July 9-10, 2013
San Francisco, CA

Tickets On Sale Now

Last week I bought 13 laptops from WalMart.com. All were pretty cheap, between $500 and $700, but 13 of them added up to a rather hefty $8,000 bill on my MasterCard.

There were only two problems: I didn’t buy them, and they weren’t being shipped to my house.

I’d been hacked. Somehow, somebody in Sacramento, Calif., was going to get 13 Dell Inspirons at my expense. Lucky them … and unlucky me.

But not only unlucky me — a staggering one in four Americans report being a victim of identity fraud, according to a new study by Jumio, a leading credit card validation service for web and app-based commerce. And 83 percent of us worry about identify theft.

Source: John Koetsier

Fraudulent WalMart.com orders charged to my account

That’s a problem, because commerce is increasingly going mobile. Two-thirds of us own a smartphone and/or a tablet, and most of us plan to use them to buy things in the near future. A full 48 percent of us use our mobile devices to check something as sensitive as our bank balances. But as we do, we’re opening ourselves up to even more avenues of fraud and scamming.

“Users may be willing to accept risk now in favor of convenience, but this tolerance will weaken as fraud continues to grow,” Daniel Mattes, founder and CEO of Jumio, said in a statement. “The industry needs to get on board to protect our customers as much as the customers themselves need to take greater precautions.”

Investigators in my case suspected a phishing attack, in which you get an email purportedly from an online store that leads you to a fake but real-seeming site that then takes your credentials, but I had not clicked on any real or fake WalMart emails.

And so the only greater precautions that would have been useful would have been perhaps using unique passwords for each e-commerce site I use.

The problem of online and mobile security is a growing one. According to VISA, mobile commerce fraud was $2.7 billion in 2010, $3.4 billion in 2011, and $3.5 billion in 2012. And Cybersource says almost a third of all retailers experienced mobile fraud in 2012.

So what’s the solution?

Perhaps biometrics. Apple is said to be building a fingerprint sensor into the next iPhone model, the iPhone 5S. And Jumio’s survey says that 74 percent of us don’t feel that simple username/password security is sufficient. It certainly didn’t protect me — I was only fortunate enough to notice 13 thank-you-for-your-order emails from Walmart.com.

But biometrics won’t be available on every device, and won’t be an industry-standard smartphone feature for some time to come, if ever.

Meanwhile, according to Jumio, 69 percent of us would feel more comfortable sharing our personal information online, and buying via mobile, if there were more secure ways of storing that data online.

Source: Jumio

Mobile purchasing and banking activity

“For mobile to reach its full potential, the industry needs to adopt more consistent and accurate ways to identify and authenticate consumers,” Mattes said. “Only then will we be able to truly combat fraud.”

The question remains: How exactly that should be done?

The mechanisms for catching fraud after the fact, and protecting consumers from the consequences, are mostly in place. MasterCard canceled my credit card, WalMart canceled the transactions, and no harm was done. And big data solutions that the big credit card issuers including VISA and American Express employ to track consumers’ spending habits and suspend cards if odd or suspicious spending patterns start to emerge limit losses when the fraud proceeds successfully.

But that’s not the case every time: web and mobile security has a last-mile problem that isn’t going away any time soon.

photo credit: ToastyKen via photopin cc

After a rash of major Twitter account hacks, rumor says the company will be releasing two-factor authentication. While this is a great extra protection, it’s not the panacea many are looking for.

Over the past two weeks, three major news outlets — NPR, CBS, and the Associated Press — have all had their Twitter accounts hacked. In the AP’s case, hackers took over the account and tweeted about a bogus explosion at the White House. Following that breach, many called on Twitter to introduce that golden security measure: two-factor authentication.

We saw something similar when a journalist was hacked through Apple, prompting the company to figure out two-factor authentication for iCloud. The rumor now is that Twitter is going to release its own version of two-factor authentication. For that, we say, thank you, Twitter! But as PhishMe chief executive Aaron Higbee points out: that’s not the be-all, end-all solution to the problem.

“You would think this is obvious, but there seems to be a lot of undeserved criticism directed towards Twitter simply because AP employees fell for a phishing attack,” said Higbee in an email to VentureBeat, “Calling on Twitter to provide two-factor authentication doesn’t solve the AP phishing incident, nor would a long, frequently-changed password. That’s not to say it’s not worthwhile. Twitter should make an effort to offer two-factor for those that want it.”

The AP confirmed that the hack was preceded by a phishing attempt in a post about the incident.

Brian Krebs provides an excellent overview of why two-factor authentication could fail in such cases. Summarized, people set up phony phishing websites where targets are tricked into submitting their login credentials, which might include two-factor authentication codes. These codes often expire, but for many consumer sites, they are left connected for days because companies don’t want to create a barrier to entry.

Many of these spoofed websites are done really well. In the case Krebs writes about, hackers made a fake Citibank portal that served up error messages just like the real website would if incorrect credentials were supplied. That’s sophisticated and difficult to detect for us regular folk.

Higbee suggests that Twitter open up its own “group tweet” abilities so employees don’t have to share the same login credentials for an official company account. But education on phishing for all types of company employees could help too.

A group of pro-regime Syrian hackers called the Syrian Electronic Army took credit for all of the Twitter breaches, though we haven’t been able to independently confirm this is the case. The group has not mentioned any phishing in its congratulatory touting, but often targets publications based on their coverage of the conflict in Syria. If you’re one of those, it’d be wise to alert your employees to phishing attacks now.

Phishing image via Shutterstock

Why now?

Jeep’s Twitter account recently told the world that the iconic brand had been “sold to Cadillac.” And Burger King’s account started mysteriously promoting McDonalds. Two high-profile hacks in less than a week means, apparently, that Twitter had to take some action.

The hacks were due to phishing attacks, or sending out emails that look legitimate but, sadly, are not.

“There’s no shortage of bad actors sending emails that appear to come from a Twitter.com address in order to trick you into giving away key details about your Twitter account, or other personal information,” Twitter’s “postmaster” Josh Aberant posted this morning on the company’s blog.

Twitter sends out a lot of emails. If you opt into email notifications for new follows, mentions, and direct messages (little hint: don’t), you potentially get hundreds of emails a week. The problem is: how do you know the email in your inbox is from Twitter?

To make that determination easier, Twitter has adopted DMARC technology, an email authentication protocol initially developed by PayPal in 2007. Essentially, it helps receiving mailservers know, with a reasonable level of assurance, that an email’s reported sender is accurate, not spoofed, and not forged. Which then allows the mailserver to delete forged email before it ever reaches your inbox.

Facebook already uses DMARC and is listed as one of the founding contributors to the open specification, as is LinkedIn. Other organizations that use DMARC include Google (Gmail), Microsoft (Hotmail/Outlook), Yahoo (Yahoo Mail), AOL, and Comcast.

A note for emailers:

If you don’t use Gmail or one of the other email providers listed above, you may not be protected. It might be a good time to ask your mail service provider if they support DMARC.

photo credit: Stian Eikeland via photopin cc

On Dec. 31, people around the world will share resolutions to lose weight, become more productive, quit smoking, and read more often. But how many of them will resolve to secure themselves online?

We’ve seen cyber-attacks continue to increase in the last few years, and it’s not just the big guys like Google and Dropbox getting attacked. One of the biggest mistakes a company, or person, can make is to assume that they are too small to be a target.

Individuals are at risk, too: Consider the sad example of Mat Honan, the Wired reporter whose iPad, iPhone, and Mac were wiped because a hacker liked his Twitter handle.

But “securing your digital life” probably sounds like a daunting task, so we’ve put together five ways to get you, personally, on the road to a security-conscious state of being.

See those update notifications? Start using them!

Hackers are like groundhogs. They like holes. Once they find a hole (or make a hole), they can crawl through your system, leaving backdoors and other points of entry to get back inside. But in order to do that, the hacker has to get in first.

When companies discover holes, it is their responsibility to patch them up and send out an update to their users. We do hear the stories of attacking companies such as Adobe for taking their time to patch known vulnerabilities, but it’s in a company’s best interest to fix the hole, protect its servers, and protect you.

The only problem is that so many people don’t actually update their software. And I don’t just mean the software on Macs or PCs but on phones as well. When you see that little update button come through, whether it’s on your computer or your smartphone, take the time and go through the process.

You can use tools such as Qualys’ Browser Check to make sure your browser and related plug-ins are up-to-date. Try it right now, you might be surprised to find that some of your plug-ins are old and insecure.

Clean out your Facebook profile and read through the company’s privacy documentation

Your Facebook profile is an identity thief’s goldmine. It has your birth date, oftentimes your full name, your family members (their full names), your hometown, your current town, the schools you went to, your job, any groups you’re a part of, your political stance, your sexual orientation, your relationship status, and your photos. Anyone trying to answer a security question to get access to your bank account could likely find the answer on your Facebook profile.

You need to make sure you know exactly what is on there, and get rid of anything you feel could be used against you. If you’ve got 4,000 photos, go through all of them. If your posts were inappropriate when you first opened up Facebook, delete them. But don’t forget that anything you delete off of Facebook stays on its servers for some time, though the social network will eventually delete it completely.

You should also be aware of its privacy policies too. Facebook isn’t necessarily an evil, data-mining, privacy-upending machine. It’s a business that is trying to make money, and your data just so happens to be what it makes money off of. Get acquainted with what the Statement of Rights and Responsibilities and the Data Use Policy say, and “like” Facebook’s Site Governance page. Unfortunately, you’re not going to be able to vote on any of the policy changes anymore, but at least you can get to know them and provide constructive feedback to Facebook when you feel violated.

Protect your phone and understand what your apps are doing

How many of you have the banking application Mint on your phone, but you don’t have a pin or pattern password protecting the phone itself? As Lookout Mobile recently said in a blog post, “Our smartphone knows more about us than perhaps anyone or anything in our lives.”

The Federal Communications Commission recently created a set of simple tips smartphone owners should check out based on the type of smartphone they have, whether that’s iOS, Android, Windows Phone, or even BlackBerry. The tips only scratch the surface of how you can protect your phone, but it puts you in a security frame of mind. Check them out and download some of the suggested security apps before 2013 — a year guaranteed to be filled with all new exploits and hacks — gets underway.

But protecting what’s on the phone isn’t always the problem. Sometimes it’s the apps you’ve already downloaded that are taking too much of your information. We saw this early in 2012 when Path, a social app, was found to be siphoning off users’ contacts without permission.

Bitdefender, an antivirus company, created the tool Clueful that tells you what your iOS apps are doing when you aren’t looking. I typed in Angry Birds Free to see what it does. Clueful reports that it tracks my usage, can display ads, could track my location, uses an anonymous identifier, and encrypts stored data. Good to know. If you’re trying to download an app you’re unsure of, however, it’s probably good to do a little more research.

Don’t be fooled by phishing scams and spoofed websites

One of the most successful ways hackers get your information is simply by tricking you into giving it up. Sometimes it’s a prince in Nigeria who is desperate to give you $50 million. Other times it’s less obvious, like an email faked to look like it’s coming from LinkedIn but is actually just trying to get your account information. When it comes to these “spoofed” emails, it’s always best to hover over any link in the email before clicking on it, so you can see the link’s true destination. (This only works on a computer with a mouse, not a phone or a tablet, obviously.)

You should also be very suspicious if a company is asking you for your username and password. Most companies guarantee that they will never ask you for a password or credit card information via e-mail.

But it’s not just emails that get spoofed. The websites that are often associated with those emails often take a digital polyjuice potion and pretend to be a trustworthy site as well. In order to catch these sites before you enter personal information, F-Secure‘s chief research office Mikko Hypponen suggests using Flag for Chrome or Flagfox for Firefox.

“It’s a handy extension which shows a flag in the URL bar of the browser, indicating the country where the website is hosted. This comes handy in more cases than you’d think,” Hypponen told VentureBeat in an email. “For example, if you follow a link that you think should take you to your bank’s website but the Flag shows the site is hosted in Uganda, you should probably close the tab.”

Organize your accounts and passwords

This is going to be the most painful resolution: knowing where all your accounts are online. You’ve likely set up an account for nearly every website you frequent nowadays. There’s the obvious ones like Facebook and Gmail, but how about your favorite retailers, Amazon, Groupon, Gilt, your local newspaper, your blogging platform? The list goes on.

It’s important to know where you accounts are because it’s important to know all the avenues a hacker may take to get your information. Look at Wired reporter Honan. Earlier in 2012, Honan’s iPhone, iPad, and Mac were all wiped after a hacker got into his Amazon account. The information there gave the hacker enough information to answer Apple’s security questions and access Honan’s iCloud account. There the hacker held the keys to Honan’s digital kingdom. Cyber-criminals often use a daisy chain to hop from one app to the next until they get to their trophy.

Start with your Gmail inbox and write a list of every website that sends you spam email, you’ve probably got an account on each one.

Once you know where all your accounts are, you should divvy them up into different password categories. At the beginning of my career Dave Marcus, a director at McAfee Labs, suggested the tier system to me. Put your most valuable accounts at the top with unique passwords for each. This should include your bank account, Gmail, and Facebook.

The second tier should have one, difficult password for all your semi-important accounts, and the last tier should have one easy password for all the accounts you could probably get rid of anyway.

Right now people are saying that passwords are the bane of Internet security. But no one has found the safest, but still consumer-friendly, way to replace them yet (though companies like OneID think they’ve got the right solution). So, until then you’ll just have to use easy to remember, but difficult to crack passwords such as passphrases. (Think of three random words that mean something to you and put them together, like “dogpeppermintsport,” and you’ll have a workable passphrase.)

There are tools to keep track of your passwords too, such as One Password and LastPass, but keep in mind that by using them, you’re putting all your eggs into one basket. While these services might help you remember your passwords, they are themselves protected by — what else — a single password. Eventually everything breaks, so be prepared.

Hacked image via Shutterstock

Facebook serves anti-virus software to over 30 million people through its AV marketplace — a function you probably didn’t realize Facebook had. The company added seven new security companies to the mix today that will not only provide virus protection but will also help Facebook build its security tools.

The eight new anti-virus providers are Kaspersky, Total Defense, Webroot, Avast!, AVG, Avira, and Panda. They join Microsoft, McAfee, Symantec, TrendMicro, and Symantec.

The marketplace originally launched in April and gives Facebook users a variety of anti-virus software downloads as well as Facebook tips, a security guide, and updates on current threats. The downloads are free, but you’ll be prompted to pay after a six-month trial run.

In addition to providing free anti-virus software to Facebook users, these eight companies will also help Facebook develop its “URL blacklist system.” Facebook will be able to query the companies’ databases of viruses and malware to detect infected websites before users click on them.

The social networks says the system looks through trillions of links daily. And it seems the partnerships won’t stop there.

“Whenever you click a link on our site you are protected both by Facebook and 13 of the industry leaders in computer security,” said Facebook’s security team in a blog post. “We will be cooperating with these partners more in the future and look forward to announcing new tools soon.”

Separate from the anti-virus marketplace, Facebook also opened up a phishing “hotline.” Really, it’s just an email address, phish@fb.com, where users can report phishing attempts on Facebook. Still, phishing is one of the most commonly used ways to steal personal information. It’s important that the big guys like Facebook are paying attention to it.

Virus image via Shutterstock

Criminals have already started taking advantage of millions of stolen LinkedIn passwords that were uncovered today. Spoofed emails are being sent to LinkedIn users, phishing for personal information and redirecting traffic to Viagra-selling websites.

This morning 6.5 million passwords were apparently leaked from the business social network. The passwords were hashed, not plain text, and uploaded to a Russian website this morning. Researchers quickly looked into whether the passwords were legitimate, and LinkedIn later confirmed they were. The company released a blog post saying, “we can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.”

Any LinkedIn user who has not yet changed their password should do so immediately.

But be careful not to do so through an email prompt. Eset security researcher Cameron Camp explained in a blog post today that a number of LinkedIn users have been receiving emails from the social network asking them to confirm account information. Camp has found these to be false emails, spoofed by cyber criminals to look like legitimate notifications from LinkedIn. Indeed, the first link in one of these spoofed emails will take you to a website selling Viagra.

These types of spoofed emails are unique to today’s incident, but there’s a chance that criminals could take this opportunity to attempt to phish personal information out of unsuspecting LinkedIn users.

hat tip The New York Times; Phishing image via Shutterstock

We knew it wouldn’t be long before Pinterest, the image-based social network, would attract spammers. We spotted a new scam on the site today, luring users to click for coupons to popular stores.

Pinterest is growing rapidly with an estimated 13 million users since its birth in the last 10 months. The site allows you to grab images from the web using the “pin it” bookmark tool, which then publishes the image to your Pinterest “board.” A board is a collection of images associated with a particular theme such as recipes. The pins often entice people to click through to the original website to, for instance, get a recipe or purchase a shirt.

Because Pinterest makes it so easy to post any image, and because the images are linked to outside websites, it is a petri dish for sleazy marketing tactics — one that is just starting to be used.

“I know that users aren’t very familiar with the platform, so they’re more easily scammed,” said Cameron Camp, a security researcher with ESET, in an interview with VentureBeat.

While surfing Pinterest last night, I saw the above image, a coupon offer for the Cheesecake Factory. It is set up to look like a promotion exclusively for members of the growing social network, but it doesn’t actually come from the Cheesecake Factory. If you click on it, your browser redirects itself several times and winds up at a survey site.

Many businesses try to entice new customers with customized promotions, but this simply looks scammy. This isn’t the only one: Security company Trend Micro noticed a few of its own fake promos, including Starbucks and Coach handbags. According to Trend Micro, the images lead to a survey site, which first prompts you to re-pin the image to get the coupon code. It is not yet known whether the image downloads any malware to the victim’s computer. This falls more in line with a phishing scam, promising discounts for personal information.

Camp explained that the phishing scam is quite new, appearing only within the last couple weeks. He has also seen e-mail scams that appear to be from Pinterest, but are really spoofed by cyber criminals. But there’s a reason why such similar scams appear across social networks such as Facebook, Google+, and Twitter.

“There’s an entire behind the scenes machine that’s already in place,” said Camp. “They have the ability to flood the market extremely fast … You just plug it in to [the] network and off it goes.”

Cyber criminals are business people as well. They have found a way to quickly and easily distribute their “product” across different networks, with low cost and high proliferation. Camp says he hasn’t heard of Pinterest doing anything to directly stop the scams, though its terms of service do issue a warning about third party services.

According to Pinterest’s terms of service, advertising is not prohibited on the service. In other words, it would be perfectly OK for the Cheesecake Factory to post a legitimate ad like this. But Pinterest’s parent company, Cold Brew Labs, also absolves itself of any responsibility for links that lead to malicious websites:

The Site and Application may contain links to third-party websites or resources. You acknowledge and agree that Cold Brew Labs is not responsible or liable for: (i) the availability or accuracy of such websites or resources; or (ii) the content, products, or services on or available from such websites or resources. … You acknowledge sole responsibility for and assume all risk arising from your use of any such websites or resources.

Pinterest, which has only developed an iOS application, is also the subject of an Android app scam. According to GottaBeMobile, cyber criminals have created a fake Pinterest Android app, which really takes you to a mobile website and serves up annoying advertisements. In reality, Pinterest does not yet have an Android app.

We have reached out to Pinterest and Google for comment and will update the post upon hearing back.

Starbucks screenshot via Trend Micro

Much like the popular 1Password software from AgileBits, the Chrome feature would generate, suggest, and remember strong passwords for you. The tool would save you from having to remember multiple passwords and cut down on the highly unsafe practice of using one password across multiple sites.

The Chrome-created passwords would be random and different for each of the sites where you have a login. You wouldn’t have to use the tool while using Chrome, but the built-in option would come up each time you created a new account. In the mock-ups, it is indicated by a discreet key icon at the end of the password field. Click to get a randomly generated password that you change to meet any special requirements from the site (for example, must have one character and capital letter), and then Chrome will record it.

The suggestion would only come up for new passwords, leaving old passwords, for better or worse, alone. Since you wouldn’t know your own passwords, you’d also be less likely to succumb to phishing attacks.

An even more interesting potential feature would be a sort of self-destruct button. If your passwords fell into the wrong hands, you could do a mass reset and change all of your passwords.

The Chrome tool would only work with sites using OpenID, a standard that allows you to use one account to log in to multiple sites. Currently, more than 50,000 sites use OpenID, but there are still many more that need to adopt the standard to make this potential tool take off.

There is also the potential for privacy concerns, though many might see no harm in adding a few passwords to the scores of data Google already has from them.

Combination lock image via Shutterstock

Tech heavyweights are coming together to stand behind DMARC, a new system announced today that could block phishing emails before they ever reach your inbox.

“We’ve been active in the leadership of the DMARC group for almost two years, and now that Gmail and several other large mail senders and providers — namely Facebook, LinkedIn, and PayPal — are actively using the DMARC specification, the road is paved for more members of the email ecosystem to start getting a handle on phishing,” said Google’s Gmail product manager Adam Dawes in a blog post.

DMARC, which stands for Domain-Based Message Authentication, Reporting, and Conformance, is a way for domain owners to prove an email is truly being sent from them and is not a phishing attack. These attacks are often emails that attempt to dupe a user into giving up personal information such as logins or financial information. One of the main ways criminals attempt to trick users is by forging a “sender” line so the email looks like it’s from a reputable source. People are far more willing to give their bank account number and login credentials to PayPal than to the Prince of Nigeria.

“Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole,” said DMARC chair Brett McDowell, who is also PayPal’s senior manager of customer security initiatives.

Being able to fake the sender line is very dangerous, especially for older people who have not learned to be suspicious of unknown email. DMARC, however, provides domain holders like PayPal an opportunity to prove their identity and block any other emails claiming to be them. It does this by building on a two-step authentication system.

First, the domain owner can use SPF (Sender Policy Framework), to identify which of its employees are allowed to send emails on the company’s behalf. These emails are authenticated by looking at the IP address of the computer to make sure they are the verified sender.

Second, domain owners can use DKIM (Domain Keys Identified Mail), which looks at the digital signature of the sender. A digital signature exists in the background of an email, and lists out a number of different parameters that should be met within the body and to/from fields of the email. For instance, one parameter could be “d,” for domain, where the domain owner can put, “d=paypal.com.” DKIM then checks if the email being sent is actually from “paypal.com” and can block a message if the parameters aren’t met.

By using and fine-tuning these authentication systems, DMARC aims to make more companies take responsibility for their outgoing mail. Eventually, companies will get to a point where enough trust is put in the system to block any email that fails authentication.

Facebook, Google, and PayPal aren’t the only ones who have seen this kind of phishing scheme. Apple also recently experienced a string of phishing emails claiming to come from “appleid@id.apple.com.” The email’s body, which took on the same shadowing and coloring as a normal Apple email, asked members to “update their account information,” including bank account and social security number. Another scam came from “member@linkedin.com,” claiming you had received an In-Mail, but really redirected you to a Viagra sale site.

According to Dawes, nearly 15 percent of all non-spam Gmail messages are already being authenticated and are protected by DMARC.

He explained, “The phishing potential plummets when the system just works, and that’s what DMARC provides.”

hat tip NetworkWorld, Phishing image via Shutterstock

This week, my Xbox Live account was hacked. This is the story of what happened, my response to it, and the questions about security that it has raised.

The hijack

At twelve minutes past midnight on Tuesday night, just as I was finishing up some work, I received an email to say that I had purchased 6,000 Microsoft Points. My first thought was to laugh it off as spam, as I hadn’t bought any points for months, but I thought I should check my console anyway. On switching on my Xbox, I found that I could no longer access my account.

A quick Google search revealed that other Xbox users had been experiencing similar problems, and I realized that my account had been compromised. I tried to contact Xbox Live support, but its helpline was unhelpfully shut for the night.

Trying to think clearly, despite my somewhat bleary late-night state of mind, I logged into my Microsoft account on my PC, and changed the password. I then went through the process of recovering my Xbox Live account on my console dashboard, which involved entering my Windows Live ID and the new password. On seeing my account again, I was relieved, but also surprised to note that it had been used to play FIFA 12, the popular Electronic Arts soccer game.

The loot

My next move was to contact my credit card provider. The customer service adviser at the bank revealed that there had indeed been a transaction to Xbox Live that night, for £51 (about $80), and they immediately cancelled my card. I was told to phone again once the transaction went through, as it would then be reversed, and dealt with as fraud. Thankfully I use a decent bank and the issue was dealt with quickly and efficiently from that end. I am not sure that every victim of such an attack will be so lucky with their card issuer.

The response

The next morning, I successfully contacted Xbox Live support, explaining in detail what had happened. The adviser confirmed that my account had been used to purchase 6000 Microsoft Points, and intimated that these points had been spent on FIFA 12 Ultimate Team packs. To add insult to injury, it seemed that the hacker had also used up my own, admittedly rather paltry, supply of MS Points during their spending spree.

Confirmation of these Ultimate Team card purchases was found when I checked my console, to find these three new achievements staring back at me:

New Club in Town – 5G – Create your FIFA 12 Ultimate Team club
I’ll Have That One – 10G – Open your first pack in FIFA 12 Ultimate Team
How Great is That? – 20G – Find a team of the week player in an Ultimate Team pack

Quite a kick in the teeth, but hey, at least someone got some pleasure out of those 35G.

The Ultimate Team packs of football cards that were purchased, containing various players that can be used in the game,  are apparently transferable between Xbox Live accounts. This allows a hacker to buy them with a hijacked account and then send them to their own account, for their own purposes. Scouring the internet, it appears that the rarer cards are being traded for cash, through  forums and online auction sites, with some fetching as much as $280 .

I was told by Microsoft Customer Support that my account would be suspended, pending an investigation, which could take between 21 and 30 days to complete. My existing points would apparently be restored once the investigation was complete, and the £51 that had been fraudulently spent would also be refunded (I said this was not necessary, due to the actions being taken by my bank). In the meantime, I would be unable to access my Xbox Live account, and would only be able to play my console offline.

A widespread problem?

Such hacking of Xbox Live accounts, particularly for the purchase of FIFA items, has been widely reported in the past few weeks, both in the specialist and mainstream press. There have also been multiple occurrences of such hacking reported on a variety of websites, including the official Xbox forum and Twitter.

Questions have been asked of Microsoft, as to whether its security is up to scratch, and the response has been that this is not a wider security breach, but rather individual cases of malicious activity.

I approached Microsoft with some questions on this hacking issue, and a spokesman responded with the following statement:

“It is important for us to reconfirm that the Xbox Live service has not been hacked. Some of our customers have been the victims of internet fraud on their accounts. This is a frequent issue that all internet and e-commerce sites and services experience every day. These threats include phishing, brute force attacks, malware, third-party security breaches and in-game scamming / social engineering.

Customers who use the same identity and log-in details across multiple online sites and services are more vulnerable against these everyday internet threats. As ever, we advise customers to be vigilant, and provide further advice on account security across Xbox 360, internet websites and email at www.xbox.com/security.

Of the tens of millions of Xbox Live customers (there are 35 million active members) using the service daily, these issues are affecting a very small percentage of users globally.

Security in the technology industry is an ever-evolving challenge. With each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. Over time, account security features have been added to help protect our customers’ accounts, and we will continue to add features and processes.

As always, Xbox Live customers who have any queries or concerns should contact Xbox Live Customer Service on 0800 587 1102 [in the UK] or visit www.xbox.com/security.”

So, according to Microsoft, this issue is only affecting a small percentage of global users, but that does not stop it being an issue that raises some pretty big questions, and it is deserving of further investigation.

How is this happening?

The Microsoft statement suggests that these breaches are caused by account details being obtained, via a variety of malicious methods. The nature of Xbox Live is such that an account can be ‘recovered’ on a second console, as long as you have access to the Windows Live ID and password of that user. That results in the account being locked on the original console, as I experienced. With card details being stored on the Microsoft servers, anyone hijacking an account in this way is then able to make purchases on Xbox Live, using the payment card linked to that account.

Why me?

While I cannot dispute that I may have been hacked through some third-party breach, I  would be surprised if that was actually the case. I am pretty careful with my passwords, having four or five that I tend to use for different websites, which I regularly change. I have never responded to a fake ‘phishing’ email and I keep my PC clean, using anti-virus and anti-spyware software.

Looking at other reports of Xbox Live hacking, it is clear that I am not the only one asking this question – a question that remains unanswered.

Pages: 1 2

That’s what Zaarly, an online marketplace for people to post items they need, appears to be doing.

In an email thread obtained by VentureBeat, a Zaarly employee reached out to a Craigslist seller about a possible item for sale. Upon response from the seller, the inquirer responded with what appears to be a pretty canned email about also using Zaarly to make money. It also had nothing to do with the seller’s original item, which was a PS3, but rather comments on a trampoline.

No doubt, Craigslist is a major destination for anyone looking to sell something. With more than 60 million unique visitors a month, Craigslist is a big marketplace for both sellers and buyers and survives off of its classified listings. So, it can’t be happy to see competitors contacting its customers through its very own service. Though, a tempting target for startups looking to increase their reach. Here’s the email:

I wanted to reach out to you because there is an ad for a trampoline on Zaarly: http://zaar.ly. Like Craigslist, Zaarly is an on-line marketplace but on Zaarly, people name what they want, the price they’re willing to pay and when they would like it. So, I thought you might want to check it out and see if you can make some money. It’s completely free to join Zaarly.

We just wrote a full guide to selling on Zaarly — I hope you find this helpful. You can check it out here.

If you have any other questions, I’m here to help. Feel free to call or send me an email any time.

The person who sent the email is a Zaarly employee, Katelyn Bogucki, who works in content strategy and community development. (When we contacted her, she confirmed her employment with Zaarly.) While Katelyn may in fact be in the market for a PS3, it’s more likely she is trying to find people to post and sell on Zaarly as well. It also appears that Katelyn used a Gmail account instead of her company account, lending to the credibility of the action.

In response to an email query from VentureBeat, Zaarly COO and cofounder Eric Koester replied, “At Zaarly, we’ve always told our team to be helpful. Sometimes, with a young company and a young community, there’s some over-exuberance. We go to work to help people find what they want. We also want to be sure we’re staying within the rules, so we’ll reinforce that with our team.”

However, Koester didn’t answer more detailed questions about this particular email or Zaarly’s practices.

Zaarly isn’t the only one that might have used these marketing tactics on Craigslist users. Recently, Airbnb, a startup that pairs travelers with people willing to rent their rooms for a fee, was thrown into the spotlight after supposed rogue sales contractors hit Craigslist. VentureBeat’s Tom Cheredar noted that Airbnb “hired contractors who used unsavory tactics to get people posting property listings on Craigslist to create a listing on Airbnb as well, according to Tnooz.” Entrepreneur David Gooden actually proved the claims on his own blog of automated spamming and harvesting of emails by Airbnb. The company blamed the incident on the individual salespeople and noted that it didn’t result in any significant gains in customers or postings.

San Francisco-based Zaarly, founded in 2011, has raised $1 million in funding to date from a plethora of investors, including TechCrunch founder Michael Arrington, Felicis Ventures, Lightbank, Paul Buchheit, Bill Lee, Naval Ravikant and celebrity actor Ashton Kutcher, who also acts as an investor and advisor to Airbnb.

Full email thread between Craigslist seller and Zaarly employee below:

The question is why Google homed in on Jinan (a city whose name is politically charged because it is a regional command center for China’s military, the People’s Liberation Army) and left out some other potential sources, which a key expert says included Korea and New York.

Jinan is also home to the Lanxiang Vocational School, which was the alleged source of a more serious cyberattack on Google in 2009, in which the attackers spied on human rights activists and which forced Google to pull out of China — this coming after years of tension-filled negotiations between Google and China to find a way to get along. So of course, when Google pinpoints Jinan as the apparent source, and provides no further back-up to its allegations, the assumption is  that Google either thinks, or at least wants others to think, that this all stems from the same Chinese foes of the past, and maybe even from the Chinese government.

Now, Google didn’t say it was orchestrated by Beijing, but you can see why the Chinese government thinks it’s being singled out.

The truth is, we just don’t know why Google has focused on Jinan. But in light of the political sensitivity, it would be in Google’s interest to offer more details, if only to shield the company from criticism that it is playing hardball against China for political reasons, and suspicion that it hasn’t nailed down enough facts to back its assertion that this came from China.

Here’s what we know: Mila Parkour, the Washington-based IT specialist at the security specialists Contagio Malware Dump who first spotted the attacks three months ago, and wrote about it here, documented a series of attacks from various locations. These also included Korea and New York.

This has some other experts asking questions, including Mary Landesman, a respected senior security researcher at Cisco. I called her up to ask her point of view of the attacks, and she pointed out that the Contagio documentation alone is not enough to pinpoint Jinan as the source.

“The Jinan, China connection seems to be coming from fact that some phishing emails were sent through 163.com,” she says, “but if that’s evidence, then I think it’s worth questioning. That’s a funny email for cyber [activity].” The domain 163.com may be based in Jinan, but that doesn’t mean that’s where the attack really originated.

By way of explanation, if someone sends a phishing attack through a Gmail account, that doesn’t mean that the attack originated from Mountain View, California (the home of Google, which owns Gmail), she said.

There’s a difference between tracking email headers and extracting origin, she added. Especially since the U.S government is taking such a keen interest in this (see Secretary of State Hilary Clinton’s tough words on this today, and given recent report that the Pentagon may respond to cyber warfare with military force), it’s worth asking: Where’s the evidence?

The only real evidence contained in the Contagio report, Landesman added, is the spoofed Gmail page, which appears to have been lifted from Google Korea (more insight here about the techniques used). No one is saying Korea did it, but the attackers apparently forgot to change some links that pointed to Gmail Korea.

Google isn’t commenting on the story right now beyond its original post, but we’ve checked in with our sources at the company, and they say Google is basing its Jinan reference on security intelligence gathered on its own. The company doesn’t want to reveal how this was done. Google’s post merely said it relied on “user reports” as well the original Contagio report.

For now, we just don’t know, but because of the political ramifications, it sure would be helpful if Google were to reveal more facts.

Just after Sony suffered a long and embarrassing outage for its 77-million member PlayStation Network, a Sony site has been hacked again.

This time, hackers compromised a Sony website for users in Thailand. F-Secure, a web security company, found the live phishing site at the Sony Thailand address. That means hackers had broken into the site’s security and were redirecting users to a fake website where it could steal their credit card numbers.

While it’s not that significant, it’s another black eye for Sony at a time when it is trying to lure back angry and frustrated users to its online services, which were down for almost a month. Sony has been notified of the hack.

Update: A second attack on Sony’s systems was more malicious. About 100,000 yen ($1,225) was stolen from Sony accounts in Japan. Users lost virtual points in their accounts. That shows that Sony’s troubles aren’t over yet.

Web of Trust is based in Helsinki, Finland. Its user community rates web pages on how trustworthy they are, so the service is able to warn users if they try to access a website with untrustworthy content. Facebook user’s can’t themselves rate the websites, the ratings come from the WOT user community.

WOT’s reputation tool is already available as a free browser add-on. It has been downloaded over 20 million times. The user community has so far reported five million sites for phishing, fraudulent services or other scams. The browser add-on is not available on mobile browsers, but the Facebook protection will be available also for mobile Facebook users.

“We are excited about our partnership with Web of Trust — they share similar goals and approaches in giving users better control of their online experience,” said Jake Brill, Facebook’s manager of site integrity.

WOT claims its crowdsourced model regularly uncovers dangers and threats that automated algorithm-based systems miss. Typical examples include pointing out e-commerce sites with questionable business practices and giving advance notifications of content not suited for children.

The negotiations with Facebook and Web of Trust started about a year ago when Facebook connected with several website reputation service providers, Vesa Perälä, CEO of WOT Services, said in an interview earlier today. After some testing, Facebook decided WOT’s service was good enough to be integrated with Facebook. The deal was made in late April. The service has been live for one percent of U.S. Facebook users this week. It will start working for all U.S users today and then expand globally.

WOT has received funding from MySQL founder Michael Widenius’ investment company Open Ocean, Finnish Industry Investment and private investors

That’s the experience Virtual World Computing promises with it’s new Cocoon browser plug-in.

The Cocoon plug-in works with Firefox and other browsers to effectively unplug your computer from the internet and route you instead through Cocoon’s servers. Those servers filter out the bad stuff and let you surf the web through Cocoon’s own connections as fast as possible.

“We let you have more control, like setting up an electric fence around your house,” said Jeff Bermant (pictured right), chief executive and founder of Santa Barbara, Calif.-based Virtual World Computing.

The benefit of going through Cocoon’s connection is that web sites can’t spy on you. They see only Cocoon, not your computer, as if you were using an “in-private browsing” feature. Normally, browsing the web privately would mean your machine would browse the web as if it were stripped of tracking software known as “cookies.” If you take out your cookies, you are in for a rude surprise when you visit a site such as Amazon.com, which won’t recognize who you are and won’t let you log in without those cookies.

But Cocoon has a clever scheme for letting you get around that. When you log into Cocoon’s SE Linux-based secure servers, everything you do is encrypted. Your browsing history, personal information, and passwords used on web sites are all protected. When you visit Amazon, no data is revealed about your computer, your internet connection, your service provider or your location. But you can still sign in via a kind of proxy.

Rather than using a traditional third-party site to mask your movements, such as a proxy server or Tor identity-masking network, Cocoon tweaks your browser. Cocoon then creates “mail slots” for you, concocting a random and disposable email address for every site that you want to log into on a regular basis. Cocoon will automatically fill out a form when you sign up, substituting a Cocoon-generated email address for your actual email address. You don’t have to remember the Cocoon email at all. When the web site wants to verify your email, it will send an email to the Cocoon email address. You can go into your mail slots, click on the name of the web site, and find the verification email there. You can then open it and click on the verification link from the web site. After you do that, the web site will confirm your account as a real one and let you proceed to browse or buy things. Cocoon can store cookies related to that site, but you don’t have to do so on your own machine.

One protection is clear. If hackers break into a company and steal your email address, as happened with the cyber attack against email marketing company Epsilon, the hackers won’t get your real email address. They will only be able to steal the Cocoon address. Your privacy is protected. Your Cocoon email address can’t be used to send email to anyone; that blocks spammers from signing up for Cocoon accounts.

Another benefit is that you can log into Cocoon from anywhere and then log into a web site. Normally, you would have to log in and prove to that web site that you are who you say you are. But Cocoon handles that for you so you can quickly get on with what you want to do. You can even log into Cocoon and see all 30 web sites you had open the last time you logged off.

Bermant founded the company in 2008 with chief technology officer Brian Fox. Bermant had a bad experience where a virus took over his server and spammed his friends with 30,000 messages a day.

“I felt there has to be a better way to browse,” Bermant said. “I didn’t like being followed around, with cookies landing on my computer without my knowledge.”

The solution was to recreate the browser so that you don’t touch the internet directly, tapping instead the benefits of virtualized and cloud computing. And you can do what you normally do. If you want to download a game, you can still do so. But soon Cocoon will scan that download for you first to check to see if any viruses are in it. You can visit a Flash web site and enjoy the rich animation without worrying that it is going to deliver a virus. And you can browse the web without worrying that a site like Facebook, or perhaps a government spying agency, is tracking your every move.

Cocoon can also be set up with master accounts and sub-accounts so that children can safely cruise the web. You can lock down the sub-accounts so they can only visit safe sites, and you can track every site the kids visit using Cocoon’s own tracking ability. You can also block the user’s ability to fire up another browser. And for yourself, you can turn off Cocoon’s ability to track your history. In that case, your internet service provider also won’t know your web-browsing history.

You can sign up for Cocoon and get a 30-day free trial and then pay $6.95 a month for it after that. There are rivals out there, but Cocoon has gone a long way to making this friendly to consumers who don’t want a lot of hassle just to browse the web privately and safely. You can, for instance, hide Cocoon from your browser window and also turn it off with a single button click.

The company already has more than 4,000 active users and is self-funded. Its advisors include Marvin Minsky, the artificial intelligence expert at the Massachusetts Institute of Technology.

Epsilon sends more than 40 billion emails a year on behalf of 2,500 brands. Security Week said the breach has affected a number of those brands, including grocery retailer Kroger, TiVo, Marriott Rewards, Ritz-Carlton Rewards, US Bank, JPMorgan Chase, Capital One, Citi, McKinsey & Company, New York & Company, Brookstone, and Walgreens.

At first, the breach was believed to have affected only Kroger. But more and more companies have been confirming that they have had their data stolen as well. Epsilon builds and hosts customer databases for brands, making it a prime target for hackers. In many cases, the data lost is simply someone’s email address. But Security Week says that’s all that a hacker needs to try a targeted phishing attack against the customer, who will expect to have communication from these brands. You might, for instance, receive a message from Brookstone about a special offer addressed to your name. But it may be carrying a virus that exposes you to data theft if you simply open the email. These kinds of phishing attacks are likely to have a higher success rate.

Marriott Rewards and Ritz Carlton Rewards told SecurityWeek that their customer names, email addresses, and member point balances were exposed. Citi warned customers via Twitter about the incident. Epsilon disclosed the breach late Friday.

[image credit: alertsec]

IBM researchers said the recent growth of cloud computing and remote desktop access will likely become a sore point for security issues, as hackers cracking into a master rig that controls several virtual desktops could theoretically access all of those desktops.

Web apps had the largest number of security vulnerabilities, growing by 55 percent year-over-year. The report indicated that incidents of malicious code hidden in JavaScript, a common interactive scripting language, and other Web app code rose by 52 percent compared to the same period a year earlier.

Exploits of documents in Adobe’s PDF format rose 37 percent. Most of that increase can be attributed to the use of PDF exploits earlier this year to expand the Zeus and Pushdo botnets, organized networks of infected computers manipulated remotely by hacker gangs.

Phishing activity, which involves tricking users into putting information like bank account logins into a website masquerading as a bank or email service, fell 82 percent from the same period a year earlier. Browser makers have taken measures to discourage phishing attempts by warning users. About half of all phishing attacks in 2010 were coordinated against financial websites, such as those of banks.

More than half of the security vulnerabilities listed in IBM’s X-force report were not patched by suppliers or vendors by the end of the first half of 2010, when the reporting period ended.

[Photo: Clip Works]

Thanks to cookie-cutter tools, cyber attacks are multiplying exponentially across the internet, hitting both developed and emerging countries in all regions of the world, according to an annual assessment by security vendor Symantec.

Symantec found that cyber attacks are growing dramatically in countries such as Brazil, India and Russia. The U.S. is still the No. 1 country where computers are attacked, accounting for 19 percent of all malicious code findings. But that stat is down from 23 percent a year ago, according to the 97-page Symantec Global Internet Security Report.

As emerging countries launch broadband networks and new users connect to them, the scourge of phishing, botnets, and other threats is hitting them too.

One reason is that those new users aren’t as savvy about protecting their computers as those where computers have been used for a long time, said Kevin Haley, director of Symantec Security Response.

The attacks are yielding ill-gotten gains such as stolen credit card numbers or online bank accounts, and that in turn fuels a huge underground economy that covers just about every corner of the globe where there are web-connected computers.

As the computers in the emerging countries are compromised, they are brought into botnets, which are herds of computers that hackers use to attack others or even rent out for a fee to other attackers. Botnets consist of thousands or sometimes millions of computers. Each bot can be rented for as little as 3 cents, the report said.

The actual number of bots being identified per day is 46,591. That number is down 38 percent from a year ago, in part because some Internet service providers that supported the botnets have been shut down.

As for attacks on users, the prime goal is phishing, or stealing usernames and passwords in the hopes of gaining access to online bank accounts or personal information. Many phishing attempts are masked as cheap antivirus offers, which fools people into giving out their credit card numbers and personal data. The attackers often exploit holes in common programs such as Internet Explorer or Adobe Reader. The main means for these attacks are malware programs that are generated in near automatic fashion using widely available tool kits such as ZeuS or SpyEye.

Symantec has identified more than 90,000 different variants of malware created with the ZeuS tool kit. It has to come up with a specific signature of each of those variants to be able to block them. And in 2009, Symantec had to create more signatures than it ever had in all of its previous years.

That gives you an idea of the underground economy that has grown up around cyber threats. The company estimates that 130 million credit card numbers were stolen in 2009.Another measure is the price of stolen credit cards, which go for anywhere from 85 cents to $30 per stolen card.

Measures to deal with cyber crime are also getting better, but it’s still hard for security forces to keep up. Cyber criminals are proving to be extremely resilient, coming back time after time with bigger and more sophisticated attacks.