Avoid becoming a victim of credit card fraud
The Securities Industry and Financial Markets Association is one of the industry's main lobbying groups. Industry lobbyists carve out loopholes. When there is inadequate oversight and insufficient transparency on Wall Street, we can't prevent another financial crisis like the one. Laws do not help when lax enforcement of existing financial regulations doesn't hold Wall Street accountable. Without a uniform set of rules about bank capital requirements or securities trading, many of the riskiest practices will simply move offshore, since there are no global financial regulations.
Dan Larkin, an FBI agent who heads the National Cyber-Forensics & Training Alliance in Pittsburgh, says credit bureaus are not required to notify consumers. "The credit bureaus work on behalf of banks and companies that grant credit," said Ari Schwartz of the Center for Democracy and Technology, a consumer advocacy group in Washington. "They're not set up to be consumer-oriented businesses." And the credit bureaus say they are not in the habit of reaching out to consumers whose private information may have been compromised. "Normally we would not put a fraud alert on a file without a consumer being involved" or initiating it, said Maxine Sweet, a vice president with Experian, one of the three major credit-reporting bureaus. "That's just not something we generally do."
Cyber-Criminals and Their Tools [1] and Photocopiers with disk drives may hang onto sensitive data from documents [2]
Get Real-Time Insight Into Your Risk of Identity Theft
My ID Score is a quick, easy, and free way to assess the risk that
your identity is being misused. It can be an essential fraud
detection and early-warning tool for consumers who are concerned
about identity theft.
U.S. Authorities can't touch credit card fraud from overseas.
Companies May be selling your Credit Card Numbers
HTTPS connections vs. phishing, money mules and trojans
HTTPS connections are encrypted, which more or less protects the information from man-in-the-middle attacks and from other users on the same network.
IE attacks against online banking users
The Firefox add-on Firesheep was definitely not the first program
to show how easy it is to record data from other users of the
network, but it brought the issue to a wider audience.
Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System
Man in the Middle Spoofing and phishing attacks
How to Minimize Credit and Debit Online
Credit cards come with a legally mandated protection that limits
you to a certain maximum loss in the event of fraud. At this time,
it's $50. A debit card is more like direct access to your bank
account and there is no protection against fraud. Some debit cards
have “overdraft protection” which means that if your account
balance goes below $0, the bank will loan you money. So if you
have $5,000 in overdraft protection and $5,000 in your account,
someone can spend $10,000 of your money and your bank will expect
you to pay them the $5,000. One easy way to minimize the exposure
of your card is to use a service like PayPal, where you're
authorizing each transaction manually.
Pre-Packaged Time Cards
Buy pre-loaded cards at large retail stores. You can get online
time for multiplayer games, iTunes store credit, Amazon gift
cards, etc. Parents: you can also purchase gift cards for many
online stores and services; this limits your risk if you want to
give someone a spending spree at an online store but don't want to
give them your own account and password.
Bank Accounts
To more or less completely protect yourself from online fraud, you
can set up one of these accounts at a local bank, then use the
account as the backing account for PayPal. That way, you can
exactly control how much of your money is exposed to the internet
at any given time - simply deposit checks into that account at an
ATM, then spend the money online. If the bank offers you “overdraft
protection” you should decline it. You may also get a debit card
with the account and, as long as there is no overdraft protection
on the account, you can use the debit card online as well - your
total possible loss is whatever amount of money you keep in that
account.
If you have a main bank account where you keep the rest of
your money, you should not use that account for online bill
paying or banking.
EMAIL Fraud
You can do orders via email if you only accept encrypted email
and provide a company public key for this. You use PGP to create
a public and private key, then you just make your public key
available on your web server. Most mail packages today know how
to decrypt mail with a private key.
Call your own credit card company and get a unique number to use
for your online purchase.
It's only good for that one time. This technique may avoid all
kinds of problems.
University Databases hacked all over the US
A [name the university] database containing about 270,000 records
of past applicants including their names and Social Security
numbers was hacked last month, officials said on Tuesday. To find
out the latest news on this topic join the
NetHappenings Mailing List.
From: Ed Gerck nma.com 7/05
"CardSystems Exposes 40 Million Identities"
as a harbinger? Now that we know more about the facts in this
recent case, expect more to come. Yes, public opinion and credit
card companies can and will force companies that process credit
card data to increase their security. However, how about the
"acceptable risk" concept that underlies the very security
procedures of credit card companies themselves and pervades their
relationships with their parties? Do As I Say, Not As I Do?
The dirty little secret of the credit card industry is that they
are very happy with 10% of credit card fraud, over the Internet or
not. In fact, if they would reduce fraud to _zero_ today, their
revenue would decrease as well as their profits. So, there is
really no incentive to reduce fraud. On the contrary, keeping the
status quo is just fine. This is so because of insurance -- up to
a certain level, which is well within the operational boundaries
of course, a fraudulent transaction does not go unpaid through
VISA, American Express or Mastercard servers. The transaction is
fully paid, with its insurance cost paid by the merchant and,
ultimately, by the customer.
"Acceptable risk" has been for a long time a euphemism for that
business model that shifts the burden of fraud to the customer.
Thus, the credit card industry has successfully turned fraud into
a sale. This is the same attitude reported to me by a car
manufacturer representative when I was talking to him about simple
techniques to reduce car theft -- to which he said: "A car stolen
is a car sold." In fact, a car stolen will need replacement that
will be provided by insurance or by the customer working again to
buy another car. While the stolen car continues to generate
revenue for the manufacturer in service and parts.
Whenever we see continued fraud, we should be certain: the
defrauded is profiting from it. Because no company will accept a
continued loss without doing anything to reduce it. Arguments such
as "we don't want to reduce the fraud level because it would cost
more to reduce the fraud than the fraud costs" are just a
marketing way to say that a fraud has become a sale. Because fraud
is a hemorrhage that adds up, while efforts to fix it -- if done
correctly -- are mostly an up front cost that is incurred only
once. So, to accept fraud debits is to accept that there is also a
credit that continuously compensates the debit. Which credit
ultimately flows from the customer -- just like in car theft.
What is to blame? Not only the twisted ethics behind this attitude
but also that traditional security school of thought which focuses
on risk, surveillance and insurance as the solution to security
problems. There is no consideration of what trust really would
mean in terms of bits and machines[*], no consideration that the
insurance model of security cannot scale in Internet volumes and
cannot even be ethically justifiable.
"A fraud is a sale" is the only outcome possible from using such
security school of thought. Also sometimes referred to as
"acceptable risk" -- acceptable indeed, because it is paid for.
[*] Unless the concept of trust in communication systems is
defined in terms of bits and machines, while also making sense for
humans, it really cannot be applied to e-commerce. And there are
some who use trust as a synonym for authorization. This may work
in a network, where a trusted user is a user authorized by
management to use some resources. But it does not work across
trust boundaries, or in the Internet, with no common reporting
point possible.
Identity Theft Turning Point?
7/05
Posted by Dana Blankenhorn
The recent theft of 40 million card numbers at CardSystems
Solutions is a turning point in the identity theft wars.
BACK IT UP
Iron Mountain Loses More Tapes July 8, 2005
http://www.informationweek.com/story/showArticle.jhtml?articleID=165701015
City National Bank has become the second company in two months to
experience a loss of backup tapes in transit by Iron Mountain Inc.
The Los Angeles-based bank disclosed Thursday that two tapes
containing sensitive data, including Social Security numbers,
account numbers, and other customer information, were lost during
transport to a secure storage facility.
The bank said the data was formatted to make the tapes difficult
to read without highly specialized skills, but declines to say if
they were encrypted. It said there's no evidence that data on the
tapes has been compromised or misused.
Iron Mountain said it lost the tapes in April. The tapes were in a
small container of backup tapes belonging to a Texas-based
Internet services provider that hosts applications for City
National and other banks. The incident has been investigated by
federal law-enforcement officials and no evidence has been found
of identity-theft relating to the loss.
Security war is being lost, says Schneier
http://www.techworld.com/security/news/index.cfm?newsID=6914
By Sumner Lemon 20 September 2006
- Companies are losing the battle to secure their IT systems from attacks by hackers and other threats, influential security expert Bruce Schneier, founder and chief technology officer of Counterpane Internet Security, has warned.
- Where hacking was once considered a profession for hobbyists, a growing number of hackers are now criminals with a profit motive.
- Externalities, an economic term used to describe the effects of one person's actions on another, are central to building effective security. For example, U.S. banks do not spend heavily to defend against identity theft because they are not affected when such theft occurs. To the banks, this is an externality. However, when banks bear liability for a security breach, such as an unauthorised ATM withdrawal, they make the investments necessary to prevent these incidents from taking place, he said. The same economic lessons can be applied to software vendors. To improve the security of software, Microsoft and others should be made liable for selling software that is not secure. "When you use buggy software and you lose data, that's your loss and not the software company's loss," Schneier said. That needs to change, according to Schneier. "The organisation that has the capability to mitigate the risk needs to be responsible for the risk," he said.