Security Watch

Busy Signal

Banks can now warn customers by phone about potentially fraudulent transactions — so fraudsters have responded by blocking the call.

They do this by bombarding victims with diversionary calls, Wired.com reported in its Threat Level blog May 12. Robert Thousand Jr. was hounded in November with repeated 30-second recordings pitching a phone-sex line. That same month, thieves began making multiple transfers from his retirement account, eventually withdrawing nearly $400,000.

The Federal Bureau of Investigation said Thousand's case is one of 16 it has observed since November in which scammers pepper consumers with phone messages to distract them from real communications from their bank, the Wired.com story said.

The thieves sent automated messages to Thousand's home, work and cell phone lines and to a phone belonging to his son, the story said.

So why do the transfers proceed when the banks cannot reach the account holders to confirm they are authentic?

AT&T Inc. spokesman Marty Richter told Wired.com that the harassing calls to the victim are just half of the equation. While the victim's phone line is tied up, the scammers then call the financial company to check on the status of the stalled money transfers — and persuade the bank to allow the transactions to complete.

Richter said AT&T and other phone companies are warning customers who complain about harassing calls or disrupted service that someone may be trying to break into their bank accounts.

Phorgetful Phisher

An active phisher neglected to renew the domain name he used to send instructions to hacked websites, creating an opening for a security firm to see all of his illegal activity.

The domain belonged to a Nigerian who left traces at roughly 1,100 hacked websites, Brian Krebs wrote in a Monday post to his Krebs on Security site.

The hacked sites all contained reference to a specific domain name — one that was about to expire when the Charleston, S.C., security company PhishLabs discovered it a year and a half ago. When the name came up for renewal, PhishLabs grabbed it before the scammer could.

The security company was then able to observe activity at the site over the course of 15 months.

John LaCour, PhishLabs' founder and president, told Krebs that during that period the scammer set up two or three new phishing sites a day, typically receiving about 10 sets of stolen credentials with each one.

LaCour estimated that the scammer was able to sell each set of credentials for about $500; "we're talking about more than $4 million a year he's probably making," he told Krebs.

Even so, Krebs wrote, this particular scammer is probably a "small fry." Many more phishing schemes, often much larger, can be attributed to organized crime.

'Friending' Security

Facebook Inc.'s new security practices mimic those used for online banking.

The social networking company said last week that it would begin allowing customers to approve specific computers and mobile phones for regular access to its website, CNN.com reported Friday.

To approve a new device for access, users would have to answer additional security questions, the article said. They would receive notifications when someone attempts to log in from an unrecognized device.

These changes, which users must opt in to use, do not address the privacy issues that have prompted some people to shut down their personal Facebook accounts, the article said.

Instead, these new features are meant to keep Facebook accounts secure against hackers, who have been known to take over accounts to impersonate users in an attempt to scam money from victims' social circle.

The article noted that Facebook has come under fire for making users seek out this security feature, rather than switching it on by default or even mandating it as banks do.

Break in TJX Case

Another suspect has been arrested in connection with the massive TJX Cos. Inc. breach.

The breach's mastermind, Albert Gonzalez, and several accomplices residing in the U.S. have already received prison sentences for their roles, but their suspected international partners in crime have proven elusive, according to an article Bloomberg Businessweek ran Friday.

Sergey Valeryevich Storchark, a Ukrainian, was charged in August 2008 with helping Gonzalez find buyers for stolen card data, but he was not arrested until this month, after disembarking from a plane in New Delhi.

India's Central Bureau of Investigation called the arrest a stroke of luck, since it is much easier for U.S. law enforcement agencies to extradite a suspect from India than it is from Ukraine or Russia.

"His extradition and prosecution would have been very unlikely had he reached his final destination of Ukraine," a spokesperson for India's CBI told Bloomberg Businessweek.

Storchark, known online as Fidel, is accused of selling card data in online forums such as DumpMarket.

Breach Veterans

The Department of Veterans Affairs has suffered another series of data breaches.

"Every year or so they admit that they've lost a computer that happens to contain unencrypted personal data on VA members," Mike Masnick, the president and chief executive of Floor64, wrote in the security company's TechDirt news blog. "And, each report seems to get worse than the previous one."

The agency recently disclosed that two laptops had been stolen from contractors within the past two months. Both had unencrypted data.

Though it appears that less data was exposed in these cases than in the past, what is worse about these incidents, Masnick wrote, is that they demonstrate that the agency has not complied with a congressional mandate to encrypt sensitive data.

The mandate followed a 2006 breach in which data on more than 26 million people was exposed after the theft of an unencrypted laptop. Congress has begun another investigation into the department's security practices.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.