Online tracking is fueling a heated national debate over whether new do-not-track laws are needed to safeguard consumers’ online privacy. Leaders in the online advertising industry use a version of Privacyscore to self-police the tracking practices of online advertising networks, and thus head off new laws. Privacy experts welcomed the consumer version.

“This certainly is going to be a useful tool for consumers, but it may actually be even more useful in pushing application developers, who don’t like getting poor grades, to look more closely at their own privacy practices,” says Jules Polonetsky, director of the Future of Privacy Forum, a Washington, D.C., think tank on data security.

Facebook’s pervasive Web presence comes with “a responsibility to hold people who are developing apps on their platform accountable for the (privacy) assertions that they’re making,” says Craig Spiezle, executive director of the Online Trust Alliance.

Facebook’s David Swain noted that the company requires app developers to agree to its privacy policies. “If we find an app has violated our policies … we take action,” Swain says.

According to PrivacyChoice, 140 different tracking entities routinely collect information about users of the top Facebook apps. Trackers can correlate that data to profiles of individuals’ browsing behavior across multiple Web pages in order to deliver more relevant ads. “It’s up to users to know the privacy risk of sharing personal data with apps,” says Jim Brock, PrivacyChoice founder and CEO.

Privacyscore’s top score is 100. Deductions are made for sharing data with an excessive number of tracking entities, failing to honor deletion requests, failing to provide an opt-out choice or storing consumer data for long periods.

Gamemaker Zynga, for instance, registers an overall score of 82 for 17 Facebook games. The game Slingo, with 17 million players, scores 80, losing points partly because it connects to 59 trackers. Zynga general counsel Reggie Davis says Zynga welcomes tools such as Privacyscore. And Zynga’s online tutorial, PrivacyVille, rewards its users for learning more about the company’s privacy policies.

—

Another detection tool you can use has been made available by Russian antivirus firm Kaspersky. Meanwhile, Apple has issued a statement indicating that it is continuing to work on an offical detection and innoculation tool.

It’s not just individual Mac owners who ought to take heed. Network security firm Lancope says companies with employees who use Macs would be wise to check for infected Apple computing devices.

Kissling

“Enterprises should also bolster their defenses,” says Lancope vice president Jody Ma Kissling. “As the market share for Macs continues to increase, end users, corporations and Apple itself must all be prepared for a subsequent rise in attacks targeting Apple’s Mac OS X.”

Neil Roiter, research director at Corero Network Security says “cyber criminals now consider Macs profitable targets. Mac users should protect their computers with antivirus software, encrypt sensitive information and follow the common-sense advice not to click on links or open email attachments from unknown sources.”

Roger Thompson, chief emerging threats researcher at vendor-neutral testing and certification firm ICSA Labs, explains the significance of the emergence of a major botnet comprised entirely of Macs.

He observes that Mac infections were considered rare for much of the past two decades “as a natural consequence of relative market opportunity for the bad guys. Put another way, there were way more PCs than Macs, so there was simply more opportunity for a return on their development and marketing effort.”

What the existence of a massive Mac botnet highlights, Thompson says, is that “Mac malware is not just a reality, but is now a genuine problem. The issue is that for a decade, Apple has made a point of telling users that they had no malware problem, and the result of that is that Mac users have no antibodies, when it comes to malware. They don’t expect it, and too many people will click on, and install, anything.”

The bottom line for Mac users: they will have to install and keep current antivirus programs and make sure all application updates, for things like Java, iTunes and Adobe Flash are quickly installed, just like Windows users.

“There will soon be a name for Mac users who are not doing this: victims,” says Thompson.

Those cool mobile devices beloved by consumers carry deep-rooted security flaws that are only now being discovered and addressed.

That’s the upshot of two recent deep examinations of popular mobile devices. The findings highlight how designers of the current generation of smartphones and tablet PCs failed to fully account for the security and privacy implications.

“Today’s smartphones and tablet devices perform the same functions as a PC,” says Dan Hoffman, chief of mobile security at Juniper Networks.“However, the vast majority of devices lack security software and mistakenly rely upon the operating system to keep people safe.”

In one study, Cryptography Research showed how it is possible to eavesdrop on any smartphone or tablet PC as it uses cryptographic keys to protect sensitive operations, such as when a mobile device is being used to make a purchase, conduct online banking or access a company’s virtual private network.

The secret keys can be deciphered, enabling a criminal to use them to access a financial account or a company network, says Benjamin Jun, Cryptography Research’s chief technology officer.

Jun

“These type of attacks do not require the device to be modified and there is usually no observable sign that an attack is in progress,” Jun says.

Cryptography Research is “working with one of the major smartphone and table companies right now to put countermeasures in,” Jun says. No known actual attacks have occurred, he says.

In another theoretical study, researchers at security firm McAfee, a division of Intel, demonstrated several ways to remotely hack into Apple iOS, the operating system for iPads and iPhones.

McAfee’s research team remotely activated device microphones and recorded conversations taking place in the vicinity of the hacked device. They also stole secret keys and passwords, and were able to pilfer sensitive data, including call histories, e-mail and text messages.

“This attack method shows ways that advanced attackers can compromise and control devices indefinitely,” says Ryan Permeh, McAfee’s principal security architect. “This can be done with absolutely no indication to the device user.”

Apple spokeswoman Trudy Muller declined comment.

Security experts and law enforcement officials anticipate that cybergangs will accelerate actual attacks as consumers and companies begin to rely more heavily on mobile devices for shopping, banking and working.

“Responsibility for addressing these security concerns is far reaching,” says Hoffman. “The broader security community needs to assist in providing all users the highest-level of protection.”

Henry

The disclosure of a massive botnet comprised entirely of Macs is serving as a lightning rod for the community of a few hundred top virus hunters who would like to see Apple become more collaborative about defending the Internet against cybercriminals.

“Maybe Apple will feel a little of the pain their users are now feeling and get serious about being more candid and perhaps more revealing in their patch release notifications,” says Paul Henry, security and forensic analyst at network security company Lumension,.

Henry notes that calculating the number of infected Macs has been relative easy, since the Trojan “actually sends a copy of each infected Mac’s UUID to the command and control server.”

Some 300,000 of the 600,000 Macs infected by the Flashback Trojan are located in the U.S., including 274 in Cuppertino, Apple’s hometown in Silicon Valley, according to Tweets from Ivan Sorokin, a malware analyst at Russian antivirus company Dr. Web.

Sorokin used sinkhole technology to redirect the botnet traffic to their own servers to count infected Macs.

Henry says that “Apple still lacks any urgency in their patch release and in fact, users had to be lucky enough to have checked.

“Simply put, if Apple wants to be taken seriously as an enterprise provider, they need to be more timely and candid about their patches,” Henry continues. “How else will administrators understand the necessary sense of urgency to prioritize and deal with security issues?”

Apple has been issuing patches roughly once a month, much like Microsoft issues security fixes on the second Tuesday of each month, known as Patch Tuesdsay.

“Apple should take a lesson from Microsoft and formally adopt a monthly process and provide, at minimum, the same level of disclosure users have come to expect from Microsoft,” says Henry.

An unpatched portion of Java left Mac users prone to the Flashback Trojan, which causes the machine to quietly report to a command and control server for further instructions.

Mac users  can get infected by navigating to a viral web page pre-loaded to deliver a driveby download tuned to exploit this Java vulnerability — much the same as Windows PC users.

The  Russian antivirus company Dr. Web says some 600,000 Macs have been infected, several of which include devices based in Cupertino, California, the home of Apple. So if your Mac has been balky lately, this could be the explanation.

Swiss Army knife

Botnets are used to spread spam and infections, participate in denial of service attacks, hijack online bank accounts etc. Botnets are the Swiss Army Knife of cybercrime. And when your machine is performing bot duties, your processing efficiencies naturally get sapped. It was only a matter of time before this common experience of Windows PC users came home to roost with Mac users.

One commenter to Ars Technica’s coverage noted:

My wife’s first gen core duo macbook pro hard drive is always busy, which i thought was due to limited hard drive space. Even after cleaning out ~15 gigs of space, the OS is slow and often unresponsive, and the HD is clickety clacking all the time. I sure hope I don’t have it. I’m going to check first thing when I get home. Has anyone’s machine here tested positive? If so, does this sound familiar?

Apple has since patched the Java flaw. F-Secure has supplied details on how to diagnose and fix the problem, but warns that the steps are tricky.

Wake up call

“This latest wave of infections is a wake-up call to Mac users that their system is not immune to threats,” says Mike Geide, senior security researcher at Zscaler ThreatLabZ. “And the need to follow best security practices, such as remaining current with patches, is ubiquitous — it doesn’t matter if you’re using Windows, Mac, or even mobile phone.”

Marcus

Dave Marcus, director of advanced research and threat intelligence at McAfee Labs, says the existence of a major Mac botnet comes as no surprise. He advises Mac users to do as Windows PC users do: keep antivirus protection and all Apple patches current.

“Attackers are leveraging years of success from writing PC malware and they’re doing the same thing in the Mac world,” says Marcus. “Cybercriminals will attack any operating system with valuable information, and as the popularity of Macs increase, so will attacks on the Mac platform.”

–By Byron Acohido

Visa and MasterCard acknowledged Friday that they’ve been alerting banks about a major breach of an unnamed payment card processing firm. The Wall Street Journal, citing unnamed sources, named Atlanta-based Global Payments as the processor in question.

Global Payments declined interview requests.

Security blogger Brian Krebs, who broke the story, says thieves cracked into the processor’s systems between Jan. 21 and Feb. 25, and may have swiped more than 10 million credit and debit card transactions records, originating from an unknown number of merchants, banks and credit unions.

Litan

Gartner banking security analyst Avivah Litan says unverified reports point to a New York City street gang with Central American ties taking over ” an administrative account that was not protected sufficiently.”

“I’ve spoken with folks in the card business who are seeing signs of this breach mushroom,” says Litan.

MasterCard issued a statement advising cardholders to contact the financial institution that issued their cards with any concerns. Visa emphasized that no Visa systems were breached.

However, criminals know better than to try to waste time on highly defended systems, and have been consistently successful cracking support system. “Sooner or later they find some weakness in the highly complex chain of systems that they can exploit,” says Geoff Webb, of data security firm Credant Technologies.

Credit card processors have been breached before. Heartland Payment Systems lost 130 million payment card records generated by 250,000 merchants and restaurants in 2008 -2009.

It’s not just card processors that are being targeted. Last year hackers stole payment card information for more than 100 million customers of Sony’s PlayStation Network.

And earlier this year online shoe retailer Zappos disclosed hackers took e-mail and shipping addresses, phone numbers and account passwords for some 24 million customers, data useful for identity theft.

“Any business that’s capturing payment data is a target,” says Mark Bower, analyst at Voltage Security.

Consumers whose debit card account information landed in criminals’ hands with this latest breach are at heightened risk. That’s because gangs are adept at quickly manufacturing faked cards to make large cash withdrawals from ATMs. And the consumer’s cash goes missing until a theft is reported and reimbursement carried out, which can take several days.

“You should always be watching your statements for unauthorized transactions but right now people should be extra vigilant,” says Steve Coggeshall chief technology officer at ID Analytics.

Retailers are also uniquely exposed. Some 46 states have now enacted data breach disclosure laws that require merchants and payment card issuing banks and credit unions to notify customers whose card numbers are stolen.

Many of these data loss disclosure laws impose stiff fines if notifications are not done in a timely manner, says Ted Julian, of Co3, a Cambridge, Mass.-based start-up that helps retailers manage the repercussions of credit card theft.

States could pursue a windfall in fines levied against merchants and card-issuing banks and credit unions who are slow to notify consumers that their credit or debit card number is in criminals’ hands. “Merchants are definitely on the hook for these state disclosures, because they are the ones who have the consumer relationship,” Julian says.

Cyberthieves are stepping up phone-calling scams to pilfer from consumers’ online banking accounts.

In the second half of 2011, Pindrop Security detected more than 1 million fraudulent calls, including 189,439 in December, a 52% spike from the 124,258 calls tracked in July, according to a first of its kind reporte released Thursday.

“Mobile is a growth area for online banking fraud,” says Stan Stahl, president of the Los Angeles chapter of the Information Systems Security Association, a tech professionals group that’s working with financial institutions to stem all forms of online banking fraud.

Many of the bogus calls were tied to caller ID spoofing – a way to place a phone call that causes the recipient’s phone to display a caller ID number that appears to originate from a trusted party.

Phone call spoofers often begin by luring a cell phone user into divulging account information via an automated call or text message that appears to come from the user’s bank. Next, the crooks call the bank, spoofing a patron’s phone number and correctly answering security questions to trick the customer rep into carrying out fraudulent cash transfers or issuing new credit cards to mailing addresses they control.

The use of spoofed calls to hijack online banking accounts is one slice of a thriving, multi-billion dollar online banking fraud industry. Cyber robbers also spread poisoned links on webpages and in e-mail and on social networks to take control of consumers’ PCs. They then embed programs, called banking Trojans, that let them stealthily tap into online banking accounts.

Billions stolen

Based on cases it has worked on with law enforcement and victim companies, Dell SecureWorks estimates that small- and medium-sized businesses in the U.S. and Europe lose as much $1 billion a year from online banking accounts. The financial services industry contends the security of computing devices is the responsibility of the companies and often do not reimburse theft losses from online business accounts.

The financial services industry often does not reimburse such losses. “We’d expect business owners to be a bit more savvy and have more resources at their fingertips,” says Carol Kaplan, spokeswoman for the American Bankers Association. “That doesn’t mean we’re not seriously concerned about the problems small businesses are having, and there continues to be huge gobs of investment into shoring up security.”

Results of an ABA survey of 95 financial institutions, released exclusively to USA TODAY, show the number of commercial account takeovers by cybercrooks rose 260% in 2011 vs. 2009. However, the average loss per victimized company decreased 92% during the same period.

“Financial institutions are becoming more effective at stopping illicit transactions from being executed,” says Doug Johnson, the ABA’s vice president of risk management policy.

Individual consumers are getting hit too, but typically get made whole by the banks — if they catch and report theft from online accounts quickly. In those instances, the banks bear the loss.

“It is incredibly difficult to measure losses from consumer accounts, but it’s probably higher than $1 billion a year,” says Dale Gonzalez, Dell SecureWorks mobile product strategist. Droves of less-skilled cyberthieves, equipped with free, easy-to-use account hijacking tools “are absolutely targeting consumers,” Gonzalez says.

Spoofed call attacks, in particular, are catching on because they are easy to do and difficult to defend, law enforcement  officials and security analysts say. Consumers’ names, phone numbers and e-mail can be purchased inexpensively from hackers who specialize in cracking into databases, like the gang that swiped 24 million customer records from online  shoe retailer Zappos.

Easy pickings

What’s more caller ID spoofing techniques are trivial to master; free and cheap automated programs are readily available on the Internet. In the last six months of 2011, bogus calls were placed in connection with online banking scams directed at 30 of the 50 largest financial institutions in the U.S., says Pindrop CEO Vijay Balasubramanian.

“We are continuing to see this rising trend,” says Balasubramanian. “There appears to be a network effect as word of successful scams gets relayed to other fraudsters.”

ISSA’s Stahl says tech companies and banks need to do more to stem the tide of attacks. Part of the solution: being more transparent to small businesses and consumers about the risks of online banking.

“Online bank fraud is at epidemic levels, there’s no question about that,” Stahl says. “Right now there is inadequate security against the many kinds of attacks that lead to online banking fraud, and that’s only going to get worse, not better.”

Nearly one in five mobile phone users have experienced some type of security threat with their device. That’s the finding of a Cloudmark survey of 1,000 cellphone users, scheduled to be released Tuesday.

Poisoned text messages, nearly non-existent in the U.S. a few years ago, grew 300% in 2010 and 400% in 2011, accounting for about 1% of all text messages. “We’ve gone from totally clean to a trickle,” says Rachel Kinoshito, head of Cloudmark’s security operations. “Most people are seeing about one a month.”

That foothold is part of a broader concern. Variations of scams that infest the Internet, through PC browsers, have begun spreading on a meaningful scale through mobile devices. And it looks like the bad guys are just getting warmed up.

One type of poison text message involves tricking people into signing up for worthless services for which they get billed $9.99 a month. Another type lures them into doing a survey to win a free iPhone or gift card. Instead, the attacker gets them to divulge payment card or other info useful for identity-theft scams.

“Malicious attacks have exploded well beyond e-mail, and we are very aware of their move to mobile,” says Jacinta Tobin, a board member of the Messaging Anti-Abuse Working Group, an industry group combating the problem.

Meanwhile, hackers are repurposing skills honed in the PC world to attacks on specific mobile devices. Particularly, handsets using Google’s Android operating system are frequently the target of hackers. In December, anti-virus company F-Secure tracked down 1,639 unique malicious Android apps — disguised as free apps and circulating on websites across the Internet. That’s up from 48 in January 2011.

One type offered and delivered a free copy of the popular Angry Birds game. But the victim is also unwittingly signed up for a premium-rate texting service and charged an extra $10 a month on his or her phone bill, says F-Secure researcher Sean Sullivan.

Network security company Juniper Networks says the pool of bad apps it has been tracking swelled 86% in February from January. Nearly half of the poisoned Android apps analyzed by Juniper were classic spyware, says Dan Hoffman, head of Juniper’s mobile security business.

“We’ve identified malware that can steal credentials from e-mail and mobile banking applications,” Hoffman says. “These attacks can be devastating.”

The online industry is on high alert. The working group— whose members include AT&T, Verizon, Comcast, Facebook, PayPal and Time Warner— convened in San Francisco last month to join forces on defending new mobile threats.

“We need to stay ahead of what’s happening with mobile abuse, social networking abuse and malware,” says Tobin. “It makes sense for us to collaborate across all these channels.”

For more information about reprints & permissions, visit our FAQ’s. To report corrections and clarifications, contact Standards Editor Brent Jones. For publication consideration in the newspaper, send comments to letters@usatoday.com. Include name, phone number, city and state for verification. To view our corrections, go to corrections.usatoday.com.

USA TODAY, 22Feb2012, P1B

Mud-slinging between tech rivals is nothing new. But the red hot issue of online privacy has pushed it to another level.

Last week Google scrambled to deflect criticism that it tracked the online activities of users’ of Apple’s Safari web browser against their wishes, by circumventing an anti-tracking mechanism.

On Tuesday the search giant lashed out at Microsoft in response to allegations that it has been doing much the same to users of Windows Internet Explorer browser.

Google and Facebook have been under pressure from Congress and the Federal Trade Commission to disclose more about their tracking techniques.

Widespread tracking

Ironically, this latest tempest, stirred up by Microsoft, could widen the spotlight and invite scrutiny of Microsoft’s own tracking practices, and those of Microsoft, Apple, Twitter, Amazon and thousands of web companies in the hunt for online advertising revenue, says Al Hilwa, software applications analyst at IDC.

“The web industry has gravitated towards advertising as the primary source of income and (tracking) data is the fuel the industry runs on,” Hilwa says.

In a blog posting on Monday, Microsoft corporate vice-president Dean Hachamovitch accused Google of issuing tracking mechanisms designed to bypass technology called P3P. Internet Explorer uses P3P to screen the privacy policies of any entity engaged in online tracking to determine if they’re up to snuff.

Google senior vice president Rachel Whetstone responded by blasting P3P as “largely non-operational.” As proof, she pointed to a 2012 Carnegie Mellon research report revealing some 11,000 websites routinely by-pass P3P.

‘We have to lie’

Cranor

The professor who ran that study, Lorrie Faith Cranor, says many website operators bypass P3P by mistake, while others do it on purpose to circumvent Microsoft’s attempt at grading privacy policies.

Google and Facebook, Cranor says, are in the latter group. Each use tracking mechanisms that bypass P3P so that popular features, such Facebook’s Like button, and Google Gmail logon services. Otherwise those features would not work.

Google essentially says, ‘we have to lie because if we didn’t lie we couldn’t do these cool features,” Cranor says.

Whetstone contends that channeling tracking mechanisms through P3P makes little sense. “It is impractical to comply with Microsoft’s request while providing modern web functionality,” she says

Hachamovitch, meanwhile, insists that Google should “commit to honoring P3P.”

Yet, the 2010 Carnegie Mellon study found even some Microsoft websites bypass P3P, as do sites from Godaddy, Hulu and Amazon.

“My students and I discovered that Google, Facebook and thousands of others essentially have bogus privacy policies,” Cranor says. “In some cases they put them in place on purpose. In other cases, it may be mistakes in computer code, or the person running the website might be doing whatever it takes to make it (tracking mechanism) run properly.”

Google came under fire today by several members of Congress after a Stanford University grad student disclosed how the search giant has been tracking the online activities of users of Apple’s Safari web browser, despite the default use of a browser mechanism to block such tracking.

Jonathan Mayer, a grad student and privacy researcher, wrote about Google’s Safari tracking techniques in this blog posting. Mayer’s findings got wide attention after the Wall Street Journal featured it in a news story published Friday morning.

Rachel Whetstone, Google’s senior vice president of communications and public policy, says the Journal “mischaracterizes what happened and why.”

Whetstone

Whetstone says the Safari browser “contained functionality that then enabled other Google advertising cookies to be set on the browser.” She says Google’s engineers “didn’t anticipate that this would happen.” The search giant has started removing these advertising cookies from Safari browsers, she says.

Even so, backlash has followed. Rep. Mary Bono Mack, R-Calif., is asking Google to reappear before Congress to explain how it tracks the online activities of iPhone and iPad users. Bono Mack moderated a closed door briefing two weeks ago at which two Google executives answered questions about a major privacy policy change the search giant is about to make.

Bono Mack

“Google has some tough new questions to answer in the wake of this latest privacy flap, and that’s why I am asking them to come in for another briefing.” Says Bono Mack. “These types of incidents continue to create consumer concerns about how their personal information is used and shared.”

Meanwhile, Representatives Ed Markey, D-Mass., Joe Barton, R-Tex., and Cliff Stearns, R-Fla., fired off a letter to the Federal Trade Commission asking the agency to investigate whether Google’s Safari tracking violates a standing consent order that restricts Google from misrepresenting its privacy policies.

“Google’s practices could have a wide sweeping impact because Safari is a major web browser used by millions of Americans,” the letter states. “We are interested in any actions the FTC has taken or plans to take to investigate whether Google has violated the terms of its consent agreement.”

Sen. Jay Rockefeller, D-WV,weighed in, indicating Google may have to answer to the U.S. Senate, as well.

“According to press reports, Google circumvented consumer choice and may have paved the way for third-party ad networks—including Google’s own DoubleClick—to track consumers against their will,” says Rockefeller. “If so, this practice may have violated the company’s own stated privacy practices. I fully intend to look into this matter and determine the extent to which this practice was used by Google and other third parties tocircumvent consumer choice.”

The FTC already is dealing with legal action taken last week by the Electronic Privacy Information Center asking a federal court judge to order the agency to enforce that same standing consent order Markey, Barton and Stearns want applied to the Safari tracking snafu. EPIC filed suit to get the FTC to enforce the consent decree to stop Google from making a sweeping privacy policy change on March 1. Should Google move ahead with that March 1 change, it can begin to more readily index and profile users of its search, Gmail, Google Apps, YouTube, Picasa and other popular services. And consumers wishing to patronize more than one of these free services will have no way to say no to such profiling practices.

EPIC also wrote to the FTC today, urging the agency to enforce the consent order with respect to Google’s practices tracking Safari users. EPIC’s letter contends that Google “took elaborate measures to circumvent the Safari privacy safeguards, and it benefited from the misrepresentations by the commercial value it surreptitiously obtained.”

Mayer, the Stanford researcher, also described how the techniques Google has been using to track Safari users have also been used by three other online ad companys: Vibrant Media, Media Innovation and PointRoll, whose parent company is Gannett, USA TODAY’s parent company.

A Gannett spokeswoman told the Wall Street Journal that the Safari tracking techniques PointRoll uses were part of limited test.

–Byron Acohido