Archive for category Data Loss

ATM Skimming

Using an ATM machine is something we all do often, but we do not realize the importance of protecting sensitive information while using one. During the past few years ATM skimming has gained a lot of attention as victims suffer, resulting in loss of millions of dollars. Skimming is the act of capturing the data on the magnetic strip of an ATM card through different techniques and then cloning it onto a blank card with a similar magnetic strip, which allows the bad guys to use the cards of skimming victims.

Bad guys are able to intercept personal identification information using various custom and homemade devices attached to ATM machines. Skimmers mount portable data collectors over the regular card reading slot where the card is swiped, or mount fake keypads over the existing keypad to gather information. After the transactions are complete, the criminal retrieves the device that was placed on the ATM; a mini portable storage unit behind the device is what actually captures the information of the various ATM users.

The information on the magnetic strip includes the user’s full name, account number and bank details, along with other data required for the card to function properly. As a result, a card that is swiped in a slot that has been tampered with gives bad guys the ability to steal large amounts of cash. Some of the places where these skimming devices are mounted include the lighting fixtures of an ATM, the plastic brochure case, the ATM card swipe slot itself, and the keypad. Skimmers use a number of ways to gain sensitive information of users. One of the most commonly used techniques is a spy camera installed alongside a card skimmer mounted in the card swipe slot. One such example is shown in the picture below, where the scammer has placed a camera in a small wooden box that was then attached to the ATM machine along with the card skimmer.

The following picture shows a closer view of the card skimming device that was attached to the card swipe slot in order to read and record data from the magnetic strip on ATM cards. Criminals may then use the financial information gained, along with the PIN obtained through spy cameras, to withdraw cash from the accounts of victims.

Only recently did ATM skimming hit Pakistan, when a couple of university students in Islamabad designed a skimmer and robbed people of millions of rupees before being caught by the Federal Investigation Agency (FIA). According to the investigative report, a total of Rs. 12 million was robbed through a single skimming device which included 187 PSO cards and a second skimming device for 1192 ATM cards. The university students that were held responsible for the crime included Nasir Abbas, Muhammad, Zaheer Ahmed, Mustaqeem and Amir Shahzad, Javed.

According to the FIA, Zaheer Ahmed owned two skimming devices which caused a loss of almost Rs. 12 million to the government and private sector. The first skimmer was used to read credit card information from the magnetic strip on the back of a card, which holds the card owner’s details; clones of the cards were then made and used fraudulently, or the information derived from the cards was used to make transactions online. The second skimmer was a device mounted on an ATM machine that gathers the information of ATM users once they swipe their cards in the slot, along with a device that records the keystrokes entered to gather the personal identification numbers (PINs) of ATM users.

Skimmers are getting better at what they do day by day. Over the past couple of months, criminals have introduced new skimming devices that allow skimmers to connect to the devices attached to ATM machines, which wirelessly transmit the victim’s sensitive information as soon as he enters.

Skimming is not easy to detect, but ATM users can watch for some signs to avoid becoming victims of such a crime. There are many ways to protect yourself. It is very important to observe the ATM machine before swiping your card, i.e. whether the ATM looks normal apart from the usual wear and tear, or whether there is anything strange in the appearance of the machine such as glue residue, cracks, exposed wires, etc. Check the card reader: does it look normal, or does it seem to have a device attached to it? One of the most important ways to protect yourself while using an ATM machine is to cover the keypad when typing in your PIN; if a hidden camera is present, your PIN stays protected and the criminals are unable to gain that vital information. It is also very important to always be aware of your surroundings, because you never know who or what may be spying on you.

According to law enforcement, ATM skimming is hard to track, which makes it very attractive for thieves. ATM skimming may be on the rise, but staying informed and educated can reduce the likelihood of being swiped by criminals.

Carrier IQ

Carrier IQ, also known as CIQ, is software that is installed not only on smartphones but also on tablets. Carrier IQ was developed to reduce the number of dropped calls, extend battery life and keep the device and services working efficiently at all times, which helps in understanding the experience of mobile users. Operators want to develop and enhance their services all the time, and this can only be done by knowing exactly when the mobile user is having a bad experience.

Historically, operators used their network to solve problems, but today’s networks and devices are too complex to understand if you can’t see the device itself. Carrier IQ examines a large amount of data from each device to capture and summarize what exactly is working and what is not. For example, the operators and the device manufacturers need to know where exactly a call was dropped or which applications drained the battery life of the device, and most importantly they need to know how to solve the user’s problems when you call them.

Carrier IQ’s technology counts and summarizes problems. According to CIQ, it is not providing keystrokes or tracking tools. Carrier IQ’s technology is the user’s advocate because operators and handset manufacturers are, for the first time, getting an understanding of the users’ day-to-day problems.

Developers, on the other hand, believe that CIQ is low-level software that is installed by Samsung and HTC at the command of the mobile carrier, such as AT&T. According to them, it basically records metrics, i.e. every key that is pressed, every touch on the screen, every application launched, every website visited or any kind of traffic entering or leaving the phone or every time the battery is changed, etc.

Carrier IQ calls this software the Mobile Intelligence Platform (MIP). CIQ works with mobile manufacturers such as Samsung and HTC to embed the agent within the smartphone to track all the data. The biggest issue behind CIQ is the threat to privacy, since the software works in a similar manner to spyware.

Carrier IQ has recently attracted immense public attention. With growing concerns about the threat to the privacy of users, CIQ is facing a lot of pressure not only from the general public but also from lawsuits filed against its software. Developers are coming up with new ways of disabling the software at the wish of the users, allowing them to control exactly what information they are willing to share.

Fired Employees Leaving With More Than Just Experience

With rampant downsizing in most organizations, corporations now face new frontiers in their efforts to keep their data secure.

Uncertainty amongst employees leads to more dubious behavior. With most of today’s security products designed to counter external threats, how do you keep the EVIL WITHIN from jeopardizing your security and compromising the sanctity of your data?

Recent surveys conducted by (but not limited to) Symantec and Ponemon indicate that the employee exodus has also resulted in tons of sensitive data being leaked out. The survey, conducted among around a thousand participants, revealed that an overwhelming majority of employees took a copy of their work with them. According to the survey, CDs remained the most popular mode of sneaking out data, with confessions from 53 percent of the participants. Next in line were USBs, which had been used by another 43%, while 38% said that they had used email.

While the more benign of the lot may just keep it as a part of their memory, the more enterprising may have other wily ideas.

A Matter of Trust

Another commonly raised point related to DLPs, usually by indignant employees, is “don’t you trust us?”

It is necessary to elaborate that implementation of a DLP does not necessarily imply lack of trust in employees; in fact, it’s there to protect against accidental losses. Studies analyzing recent data leakages indicate that a vast majority of disclosures are unintentional and may be attributed to the lack of awareness amongst employees. A majority of leakage scenarios can be traced back to lost USB storage devices or stolen laptops. Social networking sites, blogs and the increasing use of wikis are contributing to incidents of both incidental and intentional leakage.

It is under these scenarios that the implementation of a DLP starts to make sense: preventing malpractices before they can actually hurt.

Guidelines for Setting Up a DLP

Planning to set up a Data Leakage Prevention (DLP) system for your company? With DLP systems costing as much as they do, it’s common for security managers to think of these new contraptions as the elixir for all their headaches.

Before you start attaching too many expectations to your DLP, it’s better to get an insight into what a DLP system is capable of – and more importantly what it’s not capable of.

DLP is essentially targeted at risk reduction, not true elimination of threats. System admins have to be careful about the nature of the security they are deploying; misdirected policies are likely to raise either too many false alarms or too few.
Identify your sensitivity areas and categorize possible threats based on your organizational structure. While it may not be very alarming for someone from HR to have a list of all your employees, the same list in the hands of someone from, say, the marketing department should be very alarming. An attempt by anyone to copy or email that list, however, should automatically trigger an alarm.

Hence, the simpler the policies, the more effectively your system reacts: for example, address personal info of employees in one rule, use another for customer credentials, and yet another to deal with pricing archives.

Once you have your policies defined, it’s time to test them and make some fine adjustments to optimize your response. One of the biggest hurdles to an effective implementation of a DLP is improperly defined user groups. In a system that relies heavily on your classification of users on the basis of their privileges, it’s important that you keep the directory structure as straightforward as possible.

And finally, one thing that we can’t emphasize enough is to test, test and retest your DLP configurations; this will truly let you gauge the capability of your DLP installation.
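
The rule layout described above, sketched as an added example (not code from the original post or from any DLP product): one rule per data category, entitlement by directory group, copy/email alarms for everyone, and a small regression suite to re-run after each policy change. All group, category and action names are assumptions, and the events are constructed.

```python
from dataclasses import dataclass

# Illustrative names only: groups, categories and actions are assumptions.
EXFIL_ACTIONS = {"copy_to_removable", "email_external"}

@dataclass(frozen=True)
class Rule:
    category: str              # one data category per rule
    allowed_groups: frozenset  # directory groups that may hold this data

RULES = {r.category: r for r in (
    Rule("employee_pii", frozenset({"hr"})),
    Rule("customer_credentials", frozenset({"support"})),
    Rule("pricing_archive", frozenset({"sales", "finance"})),
)}

@dataclass(frozen=True)
class Event:
    user: str
    group: str      # group resolved from the directory
    category: str   # classification of the data touched
    action: str     # "view", "copy_to_removable" or "email_external"

def evaluate(event):
    """Return (verdict, reason) for one event."""
    rule = RULES.get(event.category)
    if rule is None:
        return ("allow", "unclassified data, no rule applies")
    if event.action in EXFIL_ACTIONS:
        return ("alert", "copy/email of sensitive data alarms for anyone")
    if event.group not in rule.allowed_groups:
        return ("alert", "group not entitled to this category")
    return ("allow", "entitled group, non-exfil action")

def run_policy_tests(cases):
    """Re-run expected verdicts; return the cases that no longer match."""
    return [(e, want, evaluate(e)[0]) for e, want in cases
            if evaluate(e)[0] != want]

# Constructed test events (users and data are made up).
POLICY_TESTS = [
    (Event("hr.user", "hr", "employee_pii", "view"), "allow"),
    (Event("mkt.user", "marketing", "employee_pii", "view"), "alert"),
    (Event("hr.user", "hr", "employee_pii", "email_external"), "alert"),
    (Event("sales.user", "sales", "pricing_archive", "copy_to_removable"), "alert"),
    (Event("mkt.user", "marketing", "lunch_menu", "email_external"), "allow"),
]

if __name__ == "__main__":
    print("policy regressions:", run_policy_tests(POLICY_TESTS))
```

An empty list from `run_policy_tests` means every expected verdict still holds; any entry shows the event, the expected verdict and what the policy now returns.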

The Need for Data Leakage Prevention (DLP)

Many years ago, I remember watching a clip on TV about someone inventing a toilet that once locked, would not open unless it senses that someone has used the washbasin first. Interesting and to some extent sickening – just makes you wonder, was it invented as a precaution or a necessity?

There probably aren’t many people out there who have to be forced to wash their hands after using the toilet, but considering the stakes, the precaution was worth it.

Putting this in corporate information security perspective, most of our rules have less to do with legislation and more with common sense. Moreover a policy that isn’t implemented tends to remain more of an advice – which tends to be generally disregarded.

Data Loss Prevention (DLP) is a preventative technology, if you’d call it that; I consider it more of an amalgamation of existing little utilities packaged into integrated software allowing centralized policy control and, more importantly, policy enforcement.

If you’re fed up with being the Dutch uncle on information security issues only once something appalling has occurred (people usually start seeking advice once they’ve done the irrevocable), maybe it’s now time for less advising and more enforcing of things; maybe it’s time for Data Loss Prevention (DLP).

Copyright © Rewterz. All rights reserved.