Thursday, February 26, 2009
FBI Uncovers Worldwide $9M ATM Card Scam
FBI Uncovers Worldwide $9M ATM Card Scam
Tuesday , February 03, 2009
ADVERTISEMENTHackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from bank customers — and they could strike again, according to an investigation by FOX 5 TV in New York.
Customers' personal information might also have been compromised in what federal agents are calling one of the most well-coordinated such schemes they've seen, MyFOXNY.com reported.
The FBI said it uncovered the plot and is investigating. The alleged hackers are still at large and could orchestrate another attack.
In a matter of hours, thieves struck ATMs from 49 different cities — including New York, Atlanta, Chicago, Moscow and Montreal — just after 8 p.m. EST on Nov. 8, according to the FBI.
Part of the heist was caught on security camera images obtained by the TV station. The photos show people the FBI calls "cashers" — low-level participants in the plot who allegedly used bogus ATM cards with stolen information — at the machines.
The scheme worked as follows: Plotters hacked into a computer system for a company called RBS WorldPay, which allows employers to transfer workers' pay directly to a payroll card.
The scam artists were then able to infiltrate the system and steal personal data needed to make duplicate ATM cards.
"We've seen similar attempts to defraud a bank through ATM machines but not anywhere near the scale we have here," FBI Agent Ross Rice told FOX 5. "We've never seen one this well coordinated."
The FBI has no suspects and has made no arrests thus far.
An Atlanta attorney filed a class-action lawsuit against RBS WorldPay for the alleged security breach.
The company told FOX 5 they'd hired a security firm to investigate and try to prevent identity theft in the future.
Tuesday , February 03, 2009
ADVERTISEMENTHackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from bank customers — and they could strike again, according to an investigation by FOX 5 TV in New York.
Customers' personal information might also have been compromised in what federal agents are calling one of the most well-coordinated such schemes they've seen, MyFOXNY.com reported.
The FBI said it uncovered the plot and is investigating. The alleged hackers are still at large and could orchestrate another attack.
In a matter of hours, thieves struck ATMs from 49 different cities — including New York, Atlanta, Chicago, Moscow and Montreal — just after 8 p.m. EST on Nov. 8, according to the FBI.
Part of the heist was caught on security camera images obtained by the TV station. The photos show people the FBI calls "cashers" — low-level participants in the plot who allegedly used bogus ATM cards with stolen information — at the machines.
The scheme worked as follows: Plotters hacked into a computer system for a company called RBS WorldPay, which allows employers to transfer workers' pay directly to a payroll card.
The scam artists were then able to infiltrate the system and steal personal data needed to make duplicate ATM cards.
"We've seen similar attempts to defraud a bank through ATM machines but not anywhere near the scale we have here," FBI Agent Ross Rice told FOX 5. "We've never seen one this well coordinated."
The FBI has no suspects and has made no arrests thus far.
An Atlanta attorney filed a class-action lawsuit against RBS WorldPay for the alleged security breach.
The company told FOX 5 they'd hired a security firm to investigate and try to prevent identity theft in the future.
U.S. Consulate Mistakenly Sells Secret Files in Jerusalem
U.S. Consulate Mistakenly Sells Secret Files in Jerusalem
Tuesday , January 27, 2009
By Reena Ninan
ADVERTISEMENTEXCLUSIVE: Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.
"We couldn't believe what we found," said Paula, who purchased the cabinets and asked that her last name not be published. "We thought of calling the American consulate right away, and then we thought, you know they'll just hide it and say, 'Oh, we made a mistake.'"
The consulate was unaware of the missing files until FOX News contacted U.S. officials. Initially they said that no filing cabinets were sold in the auction, but later they acknowledged the sale. The State Department has now launched an investigation.
The files contained social security numbers of U.S. Marines and State Department employees stationed in Israel, and documentation of how U.S. government money is allocated to fund sensitive programs in the region. Among the papers was also a report labeled "secret" that documented an encounter a U.S. Marine had with an Israeli woman at a bar in Jerusalem.
Robert Baer, a former CIA agent who spent years working in the Middle East, calls the incident a serious security failure.
"It's a major breach because the government, at all cost, wants to keep these records out of foreign hands, whether Israeli or any other country," Baer says. "We spy on Israel; they spy on us. The Marines are vulnerable because they are young, and they are inevitably single. You're looking at what is called a honey trap. You run a girl into an employee. You actually get him to fall in love and then you get them to break the security clearance and go and steal documents or whatever."
The head of security at the U.S. consulate approached Paula asking for the documents to be returned. When she refused to turn them in the consulate asked Israeli police to intervene. After she was threatened with criminal charges, she returned the files, but not before FOX News had a thorough look at them.
The American consulate in Jerusalem routinely holds furniture auctions to dispose of unwanted items. The woman purchased the cabinets in December of 2005 but decided to come forward with the files after hearing about a Sept. 22, 2008 incident in which a Palestinian teenager crashed a BMW into a group of Israeli soldiers.
Paula, whose son's unit was the one that was struck by the car, says she was angered when she heard that the car was purchased from an auction held by the consulate.
U.S. officials insist the car was never linked to them. A FOX News investigation also found there was no connection.
Paula, an Israeli who also holds U.S. citizenship, says she wanted to expose the incident because her loyalty is to the state of Israel.
Tuesday , January 27, 2009
By Reena Ninan
ADVERTISEMENTEXCLUSIVE: Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.
"We couldn't believe what we found," said Paula, who purchased the cabinets and asked that her last name not be published. "We thought of calling the American consulate right away, and then we thought, you know they'll just hide it and say, 'Oh, we made a mistake.'"
The consulate was unaware of the missing files until FOX News contacted U.S. officials. Initially they said that no filing cabinets were sold in the auction, but later they acknowledged the sale. The State Department has now launched an investigation.
The files contained social security numbers of U.S. Marines and State Department employees stationed in Israel, and documentation of how U.S. government money is allocated to fund sensitive programs in the region. Among the papers was also a report labeled "secret" that documented an encounter a U.S. Marine had with an Israeli woman at a bar in Jerusalem.
Robert Baer, a former CIA agent who spent years working in the Middle East, calls the incident a serious security failure.
"It's a major breach because the government, at all cost, wants to keep these records out of foreign hands, whether Israeli or any other country," Baer says. "We spy on Israel; they spy on us. The Marines are vulnerable because they are young, and they are inevitably single. You're looking at what is called a honey trap. You run a girl into an employee. You actually get him to fall in love and then you get them to break the security clearance and go and steal documents or whatever."
The head of security at the U.S. consulate approached Paula asking for the documents to be returned. When she refused to turn them in the consulate asked Israeli police to intervene. After she was threatened with criminal charges, she returned the files, but not before FOX News had a thorough look at them.
The American consulate in Jerusalem routinely holds furniture auctions to dispose of unwanted items. The woman purchased the cabinets in December of 2005 but decided to come forward with the files after hearing about a Sept. 22, 2008 incident in which a Palestinian teenager crashed a BMW into a group of Israeli soldiers.
Paula, whose son's unit was the one that was struck by the car, says she was angered when she heard that the car was purchased from an auction held by the consulate.
U.S. officials insist the car was never linked to them. A FOX News investigation also found there was no connection.
Paula, an Israeli who also holds U.S. citizenship, says she wanted to expose the incident because her loyalty is to the state of Israel.
Labels: US Consulate
Credit card hackers find new, rich targets
Credit card hackers find new, rich targets
Posted: Friday, January 23 2009 at 05:00 am CT by Bob Sullivan
Few noticed on Christmas Eve when the news broke that electronic payment services firm RBS WorldPay had been hit by hackers who stole personal data on 1.5 million consumers. After all, that's small potatoes these days. But when Heartland Payment Systems announced on Inauguration Day that it had suffered a serious security breach, some experts noticed a pattern -- and not just the companies' standard penchant for releasing bad news on days while the public is distracted.
"I have heard that the payment processers are the main target for hackers now," said Avivah Litan, security expert at consultancy firm Gartner.
Heartland has not released an estimate of the number of accounts impacted by the attack, but Litan said it might be the biggest data leak ever: The firm handles 100 million transactions every month for 250,000 clients. Heartland has said it was alerted by Visa and MasterCard to a pattern of fraud on its networks last fall, but only discovered the security hole in its network last week . That gave hackers access to potentially hundreds of millions of transactions over several months.
The largest known data leak to date involved retailer TJ Maxx, which lost the data on 45 million credit cards in 2007. But this time, there are signs the haul, and the targets, might be astonishingly large.
In its release, Heartland said it was the victim of a "widespread global cyber fraud operation." CFO Robert Baldwin told the Wall Street Journal that the firm had been targeted by malicious software that was "light-years more sophisticated" than standard computer viruses. Those ominous statements, combined with the news about RBS WorldPay, suggests to Litan that hackers have now trained their relentless keyboards on payment processing firms.
Few American consumers have ever heard of Heartland or RBS WorldPay. But these firms -- and others including First Data, TSYS, and Nova Information Systems -- regularly capture and transmit personal information about nearly every American.
Payment processors handle credit-, debit- and gift-card transactions from the moment you swipe your card at a store until your bank debits your account and adds the money to the store's account. These are complicated processes -- the processor must make sure you have the money (or the credit limit) to afford the purchase, then tell your bank to send money to the store's bank. Often, third-party firms – such as software companies that manage store cash registers – add to the complexity.
Right now, consumers have no way of knowing if their data was stolen RBS WorldPay or the Heartland attacks; they may never find out. Retailers rarely advertise which payment systems they use. Heartland has said publicly that nearly half of its transactions come from restaurants, but has declined to identify its clients. It’s also declined to identify consumers who might be victims.
That's where the data is
It makes sense for hackers to target processing companies -- that's where the most data is. A firm like Heartland has access to far more credit and debit card numbers on a given month than any single retailer.
But there's another factor that makes processors vulnerable, Litan said. While payment industry rules require that credit card data be encrypted while it's stored by retailers, processors, and banks, there is no requirement that the data be encrypted while in transit over private networks. That's a weakness which hackers have now targeted, she said.
Heartland isn’t saying how a computer virus was able to get onto its systems. But once there, its makers would have had a fairly easy time sniffing out credit card data, Litan said.
"The likelihood is that there was malicious software sitting on a server (at Heartland) looking for transmissions that represented authorization requests, and then the malware would turn on and capture that data," she said.
In August of last year, Visa issued a warning to payment services companies predicting exactly that kind of attack.
“Visa has noticed an emerging trend in which computer hackers use packet sniffers to intercept and collect cardholder data,” it said in a security alert sent to clients. “Recent investigations have uncovered evidence of packet sniffers being used by network intruders to capture payment card data as it is transmitted over the network during authorization. This threat involves compromising the system and then installing a sniffer program or installing a hardware sniffer. …. Once network intruders gain entry into a merchant’s system, the packet sniffer programs are installed and can be difficult to detect.”
Adding encryption tools would foil such packet sniffing, but doing so is a logistical challenge; all the various parties would have to agree on encryption key management. Still, Litan said, such a step would not be impossible -- and she criticized banks as “lazy” for not requiring encryption.
"They could do it. It's just very costly," she said.
Then again, so is a major security breach.
Posted: Friday, January 23 2009 at 05:00 am CT by Bob Sullivan
Few noticed on Christmas Eve when the news broke that electronic payment services firm RBS WorldPay had been hit by hackers who stole personal data on 1.5 million consumers. After all, that's small potatoes these days. But when Heartland Payment Systems announced on Inauguration Day that it had suffered a serious security breach, some experts noticed a pattern -- and not just the companies' standard penchant for releasing bad news on days while the public is distracted.
"I have heard that the payment processers are the main target for hackers now," said Avivah Litan, security expert at consultancy firm Gartner.
Heartland has not released an estimate of the number of accounts impacted by the attack, but Litan said it might be the biggest data leak ever: The firm handles 100 million transactions every month for 250,000 clients. Heartland has said it was alerted by Visa and MasterCard to a pattern of fraud on its networks last fall, but only discovered the security hole in its network last week . That gave hackers access to potentially hundreds of millions of transactions over several months.
The largest known data leak to date involved retailer TJ Maxx, which lost the data on 45 million credit cards in 2007. But this time, there are signs the haul, and the targets, might be astonishingly large.
In its release, Heartland said it was the victim of a "widespread global cyber fraud operation." CFO Robert Baldwin told the Wall Street Journal that the firm had been targeted by malicious software that was "light-years more sophisticated" than standard computer viruses. Those ominous statements, combined with the news about RBS WorldPay, suggests to Litan that hackers have now trained their relentless keyboards on payment processing firms.
Few American consumers have ever heard of Heartland or RBS WorldPay. But these firms -- and others including First Data, TSYS, and Nova Information Systems -- regularly capture and transmit personal information about nearly every American.
Payment processors handle credit-, debit- and gift-card transactions from the moment you swipe your card at a store until your bank debits your account and adds the money to the store's account. These are complicated processes -- the processor must make sure you have the money (or the credit limit) to afford the purchase, then tell your bank to send money to the store's bank. Often, third-party firms – such as software companies that manage store cash registers – add to the complexity.
Right now, consumers have no way of knowing if their data was stolen RBS WorldPay or the Heartland attacks; they may never find out. Retailers rarely advertise which payment systems they use. Heartland has said publicly that nearly half of its transactions come from restaurants, but has declined to identify its clients. It’s also declined to identify consumers who might be victims.
That's where the data is
It makes sense for hackers to target processing companies -- that's where the most data is. A firm like Heartland has access to far more credit and debit card numbers on a given month than any single retailer.
But there's another factor that makes processors vulnerable, Litan said. While payment industry rules require that credit card data be encrypted while it's stored by retailers, processors, and banks, there is no requirement that the data be encrypted while in transit over private networks. That's a weakness which hackers have now targeted, she said.
Heartland isn’t saying how a computer virus was able to get onto its systems. But once there, its makers would have had a fairly easy time sniffing out credit card data, Litan said.
"The likelihood is that there was malicious software sitting on a server (at Heartland) looking for transmissions that represented authorization requests, and then the malware would turn on and capture that data," she said.
In August of last year, Visa issued a warning to payment services companies predicting exactly that kind of attack.
“Visa has noticed an emerging trend in which computer hackers use packet sniffers to intercept and collect cardholder data,” it said in a security alert sent to clients. “Recent investigations have uncovered evidence of packet sniffers being used by network intruders to capture payment card data as it is transmitted over the network during authorization. This threat involves compromising the system and then installing a sniffer program or installing a hardware sniffer. …. Once network intruders gain entry into a merchant’s system, the packet sniffer programs are installed and can be difficult to detect.”
Adding encryption tools would foil such packet sniffing, but doing so is a logistical challenge; all the various parties would have to agree on encryption key management. Still, Litan said, such a step would not be impossible -- and she criticized banks as “lazy” for not requiring encryption.
"They could do it. It's just very costly," she said.
Then again, so is a major security breach.
Labels: Credit Card Hackers
Providence to Pay First HIPAA Fine of $100,000
Providence to Pay First HIPAA Fine of $100,000
Date Posted: July 18, 2008
Providence Health & Services agreed to pay $100,000 to resolve HIPAA privacy and security allegations, in the first such monetary settlement since the privacy rules took effect in 2003. The U.S. Department of Health and Human Services (HHS) had received more than 30 privacy and security complaints against Providence for its widely publicized losses of laptops and other sensitive items in 2005 and 2006.
Providence, an integrated health system based in Seattle, also will implement a detailed corrective action plan to settle a joint enforcement action by HHS’ Office for Civil Rights (OCR) and Centers for Medicare and Medicaid Services (CMS). Providence did not admit liability in the settlement, which obviated the need for HHS to undergo HIPAA’s official process for imposing civil monetary penalties.
The HHS investigation stemmed from five incidents, the main one being a December 2005 theft from a Providence employee’s car of backup tapes and disks containing unencrypted health information on about 365,000 home health care patients. Providence already had agreed to provide free credit monitoring and step up security measures in a September 2006 settlement with the state of Oregon.
“We are committed to effective enforcement of health information privacy and security protections for consumers,” OCR Director Winston Wilkinson said in a statement. “Other covered entities that are not in compliance with the privacy and security rules may face similar action.”
“Effective compliance means more than just having written policies and procedures,” added CMS Acting Administrator Kerry Weems. “Covered entities need to continuously monitor the details of their execution, and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features.”
“The protection of patient information is a top priority for Providence Health & Services,” said Eric Cowperthwaite, Providence’s chief information security officer, in the HHS statement. “Since these incidents occurred, we have reinforced our security protocols and implemented new data protection measures,” he said. “Under the terms of the agreement, we will continue to implement appropriate policies, procedures and training.”
HIPAA’s privacy and security rules and their enforcement are detailed in the Employer’s Guide to HIPAA Privacy Requirements.
Date Posted: July 18, 2008
Providence Health & Services agreed to pay $100,000 to resolve HIPAA privacy and security allegations, in the first such monetary settlement since the privacy rules took effect in 2003. The U.S. Department of Health and Human Services (HHS) had received more than 30 privacy and security complaints against Providence for its widely publicized losses of laptops and other sensitive items in 2005 and 2006.
Providence, an integrated health system based in Seattle, also will implement a detailed corrective action plan to settle a joint enforcement action by HHS’ Office for Civil Rights (OCR) and Centers for Medicare and Medicaid Services (CMS). Providence did not admit liability in the settlement, which obviated the need for HHS to undergo HIPAA’s official process for imposing civil monetary penalties.
The HHS investigation stemmed from five incidents, the main one being a December 2005 theft from a Providence employee’s car of backup tapes and disks containing unencrypted health information on about 365,000 home health care patients. Providence already had agreed to provide free credit monitoring and step up security measures in a September 2006 settlement with the state of Oregon.
“We are committed to effective enforcement of health information privacy and security protections for consumers,” OCR Director Winston Wilkinson said in a statement. “Other covered entities that are not in compliance with the privacy and security rules may face similar action.”
“Effective compliance means more than just having written policies and procedures,” added CMS Acting Administrator Kerry Weems. “Covered entities need to continuously monitor the details of their execution, and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features.”
“The protection of patient information is a top priority for Providence Health & Services,” said Eric Cowperthwaite, Providence’s chief information security officer, in the HHS statement. “Since these incidents occurred, we have reinforced our security protocols and implemented new data protection measures,” he said. “Under the terms of the agreement, we will continue to implement appropriate policies, procedures and training.”
HIPAA’s privacy and security rules and their enforcement are detailed in the Employer’s Guide to HIPAA Privacy Requirements.
Labels: Providence Health and Services
Heartland Payment Systems hacked
Heartland Payment Systems hacked
Payments processor said breach did not involve merchant, cardholder data
AP-
updated 5:19 p.m. CT, Tues., Jan. 20, 2009
PRINCETON, N.J. - Payments processor Heartland Payment Systems Inc. said Tuesday its system used to process Visa, MasterCard, American Express and Discover Card transactions was breached last year, but asserted that merchant and customer data were not affected.
Robert H.B. Baldwin Jr., president and CFO, said the company found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as Visa and MasterCard.
Heartland, based in Princeton, N.J., said the breach did not involve merchant data, cardholders' Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers. And the company said none of its check management or Canadian or payroll systems or the recently acquired Network Services and Chockstone processing platforms were affected.
Baldwin said in an interview that the only information breached were card numbers and cardholders' names, or one or the other.
Heartland said it was alerted by Visa and MasterCard of unspecified suspicious activity surrounding processed card transactions and enlisted the help of auditors to investigate. The investigation last week uncovered "malicious software" that compromised data in Heartland's network, it said.
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said.
Heartland is increasing security in its systems and will establish a program to flag "network anomalies" as they occur and enable law enforcement to arrest those suspected of interfering with computer systems.
Heartland also has established a Web site, http://www.2008breach.com, to provide information about the incident and advised cardholders to examine their monthly statements and report suspicious activity to their card issuers.
Cardholders are not responsible for unauthorized fraudulent charges made by third parties.
Payments processor said breach did not involve merchant, cardholder data
AP-
updated 5:19 p.m. CT, Tues., Jan. 20, 2009
PRINCETON, N.J. - Payments processor Heartland Payment Systems Inc. said Tuesday its system used to process Visa, MasterCard, American Express and Discover Card transactions was breached last year, but asserted that merchant and customer data were not affected.
Robert H.B. Baldwin Jr., president and CFO, said the company found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as Visa and MasterCard.
Heartland, based in Princeton, N.J., said the breach did not involve merchant data, cardholders' Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers. And the company said none of its check management or Canadian or payroll systems or the recently acquired Network Services and Chockstone processing platforms were affected.
Baldwin said in an interview that the only information breached were card numbers and cardholders' names, or one or the other.
Heartland said it was alerted by Visa and MasterCard of unspecified suspicious activity surrounding processed card transactions and enlisted the help of auditors to investigate. The investigation last week uncovered "malicious software" that compromised data in Heartland's network, it said.
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said.
Heartland is increasing security in its systems and will establish a program to flag "network anomalies" as they occur and enable law enforcement to arrest those suspected of interfering with computer systems.
Heartland also has established a Web site, http://www.2008breach.com, to provide information about the incident and advised cardholders to examine their monthly statements and report suspicious activity to their card issuers.
Cardholders are not responsible for unauthorized fraudulent charges made by third parties.
Labels: Heartland Payment Systems
