Security Watch

Pager Alert

Pager messages recorded on Sept. 11, 2001, have been published online, answering some questions about the terrorist attacks but raising other questions about how secure most pagers really are.

CBS blogger Declan McCullagh called the messages "a boon for historians [and] a new source of concern for privacy advocates" in a Nov. 25 blog post about the messages, which were published that day on WikiLeaks.org.

Of particular concern are messages that contain sensitive personal information or confidential government information — especially since those messages were most likely intercepted and recorded by a third party, McCullagh wrote.

So how does a pager message get intercepted?

Easy — the messages themselves are not encrypted, and even a $10 pager can be modified to receive every message moving across its network, though it must be connected to a computer to store copies of all the messages, McCullagh wrote.

"Each digital pager is assigned a unique Channel Access Protocol code, or capcode, that tells it to pay attention to what immediately follows," he wrote.

"In what amounts to a gentleman's agreement, no encryption is used, and properly designed pagers politely ignore what's not addressed to them."

McCullagh likened the stored pager traffic to the stored search histories that Time Warner Inc.'s AOL LLC unit published in 2006. In that incident, even though the usernames were anonymized, some users' search terms included Social Security numbers and other sensitive data that could be used for identity theft and other malicious purposes.

"Without end-to-end encryption, and perhaps even with it, your correspondence is vulnerable to interception and publication," McCullagh wrote.

"And if you're the Secret Service responding to threats against the president … why are you letting anyone with a $10 pager and a Windows laptop watch what you're doing?"

Security expert Bruce Schneier responded to the column on his blog Nov. 26, and posed another question.

"It's disturbing to realize that someone, possibly not even a government, was routinely intercepting most (all?) of the pager data in lower Manhattan as far back as 2001," Schneier wrote. "Who was doing it? For what purpose? That, we don't know."

ACH Hack Attack

Hackers are exploiting the automated clearing house network to pool stolen money into a single compromised business account.

Hackers needed access to only one account to steal money from several businesses, The Washington Post's Brian Krebs reported in his "Security Fix" column Monday.

After gaining access to a corporate account, they initiated ACH debits to transfer funds into it from other businesses' accounts, and then withdrew the funds.

In one example, the compromised account belonged to Bill Anderson Publishing of Manteno, Ill., which received a $100,000 ACH transfer from a Washington, D.C., property management firm that Krebs did not name. Bill Anderson, who owns the publishing company, said his account received transfers from three companies in all, and that the hackers then attempted to withdraw the funds in smaller chunks.

Even though Anderson was not in on the scam, he too has suffered. Because Anderson's bank froze his account after discovering the suspicious transactions, "I don't even have access to my own funds anymore," he told Krebs.

An employee of the Washington firm involved in the incident said that hackers attempted to steal $1.3 million in three separate transfers, but that all were stopped.

Rayleen Pirnie, the senior manager for fraud and risk mitigation at the not-for-profit trade association Epcor, told Krebs that this method of theft is increasingly common. In such cases, criminals need only the account and routing number of the accounts from which they intend to steal.

"Instead of pushing money, which is what most of the criminal groups do through the payroll portion of ACH, they're utilizing another option in the service to credit their account and debit someone else's," Pirnie said.

In the D.C. incident, the unnamed woman told Krebs that her company was notified by its bank months ago that its account had been compromised. The company changed its username and password for online access, but not its account number.

Exposures

A recently stolen laptop had the Social Security numbers of 6,400 people who received treatment at Aurora St. Luke's Medical Center in Milwaukee.

The laptop also had patients' names, birth dates, diagnosis codes and medical record numbers (but not actual medical records), according to a Monday article in the tech and security publication SC Magazine. The computer, which belonged to an employee of the Cogent Healthcare of Wisconsin physician group, was stolen in October from a locked office. The affected individuals were patients of a Cogent physician.

Cogent is offering free credit protection to the 6,400 patients.


Penn State University alumni are threatening litigation after a computer virus on a professor's computer may have exposed the Social Security numbers of 303 individuals.

Mike McEvoy, who graduated in 2006, told the student paper The Daily Collegian he was upset that he was not notified until three months after the Aug. 3 discovery of the incident that his information had been exposed.

"I don't understand why it took the college three months to tell us," he told the paper. "A lot could have happened in three months."

Another 2006 alum, Ryan Davidson, said he and his fellow grads have "entertained the possibility of legal action" over the incident. "The school should've kept our information pretty confidential," he told the paper.

The Social Security numbers had been kept in an online grade book used by the professor.


The Social Security numbers of 943 people may have been exposed after a laptop was stolen from Children's Hospital of Philadelphia.

The computer was stolen Oct. 20 from a car outside an employee's home, according to a Tuesday article in The Philadelphia Inquirer. The information, used for billing, was password-protected, but the hospital determined that the protection could be cracked. The hospital is offering credit monitoring and identity restoration services to affected families, the article said.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.