MAR 9, 2010 4:35pm ET


Security Watch


Time for FFIEC 2.0?

It may be time for regulators to update online banking security policies.

The Federal Financial Institutions Examination Council issued guidelines in 2005 that prompted many banks to strengthen their online banking systems' authentication measures. However, the guidelines were not specific about how to do this, and many of the approaches banks chose five years ago are less effective today, Brian Krebs wrote in his "Krebs on Security" blog March 3.

"Organized computer criminals are defeating these solutions with ease," he wrote. "Experts say part of the problem is that few of these solutions can protect customers whose systems are already infected with password-stealing malicious software."

Robert C. Drozdowski, a senior technology specialist with the Federal Deposit Insurance Corp., told Krebs that regulators are mulling further guidance with an eye on improving security for commercial customers.

Though banks are not obligated to reimburse businesses for fraud losses, "we have situations where banks are sharing the losses with their customers in order to avoid litigation, and in order to preserve business relationships," Drozdowski told Krebs. Banks are required to have "commercially reasonable" protections in place, he said, but "what is commercially reasonable is not well defined."

But times have changed, Drozdowski said. "There's an awareness that what might have been adequate security four years ago … is not adequate or may not be adequate now," he told Krebs.

Last month the council updated its guidance on retail payments (which is separate from its online banking guidance). The earlier retail payments guidance was published in 2004.

Skimming Scams

Getting an illegal card skimming device into a gas pump can be done quickly and seamlessly, using a key that The Sacramento Bee described as "standardized and widely available."

A March 5 story in the Bee said police had arrested two suspects they believe are part of an organized crime ring.

David Karapetyan and Zhirayr Zamanyan were allegedly found in possession of 11 skimming devices that each held data on 400 to 500 accounts. Skimming devices are typically placed over a card reader slot; they are designed to blend in with the surrounding machinery, but often can be spotted by careful observers. In this case the suspects are accused of hiding the devices inside the gas pumps, out of sight of even the most alert motorists.

One of the devices was discovered within a gas pump by a station attendant who was changing receipt paper. Police replaced it with a decoy device; Karapetyan and Zamanyan later retrieved the decoy, the Bee reported.

Though the suspects are accused of modifying one Martinez, Calif., gas station operated by 7-Eleven Inc., they were arrested in possession of a GPS unit with the addresses of many more gas stations, leading police to investigate whether the suspects were involved with other reports of gas-pump tampering.

Other California gas stations have reported discovering skimming devices, but those incidents had not been linked to the Martinez case when the Bee ran its story.


A man named Albert Gonzalez has been arrested for an alleged financial crime, but not one as ambitious as the widespread hacks to which a younger Albert Gonzalez pleaded guilty last year.
