You’d be a victim of a Man-in-the-Middle attack (MITM), a cryptographic form of eavesdropping. This threat to businesses is enormous and getting worse every day. Phishing, SSL proxy, autoproxy, Man-in-the-Browser, DNS poisoning such as Hotspots and Kaminsky attacks, IPSec+XAUTH MITM, and OTP via a botnet client are all extremely dangerous MITM attacks.

On Friday, March 27th, join Steve Dispensa and co-host David Strom as they share solutions to MITM attacks, and discuss possible new threats.

David Strom is an internationally respected author and professional speaker who has been writing about security and networking issues for more than 20 years. He was the founding editor-in-chief at Network Computing magazine and DigitalLanding.com, and has written two computer networking books and thousands of magazine articles for nearly every IT publication.

Listen at:

What’s in your e-mail?

On Friday, March 13th, Security Break Live addresses many of the traps you may not know about, as well as some ways to protect your e-mail environment moving forward.

Steve will be joined by Wayne Rash, a veteran computer journalist for more than 30 years. Wayne was Executive Editor of the eWEEK Knowledge Center and Ziff Davis Events. Now he is the President of Wayne Rash & Associates, which houses a testing lab. He continues to write, specializing in enteprise technology and development.

Listen at:

It’s an important case because we rely more and more heavily on ATM/Debit and Credit Cards as we move toward a cashless society. And they’re all vulnerable to the type of attack detailed here. New card skimmers are showing up that get the mag stripe data, and are coupled with small cameras that watch you enter your PIN. The info is sent to a Bad Guy via a wireless network, and the Bad Guy makes a new mag stripe card, drives across town, withdraws money out of another ATM with your PIN, and disappears into the sunset. You’ll never see your money again.

Roll ‘em:

Basically, the Bad Guy just needs a few seconds to attach a skimmer to the ATM and attach a camera to a convenient location in view of the keypad. Everything can be pre-programmed, so this whole operation can be done in the blink of an eye. The system works by wirelessly transmitting all of the information to the crook, at a safe distance from the ATM.

The point is it’s easy to read magnetic stripes, it’s easy to re-encode magnetic stripes, and it’s easy to buy a bunch of blank credit-card-sized magnetic stripe cards and encode those stripes with stolen numbers. Since merchants don’t verify that you have a genuine— or even genuine-looking— card anymore, a Bad Guy can copy your card and use it at any gas station, any ATM, or any self-service kiosk, and probably not get caught.

(Security Break: What value does the card’s 3 or 4 digit security code add?)

To make things worse, there are a wide variety of ways to get the magnetic stripe info off a card, and because of that, attacks like this continue to grow in popularity. Some easy ways:

• Card skimmers on ATM’s, gas pumps, or even in shops – like in the video above, it only takes a few seconds to install a skimmer and an optional camera, and they can be extremely difficult to detect;
• Waiters at restaurants get your physical card for long enough to copy it, with or without a magnetic stripe reader. They simply take the stolen information and either sell it online, or if they’re truly ambitious, they fabricate a copy card themselves with inexpensive, widely available equipment;
• Browsers and websites can be compromised, or you could be phished – in which case, the Bad Guy gets everything you type and everything you see on your screen, including not only the information on the card, but also things like names, billing addresses, and whatever else you enter for the transaction.

(Security Break: What does signing the back of the card do?)

So, what can be done about this?

There are a few things consumers can do to dramatically improve security in their life, like monitoring their transactions, using known ATM machines and keeping an eye out for changes, etc. But just like passwords are no longer considered a sufficient means of protecting access to online accounts due to things like phishing, relying on a magnetic stripe on a credit card is just not enough to protect your financial transactions. Adding a second method to verify that the account owner is, in fact, the person conducting the transaction would offer material benefit.
So how would this work?

Transaction verification systems call you for approval (usually just pressing the # key) before dispensing the cash or completing the transaction, if the transaction looks suspicious.

I believe more and more banks will be implementing transaction verification systems for just this reason: It’s simple, and it works.