The system addresses a problem that security researchers and companies have faced in the past. Security researchers who uncovered vulnerabilities or stolen data were not able to pass the information along in a centralized secure way. There simply was no option to send a direct warning to service providers, banks or other companies that were affected by the vulnerability or compromised data.

Researchers had to analyze the data to identify the affected companies or online services before they had to find the right contact to pass the data along securely. Cyber-criminals benefited from this as it gave them additional time to make use of the stolen data.

“Last year, according to the Anti-Phishing Working Group, one million U.S. households lost money or had accounts misused as a result of phishing, at a cost of $650 million”, Nancy Anderson, Corporate Vice President and Deputy General Counsel said.

The Internet Fraud Alert System has been designed to provide security researchers and the security community in general with a centralized alert system to report stolen data, such as credit card numbers or account login details. The service furthermore allows the researches to contact the institutions directly, allowing them to take the appropriate action to protect their customers.

Through a centralized alert system powered by Microsoft technology and managed by NCFTA, Internet Fraud Alert provides a new, powerful tool to quickly inform financial and online companies about compromised customer account credentials (such as online usernames and passwords) or stolen credit card numbers. With this information, institutions can take action to protect their customers from further fraud against their accounts.

Microsoft donated the technology to the NCFTA, a non-profit organization dedicated to facilitating public-private partnerships between industry, law enforcement, and academia on cyber-security issues.

Only US companies participate in the Internet Fraud Alert system at the moment. It remains to be seen if this is going to change in the future or if this will remain a US-only project which would severely diminish the efficiency of the system.

It is common knowledge that many companies search for information online about future employees but the story that Roger Thompson, AVG’s chief research officer, posted on his blog seems to suggest that companies use publicly available information for other things as well.

Roger went on a business trip to London and was told during checkout that his Credit Card was declined. A call to his bank revealed that the bank had suspended the card because they did not know that he was traveling overseas.

The scary bit happened in the process that followed on the phone to un-suspend it. It started with the usual questions including the last four digits of the security number or the mother’s maiden name. What then followed was unsuspected. The bank employee told Roger that they had a couple of more questions “from publicly available information”.

The employee asked questions about Roger’s daughter in law using her maiden name (which she apparently has not used for more than nine years). The only publicly available information that connect Roger to his daughter in law is their friendship at Facebook.

Now, I’m not accusing Facebook of _anything_, but one wonders…. I can’t believe Facebook would sell our data, so … is someone “harvesting” it?

The bank employee did not reveal the source of the information and it might have been that this has nothing to do with Facebook as there are other public records available that can be used to connect people to each other.

The bank might however have used Facebook in this case and other publicly available information in other cases for the verification process. The danger with those kinds of information is obviously that they are publicly available meaning that the bad guys can also access those information.

How would you react if your bank would ask you these questions?

Dante send me this interesting article from Techworld that describes the mechanism behind selling Credit Cards. They are sold in so called dumps which seems to be packs of one hundred numbers starting from $10 per 100 for regular Visa and Mastercard Credit Cards up to $150 for European Gold and Platinum cards.

Techworld calls it a Credit Card Supermarket which does not seem to fit the website at all in my opinion. It looks pretty spammy, probably to keep regular visitors from exploring the website. I think it is interesting to note that there is no obvious way to contact the sellers other than to reply with a comment on your own which would make a seller pretty vulnerable to investigations unless they take extra precautions.