Citi Veteran Busted
A former Citigroup Inc. accountant was charged this week
Gary Foster was arrested Sunday for allegedly moving the funds from Citi debt-adjustment and interest-expense accounts into a personal account he held with JPMorgan Chase & Co., The New York Times reported Tuesday. He was arrested Monday at Kennedy airport in New York after returning from an international trip. He pleaded not guilty Monday to charges of bank fraud, the article said.
Foster allegedly made eight separate transfers to move the money to his personal account, the article said. He used false contract or deal numbers in the reference line of the wire transfers to obscure the nature of the transactions, according to federal prosecutors. Foster quit his job for unknown reasons in January, the article said. According to his profile on LinkedIn, Foster is now a part-time hedge fund consultant.
Today Foster owns six properties across New York and New Jersey, including one so lavishly decorated that the bathroom mirrors become video screens when touched, the Times said.
The fraud was discovered when Citi conducted an internal audit in recent weeks, the article said. Citi said it immediately contacted law enforcement officers.
Separately, Citi said Friday that the hackers who compromised 360,000 of its credit card accounts
Staffing Issue
Sony Corp.
"Just two weeks before the April breach, Sony laid off" members of "the group that is responsible for preparing for and responding to security breaches," the lawsuit says, citing a confidential witness.
Ars Technica said in a Friday article that this accusation is "perhaps [the] most damning" claim in the lawsuit. Other allegations are weaker, the article said, such as an accusation that Sony is covering up for weak security when it refuses to disclose its encryption methods.
The suit says that Sony's security around consumer data was below its level of security for its development server, suggesting that Sony valued its own data above that of its customers.
Game Over
Lulz Security, the hacker group that has claimed credit for attacks on Sony Corp., Nintendo Co. Ltd. and other companies and law enforcement agencies,
The group claimed to have intended to operate for only 50 days, Ars Technica reported Monday. However, the group also claimed during its Friday exposure of data from the Arizona Department of Public Safety that it planned to release more documents. The conflict may simply be one of branding: "If such releases are made, they won't be under the LulzSec brand," the article said.
The decision may be behind the political motivations of the recent attacks on law enforcement agencies, Ars Technica said. "LulzSec always maintained that it was motivated by amusement rather than political principles, and yet the decision to specifically make law enforcement agencies the target was apparently a political one."
However, LulzSec hasn't shifted its ideology completely: one of its last breaches exposed data on users of forums linked to the video game Battlefield Heroes.
Another factor in the group's retirement might be a desire to just lie low, Ars Technica said. An opposing group recently posted "a substantial amount of data about members of LulzSec yesterday, and this release may have been the straw that broke the camel's back, forcing LulzSec to drop out of the public eye," the article said.
Struck Again
"Hacktivists" who disagree with MasterCard Inc.'s policies
MasterCard's website was indeed down briefly, according to MSNBC. The owner of the Twitter account @ibomhacktivist published a tweet blaming MasterCard's predicament on its decision to not allow payments to WikiLeaks. WikiLeaks confirmed on its own Twitter account that MasterCard, Visa, PayPal and others still refuse to allow it to receive payments. MSNBC said that the @ibomhacktivist account "does not appear directly related" to the prominent hacker groups Anonymous or LulzSec.
Guilty Plea
The man behind an attack on AT&T Inc. that exposed personal information for users of Apple Inc.'s iPad pleaded guilty last week in federal court in Newark, N.J., The Washington Post
Daniel Spitler confessed to being a participant in the hacking group Goatse Security. The group exposed the email addresses of 114,000 iPad owners.
"Computer hackers are exacting an increasing toll on our society, damaging individuals and organizations to gain notoriety for themselves," U.S. Attorney Paul Fishman said in a prepared statement. "Daniel Spitler's guilty plea is a timely reminder of the consequences of treating criminal activity as a competitive sport."
PCI Perplexity
A security vendor recently had to issue a correction to its own sales pitch after it
The vendor, TF Payments, a unit of ThoughtFocus Technologies, was marketing its FocusPay product as compliant with the Payment Card Industry Data Security Standard for mobile payments, "when in fact no one can be," the article said.
"Vendors are feeling pressured to promise capability with non-existent standards — and hoping no one notices," the article continued. "This time, however, someone did."
The article said that although in some cases these false claims are outright lies, in other cases they stem from efforts by marketing people to build campaigns around PCI compliance "with no meaningful oversight from the technology people who know the areas better."
Daniel Stiel, the contractor who worked on the marketing campaign for FocusPay, said in the correction email that although the earlier email had a graphic that could be read as a logo indicating the mobile application was PCI-certified, "the reality is that there is no such thing as a 'PCI-certified' mobile payment app or an official mobile certification logo."
Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any











