Brian Enos's Forums... Maku mozo!

"Protect Both Rears Simultaneously"


The quote, "Protect Both Rears Simultaneously", comes from the movie "The Hallelujah Trail". It comes from a scene when there is a battle in a dust storm involving three groups and bullets are flying everywhere. If you haven't seen the movie, do so.

The only reason for bringing it up is because I'm starting to worry more and more about credit and ID theft. Last month, I had some bogus charges show up on my credit card. I spotted them after I got an email from Amazon saying that someone was trying to use a CC number registered to me. I called the credit card company and they closed the account that moment and within a couple days I had a new card and a couple days and a bit of paperwork later, the bogus charges were gone.

This got me to trying to figure out how someone got my card number and the more I learned the more I worried. We all know about cyber security and the need to be careful about placing orders online. I think I'm fairly secure along those lines but I'm starting to learn that even secure connections can be at risk under some circumstances. The sheer volume of different versions of what's being called crimeware that are out in the wild is absolutely staggering. I (my AV software actually) ran across one today on a forum that I would have never expected to be infected. Essentially, when you connect, it tries to install a little program onto your computer that collects and passes information back to another server. This in turn collates bits and pieces of information on individuals until there is enough information to allow someone to try and steal your identity, then the information is sold. Apparently this is a very popular exploit with Russian hackers.

Well, recently I've found something that is potentially even more scary. If you have a credit card that has a PayPass logo on it, then that card has a tiny RFID chip in it and anyone with a scanner can read that if they can get within about an inch of your wallet. That means a pickpocket can now pick your pocket without having to boost your wallet, just wave a small electronic device past your rear pocket. If you do a little searching on the internet, you will find quite a bit about this, including instructions on how to destroy the chip in the card.

It's getting to the point where it's not safe to do anything any more. <sigh>

I've seen some products out there to stop that RFID hijacking, but I don't know how effective they are. My CC doesn't have it and I don't want one that does. But yes, I know the feeling of what you went through. A few years ago, my PayPal account info got jacked (it was a huge MySpace phishing issue going on). I realized it when I tried to log into my account on another forum and found out it was locked. When I checked my email to find out why, I saw the charges from PayPal in my email. $2300 in gift certificates had been bought in 3 or 4 places in about 20 minutes. One call to PayPal and 12 hours later it was all cancelled and refunded. All passwords are now changed regularly, I don't use many of the social networks anymore (still use FB, but usually just check my messages and comments, then log off) and am very careful as to what links get clicked (that's how the whole phishing problem started: I was trying to look at a picture someone posted about a trade offer).

I really hate the people that came up with all that crap...

I got an account with Debix and it seems like they are on the ball.... Don't know how much good it really does but it looked good when I checked it out as best I knew how...

I understand this is not really a ringing endorsement but the subject is pretty complex.

Would you mind sharing the name of the Forum that tried to install a program on your computer so that we can all be on-guard? Thanks. If you don't want to name it online perhaps you can PM me with the info.

I emailed the owner as soon as I found it and it was fixed within the hour.

Yup, if you visit any site that does ad buys from a network that isn't super vigilant about screening ad buyer content, you can get infected.

If you visit sites that use popular packages like WordPress, phpBB, Invision, etc... they are targets for exploits. Even with admins that are 100% vigilant, they are exposed until patches hit the net. You can get infected.

You buy from an online store that uses an off-the-shelf cart? You can get screwed when that gets exploited.

You can't really escape it. You can take precautions, but you can't avoid exposure 100% because you don't control the back end of any of your transactions. 

Thanks to the OP for bringing this to light. I personally cringe every time I see someone use a speedpass card. A few years ago I completed a week-long prep course before taking the ethical hackers exam. During a discussion on the vulnerabilities of RFID the instructor walked around the room and managed to collect card information from numerous students using a device that he built for less than $20. Of course, the data was purged immediately after being used to prove a point, but it definitely opened some eyes that day.

You can't really escape it. You can take precautions, but you can't avoid exposure 100% because you don't control the back end of any of your transactions.

There is one feature that CitiBank offers that I do use with any online retailer I'm not certain about, and should probably use all the time. It's called a Virtual Account Number. Essentially you can log onto your CC account and request that it generate a Virtual CC number for you. That number is only good for about 30 days and then only for a single transaction. So if you buy something online and someone boosts the number and tries to use it again, it's denied. Pretty slick.

As to PayPass, I took a good deal of satisfaction in destroying the RFID chip in my card. It's easy enough to spot if you look at the card obliquely. Then just use a pair of needle nose pliers to hold onto it and gently flex the card and listen for the crunch. About 30 sec work and no more PayPass chip in my card.

The ironic thing is that it was supposed to be a more secure method of payment.

All I can say is that hackers can be glad I don't make the laws because any of them I caught would have their jewels cut off, sauteed in motor oil, and served to them on a bed of poison ivy.
