Modern Frauds

Hackers have discovered that the check is no longer in the mail — it's probably stored in an image archive, and the bad guys have found a way in.

Scammers who are believed to be living in Russia are accused of writing $9 million in fake checks drawn from 1,200 accounts after accessing online databases of check images, the Associated Press reported July 28.

Three companies, which the article did not name, were targeted in the scam, which was discovered by the Atlanta security firm SecureWorks Inc. The company is working with the Federal Bureau of Investigation to pursue the hackers.

Check forgery is considered somewhat old-fashioned among financial criminals, the article said, because it is slower and less lucrative than draining accounts with stolen online banking passwords.

But this scheme makes check counterfeiting more modern by using image archives to obtain enough account numbers to make the forgery profitable enough to pursue, SecureWorks said.

"Check counterfeiting is kind of old school, but these guys have figured out how to make it highly automated," Joe Stewart, SecureWorks' director of malware research for its counterthreat unit, told the AP. "They can get all this data and use that to write counterfeit checks all day long."

Because the scammers are based overseas, they must still rely on an inefficient process to move the money out of the U.S., the article said. They typically rely on "money mules," people recruited through online job posting to cash the bogus checks and send the money to them.

Automated teller machines can do more than dispense cash — with the right hacking skills, they can be made to play slot machine music as they spill their contents.

As demonstrated last week during the Black Hat security conference, researcher Barnaby Jack was able to take over two ATMs he owns through direct access — using a key — and remotely, the Associated Press reported Monday. The end result: the machines would dispense any amount of cash Jack desired and, according to a video of his presentation uploaded to, he could even make one of the machines proclaim "Jackpot!!" and play slot machine music as it did so.

Jack, the director of security research at IOActive Inc. of Seattle, said he found two ways into the machines, which are the standalone style typically seen in convenience stores. One was using a master key — having purchased three of the machines, Jack discovered that the same physical key that came with one of them opened all machines from that manufacturer. With physical access, he could plant a program that gave him control of the machines.

He also found that it was possible to gain control of ATMs remotely. According to the AP article, Jack was light on the details of this approach since his presentation was not meant to be instructional. His purpose is "to raise the issue and have ATM manufacturers be proactive about implementing fixes," he said.

Jack did not name the manufacturers of the ATMs he hacked and blocked the manufacturers' logos in an attempt to keep them anonymous. However, during his presentation, the logo of Tranax Technologies Inc. appeared on one of the machines' screens. The AP said it reached out to Tranax but did not hear back.

Free Speech, SSNs

Betty "B.J." Ostergren's "Virginia Watchdog" website, which highlights Social Security numbers she has found in government databases, may continue to keep publishing Social Security numbers, a court has ruled.

Ostergren's site attempts to highlight security lapses on government websites by reposting sensitive material found online, especially personal information of the public officials empowered to remove this information. She has received some pushback from those officials — in particular, a 2008 Virginia law made Ostergren's activities illegal.

Last week, an appeals court expanded a 2009 ruling against the enforcement of that law, the Richmond Times-Dispatch reported July 27. The 2009 ruling found that it was fine for Ostergren to publish the Social Security numbers of public officials that were already available online on government websites. Neither party in the lawsuit was happy with that ruling — the Virginia attorney general's office felt it was too permissive, and Ostergren felt it was still too restrictive because it only focused on public officials.

The July appeals court ruling sided with Ostergren's free-speech argument and expanded the earlier ruling to also allow the publication of information on private citizens if that information was already available online through government websites.

Ostergren founded her website in 2003 and began posting Social Security numbers online in 2005. She said she did so to highlight the security issues surrounding online databases of deeds and mortgage documents that can contain Social Security numbers.

Silent Victims

Most people who surrender their credit card numbers to "scareware" scams do not dispute the charges made to their cards, Brian Krebs reported on his "Krebs on Security" website July 27.

Scareware scams work by tricking a computer user into buying fake antivirus software to clean up a very real computer infection. The victim's computer is held hostage by the scammer until the victim pays up for purported antivirus software, but after the payment the victim's computer is no more secure than it was beforehand.

According to records Krebs obtained detailing the financials of one distributor of scareware, most of the people who are tricked by this scam do not cancel or reverse the charge on their card statements.

In some cases, it is because the victims never realize they were scammed. One victim Krebs interviewed was searching for the antivirus software of the legitimate antivirus vendor Symantec Corp. when his computer was infected. Until Krebs contacted him, that victim, Raymond Zens of Jamestown, N.D., believed he had simply purchased the legitimate software he initially planned to buy.

Another victim, Brad Pierson of Austin, knew he had been scammed but was too ashamed to pursue a reversal of the charge.

"The embarrassment and feeling of degradation that goes with that made me want to blow it off," Pierson told Krebs. "I just kind of thought, 'That's the price you pay for being had.' I didn't try to do anything about it."

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.