Online Banking Ban

Even a top law-enforcement official can be duped by phishing scams.

Robert Mueller, the director of the FBI, admitted last week that he had come "just a few clicks away from falling into a classic Internet phishing scam," after receiving an e-mail that seemed to come from his bank, Computerworld reported Oct. 7.

Mueller said that the e-mail mimicked the appearance of his bank's messages "very well," but he caught on before he revealed any personal information. Still, he changed his password as a precaution.

Mueller said he described the incident to his wife as a "teachable moment."

To which she replied: "Well, it is not my teachable moment. However, it is our money. No more Internet banking for you."

Phried Phishers

Dozens of alleged phishers were arrested by the FBI last week, capping a major investigation into an international fraud ring.

Federal agents rounded up 53 suspects in Southern California, Nevada and North Carolina, while authorities in Egypt sought to detain 47 more alleged co-conspirators, The New York Times reported Oct. 8.

Officials said the gang had managed to steal at least $2 million between 2007 and September of this year, from accounts at Bank of America Corp. and Wells Fargo & Co.

The investigation, code-named Operation Phish Phry, began in 2007 when the banks tipped off the FBI to the scam.

The alleged ringleaders were Kenneth Joseph Lucas, his ex-girlfriend Nichole Merzi and a friend, John Clarke. The trio recruited other people to open accounts and withdraw funds that had been transferred from compromised accounts.

Keith B. Bolcar, the acting head of the FBI's Los Angeles bureau, said the phishing messages were created and sent from Egypt. When people revealed their personal data, Lucas and his colleagues allegedly transferred funds from the victims' accounts into their own, keeping most of the money and sending some to co-conspirators in Egypt.

The 53 suspects in the United States face charges of conspiracy to commit bank fraud and wire fraud, which carries a maximum sentence of 20 years in prison. Some of the defendants face other charges as well.

"It was very well done, it was very organized and everybody got paid," Bolcar told the Times.

Though the FBI said the bust netted the most suspects ever charged in a cybercrime case, security experts said it would do little to stem the flood of online scams.

"I would imagine there are many different groups doing similar things," said Chet Wisniewski, a senior security adviser at the Web security firm Sophos PLC. "You squash one bug and another one emerges. If there's an opportunity to make money, someone will be there to collect the bill."

Is Time Money?

Consumers might be eligible for compensation for the time spent dealing with cyberbreaches.

A federal judge in Maine last week reversed his own earlier decision, sending a class action to the state's Supreme Court, Wired.com's Threat Level blog reported Oct. 9. The higher court will have to decide whether people should be compensated for the time and energy they spend policing their accounts and trying to correct fraudulent charges after their personal details are compromised.

The suit relates to a breach that was revealed last year, in which the Hannaford Brothers supermarket chain discovered that hackers had obtained 4.2 million credit and debit card accounts; about 1,800 of those are known to have been used for fraud.

Consumers filed numerous suits in several states claiming that the grocer had failed to properly protect their data; the suits were later consolidated into a class action in Maine.

In May, Judge D. Brock Hornby, of the U.S. District Court for the District of Maine, tossed out all but one of the complaints, ruling that Hannaford Brothers had no binding contract with the consumers to protect their account data, and that banks' zero-liability policies shielded them from actual financial losses. As part of that ruling, Hornby concluded that time spent dealing with the incident did not constitute monetary losses.

The one claim that was not dismissed then involved a Vermont woman who reportedly was never reimbursed for financial losses; under Maine law, consumers can sue for damages that stem from merchants' negligence. In his May ruling, Hornby noted that "collateral consequences," such as time spent, are not covered by the law.

The plaintiffs filed a motion asking the judge to let the courts review that portion of the law.

In his decision last week granting the motion, Hornby wrote that Maine's Supreme Court should evaluate whether "time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury?"

It's an important issue for retailers, which generally have not been required to compensate customers for data breaches.

Bad Tweet

The Twitter account of a prominent security researcher was suspended last week, after he used it to warn people about a phishing scam.

Mikko Hypponen, the chief researcher at the cybersecurity firm F-Secure Corp., posted the warning in August through Twitter Inc.'s microblogging service; two months later his account was briefly shut down, ZDNet.com reported Oct. 9.

The message began: "I guess somebody will fall for it … a desperate Myspace phishing site at … ." After adding the URL, Hypponen concluded "(don't go there)." He also included spaces in the URL to prevent the software from turning it into a live link.

He was notified this month that the Twitter account had been suspended because of "strange activity."

When Hypponen complained, Twitter restored the account, noting that the suspension was because he had used "malware" and to be careful because the company scans everything for malware.

Hypponen told ZDNet that the incident had been an unpleasant surprise. "As I've worked with Twitter previously regarding Twitter worms and such, I really didn't expect this. In addition, I wasn't expecting them to ban me because of a tweet that was actually warning users to stay away from a phishing site. I think their process leaves a lot to be desired," he said.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.