Pepperoni Pilferers

Two junk-food addicts who allegedly tried their hand at ID theft got arrested on charges of using stolen cards to buy $10,000 worth of pizza from the same place, police say.

"I've never quite seen anything like that with pizzas," Bobby Herring, an investigator for the Caddo sheriff's office in Louisiana, told KSLA, a television station in Shreveport.

Whereas most card thieves profit by buying items they can resell for cash, the two suspects, Francis Gallagher, 21, and Taylor Powell, 17, are accused of using stolen cards to place repeated orders to a Domino's Pizza Inc. store for delivery.

Domino's caught on when it received complaints from cardholders about bogus charges and has since refunded the charges to the victims, the report said.

Gallagher and Powell, avid online video game players, allegedly met another gamer online who supplied them with stolen card numbers, the article said. Though most of the transactions covered just the cost of pizza — some orders topped $100 — the pair also allegedly overtipped by about $50 and asked for some of that money back in cash.

Police say a third person of interest is being sought in the investigation, though the report did not identify him or her.

What about Watt?

The coder who supplied the software used in Albert Gonzalez' massive card data thefts at TJX Cos. Inc. and other companies made no money on the scheme but still must pay a hefty price for his actions.

Stephen Watt began his two-year sentence last week and also must pay $171.5 million in restitution to TJX for his role in the crime, Wired.com reported in its "Threat Level" blog last week. Gonzalez' restitution amount has not been specified, but he has received concurrent 20-year prison sentences for his hacking crimes.

Watt wrote "blabla," the packet sniffing application Gonzalez used to break into corporate systems and steal card data. Watt has said he wrote the program as a favor, and received neither payment for the software nor a cut of the funds it was used to steal, Wired.com wrote.

But being poorly compensated is no excuse, U.S. District Judge Nancy Gertner said. "You cannot be a cog in this wheel knowing that someone else is stealing … even if you didn't get a dime for it," Gertner said during one hearing, according to the article.

Wired.com wrote: "If Watt had remained in prison after his 2008 arrest, he'd likely be out by now for time served. But he never believed he'd get prison time for what prosecutors and the judge acknowledge was a minor role in Gonzalez' criminal enterprise."

The Power of PCI

The Payment Card Industry Data Security Standard specifically covers only card data, but some companies are taking their compliance efforts a step further to protect other bank account data.

"Some of the more far-sighted enterprises I talk to plan to implement data protection around bank account numbers and data as well as payment card data at the same time they implement PCI-related security measures," Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc., wrote in a blog post Monday. "It's a good idea to do that — even if a company is not obligated to do so under any external rules or regulations," she wrote.

Checking account data may be left unprotected even when technology is in place to protect card data because no stakeholder is on the check side with the same influence the card brands have, Litan wrote. "Visa and MasterCard represent highly organized and centralized payment systems that have lots of enforcement muscle — and a corollary does not exist on the U.S. bank/deposit account side."

Crooks, however, have not ignored check data, she wrote.

"Depending on the exact information [in the] stolen record, bank account info sells for at least 10 times more than payment card info does in the black market," Litan wrote. "After all, it's generally much easier to turn stolen bank account information into cash than it is turning a credit card record into cash."

Anti-Antivirus

A newly discovered hack can fool antivirus software into thinking malicious programs are legitimate.

The security research website Matousec.com published a finding last week that demonstrates an "argument-switch attack," a method of fooling antivirus programs, Computerworld reported Tuesday.

Most antivirus programs operate by screening an application's program instructions to detect malicious applications before they are permitted to run. The hack discovered by Matousec.com would allow a malicious program to replace its own code with benign code during this vetting process and then switch back to hostile code when it runs, the article said. Matousec.com says it verified this technique on a Windows XP system.

Computerworld got a mixed response from antivirus vendors.

Some, such as F-Secure Corp. and Trend Micro Inc., stressed the seriousness of the finding. Others, such as McAfee Inc. and Kaspersky Lab ZAO, said the hack could not work unless the system was previously compromised and that it would not work against all security products.

Alfred Huger, the vice president of engineering at the Palo Alto, Calif., antivirus company Immunet Corp., sided with F-Secure and Trend Micro.

Huger told Computerworld that there are "lots of easier ways to game antivirus" than Matousec.com's discovery, but that this "doesn't lessen the impact."

A Cambridge Link

Scammers are trying to dupe residents of Cambridge, Mass., by claiming to be their neighbors.

The Cambridge Police Department's electronic crime unit says it has observed a spike in advanced fee scams by companies claiming to operate out of the city, according to an alert the Cambridge Chronicle published May 6.

The companies offer loans to people, then request a fee be sent to them by wire transfer, police said. If the victim complies, the companies keep requesting money.

The companies, Selkirk Solutions and J&K Loan Institution, "are claiming to have Cambridge office addresses," police said, but these "are unfounded." The electronic crime unit is "working on locating the individuals involved."

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.