Security Watch

Hackers Hacked

The fraudsters who profit from data breaches got a taste of their own medicine when an online card-trading forum was hacked.


Data stolen from Carders.cc, a fraudster forum in Germany, was posted on a file-sharing network, Brian Krebs reported at his "Krebs on Security" website May 18. The data included many banking credentials that forum members intended to sell or misuse, but it also included the members' own user names and passwords as well as copies of the communications among them.

Those who hacked Carders.cc "were able to compromise the forum because its operators had been sloppy with security," Krebs wrote. "Specifically, the curators of Carders.cc had set insecure filesystem permissions on the Web server, which essentially turned what might have been a minor site break-in into a total database compromise."

Though this hack could be taken as a blow to fraudsters, Krebs said it may actually hurt the good guys. Ongoing law enforcement investigations into stolen account data could be compromised if fraudsters, seeing that the information is no longer valuable, abandon it in search of a more secure stash.

Card Fingerprints

MagTek Inc. said it will soon announce "a major U.S. retailer" is implementing its technology to improve magnetic stripe card security, Computerworld reported Monday.

The retailer, which the Seal Beach, Calif., company would not name, plans to use the technology at about 30,000 locations. MagTek's system examines the unique physical traits of each card's magnetic stripe, allowing its readers to identify each physical card as distinct; it is sometimes described as fingerprinting for individual cards. This method can tell the difference between an original card and a cloned card made by a thief using the original card's payment data, MagTek said.

Tom Patterson, MagTek's chief security officer, said that even though there is increasing talk of adopting chip-and-PIN security in the U.S., it would be a long transition, and MagTek's technology would remain relevant during that time. "The mag stripe is going to be a legacy for more than a decade at least," he told Computerworld.

MagTek plans to disclose the retailer's name within two months, the story said.

Spoiled Cheese

A trio of servers at a Cheesecake Factory Inc. restaurant allegedly left a trail of crumbs that helped the U.S. Secret Service pinpoint them as the front line of a card theft ring.

Nicole L. Ward and two other suspects are accused of stealing card numbers from patrons of a Washington Cheesecake Factory starting in April of last year, leading to an estimated $117,172 in fraud, The Washington Post reported Monday.

Investigators allege that the trio used handheld card skimmers to steal data as they took cards for payment. The suspects were identified because the Cheesecake Factory requires servers to swipe their own company identification card before they take each payment. Investigators said Ward was recruited by two men identified as "Slim" and "G," who supplied her with the skimmers and allegedly paid her $40 for each stolen card account. Ward is accused of recruiting two other servers, whom the Secret Service did not name, and paying them $25 per stolen card. Altogether, Ward allegedly took in $5,000 for her role in the scheme, investigators said.

The fraudulent transactions were first detected by Citigroup Inc., which noticed that the cards had all been used at a Washington Ave. Cheesecake Factory before any fraudulent activity.

Intent Matters

Can the intent of an accused identity thief be determined by statistics?

Floor64's TechDirt blog examined the case of Gregory Parks, who was convicted in 2007 of committing identity theft 15 times using different Social Security numbers on applications for emergency disaster relief.

A 2009 Supreme Court decision in a separate case made clear that intent matters under the law, so Parks challenged his conviction, arguing that a key point was whether he knowingly used other people's Social Security numbers or whether he guessed them.

"Basically, the entire case hinged on a bit of probability," Floor64's president and chief executive, Mike Masnick, wrote on the TechDirt blog May 20. "If he just made up the numbers, and they all turned out to be legit by luck, then he could say he did not knowingly commit fraud on the people who those SSNs actually applied to."

The government had to prove that it was unlikely for him to have guessed all 15 at random. Anyone has a 50% chance of guessing a single legitimate Social Security number, but to guess 15 in a row correctly is much less likely — 0.0003%, Masnick said, citing math from the Bureau of National Affairs Inc.'s TechLaw blog.

But since some areas have assigned more Social Security numbers than others, Parks may have lucked out if he guessed numbers from only those areas — this, Parks argued, gave him the much likelier 38% chance of guessing all 15 numbers correctly. Parks' conviction for identity theft was vacated, though he remains convicted of mail fraud.

The case "highlights how ridiculous it is to use Social Security numbers as identifiers, given just how easy it is to guess legit SSNs," Masnick wrote.

Life Unlocked

LifeLock Inc.'s chief executive, Todd Davis, who publicized his Social Security number to demonstrate his confidence in the company's identity theft protection services, may have had his identity stolen at least 13 times.

One incident, in which a Texas man used Davis' personal info to take out a $500 loan, has been known since 2007, and LifeLock, of Tempe, Ariz., has long described this as a one-time event, the Phoenix New Times reported May 13. But the paper obtained police reports describing at least a dozen other incidents where fraudsters had opened bank or mobile phone accounts using Davis' credentials.

Davis and LifeLock would not answer the paper's questions for the article.

"The fact that Davis has fallen victim to so many con artists illustrates how LifeLock cannot steel anyone from identity theft … and, as Davis insisted on the company's website, LifeLock customers can expect the same protection he himself has received," the story said.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
