Wednesday, January 27, 2010

Blippy: Do You Really Want Your Card Transactions Showing Up as a Blip on the Bad Guys Radar Screen



When Blippy, which lets you twitter credit/debit card purchases rolled out earlier this month, my eyes rolled as well. Maybe because I still don't get Twitter. Somebody Tweets "I'm at Peet's" and frankly, it won't be more interesting finding out how much they spent there and what card they used. Who cares? Answer: The bad guys!





Social networking sites have been identified as a nesting ground for purveyors of malware and phishing techniques, thus financial information gathering. It isn't difficult for them to round up needed information, but why make it easy for them by signing up to have your purchases show up as "blips" on the bad guys radar screens? I was waiting for someone else to see the naked emperor before saying anything. Cyveillance has spoken...



Blippy
, could be a valuable tool for cyber criminals, warns Cyveillance.




Blippy, a Spear Phisher’s Dream




This month, a service called Blippy was rolled out to the general public. In a CNN article this week, Blippy was described as a “financial version of twitter.com”, where users’ credit card transactions are posted to the internet much like the short tweets that people post to twitter.



On twitter, users post up to 140 characters on any topic they wish to discuss. On Blippy, a posting displays how much a person paid for a recent purchase. In the image below for example, we see that Michael Arrington of TechCrunch paid $112.64 at Amazon for a SanDisk 16GB 60MB/s Extreme Compact Flash Card.











Example of a Blippy transaction. Click the image to see a larger version or see the original here.



CNN reporter John D. Sutter asks Blippy cofounder Philip Kaplan whether there are any dangers in posting this sort of information:

CNN: Is there any potential that this would expose someone to an attack on their financial information, or that it could be used against them?





Kaplan: I don’t — we’ve all been taught that this is just something you don’t do. As an aside, when I was a kid, we weren’t allowed to tell anybody we were going out of town, and we had timers in the house that would turn the lights on and off so it would look like we were home. But now you tweet when you’re at dinner. … You put your whole schedule on Facebook so people can like plan their robberies ahead of time. And I think the pros far outweigh the cons in that scenario. … I think the risks in actuality are very small. Similarly, I think we have this engrained thing that we’re taught, which is to not share this [financial] information, and we don’t really know why.

That’s not the right answer to the question. Information found in Blippy postings (“blips”?) can be used against them.   Let’s go back to the example in the image above.



We find:

  • a user’s name

  • the name of a business with whom they had a financial transaction

  • how much they spent

  • for certain retailers, what they bought

Great. Now let’s examine what is presented to someone when they receive an email in a traditional phishing attack, which we know to be a very profitable endeavor for bad guys. (A recent study by Cyveillance found that average attacks can cost millions of dollars in losses). It really comes down to two things:

  • The email is made to look like it comes from one’s bank or other business institution.

  • A call to action, where the recipient is asked to follow a link to a website online.

Spear phishing takes things a step further by personalizing the email sent to the potential victim. The attack may address the victim by name or phone number (see example), lending credibility to the attack and greatly increasing the likelihood that the recipient becomes a victim.



From a cyber criminal’s point of view, Blippy currently offers great information to construct a highly targeted spear phishing attack. After examining the types of purchases Blippy shows for Best Buy, consider the spear phishing attack one could construct for a hypothetical Blippy user named Johann Gonzales:

Dear Johann Gonzales,


Thank you for your recent purchase of $52.99 at Best Buy. To receive credit for your purchase in our Best Buy Reward Zone program and receive valuable discounts on future purchases, click here





Putting together such an email would require software to “scrape” information from Blippy that it would then use to send to an array of likely email addresses for Johann Gonzales, like jgonzales@gmail.com, jgonzales@hotmail.com, johanngonzales@gmail.com, johanngonzales@hotmail.com, and so on. Given that software needed to carry out such an attack is freely available online, it must be assumed that cyber criminals are preparing such an attack on Blippy users. Even if they are not yet preparing, for the sake of Blippy’s users, Blippy must plan ahead as if they are.



Conclusion



Currently banks reimburse users when they become victims of phishing attacks, but the financial industry often wonders at what point it becomes the victim’s responsibility for losses incurred during phishing attacks. The information that Blippy users currently provide to would-be cyber criminals gives businesses more leverage to say that they will not reimburse losses incurred in spear phishing attacks. After all, if the Blippy user practically hands the bad guys all the information they need to carry out an attack, how is it the bank’s fault? Blippy does hold promise as a way for consumers to gain information about the prices of goods and services. But it also currently provides a literal wealth of information for spear phishers. 





Disqus for ePayment News