Security Watch

Amateur Hour

The less trustworthy a website is, the more likely users are to divulge sensitive information, a study says.

Though spelling errors and poor design were once considered the telltale signs of a phishing attack, those same traits now may put online consumers at ease. A study in the Journal of Consumer Research, which is published by the University of Chicago, found that "the disclosure of private information is responsive to environmental cues that bear little connection, or are even inversely related, to objective hazards."

An article published Aug. 25 on the tech news website Ars Technica said the study's conclusion is "a bit of a surprise … most studies have assumed people were rational actors."

In one pair of tests, researchers presented participants with two websites: one that looked professional and suggested the backing of a major university; the other was made as amateurish as possible. Participants said the professional-looking site was the most trustworthy, but when they filled out surveys at each, they divulged more personal information to the sloppy one.

Participants even deemed the same questions to be less intrusive at the unprofessional-looking site. The differences in presentation "seemed to loosen participants up," Ars Technica said.

In another test, researchers asked participants to identify phishing sites before presenting the survey questions. This served as something of an equalizer, leading participants to be equally cautious on both the professional and amateurish websites.

The study did not ask about passwords and PIN codes, though the researchers expressed interest in requesting that type of information in later tests. So far they have only succeeded in manipulating people into divulging "salacious facts," the article said.

The conclusion, however, is clear, Ars Technica said: "users can be fooled by cues that are the exact opposite of those recognized by an independent observer. Which is precisely the reason that maintaining high security standards can be so difficult."

Cover Story

When fraudsters began to steal more than $600,000 from the Catholic Diocese of Des Moines, they were quick with an explanation to address the concerns of the people they had tricked into helping them.

To move the money out of the United States, the scammers relied on money mules, people who are found on job sites and told they are being hired for a legitimate job, only to discover later that they'd assisted a financial fraud, Brian Krebs reported Monday online at "Krebs on Security."

Mules are typically told that they have landed jobs as accountants or payment processors and that they are to receive money into their own bank accounts and wire it away to another location.

Daniel Huggins was hired for such a scheme by a group posing as a company called Impeccable Group. The scammers told Huggins they found his contact information in a resume he had posted online.

When Huggins noticed that the payments he received seemed quite high — one for nearly $20,000 and another for nearly $10,000 — and that both came from the Catholic Church, he began to ask questions.

The scammers, however, had an answer ready, drawn from headlines about sex-abuse scandals. They said these payments were "going to be payouts to some of the settlements in the sex crimes cases against the Church," Huggins told Krebs.

Huggins' bank caught on to the scheme and froze his account. However, not all of the money could be returned; the $800 commission the thieves allowed Huggins to keep had already been spent to pay off his credit card debt. Huggins said he was told to expect a call from the lawyers for the diocese.

In all, about $180,000 of the stolen funds has been recovered by the Church, which expects to get the remainder paid by insurance, Krebs wrote.

A Numbers Problem

The benefits consultant for the state of Delaware accidentally posted the Social Security numbers of some 22,000 state retirees online, within a document that should have instead used random numbers as identifiers.

Aon Consulting put the information in a request for proposals to solicit bids from insurance companies that would provide vision coverage to Delaware employees and retirees, The News Journal in Wilmington reported Tuesday.

The document included other personal information that insurers need, such as the ages and sexes of those who would receive coverage. In place of names, which were not included, the document should have used random numbers as identifiers; instead it used individuals' Social Security numbers.

The document was then posted online; it was available from Aug. 16 to Aug. 20, when it was taken down. The state's Office of Management and Budget noticed the mistake after an insurer called with a question, prompting a state employee to download and view the document.

The Social Security numbers were not included in earlier versions of the document that had been extensively reviewed, the state said; they were added to the final version, and no one spotted the error until it was already online.

Aon notified the affected individuals by mail on Monday, the article said. The Chicago company also promised a year of credit monitoring.

One of the retirees affected said he felt that was poor compensation considering that Social Security numbers never expire.

"A free year? It should be a lifetime," Richard A. Phillips, a retired English teacher, told the paper.

The article noted that it was not Aon's first data breach. In 2008, a company laptop with the names and Social Security numbers of 57,160 people was stolen from a restaurant in New York City and has never been recovered.

Temper Tantrum

Not all financial crime is motivated by greed. Sometimes it's sheer rage.

An automated teller machine was damaged to the tune of about $2,200 when Louis Dotti of Zephyr Hills, Fla., attacked it with a pair of scissors and then began to beat it with his fists when the scissors proved ineffective, the St. Petersburg Times reported Aug. 26. The machine had eaten Dotti's card.

Dotti was charged with criminal mischief, the newspaper said.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.
