Talk to Me


Yet another communication tool has been taken over by phishers, according to RSA Security.

This time, it's the chat windows that some banks use to help reach customers who are surfing their Web sites. RSA said last Wednesday that it has observed this method in action once and expects imitators.

"If the fraudsters who developed this approach feel it is successful, history demonstrates they will use it again," Sean Brady, a product marketing manager for RSA's identity protection and verification business, said in an e-mail to American Banker.

"Plus," he wrote, "it is likely it will draw copycats — after all, there are no patents in online fraud."

The method, which RSA calls "Chat-in-the-Middle," is reminiscent of the "Man-in-the-Middle" attacks wherein a scammer manages to create a bogus Web site that operates between a consumer and their bank's site, intercepting all communications without tipping off the victims.

In this new attack, the scam starts out at a phishing Web site before passing the consumer along to the legitimate bank Web site to avoid detection. As that pass-off happens, a bogus chat window appears, within which the scammer impersonates a bank employee, according to RSA, which is a unit of EMC Corp.

During the chat session, the scammer attempts to get personal information that the consumer might not normally divulge during a normal online banking session. These details may include the answers to the extra security questions that some banks use to authenticate users logging in from an unrecognized computer.

RSA, which refused to identify the financial company that was targeted in this new technique, said the scammers are not yet attempting to duplicate the look and feel of banks' chat systems.


No-So-Easy Steps


Apple Inc.'s iPhone can now block phishing Web sites, but only for people who follow instructions that the technology news blog ReadWriteWeb claims are counterintuitive and hard to follow.

The antiphishing feature blocks malicious Web sites, such as those attempting to steal financial data. Though the security feature was part of this month's 3.1 update to the iPhone's software, Apple did not provide clear instructions for how to use it — an issue that perplexed security researchers, who even wondered if it was inoperative, the Sept. 16 article said.

The researchers tested the antiphishing system by attempting to visit well-known phishing Web sites. In the tests the ReadWriteWeb article highlighted, the iPhone did not display any warning message when loading most of the sites.

Apple responded to its critics by explaining through a representative how to use the antiphishing protection, though the company did not make these instructions available to the general public through its online description of the 3.1 update's features, ReadWriteWeb reported.

To switch on the antiphishing feature, the iPhone must be charging with its Web browser open and its screen turned off. Though Apple said this would be an automatic process for most users, "we would have to disagree," ReadWriteWeb's article said. In most cases, iPhone users "close down any open applications before plugging in the phone to charge."

Even those who follow the steps exactly may not be fully protected, the article said. If the user unplugs the phone before the process ends, the iPhone would only have a partial list of phishing sites to block.


Beware the Internet


That guy on the Internet asking you for your Social Security card and birth certificate as part of an application for a government job may not actually be the governor of West Virginia.

Matthew Don Reed of Hinton, W.Va., has been charged with impersonating a public official — West Virginia Gov. Joe Manchin — as well as impersonating a state Division of National Resources officer and forging a public document, The Register-Herald of Beckley, W.Va., reported Sept. 17.

Police said Reed asked people from across the country to visit a nonexistent West Virginia address as part of an application process for a job with the state government. He allegedly sent out letters purporting to be from Gov. Manchin but with "some serious red flags," as the article described them, notably atrocious spelling.

One read: "It's nice to have you as an employee of West Virginia. Your super (boss) Matt talk a lot of thangs about you. I hope you stay with us a long time. If you got ? please ask Matt."

Police said that Reed has admitted to some of the allegations against him and that a search of his home produced evidence he may have committed other crimes.

Google Inc.'s YouTube is host to many how-to videos — including, last week, one that explained how to assemble a skimming device for stealing payment card data.

Though the video has since been taken down as a violation of Google's policies, it was live Saturday when the tech blog Gizmodo highlighted it.

"Card skimmers are not cute hacks or experiments," Gizmodo writer Dan Nosowitz wrote in his rant against the video. "They're illegal devices used to steal money from innocent people."

So why spotlight the how-to video on a gadget blog?

"I realize that by writing about these dorks I'm giving them publicity," Nosowitz wrote, "but I'm hoping that publicity only results in something very, very bad happening to them."

Computer users are encouraged to keep updating their device drivers, the programs that allow hardware components to communicate, but in one case this practice exposed some users to a malicious Trojan horse virus.

The bug affected users of computer keyboards and mice from Razer USA Ltd., a company that specializes in hardware for computer game enthusiasts. Razer's own systems had been infected, and the bug attached itself to the company's drivers, thereby spreading to any users that wanted to keep their home computers up to date, according to an article Computerworld ran Monday.

The infection was discovered by the computer security firm Trend Micro Inc., which said it is not surprising that Razer didn't notice the bug immediately. "The malware had very low detection rates, with only seven out of 41 vendors offering generic detection," Rik Ferguson, a Trend Micro researcher, said in the article.

Razer said it is investigating the issue with Trend Micro and that it has taken its support Web site, where the drivers are offered, offline until the issue is resolved.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.