Corporate sneakiness. Government waste. Technology run amok. Outright scams. Our effort to unmask these 21st Century headaches and offer solutions that save you time and money.

    26 Apr 2013, 4:45pm EDT

    LivingSocial database hacked; 50 million customers impacted

    By Bob Sullivan, Columnist, NBC News

    LivingSocial's customer database has been hacked, impacting the website's 50 million customers. The firm began sending emails to customers Friday afternoon telling them they would have to change their site passwords.

    "We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue," LivingSocial CEO Tim O'Shaughnessy said in an email to employees that was provided to NBC News by a company spokesman.

    The memo said that customer credit card information was not stolen — it was stored in a separate database. And while the hacker stole customer passwords, they were encrypted and "salted," or scrambled.

    In the memo, O'Shaughnessy included the text of the customer email. "Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one," read the email.
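    The memo's claim that the stolen passwords were "salted" and therefore "difficult to decode" rests on a specific storage design. The Python below is added here as an illustration; it is not LivingSocial's code (the company did not disclose its hashing scheme), and the PBKDF2 work factor, salt length and record format are assumptions. It puts a fast unsalted hash, the kind a leaked table makes trivially reversible, next to a salted, deliberately slow hash, and shows verification and work-factor upgrade on login.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example; tune it
# to your hardware so that one verification costs a noticeable fraction of a second.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_digest(password: str) -> str:
    """What NOT to store: a fast, unsalted hash. Every user with the same
    password gets the same digest, so one precomputed table covers them all."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'scheme$iterations$salt_hex$digest_hex'.

    A fresh random salt per record means two users sharing a password get
    different records, and each leaked record must be attacked separately.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time. Malformed or foreign-scheme records never verify."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        n = int(iterations)
    except ValueError:
        return False
    if scheme != SCHEME or n <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, n)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current policy.
    Check this after a successful login and re-hash with the new setting."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    shared = "correct horse battery staple"
    record_a = hash_password(shared)
    record_b = hash_password(shared)
    print("unsalted digests equal:", unsalted_digest(shared) == unsalted_digest(shared))
    print("salted records equal:  ", record_a == record_b)
    print("verify correct password:", verify_password(shared, record_a))
    print("verify wrong password:  ", verify_password(shared.capitalize(), record_a))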

    The company advised consumers who used their LivingSocial password at other sites to change the password at those sites, also.

    The firm expects its customer service phone lines to be deluged, so O'Shaughnessy warned that he may decide to temporarily suspend telephone customer service. "We will be devoting all available resources to our Web-based servicing," he added.

    O'Shaughnessy's message to employees concluded:

    I apologize for the formality of this note, which the circumstances demand. We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.

    When Zappos.com had a similar incident last year impacting its 24 million customers, it also turned off customer service telephone lines temporarily.

    The LivingSocial attack is among the largest ever, doubling the size of that Zappos attack, but still smaller than several other high-profile hacks, such as the 2011 attack on Sony's PlayStation Network, which impacted nearly 100 million users. Because the LivingSocial attack doesn't involve financial information, however, it doesn't rank among the most significant hacks.

    Amazon is a part-owner of LivingSocial. A LivingSocial representative confirmed that Amazon accounts were not affected by the breach.

    3 Apr 2013, 9:51am EDT

    Bank website attacks reach new high: 249 hours offline in past six weeks

    (Chart: Keynote Systems) The chart above shows the availability of major U.S. bank websites during the past year. Data points below the top indicate less than 100 percent availability. Descending fever lines indicate severe outages; many are blamed on denial of service attacks.

    By Bob Sullivan, Columnist, NBC News

    Major U.S. bank websites have been offline a total of 249 hours in the past six weeks, perhaps the clearest indication yet that American companies are prime targets in an unrelenting, global cyber conflict. The heavier-than-usual outages are the result of a remarkable, sustained attack that began seven months ago and repeatedly knocks banks offline for hours at a time, frustrating consumers and bank security professionals alike.

    "Literally, these banks are just in war rooms, sitting at controls trying to stop (the attacks)," said Avivah Litan, a bank security analyst with Gartner Group, a consulting firm. “The frightening thing is (the attackers) are not using as much resources as they have on call. The attacks could be bigger."

    The denial of service reports were hardly noteworthy at first, hidden in the wake of news that U.S. embassies were under siege during the week of September 11, 2012. But in short order, Bank of America, Wells Fargo, PNC and a number of other banks suffered hours-long website outages. A group calling itself Izz ad-Din al-Qassam Cyber Fighters released an anonymous statement saying it was attacking banks in sympathy with real-world protestors who were reacting to an anti-Islam film that had been posted online.

    Seven months later, the group is still taunting the U.S. financial system, with notice almost daily from another bank that had to apologize for letting down its customers. American Express and Wells Fargo issued statements last week saying they suffered outages. Even with advance notice, the biggest financial institutions in the world can’t seem to stop them.

    No one interviewed for this story believes that a perceived insult over a Web movie is the attackers' motivation, as the al Qassam messaging has stated. Though some considered that it might be the work of attention-seeking teen-aged hackers, they would likely have grown bored, or run out of resources, long ago.

    In the fall, national security officials speaking on background told several media outlets, including NBC News, that they suspected the Iranian government was behind the attacks. It seems certain that an organized group, with both a political motive and the ability to fund the operation, is to blame.

    Keynote Systems, which provided the compilation of bank outages exclusively to NBC News, measures website availability by checking sites every five minutes and logging the results. It works with major banks to set up "dummy" accounts so its computers can log in and make sure online banking services are available, and constantly checks the largest 15 U.S. banks. Websites go offline for a variety of reasons — late-night software upgrades, for example — and some outages are to be expected, said Aaron Rudger, a Keynote spokesman.

    Still, 249 hours during a six-week period (ending March 31) is significant, indicating those bank websites were unavailable for about 2 percent of the time during that stretch. For comparison, during the same six weeks a year ago, the same bank websites were down 140 hours. Keynote has no way of knowing why a site is unavailable, but Rudger was comfortable inferring that the so-called al-Qassam attacks were responsible for most of the increase.
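    The article describes Keynote's method only in outline: a probe of each bank site every five minutes, with outages inferred from failed probes. The Python below is an added example, not Keynote's code or data; the log format, the three fictitious sites and their outage windows are constructed, and it charges one full probe interval of downtime per failed probe (an assumption about how raw probe results become "hours offline"). It parses such a log, totals downtime per site and computes the aggregate availability percentage the article quotes.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# Probe cadence described in the article: one check per site every five minutes.
PROBE_INTERVAL = timedelta(minutes=5)

ProbeRecord = Tuple[datetime, str, bool]


def parse_probe_log(lines: Iterable[str]) -> List[ProbeRecord]:
    """Parse constructed 'YYYY-MM-DDTHH:MM:SSZ site STATUS' lines (assumed format).

    STATUS is OK or FAIL; blank lines and '#' comments are skipped.
    """
    records: List[ProbeRecord] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, site, status = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, site, status == "OK"))
    return records


def outage_hours(records: Iterable[ProbeRecord]) -> Dict[str, float]:
    """Hours of downtime per site, charging one full probe interval per failed probe."""
    failed = defaultdict(int)
    for _, site, ok in records:
        if not ok:
            failed[site] += 1
    return {site: n * PROBE_INTERVAL.total_seconds() / 3600 for site, n in failed.items()}


def availability_pct(records: List[ProbeRecord]) -> float:
    """Aggregate availability across all sites: percentage of probes that passed."""
    if not records:
        return 100.0
    failed = sum(1 for _, _, ok in records if not ok)
    return 100.0 * (len(records) - failed) / len(records)


def synthetic_log(sites: List[str], start: datetime, hours: int,
                  outages: Dict[str, List[Tuple[float, float]]]) -> List[str]:
    """Constructed sample-data generator: outages maps site -> [(offset_h, duration_h)]."""
    lines = [f"# constructed probe log: {len(sites)} sites over {hours} hours"]
    t = start
    end = start + timedelta(hours=hours)
    while t < end:
        for site in sites:
            ok = not any(
                start + timedelta(hours=off) <= t < start + timedelta(hours=off + dur)
                for off, dur in outages.get(site, [])
            )
            lines.append(f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} {site} {'OK' if ok else 'FAIL'}")
        t += PROBE_INTERVAL
    return lines


# Constructed sample: 48 hours, three fictitious sites, two of them with outages.
SAMPLE_START = datetime(2013, 3, 1, tzinfo=timezone.utc)
SAMPLE_SITES = ["bank-a", "bank-b", "bank-c"]
SAMPLE_OUTAGES = {"bank-a": [(3, 2)], "bank-b": [(10, 1), (30, 0.5)]}


def sample_report() -> Tuple[Dict[str, float], float]:
    """Run the parser and both metrics over the constructed sample."""
    records = parse_probe_log(synthetic_log(SAMPLE_SITES, SAMPLE_START, 48, SAMPLE_OUTAGES))
    return outage_hours(records), availability_pct(records)


if __name__ == "__main__":
    hours, pct = sample_report()
    for site, h in sorted(hours.items()):
        print(f"{site}: {h:.1f} hours offline")
    print(f"aggregate availability: {pct:.2f}%")
```

    Read this way, the article's "about 2 percent" is an aggregate across the 15 monitored banks: 249 hours against 15 sites times 1,008 hours in six weeks is roughly 1.65 percent of site-hours. Charging a whole interval per failed probe slightly overstates short outages, which is the conservative direction for an availability report.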

    (Video) An ongoing series of attacks on the U.S. financial industry, unlike anything seen before, has left 15 of the largest U.S. banks offline for a total of 249 hours in the last six weeks. NBC's Tom Costello reports.

    Rodney Joffe issued chilling advice to banks preparing for an al Qassam-style attack last fall: Prepare a sincere-sounding apology, he said at the time. Given the volume of apologies since then, he turned out to be right.

    "It goes on and on and on ... It's like they are kicking sand in someone's face, reminding people that they are there," said Joffe, who is senior technologist at Internet infrastructure company Neustar, which helps companies fight denial of service attacks. "You just have to ask yourself, 'Why?' (The attackers) just seem to enjoy being able to say 'On an ongoing basis, we can make life uncomfortable for your banking industry.'"

    Not everyone thinks the bank site outages are such a big deal.

    Michael Smith, director of the customer security incident response team at Akamai Technologies Inc., which provides website performance optimization and security for some of the companies targeted in the attacks, points out that customers have plenty of other ways to manage their money, and the outages haven't amounted to much more than an irritant.

    More importantly, he says al Qassam has begun targeting smaller banks and other kinds of websites as larger banks become more successful at fending off their attacks or shortening the outages. The attackers also took a hiatus for part of February — Smith says to invent new attack techniques, probably — and have ceased tipping off targets ahead of time with weekly press releases.

    "We aren't seeing as many notifications that sites are down as we were. The impact just is not as dramatic as it was," Smith said. "They are changing tactics and trying to generate more attention, more press."

    Joffe says this is part of their strategy.

    "The bad guys here are using just enough of their firepower to achieve their objectives and not more," Joffe says. "They are creating a disruption to the banking industry. ... We already know if they wanted to make it bigger attack, they could, but it seems pretty clear that's not their intention."

    26 Mar 2012, 8:07pm EDT

    EXCLUSIVE: Hackers turn credit report websites against consumers

    (Image: Dan Clements) This hacker shopping list appeared recently on what appears to be a Russian-based website offering credit reports for sale. Prices are based on the victims' credit scores.

    By Bob Sullivan, Columnist, NBC News

    The most important tool consumers have to fight against ID theft has been turned against them by hackers, msnbc.com has learned. Websites that offer consumers a chance to see their credit reports are being brazenly used by hackers to steal victims' information.

    The prices of the reports rise and fall depending on the credit score of the victim. For consumers with credit scores in the 750s, report data might fetch $80; reports from victims with scores in the low 600s sell for about half that, according to "for sale" pages viewed by msnbc.com.

    "It shows how people with good credit and a net worth now have a bull’s-eye on their backs," said Dan Clements, who operates the Internet security firm CloudEyez.com. Clements gave msnbc.com a virtual tour of the marketplaces, which he has been observing for months.

    The most troubling part of these markets, however – many are hosted in the .su domain, which stands for the now-defunct Soviet Union – is the ready availability of credit reports and the hackers' bragging about how easy it is to infiltrate websites like AnnualCreditReport.com or CreditReport.com.

    "I'm selling super prime credit reports and scores which include all 3 bureaus and other information," brags one advertisement on one site.

    Clements helped msnbc.com view dozens of credit reports on the forum, many of which had CreditReport.com stamped across the first page. But others viewed by msnbc.com indicated they were stolen from AnnualCreditReport.com and Equifax.com. Clements said most other online credit report and some credit score suppliers were hit, too; he shared a page showing a victim's score produced at CreditKarma.com.

    "We really have no idea how many reports have been used or put up for sale in the 'libraries,'" said Clements, who also operates a consulting firm. 

    The credit report trade shows why even simple credit card fraud – long considered a relatively benign form of ID theft – can escalate quickly into a full-blown identity nightmare. Criminals with stolen cards can obtain background reports, credit reports and ultimately open new accounts using the information gleaned about the victim, Clements said.

    In one how-to posted on a bulletin board, a hacker describes a brute-force attack used to gain access to credit report websites. Most sites are protected by "challenge" questions such as, "Which bank holds the mortgage on your home?" But there's a critical flaw, the hacker said:

    "Normally all ... of them will ask you the same question," the hacker wrote.

    Because the sites use the multiple choice format, it's easy to use the process of elimination and determine the correct answers, he claims.

    The hacker explained that the trick is to open several credit report sites and keep trying random answers until one set works.

    The recipe is highly detailed, including helpful tips such as, "Take a shot of screen to remember what answers you gave. After that click the submit button and see what it says."

    (Image: Dan Clements) This bulletin board post, intentionally cut off to be incomplete by msnbc.com, shows a hacker discussing how he allegedly defeats credit report website security.

    A would-be credit report thief needs additional information to get credit report access, but that can often be gleaned by ordering background checks using the victim's stolen credit card. Reports stolen from Intelius.com and BeenVerified.com, which provide previous addresses and a host of other valuable information, also were found on the site.

    One victim whose credit report was spotted on the site told msnbc.com that she found one instance of credit card fraud on her accounts around the time the data theft was first discovered by Clements. She now pays to maintain a credit freeze on her credit reports.

    "You hear about this kind of thing all the time but you never think it will happen to you," said the victim, who requested that her name be withheld. "And when it happens, you think, 'Great. Now what do I do?'”

    For years, consumers have been advised to visit AnnualCreditReport.com once each year to see their reports. Federal law requires the nation's three largest credit bureaus – Experian, Equifax, and TransUnion – to maintain the site, under the direction of the Federal Trade Commission.

    That's still good advice – looking at your credit report is the best way to detect identity theft. But the site is apparently both an ally and a foe now.

    The FTC would not comment on hackers' use of AnnualCreditReport.com.

    In the past, the FTC has sued companies for inadvertently selling credit report data to hackers, however. In 2011, the agency settled with Settlementone Credit Corp., ACRAnet Inc. and Fajilan Associates after those firms unknowingly sold reports to criminals. The three firms were ordered to submit to 20 years' worth of security audits.

    Those firms prepare reports for car dealerships and other credit granters. Raiding consumer-facing sites like AnnualCreditReport.com is even more brazen, however.

    CreditReport.com is operated by credit bureau Experian; that firm also provides credit reports to consumers as part of AnnualCreditReport.com.

    "Experian is aware of schemes such as this to access reports illegally, and we have taken measures within our systems to mitigate the issue," said Experian in an e-mail to msnbc.com. "We are constantly evolving our systems to prevent fraud and criminal activity, but do not comment publicly on the specifics of our fraud prevention methods." 

    TransUnion and Equifax, which also provide reports through AnnualCreditReport.com, did not immediately respond to requests for comment.

    Kenneth Lin, CEO of CreditKarma.com, said the firm had received "a handful" of complaints about compromised accounts and worked quickly to shut down access. CreditKarma credit score reports show no account information or other personal data, so the security risk posed by an imposter getting a victim's score is minimal, he said.

    "That's intentional. That's a security feature," he said. The site also uses more difficult challenge questions than AnnualCreditReport.com, Lin added.

    Solving the problem of credit reports stolen through consumer websites is no small task. One irony of the hackers' ability to easily raid such sites is that many consumers report great frustration getting their own credit reports through AnnualCreditReport.com. The challenge questions are sometimes so arcane – such as, "Which bank held your previous auto loan?" – that legitimate consumers can't answer them easily.

    "But anyone who does any research can probably figure out what the answers are before you can," said Jay Foley, who runs IDTheftInfoSource.com. In other words, it's too easy for criminals to get credit reports, but it's too hard for consumers.

    One of the websites where Clements observed the stolen card activity – kurupt.su – dropped mysteriously off the Web late last week. The site was well-known as a haunt for criminals and scam artists in the computer underground. But Clements says that will hardly put a dent in the stolen data trade.

    "You currently can't stop this scam because the 'soft inquiry' of a consumer pulling their own report doesn't record in the majority of credit files," he said, explaining that a consumer would never know if a criminal pulled a copy of their report. "Unfortunately, it allows the bad guys, by impersonating you, to download your credit file and leave no tracks."

    6 Aug 2009, 6:27pm EDT

    What Twitter outage means for you

    The best way to get the attention of a classroom full of rowdy kids is to turn the lights off. And the best way to get the attention of Internet users is to essentially do the same thing.

    Thursday's Twitter denial-of-service hack certainly grabbed everyone's attention. Nothing like a total shutdown to make people sit up and take notice. But relatively speaking, denial-of-service attacks are harmless. Everyone's been through it - CNN, Yahoo, Microsoft. Heck, Facebook and LiveJournal were hit Thursday, too, by the social media bandwidth bandit. (Msnbc.com is a joint venture of Microsoft and NBC Universal.)

    But Twitter's been hit by far more serious security issues in the recent past. Just last month, a hacker wormed his way through Twitter and into personal documents of a company executive. Earlier this year, a hacker managed to impersonate several high-profile public figures (including President Barack Obama and CNN's Rick Sanchez) by hijacking their Twitter accounts. Not to mention all the spam, viruses, and malicious links that are finding their way around the microblogging site these days.

    Oops, we did it again. We invented a cool new technology, got millions of people hooked on it, seduced them into over-sharing information through a false sense of security, and created a wonderful playground for hackers. E-mail, Web browsers, online shopping, Facebook -- they've all gone through the same growing pains.


    It doesn't have to be this way, of course. Last week, the world's best security minds gathered in Las Vegas at the Black Hat/DefCon conference. One year ago, researcher Dan Kaminsky got everyone's attention by threatening to quite literally shut down the Internet. A flaw he discovered could have enabled a hacker to render the Web useless in a few minutes. It was fixed promptly.

    This year, Kaminsky was back with a slightly less dramatic flaw: a trick that would have basically disabled "https" and those security locks on Web browsers.  That got fixed too. But still, he's frustrated. The vast majority of Internet perils are avoidable, if companies like Twitter baked security directly into their products.  And still, nearly two decades into the grand public experiment of Internet use, nearly all consumer information is protected by a measly user name and password combination.

    "Sixty percent of all attacks are just passwords. Missing passwords, stolen passwords," he said. "We have this technology and it's not working. If we don't do things better it's going to be a real problem."

    Authentication, he explained, is at the heart of all commerce, and all Web transactions. For the most part, we're no further ahead in authentication technology than we were in 1995.

    The hacker who attacked Twitter executive Evan Williams' e-mail claims he got in by simply guessing the answer to one of those silly "Forgot your password?" questions, like "What is your dog's name?"  We warned users about this last year.

    Still, Twitter used the technology, Williams allegedly trusted it, and now people know what he purchased at Amazon recently.  Criminals who got into his Twitter account used access to "escalate" their way into Williams' Google Docs account as well, and obtained sensitive information about the company.

    Theoretically, it's not that big a deal for someone to hack your Twitter account - everything you say there is designed to be public.  But increasingly, like Williams, Web users are slowly but surely moving everything they do online, and linking it all through various social media and document-sharing tools.

    If the thought of not being able to tweet for a few hours bothers you, stop for a moment and consider what might happen if someone was able to access all your online activities, read all your e-mail, or impersonate you and send nasty notes to your boss or wife.

    Moving in the right direction
    Twitter deserves credit for trying to play catch-up. Recently, it quietly instituted a security upgrade - disabling links to known hacker sites. A positive step, and one that could so irritate the bad guys that I wouldn't be surprised if there's a connection between this new security tool and the denial-of-service attacks.

    Twitter has other enemies, too. Its shining moment came during the recent Iranian uprising, when Twitter proved robust in the face of government censorship.

    But the question remains: Why would a service like Twitter set itself up for this string of attacks and bad publicity?  Kevin Haley, director of security response at Symantec Corp., says it's normal "growing pains" for a ragingly successful Internet startup.

    "Nobody has a full-blown security plan when they develop their business plan or their site," he said. "At the beginning, you are completely focused on getting your site up and your services up. Anything like security that makes it harder for people to join, you're not going to want to put that into place."

    Eventually security problems arise, and then companies address them, he said.
    That means you, me, and everyone else who hops on the next great Web thing is really just allowing the creator to experiment with our personal information.

    A few hours without Twitter is nothing to be alarmed about.  But today's incident, and other recent missteps, provide continued hints that things at social media sites aren't as safe as we perceive.

    It's enough to make you wish that the last hacker to break into a major Web site would turn the lights off when they leave.

    RED TAPE WRESTLING TIPS
    What does this mean for you?  Once upon a time, it was consumer gospel that you never bought a new car in its first production year.  You let the manufacturer work out the kinks with other suckers for a year before you jumped in. When it comes to exposing personal information, that's a pretty good strategy.  Twitter, Facebook, online document storage, all these services have a lot of promise.  But I'd let these security issues settle down for a while before I trust them with anything meaningful.

    Here's a good rule of thumb: Recent celebrity incidents should have taught all of us that anything we say to a police officer during a traffic stop could become public record and end up in front of the whole world, so it's best not to say anything you wouldn't want everyone to see. That's a good rule for online services, too. Before you type or post, picture everyone you know reading it. If that gives you pause, you should probably hit the delete key.

    Also, it's more important than ever not to use the same password at all sites.  A hacker who breaks into your Twitter account will immediately try to break into Amazon, Yahoo, Hotmail, Gmail, Facebook, and any other ubiquitous site.  Imagine the trouble someone who read your Gmail could cause.

    And now's a good time to take a look at those "Forgot Your Password?" links on your favorite sites. If the question is "What was your high school mascot?" and your Facebook picture is you wearing a sweatshirt with a horse on it that says "Lake City 'Stangs," you should change your question.

    One theory has a new variant of the Koobface virus responsible for these outages. It's easy to fall for Koobface, because it can arrive as a tweet that looks like it's from a friend, with a link to video.  Clicking on unexpected links is always a bad idea, but those clever "bit.ly" links, and their shortened URLs, create a particular hazard. Because you don't really know where you are going (the landing URL is hidden), bit.ly links are great for hackers, bad for you. Just ask your friend to re-send the full link. That'll foil most hackers.

    Finally, if you are so inclined, send a note to the CEO of the companies involved saying you are very concerned about security. The chief reason security pros like Kaminsky gather in Las Vegas every year is to commiserate on this fact: the marketing department always gets much more money than the security department. You could help their cause by letting companies know that you care about security and privacy.


    17 Feb 2009, 7:43pm EST

    Wikipedia, Google show Obama racial slur

    Web surfers who used Google.com to search for information on President Barack Obama on Tuesday afternoon were presented with a racial slur. The slur originated from Obama's Wikipedia entry, after a user had removed all content in Obama's entry and replaced it with three repeated words: a derogatory term for African-Americans.

    Wikipedia.com's revision history records show that the slur was only live for two minutes, with the Obama page edited to include the slur at 4:44 a.m. Greenwich Mean Time (just before midnight ET) and the original content restored at 4:46.

    But the slur lived on in Google search results. Anyone who Googled "Obama," "Barack Obama," or "President Barack Obama" was presented with a link to the Wikipedia reference page showing the racial slur, sometimes as high as the second result. It was removed about 4 p.m. ET after msnbc.com made inquiries to Google.


    The slur was contained within a blurb of text called a "snippet," which Google presents on its initial results page to show users what they will see if they click on the link. Google's Wikipedia snippets generally include the first sentence or two of the Wikipedia entry.

    Even though the slur was visible nearly 16 hours after the Wikipedia entry was changed, Google spokesman Eitan Bencuya said it's unclear how long it appeared on Google's site.

    Google scans the Web constantly, updating its database of links and snippets. Unfortunately, Google grabbed the slur during the two-minute period that Wikipedia displayed it, he said. But Bencuya said it could have taken hours after it was indexed for it to appear on the site.

    "I imagine it wasn't on there for very long, otherwise we would have received a lot of complaints," he said.

    Wikipedia did not immediately respond to requests for comment. Wikipedia is collectively edited by its registered users, and nearly any entry is subject to such attacks. Politicians and other public figures are frequent targets of such attacks. Entries with racial slurs are normally removed quickly by other editors.

    30 Jan 2009, 10:00am EST

    Facebook ID theft targets 'friends'

    Bryan Rutberg's daughter was among the first to notice something odd about her dad's Facebook page.

    At about 8 p.m. on Jan. 21, she ran into his bedroom and asked why he'd changed his status to: "BRYAN IS IN URGENT NEED OF HELP!!!"

    Rutberg initially thought little of it, and lay down for an after-dinner nap. But an hour later, when his wife woke him to ask what was wrong, he took a second look and realized his Facebook account had been hacked. Within minutes, his cell phone was ringing non-stop, with concerned friends calling to offer help. Many had received an e-mail with the story that Rutberg had been robbed at gunpoint while traveling in the United Kingdom, and needed money to get home. One even sent $1,200 to a Western Union branch in London.


    The Seattle resident and Microsoft employee then spent the next 24 hours in a frantic search for a way to contact Facebook and stop the hackers. But he was locked out of his own account and locked into a Catch-22: criminals had changed his login credentials so he couldn't access his own Facebook page. That meant he couldn't remove the dire status message. He tried to use his wife's account to put a message on his "wall" indicating he was fine, but the scammer had "de-friended" his wife, so that didn't work. And he had no outside-of-Facebook way to contact many of his friends. Before he succeeded in getting his account deactivated, a friend's impulsive generosity had cost him big-time, and Rutberg was left wondering how carefully Facebook protects its users from these kinds of crimes.

    "It was all over by Thursday (the next day) but not without a hell of a lot of drama," Rutberg said. By then, friends had filled up his cell phone with text messages of concern, sent endless e-mails, and one even called Microsoft to warn the firm that an employee was in trouble.

    (Microsoft, which owns msnbc.com in a joint venture with NBC News, also holds a minority stake in Facebook.)

    Rutberg was the victim of a new, targeted version of a very old scam -- the "Nigerian," or "419," ploy. The first reports of such scams emerged back in November, part of a new trend in the computer underground -- rather than sending out millions of spam messages in the hopes of trapping a tiny fraction of recipients, Web criminals are getting much more personal in their attacks, using social networking sites and other databases to make their story lines much more believable.

    In Rutberg's case, criminals managed to steal his Facebook login password, steal his Facebook identity, and change his page to make it appear he was in trouble. Next, the criminals sent e-mails to dozens of friends, begging them for help.

    Bryan Rutberg

    "Can you just get some money to us," the imposter implored to one of Rutberg's friends. "I tried Amex and it's not going through. ... I'll refund you as soon as am back home. Let me know please."

    Like all Facebook messages, the pleading note appeared right next to a picture of Rutberg, making it all the more convincing.

    One of his friends, Beny Rubinstein -- a fellow Microsoft employee -- fell for the story. At 10:30 p.m. that Wednesday night, he sent $600 via Western Union using an online service. The following morning, Rubinstein received a phone message from the imposter, asking for more money. So he went to a local retail store and wired another $600.

    In an e-mail to Rutberg, Rubinstein explains how he got taken in.

    "I thought the whole story was weird but given the circumstances my instinct was to help you out," Rubinstein wrote. "I was afraid it was a scam, but since I transferred using your name and given the emergency situation, I did it."

    No Facebook phone number
    Facebook confirmed Rutberg's identity theft story and said it's beefing up security in reaction to the new scam. But Rutberg isn't sure how effective the social networking company has been. His main complaint: There is no way to call the firm and sound the alarm that a crime is in progress. The company confirms it doesn't accept phone calls.

    "We don't offer phone support. We would love to do that but with 150 million users worldwide we are just not staffed to do that," said company spokesman Barry Schnitt. "I don't know any free Web service that does."

    Instead, Ryan McGeehan, a member of Facebook's security team, said the firm responds quickly when consumers fill out forms on its Web site complaining about account takeovers and other privacy concerns.

    But Rutberg said he tried that, almost immediately, and got no response. He received no reply to e-mails sent to privacy@facebook.com, either.

    "Facebook has been no help through normal channels," he said. Only a message sent to a cousin who has a friend that's a Facebook employee got results. Thanks to this personal, internal contact, Rutberg said, the account was disabled.

    How to find out who's been hit?
    But one week later, Rutberg still couldn't get into his old account, meaning he had no way of knowing which friends had been contacted by the scammer.

    McGeehan said Rutberg's experience was unusual; identity theft victims normally have their accounts restored quickly through a process that involves e-mails from customer support with challenge questions like "What was your pet's name." Then, users can quickly track down friends who might be potential victims.

    McGeehan confirmed that other victims had wired money in response to similar pleas for help, though he said the scam has impacted a very small number of users. Facebook won't refund any of the victims, McGeehan said.

    Part of a chat dialog between the imposter and one of Rutberg's friends. Her information has been intentionally obscured.

    Facebook is also adding tools that automatically detect suspicious behavior typical of a Nigerian scammer and warn users, McGeehan said.

    "We are trying to improve the process," he said.

    But Facebook has had several months to find a solution to the Nigerian scam – at least since the initial reports back in November – and it's still failing to protect users, says Mark Neely, a Facebook user who lives in Australia, and was hit by the same identity theft scam on Jan. 14. He said he found the online security report form fruitless.

    "(I) heard nothing from Facebook for over 40 hours," he said. "The hackers were still active in my account -- I was receiving phone calls and SMSs (text messages) from concerned friends throughout."

    Only after he posted a note that got the attention of Wired magazine did he get a response from the company. His account was disabled, but when asked for data showing him which friends had been contacted by the criminals, Facebook officials refused.

    "Facebook told me that they could not disclose those details for privacy reasons and that I should consult a lawyer and obtain a court order for disclosure," he said. Because his imposter de-friended nearly everyone in his account, two weeks later, he has no idea how far the scammers got. He wasn't shy about his frustration with Facebook.

    "Absolutely pathetic response times, and even worse 'support' in remedying the problem and ensuring none of their customers lost money," he said.

    'Easier to pretend you're someone else'
    Kevin Haley, a director at Symantec Corp.'s Security Response team, said his firm is seeing a sharp uptick in attacks on social networks, though he could provide no precise data.

    "It's easier to pretend you're someone else in the Facebook environment," he said. "We are seeing a tremendous amount of phishing for login credentials for social networks."

    Rutberg isn't sure how criminals got his password, but he thinks he probably fell for a phishing e-mail. Because Facebook regularly contacts its users through e-mail, and includes links to login pages in those e-mails, the format is ripe for phishers. It's easy to imitate Facebook's e-mails and send users clicking through to a look-alike login page that steals their passwords.

    Haley said there really isn't a way for antivirus software to stop such a scam.

    "There's no malware involved," he said. "Some of it can be caught with spam filters ... but really, this is just an instance of people talking to each other through e-mail, you can't stop that."

    RED TAPE WRESTLING TIPS
    Facebook's security team recommends use of an anti-phishing filter to weed out Facebook phish. It also recommends that users pay close attention each time they log on, to make sure they've landed on the authentic Facebook site.

    The firm also made a number of other recommendations:
    • Be suspicious of anyone – even friends – who asks for money. Verify their circumstances independently, preferably by direct telephone contact.
    • Don't use the same password for all Web accounts -- something many Web users do. Because Facebook is so popular, criminals who manage to steal any user's password will surely try it on Facebook.com.
    • Have more than one contact email address, in case one is compromised.

    Victims of the scam -- or any bout with Facebook identity theft -- should fill out the form at this Web site, Facebook says. Keep the link handy: It's very hard to find using normal methods from Facebook's home page. http://www.facebook.com/help/contact.php?show_form=account_compromised.


  • 5
    Jan
    2009
    6:16pm, EST

    Obama, CNN Twitter accounts hacked

    Social networking tool Twitter was hit by a major hacker attack on Monday, with several "high profile" accounts -- including that of President-elect Barack Obama -- taken over by computer criminals, the firm said.

    The hackers then impersonated a series of famous users by sending out fake, sometimes embarrassing messages.

    Among them was a Twitter message posted on CNN anchor Rick Sanchez's blog that said Sanchez "might not be coming into work today," because of drug use. The message was quickly removed.


    A later message on Sanchez's Twitter account said, "Sorry loyal followers. Someone hacked us for a moment there." Sanchez is among Twitter's most popular users, and incorporates the service into his afternoon show on the cable network.

    A spokeswoman for CNN said the network would issue a statement on the situation shortly.

    Obama's Twitter page urged visitors to take an online survey and win a gas card, but the link actually sent visitors to a site that pays commissions to affiliates who generate traffic.

    Other Web surfers suggested that several other high-profile users also were hit by hackers. Britney Spears' Twitter page included obscene language. A note critical of anchor Bill O'Reilly was apparently posted on the Fox News Twitter page.

    Twitter acknowledged the hack, posting on its corporate blog at about 1:30 ET that "we have identified the cause and blocked it."

    The San Francisco-based company said that 33 accounts were compromised "by an individual who hacked into some of the tools our support team uses to help people do things like edit the e-mail address associated with their Twitter account when they can't remember or get stuck." Sanchez and Obama are now back in control of the accounts, Twitter said. The company also said that Obama had not posted to the Twitter page since the Nov. 4 election.

    Also, a phishing attack
    The high-profile hacks weren't the only problem Twitter had on Monday. The firm also suffered a first-of-its-kind phishing attack over the weekend.

    The firm said the phishing attack was "unrelated" to the high-profile Twitter impersonation.

    Thousands of Twitter users reported receiving messages urging them to visit a Web page with the message: "Check out this funny blog about you." Others received a similar message that said, "Hey, i found a website with your pic on it. … LOL check it out here twitterblog." On Monday, another phishing message said users could win an iPhone by clicking on the message.

    Users who clicked on the link were asked to log in to Twitter. The site they were directed to mimicked the real Twitter site, but was actually controlled by hackers and apparently designed to steal Twitter passwords. At least some of those who fell for the ruse had their accounts hijacked and used to send out more phishing e-mails.

    Phishing e-mails are hardly new, and many Web users have become too sophisticated to fall for traditional e-mail phishing scams. But the Twitter phishing messages were more believable, for several reasons. They appeared to be sent by a trusted user. And Twitter users can log in using third-party sites.
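    The look-alike login pages in this Twitter attack, and in the Facebook phishing described in the post above, both depend on the victim not reading the host part of a link. What follows is an added example, my own code rather than anything from Facebook, Twitter or Symantec, of the check a mail filter or a careful user should apply: only the host decides where a link goes, so the brand name appearing in a path, in a subdomain of a foreign host, or in the user-info portion before an "@" is a lure, not a destination. The sample e-mail body, the 203.0.113.9 address and the account-check.example host are constructed for this example; refusing internationalised host labels outright is an assumption of this check, not a rule from the article.

```python
import re
from urllib.parse import urlsplit


def check_login_url(url, expected_domain):
    """Return (ok, reason): does `url` really land on `expected_domain` or a subdomain of it?

    Only the host decides.  Scheme, user-info, port, path and query are all places
    where a phisher can print the brand name without owning the domain.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    host = parts.hostname          # lower-cased; 'user@' prefix and ':port' already stripped
    if not host:
        return False, "no host"
    if not host.isascii() or "xn--" in host:
        # Internationalised labels can be homoglyphs of the brand.  Assumption of this
        # check: treat them as "needs review" (a genuine IDN site would also be refused).
        return False, "internationalised host label"
    if host == expected_domain or host.endswith("." + expected_domain):
        return True, "host under " + expected_domain
    if expected_domain in url.lower():
        return False, "brand name used as a lure outside the real host"
    return False, "foreign host " + host


HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def classify_links(html, expected_domain):
    """Apply check_login_url to every href in an HTML mail body: [(url, ok, reason)]."""
    return [(u,) + check_login_url(u, expected_domain) for u in HREF_RE.findall(html)]


# Constructed phishing sample: one genuine link, then two lures.  Not a real message.
SAMPLE_MAIL = """\
<p>Someone wrote on your wall. <a href="https://www.facebook.com/n/?inbox">See it</a>.</p>
<p>Your password has expired. <a href="https://www.facebook.com.account-check.example/login.php">Re-enter it</a>
or use <a href="https://www.facebook.com@203.0.113.9/login">this link</a>.</p>
"""

if __name__ == "__main__":
    for url, ok, reason in classify_links(SAMPLE_MAIL, "facebook.com"):
        print("OK  " if ok else "BAD ", url, "-", reason)
```

    The same function covers the Twitter case by passing "twitter.com" as the expected domain. Note that it deliberately accepts any subdomain of the expected domain; if an attacker can create hostnames under the brand's own domain, this check alone will not catch it.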

    "If you are a Twitter subscriber you should be aware of these recent phishing efforts and how to protect yourself," said Marian Merritt, a security expert at Symantec Corp.

    Twitter allows users to connect with each other through short, 140-character messages similar to cell phone text messages. The service says it has 6 million registered users, though the number of active users is less. Similar to Facebook or MySpace, users agree to subscribe to each other's "feeds," and can follow each other's daily lives through the short notes.

    While having a Twitter account hijacked might not seem that dangerous, it obviously can be detrimental to high-profile users. Also, nearly half of all Web users use the same password at all Web sites they use, according to security firm Sophos, meaning Twitter users who fell for the phishing attack may also have put their online banking accounts and other financial accounts at risk.

    Twitter is urging users to change their passwords in response to the attack.

  • 30
    Dec
    2008
    8:00am, EST

    Tech: What will go wrong in 2009

    At 12:30 a.m. on Dec. 2, hackers pulled off what might have been the perfect computer crime. You can expect a host of imitators during 2009.

    Beginning early that morning and continuing for nine hours, customers who visited MyCheckFree.com to pay bills made an unexpected visit to computer servers in Ukraine. The customers did nothing wrong; many followed a bookmark or even typed in the Web address manually, as security experts advise. And Checkfree didn't do anything wrong either. The company's computers weren't hacked.


    Instead, criminals hijacked all traffic headed for the bill-paying service by subverting the Internet's domain name system (DNS), which links common Web site names like msnbc.com to the numeric addresses that computers actually connect to.
    Checkfree had to send out notices to 5 million customers indicating they might have been victims of identity theft, though the number of visitors actually affected by the scam was probably closer to 160,000, according to the Wisconsin Office of Privacy Protection.

    If you're wondering what computer headaches you should expect in 2009, the Checkfree attack should be high on your list, says Amit Klein, a domain name system expert at The Trusteer Security Research Group. He compared the attack to a phishing attack on steroids, and said it will probably keep security professionals up late at night. None of their fancy security tools can ward off complete interception of traffic headed to a Web site.

    "(This attack) can bypass sophisticated network, authentication and end point security mechanisms," Klein said. "It is likely to become more common (next year)."
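    An added example, not part of the article or of Trusteer's work: because the CheckFree hijack lived entirely in DNS answers, the practical check is to resolve your own names from outside your network and compare the addresses returned against the netblocks you actually operate. The parser below reads A records out of a wire-format DNS response (RFC 1035 header, question section and compressed names) and flags any answer outside an allow-list. The name billpay.example, the 198.51.100.0/24 block and the two responses are constructed test data (RFC 5737 documentation addresses), not captures from the CheckFree incident.

```python
import ipaddress
import struct


def _read_name(msg, off):
    """Decode a (possibly compressed) DNS name at `off`; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                     # the name occupies just the 2-byte pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_a_records(msg):
    """Return [(name, ipv4, ttl)] for the A records in the answer section of `msg`."""
    _txid, _flags, qdcount, ancount, _nscount, _arcount = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            records.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return records


def unexpected_answers(records, allowed_prefixes):
    """Answers whose address is outside the netblocks you operate: a hijack indicator."""
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]
    return [r for r in records if not any(ipaddress.ip_address(r[1]) in n for n in nets)]


def build_response(txid, qname, addresses, ttl):
    """Assemble a minimal wire-format response (constructed test data, not a capture)."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(addresses), 0, 0)
    qname_wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                          for label in qname.split(".")) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
        for a in addresses
    )
    return header + question + answers


# Constructed scenario: billpay.example is served from 198.51.100.0/24.  The second
# response shows what a redirected answer with a short TTL would look like.
ALLOWED = ["198.51.100.0/24"]
NORMAL = build_response(0x1234, "billpay.example", ["198.51.100.7"], 300)
HIJACKED = build_response(0x1234, "billpay.example", ["203.0.113.44"], 30)

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL), ("hijacked", HIJACKED)):
        recs = parse_a_records(msg)
        print(label, recs, "-> unexpected:", unexpected_answers(recs, ALLOWED))
```

    In practice you would feed this the raw bytes of a UDP reply from several public resolvers and alert on any non-empty result; a sudden drop in TTL is worth alerting on too, since it lets the attacker move targets quickly. The parser deliberately ignores the transaction ID and flags, which this monitoring use does not need.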

    Once again, 2008 failed to bring a virus that brought the computer world to its knees. In fact, it's hard to imagine a worldwide attack on software that would have the impact of the notorious Melissa or LoveBug viruses, which stopped so many PCs that they created the equivalent of a snow day for office workers.

    Targeted attacks and cell phones
    The Checkfree attack serves as reminder that computer criminals favor small, targeted, profitable attacks over loud, obnoxious ones. You don't hear much anymore about "bot networks," those armies of hijacked home computers that made headlines two years ago. But experts still believe millions of home PCs are enslaved by criminal software. As evidence, they point to the continued nuisance of spam, which represents about 81 percent of all e-mail and mostly originates on hijacked PCs, according to spam-fighting firm MessageLabs.

    Even the latest hacker fad -- attacks on social networking sites like Facebook – is designed to quietly gather personal information rather than noisily destroy Web sites.

    Don't get me wrong: I'm not saying we'll never have another computer virus epidemic. The next big nemesis, many security experts say, will not be a virus that slays personal computers, but one that wreaks havoc with your cell phone.

    For years, technology writers have penned stories predicting that the coming year will be the one in which an ominous mobile worm destroys handsets, calls all your friends and hacks into e-wallets to purchase thousands of cans of Coke from e-pay enabled vending machines in Japan.

    All these things will happen. Smartphones will one day meet their match in the virus writing community. But I'm going to side with security researcher Vincent Weafer of Symantec, who proved to have a clear crystal ball a year ago when predicting the rise of Facebook-style attacks, and say that a mobile virus epidemic this year is unlikely.

    Weafer thinks a killer smartphone virus is still a ways off, particularly because smartphones still account for just 11 percent of the cellular phone market, according to research firm Gartner. He reasons that virus writers won't focus their attention on cell phones until they believe they can knock a significant portion of them offline with a single worm.

    More to the point, Weafer said, mobile phone attacks won't really take off until mobile banking takes off. Criminals go where the money is. And in countries like Brazil and China, where many viruses now originate, mobile banking is still several years off.

    Other mobile phone features are ripe for attack, however. Weafer warned that authentication tools like password reminders are vulnerable. Many firms now send password resets or PIN codes through text messaging to telephones. It's generally considered safe for a Web site to send a password reminder to a cell phone number stored when customers sign up, a technique that's called "out of band" authentication. But criminals have caught on to that vulnerability and are hard at work looking to intercept such messages.

    COMING NEXT YEAR
    In addition to flying PINs, what should you watch out for next year to stay cybersafe? The Checkfree incident points to a larger problem:

    There are new reasons not to trust the Web sites you visit. Getting a virus by clicking on an infected attachment is now passé; if your computer gets sick next year, it will probably be because you visited a booby-trapped Web site.

    The Checkfree attack is just one way that criminals can take advantage of well-known brand names to attack your computer. Thanks to the proliferation of Web 2.0 services, which increasingly rely on third-party content that is "sucked" into traditional sites, there are new ways for criminals to place corrupt code on otherwise trustworthy pages. Attackers have spent the better part of this year finding vulnerabilities in Web software so viruses can be injected onto Web servers, so that you'll download them even if you only visit sites you trust.

    Right before Christmas, Microsoft had to rush out a patch for a vulnerability in Internet Explorer that allowed just such an attack. The firm said that 1 in 500 Net users were exposed to the flaw during its first week of exploitation.

    Mary Landesman, a virus expert at the ScanSafe security firm, said Web-delivered malicious software exploded at the end of 2008 -- in fact, more viruses were delivered this way in October than in the entire year of 2007. As in the heyday of e-mail worms, she thinks Web-delivered viruses may get "out of control" during 2009 before companies rein them in. Unfortunately, in some cases the cure may be worse than the disease.

    Most Web sites rely on third-party firms to place ads on their sites, and Landesman expects frustrated software designers will begin blocking all third-party connections or scripting to stop viruses.

    To stay safe, Internet users must know that Web sites -- even trusted ones -- have the potential to infect their computers under certain circumstances. That means it is more important than ever to run up-to-date security software and to download the necessary patches. It's also important to know which sites the kids are visiting, as Web site attacks are more common on less popular sites like music download haunts and second-tier game sites. Users might consider turning off scripting capabilities in their Web browsers, but that means many popular Web sites won't work properly.

    Criminals are becoming much more precise with identity theft-related scams. By now, it seems absurd that anyone would fall for a traditional Nigerian scam promising riches from a recently-deposed royal family. But Weafer, the Symantec expert, said con artists are compiling databases of information that allow them to personalize attacks in believable ways. New Nigerian scams come bearing the recipient's first name, perhaps their hometown and, in some cases, allude to other personal information, such as family members.

    Where does this information come from? It's easily gleaned from social networking sites like Facebook.

    "What we're talking about is much more like data mining," Weafer said. In the underground data trade, criminals now pay much more for data sets that include geographic location or employment information, Weafer said.

    Criminals are using social networking sites to trick "Forgot your password?" features on many Web sites. By gleaning information such as victim's pet names, school affiliations and middle names, criminals can sometimes pass the "question" challenges provided by sites to authorize password retrievals. Then, they get their hands on login information for private e-mail, corporate networks and even online banking.

    Cybercriminals will continue to hit people where they are most vulnerable, targeting the recently unemployed. Security firm McAfee warned in November that work-at-home scams have skyrocketed. Scams that offer to help victims file for unemployment benefits -- tricking them into paying for something that should be free -- also have risen.

    Finally, expect more lost and stolen data next year. The year 2008 brought remarkable data breaches and thefts, including 4 million credit cards exposed to hackers by grocery chain Hannaford Bros., announced in March; 12 million customer identities lost on a backup tape by Bank of New York Mellon in March; 3.4 million motor vehicle records transmitted online by the Colorado motor vehicle department; millions of birthdays inadvertently exposed by Facebook; and 2 million identities stolen by a former Countrywide Financial employee. There's no reason to believe that depressing trend won't continue.

  • 2
    Dec
    2008
    1:32pm, EST

    eBay users: holiday giveaway hacked

    eBay.com users are complaining that a holiday contest offered by the auction Web site has been overrun by Scrooge-like computer hackers, and that eBay's poor design for the contest is to blame.

    As part of its "Holiday Doorbusters" promotion, eBay is giving away about 1,000 items -- everything from jet skis to iPods to a Corvette -- for $1. The first buyer to find and bid $1 on the specially-marked items wins. But users say the contest has been overrun by "cheaters" who are implementing automated scripts to game the contest, winning hundreds of auctions before the items are even available to the public.


    As evidence, the disgruntled point to a number of closed auctions where the visitor counter shows "0000," meaning no Web users visited the item's page before it was won. On Saturday, for example, a "Green Life" brand electric scooter worth $1,000 was won by a bidder before anyone visited the page, according to the counter on it. The next day, a vintage Oscar de la Renta evening gown was also won with the counter reading zero.

    Forums devoted to eBay users are ablaze in complaints about the contest from disappointed would-be bidders who haven't won.

    "This should have been advertised as a programming contest because those are the only people who can win," complained contestant Rich Coloyan in a note to msnbc.com. "eBay can stop this if they want to by requiring a verification screen or something, they just don't care."

    The contest rules on eBay's Web site seem to suggest automation is prohibited. They say:

    "Sponsor reserves the right, in its sole discretion, to cancel or suspend part or all of this Promotion at any time without notice, if in the Sponsor's opinion there is any suspected or actual evidence of electronic or non-electronic tampering with any portion of the Promotion, or if virus, bugs, non-authorized human intervention or other causes corrupt or impair the administration, security, fairness or integrity of the Promotion."

    During a series of brief interviews, however, eBay representatives were unable to provide a clear explanation of what kind of automation is allowed and what is prohibited.

    In one interview, a spokesman said the use of automated tools to find Doorbusters items as they come up for sale is not prohibited. He said the rules quoted above were designed to prohibit the creation of multiple fake eBay user accounts that could be used to gain an advantage in the contest.

    But later, the spokesman – who asked not to be named – said the rules might prohibit automation of Doorbuster prize purchases.

    When asked for clarification, eBay could not provide it, and instead offered only an e-mail statement from spokesman Usher Lieberman.

    "We can not discuss the specifics of how we are monitoring this promotion as it speaks to how we prevent fraud across the site. Rest assured that we are doing everything in our power to ensure that all eBay users have an equal opportunity to search for and win these hot holiday items," he said.

    'eBay will not do anything'
    Many eBay users don't think the firm is doing nearly enough to make the contest fair.

    "Since the beginning of this promotion I have been trying to win something, but it seems to be impossible with all the so-called fake accounts out there that have scripts and bots doing automatic bidding for them," said Melissa Henlsey. "This is terrible and it seems as if eBay will not do anything to prevent this from happening."

    Programmers have long used automated scripts as part of both bidding and listing items on eBay. But the widespread script application in the Doorbusters contest has frustrated many contestants who now feel they have no chance to win.

    "Unfortunately, scripters have taken over and almost 100 percent of the prize auctions are 'won' with 0000 on the counter, meaning that the auction page was never even seen by mortals and the scripter stole the auction by jumping straight to a 'buy' with a hacking program," said eBay user Victor Ireland. "eBay has done nothing to mitigate the fraud even though it's within their means to do so."

    eBay did not provide an explanation for how a contestant could win an auction without registering at least a single hit on the item's auction page. Ireland suggested that programmers may have found a way to access listings before they are posted to the eBay site, but an eBay spokesman said that was impossible.
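    As an added illustration, my own code rather than eBay's or Strobe Promotions', here is what the "0000" symptom looks like in a request log and how a contest endpoint can be designed so that a purchase must follow a real page view. The log lines, item numbers, the 2-second minimum and the token format are constructed assumptions. The detection half flags a purchase whose buyer never loaded the listing, or bought faster than a person could read it, or won an item nobody had viewed; the hardened half requires the buy request to carry an HMAC-signed token that is only minted when the listing page is rendered, so a script cannot jump straight to the purchase request.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed request log, one request per line: "<timestamp> user=<name> <METHOD> <path>".
# Sample data written for this example, not eBay's logs.
SAMPLE_LOG = """\
2008-11-29T10:00:00+00:00 user=alice GET /itm/1001
2008-11-29T10:00:00.900+00:00 user=bot77 POST /buy/1002
2008-11-29T10:00:07+00:00 user=alice POST /buy/1001
2008-11-29T10:05:00+00:00 user=carol GET /itm/1003
2008-11-29T10:05:00.400+00:00 user=carol POST /buy/1003
"""

MIN_HUMAN_SECONDS = 2.0      # assumption: nobody reads a listing and clicks Buy in under 2 s


def parse_log(text):
    """Return sorted (timestamp, user, kind, item) tuples; kind is 'itm' (view) or 'buy'."""
    events = []
    for line in text.splitlines():
        ts, user, _method, path = line.split()
        _, kind, item = path.split("/")
        events.append((datetime.fromisoformat(ts), user.split("=", 1)[1], kind, item))
    return sorted(events)


def flag_purchases(events):
    """Flag purchases whose buyer never viewed the listing, bought faster than a human
    could read it, or won an item nobody had viewed (the '0000' counter)."""
    first_view = {}      # (user, item) -> time of that user's first page view
    item_viewed = set()  # items that anyone has viewed so far
    flags = []
    for ts, user, kind, item in events:
        if kind == "itm":
            first_view.setdefault((user, item), ts)
            item_viewed.add(item)
            continue
        seen = first_view.get((user, item))
        if seen is None:
            flags.append((user, item, "no prior page view by buyer"))
        elif (ts - seen).total_seconds() < MIN_HUMAN_SECONDS:
            flags.append((user, item, "view-to-buy under %.1f s" % MIN_HUMAN_SECONDS))
        if item not in item_viewed:
            flags.append((user, item, "counter 0000: sold before anyone viewed the page"))
    return flags


# Hardened purchase path.  SECRET is a placeholder for a server-side key.
SECRET = b"server-side secret, rotated, never sent to clients"


def issue_view_token(user, item, issued_at):
    """Minted when the listing page is rendered; bound to user, item and issue time."""
    stamp = "%.3f" % issued_at
    mac = hmac.new(SECRET, f"{user}|{item}|{stamp}".encode(), hashlib.sha256).hexdigest()
    return f"{stamp}:{mac}"


def verify_purchase(user, item, token, now, max_age=600.0):
    """Return (ok, reason).  The token must have been issued to this user for this item,
    be old enough that a person could have read the page, and not have expired."""
    try:
        stamp, _mac = token.split(":", 1)
        issued_at = float(stamp)
    except ValueError:
        return False, "malformed token"
    if not hmac.compare_digest(issue_view_token(user, item, issued_at), token):
        return False, "token not issued for this user and item"
    age = now - issued_at
    if age < MIN_HUMAN_SECONDS:
        return False, "purchase before a human could have read the page"
    if age > max_age:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    for flag in flag_purchases(parse_log(SAMPLE_LOG)):
        print("FLAG", *flag)
```

    The view token does not stop automation outright; a script can still fetch the page, wait two seconds and buy. It removes the advantage of skipping the page, makes the bot's traffic visible in the same log the detection reads, and gives the operator a knob (the minimum age) that can be tuned per promotion.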

    All items are listed on the site by an outside firm, New York-based Strobe Promotions, which is helping eBay administer the contest. Soon after it began on Sept. 24, programmers figured out they could gain an advantage over manual bidders and began using automated tools to search for and win the special $1 auctions. In fact, one eBay user actually posted a solicitation on the RentACoder.com Web site asking to hire a professional free-lance programmer to create such an automated tool.

    Bids placed by scripting tools are now so widespread that some eBay auction sellers pulled pranks in recent days and began inserting the word "Holiday Doorbusters" into their descriptions so automated tools would be tricked into purchasing them. In one case, a member sold several $1 pictures of his pet with this warning:

    "This is picture I took of my cat with my Cannon Powershot Camera after she overheard that people where using scripting to purchase HOLIDAY DOORBUSTERS items on eBay. Not responsible for poor scripting techniques."

    Rosalinda Baldwin, who runs eBay watchdog group The Auction Guild, said she didn't believe that programmers who were winning auctions had done anything illegal.

    "eBay made it so a decent programmer could monopolize the searches, that does not make such a programmer a scammer, just someone with the skills to take legal advantage of eBay's system," she said. "eBay is responsible for the way they set this promotion up, and it is up to them to decide if it is equitable or not, and change the code and rules accordingly."

  • 26
    Aug
    2008
    8:00am, EDT

    ‘Forgot your password?’ may be weakest link

    Almost everyone forgets a Web site password once in a while. When you do, you click on the familiar "Forgot your password?" link and, after entering your pet's name, identifying your high school mascot or answering some other seemingly obscure questions, you can get back into your account.

    But there's a problem: A criminal can do that, too. With the help of social networking sites like Facebook and MySpace, personal trivia is getting less obscure all the time. You'd be surprised how easily someone can uncover Fido's name or your alma mater with a little creative searching.

    Some security researchers are beginning to sound the alarm about "password resetting" tools, suggesting they could be the weakest link in Web security.


    As an experiment, Herbert Thompson, chief security strategist of People Security, recently asked a few friends for permission to "hack" into their bank accounts. Using only information gathered from Web sites, Thompson found his way in within minutes.

    "This is a serious problem. It kind of blew me away," Thompson said.

    Here's what Thompson did. Using only one friend's name and place of employment, he found her blog and résumé. That provided a font of information on her grandparents, pets, hometown and more. He then visited her bank's Web site, where her user name was simply her first initial and last name. He asked for a password reset. The bank sent an e-mail with that information to her Web mail account. Thompson then asked for a password reset there, which sent a link to her old college e-mail account. There, Thompson needed only supply the woman's address, zip code, and birth date. Once successfully in the college account, Thompson hacked his way into the Web mail account – supplying her birthplace and father's middle name -- and ultimately entered her bank account by supplying her pet's name.

    "I did this a couple of times. But the scariest thing would be someone doing this with some scale," Thompson said. A more detailed description of his romp through someone else's identity can be read on the Scientific American Web site.
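    Thompson's chain, and the "Forgot your password?" abuse forecast in the 2009 outlook above, is at bottom a reachability problem over the graph of accounts and the facts their reset questions ask for. The example below is added here (my own code, not Thompson's or People Security's) and models that chain with illustrative account and fact names taken from the narrative. It also shows why a single possession factor breaks the chain: the phone_in_hand requirement in the hardened version is an assumed second factor, not something the article describes the bank or the mail providers as using.

```python
# Recovery graph reconstructed from the experiment above.  Account and fact names
# are illustrative labels, not real identifiers.  Each account lists alternative
# reset paths; a path succeeds when the attacker knows every fact in it and
# already controls every account in it.
RECOVERY_PATHS = {
    "college_mail": [{"address", "zip", "birthdate"}],
    "webmail":      [{"college_mail", "birthplace", "father_middle_name"}],
    "bank":         [{"webmail", "pet_name"}],
}

# What a blog, a resume and a few searches yielded (constructed to match the story).
PUBLIC_FACTS = {"address", "zip", "birthdate", "birthplace", "father_middle_name", "pet_name"}


def compromised_accounts(paths, known_facts):
    """Fixed-point walk: returns [(account, path_used)] in the order the accounts fall."""
    held = set(known_facts)
    order = []
    changed = True
    while changed:
        changed = False
        for account, alternatives in paths.items():
            if account in held:
                continue
            for path in alternatives:
                if path <= held:                  # every fact known, every account owned
                    held.add(account)
                    order.append((account, sorted(path)))
                    changed = True
                    break
    return order


def still_missing(paths, known_facts):
    """For each surviving account, the smallest set of items the attacker still lacks."""
    held = set(known_facts) | {a for a, _ in compromised_accounts(paths, known_facts)}
    return {a: min((p - held for p in alts), key=len)
            for a, alts in paths.items() if a not in held}


def harden(paths, account, extra_requirement):
    """Copy of `paths` where every reset path of `account` also needs `extra_requirement`
    (e.g. a possession factor such as a one-time code sent to a phone already on file)."""
    new = {a: [set(p) for p in alts] for a, alts in paths.items()}
    new[account] = [p | {extra_requirement} for p in new[account]]
    return new


if __name__ == "__main__":
    print("as described:", [a for a, _ in compromised_accounts(RECOVERY_PATHS, PUBLIC_FACTS)])
    hardened = harden(RECOVERY_PATHS, "webmail", "phone_in_hand")
    print("webmail needs a phone:", [a for a, _ in compromised_accounts(hardened, PUBLIC_FACTS)])
    print("attacker still needs:", still_missing(hardened, PUBLIC_FACTS))
```

    The point of the model is where to put the fix: the bank's own question is not the weak link, the old college mailbox is, because everything downstream trusts it. Hardening any one hop with something that cannot be looked up online cuts the chain for every account behind it.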

    There are no known cases in which hackers have widely exploited "forgot your password" links, but there are indications that both researchers and criminals are training their eyes in this direction. Markus Jakobsson, principal scientist at the famed Palo Alto Research Center in California, said answers to password reset questions have become so valuable that a black market has developed for personal information like dog's names. Criminals buy buckets of personal information, obviously with an eye towards foiling security systems, for about $15 per set, he said.

    In most cases, such information sets are probably the result of successful phishing attempts, Jakobsson said, where a victim unwittingly supplied personal information in response to an e-mail. But he's seen demonstrations of far more sophisticated tools designed to "scrape" information off blogs and social networking pages for later use by hackers.

    "It's an automatic dossier building tool," he said.

    Like Paris Hilton
    Questions about hacking through password resets have been raised before. When Paris Hilton's cell phone was famously hacked in 2005, some tech sites reported that criminals simply used her dog's name, easily found online, to break in. That theory was later discredited, but it likely sent criminals scurrying to find famous people's dog's names.

    It also prompted researchers to study the issue, which is also known as "fallback authentication." Ariel Rabkin, a researcher at the University of California at Berkeley, is probably the first to attempt to quantify the problem. He recently published a research paper (PDF) titled in part, "Security Questions in the Era of Facebook." It examined password reset questions at 20 banks. Of the 215 questions used by the banks, he classified only 75 as secure and usable. The others were either easy for hackers to guess or obtain, or simply too hard for consumers to remember.

    "Security questions are getting weaker over time," he said. Mother's maiden name, for example, continues to be asked even though it's often now available from various online sources. "We can't seem to get rid of that question. … If we do nothing this will get steadily worse."

    In some situations, statistics give the criminal an advantage. For example, data published by some U.S. cities indicated about 1 percent of the nation's dogs are named "Max," making that a pretty good guess for a criminal trying to break into thousands of bank accounts. When a bank asks consumers who their favorite president was, it rarely takes more than two guesses, Rabkin said.

    Even if the questions are more personal, and even if the subject doesn't have their own blog, others might blog about their dog, car or high school. And search engines can easily unearth such minutiae.

    "There is an arms race here between people who are trying to ask obscure questions about (us) and people who are trying to answer obscure questions about (us)," Rabkin said.

    Not a bad idea
    Thompson, the People Security expert, said that asking "challenge" questions with so-called "out of wallet" answers – questions that even a criminal who stole your wallet couldn't answer – once was a secure way to confirm someone's identity.

    "If you think about it, 10 years ago this didn't seem like a horrible idea, to ask for someone's personal information," he said. "You could say, 'It's probably unlikely that someone will know all of this information about me, or spent the time necessary to gather it.' But now it's really easy for someone who's never met you to know all this about you."

    Coming up with secure challenge questions is no easy task. There are two problems to consider: The question must be difficult for a stranger to answer, but it also must be easy enough that the customer won't forget the answer. Quick: What's your kindergarten teacher's name? Was it McFadden or MacFadden or Mcfadden?

    "In some cases, it's easier for an attacker with good data mining skills than the real person to answer these questions," Jakobsson said. He is hard at work developing a new solution, one which relies on the answers to "preference" questions rather than fact-based personal questions. A consumer who requests a password reset might be confronted with questions like, "Do you like antique stores?" or "Do you like opera?"

    Asking 16 questions like these would provide positive identification in better than 99 percent of cases, he said. "And preferences are rarely stored in databases." (More on this idea can be found at I-Forgot-My-Password.com.)

    Rabkin is all for improving how forgotten passwords are handled, but he is careful not to exaggerate the problem. In addition to the lack of proof that any widespread forgotten-password hacking has occurred, he says banks have multiple systems in place to prevent thefts from online services. When a password reset is initiated, for example, banks automatically set a red flag on an account and watch it for suspicious behavior. Any large transactions following soon after would surely be stopped, he said.

    "The problem is not as bad as you think," he said. "It's not so easy to match up a pet name from Facebook with another database of login names and another database of Social Security numbers," and use that to withdraw cash, he said.

    Still, there is another problem associated with the importance of personal questions in security. A consumer who falls for an extensive phishing e-mail, or whose blog is copied by a hacker, may find it nearly impossible to navigate the digital world in the future. How would such a person ever reclaim a password or otherwise authenticate their identity?

    "It would be incredibly difficult to recover from something like that," Thompson said. "You can't really change your mother's maiden name or these other things."

    RED TAPE WRESTLING TIPS
    Researchers like Jakobsson are looking for new ways to authenticate consumers. One obvious area of potential is biometrics. The chief criticism of this technology, which uses people's eyes, fingerprints, etc., to verify their identity, is the "doomsday" possibility that once such information is compromised, it could never be trusted again. You can't change irises, for example. But Thompson points out that the same is true for personal information such as your first pet's name or your mother's middle name. While biometrics has potential flaws, new systems will soon be necessary, Thompson said.

    Of course, these security enhancements are still in the future, so for now, consumers must fend for themselves. When answering password recovery questions while registering for online banking and other Web sites, don't always pick the most obvious question. Consider what someone might be able to find about you on your blog. Better yet, consider not disclosing any personal information on your blog.

    Alfred Huger, a security researcher at Symantec Corp., offers this suggestion: Some sites now allow consumers to make up their own question. While that might be a hassle, it's probably much more secure. Again, think of a question only you can answer, and something that's unlikely to be in any database. That probably means the name of your first girlfriend or boyfriend won't cut it.

  • 12
    Aug
    2008
    8:00am, EDT

    Did PIN thieves grab hacking's Holy Grail?

    Could a hacker steal enough information from a store you've shopped at to print up fake debit cards in your name and withdraw cash from your checking account at an ATM? Even if you've never told a soul your PIN code?

    In fact, said the Justice Department last week, it's already happened, possibly to millions of people.

    Buried in last week's indictments of 11 alleged international computer hackers accused of stealing 40 million credit and debit account numbers from U.S. retailers was something far more unsettling: At one retail chain at least, the indictments accuse the group of swiping encrypted versions of debit card PINs, decrypting them, then using the information to print debit cards and get cash from ATMs.

    If proven true, that could mean criminals have crossed a new threshold in the pursuit of plastic card fraud -- PIN hacking.

    For decades, the only security layer standing between criminals and cash from stolen debit cards has been the secret PIN code, which has proven surprisingly robust. When hackers steal a large set of debit card numbers, there is generally no way to obtain their corresponding PINs, limiting the value of the stolen data.

    Criminals have stolen small numbers of PINs in old-fashioned ways, such as installing tiny cameras on ATMs that record PINs while they are entered.

    But uncovering a way to obtain PINs from a stolen batch of debit card account data would give hackers the ability to withdraw thousands of dollars at a time from any ATM in the world – a holy grail of sorts for card thieves. That's precisely what the U.S. government says some of the suspects did as part of their five-year scheme, detailed last week.

    In the indictment of alleged ringleader Albert Gonzalez, the Department of Justice accuses him of:
    • Downloading "tens of millions of credit and debit cards and PIN blocks associated with millions of debit cards."
    • Obtaining "technical assistance from criminal associates in decrypting encrypted PIN numbers."
    • Cashing out "by encoding the data on magnetic stripes of blank credit/debit cards and using these cards to obtain tens of thousands of dollars at a time from ATMs."

    The Justice Department would not comment on the indictments or on the specific methods that might have been used to perform the decryption. A spokeswoman would only confirm that the agency is indeed accusing some of the suspects of decrypting PINs.

    Speculation for years
    Encrypted PIN codes are supposed to be impenetrable. After a consumer enters their code into a PIN pad at a store, or at an ATM, the data is immediately converted into an unintelligible string of text called a "PIN block." That block of text is then sent along the payment processing network, ultimately back to the cardholder's bank, where the PIN is verified.

    There has been speculation for years that criminals had found some way around the PIN encryption. In 2006, after a spate of fraudulent ATM withdrawals, Citibank began cutting off ATM cash access to some overseas travelers. Consumers around the country reported phantom withdrawals from their checking accounts of $1,500 or more from far-flung places like Bulgaria.

    At the time Citibank, Bank of America, Wells Fargo, and Washington Mutual all reissued some debit cards. There was conjecture that criminals might have stolen PIN information that was accidentally left "in the clear," or unencrypted, by a retailer.

    Earlier this year, Wired News reported that a Citibank server that processes transactions initiated at 7-11 store ATMs had been "breached," according to an affidavit filed by an FBI investigator. The affidavit claims a single suspect, who has now been arrested and charged with theft, stole $750,000 from ATMs in a single month during early 2008.

    But last week's indictment accuses the criminals of taking everything they need to print fake debit cards and steal money directly from retailers. The specific case outlined in the indictments involved downloading PIN blocks from a Florida OfficeMax store in 2004 through a vulnerable wireless network, then later decrypting them. The indictments also accuse the group of downloading "PIN blocks associated with millions of debit cards," hinting that the PIN problem might be even wider.

    The scheme was apparently so successful that at several times the suspects allegedly sent boxes full of cash through express mail services to make payments to one another.

    How it might have happened
    PIN blocks are transmitted from retailers to credit card processors and are sometimes stored on computers along the way, where they would be available for the taking by criminals who knew how to decrypt the secret codes. This is sometimes called stealing data "at rest." Retailers have no need to keep PIN blocks in the stores, but poorly configured systems sometimes store this information anyway.

    The hacking gang indicted last week also was capable of stealing data on the move, according to the indictments. The group is accused of using various methods to install "sniffer" programs that grabbed account numbers and PIN blocks as they flew by on computer networks. Initially the suspects sat in parking lots and used insecure wireless networks to gain unauthorized access, the government charges. For example, in July 2005, while sitting in a Miami TJ Maxx parking lot, the criminals are accused of worming their way into the firm's central credit card server in Framingham, Mass.

    Later, some of the suspects brazenly walked into stores and physically installed sniffer software onto computers in other stores, the indictments say.

    In May 2007, for example, they entered a Dave & Buster's restaurant in Islandia, N.Y., and installed sniffer software. Afterward they re-entered the store every month to empty the catch from their virtual net, eventually stealing 5,000 account numbers from that store alone and using those numbers to steal $600,000. In that case, they are accused of stealing only debit and credit card numbers.

    Still, even with data stolen using such hands-on methods, stolen PIN blocks should be useless to criminals -- unless they can be unscrambled.

    Encryption expert Ross Anderson, a professor at Cambridge University in England, has testified before about the possibility of "phantom withdrawals" involving PIN codes stolen from British banks. He says potential vulnerabilities in bank encryption software have been known by researchers for years. In 2003, a British court imposed a gag order on Anderson, preventing him from revealing some elements of his research.

    He called this week's indictment "the first documented recent case" of PIN hacking, but added that it was "not surprising."

    "The banks have encryption boxes that are claimed to be 'secure' but the claim is of course untrue," he said.

    Not so alarming
    Mike Urban, who runs a debit card fraud-fighting service called CardAlert at Fair Isaac Corp., counters such talk by saying the most likely explanation for the crime is also the least alarming: Hackers didn't reverse engineer PINs; they simply managed to steal encryption keys from the same retailers where they stole the data, he said.

    "I'm speculating here, but more than likely, to compromise that many PIN blocks they would have to have gotten the encryption keys somehow," he said. "More than likely there was a breakdown in management of keys wherever the keys were compromised." Armed with the keys and a little know-how, he said, criminals could readily discern PIN codes from PIN blocks.
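    To make concrete the PIN-block path described above and Urban's point that the keys are what matter, here is an added example written for this page (it is not code from any bank, processor or the indictment): it packs a PIN into an ISO 9564 format 0 block, encrypts it with TDES as a PIN pad would, and verifies it as the issuer would. The PAN, PIN and key are constructed values, and the format, the cipher and the simplified issuer comparison are assumptions, since the article does not say which the retailers used; the security lesson is that the decrypt step needs nothing but the key, so a key stored beside PIN blocks "at rest" leaves them unprotected.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed demo values: no real card, PIN or processor key is involved.
const (
	demoPAN = "4111111111111111"
	demoPIN = "1234"
	demoKey = "0123456789ABCDEFFEDCBA98765432100123456789ABCDEF" // 24-byte TDES key
)

// xorPANField XORs an 8-byte block with the ISO 9564 format 0 PAN field:
// 0000 followed by the 12 PAN digits to the left of the check digit. XOR
// is its own inverse, so the same step packs and unpacks a block.
func xorPANField(b []byte, pan string) ([]byte, error) {
	if len(b) != 8 || len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("bad block or PAN")
	}
	pf, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	out := make([]byte, 8)
	for i := range out {
		out[i] = b[i] ^ pf[i]
	}
	return out, nil
}

// clearPINBlock builds the format 0 clear block: PIN field (control nibble 0,
// PIN length, PIN digits, 0xF padding) XORed with the PAN field.
func clearPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField, _ := hex.DecodeString(s + strings.Repeat("F", 16-len(s)))
	return xorPANField(pinField, pan)
}

// pinFromClearBlock reverses clearPINBlock; a block decrypted under the wrong
// key almost never survives these format checks.
func pinFromClearBlock(block []byte, pan string) (string, error) {
	nib, err := xorPANField(block, pan)
	if err != nil {
		return "", err
	}
	h := hex.EncodeToString(nib) // 16 lowercase hex nibbles
	n := int(nib[0] & 0x0F)
	if nib[0]>>4 != 0 || n < 4 || n > 12 ||
		strings.Trim(h[2:2+n], "0123456789") != "" || strings.Trim(h[2+n:], "f") != "" {
		return "", errors.New("not a well-formed format 0 PIN block")
	}
	return h[2 : 2+n], nil
}

// encryptPINBlock is the PIN pad's step: one TDES block under the PIN key.
// Only this ciphertext should ever travel the network or touch a disk.
func encryptPINBlock(key, clear []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil || len(clear) != 8 {
		return nil, errors.New("bad key or block")
	}
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out, nil
}

// issuerVerify models the bank's check at the end of the network: decrypt,
// unpack, compare with the PIN on file (real issuers compare a PIN offset or
// PVV rather than a raw PIN; simplified here). Decrypting needs only the key.
func issuerVerify(key, enc []byte, pan, pinOnFile string) bool {
	c, err := des.NewTripleDESCipher(key)
	if err != nil || len(enc) != 8 {
		return false
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	pin, err := pinFromClearBlock(clear, pan)
	return err == nil && pin == pinOnFile
}
```

Because the PAN is folded into the block, the same PIN on two cards yields two different blocks, so stolen blocks cannot even be compared with each other without the key.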

    Urban said it would not be terribly alarming if the hackers obtained PINs that way, noting that retailers routinely secure keys carefully and that PIN compromises are "extremely rare." He also said that while the government's case against the hackers mentions theft of PIN blocks from several retailers, evidence of actual PIN-block decryption is offered in only one case – the one involving OfficeMax. He said he believed that could be an isolated incident.

    "Fraud on PIN-based transactions is much lower than signature-based debit or credit transactions," he said.

    Gonzalez, the alleged ringleader of the hacking ring, who also went by the moniker soupnazi -- apparently a reference to the "Seinfeld" character -- is being held in New York while awaiting trial. He faces life in prison if he is convicted of all charges. Only two other suspects out of the 11 indicted are in custody. Ukrainian national Maksym Yastremskiy is being held in Turkey, and Aleksandr Suvorov is in Germany. Both are facing extradition.

    RED TAPE WRESTLING TIPS
    There's no need to panic over the possibility that hackers could steal PINs from places you shop. Consumers who are hit with fraud related to debit cards have strong legal protections. Losses reported within two days of discovery are limited to $50, and most banks give full refunds to consumers. Still, debit fraud can be a huge hassle, because consumers who are victims may find their bank accounts emptied and their ability to access cash severely limited until the money is replaced. The hassle factor is much higher than with standard credit card fraud.

    But possible PIN theft is another incentive to use debit cards only to withdraw cash at ATMs – not for purchasing. There are already plenty of other good arguments for keeping your debit card in your wallet. We've written about the case for credit here; so has Consumer Reports.

    If you really want to buy things with your debit card, perhaps as part of a monthly budgeting plan, consider signing the sales slip instead of entering your PIN, to keep your PIN a secret. And if you really want to enter your PIN, consider setting up a separate checking account, isolated from your standard account, for your purchases. That way, if your account is hacked, the criminals won't have access to all your money. But be sure to keep that fully stocked with cash; overdrawing your debit account can lead to costly overdraft fees.

    Also, resist the urge to use the same PIN code for all your accounts.

  • 29
    Jul
    2008
    8:00am, EDT

    Are airline kiosks safe?

    By Bob Sullivan, Columnist, NBC News

    Airline travelers may want to think twice about swiping their credit cards at airport self-service check-in kiosks following the possible theft of credit card account numbers from the kiosks at Canada's largest airport in Toronto.

    One Canadian airline, WestJet, already has suspended use of credit cards for check-in at the Toronto kiosks in the wake of the investigation by Visa and MasterCard, which was revealed last week. Fliers can still use the machines, but must now identify themselves by other means: swiping frequent flier cards, entering confirmation codes or using their passports.

    About 31 million passengers fly through Toronto's Pearson International Airport every year, so the potential haul for credit card thieves able to access data entered into the 150 check-in kiosks would be enormous. But a possible kiosk-related heist also raises questions about the security of the self-service machines at other airports, which are used by millions of travelers every day in the U.S. and elsewhere.

    It's still unclear how thieves could have stolen credit card numbers from the kiosks. A Canadian government report is expected later this week.

    One possibility: Scammers attached small skimming devices to the kiosks that lifted the numbers from unsuspecting travelers, a technique often employed by criminals to steal information at bank ATMs.

    But Scott Armstrong, spokesman for the Greater Toronto Airports Authority, which owns the machines, said investigators inspected the devices and found no signs of tampering. That suggests the data was collected by the machines and stored somewhere, then stolen by hackers who managed to access it – either directly or through the network that connects the kiosks to the airlines.

    Put away your credit card?
    Because of the uncertainty about the system in light of the investigation, some security experts are suggesting consumers should change the way they check in for flights.

    "Next time you go to an airport kiosk for self-service check in, just type in your ticket reference number," said Avivah Litan, a security analyst at research firm Gartner. "Unless the kiosks are equipped with the latest in tamper-proof technology and card readers that encrypt data when the card is swiped, they are highly prone – given their public locations – to criminal tampering. They are a perfect target for thieves."

    If the kiosks turn out to be the source of the stolen credit card information, that would raise another question: Why would the machines read credit card account numbers and other personal information, and store that data? Security consultants say the kiosks need only read names off the cards to check in passengers, but the machines in Toronto – and similar machines in the U.S. – could be set up to collect and store more data.

    The kiosks in Toronto are made by IBM Canada, and the data is managed by two firms -- ARINC Inc., based in Maryland, and SITA Inc., a European consortium based in Geneva.

    Linda M. Hartwig, a spokeswoman for ARINC, declined to comment on the apparent security breach. But she said the kiosks read everything on the entire credit card magnetic stripe – including account numbers and expiration dates -- then hand the information off to the airline. She said no data is stored on the kiosk itself.

    Spokesmen for the other software company, SITA Inc., did not return calls seeking comment.

    U.S. kiosk maker won't comment
    In the U.S., about two-thirds of the kiosks used at airports are provided by Florida-based Kinetics, Inc., a subsidiary of NCR Corp. The firm would not discuss how its kiosks worked.

    Several airlines contacted referred questions to Visa. A Continental Airlines spokeswoman, for example, said the airline wouldn't reveal if its kiosks collect credit card numbers while checking in fliers.

    Christopher White of the Transportation Security Administration said the Toronto incident was "not an aviation security issue, it's more of a customer service issue," and referred questions to the industry group, the Air Transport Association.

    Elizabeth Merida, a spokeswoman for the ATA, would say only that there are no reports of similar credit card heists in the U.S.

    Violation of state privacy law?
    It's unclear what consumers expect when they use a credit card at the kiosks. The machines generally display a message such as "Your credit card will not be charged," suggesting that the account number won't even be read by the machine.

    But that's probably not technically feasible, said Greg Buzek, president of research firm IHL Group, which studies the self-service kiosk industry. Credit-card-reading software generally will pull all data that's on the magnetic stripe and only later distinguish between names, account numbers, expiration dates, etc., he said.

    After the account numbers have been read, they might be deleted -- but only if the software has been programmed to do so, Buzek said.

    "What happens is completely up to the way the software is designed," he said. To make sure account numbers are not stored, "somebody has to physically take that information, take that data, and delete it."

    Failing to do so might violate various state laws, said privacy expert Larry Ponemon, who runs research firm The Ponemon Institute. In California, for example, companies that collect information about consumers that is otherwise "non-public" are required to disclose that.

    "Most people when they go to a kiosk just think of it as a way to identify you, not as a system that captures your credit card information," Ponemon said.

    Kiosks wildly popular
    Kiosks are enormously popular with airlines and fliers alike. Buzek said about three-fourths of consumers say they prefer checking in via kiosk. At Continental Airlines, more than 85 percent of travelers check in using them, he said.

    The trend toward self-service machines has exploded in recent years. There are now about 70,000 ticketing kiosks in North America – including self-service movie theater or bus ticket machines -- performing $370 billion in transactions annually. That figure is expected to rise to $1.25 trillion by 2012.

    But favoring machines over humans could have unexpected security consequences, warned Robert Grapes, chief technologist at Virginia-based security firm Cloakware Inc.

    "We strive to make things convenient and we strive for a reduction of operational costs, but we focus on convenience more than security and now we're getting bit by that," he said.

    RED TAPE WRESTLING TIPS
    • Because the airlines and the kiosk makers have so far not been forthcoming about how their systems work, it's unclear how consumers should react to the Toronto airport story. There's no need to stop using airport kiosks, however. It's safe to use airline-issued record locators, such as confirmation codes, when checking in. Most machines accept frequent flier cards, too.

    • It's easier to check in with your credit card, though, so it's important to keep the risks in perspective. Remember, your liability for theft from your account is legally capped at $50, and consumers generally aren't forced to pay anything when they report their cards as stolen. Still, a compromised credit card is a hassle, so a little caution could be worthwhile.
