A History of Battling Payment Fraud

On Wednesday I popped into The Manchester Museum, and as I strolled into the “Money" collection of exhibits, I was greeted by a bunch of friendly guys sat behind a desk. The desk had various old coins laid out and a sign stating “Please DO Touch”. After a couple of minutes of weighing up and flipping various 2,000+ year ancient Alexander the Great and Roman coins, naturally me being me I started chatting about the fraud aspects, when one of the guys produced a Chinese bank note from the 14th century, which was safely housed in a protective plastic cover. This particular note happens to be one of the oldest surviving banks notes in existence. Now the Chinese invented and started using paper money around 960 following a metal shortage, without copper, silver and gold they couldn’t meet the demand to make coins, although there is evidence of cruder forms of paper money being made by Chinese centuries earlier, but these weren't widely adopted. The construction of the Great Wall of China was financed by printing paper money, which has echoes of our approach to resolving the current financial crisis.

As you can see from the picture the Chinese bank note depicts stacks of coins to show its value. However what I thought was particularly fascinating is the warning; on the bank note it states anyone attempting to produce a copy of the note will be executed. So we can see with this ancient creation of a new payment method, came the understanding to protect it against fraudulent exploitation. Without the death penalty deterrent I doubt if the first bank notes would have ever taken off.

I think Marco Polo describes the Chinese bank note invention best in his book The Travels of Marco Polo (Il Milione).

“All these pieces of paper are issued with as much solemnity and authority as if they were of pure gold or silver; and on every piece a variety of officials, whose duty it, has to write their names, and to put their seals. And when all is duly prepared, the chief officer deputed by the Khan smears the Seal entrusted to him with vermilion, and impresses it on the paper, so that the form of the Seal remains printed upon it in red; the Money is then authentic. Anyone forging it would be punished with death”

Whatever the payment form, be it gold bullion bars, coins, bank notes or payment cards, thousands of years of history shows there has always been a non-stop game of cat and mouse between the payment method issuers and those who seek to take advantage, the fraudsters. I thought this game play was clearly evident when I observed a display of the various examples of bank notes used within the UK over the past few decades, where gradually over of the course of time, bank notes were printed on different harder to acquire types of paper, used more complex design patterns, then watermarks and then holograms.

Modern Bank notes has plenty of anti-counterfeit protection

Now payment cards have actually been around for many decades, but the mainstream usage of plastic payment cards, which we are continually becoming more reliant on instead of cash, really started to take hold from the mid 1980s. As with the evolution of bank notes, which increasingly used anti-counterfeit measures, we see the exact same principles in battling fraud with payment cards, and their originally unintended usage in the Internet payment arena.

However in recent times the lack of general public exposure of major card payment breaches, lack of policing of the Internet (catching the fraudsters) and indeed the lack of a strong deterrent (remember the death penalty?), has resulted in payment card fraud escalation. So the question is, are the card issuers becoming lazy in playing the cat and mouse fraud game? The publicly known statistics on card fraud show payment card fraudsters are continuing to thrive and are getting away with payment card fraud in ever increasing numbers, and history clearly shows us there is no end game in combating payment fraud.

118800 Mobile Phone Directory Search Privacy Concerns

"118800” is a new commercial Mobile Phone Directory Search venture, which charges absolutely anyone at all, £1 to obtain the mobile phone number of a UK citizen, searching by name and location. 118800 have amassed a database around 15 Million UK names, locations and mobile numbers for their directory, which was set to launch earlier in the week. I read a quote from an 118800 representative who stated the contact names and mobile phone numbers in their directory were harvested from the public domain, but what they really meant by public domain, was means they probably purchased the information from market research companies, online businesses and information brokers.

EDIT 12/06/09: Since I originally posted, a representative from 118800 has been in contact and provided further clarity on the 118800 directory search method. It seems my brief description of service was only partial, so may be misleading. I was unable to fully test the service at the time of posting, as the service was (still is) unavailable. I have decided to repost all of 118800 comments below within this post, both in the interest of fairness and to ensure the description of the service is correct and is not misleading.
"I'm from 118 800 and would like to correct the description of our service. We DO NOT give out mobile phone numbers to enquirers. We put people in touch with each other without disclosing any personal information. So if someone is trying to get hold of you through our service, you'll be called by us, told who is on the line for you and you can choose whether to be connected or not. The online service texts you with the enquirer's contact details so you can decide whether to contact them or not.

And, just like any other directory enquiry service, the enquirer needs to know your name & address. So it's very likely the first person to try to contact you using our service will be a friend or acquaintance who has lost your number or not got it on them." - 118 800

Most market research companies and online websites which collect our personal information, pretty much forcing individuals to input their mobile number these days. A minority of companies where this information is collected from, do a good job in warning their users that their information could be shared with a third party, however some companies use small print consent and opt out boxes which are disabled by default, knowing a percentage of people will neglect to read it properly, and some companies don’t even ask for consent, which is illegal under our regularly unenforced Data Protection Laws. So it is small wonder 118800 are able to go from zero to 15Million personal names, locations and mobile numbers in no time at all. Let's be clear on this, mobile service providers such as O2 and Vodafone are not providing your phone number to these guys, in fact I know they are just as annoyed at this practice.

Now it is true our government happily place our personal details on online searchable electrical roles, which can be fully searched for charge, and BT publish our names and home phone numbers in phone books which make them profit by way of advertising as well, but it doesn’t make this is right, we are now in the information age, information, especially personal information has value and companies handling our personal information are entrusted with it, they must protect it, not sell it or exploit it for profit.  With the BT phone book you can opt out and go ex-directory, in fact over a third of UK citizens concerned about this have already done so, but try searching the BT website for information about going “ex-directory”, you won’t find it. Just like Sky won’t let you cancel TV package subscriptions without phoning their call centre up, BT do the same “round the houses” tactic. Incidentally Sky happily let you add TV packages by the web and via the TV. Online audio book providing company Audible use same tactic, sign up for a free trial and enter your payments details online to subscribe, but to cancel, you have to phone them up, this from an internet based company too.

So coming back to the subject of the day, I don’t think its right that companies profit from our personal information, but at the same time they are providing a useful tool for identity thieves. An ID thief would be happy pay £1 to obtain a victims mobile phone number, while we are all aware of issues of voice mail hacking by private detectives, which is hitting the

Interestingly the 118800 website is currently down, perhaps due to complaints and negative media coverage, and they are going to the trouble to clearly describe the mobile directory search as a “Beta”. I suspect they are waiting until the heat dies down before re-launching the service.http://www.phonepayplus.org.uk/ which regulates premium rate and directory enquiry services. And if this sort of privacy exploitation really annoys you, send a letter to your MP. Remember complaining worked with web tracking advertising venture Phorm, such was the public outcry, this week after a year of evaluating BT and TalkTalk finally dropped their plans to use Phorm.

The Information Commissioners Office (ICO), charged with protecting our personal information in this information age, again shows its complete lack of teeth by basically giving this service and others similar services than will inevitably follow the green light.

So what can we do?

1. Complain -
Some might say you will be wasting your time complaining to the ICO, but is still well worth a shot; however I recommend complaining with PhonepayPlus

2. Remove your Mobile Number from the 118800 Directory

Now if everyone did this, their service would crumble, but either way it well worth ensuring the removal of your mobile number from the directory (it really shouldn't have to be this way) and here's how.

When the 118800 website comes back, click on the ex-directory button on the 118800 website or you can text the letter 'E' to 118800 (which is also currently down) from the mobile phone you want to be made ex-directory. 118800 will send you an SMS message confirming you've been taken off.  I have to give some kudos to 118800 for offering this clearly; certainly BT could learn a lesson here.

Secret Service tells UK Government not to Publicly Disclose Data Breaches

Are you wondering why there haven’t been any UK Government Department Information breaches making the news headlines in recent months? Has our government departments resolved their poor Information Security Management and poor security cultures? Has other topics such as swine flu and dodgey MP expenses claims kept government data breach headlines out of the press?  I would love to think UK Government Departments have cleaned up their Information Security Act, as I know serious efforts are being made, however we can't really be sure government have stemmed their poor information management tide, as I heard another reason which goes to explain why the once steady drip of media coverage of government departments data breaches has come to a halt.

I don’t want to name any names, but I heard a member of government committee working on the Digital Britain report say, government departments had been advised by a UK security service department to stop publicising data breaches, because it is letting our enemies know our weaknesses. If this is indeed true, I have to say I really don’t agree with this sweeping under the carpet approach, for one the cat is out already out of the bag regarding our government track record on security, tens of millions of records have been lost that we know about, so I think our enemies already know about our weaknesses!

I am a supporter of the public disclosure of data breaches where the public's personal information is involved, to the extend I would like to see UK laws passed to ensure all organisations, both within the private and the public sectors, disclose any data breaches where citizen personal information has been actually or potentially compromised. The reason we need such laws is I feel it is the only real way entire industries and individual organisations will be bothered enough to raise their information security to the required standards, and better secure all our personal information. I believe it should be a fundamental right that we are informed if (more like when) our government or indeed a private company, loses our personal information, placing us at increased risk of serious cybercrimes like identity theft, which is the UK’s fast growing crime. Only by holding government department heads and business senior directors to account for such breaches, will organisations truly recognise the importance of properly securing our personal information, which after all we have entrusted in their care.

Insecure placing of Chip & Pin (PED) places Customers at Risk

Don't tell the misses, but I walked into a popular fast food restaurant in Central London today, I noticed the restaurant had fixed to the payment counter their Chip & Pin payment devices, these devices are known as Pin Entry Devices (PEDs) within the Payments Card Industry. The problem was they had fixed these devices behind the main raised counter, and the devices had no “pin protectors” on them, so forcing their customers to reach over a raised counter to the cashier's side, to type in the their 4 digit pin numbers. I observed several transactions taking place, each customer did not shield their pin entry with their free hand, probably because it would be too cumbersome to reach over the raised counter with both hands. The net result was most people in the queue and behind the counter could observe the 4 digit pin number as it was typed in.

This type of setup is a real goldmine for any potential pickpocket or mugger, as obtaining a payment card together with the pin number is a free license to withdraw hard money from cash machines and to spend freely in shops in the short term. The flipside is this is all very bad news for the victim, in such instances where payment cards are stolen together with the knowledge of the pin number, most card issuers and banks assume their customer is at fault, and must have written their pin number down and left it in their purse or wallet, and so are liable for any fraud losses. It can be very difficult to obtain refunds against fraudulent transactions losses in this type of scenario, not to mention the trauma of potentially being mugged for your card, remember the card has an instant high cash value if the pin is known, so the thief simply views the card as a wade of £50 notes

I am not saying shops should not screw down Chip & Pin devices to their shop counters. Fixing these devices to counters is actually a security necessity to prevent them from being “swapped out” by credit card fraudsters. Card fraudsters have been known to swap Chip & Pin machines when out of the sight of the cashier, then introduce a new identical looking and perfectly working device in it’s place. However the introduced device has been electronically modified by the card fraudsters to record each customer card details together with their pin number. After a few hours or even days, the criminals return and swap out their device and download all credit card details together with the pin numbers, and you know the rest.

So it is important for card security to attach payment entry devices to shops counters, and this is my main point with this post, merchants need to understand these payment devices are meant for their customer usage, not their own staff usage, so must present the pin entry devices on the customer side of the counter, so allowing the customer to put in their own card and enter their pin number without being overlooked by anyone.

Further there is really no excuse to not have pin protectors installed, especially as they don’t cost much. Merchants choosing to accept card payments do have a duty of care to protect their customers from card fraud, there is even an official security standards which they must follow called PCI-DSS.

 Chip & Pin (PED) with Pin Protector

While on this subject, I was at a popular catalogue shop outlet in Chorley a few months back, they too had fixed their Chip and Pin devices to the counter, but this time they had a CCTV camera aimed at the shop counter and their payment devices from a high angle. In their wisdom they had positioned a screen to display the CCTV images, so allowing everyone in the store to view people’s pin numbers as they typed them in. So it is important for high street merchants to position CCTV correctly within their card payment environments, and consider whether it is really a good idea to show the CCTV output to general public.

What can we do as consumers? Always keep possesion of your card at all times, avoid handing it over, even to cashiers and especially waiters. Always shield your pin number entry with your spare hand as you type as in the above picture.

A Clear CRB Check means They haven’t been Caught Yet!

Vanessa George, who worked at a Portsmouth nursery, stands accused of appalling sexual offences against young children. Already media reporters are queuing up in criticising the “enhanced Criminal Records Bureau (CRB)“ check, which this apparently despicable person passed, saying the check must of either failed or the CRB checking system itself is at fault. The CRB checking system has not failed nor is the CRB system at fault, as any seasoned security professional worth his salt will know, clear staff background checks does not guarantee an individual is not a dodgy person and is not capable of doing bad things. The truth is no background security check or test can ever provide a guarantee, whether it’s checking airport workers aren’t terrorists, checking child minders are suitable to be alone with children, or a data entry clerks aren’t data thieves.

Most organisations with staff dealing with financial information, government data or child care are required to carry out a CRB checks on their employees. Personnel whom pass these checks tend to be implicitly trusted by both their employers, and by the governing bodies which make the policies to have the checks done in the first place. As I always, always say, a clear background or CRB check simply means an individual has not been caught yet! Therefore individuals within their roles, depending on the organisation, should always be considered as a potential fraudster, a terrorist or indeed a sexual offender. By all means carry out background checks on staff, but never implicitly trust humans will not do bad things given an opportunity, only by accepting this together with assessing the internal risks staff can pose within their role, can we build the right security controls within processes and systems which will protect against internal staff threats.

EU Elections & Hypocritical Privacy Protection Practices

I reluctantly posted my European electoral postal vote today, reluctantly because I considered not voting at all mainly due to a lack of an anonymous voting system, reluctantly because the European Union Parliament is not very democratic, in that unelected and non-accountable members of committees make the laws, not the people to whom I am being asked to vote to represent me as an European Union (EU) Member of Parliament.

Voting choice wise, there is no other option provided other than a postal vote, for whatever reason it is just not possible to vote at a traditional polling station, not in my area anyway.

The postal voting system involves enclosing a traditional ballet form within a pre-paid envelope, on which your full name is pre-printed with a unique ID number, your date of birth and your signature. Once sealed, the envelope must be placed into the public postal system as a “normal” letter, with its contents easily identifiable as a voting ballot (see picture). Should the envelope be lost (or stolen), then the person in possession will have obtained your full name, your date of birth and your approximant area of resident, from which it is child's play to establish your full address, which ironically can be found on the electoral role, which is publicly searchable. The voter also needs to sign the envelope in order for the vote to count, so your signature is part of the package of information, which is more than enough for identity thieves to start cloning your identity and stealing credit in your name.

Aside from the personal identity theft concerns, your political beliefs can also be discovered, assuming you didn’t spoil the ballet paper! Under European Data Protection Directives (laws) an EU citizen’s political beliefs is classed as “Sensitive Information”, the highest form of information classification.  The EU Information Commission would be most upset if a company were to ask or send out such information by public post; however it appears the EU must be above their own laws.

And those volunteers who open and count the ballet envelopes will be privy to your political beliefs, more than likely they will be from the same area and so could know who you are. Hmm I wonder who Mr. Smith at number 24 voted for?  While the bar codes sporting a unique number for each envelope will sure throw fuel on the conspiracy theorists fire, and they wonder why turn outs for EU elections are so low.

In the end I reluctantly posted my vote after reflecting on the millions of people who died to give me the right to vote in Europe during the last century. I concluded it was worth risking my financial identity out of respect to those who risked and lost their lives, fighting for the right for a just, fair and anonymous voting system and a democratic and accountable government system. Whether we are now taking backwards steps in Europe must be up debate, and whether such democratic debate can actually lead to changes in laws..

Secure Hard Disk Wiping & Disposal

A study by researchers from the University of Glamorgan and BT, resulted in several alarming privacy headlines in the media today - http://news.bbc.co.uk/1/hi/wales/8036324.stm The study involved the purchasing of old computer equipment from trade fairs and online auctions from the UK, US, Germany, France and Australia, and the recovery of data from these purchased items. The researchers were able recover a raft of personal and sensitive data from hard disks, including detailed medical records from a Scottish NHS Trust, military secrets, business financial transactions and an variety of personal information, which included bank details, and the sorts of things identity thieves crave. The study concluded around 40% to 50% of the second hand hard disk drives they randomly purchased held sensitive data which could be recovered by pretty much anyone with half a brain.

I have to say, I am not surprised by this study’s outcome, which highlights the problem of hard disk disposal by both organisations and especially individual home users, who simply neglect to properly erase their personal information from their computer hard disks before selling or disposing of their old computers. Over a year ago I posted about this subject before using a hypothetical story - http://blog.itsecurityexpert.co.uk/2008/03/hard-disk-shredding-story.html I have come across several real incidences of where personal computers had been donated to charities by the way of the old computer equipment recycle bins at local supermarkets and rubbish tips (or as the Council calls them household waste and recycling centres) . These computers end up in places like West Africa, UK young offender’s institutions and youth clubs etc, where new PC users soon discover the original owner’s personal information and website access credentials, and unsurprisingly go on to compromised the bank account and the various online websites used by the original owner, now that’s gratitude for you!

Anyway on to the big question and what the media stories avoided explaining…

What should we do to ensure our personal information is "gone" from our old computer systems before flogging or binning them?

Well removing the hard disk drive from the computer and hitting it repeatedly with a sledge hammer is not quite the best approach. Physically damaging a hard disk does not necessary render it impossible to recovery the data held on it, but hey, it’s still better than doing nothing.

To do the job properly I recommend using a “Hard Disk Wiping” utility. Obliviously the first thing you should do before using such a tool, is ensure you have backed up all your the data, as once you use a hard disk wiping tool, there is no way back.

There are several commercial hard disk wiping utilities available, but there are also some good free utilities which can adequately do the job. My personal favourites are "Darik's Boot And Nuke” aka “dban” http://www.dban.org/, and Eraser http://www.heidi.ie/node/6 (includes dban), [edit based on comments] also Secure Erase is also highly recommended http://cmrr.ucsd.edu/hughes/SecureErase.html

Downloading and running these applications results in the creation of a bootable CD, which you use to boot your computer system direct into the tool operation. If you are a computer novice, you may want to ask that techie relative to help you out.In terms of the type of actual disk wiping method, I always go with securely wiping hard disks to the US Department of Defence standard, by selecting the “US DoD 5220-22.M” option, which will prevent even government secret service forensics experts from recovering the data, never mind petty ID thieves. Some say this level is a little over the top for a personal computer, but if you don't mind the "extra wait" for the process to complete, where's the harm hey!After completion of the hard disk wiping, it’s always a good idea to just double check the hard disk wiping actually worked by trying to boot the computer normally. And if you are super paranoid after applying the DoD 5220 disk wiping standard, go ahead and take your sledgehammer to the hard disk if you really want to.

There are file level secure deletion tools such http://www.fileshredder.org/, but for me, if you are selling or disposing of a computer holding a hard disk, or just a hard disk itself, which has held personal information, you should go with wiping the entire hard disk rather than individual files. This ensures nothing is missed, it is surprising where your personal details end up being stored within a Windows system.

If anyone has any other disk wiping utilities they would like to recommend or novel ways of physically destroying hard disk drives, please go ahead and post a comment.

[edit] NIST have the ultimate say on this subject, read http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Should companies block Twitter?

Recently I have heard several security professionals say Twitter is a source for corporate information leakage, and therefore must be blocked by businesses using web filtering.

Should companies block Twitter? In my view the question is wrong, as I don’t think blocking access to Twitter on corporate networks will do much to prevent business information leakage. The question should be, how do businesses better educate their employees in the usage of social networks such as Twitter, educating instead of blocking will surely do a better job of mitigating the risks of information leakage and company reputation damage. The latter being the most likely outcome of unchecked employee social network website usage.

Twitter allows a person to make a 140 character statement to the entire world, so in terms of information leakage it’s not about controlling data files leaving an organisation, the most someone can do is to send an Internet link along with some text, all be it the text element could be company sensitive or damaging information. However blocking Twitter usage with corporate network web filtering will not prevent employee using of Twitter, as staff can simply tweet updates using their mobile phones, or just wait until they get home, or even find a free WiFi connection when on the road. So my conclusion is blocking will do little to mitigate risk. The answer is to educate employees and provide them with rules (a policy). Everyone in the business should be clearly made aware of what is acceptable and not acceptable to say about their company, their job role, work colleagues, managers and customers publicly (on the Internet), whether it is on Twitter, Facebook, company Emails, on web forum postings or even down the pub with in conversations with their friends.

Business Directors and Senior Managers argue Twitter and other social networking websites should be blocked in the name of productivity, which is a fare and valid point, but then the question is not about managing risk at all, but about business productively, which is a business and possibly HR question. Using “Security” to drive and hide the productivity reason to block social networking is wrong and sends out the wrong message to the user base. In my view, Security Managers need to be encouraging company staff to be onside with the security programme, not getting staff "backs up" and pitting them against the security programme, as ultimately business security always comes down to the individual business employees, who should be and need to be supportive of the security programme, and coached to be security proactive and aware, it's these individuals which can have the biggest impact in mitigating information leakage risk.

Finally, in recent times more and more people are being sacked for Twittering including recently a magistrate http://news.bbc.co.uk/1/hi/england/shropshire/8018471.stm and perspective Cisco employee http://today.msnbc.msn.com/id/29796962/#storyContinued. So understanding the acceptable social network boundaries is not just in the interest of the company, but in the interest of each business employee, who needs to be told and understand the social networking line which shouldn’t be crossed. I think many companies today are not doing a great job in clearly explaining those boundaries to their employees.

Big EU is Watching You

As of last Monday all Internet Service Providers (ISPs) in the European Union (EU) are required to store the details of every email and every internet phone call placed by anyone, for at least one year. Principally this European law is in the name of protecting us all from terrorism. Let me make it crystal clear, this law is not about collecting and storing Email and internet phone call content, just tracking the “when”, “the sender” and “the recipient”, think of the information listed on your telephone bill, which is already legally required to be stored by telecoms companies.

Most ISPs in Europe already store this type of information, with the Email information used to help fight Spam for instance. Despite this most ISPs were dead against the law due to the hassle factor, but in the UK, ISPs have been “talked round” thanks to the UK government offering to reimburse ISPs the cost of storing and maintaining the data.

So why the law? Well I think one of the key reasons is to allow EU governments “easier” and direct access to the information on mass, so bypassing the legal system (no court orders), wait a minute, isn’t the legal system in place to protect individuals from governments? I think we can assume this information will be used for data mining, as well as the specific investigations of individual suspects. By data mining, I mean the scanning of these vast amounts of electronic communications data for patterns which match terrorism activity, whereby the system analyzes the data and then spits out the names of who it deems are terrorist suspects.

It’s not about the “Chatter”
In the Second World War before the German Enigma machine encryption was cracked, the UK intelligence would look for “chatter”, which is the tracking of the number of encryption communications being sent, with spikes in encrypted communications usually meant a german attack was being organised and therefore about to occur. The germans counteracted this by having all enigma operators send random messages periodically, so the spikes were not so obvious, in fact this counter activism actually helped with the breaking of the enigma code.

Anyway my point is looking for “chatter” in high volume Email and Internet telephone calls to predict a terrorist attack is about to occur is not likely to work, as unlike the mobilising of large military forces to carry out an attack, terrorist groups are very small and very insular in nature, generally very careful with their communications, which is why they aren’t discovered in the first place. Given the vast amount of daily communications taking place over EU part of the Internet, I just can’t see how it is possible to see terrorism communication chatter spikes, so this law cannot be about using chatter to help prevent or prepare against a terrorist act, not that anyone has said this publically, but it’s worth pointing out.

If anyone knows how the data mining of millions of the daily EU electronic communications is going to protect us from terrorism attacks, I’d love to know. In my view, surely it is much better to target our anti-terrorism resources with good old fashion "police work" approaches, and so investigate individual suspects, infiltrate suspect groups, rather than assume everyone is a suspect. Good luck if this big brother system decides you are a terrorist suspect, as ironically you will be the last person to find out if it does.