Netflix cancels contest sequel


NEWS

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
E-mail: [email protected]
Web: www.computerfraudandsecurity.com

Publisher: Laurence Zipson
E-mail: [email protected]

Editor: Danny Bradbury
E-mail: [email protected]

Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia

Production Support Manager: Lin Lucas
E-mail: [email protected]

Subscription Information

An annual subscription to Computer Fraud & Security includes 12 printed issues and online access for up to 5 users. Prices: 1085 for all European countries & Iran; US$1178 for all countries except Europe and Japan; ¥144 400 for Japan (prices valid until 31 December 2010). To subscribe send payment to the address above. Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971. Email: [email protected], or via www.computerfraudandsecurity.com. Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Computer Fraud & Security, 365 Blair Road, Avenel, NJ 07001, USA.

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works

Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage

Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice

No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

02065 Pre-press/Printed by: Mayfield Press (Oxford) Limited

Computer Fraud & Security

March 2010

...Continued from page 1

be divided among too many people (3.5 million plaintiffs) to be worthwhile. However, privacy groups protested the mechanics of the settlement, arguing that Facebook shouldn’t be on the board of the trust fund, and also complaining that consumers should have received direct relief as a result of the settlement.

Auto dealership employee bricks car fleet

You’ve heard about Apple potentially bricking iPhones, but that’s small potatoes, compared to remotely disabling whole fleets of cars using centrally controlled computer systems. That’s just what a 20-year-old employee for a Texas auto dealership is being accused of doing after he was laid off last month.

According to a report by Wired, Omar Ramos-Lopez, a former employee at the Texas Auto Center, was arrested after allegedly using a web-based vehicle immobilisation system to stop cars sold by the dealership from working. The Auto Center reportedly used a system from Pay Technologies called Webtech Plus. Designed to remotely disable cars whose owners are behind on their payments, the system can be made to remotely honk a car’s horn, or to prevent it from being started up.

Ramos-Lopez is said to have had his account on the system closed when he left, but commentators close to the situation said that he gained access using another employee’s password. He was then allegedly able to set up a database of 1100 customers who had purchased vehicles from the Center’s four dealership lots, said the Wired story. He was able to disable the cars and set off their horns. Customers were calling the dealership in a confused state, asking why their horns were honking, and were forced to disconnect their batteries, said reports.

Cars controlled by the Webtech Plus system are manipulated using a hardware device installed behind the dashboard, which is sent instructions via a wireless pager network. Cars cannot be stopped while they are in motion.

According to Texas Auto Center manager Martin Garcia, Ramos-Lopez was “pretty good with computers”, although the alleged hacker couldn’t have been that good; investigators tracked him down by finding an IP address for offending Webtech sessions in system logs. You’d have thought that someone going to those lengths to gain revenge on a former automotive employer would have taken the road less travelled, and perhaps researched something like Tor before sparking up their browser.

Netflix cancels contest sequel

DVD rental company Netflix has quietly cancelled a sequel to its Netflix Prize, a contest to enhance its movie recommendation technology using anonymous user data.

After a Federal Trade Commission investigation, and a lawsuit attempting to block the sequel, Netflix’ chief product officer Neil Hunt posted a message on the Netflix blog announcing that the second contest had been cancelled.

Netflix had used anonymous movie rental data, pulled from its large database of customer information, and invited contest participants to refine the movie recommendation algorithm using the data. However, researchers at the University of Texas managed to deanonymise some of the data in the list of 10 million movie rankings by 500 000 customers. They compared rankings and timestamps with public information in the Internet Movie Database.

“We have reached an understanding with the FTC and [have] settled a lawsuit with plaintiffs,” Netflix said in a statement. “The resolution to both matters involves certain parameters for how we use Netflix data in any future research programs. In light of all this, we have decided to not pursue the Netflix Prize sequel that we announced on August 6, 2009.”

Most of the comments on the company’s blog reacted negatively to the move, supporting the idea of a contest. “Trending towards the lowest common denominator just isn’t progress,” said one angry participant in the discussion. “How about they have to prove that Netflix data is more invasive than data collected by other sites and entities such as grocery stores, banks, restaurants and websites?”

LifeLock accepts settlement

Identity theft protection company LifeLock will pay $12 million to settle charges of false claims made over its services.

LifeLock will pay $11m to the Federal Trade Commission, along with $1m to a group of 35 state attorneys general. The payment will settle charges that it used false claims to promote its identity theft protection services.

According to an FTC statement on the LifeLock case, LifeLock was wrong to guarantee that its customers would never be subject to identity theft. The fraud alerts that it put on customers’ credit files only protected against certain forms of identity theft, the Commission alleged. Account misuse, which the FTC said was the most common type of identity theft, was not protected against. 17% of identity theft incidents comprised new account fraud according to an FTC survey released in 2007.

The FTC alleged that the service failed to protect against medical or employment identity theft. Claims that customers would receive a telephone call from a potential creditor before a new account was opened were false, the FTC said, as were claims that LifeLock could prevent unauthorised changes to customers’ address information.

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” commented FTC chairman Jon Leibowitz.

The FTC said that LifeLock’s data was not encrypted, and that the company falsely claimed that only authorised employees would have access to the information, on a need-to-know basis.

LifeLock put a positive spin on the situation. “LifeLock is pleased with this agreement, which, for the very first time, works to set advertising guidelines for the entire industry,” said LifeLock chairman and CEO Todd Davis. “We welcome federal and state efforts to regulate our industry, because doing so helps to protect consumers from the risks of identity theft.”

Under the settlement, Davis was personally barred from making the same misrepresentations as LifeLock had previously, along with its cofounder Robert J. Maynard Jr, the FTC said.

Online crime effects getting worse

Lawsuits from online crime more than doubled between 2008 and 2009, according to the latest figures released by the Internet Crime Complaint Center (IC3). The organization also received 22.3% more complaints about Internet crime in 2009, indicating that the average money lost in a single fraud case has increased.

According to the Internet Crime Complaint Center (IC3), which is a joint venture between the FBI and the National White Collar Crime Center, $559.7 million was lost in 2009 due to online crime. Scams that purport to use the FBI’s name were the most frequently reported, at 16.6%. The second most reported incident was non-delivery of merchandise or payment. Figures show that 11.9% of online fraud reports fell into this category.

The increase in dollar losses in the past year represents a marked spike in the average rise over the last nine years. Losses rose relatively steadily from 2001 through 2008, with the only decrease coming in 2004. But the 2009 figures amount to more than the previous two years combined.

Of the cases reported to law enforcement by the Internet Crime Complaint Center, almost one in five were the result of goods not being delivered online, or payments not being made. Identity theft ranked second, at 14.1% of referrals, with credit and debit card fraud coming in third.

Continued on page 20...

Editorial

Have you ever noticed how sometimes, reality and statistics don’t tally up? According to the UK Cards Association, card fraud figures are dropping as more people use online banking fraud to steal money from unsuspecting customers. A combination of chip and pin, and more sophisticated fraud systems within banks, are dropping numbers drastically, the Association said. Even card fraud in foreign places, where chip and pin hasn’t yet been implemented, is plummeting. That must be nice.

But on my planet, things don’t look that rosy. I’m based in Canada, and had my UK card skimmed in a dodgy ATM in early February. Later that month, I noticed unauthorised withdrawals showing up in my UK account. I posted something about it on Twitter and Facebook. Suddenly, friends and colleagues started replying to my posts. Yes, it had happened to them too, just weeks previously. They too had experienced the same rigmarole with their banks as I had, getting my £1200 refunded.

So too did the business owner who contacted me earlier this year, who was adamant that she took good care of her card and PIN number before having £10,000 withdrawn from banks across London. I saw the withdrawal statements. I listened to her and her fiance on the phone for hours, and believed them when they said that they were telling the truth about not withdrawing the money themselves. Last week, one of the journalists that I was on a trip with when I learned about my own card fraud mailed me to say that he, too, had seen unauthorised withdrawals on his account.

The problem is rampant, and it doesn’t seem to be going away, which is why David Birch’s article “Buyer Beware?” in this edition of Computer Fraud and Security is so important. There is a canker at the heart of the financial industry, and try as they might to say that card fraud is a falling problem, I'm not buying it. The anecdotal story on the street is entirely different.
