Weakest Link

Small and midsize businesses have lost at least $40 million to online banking fraud since 2004, the Federal Bureau of Investigation reported this week.

Ordinarily, the FBI does not publicize such losses, but the agency is taking the unusual step of promoting the magnitude of companies' losses to encourage those most at risk to adopt safeguards, Steve Chabinsky, a deputy assistant director of the FBI's Cyber Division, told Brian Krebs for his "Security Fix" column in The Washington Post Monday.

The FBI warned of a "sophisticated but increasingly common form of online banking fraud," in which criminals steal the victim's online banking credentials with malicious software distributed through spam.

The intruders then initiate a series of unauthorized bank transfers from the company's online account, keeping the amounts below $10,000 to avoid banks' anti-money-laundering reporting requirements.

The funds are sent to so-called money mules, willing or unwitting individuals typically recruited over the Internet through work-at-home job scams. When the mules withdraw the cash from their accounts, they are instructed to wire it (minus a small commission) abroad, typically to organized criminal groups in Eastern Europe, Chabinsky said. "What we're seeing is a trend towards [fraudsters] taking advantage of the weak link in the banking process, which is the customer."

The criminals involved in these online account takeovers have attempted to steal at least $85 million from mostly small and midsize businesses, and have successfully made off with about $40 million, Chabinsky said.

To protect themselves, businesses should do their online banking from a dedicated computer that is not used for everyday Web browsing or e-mail, Krebs suggested.
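The takeover pattern described above leaves a recognizable trace on the bank's side: a burst of outbound transfers from one business account, each kept under the $10,000 reporting threshold, going to payees that account has never paid before. The detection heuristic below is an added example written for this column, not anything from the FBI or from Krebs; the 48-hour window, the "new payee" test and the sample ledger are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Per-transfer amount the article says fraudsters stay below; the
# 48-hour window is an assumption of this example, not a figure from it.
REPORT_THRESHOLD = 10_000.00
WINDOW = timedelta(hours=48)

# Constructed sample ledger, not real data: (timestamp, account, payee, amount).
SAMPLE_TRANSFERS = [
    ("2009-10-19 09:02", "acct-001", "payroll-vendor", 42_500.00),
    ("2009-10-20 08:14", "acct-001", "mule-a", 9_450.00),
    ("2009-10-20 08:31", "acct-001", "mule-b", 9_800.00),
    ("2009-10-20 09:05", "acct-001", "mule-c", 9_300.00),
    ("2009-10-20 09:40", "acct-001", "mule-d", 9_950.00),
    ("2009-10-20 10:15", "acct-002", "office-supply", 1_200.00),
    ("2009-10-21 10:15", "acct-002", "landlord", 4_000.00),
    ("2009-10-20 11:00", "acct-003", "new-supplier", 15_000.00),
]

# Constructed payee history: payees each account has paid before.
KNOWN_PAYEES = {
    "acct-001": {"payroll-vendor"},
    "acct-002": {"office-supply", "landlord"},
}

def flag_structured_transfers(transfers, known_payees,
                              threshold=REPORT_THRESHOLD, window=WINDOW):
    """Return {account: summary} for accounts whose under-threshold transfers
    to never-before-seen payees add up to the threshold or more within the window."""
    by_account = defaultdict(list)
    for ts, acct, payee, amount in transfers:
        by_account[acct].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), payee, amount))
    flagged = {}
    for acct, rows in by_account.items():
        rows.sort()
        # Candidates: below the threshold (a single large transfer would be
        # reported anyway) and to a payee this account has no history with.
        cands = [r for r in rows
                 if r[2] < threshold and r[1] not in known_payees.get(acct, set())]
        for i, (t0, _, _) in enumerate(cands):
            run = [r for r in cands[i:] if r[0] - t0 <= window]
            total = sum(r[2] for r in run)
            if len(run) >= 2 and total >= threshold:
                flagged[acct] = {"count": len(run), "total": total,
                                 "payees": [r[1] for r in run]}
                break
    return flagged

if __name__ == "__main__":
    for acct, info in flag_structured_transfers(SAMPLE_TRANSFERS, KNOWN_PAYEES).items():
        print(acct, info)
```

A hit here is a reason to hold the batch and call the customer on a known phone number, not proof of fraud; legitimate businesses do onboard several new vendors at once.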

Free Speech?

Is the reposting of legally obtained personal information online protected free speech, or is it, as the Commonwealth of Virginia insists, "crime-facilitating speech"?

At issue is the Virginia Watchdog Web site, run by the privacy advocate Betty Ostergren, who has worked for seven years to compel government agencies to stop posting such information online, Computerworld reported Oct. 21.

She draws attention to the issue by reposting the Social Security numbers of public figures she has found in government databases. These have included former Florida governor Jeb Bush, former Secretary of State Colin Powell and former House majority leader Tom DeLay.

Ostergren has agreed in the past to remove the data from her Web site on the condition that the agencies that initially exposed the numbers do the same.

Virginia has challenged Ostergren both in court and in its legislature, where last year it outlawed the reposting of even legally obtained personal information. The Virginia chapter of the American Civil Liberties Union filed a lawsuit on Ostergren's behalf, challenging the law as unconstitutional. The court agreed last year that it would be unconstitutional to use the law against Ostergren's work, though the commonwealth has appealed.

Prosecutors stressed that Ostergren's work presented "the very real prospect of devastating criminal predation" on the people whose data she reposts. As such, it should not be considered protected free speech, they argued.

Most recently, the Electronic Privacy Information Center has filed a friend-of-the-court brief siding with Ostergren. John Verdi, the center's senior counsel, said Ostergren's work is "exactly the type of speech that is protected by the First Amendment."

Pressure in Nigeria

Online scammers in Nigeria are feeling more pressure from local authorities.

Nigeria's Economic and Financial Crimes Commission has outlined an aggressive new approach to cracking down on the country's scammers: "Project Eagle Claw," which, though not yet fully implemented, has already led to 18 arrests and the shutdown of 800 scam Web sites, according to an Oct. 23 article from the technology news Web site Ars Technica.

Nigeria's earlier efforts were too slow to be effective at combating online fraud, Farida Waziri, the EFCC's chairman, said during a speech. By contrast, the new effort "will take Nigeria out of the top-10 list of countries with the highest incidence of fraudulent e-mails," Waziri said.

So-called Nigerian scams, sometimes called advance-fee scams, trick victims into paying fees up front for a promised — but never-delivered — larger payout later. They often originate in Nigeria.

Ars Technica noted that Nigerian scammers face another threat besides the new crackdown. "Scam baiters" are people who fight back by stringing along scammers. Some baiters go to extreme measures — tricking the scammers into traveling into dangerous regions or performing tasks that would attract the attention of law enforcement — in the hope that the scammers will decide their ruses are too risky to continue.

Open Enrollment

Better sign up for next year's health insurance fast; employees of the Bullitt County, Ky., school district who procrastinated had their Social Security numbers mistakenly exposed in a reminder e-mail sent to 1,800 employees.

The e-mail, which included the names and Social Security numbers of 676 employees of the Bullitt County Public Schools, identified the affected people as not having completed the district's 2010 open-enrollment process, The Courier-Journal of Louisville reported Oct. 21.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.