Friday, October 9, 2009

Are nigerian scams also getting money for identity theft?

Another day, another nigerian scam - here is a fresh one but lets have a look at what the victims are asked to provide.

Sure this helps the scammer for later on, but is this info also being sold and stored to other maintaining a global database of stolen identities?
From Blogger Pictures

Graham Ingram, Head of AusCERT thinks so, he is probably right - he has been warning people throughout 2009 they have seen evidence of such. After all, its not hard to imaging: for years: spamming lists have been bought, traded, swapped - so you can bet bad guys are mining information and taking ID Theft to the next level.
Folks from Auscert will be at Queensland Police Identity Theft Symposium this week (12th-14th Oct), here a link.

Thursday, October 8, 2009

CyberInsecurity: The Cost of Monopoly - remixed

This week had big news about 20,000 hotmail accounts publicly exploited and published - victims of another phish - but is there a deeper lesson to be learned?

This post's title is the same of a famous paper in 2003 penned by some (now) influential security folks: Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles P. Pfleeger, John S. Quarterman and one Bruce Schneier. The paper got its fair share of fame not least due to allegations that Geer lost his job because of its scathing assessment of Microsoft product (lack of) security and the risk to the internet because of that.

The basic tenet of the article was that homogeneity (they called a monoculture) of one operating system will crystallize hacker focus on a single predictable target and any exploit can then be multiplied over millions of hosts.

6 years later, no-one is arguing: Botnets and compromised hosts are the primary platform for attacks, fraud and other crime that benefit from anonymity.

But now we are heading for a new monopoly and a new homogeneity: Google Accounts and SSO (Single Signon)
Its been bothering me for a while but now Google is really picking up steam it needs a public comment: Google Voice, GMail, GTalk, Google Docs, Picasa but most importantly OpenSocial/FriendConnect, OAUTH, Adwords, AppEngine, Adsense and Google Checkout. Its an impressive array of value to the user. But is you Google username and password the "keys to the castle"?

Who me - panic?

Try this now: click or type https://www.google.com/accounts/
Did you know you were signed up for THAT MANY SERVICES?

So why are OpenSocial/FriendConnect, OAUTH, Adwords, Adsense and Google Checkout more important? Simply because they are gateways to value. Behind each of these services is value that is primarily protected by a single username and password. So how easy is it to phish that? Probably much easier than a bank account because the public has been taught to be paranoid about banking but....surely my Gmail account is of no interest to a fraudster - right?

As Ben Metcalfe (dotBen) says: "My GMail password scares me with its power!". Ben points out that we 2FA would be a nice idea. Setting aside the arguments for/against tokens, the simple exploitation of 2FA in authentication scenarios and the emergence of MITB (Man in the Browser) attacks.

I strongly disagree with Metcalfe's suggestion* to split the services - this is security by obscurity or security via homogeneity, after all, when users have multiple accounts they just use the same passwords - dah!

However, Google, whilst being a monoculture has one distinct advantage from the Microsoft monoculture because an upgrade is entirely under Google's control (Microsoft products are only as patched as the competence of their sysadmins).

So why hasn't Google offered this? Its irresponsible to not provide adequate protection**.
I'd posit that a corporate decision on acquiring someone harmless like Vasco*** or someone potent like Verisign to solve 2FA would be a vexing challenge. I'd posit that Google knows this problem needs to be solved and they need to take time to find the right partner or acquisition candidate. I'd also posit that the Chrome OS and the Android Phone/Netbook OS would kickstart a userbase where 2FA is built into consumer devices.

So are we seeing a replay of the monculture that caused the last 8 years of cybercrime? Will the homogeneity of Google Accounts deliver exploits of identity theft rather than just merely an exploit "platform" (that M$-Windows became)? After-all, if we follow the money it always leads to a user's credentials and the assets those credentials protect....

Thanks to Dan Geer et al...the more things change, the more they stay the same.

* dotBens comments about IMAP/POP3 are more valid because these are largely progrmmatic and often "in the clear"
** Its been confirmed by security researc
hers that they already perform some sort of "Device tracking" and perhaps this is a method of "Account Hijack" mitigation
*** do these companies have a future?
**** If you get the joke of this last picture, you are
even sadder than me :)

Umm, so where do I report cybercrime? Needed: eCrime reporting API for enforcement

For many online sites: fraudsters are like mosquitos - you can easily handle a few buzzing around but if you don't swat them, they will eat you alive.

We have customers who deal with some pretty sophisticated fraud every day. Their fraud teams use automated tools to winnow the transactions down to a suspicious subset and then use Aikido-like techniques to direct and exhaust the fraudsters energy - exposing the bad guys and minimising the cost of managing it.

It wouldn't be fair to discuss the techniques used, but often a side-effect is that additional proofs of the fraudsters location, their associates, their ability to manufacture or repurpose stolen identities end out being provided to the fraud team. Sometimes, they get hard evidence.

That sounds great for law enforcement right? Not exactly.

Most merchants run lean operations, they don't have time or profitability to spend excessive time reporting incidents and working with law enforcement - after all, the fraud may only be worth $10-200. This is a lot of money in some countries but its just better to swat the mosquito and move on. There is no need to track every mozzy down back to the swamp or puddle, but certainly merchants would appreciate handing-off to enforcement to handle that part.

But....There is no 911, 000, 999, Neighborhood watch, Crimestoppers etc - its still the wild-west. Such things don't commonly and uniformly exist in Cyberspace.

In 2004, we built a system for the government called "SpamMATTERS" - this was a world first*, that allowed consumers to report spam, scam and phishing emails with a simple "click". The system was a great success and was instrumental in various enforcement and disciplinary actions.
Naturally spam hasn't stopped and thats a story/post for another time. The lessons are the love helping swat mosquitos as long as they know their is some material benefit or action from their help. Relating this to fraud......

....is exactly the same. Back in 2005 I did some proofing of a document that was an attempt to extend the IETF IODEF (RFC 5070) for eCrime reporting. You can now get a tool from "the e-Crime Reporting and Incident Sharing Project" http://sourceforge.net/projects/ecrisp-x/ which has emerged from the Antiphishing workgroup.

But the question remains: If I fill out the details and click the information - so what?
  • Its nice that APWG is providing leadership but
  • its largely a US centric project
  • with not a great deal of visibility who is the benefactor and
  • what is the actionable outcomes from any report.
To truly resonate with SME merchants, their must be a tangible "think globally, act locally" initiative and system.

Alastair MacGibbon
's recent article: When it comes to web safety, we’re going nowhere fast
accurately described the landscape and made a passionate appeal for such a reporting system that is simple and actionable - as I mentioned above basically a "hand-off" from fraud teams swatting mosquitos to enforcement who can wade into the swamp. Of course Alastair's appeal is not new, its just that very few are listening.#

This week, one customers asked me if they could report a stolen and Photoshopped identity papers provided by a fraudster. As I mentioned - this customer is running a business, they don't have time to deal with cross-jurisdictional crime but they would be happy to help - IF:
  • they believed that its not just going into a blackhole.
  • it really was being actioned
  • if it will help all/other merchants in the future
  • don't stop me running my business to get involved in the investigation - I'm interested in a good citizen sense - but Maslow's law dictates I focus on my business.
There is another benefit of such a system - METRICS. Currently there is no real metric for the cost of cybercrime to merchants....here's a hint....its much larger than you realize. Think about it...could it be a case of self-interest that the banks refund your account after a phish/keylog event - if they didn't the number of incidents would start to be reported and we would be getting a sense of how large the problem is.

Cybercrime and Cyberfraud are under-reported (or maybe non-reported).**

With fraudsters using anonymity via botnets and proxies - cybercrime is going to continue to grow unless our enforcement teams can scale on cross-jurisdictional levels.

Its a big deal, merchants want to help - but their is no roadmap, no whitepages and no belief there is anyone on the other side of the phone.

* Specifically for enforcement. The FTC fridge predated SpamMATTERS but did not retain forensic information required by evidentiary handling standards. The feedback-loop and AOL reports followed a little later.

# In 2004, speaking at an OECD conference in Busan Korea on spam control, I warned that spam was not the issue but botnets were the main threat. Being the current Gold Medalist for botnets the Koreans understood and built large KR-CERT teams to wrangle the domestic botnet problem. Other countries dismissed this warning, they thought spam was about viagra - not the anonymity that botnets provide. The rest is history: botnets are now the premier platform for many types of cybercrime including keylogging, identity theft and click-fraud.

**Below is an example or global summaries from apwg.org. Currently there is no country specific statistical reporting of events and there is no quantitative financial study for fraud happening to SME eCommerce operators. The Cybersource Annual fraud report is not a bad indicator or credit-card related fraud but new commerce models are appearing in virtual currencies and micropayment ecosystems - I will leave that for another post.

Monday, September 28, 2009

"DataPervability" - social media and setting the right example for younger generation

DataPortability is a movement that advocates the ability for a user to extract their data from a social network or other on-line systems/community.

DataPervability riffs/remixes the term to ask the question:

Why can people perve anothers data/lifestream anonymously?

Surely it should be a reciprocal agreement?:
  • You can see me, so I should be able to see you (if I or my parents care)
  • Social networks are NOT brochureware websites - just because your profile is on some webserver doesn't mean the social contract is the same.

One of my interests in social media anti-patterns is based on establishing "norms" or "best practices" that protect the vulnerable in the community from malicious acts and actors. Look under the covers of online dating, gaming, auctions and their is plenty of grey activity that leverages information that people are willing to share. This

I've not seen sustained dialog (please correct me if I am wrong) about these elements of social media - possibly because:
a) all the early adopters are still in the hype cycle.
b) all the early adopters are consenting adults.

But we (those building and evangelizing social media) need to step back from enamorment of this new media/conversation and balance with the potential impact on the younger generations that will just "grow into" this technology.

As adults, we joke about who is "stalking" us, or how we spent some voyeuristic quality time trawling someones twitter feed or flickr photos. Have you ever wondered why you can't see a "friend-of-a-friends" Facebook profile but you can see their photos (or maybe its just everyone's photos?*) - thats just plain spooky right?



But what does that mean to kids "growing-into" Facebook or Twitter now? - as they enter these networks, who explains to them in a logical factual (not hysterical fear driven) fashion - what are the risks and traps. Its fine if kids don't care about DataPervability but at least I know.

The Australian Government (ACMA) has started some education on cyber-bullying and the overwhelming feedback from their research is the kids are aware of the technology but have not heard enough anecdotes or war stories about the down-sides. "Stranger Danger" is a paranoid response but adults and social media evangelists can take a leadership position in ensuring the kids and teens become as savvy as they think they are.

Reciprocity...Look at it this way: If you own a normal website:
  • You can use analytics to profile your users.
  • You can ask users to log in and self-verify their email address before they can access confidential parts of the site.
  • You can even use tools like LeadLander to identify what organization visits
So, why is it that Social Networks provide casual browsing of your profile, activities and friends (some Facebook API programs can get a whole lot of data) without give ANY analytical feedback to you? Its crazy.

When Facebook delivered an API, we tried to build a "Who's checking me out?" application,

This is not a Facebook bashing post - its just about the anti-patterns - it applies to all social media sites and evangelists. How will you protect the social sovereignty (privacy) of the users that help build your communities?


* I simply don't have time to figure out all the nuances of Facebook privacy, nor should I or anyone else. It should be clear, understandable and controllable based on clear and accessible user profile setup (but thats the topic of another post).

Sunday, September 27, 2009

Social media anti-patterns - how websites teach users to tolerate crap

The design of websites condition users to believe what is "normal" in behavior.

For example, back in the good old days we learned put our email address on the website so people could contact us easily. Years later (our mailboxes flooded with viagra spam because our email addresses got scraped by some harvesting bot), we changed the design pattern to something like sales AT example DOT com. My guess is that we probably needs to change that as the harvesting bots can easily scrape and harvest those addresses.

Over the last few years, in fraud protection we've learned a plethora of fraudulent methods and what website practices and design patterns actually attracts or invites fraud.

What I mean by "invites" is that a website with low fraud detection skills or poor practices suffers fraud first before their competitors - its a low hanging fruit thing.....fraudsters will make money where its easier, when you skill up, they move on to the next easy target.

But fraud protection has typically been the concern for eCommerce sites. The worst that individuals have had to tolerate is spam/malware in their email box and spam in their blog posts.

Spam in blog posts grew to such a degree that solutions: CAPTCHA, Akismet, Mollom or Defensio have emerged - because bloggers are early adopters and motivated to keep their comment feed clean.

However, as social media crosses the chasm to everyone owning a conversation - what competence will they have to spot a fraud or an attack?

Here is an example from this weekend's Twitter spam:














Now...this fine young lass doesn't seem to have any clothes or friends (Followers:0, Following:0) but she loves to send the same link to lots of folks (or maybe blokes). Blasted out 254 tweets.
The tweeted IDENTICAL link was probably spam but could easily be malware/worm. (There is several precedents and twitter account phishing attacks). But when this stuff appears in your reply stream, its pretty easy to reflex click-thru to the "attack site".

The Twitter account is still live several days later.

So - nothing new about this - but its an anti-pattern that we accept:
  • the users have no warning
  • there is no reputation in the reply stream about the sender
  • the account isn't killed (it may have been disabled invisibly, but surely twitter users should know when an account is blocked by others).
Are Twitter going to spend some of their brand-spanking new $100m investment on keeping the Twitter ecosystem clean and safe? (especially if they think they can cross the chasm with a proprietary solution).

Some examples or other anti-patterns in authentication are:
  • Username/Password (no 2-factor)
  • Allowing simple passwords
  • Making passwords so difficult that the user has to write them on a post-it note
  • Storing your Username/Password in a 3rd party (yes you Twitter API applications!)
  • Positioning single signon (SSO) as being safer
  • Auto follow
  • Really confusing privacy policies and obscured privacy settings (watch Paul Fenwick's presentation on Facebook privacy - some of you may be surprised)
  • Changing your Terms and Conditions on privacy (beacon)
  • 140 characters. Not enough to give the recipient context for the target
  • URL shorteners like tr.im, bit.ly - again, these separate recipient from context of destination without any reputation on the link.
  • Not allowing users to partition their personal and public life.
  • Not educating users (like children) the ramifications of public social media behavior. It should be mandatory at primary school to learn how:

    • difficult it is to get something deleted from google cache is - especially if its not your site: http://lifehacker.com/166500/deleting-things-from-googles-cache
    • impossible it is to delete all known copies of an embarassing photo, vid or chat thread
Of course, we (including me) are all co-conspirators in one or more of these social anti-patterns. In fact I will use a short link pasted into Twitter *sigh*

I think I will expand on social media anti-patterns in the future, if the next generation will learn the traps too late, we will have more sites promulgating an unacceptable set of "norms".

Is there an existing repository of such?

first blog since 2003 - internet anonymity, privacy and fraud

In 1993, the famous New Yorker cartoon "On the Internet, nobody knows you're a dog" captured the beauty of a new frontier.

You could be a single person company with a great website that made you look huuuuge. History has proven the clear benefit of size doesn't count (or even location or age) - but the same benefits of anonymity have brought lots and lots of bad guys....botnets, phishing, 419 and advanced fee scammers, credit card fraud, account hijack, identity theft....you get the idea - the list goes on and on.....



Back in 2003, I finished up my role as VP R&D at Surfcontrol a few years after they acquired the email filtering company I started in a bedroom. During that period, I had seen spam grow from a trickle to a pandemic and become more of a commercial tool. Spam had shifted from open-relays and open-proxies to malware that compromised machines - the perfect storm of anonymity and compromisable Windows host was a cybercriminals best tool.

It was clear to me that once the bad guy had your PC, then spam was just one kind of fraud - my partner Scott Thomas and I built a system (SpamMATTERS) accepting crowd-sourced spam and security reports, then correlating to identify the players behind spamming operations - we built this for the federal government and remains in production today.

From this botnet tracking was a key side-effect that could be used as a security defence and in 2005, ThreatMetrix was founded. In 2009, anonymity and fraud is big business and we help websites running eCommerce, payments, dating, marketplaces enable the good guys whilst stopping the bad guys in real-time. The good news for ThreatMetrix is that in a world where identities are phished, keylogged and credit-card numbers are stolen this is a hockeystick problem that we are helping to address.

The bad news is that its a hockeystick problem.

So, I'm excited about the single-signon/auth solutions emerging (OpenID, Facebook Connect, OAUTH, FriendConnect) AND I am excited about the conversation of social media but I am pretty sure that social media spear-phishing is going to grow as more valuable assets are all contained behind one login/password.

If a bad guy gets access to your Google account, they may not merely have access to your reputation but also your Google Checkout or maybe your Google Voice account. Over the weekend, I saw on my screen - I've never signed up for Checkout but there is was. Google doing some A/B testing or maybe just a reinvention of subliminal advertising :)

With Facebook Connect, its likely/predicted that Facebook will allow you to shop purely by logging into a merchant site with your Facebook ID. This is a Paypal killer if they execute it well, an Amazon 1-click experience - but are Facebook users conscious of the risks of having their ID phished? Up until now, its been fairly isolated with mostly scam account hijacks but with purchasing power - your Facebook account is gold to a fraudster.

And it might just be micro-payment fraud. I can easily see Facebook enabling micropayments in their platform. They need to monetize somehow right? :)

I am also keen to understand the impact of mobile on commerce, all of the above applies but the smartphones now offer a semi-solution for 2-factor authentication. But are handsets vulnerable and what if your handset is lost/stolen - is it always logged into your accounts and not protected by a PIN?


Wow - what a downer of a first post - well that not my intent, I aim to post on mobile, social, startups, cloud, meta and other goodies.

stay tuned....

just a placeholder...