Fraud Intelligence Newsletter
April/May 2008
Table of Contents
Event Schedule
Massive “Crime Server” Found in Malaysia – 40 FIs at Risk
Compromised Data - Satisfaction Guaranteed!
The Track 2 Cash Out Vulnerability
Breach at Hannaford – Are Banks on the Hook?
State of IS Survey
FDIC Computer Intrusion Report
Event Schedule
June 4–6, Authentication and Online Trust Alliance Summit 2008, Seattle, WA. Our own Rod Rasmussen will be speaking. Please contact us for a big discount on registration fees!
June 29–July 2, America's Credit Union Conference and Expo, New York, NY. We are sponsors of the conference and will be an exhibitor.
Massive “Crime Server” Found in Malaysia – 40 FIs at Risk
Information security vendor Finjan discovered a server in Malaysia in April that held approximately 1 ½ gigabytes (GB) of business and personal data stolen from Trojan-infected computers around the world. This massive amount of information is especially damaging because it was so up to date: all of it was less than 30 days old.
User names, passwords, account numbers, social security numbers and credit card numbers were found within 5,388 unique log files, reports Finjan, and up to 60% of all the information contained within the 1 ½ GB was bank customer data.
"The scope and ramifications of this particular incident are
staggering," says Viveca Ware, director of Payments and Technology
Policy at the Independent Community Bankers of America (ICBA). "It is
very unusual to have such a diversity of information available on one
server in one location. It looks like a one-stop shopping location for
criminals to get information," Ware says.
Finjan’s CTO Yuval Ben-Itzhak reports that the server has been taken down, although Finjan has found two more similar servers in the past few weeks. More than 40 financial institutions have been affected across the globe, from the United States to Turkey. It is unknown how many of the 40+ financial institutions have been notified of this serious issue.
Compromised Data - Satisfaction Guaranteed!
A blog post at McAfee’s Avert Labs by Francois Paget, titled “You have
to pay for quality” provides some very interesting data on the price
for quality compromised data.
Paget uncovered a site selling “top-quality data for a higher price
than usual.” As you can see in the blog post and screenshots
(http://www.avertlabs.com/research/blog/index.php/2008/05/07/you-have-to-pay-for-quality),
price was dependent on available balance, the financial institution,
and the country it was located in.
To ensure top quality, some guarantees were offered, including a refund of your payment if you were not able to log into the account with the provided information within a stated number of hours!
The site offered bundled pricing and sold skimmers and track dumps used to create white cards. It also offered some free data, a “Free Cvv2 of the Day,” and technical know-how to convince potential clients.
Satisfaction Guaranteed!
The Track 2 Cash Out Vulnerability
“ATMs are the pot of gold for criminals,” says Avivah Litan of research firm Gartner. The firm estimated that over a 12-month period in 2005, $2.75 billion was pillaged using counterfeit ATM/debit cards. To create a counterfeit debit card, all criminals need is a card number and a PIN, which they can easily obtain through phishing attacks. They then encode blank cards (also called “white cards”) and either withdraw money from automatic tellers or take cash back when using the cards at a point of purchase.
A relatively simple way of mitigating this type of fraud is to include PIN offsets and Card Verification Value (CVV) codes on Track 2 of the magnetic stripe of ATM and debit bank cards. Those numbers are generally unknown to the customer, so they can't be divulged in a phishing scam.
A standard card contains two tracks of data encoded on the magnetic stripe. The specification for Track 2 was defined by the American Bankers Association decades ago for use by banks and credit unions, while the specification for Track 1 was defined for the use of airlines. The main difference is that Track 1 contains the cardholder’s name. There is also a Track 3, which is rarely used anymore.
Before the advent of Mastercard and Visa logo debit cards, virtually no debit cards used the CVV encoding on Track 2. As a result, the verification systems for ATM transactions were not originally programmed to check the Track 2 CVV.
Phishers are quick to take advantage of this vulnerability and they
seek out customers of banks that are not validating debit cards' Track
2 security data during cash withdrawals. Phishers refer to these banks
as “cashable" and they're at the top of the phisher's hit lists. When
phishers find a bank that is not using Track 2 verification, they will
attack it relentlessly and in high volume, because every stolen
credential can immediately be turned into cash. Once a bank closes the
so-called “Track 2 Hole” by instituting additional card safeguards, the
phishers move on to another “softer” target, usually the next day. At
least one bank has lost over $100 million directly as a result of this
vulnerability.
In the past four years, most banks have started verifying the Track 2 CVV, and some have added additional security codes to Track 2. However, some banks have been reluctant to add PIN offsets and encoded CVVs to the cards, much less take an even more aggressive security posture by writing their own algorithms to generate stronger, six- or seven-digit encrypted verification codes. Such additional security measures can be costly to implement. According to several news articles, an estimated 25% of the country's banks do not use the secondary security codes that can be placed on an ATM or debit card's magnetic stripe.
To make matters worse, even systems that use the encoded CVV on Track 2 can be exploited. Recently, phishers have discovered that certain ATM networks in foreign countries, such as Spain, do not properly verify the encoded CVV and allow transactions that fail the verification. The only sure remedy in these situations is to block transactions from the compromised networks and/or countries.
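As an added illustration (not code from the newsletter or from any bank's system), the Python below models the authorization check that closes the “Track 2 Hole” described above: it parses an ISO 7813 Track 2 record, derives the expected encoded CVV from the card number, expiry and service code, and rejects a white card whose discretionary data is empty or does not match. The issuer key, the HMAC-based derivation (a stand-in for the DES-based CVV algorithm real issuers run under HSM-held keys) and the test card number 4111111111111111 are all constructed for the example.

```python
import hashlib
import hmac

# Constructed key for this example; a real issuer derives the Track 2 CVV with
# DES-based Card Verification Keys kept in an HSM, not with an HMAC.
ISSUER_KEY = b"example-issuer-key-not-real"
CVV_LEN = 3
TODAY_YYMM = "0805"  # newsletter date, assumed as "now" for the expiry check


def parse_track2(track2):
    """Split an ISO 7813 Track 2 record ';PAN=YYMMSSS<discretionary>?' into
    its fields. The issuer's CVV and PIN offset live in the discretionary data."""
    body = track2.strip().lstrip(";").rstrip("?")
    pan, sep, rest = body.partition("=")
    if not sep or not pan.isdigit() or len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed Track 2 record")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7],
            "discretionary": rest[7:]}


def expected_cvv(pan, expiry, service_code):
    """Issuer-side derivation of the encoded CVV (HMAC stand-in, see above)."""
    mac = hmac.new(ISSUER_KEY, (pan + expiry + service_code).encode(),
                   hashlib.sha256).hexdigest()
    # Card CVVs are numeric, so keep the first CVV_LEN decimal digits.
    return "".join(c for c in mac if c.isdigit())[:CVV_LEN]


def issue_track2(pan, expiry, service_code="101"):
    """Encode Track 2 the way the issuer does: CVV written into discretionary data."""
    cvv = expected_cvv(pan, expiry, service_code)
    return f";{pan}={expiry}{service_code}{cvv}000?"


def authorize_legacy(track2, pin_ok):
    """The 'Track 2 Hole': only the PIN and expiry are checked, so a white card
    encoded with a phished card number and no CVV is accepted."""
    fields = parse_track2(track2)
    return pin_ok and fields["expiry"] >= TODAY_YYMM


def authorize_checked(track2, pin_ok):
    """Hole closed: the encoded CVV in the discretionary data must also match."""
    fields = parse_track2(track2)
    if not (pin_ok and fields["expiry"] >= TODAY_YYMM):
        return False
    cvv = expected_cvv(fields["pan"], fields["expiry"], fields["service_code"])
    return hmac.compare_digest(fields["discretionary"][:CVV_LEN], cvv)
```

The legacy check accepts both the issuer-encoded card and a white card carrying only the card number and expiry; the checked version accepts only the former, which is the difference between a “cashable” bank and one that has closed the hole.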
Breach at Hannaford – Are Banks on the Hook?
A security breach at Maine-based Hannaford Supermarket in February 2008
exposed millions of unique credit card numbers and has led to at least
1,800 cases of fraud. Reportedly, more than 300 servers in at least six
states were compromised with malware. Credit and debit card numbers
were stolen during the card authorization process and about 4.2 million
unique card numbers were exposed, placing the case among the largest
data breaches ever.
The malware stole Track 2 data stored on the magnetic stripe of the credit cards as customers used them at POS machines. Track 2 data includes the card number and expiration date, but not the customer's name (see our article above, "The Track 2 Cash Out Vulnerability"). The malware stored records of the purchases in batches and periodically transmitted them to an unidentified offshore internet service provider.
In a letter to the Massachusetts Attorney General and the Office of
Consumer Affairs and Business Regulation, Hannaford claimed it was the
victim of a "new and sophisticated" technique where the attacker
sneaked malware onto servers at all of its nearly 300 grocery stores.
Hannaford has been publicly vocal about its PCI DSS compliance, which requires merchants to institute a variety of security controls to protect customer card data. Companies often assume they are ironclad because they've been deemed compliant, but PCI DSS leaves out some common-sense mandates, such as encrypting data at the moment a card is swiped. It is possible that being PCI DSS compliant may mitigate Hannaford’s financial liability for losses from this attack, passing that liability to the banks.
State of IS Survey
BankInfoSecurity.com released a report on “The State of Information
Security Survey 2008” that Internet Identity thinks might be a valuable
read to our customers. Conducted in the month of December 2007, the
survey received responses from nearly 300 banks and credit unions,
representing institutions of all sizes and geographies. Here are some
of the survey’s findings:
• Thirty-five percent of respondents say their institution has been the victim of at least one phishing attack over the past year.
• Smaller institutions say they are doing significantly less than larger institutions in implementing strategies to fight identity theft.
• A staggering 73% of all respondents assess themselves as “average” to “failing” when it comes to security awareness efforts with their customers.
For more information, please review the survey at http://www.bankinfosecurity.com/articles.php?art_id=688&pg=1.
FDIC Computer Intrusion Report
A recent report from the FDIC on Computer Intrusion has shown a huge
spike in the cost of computer intrusions for both banks and consumers.
The report found that overall phishing spam declined during the
quarter, and FDIC-insured FIs were targeted less frequently. Ecommerce
and credit union phishing attacks increased, and PayPal spam showed a
declining trend.
Phishers targeted specific business employees using emails with malware
links or attachments to gain access to payroll, accounts payable, and
other ACH applications. This is referred to as spear phishing (aiming
for a specific target) or whaling (going after accounts with larger
balance and transaction amounts).
Internet Identity reported on whaling in its Fraud Intelligence Newsletter, Vol I, No II - February 2008.
Thanks to the Washington Post’s Brian Krebs, a redacted version of the
yet-to-be-made-public report “FDIC Division of Supervision and Consumer
Protection: Cyber Fraud and Financial Crime Report,” November 9, 2007
is available here:
http://blog.washingtonpost.com/securityfix/FDIC%20INCIDENT%20REPORTR2Q07.doc
Brian Krebs states: “The report is a centralized collection of information related to cyber fraud and financial crimes that impact FIs for the 2nd quarter 2007. The information in this report may be used for risk assessments, examination scoping, training, and outreach. Internal FDIC information systems, open source intelligence, and Suspicious Activity Reports (SARs) submitted by FIs were analyzed. Check Kiting, Counterfeit Checks/Instruments, Misuse of Position, and Computer Intrusion SARs were sampled this quarter to estimate mean (average) loss per SAR and identify other statistical trends and is presented in aggregate or redacted format.”
The report covers a variety of different issues in fraud and may be of
interest to Internet Identity’s customers. Some points of interest may
be:
• Reports of mortgage fraud rose and caused the highest estimated losses to financial institutions (FIs) during the quarter.
• Losses from counterfeit debit and credit cards subsided from the high levels experienced during the 1st quarter 2007.
• Most anti-virus software labs are reporting an increase in websites hosting malicious code. The number of malicious code programs targeting FIs doubled in 2006 and increased at a 62 percent rate during the first half of 2006.
• The number of consumer records breached doubled compared to prior quarters, which will impact ID theft, account takeovers, and account application fraud in the future.
• Examination staff reported a sharp decline in debit/credit card breaches at retailers and independent service organizations that impacted FDIC-regulated institutions.
• Phishing spam tapered off as cyber thieves are making more use of more focused “spear” phishing attacks and Trojan horse keyloggers.
• The decline in spam during the quarter coincides with the FBI efforts to dismantle botnets located in the United States.
If you want to learn more about protecting your organization from phone phishing, phishing, spear phishing, targeted malware and other attacks against your customers, please contact Internet Identity.