Monday, December 03, 2007
Visa fines Ohio bank in TJX data breach
Card firm also faulted Fifth Third's security in '05 theft at BJ's
By Ross Kerber, Globe Staff | November 24, 2007
Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc. several years ago, a court filing shows.
Fifth Third operates more than 1,150 bank branches in the Midwest and Florida and is one of the nation's leading processors of transactions for merchants.
Banks, retailers, and credit-card firms such as Visa and MasterCard Inc. have locked horns in recent years over the issue of data security. All parties agree that in the wake of major breaches such as TJX's, in which the data of nearly 100 million customers was compromised through the end of last year, consumer information needs better protection.
Visa, the largest payment system, had threatened to levy fines when merchants didn't meet a Sept. 30 deadline to upgrade their systems to current security standards that spell out requirements like keeping data behind firewalls and using robust encryption systems for their wireless networks. By Visa's most recent count in October more than a third of the largest US stores didn't meet the requirements.
In the BJ's case, hackers apparently broke into the Natick company's database and stole the credit-card information of some of its 8 million customers. The information was then used to make fraudulent purchases. BJ's settled charges with the Federal Trade Commission in 2005 that it failed to take appropriate security measures.
Neither Visa nor its competitors in the $3 trillion payment card industry will give details of what fines they may have issued. Meanwhile trade groups like the National Retail Federation complain the guidelines put too many security burdens on merchants themselves, and say that banks are more interested in generating fees from card payments than in boosting security.
The fines in the cases of TJX Cos. and BJ's underscore these issues. Technically, Visa and MasterCard can't fine merchants directly but rather levy penalties on banks the merchants pay to process transactions when customers pay with plastic.
The arrangement creates tensions because it means card networks aren't directly responsible for security, said Michael Gavin, a strategist for Security Innovation in Wilmington who audits companies to be sure they comply with the standards. "When you pass the responsibility on to them, it's kind of like playing telephone," Gavin said.
That Fifth Third was previously fined suggests the bank should have known better than to tolerate the issues at TJX, Gavin said. "Fifth Third is definitely guilty of not requiring its merchants" to meet current security standards, he said, "and it has no excuse other than it was willing to accept the risk that any of them might suffer a data breach."
Spokesmen for Fifth Third and Visa have declined repeated requests to interview executives and said they would comment for this article.
A study this year by trade publication Nilson Report showed Fifth Third was the fifth-largest processor of bank card transactions for merchants, handling 2.5 billion bank credit card and debit transactions worth a total of $137 billion in 2006, up 19 percent from 2005.
Visa fines against Fifth Third first came to light in litigation pending against TJX, which faces claims in federal district court in Boston from smaller banks who say the company didn't do enough to protect its data against hackers. These banks are suing to recover the costs of the payment cards they reissued after the breach.
TJX has denied wrongdoing, saying the banks reissued many cards unnecessarily, and the banks themselves were partly responsible for not insisting on better security technologies such as cards with integrated computer chips.
The litigation led to the public filing last month of a June 22 letter from Visa showing it had levied $880,000 in penalties against Fifth Third including what it called an "egregious fine" of $500,000 "due to the seriousness of this security incident and the impact on the Visa system." TJX has said the fine is being appealed, which could indicate the bank had presented TJX with the bill, but neither would give further details.
Details of the fine against Fifth Third in the BJ's case came in previous litigation in Pennsylvania filed against the bank, BJ's, and IBM Corp. by a Pennsylvania credit union seeking to recover the costs of replacing compromised cards.
In a memorandum dated June 16, 2006, US District Judge William W. Caldwell wrote that a forensic investigation of BJ's credit-card processing systems found it was storing all the information on the magnetic strips of customer payment cards on its systems, which could make personal data easier to abuse after it was captured by hackers.
Fifth Third was responsible for making sure BJ's systems met security standards, Caldwell wrote. Visa fined Fifth Third $555,000 in late 2004 for violations of operating rules.
In addition, he wrote, Fifth Third had paid $872,664 to date meant for banks to cover fraud costs, adding that more cases were still coming in. Parties in the case declined to comment or to give more details about the penalties.
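The judge's finding that BJ's kept the full contents of the card's magnetic stripe is the kind of condition a processor is expected to catch before a breach, not after. The following is an added example, not from the article or from any card brand's tooling: it scans stored transaction records for track 1 and track 2 fragments (the ISO/IEC 7813 layouts `%B<PAN>^<NAME>^...?` and `;<PAN>=...?`), confirms the embedded number passes the Luhn check so that ordinary digit runs are not flagged, and redacts hits down to the last four digits. The sample records and the field names in them are constructed; the card numbers are the standard test numbers, not real accounts.

```python
"""
Scan stored transaction records for full magnetic-stripe data (track 1
and track 2, ISO/IEC 7813) and redact it. Added example, not from the
article or from any card brand's tooling; the sample records are
constructed and use standard test card numbers.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

# Constructed sample records. Only the first two hold full track data.
SAMPLE_RECORDS = [
    'txn=1001 store=17 raw="%B4111111111111111^DOE/JANE^25121011234567890?" auth=OK',
    'txn=1002 store=17 raw=";5500000000000004=25121011234567890?" auth=OK',
    'txn=1003 store=17 pan_last4=1111 auth=OK',
    # an internal reference that merely looks like track 2; its "PAN" fails Luhn
    'txn=1004 store=17 ref=";1234567890123456=2512101?"',
]


def luhn_ok(pan: str) -> bool:
    """Mod-10 check, so that arbitrary digit runs are not reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track_data(text: str) -> list[dict]:
    """One finding per track fragment with a Luhn-valid PAN; never returns the full PAN."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append({"track": 1, "pan_last4": m.group(1)[-4:],
                             "name": m.group(2), "expiry": m.group(3)})
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append({"track": 2, "pan_last4": m.group(1)[-4:],
                             "expiry": m.group(2)})
    return findings


def redact_track_data(text: str) -> str:
    """Replace each Luhn-valid track fragment with a marker keeping only the last four digits."""
    def repl(track):
        def _sub(m):
            if not luhn_ok(m.group(1)):
                return m.group(0)  # leave look-alikes untouched
            return "[TRACK%d REDACTED last4=%s]" % (track, m.group(1)[-4:])
        return _sub
    return TRACK2_RE.sub(repl(2), TRACK1_RE.sub(repl(1), text))


def scan_records(records: list[str]) -> list[tuple[int, list[dict]]]:
    """Return (record index, findings) for every record that holds full track data."""
    hits = []
    for i, rec in enumerate(records):
        found = find_track_data(rec)
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for idx, found in scan_records(SAMPLE_RECORDS):
        print(idx, found)
        print("   ", redact_track_data(SAMPLE_RECORDS[idx]))
```

Run against real storage this would be pointed at database dumps, log directories and backups rather than an in-memory list; the Luhn filter keeps the false-positive rate low enough that every hit deserves a look.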
Man hacks into EMR system and launches SWAT assault
Hacker pleads guilty to stealing AT&T employee passwords to make false 911 calls
11.21.07
Stuart Rosoff pled guilty to gaining illegal access to AT&T networks and placing false emergency calls. He duped emergency dispatch operators into sending police SWAT teams to innocent, unsuspecting homes.
Rosoff is considered the lead defendant in a federal case against a conspiracy that is connected to over 60 "swatting" incidents. Rosoff faces up to five years in prison and a $250,000 fine.
Last October, "swatting" gained attention in the cybersecurity arena when Washington teenager Randall Ellis was arrested for a similar crime. Ellis sent a SWAT team, helicopter, and police dogs to descend on a random house, endangering a couple and two toddlers.
UK tax office data breach exposes 25 million names
Two lost CDs cause the largest data breach in the UK and compromise the personal details of every child in the country including the bank account and national insurance numbers of their parents or guardians
11.21.07
In England, the head of Her Majesty's Revenue & Customs has resigned after admitting to Parliament that his organization lost two CDs containing sensitive information about 25 million people, including almost every child in the country.
The two CDs, which included names, addresses, birth dates, and banking details were mailed to an auditor October 18 by a junior employee, but they never arrived.
The loss was not reported to senior management until November 8, and police were not called in until November 14.
About 7 million families who had children in the database are being warned to watch their bank and credit activity.
McAfee: Typo-squatters cashing in on website misspellings
By Dan Kaplan | November 19, 2007
Internet surfers who misspell the name of a popular website have a one in 14 chance of landing on a site owned by someone trying to capitalize on their poor typing skills, a McAfee report revealed today.
The URLs of these "typo-squatting" sites typically are a letter off from the real thing – for instance, Iohone[dot]com or google[dot]cm. But instead of legitimate content, they contain pay-per-click advertisements, McAfee said in the research report, which studied 1.9 million typographical variations of 2,771 of the most trafficked websites.
So instead of being delivered to Apple's webpage designated for information and sales on the iPhone or Google's popular search engine, a simple press of the wrong key may bring a user to a parked site that contains rows of advertising links. Most of these sites do not contain malicious content, such as malware, although 2.4 percent lead to pornographic sites, according to the McAfee study.
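The "one letter off" variations McAfee counted are exactly what a brand owner needs to enumerate for itself in order to see which look-alikes someone else has registered. The block below is an added example for that defensive monitoring task and is not McAfee's methodology: it generates the one-keystroke neighbours of a domain (dropped, doubled, swapped and adjacent-key letters, plus common slips of `.com` such as `.cm`) and reports the ones present in a registration list that the brand owner does not hold. The `SAMPLE_REGISTERED` and `SAMPLE_OWNED` sets are constructed stand-ins for what a WHOIS or DNS lookup would return, and the QWERTY adjacency map is a constructed, letters-only approximation.

```python
"""
Enumerate the one-keystroke neighbours of a brand's domain (names like
google.cm or iohone.com, as cited in the article) so a brand owner can
monitor which ones someone else has registered. Added example for
defensive brand monitoring, not McAfee's methodology; the "registered"
and "owned" sets are constructed stand-ins for WHOIS/DNS results.
"""

# Keys adjacent to each letter on a QWERTY keyboard (constructed, letters only).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Common slips when typing ".com".
TLD_SLIPS = ("cm", "co", "om", "con", "vom", "xom", "ocm", "comm")

# Constructed stand-in for lookup results: which candidate names exist at all.
SAMPLE_REGISTERED = {"google.cm", "gogle.com", "googel.com", "goolge.com",
                     "iohone.com", "ipone.com", "example.com"}
# Constructed: look-alikes the brand owner already holds defensively.
SAMPLE_OWNED = {"gogle.com", "googel.com"}


def typo_variants(label: str, tld: str = "com") -> set[str]:
    """All domains one keystroke away from <label>.<tld>, excluding the genuine one."""
    label = label.lower()
    names = set()
    for i in range(len(label)):
        # dropped letter: google -> gogle
        names.add(label[:i] + label[i + 1:])
        # doubled letter: google -> gooogle
        names.add(label[:i] + label[i] + label[i:])
        # adjacent-key substitution: iphone -> iohone
        for nb in ADJACENT.get(label[i], ""):
            names.add(label[:i] + nb + label[i + 1:])
        # swapped neighbours: google -> goolge
        if i + 1 < len(label):
            names.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants = {n + "." + tld for n in names if n}
    if tld == "com":
        # wrong or truncated TLD: google.com -> google.cm
        variants.update(label + "." + slip for slip in TLD_SLIPS)
    variants.discard(label + "." + tld)
    return variants


def suspected_squats(label: str, registered: set, owned: set, tld: str = "com") -> list[str]:
    """Variants that are registered but not held by the brand owner, sorted for reporting."""
    return sorted(v for v in typo_variants(label, tld)
                  if v in registered and v not in owned)


if __name__ == "__main__":
    for brand in ("google", "iphone"):
        print(brand, "->", len(typo_variants(brand)), "candidates;",
              "unowned registrations:", suspected_squats(brand, SAMPLE_REGISTERED, SAMPLE_OWNED))
```

In practice the candidate set is fed to a DNS or WHOIS resolver on a schedule and the output compared against the previous run, so newly registered look-alikes surface as a diff rather than as a one-off report.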
"It is a site trying to capture traffic designed for a well-known product, company or person and it's doing it by registering one, dozens and sometimes hundreds of spelling variations," McAfee research analyst Shane Keats told SCMagazineUS.com today. "The existence of typo-squatters proves that people make money on typo-squatting."
The registrants of these sites profit through ad networks, notably Google AdSense, which offers text-based ads relevant to site content pages. Typo-squatters earn roughly a quarter each time a user clicks on one of the ads, which typically relate to the product or service the user wants, experts said.
"Google releases advertising into their syndication network," Josh Bourne, president of the nonprofit Coalition Against Domain Name Abuse (CADNA), told SCMagazineUS.com today. "It can appear on any type of website that Google syndicates its ads to, and those include pay-per-click websites."
Sites for games, airlines, mainstream media and adult content are the most commonly squatted internet destinations, and more than 60 percent appeal to the 18-and-under demographic, the McAfee study showed.
"Some of these sites can be quite deceptive," said Ben Edelman, an adware researcher and an assistant professor in the Harvard Business School. "You type one thing and you get taken to another page where they're offering you something different."
Edelman told SCMagazineUS.com that creating one of these sites takes nothing more than a few dollars to register a domain name which shares a likeness to a legitimate site.
"It's a business with very low barriers to entry," he said.
But careless typists would not have to worry if it weren't for ad networks, such as Google, he said.
Edelman is representing Vulcan Golf, which sued Google this summer. The St. Charles, Ill.-based golf club manufacturer filed the suit on behalf of all sites who believe they are victims of trademark and copyright infringement due to cybersquatters.
"None of this would happen if the typo-squatters couldn't make money," Edelman said. "They're only doing this to make money. The natural question is, ‘Who is paying for it?' When you look at it that way, all arrows point to Google."
A Google spokesman did not immediately respond to a request for comment.
Meanwhile, Keats said that fighting typo-squatting sites takes a lot of time and money. As an alternative, he suggests that users be careful when they type domain names into the address bar and may instead opt for using search tools, many of which automatically generate a correction request should a popular search term be misspelled.
"If you end up at a typo-squatted site, resist the urge," he said. "They're designed to get you to do another click…You honestly don't know where you're going to end up."
Bank execs targeted by fake Department of Justice phishing emails
By Dan Kaplan | November 20, 2007
Corporate executives again are being targeted in a new round of spear phishing attacks that attempt to dupe them into downloading a malicious attachment.
The messages claim to be a complaint from the federal Department of Justice against the recipient's company, according to a Websense Security Labs alert. The email says that a copy of the original complaint is attached in the email – but clicking on it infects the user's machine with a trojan downloader.
Around midday Monday, researchers at MessageLabs first detected the campaign, in which senior employees working in financial organizations, such as banks and credit unions, were targeted. The messages contain subjects with the recipient's full name.
Experts believe the same gang was involved in a similar scam in September.
Paul Wood, senior analyst for MessageLabs, told SCMagazineUS.com today that he is unsure why top executives are being targeted.
"It may be they want to try and find information on those computers that may be sensitive...such as information about mergers and acquisitions." he said. "There may be corporate intellectual property that they may be discussing."
Another possibility is that it is easier for cybercrooks to find information about these individuals than the average employee, therefore making them easier targets through social engineering, Wood said.
Monday's attack arrived in two waves, MessageLabs said. In the first one, the email subject line contained the full name of the recipient and a ZIP file attachment containing a .scr executable.
The second wave arrived several hours later and included a rich text format (RTF) file attachment with a .doc attachment, this time claiming to come from the Better Business Bureau. This attack contained an executable that was disguised as a PDF, according to MessageLabs.
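Both waves rely on the recipient not noticing what the attachment really is: a `.scr` hidden inside a ZIP, and a program named as if it were a PDF. A mail gateway can catch both without a signature by comparing the claimed file type with the content's leading bytes. The block below is an added example of that triage, not the detection logic of MessageLabs, Websense or any anti-virus vendor; its attachments are constructed in memory (the `FAKE_PE` bytes are only the DOS `MZ` signature, not a working program, and the file names are invented).

```python
"""
Gateway-style attachment triage for the two waves described above: a
ZIP wrapping a .scr executable, and an executable whose name says PDF.
Added example with constructed in-memory attachments; it is not the
detection logic of MessageLabs, Websense or any anti-virus vendor.
"""
import io
import zipfile

# Extensions Windows will run directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Leading bytes ("magic numbers") that identify what the content actually is.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF-": "pdf",
    b"{\\rtf": "rtf",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy binary .doc/.xls container
}
# Content types a given document extension may legitimately carry.
EXPECTED = {".pdf": ("pdf",), ".doc": ("ole", "rtf"), ".rtf": ("rtf",), ".zip": ("zip",)}


def ext_of(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def sniff(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons to hold this attachment; an empty list means no finding."""
    reasons = []
    ext, kind = ext_of(name), sniff(data)
    if kind == "pe-executable":
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"{name}: Windows executable ({ext})")
        else:
            reasons.append(f"{name}: Windows executable disguised with extension {ext or '(none)'}")
    elif ext in EXECUTABLE_EXTS:
        reasons.append(f"{name}: executable extension {ext}")
    elif ext in EXPECTED and kind != "unknown" and kind not in EXPECTED[ext]:
        reasons.append(f"{name}: named {ext} but content is {kind}")
    # Look inside archives, with a depth bound so nested ZIPs cannot recurse forever.
    if kind == "zip" and depth < 2:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    inner = zf.read(info.filename)
                    reasons.extend(f"{name} -> {r}"
                                   for r in triage_attachment(info.filename, inner, depth + 1))
    return reasons


def build_zip(inner_name: str, inner_bytes: bytes) -> bytes:
    """Construct a sample ZIP attachment in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


# Constructed: only the DOS "MZ" signature, not a working program.
FAKE_PE = b"MZ" + b"\x00" * 62

SAMPLE_ATTACHMENTS = {
    "complaint_john_smith.zip": build_zip("complaint.scr", FAKE_PE),  # wave 1 shape
    "bbb_complaint.pdf": FAKE_PE,                                      # wave 2 shape
    "notes.doc": b"{\\rtf1\\ansi Meeting notes}",  # RTF under a .doc name: Word opens it, no finding
    "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
}


def triage_all(attachments: dict) -> dict:
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_ATTACHMENTS).items():
        print(name, "->", reasons or "ok")
```

Content sniffing is deliberately independent of the anti-virus verdict: the article notes none of the major vendors initially detected these samples, and a type mismatch rule needs no knowledge of the specific trojan to hold the message for review.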
None of the major anti-virus vendors could initially detect the attacks, Websense said.
The IRS and Federal Trade Commission also have been used in similar schemes.
British data breach affects 25 million
By Paul Fisher | November 21, 2007
British government officials said today that the personal information for some 25 million people – about half of the country's population – was lost after two computer disks being transported between government departments went missing.
In a statement to the House of Commons, Chancellor Alistair Darling explained that the data had been held on two disks that had been sent to the National Audit Office (NAO) from a Revenue and Customs tax authority (HMRC) office. Paul Gray, chairman of the HMRC, announced his resignation Tuesday after the breach was made public.
The disks, which contained names, addresses, birth dates, national insurance numbers and banking details, were said to be password protected but not encrypted.
Darling said the disks had been sent by a junior HMRC employee through a courier, but the package was not registered or recorded, a violation of HMRC policy.
When the disks failed to arrive, a second disk was sent by registered post, which did arrive at the NAO.
A police investigation was launched to find the missing disks, but officials tried to reassure residents that they are in no immediate danger for identity theft or other fraud.
"I regard this as an extremely serious failure by HMRC and appropriate steps are in place," Darling said. "There is no evidence of unusual activity and police have no reason to believe the data has fallen into the wrong hands."
He added that HMRC has now introduced changes in its security procedures and that "the government took the protection of personal data extremely seriously".
Calling the incident a "catastrophic mistake," Shadow Chancellor George Osborne asked: "What is the point of this House passing laws to protect people's private data if those laws are not followed by government?"
Industry figures were quick to condemn HMRC and the government.
Tom de Jongh, product manager at encryption specialist SafeBoot, said: "The responsibility must lie with the people in charge, and it is only right that Mr. Gray resigned. Under his leadership, mandatory security measures should have been in place to make sure these mistakes do not occur."
Greg Day, security analyst at McAfee, said that the loss of the data by HMRC served as "yet another example of the danger of putting sensitive information on an easy-to-lose format, such as disks, and the result of internal policies not being backed up by good security practice."
Jamie Cowper, director of European marketing at PGP, said: "These disks should never have been transported in the first place. Information of this type should only be transmitted using the strongest security protocols available, such as encrypted batch transfer. But more to the point, these details should not have been stored in this medium."