Marcus Eikenberry of MarkeeDragon has a 38-minute interview with "Patrick" - a young man who made between $10,000 and $20,000 over the course of one year of criminal scamming:
There are some fascinating details (here are my notes on the highlights):
3:00 Started in Eve Online / GoonSwarm
5:30 Scammed his own Eve Online Corporation as a Director (non GoonSwarm) stole 9B ISK in 2006
6:30 WoW Scam/Griefing casual every month of so
7:30 Lost his job and decided to sell his Eve Online account... he took the money and realized he didn't have to transfer the account - there was no protection for intangible items in PayPal's Terms of Service - He made $750... used it for rent.
10:00 In order to "beat PayPal", he mailed a piece of paper with invalid information... it got through PayPal security and he sent the shipping tracking information (PERSONAL NOTE: my company used physical shipments to validate shipments of license keys to avoid fraud problems in 2003).
11:45 Scammers "networking" to develop tactics... PayPal changes to protect buyers, not sellers. Reverse scam to a "Buyer Scam": buy item, dispute sale, resell the account quickly
13:30 Started identity theft... used a stolen name and SSN to set up a fraudulent PayPal account tied to his real bank account + fake ID (there is no cross-verification of account names - Marcus is currently checking to see if this weakness still exists)... Patrick worked in HR as a recruiter... had info on anyone who applied for a job at the company (IT IS SCARY HOW MANY PEOPLE HAVE ACCESS TO YOUR NAME AND SOCIAL SECURITY NUMBER), then closed the PayPal account quickly before they put in a dispute... age 21, 22. Blames economy, desperation - rent & food problems.
16:30 - All you need to create a PayPal account is a name & SSN (and your own bank account)
16:50 - $10 to $20K in one year... was active for one year.
17:30 - Why he was not caught - only small transactions... keep it under $1000. PayPal "caught up with him" eventually - then he started using other people's accounts... that is why he started ID theft (but they didn't validate the account, see above)
19:00 - Paypal is so easy, much easier than direct deposit or wire transfer... a lot of scammers only do this (scamming) once.
20:00 - Last Scam / Biggest Scam - started getting scared. Meet girls "get them to love him" and use their Paypal account (or get them to set up a Paypal account). "Most interesting" found he actually liked the girl. Got a real job and paid her back. Realized what he was doing.
22:15 - The other most exciting was the first one. When you make over $500,... a "means to get by".
23:20 - Security advice... copy of driver's license & prove it's actually the person... TrustWho works (NOTE: run by MarkeeDragon - 99.7%)... if they've never done any sales before on the site, don't trust them... reputation at sites is a problem if you haven't done a sale before... TrustWho really "ruined his (scam) business". He was not able to get TrustWho verified.
29:30 Craigslist is a great place to scam people. Get 18 year olds with fresh money (after graduation).
30:50 - Successful transactions in past, get driver's license (repeat)... scary how many people have your driver's license and SSN
33:00 - Wrapup by Marcus Eikenberry - scamming women, HR attacks, name & SSN is all it takes
I'd echo Marcus' comments. The potential for abuse by people in Human Resources and customer service is truly frightening, especially in this economy. It is also disheartening how weak our financial authentication systems are.
72 percent of banks state that they have had one case of data fraud committed by an employee in the past 12 months.
Nearly half of the banks say they are losing 1 to 4 percent of their total revenues due to insider fraud.
80 percent of banks say that the insider problem has increased due to the economic downturn.
Top risk areas:
Nearly 60 percent of the respondents in the survey ranked tellers and traders as the highest risk of insider fraud, followed by administrative/back office (55.74 percent), technology (34.43 percent), executive/senior management (29.51 percent), call center (29.51 percent), and line of business (26.63 percent) employees.
If you touch transactions, you are dangerous.
Countermeasures... a familiar problem:
...the biggest challenges to meeting the threat are cost/expense (67 percent), data availability/access (55.77 percent), availability of tools (46 percent), and general resources/priorities (46 percent).
Banks don't want to talk about the problem (and, of course, can pass the costs onto their other customers).
What about the online game industry? I suspect the story is similar.
CCP Games' Eve Online apparently had a recent security incident where someone gained access to data about in-game volunteers through servers that support these individuals (the Interstellar Services Department).
It sounds like IP address data and perhaps information about these players' in-game characters were taken, perhaps with the intent of identifying their activities.
No account data was compromised.
... this is a minor security incident, but it is notable that CCP Games moved promptly to shut down the servers and services involved until they could solve the problem and notified both the volunteer community as well as the general Eve Online player-base as to what had happened and what they (CCP Games) are doing about it.
Awesome incident response (2 times in one month! see previous article about the corrupt member of the game's player governance council).
Coincidentally, I'm speaking on Security Incident Response, among other things, at the Engage Expo today in San Jose.
If anyone from CCP Games (or other game companies) would be willing to share information about their incident response program, I'd love to hear more.
One of the worst problems you can have is an insider exploiting a game. CCP Games has faced accusations of this previously on several occasions in their science fiction MMO Eve Online, and it is clear that they have learned from their experience:
Eve Online has a player governance group called the Council of Stellar Management (CSM) whose members are elected for 6 month terms. They interact closely with CCP Games on issues of game design and other matters (The CSM was actually created in response to an earlier insider problem in the game).
The CSM members were flown to CCP Games headquarters in Iceland recently and presented with information on some proposed changes to the game's design. One of the CSM members acted on this information to stockpile a huge amount of items that would have been affected by the design change. CCP Games detected this activity and promptly banned all of the player's accounts (he used insider knowledge in two of his accounts) and asked him to resign from the Council.
They also put out a detailed message on their community forum explaining what happened.
Kudos to CCP Games!
1. Measures in place to detect bad behavior by insiders.
2. Prompt, clear action.
3. Excellent Communications with game players.
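As an added example of what point 1 can look like in practice (this is not CCP Games' method, and the trade log, briefing date, item names and accounts below are constructed for illustration): compare each briefed delegate's peak daily buying of the affected item types after the briefing against their own pre-briefing daily average, and flag anyone whose buying jumps by a large multiple.

```python
from collections import defaultdict
from datetime import date

# Constructed sample market log, not CCP data: (day, account, item, quantity bought).
TRADES = [
    (date(2009, 6, 1), "pilot_a", "widget", 100),
    (date(2009, 6, 3), "pilot_a", "widget", 120),
    (date(2009, 6, 5), "pilot_a", "widget", 90),
    (date(2009, 6, 12), "pilot_a", "widget", 9000),  # two days after the briefing
    (date(2009, 6, 13), "pilot_a", "widget", 8000),
    (date(2009, 6, 2), "pilot_b", "widget", 50),
    (date(2009, 6, 12), "pilot_b", "widget", 60),
    (date(2009, 6, 12), "pilot_c", "widget", 7000),  # heavy buyer, but was not briefed
]

BRIEFING_DAY = date(2009, 6, 10)      # assumed day the delegates were briefed
AFFECTED_ITEMS = {"widget"}           # item types the proposed change touches
INSIDERS = {"pilot_a", "pilot_b"}     # accounts of the briefed delegates


def daily_totals(trades, accounts, items):
    """Sum quantity per (account, day) for the watched accounts and item types."""
    totals = defaultdict(int)
    for day, account, item, qty in trades:
        if account in accounts and item in items:
            totals[(account, day)] += qty
    return totals


def flag_stockpiling(trades, insiders, items, briefing_day, ratio=5.0, floor=1000):
    """Flag insiders whose peak daily buying after the briefing is at least
    `ratio` times their pre-briefing daily average. An insider with no
    pre-briefing history is scored against an absolute `floor` instead."""
    totals = daily_totals(trades, insiders, items)
    before, after = defaultdict(list), defaultdict(list)
    for (account, day), qty in totals.items():
        (after if day > briefing_day else before)[account].append(qty)
    flagged = []
    for account in sorted(insiders):
        if not after[account]:
            continue
        peak = max(after[account])
        if before[account]:
            score = peak / (sum(before[account]) / len(before[account]))
        else:
            score = peak / floor
        if score >= ratio:
            flagged.append((account, round(score, 1)))
    return flagged


if __name__ == "__main__":
    print(flag_stockpiling(TRADES, INSIDERS, AFFECTED_ITEMS, BRIEFING_DAY))
```

Note that pilot_c buys just as heavily but is not flagged: this check scopes to people who had the insider information, which is the only population where a spike is evidence of abuse rather than ordinary speculation.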
CCP Xhagen (2009), "A CSM Delegate Resigns", http://www.eveonline.com/devblog.asp?a=blog&bid=692
Pirate servers / private servers are quite common in China (a topic I would love more information on... I suspect this situation is growing worldwide in developing nations as Internet access spreads). These individuals and companies have bought, stolen, or reverse-engineered the game servers for popular online games and operate them for a profit... selling subscriptions and items at a fraction of the cost of the legitimate MMO.
No Honor Among Thieves
A Chinese pirate server operator was having trouble with a competing private server business. So, to retaliate, he leased 81 servers for 280,000 Yuan (around $41,000... apparently, there is good money in pirated game servers!) to run a Denial of Service attack against his competitor.
His first attempt failed (poor hacker hiring... I hate when that happens), so he found a "more skilled" individual who targeted the DNS provider for his foe.
The DNS provider was rapidly overwhelmed by the excessive number of DNS requests, and the overflow of DNS queries escalated to China Telecom's DNS servers, causing Internet outages in 6 provinces.
The War Continues
The individuals involved were arrested, but the war continues:
Attacks between illegal game operators and other Internet businesses are fairly common in China, both in and outside of major cities, said a local security researcher. Online mercenaries who own servers or control networks of compromised PCs often sell attack services on private forums or chat clients, he said.
By the way, I discuss the Pirate Server problem (and potential solutions) in my book Protecting Games.
130 Million credit card numbers stolen. A staggering number. Heartland Data Systems, Hannaford Brothers, and 7-Eleven, are the known victims. Every couple of months, it seems there is another compromise of thousands or millions of people's data (remember TJX? no one seems to).
The culprit? SQL injections... that allowed the criminals to insert malicious code into the internal payment processing systems of these firms, even if they were PCI DSS compliant.
Right. And wrong.
Do you really believe that by stopping SQL injections or strengthening PCI compliance we are going to stop having these massive breaches?
Hardly.
The core problem is that our credit card system is fundamentally flawed. There is no reason for payment processors to have data that would result in massive compromises.
Serious system security design is about avoiding scenarios where massive failures can occur. You don't want attacks to scale. So, even though SSL has tons of faults (and it does... a topic for another day), at least from an encryption perspective, every session is encrypted with a different key. Conceptually, this means that each communication session would need to be attacked separately.
There is nothing (except greed and laziness) to prevent the credit card system from working the same way, so that payment processors can do what they need to do to process payments without being able to disclose sensitive individual data, and so that attacks against the system would have to be localized.
Why isn't anything done?
Mainly, because the people who pay (merchants and consumers) have no control over the transaction systems (VISA, MasterCard, etc.) that they use and the companies that operate those systems have reallocated the risk to you and me.
They don't have a problem, so why should they fix the system?
PCI DSS will NEVER stop these massive compromises. As Willie Sutton famously said when asked why he robbed banks, "Because that's where the money is". Today, the easy money is in the payment processing systems of independent payment processors and large corporations: massive, online databases of personal information and credit cards. It's better than stealing money because it's "just" stealing a copy of data (no empty vault to be noticed... in fact, no cost to the company that compromises the data until/if someone figures out that they were the source of the information).
There is so much identity theft that stolen credit card numbers are only worth a couple of dollars each.
Of course, if you multiply 130 Million by $2, you've got yourself a pretty juicy target.
The only real solution is to make the entire payment processing system accountable for its security and design the system so that it is actually secure, attacks don't scale, compromises are quickly identified, and there is a rapid, cost-effective recovery mechanism when inevitable compromises do occur.
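An added sketch of the "attacks don't scale" property argued for above, in the spirit of the per-session-key analogy with SSL; it is not this post's design nor any real card network's protocol, and the issuer master key, card ids and merchant ids are constructed for illustration. Each purchase is authorized by a one-time cryptogram bound to the amount, merchant and a counter, so a record leaked from a processor's database cannot be replayed or spent elsewhere.

```python
import hashlib
import hmac
import secrets

# Assumed design: the issuer keeps one master key and derives a per-card key;
# the card (or wallet) computes a one-time cryptogram over the transaction
# details plus a counter. Merchants and processors only ever handle
# (card_id, amount, merchant_id, counter, cryptogram), never a reusable secret.

ISSUER_MASTER_KEY = secrets.token_bytes(32)  # constructed sample secret


def derive_card_key(master: bytes, card_id: str) -> bytes:
    """Per-card key: held by the card, re-derived by the issuer on demand."""
    return hmac.new(master, card_id.encode(), hashlib.sha256).digest()


def make_cryptogram(card_key: bytes, amount_cents: int, merchant_id: str, counter: int) -> str:
    """What the card emits for one purchase; valid only for these exact values."""
    msg = f"{amount_cents}|{merchant_id}|{counter}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()


class Issuer:
    def __init__(self, master: bytes):
        self.master = master
        self.last_counter = {}  # card_id -> highest counter already accepted

    def authorize(self, card_id, amount_cents, merchant_id, counter, cryptogram) -> bool:
        key = derive_card_key(self.master, card_id)
        expected = make_cryptogram(key, amount_cents, merchant_id, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # forged, or amount/merchant altered in transit
        if counter <= self.last_counter.get(card_id, 0):
            return False  # replay of a record captured from a processor log
        self.last_counter[card_id] = counter
        return True


def demo():
    """Returns (legitimate, replayed, reused_elsewhere) authorization results."""
    issuer = Issuer(ISSUER_MASTER_KEY)
    card_key = derive_card_key(ISSUER_MASTER_KEY, "card-0001")  # lives on the card only
    c1 = make_cryptogram(card_key, 4999, "merchant-A", 1)
    legitimate = issuer.authorize("card-0001", 4999, "merchant-A", 1, c1)
    # a breached processor leaks the full record; sending it again is refused
    replayed = issuer.authorize("card-0001", 4999, "merchant-A", 1, c1)
    # the leaked cryptogram is also useless at another merchant, even with a fresh counter
    reused = issuer.authorize("card-0001", 4999, "merchant-B", 2, c1)
    return legitimate, replayed, reused


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

A breach of the processor here yields a pile of spent cryptograms rather than 130 million reusable card numbers; an attacker still has to go after each card (or the issuer's master key) separately.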
CasualGames.biz and quite a number of other sources are reporting that EA's "The Sims 3" has been leaked and is available for download from file sharing sites. If correct, this is one of the most serious breaches of a major PC game that has happened in years. Half Life 2 was leaked early and that leak may have been the cause of a several month delay for the game.
It is an open question as to whether the early disclosure will have a substantial impact on sales, particularly as the game's audience is not usually associated with piracy... and, of course, the lingering question as to whether game pirates ever purchase games to begin with.
Heartland Payment Systems' massive data disclosure, due to hackers penetrating the company's network (announced in January 2009), has cost the company $12.6 Million so far.
Over half of the costs are associated with fines from MasterCard.
The company faces at least two lawsuits.
Heartland was certified as PCI-DSS compliant as of 30 April 2008, but the certification was under review in the wake of the incident.
The company is installing an "end-to-end encryption solution"... though it is not necessarily clear that encryption would stop a disclosure of this sort - if critical computers need to have credit card data in clear text form, the fact that there is encryption on all of the wires won't help if the computers are compromised.
Online banking fraud is up 185 percent in the UK to £21.4 million from January to June, up from £7.5 million in 2007.
Mainly due to a rise in spyware and phishing.
Credit card fraud (again in the UK) is at £300 million this year.
The biggest problem with credit card fraud and other forms of online fraud is that the service providers (the credit card companies) have largely transferred the liability for losses onto the merchants.
No risk, no loss, no reason to fix the problem.
The credit card companies control the systems that would need to be upgraded to fight these forms of fraud, but they have little incentive to do so.
As a security guy, I look at anything that can undermine your business. Hackers, cheaters, griefers, fraudsters,...
and payments.
People do not seem to understand or spend much time thinking about getting paid. The relationship between a merchant and a payment processor is NOTHING LIKE the relationship between a consumer and their credit card company. If anything goes wrong, all the risk is dumped on the merchant. Payment processors accept no risk and will fine you or shut you down if anything goes wrong.
... and you have no recourse.
Adam Martin at T=Machine has a good article on the payment issue including problems with identity and identity theft. He gives some good examples from iTunes and you can go back through my history here for a bunch of examples of how not to protect customers' identities.
My upcoming book on game security has 2 chapters on Money in addition to a chapter on identity because I believe the topic is critically important and widely neglected.
Adam mentions pre-paid cards as the only viable solution. I also think that moving to a pure channel partner system is also a good strategy that has not been seriously considered by game companies.
A. Martin (2008), "Online Services Problems: Credit Cards", http://t-machine.org/index.php/2008/10/13/online-services-problems-credit-cards/
Copyright 2005-9. IT GlobalSecure, Inc. All rights reserved. IT GlobalSecure makes every effort to include citation of sources. If you determine inaccuracies or omissions, please contact us. Playnoevil.com is the blog of CEO, Mr. Steve Davis. IT GlobalSecure™ and its SecurePlay™ are trademarks of IT GlobalSecure, Inc. IT GlobalSecure supports secure e-commerce processing for web sites including the SecurePlay Store and commercial clients, such as Urban Revivals LLC.