Archive for category Cybersecurity

How Private is your Social Network?

How Private is Your Social Network?

Amy Wees



April 19, 2012




Social networking websites such as Facebook, Twitter, and Google+ provide communication and advertising services to individuals, businesses and marketers.  Facebook was ranked by Google as the most visited site in 2011 with 880 million users and an astonishing one trillion page views (Google, 2011).  What makes social networking sites so popular?  Most sites are free to use and provide an easy way to keep in touch with family and friends near and far. All of this sharing of information has allowed businesses to track user interests and gain valuable information about consumers that can be customized to assist in sales.  In the same way, users can conduct searches of people and find out more about them by viewing their profile information on various sites.  Although this information is convenient, is it safe?  Privacy policies are intended to inform the user of how their information will be stored, shared, and utilized by the entity collecting or requesting the data.  This paper will examine the use and privacy policies of three popular social networking sites: Facebook, Twitter, and Google+; and identify ways in which the policies can be improved to benefit both the website and customers.    


How Private is Your Social Network?

Social networking websites such as Facebook, Twitter, and Google+ provide communication and advertising services to individuals, businesses and marketers.  Social networking websites are so captivating that 82 percent of the world’s 1.2 billion Internet users spent one of every five minutes online logged into a social networking site in October of 2011 according to research firm comScore (comScore, 2011).  Facebook was ranked by Google as the most visited site in 2011 with 880 million users and an astonishing one trillion page views (Google, 2011).  What makes social networking sites so popular?  Most sites are free to use and provide an easy way to keep in touch with family and friends near and far.  People can share photos, quick updates on their life’s happenings, play games with friends, network for employment, sell products or market businesses, and meet new people with similar interests (GEV, 2011).

The popularity of social networking sites has caught the eye of marketers across the Internet.  Users can now “like” a business on Facebook, “tweet” about a product or interest on Twitter, or add their most recent book purchases to their Google+ profile page.  All of this sharing of information has allowed businesses to track user interests and gain valuable information about consumers that can be customized to assist in sales.  In the same way, users can conduct searches of people and find out more about them by viewing their profile information on various sites.  Although this information is convenient, is it safe?  If a user signs up and creates a profile of personal information to share with friends, how much of that information should be made public?  Personal information can be used to destroy a person’s reputation, steal their identity, or unfairly stereotype someone.  In 2009 researchers from Carnegie Mellon University were able to accurately predict the social security numbers of over 500,000 Americans using various online data sources to gather the individuals place and date of birth (Acquisti & Gross, 2009).  For this reason it is vital for personal information to be protected and only shared with consent of the individual.  Privacy policies are intended to inform the user of how their information will be stored, shared, and utilized by the entity collecting or requesting the data.  This paper will examine the use and privacy policies of three popular social networking sites: Facebook, Twitter, and Google+; and identify ways in which the policies can be improved to benefit both the website and customers.

Privacy Policies

A privacy policy is defined by as a “Statement that declares a firm’s or website’s policy on collecting and releasing information about a visitor. It usually declares what specific information is collected and whether it is kept confidential or shared with or sold to other firms, researchers or sellers” (Business Dictionary, 2012).  Websites are highly encouraged to have privacy policies although they are not required by United States law unless information is being collected from children under the age of 13.  There are currently bills in congress awaiting approval that will strengthen legislation for the protection of personally identifiable information (PII).  One such bill is the Commercial Privacy Bill of Rights.  This bill would require businesses to notify customers of practices for collecting information and protect that information but prevent businesses that are only marketing to customers from collecting or storing personal information (Kerry, 2011).

The Federal Trade Commission (FTC) is responsible for governing privacy policies and prosecuting those who violate their own privacy policies under the Federal Trade Commission Act (Connelly, 2010).  In a 2007 report to congress, the FTC noted that “although 85 percent of over 1400 websites surveyed collected personal information from consumers, only 2 percent of provided a comprehensive privacy policy and 14 percent provided notice to consumers regarding information practices” (Federal Trade Commission, 2007).  A more recent FTC report in 2012 continues to urge congress to enact baseline privacy legislation and notes that “overall, consumers do not yet enjoy the privacy protections proposed in the preliminary staff report” (FTC, 2012).  The FTC (2012) also noted they would concentrate on improving consumer privacy in five key areas:

  1. “Do Not Track” Allowing consumers mechanisms to avoid having their activity tracked on the web
  2. “Mobile” Helping businesses to create short and effective privacy disclosures for mobile applications
  3. “Data Brokers” Requesting legislation to require notification to consumers of personal information held by data brokers
  4. “Large Platform Providers” discouraging Internet service providers and other larger entities from tracking consumers activities online
  5. “Promoting Enforceable Self-Regulatory Codes” Developing and enforcing sector-specific codes of conduct for businesses and law enforcement to follow

Reading Privacy Policies

Privacy policies are commonly lengthy, use broad and confusing terminology and are confusing to consumers.  Research conducted at Carnegie Mellon University by Aleecia McDonald and Lorrie Cranor found the average policy to be 2500 words with a reading time of 10 minutes for a total of 250 hours per year for the average number of websites visited (Vedantam, 2012).  Perhaps this is why research shows that extremely few website visitors actually read privacy policies while others provide necessary personal information for sign up and hope for the best.  Forrester research studied visits to six popular travel websites for one month and found that less than 1 percent of visitors viewed privacy policies (Regan, 2001).

Social networking sites host an enormous amount of PII of their users.  In order for customers to protect their information, they need to ensure they understand the privacy policies and limit the amount of personal information they post online.  It is necessary to delve further into the privacy policies of these sites to determine whether privacy and online social networking are compatible.

Social Networking Website Privacy


     Facebook has a short history of just over eight years but has made a big impact on the world.  According to Facebook’s about page, “Facebook’s mission is to make the world more open and connected. People use Facebook to stay connected with friends and family, to discover what’s going on in the world, and to share and express what matters to them” (Facebook, 2012).  Facebook reported 845 million active users and 425 million mobile users in December of 2011; 80 percent located outside of North America (Facebook, 2012).  To sign up for a free Facebook page, the user must provide a name, e-mail address, password, gender, and date of birth.  The date of birth is required to limit access to certain content to children and users are able to hide this information from their profile after signing up.  Additionally, the fine print above the sign up icon states users have read and understand the terms and data use policy (Facebook, 2012).


Terms provides a 4,205 word document titled “Statement of Rights and Responsibilities” that covers detailed ways in which the information on Facebook is used and the responsibilities of the user when adding, deleting or sharing information.  There is also a statement notifying the user that the document could change at any time and to become a fan of the governance page should they want notification of changes.  The document explains to the user that they can hide certain information from their profile but does not give any specifics on procedures for doing so (Facebook, 2012).  Using the average reading speed of 250 words per minute from McDonald and Cranor’s research, this document would take the user 17 minutes to read.

Data Use Policy

By clicking sign up, the user has also agreed to the data use policy which is Facebook’s title for its privacy policy.  This document consists of 6,910 words regarding what information is available to Facebook, how this information is used, how long the information is kept, and how the user may remove their information from the site by deleting their account.  Key information from the document is that the user’s name, photos and network are always publicly available.  Users’ photos, comments and information input about them by other users are also public.  Specifically, if a user posts a comment on a business’ page, that business now owns that comment and may use it anyway they like within or outside of Facebook (Facebook, 2012).   The data use policy also covers communication with advertisers and how to manage the data shown on users and friends pages.  Average read time of this document is 28 minutes at 250 words per minute.  Fortunately, Facebook has created interactive tools to help the user in navigating the document and viewing or changing privacy settings.  Figure 1 shows the navigation page for Facebook’s interactive tools (Facebook, 2012).




Figure 1


Most information on Facebook is publicly available unless the user follows the guidelines in the Data Use Policy to remove or protect their information from certain users.  Unfortunately, users cannot control information friends post about them or photos they are “tagged” in. Facebook notes in the terms that they collect data about a user’s location, interests, and friends in order to provide them with a better experience (Facebook, 2012).  Facebook’s policies have caused uproar from users and legal implications.  For example, in 2011 the FTC charged Facebook with breaking its own privacy policies without notifying the user by changing the site so information users thought was private was made public, allowing third party applications access to personal data of users and their friends, falsely claiming they had verified the security of applications, allowing access to users’ photos and videos even after accounts were deactivated or deleted, and violating data transfer laws between the U.S. and Europe.  The charges forced Facebook to clean up their policies and website and succumb to a privacy audits for the next 20 years (FTC, 2011).  More recently a user in Mississippi opened a class action lawsuit against Facebook claiming the site tracked her with cookies from “like” icons on various sites even when she was logged out of the site; something the sites’ privacy policy states will not happen (Goodin, 2011).


Facebook CEO Mark Zuckerberg wrote in a November 2011 blog that he admits the company had made many mistakes with their privacy policies and outlined improvements to be made.  Among those mentioned were improvements to the privacy policy creating tools to help users understand and view what information was public (such as the interactive tool in Figure1), notifying users when they are “tagged” to allow them to review the postings, an application dashboard allowing users to view what information applications had access to, making friends lists easier to manage, and including permissions options on each post (Zuckerberg, 2011).

Facebook can also benefit by ensuring third party applications are safe and do not require separate privacy policies for users to consent to.  Users would benefit by logging into Facebook and trusting the applications they use are safe and are not collecting personal information and Facebook will prevent further lawsuits and trouble with the FTC.  Another benefit to the user and the company would be to simplify privacy settings across the board.  Users should not have to select a privacy setting every time they make a posting, or repeatedly go through their friends list to control who has access to what information.  User information and interests should only be shared with friends and not friends of friends or third party applications or advertisers.  The current policies force a user to “like” a business in order to interact with it.  After this takes place, that business has access to their information and use of all postings made by users.  Users should be able to show interest in a business without giving out their personal information for marketing purposes.  Facebook will benefit by gaining the trust of their users and allowing businesses to market information using the site without the liability of protecting additional customer information (Reisinger, 2010).


     Twitter calls its site an “information network” and requires only an e-mail address and password from a user to sign up.  Users then have the option to add additional information to their profile such as a name, location, and website.  Twitter uses “tweets” or microblogs to communicate with the world.  Tweets consist of short messages or photos from a user, business, or community effort.  Users can participate in the conversation or just read comments from other entities or users that interest them.  Users can search for tweets from any user by topic or follow all of another user’s posts (Twitter, 2012).  In September 2011, Twitter had 100 million active users who logged in at least once a month and 362 million registered users (Bennett, 2012).


Twitter does not have a disclosure statement upon sign up of for users to consent to terms or privacy policies nor are these documents shown to the user as part of sign up but the terms do state that by accessing the websites’ services the user agrees to the terms.  The term document consists of 2,985 words explaining the user is responsible for all content posted on the site, the importance of use of strong passwords, that all content posted gives Twitter an unlimited license to reuse or copy that content, that Twitter is not responsible for any liability related to content posted and has the right to remove content if necessary (Twitter, 2011).  Overall the document is much more straight-forward than Facebook’s terms document and makes it clear to the user that when they post something on Twitter, it is available to the world.

Privacy Policy

The Twitter privacy policy is 1,440 words long and explains that any information provided to Twitter will be made public on Twitter anywhere in the world unless specified otherwise in the users profile or settings.  The policy states “Our Services are primarily designed to help you share information with the world. Most of the information you provide to us is information you are asking us to make public. This includes not only the messages you Tweet and the metadata provided with Tweets, such as when you Tweeted, but also the lists you create, the people you follow, the Tweets you mark as favorites or Retweet and many other bits of information” (Twitter, 2011).

The policy also covers the information Twitter collects from users including log data such as Internet Protocol addresses, mobile phone numbers, device names and searches; cookies, links clicked on, and interaction with advertisers or marketers.  Like Facebook, Twitter also notes that their policy can be changed at anytime and users will be notified via an e-mail or their Twitter account.  Unlike Facebook, Twitter does not offer third party applications within the site or request PII such as date of birth, age, relationship status, gender, education or work history, or names of family members.


The biggest threats to a Twitter account are impersonation or misrepresentation by someone logged in as another user and users clicking on malicious web addresses posted by other users (Reisinger, 2009).  Unfortunately, Twitter has not figured out a way to authenticate accounts and passwords, leaving any third party application granting access to Twitter with the username and password of the users Twitter account.  Twitter has plans to implement an authentication similar to Facebook where the user downloads the mobile application, gives only their Twitter username and then uses Twitter to log onto the application and grant permission for access.  There are too many Twitter usernames and passwords floating around in third party application databases for users to feel safe about their credentials (Reisinger, 2009).  In February 2012, it was reported that the Twitter mobile application was copying users contact lists from their phones and storing this information on the website’s servers.  The application creators claimed it was an oversight in an attempt to assist users in finding their friends on Twitter (Skynews, 2012).

Security is linked to privacy when accounts are compromised and a person’s information used without their consent.  Twitter must find ways to improve sign on services, set clear requirements for third party applications, and educate users on dangers of providing account details to non-affiliates.


     Google+ is very similar to Facebook in that a profile is created and users provide their name, employment details, interests, and various other details to a page that friends can see.  Google+ differs in that it was designed with social circles in mind, allowing users to add their contacts to circles according to what details they want the members of that circle to see.  For example, instead of posting a status message to their page and deciding who can see each individual status message as it is with Facebook; Google+ allows users to exempt an entire group from all status messages, simplifying the process.  Google+ also allows users to view their page as it looks to each social circle at any time, without having to navigate to a special tool like Facebook uses.  Additional features unique to Google are video hangouts where a group of friends can video chat at the same time and the ability for users to make public posts and blogs viewable to the entire community (Google, 2012).  In February 2012 Google+ had over 100 million registered users and membership is growing at a fast pace (Allen, 2012).


            In March of 2012 Google replaced 60 separate documents used to define terms of use and privacy within its various services and created one policy for all services.  There is an overview page explaining the changes and a quick link to terms of service and privacy.  The terms of service are similar to Facebook and Twitter in that they explain that any content posted is now owned by Google with license to use as needed.  Other items of importance are that open source software owned by Google can be used by users but not copied or redistributed and that the liability of Google is limited to the amount paid to use the service (Google, 2012).

 Privacy Policy

Google’s privacy policy explains “what information is collected and why, how that information is utilized, and how to access and update information” (Google, 2012).  The policy is similar to Twitter in that it explains that Google collects and stores data from the information given for a public profile, device or hardware information, cookies, log information, and location and application specific information related to a user’s operating system.  Similar to Facebook, Google explains that they use the information collected to provide an improved and tailored user experience.  The policy also notes that information will be shared with third parties only with a users’ consent (Google, 2012).


Google’s policy lacks specific details on how to update incorrect user information or restrict information only to certain parties.  This could be improved by providing links for updating information within the privacy policy for each service offered.  Although the new all-in-one privacy policy is claiming to make for an easier user experience, Google has been under scrutiny as many customers do not want their private information shared between services and combined into one single profile.  An article on news states “it’s not like Google doesn’t already collect a lot of information about its customers. When you are using Android mobile phones, Google can access your contacts and location. If you are searching for something on the internet, Google remembers all the search terms. When you sign into your Google account, it can track the sites you visit” (RT, 2012).  This scrutiny is combined with reports that Google tracked Apple device users without their consent by exploiting an anti-cookie tracking mechanism in the Safari web browser (Rawson, 2012).

Google can improve its privacy policy by making specific information regarding protecting information within each service easy to find and understand.  For example, currently when in Google+ the privacy policy users click on is the all-in-one policy and provides no specifics on how to protect the Google+ profile except within user tutorials.  Users should know how their information is being used within each Google service and how they can change their privacy settings or opt-out of information sharing.  Google+ improved on the privacy of its social network site pages over Facebook by creating social circles but has room to improve upon the short and broad termed privacy policy covering all of its many services.


            Social networking sites like Facebook, Twitter, and Google+ have changed the way people communicate and the way businesses market around the world.  There are so many options to share photos, products, life events, videos and opinions online.  Unfortunately somewhere amongst all of the excitement and new technology privacy was lost.  Users learned the hard way not to get too personal online after reputations were destroyed, identities stolen and feelings hurt.  Technological innovators created cool new applications without security or privacy in mind and those that have survived the backlash from citizens and governments are backtracking to fix old software and redesigning new applications.  Legislation is needed to enforce privacy policies and allow the FTC to regulate and audit business standards for privacy protection.   The social networking websites that have privacy policies need to make improvements in the way these policies are written to ensure they are easy for the user to navigate, read and understand.  Equally necessary is the ability of the business to comply with the privacy policies they create.  The way the world communicated may be changing by the day but privacy should not and cannot be ignored in the innovations of the future.





Acquisti, A., & Gross, R. (2009). Predicting Social Security numbers from public data. PNAS, 10975–10980.

Allen, P. (2012, February 1). Google+ Passes 100 Million Users. Retrieved from Google+:

Bennett, S. (2012, January 13). Twitter on Track for 500 Million Total Users by March. Retrieved from All Twitter:

Business Dictionary. (2012). Privacy Policy. Retrieved from

comScore. (2011, December 21). It’s a Social World: Social Networking Leads as Top Online Activity Globally, Accounting for 1 in Every 5 Online Minutes. Retrieved from comScore:

Connelly, R. V. (2010, September 28). What is a Privacy Policy? Retrieved from Render Visions Consulting:

Facebook. (2012). Data Use Policy. Retrieved from Facebook:

Facebook. (2012). Newsrooms. Retrieved from

Facebook. (2012). Terms. Retrieved from Facebook:

Federal Trade Commission. (2007, June 25). Privacy Online: A Report to Congress. Retrieved from

FTC. (2011, November 29). Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises. Retrieved from

FTC. (2012, March). Protecting Consumer Privacy in an Era of Rapid Change. Retrieved from

GEV. (2011, April 14). Popularity of Social Networking Sites. Retrieved from GEV:

Goodin, D. (2011, October 14). Facebook accused of violating US wiretap law. Retrieved from The Register:

Google. (2011, July). The 1000 most-visited sites on the web. Retrieved from Google:

Google. (2012). Learn More. Retrieved from Google+:

Google. (2012). Privacy Policy. Retrieved from Google Policies and Principles:

Google. (2012). Terms of Service. Retrieved from Google Policies and Procedures:

Kerry, J. S. (2011, April 12). Kerry, McCain Introduce Commercial Privacy Bill of Rights. Retrieved from

Rawson, C. (2012, February 17). Google allegedly bypassed privacy settings to track user browsing in Safari. Retrieved from

Regan, K. (2001, June 15). Does Anyone Read Online Privacy Policies? Retrieved from ecommerce times:

Reisinger, D. (2009, February 12). Twitter security: There’s still a lot of work to do. Retrieved from CNET News:

Reisinger, D. (2010, May 24). 10 Ways Facebook Can Improve Privacy and Security. Retrieved from

RT. (2012, January 25). Google to track users… like never before! Retrieved from

Skynews. (2012, February 16). Twitter admits peeking at address books, announces privacy improvements. Retrieved from Fox News:

Twitter. (2011, June 1). Terms of Service. Retrieved from Twitter:

Twitter. (2011, June 1). Twitter Privacy Policy. Retrieved from

Twitter. (2012). About. Retrieved from Twitter:

Vedantam, S. (2012, April 19). To Read All Those Web Privacy Policies, Just Take A Month Off Work. Retrieved from

Zuckerberg, M. (2011, November 29). Our Commitment to the Facebook Community. Retrieved from The Facebook Blog:




, , , ,

Leave a comment

The Life and Crimes of a Carder





The Life and Crimes of a Carder

By: Amy L. Wees

University of Maryland University College


April 6, 2012





The Internet carding industry is responsible for the identity theft, fraud, and financial losses of countless individuals and businesses every year.  The most lucrative example of the carding network came from a website called CarderPlanet.  Criminals steal account information, credit cards, and personally identifiable information in a variety of ways, then buy, sell or trade the information online, after which the information can be used to make purchases, withdraw money or further the carder’s career.  Though CarderPlanet was taken down and many arrests were made, similar sites and forums are still in existence and flourishing across the Internet.  To learn more about the way carding works and why it is so appealing to criminals; one can look at the ease of the craft, the multiple ways to get involved, and the habits and profiles of arrested criminals. This paper will explore the carding crime, the criminals’ actions and motivations, lessons learned from victims and prevention strategies.


Keywords: Carders, Identity Theft, Credit Card Fraud, Cyber-crime


The Life and Crimes of a Carder

The words of a fictitious Internet advertisement boast “Don’t miss it! There is a limited time only sale on stolen identifications, debit and credit cards including pins and CVVs, counterfeiting equipment, bank account information and PayPal accounts!  Get dumps of U.S. accounts for as little as 20 dollars!  Learn how to make your own credit cards with our specialized equipment.  It has never been easier to get your hands on all of this FREE money!! Fine print: Membership required, website can be relocated at any time and cannot be held liable for unlawful transactions.  All transactions are risky and success is not guaranteed”.

Unfortunately the above advertisement illustrates a scenario that is very real.  The Internet carding industry is responsible for the identity theft, fraud, and financial losses of countless individuals and businesses every year.  Criminals steal account information, credit cards, and personally identifiable information in a variety of ways, then buy, sell or trade the information online, after which the information can be used to make purchases, withdraw money or further the carder’s career.   Though these criminals can make a lot of easy money and mask their identities behind online codenames to avoid capture, there are many separate roles played in this crime ring and different motivations for involvement.  This paper will explore the carding crime, the criminals’ actions and motivations, lessons learned from victims and prevention strategies.


The Threat

The most lucrative example of the carding network came from a website called CarderPlanet.  CarderPlanet was launched in 2003 and was quickly known in the underground community as the place to go to learn the secrets of the carder trade and how to make money from stolen credit cards and identities.  Forum topics on the site covered everything from beginners’ instructions, sales or trades of credit cards, identity theft information and sales, programming, hacking and carder software, how to maintain anonymity and security, and employers offering carding jobs (Munns, 2010).    The site had fake contact information for an address in Ho Chi Minh City, Vietnam and an administrator who went by the alias “Script”.  “Script” was so bold he even created several online advertisements boasting of CarderPlanet’s success.  One of the flashy advertisements makes the following statements in capital letters: “NEED RELIABLE PARTER? CARDERPLANET! WORLD-CLASS CARDERS; GENIUS OF PROCESSING SECURITY; PROFESSIONALS OF PAYMENT SYSTEMS; WE GIVE YOU THE KNOWLEDGE; PROFITABLE STRATEGIES, CARDERPLANET TACTICS AND TUTORIALS; CARDERPLANET IS INEVITABLE” (F-Secure, 2008).

The site was easy to find for Internet browsers and Federal Bureau of Investigation (FBI) investigators attempting to hunt down cyber criminals.  Authorities gained a lot of leads from posts on the site which could be linked to open cases, but only names of aliases and little in regards to location or actual identities of criminals could be found.  Interpol soon was involved, and with the cooperation of multi-national law enforcement agencies, arrests were made and the site brought down (Munns, 2010).  In a 2010 FBI press release after the arrest of one of CarderPlanet’s founders Vladislav Anatolievich Horohorin, U.S. Secret Service Assistant Director for Investigations Michael Merritt stated:

“The network created by the founders of CarderPlanet, including Vladislav Horohorin, remains one of the most sophisticated organizations of online financial criminals in the world; this network has been repeatedly linked to nearly every major intrusion of financial information reported to the international law enforcement community” (U.S. Department of Justice , 2010).

Though CarderPlanet was taken down and many arrests were made, similar sites and forums are still in existence and flourishing across the Internet.  To learn more about the way carding works and why it is so appealing to criminals; one can look at the ease of the craft, the multiple ways to get involved, and the habits and profiles of arrested criminals.

Threat Profiles and Scenarios

According to University of Maryland University College (2010), a threat profile has five elements: asset – an item of value, whether data or physical property; actor – the person causing damage; motive – the reason for the action; access – the means of obtaining the item; and outcome- the eventual result of the action (p. 9).  For the purpose of this paper threat profiles will be given based on observed and reported scenarios of carders.

Scenario 1: Data Breach via Wardriving

In 2010, eleven cybercriminals were charged with conspiracy, computer intrusion, fraud, identity theft and various other crimes after stealing forty million credit and debit card numbers via wardriving.  The criminals tapped into the wireless networks using laptops while parked in front of various retailers including Sports Authority, TJ Maxx, Barnes & Noble, Marshalls and Office Max.  After gaining access to the network packet sniffers were installed to capture account numbers as cash registers processed purchases (U.S. Department of Justice , 2010).

Threat Profile

The asset in this case is the credit and debit card numbers.  There were 11 separate actors, most with the motive of financial gain as account numbers were sold over the internet or imprinted on magnetic strips of counterfeit cards and used to withdraw thousands of dollars (DOJ, 2008).  Ukrainian Maksym Yastremski was a well-known online seller of stolen cards and supposedly gained eleven million dollars from his crimes.  U.S. citizen Albert Gonzalez was also caught while simultaneously acting as a Secret Service informant on a separate operation (Poulsen, 2008).  Gonzalez’s motive may have been to lessen his previous sentence by working as an informant but also to use this position as a cover up to participate in other crimes for financial gain.  He may have been addicted to this crime if even after being caught he could not stop.  The outcome of this crime was severe financial losses to several major retailers.  The cost of the intrusion to TJ Maxx alone was reported to be over 130 million dollars (Poulsen, 2008).

Prevention Strategies

            How could these wardriving attacks have been prevented?  Data on a wireless network is transmitted via radio instead of over a wire, leaving it highly vulnerable to interception.  The first step in protection is to keep all essential data on a more secured wired network and not connect a device loaded with critical data to an unsecured wireless network.  Next, defaults on routers should be changed from factory settings and the Service Set Identifier (SSID) should not be broadcasted.  When setting passwords, ensure they are complex enough to deter a password cracker.  Third, Media Access Control (MAC) address filtering and Dynamic Host Configuration Protocol (DHCP) can be used to limit the number of workstations or devices allowed to access the network.  Last and most importantly, ensure the information sent over the wireless network is encrypted.  The best encryption standard is Wi-Fi Protected Access (WPA) 2 and is included in the latest router configurations.  Information should also be protected at the source using anti-virus programs, personal firewalls, and wireless network firewalls.   For businesses that may need even more protection, virtual private networks (VPN) can be used to ensure the person connecting to the network enters via a secure gateway (Comodo, 2006).

Scenario 2: Skimming

            In 2011, carders were arrested in several states after installing skimming devices on top of existing automatic teller machine (ATM) card slots on the entryway door used for access to the machine.  Additionally, carders installed pinhole cameras pointed at the ATM number pad (KTLA News, 2012).  The skimming device captured the account numbers on customers’ debit cards and carders later used these numbers in combination with the pins from captured videos to create counterfeit cards used for purchases and cash withdrawals (Kitten, ATM Skimmer Sentenced to Jail, 2011).

Threat Profile:

The asset in this scenario is the account data and pin numbers.  In this case there were three actors believed to be linked to a larger crime ring as several separate arrests were made for similar crimes in New York.  Gabriella Graham plead guilty of acting a lookout for other members of her team while they installed cameras and skimming machines at eleven banks in Connecticut, Massachusetts and Rhode Island.  She also admitted to creating and using counterfeit debit cards.  At first glance Graham’s motive appears to be financial gain, though she was labeled as a mule by authorities and offered a lower sentence in exchange for her testimony against accomplices.  This suggests she may have been pressured into involvement by others.  The skimming attacks cost banks and customers over $335,000 (Kitten, ATM Skimmer Sentenced to Jail, 2011).

Prevention Strategies

            Julie McNelley, a fraud analyst for Aite Group, states “ATM skimming has helped push debit-related fraud losses to the top of the card-fraud list; debit losses now outpace credit card fraud” (Kitten, Skimmers Busted by Fraud Detection, 2011).  Customers and banks need to know how to protect themselves from skimming.  Customers need to keep an eye on their account statements, look for irregular charges and report them to the bank immediately.  Credit cards offer fraud protection but debit cards are limited to a $50 limit by the FDIC’s consumer protection rule.  Therefore if a customer’s bank account is drained due to theft or fraud the bank does not have to refund the money unless a full investigation is completed to determine there was no fault of the customer (Sullivan, 2004).  Some banks use fraud detection software that limits the amount of cash that can be withdrawn on a daily basis and looks for irregular customer spending habits such as large dollar amounts outside of the immediate area.

Customers should also pay attention to ATM card slots or credit card swiping machines that look out of the ordinary.  If it appears as if something is attached to the original machine, do not use it and report suspicion to the vendor (Rogak, 2012).  Skimmers have also been found on cashiers and wait staff at restaurants, so customers should pay at the register when possible and not leave their card with staff for long periods of time (such as for a bar tab).  Retailers should mount security cameras over all areas in the store where transactions are processed to deter employees from theft or fraud (Crane, 2008).

Scenario 3: Phishing

In December, 2011 the United Kingdom’s e-crime unit caught six cybercriminals running a phishing scam targeted at college students across the U.K.  The criminals sent e-mails to students at various schools asking them to update the login details to their student loans.  Some students followed the e-mail link to an official looking website and provided enough personal information for criminals to gain access to the student’s bank accounts (Kovacs, 2011).

Threat Profile:

            The asset was the student loan accounts and the bank accounts.  The actors, whose names were not released, were four men and two women many in their mid-20’s and one age 49.  Police found computers and storage media used to access the stolen information (Neal, 2011).  The motive was financial gain as amounts of up to 5,000 pounds were withdrawn at one time adding up to over 1 million pounds stolen.  The U.K. charged the suspects with “conspiracy to defraud, money laundering and other offences under the Computer Misuse Act” (Ashford, 2011).   The outcome to the victimized students and banks is unknown.

Prevention Strategies

Consumer awareness is key when it comes to preventing phishing attacks as the amount of phishing e-mails sent and the differences in subjects are substantial.  Consumers need to know what to look for that is commonplace in many phishing e-mails and web addresses so they are able to recognize the scams in their inboxes.  The Anti-Phishing Working Group (APWG) offers consumer advice and recommendations; a brief summary is given:

  • Do not respond to e-mails with requests for personal financial information; banks and other businesses will not ask for this information via e-mail
  • Avoid clicking on links in an e-mail.  Type the known web address in the address bar instead
  • When purchasing items online use trusted retailers and ensure the https:// secure site is enabled as well as the padlock icon
  • Install a web browser toolbar that will provide alerts when browsing known fraudulent websites
  • Report phishing e-mails to the company being spoofed, the Federal Trade Commission or the Internet Crime Complaint Center of the FBI (Anti-Phishing Working Group, 2012).

Scenario 4: The Middle Man

            The U.S. Secret Service reports they have arrested “one of its five most wanted cybercriminals in the world” (Metzger, 2010).  “BadB” was an online credit card trafficker who was one of the founders of and later opened another site named  “BadB” sold credit card dumps to Secret Service agents on one of his sites and collected money for the sale through a Russian hosted site called Webmoney.  The sale led to his eventual identification and arrest in Nice, France (U.S. Department of Justice , 2010).

Threat Profile:

The asset in this scenario is the credit card dumps, which are large amounts of electronic copies of the magnetic stripes of stolen credit card numbers offered for sale in bulk in online forums (, 2012).  The actor is Vladislav Horohorin, a.k.a. “BadB”, who bought and sold stolen credit card data online in web forums that he reportedly scrupulously participated in by posting chat rules against swearing and warnings of devious users.  On his own site, he advertised his services with animated cartoons showing Russian political gain by stealing from the U.S. and carders receiving medals for their work.  Horohorin’s motive is more than just financial.  Being a founder of CarderPlanet and watching fellow carders go to prison did not derail him.  He continued on as a leader in the carder crime ring and did not make any attempts to cover his tracks, making noise with his bold cartoon advertisements, his website, and his avid participation on other popular carding sites (Metzger, 2010).  His actions show political motivations as he was determined to show Russian carders as heroes and U.S. citizens as easy targets who deserve to be criminalized.  Horohorin also showed that his crimes were motivated by his ego.  He wanted to see how much he could get away with.  It was obvious he thought he was untouchable.  The outcome of Horohorin’s crimes was his arrest.  He is charged with access device fraud and aggravated identity theft with a total maximum sentence of up to 12 years in prison and fines of up to $500,000 (U.S. D.O.J., 2010).

Prevention strategies

Although authorities have cracked down on carders, the problem remains almost too large to conquer.  There is no sign carders are slowing down in their crimes.  The credit card and banking industry must find better ways to combat the simplistic ways in which account data can be compromised.  Europe, Japan and various other areas around the globe have moved to a new standard using credit cards embedded with a computer chip instead of a magnetic strip.  The new cards also require the user to enter a pin to verify their identity at the time of purchase (Tulipan, 2012).  The use of this card prohibits skimmers from being used to steal credit card data and is a step in the right direction toward more secure credit and debit cards.  Another option would be to utilize biometric systems either instead of cards or to verify the identity of the owner of a card in lieu of a pin.

History has shown us that regulating information shared on the Internet is nearly impossible.  Regulating users of the Internet is also exceedingly tough as many of the sites in which hackers and cybercriminals converge are quickly moved from one location or host to another or utilize dynamic internet protocol addresses.  Law enforcement has come together on a global scale to bring cybercriminals to justice, but there are many more criminals to arrest than there are cyber-crime teams to dedicate to their capture.  Another solution posed by journalist Misha Glenny while speaking for Technology Entertainment Design (TED) talks is to hire the hackers to design security solutions instead of jailing them.  Glenny studied some of the most notorious cybercriminals and noted that nearly all of them learned their skills in their teens before their moral compass had developed, demonstrated advanced skills in science and math, and lacked social skills.  He also noted that countries like Russia and China are recruiting these hackers before and after they get into crime and utilizing them to develop their cyber-offensive capabilities (Glenny, 2011).  Glenny ends his presentation with an interesting point; he says “We need to find ways of offering guidance to these young people, because they are a remarkable breed.  And if we rely, as we do at the moment, solely on the criminal justice system and the threat of punitive sentences, we will be nurturing a monster we cannot tame” (Glenny, 2011).


Identity theft and credit card fraud are a serious global problem.  Criminals have various motivations for committing these crimes as carding does not require any advanced hacking skills, it is fairly easy to hide securely behind an Internet address and alias, and there is money to be made.  Victims must report crimes and suspicious activity to law enforcement and consumer protection agencies and also stay informed on the latest security threats and prevention strategies.



Anti-Phishing Working Group. (2012). Consumer Advice: How to Avoid Phishing Scams. Retrieved from APWG:

Ashford, W. (2011, December 9). UK police arrest six in £1m phishing scam. Retrieved from Computer Weekly:

Comodo. (2006, October 11). Wardriving: What is it, how common is it, and how to protect against it. Retrieved from Comodo:;msg23829#msg23829

Crane, A. (2008, September 9). 5 steps to avoid ID theft at the register. Retrieved from (2012, April 6). Credid Card Glossary: Terms and Definitions. Retrieved from

Department of Justice. (2008, August 5). Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers. Retrieved from Department of Justice:

F-Secure. (2008, March 14). Digging the Archives for Case CarderPlanet. Retrieved from

Glenny, M. (2011, July). Hire the Hackers. (M. Glenny, Performer) TED, Edinburgh, U.K.

Kitten, T. (2011, December 28). ATM Skimmer Sentenced to Jail. Retrieved from Bank Info Security:

Kitten, T. (2011, November 22). Skimmers Busted by Fraud Detection. Retrieved from Bank Info Security:

Kovacs, E. (2011, December 10). Six Phishers Arrested for Scamming UK Students. Retrieved from Softpedia:

KTLA News. (2012, February 7). 2 Arrested for Installing Skimming Device at Chase Bank. Retrieved from KTLA News:,0,1600909.story

Metzger, T. (2010, August 12). Alleged cybercriminal, cartoonist arrested in France. Retrieved from

Munns, D. (2010, August 12). The secret history of and Dmitry Ivanovich Golubov. Retrieved from

Neal, D. (2011, December 9). Arrests made for student phishing scam. Retrieved from The Inquirer:

Poulsen, K. (2008, August 5). Feds Charge 11 in Breaches at TJ Maxx, OfficeMax, DSW, Others. Retrieved from Wired:

Rogak, L. (2012, April 6). 10 things you should know about identity theft. Retrieved from

Sullivan, B. (2004, February 18). ID theft victims face tough bank fights. Retrieved from MSNBC:

Tulipan, M. (2012). European Credit Card Standard Leaves Americans Stranded. Retrieved from The Saavy Explorer:

U.S. Department of Justice . (2010, August 11). Alleged International Credit Card Trafficker Arrested in France on U.S. Charges Related to Sale of Stolen Card Data . Retrieved from Federal Bureau of Investigation:

University of Maryland University College. (2010). Human Aspects in Cybersecurity: Ethics, Legal Issues, and Psychology. Module 7. UMUC.



, ,


Vulnerabilities and Threats of Mobile Computing

Vulnerabilities and Threats of Mobile Computing
By: Amy Wees
CSEC620 Section 9082University of Maryland University College




Tech target defines mobile computing or nomadic computing as “the use of portable computing devices (such as laptop and handheld computers) in conjunction with mobile communications technologies to enable users to access the Internet and data on their home or work computers from anywhere in the world (, 2012).”

Mobile computing is a part of everyday life for many people.  Devices that offer the ability to connect to the Internet on-the-go are vast.  Some common examples are smartphones, laptops, tablets, Global Positioning System (GPS) devices, music players, handheld video games, wireless home appliances and e-readers (O’Dell, 2010).  A study conducted by Morgan Stanley in 2010 “predicts that the mobile web will be bigger than the desktop web by 2015 (O’Dell, 2010).”  This is mostly due to the development of smaller, more affordable devices with better data coverage and connection speeds.  Mobile e-commerce is also increasing along with the use of social networks over e-mail use (O’Dell, 2010).

Mobile computing is prevalent for businesses and consumers because of its many advantages.  Businesses can communicate with employees and customers in and out of the office, employees can update their work and human resource requirements in online portals.  People can search for, communicate with, and navigate to businesses on-the-go.  Productivity and leisure time are also increased as people can send and receive e-mails, update their social status, conduct research, or watch a movie all while waiting at the airport or standing in line at the coffee shop (Shukla, 2011).  “We are entering the era when the mobile employee has become the typical employee rather than the exception. One recent survey found that 81% of global executives use a mobile device, and analyst firm IDC estimates that there will be 1 billion mobile workers by 2011, including nearly 75% of the US workforce.”

Although mobile devices offer ways to be productive without an Internet connection such as by tracking appointments and reminders, creating documents and taking notes, capturing photos or videos, and listening to music; an Internet connection offers the ability to access and share information at anytime from almost anywhere.  Many software applications used for productivity and leisure are also limited or unusable without an Internet connection.  Some examples are Microsoft Office’s templates, e-mail applications which require Internet access to download new mail or send mail, music and video streaming software such as Apple’s iTunes which requires online access to download new content and anti-virus programs such as Norton that download important updates from online repositories.

Mobile computing devices connect to the Internet in a variety of ways such as wirelessly using a Wi-Fi card and a wireless internet connection or hotspot, through a mobile broadband connection such as third generation (3G) or fourth generation (4G) wireless connections provided by a cellular network, or by tethering using a cellphone as a modem (Pinola, 2012).

Vulnerabilities and Associated Threats of Mobile Computing

The benefits of mobile computing also come with various cybersecurity threats and vulnerabilities.  The vulnerabilities of mobile computing can be associated with the devices hardware, the Bluetooth or wireless internet connections, or mobile applications, data, and information transfer.  Threats associated with vulnerabilities are rated on a scale of low, medium, and high based on the likelihood of the threat versus the impact to the user (Bosworth, Kabay, & Whyne, 2009).  Threats will be listed from highest to lowest threat rating and strategies to decrease the probability of or mitigate the threat will also be noted.

  1. 1.      High Threats (Likelihood and Impact to User are High)   

Theft or Loss

The chance of loss or theft of a device is high.  Some devices are small and easy to lose and because of their portability even larger laptops can be left behind.  Theft of devices is also a concern as there is a large market willing to buy and “most devices are stolen for their cash value and not their information value (Barcelo, 2011).”  The vulnerability with theft or loss is the loss of proprietary or personal data.  A study done by the Ponemon Institute found that “55 percent of consumers are aware that they may be putting their employers’ confidential business information at risk when using their smartphone for both business and personal use.  The survey also found that 52 percent of those who are aware of the risk say that it has happened (NZ Business, 2011).”

Employers need to consider this risk when drafting security policies to ensure the rules on the use or prohibition of personal devices for company purposes are spelled out.  Hardware and software of the device should be known to the employer and employees should be required to follow minimal secure practices on their devices before accessing company websites or e-mail (NZ Business, 2011).  The Information Systems Control Journal notes “The biggest decision a corporation needs to make with respect to mobile device deployment is the cost of support based on graduated levels of security. If the total cost of the device and the risk it generates does not surpass the business benefit, corporate management should “just say no (Milligan & Hutcheson, 2008).”

It is difficult to prevent theft or loss of devices, but the loss of data can be minimized by encrypting data on the device, requiring a password, biometrics, or an access key to use and configuring the device to erase data after a number of failed logon attempts.  The cost of these mitigations is minimal since most operating systems offer password protection and biometric systems are also relatively inexpensive (Milligan & Hutcheson, 2008).  Another option is to install software that allows remote wipe of the data such as Lojack for laptops and Sophos for smartphones (Barcelo, 2011).  Users may not want to take the extra steps in logging on to their devices but the pay off is rewarding if the device is lost or stolen.

Malware and Phishing Attacks

The threat of malware includes viruses, Trojans, worms, spyware and other types of malicious software that can severely degrade or destroy a computer system’s operations.  Most malware is targeted at laptops but threats against mobile phones have also recently been discovered.  The danger of mobile devices infected with malware is that they can infect other computers when connecting to a network at work or home.  The “mobile blind spot” is a large threat for businesses that allow their employees to use corporate devices and travel for weeks exposed to malware without updating anti-virus software and then returning and connecting to the business’ network (Friedman & Hoffman, 2008).

Phishing attacks are an additional concern for users’ on-the-go. The risk of malware can be reduced by using updated anti-virus and anti-spyware software but phishing tricks users into giving up personal information, log-on information or downloading a file that could be a virus simply by sending an e-mail or displaying a website that appears to be from a reputable company but is really a cybercriminal looking for an easy target.  Phishing attacks have gotten so sophisticated they are often hard for even the experienced computer user to distinguish.  “In May 2011, Trend Micro discovered a vulnerability in Hotmail that could compromise a user’s account just by previewing an e-mail. The malicious messages, specially crafted for individual targets, triggered a script that could steal e-mail messages and contact information and forward new messages to another account (Newman, 2011).  Although some phishing attacks may be hard to recognize, the best prevention strategies are to read e-mail carefully to ensure it is from a reputable source, look for grammatical errors and avoid opening attachments unless their receipt is expected (Newman, 2011).

  1. 2.      Medium Threats (Likelihood and Impact to User are Medium)

Wireless Internet Connections –

Unlike wired devices within the work center which are often behind firewalls and physical security defenses, mobile devices connect to corporate networks and the Internet directly without the protection of firewalls.  Wireless networks controlled by business are much more protected and controlled than the wireless hotspots mobile workers are connecting to which may have little or no security, leaving devices vulnerable to interception or spoofing (Friedman & Hoffman, 2008).

Unsecured WiFi connections such as those at the local Starbucks coffee shop are an open invitation for snoopers and can even allow an attacker to take over a users’ browsing session.  A hotspot attack called sidejacking uses automated tools to take over unsecured websites.  One such tool developed by Mozilla as a Firefox browser plug-in is called “Firesheep.”  “Firesheep automates session hijacking attacks over unsecured Wi-Fi networks by analyzing traffic between a Wi-Fi router and a person’s laptop or smartphone using a packet sniffer (Westervelt, Top 5 mobile phone security threats in 2012, 2011).”

Users can reduce risks of hotspots and wireless networks by deactivating the automated search and connect to wireless feature on their device and connecting to secure wireless connections whenever possible.  “Developers such as Google offer encryption support for browsers using open connections and IBM has created a Secure Open Wireless Standard that uses a digital certificate to secure the hotspot and ensure the Service Set Identifier (SSID) is legitimate (Westervelt, Top 5 mobile phone security threats in 2012, 2011).”


            Bluetooth technology allows laptops, phones and other devices to wirelessly transfer data between devices, connect to technologies such as keyboards and other peripherals, and stream audio and video.  Mobile devices with Bluetooth activated and set to discoverable are vulnerable to bluesnarfing attacks.  Bluesnarfing uses a Bluetooth connection to steal data such as contacts, calendars, e-mails and text messages, often without the user’s knowledge.  “Bluesnarfing requires software such as “SpyBuddy” which is easy to install software can monitor a device’s text messages, phone calls, and GPS and is totally undetectable (Bluejacking Tools, 2012).”

With the amount of uses for Bluetooth technology today, it is important for mobile users realize the security threats to Bluetooth, to pair with known devices only, and turn Bluetooth off when not in use.

  1. 3.      Low Threats (Likelihood and Impact to User are Low)

Mobile Phone Applications

            Although applications submitted to Apple and Android markets are evaluated prior to being added to the marketplace, recent events leave reason to believe the security of applications is not the number one priority (Westervelt, 2011).  In June of 2010, Apple banned a Vietnamese developer from the iTunes store after his electronic books application reportedly charged 400 users for books they did not purchase.  Experts believe the developer launched the attack to boost his ratings in the iTunes store; as he was able to move from position 50 to 21 in a matter of weeks.  In response, Apple implemented a new policy that requires users to enter credit card data more often (Computer Weekly, 2010).  One month later a reported 4.6 million Android users downloaded a wallpaper application that was collecting data such as the users’ phone number and transmitting information to China (Warwick, 2010).   Security firm Lookout studied the application and reported that although the application was suspicious there was no proof that the activity and data transmission was malicious.  Lookout’s Chief Technology Officer Kevin MaHaffrey spoke on mobile application security at a BlackHat conference: “Apps that seem good but are really stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones (Warwick, 2010).”

A study by Veracode Inc. found a hard-coded cryptographic key in 40 percent of Android mobile applications.  Veracode discovered these keys assign the same password to multiple users allowing for anyone, namely an attacker, to easily discover and publish keys in public forums (Westervelt, 2011).  Chris Wysopal, Chief Technology Officer of Vericode stated “If someone loses their phone and an attacker gets access to that application, the attacker could basically get access to all the data that everyone in the organization can access (Westervelt, 2011).”

Mitigation of application vulnerabilities is easier said than done as the resources and infrastructures for creating applications are still very immature.  Some suggestions for improvement in software are code signing which allows users to verify the applications’ source; sandboxing, which separates an application from other processes; and permission notifications to warn users of an application attempting to access their data (Westervelt, 2011).  It will be up to the application police such as Google for Android and Apple for iTunes to raise the standard for security requirements in mobile applications and to users to review the application before downloading.


            People and businesses today have found ways to use mobile technology to their advantage by working and communicating from anywhere at anytime.  Although the advantages of mobile computing come with cybersecurity risks; the right training, information, and policies can reduce these risks and allow for continued productivity in the mobile world.  As devices and technologies improve, cybercrime will also evolve.  Technology professionals and businesses must keep security at the forefront of development and implementation in order to keep customers and proprietary information safe.


Barcelo, Y. (2011, September). Mobile Insecurity. CA Magazine, pp. 36-38.

Bluejacking Tools. (2012). Mobile Phone Spy. Retrieved from Bluejacking Tools:

Bosworth, S., Kabay, M., & Whyne, E. (2009). Physical Threats to the Information Infrastructure. In F. Platt, Computer Security Handbook. New York: John Wiley & Sons Inc.

Computer Weekly. (2010, July 12). iTunes hack could effect thousands, say experts. Retrieved from Computer Weekly:

Friedman, J., & Hoffman, D. (2008). Protecting data on mobile devices: A taxonomy of security threats to mobile computing and review of applicable defenses. Information Knowledge Systems Management, 159-180.

Milligan, P. M., & Hutcheson, D. (2008). Business Risks and Security Assessment for Mobile Devices. Information Systems Control Journal, 1-5.

Newman, J. (2011, June 3). 4 Security Tips Spurred by Recent Phishing Attacks. Retrieved from PC World:

NZ Business. (2011, September). Are mobile devices compromising your business security? NZ Business, p. 60.

O’Dell, J. (2010, April 13). New Study Shows the Mobile Web Will Rule by 2015. Retrieved from Mashable:

Pinola, M. (2012). Mobile Internet Access Comparison. Retrieved from Mobile Office Technology: Pros and cons of different Internet-on-the-Go options:

Shukla, I. (2011, September 21). Advantages of Mobile Computing. Retrieved from (2012). Search Mobile Computing. Retrieved from

Warwick, A. (2010, July 30). Millions downloaded suspicious Android wallpaper. Retrieved from Computer Weekly:

Westervelt, R. (2011, December 8). Android app security: Study finds mobile developers creating flawed Android apps. Retrieved from SearchSecurity:

Westervelt, R. (2011, December 9). Top 5 mobile phone security threats in 2012. Retrieved from Search Security: