Hi-Tech Hijinks

Card thieves with deep enough pockets never have to return to the scene of a crime, thanks to high-end, custom-built skimmers that can transmit card data to them wirelessly.

Typical skimming devices, which steal card data and PIN codes at automated teller machines, have no way to communicate with the card thief who planted them — they must be retrieved in person. A new generation of skimmers, however, can send the stolen data over cell phone networks, though they are expensive, Brian Krebs reported online at "Krebs on Security" June 17.

These sophisticated skimming devices can cost $7,000 to $8,000 and Krebs said they are especially well designed. He described the skimmer itself, which can fit undetected over the machine's card reader, as "razor thin." The kit also comes with a PIN-pad overlay (to capture PIN codes) that spans the entire width of the ATM so as to hide any seams. It also hides what Krebs described as "the brains behind this custom skimming combo," a GSM module: "basically the guts of a cell phone that is capable of sending text messages to any phone," Krebs wrote.

Krebs said several clues led him to conclude that the seller lives in the Czech Republic.

Some photos of the skimmers included Koh-I-Noor brand pencils, presumably to demonstrate the relative size of the equipment. This pencil brand is made by the Czech company L&C Hardtmuth and has not been sold in the U.S. for more than 50 years.

Dennis Smith, the curator of the online pencil museum leadholder.com, told Krebs in an e-mail that the pencil in the photos "is of recent vintage, 1990s to present." An American-made version was produced more recently but has not been made since the 1990s, and the Czech version in the photos is not typically imported into the U.S.

Knowledge is Power

Knowledge-based authentication — using personal information from databases instead of predetermined security questions — is supposed to be more resistant to phishing. In response, fraudsters have turned their phishing efforts to the databases themselves.

Unlike the security questions users choose when they enroll, KBA questions do not ask them to name their favorite movie or high school mascot. "These are those questions where you have to scratch your head and jog your memory, i.e., what was that first car you drove, what year was your mother in fact born [she didn't like to talk about it]," and so on, Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc., wrote on her blog June 17. Since these questions are not known to the user ahead of time, they are supposedly more difficult for bad guys to predict.

But in practice, the reverse has been true. "I have had a hard time figuring out how so many crooks have been so easily able to answer these questions successfully, when even the legitimate users have such a tough time remembering the right answers to them," she wrote.

What happened was the bad guys began targeting "employees who work at the public data aggregators that provide the original data and knowledge-based authentication systems used to authenticate users," Litan wrote. "They simply get access to these employees' accounts and get the keys to the data treasures. They can look up anything that is known about any of us, and armed with that information they can bypass most knowledge-based authentication systems."

Apple Peeled

Apple Inc.'s mobile products have been at the heart of two data breaches this month.

Most recently, customers of AT&T Inc. who logged on to their accounts to order the next iPhone found that, in some cases, they were viewing the personal information of other customers, the tech news site Gizmodo reported June 15.

When users logged on to order an iPhone, "despite entering their username and password, the AT&T system would take them to another user account," Gizmodo wrote. "This gives access to all kinds of private information about the mistaken customer: Addresses, phone calls and bills, along with the rest of private information, becomes exposed."

Though AT&T said last week that it was unable to reproduce whatever glitch exposed user information, it stressed that the most sensitive information, such as Social Security numbers and credit card numbers, would not have been visible.

Gizmodo also quoted an anonymous insider at a third-party order-processing facility for AT&T who said this has happened before. According to the insider, what customers are experiencing is "an issue with the databases that contain customer information." The bug can "cause a customer to be able to see other accounts by logging out and logging back in. This means that when they log in a few times, it gives them different customer account info every time. It's a rare occurrence, but it has happened in the past," the insider said.

News of this exposure came shortly after AT&T disclosed that one of its websites gave out e-mail addresses for users of Apple's iPad if visitors entered a correct device ID number, which could be guessed through brute force.

Final Countdown

Microsoft Corp. will stop making security updates to a popular version of its Windows XP operating system next month — potentially creating problems for the many businesses that use it.

The affected Windows version is XP Service Pack 2, which was published in 2004. The current version is XP Service Pack 3, which launched in 2008 and will receive security updates through April 2014; companies could also upgrade to Windows 7, according to a story Computerworld ran Tuesday.

Dean Williams, the services development manager for the Toronto tech firm Softchoice, said that in a survey of its customers, "Windows XP is deployed in 100% of the companies [surveyed] to some extent … on average, 36% of the PCs in every organization run SP2."

Williams said that ignoring this deadline and sticking with an unsupported version of Windows XP could create security problems for any company, and potentially make them more vulnerable to data breaches. "This isn't something you can safely ignore," he said in the story.

Williams said that updating to Windows 7 in three weeks is an unrealistic goal, but many companies could more easily switch to Windows XP SP3, which Microsoft provides as a free update.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.