Thursday, February 25, 2010

 

Top 9 Breaches of 2009

Linda McGlasson, Managing Editor
December 14, 2009


The top breaches of 2009 can be described in many ways, but the first word that comes to mind is "big."
With the announcement in January of the breach that surpassed the 2005 TJX breach, Heartland Payment Systems leads all of the hacks that hit or affected the financial services industry in 2009.

Here's the chronological list of the biggest breaches of 2009, and updates in the various cases since they were first announced:

1. Heartland Payment Systems
Princeton, NJ
Date: January 20
Records Taken: 130 million credit and debit card account numbers

Heartland Payment Systems announced on Jan. 20 that its network had been breached. The payment processor handles transactions for 250,000 merchants. Subsequently, it was revealed through indictments that 130 million credit and debit cards were compromised by the breach. While the outcome of several class action lawsuits has not been decided yet, the criminal accused of perpetrating the hack, Albert Gonzalez of Miami, FL, was indicted in August and is prepared to plead guilty. Financial institutions will watch closely the developments in the class action suits as they move through the courts in 2010.

2. RBS WorldPay
Atlanta, GA
Date: November 2008/February 4, 2009
Records Taken: 1.5 million credit and debit cards

In February 2009 the FBI was still searching for suspects in what was being called a well-orchestrated ATM card scam when the true extent of RBS WorldPay's hack was revealed. In a news report on February 4, the FBI said that a network of thieves withdrew $9 million from 130 ATMs in 49 cities around the world just after midnight on November 8, using cloned cards created from data stolen in the RBS WorldPay hack. Eight men from Eastern Europe were indicted for the crime in November 2009 and face stiff fines and lengthy jail sentences if convicted.

3. Countrywide Financial
Fort Worth, TX
Date: May 4, 2009
Records Taken: 4,000 account numbers

A man posing as an Air Force reservist obtained thousands of account numbers from Countrywide Financial in Fort Worth, TX. Investigators tracked the case to his accomplice, a customer service representative. The Air Force impostor stole $500,000.

4. Chase Bank
New York, NY
Date: May 18, 2009
Records Taken: Unknown

Four Romanian men were arrested in Florida after being accused of skimming a Chase Bank ATM in Central New York. Police say several customers who used the ATM at a Chase Bank in Cicero later found cash had been withdrawn from their accounts at ATMs in New York City, totaling about $40,000. A skimmer was found in the card slot of the machine.

5. Network Solutions
Herndon, VA
Date: June 8, 2009
Records Taken: 573,000 credit and debit cardholders information

A data breach at Internet domain administrator and host Network Solutions compromised personal and financial data for more than 573,000 credit and debit cardholders. To add more pain to the breach, Network Solutions says it was PCI compliant at the time of the breach.

The breach was the result of hackers planting rogue code on the company's Web servers used to host mostly small online stores, intercepting financial transactions between the sites and their customers.

6. American Express
Phoenix, AZ
Date: July 7, 2009
Records Taken: Thousands of card numbers

Two Phoenix men are accused of stealing thousands of American Express card numbers and swindling more than $1 million from customers. Police discovered during their investigation that a former employee had not only worked as a computer database analyst for American Express but was also one of the few who could possibly have downloaded all of the company's account holder information, including the PINs used to withdraw money from ATMs at different banks, according to court records.

7. Capital One Bank
Minneapolis, MN
Date: September 6, 2009
Records taken: Unknown number of bank customer accounts

Prosecutors in Minneapolis say that between July 2008 and April 2009 a crime ring purchased the personal information of Capital One Bank customers from an online source in Ukraine. The group then used the information to create counterfeit credit cards, withdrawing more than $652,205.49 from more than 170 ATMs throughout the Twin Cities. Eleven people have been charged in the counterfeit credit card scheme, and eight of them are in custody.

8. PayChoice
Moorestown, NJ
Date: October 15, 2009
Records Taken: Unknown

PayChoice, a New Jersey-based payroll processor, alerted its online customers on October 15 that its network had been breached for a second time in less than a month. The payroll processing company warned its customers by email about the new breach after some clients reported "phantom" employees showing up on their payrolls.

9. Bank of New York Mellon
New York, NY
Date: October 28, 2009
Records Taken: 150 identities of employees

A computer technician was indicted in New York Supreme Court, charged with stealing the identities of more than 150 Bank of New York Mellon employees and using them to steal more than $1.1 million from charities, non-profit groups and other entities.

Adeniyi Adeyemi, a 27-year-old man from Brooklyn, was charged with grand larceny and identity theft. Prosecutors say Adeyemi worked in the bank's Information Technology Department and committed the crimes between November 2001 and April 30, 2009. He is accused of stealing the identities of dozens of employees and using them to open more than 30 bank and brokerage accounts with several financial institutions including E*Trade, Fidelity, Citi, Wachovia and Washington Mutual.

 

Heartland Pays $3.6 Million to American Express

First Settlement to Result from Landmark Data Breach
Linda McGlasson, Managing Editor
December 18, 2009


Heartland Payment Systems will pay $3.6 million to American Express to settle charges relating to Heartland's landmark data breach.
The payment, Heartland says in a press release announcing the settlement, resolves "all intrusion-related issues between the two parties" regarding the breach of an estimated 130 million credit and debit cards.

"We are pleased to have reached an equitable settlement with American Express," says Bob Carr, Heartland's chairman and chief executive officer. "This settlement marks the first agreement with a card brand related to the intrusion."

The U.S. Department of Justice has charged Albert Gonzalez and accomplices with the Heartland attack, and says Heartland was only one of several companies that Gonzalez and the other hackers targeted with SQL injection attacks.


The other companies hacked include 7-Eleven and Hannaford Brothers. Credit card companies, including American Express, Visa and MasterCard, were forced to cancel and reissue credit cards because of the Heartland data breach. Banks and credit unions have also sued the payments processor to recoup the costs of reissuing cards and to cover the cost of fraud that resulted from the breach.

Earlier this year, Heartland said it had put aside more than $12 million to cover the charges related to the breach. Heartland is expected to be fined by other brands, including Visa and MasterCard.

 

Flagstar Bank Warns Customers of Potential Breach

Vendor Lost Laptop Holding Social Security Numbers
Linda McGlasson, Managing Editor
December 8, 2009


A missing laptop may have caused a security breach at Flagstar Bank in Grand Rapids, MI, according to a letter the bank sent to some of its customers on Nov. 25.
The bank's letter tells customers that a laptop owned by an unidentified bank vendor was stolen and held an undisclosed number of customer social security numbers.

"We have no reason to believe that the files with this information will be accessed or used inappropriately," says the letter. "However, in the interest of caution, we felt it was important to inform you of this incident. We also have taken steps to place an alert on your home equity checking account and other deposit accounts in our system."

Letters were sent only to customers who may have been affected. According to a bank official, the vendor is a company that helps Flagstar with bank services.

Flagstar Bank, based in Troy, MI, has 180 branches in Michigan, Indiana and Georgia and assets of more than $16 billion.

 

HSBC Reports Accidental Exposure of Customer Bankruptcy Info

Software 'Bug' Revealed Personal Data Online
Linda McGlasson, Managing Editor
December 9, 2009


An undisclosed number of HSBC customers had personal data exposed online about their bankruptcy proceedings, according to a data breach notification letter dated November 20 and sent to the New Hampshire attorney general's office. The letter was made public last week.
The bank says a bug in its imaging software, which should have redacted sensitive data about customers going through Chapter 13 bankruptcy proceedings, ended up exposing the proof of claim forms that were filed electronically. The "bug" was discovered by HSBC Taxpayer Financial Services, Inc. on July 9, 2009. The notification letter says the information turned out to be viewable "as a result of the deficiency in the software used to save imaged documents." The exposed data included claim forms filed between May 1, 2007 and October 17, 2009.

HSBC did not say what the problem was with the imaging software, but says a limited number of customers were affected. The company sent letters to affected customers in October and is offering them one year of free credit monitoring.

Some customers of the following HSBC companies are affected: HSBC Taxpayer Financial Services, Beneficial New Hampshire and Household Finance Corporation. The exposed data may include HSBC credit card, line-of-credit or mortgage information, the company says.

Based in London, HSBC is one of the largest banking and financial services companies in the world. HSBC lists assets of more than $390 billion, according to the Federal Reserve's list of top 50 Bank Holding Companies.

Analysis of Breach
If the exposed data was truly due to a "bug" in the software, then there isn't much HSBC could have done technically, says Matt Davis, Audit and Compliance principal practice lead at SecureState, a Cleveland, OH-based risk management assessment firm. "In most cases, these 'bugs' are actually misconfigurations of the software," Davis says.

Often, Davis adds, vendors are required to provide a technical implementation guide that says how to install software properly. "When doing PCI DSS audits, it's one of the first things I look for with clients using commercial software -- to see if they have that guide and followed it," he says. "Unlike electronics manuals, in these cases, you definitely need to read the instructions."

What HSBC should have done, he says, is some sort of audit or assessment of the application to ensure the effectiveness of the encryption/redact controls. "It's the old 'trust but verify.' If you think about it, the testing necessary was simply sampling the records. It's a bit sad really, as it looks like they were trying to do the right thing."
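Davis's point about sampling can be turned into a routine check. The following Python script is an added example, not HSBC's software or anything described in the notification letter: it runs a redaction function over a handful of constructed proof-of-claim records (the names, SSNs and card numbers are hypothetical; the card numbers are public test PANs), then scans the output for anything that still reads as a Social Security number or a Luhn-valid card number. A second, deliberately narrow redactor only recognises hyphenated SSNs, the kind of pattern match a misconfigured product would leave in place, and the sample check catches what it misses.

```python
from __future__ import annotations

import random
import re

# Constructed records standing in for imaged proof-of-claim forms.
# Names, SSNs and card numbers are hypothetical (the PANs are public test numbers).
SAMPLE_RECORDS = [
    "Proof of claim: JANE DOE, SSN 123-45-6789, acct 4111111111111111, amount $4,210.00",
    "Proof of claim: JOHN ROE, SSN 987 65 4321, acct 5500000000000004, amount $980.50",
    "Proof of claim: A. SMITH, SSN 111223333, acct 340000000000009, amount $12,000.00",
]

SSN_HYPHENATED = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Any 9-digit SSN layout: hyphens, spaces, or no separator at all.
SSN_ANY = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")
# Candidate card / account numbers: 13 to 19 consecutive digits.
PAN_ANY = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(m: re.Match) -> str:
    """Keep only the last four digits of a card number."""
    pan = m.group()
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Correct redactor: masks every SSN layout and all card numbers."""
    return PAN_ANY.sub(mask_pan, SSN_ANY.sub("XXX-XX-XXXX", text))


def redact_narrow(text: str) -> str:
    """Deliberately weak redactor: only hyphenated SSNs are recognised."""
    return PAN_ANY.sub(mask_pan, SSN_HYPHENATED.sub("XXX-XX-XXXX", text))


def find_leaks(text: str) -> list[str]:
    """Return sensitive values still readable in supposedly redacted text."""
    leaks = [m.group() for m in SSN_ANY.finditer(text)]
    leaks += [m.group() for m in PAN_ANY.finditer(text) if luhn_ok(m.group())]
    return leaks


def verify_redaction(records, redactor, sample_size, seed=0):
    """Redact a random sample and report any record whose output still leaks.

    Returns {original_record: [leaked values]}; an empty dict means the sample passed.
    """
    rng = random.Random(seed)
    sample = rng.sample(list(records), min(sample_size, len(records)))
    failures = {}
    for rec in sample:
        leaked = find_leaks(redactor(rec))
        if leaked:
            failures[rec] = leaked
    return failures


if __name__ == "__main__":
    print("correct redactor leaks:", verify_redaction(SAMPLE_RECORDS, redact, 3))
    print("narrow redactor leaks:", verify_redaction(SAMPLE_RECORDS, redact_narrow, 3))
```

The check is deliberately independent of the redactor: it does not ask whether the redaction ran, it asks whether the output still contains what the redaction was supposed to remove, which is the form of verification Davis describes.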

 

Phishing Scam Expands to Three More States

Bank, Credit Union Customers Fooled by Bogus Text Messages
Linda McGlasson, Managing Editor
December 7, 2009


Banking customers in three additional states have received bogus text messages purporting to be from their institutions.
As part of a growing wave of similar phishing attempts throughout the nation, customers in Cincinnati, Ohio; St. Louis, Missouri; and Lewiston, Idaho last week reported receiving text messages stating that their bank accounts had been frozen.

These attacks mirror those against bank customers in October in Pennsylvania, Nebraska and New York, and are part of a continuing wave of phishing attacks that have shot up 600 percent over last year, according to the Anti-Phishing Working Group.

In Ohio, one Cincinnati US Bank customer told law enforcement about receiving the text message, calling the phone number listed and then giving out an account number, expiration date and PIN. The next day, the customer became suspicious and called the number again and heard the following message: "This is a message from the Federal Trade Commission. The telephone number you've just called has been disconnected because it may be involved in a scam."

The customer called US Bank, had the card replaced and didn't lose any money. Law enforcement reported a number of banks had been targeted in the scam.

Similar reports came from customers of Bridgeton, MO-based Vantage Credit Union, who told the credit union they had received the same text message phishing scam.

According to Eric Acree, executive vice president at Vantage, the phishers began sending the fake text messages over the weekend. Phishing scammers have posed as the credit union before, and Vantage is trying to educate customers about its security procedures, Acree says. When the number in the text message was checked early last week, a recording stated that it, too, had been disconnected by the FTC.

The Idaho Credit Union League (ICUL) also warned its membership about the text message scam. According to a news release from the group, early last week several credit unions reported that their members and non-members had received text messages requesting them to send their account information because "restrictions have been discovered/placed on your account."

The credit union league says these text messages appear to have originated from the credit union's phone number and web address, but in fact are fraudulent. Potlatch No. 1 Federal Credit Union was reportedly one of the credit unions targeted by the scam.

 

ATM Fraud: New Skimming Scheme Spreads

MD, IL, GA Banks, Customers Targeted by Fraudsters
Linda McGlasson, Managing Editor
December 7, 2009


Three ATM skimming operations in Maryland, Illinois and Georgia have netted thieves more than $120,000, according to law enforcement agencies investigating the crimes. These discoveries follow several recent incidents of ATM skimming in other states.
Maryland State Police report that an ATM skimmer was placed on a Bank of America ATM in Eldersburg, MD, and that possibly $30,000 was taken last week. Police have removed the skimmer, but say there could be more. State police have reported other incidents at various other banks in Northern Virginia and Maryland. Two men reportedly were photographed installing the skimming device, which collected card information from customers. The men then came back, removed the device, made counterfeit ATM cards with the stolen information and withdrew money.

In Illinois, thieves used a Bank of America ATM to steal $20,000. Police report the criminals installed a skimming device on a drive-up ATM in Mt. Prospect. The skimmer reportedly was used on Oct. 11, 12, 24, and 25, as well as Nov. 26-29 to steal $20,192 from 316 debit card accounts. The criminals removed the skimmer before employees could find it. Several bank customers complained Monday, Nov. 30, about unauthorized withdrawals.

That report came a week after a similar ploy in Buffalo Grove, where more than $70,000 was taken from an ATM at a Chase Bank branch. Chase Bank officials told police that security video recorded two suspects placing a camera and recording device on the ATM inside the lobby of the bank on November 14. The two then returned on Nov. 16 and used account information that was recorded to withdraw funds from multiple accounts.

The Savannah-Chatham, GA, Metro Police report they were tipped off to two skimming incidents.

Detective Ray Woodberry of the Savannah-Chatham Metro Police says they have seen three reports of skimming over the past few months, including the most recent one at a Bank of America ATM on Victory Drive in Savannah.

Woodberry reports an ATM technician discovered the skimming devices at the Bank of America and reported it to police. There is no word yet how many customers may have been victimized by thieves.

 

Hancock Fabrics Linked to Fraud in 3 States

CA, WI and MO Investigators Say Recent Thefts Tied to Retailer's Transactions
Linda McGlasson, Managing Editor
November 23, 2009


Bank customers in California, Wisconsin and Missouri are reporting fraudulent ATM withdrawals that police say are tied to transactions conducted with the Hancock Fabrics retail chain.
In California, Napa Police Department spokesman Brian McGovern says 60 residents reported their cards being used by thieves. In one case, a Napa resident reported $840 in cash withdrawals. The Hancock Fabrics store on Imola Avenue in Napa was the "common thread" among the numerous people who reported credit and debit card fraud. McGovern says the store had recently replaced its point-of-sale machines.

At about the same time, as many as 70 Wisconsin victims reported suspicious ATM withdrawals from their accounts, according to Wood and Portage county law enforcement, which also ties the thefts to machines in Hancock Fabrics stores.

And in Missouri, at least 10 customers of Hancock Fabrics in the St. Louis area reported their debit card numbers and PINs stolen during the week of November 9.

Hancock Fabrics (HFKI) is a Baldwyn, MS-based fabrics and sewing supplies retailer operating 264 retail stores in 37 states. Hancock has so far not responded to repeated calls inquiring about these breaches and their possible link to the retailer.

California Crimes
Charter Oak Bank in California had four customers report money missing from their accounts, says Tom Ragusa, vice president and compliance officer.

Losses from the four customers are under $10,000, Ragusa says, and the bank has issued new cards to the customers. The bank has also contracted with its core service provider, Jack Henry, to put new controls on transactions, including IP address restrictions. The bank also will hold a fraud presentation for its cash management customers to educate them about these threats and other types of fraud.

"We're monitoring our customers' accounts, and time will tell how many more will be affected," he says. "Some customers don't look at their statements, so we don't know until they come forward."

The Napa Police Department has also received information from the Sacramento County Sheriff's Department of tampering in at least five card swipe machines at other Hancock Fabric locations, McGovern says.

Wisconsin Spree
In Wisconsin, the cash withdrawals came over several days from the Milwaukee area in mid-October from customers who made purchases at Hancock Fabrics stores in August and September, says Portage Sheriff's Department Detective Gary Koehmstedt.

He estimates the total loss is in the $40,000 range. It appears that the thefts are related to ones that occurred in Napa and in Sacramento over the same weekend, Koehmstedt notes.

Missouri Thefts
In Missouri, local news reports say theft cases are being investigated in O'Fallon, Chesterfield, Richmond Heights, Des Peres, Town and Country, St. Charles, St. Peters, and St. Louis. All the customers who reported money missing shopped at Hancock Fabrics, according to reports.

Local law enforcement agents say the common denominator in all of these reported scams is Hancock Fabrics. Investigators believe the previous credit card readers at the stores may have been capturing account numbers and PINs. At least $3,000 was taken from two of the customers' bank accounts, according to police reports.
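The "common denominator" the investigators describe is what card issuers call common point of purchase (CPP) analysis: take the cards that have reported fraud, pull their recent transactions, and find the merchant where an unusually high share of them were used. The Python below is an added example with constructed transactions (card and merchant identifiers are hypothetical labels, not Hancock Fabrics or bank data); it ranks merchants by the fraction of their customers who later reported fraud, compared against the base rate across all cards so that a grocer everyone shops at does not outrank the real compromise point, and it reports the date range over which the compromised cards were used there, which is the exposure window to check against events such as a terminal replacement.

```python
from collections import defaultdict

# Constructed transaction log: (card id, merchant id, date).  Hypothetical data.
TRANSACTIONS = [
    ("C1", "FABRIC-STORE-NAPA", "2009-09-02"), ("C1", "GROCER-A", "2009-09-03"),
    ("C2", "FABRIC-STORE-NAPA", "2009-09-05"), ("C2", "GAS-B", "2009-09-06"),
    ("C3", "FABRIC-STORE-NAPA", "2009-09-11"), ("C3", "GROCER-A", "2009-09-12"),
    ("C4", "GROCER-A", "2009-09-04"), ("C4", "GAS-B", "2009-09-08"),
    ("C5", "GROCER-A", "2009-09-09"), ("C5", "PHARMACY-C", "2009-09-10"),
    ("C6", "FABRIC-STORE-NAPA", "2009-09-15"), ("C6", "PHARMACY-C", "2009-09-16"),
    ("C7", "GAS-B", "2009-09-17"),
]
# Cards whose holders have reported fraudulent withdrawals (constructed).
FRAUD_REPORTED = {"C1", "C2", "C3", "C6"}


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=2):
    """Rank merchants by how concentrated reported-fraud cards are among their customers.

    Returns a list of dicts, best candidate first.  'lift' is the merchant's fraud
    rate divided by the base rate over all cards; a value near 1.0 means the merchant
    is merely popular, not compromised.
    """
    cards_at = defaultdict(set)    # merchant -> every card seen there
    dates_at = defaultdict(list)   # merchant -> dates on which fraud cards were used there
    for card, merchant, date in transactions:
        cards_at[merchant].add(card)
        if card in fraud_cards:
            dates_at[merchant].append(date)
    all_cards = {card for card, _, _ in transactions}
    base_rate = len(fraud_cards & all_cards) / len(all_cards)

    results = []
    for merchant, cards in cards_at.items():
        hit = cards & fraud_cards
        if len(hit) < min_fraud_cards:
            continue  # too few data points to say anything about this merchant
        rate = len(hit) / len(cards)
        results.append({
            "merchant": merchant,
            "fraud_cards": len(hit),
            "total_cards": len(cards),
            "fraud_rate": rate,
            "lift": rate / base_rate,
            "first_seen": min(dates_at[merchant]),   # estimated exposure window
            "last_seen": max(dates_at[merchant]),
        })
    results.sort(key=lambda r: (r["fraud_rate"], r["fraud_cards"]), reverse=True)
    return results


if __name__ == "__main__":
    for r in common_point_of_purchase(TRANSACTIONS, FRAUD_REPORTED):
        print(f"{r['merchant']:<20} {r['fraud_cards']}/{r['total_cards']} cards "
              f"rate={r['fraud_rate']:.2f} lift={r['lift']:.2f} "
              f"window {r['first_seen']}..{r['last_seen']}")
```

With real data the input is the issuer's authorization history for every card that filed a fraud claim, and the merchant key is the terminal or store identifier rather than the chain, since a skimmer is installed in one register, not in every store.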

Another in a Line of Breaches
This year's most noted breach is Heartland Payment Systems, which reportedly involves 130 million compromised accounts.

Other companies have been breached and credit card and debit card information taken, such as this summer's announcement by the Radisson hotel chain that a breach had occurred, and an undetermined amount of data was taken.

The Payment Card Industry Security Standards Council released a resource this past summer to help merchants and other companies to better recognize and understand the inherent vulnerabilities in the use of point of sale terminals and terminal infrastructure.

 

ATM Fraud: 7 Growing Threats to Financial Institutions

Skimming, Ram Raids Target Consumers and Their Cash
Linda McGlasson, Managing Editor
June 8, 2009


The Heartland Payment Systems (HPY) data breach may be the fraud story of year (so far), but ATM and debit card thefts are growing steadily and frighteningly at financial institutions.
Witness the recent announcement by law enforcement in New York City that a criminal gang had stolen $500,000 from hundreds of customers' bank accounts via skimming devices that read and stored account information at Sovereign Bank branches in Staten Island. The gang installed cameras on the machines, catching victims typing in their PINs, and used the captured data to clone the cards, according to police.

A recent survey by security vendor Actimize shows that almost 70 percent of financial institutions experienced an increase in ATM/debit card fraud claims in 2008 compared to 2007. Twenty-three percent of respondents say those claims jumped by 5 to 9 percent, while the rest noted growth of anywhere between 10 and 74 percent. These numbers are only expected to grow in 2009, as a result of the recession.

Half of the institutions surveyed say they were hit with fraud complaints that came out of some of the major data breaches, with more than 30 percent saying they had seen fraud incidents as a result of the TJX hack, and 30 percent cited the Heartland hack.

Approximately 80 percent of the survey respondents say the big data breaches can decrease consumer confidence in ATM/debit card use. About 15 percent say they have reissued cards to more than 20 percent of their cardholder customers. In 2008, the financial institutions surveyed lost an average of $744,321 -- with some as high as $12 million -- to ATM fraud alone, and an average of $145,560, or as high as $1 million, to data breaches.

ATM Fraud Trends
The reason that criminals target ATMs is simple. "Criminals like cards and PINs. It is much easier to cash them out, rather than to hire a mule or repackager with stolen credit cards," says fraud expert Mike Urban, Senior Director of Fraud Solutions at Fair Isaac. If the magnetic stripe data and PIN are available, it is easy money for the criminal to get the cash out of the ATM. "There is no fence, no making an authentic card to use at a retailer," he says. While this crime is much harder to perpetrate, criminals prefer it over other types of card fraud, such as signature-based fraud.

Here are the top ATM/debit card fraud trends:

#1. Skimming -- The upswing in skimming at institutions has caught fraud experts' attention. "A higher percentage of criminals are going straight to a bank and installing a PIN pad overlay and card reader," Urban says. "This is where the transaction goes through, and the customer doesn't realize that their ATM card or debit card has been compromised. I've seen a steady increase over the last couple years on this type of fraud."

#2. Ghost ATMs -- There are also the "Ghost ATMs," where the entire ATM card reader is blocked off and customers can't perform a transaction. "The customer swipes their card, enters their PIN, and then the fake ATM says it can't complete the transaction," Urban explains. Several of these ghost ATMs popped up on the east coast about four years ago. One arrest was made in those cases, he notes.

#3. Ram Raids -- Criminals continue to target ATMs in various ways, with "ram" raids happening more often in the US. Ram raids are perpetrated when criminals physically break out ATMs from the wall at the institution. In Texas, the number of ram raids has spurred institutions to partner with law enforcement, and a task force has been formed to fight the raiders. "The opportunity that some non-hardened criminals see is an exterior ATM that can be pulled out, loaded with thousands of dollars," Urban says. "So in terms of crimes of opportunity, people feeling desperate will attempt this crime."

#4. PIN IDs -- Another trend Urban sees is criminals probing systems to identify PINs. In one technique, the criminal captures magnetic stripe data from a retailer, then runs a script against the bank's online banking site that tries a list of well-known PINs against each card until one matches.

#5. Automated PIN Changes -- Another trend Urban sees is criminals going through the financial institution's telephone banking service to change PINs. "They will use the ANI to change the information on the phone they're calling out from to appear like they are calling from the consumer's phone," Urban notes. (ANI, Automatic Number Identification, is the calling number the phone network delivers to the call center; because it can be spoofed, it is not proof that the caller holds the customer's phone.) If the criminals can find the basic information on the card holder, such as name, card account number and last four digits of the social security number, they take that information to the call center and change the PIN over the phone. "Thus, while more time-consuming, the overhead cost is cut to near nothing other than their own work to deceive the bank call center," Urban says. Then, with the changed PIN, the criminals drain the account. "The easier it is for the consumer to change their account, those are the financial institutions that will be targeted," Urban says.

#6. SMS attacks -- "Smishing" is the attack that comes through the Short Message Service (SMS) or text channel to a smart phone or cell phone. Urban has personally seen three examples come through in the last month from institutions he has no affiliation with, asking him for his account number and PIN. Once the criminals get the information from the customer, they clone the ATM or debit card and use it to withdraw cash.

A bank or credit union that does not check the CVV (the card verification value encoded on the magnetic stripe, which is not printed on the card and so cannot be phished from the cardholder), the full name or the expiration date, and simply accepts the card transaction, will be hit with counterfeit cards made from data taken in this type of attack. These "smishing" attacks hit several Midwest institutions in 2008.

#7. Malware -- Security researchers say they have found malware code that lets a criminal take control over ATMs. SpiderLabs, the forensics and research arm of Trustwave, found a Trojan family of malware that infected 20 ATMs in Eastern Europe. The researchers warn that the malware may be headed toward US banks and credit unions, as well as other parts of the world. The malware lets criminals take over the ATM to steal data, PINs and cash.

That report from SpiderLabs isn't the only malware found. Sophos researchers said in March that they had found a Trojan specifically designed to steal information from Diebold ATM users that had infected several ATMs in Russia. SpiderLabs researchers explain that the Trojan collects magnetic stripe data and PINs from the private memory space of the transaction application on the Windows XP-based ATM. It also comes with its own management function: a custom interface that the attacker controls by inserting a controller card into the ATM card reader. Both research arms say they expect the Trojans they discovered to evolve and spread, infecting more ATMs. Trustwave recommends that all financial institutions with ATMs perform analysis to identify whether this malware or similar malware is present.
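The PIN identification technique in trend #4 is a guessing attack, and the defence is to count failures rather than to trust the channel. The Python below is an added example (not Fair Isaac's or any bank's code) of a monitor fed PIN-verification events from an online banking front end: it locks a card after three failed PINs within ten minutes, and it raises a separate alert when one source address fails against five distinct cards in the window, because an attacker who tries a single well-known PIN across many captured cards never trips a per-card counter. The timestamps, addresses and card identifiers in the event list are constructed.

```python
from collections import defaultdict, deque

# Constructed PIN-verification events: (seconds, source address, card id, pin_correct).
EVENTS = [
    (0, "10.0.0.5", "C1", False),      # one source spraying a single guess
    (1, "10.0.0.5", "C2", False),      # across many captured cards
    (2, "10.0.0.5", "C3", False),
    (3, "10.0.0.5", "C4", False),
    (4, "10.0.0.5", "C5", False),      # fifth distinct card: spray alert
    (100, "10.0.0.7", "C9", False),    # classic brute force on one card
    (200, "10.0.0.7", "C9", False),
    (300, "10.0.0.7", "C9", False),    # third failure in window: card locked
    (301, "10.0.0.7", "C9", True),     # right PIN, but the card is locked now
    (900, "10.0.0.9", "C8", False),
    (1600, "10.0.0.9", "C8", False),   # first failure has aged out: no lock
]


class PinAttemptMonitor:
    """Sliding-window counters for failed PIN checks, per card and per source."""

    def __init__(self, lock_after=3, window=600, spray_cards=5):
        self.lock_after = lock_after        # failures per card before lockout
        self.window = window                # seconds
        self.spray_cards = spray_cards      # distinct failing cards per source
        self.card_failures = defaultdict(deque)     # card -> [timestamps]
        self.source_failures = defaultdict(deque)   # source -> [(ts, card)]
        self.locked = set()
        self.flagged_sources = set()

    @staticmethod
    def _expire(dq, now, window, key=lambda item: item):
        """Drop entries older than the window from the front of the deque."""
        while dq and now - key(dq[0]) > window:
            dq.popleft()

    def record(self, ts, source, card, pin_correct):
        """Process one verification event; returns the alerts it raised."""
        alerts = []
        if card in self.locked:
            # A correct PIN does not unlock the card; that needs an out-of-band reset.
            alerts.append(("locked", card))
            return alerts
        if pin_correct:
            self.card_failures[card].clear()
            return alerts

        cf = self.card_failures[card]
        cf.append(ts)
        self._expire(cf, ts, self.window)
        if len(cf) >= self.lock_after:
            self.locked.add(card)
            alerts.append(("lock", card))

        sf = self.source_failures[source]
        sf.append((ts, card))
        self._expire(sf, ts, self.window, key=lambda item: item[0])
        distinct_cards = {c for _, c in sf}
        if len(distinct_cards) >= self.spray_cards and source not in self.flagged_sources:
            self.flagged_sources.add(source)
            alerts.append(("spray", source))
        return alerts


def run_monitor(events):
    """Feed a list of events through a fresh monitor and collect every alert."""
    monitor = PinAttemptMonitor()
    alerts = []
    for ts, source, card, ok in events:
        alerts.extend(monitor.record(ts, source, card, ok))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(EVENTS):
        print(alert)
```

The per-source rule is the one that matters against the attack Urban describes: five cards, one guess each, looks like five unlucky customers to a per-card lockout and like an enumeration to anything that keys on the source.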

 

ATM Fraud: New Skimming Scheme Hits Banks

Tenn. Incidents Part of Growing International Wave
Linda McGlasson, Managing Editor
November 16, 2009


A series of skimming crimes that hit the Nashville, TN area recently is but one of many ATM fraud schemes preying upon financial institutions and their customers.
Nashville police reported last week that they were investigating an ATM card skimming scheme in which at least 600 individuals were potential victims. Investigators say five Bank of America ATMs were hit, as well as an unknown number of US Bank machines. A total of 60 people had fraudulent withdrawals from their accounts of between $100 and $5,000. Investigators suspect that the skimmers have now moved on to other cities.

The problem is not isolated to Nashville, says Terrie Ipson, fraud expert at Diebold, an ATM manufacturer. "No one vendor or ATM type is more susceptible over another," Ipson says, "so everyone needs to be aware of this threat."

Ipson notes that a report from the ATM Industry Association (ATMIA) earlier this summer shows the growing nature of the international threat of card skimming. Among recent incidents:

• In Las Vegas, 75 skimming attacks were reported over a three-month period, as compared to previous rates of 2-3 incidents per year.
• In Sydney, Australia, the New South Wales Fraud Squad reported 60 skimming attacks in the first four months of 2009, with a spokesman saying the devices used are "becoming smaller, more sophisticated and capable of storing more data."
• In California, investigators reported that skimmers and card duplicators could be bought from overseas sellers on the Internet for a few thousand dollars.

Card skimming is not new. Early forms of skimming devices and even dummy ATMs installed in empty shop fronts were used to capture card information in the 1990s. What has changed are the scale and geographical spread of such attacks, Ipson says.

The ATMIA recommends these steps to help prevent ATM fraud:

• Build awareness among customers, branch employees and ATM service teams to help detect devices added to ATM exteriors. Visual clues include tape residue near or on a card reader that would show a skimming device had been placed on the ATM.
• Chip-based cards house data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce.
• Contactless cards, out-of-band authentication using cell phones and biometric readers are all new authentication technologies that can be used as alternate methods for conducting secure ATM transactions.
• Alert systems monitor routine patterns of withdrawals and notify operators or financial institutions in the event of suspicious activity.

"There is no single silver bullet that will solve ATM skimming," Ipson says. "Skimming continues to be an emerging threat. The criminals are investing lots of money to develop these devices, [and] consumers can be fooled into thinking they are legitimate."

 

FTC warns firms, organizations of widespread data breach

Mon Feb 22, 4:35 PM


WASHINGTON (AFP) - The US Federal Trade Commission (FTC) said Monday it has notified nearly 100 companies and organizations of data breaches involving personal information about customers or employees.


The FTC declined to identify the companies or organizations involved, but said they were both "private and public entities, including schools and local governments."


The companies and organizations ranged in size from "businesses with as few as eight employees to publicly held corporations employing tens of thousands," the FTC said in a statement.


It said sensitive data about customers and employees had been shared from the computer networks of the companies and organizations and made available on Internet peer-to-peer (P2P) file-sharing networks.


The information was accessible to "any users of those networks, who could use it to commit identity theft or fraud," the FTC said.


"Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk," FTC chairman Jon Leibowitz said.


"For example, we found health-related information, financial records, and drivers' license and social security numbers -- the kind of information that could lead to identity theft," Leibowitz said.


"Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure," he said.


"Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing," he added.


P2P file-sharing software is used in a variety of ways including for playing games, making online telephone calls or sharing music, video and documents.


The FTC, in the notification letters to the companies and organizations, urged them to review their security practices "to ensure that they are reasonable, appropriate, and in compliance with the law.


"It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers," the letters stated.

Monday, February 22, 2010

 

Mozilla shuts Firefox e-store after security breach

Blames firm that runs store's backend ops; no details on what was accessed, when or how
Gregg Keizer
August 5, 2009 (Computerworld) Mozilla shuttered its online store late Tuesday after finding out that the firm it hired to run the backend operations of the company's e-tailing business had suffered a security breach.

It was unclear whether the vendor, St. Louis-based GatewayCDI, which bills itself as a "promotional products distributor and incentive company," notified Mozilla or whether the browser maker found out about the breach some other way.

"Today, Mozilla discovered that GatewayCDI, the third-party vendor entrusted to run the backend of the Mozilla Store, suffered a security breach," Mozilla said in a warning on its Web site. "Once notified, we took the immediate preventative step of shutting down the Mozilla Store to ensure that no additional users could be compromised."

Mozilla also took the international edition of its e-store offline as a precaution, although that effort is maintained by a separate partner.

Late Tuesday, both stores displayed messages that they were "closed for maintenance;" neither message, however, spelled out the reason.

The stores sell promotional items, such as T-shirts, backpacks, coffee mugs and mouse pads emblazoned with company logos, as well as the Firefox browser on CD.

Mozilla's announcement did not detail the extent of the breach, what information hackers might have accessed or stolen, or how the breach happened. GatewayCDI was not available late Tuesday, and there was no notice on its site that it had sustained a breach.

"Mozilla immediately reached out to GatewayCDI and encouraged them to quickly inform individuals whose data had been compromised," said Mozilla. "GatewayCDI is currently investigating their systems and determining the cause and extent of the breach."

According to Mozilla, its online store may be closed for some time. "The store will only be reinstated once we have a satisfactory assurance of ongoing login security and data privacy," the company said.

The incident was the first for Mozilla, an open-source developer that prides itself on its operational transparency.

The company's Firefox accounts for about 22.5% of the browser market, according to the most recent data from Web metrics firm Net Applications.

 

Fake ATM doesn't last long at hacker meet

Robert McMillan
August 2, 2009 (IDG News Service) Criminals running an ATM card-skimming scam made a big mistake this week: They tried to hit the Defcon hacker conference in Las Vegas.

As the conference was kicking off a few days ago, attendees noticed that an ATM placed in the Riviera Hotel, which plays host to the annual event, didn't quite look right, according to a senior conference organizer who identified himself only as Priest. "They looked at the screen where there would normally be a camera," he said. "It was a little bit too dark, so someone shined a flashlight in there and there was a PC."

The ATM looked like a working system, but when people would put their cards in the machine, it would scan their card information and record the PINs they entered. He didn't know how long the ATM had been at the Riviera.

Conference organizers notified local law enforcement who hauled away the machine on "Thursday or Friday," said Priest, who said he works as a "civil servant" in his day job.

Credit card skimmers -- small devices installed on top of card readers to steal information -- and fake ATMs are a common problem. Once the criminal records the card information and PIN, he can use that to create a fake ATM card and then empty the victim's account.

Previously unsophisticated criminal gangs are increasingly using these devices, Priest said. "They're realizing that this is a great way to make money without getting caught."

The criminals probably didn't realize that they were installing their ATM in a hotel that was soon going to be flooded with more than 8,000 security professionals, he added.

They were smart enough to place the machine in one of the few spots in the hotel where there was no security camera to catch them, Priest said. "It was literally right next to the hotel security entrance."

 

Man is first to be charged with Web name theft

He allegedly stole prime domain name, sold it to NBA player for over $100K
The Associated Press
updated 6:35 p.m. CT, Mon., Aug 3, 2009
UNION, N.J. - A northern New Jersey man is charged with stealing a prime piece of Internet real estate and reselling it to basketball player Mark Madsen in one of the nation's first prosecutions of a suspected domain name thief.

Daniel Goncalves, 25, of Union, hacked into an online account belonging to one of the owners of the P2P.com domain name, New Jersey State Police said Monday. He allegedly shifted ownership to himself and resold the Web site address on eBay to Madsen, a Los Angeles Clippers forward who did not know the name was stolen.

Goncalves, who works for an online research firm, was arrested Thursday on felony charges of theft by unlawful taking or deception, identity theft and computer theft. Julian Castellanos, a state police spokesman, said each of the three counts carries a maximum sentence of 10 years. Goncalves, who did not respond to a reporter's phone calls, is free after posting a $60,000 cash bail.

Wake-up call for authorities
Jeremiah Johnston, president of the Washington, D.C.-based Internet Commerce Association, said the criminal prosecution is the first of its kind and should serve as a wake-up call for other law enforcement agencies.

"They're usually a few years behind new technology trends," Johnston said. "That's frustrating when you have domain names selling for seven figures."

The State Police estimate the true worth of P2P.com at up to $200,000 because of its relation to the peer-to-peer, or P2P, file-sharing phenomenon.

Domain names are the addresses used by computers to find Web sites and route e-mail.

Hundreds of registration companies, such as Scottsdale, Ariz.-based Go Daddy Group, sell them for typically less than $10 apiece. Entrepreneurs, meanwhile, make their living off buying and selling easy-to-remember names like P2P.

Marc Ostrofsky, one of the legitimate owners of P2P.com, estimates that the ownership group spent 30 months and $500,000 trying to reclaim the domain name. They have a pending civil suit against Goncalves and his brother, Madsen and Go Daddy Group, which runs the system Goncalves allegedly hacked.

Madsen, who did not know P2P.com was stolen when he bought it for $111,000, retains the domain name to this day. Madsen did not comment in response to a reporter's calls.

"The reason this case is so important is that it brings to light the lack of specific laws protecting domain name owners," Ostrofsky said, insisting that Go Daddy Group was slow to respond to the ownership group's theft report.

Arrests rare
Laurie Anderson, Go Daddy Group's disputes manager, said safeguards exist. They include a 60-day waiting period before a transaction is finalized, during which time owners are sent an e-mail informing them of the pending sale.

The owners of P2P.com did not report the alleged May 2006 theft for 13 months, she said. That was one month after Goncalves allegedly sold it to Madsen.

"It does happen," Anderson said of domain name theft. "This is the first arrest that I know of."

Steve Rinehart, a Salt Lake City-based attorney who focuses on domain name disputes, said that estimate is spot on. He's represented five victims of domain name theft — worth a combined $500,000 — without ever securing a criminal prosecution.

Colonel Rick Fuentes, superintendent of the New Jersey State Police, said part of the problem is the industry's failure to provide domain name owners with deeds. Most have only a system login and password.

Robert Morgester, a deputy attorney general in California, said arrests for domain theft are very rare. He said he's seen a few — mostly spammers who temporarily hijacked Web sites to barrage people with unwanted e-mails — but has never seen a case where a thief kept the domain name and sold it.


P2P.com co-owners include Albert Angel, 52, who said he tried and failed to persuade Florida prosecutors to pursue a case against Goncalves in Florida. The former assistant U.S. attorney, who served the antitrust division in Washington, D.C., from 1979 to 1984, said a victim without his extensive legal background would face an even harder time trying to navigate the legal and law enforcement communities.

"The reality is that this area of the law is unsettled," Angel said.

Det. Sgt. John Gorman, who led the investigation for the New Jersey State Police Cyber Crimes Unit, said Goncalves won the lottery for picking the wrong victim, a former prosecutor.

© 2010 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
URL: http://www.msnbc.msn.com/id/32270824/ns/technology_and_science-tech_and_gadgets/

 

Consultant pleads guilty to FBI curiosity hacks

Robert Lemos 2006-07-06
A technology consultant agreed to plead guilty to four charges of exceeding authorized access after he used common hacking tools to breach the security of FBI systems during his stint upgrading the agency's computers, according to a Thursday article in the Washington Post.

The network engineer, BAE Systems employee Joseph Thomas Colon, used an FBI agent's credentials in 2004 to get access to a file that contained the encrypted versions of nearly 38,000 users' passwords, the Post stated. Using a common security tool available online, he decrypted the passwords and broke into systems that contained information on the Witness Protection Program and details on counterespionage activities, the article stated.

The incident underscores the problems that both the FBI and other government agencies are having with computer security. The U.S. Department of Justice, which includes the FBI, received a 'D' for computer security in 2005, as ranked by an audit of government agencies required by the Federal Information Security Management Act (FISMA). The FBI also had to cancel a previous computer upgrade to its case and information management system, known as Virtual Case File. The National Security Agency--the secretive military agency responsible for protecting U.S. communications and breaking those of other nations--has had similar problems.

In the most recent case, Colon lost his job at BAE Systems and his top-secret clearance has been revoked, according to the article. The consultant claimed that the local FBI office approved of his actions, the Post said. He faces up to 18 months in prison.

 

More than 75,000 computer systems hacked in one of largest cyber attacks

More than 75,000 computer systems hacked in one of largest cyber attacks, security firm says

By Ellen Nakashima
Washington Post Staff Writer
Thursday, February 18, 2010; A03



More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals discovered to date, according to a northern Virginia security firm.

The attack, which began in late 2008 and was discovered last month, targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to Herndon-based NetWitness.

News of the attack follows reports last month that the computer networks at Google and more than 30 other large financial, energy, defense, technology and media firms had been compromised. Google said the attack on its system originated in China.

This latest attack does not appear to be linked to the Google intrusion, said Amit Yoran, NetWitness's chief executive. But it is significant, he said, in its scale and in its apparent demonstration that the criminal groups' sophistication in cyberattacks is approaching that of nation states such as China and Russia.

The attack also highlights the inability of the private sector -- including industries that would be expected to employ the most sophisticated cyber defenses -- to protect itself.

"The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats," Yoran said. "The things that we -- industry -- have been doing for the past 20 years are ineffective with attacks like this. That's the story."

The intrusion, first reported on the Wall Street Journal's Web site, was detected Jan. 26 by NetWitness engineer Alex Cox. He discovered the intrusion, dubbed the Kneber bot, being run by a ring based in Eastern Europe operating through at least 20 command and control servers worldwide.

The hackers lured unsuspecting employees at targeted firms to download infected software from sites controlled by the hackers, or baited them into opening e-mails containing the infected attachments, Yoran said. The malicious software, or "bots," enabled the attackers to commandeer users' computers, scrape them for log-in credentials and passwords -- including to online banking and social networking sites -- and then exploit that data to hack into the systems of other users, Yoran said. The number of penetrated systems grew exponentially, he said.

"Because they're using multiple bots and very sophisticated command and control methods, once they're in the system, even if you whack the command and control servers, it's difficult to rid them of the ability to control the users' computers," Yoran said.

The malware had the ability to target any information the attackers wanted, including file-sharing sites for sensitive corporate documents, according to NetWitness.

Login credentials have monetary value in the criminal underground, experts said. A damage assessment for the firms is underway, Yoran said. NetWitness has been working with firms to help them mitigate the damage.

Among the companies hit were Cardinal Health, located in Dublin, Ohio, and Merck, according to the Wall Street Journal. A spokesman for Cardinal said the firm removed the infected computers as soon as the breach was found.

Also affected were educational institutions, energy firms, financial companies and Internet service providers. Ten government agencies were penetrated, none in the national security area, NetWitness said.

The systems penetrated were mostly in the United States, Saudi Arabia, Egypt, Turkey and Mexico, the firm said.

Staff researcher Madonna Lebling contributed to this report.

 

Programmer Indicted in Theft of Goldman Software

By JACK LYNCH
Federal prosecutors said Thursday that Sergey Aleynikov, a former computer programmer at Goldman Sachs, had been indicted on charges that he stole proprietary software that the firm uses to make rapid-fire trades in the financial markets.

The indictment accuses Mr. Aleynikov of theft of trade secrets, transporting stolen property in foreign commerce and unauthorized computer access. If convicted, Mr. Aleynikov would face up to 25 years in prison, the United States Attorney’s Office in Manhattan said.

Mr. Aleynikov, who worked at Goldman until June 5, 2009, has pleaded not guilty to charges of theft and transporting trade secrets abroad. He left Goldman to join Teza Technologies, which hired him to develop its own version of a high-speed trading platform, prosecutors said.

Court documents filed in July said Mr. Aleynikov was suspected of stealing Goldman’s proprietary computer code that allows the firm to “engage in sophisticated high-speed and high-volume trades on various stock and commodities markets.”

Prosecutors say that Mr. Aleynikov, on his last day at Goldman, transferred substantial portions of Goldman’s code to an outside computer server in Germany.

Mr. Aleynikov “encrypted the files and transferred them over the Internet without informing Goldman Sachs,” the United States Attorney’s Office said in a statement. “After transferring the files, he deleted the program he used to encrypt the files and deleted his computer’s ‘bash history,’ which records the most recent commands executed on his computer.”

Prosecutors also asserted that Mr. Aleynikov, during time he was at Goldman, transferred thousands of files of computer code related to Goldman’s proprietary trading program to his home computers.

Prosecutors said Mr. Aleynikov flew to Chicago on July 2 to attend meetings at Teza’s offices, bringing his laptop computer and another storage device that contained Goldman Sachs’s proprietary source code. He was arrested on his return on July 3 as he got off a plane at Newark Liberty International Airport.

“In today’s information age, a theft of valuable intellectual property represents a serious breach of economic security,” Preet Bharara, the United States attorney for the Southern District of New York, said in a statement.

 

Criminal hacker 'Iceman' gets 13 years

Robert McMillan
February 12, 2010 (IDG News Service) A former security researcher turned criminal hacker has been sentenced to 13 years in federal prison for hacking into financial institutions and stealing credit card account numbers.

Max Ray Butler, who used the hacker pseudonym Iceman, was sentenced Friday morning in U.S. District Court in Pittsburgh on charges of wire fraud and identity theft. In addition to his 13-year sentence, Butler will face five years of supervised release and must pay US$27.5 million in restitution to his victims, according to Assistant U.S. Attorney Luke Dembosky, who prosecuted the case for the federal government.

Dembosky believes the 13-year sentence is the longest ever handed down on hacking charges.

Butler, also known as Max Vision, pleaded guilty to wire fraud charges in June last year.

He gained notoriety for hacking into carder forum Web sites, where stolen credit card numbers are bought and sold, and forcing members to conduct their business through his own site -- CardersMarket.com. Criminals used the stolen credit card numbers to create fake debit and credit cards that were then used to steal money or merchandise.

This isn't Butler's first time facing a federal hacking sentence.

After a promising start as a security consultant who did volunteer work for the U.S. Federal Bureau of Investigation, Butler was arrested for writing malicious software that installed a back-door program on computers -- including some on federal government networks -- that were susceptible to a security hole.

Butler served an 18-month prison term for the crime and fell on hard times after his 2002 release, he said in a sentencing memorandum filed Thursday. "I was homeless, staying on a friend's couch. I couldn't get work," he wrote. In desperation, he turned again to cybercrime. By the time of his arrest in September 2007, he had built the largest marketplace for stolen credit and debit card information in the world.

"It is a shame that someone with so much ability chose to use it in a manner that hurt many people," Dembosky said in an e-mail message. "This sentence sends a message that cyber crime is taken very seriously."

Butler's public defender, Michael Novara, could not immediately be reached for comment.

The court is recommending that Butler be incarcerated at the minimum-security Federal Prison Camp in Sheridan, Oregon.

 

Michigan firm sues bank over theft of $560,000

Experi-Metal says Comerica Bank's online security practices resulted in theft
Jaikumar Vijayan
February 12, 2010 (Computerworld) A Michigan-based manufacturing firm is suing its bank after online crooks depleted the company's account by $560,000 via a series of unauthorized wire transfers last year.

In a lawsuit filed in December, Experi-Metal Inc. (EMI) of Sterling Heights blamed the loss on its financial institution Comerica Bank's security practices, and on the bank's alleged failure to heed signs that should have alerted it to the fraudulent activity.

The complaint, filed in Macomb County Circuit Court, demanded that Comerica reimburse EMI for the loss, along with interest, attorney's fees and any other damages the court saw fit to impose. News of the lawsuit was reported by Bankinfosecurity.com earlier this week.

The lawsuit is one of several that have been filed over the past few months involving banks and customers victimized by online theft. In this case, the theft occurred after an employee at EMI supplied the crooks with the company's online banking credentials in response to a phishing e-mail that purported to come from the bank.

The credentials were then used to initiate wire transfers totaling $560,000 from EMI's account to numerous accounts in Russia, Estonia, Scotland, Finland, China, and the U.S. Once deposited, the funds were quickly withdrawn.

In its lawsuit, EMI alleged that the phishing scam had worked only because of Comerica's routine practice of sending e-mails to customers asking them to click on a link to update their security information.

EMI said that between 2000 and 2008, Comerica had used digital certificates to authenticate users to its online banking system. During this time, the bank would send e-mails asking customers to click on a link and submit specific information in order to renew their digital certificates, EMI claimed in its suit.

The complaint also alleged that the token-based authentication system that replaced Comerica's digital certificates was not adequate enough to protect against the kind of attack that resulted in the theft.

"Comerica knew or should have known that the technology of the two-factor authentication procedure which it instituted in 2008 was known to be lacking in any reasonable fortification against 'man in the middle' phishing attacks," EMI said.

"[It was in] reality a downgrade as a security measure from the digital certificate technology that was previously used by Comerica," the company said.

The complaint also faulted Comerica for ignoring signs of fraudulent activity on EMI's account. The company said that it had initiated just two wire transfers in total before the unauthorized withdrawals began.

Then, over a three-hour period, 47 wire transfers and 12 transfer-of-fund requests were initiated from EMI's account. The bank did not check with EMI about the unusual activity for several hours, and even after it was asked not to honor any transfers, the bank did not take action until another 38 wire transfers had taken place, the complaint alleged.
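The complaint above describes exactly the pattern a fraud-alert system (the kind the ATM section earlier calls "alert systems" that monitor routine withdrawal patterns) should catch: an account with two lifetime wires that suddenly issues dozens within three hours to six countries, while the bank keeps releasing transfers after being told to stop. The toy monitor below is an added example, not code from the article, Comerica or EMI; the log format, account names, dates and thresholds are all constructed.

```python
"""Transfer-velocity monitor: hold an account's transfers once it trips a rule.

Added example, not from the article, Comerica or EMI. Two checks are applied per
transfer: burst volume measured against the account's own prior history, and the
number of distinct destination countries inside one window. The log format,
account names, dates and thresholds are constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    account: str
    amount: float
    dest_country: str


@dataclass
class Policy:
    window: timedelta = timedelta(hours=3)
    min_burst: int = 5            # never hold on fewer than this many in one window
    baseline_multiplier: int = 5  # hold when window count exceeds this x prior history
    max_countries: int = 3        # hold when one window spans this many destinations


def parse_log(lines: List[str]) -> List[Transfer]:
    """Parse constructed 'ISO-timestamp|account|amount|country' lines, sorted by time."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, acct, amount, country = (f.strip() for f in line.split("|"))
        out.append(Transfer(datetime.fromisoformat(ts), acct, float(amount), country))
    return sorted(out, key=lambda t: t.ts)


def screen(transfers: List[Transfer], policy: Optional[Policy] = None
           ) -> List[Tuple[Transfer, str, str]]:
    """Return (transfer, action, reason) in time order; action is 'release' or 'hold'.

    Once an account trips a rule, every later transfer from it is held for manual
    review: the point of the EMI complaint is that releases continued after the alert.
    """
    policy = policy or Policy()
    history: Dict[str, int] = defaultdict(int)          # transfers older than the window
    recent: Dict[str, Deque[Transfer]] = defaultdict(deque)
    frozen: Dict[str, str] = {}                         # account -> reason it was frozen
    decisions: List[Tuple[Transfer, str, str]] = []
    for t in transfers:
        if t.account in frozen:
            decisions.append((t, "hold", frozen[t.account]))
            continue
        window = recent[t.account]
        while window and t.ts - window[0].ts > policy.window:
            window.popleft()            # aged out of the window: now part of history
            history[t.account] += 1
        window.append(t)
        count = len(window)
        countries = {x.dest_country for x in window}
        reason = ""
        if count >= policy.min_burst and count > policy.baseline_multiplier * max(history[t.account], 1):
            reason = f"{count} transfers in {policy.window} vs {history[t.account]} in prior history"
        elif len(countries) >= policy.max_countries:
            reason = f"{len(countries)} destination countries in {policy.window}: {sorted(countries)}"
        if reason:
            frozen[t.account] = reason
            decisions.append((t, "hold", reason))
        else:
            decisions.append((t, "release", ""))
    return decisions


COUNTRIES = ["RU", "EE", "GB", "FI", "CN", "US"]   # the destinations named in the complaint


def constructed_log() -> List[str]:
    """Constructed sample: acct-1001 has two lifetime wires, then a 47-wire burst;
    acct-2002 sends one routine domestic wire a day and must never be held."""
    lines = ["# constructed sample, not real bank data",
             "2009-03-02T10:15:00|acct-1001|12000.00|US",
             "2009-06-17T14:40:00|acct-1001|8500.00|US"]
    start = datetime(2009, 11, 10, 9, 0)
    for i in range(47):
        ts = start + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()}|acct-1001|{2500 + 100 * i:.2f}|{COUNTRIES[i % 6]}")
    for day in range(1, 11):
        lines.append(f"{datetime(2009, 11, day, 16, 0).isoformat()}|acct-2002|40000.00|US")
    return lines


if __name__ == "__main__":
    for t, action, why in screen(parse_log(constructed_log())):
        if action == "hold":
            print(f"{t.ts:%Y-%m-%d %H:%M} {t.account} {t.amount:>9.2f} -> {t.dest_country}: HOLD ({why})")
```

On the constructed log the burst account is frozen at its third wire (three countries inside one window) and the 44 that follow are held, while the routine account is never touched.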

In its response, Comerica claimed that EMI's loss was solely its own fault. "Valid credentials assigned to an EMI employee were used to authenticate a logon for purposes of online banking transactions," the bank said. "If some unknown criminals used those credentials, rather than the EMI employee to whom they had been entrusted, this was caused solely by the actions of that EMI employee."

The bank also said it should have been obvious "to any reasonably alert person" that the phishing site where the EMI employee entered the company's banking credentials was not a legitimate site.

Neither EMI nor Comerica responded immediately to a request for comment. The case is not scheduled to go to trial until the end of this year.

The dispute is similar to several other disputes in front of courts around the country. One example is a lawsuit involving Lubbock, TX-based PlainsCapital bank and its customer Hilary Machinery Inc of Plano, which was robbed of over $800,000 in a fashion very similar to the EMI case. In that case, however, it is the bank that has filed a lawsuit asking a federal district court to absolve it of any blame.

In Illinois, a couple whose bank account was robbed has been allowed to sue their bank for its alleged failure to implement the latest security measures designed to prevent such compromises.

Meanwhile, in New York, the Town of Poughkeepsie is slamming its bank, TD Bank NA, for failing to notice or stop numerous unauthorized transfers totaling over $500,000 from its account.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

 

Top 25 Programming Errors: Should Software Developers be Liable?

Group Proposes Accountability; Expert Calls Plan 'Silly'
Linda McGlasson, Managing Editor
February 16, 2010


Should software developers be held liable for their programming errors? A consortium of international cybersecurity experts says yes - and will present its plan for such a program on Tuesday. But at least one dissenting voice calls the effort "counterproductive and silly."
In Washington, D.C., on Tuesday, a group of more than 30 U.S. and international cybersecurity organizations, led by MITRE and SANS, will release a new list of the 25 most dangerous programming errors. These mistakes have been the cause of almost every major type of cyber attack, the group says, including the recent strike on Google, power utilities, military systems, small businesses and consumers' PCs.

A similar list of programming errors was released in January 2009 and had the backing of the National Security Agency and the Department of Homeland Security's National Cyber Security Division.

Vendors Held Accountable


In addition to naming the most common programming errors, this year's panel of experts has also agreed upon a standard for contract language between software buyers and developers that would essentially hold vendors accountable for their programming errors.

"Nearly every attack is enabled by mistakes programmers make that provide a handhold for attackers," says Alan Paller, Director of Research at the SANS Institute. "The only way programming errors can be eradicated is by making software development organizations legally liable for the errors. And that can only be done if there is a safe harbor."

A safe harbor provision in a contract reduces or eliminates a party's liability on condition that, in this case, the software developer performs its work in good faith.

The latest announcement is "the foundation for the safe harbor for software vendors," Paller says. One of the leaders in the development of the standard for contract language was Wil Pelgrin, director of New York State's Office of Cyber Security & Critical Infrastructure Coordination. The draft states that the "'highest applicable industry standards' should be defined as the degree of care, skill, efficiency and diligence that a prudent person possessing technical expertise in the subject area and acting in a like capacity would exercise in similar circumstances."

"Software vendors can be held liable for their errors because we now have a definitive minimum standard of due care," Paller says. "The use of this contract language helps ensure buyers are not held liable for software containing faulty code." Coding errors are a common gateway for attackers to penetrate networks, he adds.

This year's Top 25 is a big improvement over the 2009 list, Paller says, but the spirit and goals are the same. The list prioritizes its entries using inputs from 28 different organizations that have evaluated each weakness based on prevalence and importance. The new list introduces focused profiles to allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also gives a small set of the most effective mitigations, to aid in reducing or wiping out entire groups of weaknesses.

Reaction: "Counterproductive and Silly"


While last year's Top 25 List garnered much fanfare when first announced, one global software security expert doesn't see this annual exercise doing much good in the fight against cyber attacks and cyber crime.

Gary McGraw, CTO at Cigital, a software security company, says his thoughts on these lists of bugs remain pretty much the same as last year, when he published his response, "Top Eleven Reasons Why Top Ten Lists Don't Work."

While McGraw says he does agree that awareness and further education for programmers is needed, and that he welcomes the spotlight being turned on software security flaws and bad code in general, "I think procurement language linked to a list of specific bugs is counterproductive and silly." Based on his experience as an expert in litigation, "My prediction is that there will be zero lawsuits, and that this list will do nothing to provide safe harbor in the case of insecure software," McGraw says. "There is much more to building secure software than hunting down 25 bugs."

 

ACH Fraud: 7 Tips for Secure Transactions

Start with a Dedicated Computer, Then Monitor Access Closely
Linda McGlasson, Managing Editor
February 15, 2010


To help avoid malware-enabled wire and ACH fraud, here are seven tips for financial institutions to share with their customers:
1. Use a Dedicated Machine
Computers are relatively inexpensive; use a separate dedicated machine for all of your online financial transactions. If multiple people need transaction access, each person must have an additional, separate computer - or leverage terminal services to create a system of clients and dumb terminals.
2. Segregate it from the Network
This dedicated machine must not be part of a Windows domain. Utilize a Local Administrator account that can operate on the account access information. This avoids the "Clampi effect" of one compromised machine leading to a fully infiltrated network where miscreants can more easily steal sensitive account information.
3. Turn off Computer When Not in Use
As trivial as this sounds, shut the machine down when it is not in use; this can limit your exposure - many of the modern worms/trojans exploit vulnerabilities in the Windows Operating System, and contrary to popular belief do not require the user to have taken any actions such as opening emails or visiting malicious websites.
4. Monitor Traffic
Implement firewall/proxy instrumentation on both your ingress and egress points, monitoring and logging all traffic to/from your machine to ensure unauthorized access is denied no matter from what point it is initiated. The machine should be used for financial transactions only; all non-business essential network traffic should be denied to/from this machine.
5. Regulate Changes
Implement a change management process for any work that is to be done on machines performing financial transactions (this should include any changes to proxy or firewall settings that could impact these machines). Changes must require multiple party approvals. Convenience is not an acceptable reason to open access.
6. Think Virtual
Virtualized environments are another option employees can leverage; the solution can work for multiple employees, or employees who travel and who need to perform financial functions on the road. Again, computers are cheap; use a netbook or comparable alternative dedicated exclusively to financial transactions.
7. Mind Your Media
Use dedicated, bootable media (CD/DVD/USB, etc.) when performing financial transactions. One could even go a step further and remove the ability to write to the hard drive, so that nothing can be stored on the machine other than the core operating system and key applications.
Source: Rodney Joffe, Senior Technologist at Neustar, Inc., a Sterling, VA-based security firm.
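Tip 4 says to log every connection the dedicated machine makes and deny everything that is not essential. The script below is an added illustration of the monitoring half of that advice; it is not part of the original article or of Joffe's material. It reads firewall/proxy log lines for the dedicated machine and flags any destination that is not on the allow-list of the bank's own hosts, distinguishing a denied attempt (possible malware beaconing) from an allowed one (a gap in the firewall rules). The log format, the IP addresses and the bank hostnames (example-bank.com) are constructed for the example.

```python
"""Egress allow-list check for a dedicated online-banking machine.

Added example, not from the original article. The log format, hosts and
addresses below are constructed; adapt LOG_LINE to your firewall/proxy.
"""
import re
from dataclasses import dataclass

# Constructed allow-list: the only hosts the dedicated machine may reach.
# These are hypothetical names standing in for the bank's portal hosts.
BANK_ALLOWLIST = {"banking.example-bank.com", "ach.example-bank.com"}
BANK_PORT = 443  # only HTTPS to the bank is legitimate

# Constructed log format: "<timestamp> <src_ip> <dst_host>:<dst_port> <ALLOW|DENY>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>[^:\s]+):(?P<port>\d+) (?P<action>ALLOW|DENY)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    dst: str
    port: int
    action: str
    reason: str


def check_egress(lines, dedicated_ip, allowlist=BANK_ALLOWLIST):
    """Return a Finding for every line that violates the egress policy.

    Only traffic whose source is the dedicated machine is examined; lines
    from other hosts are ignored, and unparseable lines are reported so a
    format change in the log source does not silently hide traffic.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            findings.append(Finding("?", "?", 0, "?", f"unparseable line: {line!r}"))
            continue
        if m["src"] != dedicated_ip:
            continue
        dst, port, action = m["dst"].lower(), int(m["port"]), m["action"]
        if dst not in allowlist:
            # A DENY here is the firewall doing its job but still worth
            # investigating (malware beaconing, stray updater); an ALLOW
            # means the ruleset is too permissive.
            reason = "egress to non-allowlisted destination"
            if action == "ALLOW":
                reason += " was PERMITTED: firewall rule gap"
            findings.append(Finding(m["ts"], dst, port, action, reason))
        elif port != BANK_PORT:
            findings.append(Finding(m["ts"], dst, port, action,
                                    "bank host contacted on a non-HTTPS port"))
    return findings


# Constructed sample log: 10.0.5.20 is the dedicated banking machine.
SAMPLE_LOG = [
    "2010-02-15T09:01:12Z 10.0.5.20 banking.example-bank.com:443 ALLOW",
    "2010-02-15T09:01:40Z 10.0.5.20 ach.example-bank.com:443 ALLOW",
    "2010-02-15T09:02:05Z 10.0.5.20 update.example-vendor.net:80 DENY",
    "2010-02-15T09:02:31Z 10.0.5.20 198.51.100.77:8080 ALLOW",
    "2010-02-15T09:03:00Z 10.0.5.21 www.example.org:80 ALLOW",
    "garbage line that does not match the expected format",
]


if __name__ == "__main__":
    for f in check_egress(SAMPLE_LOG, "10.0.5.20"):
        print(f"{f.ts} {f.dst}:{f.port} {f.action} -> {f.reason}")
```

Run against the sample, the two legitimate HTTPS connections to the bank produce nothing, the blocked connection to the vendor update host is reported as a denied attempt, the allowed connection to 198.51.100.77:8080 is reported as a rule gap that the change-management process in tip 5 should explain, and the malformed line is reported rather than dropped.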

See Also: New Banking Trojan Targets Online Payments

Tuesday, February 16, 2010

 

French Judge Issues Arrest Warrant for U.S. Cyclist Floyd Landis

A French judge has issued an arrest warrant for disgraced U.S. cyclist Floyd Landis for allegedly hacking into a lab computer at a facility run by the country's anti-doping agency, the agency's head told Reuters.

Landis, whose surprise victory at the 2006 Tour de France was stripped after he tested positive for synthetic testosterone, was banned from cycling for two years and only returned to the sport last January.

He now faces a far more serious inquiry, according to prosecutors in the Paris suburb of Nanterre.

French judge Thomas Cassuto is seeking to question Landis about computer hacking dating back to September 2006 at the Chatenay-Malabry lab, which uncovered the abnormally elevated testosterone levels in Landis' urine samples.

French officials filed a criminal complaint in 2006 over the hacking, which they said was designed to discredit the drug tests they had conducted on Landis. No charges were filed against the 34-year-old at the time.

The American cyclist challenged the drug test results before an arbitration hearing in California -- claiming that computer files were mishandled and erased -- but was still stripped of his Tour de France title.

"Landis used the hacked files for his defense, that's how we discovered the whole scheme," said Pierre Bordry, France's anti-doping chief. "He wanted to show that the lab made mistakes in the handling of the tests."

Landis did not immediately respond to a phone call and e-mail seeking comment.

Judge Cassuto issued the warrant Jan. 28 because Landis did not respond to a summons in November, Bordry said.

"Apparently the judge traced the case back to the beginning," Bordry said. "I can't say I'm happy with this news because I would have preferred there was no Landis case."

Cassuto also issued a national warrant for Arnie Baker, a retired doctor and longtime Landis coach and adviser, the prosecutor's office said.

After discovering the hacking, the French lab upgraded security to protect its computer systems.

Landis' urine samples were tested at the lab and found to contain elevated testosterone-to-epitestosterone levels, less than a week after he won the Tour de France.

On July 20, 2006, the Tour's 17th stage, Landis started more than eight minutes behind leader Oscar Pereiro after losing the yellow jersey to the Spaniard the previous day. But Landis produced an amazing ride during the mountainous stage to cut Pereiro's lead to 30 seconds before taking the title.

Landis' samples taken after that stage revealed a testosterone/epitestosterone ratio of 11:1 — nearly three times the 4:1 limit.

The Chatenay-Malabry lab is accredited by the International Olympic Committee and World Anti-Doping Agency. It helped develop tests for the endurance-enhancing drug EPO.

Landis returned to competition at the Tour of California last year. He recently competed in a minor race staged in New Zealand.

The Associated Press contributed to this report.
