Wednesday 24 October 2007

Identity Fraud Protection Guide Completed

I have completed and uploaded my guide to "reducing personal risk of card & identity fraud", with 20 key tips and some FAQs about Identity fraud/theft.


I had a lot of interest and requests to produce a formal guide by various site visitors and offline friends. I'm aware most of the guide will be just common old sense to any security professional out there, but the guide nor generally my website is aimed at the level.

Monday 15 October 2007

Why do Spammers Spam?

I noticed Microsoft's Eileen Brown was pondering Spam in her Blog, asking “Why the heck do these spammers keep on spamming people?"

Well here’s my response…

It is because out of the tens of thousands of Spam Email they send, which costs practically nothing, there are always one or two gullible people who click through to buy a product or get done, making it a profitable and worthwhile exercise.

“Two years from now the Spam problem will be solved” - Bill Gates, January 2004

Bill got that wrong, it's increased big time since then.

Why the problem? Well Standard Email is just not secure, it is impossible to tell or control who has actually has sent them, not without using Certificates and PGP etc, even the latest Anti-Spam software isn't the silver bullet.

Thursday 11 October 2007

Contactless Cards: Convenience before Security?

I was on national Radio Monday lunch time, taking part in a debate on cashless societies; specifically I was giving my (the security) perspective on the new Contactless Debit/Credit Cards, which will be rolled out within the UK early next year. My points were as follows:

Since the introduction of Chip & Pin in the UK a couple of years ago, there are been a significant reduction in credit card fraud at the high street till (cash register), even the latest figures for the last six months show credit card fraud at the cash register is down by 11%, despite an overall rise in UK card fraud of 26%, which underlines the growing problem with card fraud. The trends show the bad guys are increasingly stealing UK card details to either use online, or to use them in countries where PIN numbers are not required to process transactions, i.e. using the magnetic strip on the back of the card instead of the chip, which I’ll get on to later in this rather lengthy post.

The reason why Chip and Pin is successful is that in principle it uses a two-factor authentication system, in that one factor is the card which is something you have, and the second factor is the PIN number, which is something you know, you need both to authorised the transaction. However to use the new contactless cards all you need to do is “wave” the card about 5 cementers from the contactless (RF) card reader and you’re done, which is single factor system, as all you need is the card in your possession, so if a bad guy gets hold of wallet... It's also worth stating that the contactless RF functionality will go onto existing bank and credit cards, rather than a specially blank card “cash only” card. Visa said it will ask for pin number after every £50 spent or so, and can only be used for transactions under £10, which may rise in the future. In my opinion this is putting Convenience ahead of Security. During the debate I cited the following example, in that I “punished” my kids by taking them through a fast food drive thru over the weekend, at the pay window a chip and pin reader was handed to me (cabled not wireless), and within 12 seconds (yes I timed it), I had pushed in my card, entered my pin, been approved, removed my card, and handed back the chip and pin terminal, this for a transaction of less than £4, so retailers do have the technology to provide quick two factor authentication for small transactions with the regular system. I do understand the convenience of speed with the so called “wave and pay” system, but my argument as a consumer, is I should at least be given the choice to always use my pin with every RF transaction, especially if RF becomes mandatory on future cards.

I brought up the topic of RF skimming, in that for around £100 to £150 I could build my own RF reading device which could activate the passive RF chip within a contactless card and read it when in range. I know it’s encrypted and so not much sense can made of what can be read, which Visa provided assurances over during debate, however the UK passport agency said the same thing about their RF system within UK passports, only for a security professional to break the encryption system, accessing details from a passport without even opening the envelope it was in. Here lies another of my concerns, its fairly common knowledge a lot of credit card fraud and card theft starts within the postal systems in the UK, the fact is I could use my custom RF reader as a contactless card detector, a kind of a credit card metal detector if you like, which would tell me which envelopes had cards in. I only hope they wrap the cards in tin foil or something similar, to insulate the RF when issuing them by post.

Following on from the RF encryption, which by all accounts is better than the UK passport, I followed up by asking when will credit card issuers get rid of the magnetic strip on the back of cards, as most of information on the magnetic strip isn’t encrypted and allows easy card cloning and skimming by the bad guys, no real answer on that apart from it was needed for international purposes, again I would prefer the option of not having a magnetic strip on the back of card, since nearly all of my transactions with cards are made a chip reader.

If only I could customise my own credit/debit card, which I’d be happy to pay a premium for, for a start I would have my picture “etched” onto the card (three factor authentication possibilities!) and no magnetic strip, but the trouble is always the same with good security, it comes down to a decision of Risk Vs Cost, which is ultimately made by the credit card folks, who take the biggest hit on paying for credit card fraud, however they pass that to us within card interest rates. Just to make that clear, if you are victim of fraud by the contactless cards system, you will get your money back according to the guy from Visa Europe, however there is always a hassle factor and stress factor to consider for the card consumer, so perhaps as consumers we really should expect better security.

Other interesting points raised, there are retailers who won’t accept card payments under £10 or will add a surcharge, so I doubt if contactless cards is going to take off with them, as it was kind of the selling point, that you could walk into your local newsagent and use a contactless card instead of money, however most newsagents don’t currently take cards due the transactional costs imposed by card issuers. And what if I had lets say a MasterCard Contactless Card and a Visa Contactless card in my wallet and a wave my wallet at the RF reader, will it work and how do I know which card I paid with?

Another topic that was discussed was payments by mobile phones, again it came down to whether it was a two factor authentication system, i.e. if user had to enter a password or pin, I had no problem, however if it only meant you only needed a phone, then it turns the phone into an instance cash item, which could be really worrying for the younger sections of society, which is where most mobile phone theft (muggings) occur. I have blogged and even Podcasted about poor mobile phone security in past, which could be another attack vector to consider which such payment systems.

Make no mistake, I’m a fan of a cashless society although I think it is still many years away. I like new technology, and I do know nothing can ever 100% secure, I just don’t want to see basic security corners cut and backward steps taken, as I think society in general has a long way to go in getting to grips with Information Security.

Sunday 7 October 2007

Reducing your Risk of Credit Card & Identity Fraud

Here's my 15 tips to help reduce your personal risk of credit card fraud and identify fraud. Oh when I say identify fraud\theft, I mean when someone assumes your identify to rack up credit\loans and other fraudulent activity in your name.

1. Invest in a decent shredder, avoid cheap shredders they are a false economy, they often don’t last long anyway, and can make shredding a real chore. Try to get into the habit of regularly shredding receipts, statements or anything else with financial and personal information.

2. Never ever disclosure your PIN number, login details or passwords. Often fraudsters will “confidence trick” by appealing to either greed or fear. For example if you are told you have won a competition or entry into a free cash draw, but you have never entered the competition, I 99% guarantee it is either a scam or an attempt to collect your personal details for marketing, just remember there is no such thing as a free lunch. Also fraudsters will use fear to by pass your normal cautious thinking, often fraudsters impersonate organisations like your bank or your favourite online auction site, stating they have detected a security breach with your online account, and you must validate your details.

3. Never ever write down passwords, login details or especially Chip & Pin number.

4. Never send card details or bank details by Email, even if a hotel or online shop requests your card details by Email. My golden rule with Email security is, if you are not happy to write the Email contents on the back of postcard and post it, you shouldn’t be writing within an Email, as Email is no a secure medium. Also when reading your Email, the senders Email address and Name is no guarantee it is from that person or organisation, and of course never accept Email attachments, or click on links within Emails you aren’t sure of or expecting.

5. Never let your debit/credit cards or your card details out of your sight when making a transaction in the real world. Unfortunately low paid shop staff are some of the worst culprits when it comes to card fraud, either collecting card details and selling them on, or committing fraud directly themselves, it only takes them seconds for them to steal the info from your card.

6. When using a Chip and Pin devices or cash machines, use your free hand to shield the number pad as you type in your PIN. This will provide protection against bad guys who “shoulder surf” and hidden cameras.

7. If you can, avoid divulging your card details by telephone. You don’t know who might be listening nor can you see the person collecting details, and what they might doing with them.

8. With online banking, always type in your bank website address directly in the address bar of your web browser. Never click on web links, especially those sent in Emails.

9. At all times, make sure your computer has up-to-date anti-virus software, up-to-date Microsoft Windows Patches, Anti-Spyware and a Firewall installed and Enabled.

10. When Shopping online, make sure the webpage is encrypted before entering any personal and credit card details. Look for a locked golden padlock and “https” at the start of the web site address. You probably wouldn’t give your credit card details to a street trader right? Well consider the same approach when shopping online. If a website looks dodgy and you have never heard of the business, you probably should go with your instincts, as you would in the real world.

11. Always check through your statements, and chase up any anomaly you find, even the smallest unexplained transaction could be a sign of identify theft or account compromise.

12. When filling out forms or being asked for personal information verbally, never be afraid to question what you are supplying, as is it is all too easy to go into autopilot. Let’s say if someone knocks on your front door promoting a new local car wash, and gives you a discount voucher and then proceeds to ask for your your name, Email and phone number. Ask yourself why that information is being collected and question the promoter about what the car wash company will do with it. Don’t be afraid to question organisations as well, about how they are going to protect your personal information, read up on their privacy policies before parting with your personal information, know what you letting yourself in for.

13. Always keep your guard up, it's not as easy as it seems. We are all bombard with requests for our personal information on a dialy basis, whether via a street survey, or a small opt in check box on a form, always try to avoid giving up your personal information unnecessarily, often the people collecting it will sell it on to marketing firms for a profit or even worst.

14. Keep track of your bills, if every month you get a credit card statement, and one doesn’t turn up, chase it up. Also when you receive a new cheque book, check all the cheques are present, one cheque scam committed by fraudsters, is to intercept the mail, open it and steal a couple of cheques from near the back of the book and then cash them, before resealing and sending up the cheque book, its far too late before the victim discovers the missing cheques.

15. If you feel particularlly concerned that you might be a victim of identify theft, arrange a credit check on yourself to make sure. (I plan another blog around dealing with this at a later date)