Credit Card Security

I recently had a miserable experience with credit card fraud and am not looking forward to having more high-tech credit cards in my pocket as a result. I was pumping gas at a Chevron station in East Palo Alto. All seemed rather benign and safe. I swiped my credit card in the embedded machine in the pump. It asked me for the usual zip code info, approved, and on I went with pumping the gas. I finished, took my receipt and drove off. About an hour later I got an email from Barclays Bank, which handles the Virgin America VISA card (really cool looking card), stating that I had possible fraud activity on my card. I checked it online and noticed that there were two charges at that same Chevron station: my first legitimate one and another larger, fraudulent one for $120. I promptly cancelled it and the Barclays Bank folks were really good on the phone.

I asked around with several friends as to how this might possibly have happened. It’s not definitive but it’s theorized that there was someone at the gas station with a wireless device that somehow had activated the embedded chip in my credit card and somehow got access to information that obviously made them capable of making a fraudulent charge on the card. Another possibility is that the gas pump somehow could have gotten hacked or intruded upon, allowing access to be gained to the cards that get swiped through it.

So there are many credit cards with the embedded chips in them for contactless payments with the terminals at several merchants. Are we headed full speed ahead into a brick wall of a security hole with this embedded technology? What else is at risk?

  • Our healthcare with smart tags or cards that carry our health information?
  • Our passports with the new smart chips in them?

Will the move to using our smartphones or cellphones be safer for doing payments and commerce?

Always Connected Criminals

I’ve written on the problem of contraband cellphones in the past and how much of a growing concern (and public safety threat) this issue is to the respective corrections officials dealing with it. More recently, Richard Stiennon of ThreatChaos forwarded me an article, from a source that reports a lot of news in Pakistan, on how Omar Saeed Sheikh, a militant being held in Pakistan for, according to the article, his arrest in Feb 2002 for the murder of US journalist Daniel Pearl, threatened the President and Chief of Army Staff of Pakistan…using his cellphone in a Hyderabad prison!

The article, titled “Jailed militant’s hoax calls drove India, Pakistan to brink of war,” states: “‘Omar Saeed Sheikh was the hoax caller. It was he who threatened the civilian and military leaderships of Pakistan over telephone. And he did so from inside Hyderabad jail,’ investigators said. The controversy came to light after Dawn broke the story, exactly one year ago, that a hoax caller claiming to be then Indian foreign minister Pranab Mukherjee was making threatening calls to President Zardari.”

“The very next morning, Nov 29, Hyderabad jail was raided by intelligence agencies and over a dozen SIMs were recovered along with two mobile sets. Majid Siddiqui, the jail superintendent, was suspended. ‘I don’t know much but it is true that some mobile SIMs and mobile sets were recovered from Omar Saeed Sheikh when he was in Hyderabad jail.”

It’s been said before that criminals would gladly conduct their illicit enterprises from within prisons using cellphones because it’s the safest place to be. This certainly rings true in the case of Omar Saeed Sheikh, whose cellphone had a SIM card from a UK wireless operator, so it looked like a UK cellular device roaming in Hyderabad. And over a dozen more SIMs were confiscated during a raid to obtain the contraband. This is only the scratch on the scratch of the tip of the iceberg. This problem will continue to grow without an effective technical solution to detect, track, and monitor or confiscate the contraband devices in all prisons worldwide. These Always Connected criminals will simply continue to easily obtain the same great devices and services that we as productive consumers enjoy and take for granted every day.

Open Mobile Platforms and Security

There will be an interesting intersection between open mobile platforms and network/information security looming on the not-too-distant horizon. In particular, security engineers and architects, threat analysts, and general enthusiasts for network and information security have a lot on their plates today with the vulnerability of compute endpoint devices and their subsequent infection with malware, which has the potential to create huge botnets fueling the “snowball effect” of malware propagation and disruption to networks.

Now, with the advent of mobile platforms and last year’s craze over “who’s more open than who” in terms of the mobile OS platforms, we start to see the next major inflection point: the potential for vulnerable endpoints, in sheer magnitude, and botnets like the Internet has never seen. Let’s look at the numbers. Gartner, IDC and other analysts have forecasted on the order of 100-120 Million new PCs to be sold in 2009. These are mostly laptops with a growing number of netbooks sprinkled in there. ALL of the laptops and netbooks will be equipped with WiFi, likely Bluetooth, and an increasing percentage with 3G mobile broadband. OK, so that is certainly a decent target addressable market (TAM) for any technology vendor to go off and provide a security solution for.

But the REAL numbers are in the forecasts for mobile devices…on the order of 1.3-1.4 Billion new devices sold just in 2009! So PCs are just a rounding error when you compare that with new cellular mobile devices. And forecasts for smartphones vary greatly, anywhere from 15-20% in 2009 with a trend towards 25-30% by 2012. These smartphones are small compute devices generally with open OS’s, multinetwork connectivity (3G, 2G, WiFi, Bluetooth), and are Always Connected.

We are increasingly using our mobile handsets for what previously was done only on a laptop or PC. We check and write emails, update our Facebook, visit numerous other social networking sites, perform searches for all sorts of things from restaurants to doing research, take pictures and post them to some of the same social networking sites, read RSS or blogs, and download files to do what I refer to as “mobile snacking” of the content (scan through a document or PowerPoint pitch for a quick read). Would a security architect or analyst agree that every single one of these actions on a PC would be considered threatening, hence the need for malware, content, and connectivity protection? You bet! And yet these handheld devices and the networks they connect to have generally ZERO protection from the threats!!

So how interesting would a botnet of not 1, 5, or 10 Million endpoints but 10, 50, or 100 Million endpoints be to a malicious code writer or some aggressive government elsewhere in the world looking to put another chink in the economic armor of the US? I don’t know…you do the math.