• Bins – Bank bins are the first 6 digits of a card. Carders (see below) selling credit cards will advertise the bins they have for sale.
• Carders – Sellers of stolen credit cards.
• csv – The card security code, same as cvv. The three to four digit code is on the back of a credit or debit card.
• Drop point – A physical address, usually a home, that can be used to send purchased merchandise to. The home is usually vacant (e.g. vacation) and the hacker can pose as the occupant to receive the merchandise.
• Dropzone – A machine that accepts phished data.
• Dumps – A set of stolen credit cards.
• Fresh (as in selling “fresh”…) – A newly stolen card or cards. The cards are more likely to be active if they are “fresh.”
• Fullz – A card that includes full information – cvv (security code), expiration date as well as first/last name, address and phone.
• Live – A non-cancelled credit card.
• lr (liberty reserve) – A 100% irrevocable payment system and digital currency. A common way to purchase stolen cards and identities.
• Mules – Recruited by scammers (see below), mules are led to believe they are working for an import/export company. They are asked to accept merchandise and re-ship it outside the country.
• Rippers – Carders that do not deliver the credit cards as promised. They take the money from lr or wu and never transfer the data file with the credit cards.
• Scammers – Criminals who reship merchandise purchased with stolen credit cards. They may pose as legitimate importers/exporters and hire unsuspecting mules to help them.
• Track1/Track2 – The magnetic stripe on the back of a credit card is encoded with track1 and track2 data. Credit card readers are able to read the data. Criminals will create a real credit card with the track1 and track2 data encoded from stolen credit card numbers. 
• wu (Western Union) – A 100% irrevocable payment system and digital currency. Wu is a common way to purchase stolen cards and identities.

We’ve all heard that it’s important to pick long, complicated passwords. What you may not realize is why this becomes crucial in the context of a breach. While ensuring you don’t pick from some of the most common passwords is important, it’s still not enough. 

Some background information on how passwords work: while we still see websites storing passwords unencrypted (in this case, if you are part of a breach, the complexity of your password makes no difference), it is most common for websites to encrypt your password with a one-way hash. Put simply, this is a method that takes your password and transforms it into a long string of characters that is then stored in the website’s database. The website does not know your original password. When you log in to the website it applies the transformation and compares the long string to what it has stored in the database. If they match, then it knows you have entered the correct password.

When a company is breached, a common result is the selling and or sharing of that company’s user accounts. They could be publicly disclosed, shared in criminal forums and chat rooms, or sold to the highest bidder. The breached company may have taken steps to secure your account credentials, but the strength of your password can be your best friend or worst enemy. When a breach happens on a website where the passwords have been hashed, the criminal steals a list of user ids/emails and associated hashed passwords. They do not yet have your original password. The criminal has to decrypt the hash to retrieve the original password. While there are many sophisticated techniques at the criminals’ disposal, one of the most popular is referred to as the “brute force” method.  Every possible password is tried. Given the short and simple passwords that are routinely used, the criminal can quickly decrypt the majority of the encrypted passwords. 

To find out just how simple it is to decrypt a password, try to Google the encrypted hash of a common password, “d8578edf8458ce06fbc5bb76a58c5ca4”. It’s pretty easy to see what the original password is even without using brute force guessing software.

Let’s assume you’ve chosen something more complicated. For passwords with 6 characters, how many brute force guesses are necessary? Assuming your password at least has mixed upper and lower case letters, there are 19 billion possible passwords. There are two things that make cracking this type of password trivial for the criminal:

1. They do not have to attempt to log in to the website for each of their guesses. It would be impossible to make the necessary number of attempts to log in. They are able to make as many guesses as they want without anyone knowing what they are doing because they have the hashed password. 
2. Computers are very good at making very fast guesses. An average computer with an upgraded graphics card can make 500 million guesses a second.   Your 6-character password length can be guessed in 38 seconds or less. Adding numbers and the full set of non-alphanumeric characters, the password can now be guessed in 26 minutes or less. 

Parting advice: the easiest way to make your passwords better is to make them longer (at least 9 characters).  If you still use only alphanumeric characters but your password is 10 characters, a criminal would need over 18,000 days to crack it. Hopefully he won’t have this much time on his hands and will move on to an easier target!

Now, Global ID Protector has done it again. The TechAmerica Foundation has named CSID a finalist in the Cyber Security and Authentication category of the 2012 American Technology Awards (ATA’s) for the Global ID Protector product. We’re up against two other finalists in the category: RSA and KOBIL USA. See more about the awards and the complete list of finalists.

Jennifer Kerber, President of the TechAmerica Foundation, said in the company’s press release: “The caliber of this year’s nominees was incredible. Our judges had their work cut out for them in coming up with these outstanding finalists, who represent the best of technology in their categories. What a great indicator of how the tech sector is growing and innovating.”

They’ll be announcing the winners for each category early next week. Fingers crossed for CSID!

The most advanced security measures can be unraveled through everyday human error. In fact, some of the most recent security breaches began with employees simply opening an email containing a virus. But businesses can’t operate without humans, meaning proactive credit and security monitoring is crucial. Businesses that neglect to proactively monitor for security breaches or issues leave themselves open to a wide range of security threats that can impact their customers and ultimately, the bottom line.

Marc opened his presentation with this compelling statistic from Trusteer: 73 percent of consumers reuse their online banking login and password with nonfinancial websites. The reuse of login information increases the possibility that if one website gets hacked, other locations where its customers conduct business or interact online can also be accessed using that same information. In many cases, the stolen login information can even access a work database or server, leaving many businesses vulnerable without them realizing they are under attack.

For more information about proactive credential monitoring, read Marc’s conference paper. Read more about the ID360 Conference and Marc’s presentation in the Austin-American Statesman, and check out the #ID360Conference Twitter hashtag for key points from the event.

 The UT Center for Identity hosted the group’s very first ID360 conference earlier this week. The purpose of the conference – gather some of the best and brightest security professionals in education, business and government and talk identity security.

 The conference had an excellent line up of speakers including keynotes from Dr. Peter Tippet from Verizon and Kim Little from Lexis Nexis. Presenters also covered a number of relevant topics from security transparency to recent trends in biometrics.

Our very own VP of sales, Marc Ostryniec spoke on the topic of proactive identity protection for enterprise businesses. Come back later this week and we’ll have a more extensive blog post on Marc’s talk as well as a link to a downloadable paper on the topic. 

Identity protection is going to continue to be a hot-button issue throughout 2012 as breaches, data loss and hacks continue to occur. Luckily there are some really smart people working on how to mitigate the damages and risks of identity theft and, if what we heard at the ID360 conference is any indication, there are some exciting and innovative solutions in our future.  

The organization recently wrote about CSID on their blog as the “featured member of the day.” According to the article, they chose to feature us because our solutions scale globally, we innovate and adapt, we move quickly and efficiently, we are creating jobs, and the services we provide are crucial to the security and safety of others.

See the original write-up about CSID.

The Center for Identity works to deliver the highest quality, most recognized identity management discoveries, applications, education and outreach available.  The center works closely with students, governments – federal, state and local – as well as key players in the commercial industry to support its education, research and outreach efforts. 

With this new partnership, CSID will:

• Participate and contribute to research and pilot projects on identity protection and security
• Hold a Board of Directors seat and engage in the Research and Education Committees
• Participate in Center-hosted events like the ID360: The Global Forum on Identity and Identity Symposiums
• Provide dynamic internship opportunities for students interested in all aspects of the business from product research and development to client services

CSID is looking forward to working with the Center and its partners on upcoming opportunities to further research, technologies and education for identity protection, and management and security.

Before we get ahead of ourselves with arrangements for next year’s event, we wanted to revisit SXSW 2012 one last time and call out some key messages from each of our panels.

Data Breaches: Taking the Bull by the Horns
This panel, moderated by CSID President Joe Ross, brought up some resonating points about the importance of preparing your company for a data breach, and what to do in the instance that a breach occurs. A few key points from the panel include:

• Negligent insiders are the top cause of data breaches. One study estimates that 61 percent of security breaches are caused by internal sources.
• Every company, no matter how big or small, must create a risk management protocol that covers processes and procedures in the case of a breach.
• Breach notification laws differ among states. In 41 states, a breach of usernames and passwords does not need to be reported.

My Voice is My Passport. Verify Me.
This was a dual panel featuring Isaac Chapa, VP of technology at CSID, and Dan Miller, senior analyst and founder of Opus Research. Isaac and Dan discussed voice biometric technology and the future of voice authentication. Some interesting points made by Isaac and Dan include:

• Experts predict an exponential growth in voiceprint enrollments as businesses look for ways to authenticate online and mobile transactions like mobile payments.  
• Voice biometric technology has two key advantages over other biometric solutions: it can be used in a number of environments, and it does not require additional software or hardware to be built into a device as would fingerprint or retina scanners.
• Your voice can be a useful replacement when dealing with frequent password resets or remembering hundreds of complex log-ins. You can’t forget your voice.

No Rainy Days: Identity Protection in the Cloud
CSID’s VP of product strategy, Eric Youngstrom, discussed cloud security with a well-rounded group of experts. Notable points discussed during the panel include:

• On the horizon for cloud security: The National Strategy for Trusted Identities in Cyberspace (NSTIC) “Identity Ecosystem.” When implemented, the protocol will be similar to the FDA stamping your meat. NSTIC-approved sites will have a standard level of security in place, protecting consumer data.
• Security across the supply chain is completely relevant and important when storing and accessing data in the cloud.
• Make sure your cloud provider has third party certifications and is taking proper measures to secure your data.

What did you take away from SXSW this year? What topics do you want to see CSID cover at next year’s event? Leave a comment or let us know through Facebook and Twitter.

 “Data Breaches: Taking the Bull by the Horns,” moderated by CSID President Joe Ross, sparked a number of audience questions and Twitter chatter. We’ve gathered a handful of Tweets about the session, which was assigned the hashtag #SXBreach, to sum up some of they key points addressed by the panel. Take a look, and feel free to join the conversation on our Facebook and Twitter.

By Adam Kennedy, CSID Identity Restoration Supervisor; Certified Identity Theft Risk Management Specialist

Imagine you’re on your favorite tax preparation software recalling incomes and deductions from the year past. Finally, you’ve reached the end of the seemingly endless questionnaire and the estimated refund number glares from the screen like a stuffed piggy bank waiting to be cracked open… ‘Sorry, we are unable to accept your return; someone has already filed with this social security number,’ the software says.

If this has happened to you, you are not alone. The IRS estimates 404,000 people were victimized by identity theft tax fraud from 2010 to the end of 2011 and the number is rising as we reach the peak of the tax season for 2012.  With more than 100 million income tax refunds to process each year, the IRS concedes it will never be able to squelch such tax fraud completely.

Here are two easy precautions to take to keep your hard earned refund in your pocket.

1. File First: File your taxes before the perpetrator will block the fraudulent filing. If the criminal files first, your tax return will be blocked as a potential fraudulent filing and an investigation can delay your refund by 4 months to a year. File as soon as you have collected your W2 from your employer(s) and do not wait until April to process your taxes.
2. Check your earnings: Checking your Social Security Earnings Statements once a year can be a great way to catch potential tax and employment fraud. In light of the current budget situation, the Social Security Administration is sending statements only to workers age 60 and older. If this applies to you, you should receive your annual statement about three months before your birthday.
   If you’re younger than 60 years of age you will need to request a copy by visiting your local SSA office. Unfortunately the SSA no longer accepts the request form online or by mail. Upon your visit to the SSA office you will have the opportunity to review your employment history with a SSA representative to ensure there are no unidentifiable employers.
   Get in the habit of reviewing your wages and earnings statement in October or at least two months before you plan to file taxes. This will give you enough time to review the information before it’s time to file and act early to notify the IRS.

Unfortunately there is no sure-fire way to predict when or if you will fall prey to IRS identity theft and tax fraud. The hope is that this article helps arm you with the knowledge to catch and detour thieves from receiving your hard earned refund… Let’s keep those thieving hands off your piggy bank.