Pirates sue banks for discrimination

When banks decided to obey the whim of the American government and refuse to allow donations to be paid to Wikileaks, in 2010, it seems that the world thought they would get away with it.

However the Swedish Pirate Party has decided to file formal charges against Swedish banks for their discrimination against WikiLeaks.

Visa, MasterCard, PayPal and numerous financial institutions have blocked donations to WikiLeaks and other legal operations since 2010.

Because they are part of the payment network, the banks can actively participate in stopping donations without legitimate grounds.

The Swedish Pirate Party says that this is unacceptable and cause for grave concern, and has filed charges against the Swedish banks in question to see if the behaviour is legal.

The first action is to have a word with the Swedish Finansinspektionen, which is the authority that oversees bank licences and abuse of position.

This follows another move by the Pirate Party to regulate credit card companies on the European level in order to deny them the ability to determine who gets to trade and who doesn’t.

Pirate Party’s Erik Lönroth said that the blockade is a serious threat against the freedoms of opinion and expression.

Lönroth said that it must not be up to the individual payment provider to determine which organisations are eligible for donations.

He said that the court action would clear up the small matter of whether the bank regulations of today are sufficient, or if regulations need to be tightened to protect freedom of expression.

Lönroth said that it was not just WikiLeaks that has been hurt by the randomness of the payment service providers.

Swedish entrepreneurs such as sex toy shops and horror movie stores have also been denied payment services arbitrarily and been killed off.

Johan Terfelt, who oversees the Finansinspektionen unit for payment providers, said the body will investigate what has happened and evaluate the reasons, if any, to intervene.

He told the Dagens Nyheter newspaper that there was no room at all for arbitrary randomness.

He hinted that the law states that if there aren’t legal grounds to deny a payment service, then it must be processed.

Infosys accused of US visa fraud

Infosys has been dealt another blow after an employee has detailed methods used to circumvent US visa laws, and how the firm systematically discriminated against American staff.

Following the accusations made by Infosys whistleblower Jay Palmer that the Indian firm has been smuggling in workers to the US, another former employee has highlighted ways employees enter the country.

Speaking to ITBusinessEdge, an anonymous former manager from India at Infosys said that the firm had briefed Indian employees of how to get past immigration officials on a B-1 visa.

A B-1 visa allows an individual to travel to the US for sales meetings and so forth, but prohibits actually working.

According to the former Infosys worker, the firm would have “briefing sessions” telling them how to “lie to officials” once they arrive at US customs.

They would be given tips such as not packing Java programming textbooks, for example, in order to hoodwink immigration officials. With the amount of money promised there was never a shortage of Indian workers who were willing to circumvent US immigration laws.

Apparently the Indian company “doesn’t care” about flouting rules in the US, despite its large presence there.

The same former employee also made claims of systematic discrimination of American recruits.

It is alleged that while Infosys would conduct recruitment drives of college students in the US, new recruits were lied to with the promise of job possibilities.

In actual fact middle management executives at the company had ignored demands by top staff to implement a more culturally diverse recruitment policy and were ignoring potential new recruits.

Despite hiring bright sparks from some of the top unis in the US, the “utilization rate for these people was extremely low”, ITBusinessEdge heard.

The reason that US recruits were not used was that they were unwilling to work the long hours of Indian workers.

While US workers would want to have evenings free after a day’s work, it was considered that the Indian cultural work ethic would mean that employees would be willing to spend evenings reporting back to head offices in India.

Consequently, the former Infosys man claimed that he would have to lie to potential new recruits that they had a future at the firm – when the reality was that they would likely join the legions of others who left after just a few months.

Visa, Vodafone the latest to feverishly promote NFC

Near Field Communication, or NFC technology, is well and truly being foisted upon the paying public. Whether they like it or not, the ultra-convenience of waving your smartphone to buy has been picked up by Barclays, and now, Visa.

Mobile carrier giant Vodafone has signed on the dotted line with Visa so that it can use Visa payWave. The feature, which acts as a mobile wallet, will be available from spring. Users terrified of the security implications might be reassured that, for purchases over £15, the customer will be prompted to tap in a PIN code.

The world has been told by Vodafone chief exec Vittorio Colao that NFC payments will be “the next stage of the smartphone revolution”, reports the Press Association.

Although most devices on the market right now are not equipped with NFC, it has long been tipped as the next big thing. NFC payments will offer an easier way for customers to spend their hard-earned, in much the same way as the London Underground has Oyster Card readers.

Is the world ready for – or does it want – Near Field Communication for mobile payments in phones? Manufacturers, carriers and credit card companies will, no doubt, be rubbing their palms together over the prospects of profits. In the end, it doesn’t matter what Joe Public thinks – NFC is going to be on tonnes of phones, soon. Barclays has already detailed its own service and we can expect more to come.

According to Catherine Haslam, an analyst at industry-watchers Ovum, NFC and payments really are a “chicken and an egg situation”. Mobile payments are seen by device manufacturers, says Haslam, as the catalyst for the consumer to buy new devices, while service providers see the devices as a catalyst for service take-up.

“The third point of impetus could come from retailers and others with control over PoS equipment such as transport service providers,” says Haslam. “Just like the deployment of chip and PIN bank cards, NFC is likely to be supply rather than demand driven. Given that NFC is becoming commonplace in new mobile handsets and replacement and upgrade cycles are shortening, if enough NFC equipment is installed then services will start to be used.”

Visa has been active in promoting and subsidising upgrades to PoS equipment, according to Haslam, so there is some momentum. “However, in general, global terms,” she says, “because the benefit in speed is marginal and is not really recognised by consumers, the majority of retailers are slow adopters.”

If deployments are going to be worth it on a wide scale for retailers, Haslam says retailers will need to find service value beyond the convenience and speed that NFC provides. “This could either be for themselves in terms of greater loyalty and customer information, or for the consumer in better deals and service,” she suggests. “Increased security is one possible option but the one Visa and others are talking to retailers about is combining the payment and loyalty card functions to offer more targeted special offers to specific customers, to further increase loyalty and the value of each visit to a store.”

Speed of use will be worthwhile in some situations, for example on transport or at the London Olympics, where processing people as quickly as possible does offer significant benefits. “However, this is usually being done with specialist cards such as Oyster in London rather than via mobile phone, as ubiquity and scale are essential,” Haslam says. “The exceptions as usual are in Japan, where NFC-enabled mobile phones have been used for some years, and Korea where they are also being used successfully in transport and other services.”

Though consumers liked using NFC in trials, carriers will need to work hard to generate interest. Haslam says that in France, which she says is the home of the smart card, there are already deployments and Visa has been working closely with Telefonica on trials. “People liked it when they used it, but had no real interest in trying it for the first time,” Haslam said. “Therefore, the marketing of services and some form of promotion that enables consumers to try services will be necessary.”

Credit card firms want to stalk you on the web

A report in the Wall Street Journal said Visa and Mastercard have cunning plans to use what they know about you to push ads at you when you’re online.

Apparently, for example, if you’ve just bought a burger with your credit card and then go online, the companies could, in principle, push ads to you from competing fast food joints.

In effect, if you use credit cards, both companies hold so much information about you that they have a vast database they want to exploit further.

Although Visa and Mastercard don’t have your name and address, one document the WSJ has seen says “you are what you buy”.

The report said that Visa has a patent pending that will link in DNA databases too, all with the idea of stalking you online and pushing ads at you that they think you might want.

Cards are issued by merchants, such as Barclays or Natwest, but the report, which you can find here, says that Mastercard has all the details about the 23 billion purchases it processes a year.

Are we safe in their hands? We’d venture to say, er no.

Aussie insurer in hot water after hassling hacker

An Aussie pension outfit, which tried to hassle a hacker who wanted to help them fix a security hole, is now in deep trouble in a cyber billabong.

First State Super called the cops and unleashed the legal hounds on private security consultant Patrick Webster after he informed them of a bug that opened up access to the company’s database of sensitive customer details. Writs were issued as the outfit tried to get Webster to wipe his hard-drive and forget he had ever seen a gaping security hole in its operations.

Of course, Webster’s story was taken up by the press and the antics of First State Super are starting to look like more than just a PR own goal.

The Federal Privacy Commissioner, Timothy Pilgrim, told the Sydney Morning Herald today he was opening an “own motion investigation” into First State Super. An own motion investigation appears to be what happens when you look at a company’s poo.

Webster showed the outfit a serious security hole and punters only found out about it when the press reported that First State gave Webster a good kicking. First State was criticised not only for treating him very badly but also for failing to detect such a glaring and easily exploited security flaw. All Webster had to do was change a number in the URL bar, which is hardly a hack.

But it is possible that hundreds of thousands of accounts may have been exposed. First State Super only warned some of its customers; Acting NSW Privacy Commissioner John McAteer says that not warning everyone in the database was not acceptable.

First State appears to only have informed the 500-odd customers whose accounts were accessed by Webster when he demonstrated the flaw and not all those who were potentially exposed by the flaw.

First State Super CEO Michael Dwyer insisted that there was no evidence that anyone other than Webster had gained unauthorised access to customer accounts. But other computer security consultants who are paid by companies to test their networks, “highly doubted” First State kept logs or had the ability to check.

It looks like First State Super’s 770,000 customers may not have been at risk if only it had heeded a warning from McAteer after a similar hack earlier this year.
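The flaw described above (a record selected purely by the number in the URL) and the doubt over whether First State kept logs both come down to one missing check: does the logged-in member own the account being requested? The block below is an added illustration, not First State Super’s code: it shows the vulnerable lookup, the hardened lookup, and the log analysis an operator would need to say which accounts were actually read. The account table and log lines are constructed sample data.

```python
# Added example, not First State Super's code. Constructed sample data:
# account id -> owning member, and the record each account exposes.
ACCOUNTS = {1001: "alice", 1002: "bob", 1003: "carol"}
STATEMENTS = {
    1001: "alice's statement",
    1002: "bob's statement",
    1003: "carol's statement",
}


class Forbidden(Exception):
    """Raised when a member asks for an account that is not theirs."""


def owns(session_user: str, account_id: int) -> bool:
    """Ownership check: the only thing standing between a URL and a record."""
    return ACCOUNTS.get(account_id) == session_user


def get_statement_vulnerable(session_user: str, account_id: int) -> str:
    """Vulnerable: trusts the id taken from the URL and never consults the
    session, so changing the number returns another member's record."""
    return STATEMENTS[account_id]


def get_statement_hardened(session_user: str, account_id: int) -> str:
    """Hardened: the record is returned only to the member who owns it."""
    if not owns(session_user, account_id):
        raise Forbidden(f"{session_user} may not read account {account_id}")
    return STATEMENTS[account_id]


# Constructed access-log lines in the form "<user> GET /statement?account=<id>".
SAMPLE_LOG = """\
alice GET /statement?account=1001
alice GET /statement?account=1002
alice GET /statement?account=1003
bob GET /statement?account=1002
"""


def cross_account_reads(log_text: str) -> dict:
    """Return {user: set of account ids that user read but does not own}.

    This is the check an operator needs before telling customers who was
    affected; it is only possible if an access log exists at all."""
    hits: dict = {}
    for line in log_text.splitlines():
        user, _method, path = line.split(" ", 2)
        account_id = int(path.rsplit("=", 1)[1])
        if not owns(user, account_id):
            hits.setdefault(user, set()).add(account_id)
    return hits
```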

Online credit card theft worse than ever

Retail customers will be in for a harder ride in the future if security is not tightened up at every point in the chain, with research showing a 43 percent increase in retail-focused attacks from the same time last year.

Dell claims SecureWorks managed to stop 91,500 attacks per retail customer from January to September 2011, compared to 63,581 from April through December 2010. CTO Jon Ramsey said in a statement that the web is an ideal attack vector for clients and servers.

One of the biggest threats is the SQL injection. Ramsey said it’s no surprise it proves a popular method. In fact, for criminals, it’s a no-brainer – because it works so well. He mentions the Georgia hacker who recently confessed to pinching 675,000 credit card details. Exploit kits and Trojans, as usual, also proved popular.

Dell says there are a couple of things retailer CIOs really must do to keep their customer data secure.

First, they’ll need to have a centralised plan in place to keep patch management and security up to date, including on both the servers and the workstations.

Another good idea for a CIO to think about is an authenticated proxy server, Dell said, so the admin can figure out which users have an infected machine or are visiting dodgy web pages.

Again, there’s an element of the obvious, but Dell says employees shouldn’t be downloading executable files, using P2P at work or checking out warez or porn websites.

Meanwhile, security outfit Imperva has stumbled on a forum where credit card details are going for a pittance. 

The credit card numbers come with full details, claims the forum post, including name, address, city, state, zip code, email, expiry date and date of birth.

UK Mastercard details are going for as little as $4 a pop, while a US Visa card sells for $2.

LulzSec hacker faces 15 years

The Untouchables have swooped on the home of a man they think was a member of LulzSec, who took part in a computer breach of Sony Pictures.

Cody Kretsinger, 23, from Arizona has been charged with conspiracy and the unauthorised impairment of a protected computer in connection with the attack in May and June.

Reuters, which has seen the nine-page indictment, said Kretsinger and co-conspirators allegedly used an SQL injection attack on the website to gain access to Sony’s servers.

Kretsinger, who went by the handle “recursion,” posted the information he and his co-conspirators nicked from Sony on LulzSec’s website and announced the intrusion via the hacking group’s Twitter account.

Sony is still trying to work out how much damage was done in the attack.

At the time LulzSec published the names, birth dates, addresses, e-mails, phone numbers and passwords of thousands of people who had entered contests promoted by Sony, although the data was a little elderly.

The hacking group said it only took a single injection for the Sony site to fall over and for it to get its paws on everything. It commented that people should not put their faith in an outfit which allows itself to become open to simple attacks.

The attack followed another higher-profile raid on 77 million PlayStation Network and Qriocity accounts.

Kretsinger made an initial court appearance in Phoenix and was bailed by US Magistrate Judge Lawrence Anderson. As a condition of his release, Kretsinger was barred from using a computer to access the internet except at his place of employment, or from traveling to any states other than Arizona, California and Illinois.

He faces a maximum sentence of 15 years in prison if convicted. Government prosecutors want him moved to Los Angeles, where Sony Pictures’ computer system is located and where the case against him has been filed. 

Anonymous publishes US military emails and passwords

Hacker outfit Anonymous has published 90,000 military e-mail addresses and passwords as part of a project called “Military Meltdown Monday.”

According to Epoch Times, the email data was found after someone hacked into the networks of government contracting and consulting firm Booz Allen Hamilton.

During the hack, they found a list of roughly 90,000 military e-mails and password hashes, 4GB of source code, and “maps and keys for various other treasure chests buried on the islands of government agencies, federal contractors and shady whitehat companies”.

While we doubt that the buried treasure will include pieces of eight, there is a fair bit of information leaked that the US government would not want to see the light of day.

Anonymous claims that Booz Allen was involved with several government surveillance and intelligence-gathering programmes which might be illegal.

It also implies that several of Booz Allen’s executives, who are former members of the National Security Agency, managed to curry favour with the government illegally in their private business efforts.

Anonymous’ Sabu tweeted that this is the first of “two of the biggest releases for Anonymous in the last four years.”

AntiSec is a collaborative movement between hacker groups to attack and steal confidential information from major governments and corporations. 

Lulzsec shuts

Hacking outfit Lulzsec has decided to pull the plug on its operation just as other hackers promised to expose its members’ names and addresses.

Although Lulzsec has not said why it has disbanded, there are some worries that the organisation could be broken by other teams of hackers.

So far the only people to be arrested by coppers have been those who have had their names and addresses published by rival teams of hackers.

Last week, a group of rival hackers had gained access to Lulzsec servers and were planning to grass members up to the cops unless it shut down. While some of the rival hackers have been targeting groups like Lulzsec and Anonymous because they like the idea of being cops, others hate how the two organisations get publicity without needing to carry out serious hacking operations.

LulzSec took down the FBI, the CIA, the US Senate and electronics giant Sony.

According to AP, as it shut down, Lulzsec released a pile of documents and log-in information apparently gleaned from gaming websites and corporate servers.

These appear to be internal documents from AT&T which talk about its plans for a new wireless broadband network in the US. Not bad to bow out on.

The impact of Lulzsec has yet to be assessed. Certainly it put the fear of god into many of the big corporate networks and government bodies. But most of the hacks were extremely low level and showed up the weak security of the victims rather than the prowess of the attackers.

It is not clear if the hacking community is going to let members of Lulzsec lie low or whether they will eventually be grassed up to the rozzers. Lulzsec made few friends and a lot of enemies. 

Symantec exec's card details leaked by restaurant

An Aussie boss at the insecurity outfit Symantec is furious that his credit card details were leaked by a Melbourne restaurant.

Craig Scroggie, who earns a crust flogging security products to prevent this sort of thing happening, told a Symantec roundtable discussion in Sydney that his case highlighted the need for mandatory privacy breach notification laws.

According to the Sydney Morning Herald, Scroggie’s credit card data was leaked via email when a Melbourne restaurant, at which he was a member, attempted to have its summer menu sent out to clients. Apparently instead of attaching the menu, it sent out the unencrypted client database to members.

What got Scroggie’s goat was that he only found out about the breach after a follow-up email was sent informing him of the incident.

Scroggie said it would be a wise idea for governments to introduce laws requiring companies to notify customers as soon as a data breach has occurred.

In Australia, the government has been sitting on such law reform since 2008. Scroggie believes this is probably because it would reveal embarrassing data breaches within the government.

Many organisations in Australia are not required to own up to a data breach that has happened. In many US states, however, organisations must disclose such breaches.

Scroggie deleted the initial email received because he did not want to read the menu. After being informed, he recovered it to see which details were leaked.