Don’t Get Caught Unaware

Every day, new security threats are in development, working to expose flaws in current IT. We’ve documented some of the most recent creations below.

Criminal shape shifting
Synthetic identity is the method a fraudster uses to “skin” himself to appear as a real person. It is a sort of criminal shape shifting. Synthetic IDs appear real on paper, so criminals can use them easily to get loans and credit cards from financial institutions as if they were valid, credit worthy customers.

While similar to identity theft, criminals using a mix of phony and legitimate information to create a synthetic ID. The criminals might mix a real person’s Social Security Number with face name. Usually this doesn’t affect consumers. Banks, however, get stuck with defaulted loans and unpaid credit card bills. Gartner says synthetic IDs may account for at least 20 percent of credit card charge offs, and 80 percent of bank’s credit-card fraud losses.

These false IDs work since they exploit practices in the big credit reporting companies by preserving files with faulty information in their databases. By exploiting these files with a mix of real and made-up information, the criminals get access to credit cards and loans.

Tightening up the process for security is the answer. But what worries financial managers about this is that tightening their processes too much for security can slow their credit granting and overall economic efforts.

Secure USB tokens? Bah humbug!
If you are thinking about securing your laptop with a USB token, reconsider, says Flylogic’s blog. Flylogic opens many supposedly tamper proof tokens. Once a hacker opens a token and finds access to the one-time programmable EEPROM, they have gained access to personal information. Flylogic says this takes only minimal technical skills. This lack of security means you probably don’t want to bet your laptop, its data and any network it connects to on a USB token.

WEP myth busted
Conventional wisdom says that to crack into a WEP, the attacker needs to be in its broadcasting range and one AP up and running. AirTight found it possible to retrieve the WEP key from a far distant client. They used a new technique called “AP-less WEP Cracking.”

For organizations that have not yet upgraded from WEP to WPA or WPA2, especially those who need to comply with PCI regulations, this has serious ramification, because their WEP keys possibly can be cracked even while an employees is taking a restroom break far from the RF signal of the office.