NSA’s phone records program ends, but loopholes could revive it

NSA has moved systems overseas before to circumvent US law. (Image: file photo via CNET/CBS Interactive)

The NSA’s bulk phone records collection program may be alive and well — just not in the place you think it is.

On Friday, the program that ensnared millions of Americans’ phone records was shut down, months after the passing of the Freedom Act, which was brought out to counter a wide (and criticized) interpretation of the Patriot Act by the Obama administration. After two years of back and forth in Congress after Edward Snowden leaked thousands of documents to journalists, the Freedom Act nixed just one of the many programs disclosed by the whistleblower.

James Clapper, director of national intelligence, said Friday that the government was now “prohibited from collecting telephone metadata records in bulk under Section 215, including of both US and non-US persons.”

The program, known as the Section 215 program after its namesake place in the law books, allowed the NSA to see metadata of almost every phone call made in the US, including caller and recipient, the time and date, and duration — but not the contents.

Verizon and AT&T were both forced to hand over their records to the authorities on a rolling basis.

But not everyone is heralding the closure of the program as a wide success. Some — more on the skeptical side — believe the government wants to keep it alive under a different legal authority.

Why? Because the NSA has done it before.

Earlier this month, The New York Times posted a startling revelation that a similar defunct program — this time to collect web and email metadata — was restarted by effectively moving the program overseas.

Under a Freedom of Information request, the newspaper found that the program could be shut down because “other authorities can satisfy certain foreign intelligence requirements.”

The news wasn’t all that surprising given that a year earlier, we published at sister-site CBS News new academic research that showed legal loopholes could allow the government to “bypass Fourth Amendment protections to conduct massive domestic surveillance on US citizens” by collecting the data from overseas.

That authority is given under a little-known presidential directive, known as Executive Order 12333, which other NSA whistleblowers have said is a “blank check” for the intelligence community.

William Binney, a former National Security Agency official turned whistleblower, told me earlier this year that the executive order is a “direct threat to Americans’ privacy.”

Even the NSA says it uses the order for the majority of its authority, whereas Section 215 only produces a “small percentage of the overall data that’s collected,” according to former government official Richard Clarke.

How the administration’s Executive Order 12333 works remains a secret, but privacy and civil liberty groups have said it permits, among other things, spying “on anyone within the United States.”

Marcy Wheeler, a national security blogger, led the skepticism following Clapper’s announcement.

She said, on her blog Emptywheel, that “just a tiny corner of the phone dragnet will shut down,” adding that the government is “probably” not collecting phone records under the now defunct Section 215 authority, but existing provisions in the law allow for records to be collected from overseas under Executive Order 12333.

“They’re still collecting your phone records in bulk, not to mention collecting a great deal of your Internet records in bulk as well,” she said.

Under the presidential order, some of the worst of the government’s surveillance continues on. And because it’s under the sole direction of the executive branch, there’s no oversight by Congress or the judiciary. At least under the Patriot Act, there was some judicial oversight — even if it was in absolute secret by a set of judges referred to as a “kangaroo court” by one former NSA analyst.

It’s entirely possible that by nixing the Patriot Act, the NSA has pushed its phone records and wider metadata collection under the full control of a directive that makes it even tougher to stop in the future.

A call to the Office of the Director of National Intelligence was not returned Monday.

Revealed: FBI can demand web history, phone location data without a warrant

The FBI can compel companies and individuals to turn over vast sums of personal data without a warrant, it has been revealed for the first time.

In a case that’s lasted more than a decade, a court filing released Monday showed how the FBI used secret interpretations to determine the scope of national security letters (NSLs).

Nicholas Merrill, founder of internet provider Calyx Internet Access, who brought the 11-year-old case to court after his company was served a national security letter, won the case earlier this year.

National security letters are almost always bundled with a gag order, preventing Merrill from speaking freely about the letter he received.

While it was known that national security letters can demand customer and user data, it wasn’t known exactly what.

In a statement on Monday, Merrill revealed the FBI has used its authority to force companies and individuals to turn over complete web browsing history; the IP addresses of everyone a person has corresponded with; online purchase information, and also cell-site location information, which he said can be used to turn a person’s phone into a “location tracking device.”

According to a release, the FBI can also force a company to release postal addresses, email addresses, and “any other information which [is] considered to be an electronic communication transactional record.”

Merrill said in remarks: “The FBI has interpreted its NSL authority to encompass the websites we read, the web searches we conduct, the people we contact, and the places we go. This kind of data reveals the most intimate details of our lives, including our political activities, religious affiliations, private relationships, and even our private thoughts and beliefs.”

Federal district judge Victor Marrero described in his decision that the FBI’s position was “extreme and overly broad.”

He also found that the FBI’s overbroad gag order on Mr. Merrill “implicates serious issues, both with respect to the First Amendment and accountability of the government to the people.”

Merrill is the first person who has succeeded in completely lifting a national security letter gag order.

The Patriot Act expanded the reach of national security letters when it was signed into law a month after the September 11 attacks in 2001.

More than ten thousand national security letters are issued by the FBI every year, without a warrant or judicial oversight.

These letters have been surrounded with controversy for years, leading to many unsuccessful attempts to litigate against them. Major companies, including Google, have challenged national security letters, with little luck. Microsoft recently challenged an order, which led the FBI to withdraw the demand.

In 2008, a US court found the National Security Letter statute, amended by the Patriot Act in 2001, was unconstitutional.

In a separate case in 2013, the gag order provision was found to be in breach of the First Amendment. The government appealed the ruling.

How Facebook Bakes Security Into Corporate Culture

Security is everyone’s responsibility at the famous social network. These five ingredients are what make up the secret sauce.

Sophisticated systems and advanced engineering capabilities are critical for scaling security at Facebook, and we’re fortunate to have them. However, one of our most powerful defenses is something businesses of any size can develop: a strong security culture. 

Frequent and proactive discussions about security helped us create a culture where security is paramount and knowledge drives out fear. We nurture specific characteristics of our security culture at Facebook to keep it strong — and they’re things every company can do.

Ingredient #1: Openness
Security is everyone’s responsibility at Facebook and we don’t wait until something bad happens to talk about it. A member of the Facebook security team is part of every orientation session for all new hires to introduce them to our security approach and ensure they know how to reach our team for any reason. New engineers go through a six-week bootcamp program, which includes several courses on security. So, before they even start working on projects, our engineers are familiar with our expectations for security and are active participants in our defense strategy.  

But a security culture doesn’t start and end with training. Facebook employees have direct access to security teams at any time. We value feedback from anyone about what’s working and what isn’t; including employees in security discussions that could impact the way they do their job removes friction and builds a network of internal security advocates across the company. It also helps employees understand why we’re doing something, not just what we’re doing.

Ingredient #2: Company Mission
Tying security to the overall purpose and future of the company is also critical. It sets the tone for how security is treated within the organization. Is it an afterthought, an inconvenience, a compliance mandate, or is it critical to the company’s success? Facebook’s mission is to make the world more open and connected. To do this effectively, we must do it securely. This empowers everyone at Facebook to be part of making our services — and the Internet as a whole — safer and more secure. 

To succeed, we have to move fast with multiple code pushes per day involving a dizzying number of diffs. To do this securely, we complement traditional security reviews with secure development frameworks so engineers can be more productive while also removing vulnerabilities from our code.  A team of software engineers is dedicated to making it easier for developers to quickly create secure code by default. In this way, security contributes to the overall success of our company mission.

Ingredient #3: Community Collaboration
Exchanging ideas, lessons, and best practices with other security teams helps keep your skills sharp and your company informed. Whether you’re discussing new discoveries at events, sharing threat intelligence, or contributing to open source projects, collaboration allows us to solve problems as a community for the entire Internet. Take advantage of things that have already been solved by others, especially if you don’t have the resources or expertise to build solutions on your own.

We open-sourced osquery last year, giving other companies a way to detect intrusions in Linux and Mac systems. It’s now the most popular security project on GitHub with dozens of contributions from outside Facebook. Osquery has an active user community sharing new improvements and experiences with each other and our security team.

Ingredient #4: Empathy
With all its technical elements, it’s easy to forget the human side of security — and that can be a costly mistake. At Facebook, we strive to make empathy the driving force behind the problems we solve and how we apply solutions. Even well-intentioned people can find themselves in trouble if they don’t understand the implications of their choices. Don’t expect everyone to be a security expert, so look at your products from their perspective and plan for a variety of uses. This is an important consideration both internally and externally.

Empathy requires that security issues get addressed from the start, especially at Facebook where we develop, test, and iterate quickly. Empathy Labs in Facebook offices around the world give engineers a better understanding for how people with different abilities, in different parts of the world, facing various life situations might interact with our products. A strong commitment to empathy is the only way we could build products that work safely for everyone. 

Ingredient #5: Engagement
Most people need a level of muscle memory to recognize when something suspicious is happening. Thus, security education must be consistent and memorable for employees to recognize potential risks on their own. This can’t be done with periodic compliance training or static content alone. 

Hacktober is a month-long program at Facebook with contests and workshops designed to engage employees on how to protect our company and all the people who use Facebook. We use gamification to drive participation, rewarding employees not only for avoiding unsafe behavior, but also contributing to security improvements such as identifying bugs in code. Fun interactive activities help reinforce the principles we practice throughout the year without reverting to scare tactics.

There is no magic technology or process for creating a security culture — it’s about people. A security culture requires understanding your employees and the people you serve. Whether it’s empowering your security team to participate in industry collaboration or articulating how security enables the overall company mission, a focus on people is critical. This effort has made all the difference at Facebook where every employee is part of the team that helps us protect 1.5 billion people around the world.

Chris Bream is a security director at Facebook. Chris has 12 years of IT experience, with the previous ten focused on information security. At Facebook, he leads a team that helps drive security on the infrastructure that delivers Facebook, Instagram, and Oculus to people …

Gas Theft Gangs Fuel Pump Skimming Scams

Few schemes for monetizing stolen credit cards are as bold as the fuel theft scam: Crooks embed skimming devices inside fuel station pumps to steal credit card data from customers. Thieves then clone the cards and use them to steal hundreds of gallons of gas at multiple filling stations. The gas is pumped into hollowed-out trucks and vans, which ferry the fuel to a giant tanker truck. The criminals then sell and deliver the gas at cut rate prices to shady and complicit fuel station owners.

Agent Steve Scarince of the U.S. Secret Service heads up a task force in Los Angeles that since 2009 has been combating fuel theft and fuel pump skimming rings. Scarince said the crooks who plant the skimmers and steal the cards from fuel stations usually are separate criminal groups from those who use the cards to steal and resell gas.

External pump skimmers retrieved from LA fuel stations.

An external pump skimmer is attached to the end of this compromised fuel dispenser in Los Angeles (right).

“Generally the way it works is the skimmer will sell the cards to a fuel theft cell or ring,” he said. “The head of the ring or the number two guy will go purchase the credit cards and bring them back to the drivers. More often than not, the drivers don’t know a whole lot about the business. They just show up for work, the boss hands them 25 cards and says, ‘Make the most of it, and bring me back the cards that don’t work.’ And the leader of the ring will go back to the card skimmer and say, ‘Okay out of 100 of those you sold me, 50 of them didn’t work.’”

Scarince said the skimmer gangs will gain access to the inside of the fuel pumps either secretly or by bribing station attendants. Once inside the pumps, the thieves hook up their skimmer to the gas pump’s card reader and PIN pad. The devices also are connected to the pump’s electric power — so they don’t need batteries and can operate indefinitely.

Internal pump skimming device seized from a Los Angeles fuel station.

Most internal, modern pump skimmers are built to record the card data on a storage device that can transmit the data wirelessly via Bluetooth technology. This way, thieves can drive up with a laptop and fill their tank in the time it takes to suck down the card data that’s been freshly stolen since their last visit.

The Secret Service task force in Los Angeles has even found pump skimming devices that send the stolen card data via SMS/text message to the thieves, meaning the crooks don’t ever have to return to the scene of the crime and can receive the stolen cards and PINs anywhere in the world that has mobile phone service.

MOBILE BOMBS

Scarince said the fuel theft gangs use vans and trucks crudely modified and retrofitted with huge metal and/or plastic “bladders” capable of holding between 250 and 500 gallons of fuel.

“The fuel theft groups will drive a bladder truck from gas station to gas station, using counterfeit cards to fill up the bladder,” he said. “Then they’ll drive back to their compound and pump the fuel into a 4,000 or 5,000 container truck.”

A bladder made to look like it’s hauling used tires. The wooden panel that was hiding the metal tank exposed here has been removed in this picture.

The fuel will be delivered to gas station owners with whom the fuel theft ring has previously brokered on the price per gallon. And it’s always a cash transaction.

“The stations know they’re buying stolen gas,” Scarince said. “They’re fully aware the fuel is not coming from a legitimate source. There’s never any paperwork with the fuel driver, and these transactions are missing all the elements of a normal, legitimate transaction between what would be a refinery and a gas station.”

Fuel theft gangs converted this van into a bladder truck. Image: Secret Service.

Needless to say, the bladder trucks aren’t exactly road-worthy when they’re filled to the brim with stolen and highly flammable fuel. From time to time, one of the dimmer bladder truck drivers will temporarily forget his cargo and light up a smoke.

“Two or three summers ago we had this one guy who I guess was just jonesing for a cigarette,” Scarince said. “He lit up and that was the last thing he did.”

This bladder truck went up in smoke (literally).

This bladder truck went up in (a) smoke.

Other bladder trucks have spontaneously burst into flames at filling stations while thieves pumped stolen gas.

“There have been other fires that took place during the transfer of fuel, where some static sparked and the whole place caught on fire,” Scarince said. “These vehicles are not road-worthy by any means. Some of the bladder tanks are poorly made, they leak. The trucks are often overweight and can’t handle the load. They fill it up with 300 pounds of liquid, and we see things like transmissions giving out, chassis going out. These things are real hazards just waiting to happen.”

How big are the fuel theft operations in and around Los Angeles? Scarince estimates that at any given time there are 20 to 30 of these deadly bladder trucks trundling down L.A. freeways and side streets.

“And that’s a very conservative guess, just based on what the credit card companies report,” he said.

Aaron Turner, vice president of identity service products at Verifone — a major manufacturer of credit card terminals — leads a team that has been studying many of the skimming devices that the Secret Service has retrieved from compromised filling stations. Turner says there is a huge potential for safety-related issues when it comes to skimmers in a gas-pump environment. 

“Every piece of equipment that is installed by gas station owners in the pump area is reviewed and approved according to industry standards, but these skimmers…not so much,” Turner said. “One of the skimmers that we retrieved was sparking and arcing when we powered it up in our lab. I think it’s safe to say that skimmer manufacturers are not getting UL certifications for their gear.”

COUNTERING FUEL FRAUD

With some fuel theft gangs stealing more than $10 million per year, Scarince said financial institutions and credit card issuers have responded with a range of tactics to detect and stop suspicious fuel station transactions.

“A lot more card issuers and merchant processors are really pushing hard on velocity checks,” Scarince said, referring to a fraud detection technique that reviews transactions for repeating patterns within a brief period. “If you buy gas in Washington, D.C. and then 30 minutes later gas is being purchased on the opposite side of the city in a short period of time. Those are things that are going to start triggering questions about the card. So, more checks like that are being tested and deployed, and banks are getting better at detecting this activity.”
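A minimal sketch of the velocity check described above, added here as an illustration; it is not code from the article, the Secret Service, or any card issuer. The field names, the thresholds (60-minute window, two fills, 10 km) and the sample transactions are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class FuelTxn:
    card: str       # tokenised card reference (constructed, not a real PAN)
    station: str    # hypothetical station identifier
    lat: float
    lon: float
    when: datetime


def km_between(a, b):
    """Great-circle (haversine) distance between two stations, in km."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))


def velocity_flags(txns, window=timedelta(minutes=60), max_fills=2, min_km=10.0):
    """Flag fuel purchases that repeat on one card inside a short window.

    distant_refuel: same card bought fuel >= min_km away within the window.
    rapid_refuel:   same card exceeds max_fills purchases within the window.
    Thresholds are illustrative assumptions, not issuer values.
    """
    recent = defaultdict(deque)   # card -> purchases still inside the window
    flags = []
    for t in sorted(txns, key=lambda x: x.when):
        q = recent[t.card]
        while q and t.when - q[0].when > window:
            q.popleft()           # expire purchases older than the window
        if any(km_between(p, t) >= min_km for p in q):
            flags.append((t.card, "distant_refuel", t.station))
        elif len(q) + 1 > max_fills:
            flags.append((t.card, "rapid_refuel", t.station))
        q.append(t)
    return flags


def _t(card, station, lat, lon, hhmm):
    when = datetime.strptime("2015-01-05 " + hhmm, "%Y-%m-%d %H:%M")
    return FuelTxn(card, station, lat, lon, when)


# Constructed sample transactions (not real data).
SAMPLE = [
    _t("card-A", "dc-northwest", 38.95, -77.08, "12:00"),
    _t("card-A", "dc-southeast", 38.85, -76.95, "12:30"),  # across town, 30 min later
    _t("card-B", "station-x", 34.05, -118.25, "09:00"),
    _t("card-B", "station-x", 34.05, -118.25, "09:10"),
    _t("card-B", "station-x", 34.05, -118.25, "09:20"),    # third fill in 20 min
    _t("card-C", "station-x", 34.05, -118.25, "08:00"),
    _t("card-C", "station-y", 34.20, -118.45, "14:00"),    # six hours later: normal
]

if __name__ == "__main__":
    for flag in velocity_flags(SAMPLE):
        print(flag)
```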

Card issuers also can impose their own artificial spending limits on fuel purchases. Visa, for example, caps fuel purchases at $125.  But thieves often learn to work just under those limits.

“The more intelligent crooks will use only a few cards per station, which keeps them a lower profile,” Scarince said. “They’ll come in and swipe two to three cards and fill up 40-80 gallons and move on down the road to another station. They definitely also have what we determine to be routes. Monday they’ll drive one direction, and Tuesday they’ll go the other way, just to make sure they don’t hit the same stations one day after another.”

Newer credit and debit cards with embedded chip technology should make the cards more costly and difficult to counterfeit. However, the chip cards still have the card data encoded in plain text on the card’s magnetic strip, and most fuel stations won’t have chip-enabled readers for several years to come.

On Oct. 1, 2015, Visa and MasterCard put in force new rules that can penalize merchants who do not yet have chip-enabled terminals. Under the new rules, merchants that don’t have the technology to accept chip cards will assume full liability for the cost of fraud from purchases in which the customer presented a chip-enabled card.

But those rules don’t apply to fuel stations in the United States until October 2017, and a great many stations won’t meet that deadline, said Verifone’s Turner.

“The petroleum stations and the trade organizations that represent them have been fairly public in their statements that they don’t feel they’re going to hit the 2017 dates,” Turner said. “If you look at the cost of replacing these dispensers and the number of systems that have been touched by qualified, licensed technicians…most of the stations are saying that even if they start this process now they’re going to struggle to meet that October 2017 date.”

Turner said that as chip card readers take hold in more retail establishments, card thieves will begin targeting fuel stations more intensively and systematically.

“We’re moving into this really interesting point of time when I think the criminals are going to focus on the approaches that offer them the greatest return on their investment,” Turner said. “In the future, I think there will be a liability shift specifically for petroleum stations [because] the amount of mag-stripe-facilitated fraud that will happen in that market is going to increase significantly along with chip card deployment.”

Part of the reason Los Angeles is such a hotbed of skimming activity may be related to ethnic Armenian organized crime members that have invested heavily in fuel theft schemes. Last month, the Justice Department announced charges against eight such men accused of planting skimmers in pumps throughout Southern California and Nevada.

Scarince and Turner say there is a great deal of room for the geographic spread of fuel theft scams. Although the bulk of fuel theft activity in the United States is centered around Los Angeles, the organized nature of the crime is slowly spreading to other cities.

“We are seeing pump skimming now shoot across the country,” Scarince said. “Los Angeles is still definitely ground zero, but Florida is now getting hit hard, as are Houston and parts of the midwest. Technology we first saw a couple of years ago in LA we’re now seeing show up in other locations across the country. They’re starting to pick on markets that are probably less aware of what’s going on as far as skimming goes and don’t secure their pumps as well as most stations do here.”

WHAT CAN YOU DO?

Avoid sketchy-looking stations and those that haven’t started using tamper-evident seals on their pumps.

“The fuel theft gangs certainly scout out the stations beforehand, looking for stations that haven’t upgraded their pump locks and haven’t started using tamper seals,” Scarince said. “If some franchised station decided not to spend the money to upgrade their systems with these security precautions, they’re going to be targeted.”

Scarince says he also tends to use pumps that are closest to the attendants.

“Those are less likely to have skimmers in or on them than street-side pumps,” he said.

Consumers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, use credit cards instead of debit cards at the pump; having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

These companies lost your data in 2015’s biggest hacks, breaches

In 2014 alone, more than one billion personal records were illegally accessed — including health, financial, email and home address data, and other personal information like Social Security numbers. That’s up more than 54 percent on the year prior, according to Gemalto. This year, there’s no sign of let-up.

As we’re coming up to the end of the year, we look back at some of the biggest — and most dangerous — breaches so far.