Security Watch

Wild Toss

Some fans participating in last week's ticker-tape parade for the New York Yankees threw caution — and a few Social Security numbers — to the wind.

In lieu of ticker tape, many people threw shredded documents from their office windows — and some unshredded ones as well, some local reporters discovered.

The New York Daily News reported Saturday that an employee of the stock trading firm Alan Sarroff LLC hurled several paychecks from the 17th story of his office building. The company would not identify the worker, but described him as an "overenthusiastic" fan who did not realize he had thrown out confidential information. The paychecks had names, addresses, and Social Security numbers.

Separately, Fox News reported Friday that its own reporters found unshredded forms bearing medical and financial data that they described as "the perfect tools for identity theft."

Fox speculated that most of the information it found was from an insurance company with offices in downtown Manhattan, where the parade took place. Fox said it was contacting the people whose information it had found.

New Threats

The author of what may be the first malicious program for the Apple Inc. iPhone wants to teach you a lesson: don't hack your phone unless you don't want other people to hack it too.

"Who cares its only your bank details at stake," says an apostrophe-free comment buried in the program's coding; the application seems designed more to attract attention than to cause trouble, since all it apparently does is replace the user's phone wallpaper with a photo of the singer Rick Astley (the image also boasts that the software is "never gonna give you up"). The bug affects only those phones that have been "jailbroken," or hacked to allow users to install software from outside Apple's app store ecosystem, the online tech news site Ars Technica reported Monday.

The malware, which apparently began spreading from Australia, infects jailbroken phones that run an SSH server and have not changed its default password. Although the Rick Astley bug apparently does nothing malicious, a hacker could use the same technique to steal any bank passwords typed into a compromised phone, the article said.

Apple has tried to hinder developers' efforts to jailbreak its phones. Many of the iPhone's software updates include coding intended to thwart hackers.

The phishers asking people to reveal their MySpace passwords don't seem to actually care about the MySpace passwords.

Instead, the scammers are impersonating News Corp.'s social networking Web site in an attempt to build credibility before attempting a more complicated scam, The Washington Post's Brian Krebs reported in his "Security Fix" column Monday.

Researchers at the University of Alabama at Birmingham examined some of the MySpace phishing messages, and noticed that they never seem to test the credentials for the social networking site.

"It's not clear whether the attackers really care about the login information," Krebs wrote, "as the bogus sites will authenticate a user regardless of the supplied user name and password."

Once they're "authenticated," the victims are presented with the real scam: the Zeus program, a notorious stealer of banking credentials, disguised as a "MySpace Update Tool" that victims are asked to download, Krebs wrote.

A similar scam has targeted users of Facebook Inc.'s social networking site, but was shut down when it was determined that the servers hosting the fake Web pages also were hosting malicious software. Gary Warner, the university's director of research in computer forensics, said that the MySpace version of the scam might be more effective because the servers hosting the phony Web pages do not also host the Zeus program.

"Many countries don't care if you send spam, but those same countries often will nuke a site if they can confirm reports that it's serving up malware," Warner told Krebs. "In this case, the phishing sites are likely to live longer because of the fact that there's no longer malware on them."

Shield Pierced

The personal financial information of 850,000 health-care professionals was compromised when a laptop was stolen in late August from the Blue Cross Blue Shield Association.

The insurer said it discovered Sept. 2 that a laptop had been stolen Aug. 25 in the Chicago area. It delayed notifying the affected people so that it could assign credit-monitoring codes to the providers, a spokeswoman for Anthem Blue Cross and Blue Shield of Connecticut, which licenses the Blue Cross name, told the Hartford Courant for a Tuesday article.

A Blue Cross spokesman told the Courant that the provider data was unencrypted and had been put on the laptop by an employee, in violation of the association's policy. The employee hoped to work over the weekend and put the information on a personal laptop; the laptop was left in a car overnight, and the car was then burglarized.

Connecticut's attorney general, Richard Blumenthal, said he was upset at the delay in the notification to the 19,000 Connecticut providers. "These health-care professionals were left uninformed and unprotected for two months," he told the paper.

Blumenthal noted that although state law does not mandate a deadline for disclosing a breach, it does allow for fines in some situations.

Blumenthal has already convinced Anthem to extend its free credit-monitoring offer to two years instead of one, the paper reported.

Carl R. Baum, a pediatric doctor in the emergency room at Yale-New Haven Children's Hospital, told the paper that because identity theft can go on for years, "to think that one year was satisfactory was crazy."

Indicted

Federal prosecutors announced indictments Tuesday against eight individuals suspected of breaching Royal Bank of Scotland Group PLC's processor, RBS Worldpay Inc.

The eight people, who come from Eastern European countries, are accused of stealing data on 1.5 million people in November, The Wall Street Journal reported Tuesday. They allegedly used the data to create bogus automated teller machine cards, which were used to withdraw money from 2,100 ATMs in 280 cities, the article said.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.
