<![CDATA[[SecurityRatty] tag: cvv2]]> http://securityratty.com/tag/cvv2 Tue, 21 Aug 2007 20:00:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Fake Windows XP Activation Trojan Wants Your CVV2 Code]]> http://securityratty.com/article/fac8ba92dd4114941015e75bba3149c4 http://securityratty.com/article/fac8ba92dd4114941015e75bba3149c4
In a self-contradicting social engineering attempt, a malware author is offering to sale a (updated version of Kardphisher) DIY fake Windows XP activation builder, which despite the fact that it claims "We will ask for your billing details, but your credit card will NOT be charged", is requesting and remotely uploading all the credit card details required for a successfully credit card theft.

Perhaps among the main reasons why such simplistic social engineering attempts never scaled in a "malicious economies of scale" approach, is because sophisticated crimeware kits capable of obtaining the very same data automatically, started leaking for everyone to start taking advantage of - including yesterday's cybercriminals using such DIY fake message builders.

Moreover, according to recently reseased survey results, end users cannot distinguish between fake popups and real ones, and on their way to continue doing what they were doing, click OK on that pesky warning message telling them that they're about to get infected with malware. Taking into consideration the fact that the popup windows the researchers used look like cheap creative compared to the average fake security software's layout high quality GUIs, it is perhaps worth restating your research questions with something in the lines of - What motivates end users to install an antivirus application going under the name of Super Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them that they're infected with 47 spyware cookies, or the fact that they ended up at the fake site while browsing their trusted web services?

The increase of rogue security software domains is happening due to the high payout affiliation based model, the standardized creative allowing the participants to come up with their own fake names if they want to, and due to the fact that the fake security threats scareware approach seems to be perfectly taking advantage of the overall suspicion on the effectiveness of their legitimate security software.
]]> Mon, 06 Oct 2008 15:01:01 +0000 credit card details credit card credit card theft details malware malware author social mega virus cleaner creative Fake Windows XP Activation Trojan Wants Your CVV2 Code <![CDATA[Catalina Conservancy Divers donors are warned]]> http://securityratty.com/article/31ae26c705d39decf66cfee8c2d3c7b2 http://securityratty.com/article/31ae26c705d39decf66cfee8c2d3c7b2 Security Breach

Date Reported:
3/14/08

Organization:
Catalina Conservancy Divers

Contractor/Consultant/Branch:
None

Victims:
Donors

Number Affected:
816

Types of Data:
Donor information including credit card numbers, expiration dates and possibly CVV2 codes.

Breach Description:
"Hammonds, 36, was able to obtain the names and credit card numbers of hundreds of victims when they made online donations to the Catalina Conservancy Divers site he was hired to develop in 2005, police said. He then used the information he obtained through the site, www.ccd.org, to make online purchases and pay for personal items."

Reference URL:
The Newport Beach Police Department News Release
The Daily Pilot
The Orange County Register

Report Credit:
Joseph Sema, The Daily Pilot

Response:
From the online sources cited above:

On February 13, 2008, Newport Beach Police Detectives arrested Trevor Hammonds for 484G PC – Illegal Use of a Credit Card.  Detectives had learned that Hammonds was renting an apartment in Newport Beach through fraudulent means.  He was paying his rent by providing valid credit card account numbers of unsuspecting victims as payment.  Since his arrest, Detectives have been attempting to discover where and how Hammonds obtained his victim’s personal credit information.

Detectives recently discovered that Hammonds had created a website for the “Catalina Conservancy Divers” Avalon Harbor Cleanup, www.catalinaconservancy.org in 2005.  Through 2005 and 2006, Hammonds was able to obtain unsuspecting victim’s names and credit card numbers when they made online donations to the Conservancy.

Since that time, he has been using victim’s names and valid credit card account information to make online purchases and pay for personal items.  Detectives have identified a total of 816 possible victim credit profiles in the possession of Hammonds.

In 2005, the Catalina Conservancy group did not have a website capable of receiving electronic donations, conservancy spokeswoman Leslie Baer said. Many of its loosely organized support groups, such as the Catalina Conservancy Divers that would clean up Avalon Harbor, set up their own websites to accept donations.

Hammonds is currently being housed at the Orange County Jail in lieu of $100,000 bail.  The Catalina Conservancy Divers is a victim of Hammonds scheme and is not involved in any manner.

If you registered to this site and/or made an online donation to the Catalina Conservancy Divers during 2005 or 2006, please check your credit profile and account records.

The Catalina Conservancy Divers no longer accepts online donations
[Evan] This is sad not only for the individual victims, but Catalina Conservancy also.  Online donations should be a viable option, but now it viewed so.

If you believe you have been the victim of a crime, please notify your bank immediately to close your account(s) and prevent any further crimes from occurring.

In addition, contact the Newport Beach Police Department in order to report your crime.  This can be done by contacting Investigator Bob Watts at (800) 550-NBPD or (949) 644-3799.

Commentary:
I am impressed with how the Newport Beach Police Department has handled this investigation, at least from what I read.  I very much like Sergeant Evan Sailor's remarks to the press and the decision to publish a public press release.

Employee fraud can be a very difficult crime to protect against and pose a very high risk to organizations.  As long as we have bad apples in the bushel, we will have a certain amount of fraud.  Not that we should throw up our hands and give up though!  This article "Eight Tips to Prevent Employee Theft and Fraud" is a pretty good read.

Past Breaches:
Unknown

]]> Mon, 17 Mar 2008 10:32:50 +0000 catalina conservancy conservancy catalina conservancy divers hammonds trevor hammonds victims names names victims online donations Catalina Conservancy Divers donors are warned <![CDATA[Employee fraud at Tenet Healthcare affects 37,000]]> http://securityratty.com/article/3354deb2261c2960edeefc322fb21ebf http://securityratty.com/article/3354deb2261c2960edeefc322fb21ebf Security Breach

Date Reported:
2/13/08

Organization:
Tenet Healthcare Corporation

Contractor/Consultant/Branch:
None

Victims:
Patients*

*Tenet Healthcare Corp. owns 54 hospitals in a dozen states, including Hilton Head Regional Medical Center and Coastal Carolina Medical Center.

Number Affected:
37,000

Types of Data:
Social Security numbers and other personal information.

Breach Description:
A former employee working in the Tenet Healthcare Corporation billing center in Frisco, Texas has been convicted of identity theft.  Terrence Brooks worked for the company for less than two years and stole names, Social Security numbers and other personal information belonging to at least 90 patients, but also had access to 37,000.

Reference URL:
The Beaufort Gazette online story
The Sun-Sentinel online story

Report Credit:
Daniel Brownstein, The Beaufort Gazette

Response:
From the online sources cited above:

A former employee of a locally connected national hospital chain who was convicted of identity theft had access to the personal information of about 37,000 patients, according to a company spokesman.

Terrance Brooks, 30, of Fort Worth, was arrested Nov. 25 when he tried to open a Costco credit card using a state ID with fraudulent information, police said.

The company mailed letters last week announcing the security breach to anyone who could have been affected, said spokesman Steven Campanini.

Tenet also informed victims how to set up free fraud alerts at the nation's three major credit bureaus.

"There's an annoyance factor and we apologize for that," Campanini said. "We recognize consumer privacy is very important and take it very seriously."
[Evan] I am not personally a victim, but I am pretty sure that this surpasses "an annoyance factor" for some people.

The ex-employee worked at a Frisco, Texas, billing center for less than two years, and is confirmed to have stolen the names, Social Security numbers and other personal information of about 90 patients, Campanini said. The company has paid to monitor the credit reports of those victims.

Terrence Brooks, 30, had access to 37,000 other accounts

He pleaded guilty last month to five counts of fraudulent use and possession of identification information and was sentenced to nine months in prison.
[Evan] Only nine months in prison.  In 2006, the average time it took victims to recover from identity theft was 607 hours.

He had passed a background check to get the Tenet job. Brooks was immediately fired when the company learned of his arrest.

"What's challenging in this situation is there was an employee intent on committing fraud," Campanini said. "No company can prevent that, but we can have practices in place to immediately address it when it does occur, and that's what we did."
[Evan] I agree that preventing employee fraud is challenging, but reducing risk is very impossible.  There are several things that companies can do to reduce the risk significantly (segregation of duties, job rotation, cross-training, etc.).  Access to Social Security numbers should require an additional level of clearance and this clearance should be closely scrutinized.  The normal "run of the mill" billing work does not require Social Security number access.

"I'm more concerned with what could happen than what has happened," Ashley Latzer a person that received one of the Tenet notification letters.
[Evan] More than an "annoyance"?

Tenet patients concerned about the security of their personal information may call a company hotline at 1-800-553-6101 between 8 a.m. and 6 p.m. weekdays.

Commentary:
I am concerned with how many people in companies have unnecessary access to confidential information.  One of the first steps in reduding risk of employee fraud is to limit access to confidential information to only when it is absolutely required.  The resolution of most customer service, help desk, and billing calls don't require Social Security numbers, credit card numbers (including CVV2), and other sensitive information. 

I don't know enough about how Tenet manages its data and billing center, but I am sure that creative information security solutions could reduce the risk of this happening again.

Past Breaches:
Unknown


]]> Mon, 18 Feb 2008 07:26:45 +0000 tenet require require social security security tenet healthcare corp employee fraud fraud letters tenet notification letters Employee fraud at Tenet Healthcare affects 37,000 <![CDATA[S&K Menswear two-phased attack]]> http://securityratty.com/article/a6b7e9d484c4c32babb1d3a40b8ff785 http://securityratty.com/article/a6b7e9d484c4c32babb1d3a40b8ff785 Security Breach

Date Reported:
12/10/07 (backdated from 1/3/08)

Organization:
S&K Famous Brands (S&K)

Contractor/Consultant/Branch:
None

Victims:
Online customers of www.skmenswear.com

Number Affected:
Unknown*

*25 reported New Hampshire residents

Types of Data:
Names, addresses, email addresses, credit card numbers, and expiration dates.

Breach Description:
According to the breach notification letter sent to the New Hampshire Attorney General, on or about October 24th, 2007 personal information belonging to S&K online customers was accessed without proper authorization.  S&K became aware of the unauthorized access after reports of fictitious spear phishing emails began circulating in which the attacker requested the CVV2 codes to match the credit card numbers.  It is unknown how many customers were duped by the second phase of the attack.

Reference URL:
New Hampshire Attorney General Breach Notification

Report Credit:
New Hampshire State Attorney General

Response:
From the official breach notification and letter to customers:

This letter is to inform you that S&K Menswear has discovered that you personal information--including your name, address, credit card number, and expiration date--may have been accessed on or about October 24, 2007 without proper authorization.

stored in one of our databases has been retrieved by external sources

S&K was notified of a suspicious e-mail addressed to its customers on Wednesday, October 24th at approximately 3:00 p.m.  The e-mail was sent from a fictitious S&K e-mail address.  The body of the e-mail appeared to contain an S&K order number and the last four digits of the credit card number used by the customer to whom it was addressed.  The e-mail requested that the customer provide a credit card identification number.
[Evan] The "suspicious e-mail" is the second phase of the attack.  The credit card number, cardholder name, and expiration date were already obtained in the first phase.  This spear phishing attack now aims to get the CVV2 code, which makes this much more valuable to the attacker.  I am curious about how many people actually fell for this second phase.



Once notified, S&K immediately assembled a response team to assess the situation.

a decision was made at 3:30 p.m. the same day to disconnect the online store and disable remote access to S&K's network.  Further to these actions, S&K:
  • Notified credit card issuers
  • Purged or masked credit card data on its servers
  • Changed all user names and passwords on the system
  • Hired a leading provider of information security to conduct a full forensic security audit as required by the major credit card issuers
  • Notified various law enforcement agencies including the FBI and Secret Service
[Evan] These all seem like prudent steps in response to an incident.  Timing is critical and the response took ~30 minutes, which is good.  The response to customers however was not quite as good.  Judging from the date on the sample customer letter, it took 47 days to send notification to customers.

S&K's investigation of this incident is ongoing.

We want to stress, however, that no social security number, CVV2 data or track 2 magnetic stripe data was compromised at all.
[Evan] This isn't true, unless S&K can say with certainty that NONE of the customers fell victim to the second phase of this attack.

We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your information remains a top priority.  We have made and will continue to make significant investments in security software, systems and procedures, and will remain vigilant about protecting you.

We want to answer any questions and address any concerns that you may have about this matter.  For more information, including a list of Frequently Asked Question (FAQs), please go to www.skmenswear.com\security\faq.htm or contact us at 1 (800) 690-4996
[Evan] I think the "\" in the URL is supposed to be "/".  The first FAQ in the list of FAQs bugged me a little; "Q: Is this a major breach?  A: No, our credit card security manager classifies this as minor."

Commentary:
At the top of the customer letter it states:
You do not need to make any changes to your S&K menswear accounts or to change the way you do business with us.

I am going to guess that S&K would be classified as a VISA Level 3 Merchant.  Is it safe to assume that S&K is PCI DSS compliant?  It sounds like they don't store prohibited data (CVV2, Full Magnetic Stripe, or PIN / PIN Block), but only 55% of Level 3 Merchants are PCI DSS validated as of 9/30/07.  It should be easier for customers to find the status of an organization's compliance and information security practices rather than having to guess.  Although now that I think about it, compliance doesn't really ensure security does it?

Anyway, I get the feeling that S&K would have liked to keep this breach quiet and minimize it as much as possible.

Past Breaches:
Unknown



]]> Thu, 03 Jan 2008 07:40:36 +0000 information personal information information security practices notification information security breach notification letter sample customer letter credit card credit card data S&K Menswear two-phased attack <![CDATA[PCI Data Collection: Your CVV isn't special]]> http://securityratty.com/article/8e6e734e5a964bd87a9a8b80d9f6124a http://securityratty.com/article/8e6e734e5a964bd87a9a8b80d9f6124a PCI is very clear about forbidding the storage of PIN and CVV2 information and most merchants understand that this will cause serious problems in their audit results if they continue to collect this information... ]]> Tue, 21 Aug 2007 20:00:00 +0000 collect cvv2 information cvv2 information information collect store card data competitive business edge encrypt data audit results customer experience PCI Data Collection: Your CVV isn't special