Security Watch

All Business

Though businesses do not have the same legal protections that consumers have in limiting their liability for fraudulent transactions, a judge has decided that a Michigan metals shop should not be on the hook for half a million dollars in fraudulent transfers.

The company, Experi-Metal Inc. of Sterling Heights, was fooled in 2009 by a phishing email that impersonated Comerica Bank. The scammers tricked Experi-Metal's controller into accessing the company's bank account using a one-time passcode generated by a security token. Scammers then initiated transfers totaling $1.9 million, and all but $560,000 was recovered.

Experi-Metal sued its bank, alleging that Comerica's response was inadequate. For example, although the bank spotted the fraudulent transfers within four hours of the attack, it did not stop transfers that took place after that point.

On June 13, Judge Patrick J. Duggan wrote in his decision that "a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Comerica fails to present evidence from which this Court could find otherwise."

A spokeswoman for Comerica Inc. of Dallas said in an email that its security measures, including the use of a token, comply with the Federal Financial Institutions Examinations Council's guidelines for strong authentication. The bank also expects the judge's decision will be reversed by an appellate court, she said.

Expert Brian Krebs said in his "Krebs on Security" blog Friday that this decision, in the U.S. District Court for the Eastern District of Michigan, conflicts with a Maine decision that might put Patco Construction Co. of Sanford on the hook for $345,000 under similar circumstances.

The Michigan decision has not yet specified how much Comerica should reimburse Experi-Metal, and the Maine decision, a magistrate's recommendation, has not yet been adopted by the U.S. district court, Krebs noted.

The two decisions may not affect other lawsuits, as "case law requires a published decision at the appellate level, and is only binding on the courts in the district where it is made," Krebs wrote. "Other district courts may consider and quote trial and appellate rulings, but they are not bound to follow them."

Sonic Chaos

Sega Corp., the video game developer famous for games featuring its speedy hero Sonic the Hedgehog, was unable to outrun hackers that targeted its Sega Pass system.

The attack compromised the names, birth dates, email addresses and encrypted passwords of 1.3 million customers, Sega said Sunday. The Sega Pass online network has since been taken offline.

Yoko Nagasawa, a Sega spokeswoman, told Reuters that the company wants "to work on strengthening security."

The Reuters article, which ran June 20, notes that the scope of the Sega breach "paled compared to what PlayStation maker Sony Corp. experienced" in an attack on services including its PlayStation Network, which allows gamers to compete online and to buy downloadable games and other media. The Sony breach affected more than 100 million customers.

Sega Corp. is owned by Sega Sammy Holdings, which also makes slot machines. The Sega Pass system is run by the Sega Europe division, which discovered the breach June 16, the article said.

Lulz Security, a hacking group that has targeted other video game companies, "has unexpectedly offered to track down and punish the hackers who broke into Sega's database," Reuters wrote.

Penetration Testing

As more cyber-attacks make headlines, banks are turning to ethical hackers to protect them from malicious ones.

Trustwave Holdings Inc.'s Nicholas Percoco, a senior vice president at the Chicago company, is one of the people hired to attempt to break past banks' defenses, in the hopes of finding the banks' weaknesses before the bad guys do, he told Reuters in a Friday article. Their responsibilities also include breaking into physical data centers, and Percoco said he has phoned CIOs from within their data centers to prove his ability to gain access.

Tom Kellermann, chief technology officer for AirPatrol Corp., said that computers remain the weak link in banks' security strategies. "I think there's been an over-emphasis in security on perimeter defenses, on the walls and moats of castles, and not enough attention is being paid on remote access and website security," he told Reuters.

Steven Kietz, a former Citigroup Inc. and JPMorgan Chase & Co. credit card executive who now works as a consultant, told Reuters that although banks strengthened online security in 2006 when they were under a regulatory mandate to do so, "five years later we've seen really no new efforts by any of the major banks to protect customers."

Bitcoin Goes Bust

A data breach caused the nascent online currency Bitcoin to lose nearly all of its value this past weekend, according to a Sunday article on Ars Technica.

Bitcoins are a digital currency that relies on cryptography to ensure each Bitcoin is unique. A Bitcoin spender signs each transaction with a private key, and the recipient publishes a record of the transaction to a global network, proving that the coin was spent and has transferred ownership. This system is designed to prevent Bitcoins from being repeatedly spent by the same owner.

The price of the currency plummeted from $17 to pennies on Mt. Gox, a popular online exchange, the article said. The cause of the drop in value was a data breach wherein usernames, email addresses and hashed passwords for thousands of Mt. Gox users were exposed online. Trading was suspended and Mt. Gox posted a notice explaining the incident and urging users to change their passwords on any other websites where they used the same login information.

The price of Bitcoins was already volatile, Ars Technica noted. In recent months it has ranged from a dollar to $30. The article said that Bitcoins should retain their value over time, as the currency's security was not compromised in the breach at the exchange.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.