
News Blog

May 13, 2008 3:49 PM PDT

Hackers going after restaurants, supermarkets

by Elinor Mills

Updated 4:30 p.m. PST with news of the hacker attack on the state-owned Zimbabwe newspaper

Many people are worried about hackers stealing their data when they buy things or bank online, but it's turning out that even an innocent trip to a restaurant or supermarket can be risky.

Three men, from the Ukraine, Estonia, and Miami, were indicted on charges related to stealing credit card data by hacking into cash register terminals at nearly a dozen restaurants in the Dave & Buster's chain around the country, according to the Department of Justice.

The men gained unauthorized access to the cash register terminals and installed packet sniffer software that captured credit and debit card data as it moved from the terminal to the company's corporate headquarters and the data processor's computer system. The hackers then sold the stolen data to others who used it to make purchases and resold it, officials said.

One location alone captured data for about 5,000 cards, leading to losses of at least $600,000 to financial institutions, the DOJ said.

Earlier this month, California police said a credit and debit card reader in a checkout aisle at a Lunardi's supermarket in Los Gatos, Calif., was switched and more than 100 customers had their data stolen as a result.

The victims were losing an average of $1,000 from their bank accounts, an MSNBC report said.

In other hacker-related news, attackers shut down the Web site of Zimbabwe's state-owned Herald newspaper for three days, Reuters reported.

Visitors to the site were redirected to the site of a state-owned Sunday newspaper, and headlines were replaced by the word "Gukurahundi," which refers to a campaign of atrocities Zimbabwe's government has been accused of committing after independence, the report said.

May 8, 2008 5:52 PM PDT

What is your stolen data worth?

by Elinor Mills

You think your personal information is priceless. But everything has a price, even your stolen bank account information.

McAfee Avert Labs has discovered a price list that criminals use to buy and sell credit card numbers, bank account log-ins, and other consumer data that have been filched from unsuspecting Web surfers.

"Last Friday morning in France, my investigations lead me to visit a site proposing top-quality data for a higher price than usual," writes Francois Paget of McAfee. "But when we look at this data we understand that as everywhere, you have to pay for quality."

For example, a Washington Mutual Bank account in the U.S. with an available balance of $14,400 is priced at 600 euros ($924), while a Citibank UK account with an available balance of 10,044 pounds is priced at 850 euros ($1,310).

There's even a guarantee that if the buyer is unable to log into the account within 24 hours, maybe because the owner of the data canceled the account, the buyer can get a replacement stolen account to use.

Criminals can even buy skimmers, fake face-plates for ATM machines that steal credit card data when the card is swiped, and so-called "dump tracks" used to create fake credit cards, the McAfee blog entry says.

This follows on news earlier this week from Web security company Finjan of the discovery of a server containing stolen consumer and business data. Finjan said it found a server controlled by hackers that had more than 1.4 gigabytes of data--more than 5,000 log files--stolen from infected PCs. The stolen data included consumer and business e-mails, as well as health care patient data and bank customer data from individuals, financial institutions, law enforcement agencies, and other companies around the world.

Screenshot of price list for stolen credit card numbers and available balance amounts discovered on the Web by McAfee Avert Labs.

(Credit: McAfee Avert Labs)
November 1, 2007 9:01 PM PDT

IBM offers 'green' certificates to data center power misers

by Martin LaMonica

IBM is launching an initiative to give its corporate customers a way to measure and potentially monetize energy-efficiency measures in their data centers using an emerging form of currency.

The computing giant on Friday detailed a program that will let companies earn energy-efficiency certificates, which are awarded after a company undertakes a project to lower its data center power consumption. The initiative is part of IBM's Big Green Innovations program to invest in clean tech.

IBM is partnering with Neuwing Energy Ventures to verify the amount of kilowatt hours reduced through data center makeovers.

Companies can either claim those energy reductions as part of their own corporate environmental initiatives, which increasingly call for more quantifiable measures, or sell the energy-efficiency certificates on the voluntary renewable energy certificate market. A handful of states also have a mechanism to sell these certificates to utilities that have renewable energy mandates.

IBM designed the program because more companies are looking for ways to accurately measure their energy consumption as part of environmental programs, said Rich Lechner, vice president of IT optimization at IBM.

He said he expects most customers to hold on to the energy-efficiency certificates rather than sell them. The monetary value of a large-scale energy efficiency program could be worth hundreds of thousands of dollars if the company chooses to sell them as credits, he said.

The energy-efficiency credits are part of a growing trend to use financial markets to reduce greenhouse gas emissions.

Most corporations in the United States are not regulated on the basis of their greenhouse gas emissions. But that's expected to change within a few years.

There are a number of federal proposals designed to put a monetary value on emissions, such as carbon dioxide. Some regimes call for a tax on carbon emissions, while others are built around a cap and trade model where polluters have a maximum emissions target and are issued credits when emissions fall below that cap.

IBM will offer the energy-efficiency credits on its mainframes and midrange servers to clients in the U.S. this year. It intends to extend the offering to its entire server and storage line and offer it to customers in Europe next year, said Lechner.

October 10, 2007 4:18 PM PDT

Company that detects credit card fraud gets $11 million

by Michael Kanellos

Fraud Sciences, which has developed systems that cut down on credit card fraud, has received $11 million in a new round of funding, according to VentureBeat. The lead investor was Redpoint Ventures.

The company has devised what it calls the SpotLight transaction verification system, which essentially confirms that the customer trying to use a credit card number on a computer is the owner of the credit card. The system cuts down on fraudulent transactions, but also lets merchants accept transactions that seem to be a bit suspicious, but in fact are genuine (e.g., a husband on an international business trip uses a card in Asia, while his wife is making a transaction with the same joint account in San Francisco. It looks suspicious but it is legit. I know. This just happened, and it took a panicky phone call from me to get the card reactivated.)

The system relies on behavioral analytics and real-time fraud intelligence tools.

"If we approve a transaction that is ultimately found to be fraudulent, we will cover the full amount we approved. Period," the company's Web site says. The company lists a boatload of customers on its site. The guarantee goes to merchants who buy the services, but consumers benefit as well.

Although based in Palo Alto, Calif., the company comes out of Israel. The CTO held senior positions in the Israeli Defense Forces, which is sort of a finishing school for the security industry.

September 26, 2007 12:08 PM PDT

eBay Trust & Safety forum hacked

by Robert Vamosi

In an audacious feat, someone posing as approximately 1,200 different eBay users posted credit card information to eBay's Trust & Safety forum. For the time being, eBay has suspended access to the forum.

In a statement on the site, eBay insists that the credit card information posted does not match the accounts on record for those individuals. eBay further believes the postings were part of a hoax. That could explain the mismatch between the account information and the credit card information.

Earlier, a YouTube.com video showed the postings as they appeared on the forum. YouTube has since removed the video as a violation of its terms of use.

September 18, 2007 3:41 PM PDT

Pricing pollution a tricky business

by Elsa Wenzel

SEATTLE--Carbon offsets, energy efficiency credits, renewable energy certificates. The lexicon of the new, niche business world of brokering in greenhouse gases was spoken at the Discover Brilliant conference Monday. (It felt like being in Charlie Brown's classroom.)

Carbon markets have begun to boom over the past year, offering corporations options for offsetting their emissions by trading them with cleaner companies. Many proponents of carbon trading want laws to force businesses to clean up their act.

"As long as companies can dump carbon without paying, they will," said K.C. Golden, policy director of Climate Solutions, a nonprofit that advises businesses on renewable energy strategies.

Under Europe's mandatory carbon cap and trade system that took effect this year, companies are allowed to emit a certain amount of greenhouse gases. To make up for exceeding that level, businesses buy expensive credits from companies that release fewer carbons. Europe borrowed the idea from the U.S. Clean Air Act of 1990, which set up caps and trading for sulfur dioxide, which causes smog.

Carbon markets are set to take off here in 2009 once a cap-and-trade program comes into effect in 11 Northeastern states. California establishes its own system in 2011, and is setting up emissions trading with Oregon, Washington state and British Columbia.

Attempts to offset carbons spewed into the atmosphere are attractive for companies seeking to wash their hands of causing climate change. The trading might be lucrative where mandatory, especially for businesses that already emit few carbons.

"If you're a large emitter, emitting tens of millions of tons of carbon and each one of those tons is a $10 cost, there's a noticeable impact on your balance sheet--or it can be a noticeable plus if you can sell it," said Gordon Smith, EcoLands Director of the nonprofit Environmental Resources Trust.

In April, PepsiCo bought the largest chunk of renewable energy certificates yet--500,000 terawatt hours' worth--through the for-profit Sterling Planet, which also supplies green pricing programs to 43 utility companies.

Critics, however, contend that carbon trading is a distracting shell game that lets companies dump some carbon in one place while supposedly removing it elsewhere--kind of like throwing trash out your car window on the way to volunteer at a beach clean-up.

Determining the effectiveness of these new markets is sure to get harder as they grow. The very concept of carbon trading is an abstraction upon an abstraction, sort of the way a hedge fund is. It's hard to visualize carbon in the air, unlike other environmental hazards, such as banned aerosol from hairsprays that would hiss in your face, or cigarette smoke.

Even the seemingly more concrete efforts to reduce carbons are hard to measure. Environmental Resources Trust, which creates a registry of emissions rather than a market for trading them, specializes in forestry credits. The goal is to get more trees in the ground to suck up carbon dioxide. Trees look lovely and may be easier to count than abstract emissions certificates, but measuring their effectiveness is not.

July 6, 2007 10:52 AM PDT

Credit card thieves donate to charity

by Robert Vamosi

Years ago, the method used by criminals to see whether a stolen credit card was still active was to charge a penny to the account. If it was authorized, the criminal could then purchase more substantial goods using that card. Credit card companies and banks have both gotten wiser. Today, they look for penny purchases as well as random gas station purchases, for example, as early warning flags. Well, the criminals may have outsmarted everyone this time.

According to a Symantec enterprise security blog, criminals are now attempting to pay small amounts to various charities, including the Red Cross. The criminals can determine the value of the stolen card depending on the success or failure of the transaction. Active credit card accounts sell for higher values on the Internet black market.

Symantec believes that bank behavior monitors, the services that flag inappropriate use of your credit card, are less likely to pick up on such transactions. Given the random nature of charitable donations, banks would be unable to determine whether such activity is out of the norm.

This raises some ethical issues as well. The charities need the money. And you might not be too upset to learn that you have donated, given that you can claim it on your taxes. But unless you are monitoring your credit statements online, you might not otherwise know that your card has been stolen. You certainly don't want to get stuck paying for online electronics purchases earmarked for addresses in Eastern Europe.

May 18, 2007 1:48 PM PDT

Technology that 'fingerprints' valid credit cards, flags bogus ones

by Robert Vamosi

The way the particles land on a given credit card's magnetic stripe is as unique as individual snowflakes or human fingerprints--or so says Magtek, the company that developed MagnePrint, which records the unique magnetic media signature for all credit and debit cards scanned through its readers. The first scan by a MagnePrint reader creates a template against which all subsequent scans are compared.

MagnePrint is designed to prevent "skimming." Online carders buy credit-card information from a black-market database, then copy that information onto a blank physical card using a machine that costs about $250. The skimmed card is then used in an ATM or a retail environment, as though it were the original card, until the credit or debit limits are maxed.

Using MagnePrint, faux cards are identified quickly. Even if you were to rerecord the magnetic stripe information onto your credit card a second time (say you damaged your first card and seek a replacement), the magnetic particles on the second card would not match the original and would be flagged. The results are given in percentages, with around 80% considered to be enough of a match. The bank always has the ability to accept or deny the recommendations.

Originally posted at Crave
May 7, 2007 6:42 AM PDT

Real-world buying for the 'World of Warcraft' crowd

by Caroline McCarthy

The notion of "frequent gamer rewards" has been tossed around by trend specialists and pundits (like MAKE Magazine's Philip Torrone) for some time now as online gaming becomes more and more profitable and increasingly entrenched in mainstream culture. Now, it's a reality with the World of Warcraft Visa credit card.

You can apply for it now. With your first purchase on the card, according to the World of Warcraft site, you'll earn a free month of game time.

But you won't be able to buy yourself new weapons by using this card. The WoW Visa does not earn you virtual currency--rather, you accrue game time toward your subscription. It's unclear what the thinking was behind this decision, but it's true that there has been some controversy about bridging the gap between virtual and real-world currency, most notably the eBay ban on virtual goods earlier this year.

You can't brand the World of Warcraft credit card with your avatar (yet), but you can choose from 13 total designs. Whether or not you want to use this card when you pick up the tab on a first date, however, is up to you.

(Link via Boing Boing)
