<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: lloyds]]></title>
    <link>http://securityratty.com/tag/lloyds</link>
    <description></description>
    <pubDate>Fri, 04 Jan 2008 21:47:26 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Price Discrimination in the Market for Stolen Credit Cards]]></title>
      <link>http://securityratty.com/article/cdb8d46e8dd9bdb9c839091a75b5f749</link>
      <guid>http://securityratty.com/article/cdb8d46e8dd9bdb9c839091a75b5f749</guid>
      <description><![CDATA[What would be the price of a stolen credit card with an already verified balance, and based on what factors would the sellers come up with the price range? Depends on who you're buying the goods from....]]></description>
      <content:encoded><![CDATA[<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_wICHhTiQmrA/SETi0ojgL_I/AAAAAAAABw4/fcvOye2Mi78/s1600-h/credit_cards_price_discrimination.JPG"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_wICHhTiQmrA/SETi0ojgL_I/AAAAAAAABw4/fcvOye2Mi78/s200/credit_cards_price_discrimination.JPG" alt="" id="BLOGGER_PHOTO_ID_5207536463014539250" border="0" /></a>What would be the price of a stolen credit card with an already verified balance, and based on what factors would the sellers come up with the price range? Depends on who you're buying the goods from. Continuing the discussion on the <a href="http://ddanchev.blogspot.com/2007/03/underground-economys-supply-of-goods.html">Underground Economy's Supply of Goods</a>, the service I'll comment on in this post is one of countless others offering stolen credit card numbers; however, in this one we have <a href="http://en.wikipedia.org/wiki/Price_discrimination">a great example of price discrimination</a> compared to the majority of other propositions, which are made on a volume basis - the more you buy, the cheaper it gets.<br /><br />Let's go through this proposition, which differentiates itself on the basis of the balance available, on a per-bank basis:<br /><br /><span style="font-style: italic;">- Bank Of America/Between 2k - 50k/400$</span><br /><span style="font-style: italic;">- WellsFargo/Between 4k - 40k/300$</span><br /><span style="font-style: italic;">- Chase Bank/Between 2k - 30k/250$</span><br /><span style="font-style: italic;">- Citibank/Between 9k - 70k/300$</span><br /><span style="font-style: italic;">- Wachovia/Between 2k - 18k/275$</span><br /><span style="font-style: italic;">- Barclays/Any Balance/400$</span><br /><span style="font-style: italic;">- HSBC/Between 30k - 312k/400$ up to 100k=600$</span><br /><span style="font-style: italic;">- Halifax/Between 20k 180k/450$</span><br /><span style="font-style: italic;">- Nationwide/Between 15k - 230k/450$</span><br /><span style="font-style: italic;">- Lloyds TSB/Between 10k - 400k/600$</span><br /><br />
How they come up with these prices remains subject to speculation. What's important to point out is that, by applying price discrimination to a good that in reality is a commodity good, they're cashing in on the high profit margins: when investing the time and effort into stealing these credit card numbers through banker-malware-infected PCs, they weren't even aware of what their ROI would be, so any price set would be a profitable price, outpacing the investments they've made into obtaining the accounting data.<br /><br />We can also theoretically have the same seller making propositions on a volume basis, operating another site, this time targeting a different market segment, where the site itself would also have been advertised to reach that very segment. What he's enjoying is the overall lack of market transparency and the fact that it's not a daily practice for someone to come across sites selling stolen credit card details, which is where the first proposition would take place. The second, the one on a volume basis, would be targeting the experienced identity thieves who would never even consider spending so much money on a good that they come across, and who have a good understanding of the market and thus know where to find bargain deals for it.<br /><br />Who's supplying the bargain deals anyway, and how are the bargain deals affecting the behavior of the experienced sellers in the market? New market entrants that suddenly managed to get hold of huge amounts of stolen credit cards consciously or subconsciously introduce <a href="http://en.wikipedia.org/wiki/Penetration_pricing">penetration pricing</a> in the market. 
Basically, they are aware of several services and the prices they charge for the goods offered, so on the basis of these prices they start purposely undercutting them in order to achieve the necessary growth during the introduction period.<br /><br />With the ever decreasing cost required to conduct cybercrime, any investment made would automatically result in a positive return on investment. Moreover, for the time being, there's no way we can even consider talking about the average price for a stolen credit card number, as everyone is playing by their own rules, with only a few exceptions using basic market principles. So if you ever come across an article or a report stating that the price of a certain good is the specific amount of money pointed out, don't take the number for granted, as this is just one of the many such services and propositions the researchers came across, not the average.<br /><br />Ironically, just like you have publicly available backdoored versions of Mpack and Icepack aiming to trick the average script kiddies into providing those who backdoored the kits with the opportunity to hijack their successful campaigns (that's of course next to the backdoored phishing pages released in the very same fashion), we also have scammers trying to scam other scammers by pitching the stolen credit cards and never "delivering the goods".]]></content:encoded>
      <pubDate>Tue, 03 Jun 2008 03:23:29 +0000</pubDate>
      <category domain="http://securityratty.com/tag/price">price</category>
      <category domain="http://securityratty.com/tag/price discrimination">price discrimination</category>
      <category domain="http://securityratty.com/tag/volume basis">volume basis</category>
      <category domain="http://securityratty.com/tag/basis">basis</category>
      <category domain="http://securityratty.com/tag/market">market</category>
      <category domain="http://securityratty.com/tag/average price">average price</category>
      <category domain="http://securityratty.com/tag/bank basis">bank basis</category>
      <category domain="http://securityratty.com/tag/volume basis propositions">volume basis propositions</category>
      <category domain="http://securityratty.com/tag/credit card">credit card</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/303643755/price-discrimination-in-market-for.html">Price Discrimination in the Market for Stolen Credit Cards</source>
    </item>
    <item>
      <title><![CDATA[Lloyds TSB warning may panic some customers]]></title>
      <link>http://securityratty.com/article/e1041e480e1b024db89c47a6e3f67acd</link>
      <guid>http://securityratty.com/article/e1041e480e1b024db89c47a6e3f67acd</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
1/4/08

Organization
Lloyds TSB

Contractor/Consultant/Branch
None

Victims
Bank customers

Number Affected
Unknown

Types of Data
personal information...]]></description>
      <content:encoded><![CDATA[
<img src="http://breachblog.com/images/95781-88451/ltsb.jpg" align="right" height="35" width="117">
<font size="2"><span style="font-weight: bold;">Date Reported: </span><br>1/4/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.lloydstsb.com/" target="_blank"> Lloyds TSB</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Bank customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>"personal information including credit card and your internet login details"<br><br><span style="font-weight: bold;">Breach Description:</span><br>Lloyds TSB's Fraud Response Team, acting on a tip from APACS and intelligence from law enforcement, sent letters to an unknown number of bank customers warning them that their computers may have been infected with a virus that is specifically meant to steal personal information, credit card data, and authentication information.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.computerweekly.com/Articles/2008/01/04/228737/lloyds-tsb-tells-customers-they-have-been-hacked.htm" target="_blank"> ComputerWeekly.com Story</a> <br><a href="http://www.bobsguide.com/guide/news/2008/Jan/4/Lloyds_TSB_'panics'_customers_over_bank_fraud.html" target="_blank"> BobsGuideStory</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Karl Flinders, ComputerWeekly.com<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>The bank's Fraud Response Team sent letters to some customers in December after it received a tip-off from payments association APACs, acting on intelligence from a law enforcement agency.<br><br>"Lloyds TSB has been recently advised that your computer may have been infected with a virus. 
This virus is specifically designed to steal personal information including credit card and your internet login details," warned the letter.<br><br>"This virus can be difficult to detect and you may have downloaded this unknowingly. It can compromise your use of the internet banking service on your PC including your Lloyds TSB passwords and memorable information."<br><br>Lloyds said a small number of customers received the letter but would not give details of the exact number, the type of Trojan or how it discovered the information.<br><span style="font-style: italic;">[Evan] Lloyds TSB sends the letter, then won't provide any useful information.&nbsp; If Lloyds TSB had evidence about some "difficult to detect" virus on my computer that was stealing my information, I would certainly like to know what it was!</span><br><br>Lloyds TSB said, "We received intelligence from a law enforcement agency via Apacs that a very small number of UK consumers might have been exposed to a Trojan horse programme and that some of these were Lloyds TSB customers."<br><br>"We always monitor customer accounts to guard against any potentially fraudulent transactions and in this case have also advised customers who did not have an anti-virus software package on their machine to consider purchasing one to ensure maximum protection for their PC in the future."<br><br><span style="font-weight: bold;">Victim Response:</span><br><br>The letter left one IT director, who banks with Lloyds TSB, angry. He contacted the anti-fraud team but did not receive answers to his questions. He was told that his personal details had been available on a website, which the bank had now closed down, and was offered a security service but was not given details of the Trojan on his PC.<br><br>"You cannot go to a customer and spread panic. You go to them with consolidated information and do not just throw unqualified data at them," he said. "They said my details have been published on the internet. 
I asked what details and where and they could not answer."<br><span style="font-style: italic;">[Evan] I can empathize with this person's concern and agree with his point.&nbsp; I am glad to see someone (a customer) step up and demand answers.&nbsp; We all should.</span><br style="font-style: italic;"><br>"I have asked to be informed about what this personal information was, and so far Lloyds TSB has been far from helpful and have never responded to my calls,"<br><br><span style="font-weight: bold;">Commentary:</span><br>This reminds me of some tips I learned from seasoned information security professionals years ago.&nbsp; One tip was not to raise a "red flag" unless you had something substantial to back it up.&nbsp; Other tips were to educate users with facts and earn trust.&nbsp; I am sure that Lloyds TSB's intentions are noble, but the follow-up is questionable at best.&nbsp; People have a tendency to panic about these things unless they are given facts and assured of an outcome.<br><br>This also reminds me of my days working for a major U.S. bank years ago.&nbsp; I worked on the Threat &amp; Vulnerability team, which I would assume isn't too much different from Lloyds TSB's Fraud Response Team.&nbsp; We detected and responded to thousands of suspicious activity reports, intrusion detection alerts, phishing reports, etc.&nbsp; We never reached out to a customer without facts and we were always prepared to answer questions with facts.&nbsp; Initiating "takedowns" on malicious web sites (primarily phishing) was a daily occurrence.<br><br>I sincerely hope that Lloyds TSB will provide their customers with additional details and handle future incident responses with more thought.&nbsp; To give Lloyds TSB the benefit of doubt, maybe they are unable to disclose additional details because of law enforcement action.&nbsp; Still, customers are frustrated and some are scared. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Fri, 04 Jan 2008 21:47:26 +0000</pubDate>
      <category domain="http://securityratty.com/tag/lloyds">lloyds</category>
      <category domain="http://securityratty.com/tag/lloyds tsb customers">lloyds tsb customers</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/lloyds tsb">lloyds tsb</category>
      <category domain="http://securityratty.com/tag/lloyds tsb passwords">lloyds tsb passwords</category>
      <category domain="http://securityratty.com/tag/internet login details">internet login details</category>
      <category domain="http://securityratty.com/tag/internet">internet</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security professionals">information security professionals</category>
      <source url="http://breachblog.com/2008/01/05/ltsb.aspx">Lloyds TSB warning may panic some customers</source>
    </item>
  </channel>
</rss>
