OCT 27, 2009 5:30pm ET

Security Watch

Weakest Link

Small and midsize businesses have lost at least $40 million to online banking fraud since 2004, the Federal Bureau of Investigation reported this week.

Ordinarily, the FBI does not publicize such losses, but the agency is taking the unusual step of promoting the magnitude of companies' losses to encourage those most at risk to adopt safeguards, Steve Chabinsky, a deputy assistant director of the FBI's Cyber Division, told Brian Krebs for his "Security Fix" column in The Washington Post Monday.

The FBI warned of a "sophisticated but increasingly common form of online banking fraud," in which criminals steal the victim's online banking credentials with malicious software distributed through spam.

The intruders then initiate a series of unauthorized bank transfers from the company's online account, keeping the amounts below $10,000 to avoid banks' anti-money-laundering reporting requirements.

The funds are sent to so-called money mules, willing or unwitting individuals typically recruited over the Internet through work-at-home job scams. When the mules withdraw the cash from their accounts, they are instructed to wire it (minus a small commission) abroad, typically to organized criminal groups in Eastern Europe, Chabinsky said. "What we're seeing is a trend towards [fraudsters] taking advantage of the weak link in the banking process, which is the customer."

The criminals involved in these online account takeovers have attempted to steal at least $85 million from mostly small and midsize businesses, and have successfully made off with about $40 million, Chabinsky said.

To protect themselves, businesses should do their online banking from a dedicated computer that is not used for everyday Web browsing or e-mail, Krebs suggested.

Free Speech?

Is the reposting of legally obtained personal information online protected free speech, or is it, as the Commonwealth of Virginia insists, "crime-facilitating speech"?

At issue is the Virginia Watchdog Web site, run by the privacy advocate Betty Ostergren, who has worked for seven years to compel government agencies to stop posting such information online, Computerworld reported Oct. 21.

She draws attention to the issue by reposting the Social Security numbers of public figures she has found in government databases. These have included former Florida governor Jeb Bush, former Secretary of State Colin Powell and former House majority leader Tom DeLay.

Ostergren has agreed in the past to remove the data from her Web site on the condition that the agencies that initially exposed the numbers do the same.

Virginia has challenged Ostergren both in court and in its legislature, where last year it outlawed the reposting of even legally obtained personal information. The Virginia chapter of the American Civil Liberties Union filed a lawsuit on Ostergren's behalf, challenging the law as unconstitutional. The court agreed last year that it would be unconstitutional to use the law against Ostergren's work, though the commonwealth has appealed.

Prosecutors stressed that Ostergren's work presented "the very real prospect of devastating criminal predation" on the people whose data she reposts. As such, it should not be considered protected free speech, they argued.

Most recently, the Electronic Privacy Information Center has filed a friend-of-the-court brief siding with Ostergren. John Verdi, the center's senior counsel, said Ostergren's work is "exactly the type of speech that is protected by the First Amendment."

Pressure in Nigeria
