Nacha Gotcha

Phishers will impersonate anyone to make a buck — even Nacha, the electronic payments association, an organization that is likely unknown to most consumers.

The target of the scam is therefore businesses, according to The Washington Post's Brian Krebs, who calls this scheme "The Nacha gotcha." In his "Security Fix" column Friday, Krebs wrote that the scam e-mails warn recipients of unauthorized or failed automated clearing house payments in an attempt to trick "people who actually recognize what a failed or rejected ACH transaction can mean for their business's bottom line."

The e-mail contains a link to a "transaction report" that actually leads to a malicious program that can steal banking credentials and has already been used in several scams to drain businesses' bank accounts, Krebs wrote.

Most popular antivirus products would not flag the "report" as a piece of malicious software.

Hitting Twitter

An IBM security researcher in Turkey has made an attack on the social networking service Twitter to demonstrate a potentially dangerous weakness in online authentication systems.

The exploit by Anil Kurmus employs the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams using the Secure Sockets Layer protocol, PC World magazine reported Monday. The security hole has since been patched.

Client renegotiation gives a Web site such as Twitter a way to ask a user for an SSL certificate from a user who is already signed on. It's useful for sites that let users log on using smart cards or for sites that restrict access to a select group of predefined Web surfers, PC World said, but until the flaw is fixed, client renegotiation also opens the door for SSL attacks.

But there has been some debate about the seriousness of the flaw. Shortly after the bug was made public, IBM researcher Tom Cross said that, for the most part, major Web applications would not be affected by the issue.

But Cross later changed his mind, writing: "Unfortunately, the situation is worse than I thought."

Webmail applications, in particular, may also be at risk from this attack. And security experts also worry that other applications — databases, for example — may be at risk, PC World said.

The flaw was discovered by a researcher from PhoneFactor, a provider of two-factor authentication services. Steve Dispensa, PhoneFactor's chief technology officer, wrote in an e-mail message: "This flaw violates one of the core guarantees made by SSL — namely, that an attacker with access to the data stream can't make any changes to the encrypted data. When such a guarantee is violated, it's difficult to predict the consequences. I fear this Twitter attack is just the first of what may be many to come."

New iPhone Hack

The first iPhone bug simply mocked its victims for their poor security — a newer version actually steals their data.

Both the innocuous bug, which was discovered a week and a half ago, and the malicious one target phones that have been "jailbroken" to run software that has not been approved by iPhone maker Apple Inc. Vulnerable phones must also run the SSH network protocol and still use their default password.

The new version can run from an iPhone or a computer, and seeks out vulnerable iPhones on the same network, the tech news site Ars Technica reported Nov. 11. Whereas the earlier version simply made itself known by replacing the user's wallpaper image, the new version does not warn users of its presence. Instead, it copies all phone data — contact information, e-mails and any data stored by any apps loaded onto the phone — and stores them on the machine running the attack.

The article stressed that this program only works on jailbroken iPhones that are running default passwords. Users who have not modified the software of their iPhone are not vulnerable to the attack.

Torrent Tool Retired

Operators of The Pirate Bay shuttered the site's BitTorrent tracker Tuesday, six years after it was founded,'s Threat Level blog reported Tuesday.

Trackers — the servers that bootstrap each BitTorrent download — are no longer necessary since enhancements allow peers to locate one another without accessing a central server, site operators wrote in the Bay's blog.

"Now that the decentralized system for finding peers is so well developed, TPB has decided that there is no need to run a tracker anymore, so it will remain down!" the announcement said. "It's the end of an era."

The changeover does not decommission the Swedish site, whose four co-founders face a year in prison for facilitating copyright infringement. The site continues to host and index torrent files, Wired said.

Gains for MagTek

Momentum in commitments for MagTek Inc.'s card authentication technology is picking up, which could save some retailers from dealing with high holiday losses next year.

The Seal Beach, Calif., company said changes it made to its card authentication technology should make it substantially easier to deploy, and those changes have sped up talks it has had with issuers and merchants.

Several have said they will start deploying its system by the spring, the company said.

"It's too late to fix it this year, but … it's very possible that next year's buying season is going to be significantly safer for everybody," Tom Patterson, MagTek's chief security officer, said in an interview.

MagTek's system identifies cards not by the data written in their magnetic stripes but by the physical properties of the stripes themselves — in effect, the "fingerprints" of the metal particles on a card's magnetic stripe.

This cannot be copied even if the data stored on the stripe can, the company said.

MagTek modified its system in April, enabling it to be installed simply by swapping the reader heads in a terminal — it no longer requires replacing the entire terminal.

One of MagTek's clients, Banco de Credito e Inversiones in Chile, uses the technology on its automated teller machines and claims it has almost completely eliminated losses from cloned card use at its ATMs.