
Thursday, September 19, 2013

Card Skimming

Card skimming involves swiping your debit or credit card through a card reader that has been illegitimately set up to record information from your card’s magnetic stripe. After your information has been recorded, it is usually then sold to other scammers on the black market or converted into a counterfeit card and used to make fraudulent purchases. Because it is difficult to know when your card has been skimmed, you may not find out unless you review your financial statements regularly.

How skimming works

Skimming devices are usually installed on machines like ATMs and handheld pin-pads, but also come as standalone, portable versions that are small enough to fit inside your pocket. One method of skimming involves fraudsters installing a face-plate over the card slot of any machine which accepts debit or credit cards. This is commonly referred to as ATM skimming, but it is also popular with other types of payment processing machines, such as those at gas stations and parking lots.
The face plates installed on these machines usually contain hardware which reads your card’s magnetic stripe before the card enters the original ATM card slot.
Your PIN is then either observed by a person “shoulder surfing” or captured by a hidden pinhole camera installed on the machine and pointed at the keypad. This is why it is a good idea to cover the keypad with your hand even when alone at an ATM.

Fraudsters don’t need to return to the ATM to extract the video and card information because many of these skimming devices also have wireless capabilities. Fraudsters can comfortably and anonymously sit in their car, hundreds of feet away, and retrieve the information wirelessly.

Replacing or Modifying Pin-pads

Fraudsters, sometimes the family members of employees, often approach employees of a retail establishment and bribe them to assist in modifying or replacing an existing pinpad with a counterfeit one and installing cameras to record PIN numbers.
Card information from the pinpads and the video is later retrieved by the dishonest employee and given back to the fraudster. The employee will usually share in the proceeds and receive a lump-sum payment or be paid on a per-card-skimmed basis.
Some retail establishments, such as the office supplier Staples, have used locks on their debit pin-pads to prevent fraudsters or dishonest employees from stealing and replacing them.

Skimming Devices

Because skimming using a handheld device can be extremely easy, many dishonest employees choose to operate alone. All an employee needs to do is wait until your attention is distracted to swipe your card from behind the counter. Skimming devices are readily available on the Internet from websites such as eBay for as little as $50. These devices are usually sold under the name “card reader” because they can also serve legitimate purposes. Skimming at restaurants also happens frequently, especially since customers often leave their credit card for the server to pick up, process, and return a few minutes later. In these cases, a portable card reader is ideal for the fraudster because it is small enough to fit in the server’s pocket or apron.

A server may not even need a portable skimming device. Your credit card information can easily be written down or copied from a receipt.

Protect Yourself from Card Skimming
  • Cover your keypad : Always use your hand and body to cover your keypad when operating a handheld pin-pad or a payment processing machine like an ATM — even when alone. This will prevent shoulder surfers and pinhole cameras from observing your PIN number.
  • Watch your card : If you must hand your debit or credit card to an employee, don’t take your eyes off of it. It only takes a second for your card to be swiped while you look the other way.
  • Pay up front : When eating at restaurants, ask to pay at the terminal instead of giving your credit card to a server for processing.
  • Review your statements : View your bank and card statements on a regular basis. Watch for suspicious charges.
  • Notify someone : If you spot a suspicious pin-pad or payment processing machine, notify someone immediately. If you are using a bank’s ATM and the bank is open, notify the bank manager. Otherwise, notify the local police.

5 Safety Tips for Online Transactions


  1. Always make sure that the card is swiped in your presence. The data in your card's magnetic stripe is recorded when swiped at a machine. This information is then used to make duplicates, a process called skimming and cloning.
  2. Always ensure that the sites you visit for making payments are secure and begin with https.
  3. Notify your banker immediately on spotting any illegal transaction.
  4. Update your operating system frequently and use branded anti-virus software.
  5. Never click on email links that seek details of your account. They could be phishing emails from fraudsters.

Brothers held for credit card fraud

AHMEDABAD: Two brothers have been arrested by the crime branch on the charge of credit card fraud and for siphoning off more than Rs 50 lakh from various private and nationalized banks in the city.
The cyber cell of the crime branch had a tip-off about the brothers - Brijesh and Hemal Patel, both residents of Isanpur. The informer had told crime branch officers that the brothers were using credit cards acquired for fake identities created with the help of duplicate documents.


On getting this tip-off, the crime branch set up a team headed by police sub-inspector Taral Bhatt to keep the brothers under surveillance. "During investigation, we learnt that Brijesh used to work at a private agency which handled documentary verification for loan and account holders of banks," said a crime branch official.
After initial investigation, the police raided the house of the brothers in Isanpur. "We suspected there would be incriminating documents to prove their involvement in this racket," said a police officer.
And as expected, the crime branch team recovered several documents that were used as identity proofs and no less than 54 credit cards and two card swipe machines. When they were brought to the crime branch and interrogated, the brothers revealed their rather unique modus operandi.
They confessed that they had collected several identity proof documents when Brijesh was employed in the document-verification agency. A crime branch official said that though the brothers own a house in Isanpur, they had given it out on rent and then shifted to rented accommodation.
"The rent agreement they drew up with their landlord was used as address proof to apply for credit cards. They frequently changed to different rented houses to get new address proofs and more credit cards. Another fraudulent practice they indulged in was to take out life insurance policies which came with a freebie - credit card of a private bank. They opted for low premium and long-term policies under different names and identities. They also used these insurance policy documents to get new PAN cards which they again used to get credit cards," said a crime branch official.
Posing as entrepreneurs, the brothers then filed an application with the HDFC Bank. They had created fake documents to prove that they owned two firms - Sagar International and Earth Electronics. The bank then issued them two credit card swiping machines.
"The two brothers then started swiping the 54 credit cards in these machines. The cards had credit limits ranging between Rs 50,000 and Rs 1 lakh. They themselves posed as the purchasers and also the sellers. The money spent by the credit cards ended up in their account. By the time the credit card company could intimate the concerned bank and seek reimbursement from the brothers, they had shifted to another house and changed their identity," the crime branch officer said.
The officer further said that the brothers claimed they had been at this business for the last eight months. "Since this is the initial phase of the investigation, we know of only one instance where the brothers owe Axis Bank Rs 5.75 lakh. We suspect more financial frauds will surface as investigations proceed," said the officer.

Credit cards found on brothers

AXIS Bank - 20
HDFC Bank - 25
SBI Bank - 07
Kotak Mahindra - 02

Source : TOI

Monday, September 16, 2013

Hacking police websites earns Ohio man three years in jail

John Borell III, a 22-year-old man from Ohio said to be linked to hacker collective Anonymous, was sentenced to three years in federal prison on Thursday for hacking police and other websites and releasing sensitive information. Borell denied involvement in the attacks in April 2012, but the hacktivist pleaded guilty to computer fraud charges one year later and agreed to pay $227,000 for systems that were damaged and in need of improved security. Judge Robert Shelby announced the sentencing at U.S. District Court in Salt Lake City. Utahchiefs.org, a Syracuse police website, a Springfield, Mo. municipal website and a Los Angeles County Police Canine Association website were among the websites that were targeted. Borell wreaked so much havoc on the Salt Lake City police website that it went out of commission for roughly four months, according to the AP, and along the way he was able to access citizen complaints and information on police officers and informants. He did not respond to inquiries regarding his motivations, according to reports.
Borell is said to have operated within an Anonymous splinter group known as CabinCr3w. The Ohio hacktivist communicated with others under the Twitter name @ItsKahuna, and investigating this account was instrumental in authorities tracking Borell down and charging him.

All too common SQL injection attacks are what allowed Borell to access and compromise the targeted websites, according to the indictment unsealed against him in 2012. Five men charged in July used SQL injection attacks to steal roughly 160 million card numbers from major U.S. companies.

Source :  scmagazine.com

Have you got fake mail from RBI, SBI or the IT department? Phishing Fraud

Phishing is the act of attempting to acquire information such as usernames, passwords and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or the IT department are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Each time the July 31 deadline for filing income-tax returns nears, the hoax about refunds is sent from web sites that are remarkably similar to the official portal. Fake links to Indian and foreign banks are provided and users are told to provide account numbers and passwords.

Another scam involves the impersonation of the outgoing Reserve Bank of India governor. An e-mail purportedly sent by RBI offers to transfer $12 million (approximately Rs72 crore) to the receiver's personal account. A Madhya Pradesh resident paid thousands of rupees after hearing that "Subbarao had met United Nations secretary general Ban Ki-moon to release funds".
RBI spokesperson Alpana Killawala said they had been running a multi-pronged awareness campaign to alert people to this fraud. "We have messages scrolling on our website www.rbi.org.in and are running four spots on FM radio. We have also inserted advertisements in 13 languages in 800 newspapers," she said.

The unemployed youth is still trying to get back on his feet, interestingly, seeking a job with the banking sector. The criminal probably continues to operate the fake account. Jiten Shah from Borivli received an email from the 'Office of the permanent secretary for non residential taxation on international lottery award of the British Ministry of Finance, United Kigdom (sic)'. The letter offered him 500,000 pounds after he "cooperated" by paying 80 pounds as service charge. He trashed it right away.
What to do

* Fake online lotteries, windfalls and job offers are part of the spam network and should not be taken seriously

* Do not open dubious links for they could steal stored information from your computer

* Do not respond by divulging personal information, bank account numbers or passwords

* Never transfer money to them

* Reserve Bank of India does not seek account details from individuals

Where to complain
* The income-tax authorities and the apex bank advise victims to approach the local police or cyber crime cell and file a complaint.

Cyber Security

Cyber-security is the technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cyber-security. According to a December 2010 analysis of U.S. spending plans, the federal government has allotted over $13 billion annually to cyber-security over the next five years.

Ensuring cyber-security requires coordinated efforts throughout an information system. Elements of cyber-security include:

  1. Application security
  2. Information security
  3. Network security
  4. Disaster recovery / business continuity planning
  5. End-user education

One of the most problematic elements of security is the quickly and constantly evolving nature of security risks. The traditional approach has been to focus most resources on the most crucial system components and protect against the biggest known threats, which necessitated leaving some less important system components undefended and some less dangerous risks not protected against. Such an approach is insufficient in the current environment. Adam Vincent, CTO-public sector at Layer 7 Technologies (a security services provider to federal agencies including Defense Department organizations), describes the problem:

"The threat is advancing quicker than we can keep up with it. The threat changes faster than our idea of the risk. It's no longer possible to write a large white paper about the risk to a particular system. You would be rewriting the white paper constantly..."

To deal with the current environment, advisory organizations are promoting a more proactive and adaptive approach. The National Institute of Standards and Technology (NIST), for example, recently issued updated guidelines in its risk assessment framework that recommended a shift toward continuous monitoring and real-time assessments.

Data Broker

A data broker, also called an information broker or information reseller, collects personal information about consumers and sells that information to other organizations. Data brokers can collect information about consumers from a variety of public and private sources, including courthouse records, website cookies, loyalty card programs and promotional events. Typically, brokers create profiles of individuals for marketing purposes and sell them to businesses who want to target their advertisements and special offers.
Currently, there is no legislation that requires a data broker to share the information they have gathered with the consumers they have profiled. In an effort to provide transparency, however, the data broker Acxiom has created a web site called Aboutthedata.com. The site allows consumers to register, see what information Acxiom has collected about them and correct data that is wrong. Critics maintain that the website is just another way for the company to gather more data.
Data brokers may refer to themselves as being database marketers or consumer data analysts.

Wednesday, September 11, 2013

Denial of Service Attacks

Denial of Service Attacks (DoS Attacks) involve flooding a computer with more requests than it can handle. This causes the computer or web server to crash and results in authorized users being unable to access the service offered by the computer.

Another variation of a typical denial of service attack is known as a Distributed Denial of Service (DDoS) attack, wherein the perpetrators are many and are geographically widespread.

Incident 1 

A series of distributed denial of service attacks in February 2000 crippled many popular websites including yahoo.com, amazon.com and cnn.com.

Incident 2 

A series of more than 125 separate but coordinated denial of service attacks hit the cyber infrastructure of Estonia in early 2007. The attacks were apparently connected with protests against the Estonian government's decision to remove a Soviet-era war memorial from the capital city. It is suspected the attacks were carried out by Russian hackers. The attacks lasted several days.

Web Jacking

Just as a conventional hijacking takes over a plane or vehicle, web jacking means taking over control of a website. The purpose may be political or monetary. It can be done by cracking the password that controls the website and then changing it, so that the actual owner of the website no longer has control. There are many ways in which a hacker may obtain the credentials; the most common is using password-cracking software to guess the password.

In an incident reported in the USA, the owner of a hobby website for children received an e-mail informing her that a group of hackers had gained control over her website. They demanded a ransom of 1 million dollars from her. The owner, a schoolteacher, did not take the threat seriously. It was 3 days later that she came to know, following many telephone calls from all over the country, that the hackers had web jacked her website. They had altered a portion of the website which was entitled "How to have fun with goldfish". In all the places where it had been mentioned, they had replaced the word 'goldfish' with the word 'piranhas'. Piranhas are tiny but extremely dangerous flesh-eating fish. Many children had visited the website and believed its contents. These unfortunate children followed the instructions, tried to play with piranhas, which they bought from pet shops, and were very seriously injured.

Thursday, July 25, 2013

Preventing e-mail address forgery

Spammers can forge, or "spoof," a domain's From email address to make their spam look like it came from someone in your domain. To help prevent this, it is recommended that mail sent from a domain be authenticated.

Authenticating mail from your domain can be done in two ways:

1. by adding a digital signature to your messages that conforms to the DomainKeys Identified Mail (DKIM) standard, and
2. by creating SPF records in your domain's DNS

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message that is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Its reputation is the basis for evaluating whether to trust the message for further handling, such as delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

More details can be found at http://www.dkim.org

SPF (Sender Policy Framework) is a sender authentication method through which the administrator can specify which hosts are allowed to send email on behalf of a domain. The sending domain adds a specially formatted TXT record to its DNS zone identifying all authorized mail servers. The receiving mail server looks up the sending domain's DNS record to see whether the IP address from which the message originates matches one of the authorized addresses.
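The receiving-side check described above, as an added example that is not code from the original post: the sender domain's SPF record is looked up and the connecting IP is tested against it. To run offline it evaluates only the ip4, ip6 and all mechanisms (include, a, mx and redirect need live DNS); the domain, record and IP addresses are constructed sample values.

```python
# Added example: minimal SPF evaluation on the receiving mail server.
# Only ip4/ip6/all are handled so no DNS is needed; all values are constructed.
import ipaddress

# Constructed stand-in for DNS TXT lookups of a hypothetical domain.
FAKE_DNS_TXT = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

# SPF qualifier prefix -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples.
    Returns None when the record lacks the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # an omitted qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_host(record, sender_ip):
    """Evaluate sender_ip against one SPF record; the first match wins."""
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in terms:
        if mech == "all":                    # "all" matches every address
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed address block
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"             # include/a/mx/redirect need DNS
    return "neutral"                         # nothing matched and no "all"


def verify_sender(mail_from, sender_ip, dns=FAKE_DNS_TXT):
    """Receiver-side check: take the domain from the envelope sender and
    evaluate the connecting IP against that domain's SPF record."""
    domain = mail_from.rpartition("@")[2].lower()
    record = dns.get(domain)
    if record is None:
        return "none"                        # domain publishes no SPF record
    return check_host(record, sender_ip)


if __name__ == "__main__":
    print(verify_sender("alice@example.test", "203.0.113.45"))   # pass
    print(verify_sender("alice@example.test", "198.51.100.7"))   # fail
```

A "fail" result is what lets a receiver reject or flag a message whose From domain is yours but whose sending host is not one you listed.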