Security Watch

Skimmers for Sale

A skimming device was discovered — but not recovered — at a Wachovia-branded Wells Fargo & Co. branch in Alexandria, Va., in February.

The device was spotted by an automated teller machine technician who photographed it but left it in place while he went to notify bank officials, security writer Brian Krebs reported in his "Krebs on Security" blog March 25. When the technician returned, the device had gone missing.

So where did the device come from? "Interestingly, after my last story on ATM skimmers, I received several spammy comments on the entry directing readers to a site that specializes in selling ATM skimming devices," Krebs wrote, and on that site he found a skimmer built to blend in with Diebold Inc. machines that looked like the skimmer on the Wachovia machine.

A basic model of the Diebold-specific skimming device costs $1,500; adding Bluetooth or mobile-phone wireless capabilities bumps up the cost by $500 to $1,000 and would let scammers retrieve card data remotely, Krebs wrote.

If those prices are too steep for the aspiring skim-schemer, "the site also advertises a sort of rent-to-own model for would-be thieves," Krebs wrote. Under that setup, the vendor uses the wireless feature to keep some of the vital data, divulging it only on a predetermined "cashout day" in exchange for half the buyer's profits.

"Of course," Krebs wrote, "the entire site could be little more than a very clever scheme to bilk gullible thieves out of $1,000." And there are no chargebacks among thieves, Krebs noted: "The site owners only accept irreversible forms of payment, such as wire transfers and money orders."

Custom-Built Crime

When it comes to bank robberies, Gerald Blanchard certainly did his homework.

In one case, the brazen Canadian installed his own surveillance equipment in a bank branch as it was being built, according to a profile published in Wired magazine last week.

In that incident, Blanchard came across an Alberta Treasury branch under construction in Edmonton in 2001 and later made several trips inside disguised as a courier or construction worker. During those visits he planted surveillance equipment and took note of the locks in use on the automated teller machines. Later he ordered the same locks online to practice taking them apart — eventually, he burglarized the completed branch and took away $60,000, the article said.

A more lucrative 2004 heist, in which Blanchard stole more than half a million dollars from several Canadian Imperial Bank of Commerce ATMs, further illustrated the thief's thoroughness, Wired said. Though Blanchard emptied all but one of the branch's machines — he said he left one untouched to confuse investigators — police who arrived at the branch eight minutes after the alarm went off found no trace of him and initially considered the incident a false alarm, the article said.

Eventually, Blanchard became involved in a card-skimming ring and helped cash out cloned cards by using them for withdrawals at ATMs in foreign countries. He was arrested shortly after returning home to Canada because his phones had been tapped by police — they had caught on to Blanchard after the CIBC heist when a car Blanchard had rented in his own name was spotted by an employee of a neighboring Wal-Mart Stores Inc. outlet. The worker thought the vehicle had been left overnight in the parking lot, the article said.

Heads Up

Two alleged would-be bank robbers gave the bank enough warning that branch employees were able to have the police on hand to meet them.

The two suspects allegedly phoned the bank to ask the tellers to set aside $100,000 for them, CNN reported March 24. When the suspects arrived, one allegedly handed a stick-up note to the teller while the teller was on the phone with police.

"I've never had somebody call ahead and say, 'Get the money, we're coming,' "Det. Lt. Michael Gagner of the Fairfield, Conn., police department told CNN.

Though social engineering scams — wherein the perpetrator steals money by talking the victim into handing it over under some pretense (such as by phishing) — can be successful, in this case, the alleged robbers lacked finesse.

In fact, "we were all kind of cracking up with the call-ahead aspect of it," Gagner told CNN.

The suspects, a 27-year-old Bridgeport, Conn., resident named Albert Bailey and a juvenile who was not named in the article, were arrested outside the branch after receiving $900 from the teller.

According to the article: "Gagner added that the robbers insisted that the money waiting for them not be put in a dye pack. Their wishes were not followed, and a bag of cash exploded in dye when one of the suspects threw it on the ground."

See You in 20

Albert Gonzalez — the mastermind behind the TJX Cos. Inc. and Heartland Payment Systems Inc. breaches, among many others — has been sentenced to two 20-year prison terms.

For the TJX breach and several others, Gonzalez received a 20-year sentence, Wired.com's "Threat Level" blog reported March 25, describing the punishment as "among the longest imposed for a financial crime" and eclipsing the 13-year sentence recently handed down to hacker Max Ray Vision.

For the breaches on Heartland Payment Systems and other companies not covered by the TJX sentence, Gonzalez received a sentence of 20 years plus a day, Wired.com reported Friday, the day that sentence was announced.

The plea agreements said the sentences are to be served concurrently. Gonzalez may also have to pay restitution of an amount yet to be determined, the articles said.

Exposure

A stolen data drive has caused big problems for Educational Credit Management Corp.

The personal information of 3.3 million student borrowers was stored on the drive, which was stolen March 20 or 21 from ECMC, a nonprofit company that services loans for students who have filed for bankruptcy, according to an article Computerworld ran Monday.

ECMC did not say whether the data on the stolen storage device was encrypted. The stolen data includes names, addresses, birth dates and Social Security numbers, but not bank account or credit card data, the article said.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER