Revolutionary
The response Facebook Inc. mounted against a state-sanctioned attempt to steal the passwords and IDs of Tunisian citizens using the social networking site to organize during the country's recent revolution, which ousted longtime dictator Zine el-Abidine Ben Ali this month, could be instructive to financial institutions concerned about malware.
In January, Facebook engineers noticed what looked like an enormous hack job into Tunisian accounts, the equivalent of a vast keystroke logger run by the country's military regime, which was stealing the passwords and IDs of all Tunisians using Facebook to organize, communicate with one another and receive critical information during the uprising. The information was fed back to the military, according to a story
Facebook engineers countered the malicious code by quickly creating a two-step process. First they routed Tunisian log-on requests to an https server — not an http server — that encrypts information being sent. The second step was to request that users identify pictures of friends when they logged back on, the equivalent of a dual-factor identification frequently used by banks. Though this approach was not 100% effective, Tunisians for the most part could continue using Facebook to reach each other.
Test of Metal
In a case that could have wide implications for banks, a small company is suing Comerica Inc., charging that the Dallas banking company did not do enough to protect the security of its treasury account, according to a Jan. 19 post by Brian Krebs on his blog
Two years ago cyber criminals allegedly stole $1.9 million from Experi-Metal Inc., a metal prototype tooling company in Sterling Heights, Mich. All but $560,000 was recovered, according to a
EMI claims Comerica only inquired about the first transactions conducted in the morning, which EMI told it not to honor, but the bank did not inquire about the following 38. Comerica claims EMI is not entitled to relief because the controller did not follow standard security protocol, including using a second user to approve wire transfers.
The case centers on whether banks are meeting their obligations under the Uniform Commercial Code, which holds transactions are legal provided security procedures have been followed and a bank can prove that it accepted the order in good faith. The case was filed Jan. 19 in U.S. District Court, Eastern District of Michigan, Southern Division.
Speed Trap
An unspecified percentage of the estimated 10 million users of a popular smartphone application that lets people identify police speed traps using their phones' GPS have been hacked, according to a Jan. 21 story in Wired.com's blog
According to Wired.com, Trapster notified its users via e-mail, saying, "If you've registered your account with Trapster, then it's best to assume that your e-mail address and password were included among the compromised data." As was the case with the Gawker.com hack in December, where some 400,000 people were affected, many users might be further exposed if they use the same ID and password for their online banking accounts.
Great Deal
The Federal Trade Commission has settled a case it brought against an online retailer, Daniel Greenberg, owner of the Classic Closeouts website operated out of New York, according to a Jan. 13
Consumers who contested the charges found that Greenberg countered their claims, fraudulently asserting that they had enrolled in a frequent shopping club. The FTC said banks thus reinstated the fake charges to consumers' accounts. Under the terms of the settlement, Greenberg must return the money he stole, and he is permanently banned from owning, controlling or consulting for any Internet retail business that accepts credit or debit cards. Greenberg recently filed for bankruptcy. His assets were frozen and placed in receivership in 2009 by the United States District Court for the Eastern District of New York.
Petty-Cure
The owner of a hifalutin salon that catered to the actresses Halle Berry, Jennifer Aniston, Cher and Anne Hathaway has pleaded guilty to stealing credit card information from her star clients and making fraudulent charges of nearly $300,000, according to a Jan. 22 story by
Maria Hashemipour, owner of the Beverly Hills salon Chez Gabriela, was arrested in August. She faces fines of up to $240,000, a maximum of 10 years in prison and possible deportation. Hashemipour immigrated from Mexico, though she claimed she came from Spain, according to the
Copy That
In a twist, the antivirus company Symantec Corp. of Mountain View, Calif., has found that many malware code writers are now copy-protecting their products by building in so-called Digital Rights Management technology, which is more typically used in the software world to prevent theft of intellectual property,
Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.