Time for FFIEC 2.0?

It may be time for regulators to update online banking security policies.

The Federal Financial Institutions Examination Council issued guidelines in 2005 that prompted many banks to strengthen their online banking systems' authentication measures. However, the guidelines were not specific about how to do this, and many of the approaches banks chose five years ago are less effective today, Brian Krebs wrote in his "Krebs on Security" blog March 3.

"Organized computer criminals are defeating these solutions with ease," he wrote. "Experts say part of the problem is that few of these solutions can protect customers whose systems are already infected with password-stealing malicious software."

Robert C. Drozdowski, a senior technology specialist with the Federal Deposit Insurance Corp., told Krebs that regulators are considering further guidance with an eye toward improving security for commercial customers.

Though banks are not obligated to reimburse businesses for fraud losses, "we have situations where banks are sharing the losses with their customers in order to avoid litigation, and in order to preserve business relationships," Drozdowski told Krebs. Banks are required to have "commercially reasonable" protections in place, he said, but "what is commercially reasonable is not well defined."

But times have changed, Drozdowski said. "There's an awareness that what might have been adequate security four years ago … is not adequate or may not be adequate now," he told Krebs.

Last month the council updated its guidance on retail payments (which is separate from its online banking guidance). The earlier retail payments guidance was published in 2004.

Skimming Scams

Getting an illegal card skimming device into a gas pump can be done quickly and seamlessly, using a key that The Sacramento Bee described as "standardized and widely available."

A March 5 story in the Bee said police had arrested two suspects they believe are part of an organized crime ring.

David Karapetyan and Zhirayr Zamanyan were allegedly found in possession of 11 skimming devices that each held data on 400 to 500 accounts. Skimming devices are typically placed over a card reader slot; they are designed to blend in with the surrounding machinery, but often can be spotted by careful observers. In this case the suspects are accused of concealing the devices inside the gas pumps, out of sight of even the most alert motorists.

One of the devices was discovered within a gas pump by a station attendant who was changing receipt paper. Police replaced it with a decoy device; Karapetyan and Zamanyan later retrieved the decoy, the Bee reported.

Though the suspects are accused of modifying one Martinez, Calif., gas station operated by 7-Eleven Inc., they were arrested in possession of a GPS unit with the addresses of many more gas stations, leading police to investigate whether the suspects were involved with other reports of gas-pump tampering.

Other California gas stations have reported discovering skimming devices, but those incidents had not been linked to the Martinez case when the Bee ran its story.

A man named Albert Gonzalez has been arrested for an alleged financial crime, but not one as ambitious as the widespread hacks to which a younger Albert Gonzalez pleaded guilty last year.

The older Gonzalez, 39, of Lancaster, Calif., was arrested with two others on charges of conspiracy, identity theft, grand theft and computer access fraud, the Los Angeles Times reported Monday. Gonzalez and the other suspects have pleaded not guilty to charges of installing skimming devices on gas station pumps to steal credit and debit card data.

The younger Gonzalez, 28, pleaded guilty last year to the massive hacks disclosed by TJX Cos. Inc. and Heartland Payment Systems Inc. He is in custody in Boston awaiting sentencing.

Chew on This

A suspected account thief hoping to avoid prison food decided that some of the evidence against him — a USB flash drive — would be much easier to swallow.

Florin Necula was arrested outside a Queens, N.Y., bank in January for allegedly using skimming devices to steal card data from automated teller machine users. After swallowing a flash drive that was in his possession at the time of his arrest, Necula was also charged with obstruction of justice, the crime news Web site The Smoking Gun reported March 2.

Police began to suspect the flash drive had become an obstruction of a different kind when it did not reappear after four days, the article said; doctors had to be called in to extract the drive.

Hunting for WiFi

Many of the data security breaches resulting from stolen laptops could be prevented by turning off computers' wireless Internet capabilities, according to the security vendor Credant Technologies.

The vendor said that laptops constantly send out signals looking for online access points, and these signals can serve as a beacon to thieves, the magazine Infosecurity reported March 2.

Many modern laptops can take up to 30 minutes to go into sleep mode, and they still send out those signals during this period — even if, for example, a user has closed the machine and locked it into the trunk of a car.

WiFi detectors can look no different from key chains, so a prospective thief in a parking lot might look just like an ordinary motorist "waving their 'car keys' around, ostensibly trying to find their car, when in fact s/he is looking for the strongest WiFi signal," Sean Glynn, Credant's product manager, said in the article.

In addition to switching off WiFi or shutting computers down completely when not in use, Credant advises encrypting data stored on the laptop so that sensitive information stays protected if the machine is stolen.

Head Count

There is more than one census being conducted this year — if you count the bogus census forms circulated by identity thieves.

According to one victim, the phishy forms look very much like the official ones, but with one exception: the scammers' forms ask for Social Security numbers and bank account information, The Union of Grass Valley, Calif., reported Tuesday.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.