Security Watch

Hot Line

Bombarded by phone calls from fraudsters, some victims were unable to reach their banks to stop illicit transactions that cost them anywhere from a few thousand to several hundred thousand dollars, The Wall Street Journal reported Oct. 8.

The idea behind the phone harassment is simple: "If the financial institutions can't reach the victims to ask about the suspicious activity, the transactions often go through," the article said.

One duped banking customer, a dentist in Florida, lost nearly $400,000 from a TD Ameritrade account last December, the Journal reported. That victim was reimbursed.

Timothy Ryan, supervisor for the cyber-investigations unit of the Federal Bureau of Investigation's Newark, N.J., office, told the Journal, "They overwhelm a victim's phones so that the bank can't call the victim and the victim can't call them."

The hackers' concept was a "twist" on "so-called denial-of-service attacks, in which hackers overload financial services websites with information in order to crash them," the article said. The FBI issued an alert for consumers about telephone denial-of-service attacks in June.

A fraud ring that was recently broken up through arrests in the United States, the United Kingdom and Ukraine is believed to have used this technique. The ring allegedly took over victims' accounts, transferring funds to new ones set up by "mules," or accomplices, who collected funds and transferred them elsewhere.

The telephone bombardments lasted as long as a week, sometimes forcing victims to disconnect their lines or switch phone numbers, which bought the suspects time to raid their accounts.

The Journal reported that the attacks on financial institutions originated from Eastern Europe, and many but not all of the mules were students visiting the U.S. from Russia. The ring is suspected of attacking accounts at JPMorgan Chase & Co., E-Trade Financial Corp., and TD Ameritrade Holding Corp., the FBI said. All three companies said they are cooperating with the investigation, the article said.

Big Target

An increasing number of hacks favor exploits found in Java, a program that many computer users can do without, Brian Krebs reported Monday at the website Krebs on Security.

Krebs, who has previously advocated removing Java entirely (particularly since updated versions of Java do not always remove their less secure earlier versions), wrote that "Java vulnerabilities are by far the most useful, comprising more than 90% of all successful exploits" for one particular piece of malicious software. Blackhole is an exploit kit that searches for any vulnerability it can find in common Web browsers and uses it to infect other computers. Blackhole is successful about 10% of the time, Krebs wrote.

Other exploit kits use Java, which is made by Oracle Corp., for more than 50% of their successful installations of malicious software, Krebs wrote.

As for why Java is so favored among hackers, Krebs wrote that "many consumers simply aren't aware that they have this software installed, or that it needs fairly frequent updating," as Oracle markets it as a business product.

By default, Java automatically checks for updates on the 14th of every month, Krebs wrote, but this may not be frequent enough for computer users who want to stay protected. Users can request that the software make daily checks for updates, though Krebs said in his experience even this may not be enough, since it does not always detect new versions.

His best advice: "If you don't use Java, consider removing it. You can always reinstall it later if you find you need it."

After That ATM!

The rising trend of thieves stealing entire ATMs may be a result of the poor economy, Time reported Oct. 7.

Time called it "this recession's hottest crime," and attributed the rise to the recession at least in part because there is no other clear explanation. By contrast, bank robberies have dropped in 2010 after rising in 2009, the article said.

In most cases, the automated teller machine itself is dislodged or even dragged off entirely by a vehicle so that it can be cracked open at a more secluded location. The Time article even included an embedded surveillance video online of a suspect breaking into a convenience store to loop a cable around a standalone ATM near the store's entrance. After the suspect stepped back outside, a vehicle connected to the other end of the cable (and not captured on camera) drove off, pulling the ATM loose, destroying the store's entrance in the process and hauling the machine away.

Though crooks may perceive ATM theft as being extremely lucrative, since some can hold up to $200,000, their profits are not always that high. Many machines have a lower supply of cash at night when they are left unattended, and there has even been one report of crooks who stole an ATM that was completely empty.

However, Time noted, there have been some reports of crooks hitting six figures after just one or two thefts.

And law enforcement agencies are stepping up their response to the crime. San Diego, for example, formed a task force this year focused on ATM theft, the article said.

Helpful Customers

When combating fraud, the best weapon may be the victim, Javelin Strategy and Research suggests.

James Van Dyke, Javelin's principal and founder, wrote on its blog Oct. 4 that "account-holders and identity-holders are willing and able to join the battle against a common enemy," but banks are often unwilling to invite their customers to help.

"When working to stop fraudulent transactions the customer is often treated as though they are unnecessary or even dangerous," he wrote, and financial institutions instead use a "near-exclusive 'back-end' fraud-mitigation strategy."

Van Dyke suggested that a strategy that welcomes victims' participation could be particularly useful in fighting the Zeus program favored by fraudsters for its ability to break through banks' defenses by exploiting customers' online banking sessions.

Banks that do involve the customer to help spot and block fraudulent activity could find there are other perks to this deeper relationship, such as increased cross-sales and loyalty, Van Dyke wrote.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.

