGeorgia.ru Project Forum

·      The Russian Information War

·      The Gaza Cyber War between Israeli and Arabic Hackers during Operation Cast Lead

·      Control the Voice of the Opposition by Controlling the Content in Cyberspace: Nigeria

·      Are Non-state Hackers a Protected Asset?

·      The Legal Status of Cyber Warfare

·      The Antarctic Treaty System and Space Law

·      The Law of Armed Conflict

·      Is This an Act of Cyber Warfare?

·      Responding to International Cyber Attacks as Acts of War

·      Analyzing Cyber Attacks under Jus ad Bellum – whether entering into a war would be a just war

·      The Korean DDoS Attacks (July 2009)

·      One Year After the RU-GE War (the War between Russia and Georgia), Social Networking Sites Fall to DDoS Attack

·      Ingushetia Conflict, August 2009

·      Pakistani Hackers and Facebook

·      TwitterGate: A Real-World Example of a Social Engineering Attack with Dire Consequences

·      False Identities

·      Components of a Bulletproof Network

·      The Bulletproof Network of StopGeorgia.ru

·      SORM-2

·      The Kremlin and the Russian Internet

·      A Three-Tier Model of Command and Control

·      Organized Crime in Cyberspace

·      Russian Organized Crime and the Kremlin

·      Using Open Source Internet Data

·      Team Cymru and Its Darknet Report

·      Using WHOIS

·      Weaponizing Malware

·      The Role of Cyber in Military Doctrine

·      China Military Doctrine

·      A Cyber Early Warning Model

·      Advice for Policymakers from the Field

·      When It Comes to Cyber Warfare: Shoot the Hostage

·      The United States Should Use Active Defenses to Defend Its Critical Information Systems

·      Scenarios and Options to Responding to Cyber Attacks

·      Whole-of-Nation Cyber Security

·      Conducting Operations in the Cyber-Space-Time Continuum

·      Anarchist Clusters: Anonymous, LulzSec, and the Anti-Sec Movement

·      Social Networks: The Geopolitical Strategy of Russian Investment in Social Media

·      Globalization: How Huawei Bypassed US Monitoring by Partnering with Symantec

·      The Russian Federation: Information Warfare Framework

·      Russia: The Information Security State

·      Russian Ministry of Defense

·      Internal Security Services: Federal Security Service (FSB), Ministry of Interior (MVD), and Federal Security Organization (FSO)

·      Russian Federation Ministry of Communications and Mass Communications (Minsvyaz)

·      Cyber Warfare Capabilities for: Australia – Brazil – Canada – Czech Republic – Democratic People’s Republic of Korea – Estonia – European Union – France – Germany – India – Iran – Israel – Italy – Kenya – Myanmar – NATO – Netherlands – Nigeria – Pakistan – People’s Republic of China – Poland – Republic of Korea – Russian Federation – Singapore – South Africa – Sweden – Taiwan (Republic of China) – Turkey – United Kingdom

·      US Department of Defense Cyber Command and Organizational Structure

·      Active Defense for Cyber: A Legal Framework for Covert Countermeasures

·      Covert Action

·      Cyber Active Defenses as Covert Action Under International Law

The book covers much more in its 316 pages, which are topical while also providing in-depth analyses of the often dark underbelly of cyberspace.

For maximum protection from cyberspace’s dark underbelly, there’s one company that stands out — ThreatMetrix. ThreatMetrix offers superior solutions that can’t be compromised by break-ins. ThreatMetrix solutions protect against bad scripts and fraudulent account logins, payments and transactions. With customized rules for each, ThreatMetrix solutions are designed to interdict attacks of fraud and other criminal behavior in real-time, while passively and transparently profiling users — without collecting extraneous personal identity information such as Social Security Numbers, birth dates and mother’s maiden names.

Lucky Supermarkets. Not So Lucky for People Whose Debit and Credit Card Info Was Ripped Off

Posted on December 27th, 2011 by Dan Rampe

Superstition has it that if a horseshoe is hung upside down, the luck runs out. Running out of luck and into a scam is exactly what happened to a number of unlucky Lucky Supermarket customers in Northern California.

U.S. Secret Service agents told Save Mart CFO Stephen Ackerman (Save Mart is Lucky’s parent company) that the device thieves concealed in Lucky card readers was “the most sophisticated device [they’d] ever seen in the United States.” Without being detected, thieves planted circuit board sniffer devices inside debit and credit card readers at self-checkout lanes in several San Francisco Bay Area stores. To make detection more difficult, only one card reader at each store was targeted.

Lucky informed customers that they might have to cancel their credit cards or change their bank accounts. “At this time, we strongly recommend that anyone who used our self-check terminals in the affected stores during the months of October and November consider closing their bank account and opening a new one,” said Ackerman.

Television station KTVU said that thus far eighty people have reported money taken or suspicious activity on their accounts with losses in the thousands of dollars.

Lucky only discovered that the card readers had been tampered with after routine maintenance. You might say Lucky found them by “sheer luck.” Once detected, the affected card readers were immediately removed.

While management told KTVU that a recurrence of the tampering “could not happen again,” federal investigators were not quite so optimistic. However, the feds did have a clue as to how thieves were able to plant the sniffers. It seems someone had stolen credit card readers from a Lucky store in Fresno, California several months prior. If and when they catch the individuals responsible for that theft, the feds could be on their way to finding the thieves.

Authorities maintained that thefts of this nature are most likely to occur over the weekend when most financial institutions are closed or have limited hours. To protect against credit card and other financial fraud 24/7/365, more and more online financial institutions are turning to ThreatMetrix.

ThreatMetrix solutions combine a computer’s packet signature data with transaction details and anonymized credentials (credentials that are obtained anonymously and unlinkably by the user) to differentiate between honest transactions and fraudulent ones. Financial institutions are protected against bad scripts and fraudulent account logins, payments and transactions.

IAM Overwhelmed!

Posted on November 16th, 2011 by Dan Rampe

Ericka Chickowski, a contributing editor at Darkreading.com, did a piece titled “Tales of De-Crypt 2011.” Considering it was scheduled to run sometime around Halloween, the title was “scary clever” while the subject matter was just plain scary. Chickowski observes that 2011 has been “a banner year for authentication and Identity and Access Management (IAM) failures, with embarrassments of epic proportions hitting the headlines nearly every month…. [There have been] targeted authentication tokens, sophisticated password-stealing Trojans, rogue certificates, stolen passwords and misappropriated accounts.”

Ms. Chickowski compiled a list of the top ten worst “hacks, vulnerabilities and screw-ups to hit the headlines in 2011.” The upside is that the top-ten list has only seven entries. It also has some lessons to be learned.

1. The RSA Tokens That Took a Lot of People for a Ride. “After a junior employee at security heavyweight RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the company’s network and hack into its SecurID servers. RSA confirmed that some ‘information related to the RSA SecurID product had been extracted.’” Extracted is another way of saying ripped off.

So what was learned? Don’t put all your eggs in one basket and leave the basket where anybody can trip over it. Or as Darkreading.com put it, “Security experts were aghast that the token seeds were resident in a place on the network where a hacker could even find them. The incident illustrates that network segmentation is a key best practice to mitigate the risk of a company’s most critical assets.”

2. The Death of DigiNotar. A hacker with the moniker ComodoHacker created fraudulent Comodo SSL certificates in March, then, later, broke into the certificate authority DigiNotar to issue 500 more certificates. The actions of ComodoHacker, who claimed to have hacked other certificate authorities, ultimately led to the demise of the company.

So what was learned? A stitch in time saves nine? A penny saved is a penny earned? A wet bird never flies at night? No, what was learned was, “DigiNotar knew about the fake certs long before the news went public and did nothing to get the word out. The situation is a good reminder of how important communication is in high-impact breach situations. It also illustrates that the fundamental basis of trust for Internet authentication still needs work.”

3. HBGary Federal’s “Federal Case” Over Anonymous Backfires. After the company’s CEO said he was about to release information about Anonymous, the group infiltrated HBGary’s network through SQL injection, stole stored passwords and got control of the company’s email, internal accounts and its executives’ social media accounts.

So what was learned? As they used to say in the U.S. Infantry (and probably still do), in not such genteel terms, “Don’t let your alligator mouth overload your hummingbird ass.” Darkreading.com put it this way: “Hubris is not becoming of security executives who run companies that store passwords on insecure servers. Even the humble should learn to keep passwords better protected from multi-stage attacks that start with SQL injection. Anonymous was able to use rainbow tables to crack the passwords’ encryption because the firm used weak MD5 hashes to protect them.”

4. Beware the LulzSec. After breaking into networks, LulzSec members distributed unencrypted passwords and other sensitive information, such as emails that impacted everyone from Sony to the U.S. Senate and compromised millions of accounts.

So what was learned? The bigger they come, the harder they fall. That could be one of the things learned. But Darkreading.com pulled out some other lessons, like “a lack of input validation or database monitoring [allowed LulzSec] to commit SQL injection attacks at will. And …organizations [have a tendency] to store login information unencrypted and unprotected within network systems.”

5. Don’t Count on Citi Account Numbers. Darkreading.com says, “Hackers were able to game Citigroup’s online account site by manipulating the account number that appeared in the Web address browser bar to randomly guess other account numbers and gain access to random customers’ accounts. The trick gave them access to customer names, account numbers, and transaction information.”

So what was learned? Money is the root of all evil? Or rather, lack of money is the root of all evil? No. Actually it’s that “web applications providing access into sensitive information, financial or otherwise, must be tested not only for vulnerabilities but also for business logic flaws such as the one that allowed hackers to circumvent Citi’s online banking authentication engine.”

6. Bank of America Rogue Employee Was a Rogue. A Bank of America employee leaked information to an identity-theft ring. Fake accounts were created under victims’ names and $10 million was stolen before the thieves were nailed.

So what was learned? One rotten apple can spoil the whole barrel. He or she can also steal $10 million. The other thing that was learned is that frequent reviews of access controls might have prevented this type of theft.

7. Duqu Worms Its Way Into the World. “A refinement on the code foundation laid down originally by Stuxnet… this password- and data-stealing Trojan features a rogue certificate [now revoked. However,] it’s able to fly under the detection radar by injecting itself into running processes.”

So what was learned? “[This was] another instance of hackers manipulating the certificate authority ecosystem…”
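The Citi entry above is a textbook insecure direct object reference: the account number in the address bar was trusted instead of being tied to the logged-in customer. The following is an added example, not Citi’s code or anything from the Darkreading piece, built on constructed accounts, sessions and access-log lines. It shows the flawed handler beside the hardened one and a simple enumeration check a defender could run over access logs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample data (not real accounts): account number -> record.
ACCOUNTS: Dict[str, dict] = {
    "1000001": {"owner": "alice", "balance": 5200.00},
    "1000002": {"owner": "bob", "balance": 310.50},
}

# Constructed sessions: bearer token -> authenticated customer.
SESSIONS: Dict[str, str] = {
    "sess-alice": "alice",
    "sess-bob": "bob",
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def lookup_account_flawed(session_token: str, account_no: str) -> Response:
    """Flawed: confirms the caller is logged in, then returns whichever
    account number was typed into the URL. Any customer can read any other
    customer's record just by editing the number, which is the Citi lesson."""
    if session_token not in SESSIONS:
        return Response(401)
    account = ACCOUNTS.get(account_no)
    if account is None:
        return Response(404)
    return Response(200, account)


def lookup_account_hardened(session_token: str, account_no: str) -> Response:
    """Hardened: the lookup is bound to the authenticated customer. A record
    that exists but belongs to someone else gets the same 404 as a record
    that does not exist, so the response cannot be used to enumerate numbers."""
    user = SESSIONS.get(session_token)
    if user is None:
        return Response(401)
    account = ACCOUNTS.get(account_no)
    if account is None or account["owner"] != user:
        return Response(404)
    return Response(200, account)


# Constructed access-log lines in a made-up "<session> GET <path> <status>" shape.
SAMPLE_LOG: List[str] = [
    "sess-alice GET /accounts/1000001 200",
    "sess-bob GET /accounts/1000002 200",
    "sess-bob GET /accounts/1000003 404",
    "sess-bob GET /accounts/1000004 404",
    "sess-bob GET /accounts/1000005 404",
    "sess-bob GET /accounts/1000001 404",
]

LOG_RE = re.compile(r"^(?P<session>\S+) GET /accounts/(?P<acct>\d+) (?P<status>\d{3})$")


def flag_enumeration(log_lines: Iterable[str], max_distinct: int = 3) -> List[str]:
    """Detection side: return the sessions that requested more than
    max_distinct different account numbers. A real customer touches a
    handful of accounts; a session walking through consecutive numbers
    stands out even when every request was correctly refused."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m:
            seen[m["session"]].add(m["acct"])
    return sorted(s for s, accts in seen.items() if len(accts) > max_distinct)


if __name__ == "__main__":
    print(lookup_account_flawed("sess-bob", "1000001"))    # 200: leaks alice's record
    print(lookup_account_hardened("sess-bob", "1000001"))  # 404: bound to the session
    print(flag_enumeration(SAMPLE_LOG))                    # ['sess-bob']
```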

Perhaps the most important lesson to be taken from the seven disasters described above is many could have been averted by using ThreatMetrix solutions. The first perimeter and the most effective element in a multi-layered defense against cyber criminals is device identification. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect Social Security numbers, email addresses or bank account information.


Reshipping: Where a Mule Makes an Ass of Himself…or Herself

Posted on October 27th, 2011 by Dan Rampe

A long time ago, online retailers caught onto cybercriminals using stolen credit card accounts to buy expensive consumer products online, then turning around and reselling them in Eastern Europe, North Africa or Russia. The retailers’ answer was to stop shipping goods to these places.

But, reports security expert Brian Krebs in his blog, KrebsonSecurity, “these restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.”

Krebs points out, “There are dozens of businesses in the criminal underground engaged in merchandise laundering, known as ‘Drops for stuff’ on cybercrime forums.”

The people “hired” to do the reshipping are variously known as reshippers, mules or drops. “The ‘drops,’” says Krebs, “are people who have responded to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and cash bonuses. But the crooks almost always sever communications with drops just before the first payday, usually about a month after the drop ships their first package.

“A typical drop will receive and reship between two and four packages per day. The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the U.S. Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.”

Dropforrent.com is a kind of cyberspace fence operation that offers “clients” (cybercrooks) and “managers” (people who run the recruitment scams) a percentage of what they steal. Krebs explains that Dropforrent pays managers and clients 30 percent of the value of laptops from ACER, HP, Toshiba, Dell, Compaq and Samsung, for example, and more than 40 percent of the retail price for Apple, Sony, VAIO, Canon and Nikon products. Incidentally, if you search for Dropforrent online, you’ll get a score of websites warning you to stay away because the jobs the site offers are a scam.

In addition to electronics, Krebs says, “Drops also can be used to reship virtually anything else that the client or manager would like to use or consume themselves, such as clothes, jewelry, and candy. For this service, clients and managers pay a flat rate of 50 percent of the value of the goods to have the items reshipped abroad.”

Reproduced here without editing, the page at http://krebsonsecurity.com/wp-content/uploads/2011/10/applestore-directinstructions.html on KrebsOnSecurity.com gives an example of a standard operating procedure, a set of rules for mules:

Use your applestore-direct.com Account to:

- Check a shedule about package deliveries
- Send messages to your manager
- Edit Your Default address and shipping address
- Upload your resume and documents for an approvement
- To check total scores and money you earn

IMPORTANT INFORMATION ABOUT SCORE AND PAYMENT SYSTEM:
YOU WILL RECEIVE APPROXIMATE 40 PACKAGES FOR MONTH
YOUR SALARY BASED ON THE 2000$ MONTHLY PAYMENT, STARTING FROM THE SHIPPING FIRST PACKAGE
AND THERE IS A BONUS SCORE SYSTEM
FOR EVERY SHIPPED PACKAGE YOU GET A SCORE
10-SCORES IF YOU SHIPPED A PACKAGE ON THE SAME DAY BEFORE THE NEXT DAY NOON
5-SCORES IF YOU SHIPPED A PACKAGE ON THE NEXT DAY
0-SCORES IF YOU DELAYED PACKAGEs SHIPPING FOR 3 DAYS AND MORE

ON YOUR PAYDAY THE SCORES WILL BE CHANGED TO MONEY AND ADDED TO YOUR TOTAL INCOME IN RATE OF
10 SCORES-50$
5 SCORES-25$
3 PENALTIES- MINUS 100$

PENALTIES CAN BE USED BECAUSE OF ANY SHIPPING DELAYS, NOT CONTACTING YOUR REGIONAL MANGER IN TIME, NOT COMPLETED ORDERS,
MISSED PACKAGES TO YOUR ADDRESS WITHOUT ANY REASONS

Krebs observes, “Well-run reshipping schemes can launder huge volumes of stolen goods in a relatively short time. The minimum order dropforrent.net accepts is $300. Records at dropforrent.net show that since the beginning of this year, drops hired through one front site have shipped more than 800 orders — at least a quarter million dollars worth of stolen goods.”

And the best part about the scam from the cybercriminals’ point of view? If anything happens, the drop or reshipper or mule is the person the long arm of the law will snag.

For online businesses to avoid being victims of reshipping, the answer is ThreatMetrix.  Device identification is the first and most effective layer in a multi-layered defense against cyber criminals. Offering transaction security from hidden proxies, scripted attacks and cookie and browser manipulation, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform lets companies authenticate payments, new accounts and returning customers in real time. And it doesn’t matter what device is being used from smartphones to PCs to tablets. Combined with aggregated fraud intelligence in the cloud, ThreatMetrix device identification offers companies maximum protection without the need to collect social security numbers, email addresses or bank account information.


Would You Care for Some Wine and Identity Theft with Your Order?

Posted on October 19th, 2011 by Dan Rampe


For anybody unfamiliar with it, Queens is one of New York City’s five boroughs. It is the home of the New York Mets, JFK and LaGuardia airports, the U.S. Open tennis tournament and now the biggest identity theft bust in U.S. history.

Restaurant workers, bank tellers and other service employees skimmed, swiped and scammed millions of dollars worth of personal credit information from thousands of American and European consumers. The cost to victims, financial institutions and retail business was more than $13 million over a 16-month period. Now 111 people are charged and 86 are in custody.

In New York, employees of banks, retail outlets and restaurants would skim credit card information while swiping customers’ credit cards. Others were tasked with stealing credit card information online. The numbers were then handed off to teams who, using blank credit cards from overseas, forged Visa, MasterCard, Discover and American Express cards as well as fake IDs.

Sometimes the alleged crooks would employ an “impersonator,” an individual who contacted financial institutions or retail stores and impersonated the true cardholder to check on the actual cardholder’s credit. After all, they probably didn’t want to get charged fees for going over their credit limits.

Anyway…

The bogus plastic was turned over to teams who went on spending sprees at higher-end stores including Apple, Bloomingdale’s and Macy’s in New York, Florida, Massachusetts and Los Angeles. During these shopping sprees, criminals used forged credit cards to stay at such five-star hotels as the Fontainebleau and The Royal Palm in Miami Beach and the high-end private villas of the El Conquistador in Puerto Rico. They are also alleged to have used forged credit cards to rent Lamborghinis and Porsches and, in one instance, a private jet to take them from New York to Florida.

The groups would then resell the merchandise that included iPads, iPhones, computers, watches and upscale handbags from Gucci and Louis Vuitton in China, Europe and the Middle East.

In addition to credit card fraud, twenty-four defendants were variously charged with burglaries and robberies throughout Queens County, including conspiring to commit a bank robbery. Five are charged with stealing more than $95,000 worth of cargo from Kennedy Airport and seven of stealing approximately $850,000 worth of computer equipment from the Citigroup Building in Long Island City.

“This is by far the largest – and certainly among the most sophisticated – identity theft/credit card fraud cases that law enforcement has come across,” said District Attorney Brown. “Credit card fraud and identity theft are two of the fastest growing crimes in the United States, afflicting millions of victims and costing billions of dollars in losses to consumers, businesses and financial institutions…. Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years.”

The investigation involved physical surveillance, intelligence gathering and court-authorized electronic eavesdropping on dozens of different telephones in which thousands of conversations were intercepted. Many required translation from Russian, Mandarin and Arabic to English.

Indictments charge that Imran Khan, Ali Khweiss, Anthony Martin, Sanjay (a/k/a Rocky) Deowsarran and Amar Singh were “bosses” of the criminal enterprise.

In what could be considered an act of irony or chutzpah or both, one defendant, Nelson Feliciano, who owns a security firm, allegedly allowed others to make a counterfeit credit card using his business account information and to use that account to make $50,000 in purchases before claiming that the charges were fraudulent and that he was a victim of identity theft.

The indictment also alleges that Jonathan Ortiz, Wilfred Rodriguez, Travis Hassang, Angel Quinones and two other individuals, who have not been apprehended, stole approximately $850,000 in computer equipment. In a stirring demonstration of motherly devotion, Jonathan Ortiz’s mother, Maria, has been charged with hindering prosecution by logging into her son’s Facebook account to create an alibi for him – allegedly. Now, don’t you just hate it when parents insist on checking what their kids do online?

Govinfosecurity.com’s Managing Editor, Tracy Kitten, gathered analysis from security experts:

Gartner’s Avivah Litan says, “I think this does point out that U.S. law enforcement has beefed up multilingual capabilities in Russian, Mandarin and Arabic, which is critical to its activities, and is a big improvement over the situation pre-9/11.”

Aite Group’s Julie McNelley observes, “While the operation spanned the five continents, the focus of this bust appears to be the hub of the operation in Queens.”

Security author and writer Neal O’Farrell notes, “We know there are scams like this being run in almost every city, usually in the $500,000 to $1 million range. That usually makes them too big for local law enforcement to investigate and too small for federal agencies to pick up. The big problem we’re seeing is that because the low- to mid-level crooks and gangs are going unchallenged, they simply have more time to get better, perfect their art, steal more, and hide their tracks. By the time law enforcement uncovers them, there’s little left to prosecute.”

The ThreatMetrix™ Cloud-Based Fraud Prevention Platform offers a global perspective of risk from a worldwide network of shared intelligence across tens of millions of transactions across all of ThreatMetrix customers. The information is always up-to-date and always available. The ThreatMetrix Cloud-Based Fraud Prevention Platform, incorporating ThreatMetrix SmartID™ cookieless device identification, lets financial institutions and others verify new accounts, authorize payments and transactions and authenticate user logins in real-time — without relying on personally identifiable information (PII). So, even in a worst case scenario where a breach has occurred, cybercriminals never have access to personal information such as birth dates, maiden names and Social Security numbers.


Kid, Ya Got Lousy Credit

Posted on September 7th, 2011 by Dan Rampe

Somebody else ran up all those bills that ruined his credit. But how’s a guy gonna complain when he can’t even talk yet. Crooks, cyber and otherwise, are coming after everyone who walks – and even those who don’t.

Men and women in the 29 to 40 age group, who are in their prime earning years, are prime targets for financial identity theft. The elderly, who often lack technical expertise, are also at risk of having their identities stolen. Now there’s another group that thieves target because stealing from them is like…well, stealing candy from babies. That group, of course, is made up of newborns to teenagers.

According to MarketWatch.com, children’s identities provide the kind of clean backgrounds that make it possible for thieves to create credit histories from whole cloth. And because there aren’t a whole lot of Shirley Temples, i.e., kids who earn money from the time they’re toddlers, it can take years before anyone realizes that a youngster’s Social Security number has been compromised.

The Federal Trade Commission received 18,300 complaints involving identity thefts on people 19 and under last year. Eight percent involved children, a one percent increase over the previous year.

When thieves use an adult’s Social Security number to open a line of credit, they are forced to provide additional personal information such as the mother’s maiden name, date of birth, etc. And, these bits of information have to match entries that the adult has already established. Naturally, no such problem exists when an infant or child’s Social Security number is ripped off. All thieves have to do after they get their hands on a child’s Social Security number is mix it with another name and birthdate, and bam — instant credit for a person who doesn’t exist. However, at some point, when the child has need of his/her Social Security number, he or she is in for some major hassles.

One case reported by MarketWatch.com came to light when Adora McLemore tried to get her children state medical benefits, and was almost denied because her one-year-old daughter, Kenna, was apparently earning money.

“How could she be earning income when she was only one?” questioned an incredulous Adora. Numerous calls to the Social Security Administration and local police provided no help.

Years passed and an identity monitoring service discovered that eight-year-old Kenna had accumulated $39,000 worth of debt and multiple credit-card accounts tied to three other people using her Social Security number.

“We’ve been buried in a paperwork storm trying to prove Kenna is the real holder of that social security number,” said Adora, who wanted the matter cleared up before her daughter started applying for college loans.

So how does an online company protect itself from being victimized by cybercriminals using a child’s stolen identity? By turning to ThreatMetrix. The ThreatMetrix™ Cloud-Based Fraud Prevention Platform, incorporating ThreatMetrix SmartID™ cookieless device identification, provides online businesses with the ability to protect themselves and their customers by verifying new accounts, authorizing payments and transactions and authenticating user logins in real-time — without relying on personally identifiable information (PII) such as birth dates, maiden names and Social Security numbers.


Online “Crime Supermarket” Easy Target for Thieves

Posted on August 17th, 2011 by Dan Rampe

The proverb has it that there’s honor among thieves. Well, some cyber crooks in Russia had better hope so. While it’s not news that anybody with no conscience, a couple of bucks in virtual currency and an internet connection can buy anything online from stolen credit cards to ripped-off personal information, security expert and former Washington Post reporter Brian Krebs offers yet another tantalizing revelation: ignoring their victims’ mistakes, Russian cyber criminals aren’t bothering to take precautions against somebody ripping off the data they ripped off!

Krebs focused on one online shop with the name “mn0g0.su.” Mnogo is a transliteration of the Russian word много, which means “many.” This online store, launched in January 2011, lets customers shop for stolen card data by bank issuer, victim ZIP code, and card type.

A Krebs source, who enjoys ruining criminal projects, by chance came across mn0g0.su’s back-end database, where the shop was backing up its cache of stolen card data to a third-party server that was wide open and unencrypted. Considering how the crooks got the data in the first place, you’d think they’d catch a clue and attempt to protect it.

In mn0g0.su’s database were more than 81,000 sets of credit and debit card numbers, along with expiration dates and card security codes. Each listing had the owner’s name, address and phone number and/or email address. Plus, Social Security numbers, mother’s maiden names and dates of birth were available for some cardholders. The site likely got its stolen credit-card data (all from the UK) from small-time cyber thieves, such as restaurant servers skimming data while scanning cards.

Mn0g0.su’s customers may pay in virtual currency, such as WebMoney and LibertyReserve; no credit cards accepted.

Email addresses, IP addresses, instant messaging ICQ numbers, usernames and passwords of more than 4,300 mn0g0.su shoppers (a euphemism for crooks) were included in mn0g0.su’s exposed database backup. Passwords were stored as salted SHA-256 hashes. According to Krebs, using a decent set of password-cracking tools, fifty to seventy-five percent of the passwords could be recovered given enough time.
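The HBGary entry in the IAM post above (unsalted MD5, recovered from precomputed tables) and this mn0g0.su backup (salted but fast SHA-256, most of it reportedly recoverable given time) come down to the same storage mistake: a fast hash. The following is an added example, not code from Krebs, HBGary or any site named here; it uses only the Python standard library and assumes a PBKDF2 iteration count chosen for illustration. It stores passwords with a per-user salt and a slow key derivation, and upgrades legacy MD5 records at the moment of login, the only point at which the plaintext is available.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: a work factor for PBKDF2-HMAC-SHA256 chosen for this example;
# raise it as hardware allows. The point is that each guess costs real time.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5(password: str) -> str:
    """The weak scheme: unsalted and fast. Every user with the same password
    gets the same digest worldwide, so one precomputed table answers them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Per-user random salt plus a deliberately slow KDF, stored as
    algorithm$iterations$salt$derived-key so parameters can be raised later."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    # A bare 32-hex-character string is an old unsalted MD5 digest.
    return "$" not in stored and len(stored) == 32


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison for both formats; legacy records still
    authenticate so existing users are not locked out during migration."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Login path for an existing password store. Returns (ok, new_stored):
    new_stored is a replacement record when the old one was legacy MD5 or
    used a lower iteration count, and None when nothing needs rewriting."""
    if not verify_password(password, stored):
        return False, None
    current_prefix = f"pbkdf2_sha256${PBKDF2_ITERATIONS}$"
    if is_legacy(stored) or not stored.startswith(current_prefix):
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed user table: two accounts that happen to share a password.
    legacy_table = {"carol": legacy_md5("Password1"), "dave": legacy_md5("Password1")}
    print(legacy_table["carol"] == legacy_table["dave"])  # True: one digest exposes both
    ok, upgraded = verify_and_upgrade("Password1", legacy_table["carol"])
    print(ok, upgraded[:30] + "...")                      # True, a salted PBKDF2 record
```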

Testing the site, Krebs ran a search for stolen debit and credit cards in his ZIP code. One turned up with a $2.50 asking price for the information. When Krebs contacted the person whose information had been compromised, the woman confirmed that the Bank of America Platinum debit card was hers and that she was unaware it had been stolen because there had been no recent fraudulent activity on the account.

Strangely enough, after Krebs bought the stolen debit card’s data, the woman’s personal information was removed from the list of cards for sale on mn0g0.su. While not proof of honor among thieves, could this be an example of honor among fences? Or purely a business decision? It probably wouldn’t be good PR to have your customers busted when they used your information.

Whatever the story, you can be sure ThreatMetrix is not about to safeguard criminals’ data stashes. But no one offers a better solution for maintaining security than ThreatMetrix. Without relying on passwords, user names and cookies to protect its clients, the ThreatMetrix™ Cloud-Based Fraud Prevention Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to stop online theft and safeguard data anywhere in the world.


Taking “the Swipe” Out of Swiping Credit Card Data

Posted on August 9th, 2011 by Dan Rampe

Cyber thieves no longer have to swipe a credit card through the Square dongle card reader to transfer money from a stolen card into the bank account of their choice. The Square payment system, which turns iPhones, iPads and Androids into point-of-sale credit card processors, also turns them into a new way to rip off credit card holders.

Adam Laurie and Zac Franken, directors of Aperture Labs, discovered that with less than 100 lines of code written by Laurie, they could feed magnetic-stripe data from a stolen card into a microphone and convert it to a sound file made up of a series of beeps. When the file is played into the Square device app via a stereo cable, it turns a merchant system designed to accept only physical cards into one that accepts electronic-only transactions. Thieves don’t have to go to the hassle of creating cloned cards, go to a store to make purchases, or know PINs.

Of course, if cyber crooks do want to create cloned cards and go shopping brick-and-mortar, no problem. The same Square dongle that’s used to skim data from cards can also be used to make cloned cards. All it takes to steal magnetic-stripe card data is plugging a Square dongle into a mobile device’s audio input and, using Laurie’s code, converting the audio into human-readable credit card data.

Thieves can already buy skimming machines online. However, Laurie’s code lets anyone with a mobile device and a Square dongle skim a card while pretending to perform a legitimate transaction.

While U.S. anti-fraud bank regulations make it harder to set up the dummy accounts cyber thieves need for transferring money, it’s hardly a major obstacle. All fraudsters have to do is hire money mules and use the mules’ accounts to link to the Square system. Then the mules transfer the dirty money to the fraudsters’ accounts.

What the Square dongle dangles in front of cyber thieves is an easier way to get to the money – with no need to even invest in skimming machines.

Not getting a square deal from a Square device doesn’t have to mean the criminals win. ThreatMetrix solutions protect against bad scripts and fraudulent account logons, payments and transactions. With customized rules for each, ThreatMetrix solutions are designed to interdict fraud attacks in real time and nab criminals in the act.


Online Transactions: $24 Trillion in Table Stakes

Posted on June 28th, 2011 by Dan Rampe

According to Cameron Kerry, the U.S. Department of Commerce’s general counsel, the market for online transactions is predicted to reach $24 trillion ONLY IF users can be convinced the cloud is secure.

Twenty-four trillion is a hard number to wrap your head around. With $24 trillion, you could pay off the national debt and, at a minimum, have enough left over to buy steaks for every dog on the planet. You didn’t really think dogs played cards for stakes, did you?

Anyway…Kerry’s keynote at the Computers, Freedom and Privacy Conference in Washington D.C., outlined two priorities for his Department: cyber security and privacy. Kerry pointed out that the principal roadblock to developing new services and achieving the $24 trillion in online transactions was a lack of confidence in security, noting that Citibank, RSA/Lockheed Martin, Sony, Nasdaq, the International Monetary Fund (IMF), PBS, and the United States Senate have all come under cyber attack.

Kerry explained that when credit cards were introduced, they faced similar security concerns.  What assuaged those concerns was the introduction of encryption. Advising his audience not to wait for legislation or additional regulations to improve security, he stressed the need to go beyond the standard name/password approach, while at the same time maintaining a “privacy bill of rights,” introduced in the Senate by Senator John Kerry, Cameron Kerry’s brother.

One company has a solution that fits both criteria – and it’s available today. That company is, of course, ThreatMetrix. ThreatMetrix solutions don’t rely on passwords, user names and cookies that could compromise a user’s privacy rights. Yet its ThreatMetrix Cloud-Based Fraud Prevention Platform, which uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction, can spot a fraudster literally half a world away.

Following are cyber security principles the Obama administration has endorsed and the Department of Commerce seeks to have in place:

  • Instead of the current patchwork of laws that vary by state, breach notification requirements should be standardized and procedures for notifying customers simplified
  • Companies should be encouraged to have better data security, especially for power grids, water systems, and other core critical infrastructure
  • Increased criminal penalties for hackers
  • Encouraging the sharing of information with law enforcement to improve the nation’s ability to detect and prevent cyber attacks

Two more principles that weren’t explicitly addressed by the Department of Commerce or the Obama administration, but should have been:

  • As a matter of course, every company doing business on the Web should be required to check out ThreatMetrix
  • “Dogs Playing Poker” exhibited as art should be prohibited by law


You CAN Handle the Truth

Posted on June 15th, 2011 by Dan Rampe

Actually, ThreatMetrix believes you CAN handle the truth.

Just reach out. It’s a fingertip, mouse-click away, anytime day or night, anywhere.

Need to know what’s really going on in the world of fraudsters, cheats, thieves and scammers? Here’s the truth, the whole truth and nothing but….

It’s ThreatMetrix’s up-to-this-instant, exciting, brand-new initiative for tracking fraud-activity trends: ThreatMetrix™ Fraud Facts. Based on evaluations of over 15 million transactions taking place every day, you get a unique peek into the fraudster mindset. Here you discover his/her latest tactics, tricks and dodges, so you can formulate plans and adopt strategies for stopping them. With this information, it’s far easier to cull the criminals hidden among the vast majority of honest customers.

The analysis will cover a range of online fraud, looking at:

• Percentage of Transactions from Compromised Devices

• Percentage of Transactions from Devices that have had Cookies Wiped

• Percentage of Transactions from Devices that are Associated with Multiple Email Addresses

• Percentage of Transactions Flagged as Higher Risk

• Percentage of High-Risk Transactions by Country

• Percentage of Countries with Highest Ratio of High-Risk Transactions

• Mobile Transaction Volumes

• Relative Mobile Transaction Volume by Country

The ThreatMetrix™ Cloud-Based Fraud Prevention Platform is the only global online fraud prevention platform that stops web fraud in its tracks to speed up e-commerce for new account origination, web payments and account logins.

The truth that was only “out there” is now here.

Bookmark it — ThreatMetrix Fraud Facts — and stay way ahead of the bad guys.