Residenza Il Barone in Tropea, Calabria, Italy. Watch out!

Tropea beach from town, Calabria, Italy

Don’t be fooled into booking the “apartment.”

Ideal beach, ideal Italian beach town.

Ahhh, Tropea! That’s what all the Italians said when they heard that beach town would be the last stop on our journey through the sole of Italy. So beautiful!

The quaint town is high above the beach.

It sure is. So popular is Tropea that the B&B I wanted to stay in was fully booked six weeks before our visit. This is the story of a “sister property” switch, a mean step-sister that does not live up to her sterling siblings, and false claims made by the property owner. There’s also a TripAdvisor mystery, which I’ll save for another post.

Bottom line first: when you go to book a room at Residenza Il Barone in Tropea, don’t be fooled into booking the “apartment”, as I was. Let me tell you about the apartment. Its location is excellent, over a restaurant at Piazza Tre Fontane, a few blocks away from the advertised location. You unlock a heavy door and ascend 14 steep stairs. This brings you into a drab and charmless room with adequate furniture: a dining table and chairs, a sofa, and a sideboard. There’s a mini-kitchen, too, with fridge, sink, and stove. 

To use the air-conditioner, you must leave the tall door open a good six inches, letting hot air in.

Poor lighting: In all this space, there is ONE lightbulb. The lamp, hanging over the table, was barely enough for me to do my paperwork.

This is a balcony? Not much wider than one shoe.

No Air conditioning: The apartment claims to have air conditioning. And yes, it had a portable unit on wheels standing in the room, with an extension cord nearby. (See my photo.) It was 85° (see photo), so we turned it on. Cool air came out the front; hot air came out the large exhaust hose, which was loose on the apartment floor—inside! We went to visit the owner, Roberto. Yes, he said, you have to open the door. So we stuck the wide exhaust hose out the door, leaving the tall door open a good six inches—through which came plenty of heat. In actuality: the apartment does NOT have functional air-conditioning.

No Balcony: The apartment claims to have a balcony. It does not. It has a four-inch ledge. (See photo.)

No toiletries: The apartment claims to have “free toiletries.” It does not. Not even a single bar of soap.

14 steep and narrow stairs up to the bed. Do you get up at night? Bathroom’s downstairs!

Climb up to bed: The bed is up a very narrow spiral staircase. (See photos.) There are 14 stairs, each 15” wide. If you are anything larger than slim, if you are elderly, if you have the slightest problem with stairs, you will not make it up. You cannot bring a suitcase upstairs. In fact, it’s difficult to carry anything up the tight stairs. Think about this if you usually get up during the night. The bathroom is downstairs.

Hot sleep: There is no air conditioning upstairs. (Not that there is any downstairs, either…)

Top view of stairs. Imagine it at night.

No breakfast: This is not a B&B. There is no breakfast.

Residenza Il Barone gets consistently good reviews. Watch out if you are routed to this B&B’s apartment as an alternative. It’s not in the same league and is sold with false claims.

Even more strange is TripAdvisor’s response to my review. I’ll write about that next.

It was really hot upstairs. 86°F by our digital thermometer. No air conditioning in the bedroom (not that there’s any downstairs, either.)
All text & photos © copyright 2008-present. All rights reserved. Bambi Vincent

Unethical Blogger

Unethical blogger's advice will get you handcuffed.

Could be you after following Mike Richard’s advice.

Steal. Drink and snack from the hotel mini-bar, the unethical blogger advises in his unethical December 10, 2014 article. Go ahead and have a beer and a candy bar, then deny it at check-out. You’ll get it free!

Swindle. Use a depleted debit card to buy drinks on a plane. Free booze, yay, worth committing fraud for!

Cheat. Walk into a luxury hotel you’re not staying in and take advantage of guest services like free breakfast, the concierge, and luggage storage. They’ll never know!

After-effect of using a knowingly depleted debit card to buy drinks on a plane.

Unethical blogger’s advice will likely get you handcuffed.

Was the free beer worth it?

Lie. Tell the airline gate agent you have a peanut allergy and need to board first to wipe down your tray. Yeah, get that overhead bin space before the honest people get there!

Scam. If your “expensive” item breaks prematurely (an iPad is hinted), go buy a new one, repackage the broken one, and return it for a refund. Sweet dreams, if you can sleep after that one.

And on and on. Like, buy travel gear and return it for a refund when you’re done with it, the unethical blogger advises. Take an empty first-class seat on a plane and try to get away with it. Pay $20 to have your tires rotated when you need parking in a high-priced city.


Some people should not be journalists. Some journalists should be decommissioned. This guy, this Mike Richard, is one of them.

I’m not in the habit of slamming other bloggers. But it is my custom to report thefts, cons, scams, and the fraudsters who commit them. Mike Richard may or may not use the methods he espouses; he does call them “useful travel hacks.”

Richard’s headline says it all: “20 Totally Unethical (But Useful) Travel Hacks.” He’s recommending these “travel hacks” even though they’re unethical.

I try to live by a simple little motto: “What if everyone did this?” Would I want that world? If everyone shouted, littered, took a stone from someone’s yard, lied, cheated, stole…. Just…try to be decent.

I grew up with several versions of The Golden Rule. Simply put, treat others as you’d like to be treated. Reciprocity. It makes the world go ’round.

I have little issue with paid placement presented as personal opinion—that’s the way of the world. The way of blog-whores. But this unethical blogger will apparently say anything for money. He calls it paid advertising. No wonder his blog has only one advertiser, despite his plentiful pleas for ads. Well, he has three if you count Anthony Bourdain and a quick-print service.

Unethical and illegal. Steal. Cheat. Lie. Commit fraud. But sure, Mike Richard says, they are, “entirely useful… for shameless budget travelers”. I must not be the only one who finds this to be irresponsible journalism. And not the only one to find it repugnant.

© Copyright 2008-present Bambi Vincent. All rights reserved.

How a stolen credit card number makes cash for a fraudster

credit card shimming
stolen credit card fraud implements

All this talk of stolen credit cards and “skimming.” Then what? What happens after you’ve swiped your card through a tampered-with ATM, gas pump, or bank entry door?

A kid, a computer, and a clever scam that games the system—that’s all it takes to make big bucks, without leaving home. For credit card fraudsters like the teenager who calls himself “d0g,” it’s simply online shopping. He doesn’t handle merchandise, cash checks, or visit drop spots. His butt never leaves his chair, his fingers never leave his keyboard, his eyes never leave his screen.

How fraud with a stolen credit card works

It’s all about shopping, according to Patrick Lambert, who poked around the underground “carder sites” that sell the information from stolen credit cards. Buy one for a few dollars and just go shopping! Well… not quite.

What’s a credit card fraudster to do: buy expensive goods online and have them shipped to his home? Certainly not. In his “Interview with a malicious hacker making over $10,000 a week” [Edit 7/8/13: Lambert has taken down his fascinating and instructive article.], Lambert reports how easy it is to find and use these carder sites, and how to turn the hot credit card into hard cash:

So finally, the last question I had was how they manage to get actual, physical goods using that stolen credit card, without having to divulge their address. The way it was explained to me is that all he has to do is post ads on eBay for popular items that he doesn’t actually have. Then, when someone buys it, he turns around and buys that same item from some online store with the bought CC numbers, and puts the eBay buyer’s address as the shipping location. He makes those stores send the products directly to his buyers, and gets clean cash for them, which he can spend any way he wants. It’s a type of online money laundering. And apparently, the reason why these stolen numbers are sold so cheaply is because a vast majority of them are either already canceled, or maxed out.

Now I’m wondering about the wide-format pro printer I sold on Craig’s List: did I unwittingly sell it to an ID thief and obediently ship it to the innocent third party who supplied the thief with clean money? It could have worked that way, at least if I were a store that accepted credit card payments. In my case, I was paid via PayPal, and the funds cleared. Can a thief fund PayPal with a stolen credit card? I’m not sure…

You can see how this three-way scam works. An innocent and unsuspecting buyer of goods provides clean money in return for real items, and is none the wiser. A merchant sells items and is paid with a stolen credit card. d0g sits in the middle pulling strings and catching the money. Easy!

There’s much more to it though, Lambert learned from d0g. “Doing the crime, getting rich with stolen identities, is really easy. The hard part is covering your tracks, and 90% of the things these people do are for the sole purpose of covering themselves.”

That would include subscribing to a VPN (an encrypted tunnel that hides his real IP address from the sites he visits), and funding an anonymous online payment system.

This sort of “hacking” (which is not what I would call it) can be done on a large or very small scale, but either way, easily, and causing serious financial damage. If it’s true that one credit card fraudster (like d0g, the teenager) can net over $10,000 a week with a low risk of getting caught, it’s clear that the vocation would attract legions of practitioners. It’s clear, too, that our payment system needs fixing.

* * *

12/22/15 Note to HACKERS: I appreciate when you contribute additional knowledge in the hundreds of comments below, but please realize that this post will not function as a message board for contacting each other. Check it out: all email addresses in the comments below have been deleted. This is done by a human (me), not a robot. So please save yourself (and me) the trouble. Do comment on credit card hacking, but don’t look for business here. Thanks —BV

Later note: Alas, I had to close comments on this post due to soliciting. However, there’s really interesting stuff below. Thanks for all the contributions!

Even later note: Looks like skimmers’ days may be numbered, thanks to the Skim Reaper, a credit card-sized detection device that we can dip into an ATM or POS before using it to determine its safety. Well, we won’t be using it any time soon, at a cost of almost $500, but let’s say maybe bank branch managers will check their machines periodically, and police can check random ATMs.

All text & photos © copyright 2008-present. All rights reserved. Bambi Vincent

Summer Scams to Avoid


Empty pockets

Are you going to London for the Olympic games this summer? Are you going to Europe? Are you going anywhere? Bob Arno urges you to be on your toes for these five summer scams and ripoffs, all of which are significantly on the increase.

1. The old pickpocket trick.

Pickpocketing’s been around since loincloths got pockets, but it’s increasing drastically in London and all across Europe. It has become more organized, with gang leaders buying or leasing youngsters under the age of legal responsibility. These kids, under pressure to bring in their “quota,” are more desperate than ever and attempt more brazen thefts.

Remedy: Keep your valuables under your clothing and be extremely vigilant at ATMs. Be sure your Social Security number is not in your wallet.

2. The pigeon poop pickpocket trick.

It’s hard to turn away a kindly good samaritan who wants to help you with a real—and vile—problem. You’ve been dirtied with something disgusting—often “pigeon poop” and lately actual (human?) feces. The con artists who secretly put it on you (or their partners did) use the physical contact of cleaning you off to clean you out. They pick your pocket or, if you set down your bag, run off with it.

Remedy: Sadly, we just can’t trust strangers approaching out of the blue. Antennas up!

3. Smart phone theft.

Smart phones are five times more likely to be stolen than wallets or cameras. (iPads are equally attractive, though harder to steal.) More than 50% of thefts in European capitals this summer are expected to be of smart phones—unless you help change the trend.

Remedy: Don’t leave your phone on a restaurant table or in an easy backpack pocket. Be aware that they are often swiped right out of users’ hands. Try to limit the personal information stored in the phone, and use a passcode.

4. Fake cops.

Naturally, we respect authority. A subset of nasty thieves we call “pseudo-cops” exploit this tendency by flashing fake badges and demanding to examine your cash. They claim to be looking for victims of counterfeiters and will take your cash “for examination,” or take a portion of it without you noticing.

Remedy: Do not show your cash or wallet. Police officers do not check the cash of random passers-by. Ask to take a good look at his badge and police ID. A real cop won’t mind at all. A pseudo-cop will move on to a more gullible mark.

5. Fraudulent websites.

Opportunists are working overtime online offering bogus Olympic tickets and nonexistent accommodations in London. London Metropolitan Police recommend buying Olympic tickets only from the official site, and have reported dozens of known fraudulent websites selling tickets and accommodations.

Remedy: Buy Olympic tickets from official vendors only. Buy accommodations from known and trusted sites or travel agents. Use a credit card to pay for your tickets and accommodations.

For full explanations on thefts, cons, and scams, start at the Thiefhunters in Paradise summary page.

© Copyright 2008-2013 Bambi Vincent. All rights reserved.

Skimmers in bank doors

Bank door card swipe

After hours, swiping your bank card through the reader (at left) unlocks doors (at right) allowing access to ATMs in the bank’s locked foyer.

Ever use an ATM at a bank after hours? Was it inside a locked vestibule, where you had to swipe your bank card to unlock the door to enter the antechamber?

Chase Bank branches in and around Las Vegas have found card skimmers on their doors, enabling thieves to capture bank card info without tampering with the ATM at all. At the cash machines, all the thieves need are pinhole cameras to record the PINs.

And of course, alone and private in a locked bank foyer, who shields his PIN as it is poked onto the keypad?

Very clever thieves. Expect to find this latest technique at a bank near you.

More on skimmers:
Gas pump skimmers attached in 11 seconds.
Skimmers and credit card fraud.

© Copyright 2008-2012 Bambi Vincent. All rights reserved.

10,000 shipping containers lost at sea each year


Cargo ship
Source: http://www.cargolaw.com/2006nightmare_apl_panama.html

> Even more! See edit at the bottom.

10,000 shipping containers are lost at sea each year! From my naive perspective, I’m shocked by this number. Twice, I’ve sent an entire household from one continent to another by sea. To think of my container just…tumbling into the sea in a storm! Or worse, ordered jettisoned by the captain to ensure the safety of the ship.

Five to six million shipping containers are being transported at any given moment, and it’s estimated that one is lost about every hour. A goner. True, the percentage is low; but the number is high. Ten thousand containers and their cargo, every year, sunk to the bottom of the deep blue sea. Or presumably, the rough gray sea.

Containers dropped from cargo ships are never recovered and rarely reported. There are no legal repercussions for the losses; no accountability.

There are other repercussions though. Hazardous materials are leached into the ocean. Artificial habitats are created for aquatic life, strung like stepping stones along shipping routes, possibly giving species an unnatural ability to migrate across oceans.

And these cargo containers may float for days or weeks before they sink to the ocean floor. Huge farting boxes the size of houses, invisible just below the surface of the sea, they create a deadly hazard for other ships and yachts. “Very, very dangerous,” a ship’s officer told me. “At night you cannot see them at all.”

While this subject matter doesn’t quite fit my usual categories of Travel or Theft, it interests me mainly in terms of loss and responsibility (and also freak accidents). And there seems to be a huge potential for fraud.

Apparently, expediency in loading cargo ships doesn’t allow for stacking containers logically. Therefore, heavy containers may very well ride on the top layer. On the other hand, I read somewhere that top layer positions go for cheap—or was that a joke?

In a global industry represented by strait-laced and corrupt nations and every banana republic in between, I’m not surprised that:

They overload container vessels on purpose, raising the center of gravity of the ship. If there is smooth sailing, you make millions extra a year. If you hit rough seas, you cut loose your entire top layer of containers, lower your COG, and still come out ahead in the grand scheme of it all.

http://slashdot.org/comments.pl?sid=2070698&cid=35729890

So, if a ship lists or rolls a container or two could go flying. Connecting pins might break or shear off, as they are designed to do at a list of a certain number of degrees. And if a ship is in danger its captain may choose to sacrifice a number of containers in the hope of saving the ship and its remaining cargo.

…essentially the shipping company is not liable for the ‘disposed [of]’ containers, either. If the shipping company has enough losses on a vessel to declare a “General Average,” then the compensation for the losses (including vessel damage, if any) are assessed against the other *customers* with cargo on that vessel.

Basically, the vessel is carrying the cargo as a courtesy; any risk of loss belongs to the owners of the cargo(s) collectively, NOT to the carrier.
So as a forwarding agent, not only do you get the pleasure of telling someone that their container of goods has been lost, you get to tell them that… a) they still have to pay freight shipping costs, AND… b) they’re going to be legally liable for their ‘share’ of whatever the general average costs work out to be

http://slashdot.org/comments.pl?sid=2070698&cid=35731376

Other than keeping his average rate of loss low, there doesn’t seem to be much to motivate a captain to deliver his full complement of containers. Would it be an exaggeration to suggest that the odd seaman or two might be induced to “lose” a container now and then?

The potential for foul play intrigues me. I hear the whisper of a thumb gently rubbing two fingertips… The master of a ship turns his head away at the screech of metal scraping metal followed by a mighty splash. What might be in that locked steel box? Incriminating evidence? Treasure, bundled with a GPS transmitter, for later retrieval? Hazardous waste too costly to dispose of properly? A secret marine biology laboratory in which creepy experiments will be activated by contact with water, to be carried out in the cold, dark, compressed environment of the sea floor? Bodies?

> Edited 2/22/14 to add link to interesting article about a cargo ship that lost more than 500 containers in heavy seas.

> Edited 1/29/22 to add link to interesting article about a container collapse in which 60 were said to go overboard.

> Edited 6/2/22: In November of 2020, a ship called the ONE Apus, on its way from China to Long Beach, got caught in a storm in the Pacific and lost more than eighteen hundred containers overboard—more in one incident than the W.S.C.’s estimated average for a year. The same month, another ship headed to Long Beach from China lost a hundred containers in bad weather, while yet another ship capsized in port in East Java with a hundred and thirty-seven containers on board. Two months later, a fourth ship, also on its way from China to California, lost seven hundred and fifty containers in the North Pacific. (Source: “When Shipping Containers Sink in the Drink”)

© Copyright 2008-2011 Bambi Vincent. All rights reserved.

Ghost in the Wires

Ghost in the Wires cover


I thought Kevin Mitnick was a friend of mine—but that was before I read his forthcoming book, Ghost in the Wires. Kevin’s the consummate liar, it seems. He’ll say anything to get what he wants, going to extreme efforts to research, then set up support for elaborate cons. He’ll claim to be a cop, a utility employee, or your colleague from a remote office, if it serves his purpose. A faceless voice on the telephone, he’ll sweet-talk one minute, and command with authority the next. At least he used to do this, before spending five years in federal prison…

To become the boldfaced name in social engineering, Kevin honed a natural knack for people-reading from childhood. He was a telephone Zelig who rarely needed to get out of his sweats. He always found a plausible pretext for his capers and pursued them with outrageous chutzpah. Rarely would he fail to obtain the information he sought.

Can one retire a talent like that? I doubt it, but as I can’t think of what use Bob and I are to Kevin, I prefer to think that we really are his friends.

Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker is Kevin’s third book, to be published in August 2011. I love that title. The book chronicles how Kevin, from an early age, tinkered with communication devices: ham radios, telephones, cellphones, computers, and the software that runs them all. Although he was obsessively compelled to dig deeper and deeper into the gizmo-code, he never tried to make or steal money from his exploits. He did it out of his own curiosity, to learn more, and to challenge himself to do what seemed impossible.

Sometimes, in his relentless pursuit of knowledge, he simply had to break into a company’s computer to get the software, the code, or the user names and passwords that he needed. In an electronic sense, that’s breaking and entering. And when he copied that proprietary information for his own use, well, that’s stealing.

Once he’d gained access to his target computer, he’d usually fiddle with its inner settings just enough to plant a “backdoor,” an easy way in for his next visit. He might read his target’s emails and even copy them, but he never destroyed the files.

Imagine an intruder who breaks into your house, sneaks around and looks into your secret hiding places, rifles your files, and picks through your drawers. Satisfied, he then backs out quietly leaving everything just as it was, sweeps up his footprints and, oh yeah—copies your house key on the way out.

Bambi Vincent, Kevin Mitnick, Bob Arno

I’ve heard Kevin call himself a “non-profit hacker.” Sure, he got himself free phone calls, but throughout his hacking career, he was always gainfully employed. With the information he had at his fingertips, he could easily have enjoyed a life of leisure from credit card fraud. He could have sold proprietary source code in the hackers’ underworld. But no; Kevin lacks a vital attribute. He has nerves of steel and gigantic balls, but he does not possess a criminal core. He was simply educating himself.

That is, until he got himself in trouble for snooping. Then he needed that information to protect himself, so he could make untraceable phone calls, so he could listen in to others. As the Feds closed in on him, he needed to know how much they knew about him, too.

Many times while reading Ghost in the Wires I wanted to smack Kevin. I wanted to shake him and say “you just got out of juvenile detention for doing just this—why are you doing it again?” He makes it clear that his hacking was his idea of fun and entertainment, to see if he could get to the next level. Like an addicted gamer.

It turns out, after all, that Kevin was busy educating himself. From “the world’s most wanted hacker” he has become one of the most wanted security experts in the world. He’s now considered the ultimate social engineer and an “ethical hacker,” one whose challenge is to break into his clients’ systems, whether electronically or by social engineering. In other words, as Mitnick Security, he’s now paid to do what he loves, and he no longer has to look over his shoulder.

Social engineers are an ominous bugbear to security. A company (or you!) can have the tightest security system in place, but humans are its weakest link. For a hacker like Kevin, it’s easier to simply ask for the key to the front door than to steal it. He simply has to ask in the right way. Because social engineers are basically skillful actors playing a role, they’re an invisible threat and a daunting challenge for businesses.

I’m no hacker, that’s for sure, nor even a programmer. Yet, I found it fascinating to read exactly how Kevin finagled himself into systems and tweaked them to his advantage. Kevin wanted to include more of the nitty-gritty hackery in the book, but his co-author, Bill Simon, saved us readers from too much esoterica. I think they struck an excellent balance. I never felt bogged down by the technical bits.

In fact, some might worry that Ghost is a hackery cookbook, complete with lessons in how to get others to spill their secrets. I worried about this aspect with my own book, Travel Advisory: How to Avoid Thefts, Cons, and Street Scams.

Does an exhaustive explanation of theft techniques actually teach the thieves? Kevin and I obviously came to the same conclusion: no, there’s more to gain by putting all the details out there, the better to protect yourself.

I feel a little sorry for all the good people whose trust Kevin exploited. They bought into his ruses in a good-faith effort to be helpful. No doubt that he used them, and probably got many of them into big trouble. Well, in my line of work too, thiefhunting and training the public to avoid theft, a kernel of cynicism is not a bad seed to plant. Kevin’s patsies will think twice before giving out sensitive information.

Ghost is 400+ pages of tension, broken only by Kevin’s sentimental musings about his mother and grandmother, who are constant supportive figures in his life, and the heartbreaking side-story of his brother. It’s fast reading—a tribute to the clear writing and exciting story.

Yeah, yeah, you think I’m all positive because Kevin’s my friend. He gave me an unedited galley copy of the book (littered with typos), but didn’t ask me to write about it. If I hadn’t liked it, I wouldn’t have written a word.

Or maybe I would have. After all, Kevin might not be a real friend of mine…

© Copyright 2008-present Bambi Vincent. All rights reserved.

Database data loss

Vault door; Database data loss


People often share their credit card anxiety with me. They’re afraid their cards will be lost or stolen and huge bills will be run up by a thief, and that their identities will be cloned. “Is it better to just carry cash?” they ask. “Should I follow the waiter when I pay my restaurant bill?” “How safe is it to use a credit card on the internet? Will my identity be stolen?”

So let’s put these questions to rest. Then we can move on to the real risk.

First, yes. Your credit card can be lost or stolen and big debts can be incurred by others. You won’t be responsible—your financial institution takes the hit. But in the grand scheme of things, the odds are not high that your credit card will disappear and be compromised. The risk is higher in some places than in others, and for some people more than for others. But that’s life. Get over it and live.

No. It’s not better to carry cash. Keep some cash for small (or secret) purchases, and use credit cards for the rest.

Yes, shop on the internet with your credit card. If it makes you feel better, get one of those temporary credit card numbers on your account, good for a single transaction or a limited amount. Without internet and a credit card, you’re crippled.

The real risk of identity theft and credit card fraud

It’s big business. The hotels and hospitals we go to, the stores, banks, schools, airlines, doctors, utilities, credit unions we use, and even government organizations. All of these and more store information about us. They all comply with information security regulations to some extent. But how much and how well? Our identities are in the hands of those who store our details.


If our PII (personally identifiable information) is set free, it will most likely be due to an electronic data breach of some sort, in a (probably-large) batch with others’ information.

We used to be concerned that manila folders containing our records were physically locked up. Who had access to them? How were they discarded? Shredded or dumped in a Dumpster? There’s so much more to worry about now, and so much more than a single set of paperwork. Our most sensitive secrets and deepest dirt are stored electronically on hard drives, on servers, in the cloud, backed up, on laptops, mobile phones, and even on thumbdrives.

Laptops and thumbdrives are lost and stolen every day. Databases are breached every day. This is where the risk is, and it’s out of our hands.

The advantage goes to data thieves like Rogelio Hackett who, until a little slip-up, broke into the computer networks of businesses, downloaded credit card information, and sold it for profit. Big profit.

“The bad news is that banks and businesses have not made great progress in the fight against account takeover fraud,” says The Information Security Media Group in its 2011 Business Banking Trust Study. Bringing institutions to compliance has been a painful process.

Security vulnerabilities are uncovered daily in computer networks everywhere, from the Australian Parliament House to the Pentagon to our water supplies. In the 3/28/11 Los Angeles Times, Ken Dilanian wrote that “Impeding the move toward bolstering U.S. infrastructure is the government’s lack of authority to coerce industry to secure its networks and industry’s lack of an incentive to implement such protections.” He was referring to the threat of terrorist cyberattacks, but our personal security is at risk as well.

Read this for the state of cybersecurity:

A new survey reveals that roughly three-quarters of energy companies and utilities experienced at least one data breach in the past 12 months. … Seventy-one percent of respondents said that “the management team in their organization does not understand or appreciate the value of IT security.” Moreover, only 39 percent of organizations were found to be actively watching for advanced persistent threats, 67 percent were not using “state of the art” technology to stop attacks against SCADA (supervisory control and data acquisition) systems, and 41 percent said their strategy for SCADA security was not proactive. The survey also concluded that the leading threat for energy utilities was not external attackers, but rather inside ones—43 percent of utilities cited “negligent or malicious insiders” as causing the highest number of data breaches. …

InformationWeek (04/06/11)

To get a fuller grasp of the number of electronic records lost or stolen, take a peek at the DataLoss DataBase project, which “documents known and reported data loss incidents world-wide.” You can search by type of data lost (Social Security numbers, financial information, credit card numbers, etc.) and by industry sector (business, government, educational institution, etc.). You can see whether the breach was by an insider or an outside attacker, and whether it was malicious or accidental. And you can search by many types of breach: improper disposal, a hacked or lost computer, a stolen drive, a web attack, etc. I’m especially fond of the datalossdb Twitter feed, for minute-by-minute reports of data losses, with links to known details. For example:

    http://bit.ly/eDcD2s – Blockbuster Video – Employee and applicants’ records containing names, contact details, Social Security and personnel matters found discarded

    http://bit.ly/gW2WYs – AllianceBernstein Holding LP – Employee downloaded client files and transactions before resigning

    http://bit.ly/dTAmUX – Qdoba Mexican Grill – Customers’ card numbers acquired and misused

    http://bit.ly/hdmt25 – Hyundai Capital – Personal credit rating information of 420,000 vehicle loan customers plus 13,000 security passwords acquired by hackers

And on and on. The feed may shock you daily, as it does me. Why is our vital information handled so carelessly?

Well-known and trusted companies like Brookstone, AbeBooks, Ralphs Grocery, Ritz-Carlton, Smith’s Food & Drug, Best Buy, Verizon, etc., assure us they store our information responsibly. Then they farm it out to Epsilon online marketing, a company they do not control. Epsilon got hacked.

More than 65 companies have been impacted, to the great risk and inconvenience of their customers. I got emails after the breach from three of the businesses, warning that data on me had been among the stolen records. Security experts now expect a massive increase in “spear phishing,” in which individuals are personally targeted and tricked by spoofs of companies they have a legitimate relationship with. I get plenty of phishing email already, and some of them look damn believable. Expect them to look even better now, addressed to us by name.

I’m not going to address every risk and precaution here. There is much, and it’s all to be read elsewhere on and off this blog. My points are two:

1. Our ordinary everyday activities may expose us to a little risk of credit card fraud and identity theft, but the big risk is out of our hands.

2. Do look at DataLoss DataBase or at least skim its Twitter feed to get an idea of how much information is lost daily.

© Copyright 2008-2013 Bambi Vincent. All rights reserved.

Credit card shimming

A man enters his PIN while buying Metro tickets with a credit card.

“First there was skimming, now there’s shimming,” says Kim Thomas, former Las Vegas Metro Detective, now an international authority on forgery. Information on this new credit card acquisition technique comes via a Citibank investigator.

Checking the front of a cash machine for attached parts, the usual sign of a skimmer, is no longer enough. A shimmer does the work of a skimmer but is housed completely inside the card slot of an ATM. In other words, it is entirely invisible to users.

Shimming

Kim Thomas describes the shim-skimmer: “The thief makes a circuit board the size of a credit card, but approximately .1 mm thick. They use a carrier card to insert the device. Basically it is a reader-transmitter. The reader does what the usual credit card skimmer does: capture full track data. The transmitter does what bluetooth does: transmit the track data to a receiver. The technology is pretty sophisticated and will be hard to catch once it goes into mass production.”

According to Jamey Heary, Cisco Security Expert, “effective flexible shims are recently being mass produced and widely used in certain parts of Europe.” He diagrams the physical layout of this “man-in-the-middle” attack as installed inside a card-reader.

I haven’t found anyone who has actually seen one of these shimmers, but no one’s calling it just a proof-of-concept, either. It isn’t clear to me whether or not the shimmer works with U.S. credit cards that lack the chip-and-PIN. Anyone know more about this?
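What “full track data” means in practice, as an added example (not code from this post, from Kim Thomas or from Jamey Heary): a small Python decoder for the ISO/IEC 7813 track 1 and track 2 layouts, which is the data a skimmer or shimmer copies off the stripe. It pulls out the fields an investigator looks at first: the PAN with its Luhn check, the expiry, and the service code, whose first digit is what tells a terminal that the card carries a chip, the distinction the chip-and-PIN question above turns on. The sample tracks are constructed, using the standard test number 4111 1111 1111 1111 and a fictitious cardholder name, and the trailing LRC byte is assumed to have been stripped already.

```python
"""Decode ISO/IEC 7813 magnetic-stripe track data (added example, not from
the post). Sample tracks below are constructed: the PAN is the widely used
test number 4111 1111 1111 1111 and the name is fictitious."""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# ISO 7813 service code: first digit 2 or 6 means an integrated circuit
# (chip) is present; third digit 0, 3 or 5 means a PIN is required.
ICC_FIRST_DIGITS = {"2", "6"}
PIN_REQUIRED_THIRD_DIGITS = {"0", "3", "5"}


@dataclass
class Track:
    track_number: int
    pan: str
    name: Optional[str]     # only track 1 carries the cardholder name
    expiry: str             # MM/YY as a human reads it
    service_code: str
    discretionary: str      # issuer data; on real cards this holds CVV1/iCVV
    luhn_ok: bool
    chip_card: bool
    pin_required: bool


def luhn_valid(pan: str) -> bool:
    """Mod-10 check (ISO/IEC 7812) that every issued PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows in the clear."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw: str) -> Optional[Track]:
    """Parse one raw track 1 or track 2 string; None if it matches neither.
    The trailing LRC byte is assumed to have been stripped already."""
    raw = raw.strip()
    m, track_number = TRACK1_RE.match(raw), 1
    if m is None:
        m, track_number = TRACK2_RE.match(raw), 2
    if m is None:
        return None
    svc, exp = m.group("svc"), m.group("exp")   # exp is YYMM on the stripe
    return Track(
        track_number=track_number,
        pan=m.group("pan"),
        name=m.group("name").strip() if track_number == 1 else None,
        expiry=f"{exp[2:]}/{exp[:2]}",
        service_code=svc,
        discretionary=m.group("disc"),
        luhn_ok=luhn_valid(m.group("pan")),
        chip_card=svc[0] in ICC_FIRST_DIGITS,
        pin_required=svc[2] in PIN_REQUIRED_THIRD_DIGITS,
    )


def summarize(raw: str) -> str:
    """One-line, PAN-masked summary safe to put in an investigator's notes."""
    t = parse_track(raw)
    if t is None:
        return "unrecognised track data"
    return (f"track {t.track_number}: PAN {mask_pan(t.pan)} "
            f"(Luhn {'ok' if t.luhn_ok else 'FAIL'}), exp {t.expiry}, "
            f"service {t.service_code}, chip={'yes' if t.chip_card else 'no'}, "
            f"pin_required={'yes' if t.pin_required else 'no'}")


if __name__ == "__main__":
    # Constructed samples: a chipless card (service code 101) and the same
    # PAN issued with a chip (service code 201).
    for sample in (";4111111111111111=25121011234567890?",
                   "%B4111111111111111^DOE/JOHN^25122011234567890?"):
        print(summarize(sample))
```

The masking in `summarize` matters: once track data has been recovered from a seized reader or a dump, the notes and tickets written about it should not themselves become a second copy of the card numbers.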

© Copyright 2008-present Bambi Vincent. All rights reserved.