Friday, October 9, 2009

Are nigerian scams also getting money for identity theft?

Another day, another nigerian scam - here is a fresh one but lets have a look at what the victims are asked to provide.

Sure this helps the scammer for later on, but is this info also being sold and stored to other maintaining a global database of stolen identities?
From Blogger Pictures

Graham Ingram, Head of AusCERT thinks so, he is probably right - he has been warning people throughout 2009 they have seen evidence of such. After all, its not hard to imaging: for years: spamming lists have been bought, traded, swapped - so you can bet bad guys are mining information and taking ID Theft to the next level.
Folks from Auscert will be at Queensland Police Identity Theft Symposium this week (12th-14th Oct), here a link.

Thursday, October 8, 2009

CyberInsecurity: The Cost of Monopoly - remixed

This week had big news about 20,000 hotmail accounts publicly exploited and published - victims of another phish - but is there a deeper lesson to be learned?

This post's title is the same of a famous paper in 2003 penned by some (now) influential security folks: Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles P. Pfleeger, John S. Quarterman and one Bruce Schneier. The paper got its fair share of fame not least due to allegations that Geer lost his job because of its scathing assessment of Microsoft product (lack of) security and the risk to the internet because of that.

The basic tenet of the article was that homogeneity (they called a monoculture) of one operating system will crystallize hacker focus on a single predictable target and any exploit can then be multiplied over millions of hosts.

6 years later, no-one is arguing: Botnets and compromised hosts are the primary platform for attacks, fraud and other crime that benefit from anonymity.

But now we are heading for a new monopoly and a new homogeneity: Google Accounts and SSO (Single Signon)
Its been bothering me for a while but now Google is really picking up steam it needs a public comment: Google Voice, GMail, GTalk, Google Docs, Picasa but most importantly OpenSocial/FriendConnect, OAUTH, Adwords, AppEngine, Adsense and Google Checkout. Its an impressive array of value to the user. But is you Google username and password the "keys to the castle"?

Who me - panic?

Try this now: click or type https://www.google.com/accounts/
Did you know you were signed up for THAT MANY SERVICES?

So why are OpenSocial/FriendConnect, OAUTH, Adwords, Adsense and Google Checkout more important? Simply because they are gateways to value. Behind each of these services is value that is primarily protected by a single username and password. So how easy is it to phish that? Probably much easier than a bank account because the public has been taught to be paranoid about banking but....surely my Gmail account is of no interest to a fraudster - right?

As Ben Metcalfe (dotBen) says: "My GMail password scares me with its power!". Ben points out that we 2FA would be a nice idea. Setting aside the arguments for/against tokens, the simple exploitation of 2FA in authentication scenarios and the emergence of MITB (Man in the Browser) attacks.

I strongly disagree with Metcalfe's suggestion* to split the services - this is security by obscurity or security via homogeneity, after all, when users have multiple accounts they just use the same passwords - dah!

However, Google, whilst being a monoculture has one distinct advantage from the Microsoft monoculture because an upgrade is entirely under Google's control (Microsoft products are only as patched as the competence of their sysadmins).

So why hasn't Google offered this? Its irresponsible to not provide adequate protection**.
I'd posit that a corporate decision on acquiring someone harmless like Vasco*** or someone potent like Verisign to solve 2FA would be a vexing challenge. I'd posit that Google knows this problem needs to be solved and they need to take time to find the right partner or acquisition candidate. I'd also posit that the Chrome OS and the Android Phone/Netbook OS would kickstart a userbase where 2FA is built into consumer devices.

So are we seeing a replay of the monculture that caused the last 8 years of cybercrime? Will the homogeneity of Google Accounts deliver exploits of identity theft rather than just merely an exploit "platform" (that M$-Windows became)? After-all, if we follow the money it always leads to a user's credentials and the assets those credentials protect....

Thanks to Dan Geer et al...the more things change, the more they stay the same.

* dotBens comments about IMAP/POP3 are more valid because these are largely progrmmatic and often "in the clear"
** Its been confirmed by security researc
hers that they already perform some sort of "Device tracking" and perhaps this is a method of "Account Hijack" mitigation
*** do these companies have a future?
**** If you get the joke of this last picture, you are
even sadder than me :)

Umm, so where do I report cybercrime? Needed: eCrime reporting API for enforcement

For many online sites: fraudsters are like mosquitos - you can easily handle a few buzzing around but if you don't swat them, they will eat you alive.

We have customers who deal with some pretty sophisticated fraud every day. Their fraud teams use automated tools to winnow the transactions down to a suspicious subset and then use Aikido-like techniques to direct and exhaust the fraudsters energy - exposing the bad guys and minimising the cost of managing it.

It wouldn't be fair to discuss the techniques used, but often a side-effect is that additional proofs of the fraudsters location, their associates, their ability to manufacture or repurpose stolen identities end out being provided to the fraud team. Sometimes, they get hard evidence.

That sounds great for law enforcement right? Not exactly.

Most merchants run lean operations, they don't have time or profitability to spend excessive time reporting incidents and working with law enforcement - after all, the fraud may only be worth $10-200. This is a lot of money in some countries but its just better to swat the mosquito and move on. There is no need to track every mozzy down back to the swamp or puddle, but certainly merchants would appreciate handing-off to enforcement to handle that part.

But....There is no 911, 000, 999, Neighborhood watch, Crimestoppers etc - its still the wild-west. Such things don't commonly and uniformly exist in Cyberspace.

In 2004, we built a system for the government called "SpamMATTERS" - this was a world first*, that allowed consumers to report spam, scam and phishing emails with a simple "click". The system was a great success and was instrumental in various enforcement and disciplinary actions.
Naturally spam hasn't stopped and thats a story/post for another time. The lessons are the love helping swat mosquitos as long as they know their is some material benefit or action from their help. Relating this to fraud......

....is exactly the same. Back in 2005 I did some proofing of a document that was an attempt to extend the IETF IODEF (RFC 5070) for eCrime reporting. You can now get a tool from "the e-Crime Reporting and Incident Sharing Project" http://sourceforge.net/projects/ecrisp-x/ which has emerged from the Antiphishing workgroup.

But the question remains: If I fill out the details and click the information - so what?
  • Its nice that APWG is providing leadership but
  • its largely a US centric project
  • with not a great deal of visibility who is the benefactor and
  • what is the actionable outcomes from any report.
To truly resonate with SME merchants, their must be a tangible "think globally, act locally" initiative and system.

Alastair MacGibbon
's recent article: When it comes to web safety, we’re going nowhere fast
accurately described the landscape and made a passionate appeal for such a reporting system that is simple and actionable - as I mentioned above basically a "hand-off" from fraud teams swatting mosquitos to enforcement who can wade into the swamp. Of course Alastair's appeal is not new, its just that very few are listening.#

This week, one customers asked me if they could report a stolen and Photoshopped identity papers provided by a fraudster. As I mentioned - this customer is running a business, they don't have time to deal with cross-jurisdictional crime but they would be happy to help - IF:
  • they believed that its not just going into a blackhole.
  • it really was being actioned
  • if it will help all/other merchants in the future
  • don't stop me running my business to get involved in the investigation - I'm interested in a good citizen sense - but Maslow's law dictates I focus on my business.
There is another benefit of such a system - METRICS. Currently there is no real metric for the cost of cybercrime to merchants....here's a hint....its much larger than you realize. Think about it...could it be a case of self-interest that the banks refund your account after a phish/keylog event - if they didn't the number of incidents would start to be reported and we would be getting a sense of how large the problem is.

Cybercrime and Cyberfraud are under-reported (or maybe non-reported).**

With fraudsters using anonymity via botnets and proxies - cybercrime is going to continue to grow unless our enforcement teams can scale on cross-jurisdictional levels.

Its a big deal, merchants want to help - but their is no roadmap, no whitepages and no belief there is anyone on the other side of the phone.

* Specifically for enforcement. The FTC fridge predated SpamMATTERS but did not retain forensic information required by evidentiary handling standards. The feedback-loop and AOL reports followed a little later.

# In 2004, speaking at an OECD conference in Busan Korea on spam control, I warned that spam was not the issue but botnets were the main threat. Being the current Gold Medalist for botnets the Koreans understood and built large KR-CERT teams to wrangle the domestic botnet problem. Other countries dismissed this warning, they thought spam was about viagra - not the anonymity that botnets provide. The rest is history: botnets are now the premier platform for many types of cybercrime including keylogging, identity theft and click-fraud.

**Below is an example or global summaries from apwg.org. Currently there is no country specific statistical reporting of events and there is no quantitative financial study for fraud happening to SME eCommerce operators. The Cybersource Annual fraud report is not a bad indicator or credit-card related fraud but new commerce models are appearing in virtual currencies and micropayment ecosystems - I will leave that for another post.