
An Open Letter to Monster.com Management

Articles | Tuesday 31 August 2010 5:31 pm

January 27th, 2009

On January 23rd, 2009 it was disclosed on the Monster.com website that a security incident occurred resulting in the unauthorized access of user data. The personally identifiable information of Monster.com customers was accessed and obtained by an unknown third party using an undisclosed method of access. This is the second such breach of the Monster.com web site in as many years, with the last disclosed incident occurring in August of 2007.

While not advocating the disclosure of information that would further jeopardize the security of the Monster.com systems, it is blatantly apparent that your organization is finding it difficult to protect the information with which you have been entrusted. For those of us who have again been impacted by the failures in the Monster.com data security architecture, we are deeply concerned not only with the frequency of such failures but with the method of disclosure and notification as well.

Monster.com has stated the following in your public Security Notice: “Monster elected not to send e-mail notifications to avoid the risk those e-mails would be used as a template for phishing e-mails targeting our job seekers and customers. We believe placing a security notice on our site is the safest and most effective way to reach the broadest audience. As an additional precaution, we will be making mandatory password changes on our site.” Given the past history of security-related issues with the Monster.com website this response is wholly inadequate and unacceptable.

In your notice Monster.com has stated that the best approach to notify users is to wait for those users to visit the Monster.com website where they will be notified of the breach in security. I take issue with this approach for several reasons:

First, this approach places the onus on the Monster.com user community to visit the website in order to be notified of the unauthorized disclosure of their personal information. Monster.com has no reliable means of determining how long it will take for all users to be notified using this method, as some users may not log on to the website for days, weeks, or even months. Exactly what number of users will remain unaware of this security incident during this period of time? I believe even a single user not being notified is unacceptable.

In addition, there are obvious methods for Monster.com to directly notify their users affected by this security incident. An email is the obvious choice, and can be worded in such a way as to prevent its use in a phishing scam. Beyond email, however, Monster.com has the choice—and responsibility—to use one or more of several other means to directly communicate this issue to their user base. Postal mail, phone calls, press releases on major news websites or even ads taken out in major newspapers are all acceptable and meaningful examples that could be used to demonstrate a responsible approach to notifying your users of your failure to protect their confidential information.

Lastly, given your decision to forgo the direct notification of your users, I would expect some type of action be taken on these now exposed Monster.com user accounts. Monster.com has instead left these accounts open and usable knowing that the usernames and passwords for these accounts are now compromised. Enforcing a password change is inadequate as it again assumes that the users will visit the website, read the security notice, and change their passwords in a short period of time. While the remainder of compromised accounts remains active, it provides an opportunity for further unauthorized access and potentially fraudulent use of these accounts. Given the Monster.com decision to wait for the users to discover the news of the security incident for themselves, the reasonable and responsible approach should be taken to deactivate these accounts while at the same time providing these users a means of contacting Monster.com by telephone to verify their identity to re-activate their accounts. While this may seem unreasonable to some, the decisions of Monster.com have created the potential for the fraudulent use of these accounts and it is now this issue that must be dealt with in a responsible manner.

The conscious decision by Monster.com management to do nothing in terms of direct notification is without question inexcusable. Waiting for the user community to address the security of their accounts can be viewed as Monster.com failing to accept responsibility for a situation your organization is solely responsible for. The Internet community at large expects reasonable action from any web site or service failing to protect the personally identifiable information of their users, and we hold Monster.com to no less of a standard.

Mike Dailey is an Information Technology Architect and Senior Network Engineer specializing in the design, integration, and management of complex computer network and data security solutions for medium and large enterprises.

Cyberstalking in Los Angeles County is not a crime

Articles | Tuesday 31 August 2010 5:31 pm

It appears as though Cyberstalking is not a crime in Los Angeles County. I have an active criminal case against my daughter’s father. He has been convicted of Domestic Violence, spent twenty days in jail and as a result of his conviction, was placed on three years probation. Prior to that he was picked up for suspicion of murder.

He has threatened my life and my whole family, he even claims to be dying of cancer to gain the court’s sympathy that his threats of killing everyone are justified. Not only that, he has a woman who appears to be his maid sitting with him in court to make him look even more pathetic than he already looks.

Sociopaths really know how to con the world, but I am not fooled. This man sits and monitors my blog a total of fifty times since I pressed charges of criminal death threats. What purpose does this man have watching a blog for women? Is he trying to find his feminine side? The judge presiding over this case advised him that he is not allowed to respond to any of the comments on this blog. But he is allowed to have me under surveillance, so doesn’t that go against a protection order of not being allowed to have the victim under surveillance?

What does this man want? He thinks he is tormenting me, no you are not. He thinks he is controlling me, no you are not. Sit back and enjoy if you must.

This person claims to want to be a father, however, this person who is so intrigued on watching this blog, doesn’t pay child support. So to all the women who belong to this blog, this is the one.  Let’s welcome him, shall we.

You can threaten to kill me and my family, you can threaten to ruin my life, your maid can do all your dirty work, but you will never lay a hand on me again, you will never lay a hand on my precious child again. You can’t hurt me or my family ever again. We are not going to sit and take your abuse or threats anymore.

Cyberstalking laws need to be addressed and taken seriously. Unfortunately, as I sat in court and watched and listened to how they deal with cyberstalking, there is a lot of work that is needed to address this issue.

I was told since this blog is public, they can’t order him to stay away. Okay, but this blog really isn’t geared toward men, so why would a man want to spend so much time here, they didn’t get it. Cyberstalking laws need to change in CA and orders of protection need to include electronic monitoring of blogs, web sites and chat rooms so that women in business today have the same and equal protections as those who do not have stalkers and/or domestic violence.

I think this is a civil rights issue and should be taken up as a civil rights issue with the courts.  Every man, woman and child is supposed to have equal protection under the law. How can a woman who is a stalking victim be considered to have equal protections when it is allowed by the courts to monitor her blog and web site which is her business by a convicted DV batterer?

I founded Women’s Legal Resource in 2006 to help women who face the brutal challenges of the legal system. After going through my own experience in the Family Law Court without the financial resources to obtain proper counsel, I was faced with having to represent myself. I attended Los Angeles Valley College in the paralegal studies program, which helped in legal research and document preparation. Although I faced many legal hurdles, I felt the need to help other women, especially those who are Domestic Violence victims, in document preparation and as an advocate.

The present laws as they are written are flawed and not honoring the safety of victims of violence in the United States. The manner in which police officials and the courts enforce protection orders, custody orders, child visitation and confidentiality escalates violence which leads to murder. Women’s Legal Resource is a nonpartisan organization to support the effort and petition Congress for the revision of Domestic Violence and Sexual Assault laws. Women and children are being murdered at the hand of their abusers; accountability, intervention and prevention are the crucial elements for change.

Keep Your Children Safe on the Internet – Part 7 – Final Part

Articles | Tuesday 31 August 2010 5:00 pm

Warnings For Children Online

Here are some guidelines a child should adhere to when they’re online. This is especially important if they’re older and a parent can’t be around all the time to monitor them.

• The child should get a release from their parents prior to submitting any personal information. That would include your name, address, phone number or other personal information.

• The child should advise their parents if they notice something abnormal on the website they’re visiting. The parents can do a follow up and alert local law enforcement if necessary.

• The child should never distribute information regarding a credit card, bank statement or pertinent information.

• The child should never give out their username or passwords to strangers or others. This is a sure way of getting invaded.

• If a child receives a gift from someone online, they should send it back. That could start an unwanted scenario.

• If a child receives an offer for a visit, they should decline it and let the parent know about it.

• The child and the parents should discuss rules for online safety. The parents should set guidelines as to how long they can be on the internet and how many days a week they should get access.

• The child should take their time to get to know others they’ve met on the internet. They could be one way online, and another way in person. Besides, they don’t know what to expect.

• The child should not download any photos from people they don’t know or places they’re not familiar with.

Conclusion

You can help to make the internet a safe place for your child. Taking action today is better than waiting until tomorrow. The longer you wait, the better chance your child has of connecting with those online predators. That’s not something any parent would want to endure.

With the number of children setting themselves up with these strangers on the rise, there’s no doubt that the need for parental intervention is greater than ever.

Cyber stalking and cyber abuse by online strangers is no joke. It’s no longer surprising to find out that many young children are succumbing to what is turning into a national epidemic. More children, especially girls, are now more than ever getting bolder and taking a chance because they are curious and don’t want to wait to grow up.

Of course, some of them don’t inform their parents because they know the threat of being grounded is real. So is the threat of being snatched away by someone they don’t know. That fact is also very scary for a lot of parents. It’s not something they’d want to think about happening to their child.

The reason most predators choose the online route is because it’s easy and no one will see them in person unless it’s the child they’re trying to get into their good graces. It’s a rarity that they would even think about coming on to a child in person, even though it has happened.

Also, the internet is just an easy medium for people to correspond, even if they’ve never met before. Once the perpetrator has built up enough trust in the child, then they decide to take action.

If you don’t pay attention to this, your child could be in a whirlwind of unknown and dangerous territory before you can blink your eyes. These online strangers are smarter than you think and they always try to stay one step ahead of everyone else.

With parents having all the knowledge and resources about prevention, it’s never too late to intervene in their child’s online life. In fact, the sooner they start the better chance they have of saving their child from destruction and a downhill spiral.

Consistent intervention from you is the key to keep your child and your family out of harm’s way.

Steve Cownley

http://general-info.890m.com/generalinfo/

Wide experience on many things and just publish information for fun and to promote my blogs etc. All helps with the Adsense revenue! Experienced Salesperson and marketeer, both internet and non online. Web designer, very knowledgeable on PC and PC related issues, both hardware and software.

Credit Card Fraud: Phishing Boost Card-not-Present Fraud

Articles | Sunday 29 August 2010 3:30 am

The rapid growth of the internet and the world wide web in recent years has created an interesting phenomenon in e-commerce, offering buyers the expediency of buying from a ubiquitous marketplace and saving merchants the cost of making brick and mortar investments. For fraudsters, however, the internet has established an anonymous and low-risk avenue to steal and commit crime.

Information security has become a critical requirement in e-commerce as the perceptions of risk and threats continue to strengthen. This security requirement is not only the need to protect the confidentiality and integrity of sensitive information; e-commerce authentication and verification of the identity of the cardholder during internet card payment is also a crucial necessity and a major problem, because of the insufficient and flawed authentication required by card issuers to authorise card-not-present transactions. On the positive side (from the customer’s viewpoint) the card issuers are generally good about responding to challenges and giving refunds, but it would be better for all concerned if the number of fraudulent card-not-present transactions can be reduced (Walton R. 2005, p. 4).

The e-commerce transaction uses the internet as its cornerstone and strength of operation, but there is the perception that using a card to make a payment over the internet is risky and afflicted by information security imperfections, which mostly lead to loss of credibility, identity theft and impersonation. The basic requirement to make a successful card payment over the internet is mostly the provision and submission of the card and personal information, mainly static pass-codes and IDs, to the payment processor for authentication and authorisation. If the card information submitted is correct, the authentication will be successful regardless of whether the card information was provided by the legitimate cardholder or not.

The introduction of the Chip and Pin in the United Kingdom to secure card payment at the point of sale has been a major investment and success story for retailers and the card industry, but its security capability does not extend to secure card payment when the card is not present at the point of sale and this has adversely brought more fraud concentration on this vacuum (Hunter, 2004, p. 4), resulting in utilizing the anonymity and flexibility of the circumstance to make fraudulent card payment on the internet using stolen card information.

The ability to verify that the card information submitted over the internet is submitted by the legitimate cardholder remains the authentication goal and a huge problem for all merchants who accept card payments online, since transactions done in this scenario make use of the card information, as opposed to card payment made in a face-to-face transaction, which combines the use of the physical card (what you have) and the PIN (what you know) to authenticate the transaction.

Crime can never be defeated but managed, and this can mean merely the diversion of crime techniques from one channel to another for a variety of reasons including flexibility, benefit, and risk-level (Hunter, 2006, p. 14).

Card-not-present transaction fraud evolves with e-commerce. The flexibility and the phenomenal, ubiquitous nature of e-commerce, which allows buyers to buy remotely from anywhere, brought negligence into the scenario, aided by the development and introduction of more simplified technology systems which in some cases are used contrary to their purposes to facilitate card-not-present fraud that in the early years of e-commerce was not possible or was difficult to achieve, making card-not-present transaction fraud paramount among all card frauds on UK-issued cards. As technology advances, almost every technology developed has brought benefits as well as attached risks; to every technology there is an anti-technology, making it a double-edged tool.

According to academic research, card-not-present fraud has been influenced by the static nature of the payment method, which is vulnerable to phishing and other types of identity theft techniques because the same data is used over and over again.

Some Vulnerabilities in Card-Not-Present Solutions

Verified by Visa and MasterCard SecureCode: These programs promise additional levels of authentication using agreed personal codes or passwords provided by the card issuer. However, as with all static usernames and passwords, these could potentially be compromised by fraudsters using phishing or other identity theft techniques. Furthermore, the 3D Secure protocol requires an optional enrolment from the participants; if neither the card processor nor the cardholder is enrolled in the program, the 3D Secure functionality will not exist in the transaction process.

Card Verification Value 2 (CVV2) & Address Verification Service (AVS): CVV2 and AVS verification was introduced by the card scheme as an additional parameter to fortify the verification process of cardholders. CVV2 aims to verify the 3 or 4 digit code on the reverse of the card, while AVS aims to verify the billing address of the card by extracting all the numerics in the address and post code. This information is static and used over and over again. All the parameters required for e-commerce card-not-present transactions are transmitted and stored in the server, including the security code and the billing address. Vulnerabilities in the storage system can allow unauthorised access to fraudsters. Bogus merchants can sell card information to fraudsters or use phishing techniques to get cardholders to willingly submit their card information.

Rule-based and neural networks solution: The aim is to analyse transactions in real time based on the rule setting and provide a score showing an estimated level of risk associated with the transaction. The system will try to look into the history of the card being used and analyse the spending pattern and the number of chargebacks associated with the card. It further checks the country of the IP address from where the order originated and compares it with the country of the billing address. With this system, a card with a billing address in the United Kingdom, stolen and used by a fraudster in the USA, will report that the card was used outside the home country, which is a signal of possible fraud. On the other hand, stolen card information used within the range of the spending pattern will have a good report, and card information stolen and used within the country will also have a good report because the IP address will show the same country. Matching the billing address to the delivery address does not work for digital goods, which are delivered online by email or download link after the order. And legitimate cardholders may not be able to use their card abroad, or if their spending pattern changes because of a change in income.
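The rule-based scoring and AVS numeric matching described above, as an added Python example that is not from the original article or from any fraud-screening product; the rule weights, threshold, field names and sample orders are constructed assumptions. It reproduces the three outcomes the article names: an out-of-country use is flagged, an in-country replay of the same static details scores clean, and a travelling cardholder is flagged exactly like the fraudster.

```python
import re
from dataclasses import dataclass

# Weights and threshold are constructed for illustration, not taken from any product.
W_COUNTRY, W_SPEND, W_CHARGEBACK, W_AVS, W_DELIVERY = 40, 30, 10, 30, 20
REVIEW_THRESHOLD = 40


@dataclass
class Card:
    billing_address: str
    billing_postcode: str
    billing_country: str
    usual_max_spend: float  # top of the card's historical spending pattern
    chargebacks: int


@dataclass
class Order:
    amount: float
    ip_country: str          # country resolved from the order's IP address
    address: str             # billing address as typed at checkout
    postcode: str
    delivery_address: str    # empty for digital goods
    digital_goods: bool = False


def avs_digits(address: str, postcode: str) -> tuple[str, str]:
    """AVS as described in the text: keep only the numerics of address and post code."""
    return "".join(re.findall(r"\d", address)), "".join(re.findall(r"\d", postcode))


def score(card: Card, order: Order) -> tuple[int, list[str]]:
    """Return (risk score, rules that fired) for one card-not-present order."""
    total, fired = 0, []

    def hit(points: int, rule: str) -> None:
        nonlocal total
        total += points
        fired.append(rule)

    if order.ip_country != card.billing_country:
        hit(W_COUNTRY, "ip_country_differs_from_billing_country")
    if order.amount > card.usual_max_spend:
        hit(W_SPEND, "amount_outside_spending_pattern")
    if card.chargebacks:
        hit(min(card.chargebacks * W_CHARGEBACK, 30), "previous_chargebacks")
    if avs_digits(order.address, order.postcode) != avs_digits(
        card.billing_address, card.billing_postcode
    ):
        hit(W_AVS, "avs_numeric_mismatch")
    # Billing/delivery matching has nothing to compare for digital goods.
    if not order.digital_goods and order.delivery_address != order.address:
        hit(W_DELIVERY, "delivery_differs_from_billing")
    return total, fired


def needs_review(card: Card, order: Order) -> bool:
    return score(card, order)[0] >= REVIEW_THRESHOLD


# Constructed sample data.
CARD = Card("10 Example Street", "AB1 2CD", "GB", usual_max_spend=200.0, chargebacks=0)

# Static details replayed from a US IP address: the country rule fires.
STOLEN_ABROAD = Order(80.0, "US", "10 Example Street", "AB1 2CD", "", digital_goods=True)
# Same static details replayed from a GB IP, within the spending pattern: nothing fires.
STOLEN_IN_COUNTRY = Order(80.0, "GB", "10 example st", "ab12cd", "", digital_goods=True)
# The genuine cardholder buying while travelling: indistinguishable from STOLEN_ABROAD.
LEGIT_TRAVELLING = Order(80.0, "US", "10 Example Street", "AB1 2CD", "", digital_goods=True)

if __name__ == "__main__":
    for name, order in [("stolen, abroad", STOLEN_ABROAD),
                        ("stolen, in country", STOLEN_IN_COUNTRY),
                        ("legitimate, travelling", LEGIT_TRAVELLING)]:
        print(f"{name:24} {score(CARD, order)} review={needs_review(CARD, order)}")
```

Because every input to these rules is static or coarse, the score separates locations and spending habits rather than cardholders, which is the gap the article's argument for per-transaction dynamic authentication rests on.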

The need and justification for alternative solution

If e-commerce is to take off, then merchants need to be reassured that the people they do business with really are the people they say they are and if consumers are to feel happy about e-commerce, they need to be reassured that their card details are not being used by thieves to make purchases on the Internet in their name, and the card issuers need to know that they are not becoming trapped into carrying a new and growing burden of fraud losses (Card Technology Today,2002, p. 11).

Paymenex: A Realistic Solution for Card-not-Present Fraud.

To cut off the influence of phishing on card-not-present transactions, the card scheme should re-think. Possibly the introduction of dynamism during authentication, making each transaction unique, will greatly reduce the level of fraud resulting from card-not-present transactions. Review has shown that new solutions have started paving the way for online dynamic authentication during card-not-present transactions; an example of such a solution is the 3W Sentry Card Security Solution introduced by Paymenex Inc., the operator of the Paymenex™ TransNET, which its members use to deliver the Paymenex range of cards and D-Voucher to their customers. Paymenex TransNET is an all-in-one payment and financial transaction network with a sophisticated 3 tie card security that provides a secure and reliable global network for processing financial transactions.

It offers a range of value-added services which includes:

• Credit Card, Debit Card, Store Value Card, MSB Card, DCA Card, D-Voucher.

• Solutions for Acquirers, Card Issuers and Payment Service Providers.

• Gift cards, Incentive, Point and Reward Program Providers, Money Transmitters, Bill-pay and Debt collection providers.

• Store-Value and e-Voucher providers.

• Commercial and business customers who require an efficient and secure financial processing platform.

Paymenex is a product of academic research following a Professional Doctoral Research at two top UK Universities. The Paymenex Card Security applies dynamism in CNP transactions, making each transaction unique, and cardholders do not need to enter any personal information to pay online. All of their range of card products benefit from this solution: credit and debit cards, D-Voucher, MSB Card for Money Service Businesses, and DCA Card for Bill payment management.

More information

www.paymenex.com

www.3wsentry.com

Reference:

Walton, R. (2005) ‘Low-cost assurance for B2C E-commerce’, Computer Fraud & Security, 2005 (10), pp. 4-6.

Card Technology Today. (2002) ‘Card not present fraud’, Card Technology Today, 14 (7-8), pp. 11-13.

Hunter P. (2004) ‘Chip and PIN – biggest UK retail project since decimalisation, but not enough on its own to defeat card fraud’, Computer Fraud & Security, 2004 (5), pp. 4-5.

Hunter P. (2006) ‘Relentless pace of Internet trade in stolen credit card details continues’. Computer Fraud & Security, 2006 (2), pp. 14-16.


NOTE FOR STUDENTS: PLEASE REFERENCE APPROPRIATELY, THIS ARTICLE IS AN ACADEMIC RESEARCH ARTICLE

Engr. Kingsley Chibuzor Aguoru BA(Hons) MSc FBCS CITP CEng MIET MIEEE CNP is a dynamic and highly-accomplished UK Chartered Engineer of the Engineering Council UK, Chartered IT Professional Fellow of the British Computer Society UK, and an IT Leader with an outstanding record of success in providing Information Technology solution development and management to companies. Expertise in developing and implementing information security solutions in a broad spectrum of industries – information technology, communications, manufacturing, engineering, healthcare, banking, retail, etc. Over 10 years experience working in the Information Technology industry, especially Financial services IT infrastructures, with more than 8 years specialization in Security solutions for payment cards. His area of interest and responsibility is focused on authentication and authorisation facets of Banking, E-commerce and E-Business security technologies, including transactions involving Financial Electronic Data Interchange (FEDI) and other types of Electronic payments – E-money, Digital Money, E-Vouchers – and the management of the associated fraud techniques.

Qualifications:

1. Doctor of Information Security (IP) – University of East London-UK.

2. MSc in Information Technology (Information Security Major)- University of Liverpool- UK

3. BA(Hons) Business Computing – University of Teesside- UK

Listed in Marquis World Who’s Who in Science & Engineering

Listed in Marquis World Who’s Who in America

Listed in Marquis World Who’s Who in the World.

Internet Dating Tip: the 2 Warning Signs That Spell Trouble N

Articles | Sunday 29 August 2010 3:00 am

Online dating has changed the relationship rules like few things before or since. In fact with internet technology constantly changing and growing, it’s only a matter of time before online dating goes to the next level i.e. gets more interpersonal.

But it’s not perfect. And just like anything else you have to be cautious in your dealings. Two things in particular you need to watch out for. 

1. Insistence

Each person moves at their own pace. In a relationship one party may want to accelerate things along while the other person may be more comfortable with a go slow approach. Either someone gives in or they work it out and find a happy medium.

But with online dating there is something quite alarming about dealing with a person who every time you chat with them it seems like they always put the pedal to the metal. The first time the two of you had your online discussions they wanted to get together. You told them that it was in the best interest of both parties to take it a little more deliberately. They agreed. That is until the next time you chat. Now they are even more adamant. When you ask them what the hurry is, do they give you a satisfactory response?

Even if they do your instincts should be alerting you to potential problems.  Be on the alert for any flashes of anger as well as the old emotional blackmail routine. This means if you don’t agree to meet them immediately they will cut off all contact.  Don’t fall for it. As a matter of fact do yourself a favor and beat them to the punch by ending the correspondence immediately.

2. Money

You did not join an online dating service to be anyone’s personal ATM machine. Sounds obvious but the number of people who have been scammed online continues to grow.

A little sugar coated smooth talk and being surprised at the number of things you both have in common can go a long way. Once the rapport has been established then it’s only a matter of time before you get the hard luck story. It can take the form of a family emergency or they really want to see you but just don’t have the funds. After establishing a bond, the experienced scammer can play on your emotions in such a way that not only do you give them the money but it almost seems like your idea. They didn’t want to tell you their sad fairy-tale but you forced it out of them. Stay on your guard and the minute they try to put the bite on you for some greenbacks, say goodbye. Also if possible report them to the dating service you are registered with.

Finding the right person online requires time, patience and taking the proper safety precautions. That is not to say that the search process itself cannot be enjoyable. Meeting new people and learning something you did not know before is a kick. Just stay alert to anyone who presses the issue too much when it comes to meeting immediately or handing over money.   

Article written by Daryl Campbell - The Relationship Tip - If you are not careful people like this will ruin your online dating experience.


