GPS Locates Loot

Exploding dye packs not high-tech enough? Banks are now thwarting robbery attempts with GPS units that can lead police straight to the stolen cash.

The technology was used to catch suspects in an armed robbery of a Calumet City, Ill., branch of TCF Financial Corp.'s TCF Bank, the Chicago Tribune reported last week.

A Federal Bureau of Investigation affidavit said this was the first time the technology had been successfully used to nab bank robbery suspects in the Chicago area. The global positioning system units are about the size of a credit card, and two of them were hidden among the wads of cash reportedly found with the suspects.

The robbery took place Dec. 30, the article said. Suspects Timothy Rucker, Phillip Griffen and Brandon Barnes are accused of entering the bank wearing black clothing and masks, demanding cash from a teller at gunpoint and driving off in two cars with $9,000 in a blue nylon bag.

The two GPS units led police to Rucker's parents' home in Dolton, Ill. Police said they found most of the cash, the tracking devices and a handgun in the house's basement.

The technology has been used before, the Tribune said, though it did not specify when or where. In that case a GPS unit was used to determine that a locksmith working at a bank branch had stolen some money (and the GPS along with it) while left unsupervised in the bank's vault.

Wired.com's "Threat Level" blog said the technology is precise enough that police searching a parking lot for stolen cash could determine which car has a GPS device hidden inside. "Threat Level" described in a blog post last week an incident in which a GPS device led police to stolen cash had been hidden inside a wall.

The Tribune noted that GPS has one disadvantage when compared to dye: It is not obvious when someone has a GPS unit.

The paper described two incidents when exploding dye packs led to arrests, either by marking the cash or the suspect. By contrast, in the locksmith incident, police let the suspect walk out the door with the cash, and the GPS, the Tribune reported.

Droidlocks

All it takes to unlock a password-protected "Droid" cell phone is a phone call, the tech news blog TechCrunch reported Monday.

The Droid, a Motorola Inc. phone that runs the latest version of Google Inc.'s Android mobile operating system, can be set to block access to the phone unless a user traces a specific pattern across its screen. This is meant to prevent unauthorized access to sensitive data stored on the device.

However, after the phone receives a call, a user can press the phone's "back" button to bypass the security feature and access all of the phone's data. Google confirmed the issue and told the blog it was working on a fix.

TechCrunch noted that a similar security flaw was discovered in the Apple Inc. iPhone in 2008.


Beware of "unofficial" mobile banking apps — they may be the smart phone equivalent of phishers' spoof banking sites.

Even smart phones' official app stores may not be perfectly safe, the tech news blog Engadget warned in a blog post Monday. The software developer "Droid09" created a mobile banking app for Android phones that steals any bank information typed into it, though the app has since been pulled from the Android Market.

First Tech Credit Union in Beaverton, Ore., published a fraud alert last month that described how the app worked. "It creates a shell of mobile banking apps that tries to gain access to a consumer's financial information," the credit union said. First Tech does not offer an Android app, and advised members to log in through the phone's Web browser instead.

First Tech's alert suggested that Droid09 may be harder to remove than most apps. "If you did download the Droid09 app, please remove it from your phone and take it to your mobile provider to ensure it's completely removed," the alert said.

Hobo and CEO

Nineteen people have been charged with setting up shell IT companies to obtain fraudulent lines of credit.

The scam's alleged mastermind is Michael Faulkner, a former Southlake, Texas, resident, whose e-mails were included in court filings unsealed last week, according to an article Computerworld ran Tuesday.

Faulkner is accused of using the identities of homeless people, who were paid off in cash and alcohol, to serve as chief executives of his shell companies, which provided Internet hosting services, the article said. One of Faulkner's e-mails allegedly read: "As our clients pre-pay … we can effectively catch up on all our bills, payroll, and then some, and launch another profitable endeavor, long before we even get a bill from Verizon," which is one of the companies whose services Faulkner's companies resold.

The Department of Justice said Faulkner might be dead, citing an anonymous Internet report. Other suspects include employees and business partners of Faulkner's who said they were unaware of any illegal activities, according to the article.

Poorly Kept Secrets

Computer programs that offer to remember your passwords may not be keeping them secure, according to an article the news blog Gizmodo.com ran Monday.

Some applications, such as the instant messaging program Pidgin, store passwords in plain text. The developers of Pidgin defended this decision by saying they do not want to give their users a false sense of security by pretending their program does anything more, the article said.

Even though most programs attempt to be more secure, there are enough free password-recovery tools available online that someone who steals your computer may be able to extract any banking or e-mail passwords stored on it, the article said.

The best way to keep this data secure is to encrypt it either in a dedicated password locker program or by using an operating system's encryption tools. The article cautioned, however, that the master password used to protect the other passwords should be long and complex, or else it could easily be broken using a brute-force tool.

"If you used a weak and pathetic password like 'secret,' it could be broken in a matter of minutes with a brute force cracking tool, but a decent 8+ random character password will take at least 73 years for a brute force attack," the article said.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.