June 18, 2010
Microsoft Program To Assist In Reporting Stolen Data
Microsoft Corp is designing a new program that will give researchers a way to report stolen credit card numbers and other data that they find on the Internet.
Establishing a link is important because when a researcher finds stolen data, it can be quite hard to convince a bank or law enforcement agency that the information is legitimate. The lost time can be the difference between someone's identity being used for fraud, and stopping fraud before it can occur.
Microsoft's program could significantly help researchers deal with data they find online and submitted to affected computers, said Dan Clements, former president of CardCops, which specializes in tracking down stolen payment card numbers online.
When researchers find card numbers being sold online, the information is sent out to everyone immediately. "We send it to companies, the government, the consumer -- it's a blitzkrieg. That way they have all the intel and can act accordingly," Clements told the Associated Press (AP). "You could call it scattershot. It's the only way you can assure that we've done our job. But we have no way of knowing it's effective."
Clements said the speed with which researchers can get notifications out will be the key to how successful the program will be.
Some merchants and gambling sites have tried similar techniques in the past. But the programs fell apart, mainly because the companies didn't work well together without a middleman, he said.
The new program is being operated by the National Cyber-Forensics & Training Alliance, a nonprofit organization that focuses on cybercrime and has law enforcement agencies as members. The American Bankers Association and eBay are also taking part in the new program. Banks, retailers and Internet security firms will be added over time.
The idea for the program came about from problems Microsoft security researchers encountered in their attempts to alert banks and online retailers about fraud they had discovered, said Nancy Anderson, Microsoft's deputy general counsel.
"When these kinds of credentials are stolen, they may not get used immediately, so the goal here is to get the information to the institutions quickly, quickly, quickly, so the appropriate action can be taken before the damage is done," she told AP.
The program might have one flaw, though, Clements noted. The program won't allow people to anonymously submit what they find, which could discourage potential informants from coming forward.
He cited an example from CardCops that involved an insider at an e-commerce company who discovered his company was hacked and lost 50,000 credit card numbers. The employee said management threatened to fire him if he disclosed the breach. Clements said CardCops allowed the employee to disclose the breach anonymously and sent the information to the banks and the government.