Security Watch

Help Unwanted

Businesses lucky enough to continue hiring in a bad economy may want to think twice before clicking on any attached resume.

A Jan. 19 press release from the Internet Crime Complaint Center, a joint task force of the Federal Bureau of Investigation and the White Collar Crime Center, said that criminals eager to commit automated clearing house or wire-transfer fraud have contacted businesses that post job offerings, placing malware in e-mails that look like responses to the job listings. When the prospective employer opens the e-mails, their computers become infected with the Zeus Trojan, which can steal banking log-ins and passwords.

The complaint center reports that more than $150,000 has been stolen from businesses in this way in recent months.

Just a Trim

In a case that could have implications for banks that use older forms of password authentication, Amazon.com Inc. reportedly failed to convert some of its older account passwords to a higher standard, allowing inexact passwords to grant access to their accounts, according to a Jan. 28 article on Wired.com's blog Threat Level.

The flaw affected only customers who have not changed their passwords in several years, and it appears to have occurred when the company encrypted those passwords using software that truncates longer passwords, the blog post said.

Because this system checked only the first eight characters in a password, anything typed after the eighth character would be recognized as legitimate.

ACHs and Pains

Banks' best defense against automated clearing house fraud is to rely on tools they already have, according to a Jan. 31 posting on the Federal Reserve Bank of Atlanta's blog Portals and Rails.

Since many attacks on wire-transfer services use malware that is frequently undetectable, experts say banks should rely on out-of-band authentication, alerts and the use of dual-person controls to make transfer payments.

Exposure limits, origination calendars and prenotifications are extra, low-tech layers of security that can help. The blog pointed out that it is the responsibility of both banks and their corporate customers to remain vigilant about the growing danger of these attacks.

In Plain Sight

To lessen the risk of being detected tampering with an automated teller machine, criminals are placing their card readers on the card-enabled locks that secure the entrances to ATM foyers in or near most bank lobbies, according to the blog Krebs on Security, written by the journalist Brian Krebs.

The skimmers are used in tandem with cameras hidden in mirrors at the ATM to log the PIN codes of people who have just swiped their cards to gain entry.

The Price Is Right

The marketplace for stolen financial data functions much as legal markets do: The price for everything is based on demand and perceived value.

Researchers from Panda Security SL in Spain went undercover to find out what the price tags were on some very common items, according to a Jan. 21 report by Cnet.com. For example, credit card details can sell for $2 to $90, but the physical card can go for $190 or more. And bank credentials can sell for $80 to $700 — if a balance can be guaranteed.

Machines that clone credit cards can cost $200 to $1,000, and fake ATMs often run as high as $35,000.

Criminals can even buy money-laundering services if they agree to pay a 10% to 40% commission. And websites exist that sell the sundry items needed to commit fraud, where criminals can add products to virtual shopping carts just as they would at a legitimate online retailer, the report said.

Kept It in His Pants

When police in Pennsylvania pulled over a motorist from Queens, N.Y., for a traffic infraction, they said they smelled marijuana — which, in turn, led them to catch a whiff of a possible card scam.

The incident began when police pulled over 22-year-old Matthew L. Norman on Interstate 80 near Pocono Township, according to a Jan. 28 story in the Allentown Morning Call.

During a pat-down, Norman tried to flee, but police shot him with a stun-gun and then arrested him, the article said.

Officers said they then discovered 22 counterfeit debit cards in the waistline of Norman's pants. The New Yorker allegedly later told officers he was on his way to nearby Dickson City to use the cards.

Norman was charged with drug possession, access device fraud, possession of an instrument of crime and resisting arrest, according to the report.

Hackers Harassed

The group responsible for hacking AT&T Inc.'s iPad servers, gaining access to about 120,000 accounts, was itself hacked, according to a Jan. 26 article by Cnet.com.

Hackers replaced the home page of Goatse Security, the group's website, with an obscenity-laden screed.

The hackers also made insulting comments about AT&T and Apple Inc., according to the story. A Goatse spokesman confirmed the hack. The site was back to normal by the end of the day, according to the report.

Status Update

Facebook Inc. is now letting its users encrypt sessions in much the same way banks have let their customers conduct online banking sessions for years, according to a Jan. 26 story in PCMag.com.

The announcement came after the Jan. 25 hacking of Facebook chief Mark Zuckerberg's fan page on the popular social media site. Facebook is now implementing so-called https protocol to secure user sessions on an opt-in basis. Google Inc.'s Gmail and Microsoft Corp.'s Hotmail already use https as a security feature, the article said.

Facebook will also soon start a social authentication procedure, tested successfully during the recent unrest in Tunisia, to help secure users in that country against government break-ins; it asks users to verify faces of people they know during log-in.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.