The Green Sheet Online Edition
May 12, 2008 • Issue 08:05:01
Fraud busting, electronic style
The illusion of romance that made stars of Prohibition-era gangsters, Mafia dons and certain other crooks was sustained by time and the physical distance between star-struck fans and the actual crimes that were perpetrated. But when the gun is pointed at your head and you become the victim, the infatuation ends, leaving behind the cold and brutal reality of crime.
With the advent of the Internet and wireless technology, which enable almost instantaneous connectivity anywhere on the globe and render physical distance moot, that gun is pointed at all our heads, at all times of the day and night. But many of us don't know it.
Fraud in profile
Fraud in its broadest meaning can be defined as an act of intentional deception that causes an individual to surrender something of personal or professional value to another individual or organization. So a real estate scam that bilks senior citizens out of their retirement money is one type of fraud; a scam that dupes people into giving over credit card numbers is another.
The 2008 AFP Payments Fraud and Control Survey released by the Association for Financial Professionals in March 2008 showed that check fraud is still the most prevalent type of fraud, with automated clearing house debit payments a distant second and corporate cards coming in third. For consumer payments fraud, thieves used credit cards most frequently while PIN debit cards were the least likely piece of plastic prone to abuse.
Perhaps the most pernicious and destructive type of electronic scam today is identity theft. Bob Aguirre, Risk Manager at Irvine-based Group ISO Inc., said, "The crime itself might not be regarded as a devastating event, but it is very important to recognize that it is a gateway crime - one that leads to the many other financial and physical crimes that disrupt a person's life for many years past the original event."
Theodore Svoronos, Group ISO's Vice President, Business Development & Strategic Partnerships, who works alongside Aguirre, added that after identity fraud happens, it takes victims on average "600 to 900 hours and approximately $10,000 to $12,000 to try and clear their good name over the course of two to four years."
For the payments industry, which relies on the Internet and other electronic networks for processing data, fraudsters are the anonymous individuals and organizations worldwide that glut e-mail inboxes with phishing scams and spyware, or steal cardholder information through skimming scams at the POS.
With stolen personal cardholder information, street-level fraudsters buy goods and services until the fraud is exposed. Then they go on to the next victim. The more sophisticated and organized data thieves use pilfered data to set up false identities or sell it via the Web to other criminals who use it to perpetrate identity fraud and other crimes.
Most of the time, it is the profit motive that drives modern fraudsters to commit crimes. "It's mostly about the money," said Jon McDowall, Certified Fraud Examiner and Chief Executive Officer at the Bettendorf, Iowa-based Fraud Resource Group. "It's just about the income that they can receive, that's the prime driver."
The National White Collar Crime Center's 2007 Internet Crime Report indicated that hackers are predominantly male; half of them reside in California, Florida, New York, Texas, Illinois, Pennsylvania and Georgia. The United States is home to 63.2 percent of the world's hacker population; the U.K. ranks second, with 15.3 percent; and Nigeria rounds out the top three at 5.7 percent.
Those numbers were tabulated by the Internet Crime Complaint Center based on complaints it received. The actual size of the problem is harder to tabulate.
Because of the lack of empirical data, statistics vary as to the size of electronic fraud in the United States. Estimates range from $50 billion annually to as much as 6 percent of the U.S. gross domestic product, which would push damages into the hundreds of billions of dollars. Despite these wildly divergent figures, no one disputes that the problem is growing nationally and internationally.
To catch a phish
Leading the charge against electronic fraud are the United States Secret Service's Electronic Crimes Task Force and the FBI's Cybercrime Division. Both agencies, working with state and local law enforcement, postal inspectors, and other governmental agencies on an international level, are waging an uphill battle against fraud nationally and overseas.
"The schemes themselves are becoming much more sophisticated and global, often times across many jurisdictions and even continents," McDowall said. "So, the responses have had to be much more sophisticated and globalized as well. The ugly reality is that they're usually a few steps ahead of us."
Online forums have become a popular way for fraudsters to sell the information they steal. Over 13,000 sites are dedicated to such fraud. A popular product sold on these online black markets is what's called an "info card," which offers a comprehensive profile of a victim: name, address, phone number, Social Security number, mother's maiden name, date of birth, credit card information, banking information and so forth.
That information is frequently acquired when unsuspecting victims click on e-mail attachments that download spyware to their computers. A popular form of spyware is the keylogger, which surreptitiously captures every keystroke made on the infected computer and then transmits that data back to the hacker. Credit card numbers on these forums typically sell for $10 per victim, Svoronos said. "That's how much your identity is worth to these people."
When a hacker's forum is discovered, the Computer Readiness Alert Team (CERT) in the forum's country of origin contacts the forum's Internet service provider in order to shut down the Web site. But the perpetrators are rarely caught.
"It feels sort of like that Whack-A-Mole game because you shut it down here, in this country, and the next thing you know it pops up in Peru," McDowall said. "It's pulled down, and it shows up in South Korea."
Agencies fighting fraud have had major successes behind the scenes, McDowall added. But they rarely publicize those successes for fear of tipping off fraudsters to their crime-fighting tools and techniques.
Nevertheless, the majority of perpetrators are never apprehended or prosecuted. "If you do get caught robbing a bank, you're gonna do hard time," McDowall said. "The chances of getting caught while you are engaged in this type of cyber fraud are significantly reduced. And the jurisdictional issues that constantly occur could even prevent that person from ever having a day in court."
Fraudsters have shown extraordinary nimbleness in recognizing vulnerabilities in people and technology and exploiting those weaknesses for monetary gain. If law enforcement is playing catch-up to their schemes and techniques, academics are trying to stay ahead of the curve.
Recently, researchers at the University of Cambridge reportedly showed security vulnerabilities in PIN entry devices, including a popular model designed for multi-lane retail and single POS environments.
And Karsten Nohl, a 26-year-old graduate student at the University of Virginia, along with two colleagues, revealed preliminary results at a hacker convention in Germany on how to crack the MiFare Classic Radio Frequency Identification (RFID) chip.
Designed by the Dutch company NXP Semiconductors, the MiFare RFID chip is popular worldwide in such applications as employee security badges and subway passes. In the United States, the chip is used by the Massachusetts Bay Transportation Authority in the CharlieCard contactless smart card for public transportation.
In the Netherlands, the MiFare chip is similarly employed. Nohl was able to hack the chip with relative ease and break the cryptographic algorithm that provides its encryption.
"There are 2 billion copies of that cryptographic algorithm out there in each of the cards," Nohl said. "And so we just got a few of these cards and opened them and found out what they were doing.
"Prior to our results, people already did what we did, only they would charge millions for it. Now we showed how you could do it basically on a kitchen table."
With inexpensive equipment you could find at any high school chemistry class, and "a little patience," Nohl said, hackers could crack the algorithm, then clone it onto countless RFID chips for fraudulent purposes. "The Dutch government is extremely concerned," he added. "They have just spent 3 billion dollars on a countrywide transportation ticketing system for all their buses and trains using exactly that card."
On April 14, 2008, the Dutch government publicly admitted the chips must be replaced. "Not only do they have to change all the chips, they also have to change the whole infrastructure, the reading devices and probably even upgrade their software and come up with a totally different encryption scheme," Nohl said. "In the Netherlands there are several reading devices on every bus. We're talking tens of thousands."
Nohl believes the Dutch government's admission will spur fraudsters to take advantage of this weakness in the chip within weeks. "So far, only academics are talking about it," he said. "And nobody is actually stealing anything from anybody. But that will change very soon."
Numerous laws and regulations have been enacted to prevent fraud or flag possible instances of fraud, including the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act and the Payment Card Industry (PCI) Data Security Standard (DSS).
The 12 requirements of the PCI DSS are designed to secure the devices and networks that store and process cardholder information so that no data can be compromised or stolen. If a breach does occur, the card brands can levy fines of tens of thousands to hundreds of thousands of dollars on merchant acquirers and, by extension, on their merchants.
In recent years the card brands have pushed contactless payment devices such as smart credit and debit cards embedded with RFID chips that allow users to wave or tap the cards at the POS, rather than swipe them through card readers. Proponents tout smart cards as more convenient for consumers, speedier at POS checkout and thus an improvement over traditional mag stripe cards.
But according to Nohl, unlike the successfully hacked MiFare chip, "we did not break credit cards because there's nothing to break about credit cards. They don't come with any protection to begin with."
Nohl believes that hackers equipped with a $50 RFID reader can slide up next to consumers and read their smart cards wirelessly in a few seconds - without their knowledge. "I don't see the benefit [of contactless cards] at all," he said. "It almost seems like a present to the hackers, without any use for the customer."
The Smart Card Alliance, a nonprofit, multi-industry association devoted to education about smart card technology, refutes Nohl's claims in an FAQ:
"While it is technically possible for a contactless payment card or device to be read illicitly, this scenario is unlikely. In the event that a criminal did read the information from a contactless payment device, the security features designed into the device, the payment terminal and the payment system ... would prevent information from being used to create fraudulent contactless transactions."
But Nohl is not swayed by such rebuttals. He said mobile banking and payments are under the gun as well. Being able to make purchases and access accounts using mobile handheld devices has been promoted by many as the wave of the future.
Nohl contends that near field communication (NFC) technology that enables mobile payments is no different from RFID technology. "It's the very same technology with exactly the same security problems," he said. "Making the phone react to insecure data from RFID/NFC even creates a whole new world of possible attacks."
The 99 percent solution
This dour portrait of the relentless onslaught of electronic fraud is leavened by the wave of new technologies designed to prevent it. Although no system or device will ever be 100 percent secure, "being proactive is the very best way of mitigating fraud," Svoronos said.
Evidence is mounting, however, that a vast cross section of U.S. merchants has not achieved end-to-end security. In February 2008, the East Coast supermarket chain Hannaford Brothers Co., reportedly a PCI compliant business, revealed that hackers had stolen 4.2 million credit and debit card numbers from its network.
The Wall Street Journal reported that hackers installed malware on the Hannaford Bros. internal network to capture the clear-text (unencrypted) data from in-store POS transactions. In consequence of the breach, the Delhaize Group-owned chain has implemented heightened security measures that go beyond the PCI DSS, one measure being encryption of cardholder data directly at the POS.
The PCI DSS requires that all data over publicly accessible networks be encrypted so that no information is in the clear for hackers to grab. But it does not mandate encryption for data that travels across internal networks.
Larry Meyers, Director of Business Development at Magensa, a subsidiary of Mag-Tek Inc., said that the "high 90 percent" of businesses currently do not encrypt cardholder data at the POS when the card is swiped or otherwise employed, offering up a weakness for hackers to exploit.
To solve that gap in security, Magensa offers the MagneSafe Secure Card Readers, a full line of traditional and wireless card reader devices that encrypt cardholder data at the point of the card swipe, thus making data stolen internally still useless to fraudsters.
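As an added illustration of the gap just described (this code is not from the article or from any vendor named in it), the following Python scans constructed sample lines of internal POS-to-server traffic and flags cardholder data crossing the LAN in the clear, while a record encrypted at the swipe yields no finding. The log format, addresses and values are constructed; the card numbers are the standard Luhn-valid test numbers, not real accounts.

```python
import re

# Constructed sample of internal-network log lines (not real captures).
# Line 1: a terminal sends raw track-2 data (;PAN=YYMM...?) in the clear.
# Line 2: a terminal sends the PAN as a plain field.
# Line 3: a reader that encrypts at the swipe; only ciphertext crosses the LAN.
# Line 4: an unrelated 16-digit value that is not a card number.
SAMPLE_LINES = [
    "10.0.5.21 -> 10.0.1.4 POS_AUTH ;4111111111111111=1012101?",
    "10.0.5.22 -> 10.0.1.4 POS_AUTH pan=5555555555554444 exp=1012",
    "10.0.5.23 -> 10.0.1.4 POS_AUTH ENC data=Qm9iZ3VzZXNlbmNyeXB0aW9u",
    "10.0.5.24 -> 10.0.1.4 INVENTORY sku=1234567812345678",
]

# Track-2 start sentinel, PAN, separator and YYMM expiry.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")
# Any standalone run of 13-19 digits is a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(lines):
    """Return (line_no, kind, masked_pan) for each line carrying clear-text card data."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = TRACK2_RE.search(line)
        if m:
            findings.append((n, "track2", mask_pan(m.group(1))))
            continue            # track data already covers the PAN on this line
        for m in PAN_RE.finditer(line):
            if luhn_valid(m.group(1)):
                findings.append((n, "pan", mask_pan(m.group(1))))
    return findings
```

Run over the sample, only the two clear-text lines are reported; the encrypted record and the inventory SKU (which fails the Luhn check) pass untouched.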
Another weakness in security involves e-mail. Information security and compliance management firm Trustwave considers e-mail to be a primary and secondary attack vector for fraud schemes. Trustwave's mailMAX product is a robust e-mail filter that protects end users from invasive and destructive phishing and pharming scams. MailMAX would provide a "safety net" for merchants' computer systems, said Michael Petitti, Chief Marketing Officer at Trustwave.
On the online identity verification front, AgeMatch, IDMatch and IDMatch+Plus from Englewood, N.J.-based Veratad Technologies LLC can authenticate the validity of individuals for financial institutions when sensitive cardholder information is requested over the Internet.
Practice makes perfect
Pattie Dillon, President of Veratad, said all these solutions are pieces to a complex and ever-changing puzzle, and merchants must be vigilant when it comes to information security.
When PCI-compliant Level 4 merchants come to JC Carter, Director of Marketing Communications for Salt Lake City-based Panoptic Security Inc., they often hope that, since they have implemented security procedures, they can now forget about data security issues. Carter answers them, "Yeah, you're not done. You're never done."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.