
  • Posts Tagged: RSA


    7
    May 10

    Fun with ATM Skimmers, Part III

    ATM skimmers, or devices that thieves secretly attach to cash machines in order to capture and ultimately clone ATM cards, have captured the imagination of many readers. Past posts on this blog about ATM skimmers have focused on their prevalence and stealth in attacking cash machines in the United States, but these devices are a major problem in Europe as well.

    According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent from 2007 to 2008, and most of that increase has been linked to a dramatic increase in ATM skimming attacks. During 2008, a total of 10,302 skimming incidents were reported in Europe. Below is a short video authorities in Germany released recently showing two men caught on camera there installing a skimmer and a pinhole camera panel above to record PINs.

    EAST estimates that European ATM fraud losses in 2008 were nearly 500 million Euros, although roughly 80 percent of those losses resulted from fraud committed outside Europe by criminals using stolen card details. EAST believes this is because some 90 percent of European ATMs now are compliant with the so-called “chip and pin” or EMV (an initialism for Europay, Mastercard and VISA) standard.

    ATM cards store account data on magnetic strips on the backs of the cards, and thieves have focused their attention on lifting the data from customer cards, either through handheld skimmers or via magnetic strip readers on ATM skimmers. The data can then be re-encoded onto blank ATM cards and used at ATMs along with the victim’s PIN to withdraw cash. The EMV approach uses a secret algorithm embedded in the chip planted into each ATM card. The chip encodes the card data, making it harder (but certainly not impossible) for fraudsters to read information from them or clone them. RSA’s Idan Aharoni wrote an informative post about this technology earlier this year.

    Needless to say, U.S.-based financial institutions do not require chip-and-PIN, and that may be a contributor to the high fraud rates in the United States. The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day.

    While many of the images below are not new, they showcase some of the actual ATM skimmers deployed against European cash machines.


    17
    Mar 10

    Researchers Map Multi-Network Cybercrime Infrastructure

    Last week, security experts launched a sneak attack to disconnect Troyak, an Internet service provider in Eastern Europe that served as a global gateway to a nest of cyber crime activity. For the past seven days, unnamed members of the security community reportedly have been playing Whac-a-Mole with Troyak, which has bounced from one legitimate ISP to the next in a bid to reconnect to the wider Internet.

    But experts say Troyak’s apparent hopscotching is expected behavior from what is in fact a carefully architected, round-robin network of backup and redundant carriers, all designed to keep a massive organized criminal operation online should a disaster like the Troyak disconnection strike.

    Security firm RSA believes Troyak is but one of five upstream providers that encircle a nest of eight so-called “bulletproof networks” – Web hosting providers considered impervious to takedown by local law enforcement (pictured in red in the graphic below). RSA said this group of eight hosts some of the Internet’s largest concentrations of malicious software, including password stealing banking Trojans like ZeuS and Gozi, as well as huge repositories of personal and financial data stolen by these Trojans and a notorious Russian phishing operation known as RockPhish.



    9
    Mar 10

    Cyber Crooks Leave Traditional Bank Robbers in the Dust

    Organized cyber criminals stole more than $25 million from small to mid-sized businesses in brazen e-banking heists in the 3rd quarter of 2009 alone, federal regulators said last week. In contrast, traditional stick-up artists hauled less than $9.5 million out of U.S. banks over that same time period last year.

    Speaking at the RSA Security Conference in San Francisco last week, David Nelson, an examination specialist with the Federal Deposit Insurance Corporation (FDIC), said online banking attacks against small businesses of the sort I have chronicled countless times over the past year netted thieves $25 million between July and September of 2009.

    I wondered how that stacked up against real-life bank robbers here in the U.S., so I had a look at the FBI’s published bank crime statistics for that same time period last year. Turns out, traditional bank robbers committed a total of 1,184 bank robberies during those three months, netting slightly more than $9.4 million (including $3,071 in travelers checks).

    In fact, real-life bank robbers stole a total of just over $30 million in the first three quarters of 2009, just $5 million more than cyber crooks did in the third quarter of last year alone.

    Small wonder that the haul from cyber bank robberies has overtaken that of physical heists: Cyber thieves take far fewer risks to life, liberty and limb than do real-life bank robbers. In that same three month period last year, the FBI says bank robberies at bricks-and-mortar institutions caused five deaths — all of them perpetrators of the crime.

    What’s more, the perpetrators of these incessant attacks against small businesses banking online for the most part reside in countries that are traditionally beyond the reach and influence of U.S. law enforcement. Sure, bank robbers occasionally kill people (more often themselves) while they’re stealing your money, instead of silently lifting it out of your bank account from afar like cyber thieves. That alone makes them a more emotional high-value target for the feds. But let’s face it: Traditional stick-up artists are a lot easier to collar. For one thing, by necessity they are all here in the United States.

    In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.



    4
    Mar 10

    Krebsonsecurity Author Twice Honored

    There is perhaps no greater compliment than to have your most esteemed peers recommend your work. I am now blogging from the RSA Conference in San Francisco, and over the past two days krebsonsecurity.com has received two peer recognition awards, one from the SANS Institute – among the nation’s top security research and training groups – and another from the Security Bloggers Network, an organization that has sought to recognize blogs that provide valuable content on computer security issues.

    The SANS Institute polled 75 cybersecurity journalists and asked them to rank the top peers in their field. True to form, I showed up late to the awards ceremony on Tuesday, and Alan Paller, director of research for SANS, called me up on stage and said I’d received twice as many votes as the next guy in the contest, Robert McMillan, a reporter whose work is almost certainly the most widely syndicated and quoted of virtually anyone in this industry. Likewise, I am proud to have shared this honor with reporters whose work I recommend and admire, including USA Today’s Byron Acohido, Wired.com’s Kim Zetter, as well as Dan Goodin from The Register.

    In related news, the delegates who were party to the Security Bloggers Awards at RSA this year picked krebsonsecurity.com as the top “non-technical security blog.” Somehow, I managed to show up late for this as well. Again, it was wonderful to have been nominated alongside security bloggers such as Taosecurity’s Richard Bejtlich, and security curmudgeon-in-chief Bruce Schneier.