July 28, 2006

Why Study When You Can Hack?

Counter to what the movies might say, hacking grades is not just cheating; it's a crime:

An investigation showed the professor’s network account had been accessed without her permission and grades were assigned to nearly 300 students, prosecutor Robert Fratianne said.

I bet they just guessed her password, but still, there are more legal ways to cheat.

Students face 1 year in jail for hacking [Yahoo News / AP]

Read More: Authentication, Government, Identity Theft, Passwords, Threats

Cashing in on Phishing

Evidently the criminals who turn stolen credit card and ATM numbers into profit are called Cashers. Wired profiles a former Casher, and this is my favorite part:

It was his mother who introduced him to the online world of card thieves. In 2002, after completing a stint in drug rehab, his mother, “a big-time eBay seller,” sent him a link to Counterfeit Library, a website that catered to fraud artists.

“She knew I was into that stuff,” Dillinger says. “I used to send her these huge $150 gift baskets every Mother’s Day (paid for) with someone else’s credit-card number. So she pointed this (site) out to me.”

Who needs criminal help when you have a mom? A good read on the ins and outs of phishing and other credit card related cyber crime.

Confessions of a Cybermule [Wired]

Read More: Identity Theft, Investigations, Phishing, Theft

May 30, 2006

Ukrainian Cybercrime Lord?

We previously mentioned how some think that the underworld of identity theft is decentralized and that everyone meets online. A new Business Week article suggests otherwise: that large, mob-like organizations control the whole supply chain. US law enforcement suspects a Ukrainian named Dimity Ivanovich Golubov of being the mastermind:

U.S. Postal Inspection Service senior investigator Gregory S. Crabb, who worked with Ukrainian authorities on their case, says Golubov and others controlled the numbers, names, and security codes attached to credit cards. Low-level criminals would use that to load up fake cards and withdraw cash from automated teller machines or buy merchandise. “Golubov was known as the go-to guy,” says Crabb.

The article goes on to profile other members of the spyware, spam, and credit card theft underworld. It’s always good to know more about the bad guys.

Meet The Hackers [Business Week]

Read More: Identity Theft, Investigations, Threats

May 17, 2006

If You Gift Wrap It, They Will Prosecute

With statistics being bandied about of upwards of 10 million identity theft victims per year, law enforcement is overwhelmed. Private industry needs to do its part, and GE sets a good example:

Before prosecution, GE will wrap up a case as tightly as it can to ensure that law enforcement takes identity and data theft seriously. “You’ve got to make it easy, you’ve got to make a point,” he says.

It's often hard to justify the need for a world-class forensics or investigations team. This idea helps make the case. If you can make yourself less of a target by aggressively supporting the prosecution of offenders, everybody wins, including the bottom line.

One of my key security principles is “Make it easy to do the right thing.” This rings true for law enforcement, too.

GE security exec shares tips to reduce security risks? [ComputerWorld]

Read More: Identity Theft, Investigations, Theft

May 16, 2006

Banks Still Don’t Get It

Winn Schwartau at Network World does a good job of pointing out the myriad authentication flaws present at your average bank.

My wife overheard the conversation and raised hell with me about how easy it was to gain access to our intertwined online accounts with no decent security check. AmSouth’s proof-positive security check was, in fact, public information.

Then it only got worse. AmSouth called me at home…

When are banks going to get that the reason we give them our money is that we trust them? The lack of decent authentication goes a long way toward undermining that trust. A new report from emarketer.com says:

The key factor in customer attitudes is the perception of Web site security. Being able to trust a banking site is extremely important to customers, with more than 87% saying in an Ipsos Insight survey that they wanted assurance that the bank would not sell their personal information and 83% wanted assurance that such data was protected from hackers.

The banks need to get security right or they will lose customers quickly. This is a great chance for them to sell security as a competitive differentiator.

Big bank goes phishing [NetworkWorld]

Are On-Line Banking Sites Secure Enough [SecurityProNews]

Read More: Authentication, Identity Theft, Privacy

May 4, 2006

Identity Theft via Frequent Flyer Numbers?

The British paper The Guardian exposes a hole in the British Airways website. Given someone's name and frequent flyer number, you could steal their entire identity:

We logged on to the BA website, bought a ticket in Borer’s name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details – including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

The airline responded and closed the hole. According to the article, somehow this whole issue is the fault of CAPPS II, the now-defunct TSA program for screening airline passengers for terrorists. While I'm not excited about any program that invades my privacy and marks my friend's 2-year-old as a terrorist, the airline is at fault here, not the TSA.

However, there are two lessons here:

  1. Be careful how you handle any piece of information that uniquely identifies you. You never know what other information it might be tied to.
  2. When engineering or auditing a system, approach it in a threat-based way. Ask yourself, "If I only knew X piece of information, how much could I learn?" Better that you find out the nasty truth than a national newspaper.
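Both the AmSouth story above (a "proof-positive" security check that was public information) and the BA hole come down to the same mistake: an identifier that is printed, mailed or otherwise public gets treated as if it were a secret. The following is an added example, not code from the original post, the newspaper or either company. It models the flawed lookup next to a hardened one, and turns lesson 2 into a check you can actually run: a small "disclosure graph" in which each rule says that knowing some set of facts lets you obtain another, so you can ask what a finder of a boarding pass stub can reach before and after the fix. All account numbers, names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for the example; not real customer records.
PROFILES = {
    "BA12345678": {
        "name": "A. Traveller",
        "passport_number": "N00000000",
        "passport_expiry": "2010-01-01",
        "nationality": "NL",
        "date_of_birth": "1970-01-01",
    },
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
# Constructed credential store: frequent flyer number -> (salt, password hash).
CREDENTIALS = {"BA12345678": (_SALT, _hash_password("correct horse", _SALT))}


class PermissionDenied(Exception):
    pass


def lookup_profile_vulnerable(ff_number: str) -> dict:
    """The flaw as described: the number printed on every boarding pass is the
    only thing checked, so anyone who knows it gets the whole record."""
    return dict(PROFILES[ff_number])


@dataclass
class Session:
    account: Optional[str] = None  # frequent flyer number the user proved control of


def authenticate(ff_number: str, password: str) -> Session:
    """Returns a session bound to the account only if the password verifies."""
    rec = CREDENTIALS.get(ff_number)
    if rec is None:
        return Session()
    salt, expected = rec
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return Session(account=ff_number)
    return Session()


def lookup_profile_hardened(session: Session, ff_number: str) -> dict:
    """The identifier in the request is not trusted: the record is released only
    to a session that authenticated as that very account."""
    if session.account is None or session.account != ff_number:
        raise PermissionDenied("not authenticated as the owner of this account")
    return dict(PROFILES[ff_number])


# Lesson 2 as a runnable check. Each rule is (needs, gives): knowing everything
# in `needs` lets an attacker obtain `gives`. Starting from what is known,
# compute the transitive closure of what can be learned.
def reachable_from(known: set, rules) -> set:
    learned = set(known)
    changed = True
    while changed:
        changed = False
        for needs, gives in rules:
            if needs <= learned and gives not in learned:
                learned.add(gives)
                changed = True
    return learned


PERSONAL = {"passport_number", "passport_expiry", "nationality", "date_of_birth"}
ON_THE_STUB = [({"boarding_pass"}, "name"), ({"boarding_pass"}, "ff_number")]

# Before the fix: name + frequent flyer number (both on the stub) unlock everything.
RULES_BEFORE = ON_THE_STUB + [({"name", "ff_number"}, f) for f in PERSONAL]
# After the fix: the same fields also require the account password.
RULES_AFTER = ON_THE_STUB + [({"name", "ff_number", "password"}, f) for f in PERSONAL]


def exposure(rules) -> set:
    """Personal fields reachable by someone who has only found a boarding pass stub."""
    return reachable_from({"boarding_pass"}, rules) & PERSONAL


if __name__ == "__main__":
    print("vulnerable lookup leaks:", lookup_profile_vulnerable("BA12345678")["passport_number"])
    print("before fix, stub reaches:", sorted(exposure(RULES_BEFORE)))
    print("after fix, stub reaches: ", sorted(exposure(RULES_AFTER)))
```

The disclosure graph is the part worth keeping around: write the rules for your own system, seed `reachable_from` with each single identifier a customer might drop on the floor (account number, policy number, boarding pass), and look at what comes back.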

Q. What could a boarding pass tell an identity fraudster about you? A. Way too much [The Guardian] (via Lifehacker)

Read More: Authentication, Identity Theft, Privacy, Threats, Web