Security Watch

Cameron Diaz Alert

Cameron Diaz fans better be careful.

The security software company McAfee Inc. has determined that people who surf the Internet for pictures and news of the actress are putting themselves at higher risk of being infected by a malicious program, msnbc.com reported Aug. 19.

According to McAfee, searches for Diaz have a 10% chance of calling up websites that distribute viruses or attempt to pull off a scam such as phishing financial information.

Behind Diaz on the list of celebrities whose names could lead searchers to dangerous websites were the actors Julia Roberts, Jessica Biel and Brad Pitt and the supermodel Gisele Bundchen.

Is It Safe?

Despite widespread reports of fraudulent purchases at Apple Inc.'s iTunes digital media store, there is no reason to suspect any flaws in Apple's security, according to a column published online at All Things Digital.

"There's no security hole in iTunes," John Paczkowski wrote Monday. Anyone complaining of fraudulent charges has "fallen victim to a bot attack or phishing scam — a variation on the one that's been around for years now. … iTunes has not been compromised and the company isn't aware of any sudden increase in fraudulent transactions."

Apple agreed with this assessment, and suggested that anyone affected by this scheme change their password and contact their financial institution to reverse the charges.

Many people complained about the fraudulent charges being billed to PayPal Inc. accounts that were linked to the users' iTunes account. The eBay Inc. unit said it would refund fraudulent charges.

Don't Overdo It

Though encryption is widely touted as a way to make it easier for merchants to comply with security standards, encrypting too much information may negate the method's security benefits.

Encryption is gaining popularity as a way to help merchants comply with the Payment Card Industry data security standard which requires them to eliminate or properly protect any card data they handle. Encrypting this data so that it is unreadable to any hacker who steals it is one way merchants are removing it from their systems.

However, "Encrypting all your data may actually make you more vulnerable to a data breach," Walter Conway warned in his Aug. 19 column at the retail technology news website StorefrontBacktalk. "A sophisticated attacker knows to focus on small fields with a limited number of possible values."

And the expiration date on a payment card fits that description perfectly, he wrote.

"The expiration date is a four-character field," Conway wrote. "Because most payment cards expire within 36 to 48 months, that field has a relatively small number of possibilities."

And if those dates are encrypted with the same key used to encrypt more sophisticated data, such as account numbers, all hackers need to do is break the encryption on the four-character expiration date to unlock all of a merchant's encrypted card data, Conway wrote.

Merchants can avoid this problem by encrypting only the primary account number, Conway wrote. This would still keep merchants in compliance with the PCI standard, he wrote.

Through the Roof

Fraudulent mortgage applications may have risen 17% in the past year, sharply reversing a trend of declining mortgage fraud.

The spike in fraud indicates that scammers have adapted to the stricter vetting put in place after the financial crisis. Instead of applying for no-documentation loans, they bring forged documents and stolen identities, The Wall Street Journal reported Monday. Many scammers also recruit bank insiders to help get their applications through, the story said.

In one instance in Phoenix, a suspect who was renting a home stole the homeowner's identity after intercepting some of the homeowner's mail. The suspect, who allegedly was helped by an insider at Compass Bank, is accused of getting a cashout mortgage of $245,000 on the property in the homeowner's name. The bank did not respond to the Journal's requests for comment and the suspect, Jose Victor Buencamino, did not respond to the charges and could not be located by the paper.

Mortgage fraud dropped 56% in the two years after 2006, the Journal reported, citing data from CoreLogic, but discrepancies in mortgage applications indicate that the fraud has rebounded. CoreLogic predicts possible fraud based on discrepancies, but the banks may not realize the fraud until years later when they must write off the loans, the article said.

Data from LexisNexis' Mortgage Asset Research Institute indicates that 59% of mortgage fraud involves applicants providing false personal information to lenders. Other forms involve providing false appraisals and false credit reports.

Stealing a Hernia

Would-be robbers learned the hard way that automated teller machines are heavy.

After extracting an ATM from its location in the lobby of an Atlanta hotel, thieves apparently were unable to lift the machine onto the back of a stolen pickup truck, The Atlanta Journal-Constitution reported Monday. So they just left it there and made their escape.

"Upon arriving at the scene, police observed the ATM lying outside of the location," Atlanta police spokesman Otis Redmond told the newspaper. Police responded after receiving a call from a witness at 3:40 a.m. Monday.

The truck, which had been reported stolen Aug. 15, was abandoned at another location.

Correction, Officer

An alleged bank robber in Germany was captured after he sent corrections to news outlets that had covered his exploits.

The suspect sent e-mails to police and to two newspapers correcting their description of his age, height, accent and escape method, Reuters reported Aug. 19.

Police then traced the e-mails to the suspect and arrested him within hours of receiving his messages.

A police spokesman described the situation as a "game of cat and mouse [that] went all wrong."

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.