Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

• During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/); followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and  Apache (24).
• During the same period, Android-based smartphone suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

“Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scams, often referred to as “ransomeware” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomeware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet port and materials with violent content.

Before installing apps on your smartphone, the report’s authors advice consumers to:

1. Be ready to give out some personal information.
2. Know that a third-party will gain access to your personal information.
3. Know the app developer’s reputation

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).

ICO Updates Requirements For Data Breach Disclosures

The Information Commissioner’s Office (ICO) recently updated its data breach disclosure regulations for ISPs and telecommunications providers in the United Kingdom. To make reporting requirements easier for businesses, the ICO suggests that companies submit a list of data breaches monthly.

However, companies would still need to report major breaches in detail and separately. The existing regulations require companies' breach disclosures to include:

"The nature of the breach; the consequences of the breach; and the measures taken or proposed to be taken by the provider to address the breach."

The existing regulations require companies to maintain a log of any breaches affecting consumers personal information, and to provide affected consumers or customers with a breach notification covering:

"The nature of the breach; contact details for your organisation where they can get more information; and ow they can mitigate any possible adverse impact of the breach."

Companies do not have to report data breaches where the data is protected by encryption. The ICO describes itself as:

"... the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."

A 24 Year Old Student Issues The Challenge: Europe Versus Facebook

Whether you use Facebook or not, this bears watching. After researching the issues, a 24 year-old student from Vienna is challenging how Facebook treats members' personal information: data collection and deletion. Not liking what he found, his next steps were a series of 22 clear and well-reasoned complaints submitted to the Irish Data Protection Commissioner, since European users have a relationship with the Facebook subsidiary located in Ireland.

According to Kim Cameron's blog:

"Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel. As part of the documentation, they publicised the procedure Max used to get his personal CD... So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement..."

The article confirms what I found in this prior post about Facebook social plugins: they monitor your usage across the Internet whenever you visit a site with the Like button (or other Facebook social plugins). Using a different web browser may or may not provide the privacy you seek.

For English, click on both the CC and annotation icons to see subtitles in English.

France Isses New Breach Notificaton Law for ISPs And Telecommunications Companies

Information Age reported that Internet service providers and telecommunications companies operating in France must report data breach to both the affected consumers and government regulators. The France lesgislation defines a data breach as:

"... any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure or unauthorised access to personal data."

ISPs operating in France must report data breaches to their regulator, the the Commission nationale de l'informatique et des libertés (CNIL). Violators face both prison time and a Euro 300,000 fine. Germany and Spain have similar breach notification laws, but the fines are far lower -- less than one percent of the fine in France.

Hays Apologizes For Email That Caused Breach At Royal Bank of Scotland

An employee at Hays, a global staffing and recruitment company used by the Royal Bank of Scotland (RBS), apparently sent an email which caused a data breach at RBS. According to the Kroll Ontrack Data Recovery blog, the email message:

"... detailed the pay rates of around 3,000 contract employees and was sent to some 800 RBS staff... Research by the Ponemon Institute earlier this year revealed that 19 per cent of data security breaches in the UK were caused by mistakes with emails..."

In 2009, the UK Office of Fair Trade fined hays 30.4 million pounds for price-fixing violations, allegedy to prevent a competitor from entering the construction industry.

In 2008, a hacker broke into the computer systems of RBS' payment processing unit, RBS WorldPay. About 1.5 million records were stolen, including the Social Security Numbers of about 1.1 million consumers. Several class-action lawsuits resulted from that data breach.

A year ago this month, the UK Financial Services Authority (FSA) fined members of the Royal Bank of Scotland Group (RBSG) 5.6 million pounds (about US $8.9 million) for failing to have adequate processes and controls, when RBS allegedly performed money laundering to companies on the UK financial sanctions list.

Kroll Ontrack provides a variety of services for companies to search, analyze, and recover data, including computer forensic analyses. In 2007, IBM hired Kroll to assist with IBM's February 2007 data breach. Kroll provided credit monitoring services to IBM's data breach victims.

KPMG Survey: A Typical Corporate Fraudster Is...

KPMG recently released its 2011 Who Is A Typical Fraudster? report, describing the profile of a typical corporate fraudster, the impacts and amounts stolen, industries where fraud tends to concentrate, and the conditions which enabled the fraud. The report included 348 events in 69 countries. The fraud events included "white collar" crimes such as:

"... misstatement of financial results, theft of cash and/or other assets, abuses of expenses, and a range of other fraudulent acts."

The report excludes acts of no material value and misconduct.The report does not mention names. The average duration of the fraud was almost three and a half years from the start until its detection. In 74% of the incidents, fraudsters exploited weak internal controls. Companies fail to read and act quickly on the warning signs:

"The number of fraud cases preceded by a red flag rose to 56 percent of cases in 2011, from 45 percent in 2007... Just 6 percent of initial red flags were acted on in the 2011 analysis... Rarely is an act of fraud a one-off... In 2007, 91 percent of fraudsters were repeatedly fraudulent, compared with 96 percent in the 2011 analysis."

The average loss was $1.4 million in Asia Pacific, $1.1 million in the Americas, and $900k in Europe. The report described the following as one of the most interesting cases in the United States:

"At a U.S. financial institution, a larger-than-life chief executive surrounded himself with an inner circle of "yes men." The fraud, which involved subterfuge and complex bundling and unbundling of loans and transactions to make bad loans appear good... The investigation quickly uncovered conflicting stories told by the CEO's inner circle and the people working with the loans and customers. This case illustrates, in particular, how dominant and bullying behavior can coerce others to participate in fraudulent activity."

The corporate fraud includes identity theft. A case from Switzerland:

"Fraudsters attempt to extract money from dormant accounts or they assume the identity of a customer to trick advisers into making payments or transfers. Often this involves the collusion of an external party with an internal ally..."

I also found the consequences interesting:

• Disciplinary action: 40% of cases (54% in the Americas; 23% in Asia Pacific)
• Regulatory, legal enforcement: in 45% of cases
• Civil recovery: 23% of cases
• Resignation/voluntary retirement: 17% of cases (25% in Asia Pacific)
• Out-of-court settlement: 6% of cases
• No action taken: 3% of cases

The profile of a typical corporate fraudster:

• Male (87% were men)
• 36 to 45 years of age (41% were ages 36 to 45; 33% were ages 45 to 55)
• Committed the fraud against his own employer (90% committed the fraud against their employer)
• Works in the finance function or in a finance-related role (32% worked in finance; 26% were CEOs; 25% were in operations/sales)
• Holds a senior management position (29% were in management; 53% were in senior management)
• Employed by the company for more than 10 years (33% employed more than 10 years; 29% employed 3 to 5 years; 26% employed 6 to 10 years)
• Committed the fraud in collusion with another employee (61% acted with others)

The report mentioned this about collusion:

"... male perpetrators (64%) are almost twice as likely to collude than women (33%). After taking account of male dominance in the perpetrator group, collusive females account for just 4 percent of activity. Perpetrator groups are most typically all-male or mixed gender."

KPMG is a tax, auditing, and advisory firm operating in 144 countries. A KPMG auditor caused a data breach in May 2010 when the auditor lost a flash drive containing 4,500 unencrypted patients records.

German Teen's Facebook Party Invite Creates Out Of Control Party

If I had to pick only one story to highlight the need for good security settings on your social media accounts, I'd pick this story.

The Huffington Post reported that a teenage girl in Hamburg, Germany wanted a birthday party with a few friends and family, but didn't check her security settings for the party invite on Facebook. Instead, the Facebook invite was public and went viral.

The teenager and her parents quickly realized the problem when 15,000 people accepted the party invite. They cancelled the party, sent several party cancellation notices, and informed local police. The parents also hired a security service to protect their home. This was a wise move, since 1,500 people showed up for the party despite the cancellation notices. About 100 police officers managed to keep order.

Yet Another Data Breach At Sony; Playstation Network Returns Online in Phases

Several news organizations reported that hackers attacked Sony Ericsson's Canadian eShop website. This latest Sony data breach affected only about 2,000 consumers. The Canadian eShop website provides accessories and support for phone customers. At press time, portions of the Canadian eShop website were unavailable.

The Canadian eShop breach is more bad news for Sony after massive data breaches at its Playstation Network and Online Entertainment units. Sony forecasts its breach-related costs in the United States at $171 million for the coming fiscal year ending March 2012, excluding any lawsuits.

On Tuesday last week, Sony disclosed a breach at its Sony Music Entertainment Greece website, which affected about 8,500 customers. Sony also disclosed that an unauthorized user had accessed and changed its Sony Music Indonesia website, and a hacker may have accessed its Thailand website to send e-mail spam.

On Friday May 27, Sony announced a phased restoration of service at its Playstation Network unit:

"... Sony Network Entertainment International (SNEI, the company) will begin a phased restoration of PlayStation®Network and Qriocity Services in Japan and Asian countries and regions including Taiwan, Singapore, Malaysia, Indonesia, and Thailand*1 on May 28. A new identity protection program will also be offered in conjunction with the phased restoration for PlayStation Network and Qriocity customers in Japan..."

Second Sony Data Breach Exposes Personal Data of 24 Million Consumers

You've probably heard of the massive Sony Playstation Network data breach that affected 77 million customers. Well, there has been a second Sony data breach.

In a May 2 press release, Sony Online Entertainment (SOE) announced that hackers had breached its servers and stole consumers' sensitive personal information, including name, address (city, state, zip, country), email address, gender, birth date, phone number, sign-in credentials (e.g., login name and hashed password), and debit/credit card account information:

"Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained."

The stolen bank account data included bank account number, account holder name, and account holder address. All of the above stolen personal data is sufficient for identity criminals to open fraudulent accounts and/or access existing accounts. SOE is notifying affected consumers via e-mail with Innovyx, their third-party email distributor. Reportedly, the e-mail notifications will contain either 'soe.innovyx.net' or 'soe.sony.com' in the sender field. SOE has also:

"Temporarily turned off all SOE game services; engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and quickly taken steps to enhance security and strengthen our network infrastructure..."

In a May 3 press release, SOE announced an update of their breach investigation:

"This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen..."

Since SOE gaming websites are down, SOE will add 30 days onto its customers' subscriptions and compensate them for each day of downtime. SOE produces popular, multi-player online games, including EverQuest, EverQuest II, Champions of Norrath, Clone Wars Adventures, and DC Universe Online.

Given that debit and credit card data was stolen, consumers should check their bank accounts for fraudulent entries and change their sign-in passwords. The SOE breach notification contains the usual disclosures advising consumers to check their credit reports for fraudulent entries and to contact the U.S. Federal Trade Commission's identity theft website for advice and tips about how to protect themselves and their bank accounts.

The Four Pillars of Online Data Privacy

A few weeks ago, I blogged about personal identity information values -- shopping and acting online consistent with what you deem important. eGov precently published comments by the European Union (EU) Justice Commissioner, Vivianne Reding, about privacy for individuals. Reding's view of privacy for individuals in an online digital world includes four pillars:

1. The “right to be forgotten” - a combination of consumers' right to withdrawn or opt-out of any data collection efforts by companies, and the burden on companies to prove first that they have a need to archive and store the sensitive personal information of consumers they have already collected.

2. "Transparency" - to build consumers' trust, companies should fully disclose and inform consumers about what personal data they collect about consumers and why, how they use the personal data collected, the names of all third-party companies they share personal data with, the rights of consumers for remedies when consumers' rights are violated, and the risks with the personal data companies ask consumers to share.

3. "Privacy by default" - in too many instances companies build websites with privacy controls that are so complicated and convoluted that consumers can't effectively make their personal data private. In these websites, there really isn't any privacy and the websites' privacy controls don't reflect consumers' true consent. Reding believes that this situation must change, and that private should mean private.

4. "Protection by data location" - privacy standards for EU citizens should be consistent regardless of where consumers' personal data is stored. For example, if an EU resident's personal data is collected and stored by a U.S.-based company, then that company must comply with EU privacy standards, not U.S. privacy standards.

All of these pillars make perfect sense to me, but I see the fourth pillar being particularly tough. It's logical extension would force a website operator to konw, track and comply with a multitude of countries' varying privacy policies. My impression is that many corporate executives would be unhappy with having to work within the boundaries of all four pillars (not just the fourth), when they usually don't have to today.

I especially agree with Reding about the risks stated in the second pillar. Explanations about risks from sharing personal data apply to all consumers, but especially to youth who don't yet understand how business works and how companies use personal information. The risks and consequences should be explained to consumers about personal data that companies may make public permanently that consumers cannot make private again.

Over at the Guardian UK, columnist Mayes contests Reding's second pillar:

"But does the "right to be forgotten" really have a sound basis? In British law there is no right to be forgotten, but there are a host of laws to protect your identity and personal data... But to say there should be a right to be forgotten is to say we can live outside society. We can't."

To me, it's not about living "outside of society." For a lot of perfectly valid reasons, a consumer may decide to live off the grid, or entirely off-line. It is about consumers' control; the ability to control when and where your sensitive personal information is archived. Without the second pillar, there is no real control for consumers.

What do you think of these four pillars?

German Government Proposes New Data Breach Notification Law

In its "Privacy and Information Security Law" blog, the Hunton and Williams law firm announced that the German government has proposed a new data breach notification law:

"... telecommunications companies must report data breaches to the Federal Network Agency (the Bundesnetzagentur or “BNetzA”), and the Federal Commissioner for Data Protection and Freedom of Information. In the event the rights or protected interests of subscribers or other persons are affected by the data breach, such individuals also must be notified without undue delay."

While the notification of affected consumers is not required if the data is encrypted, the BNetza retains the right to require any telecommunications companies to notify consumers regardless of the data security protections in place at the time of the breach.

The new breach notification rules are part of broader changes under the European e-Privacy Directive, scheduled to go into effect in May of 2011. Other changes in these new European Union directives include tightened rules about how companies treat, collect consumers' data, and obtain consent with consumers' web browser cookies.

St. Petersburg Times Interview: Heartland's Chief Information Officer

Recently, the St. Petersburg Times interviewed Steven Elefant, the Chief Information Officer Heartland Payment Systems hired after its disastrous data breach in 2009. With 130 million debit/credit card numbers stolen, that data breach was the largest corporate data breach in history. Consumers at banks and credit unions were affected. Several class-action lawsuits resulted and Heartland paid numerous fines, as banks had to reissue debit/credit cards to affected breach victims.

Prior to joining Heartland, Elefant held positions within the U.S. Secret Service and the F.B.I. crimes tasks forces. I found some of Elefant's comments very interesting, as it highlights the global nature of identity theft and fraud. About the person caught and convicted of the breach:

"... Gonzalez was not the mastermind. He was working with organized criminal rings in Eastern Europe, Ukraine and Russia. They will sell your stolen credit card numbers today over the Internet for $5 to $20 apiece. U.S. law enforcement knows exactly who they are but cannot get them extradited. Some of these countries have no cyber crime laws, so they cannot arrest them there..."

Thieves make money with stolen debit/credit card account information when they:

"... sell the numbers to other bad guys who obtain blank cards and an imprinter — used ones are available on eBay or Craigslist — and print their own credit cards or make counterfeit gift cards. They use the cards to buy big-ticket items like a $1,000 TV they sell for $500 to people who don't realize it's stolen merchandise."

About how Heartland's retail clients have responded after the breach:

"We lost very few clients and have been flat since then. So far about 10,000 of our 250,000 merchants have adopted end-to-end encryption."

If you want to learn more about Elefant, there is a good article at BankInfo Security.

Video Shows How Thieves Install And Use an ATM Skimming Device

This blog has discussed how to recognize skimming devices attached to ATM machines. According to Wired magazine, law enforcement authorities in Europe seized the video below from an identity thief's actual surveillance camera. The video shows:

• The thief attaching a tiny surveillance camera to the ATM machine
• The thief attaching the skimming device to the card slot
• Bank customers entering their debit cards and PIN numbers

Thieves use the tiny surveillance camera to record bank customers' PIN numbers as they entered them. Thieves use the skimming device on the card slot to copy all of the data stored on the magnetic strip of bank customers' debit cards. Both devices transmit their contents via a wireless connection to the thief's laptop computer somewhere nearby.

With these pieces of bank account information, thieves then create duplicate debit cards and return to one of your bank's ATM machines to drain all of the money from your checking (and savings) account. And, you'll never know it until a check bounces, you try to withdraw cash, or you check your account balance.

The video shows some bank customers safely covering their hands when entering their PIN numbers. To protect your PIN number and bank account, you should cover the hand you use to enter your PIN number. Watch all of this video:

Alert users will notice that this ATM machine is accessible via a public sidewalk. I do not use these ATM machines. I use only the ATM machines behind a locked door at my bank's ATM booths.

Theft by ATM skimming devices is a nationwide problem. Experts say that every year ATM machines dispense about $1 trillion dollars (that is $1,000,000,000,000), and theft by ATM skimming devices is less than one-half of one percent of that total -- still a huge amount of money. So, the problem is not going away anytime soon. Plus, the ATM skimming devices are getting smaller and more sophisticated.

As good as the above video is as a training tool, it won't help you at gas stations because thieves often insert skimming devices inside unattended gas station pumps. To learn about how to protect yourself at gas stations, read this blog post.

Insider Identity Theft And Fraud at Bank of New York Mellon

Since its huge data breach in 2008, breach news about the Bank of New York Mellon catches my attention. Last week, the New York Country District Attorney's Office announced in a press release:

"... Adeniyi Adeyemi, 27, a computer technician formerly employed as a contractor at the headquarters of the Bank of New York. ADEYEMI admitted to stealing a list of personal identifying information of 2,000 bank employees, and using this information to orchestrate thefts of more than $1.1 million from charities and nonprofit organizations, among other institutions, over an eight-year period. ADEYEMI pled guilty to the top charges in the indictment, Grand Larceny in the First Degree and Money Laundering in the First Degree, as well as to the felony charge of Computer Tampering in the First Degree."

This event is noteworthy for a couple reasons. First, many consumers assume that banks have airtight data security and don't suffer data breaches. That clearly isn't so. You can find several stories in this blog about breaches at financial institutions and banks.

Second, insider identity theft is arguably one of the tougher crimes to stop because banks trust their employees to work with consumers' sensitive personal and financial information to perform critical bank operations. This latest breach shows the lengths to which criminals will go to steal consumers' financial account information. Adeyemi opened fraudulent bank accounts with the stolen employees' personal and financial information; stolen money from both the charities and his coworkers; wired stolen money through fraudulent E*Trade and Fidelity accounts, and into the the fraudulent bank accounts he'd set up; and wired money on to more fake accounts where he ultimately pocketed the stolen money. More than 12 charites were victims.

I wonder if Adeyemi truly acted alone.

Third, this breach should be a reminder to all consumers to vigilantly protect your financial account information (e.g., routing and bank account numbers) and to monitor your financial accounts for fraudulent entries. While that won't stop insider ID-theft, consumers will spot fraudulent activity on their accounts sooner.

Another news item highlights just how far identity criminals will go to steal consumers' financial account information. They will attach banks from the inside or outside. InfoSecurity magazine reported:

"... online banking users are being targeted by 'regional malware' that flies under the radar of IT security software... Silon.var2, which resides on one in every 500 computers in the UK compared to one in 20 000 in the US, and Agent.DBJP, which has been detected on 1 in 5000 computers in the UK compared to 1 in 60,000 in the US."

So, consumers need to keep the anti-virus software on their home computers loaded and up-to-date. Visit websites you trust and don't click on fake banner ads that claim your computer is unprotected. Be smart about the links you click on. Use a product like McAfee SiteAdvisor to help you avoid virus-infected sites when using a search engine site.

The InfoSecurity magaine article highlighted the fact that banks need to do more about computer viruses:

"... to fight the problem, regional malware Trusteer recommends banks work together, share information, and pro-actively try to identify and target regional malware.They should also actively investigate regional malware in order to understand how the malware works..."

The combination of the latest Bank Of New York Mellon breach and the malware study should be a strong reminder to bank executives of the threats from both inside and outside.

Several States' AGs To Investigate Data Collection By Google Street View

In a press release earlier this week, the office of the State of Connecticut Attorney General announced that it will lead a multistate investigation into the collection of personal information by Google Street View cars. As many as 30 states may join the investigation. Blumenthal said:

“Street View cannot mean Complete View -- invading home and business computer networks and vacuuming up personal information and communications. Consumers have a right and a need to know what personal information -- which could include emails, web browsing and passwords -- Google may have collected, how and why Google must come clean, explaining how and why it intercepted and saved private information broadcast over personal and business wireless networks."

The investigation will consider what may have been broken and whether changes to state and federal statutes are necessary. Some of the questions posed by investigators:

• Was data collected by Google ever extracted and if so, when and why?
• How did purportedly unauthorized code -- which captured data broadcast over unencrypted WiFi networks -- become part of a Street View computer program?
• Who inserted what Google calls unauthorized code into the program and why?
• Have there been other instances of engineers writing unauthorized code into Google products to capture consumer data? (And if so provide all instances and full details)
• Why did Google save data it says was accidentally collected?

That list is a good start at question which should be asked. I applaud the AGs for taking action. Follow-through is important here.

Earlier this month, Google reported that personal wireless information collected in Austria, Denmark, and Ireland was deleted. Investigations of Google Street View are underway in Canada, Belgium, Britain, the Czech Republic, France, Germany, Italy, Spain and Switzerland.

I have used Google Street View and found it a useful application. The neighborhood in Harlem where I grew up is in Google Street View. As Google said in June in a letter to Congressional representatives:

"Street View is a feature of Google Maps that allows consumers to view 360-degree panoramic street-level photographs. The photographs are taken by cameras mounted on Google’s Street View cars and depict what is visible from the street. WiFi information is not linked with Street View imagery, and Google does not share this WiFi information with third parties... The system detected and collected WiFi network data, including SSID, MAC address, signal strength, data rate, channel of the broadcast, and type of encryption method... Recently, we became aware that we had mistakenly included code in our software that collected samples of “payload data” -- information sent over the network -- from open (unencrypted) networks. Payload data from closed (encrypted) networks was not stored."

That's some significant data collection. The point here is the goal of Street View cars is to shoot video of locations, not capture wireless information. I can see the cars needing to transmit imagery to Google servers, but the broader collection seems way out of bounds.

And if the Google Street View cars' drivers paused in any locations for a period of time -- say at traffic signals, traffic congestion, on the road side to make a phone call or send a text message -- more data must have been collected at those locations.

Questions I have and want answered:

• I am sure that data collection was more extensive in some locations versus others. Which locations? The talented folks at Google should produce heat maps of its data collection by city, urban area, and residential areas.
• Did the data collection vary by driver? If so, who?
• What QA testing was done with the Google Street View cars before the cars were released to residential enter neighborhoods?
• This data harvesting went on for three years. Nobody at Google noticed the increased server memory storage requirements for this harvested personal information?
• "Unauthorized code" suggests that an executive approved development of this code for use in a different application. So, who approved development of this code and what different application(s) was it intended for?
• Companies are required to notify consumers of a data breach, when people not authorized to access/view sensitive personal data do so. What about enforcement of a breach notification to consumers by Google... as required in about 35+ states?
• Has the "unauthorized code" and data collected been removed from the Google Street View cars, and from data center backup tapes/servers?
• What assurances can Google provide that "unauthorized code" isn't installed in other Google applications?
• What steps is Google taking to prevent an event like this from happening again?

Maybe now, Google executives will realize that consumer trust has been broken. That needs fixing.

What questions do you want answered during the investigation?

Identity Thieves Upgrade Their ATM Skimming Devices

In case you hadn't seen this news report:

Visit msnbc.com for breaking news, world news, and news about the economy

As I wrote previously about ATM skimming devices, my advice for consumers:

• If an ATM machine looks like it has a skimming device attached, use a different ATM machine. Don't try to remove the skimming device. Notify law enforcement and or the bank.
• Experts recommend that consumers check their bank statements frequently for fraudulent entries and cash withdrawals, because it is difficult to spot skimming devices
• Use ATM machines that are in well-lighted and in public places
• Anybody can buy and operate an ATM machine, so I only use ATM machines from my bank. When you use an ATM machine, you are trusting that retail store to keep that ATM machine secure
• I avoid unfamiliar-looking ATM machines because it is harder to spot an ATM machine that may have a skimming device attached

Global Credit Card Theft Ring Busted in 14 Countries

I always like to acknowledge the good work of law enforcement with identity theft and fraud.

Reportedly, police arrested 178 people in 14 countries (including the USA) in an international credit card scam operation. The credit card theft ring reportedly stole 120,000 credit card numbers and cloned 5,000 credit cards. The theft totaled about 20 million Euros. The arrests resulted after a two-year investigation.

As if this wasn't enough, police alleged that the theft ring also conducted armed robbery, blackmail, sex trafficking, and money-laundering. Wow! A diversified operation.

It is early in the news cycle for this story. I am sure that over the coming days, more facts will emerge about this fraud operation. I'd like to know:

• If the credit card numbers stolen were from contact-less (RFID) credit cards
• How the theft ring stole credit card numbers (e.g., unsecured wireless hacks, ATM card skimmers, retail store card skimmers, cards swiped out of cardholders' view at restaurants, RFID card skimmers, insider ID-theft at a bank, or card transaction processor hack),
• Why the theft ring diversified with so man businesses,
• Which business the theft ring started first,
• If any of the stolen card numbers included debit card numbers and PINs, and
• If any of the money was transmitted to terrorist groups

A Conversation With Jens Muller, CTO at Maxa Research

Companies and online advertisers increasingly use both web browser and Flash cookies to track consumers' online usage and to collect personal information, often without notice and consent. Many consumers are unaware or unsure what to do about this.

I discussed this situation recently with Jens Muller, the Chief Technology Officer at Maxa Research. Maxa Research developed and offers the Maxa Cookie Manager software for consumers to manage, review, and delete the variety of cookie types that websites place on consumers' computers. Jens was gracious and answered all of my questions. Our discussion:

I've Been Mugged: Who is MAXA Research and what is your position/duties at MAXA?
Jens Muller: MAXA Research is an established (for 20 years) and innovative company for computer hardware, firmware, and software development. In the last years, our main focus lies in the areas of internet application development and security solutions. I am the CTO at MAXA and responsible for product development.

Mugged: For consumers that don't know, what are browser cookies and the dangers?
Muller: A browser cookie is a mechanism that allows a website to save information on the visitor's computer. This information is then automatically sent back to the original website when opening it the next time. This mechanism can be used for legitimate purposes, like keeping you logged in or retaining website specific settings (i.e., the chosen language). However, a website page can also assign a unique ID to a website visitor and save it in the cookie on their computer. This way, the website is able to recognize you over a long period of time, even years.

When large advertising networks use cookies, they can find out the user's interests and create a profile of the user's surfing habits. When this information is linked with information that can be obtained after logging into accounts, even more is shared with third parties. We call such cookies, which have no use for the user but are only good to track him, "web bugs."

Mugged: How are Flash cookies, "Super Cookies," and Silverlight cookies different?
Muller: Browser plug-ins additionally allow websites to store information on the user's PC, especially Adobe Flash. It is installed on virtually all computers and, for example, is used to display videos in the browser window. After ad companies found out that some users were deleting their standard browser cookies, they had the idea to also store the information in a Flash cookie. In case the browser cookie is deleted, they still are able to find out who the visitor is.

Flash cookies are widely unknown and difficult to delete or manage. Even worse, Flash cookies are browser independent (i.e., shared among all browsers on the user's computer). So, it does not help to use the Firefox browser to visit "privacy sensitive" websites and use the Internet Explorer browser to visit other websites. Flash cookies also stay active during a browser's "private browsing mode."

Our privacy test demonstrates this.

Mugged: When evaluating options to manage browser cookies, what should a consumer consider?
Muller: During the last few years, browser developers have added more options for cookie management. The amount of settings differs from browser to browser. Normal browser cookies can be adequately managed this way, with some manual action needed in every browser. Flash cookies cannot be managed this way and they remain active. Even the "Internet Security/Management" software products available today cannot handle Super Cookies.

I've Been Mugged: What benefits does the MAXA Cookie Manager software provide?
Muller: MAXA Cookie Manager allows the automatic management of all kinds of cookies:

• Browser cookies of all popular browsers and browser independent cookies are both listed and evaluated.
• Cookies of sites the user wants to keep can be organized in a white list while undesired cookies can be blocked using the black list.
• Known web bugs are recognized and can be deleted automatically.

Our website features two introductory videos about the software: video #1 and video #2.

Mugged: Many consumers like integrated software. Why didn't MAXA offer its cookie management software integrated with anti-virus or web browser software?
Muller: First of all MAXA Cookie Manager is not directly integrated, (like an add-on) into a specific web browser as it must be able to manage all cookies produced by all of the browsers and browser plug-ins on a user's computer. You are right that cookie management can be seen as a sub-task for anti-virus software which is, however, widely neglected. While malware actively harms your computer by executing malicious code, cookies "only" spill information to third parties and therefore infringe upon your privacy without you noticing it.

We are a small and innovative company and have therefore decided to develop this product standalone, as we have no anti-virus product in our portfolio. However, we are always open to other AV and security companies that would like to OEM our code/product.

Mugged: MAXA Cookie Manager currently runs only on Windows ® computers. What about a version for Mac/Apple iPad users?
Muller: Browser independent cookies indeed are a privacy issue for Macs, too. MAXA Cookie Manager is tightly coupled to the operating system and cannot easily be ported to Mac OS. Furthermore, the browsers available for Mac OS are different ones. If we receive enough demand, we might consider developing a MAXA Cookie Manager version for Mac OS in the future.

Mugged: My anti-virus software updates itself about every other day because threats change quickly. What updates can users expect with MAXA Cookie Manager?
Muller: The definition base for the algorithms that evaluate the cookies and recognize web bugs are regularly updated. Furthermore, users can establish their whitelist in MAXA Cookie Manager either by selecting from a list of popular websites we provide and update, or by iteratively adding websites whose cookies they want to keep. Users have the ability to delete all other cookies or to delete only explicitly blacklisted cookies.

Again, it is important to remember that a website setting a cookie itself does in no way immediately "infect" your computer as a virus would do. When the cookie stays present for a longer period of time, the site or ad network can gain more and more information about the user. Also, please note that we do not have a subscription model like most anti-virus solutions. People who buy MAXA Cookie Manager can use it as long as they want in this version. Multiple updates with improvements are free and web bug definition updates stay free. Occasional upgrades which may introduce a new feature to the software can be obtained for a reduced price if wanted - but again - the user can keep using the version he purchased as long as desired.

Mugged: I installed the BetterPrivacy add-on with my Firefox web browser to delete Flash cookies. Why should a consumer with this add-on also purchase the MAXA Cookie Manager Pro?
Muller: BetterPrivacy allows users to delete Flash cookies. In my opinion, it has a rudimentary whitelist, and it does not support the user's decision about which cookies to save or delete. MAXA Cookie Manager's evaluation feature helps users decide to delete or save a cookie. Also, a BetterPrivacy user would need to make the same settings for Firefox itself (in order to have the same rules to manage regular cookies) and possibly for other browsers he is using.

MAXA Cookie Manager's white and black lists affect all cookies of all technologies. MAXA Cookie Manager allows users to inspect the cookie's contents and to search for strings in cookies -- which BetterPrivacy does not offer. Finally, BetterPrivacy does not handle Silverlight cookies, which have the same power as Flash cookies, though Silverlight is installed on fewer machines than Flash.

Mugged: I visited one of the cookie software sites cookiecentral.com) to find your software. Where is it available for download/purchase, and why isn't it more widely available?
Muller: Good question. In my opinion, cookiecentral.com is trying to make money via website ads and software commission sales using its privileged domain name. Nevertheless we contacted them in the past and did not get any answer.

UPDATE: I contacted again recently and got a positive answer to add our software soon to the list of cookie managers. Compared to other companies we are relatively small and do not have a huge marketing budget. We try to differentiate via innovative products with fast and individual customer support. Sometimes we have the impression that companies or large websites ignore us and do not want to cooperate as they themselves depend on cookies for user tracking and have no interest in the spread of (good) cookie managers.

Nonetheless, we are listed on many websites like:

• Bits du Jour (having had the 24-hour deal recently)
• Download.cnet.com
• Tips and Tricks For PC
• Softpedia.com

Try a Google search using "maxa cookie manager" and you will find us on many more websites.

Mugged: Download.cnet.com lists dozens of cookie manager software products. Why should consumers use MAXA Cookie Manager?
Muller: I looked at the list. First, the large majority of these products do not support Flash cookies. Then, look at the date they were added. It seems nearly all of the software listed here is really old (last release more than 4 years ago). Therefore they already cannot support Google Chrome, a new browser, and probably don't support newer versions of Firefox. Finally, the points I mentioned above about the BetterPrivacy comparison also apply.

Mugged: Some cookies are needed to log into my financial accounts or similar websites. How can a consumer easily identify which (Flash and HTTP) cookies to keep versus delete?
Muller: The evaluation function in our MAXA Cookie Manager helps by highlighting the active cookies in different colors for: web bug / suspicious / unsuspicious / whitelisted. Furthermore, the whitelist wizard allows a user to add popular websites to the white list if he wants to keep the cookies. For the rest, most often, the domain name of the cookie will have something to do with the website whose service the user wants to use.

Mugged: While consumers can download your software at Download.cnet.com, the site's editors haven't reviewed it. When will a review appear here or elsewhere?
Muller: I had in mind that in the past there was a review, but even in the box "Previous versions" at the very bottom I could not find it any more when going back to all the previous versions. In order to re-schedule a review for download.cnet.com a major change in the software must be provided. So, we cannot trigger one immediately. However, lately we had a great response from the following Belgian CNet/ZDNet review (use an online translator if interested).

About a year ago, ZDNet.de listed MAXA Cookie Manager as its software pick of the week. We were reviewed in a couple of European print PC magazines, if interested I can supply more details. Also, we were mentioned in this EZine article about cookies.

Yet, the most relevant feedback we receive are comments from our existing customers in the product survey we send them after purchasing. These comments are visible at our website. Users often have good suggestions which we incorporate into new versions.

Mugged: What do you see in the future for cookie management software?
Muller: We see that people are getting more and more privacy aware lately, which is important as cookie use is spiraling out of control. While this increases the demand for cookie managing software, browsers supporting the new web standard HTML5 will, in the further future, definitely bring a change; and in my opinion render Flash useless. On the other hand, new plug-ins will emerge and with a tighter coupling of online and offline information, could make keeping one's privacy more and more difficult.

Cyber Criminals Trick Consumers To Wire Money To Overseas Accounts As "Money Mules"

In his Krebs on Security blog, Brian Krebs outlined a rather creative scam by cyber criminals. This story highlights how criminals tricked consumers to help them commit fraud by preying on consumers job search insecurities.

First the criminals hacked into the Delray Beach Public Library's computer systems to steal the library's financial account credentials. Then, the criminals created a bogus company to recruit fake empoyees to help them commit wire transfer fraud. The scam began to surface when the staff at a Florida library couldn't determine:

"... how or why nearly $160,000 had disappeared from their bank ledgers virtually overnight. The money was sent in sub-$10,000 chunks to some 16 new employees that had been added to the usual outgoing direct deposit payroll."

The criminals had hacked into the library's computyer systems to insert the bogus employees into the library's payroll, and to steal the library's money using the library's financial account credentials. Krebs described the plight of one fake employee:

"... 19-year-old Brittany Carmine... Carmine had just lost her job at a local marketing firm when she received a work-at-home job offer from a company calling itself the Prestige Group. She said after researching the company online, she decided it was legitimate, and filled out the paperwork to begin her employment. Just days later, she received a bank deposit of $9,649, with instructions to wire all but roughly $770 of that to individuals in Ukraine."

Not knowing she was working for criminals, Carmine followed the instructions she received and wired the money to separate accounts in the Ukraine and kept each wire transfer amount below $3,000 -- a limit that would trigger alarms at Western Union and Moneygram. Of course, the bank deposit Carmine received into her bank account was money stolen from the library, and:

"The next day, Carmine found she had a negative $9,649 balance at her bank, which froze her account and sent an investigator to hound her for the money. Brittany says she doesn’t have the money to pay back... The library would later learn that the attackers had swiped its online banking credentials with the help of a password-stealing computer virus, and then initiated a batch of sub-$10,000 transfers to Carmine and 15 other so-called money mules. Because staffers at the library noticed the fraud immediately, their bank was able to reverse most of the other bogus transfers and was willing to refund the library the remaining amount..."

Carmine was stuck because her bank had reversed the deposit to her bank account, and she had already wired money overseas to the cyber criminals. What should a consumer do to avoid getting scammed like this? The Privacy Rights Clearinghouse advises consumers:

1. "Do not give personal bank account, PayPal account, or credit card numbers to an employer.
2. Do not agree to have funds or paychecks direct deposited to any of your accounts by a new employer.
3. Do not forward, transfer, or "wire" money to an employer.
4. Do not transfer money and retain a portion for payment."

"Legitimate employers do not usually need your bank account numbers. While direct deposit of a paycheck is a convenience, if that is the only option an employer offers, then you should not accept the job. A legitimate employer will give you the option of direct deposit, but not demand that it is used. You should wait until you have met the employer in person before agreeing to a direct deposit option."

Follow this advice so you don't become a "money mule" in your next job. If you are already a scam victim, then you should:

1. "Close all bank accounts at the bank where the scam took place.
2. Order a credit report from all three credit bureaus every 2 to 3 months. Watch the reports for unusual activity. If you have given your SSN to the fraudster, we advise that you place fraud alerts on your three credit reports - Experian, Equifax, and TransUnion.
3. Victims of payment-forwarding scams should contact their local Secret Service field agent. The Secret Service handles complaints of international fraud. Fraud victims should also file a police report with local law enforcement officials as well.
4. Victims should report the company name, the job posting, and all contact names to the job sites where the scam was posted.
5. Victims should permanently close all email addresses that were associated with the job fraud."

U.K. Council Implements Encrypted USB Sticks To Prevent Breaches

Computer Business Review magazine reported that to prevent future data breaches, a United Kingdom organization has:

"... moved to prevent the leakage of any data from its network of 4,100 fixed and mobile desktops by issuing 900 tamper-proof and encrypted USB memory sticks to its workforce. IT staffs at Caerphilly County Borough Council, which is the fourth largest local authority in Wales employing around 9,000 people, have taken the precautionary steps to minimise the operational risk of a security breach..."

The council took this action to require employees to use only approved USB memory sticks and to protect the organization computer viruses. The council offered an amnesty program, where employees could swap any current un-approved USB memory sticks for the standard, approved devices. A company representative said that their computer system also provides a complete audit trail of USB memory device usage by each employee.