Security Watch

Name Game

Some fraud artists are impersonating employees at the organizations whose names they are co-opting.

In one case, scammers pretending to be Federal Trade Commission Secretary Donald Clark called from a phone number with the Washington, D.C., area code, 202. The victim, a Washington state resident named Ralph, phoned the number back, and an answering machine said he had reached the FTC, MSNBC's Bob Sullivan reported Oct. 30 in his column "The Red Tape Chronicles."

The ruse itself was a typical advance-fee scam, asking Ralph to wire money to receive the $500,000 he was told he'd won. Ralph had entered a sweepstakes recently and was not surprised to be told he had won something, but he called the 202 number anyway just to be sure.

"It was very believable," he told Sullivan.

Betsy Broder, who heads the FTC's privacy and identity theft division, said there have been other instances of con artists impersonating FTC employees.

"Some of our people have been very shaken up once they find out their personal names were used. … This is particularly pernicious because it gives people a sense that this is legitimate and reliable," Broder told Sullivan.

Insider Indicted

A Bank of New York Mellon Corp. employee targeted his peers in an eight-year financial crime spree, according to Manhattan District Attorney Robert M. Morgenthau.

Adeniyi Adeyemi is accused of using the identities of 150 bank employees to steal funds from them and from other bank clients from Nov. 1, 2001, to April 30, 2009. He faces 149 charges of grand larceny, identity theft, money laundering, scheme to defraud, computer tampering and unlawful possession of personal identification information, according to an Oct. 28 announcement from Morgenthau's office.

According to Morgenthau, Adeyemi used employees' names to open dummy accounts at other financial institutions to receive stolen funds. He then allegedly stole money from those employees as well as several organizations with accounts at Bank of New York Mellon, where Adeyemi worked as a computer technician.

The New York/New Jersey Electronic Crimes Task Force traced the transfer instructions to a wireless Internet connection in Adeyemi's apartment building, where mail associated with the fraudulent transactions was also sent, according to Morgenthau. Further evidence, such as the computerized credit reports of many bank employees, was uncovered when a warrant for a search of Adeyemi's apartment was executed on April 30, the announcement said.

Going Viral

Microsoft Corp. has admitted that its Autorun feature, meant to be a convenience to users who want CDs and other devices to play automatically when placed in a computer, has helped some prominent malicious programs reach more targets.

The same feature that lets music play without any prompting from the computer's user can also let viruses on a disc or a USB drive activate before a user even realizes it is there, The Washington Post's Brian Krebs reported in his "Security Fix" column Monday.

In Microsoft's latest Security Intelligence Report, the company said that a pair of bugs that exploit the Autorun feature have infected more than 10 million computers. One of those bugs, a password stealer called Taterf, uses Autorun as its exclusive method of infection.

Microsoft did not enable the Autorun feature for USB devices in its newest operating system, Windows 7, though CDs and DVDs still run when inserted. A patch Microsoft put out in August switched off the Autorun feature for USB devices in earlier versions of the Windows operating system, the article said, though that patch was not distributed through the automatic update system that Microsoft uses to distribute most security fixes.

Krebs wrote that Autorun, which was introduced in 1995, had "a pretty good run, particularly considering how long malware has used it as a propagation method. Frankly, I'm surprised that Microsoft kept Autorun the default option for as long as it did."

Credit Freeze

LifeLock Inc., the Tempe, Ariz., company that promotes the effectiveness of its identity theft prevention by putting its chief executive's Social Security number in its ads, has agreed to shut down its automated fraud alert service.

The agreement was part of a confidential settlement ending a more than three-year court battle initiated by the credit bureau Experian Information Solutions Inc., The Arizona Republic reported Oct. 23. Both companies said that they consider the settlement, which still must be approved by a judge, to be favorable.

At issue was LifeLock's use of the fraud alert system, which Experian argued was meant to be used directly by consumers who believed themselves to be victims of fraud. With a fraud alert on a consumer's credit file, financial services providers must perform extra verification of the consumer's identity before granting a new loan or credit. Experian argued that consumers could not outsource this task to a company like LifeLock, which kept these alerts constantly active on its clients' credit reports.

Though LifeLock has agreed to stop collecting the data it would need to place and renew these alerts, it says the lawsuit spurred it to change its approach to identity theft prevention, the article said.

"The unintended consequence that Experian may not realize is we have a better service than we did before," Todd Davis, LifeLock's CEO, told the newspaper. LifeLock began moving its clients to its new service about two months ago and has not lost any customers during the transition, he said.

Red-Flag Lag

The FTC said Oct. 30 that it had extended to June 1, 2010, the enforcement of the "Red Flags" rule, which requires companies to implement identity theft prevention programs.

The enforcement date for the rule, part of the Fair and Accurate Credit Transactions Act, has been delayed before and had earlier been set for Nov. 1, 2009. The FTC said in a press release that it put off the rule's enforcement again "at the request of members of Congress."

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.