Traditional Password Advice: Not to be totally discarded
There is a paper that argues that traditional advice on creating and maintaining secure passwords is somewhat dated. The hypothesis of the paper is that since phishing and key logging are so rampant, it is no longer necessary to maintain super secure passwords. A secure password is just as easily used by a bad guy as a weak password if the consumer gives away the password through phishing or it is observed through a key logger. Instead, it’s important to have a semi-secure password so that it is not vulnerable to password guessing.
The paper also talks about the need to have more secure userIDs, postulating that bad guys are moving towards horizontal password attacks (guessing the same password against large numbers of accounts). Strong userIDs are helpful in protecting accounts.
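To make the horizontal attack concrete from the defender’s side, here is an added example (not from the paper or this post) that labels each source in a constructed authentication log as "horizontal" (one password sprayed across many accounts), "vertical" (many attempts on one account) or "normal", and lists the accounts a spraying source actually got into. The log format, thresholds and sample values are all assumptions of the example.

```python
# Added example (not from the original post): flag "horizontal" password
# attacks in a constructed auth log. Assumed line format:
# "<ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>". Sample data is made up.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2009-04-01T10:00:01 203.0.113.7 alice@example.com FAIL
2009-04-01T10:00:02 203.0.113.7 bob@example.com FAIL
2009-04-01T10:00:03 203.0.113.7 carol@example.com FAIL
2009-04-01T10:00:04 203.0.113.7 dave@example.com FAIL
2009-04-01T10:00:05 203.0.113.7 erin@example.com SUCCESS
2009-04-01T10:00:06 203.0.113.7 frank@example.com FAIL
2009-04-01T10:05:00 198.51.100.9 alice@example.com FAIL
2009-04-01T10:05:01 198.51.100.9 alice@example.com FAIL
2009-04-01T10:05:02 198.51.100.9 alice@example.com FAIL
2009-04-01T10:05:03 198.51.100.9 alice@example.com FAIL
2009-04-01T10:05:04 198.51.100.9 alice@example.com FAIL
2009-04-01T12:00:00 192.0.2.55 bob@example.com FAIL
"""

def parse(text):
    """Return (timestamp, ip, user, result) tuples; usernames lower-cased."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user.lower(), result))
    return events

def classify_sources(events, window=timedelta(minutes=10),
                     spray_accounts=5, brute_attempts=5):
    """Label each source IP by its failure pattern in a sliding time window:
    'horizontal' = failures against >= spray_accounts distinct accounts,
    'vertical'   = >= brute_attempts failures against a single account,
    'normal'     = neither threshold reached."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    verdict = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        label, start = "normal", 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1          # drop failures older than the window
            users = [u for _, u in fails[start:end + 1]]
            if len(set(users)) >= spray_accounts:
                label = "horizontal"
                break
            if max(users.count(u) for u in set(users)) >= brute_attempts:
                label = "vertical"
        verdict[ip] = label
    return verdict

def accounts_hit_by_spray(events, verdict):
    """Successful logins from a spraying source: reset these accounts first."""
    return sorted({user for _, ip, user, result in events
                   if result == "SUCCESS" and verdict.get(ip) == "horizontal"})
```

Because a spray leaves only one or two failures per account, per-account lockout counters miss it; grouping by source and counting distinct usernames is what surfaces it.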
One other thing I want to mention is that it is still important to have different passwords for all of your online accounts. If the bad guy phishes the password for your bank account, you don’t want them to automatically have access to your social network account, etc. Even in the case of key logging, if you haven’t logged in to a particular account in a while and you don’t use the same password across all accounts, the bad guys won’t be able to try your standard password(s) on other accounts.
So, while some of the old password adages may not apply as much any more, some of them are still very appropriate. Please use different passwords on all of your online accounts!
Why phishers target low value accounts
PCWorld talks about a recent phishing scam on Twitter. The question in the article is:
In this instance, it appears the site primarily used compromised accounts to spread the phishing links further. What, if any, broader goal was behind the effort is not yet clear.
I’ve posted about this before, but it seems prudent to talk about it again. Phishers will try to get credentials for websites that use email addresses as usernames for one main reason: people often use the same password on all accounts.
If a user is less worried about giving away his Twitter password – since what type of value could that have? – then that’s the best thing the phisher can target. The user is less likely to be worried about giving away that password and therefore the conversion rate for the phisher is likely to be higher.
If I were a phisher, the other thing I’d think about is that the people who use Twitter are more likely to be tech savvy and, therefore, have lots of online accounts. Therefore, the passwords that I do steal would be more likely to be useful on other sites.
Seems like a good idea to be careful about random tweets!
Security Consistency: Should we standardize password requirements?
I saw a presentation earlier this week where a researcher was talking about consumer education with respect to security. The researcher said that one way to make security education more consistent would be for websites to all have consistent requirements around passwords. For example, all websites should require that passwords have at least 8 characters and include one capital letter, one digit, and one punctuation mark.
While I am all for having consistent messaging around security practices and even encouraging users to have secure passwords, I worry about the implications.
Imagine a world where every website had the exact same requirements for passwords. Even if the passwords were secure, the risk is allowing people to have the same password on every website. In this case, if the bad actors were able to phish the password for one of my accounts, and they had my email address, they would likely be able to access many of my accounts.
To make matters worse, once the bad actor has the password for one of my accounts, they will be able to log in to my email account, which will let them use the “forgot my password” function on almost any other account.
While I applaud researchers for thinking of ways to make security education more consistent, making password requirements consistent has more negative ramifications than benefits.
Anti-Phishing Education Messaging
The APWG has an amazing new initiative for educating consumers. When a phish site is shut down, ISPs are asked to redirect any clicks to the APWG’s redirect education page instead of showing a 404 error.
The power of this comes from leveraging the “teachable moment”: consumers are more likely to absorb a lesson if it is presented at the precise moment of the bad action (something my colleagues – Lorrie and PK – at CMU have studied in-depth).
This initiative is starting to get real traction. Several brands are already participating and I’ve been contacted by many more this week to get started. It’s a very exciting initiative to give consumers a consistent message from a group like the APWG at exactly the right time in the consumer’s online experience. American Banker has published an article about it (warning – you have to have a subscription to see the article – sorry).
In a similar vein, another colleague – Dave Piscitello – has a blog post on anti-phishing messaging on Gaia. It’s great to see anti-phishing messaging is getting to be more pervasive, especially given that the threats are very real.
Finally, for those of you attending the APWG conference next week, there is a cool video – it gives an overview of the topics to be covered in Barcelona.
“Equal Opportunity” Business Logic Exploits
There was a phishing attack against iStockPhoto a few weeks ago. A phishing attack against a new brand isn’t interesting in and of itself. What is interesting about this particular attack is that it wasn’t clear why the phishers were specifically targeting iStockPhoto.
Before we get into the various speculations and the actual reason, let’s talk a bit about what happened. The phishers used the same type of attack that they use on social network sites. They posted messages with links to the forums and through iStockPhoto’s internal messaging system. These messages had links in them that took you to fake iStockPhoto signin pages. iStockPhoto took the entire website down for several hours while they cleaned up the mess on their forums and in their internal email systems. Add that to the bad press they are getting, and their brand is probably suffering a bit right now.
This type of attack is perpetrated daily on the social network sites, but the results on iStockPhoto were a bit different.
There were several hypotheses about why the phishers would try to steal iStockPhoto passwords. Most of the theories I saw thought the phishers were using the credits in the iStockPhoto accounts to buy photos. Hmmm. Not sure why they would do that. To make their phishing emails look better? Phishing is all about marketing, but I’m not sure the phishers would go to those lengths when they can just copy a very well crafted email from a well known brand.
I had a different, and equally incorrect, hypothesis. My hypothesis was that the userID for an iStockPhoto account is an email address. Once you have someone’s email address and password to one account, there are lots of opportunities for badness. Since many online services use an email address as the userID and many people use the same password for all of their online accounts, you could do damage on a lot of websites with someone’s email address and password. And imagine tricking someone to give up their email address and password on iStockPhoto. It would probably be a lot easier than tricking them into giving up their password to their bank account. Their suspicion level would likely be fairly low when it comes to an iStockPhoto signin page. And then you could go try that email address/password combination all over the internet! But, alas, I was wrong.
I read a post today from one of the victims that said their credit card was charged for more than $1500 following the incident. Is it possible iStockPhoto showed a user’s credit card details in the clear if you went to that user’s account page? If they used to do so, they probably don’t show that information anymore.
If the phishers were going to the page that showed credit card information for users, this is a clear cut example of business logic abuse. There are lots of reasons to want to show the user which credit card they have on file (though you don’t need to show them the entire number). iStockPhoto needs that functionality as part of their business model. And yet, the phishers were able to exploit it for their evil ways.
I see two takeaways from this incident. First, the phishers are continuing to abuse legitimate business logic to perpetrate their crimes. Second, the phishers are truly becoming “equal opportunity” bad guys. No longer are they targeting only the well known brands when they can make their money off of the smaller, less popular brands. The small and medium sized brands out there better get ready – the internet bad guys are coming after you too!
Sometimes the good guys win!
Sometimes the good guys do win, as a 23-year-old foreigner is convicted in the US for phishing. An article in PC World gave some interesting details about the conviction and the tactics he used to commit online fraud – and this is just the tip of the iceberg of what is really going on out there. Here are some interesting points from the article:
- He was part of a larger phishing ring with six other Romanians, none of whom have been arrested
- They found 2,600 credit and debit card numbers linked to him, and that he had probably harvested more
- He was likely to have phished customers of People’s Bank, Wells Fargo, Suntrust, Amazon.com, PayPal and eBay, according to court documents
- He doesn’t appear to have written software himself, but assembled a large collection of online fraud tools, including a program called Web Data Extractor, which harvested e-mail addresses [common business logic abuse]
- He sent spam to victims using a program called Email Sender Express, which could send 30,000 spam messages per hour.
- He was able to take an average of US$960 per card number collected, prosecutors said
It’s a mixed blessing that the US convicts this 23-year-old with much fanfare, but it’s also frustrating that it’s 2009 and he’s the first foreigner who’s been convicted. As Laura Mather pointed out in her recent post, it’s very difficult to get a conviction, making it that much more compelling for overseas fraudsters to do this. We need to continue to pursue and prosecute, but in the meantime, we need every available solution to fight against online fraud.
Interesting agenda topics at APWG’s upcoming Counter eCrime Summit
The APWG is hosting its third Counter eCrime Summit in Barcelona in May. The agenda of this year’s summit is particularly interesting. Some programs that are particularly near and dear to my heart are going to be discussed, including APWG’s Phishing Education Landing Page Program, which has been surprisingly successful, and Rod Rasmussen from Internet Identity and Greg Aaron from Afilias giving their bi-annual update on the various types of nastiness being perpetrated on the internet.
In addition, there will be specific sessions on how e-crime impacts multiple nations including those in Europe and in Asia. Hearing about the nuances of e-crime and how they morph across the globe has always been intriguing for me and can be invaluable for those of us on the forefront of fighting this global crisis.
All in all, there are three days of discussion about the state of e-crime across the globe. This is sure to be an educational and fascinating event. If you’re able to attend, definitely make your reservations soon!
Also, if you are worried about cost, there was an article this past weekend in the San Jose paper about frugal travel in Barcelona. A bad economy can make for great travel bargains!
Part 6: Dot-Con follow up
I’ve been getting some great feedback about this series of blogs. Much thanks to everyone who has been reading them and passing along links to friends.
As part of this investigation I talked to someone at the FBI about ic3.gov and other things people can do when they fall victim to these types of scams. Here were his thoughts.
- Report the crime. This could be entering your information at ic3.gov, going to your local police, contacting the website where the fraud was initiated (if it was initiated through a particular website) or all of the above. If you don’t report the crime, then there is no chance law enforcement will catch the criminal. And if the perpetrator is caught, you definitely won’t get restitution (in the unlikely event there is restitution) unless you report it. Whatever you do – don’t try to take these criminals down yourself. By continuing to interact with these people you are only putting yourself more in harm’s way. Let the experts – law enforcement – do their jobs.
- Have appropriate expectations. Finding and prosecuting these criminals takes time. It could be years before you hear anything about this. I know victims want more immediate retribution, but unfortunately, that is extremely rare.
- [This may be the most important one.] If law enforcement follows up with you later about additional details or needs you to sign a form that you were victimized, PLEASE help them. There are too many cases where the perpetrator finally goes to trial and because it is years later, law enforcement isn’t able to get victim cooperation. Don’t let the hard work of the law enforcement agents go to waste!
As I mentioned earlier, I’m hoping to put together an initiative to get the word out about what people should do once they’ve been victimized online. I’m hoping to work with the APWG, the NCSA, and maybe getsafeonline.org to make this happen. Please let me know if you want to participate.
Hopefully this series has gotten you thinking about what it is like to be a victim. I think it is critical that we, as online crime fighters, maintain the perspective of the people for whom we are fighting.
Part 5: Dot-Con – Online fraud from the victim’s perspective
My previous posts described Paul and Scott, the scams they fell for, and the things they did to try to get help. In talking to Paul and Scott, I came to realize that I had very little understanding of electronic crime from the victim’s perspective. I have spent my professional life trying to thwart these online criminals through policies and technology, driven by the belief that it was the right thing to do. But hearing the frustration, tedium, and finally hopelessness that Paul and Scott have endured because they were fooled by schemes that were very convincing and seemed legitimate has reawakened the purpose of my pursuit. More than ever, I want to stop these scams.
At the moment, my main concern is this: the bad guys have found a loophole in the system that allows them to exploit people like Paul and Scott and get away with it. By keeping the final “take” for each victim relatively low (within $10k or so), and by having geographically diverse victims, the bad guys make it extremely difficult for law enforcement to determine when there might be a mass crime spree taking place.
In talking to someone from the FBI, it sounds like it is generally believed the bad guys aren’t targeting the low dollar amounts to stay under the radar. But, since the amounts in these cases are low, they do tend to go a bit more under-reported/under-investigated than the higher dollar amounts. There are groups within law enforcement that not only collect the data from the victims (through ic3.gov), but also link that data to more prolific online fraud networks like botnets, spam rings, etc. This is great news!
So, there are places to report this: ic3.gov. I don’t think law enforcement usually spends much on marketing, so that might be why the message about this site isn’t out there.
What I’m wondering has two parts.
1) Is ic3.gov the best place to report these types of crimes? Are there other such databases/aggregators?
2) Whatever place is the best – can we get the message out about how to respond to this type of fraud? Just because law enforcement doesn’t have a marketing budget, doesn’t mean the message can’t get out there. Maybe we can help.
If anyone out there has thoughts on these questions, I’d be very interested to hear them. I’m going to start exploring this topic further. I’ll be soliciting help from my friends at the Anti-Phishing Working Group (APWG) to do this, but if any of you out there would like to participate in this quest, please let me know. I think the questions above are fundamental to moving the fight against online fraud forward.
Blogging from MRC – Last Day
Last day of the MRC (Merchant Risk Council) provided some good presentations and an excellent closing. Last night was fun watching a few folks go down in flames at the blackjack table… and btw: I noticed no signs of “The Great Recession” at the casino – pretty crowded…
I watched the early presentation on payments, with a panel of folks discussing alternative payment methods (pre-paid cards, gift cards, delayed billing) which bring more buyers to the merchant, but also add more attack potential for the fraudsters.
Sat in on the presentation by Gene Hoffman, CEO of Vindicia on the unique practices for risk and payments for goods-not-present merchants (essentially, buying digital goods). I thought his quote was very relevant, “The best way to lose a customer is to lose their credit card information to a breach.”
A host of people stayed for the closing keynote with Chris Hansen from Dateline NBC. A 7-time Emmy Award winner, he is well known now in the fraud community for his Dateline NBC piece “To Catch an ID Thief” and known worldwide for his piece “To Catch a Predator”. If you have not watched these episodes, I recommend them as a very good report on online fraud & scams – well researched and fascinating to see the operations at work.
A great speaker in front of an audience, Chris gave some entertaining stories about his investigation work into the world of online fraud. He has tracked the Nigerian 419 scams for years now and though he has tracked the scams to West Africa, he has not been able to really track the scam into Nigeria. It seems the country is so suspect, it’s difficult to execute a real investigation. His report does get pretty far.
Chris has done a lot to promote the tragedy of online fraud, especially around identity theft and the use of “mules” – innocent victims unknowingly assisting a fraudster in the re-shipping of stolen goods. The victims are numerous. Awareness is one of the first defenses to impact these fraud attacks – the fewer victims, the less chance of success for online fraudsters. Chris also mentioned more education needs to be done, and I couldn’t agree more. It’s amazing that with so many articles (250,000 hits on Google alone), there are still new stories and of course, many derivatives of the same scheme. Unfortunately, most people are not concerned or interested until it’s too late. As a side note, the Anti-Phishing Working Group (APWG) has an initiative to instruct consumers about online safety at the “most teachable moment”: when they have just clicked on a link in a phishing communication. This initiative was brought about by our own Laura Mather!
