Dangerous Business

Cybercrime is becoming more dangerous.

A convicted data thief has pleaded guilty to trying to hire a hit man to execute an informant, Wired.com's Threat Level blog reported Monday.

Pavel Valkovich admitted last week that in January he offered someone $10,000 to kill the unnamed informant in a drive-by shooting. The admission came as part of a guilty plea during his murder-for-hire trial.

Valkovich is already serving time after pleading guilty earlier this year to bank fraud. He is to be sentenced for that crime in February and faces up to 30 years for the financial crime, and up to another 20 years for the solicitation charge.

According to law enforcement officials, when authorities learned of the plot they transferred Valkovich to another jail. Undeterred, he tried to arrange a new murder contract, offering $40,000 to kill the original informant and the person he had initially asked to handle the killing, the officials said. He also insisted that one of the victims be beheaded, the officials said.

Valkovich and a partner, Brian Dill, were charged this year with conspiring to steal money from consumers' bank accounts and transfer it to bank accounts they controlled through the PayPal Inc. unit of eBay Inc.

Dill and the informant, whose job was to open PayPal accounts to receive the transfers and then forward the money, began working together on a scam last year, the officials said

Dill managed to move $632,000 from a business account into a PayPal account, and he and Valkovich later met with the informant to plan further thefts, the officials said.

However, the informant had already begun cooperating with the Department of Homeland Security, which recorded some of these meetings to build a case against Dill and Valkovich.

Bad on Paper

Data breaches don't always happen through hacked computers. In some cases improperly disposed paper can create a ton — literally — of exposed data.

"There was a case earlier this month in Missouri where 2,000 pounds of credit reports, blank checks and copies of Social Security statements were found in a dumpster," Linda Foley, a co-founder of the nonprofit watchdog group Identity Theft Resource Center, told The Washington Post's Brian Krebs for his "Security Fix" column Dec. 10.

So far this year, 27% of the disclosed data breaches have involved data printed on paper, up from 17% for all of 2008, the center said.

Indeed, there is so much printed data available that it's hard to quantify it when some goes missing, Foley said. "You pay by the pound for shredding these documents, and that's the best measure we have sometimes."

The recession may be part of the reason that figure has risen, Foley said. "Companies are going out of business and then they take these papers and just toss them or leave them for the building's cleaning crew to deal with," she told Krebs.

Many of the state laws on data-breach notification — as well as three proposed federal notification laws — do not explicitly require disclosure of breaches involving paper documents, Krebs wrote, because the focus is on electronic breaches.

However, many companies disclose paper breaches out of an abundance of caution, he wrote.

Mrs. Doubtfire 2009

Some children look very much like their parents — but perhaps not enough to get away with identity fraud.

Tita Nyambi of Franklin, N.J., is accused of trying to impersonate his mother and make a withdrawal from her account at a JPMorgan Chase & Co. branch's drive-up window, according to an article The Star-Ledger ran Dec. 8. A detective's court affidavit said Nyambi wore his mother's pink blouse, black coat and head scarf as part of the ruse and spoke in a high-pitched voice.

Nyambi presented his mother's driver's license and forged her signature on a bank form in his attempt to withdraw $700 from her account, the affidavit said.

Bank employees were not fooled by the disguise, and immediately summoned police, who arrived while Nyambi was still at the branch.

Uncensored

Black bars are good for redacting sensitive data on physical documents, but not so good for electronic documents.

HSBC Holdings PLC and the Transportation Security Administration both disclosed this month that documents made public in electronic form may have exposed more information than was intended, according to articles Computerworld ran on Dec. 4 and Dec. 11.

In both incidents black bars were "drawn" over words in a PDF document in an effort to obscure some of the imformation, but the words themselves remained in the file and were easily accessible to people who know how to see behind the bars, Computerworld said.

Barry Murphy, an analyst with Murphy Insights in Boston, told Computerworld that "If I put a lot of black magic marker on paper I am actually covering the data so that it is redacted … in the digital world that is not true."

In the HSBC incident, the sensitive information pertained to financial information on bankruptcy documents that were filed electronically. In the TSA incident, the information was from a procedure manual the agency posted online.

The tech blog BoingBoing.net described in a Dec. 6 post about the TSA incident how to see through the electronic redaction method: "drawing black blocks over the words you want to eliminate from your PDF doesn't actually make the words go away, and can be defeated by nefarious al Qaeda operatives through a complex technique known as ctrl-a/ctrl-c/ctrl-v" — in other words, highlighting the redacted text and copying it into another document.

Computerworld said members of the House Committee on Homeland Security are looking into the issue even though the TSA said the document, which was put online as part of a contract solicitation bid, is out of date.

The committee has asked for the Department of Homeland Security's guidelines and has asked the department to check that other documents that are availalbe online have been properly redacted.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.