One week after a breached corporate health care company refused to pay extortionists, the criminals now are seeking money from the corporate clients whose employee data might have been exposed.
St. Louis-based Express Scripts said on Tuesday that a limited number of its clients--which include government agencies, unions, and employers--have received letters threatening to expose the personal information of its members. The company said the letters sent to its clients were similar to the original extortion threat it received in October.
The company also said it was establishing a reward totaling $1 million to anyone providing information that results in the arrest and conviction of the criminals responsible.
"We are cooperating fully with the FBI to assist them in their investigation and doing what we can to protect our members," said George Paz, CEO and chairman of Express Scripts, in a statement on the company's site.
In a separate announcement, Express Scripts announced that Knoll, a New York-based risk-consulting firm, has been contracted to offer expert assistance to members who become victims of identity fraud as a result of this incident.
Arbor Networks found that DDoS attack size (in gigabits) nearly doubled in 2008 from the previous year.
(Credit: Arbor Networks)
Internet service providers now spend most of their IT security resources detecting and mitigating distributed denial-of-service attacks, concludes a report from Arbor Networks.
The fourth edition of the Worldwide Infrastructure Security Report, released Tuesday, was based on how 70 lead security engineers responded to 90 questions. As in the previous three reports, ISPs reported attacks where their networks were overloaded with packets, what's called a distributed denial-of-service (DDoS) attack. However, this year, the ISPs indicated the attacks were not only larger in size but that most of them were stretching the upper limits of their security resources in order to deal with such attacks.
Rob Malan, founder and chief technology officer of Arbor Networks, said the DDoS attacks seen this year broke the 40-gigabit barrier, nearly double the volume of last year's attacks. He warned that if next year's attacks again double in size, "most carriers will be unable to deal with those attacks."
In assessing the attacks, Arbor Networks found "brute force," a catch-all term, was the dominant method used. The security firm looked at traditional means of DDoS--syn flood, udp flood--as well as anything else that artificially created network congestion. Malan told CNET News that despite the massive size, the attacks themselves demonstrated "little sophistication" and were simply "trying to overwhelm network bandwidth."
One consequence of this method was that upstream providers of the targets were increasingly being affected. "If an attacker takes out capacity of (the upstream) routers you're (also) starving the target," he said. Malan said attackers were also using reflective attacks, which use different pieces of DNS structure to redirect traffic away from a target.
While flood-based attacks represented 42 percent of the attacks reported, followed by protocol exhaustion-based at 24 percent, Arbor Networks also saw a sharp increase this year in application-based attacks, which accounted for 17 percent of the attacks.
Malan explained that with application-based attacks, bot-infected computers worldwide make connections to a targeted site, then "use an application protocol to deliver a perfectly valid request, not a vulnerability, not something that an IDS or other type of firewall would necessarily flag." For example, a botnet might instruct its zombie computers worldwide to do a back-end query off a database. "By itself it's not bad, but if you have multiple such requests, then you tie up the application--in this case database--resources on the back end," he said.
The report does contain some good news. Arbor Networks found detection and mitigation of these attacks to be increasing as well. Fifteen percent of the respondents said, on average, they can mitigate an attack within 10 minutes of detection. However, 30 percent said mitigation still takes them over an hour.
But finding the criminals responsible for these attacks is not a high priority. Arbor Networks found that ISPs have little time to involve law enforcement. "It's hard on carriers," said Malan. "They get paid on traffic, not to do forensic analysis. So it's hard from their perspective to make the economics work."
(Credit:
Arbor Networks)
In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.
Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "Coreflood" prior to April 6, 2004, when the alleged theft took place.
Shortly after the wire transfer occurred, a sum of $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining $70,000 was, however, frozen by Latvian banking authorities. Bank of America has since settled this case; neither side has revealed the terms.
"I had probably heard the news about Joe Lopez, but (until recently), I hadn't thought twice about the whole Coreflood episode of a few years ago," admitted Joe Stewart, director of Malware Research at SecureWorks, when I spoke to him at last summer's Black Hat conference in Las Vegas.
In particular, Stewart recalled hearing that the U.S. Secret Service had found evidence of Aflood or Coreflood on the Lopez computer.
"The Secret Service actually named Coreflood. That was very surprising. Normally, we don't get the final tally. We don't know who's account got stolen. It's very unusual to actually have a victim that is public, and everybody knows exactly what (was) taken."
Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart said Coreflood has a different agenda: "Its goal is to steal the data directly from users." The much more popular Storm botnet, he said, is more of a nuisance. "Coreflood has a real financial impact for people like Joe Lopez."
Who's behind Coreflood? Stewart declines to say, but in an interview in The New York Times, he suggested that the gang responsible was based somewhere in Russia. He would not tell me the name of the group because of ongoing criminal investigations.
In this video, Stewart talks about what first drew him to study the Coreflood botnet.
When Stewart heard about Lopez, he renewed his research on the Coreflood. With the help of Spamhaus, an antispam organization, Stewart and SecureWorks were able to gain cooperation from a Wisconsin-based provider of one of the command and control centers for the botnet. What he found was not only the bot's source code but also 50 gigabytes of compressed data, searchable in a MySQL database.
Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped life cycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.
The graph shows how one state policy agency was infected with Coreflood from April 2007 through January 2008.
(Credit: SecureWorks)Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PcExec, a legitimate Windows administration tool available from Microsoft.
"It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If the user also happened to be on the corporate network when that happens, the bot is then able to take advantage of that structure and is able to be a threat to everyone on that network.
"So it's not so much a targeted attack," Stewart said. "But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company."
Later, the criminal gang responsible for the attack can find out which company it has infected by looking into the registry of the infected computer. "They pull out of the registry a separate request to say who is the registered owner the Windows license. They ship that information back up to the botnet controller."
Just looking at that one C&C server in Wisconsin, Stewart estimates that the gang responsible has infected more than 35,000 domains. It may sell those Web mail accounts to a spammer, because spammers love Web mail accounts. But over the years, Coreflood seems to have targeted only banks. Stewart knows this from the forensic evidence he's collected.
In this video, Stewart talks about digital forensics and what it can tell us about botnets such as Coreflood.
Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say, by a keylogging application. The Coreflood script will then capture the HTML data on the post-log-in page.
In most cases, that page also contains the account's bank balance. This is so that after running the test, the hackers have a picture of what the highest dollar amounts are, he said.
"I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account," he said. "We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first."
Coreflood does not take a screenshot, Stewart said, but rather scrapes the text out of the HTML. "When they run these tools, it leaves a log file behind, and all the post log-in (data)...are saved in that directory. So we have all of the account balances. So we can parse out what everyone's balance is and see actually how much (the thieves) had access to at any one institution."
In this video, Stewart talks about why Coreflood has been around since 2001, yet hardly anyone has been talking about it.
The problem is that Coreflood has been around since 2001.
"It's unique in that's been around for so long," Stewart said. Moreover, it's unusual that it seems to have been maintained by the same group, "not something that's been sold to another group," as is the case with some botnets.
The way it's managed to evade detection, Stewart said, is that it hasn't really crept high on anyone's list of botnets. "It's not on anyone's radar." Yet it's managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to these guys in Russia.
"To me, (Coreflood) is far more insidious because it doesn't get the attention," said Stewart. Unlike Storm, Coreflood is not constantly in your face. "You're not seeing new social-engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It's been quiet, and just does a few things, and tries not to garner any attention."
So the story of Lopez is significant. It's a tangible event about how online criminals are actually affecting people. It illustrates how much money got taken from an actual bank account, and the real impact on the victim's life. Unfortunately, there are many more botnets--and many more victims to talk about.
The customer database of Express Scripts, a company used by employer health care services to provide prescription medicine by mail, has been breached. In a twist, the company said it learned of the breach in "a letter from an unknown person or persons trying to extort money from the company."
The company posted details on its Web site Thursday. The letter, received in October, threatened to reveal millions of customer records--including Social Security numbers, addresses, dates of birth, and in some cases, prescription information--on the Internet if the extortion demands were not paid. The company did not disclose what those demands were.
Graham Cluley, of security software maker Sophos, told CNET News that Express Scripts did things right. "It appears they have not paid up." He noted that's important with data theft because the criminals have the data in their possession and can keep going back to the company to get more and more money. Second, Express Scripts went to the FBI and decided to go public about the breach.
"We have identified where the data involved in this situation was stored in our systems and have instituted enhanced controls," Express Scripts said on its site.
Cluley said: "I think it's going to be old-fashioned police work that gets to the bottom of this." For example, it's possible the sender of the extortion request and the attacker used the same servers.
Usually extortion is used in connection with denial-of-service of attacks, when the criminals have nothing of value except the sheer volume of data to spew at a targeted site. A letter is sent asking for money in exchange for ending that attack.
This however is an old-school data theft. The criminals presumably have millions of customer details that can be sold on the Internet. But Cluley notes that "people's identities sell for a relatively small amount, and if you go to an auction site on the Web and try to barter on that, you might not get that much as you might potentially get by embarrassing a company."
A few weeks ago, Sophos noted a similar data breach/extortion attempt at a North American Maserati dealership. Still, Cluley said he does not think this was the beginning of a trend.
Cluley said the thieves in this case might not be connected with the established "carder" world, where personal identities are bought and sold online. "Maybe this is an accidental data leakage, something they stumbled across, maybe they're not part of the criminal community, and they're just taking their chances."
Express Scripts said it will notify affected customers in compliance with state regulations.
Last summer, Sen. Barack Obama's presidential-campaign computers came under cyberattack from an "unknown entity." His machines weren't alone; John McCain's computers were also attacked, according to a report appearing Wednesday on the site of Newsweek magazine.
The Obama attack was initially thought to be a piece of malware downloaded from a phishing site. Newsweek reports that "the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: 'You have a problem way bigger than what you understand,' an agent told them. 'You have been compromised, and a serious amount of files have been loaded off your system.'"
The McCain campaign's computer system was also compromised over the summer. Newsweek confirmed with a top McCain official that the FBI had become involved. A federal investigation into both attacks is under way.
According to Newsweek Editor at Large Evan Thomas, the FBI and White House officials told the Obama campaign that a foreign entity or organization was likely responsible, not political opponents. Independently, Obama technical experts have speculated that the hackers were Russian or Chinese. The files accessed appear to be policy-related and thus potentially useful in future negotiations with a new presidential administration.
Earlier this year, during the primaries, an online prank had the Obama campaign site redirected to Sen. Hillary Clinton's campaign site.
The Newsweek report is part of a special edition that will be on newsstands November 6 through 16, and online November 5 through 7.
Last week, a new report (PDF) on emerging threats from the Georgia Tech Information Security Center mentioned, among other predictions, that botnets were likely to hit mobile phones sometime in the next year. On Tuesday, I spoke with VeriSign CTO Ken Silva about that possibility and why it might happen within the coming year.
"Criminals will go where the money is," Silva told CNET News. "If you start doing things of financial interest with your mobile phone, they will find a way to get your money."
Silva said the mobile phone market is changing. Today's mobile phones don't just make phone calls, they stream video and support content. "Most consumers did not care about a smartphone until Windows Mobile, the Apple iPhone, and now Google Android came along. Now more and more consumers want smartphones. Kids want them; it's a cool phone to have."
Silva said that smartphones tend to use either Java-based Blackberry OS, Mac OS, or Windows Mobile OS as platforms, and it is this standardization of operating systems that should make it easier for criminals to target their victims. The way mobile users browse the Web already is standardizing. With Windows Mobile you have Internet Explorer, and on Apple's iPhone you have Safari. Both of these browsers have vulnerabilities that can be exploited, although not always on the mobile version.
Another compelling reason to think malware is coming soon to your smartphone is more bandwidth. Because of the streaming media options, this year's phones process data much faster than last year's models.
One possible malware vector might be new application downloads. "People are thirsty for applications to run on their devices," Silva said. "Despite the fact Apple has gone to great lengths to make sure the applications are signed (and) have gone through a vetting process, users continue to break their iPhone and install software outside the channel."
Silva doesn't, however, think denial-of-service (DoS) attacks will be the first choice of botnets operating on mobile phones. For one thing, DoS attacks require always-on computers, and mobile devices are not always on or connected to the Internet.
He ranks DoS attacks second behind data theft. "These smartphones now have e-mail on them--and also corporate e-mail on them. We're doing more personal transactions with them." Silva thinks it's the rise of mobile payments and the popularity of banking on mobile phones in Europe and Asia that are leading malware to the mobile phone.
"If we've learned nothing else from the desktop, we should have learned that software needs to be secure right from the get-go." We have opportunity on the mobile platform to write secure code, he said, knowing what has happened on the desktop.
As for the currently status of botnets operating on mobile phones: "Definitely theoretical." But Silva adds, "Someone--just to prove the point--will develop a toolkit to do it." So it's never too early to be thinking about this problem.
Your ordinary bank robber can now steal hundreds of account numbers from ATMs without so much as lifting a finger. Instead, he skims.
Skimming is the physical use of secondary readers to capture the magnetic tracks on the backs of credit and debit cards. On ATMs, skimmers and secondary keypads are used to capture account numbers and PINs. Often, the ATM transaction goes through, and the customer doesn't realize that the account has been compromised until later.
Two risks these high-tech criminals face are being caught fitting a faux cover over an ordinary ATM card slot and keypad, then later retrieving the skimmers in order to get the account information.
With the arrest last week of "Chao," a Turkish ATM skimmer, comes new information on the lifestyles of modern bank robbers, including details on new devices that send captured account data via SMS to their smartphones.
For about $8,000, skimmers can have their own ATM overlay capable of transmitting 1,856 cards via SMS. Bulk pricing is available. And if they don't want the information sent card by card, they can dial into the device and download the data at their convenience.
You're probably saying, "wait, I'd notice the compromise." Not so fast. These guys are good. Very good. See the photos of a compromised ATM machine on Snopes.com. Or watch this video to see how ATM skimming with SMS was accomplished last year in Pennsylvania.
Skimming got its start in South Africa, and since 2004, there have been a handful of noteworthy cases in the United States, affecting ATMs in Seattle, San Francisco, Los Angeles, and Austin, Texas. Late last year, Citibank replaced debit cards for its Manhattan customers because of a skimming operation there.
Last February, during a presentation by Billy Rios and Nitesh Dhanjani at the Black Hat conference in Washington, I saw a photograph of a warehouse full of ATM card input overlays from one of the criminal enterprises they stumbled upon. You want black? They got black. You want beige? They have that. What about white or gray? Covered.
Industry standardization of ATM readers makes it easier for criminals to copy, so a bank robber needs only to match the look and style. A second photo showed boxes of keypad overlays. Large. Small. Again, you need only to match the look and style.
Once the account information is captured, the criminals tend to burn it onto blank magnetic stripe cards (ISO standard 7810), then use it at ATMs worldwide.
How are they able to fool so many people? In a blog on ZDNet, Dancho Danchev speculates that there might be some collusion with individuals working with ATM manufacturers. His blog is full of details from a site offering these overlays.
There is a downside to having the SMS service. As with a cell phone, the devices need batteries, which wear out. And some SMS transmissions simply fail. Still, if a criminal gets 1,500 bank account numbers, I don't think they're going to mind.
Debit cards and PINs are hot subjects on the criminal underground forums these days, Tom Rusin said on a recent visit to CNET. Rusin is president of North American operations at Affinion Group, a company that monitors the criminal underground for several thousand banking institutions by lurking in carder chat rooms.
"Carders" are the people who buy, sell, and trade online the credit card data stolen from phishing sites or from large data breaches at retail stores. Affinion is one of the largest identity protection companies in the world, with offices in more than a dozen countries. Over the years, it has provided a wealth of information to the U.S. Secret Service and the FBI. A few weeks ago, Affinion identified .Mac users who found themselves victims of a phishing scam.
While scrolling through posts in an online underground criminal forum on his laptop, Rosin explained that since "every American keeps some money in their savings account," unlike when stealing credit cards, debit cards grant thieves immediate access to cash. Next in demand are usernames and passwords because "most people use the same password on the sites they visit."
Carders once used to peddle their wares on forums as "novs" for novelties, as though they were only providing fake accounts or fake personal details for fun. What Rusin showed me on his laptop were bold, even boastful, claims. For example, today they're not just selling card information online.
Threaded among the expected offers in the forum were those for proxy servers and bullet-proof servers (i.e. servers that are unlikely to ever be shut down, located in parts of the world where the law often doesn't reach). These are used in conjunction with phishing kits (packages that help you create your own fake Bank of America page), which are also for sale.
Getting to this level of access hasn't been easy, Rusin said. Carders are tremendously paranoid. Often, just to gain access to the forums, you have to demonstrate your chops by providing up to five active credit card account numbers. It's the equivalent of gang or mafia initiation.
Rusin says Affinion has been establishing its carder credentials since 1998 or so. The company maintains several credit cards, accounts that they use to test their own software as well as that of others in spotting customer's data among the carder forums. For example, they once fed an Affinion credit card account to a carder, then watched at the bank's end of things.
There is a predictable pattern. Often, the purchasing individual will first run a $1 transaction through to a charity--say, the American Red Cross. Once that transaction is authenticated, a flood of illegal purchases cascade in until the card account is shut down.
That's an example of what's known in the business as an "account takeover," the most common use of personal information, in which thieves start using your active account without your knowledge. The effect is immediate, and the losses can be large.
The next most common use, according to Rusin, is new-account creation. This is a slower process, and it often involves establishing utility accounts. Here, the goal is to actually become someone else so that if it ever gets to court, a jury would have a tough time determining the difference between your transactions and another's.
New-account creation requires that a carder have a Social Security number, birth date, and mother's maiden name, at least. Rusin explained that a "full" profile will contain a name, address, SSN, date of birth, and driver's license number. Scrolling through the forum, he fingered one of the entries on the screen and said, "this guy's selling U.S. fulls for $20."
Rusin says that once a criminal has your Social Security number, it's possible to find the rest of that personal information from various sources via Google. "Typically, they're garnished from phishes but also from hacks. It's everything I need to become you. So your identity in the underground is worth about 20 bucks."
Terrorists, not just organized criminals, are interested in stealing and using your credit card history. That's one of the surprising trends identified by Rusin and documented in a Department of Justice white paper (PDF) that cites the increasing involvement of terrorist networks, starting as far back as the 2002 bombing in Bali.
In 2007, FaceTime Communications' Chris Boyd and Wayne Porter gave a standing room-only talk at the RSA Conference in San Francisco on a botnet they'd traced back to the Q8 Army sites.
Unfortunately, personal information is going to flow, admits Rusin. He cites high-profile data breaches such as the ones affecting ChoicePoint and the parent company of TJ Maxx.
Rusin, whose company also sells ID protection services, likens the process of ID monitoring to having a smoke detector: "You should have a smoke detector in your house." So the goal isn't necessarily to stop ID fraud, but rather to manage it.
In addition to having antivirus software and a firewall to protect our digital information on our desktops, it looks as if we now need ID protection for our real-world information as well.
You can hear more of my interview with Tom Rusin in this week's Security Bites podcast.
Jay Foley, co-founder of the Identity Theft Resource Center, told me recently that 57 percent of all identity fraud involves opening new accounts "for short-term gain." The ITRC should know: it has been surveying ID fraud victims for several years and has amassed some impressive real-world statistics.
Foley also said 13 percent of the identity theft victims found out about the attacks only after criminals had established utility or cable service in their names. "So your credit record is more theirs than yours, making it harder to fight them in court," he said.
Clearly the best solution is to stop credit fraud at the moment it starts, when the account is first applied for, but for years credit histories and scores lay shrouded in mystery.
Fortunately, there's greater transparency with regard to credit reports these days. Since 2003, the Fair and Accurate Credit Transactions Act, or Facta, makes it possible for individuals to request one free annual credit report from each of the three major credit reporting agencies. (Go to AnnualCreditReport.com.) Initially, it was to correct any errors in the credit report; many people, however, use this process to monitor their reports for credit fraud.
While you can request all three credit reports at once, experts recommend staggering these, requesting one from a different reporting agency every 90 days or so. That way you'll see a comprehensive view. In addition to requesting your credit report, Congress, through laws such as the Fair Credit Reporting Act (FCRA), has provided other tools for monitoring your credit activity.
A fraud alert placed on your credit history requires an issuing entity to contact you first before opening a new account. Fraud alerts need to be renewed every 90 days unless you are a documented victim of identity fraud, in which case you are entitled to additional protection for up to seven years.
Another option is to place a credit freeze on your credit history. As of November 1, 2007, all three major credit reporting agencies offer this option. Lenders looking to issue credit in the name of someone with a credit freeze will be unable to access the credit history without your explicit permission. In most states there is no termination date, however there is a $10 fee to institute a freeze, and a $12 fee to lift it whenever you want to allow a credit check. These fees are waived if there is proof the individual is an identity fraud victim. The main advantage of a credit freeze over a fraud alert is that the credit freeze does not expire. Credit freezes, however, do not apply to entities with whom the consumer has an existing account. Nor do they apply to law enforcement agencies and certain governmental agencies.
The plans from Experian, Trans Union, and Equifax are similar, each providing a complementary credit report from all three reporting agencies, continuous monitoring of credit activity and any online use of your personal information, and some insurance against identity fraud abuse. The plans range from $11 to $14 per month, with annual and family plans available for less. They do not, however, place alerts or a freeze on your credit history.
This creates a market for private identity protection companies. One of the first was TrustedID, which costs $10 per month per adult (with annual and family plans available) and places both a fraud alert and a credit freeze on your credit history (requiring you to be contacted in both cases), opts you out of credit offers, $1 million in loss insurance, scans for personal data on the Internet, and monitors change of address. TrustedID also scans for medical fraud and protects against spyware.
Providing similar protection is LifeLock. This company is perhaps the best known because its CEO advertises his personal Social Security number as an example of how secure the company is. Bruce Schneier recently did an analysis of what's right and what's wrong with LifeLock as did the CNET Blogger Network's Chris Soghoian.
The Achilles' heel in all of these plans is that the financial institution does not have to make a reasonable attempt to contact you, so the fraudulent account may still get opened. Even with a credit freeze, some financial intuitions won't contact you. There's no way to prove or disprove an institution called you, said ITRC's Foley.
Until now.
Back in 2004 a guy named Bo Holland took a gamble. He bet that that identity fraud would only get worse, not better. And he was right. Having built a series of start-ups within the financial services industry, Holland had an insider's perspective on the problem; he knew how banks and other institutions handled credit requests; he also had worked at Critix Systems, so he had understanding about application delivery. With his latest start-up, Debix, an identity protection network, Holland pulled together all of his skills.
Not only does Debix put a credit freeze on your profile, but it uses its own phone number to log whether the credit institution tried to contact you. And if you're not available, Debix puts the pending account or loan on hold until you are able to return the call. And by using a Debix phone number, not your home number, on your credit report, that adds another layer of security to the product.
So how does Debix work in the real world? Say you are at a car dealership and you need to finance a new car. Shortly after the salesperson leaves the showroom floor, your mobile phone should ring. That's Debix; you know it because it's your voice saying a secret code. Then Debix asks if you indeed are seeking to establish a new account. If yes, you type in a secret personal identification number.
Say you are on vacation and Debix conveys a permission request for a new account. Since you didn't request a new account, you press star and you are instantly put in touch with a Debix investigator, who then contacts the party requesting the credit check. The advantage here, says Holland, is that the ID fraud case is still hot. In some cases, Debix has been able to identify a particular IP address and then turn that information over the local law enforcement. This saves local law enforcement time; they don't have to get a warrant for the bank's information--Debix has already provided the information.
Jerry Dixon, former director of the National Cyber Security Division of the U.S. Department of Homeland Security, told me that there are many reasons why ID fraud cases aren't investigated.
"An assistant U.S. attorney might ask 'What's the likelihood of this going overseas?' 'What is the likelihood of being able to nail down who this is without having to write 20 subpoenas first?'"
If the IP address goes out to Belarus, then Dixon says forget it; the U.S. no longer has a law enforcement attache in Belarus so it's hard to enlist sympathy from law enforcement in that country. But if a company like Debix can provide law enforcement with details from the financial institution and a party willing to press charges, your odds of getting someone arrested improve.
Sound too good to be true? In a study published by Julie Fergerson, vice president of Emerging Technologies, and Debix's Holland, the authors looked at 30,000 Debix-secured transactions during a two-month period at the end of 2007. Of those, 380 were identified as fraud and were stopped immediately. Overall, the rate of new account fraud among Debix customers was zero percent.
ITRC's Foley said he was impressed with the results within the survey. Holland told me that during the survey period there were four instances of new account fraud. In each case, however, the financial institution did not call the customer. With Debix, though, you have some recourse. Debix maintains a record and can prove the institution in question did not attempt to call the customer.
Since learning about Debix in June, I've been trying to knock the protection, but so far cannot. Holland, it turns out, is no stranger to the computer security community; since 2004 he's been showing his wares and soliciting opinions at Defcon in Las Vegas. He invited Phil Zimmerman, creator of Pretty Good Privacy (PGP) to fault it, and he could not. Holland has invited other computer hackers to pick apart his logic. Even Foley and Dixon are full of praise for Debix.
And it gets better.
As of Monday, Debix is lowering its prices "way down" says Holland. One adult can sign up for $24 a year; families with up to three adults and four children can sign up for $72; and families with up to five adults and four children can sign up for $144 a year. That's much less than similar plans being offered by Experian, Trans Union, Equifax, TrustedID, and LifeLock. And Debix has been protecting people since 2004, so it's not some untested entity.
If you can name a more secure ID protection service for less cost, I'd like to hear from you.
Recent e-mails stating that the U.S. has already attacked Iran and, in some cases, also offering links to a video purportedly from a soldier, are not to be believed, according to Websense. The security vendor said in an advisory Wednesday that it has linked the provocative e-mails to the Storm worm.
Storm got its name because it first took advantage of a huge winter storm in Northern Europe in early 2007. Since then, it has used a variety of social engineering tricks, including the use of political themes, to get unsuspecting users to open its malicious payload.
This time Storm is offering form.exe and iran_occupation.exe as executable payloads.
Acording to Dancho Danchev over at ZDNet, the latest iteration of Storm appears to be using the following domains:
- statenewsworld . com
- morenewsonline . com
- dailydotnews . com
- dotdailynews . com
- newsworldnow . com
A link from one of the Storm worm e-mails leads to this page.
(Credit: Websense)
