Sophos

Archive for the ‘Banking’ Category

Get Safe Online week 2008

Put your best dancing shoes on and deck the halls with bunting, because it’s that time of year again. Yes, it’s Get Safe Online week here in the UK.

International celebrities like Brad Pitt, Bill Gates and that little guy who used to be in Diff’rent Strokes are converging on London for a media blitz to help raise awareness amongst the British public of computer security issues. A 120 foot 3D hologram of Carol Vorderman will be beamed above Nelson’s Column to provide shoppers and tourists with tips on how to avoid having their online bank account raided, and how to upgrade their version of Internet Explorer. Meanwhile, episodes of top soap operas Eastenders and Coronation Street will feature storylines about identity theft and scareware.

Okay, so some of that last paragraph may not be entirely true.

But wouldn’t it be great if it was? You see, I think Get Safe Online is a terrific website with superb material on it, and there’s no doubting the very real determination of the people behind the organisation to spread the word about how to use the internet safely. But - and it’s a big but - no-one apart from security geeks seems to know about the website, and we’re hardly the most important people to train about computer security.

I hope the awareness week is successful in raising the profile of the site and safe computing practices amongst the general public, but the government needs to put much more effort into educating the masses about how to surf safely online.


Are Icesave customers at risk of phishing?

Jeremy Kirk, a journalist with IDG, has published an interesting story today about how customers of a collapsed bank may be at risk of phishing scams.

When Iceland’s banking system collapsed in October it made international headlines. Here in Britain, many individuals and organisations were affected as they found that withdrawals from their internet bank Icesave had been suspended.

The UK’s Financial Services Compensation Scheme (FSCS) is now co-ordinating refunds for British customers, and has said that it will be sending two emails to Icesave investors. The first will tell them how they can claim their money back, and the second email - which is to follow within a month - will ask users to log onto a website to complete the electronic transfer to a British bank or building society.

The risk is, of course, whether phishers might take advantage of the opportunity and spam out emails posing as Icesave and asking people to log in to their accounts. Would investors concerned about the safety of their money rush to click on a link without necessarily checking that they were going to the real Icesave website at www.icesave.co.uk?

My feeling is that risks would have been reduced if instead of an email a postal letter had been sent to Icesave investors, telling them of the plan. After all, it is much, much more expensive and time consuming (and I suspect impractical) for cybercriminals to send out a fake letter than to knock out a quick email to millions of people in the hope of hitting a few Icesave customers.


Bank of Ireland loses customer data on memory stick

The personal information of almost 1000 bank customers has been lost by an employee of Bank of Ireland, after the data was copied onto an unencrypted USB memory stick.

In the latest security blunder to befall a bank, details of 894 customers’ accounts, phone numbers and addresses were wrongfully copied onto a portable flash drive which was subsequently lost. In the wrong hands, the information could provide criminals with some of the essential stepping stones to committing identity theft.

Bank of Ireland says it has informed most of the people affected by the data breach, and will monitor their accounts for unusual activity.

That’s all very well - but this security lapse should never have happened in the first place. With proper checks and measures in place, it should have been possible to control access to the memory stick and ensure that any sensitive data copied to it remained encrypted.

Sadly it seems the message about the need for greater care over the transport of sensitive data just isn’t getting through to some businesses - or at least that workers cannot be trusted to follow security guidelines and policies.

If you cannot enforce a policy across your workforce then there is the risk that your employees are putting the reputation of your company directly into the firing line.


Six arrested following Sarkozy bank account hack

Sarkozy and his wife Carla Bruni

When you have a victim of banking fraud as high profile as the President of France, it’s not surprising that the authorities will put a lot of resources and effort into getting to the bottom of who might be responsible.

According to media reports, French police have now arrested a total of six people in connection with the breach of President Nicolas Sarkozy’s bank account.

President Sarkozy filed a complaint with police last month following withdrawals of “small amounts of money” from his personal Parisian bank account. It is alleged that the money was used to set up mobile phone subscriptions - and some of the people arrested are said to be employees of a cellphone store in Rouen.

Of course, it should be remembered that identity theft isn’t just a problem for famous people like Sarah Palin, Paris Hilton or Nicolas Sarkozy. It can - and does - potentially impact all of us, and we must all do what we can to properly defend ourselves.


Nicolas Sarkozy et le poisson

Poor old Nicolas Sarkozy. He’s got a lot on his plate.

Not only is he busy being President of la belle France and keeping the ravishing man-eating supermodel Carla Bruni entertained, but he’s also had his bank account hacked!

We’ve made a little movie to cheer him up, en Franglais (or is it Frenglish?)..


Chip-and-pin fraud hits European supermarkets

If you thought living a secure life was hard enough with email phishing, keylogging spyware, backdoor Trojan horses, wi-fi hijacking and compromised websites, here comes another thing to worry about.

According to British newspaper The Daily Telegraph this weekend, hundreds of chip and pin payments in European supermarkets have been tampered with to steal shoppers’ credit card details.

Dr Joel Brenner, the head of the US National Counterintelligence Executive, told the newspaper that chip and pin devices exported to Britain, Belgium, Denmark, Ireland, and the Netherlands, were implanted with additional hardware that transmitted credit and debit card data via the mobile phone network to criminals in Lahore, Pakistan.

Hundreds of the tampered devices, which cannot be recognised as dangerous without opening as there is no external sign of interference, are said to have been found in affected countries, including reportedly at some British branches of Tesco, Asda (a subsidiary of Wal-Mart) and Sainsbury’s. According to reports, supermarkets were weighing chip-and-pin devices to determine if they were compromised or not, as affected machines weighed three to four ounces heavier.

Once hackers had acquired stolen credit card information they did not steal cash or order goods online. Instead, they waited.

Waiting at least two months before making fraudulent withdrawals and payments made it harder for victims to piece together where their details may have been stolen. This undoubtedly meant it took the authorities much longer to identify how the crimes were being committed.

I first heard rumours of this huge data heist a few months ago, when local newspaper reporters called me saying that readers had contacted them, complaining of credit card fraud, but could only identify a particular supermarket branch they shopped in as a common thread.

To hear that the problem may indeed have been nationwide, and indeed a problem across other countries in Europe, puts this crime into a whole new league. There is next to nothing that consumers can do to protect themselves against this type of theft. What are people supposed to do? Take a set of kitchen scales with them when they go shopping and weigh the chip-and-pin machine before they swipe their card?? Buying goods in a respected supermarket should be safe.

Retailers are going to have to do more in future to ensure the integrity of their payment devices is utterly without question, and to guard the supply of such devices from factory to supermarket checkout, or risk losing the confidence of their customers.


Hackers break into World Bank network, reports claim

Fox News is reporting that the network of the World Bank Group has suffered from six major intrusions since mid 2007, including hackers gaining full access to the rest of the bank’s network for nearly a month in June-July 2008. The most recent breach was last month.

The FBI are said to be investigating the series of serious security intrusions, which is said to have affected at least 18 servers (some sources are claiming as many as 40), including systems responsible for security (such as the management of passwords) and human resources (where confidential personnel files are held).

Two of the intrusions are said to have been tracked to the same range of IP addresses based in China, but that does not necessarily mean that the attackers are Chinese or supported by the authorities in Beijing. Studies done by Sophos in the past have revealed that there is a large number of compromised computers in China, being controlled by hackers who could be based anywhere in the world.

Put simply - if you were going to illegally access the network of as high profile an organization as the World Bank, would you really use your own computer when it is so easy to take remote control of someone else’s? It would be foolish, therefore, to jump to hasty assumptions as to the motivation or origin of these attacks.

One thing that has caught my eye is a memo reportedly sent to World Bank staff by CIO, Guy De Poerck, and a senior treasury official, trying to reassure employees that their own personal information was not put at risk. Part of the memo, published by Fox News [PDF], claims that the bank has since introduced secure authentication tokens for staff accessing their accounts remotely:

World Bank introduces secure authentication tokens

It is simply mind-boggling to believe that staff weren’t already using secure authentication tokens (those little devices you keep on your keyring to give you a random number when you login to your account). Without them World Bank employees’ web-access accounts would be ripe for the picking by keylogging spyware.

Another part of the memo is reported to say, “The deadline for all Bank staff to take the online information security awareness course is brought forward to December 31 2008”:

World Bank security awareness course

December 2008? Ermm.. shouldn’t this be made a little bit more of a priority? Every worker at every company should be made aware of security issues at their induction into the organisation, and existing staff should be given regular refreshers. Waiting until the end of the year sounds like security is not being treated as seriously as it should be.

What we can all learn from this incident is that if this can happen to the World Bank it can happen to anyone. All firms, individuals, and organisations, need to take the appropriate steps to properly secure their data and prevent hackers from smashing into their networks.

For instance, why aren’t more firms using encryption? If you encrypt your sensitive data (basically, turning your secret and confidential files into gobbledygook which can only be read if you know the right password) then even if hackers do manage to defeat your other defences they won’t be able to steal your information.

One question that people are bound to be asking right now is “Is this connected with the current financial crisis?”. I don’t think we can necessarily link it right now - until we have more information about precisely what information has been stolen, we can only speculate as to what the intention was here. It’s possible that it was just curious kids messing around and breaking into networks they shouldn’t have rather than inspired by a financial or political motivation.

But it’s important to remember one thing. The economy and the banking industry succeed because people have confidence and trust in them. If confidence and trust disappear then things get pretty difficult, and it takes time to restore. Although the implications for an organisation like the World Bank are obviously higher than a small store on the high street, it is still essential that companies do everything they can to ensure that they are seen as a firm that can be trusted to hold data securely, and that the public and organisations can have confidence in them.

If the Fox News report is true, then news of this hack couldn’t have come at a worse time for the World Bank.

According to the latest update from Fox News, however, the World Bank is categorically denying the claims of the report.

It seems the rest of us will have to see what develops next. It’s a long holiday weekend in America - what’s the betting that there will be other financial news making the headlines by the time people return to their jobs on Tuesday?


$700,000 Romanian phisher pleads guilty

No fishing sign

Newspapers in Minneapolis are reporting that a 22-year-old Romanian national has admitted his involvement in a US-based phishing scheme that raked in $700,000.

Sergiu Daniel Popa, who was extradited to the USA from Spain in June, stole a total of approximately $700,000 from over 7000 people after spamming out emails pretending to come from financial institutions such as SunTrust, Citibank and PayPal.

By leading victims to bogus websites, Popa was able to steal PIN codes, names, addresses, bank account numbers, credit card and social security information from internet users.

Court documents showed that Popa had a high opinion of his position in the computer underworld. In an email to an associate in January 2005 he is said to have written:

“Listen up, I am a accredited [sic] vendor in underworld. I have many scams, shop admins, and many full info credit cards. I can also pull up credit reports and cash out ATMs. I charge for my services but I am a great provider of everything.”

According to an affidavit filed in the court, Popa also offered phishing kits for sale with instructions on how to counterfeit credit cards.

A date for Popa’s sentencing has not yet been scheduled, but he faces a possible maximum sentence of ten years in jail and a $500,000 fine.

The authorities should be applauded for pursuing this case, and forcing Popa to face his day in court. Sadly, though, there are plenty of other criminals taking advantage of innocent internet users and stealing identities from the unwary.

* Image source: Jeffrey Simms Photography’s photostream (Creative Commons 2.0)


Kuwait teenager arrested in bank hack probe

Kuwait

With gloomy predictions on the economy and plummeting share prices, people are likely to be tightening their belts more than ever.

So the last thing you need is someone hacking into your bank account and spiriting away your hard-earned savings.

And yet, more and more criminals appear to be using the internet to do precisely that, all around the world.

In the latest case to come to light, authorities in Kuwait have arrested a teenager in connection with a Trojan horse that stole bank account information from internet users.

According to reports, a 17-year-old boy is alleged to have posted what is described as an “immoral picture” on a website to attract potential victims, but then silently installed spyware onto their computers, stealing online bank account information and other personal data.

Officers at the Mubarak Al-Kabeer division of the Criminal Investigations Department claim that the young man’s computer contained programs for hacking into other people’s computers.

Governments around the world are trying to avoid a financial meltdown - make sure you’re doing what you can to protect your savings, by running up-to-date security software, patches and a firewall and always following best practice when surfing online.

* Image source: Hamad M’s Flickr photostream (Creative Commons 2.0)


UAE bank customers shaken by spree of ATM card fraud

ATM cash machine

It has been a jittery week in the United Arab Emirates for several banks and their many customers.

Citibank, Dubai Bank, Emirates NBD, HSBC, Lloyds TSB, and the National Bank of Abu Dhabi (NBAD) are just some of the banks to have contacted their customers in the region, advising them to change their security PIN codes. The advice follows reports this week that there has been a marked jump in the number of fraudulent transactions made from ATMs in other countries.

In essence, the belief is that criminals have managed to steal card details and PIN numbers of bank customers in the UAE, made counterfeit cards, and then used them to withdraw money in other countries such as Kuala Lumpur and the Philippines.

Details of how precisely the criminals might have accessed the card and PIN code data are presently unclear, but it is clear that several banks have been rattled by the rise in incidents, and thought it wise to warn their customers to take preventive steps. A number of financial institutions thought the situation serious enough to send an immediate SMS text warning to their customers in the region, rather than rely upon the post.

Banks in the United Arab Emirates issued advisories to their customers

There have been claims, however, that the banks’ warnings have resulted only in causing some of their customers to panic. For instance, it is reported that the HSBC hotline told customers to change their PINs before 6pm, or face having their ATM cards cancelled. Long queues were said to be building at ATMs of various banks as people rushed to alter their security codes.

One interesting point to note is that this is not the first time that banking customers in the area have been troubled by a hacked ATM machine. In March of this year it was reported that thieves had stolen bank card details from an ATM in the UAE over a seven day period, copying details from all cards used in the machine during the period 19-25 February.

What was disturbing about that case was that the gang fitted a card reader inside the ATM, rather than the more normal situation of having it installed externally.

Is it possible something similar has happened again? And, if so, how are the criminals managing to install their devices inside the ATM without being noticed? Alternatively, rogue software inside the banks’ systems could potentially send confidential information out to criminals, or wireless-enabled devices could transmit information to hackers waiting nearby.

Clearly if anybody knows what happened in this new case, they’re not talking about it at the moment. It will be interesting to find out what new snippets of information emerge in the days and weeks to come.

* Image of cash machine buttons: Leo Reynolds’ Flickr photostream (Creative Commons 2.0)