My inbox has been flooded of late with pitches for new technologies aimed at making credit cards safer and more secure. Many of these solutions are exceedingly complex and overwrought — if well-intentioned — responses to a problem that we already know how to solve. Here’s a look at a few of the more elaborate approaches.

Some of these ideas may have benefited from additional research into where financial institutions actually experience most of their fraud losses. Hint: Lost-and-stolen fraud is minuscule compared to losses from other types of fraud, such as counterfeit cards and online fraud. Case in point: A new product called Safe Swipe. From their pitch:

“The basic premise of our solution, Safe Swipe…is a technology which ‘marries’ your smart mobile device, phone, tablet and or computer to your credit/debit card(s). We’ve developed a Geo-Locator software program which triangulates your location with the POS device and your mobile phone so that if your phone and credit card are not within a certain predetermined range of one another the purchase would be challenged. In addition, we incorporated an ON/OFF type switch where you can ‘Lock Down’ your credit/debit card from your mobile device making it useless should it ever be stolen.”

The truth is that you can “lock down” your credit card if it’s lost or stolen by calling your credit card company and reporting it as such.  Along these lines, I received multiple pitches from the folks who dreamed up a product/service called “Siren Swipe.” Check it out:

“The SIREN SWIPE system immediately notifies local police (via the local 911 center) of a thief’s location (ie merchant address) once heswipes a card that has already been reported stolen,” the folks at this company said in an email pitch to KrebsOnSecurity. “SIREN SWIPE has the potential to drastically impact the credit card fraud landscape because although card credentials being stolen is a forgone conclusion, which cards thieves decide to actually use is not.  For a thief browsing a site like Rescator, the knowledge that using certain banks’ cards could result in an immediate police response can make thieves avoid using these banks’ stolen cards over and over again.  And in the best case scenario, a carder site admin could just decide not to sell subscribing banks’ cards in the interest of customer service.”

The sad truth is that, for the most part, cops generally have more important things to do than chase around the street urchins who end up using stolen credit and debit cards, and they’re not going to turn on the dome lights and siren over something like this. Also, the signals for fraud are all backwards here: The fraudsters know to use criminal card-checking services before buying and/or using stolen cards, so they don’t generally end up using a pile of cards that have already been cancelled.

My favorite overwrought solution to making credit cards more secure comes from researchers in the Netherlands, who recently put out a paper announcing a card security idea they’re calling Quantum-Secure Authentication. According to its creators, this approach relies on “the unique quantum properties of light to create a secure question-and-answer exchange that cannot be spoofed or copied. From their literature:

“Traditional magnetic-stripe-only cards are relatively simple to use but simple to copy. Recently, banks have begun issuing so-called ‘smart cards’ that include a microprocessor chip to authenticate, identify & enhance security. But regardless of how complex the code or how many layers of security, the problem remains that an attacker who obtains the information stored inside the card can copy or emulate it. The new approach…avoids this risk entirely by using the peculiar quantum properties of photons that allow them to be in multiple locations at the same time to convey the authentication questions & answers. Though difficult to reconcile with our everyday experiences, this strange property of light can create a fraud-proof Q&A exchange, like those used to authorize credit card transactions.”

The main reason so many of these newfangled technologies are even being proposed is that the United States lags 20 years behind Europe and the rest of the world in adopting chip/smartcard technology in credit and debit cards. This is starting to change on both the card-issuing side (the banks) and the merchant side. Most of the biggest banks are already issuing chip cards, with smaller institutions following suit next year. In October 2015, merchants that haven’t yet installed card swipe terminals that accept chip cards will be liable for all of the fraud costs on any fraudulent transaction involving a chip card.

It’s unclear how much appetite there is for new technology to help banks fight card fraud, when so many financial institutions have yet to roll out chip cards. A payments fraud survey released this week by the Federal Reserve Bank of Minneapolis found that “high percentages of surveyed financial institutions report that fraud prevention costs exceed actual losses for many types of payments, especially wire, cash, and ACH payments. This trend is even more striking for non-financial respondents. In every payment category, a higher percentage of such firms responded that prevention costs exceed fraud losses.”

The Fed survey (PDF), which quizzed both banks and corporations, found that about half of the financial institutions that experienced payment fraud losses reported increases in those losses, while three quarters of the non-financial firms responded that loss rates had remained about the same over the prior year.

“In keeping with previous surveys, signature debit transactions are the payment type cited by the largest number of financial institutions as accounting for high levels of payments fraud losses (92% of financial service companies), while checks are cited by 75% of non-financial companies,” the Fed concluded. “While this finding could suggest that companies are overcompensating in prevention vis-à-vis likely losses, it is also possible that risk mitigation strategies and fraud prevention investments have indeed been effective.”

Multiple financial institutions say they are seeing a pattern of fraud that indicates an online credit card breach has hit Park-n-Fly, an Atlanta-based offsite airport parking service that allows customers to reserve spots in advance of travel via an Internet-based reservation system. The security incident, if confirmed, would be the latest in a string of card breaches involving compromised payment systems at parking services nationwide.

In response to questions from KrebsOnSecurity, Park-n-Fly said it recently engaged multiple outside security firms to investigate breach claims made by financial institutions, but so far has been unable to find a breach of its systems.

“We have been unable to find any specific issues related to the cards or transactions reported to us and by the financial institutions,” wrote Michael Robinson, the company’s senior director of information technology, said in an emailed statement. “While this kind of incident is rare for us based on our thousands of daily transactions, we do take every instance very seriously. Like any reputable company involved in e-commerce today we recognize that we must be constantly vigilant and research every claim to root out any vulnerabilities or potential gaps.”

Park-n-Fly’s statement continues:

“While we believe that our systems are very secure, including SLL encryption, we have recently engaged multiple outside security firms to identify and resolve any possible gaps in our systems and as always will take any action indicated. We have made all necessary precautionary upgrades and we just upgraded on 12/9 to the latest EV SSL certificate from Entrust, one of the leading certificate issuers in the industry.”

Nevertheless, two different banks shared information with KrebsOnSecurity that suggests Park-n-Fly — or some component of its online card processing system — has indeed experienced a breach. Both banks saw fraud on a significant number of customer cards that previously  — and quite recently — had been used online to make reservations at a number of more than 50 Park-n-Fly locations nationwide.

Unlike card data stolen from main street retailers, which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.

The CVVs stolen that bank sources traced back to Park-and-Fly are among thousands currently for sale in four large batches of card data (dubbed “Decurion”) being peddled at Rescator[dot]cm, the same crime shop that first moved cards stolen in the retail breaches at Home Depot and Target. The card data ranges in price from $6 to $9 per card, and include the card number, expiration date, 3-digit card verification code, as well as the cardholder’s name, address and phone number.

Last month, SP Plus — a Chicago-based parking facility provider — said payment systems at 17 parking garages in Chicago, Philadelphia and Seattle that were hacked to capture credit card data after thieves installed malware to access credit card data from a remote location. Card data stolen from those SP+ locations ended up for sale on a competing cybercrime store called Goodshop.

In Missouri, the St. Louis Parking Company recently disclosed that it learned of breach involving card data stolen from its Union Station Parking facility between Oct. 6, 2014 and Oct. 31, 2014.

Over the weekend I received a nice holiday letter from lawyers representing Sony Pictures Entertainment, demanding that I cease publishing detailed stories about the company’s recent hacking and delete any company data collected in the process of reporting on the breach. While I have not been the most prolific writer about this incident to date, rest assured such threats will not deter this reporter from covering important news and facts related to the breach.

“SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen information, and to request your cooperation in destroying the Stolen Information,” wrote SPE’s lawyers, who hail from the law firm of Boies, Schiller & Flexner.

This letter reminds me of one that I received several years back from the lawyers of Igor Gusev, one of the main characters in my book, Spam Nation. Mr. Gusev’s attorneys insisted that I was publishing stolen information — pictures of him, financial records from his spam empire “SpamIt” — and that I remove all offending items and publish an apology. My lawyer in that instance called Gusev’s threat a “blivit,” a term coined by the late, great author Kurt Vonnegut, who defined it as “two pounds of shit in a one-pound bag.”

For a more nuanced and scholarly look at whether reporters and bloggers who write about Sony’s hacking should be concerned after receiving this letter, I turn to an analysis by UCLA law professor Eugene Volokh, who posits that Sony “probably” does not have a legal leg to stand on here in demanding that reporters refrain from writing about the extent of SPE’s hacking in great detail. But Volokh includes some useful caveats to this conclusion (and exceptions to those exceptions), notably:

“Some particular publications of specific information in the Sony material might lead to a successful lawsuit,” Volokh writes. “First, disclosure of facts about particular people that are seen as highly private (e.g., medical or sexual information) and not newsworthy might be actionable under the ‘disclosure of private facts’ tort.”

Volokh observes that if a publication were to publish huge troves of data stolen from Sony, doing so might be seen as copyright infringement. “The bottom line is that publication of short quotes, or disclosure of the facts from e-mails without the use of the precise phrasing from the e-mail, would likely not be infringement — it would either be fair use or the lawful use of facts rather than of creative expression,” he writes.

Volokh concludes that Sony is unlikely to prevail — “either by eventually winning in court, or by scaring off prospective publishers — especially against the well-counseled, relatively deep-pocketed, and insured media organizations that it’s threatening,” he writes. “Maybe the law ought to be otherwise (or maybe not). But in any event this is my sense of the precedents as they actually are.”

This is actually the second time this month I’ve received threatening missives from entities representing Sony Pictures. On Dec. 5, I got an email from a company called Entura, which requested that I remove a link from my story that the firm said “allowed for the transmission and/or downloading of the Stolen Files.” That link was in fact not even a Sony document; it was a derivative work — a lengthy text file listing the directory tree of all the files stolen and leaked (at the time) from SPE. Needless to say, I did not remove that link or file.

Here is the full letter from SPE’s lawyers (PDF).

A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare, KrebsOnSecurity has learned.

In late March 2013, a massive distributed denial-of-service (DDoS) attack hit the web site of SpamHaus, an organization that distributes a blacklist of spammers to email and network providers. When SpamHaus moved its servers behind CloudFlare, which specializes in blocking such attacks — the attackers pelted CloudFlare’s network. The New York Times called the combined assault the largest known DDoS attack ever on the Internet at the time; for its part, CloudFlare dubbed it “the attack that almost broke the Internet.”

In April 2013, an unnamed then-16-year-old male from London identified only by his hacker alias “Narko,” was arrested and charged with computer misuse and money laundering in connection with the attack.

Sources close to the investigation now tell KrebsOnSecurity that Narko has pleaded guilty to those charges, and that Narko’s real name is Sean Nolan McDonough. A spokesman for the U.K. National Crime Agency confirmed that a 17-year-old male from London had pleaded guilty to those charges on Dec. 10, but noted that “court reporting restrictions are in place in respect to a juvenile offender, [and] as a consequence the NCA will not be releasing further detail.”

During the assault on SpamHaus, Narko was listed as one of several moderators of the forum Stophaus[dot]com, a motley crew of hacktivists, spammers and bulletproof hosting providers who took credit for organizing the attack on SpamHaus and CloudFlare.

WHO RUNS STOPHAUS?

It is likely that McDonough/Narko was hired by someone else to conduct the attack. So, this seems as good a time as any to look deeper into who’s likely the founder and driving force behind the Stophaus movement itself. All signs point to an angry, failed spammer living in Florida who runs an organization that calls itself the Church of Common Good.

Not long after McDonough’s arrest, a new Facebook page went online called “Freenarko,” which listed itself as “a solidarity support group to help in the legal defense and media stability for ‘Narko,’ a 16-yr old brother in London who faces charges concerning the Spamhaus DDoS attack in March.”

Multiple posts on that page link to Stophaus propaganda, to the Facebook page for the Church of the Common Good, and to a now-defunct Web site called “WeAreHomogeneous.org” (an eye-opening and archived copy of the site as it existed in early 2013 is available at archive.org; for better or worse, the group’s Facebook page lives on).

The Church of Common Good lists as its leader a Gulfport, Fla. man named Andrew J. Stephens, whose LinkedIn page says he is a “media mercenary” at the same organization (hours after this story was posted, large chunks of text were deleted from Stephens’ profile; a PDF of the original profile is here).

Stephens’ CV lists a stint in 2012 as owner of an email marketing firm variously called Digital Dollars and IBT Inc, moneymaking schemes which Stephens describes as a “beginner to intermediate level guide to successful list marketing in today’s email environment. It incorporates the use of both white hat and some sketchy techniques you would find on black hat forums, but has avoided anything illegal or unethical…which you would also find on black hat forums.”

More recent entries in Andrew’s LinkedIn profile show that he now sees his current job as a “social engineer.” From his page:

“I am a what you may call a “Social Engineer” and have done work for several information security teams. My most recent operation was with a research team doing propaganda analysis for a media firm. I have a unique ability to access data that is typically inaccessible through social engineering and use this ability to gather data for research purposes. I have a knack for data mining and analysis, but was not formally trained so am able to think outside the box and accomplish goals traditional infosec students could not. I am proficient at strategic planning and vulnerability analysis and am often busy dissecting malware and tracking the criminals behind such software. There’s no real title for what I do, but I do it well I am told.”

Turns out, Andrew J. Stephens used to have his own Web site — andrewstephens.org. Here, the indispensable archive.org helps out again with a cache of his site from back when it launched in 2011 (oddly enough, the same year that Stophaus claims to have been born). On his page, Mr. Stephens lists himself as an “internet entrepreneur” and his business as “IBT.” Under his “Featured Work” heading, he lists “The Stophaus Project,” “Blackhat Learning Center,” and a link to an spamming software tool called “Quick Send v.1.0.”

Stephens did not return requests for comment sent to his various contact addresses, although a combative individual who uses the Twitter handle @Stophaus and has been promoting the group’s campaign refused to answer direct questions about whether he was in fact Andrew J. Stephens.

Helpfully, the cached version of Andrewstephens.org lists a contact email address at the top of the page: stephensboy@gmail.com (“Stephensboy” is the short/informal name of the Andrew J. Stephens LinkedIn profile). A historic domain registration record lookup purchased from Domaintools.com shows that same email address was used to register more than two dozen domains, including stophaus.org and stopthehaus.org. Other domains and businesses registered by that email include (hyperlinked domains below link to archive.org versions of the site):

-“blackhatwebhost.com“;
-“bphostingservers.com” (“BP” is a common abbreviation for “bulletproof hosting” services sold to -spammers and malware purveyors);
-“conveyemail.com”;
-“datapacketz.com” (another spam software product produced and marketed by Stephens);
-“emailbulksend.com”;
-“emailbulk.info”;
-“escrubber.info” (tools to scrub spam email lists of dummy or decoy addresses used by anti-spam companies);
-“esender.biz”;
-“ensender.us”;
-“quicksendemail.com“;
-“transmitemail.com”.

The physical address on many of the original registration records for the site names listed above show an address for one Michelle Kellison. The incorporation records for the Church of Common Good filed with the Florida Secretary of State list a Michelle Kellison as the registered agent for that organization.

Putting spammers and other bottom feeders in jail for DDoS attacks may be cathartic, but it certainly doesn’t solve the underlying problem: That the raw materials needed to launch attacks the size of the ones that hit SpamHaus and CloudFlare last year are plentiful and freely available online. As I noted in the penultimate chapter of my new book — Spam Nation (now a New York Times bestseller, thank you dear readers!), the bad news is that little has changed since these ultra-powerful attacks first surfaced more than a decade ago.

Rodney Joffe, senior vice president and senior technologist at Neustar –a security company that also helps clients weather huge online attacks — estimates that there are approximately 25 million misconfigured or antiquated home and business routers that can be abused in these digital sieges. From the book:

Most of these are home routers supplied by ISPs or misconfigured business routers, but a great many of the devices are at ISPs in developing countries or at Internet providers that see no economic upside to spending money for the greater good of the Internet.

“In almost all cases, it’s an option that’s configurable by the ISP, but you have to get the ISP to do it,” Joffe said. “Many of these ISPs are on very thin margins and have no interest in going through the process of protecting their end users— or the rest of the Internet’s users, for that matter.”

And therein lies the problem. Not long ago, if a spammer or hacker wanted to launch a massive Internet attack, he had to assemble a huge botnet that included legions of hacked PCs. These days, such an attacker need not build such a huge bot army. Armed with just a few hundred bot- infected PCs, Joffe said, attackers today can take down nearly any target on the Internet, thanks to the millions of misconfigured Internet routers that are ready to be conscripted into the attack at a moment’s notice.

“If the bad guys launch an attack, they might start off by abusing 20,000 of these misconfigured servers, and if the target is still up and online, they’ll increase it to 50,000,” Joffe said. “In most cases, they only need to go to 100,000 to take the bigger sites offline, but there are 25 million of these available.”

If you run a network of any appreciable size, have a look for your Internet addresses in the Open Resolver Project, which includes a searchable index of some 32 million poorly configured or outdated device addresses that can be abused to launch these very damaging large-scale attacks.

Last week, several thousand credit card payment terminals at various retailers across the country suddenly stopped working, their LCD displays showing blank screens instead of numbers and letters. Puzzled merchants began to worry that this was perhaps part of some sophisticated hacker attack on their cash registers. It turns out that the incident was indeed security-related, but for once it had nothing to do with cyber thieves.

On Dec. 7, 2014, certain older model payment terminals made by Hypercom stopped working due to the expiration of a cryptographic certificate used in the devices, according to Scottsdale, Ariz.-based Equinox Payments, the company that owns the Hypercom brand.

“The security mechanism was triggered by the rollover of the date and not by any attack on or breach of the terminal,” said Stuart Taylor, vice president of payment solutions at Equinox. “The certificate was created in 2004 with a 10 year expiry date.”

Taylor said Equinox is now working with customers, distributors and channel partners to replace the certificate to return terminals to an operational state. The company is pointing affected customers who still need assistance to this certificate expiry help page.

“Many of these terminals have been successfully updated in the field,” Taylor said. “Unfortunately, a subset of them can’t be fixed in the field which means they’ll need to be sent to our repair facility.  We are working with our customers and distribution partners to track down where these terminals are and will provide whatever assistance we can to minimize any disruption as a result of this matter.”

According to two different merchants impacted by the incident that reached out to KrebsOnSecurity, the bricking of these payment terminals occurs only after the affected devices (in the 4x version of the terminals) are power-cycled or rebooted, which some merchants do daily.

Michael Rochette, vice president at Spencer Technologies, a Northborough, Mass.-based technology installation and support company, said his firm heard last week from an East Coast supermarket chain that opened for business on Monday morning only to find all of their payment terminals unresponsive. Rochette said that the supermarket chain and other retailers impacted by the incident across the country were immediately worried that the incident was part of a hacker attack on their payment infrastructure.

“Not all stores power cycle overnight, but for those that do, they came up all blank and inoperative,” Rochette said. “If that’s something that a retail chain does as a matter of policy across a whole chain of stores, that can be pretty damaging.”

One retailer that contacted KrebsOnSecurity but asked to remain anonymous said technicians at its locations had spent three days trying without success to restore the devices.

“I use two different generations of their terminals and have spent the last three days trying to understand completely why I had zero impact,” a reader from the retailer said. “Mass extinction of my POS devices at the manufacturer level was never on my list of scenarios that would wreck my day at retail.  It is now.”

While designing your products so that they fail after 10 years seems like a less than brilliant idea, this incident is a reminder of just how much of the payments infrastructure in the United States relies on rapidly aging technology.

According to Rochette, at least one of the affected Hypercom devices is no longer allowed to be used in retail installations after 2014, per sunset provisions set out by the PCI Council, an industry group that sets security standards for payment systems. Other Hypercom models affected by this incident are perfectly acceptable to use for years to come.

As for why Equinox failed to warn its customers of the impending meltdown of these payment terminals? Rochette posits that it might have something to do with Hypercom’s rocky corporate history.

“I’ve never seen this before where a particular product all crashed on the same day, and as far as I can tell there was no advance warning about this from Equinox,” Rochette said. “Over the last few years, they were Hypercom, then part of Equinox, then part of Verifone for a while, so I suspect there’s been a lot of turnover in personnel there, and frankly they just lost sight of the fact that they had a pretty important expiration date coming.”