Debt to Society

A computer contractor who used his specialized skills and access to steal nearly $2 million from four credit unions must pay most of it back and spend five years behind bars.

Zeldon Morris of Provo, Utah, was sentenced last week after pleading guilty to initiating fraudulent automated clearing house transfers at Family First Credit Union, Alpine Credit Union, Deseret First Credit Union and First Credit Union, Computerworld reported April 29.

Morris was a contractor for Open Source Solutions Inc. of Provo, which the credit unions hired to perform system upgrades, the article said. The victimized credit unions gave Morris unrestricted access to their systems as part of those projects, according to Computerworld.

Morris was convicted of stealing $1.2 million from Family First, about $82,000 from Alpine, about $635,000 from Deseret and $93,000 from First Credit over the course of two years, Computerworld reported.

Morris' crimes were detected not by the credit unions but by a business partner of his who noticed suspiciously large ACH payments into their joint business account, the article said. After his prison term, Morris must submit to five years of supervised release.

He has also been ordered to repay more than $1.8 million in restitution.

When Autos Attack

ATM heists are commonly associated with pickup trucks and forklifts, which have the necessary heft to pry the machines loose and crack them open. Some New York thieves, however, are robbing ATMs with a bit more style.

Police are seeking a Cadillac, which The Wall Street Journal playfully described as "a 4 1/2-foot-tall, 4,000-pound suspect."

The suspects' faces were not visible in security camera footage from any of the 11 heists linked to the car, the Journal reported April 28.

Most of the crimes took place in Lower Manhattan, though the first, on Jan. 23, was farther north, at East 33rd Street, the article said. The biggest haul was $13,000, which police say is roughly three times the average amount stolen in a branch robbery.

In some cases the thieves attached a chain to an ATM and used the Cadillac to drag the machine from its restraints. In other cases they broke into the ATMs using crowbars and used the car as a getaway vehicle.

The Cadillac was a black Brougham model built between 1987 and 1991 and sporting "chrome trim, bumpers and grill and spoked rims," the article said.


The U.S. Bureau of Engraving and Printing's home page, which typically provides details about how to spot counterfeit currency, was replaced by a counterfeit website controlled by hackers, a security vendor said.

The altered website was "virtually undetectable" and contained code that redirected visitors to a site hosted in the Ukraine that distributes malicious software, according to an article Computerworld ran Tuesday.

The security vendor AVG Technologies USA Inc. said it discovered the incident Monday, and by Tuesday morning the government agency's website had been taken down. The Treasury Department, which owns the affected Web domains, did not respond to requests for comment, the article said.

Two weeks ago the Treasury began relying on the engraving and printing bureau's site to promote the new design of the $100 bill.

Citizen's Arrest

There is such a thing as being too prepared.

A suspect in the would-be robbery of a Florida credit union reportedly put on a shopping bag as a mask well before it was his turn in line at the teller — giving an observer enough time to leave the branch and return, armed, to prevent the robbery.

The alleged robber, Floyd Francis, was outmatched — the robbery note even said that he had no gun, the Orlando television station WESH reported Friday.

Ruben Torres, the credit union patron who realized something was up, got his gun and — as WESH phrased it — "put a stop payment on the crime."

Torres said he put the gun at Francis' back and ordered him to the floor. Francis obeyed and remained under Torres' control until police arrived.

Torres said he felt it was important to act before police would have had time to arrive.

"I figured somebody had to stop this guy," he said.

The suspect's handwritten note would have instructed the teller at Space Coast Credit Union in Palm Bay to "put di money innah di bag" and then, in the next two lines, to "always smoke weed, get high."

Protecting PFM

A user of Intuit Inc.'s has suggested ways users could augment security at the personal financial management website.

Mint, like other PFM providers, allows users to see their spending data from several bank accounts in one password-protected website but does not allow users to transact from the PFM site.

Jason Owens, a security professional, wrote an article for the Gawker Media site that told users how they can further protect this sensitive data when accessing over a public WiFi system.

One thing users need to be aware of, Owens wrote, is that displays the users's login name at the top of the screen — revealing users' account names to passersby.

Another issue is that does not use challenge questions for password resets, Owens wrote. It sends a link to the user's e-mail, and that e-mail can be intercepted easily if the user checks e-mail messages while connected to a WiFi hotspot with outdated security — or if a hacker has set up a dummy hotspot to capture this information.

"At this point, as the attacker I have everything I need," Owens wrote. "I don't need to get the victim to request a password reset because I can submit it myself, because I know the e-mail address of the account."

How to defend against this?

"Don't use your regular e-mail address, set up one specifically for" and do not check that account over public WiFi, Owens wrote. The e-mail address should be random, protecting it against brute force attacks, and users should be protective of the information displayed on their screens in public.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.