In a review of the most common cyber scams, credit or debit card fraud takes one of the top places in popularity. In most cases the cyber criminals use a victim’s illegally obtained credit card number to purchase goods or services online.
Among the reasons this scam is so widespread is the increase in phishing attacks. Very often a phishing scheme tricks the user into entering his or her credit card number and other personal information. That personal information can then be used to steal the person’s identity by opening new credit cards or lines of credit. InternetNews reports that in 2003 online fraud losses, some of which are linked to stolen identities or credit cards, amounted to $437M.
In response to the increasing numbers of such attacks and people’s growing reluctance to use their cards, many credit and debit card providers are starting to offer ‘liability-free’ cards, where the user is not liable if the card is stolen. This gives users peace of mind when purchasing an item online, but the costs and damages are not avoided - they are merely shifted from the users to the credit card provider or its insurance company. Arming users with liability-free cards also invites the ‘moral hazard’ problem known from law and the insurance business - by removing some of the users’ incentive to be careful about whom they give their credit card number to, the credit card companies are indirectly responsible for the high numbers of credit card fraud, which in turn makes cyber criminals more aggressive.
I don’t mean to blame the credit card companies for the high level of fraud in this field, but I am willing to hold them accountable for not doing much to educate their customers about what is safe and what is not when it comes to credit cards and the Internet.
InformationWeek reports on the sentencing of the Wi-Fi hacker who used Lowe’s unsecured Wi-Fi network to access the central network and steal personal and credit card information from Lowe’s. The 21-year-old defendant was sentenced to nine years in prison for breaking into the network, the longest term ever imposed in the US for hacking.
The defendant and his two co-conspirators were sitting in a car in Lowe’s parking lot and accessed the network via Wi-Fi from there. They were caught because a vigilant system administrator spotted the unusual network traffic. Also critical in breaking up the conspiracy was the car with “suspicious-looking” antennas.
The Associated Press reports this is the harshest prison sentence ever for hacking into a computer network. The second harshest is Kevin Mitnick’s sentence in 1999 of 5 years and 8 months. The harsh sentence was imposed mainly because of the stipulated potential losses of over $2.5 million in the defendant’s plea agreement.
It is interesting that one of the co-conspirators was exonerated, but eventually pleaded guilty to a misdemeanor charge for checking his email over Lowe’s network. This one qualifies for Jay Leno’s “stupid criminals” column.
Via InternetWeek and SecurityFocus.
The Department of Homeland Security leads by example, unfortunately in the “How not to…” column of cyber security. The agency entrusted to keep America safe from attacks both on the ground and through the Net was the target of security vulnerability testing by security auditors:
Earlier this year security auditors armed with ISS’s Internet Scanner, @stake’s L0phtCrack and Sandstorm Enterprises’ PhoneSweep 4.0 spent five months probing hosts, attacking passwords and war dialing the Department.
They found that some of the hosts designed to allow home workers and other trusted users access to DHS networks by modem or over the Internet lacked the authentication measures called for by official NIST guidelines and recommendations by the National Security Agency, like minimum password lengths and password aging.
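The two weaknesses named in the audit, missing minimum password length and missing password aging, are the kind of thing an administrator can check on every remote-access host before an auditor does. The following Python checker is an added example; it is not code from the original post, from SecurityFocus, or from the DHS audit. It parses /etc/shadow-style records and an /etc/login.defs excerpt and flags accounts with no aging, overdue passwords, empty password fields, and system defaults below a baseline. The policy numbers (8 characters, 90 days), the “today” value and all the records are constructed assumptions, not figures taken from the page or from NIST.

```python
"""Check password-aging and minimum-length settings on a Unix host.

Added example; not code from the original post or from the DHS audit.
Policy values, "today", and the sample records below are constructed.
"""
from dataclasses import dataclass

# Assumed baseline policy (illustrative placeholders, not official NIST figures).
MIN_PASSWORD_LEN = 8
MAX_PASSWORD_AGE_DAYS = 90
NO_AGING = 99999  # shadow-utils convention for "password never expires"


@dataclass
class Finding:
    account: str
    issue: str


def parse_shadow_line(line):
    """Split one /etc/shadow record into its nine colon-separated fields.

    Field order: name, hash, lastchange (days since 1970-01-01), min, max,
    warn, inactive, expire, reserved. Empty numeric fields become None.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow record: {line!r}")
    name, pw_hash, lastchg, mindays, maxdays, warn, inactive, expire, _ = fields

    def to_int(v):
        return int(v) if v.strip() else None

    return {
        "name": name, "hash": pw_hash, "lastchange": to_int(lastchg),
        "min": to_int(mindays), "max": to_int(maxdays), "warn": to_int(warn),
        "inactive": to_int(inactive), "expire": to_int(expire),
    }


def audit_shadow(lines, today_days, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return one Finding per aging or authentication weakness in the records."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_shadow_line(line)
        name, h = rec["name"], rec["hash"]
        if h == "":
            # An empty hash field lets the account log in with no password at all.
            findings.append(Finding(name, "empty password field (no password required)"))
            continue
        if h.startswith(("!", "*")):
            continue  # locked or non-login account: aging does not apply
        if rec["max"] is None or rec["max"] >= NO_AGING:
            findings.append(Finding(name, "no password aging configured"))
        elif rec["max"] > max_age:
            findings.append(Finding(name, f"max age {rec['max']}d exceeds policy {max_age}d"))
        last = rec["lastchange"]
        # lastchange == 0 forces a change at next login, so it is not overdue.
        if last is not None and last > 0 and today_days - last > max_age:
            findings.append(Finding(name, f"password is {today_days - last} days old"))
    return findings


def audit_login_defs(text, min_len=MIN_PASSWORD_LEN, max_age=MAX_PASSWORD_AGE_DAYS):
    """Check the system-wide defaults in /etc/login.defs against the policy.

    PASS_MIN_LEN is only a declared default here; PAM-based systems enforce
    length through pam_pwquality or pam_cracklib instead, so check those too.
    """
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    findings = []
    max_days = settings.get("PASS_MAX_DAYS")
    if max_days is None or int(max_days) > max_age:
        findings.append(Finding("login.defs", f"PASS_MAX_DAYS={max_days} (policy: <= {max_age})"))
    cur_len = settings.get("PASS_MIN_LEN")
    if cur_len is None or int(cur_len) < min_len:
        findings.append(Finding("login.defs", f"PASS_MIN_LEN={cur_len} (policy: >= {min_len})"))
    return findings


# Constructed sample data (not from any real host).
SAMPLE_SHADOW = """\
root:$6$salt$fakehash:19600:0:99999:7:::
alice:$6$salt$fakehash:19700:1:90:14:::
bob:$6$salt$fakehash:19500:0:365:7:::
dialup:$6$salt$fakehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19700:0:90:7:::
"""
SAMPLE_LOGIN_DEFS = """\
# constructed /etc/login.defs excerpt
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_MIN_LEN\t5
PASS_WARN_AGE\t7
"""
TODAY_DAYS = 19750  # constructed "today" as days since the epoch


if __name__ == "__main__":
    results = audit_login_defs(SAMPLE_LOGIN_DEFS) + audit_shadow(SAMPLE_SHADOW.splitlines(), TODAY_DAYS)
    for f in results:
        print(f"{f.account:10} {f.issue}")
```

On the constructed data the checker reports the two login.defs defaults plus seven account-level findings: root and dialup have no aging and stale passwords, bob has an over-long maximum age and a stale password, and guest has an empty password field. The locked daemon account is skipped, and alice passes. Run it against real files by reading /etc/shadow (root only) and computing today_days as the integer division of the current Unix time by 86400.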
So, according to this research, you and your organization should:
More by SecurityFocus.