Twitter Takeover
Twitter Inc.'s microblogging service
In one instance the flaw was used to open a window to a Japanese pornography site for followers of former British Prime Minister Gordon Brown's wife, Sarah Brown, the security firm Sophos PLC highlighted on its blog Tuesday.
In other, less alarming examples, hackers testing the flaw posted pop-up messages to anyone on the receiving end of a hacked tweet. The links can also be hidden behind bars of solid color, making them less obvious.
In addition to opening unwanted browser windows, the malicious code can also force victims to retweet the code to their own followers, causing the code to spread like a computer virus, Sophos said.
The flaw allowed JavaScript placed in a link's onMouseOver attribute to run as soon as a reader moved the cursor over the link in a tweet. Twitter said Tuesday morning that it had fixed the flaw. Before it did so, users could still use the microblogging service safely either by using third-party software or by disabling JavaScript in their Web browsers.
During the time the flaw could be exploited, hackers appeared to use it "for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code," Graham Cluley, senior technology consultant for Sophos, wrote on his company's blog.
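The rendering mistake behind an onMouseOver injection, and the output encoding that neutralizes it, shown as an added example (this is illustrative code, not Twitter's; the sample tweet, the URL pattern and every function name are assumptions):

```javascript
// Added example (not Twitter's code): why unescaped tweet text lets an
// onMouseOver handler sneak into a link, and how output encoding stops it.

// Constructed sample tweet. The "URL" carries a quote that closes the href
// attribute early, followed by an event-handler attribute.
const SAMPLE_TWEET = 'look at http://example.com/@"onmouseover="alert(1)"/ wow';

// Only http(s) tokens are linkified, so javascript: and data: schemes never
// reach an href in the first place.
const URL_RE = /https?:\/\/\S+/;

// HTML-encode the characters that change meaning inside text or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: raw text concatenated straight into markup.
function linkifyVulnerable(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened rendering: the same markup, with the URL encoded for both the
// attribute value and the element text.
function linkifySafe(tweet) {
  return tweet.replace(URL_RE, (url) => {
    const enc = escapeHtml(url);
    return `<a href="${enc}">${enc}</a>`;
  });
}

// Minimal attribute scanner for the first <a ...> start tag, following the
// browser rule that a new attribute may begin right after a closing quote.
function anchorAttributeNames(html) {
  const start = html.indexOf('<a');
  if (start < 0) return [];
  let i = start + 2;
  const names = [];
  while (i < html.length && html[i] !== '>') {
    if (/\s/.test(html[i])) { i++; continue; }
    let name = '';
    while (i < html.length && !/[\s=>]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    if (html[i] === '=') {
      i++;
      if (html[i] === '"') {
        i++;
        while (i < html.length && html[i] !== '"') i++;
        i++; // skip the closing quote
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
      }
    }
  }
  return names;
}

// Detection check: does the rendered anchor carry any on* event handler?
function hasEventHandler(html) {
  return anchorAttributeNames(html).some((n) => n.startsWith('on'));
}

console.log(hasEventHandler(linkifyVulnerable(SAMPLE_TWEET))); // true
console.log(hasEventHandler(linkifySafe(SAMPLE_TWEET)));       // false
```

The attribute scanner stands in for what a browser's parser does: once the raw quote closes the href value, whatever follows is read as a new attribute, which is exactly how a handler ends up on the link. Encoding the quote as `&quot;` keeps the whole token inside the attribute value, so the hardened output carries only `href`.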
Outsmarted
A would-be bank heist was thwarted not by branch security
Mark Smith allegedly tried to rob a bank in Watsonville, Calif., for $2,000 to pay a friend's rent, according to a story in the Sept. 9 Santa Cruz Sentinel.
Though police say Smith claimed to have a bomb, the bank manager treated him as a prospect for a sale — she suggested that rather than rob the bank, Smith fill out a loan application. The manager then called 911, the Sentinel reported.
Upon Smith's arrest, police determined he had no bomb or other weapon.
"Quick-thinking staff kept the man calm and distracted him with some paperwork until we arrived," Police Lt. Darren Thompson told the newspaper.
ID Theft Goes Global
Federal authorities have broken up
Korean immigrants used stolen Social Security numbers, most of which came from Chinese nationals working in American territories, to obtain credit cards, the Associated Press reported Sept. 16.
An FBI special agent characterized the scheme as "a virtual crime superstore, with one-stop shopping for a variety of criminal needs."
Fifty-three people are accused of taking part in the identity theft ring. All but six of them were arrested by the time the AP story ran, and another suspect was in state custody facing charges for the murder of a New Jersey family. (Police said the murders also may have been linked to a financial fraud scam.)
Another 10 people were arrested on charges of participating in a similar scheme, allegedly selling stolen identities through ads in Korean-language newspapers.
Those Social Security numbers also apparently were stolen from immigrants working in U.S. territories, as the stolen numbers all began with the same prefix, 586. That prefix was issued in very limited numbers in U.S. territories, the AP said.
James Van Dyke, the principal and founder of Javelin Strategy and Research in Pleasanton, Calif.,
"We've long seen both Latinos and African-Americans suffer greater impact" than other ethnic groups, and "recent trends have pointed to Latinos suffering the worst of ID crimes, which I believe to be connected to immigration," Van Dyke wrote.
Undocumented immigrants seek out stolen identities so they can live in the U.S., and they prefer Social Security numbers and other credentials belonging to someone with whom they share a last name, Van Dyke wrote.
"The account of the recent wave of identity crimes against Asians appear to support my earlier theory that higher rates of immigration among particular ethnic groups leads to higher risk of identity crime," Van Dyke said in the blog.
The victims may have a poor grasp of English and the U.S. financial system, which may make them "easy prey for identity thieves," Van Dyke wrote,
Stronger Logins
With its recent commitment to two-factor authentication for many of its online services, Google Inc.'s security
Google said that organizations that rely on Google Apps may now choose to require users to type in a one-time-use passcode while logging in. That code could be sent to users' mobile phones, adding a layer of security that exists separately from the machine the user is logging in from.
This system "effectively means Google will be offering more secure authentication than many U.S. financial institutions currently provide for their online banking customers," Krebs wrote.
Administrators at organizations that opt for this added security do not have to require it of users at every login. They can set certain devices, such as home computers, to be considered trusted for a period of 30 days, allowing access with just the user's static password.
The added security will also be made available to consumers within the next few months, Krebs wrote. If a Google user cannot access the one-time code, the company also provides administrators with a short list of backup codes that can be used to disable the requirement for end users until the users' problem (such as a lost phone) is addressed.
Krebs stressed that this extra security is not foolproof, as phishers can still trick users into revealing their one-time-use codes.
However, he wrote, "it is more robust than requiring a simple user name and password, which is more or less what many commercial banks rely on right now."
Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any