Is spyware the root cause of this data leak?

Linden Lab published this yesterday to remind people about basic internet security.   In a roundabout way it is very forcefully reaffirming Linden Lab’s position that these spam emails are as a result of user machines being compromised.  Unfortunately it ignores what is being said by those who have been affected.  The thread where this is still being discussed is here.

Once I am convinced that this was due to spyware I’ll remove these posts and replace them with a background piece and the actual cause.  At the moment I’m not at a level of comfort to be able to accept the Linden Lab position.

Without knowing how local payments work, what data is required and if you need to access the Dragonfish site to do this rather than via the Second Life web pages (and there’s no way I’m going to test it out), my problems with blindly accepting Linden Lab’s position are:

  • If an email address is used for Second Life only, the last time it was probably entered anywhere was when the email account on the Second Life website was updated – assuming people pull their emails down to an email client or it will be used to log into the mail provider if accessed via the web.  Although, web access does increase the chance that spyware could capture it.
  • Those who have identified the spam emails claim their machines are spyware free.  Although none have yet said if they run scheduled checks and if they’ve reviewed the logs down the last few months to see if anything has been picked up.
  • If it is spyware, then I would expect their non Second Life accounts to be receiving spam as well, I doubt there is anyone who only uses their second life email address, yet I’ve not seen any reports of this.
  • Whilst there is a chance that somehow this spyware is clever and targetted enough to only recognise second life accounts and wait until it has the card holder name from a transaction against a Second Life account to send the data to the data collector to enable the email to be sent out, I wouldn’t consider it likely.

I’m still not convinced this can be brushed aside as user carelessness and I would certainly be asking Dragonfish to explain. As Linden Lab are so publicly committed to protecting our data, I would have expected them to contact those who are currently claiming that spyware is not the cause of this to ask them for the emails, to check their logs to see if any spyware has been removed in the last few months and to ask them where they use the email addresses in question. Just brushing this aside as user carelessness without even going through the motions of due diligence doesn’t impress me. Just saying “contact us” in what looks like a peripherally relevant post isn’t what I would expect of a company who is so committed to protecting our data and believes in good customer relations but of course the only recent Linden Lab employee who publicly demonstrated that commitment and understanding of the basics recently ceased working for the company.

Linden Lab are extremely lucky with their user base, the user base is extremely tolerant of errors, it’s extremely rare that people ever exercise their right to complain to external authorities and they’re easily distracted.  Given another week this will have passed from most memories and this will have been just another blip on the horizon.

However, since I’m not feeling enough confidence in the Lab over this, I’ll stick to avoiding local payments and keep these posts here.

Linden Lab in another data security breach. Possibly payment details, definitely cardholder name and email address

Linden Lab has outsourced the processing of payment details to a company called Dragonfish, who claim to be  “The Leading Provider of Online Gaming Solutions”.  How true this claim may be is for others to decide, one thing is certain, they appear to play fast and loose with their customer’s credit card data.

Apparently Dragonfish/Cassava Enterprises (the parent company) passes at least the card holder name and the email address to other gambling sites, this has been confirmed by people who have received spam email for gambling sites to email addresses that are only used for Second Life purposes*.  More worrying is that card holder names are also being passed, this claim was made by someone who received a spam email to the Second Life account used by the account holder yet addressed to the card holder name which was someone who had allowed them to use the card to make payment to Linden Lab*.

Added to this was the extremely poor method of verifying a card holder.  All reputable payment processing organisations use the card verification plugin provided by the credit card company (think “Verified by Visa” and the rest) but not Dragonfish, they send emails with the following text* before they even use the security provided by the card companies. This of course is unnecessary as the card company is best placed to verify the card, so the question arises as to why this effort is being spent on obtaining copies of the card.

(*to view links marked * you need a Second Life account and be logged into the forum.)

Operations Department – Second Life to me
show details 2:48 PM (2 hours ago)

Dear Resident,

I am Paramjit B. from the Operations Department at Cassava Enterprises (Gibraltar) Ltd. I am contacting you with regards to your Linden Lab account with username “(name redacted)“.

As part of our continued efforts to provide confidence and security for all of our members, we will always seek to verify the ownership of any credit cards used to make a deposit. As such your account may experience enhanced security steps at deposit stage, including processing through Verified By Visa or Mastercard Secure.

To process your deposits without this requirement and in order to become a fully verified customer, please send us the following documentation –

–  A photocopy of your credit card ending # 0479 (front & back)
–  A photocopy of your national identity document such as an ID card, Passport or Driver’s License

These documents can be sent to us by you uploading them through the link:

http://secondlife.com/my/account/billing-verification

Please copy and paste the above address directly to your web browser. You will then be prompted to enter your username and password. You will then be guided through a simple process to upload the requested documentation.

Please note that to ensure the security of your documents we have implemented powerful security policies, rules and technical measures to protect the financial security of our Residents. However, please make sure that you block the middle 8 numbers of any credit/debit card uploaded and also block the CVV (3 digit code) on the back of such cards.

If you have any further queries with regards to our requests please review first our Frequently Asked Questions, located on the “Contact Us” tab of the website. Here you will find all the information on why we routinely request documents, how it is possible to send these documents, and the type of documents that we will accept. All these questions and more are answered by typing in the relevant key words to the Frequently Asked Questions search option.

Many thanks for your continued patience and co-operation in this matter.

Regards
Paramjit B.
Payment Operations
Second Life

I did smile wryly at the claim they have “powerful security policies” but then ask you to remove some of the card details and in breach of best practice for financial services, they provide a link to the web page to upload the documents.

Neither Linden Lab nor Dragonfish have ever provided details of their customer data handling procedures.  If you ever send sensitive documents like this to Linden Lab you have no idea what becomes of them, for example;

  • who has access to the data? (apparently everyone by the look of it),
  • if the information is printed out, how is it disposed of?

This is a concern as Linden Lab has had data security breaches in the past which they never advise their customers of.  Those we do know about range from the wholesale breach of the database in 2006 which resulting in everyone being advised to change their password to last year when accounts were compromised but only those affected were notified when they tried to access their account and the doubts (now realised with this Dragonfish leak) about their commitment to protecting their customer data, giving Linden Lab your data is a risky business and on the balance of probabilities, sending them copies of your ID is foolhardy.

It’s been 8 months since full payment options were available to Second Life users.  Apparently Dragonfish are having problems delivering the solution.  If Linden Lab were any one else, the fact that their new supplier of services had effectively stopped some overseas customers paying them would have been a big deal.  Linden Lab appear to be fine with it and apart from reinstating PayPal payments last week after some pressure and bad publicity due to people losing their regions and accounts due to LL not providing a mechanism for their customers to pay them.  This project seems to continue to meander along with a possible release date of this month, yet as usual the Beta deployment isn’t even what would normally be considered Alpha, let alone deployed for customer use due to the sensitive nature of the transactions.

Will I use local payments when it’s finally released?  No.  If I ever have to add new payment details and Dragonfish is the only choice then I won’t be doing it. There’s nothing I need in Second Life that would make me provide my details a site that cannot keep the financial data secure.

How will you know if your data has been compromised?

You can’t really, if you live outside the United States and in particular Europe and have recently used Linden Lab’s local payment option (new accounts apparently were forced to join the beta test for this, for the rest it was “voluntary”), it is very likely that you have had your credit card details compromised.   There will be a couple of indicators that arouse your suspicions.

  • You should have received spam emails from gambling sites.  Although, if you use a provider such as gmail, yahoo or hotmail you may not have received them as the spam filters
  • You may see unusual transactions on your card statements

What you can do

  • Check your spam folder to see if you’ve received any spam emails from gambling sites
  • You should check your card statements, and
  • Consider making a complaint to you local data protection commissioner.

Here is the link to the European Data Protection authorities: http://www.dataprotection.ie/ViewDoc.asp?fn=%2Fdocuments%2Feuropean%2F6f.htm&CatID=37&m=i

Here’s the UK one: http://www.ico.gov.uk/complaints/data_protection.aspx

How do I know if my problem is a data protection problem?

You might have a data protection problem if any of the following apply to you:

  • You have been denied any of your rights, including your right to see the personal information an organisation holds about you.
  • Personal information about you is used, held or disclosed:
    • unfairly
    • for a reason that is not the one it was collected for, or
    • without proper security.
  • Personal information about you is:
    • inadequate, irrelevant or excessive
    • inaccurate or out of date, or
    • kept for longer than is necessary.

I’ve highlighted the relevant reasons for the complaint.

Dragonfish has a UK office, you may like to also lodge a formal complaint with them.

Dragonfish UK

20 Thayer Street
London
UK
W1U 2DD

As always, carefully think about the information you provide to Linden Lab.  The risk of it being accessed by unauthorised people appears to be continuous and real.