Monday, December 14, 2009
Radiant Systems sued over hacked accounts
By Péralte C. Paul
The Atlanta Journal-Constitution
10:08 a.m. Friday, November 27, 2009
A group of Louisiana restaurant owners may proceed as a group in a lawsuit against the Georgia-based maker of a credit card payments system they say allowed hackers to steal customer account numbers.
The seven restaurateurs, who filed suit in a Louisiana state court in March, are suing Radiant Systems of Alpharetta and Computer World, a Louisiana retailer that sold Radiant’s payment processing program called “Aloha.”
The suit alleges the Aloha program illegally stored all the magnetic stripe information after the card was swiped. Storing that card information violates the security standards set by Visa, MasterCard, American Express and Discover.
Card issuers are vigilant because fraud costs them $500 million a year, and those costs are passed on to consumers. The Louisiana breaches were discovered after restaurant customers began reporting unauthorized charges.
Radiant, facing a second suit in Louisiana with similar claims, says the charges are baseless, and such breaches are not uncommon in the restaurant industry.
“It is Radiant’s policy not to comment on the details of pending litigation,” said Paul Langenbahn, president of Radiant’s hospitality division. “What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry. We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves.”
Computer World is named in the suit because its technicians installed a remote-access program on the Aloha system that allowed them to access the hardware and software off-site and fix any technical problems. That remote-access program was vulnerable to attack because the technicians used the same passwords and log-ins for all the restaurants.
Neither Computer World nor its attorney returned telephone calls seeking comment.
Hackers attempt to take $1.3 million from D.C. firm
It has been a while since I've written about online banking fraud against small to mid-sized businesses, but I assure you the criminals perpetrating these attacks have been busier than ever. In fact, from more than a dozen incidents I've been investigating lately, the attackers for whatever reason now appear to be focusing heavily on property management and real estate firms, and title companies.
On Nov. 12, I was contacted by a woman in Washington, D.C. who runs a large property management firm. The woman said her company had just been the victim of online banking fraud, but that her board of directors would not let her discuss the incident on the record. Per her request, I am omitting her name and the name of her firm.
The woman said hackers had tried to transfer more than $1.3 million out of her firm's account, but that all three transactions had been stopped. Still, her story is worth telling because it was not a victimless crime, and it shows how attackers are adding yet another layer of complexity to their scams, all in a bid to buy them more time to make off with the loot. In addition, it illustrates how even a security compromise that has been cleaned up can come back to haunt you, and it demonstrates how one weak link in the chain of trust in commercial online banking can be used to attack other organizations.
Most of the fraud against small businesses that I have been chronicling succeeded because the fraudsters were able to steal the victim's online banking credentials and initiate a series of bogus payroll payments directly to so-called money mules, accomplices hired through work-at-home job schemes who are instructed to withdraw the money and wire it overseas (typically minus an eight percent commission).
But according to this woman's bank, the attackers set the unauthorized transfers in motion by using another company's compromised account to initiate a "pull" or withdrawal from her company's bank account. The crooks instructed nearly $1 million to be transferred from the D.C. firm to a company in West Virginia, and about $100,000 was sent to a company in Manteno, Ill. called Bill Anderson Painting.
I caught up with owner Bill Anderson, who acknowledged that his account was the intended recipient of the transfer from the woman's company even though he had never done work for it before. In addition, he said his company was the beneficiary of a large batch of transfers from two other companies that he did not request.
Anderson told Security Fix that his bank suspects that the attackers had used his company's online banking account credentials to initiate the pulls. Once the money was in his account, the criminals then sent some of it in sub-$10,000 chunks to numerous money mules. Anderson said the thieves succeeded in moving about $115,000 out of his account, which is now frozen by his bank pending the outcome of an investigation.
"Now I can't get into it at all, and the balance says negative $115,000," Anderson said. "My bank froze it and closed it. I don't even have access to my own funds anymore."
The system by which organizations move money from one bank account to another is known as the automated clearing house or "ACH" network, and this case is a stellar example of just how automated the ACH network can be, said Rayleen Pirnie, senior manager for fraud and risk mitigation at EPCOR, a not-for-profit association that offers payment risk management education and training to financial institutions.
Pirnie said the ACH system is most typically used for credits - such as when a company wants to directly deposit an employee's paycheck. But it can also be used for debits or pulls, which can be initiated by any entity with access to the ACH network, provided that entity knows the target's account and routing numbers.
"Unfortunately, there is no policing of that activity because it's an electronic environment," Pirnie said. "So instead of pushing money, which is what most of the criminal groups do through the payroll portion of ACH, they're utilizing another option in the service to credit their account and debit someone else's."
Pirnie said it is likely that the thieves knew the account and routing numbers of the Washington, D.C.-based property management firm, but did not have the user name and password that would allow them to push money out of the firm's online bank account directly to the money mules. Rather, she said, they probably used their access to the ACH system to pull the funds to an account they did control.
When asked about this possibility, the woman from the D.C. firm told Security Fix that indeed her company's bank account information had been compromised a few months before this incident: At the time, her firm's bank called to say they'd detected someone logging into the account from an unusual location online. In response, the company was given a new online banking user name and password, and it tossed out the compromised PC. The company's bank account and routing numbers, however, remained the same.
Pirnie said this type of ACH fraud involving unauthorized pulls is becoming more common, citing a recent case she helped investigate involving a $1.7 million loss at a large company in New Jersey. In that case, the thieves initiated a pull from a small veterinary clinic in Ohio whose online banking credentials they had compromised using a password-stealing Trojan horse program.
"In that case, it looks like the criminals only knew how to operate or only had access to one ACH cash management system but not the other," Pirnie said.
Pirnie said organizations can protect themselves from fraudulent pulls by asking their bank to disallow pulls altogether. Still, she said, companies can best protect themselves against ACH fraud by reconciling their accounts daily and by quickly alerting their bank to any fraudulent activity.
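The two defences Pirnie describes, a debit block or allow-list at the bank and daily reconciliation, can be mirrored on the company's side as an automated check over the day's ACH activity. The following is an added example, not code from the article or from EPCOR; the entry layout, originator IDs and amounts are constructed, and it goes slightly beyond the text by also flagging unexpected large inbound credits, the pattern seen in the Anderson account.

```python
"""Daily ACH reconciliation against a debit filter (constructed example).

Policy: no ACH pull is legitimate unless its originator is on a short
allow-list (payroll provider, utility) and the amount is under that
originator's cap. Large inbound credits from unknown parties are also
flagged, because an account that suddenly receives money it never
requested may be about to be used as a pass-through to money mules.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AchEntry:
    date: str             # settlement date, ISO format
    direction: str        # "debit" = money pulled out, "credit" = money pushed in
    amount: float         # dollars
    originator_id: str    # company ID of the party that originated the entry
    originator_name: str
    trace: str            # trace number; values here are made up


@dataclass(frozen=True)
class DebitRule:
    max_amount: float
    description: str


@dataclass
class Policy:
    # originator_id -> rule; an empty dict is equivalent to a full debit block
    allowed_debits: Dict[str, DebitRule]
    # counterparties that are expected to push money in (customers, refunds)
    expected_credit_originators: Set[str]
    large_credit_threshold: float = 25_000.0


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    entry: AchEntry


def check_entry(entry: AchEntry, policy: Policy) -> Optional[Alert]:
    """Return an Alert if the entry violates the policy, else None."""
    if entry.direction == "debit":
        rule = policy.allowed_debits.get(entry.originator_id)
        if rule is None:
            return Alert("high", "unauthorized ACH pull from unknown originator", entry)
        if entry.amount > rule.max_amount:
            return Alert("high", f"pull exceeds cap for {rule.description}", entry)
        return None
    if entry.direction == "credit":
        unknown = entry.originator_id not in policy.expected_credit_originators
        if unknown and entry.amount >= policy.large_credit_threshold:
            return Alert("medium", "unexpected large inbound credit", entry)
        return None
    return Alert("low", f"unknown direction {entry.direction!r}", entry)


def reconcile(entries: List[AchEntry], policy: Policy) -> List[Alert]:
    """Run every entry through the policy; alerts go to the bank the same day."""
    return [a for a in (check_entry(e, policy) for e in entries) if a is not None]


# Constructed policy: only payroll and the power company may pull money.
SAMPLE_POLICY = Policy(
    allowed_debits={
        "1234567890": DebitRule(60_000.0, "payroll provider"),
        "1987654321": DebitRule(5_000.0, "electric utility"),
    },
    expected_credit_originators={"1444000999"},  # a known tenant/customer
)

# Constructed day of activity, shaped like the case in the article.
SAMPLE_ENTRIES = [
    AchEntry("2009-11-12", "debit", 52_400.00, "1234567890", "PAYROLL SVC", "T0001"),
    AchEntry("2009-11-12", "debit", 999_500.00, "1555000111", "WV COMPANY", "T0002"),
    AchEntry("2009-11-12", "debit", 100_000.00, "1555000222", "PAINTING CO", "T0003"),
    AchEntry("2009-11-12", "debit", 7_150.00, "1987654321", "POWER CO", "T0004"),
    AchEntry("2009-11-12", "credit", 2_300.00, "1444000999", "TENANT LLC", "T0005"),
    AchEntry("2009-11-12", "credit", 110_000.00, "1222000333", "UNKNOWN INC", "T0006"),
]


def alert_reasons(entries: List[AchEntry], policy: Policy) -> List[str]:
    """Convenience view used for reporting and testing."""
    return [a.reason for a in reconcile(entries, policy)]


if __name__ == "__main__":
    for alert in reconcile(SAMPLE_ENTRIES, SAMPLE_POLICY):
        e = alert.entry
        print(f"[{alert.severity}] {e.trace} {e.direction} ${e.amount:,.2f} "
              f"from {e.originator_name}: {alert.reason}")
```

Because unauthorized ACH debits must be returned within a short window, the value of this check is in running it every day, not in the rules themselves.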
PATIENT PRIVACY: FBI probing UMC data leaks
Disclosures of patient information alleged in violation of federal privacy laws
By SCOTT WYLAND
LAS VEGAS REVIEW-JOURNAL
The FBI is investigating claims that sensitive patient information was leaked from University Medical Center, violating federal privacy laws.
Hospital officials suspect at least one employee sold documents with confidential data about accident victims to local attorneys who could use it to solicit business from these patients.
"We're trying to find out how widespread it is," hospital spokesman Rick Plummer said, noting that the FBI investigation began Friday morning. "It goes against everything we stand for. Whatever attorney's office this went to should be very nervous."
Those who flout the federal Health Insurance Portability and Accountability Act, also known as HIPAA, face a possible $250,000 fine and 10 years in prison for each offense.
The State Bar of Nevada has received no complaints about attorneys inappropriately receiving or using UMC patient information, spokesman Phil Pattee said.
But Pattee said a combination of ethics rules prohibits lawyers from engaging in the kind of activity alleged in the UMC case.
"Essentially you cannot give nonlawyers anything of value for referring a client to you," he said.
While lawyers are allowed to advertise, they are not allowed to solicit business directly from prospective clients, although there are exceptions, Pattee said.
Because federal laws might have been broken, local authorities probably won't get involved, said Bill Cassell, a spokesman for the Metropolitan Police Department.
The U.S. Attorney's office will handle the case if an arrest is made, according to an official in the district attorney's office.
Daniel Bogden, the U.S. attorney for Nevada, said he could neither confirm nor deny that a matter is under investigation.
But he said he is not aware of any past federal prosecutions in Nevada involving HIPAA violations.
UMC is a county hospital with a trauma center that handles a high volume of patients who have been in car wrecks.
An unnamed tipster showed a Las Vegas Sun reporter "face sheets" containing personal data on accident victims, including birth dates, Social Security numbers and injuries, Plummer confirmed. The newspaper informed the hospital's chief executive Kathy Silver, who said she had heard rumors about leaks months before.
Silver declined to comment Friday.
Clark County Commissioner Rory Reid said he told both Silver and the county manager to launch an investigation. The hospital must prevent further breaches of privacy and notify the patients whose personal information was disclosed, Reid said. The county also should do an internal audit to help pinpoint the leaks, he said.
This is the latest blow to a hospital struggling to improve its finances and image. UMC's deficit ballooned to more than $80 million this year and is expected to remain deep in the red next year.
Lacy Thomas, the hospital's former chief executive, was fired nearly three years ago amid allegations that he mismanaged funds and funneled lucrative contracts to Chicago friends who did no work in return.
Commissioner Lawrence Weekly, who sits on UMC's board of trustees, said he was upset that the hospital suffered a setback in regaining the public's trust. The leaks unfairly blemish the hospital employees who are honest and dedicated to helping patients, he said.
"It's frustrating and it's disheartening," Weekly said. "This kind of nonsense is unacceptable."
Review-Journal writer Carri Geer Thevenot contributed to this report. Contact reporter Scott Wyland at swyland@reviewjournal.com or 702-455-4519.
Hancock Fabrics Linked to Fraud in 3 States
CA, WI and MO Investigators Say Recent Thefts Tied to Retailer's Transactions
Linda McGlasson, Managing Editor
November 23, 2009
Bank customers in California, Wisconsin and Missouri are reporting fraudulent ATM withdrawals that police say are tied to transactions conducted with the Hancock Fabrics retail chain.
In California, Napa Police Department spokesman Brian McGovern says 60 residents reported their cards being used by thieves. In one case, a Napa resident reported $840 in cash withdrawals. The Hancock Fabrics store on Imola Avenue in Napa was the "common thread" among the numerous people who reported credit and debit card fraud. McGovern says the store had recently replaced its point-of-sale machines.
At about the same time, as many as 70 Wisconsin victims reported suspicious ATM withdrawals from their accounts, according to Wood and Portage county law enforcement, which also ties the thefts to machines in Hancock Fabrics stores.
And in Missouri, at least 10 customers at Hancock Fabrics in the St. Louis area reported their debit card numbers and PINs stolen during the week of November 9.
Hancock Fabrics (HFKI) is a Baldwyn, MS-based fabrics and sewing supplies retailer, operating 264 retail stores in 37 states. Hancock has so far not responded to repeated calls inquiring about these breaches and their possible link to the retailer.
California Crimes
Charter Oak Bank in California had four customers report money missing from their accounts, says Tom Ragusa, vice president and compliance officer.
Losses from the four customers are under $10,000, Ragusa says, and the bank has issued new cards to the customers. The bank has also contracted with its core service provider, Jack Henry, to put in new measures on transactions, including IP address restrictions. The bank also will hold a fraud presentation for its cash management customers to educate them about these threats and other types of fraud.
"We're monitoring our customers' accounts, and time will tell how many more will be affected," he says. "Some customers don't look at their statements, so we don't know until they come forward."
The Napa Police Department has also received information from the Sacramento County Sheriff's Department of tampering in at least five card swipe machines at other Hancock Fabric locations, McGovern says.
Wisconsin Spree
In Wisconsin, the cash withdrawals came over several days from the Milwaukee area in mid-October from customers who made purchases at Hancock Fabrics stores in August and September, says Portage Sheriff's Department Detective Gary Koehmstedt.
He estimates the total loss is in the $40,000 range. It appears that the thefts are related to ones that occurred in Napa and in Sacramento over the same weekend, Koehmstedt notes.
Missouri Thefts
In Missouri, local news reports say theft cases are being investigated in O'Fallon, Chesterfield, Richmond Heights, Des Peres, Town and Country, St. Charles, St. Peters, and St. Louis. All the customers who reported money missing shopped at Hancock Fabrics, according to reports.
Local law enforcement agents say the common denominator in all of these reported scams is Hancock Fabrics. Investigators believe the previous credit card readers at the stores may have been capturing account numbers and PINs. At least $3,000 was taken from two of the customers' bank accounts, according to police reports.
Another in a Line of Breaches
This year's most noted breach is Heartland Payment Systems, which reportedly involves 130 million compromised accounts.
Other companies have been breached and credit card and debit card information taken, such as this summer's announcement by the Radisson hotel chain that a breach had occurred, and an undetermined amount of data was taken.
The Payment Card Industry Security Standards Council released a resource this past summer to help merchants and other companies to better recognize and understand the inherent vulnerabilities in the use of point of sale terminals and terminal infrastructure.
Settlement OK’d over hacking into financial firm
CLAIR JOHNSON Of The Gazette Staff | Posted: Thursday, November 12, 2009 9:30 pm
A federal judge approved a settlement Thursday in a class action lawsuit against D.A. Davidson & Co. over clients’ information that was compromised by a computer hacker almost two years ago.
Chief U.S. District Judge Richard Cebull called the agreement “fair and reasonable.”
The settlement could affect 226,000 current and former customers; about 90,000 of them are Montana residents.
The civil settlement makes available $1 million to class members for reimbursement if they suffer losses through identity theft. The agreement also gives class members until June 2011 to file a claim for losses.
“This case was about peace of mind,” said John Heenan, a Billings attorney who represented the plaintiffs. Now investors know money is available if they have expenses or losses, he said.
D.A. Davidson’s attorney, Jim Goetz of Bozeman, said the company is pleased with the agreement. The company took immediate steps to protect its customers after learning of the security breach by providing on its own two years of credit protection monitoring, he said. So far, there has been no evidence of losses from identity theft. “This is insurance just in case,” Goetz said.
On Dec. 20, 2007, a D.A. Davidson database of confidential personal and financial information of current and former clients was hacked using sophisticated techniques. The company learned of the problem on Jan. 16, 2008, immediately contacted law enforcement and other regulators and hired a forensic security consultant to investigate. The hacker did not gain access to the company’s operating systems or account information, and no trading accounts were affected.
The settlement is the result of more than a year of negotiations between parties after lawsuits were filed.
The parties reached a preliminary agreement in August. A few class members objected to the proposed settlement, but only one of the objections was determined to be substantial. In a mediation session on Tuesday before U.S. Magistrate Judge Carolyn Ostby, the problems were resolved. At the request of the plaintiffs, the deadline for filing a claim was extended.
Meanwhile, a criminal investigation into the hacking of Davidson’s computer files appears to have borne fruit. Investigators followed a trail that led to the arrest of three Latvians in the Netherlands. The suspects allegedly were to pick up money from the company in an extortion plot in which D.A. Davidson initially was advised to send the money to Russia.
The three Latvian suspects were extradited from the Netherlands and arrived in the United States on Oct. 22. Aleksandrs Hoholko, 29, Jevgenijs Kuzmenko, 25, and Vitalijs Drozdovs, 33, pleaded not guilty during an arraignment in Great Falls on Oct. 26.
A fourth “John Doe” defendant, identified as Robert Borko, has not appeared on charges.
Prosecutors allege that it was the fourth defendant who hacked into D.A. Davidson’s computer system and downloaded more than 300,000 client files.
He then sent the company an e-mail advising that their clients’ financial information had been compromised and attached 20,000 account records to prove his claim. In more e-mails, the hacker suggested that the company may want to keep the breach confidential, identified himself as an information technology security consultant and agreed to delete all the stolen information and identify security weaknesses.
Hoholko allegedly picked up or attempted to pick up money wired to the Netherlands from Montana, transactions that were confirmed by the alleged hacker in more e-mails to D.A. Davidson.
The five-count indictment charges conspiracy, extortion, fraud, obtaining financial records through unauthorized access to computers and threatening communications and receipt of extortion proceeds. The defendants face a maximum 20 years in prison and a maximum $250,000 fine if convicted.
Connecticut Attorney General Investigating BCBS Data Breach
On Monday, Connecticut Attorney General Richard Blumenthal (D) said he is investigating whether the BlueCross BlueShield Association violated state law by waiting nearly two months to inform affected individuals about a data security breach, the Hartford Courant reports.
Connecticut state law requires organizations that experience data breaches to inform affected individuals with "reasonable" speed. The law does not specify a time frame for disclosure (Gosselin, Hartford Courant, 11/10).
Breach Details
A laptop stolen in Chicago in August contained information on about 850,000 BCBS-affiliated physicians nationwide, including about 18,800 Connecticut health care providers. The association did not inform affected individuals until October, Blumenthal said.
The compromised data included addresses, names and official identification numbers (Baruzzi, New Haven Register, 11/10).
BCBS spokesperson Jeff Smokler said about 18% of the entries contained Social Security numbers (Blesch, Modern Healthcare, 11/9).
The stolen laptop did not include any patient information (Miller, Danbury News-Times, 11/9).
Credit Monitoring
Blumenthal also criticized BCBS for offering affected physicians only one year of identity theft protection.
On Monday, BCBS said they would extend credit monitoring services for two years (Dixon, Connecticut Post, 11/9).
Fraud ‘hits’ follow local data breach
School employees’ Social Security, bank information stolen
By Howard Buck
Columbian staff writer
Social Security numbers of Vancouver Public Schools’ 3,000-plus employees are assumed to be stolen, district officials said Tuesday.
A security breach disclosed on Monday also involves personal banking account information for those employees who use direct payroll deposit, officials said.
Vancouver Police Department computer forensics experts continue to investigate the incident.
Already, several Vancouver district employees have reported "hits" of suspicious personal banking account activity after their financial institutions were alerted to possible fraud, by the district or by employees directly.
"They are out there," Steve Olsen, VPS chief fiscal officer, said of the Social Security numbers, along with names, birth dates and other personal identification and banking information believed compromised.
It now appears someone who gained ID and password access cracked into the Citrix software "server farm" hosted by Educational Service District 112, based in Vancouver. That person obtained personal payroll data, said Olsen and Linda Turner, the district’s technology officer.
An out-of-order "process," or computer data run, first drew attention of managers last Friday, Turner said.
"We believe it was an outsider that hacked into the system," Turner said.
Vancouver Superintendent Steve Webb on Tuesday urged all employees to take precautions: Each should notify their bank, credit union or other institution and ask that their account(s) be flagged for monitoring.
District employees also were advised to contact one of three nationwide credit reporting agencies to request a fraud alert for identity theft. They were directed to telephone the firms Equifax, Experian or TransUnion to complete a "several-minute process," which should guard them from any unauthorized charges.
Webb told employees the district acted quickly on Monday to notify all Vancouver-Portland area banks and credit unions. The plan was to contact large national banks Tuesday, Webb said.
The unsettling news has jolted faculty members, said Ann Giles, head of the Vancouver district teachers’ union.
Reaction covered "a variety of emotions" that include fear and anger, Giles told school board members during a meeting on Tuesday.
Investigation so far points to unauthorized access of what is called the Vancouver PS WESPaC Fiscal system, housed in the Southwest Regional Data Center.
The center is an arm of ESD 112 that supports computerized student (including student grades) and fiscal systems for K-12 school districts across the ESD’s five-county, Southwest Washington territory.
ESD held a special meeting on Tuesday to update school representatives from across Clark County and the region.
It’s believed the security breach was limited only to Vancouver district data, said Brant Russell, the data center director.
Russell noted that Vancouver district officials immediately changed all employee passwords for its Citrix and WESPaC access after discovering the breach.
In turn, the regional data center is supported by the Washington School Information Processing Cooperative. The Everett-based, nonprofit co-op oversees student and fiscal software systems for 282 of Washington state’s 295 school districts.
The cooperative is assisting the Vancouver district, ESD 112 and Vancouver police in the investigation, said Marty Daybell, WSIPC executive director.
Daybell said internal inspection showed the co-op’s master software firewall had not been breached to expose any other school system’s data. But he was no less troubled by an apparent intrusion at the ESD 112 end, he said.
"We have not had direct exposure. This could very well be the first," Daybell said. The extent of Vancouver data pilfered could "run the scale from simple to catastrophe," he said, awaiting more word from investigators.
RBS WorldPay: 8 Hackers Indicted in $9 Million ATM Theft
Expert: 'I Don't Think it Will Take a Big Bite Out of Crime'
Linda McGlasson, Managing Editor
November 12, 2009
Eight members of a hacker ring that made off with more than $9 million in a massive ATM fraud scheme last November were indicted in an Atlanta, GA courtroom this week.
The eight men, all from eastern European countries, are accused of hacking into a computer system at RBS WorldPay, the U.S. payment-processing division of Royal Bank of Scotland Group. They then allegedly cloned prepaid ATM cards, which they used to draw out cash from 2,100 ATMs in 280 cities around the world within a couple of hours.
Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a person known only as "Hacker 3" were charged in a federal grand jury indictment for hacking into a computer network operated by the Atlanta-based credit card processing company.
The 16-count indictment charges Tsurikov, Pleshchuk, Covelin and "Hacker 3" with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, access device fraud and aggravated identity theft. The indictment states the accused group used sophisticated hacking techniques to compromise the data encryption used by RBS WorldPay to protect customer data on payroll debit cards.
Igor Grudijev, 31, Ronald Tsoi, 31, Evelin Tsoi, 20, and Mihhail Jevgenov, 33, each of Tallinn, Estonia, were indicted for access device fraud.
Reactions
The RBS WorldPay indictments may have stopped this small group of criminals, but the banking industry should not think that this is the end of this type of crime, say industry security and fraud experts.
"These hacking crimes are on par with bank robberies -- small groups of criminals running around looking for the next big heist," says Mike Urban, Senior Director Fraud Solutions at FICO. Urban notes the efforts of law enforcement to bring them to justice, saying we need more of that kind of international cooperation. "However, for every criminal who is picked up for prosecution, there are many more out there testing the industry's defenses."
Rick Howard, Director Security Intelligence at VeriSign's iDefense group, also gives a thumbs up to law enforcement's efforts to corner this group. "I think it's great they got these guys. We don't applaud them (law enforcement) enough; they did a good job."
But he agrees that there are many more hackers out there trying to get in. "I don't think it will take a big bite out of crime," Howard says. "I don't think we can ever go back to 'normal.'"
In fact, says Gartner analyst Avivah Litan, "It can happen again, and it probably will." Litan sees no shortage of highly skilled and well educated criminals who have no legitimate work opportunities in their home countries and "therefore turn to what seems like 'harmless and bloodless' crime against the capitalist West as a way to leverage their skills and earn some money."
Internet Carding Operations Offline
The latest indictments may have caused at least three of the major underground carding websites to go dark, says Howard. Several high-profile carding communities have been inaccessible since late Monday and Tuesday as well. "Perhaps just coincidental? But the timing is odd," he says. The same thing happened when the Russian Business Network was taken down, he says. The carding sites and the criminals who operate on them may be regrouping and preparing to rebound, Howard notes.
Howard also says one of the men indicted on Tuesday, Oleg Covelin, was also indicted in September in connection with the New York-based "Western Express" cyber crime syndicate. Covelin could be linked to the same group with connections to the former Russian Business Network, Howard states. "We always speculated that members of that group would pop up somewhere else," he adds.
Howard describes the eight as being "typical cyber crime kings of the world. They are professional and way beyond the old model of 'script kiddies' hacking into a network for fun."
How Group Attacked RBS WorldPay
The group apparently studied the RBS network "for some time," says Gartner's Litan. "They understood exactly which tables they needed to access and which data they needed to modify to commit their crimes," she says. The RBS network configuration must have been relatively easy for them to navigate once they got in, and "It's likely they got in through malware or SQL Injection attacks," Litan notes. She is not sure how they broke the encryption, but says what she is learning from forensic investigators is that, "Generally speaking, the criminals are taking over super-user accounts and gaining administrator privilege into these sensitive systems, in which case they have access to decrypted data."
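The cash-out pattern this article describes, a handful of cloned cards drained at thousands of ATMs across many cities within a couple of hours, is exactly what issuer-side velocity monitoring is meant to catch. As an added example (not code from the article, from RBS WorldPay or from any processor), here is a small Python detector run over constructed withdrawal records; the record format, thresholds, city names and the date are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Withdrawal:
    """One ATM cash withdrawal as an issuer or processor might log it.
    The field set is an assumption for this example."""
    card: str          # card identifier; constructed, not a real PAN
    city: str
    amount: float
    ts: datetime       # timezone-aware timestamp


def per_card_velocity_alerts(withdrawals, window=timedelta(hours=2),
                             max_cities=3, max_amount=2000.0):
    """Flag a card when its withdrawals inside a sliding window touch more
    distinct cities, or pull more cash, than one cardholder plausibly could.
    Returns {card: reason} for every flagged card."""
    by_card = defaultdict(list)
    for w in withdrawals:
        by_card[w.card].append(w)
    alerts = {}
    for card, events in by_card.items():
        events.sort(key=lambda w: w.ts)
        start = 0
        for end, cur in enumerate(events):
            # drop events from the left until the span fits inside `window`
            while cur.ts - events[start].ts > window:
                start += 1
            span = events[start:end + 1]
            cities = {w.city for w in span}
            total = sum(w.amount for w in span)
            if len(cities) > max_cities:
                alerts[card] = f"{len(cities)} cities in {window}"
                break
            if total > max_amount:
                alerts[card] = f"${total:.0f} withdrawn in {window}"
                break
    return alerts


def coordinated_cashout(withdrawals, window=timedelta(hours=2),
                        min_cards=2, min_cities=5):
    """Portfolio-level signal for the coordinated variant: several cards
    together hitting many cities in the same fixed time bucket.  Returns a
    list of (bucket_start, card_count, city_count) per suspicious bucket."""
    secs = window.total_seconds()
    cards = defaultdict(set)
    cities = defaultdict(set)
    for w in withdrawals:
        key = int(w.ts.timestamp() // secs)   # epoch-aligned bucket index
        cards[key].add(w.card)
        cities[key].add(w.city)
    bursts = []
    for key in sorted(cards):
        if len(cards[key]) >= min_cards and len(cities[key]) >= min_cities:
            start = datetime.fromtimestamp(key * secs, tz=timezone.utc)
            bursts.append((start, len(cards[key]), len(cities[key])))
    return bursts


def _t(hour, minute):
    # constructed date for the sample; any tz-aware timestamps work
    return datetime(2008, 11, 8, hour, minute, tzinfo=timezone.utc)


# Constructed sample: one legitimate card and two cloned cards drained in
# a single evening.  Amounts, cities and times are made up for the example.
SAMPLE = [
    Withdrawal("C-1001", "Atlanta", 200.0, _t(9, 0)),
    Withdrawal("C-1001", "Atlanta", 100.0, _t(18, 0)),
    Withdrawal("X-7", "Atlanta", 500.0, _t(22, 0)),
    Withdrawal("X-7", "Chicago", 500.0, _t(22, 10)),
    Withdrawal("X-7", "Montreal", 500.0, _t(22, 25)),
    Withdrawal("X-7", "Moscow", 500.0, _t(22, 40)),
    Withdrawal("X-7", "Hong Kong", 500.0, _t(23, 5)),
    Withdrawal("X-8", "Rome", 900.0, _t(22, 5)),
    Withdrawal("X-8", "Rome", 900.0, _t(22, 30)),
    Withdrawal("X-8", "Rome", 900.0, _t(22, 50)),
]

if __name__ == "__main__":
    for card, why in per_card_velocity_alerts(SAMPLE).items():
        print(f"card {card}: {why}")
    for start, n_cards, n_cities in coordinated_cashout(SAMPLE):
        print(f"burst at {start:%H:%M} UTC: {n_cards} cards, {n_cities} cities")
```

The per-card check catches a single cloned card moving between cities faster than a person can; the bucket check catches the coordinated burst even when each card individually stays under the thresholds.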
Who's Next?
The two latest, largest data breaches happened at RBS WorldPay and Heartland Payment Systems, so the obvious question is: Who will be next? The biggest bullseyes for hackers are painted on networks across the payments industry, says Gartner's Litan. She sees the bullseyes equally distributed across payment processors, Visa, MasterCard, Amex and Discover, and the card issuing banks themselves. "The criminals will be relentless in finding, targeting and studying the network and database infrastructures and processes of those firms that have the most valuable data that can be turned into cash," she says. "Certainly, the ATM networks are a prime target."
Litan warns that the attacks are increasingly sophisticated, and there is no reason to think they will end soon. "I certainly don't see any reduction in the number and frequency of attacks," she says. "These attacks are not unbeatable however - with the right technology, policies and processes, most criminal activity can certainly be stopped. It's just a matter of bringing the right resources to bear in order to solve these thorny problems."
4 Hackers Indicted in $9.5 Million Bank Card Attack
Four men have been indicted in Georgia on charges that they hacked into the Atlanta-based bank card processing company RBS WorldPay. They allegedly used an army of flunkies to steal $9.5 million in cash from ATMs around the world in a span of hours.
Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as “Hacker 3” were indicted by a federal grand jury in what’s being described as “perhaps the most sophisticated and organized computer fraud attack ever conducted.”
The hack involved reverse-engineering PINs for payroll debit card accounts — the holy grail of bank card hacking. Another four people based in Estonia were also indicted on access-device fraud charges in connection with the hack.
The case is being prosecuted by the U.S. Attorney’s office for the Northern District of Georgia, in Atlanta.
RBS WorldPay, the payment-processing arm of the Royal Bank of Scotland, provides a multitude of electronic payment processing services, including debit card transactions, electronic benefits transfer payments (EBT), gift cards, customer-loyalty cards, prepaid cards, credit card and ATM-processing services. The processor discovered on November 10, 2008 that it had been hacked and that the intruders had accessed account details for 100 payroll cards. The hackers also obtained Social Security numbers of about 1.1 million account holders.
Initial reports painted the intrusion as a limited hack, due to the number of cards compromised. But the 16-count indictment charges that the four hackers “compromised the data encryption” that RBS WorldPay used on payroll debit cards to raise the amount of funds available on the cards, as well as withdrawal limits. Payroll debit cards are used by employers to pay employees instead of checks. In some cases the hackers raised the limits to $500,000.
According to the indictment, Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access on November 4. Pleshchuk allegedly developed the method for reverse-engineering the encrypted PINs.
Once the hackers raised the account limits, they provided an army of cashers with 44 cards embedded with the account details for a coordinated, simultaneous attack on ATMs around the world. On November 8, the cashers were instructed to begin siphoning money, and they hit more than 2,000 ATMs in less than 12 hours, netting about $9.5 million. Three Estonian defendants charged for their role in cashing — Ronald Tso, Evelin Tsoi and Mihhail Jevgenov — allegedly were responsible for withdrawing about $289,000 from ATMs in Tallinn, Estonia.
The cashers kept 30 to 50 percent of the loot before transmitting the remainder back to the hackers in Eastern Europe through Western Union and Web Money, a Russia-based digital currency service. The hackers, still in RBS’s network, were able to observe the withdrawals of funds from ATMs as they occurred in real time in order to monitor the amounts being taken by cashers and lock the accounts to prevent further withdrawals.
Once the mission was completed, the hackers tried to erase their tracks on the RBS network.
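The cash-out pattern the indictment describes (a handful of cards, thousands of ATMs, many countries, under 12 hours) is detectable from the processor's own authorization stream: no legitimate cardholder withdraws in three cities within an hour, and no legitimate day has dozens of distinct cards all bursting at once. The following is an added example, not code from the indictment, RBS WorldPay or any investigator; the withdrawal records, thresholds and city names are constructed for illustration, and a sliding one-hour window is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawals (card id, UTC time, city, amount in USD).
# Illustrative records only, not data from the RBS WorldPay case.
WITHDRAWALS = [
    ("card-A", "2008-11-08 12:00", "Tallinn",   1000),
    ("card-A", "2008-11-08 12:04", "Moscow",    1000),
    ("card-A", "2008-11-08 12:09", "Atlanta",   1000),
    ("card-A", "2008-11-08 12:15", "Toronto",   1000),
    ("card-A", "2008-11-08 12:21", "Hong Kong", 1000),
    ("card-B", "2008-11-08 09:30", "Denver",     300),
    ("card-B", "2008-11-09 18:10", "Denver",     200),
    ("card-C", "2008-11-08 12:02", "Kiev",      1500),
    ("card-C", "2008-11-08 12:03", "Kiev",      1500),
    ("card-C", "2008-11-08 12:30", "Kiev",      1500),
]

WINDOW = timedelta(hours=1)       # assumed tuning value
MAX_CITIES_PER_WINDOW = 2         # a cardholder cannot be in 3+ cities within an hour
MAX_AMOUNT_PER_WINDOW = 3000      # tune to the product's legitimate daily limit


def parse(rows):
    """Group rows by card, each as a time-sorted list of (datetime, city, amount)."""
    by_card = defaultdict(list)
    for card, ts, city, amount in rows:
        by_card[card].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), city, amount))
    for events in by_card.values():
        events.sort()
    return by_card


def flag_cashouts(rows, window=WINDOW, max_cities=MAX_CITIES_PER_WINDOW,
                  max_amount=MAX_AMOUNT_PER_WINDOW):
    """Return {card: reason} for cards whose withdrawals inside any sliding
    window breach the geographic-dispersion or total-amount threshold."""
    alerts = {}
    for card, events in parse(rows).items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward so events[start..end] span <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            cities = {city for _, city, _ in span}
            total = sum(amount for _, _, amount in span)
            if len(cities) > max_cities:
                alerts[card] = f"{len(cities)} cities within {window}"
                break
            if total > max_amount:
                alerts[card] = f"${total} withdrawn within {window}"
                break
    return alerts


def peak_concurrent_cards(rows, window=WINDOW):
    """Largest number of distinct cards withdrawing inside any single window.
    A coordinated cash-out shows up as many cards active at the same moment,
    even when each card on its own stays under the per-card thresholds."""
    events = sorted((ts, card) for card, evs in parse(rows).items() for ts, _, _ in evs)
    peak = start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        peak = max(peak, len({card for _, card in events[start:end + 1]}))
    return peak


if __name__ == "__main__":
    for card, reason in flag_cashouts(WITHDRAWALS).items():
        print(f"ALERT {card}: {reason}")
    print("peak distinct cards in one window:", peak_concurrent_cards(WITHDRAWALS))
```

The per-card checks catch card-A on geography and card-C on amount; the cross-card count is the signal that distinguishes a coordinated operation from an isolated stolen card. In a real processor the strongest upstream indicator is the one the indictment itself points at: a withdrawal limit on a payroll card being raised shortly before a burst, which should be correlated with these alerts rather than treated as a routine account update.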
Tsurikov was arrested earlier this year in Estonia and is being held there pending extradition to the United States. The Justice Department will not comment at this time on the status of Pleshchuk and Covelin, a spokesman told Threat Level.
Tsurikov, Pleshchuk, Covelin and “Hacker 3” face a maximum sentence of up to 20 years in prison for conspiracy to commit wire fraud and other wire-fraud counts, and up to five years in prison for conspiracy to commit computer fraud as well as up to five or 10 years for each count of computer fraud. They also face a two-year mandatory minimum sentence for aggravated identity theft and fines of up to $3.5 million.
Covelin was also indicted in September in New York as part of a gang that authorities dubbed the Western Express Cybercrime Group. That group, operating between 2001 and 2007, trafficked in at least 95,000 known stolen credit card numbers.
The group worked with a New York-based company called Western Express International, which authorities allege was used to coordinate and facilitate the illegal activities and launder the ring’s ill-gotten gains.
Corporate Breaches Increase Chances Of Consumer ID Theft, Study Says
When their data is leaked by a business, individuals are four times more likely to suffer identity theft, Javelin study says
By Tim Wilson, DarkReading
Nov. 4, 2009
URL: http://www.darkreading.com/story/showArticle.jhtml?articleID=221600348
Consumers who have received data breach notifications within the past year are at a much greater risk for fraud than typical consumers, according to a new study.
According to a report published last week by Javelin Research, individuals whose personal information has been compromised in a corporate breach are four times more likely to suffer identity theft or fraud. This result runs contrary to the common mantra among breached companies, which often say that they have no indication that the compromised data has been used by criminals.
"Data breach notifications are intended to help consumers take protective action," said Mary Monahan, managing partner and research director at Javelin. "Notification is critical because consumers are over four times more likely to encounter actual fraudulent transactions if they receive a data-breach notification."
But the Javelin study also indicates that most consumers don't see a direct relationship between breach notifications and identity theft.
"During each of the past three years, an average of 11 percent of consumers received a breach notification," Javelin said. "Slightly more than 33 percent of breach victims experienced exposure of their Social Security numbers, and 15 percent of breach victims had their ATM PINs compromised. [But] despite 19.5 percent of breach victims suffering some kind of fraud in the past year, only 2 percent attribute their fraud to the breach."
The Javelin report, "Data Breach Notifications: Victims Face Four Times Higher Risk of Fraud," is based on multiple years of data and includes updates on 2009 data breaches. The report also presents a timeline overview of the most recent and egregious data breaches in U.S. history, with recommendations for how individuals and companies can increase safety.
Men allegedly broke into computers of former employer
By Dan Goodin in San Francisco
Posted in Crime, 5th November 2009 00:12 GMT
Federal authorities on Wednesday filed intrusion charges against two men accused of accessing the computer systems of their former employer.
Scott R. Burgess, 45, of Jasper, Indiana, and Walter D. Puckett, 39, of Williamstown, Kentucky, both worked as managers for Indiana-based Stens Corporation until taking jobs with a competing company in Ohio, according to an indictment filed in federal court. On at least 12 occasions, they used old passwords to log in to their former employer's computer system and access proprietary information, prosecutors allege.
Although the men left their jobs in 2004 and early 2005, they were able to use the outdated passwords successfully as late as September of 2006. On at least two occasions, administrators at Stens grew suspicious and terminated old passwords. The men simply tried different login credentials - and succeeded several times.
If convicted, they face five years in prison each and a $250,000 fine. Attorneys for the men weren't available to comment. ®
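The Stens case is the textbook offboarding failure: credentials that survived the owner's departure by up to two years, and a piecemeal cleanup that disabled some accounts while leaving others usable. Both gaps are cheap to check by joining the HR roster against the directory and the authentication log. The following is an added example, not code from the case or from Stens; the roster, the enabled-account list, the log lines and their key=value format are all constructed for illustration.

```python
import re
from datetime import date

# Constructed HR roster: account -> last day of employment (None = still employed).
# Illustrative accounts, not the Stens employees.
ROSTER = {
    "jdoe":   date(2004, 11, 30),
    "wsmith": date(2005, 2, 15),
    "alee":   None,
}

# Constructed directory snapshot: accounts that are currently enabled.
ENABLED_ACCOUNTS = {"jdoe", "wsmith", "alee", "svc_backup"}

# Date of the audit run (constructed).
AUDIT_DATE = date(2006, 9, 13)

# Constructed auth log in a syslog-like key=value shape (illustrative format).
AUTH_LOG = """\
2006-09-12 22:14:03 host=fileserver user=jdoe result=success src=203.0.113.7
2006-09-12 22:16:40 host=fileserver user=wsmith result=failure src=203.0.113.7
2006-09-12 22:17:02 host=fileserver user=wsmith result=success src=203.0.113.7
2006-09-13 08:01:11 host=fileserver user=alee result=success src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \S+ host=(\S+) user=(\S+) result=(\S+) src=(\S+)$")


def parse_auth_log(text):
    """Yield (date, host, user, result, src) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            day, host, user, result, src = m.groups()
            yield date.fromisoformat(day), host, user, result, src


def logins_after_departure(log_text, roster):
    """Successful logins by accounts whose owner's last day has already passed.
    Each hit is (user, login date, host, source IP, days since departure)."""
    hits = []
    for day, host, user, result, src in parse_auth_log(log_text):
        last_day = roster.get(user)
        if result == "success" and last_day is not None and day > last_day:
            hits.append((user, day.isoformat(), host, src, (day - last_day).days))
    return hits


def stale_enabled_accounts(roster, enabled, today):
    """Two offboarding gaps: accounts still enabled although the owner has left,
    and enabled accounts with no owner in the HR roster at all."""
    departed = {u for u, last in roster.items() if last is not None and last < today}
    enabled = set(enabled)
    orphaned = enabled - set(roster)
    return sorted(departed & enabled), sorted(orphaned)


if __name__ == "__main__":
    for hit in logins_after_departure(AUTH_LOG, ROSTER):
        print("post-departure login:", hit)
    still_on, orphans = stale_enabled_accounts(ROSTER, ENABLED_ACCOUNTS, AUDIT_DATE)
    print("departed but still enabled:", still_on)
    print("enabled with no HR owner:", orphans)
```

The second function is the preventive control: run it on a schedule against the directory and the departed-but-enabled list should always be empty. The first is the detective control for the interval before cleanup catches up, and the failed-then-successful pair for one departed user is exactly the "tried different login credentials" behaviour the indictment describes. Orphaned accounts with no HR owner (service accounts here) deserve their own review, since they are the ones a departing administrator most often keeps.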
Bank of New York Mellon Employee Charged with ID Theft
Computer Technician Alleged to Have Used ID's to Steal $1.1 Million
Linda McGlasson, Managing Editor
October 30, 2009
A computer technician has been indicted in New York Supreme Court, charged with stealing the identities of more than 150 Bank of New York Mellon employees and using them to steal more than $1.1 million from charities, non-profit groups and other entities.
Adeniyi Adeyemi, a 27-year-old man from Brooklyn, was charged with grand larceny and identity theft in a 149-count indictment. Prosecutors say Adeyemi worked in the bank's Information Technology Department and committed the crimes between November 2001 and April 30, 2009. While employed at BONY, he stole the identities of dozens of employees and used them to open more than 30 bank and brokerage accounts with several financial institutions including E*Trade, Fidelity, Citi, Wachovia, and Washington Mutual. Prosecutors say Adeyemi used these accounts as dummy accounts for the purpose of receiving stolen funds.
The Manhattan District Attorney's office says Adeyemi then stole money from the bank accounts of charities and non-profit organizations and funneled it into those dummy accounts, later withdrawing the stolen funds or transferring them to a second layer of dummy accounts. The prosecutors say that charities are easy prey for identity thieves with computer expertise because they readily disseminate their banking details on the internet to facilitate donations. Adeyemi used this to his advantage, the prosecutors allege, using the internet for most of his crimes.
The charities and organizations that Adeyemi allegedly stole money from include: Goodwill Industries of Greater New York and Northern New Jersey, Iris Ministries, the Kalgidhar Trust, the Sudanese American Community Development Organization, Ravi Zacharias International Ministries, AFK Foundation, the American Community School at Beirut, the Jacksonville Humane Society, American Friends of Birdlife International, the International Association of Women Judges, the Space Generation Advisory Council, and the American Association for Clinical Chemistry. Prosecutors allege Adeyemi also stole from Bank of New York employees.
To stay under anti-money-laundering monitoring thresholds set by banks, Adeyemi is alleged to have structured all wire transfers to be just under $10,000, the amount above which banks must file a currency transaction report with the US Treasury. He then allegedly used the stolen money to purchase more than $100,000 in USPS money orders, and used them to pay personal expenses including apartment rent and credit card bills. He also redeemed the money orders to ship "substantial" amounts of goods overseas, primarily to Nigeria, prosecutors allege.
Law enforcement began watching Adeyemi after suspicious Internet activity was traced back to wireless Internet connections in Adeyemi's apartment building in Brooklyn.
The New York/New Jersey Electronic Crimes Task Force of the United States Secret Service investigated the connections, and a search of Adeyemi's apartment turned up dozens of Bank of New York employees' credit reports on his computer, along with many other documents containing the personal information of more than 150 BONY employees. Adeyemi was arrested during the search and has remained in jail since April 30.
Law enforcement also found in a rented storage locker notebooks containing hundreds of names, social security numbers, account numbers and other personal data, along with numerous credit cards in Bank of New York employees' names. They also recovered $30,000 in cash from his apartment.
If convicted of all the 149 counts in the indictment, Adeyemi could face more than 50 years in prison.
Regulators want more authority to protect nation’s power grid
Oversight agencies support House bills that would fill gaps in current law
By William Jackson
Oct 28, 2009
Regulators overseeing the nation’s power generation and distribution system say this critical infrastructure is at risk because they do not have the power to quickly respond to threats and vulnerabilities to the system.
Representatives from the Federal Energy Regulatory Commission, the North American Electric Reliability Corp. and the Energy Department told a House panel Tuesday that legislation now pending in the House could help correct current problems.
“The [Federal Energy Regulatory Commission’s] current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system,” Joseph McClelland, director of FERC’s Office of Electric Reliability, told the Energy and Commerce subcommittee on Energy and the Environment. “These types of threats pose an increasing risk to our nation’s electric grid, which undergirds our government and economy and helps ensure the health and welfare of our citizens. Congress should address this risk now.”
Two bills, HR 2165, the Bulk Power System Protection Act of 2009, and HR 2195, an amendment to the Federal Power Act, have been introduced in the House to revamp security regulation of the nation’s power grid. The bulk power system is defined by law as generation and high-voltage transmission systems, and does not include distribution substations and lower-voltage networks that distribute electricity to customers. Alaska, Hawaii, and Guam are specifically excluded from reliability regulations, as are many major cities and population centers such as New York and Washington, D.C.
“Both H.R. 2165 and H.R. 2195 address the principal gap that NERC sees in the current law,” said NERC vice president and general counsel David Cook. That gap is that “the federal government lacks sufficient authority to act to address an imminent and specific cyber security threat to the critical infrastructure of the United States.”
FERC oversees the nation’s bulk power system under the Energy Policy Act of 2005, and has certified NERC as the electric reliability organization representing the industry. FERC enforces standards but does not create them; NERC creates standards but does not enforce. NERC, as the designated ERO, has responsibility for proposing security standards and requirements for the bulk power system, which FERC can either accept, reject or suggest revisions to.
The process is time-consuming and does not respond to rapidly emerging and evolving cyber threats. NERC proposed its Critical Infrastructure Protection (CIP) standards, CIP-002 through CIP-009 with some 40 requirements, in 2006; FERC approved them in 2008, with compliance to become mandatory in 2010. But those standards still are being finalized, and requirements for compliance are being phased in gradually.
One of the weaknesses in the CIP standards is that they apply only to the critical assets that each of the roughly 1,800 entities owning and/or operating the Bulk Power System identifies for itself. Many of those entities have not yet completed that identification.
“At this point, however, it is clear that all critical assets and associated critical cyber assets have not been identified and therefore made subject to the protection requirements of the CIP standards,” McClelland said. “This represents a significant gap in cyber security protection.”
Another problem is that the Bulk Power System covered under existing regulation does not include the entire power grid. It excludes Alaska and Hawaii, as well as some transmission and all local distribution facilities, including virtually all of the grid facilities in certain large cities such as New York. This precludes commission action to mitigate cyber or other national security threats to these facilities, McClelland said.
Security issues are becoming more urgent with the development of a smart grid, a next-generation intelligent power system that will include two-way flows both of energy and data. The Recovery Act provided $4.5 billion to jumpstart research and development of smart grid technology, and some elements of it such as smart metering already are being implemented.
The National Institute of Standards and Technology is developing security standards for this new infrastructure, and this summer issued Release 1.0 of the “NIST Framework and Roadmap for Smart Grid Interoperability Standards” as well as Draft NISTIR 7628, “Smart Grid Cyber Security Strategy and Requirements.”
“The need for vigilance will increase as new technologies are added to the bulk power system,” McClelland said. “Given the national security dimension to this threat, there may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure.”
But current regulations lack clear and rapid enforcement authority.
“NERC believes that the U.S. government needs additional emergency authority to address specific, imminent cyber security threats,” Cook said. “With immediate emergency authority in the hands of government, NERC would be better positioned to develop and implement longer-term cyber security and critical infrastructure protection Reliability Standards.”
Under the bills introduced, FERC would be authorized to issue an Emergency Security Directive to owners and operators of the Bulk Power System, covering a specific period of time, if the secretary of Energy has determined that a power grid emergency exists. The emergency would have to be addressed within 60 days.
HR 2165 covers the bulk power system only. HR 2195 is broader and covers all “critical electric infrastructure,” defined in the legislation as generation, transmission, distribution, and metering infrastructure.
About the Author
William Jackson is a senior writer for GCN.
Oversight agencies support House bills that would fill gaps in current law
•By William Jackson
•Oct 28, 2009
Regulators overseeing the nation’s power generation and distribution system say this critical infrastructure is at risk because they do not have the power to quickly respond to threats and vulnerabilities to the system.
Representatives from the Federal Energy Regulatory Commission, the North American Electric Reliability Corp. and the Energy Department told a House panel Tuesday that legislation now pending in the House could help correct current problems.
“The [Federal Energy Regulatory Commission’s] current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system,” Joseph McClelland, director of FERC’s Office of Electric Reliability, told the Energy and Commerce subcommittee on Energy and the Environment. “These types of threats pose an increasing risk to our nation’s electric grid, which undergirds our government and economy and helps ensure the health and welfare of our citizens. Congress should address this risk now.”
Two bills, HR 2165, the Bulk Power System Protection Act of 2009, and HR 2195, an amednment to the Federal Power Act, have been introduced in the House to revamp security regulation of the nation’s power grid. The bulk power system is defined by law as generation and high voltage transmission systems, and does not include distribution substations and lower voltage networks that distribute electricity to customers. Alaska, Hawaii, and Guam are specifically excluded from reliability regulations, as are many major cities and population centers such as New York and Washington, D.C.
“Both H.R. 2165 and H.R. 2195 address the principal gap that NERC sees in the current law,” said NERC vice president and general counsel David Cook. That gap is that “the federal government lacks sufficient authority to act to address an imminent and specific cyber security threat to the critical infrastructure of the United States.”
FERC oversees the nation’s bulk power system under the Energy Policy Act of 2005, and has certified NERC as the electric reliability organization representing the industry. FERC enforces standards but does not create them; NERC creates standards but does not enforce. NERC, as the designated ERO, has responsibility for proposing security standards and requirements for the bulk power system, which FERC can either accept, reject or suggest revisions to.
The process is time-consuming and does not respond to rapidly emerging and evolving cyber threats. NERC proposed a set of 40 Critical Infrastructure Protection Standards in 2006, which FERC adopted in 2008, to become mandatory in 2010. But those standards still are being finalized, and requirements for compliance are being phased in gradually.
One of the weaknesses in the CIP standards is that they apply only to critical infrastructure as identified by the 1,800 entities that own and/or operate the Bulk Power System, and so far many of those entities have not identified their critical assets.
“At this point, however, it is clear that all critical assets and associated critical cyber assets have not been identified and therefore made subject to the protection requirements of the CIP standards,” McClelland said. “This represents a significant gap in cyber security protection.”
Another problem is that the Bulk Power System covered under existing regulation does not include the entire power grid. It excludes Alaska and Hawaii, as well as some transmission and all local distribution facilities, including virtually all of the grid facilities in certain large cities such as New York. This precludes commission action to mitigate cyber or other national security threats to these facilities, McClelland said.
Security issues are becoming more urgent with the development of a smart grid, a next-generation intelligent power system that will include two-way flows both of energy and data. The Recovery Act provided $4.5 billion to jumpstart research and development of smart grid technology, and some elements of it such as smart metering already are being implemented.
The National Institute of Standards and Technology is developing security standards for this new infrastructure, and this summer issued Release 1.0 of the “NIST Framework and Roadmap for Smart Grid Interoperability Standards” as well as Draft NISTIR 7628, “Smart Grid Cyber Security Strategy and Requirements.”
“The need for vigilance will increase as new technologies are added to the bulk power system,” McClelland said. “Given the national security dimension to this threat, there may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure.”
But current regulations lack clear and rapid enforcement authority.
“NERC believes that the U.S. government needs additional emergency authority to address specific, imminent cyber security threats,” Cook said. “With immediate emergency authority in the hands of government, NERC would be better positioned to develop and implement longer-term cyber security and critical infrastructure protection Reliability Standards.”
Under the bills introduced, FERC would be authorized to issue an Emergency Security Directive to owners and operators of the Bulk Power System, covering a specific period of time, if the secretary of Energy has determined that a power grid emergency exists. The emergency would have to be addressed within 60 days.
HR 2165 covers the bulk power system only. HR 2195 is broader and covers all “critical electric infrastructure,” defined in the legislation as generation, transmission, distribution, and metering infrastructure.
About the Author
William Jackson is a senior writer for GCN.
Massive bot attack spoofs Facebook password messages
'Bredolab' Trojan rides fake reset messages, reaches at least 735,000 users
Gregg Keizer
October 28, 2009 (Computerworld) A massive bot-based attack has been hitting Facebook users, with nearly three-quarters of a million users receiving fake password reset messages, according to security researchers.
The attack, which began Monday afternoon, according to e-mail security vendor Cloudmark, targets Facebook users with a spoofed message that claims recipients' Facebook passwords have been reset as a security measure. The messages, which come bearing subject lines such as "Facebook Password Reset Confirmation," include a file attachment that supposedly contains the new password.
In fact, the attached .zip file includes a Trojan downloader, dubbed "Bredlab" by some antivirus companies, "Bredolab" by others. The downloader grabs a variety of malware from hacker servers, including fake security software, or "scareware," and installs attack code and rogue antivirus applications on the compromised PCs.
Multiple security companies, including Symantec, Trend Micro, MX Lab and Websense, have put out warnings about the attack campaign. "This variant of Bredolab connects to a Russian domain and the infected machine is most likely becoming part of a Bredolab botnet," said Shunichi Imano, a security researcher at Symantec, in a post to the firm's security blog.
Jamie Tomasello, Cloudmark's abuse operations manager, said today that her company alone has detected nearly three-quarters of a million phony Facebook messages since Monday, and nearly 250,000 in the last 24 hours. "Our count continues to go up, and is at about 735,000 now," said Tomasello. "It's a pretty high volume."
According to Tomasello, both desktop clients and ISPs that use Cloudmark to filter potentially malicious mail have reported receiving the fake Facebook e-mail.
At least 8% of the users who have received one of the fake messages have tagged it as legitimate, going to the trouble of pulling the message from their junk folder -- where Cloudmark has placed it -- because they think it's real, Tomasello said. Cloudmark has no data on how many users were actually duped into opening the .zip file and running the enclosed .exe that installs Bredolab, however.
"The numbers are equal to or higher than other Facebook malware or phishing campaigns," Tomasello claimed. She said that Cloudmark is currently revising that 8% estimate upwards.
Because of its huge base -- last month Facebook said it had more than 300 million users -- the site is a frequent target for hackers and identity thieves.
Last March, for example, the Koobface worm made the rounds on Facebook, as well as other social networking sites such as MySpace and Friendster, infecting large numbers of users.
Facebook confirmed that the attack is being conducted via e-mail, not on Facebook itself, which is the tactic other malware, including Koobface, has used. "We're educating users on how to detect this through the Facebook Security Page," a Facebook spokesman said today. Users should be wary of suspicious or unexpected e-mail that claims to be from Facebook. "Facebook will never send you a new password as an attachment," he added.
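The lure described above has three checkable traits: a subject announcing a password reset, a sender that claims to be Facebook from some other domain, and a .zip attachment wrapping an .exe. The following filter is an added example, not Cloudmark's or Facebook's code; the message it scores is constructed here, and the sender domain, file names and zip contents are inert placeholders.

```python
# Added example (not Cloudmark's or Facebook's code); the sample message is constructed.
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")

def archive_has_executable(blob: bytes) -> bool:
    """True if a ZIP payload carries a Windows executable (the Bredolab delivery pattern)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(n.lower().endswith(EXECUTABLE_SUFFIXES) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def password_reset_lure_reasons(raw: bytes) -> list:
    """Return why a raw RFC 822 message looks like the lure; an empty list means clean."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").lower()
    if "password" in subject and "reset" in subject:
        reasons.append("subject announces a password reset")
    display, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    # Heuristic only: a production rule would rely on SPF/DKIM results, not the header text.
    if "facebook" in (display + addr).lower() and domain != "facebook.com":
        reasons.append("claims Facebook but sender domain is " + (domain or "missing"))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and archive_has_executable(part.get_payload(decode=True)):
            reasons.append("zip attachment %s contains an executable" % name)
    return reasons

def build_sample_message(spoofed: bool = True) -> bytes:
    """Constructed stand-in for the lure (spoofed=True) or a benign notice; no real code inside."""
    msg = EmailMessage()
    msg["To"] = "user@example.org"
    msg["From"] = "Facebook <service@facebook-mail.example>" if spoofed else "Facebook <notification@facebook.com>"
    msg["Subject"] = "Facebook Password Reset Confirmation" if spoofed else "You have a new friend request"
    msg.set_content("Your new password is in the attachment." if spoofed else "Log in to respond.")
    if spoofed:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Facebook_Password_4cf91.exe", b"MZ placeholder, not real code")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Facebook_Password_4cf91.zip")
    return bytes(msg)
```

Run against the constructed lure the filter reports all three traits; the benign notice from facebook.com with no attachment reports none.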