Bad Pitch

Computers can usually identify scam antivirus software pitches by their overwhelming use of scare tactics — but at least one legitimate antivirus company is now accused of using the same methods.

Scam antivirus software typically pitches itself by infecting a user's computer, and doing everything imaginable — replacing desktop backgrounds, prompting pop-up alerts and blocking inquiries to legitimate antivirus vendors' websites — to make sure that the victim addresses the problem by handing over credit card details to the scammers to purchase antivirus protection. However, even though the alerts may disappear after the scammers have the victim's card details, the victim's computer is no better protected.

The tech news blog Ars Technica has observed similar behavior from Check Point Software Technologies Inc., a legitimate antivirus provider. Users of Check Point's ZoneAlarm firewall software have recently been subjected to an alert that proclaims " 'Your PC may be in danger!' in bright red, and urges the user to … 'GET PROTECTION,' " Ars Technica reported Friday. "The prompt is very poorly designed," the article said. "It looks a lot like malware masquerading as an antivirus."

Users who follow ZoneAlarm's prompt would indeed be given real antivirus software, but this might still make them less secure, since those users now view their responses to such prompts as a valid way to protect their computers. "Taking marketing advice from malware writers completely undermines the advice tech-savvy users give their friends: ignore these types of messages," the article said.

After angered users voiced their concerns over Check Point's methods, the company switched off its pop-up alerts. "We thought we were being proactive with our virus message … [but] it was never our intent to lead customers to believe they have a virus on their computer," a Check Point representative told Ars Technica.

Adding to ATMs

The use of biometrics could help combat the rising fraud against ATMs, an analyst with the Federal Reserve Bank of Atlanta's Retail Payments Risk Forum suggested.

The technology is already in use in Japan, with automated teller machines at Bank of Tokyo-Mitsubishi that scan customers' palm vein patterns to identify them for ATM transactions, Ana Cavazos-Wright, a senior payment risk analyst, wrote on the Atlanta Fed's Portals and Rails blog on Monday. In that instance the record of the biometric trait is stored on the card, so it would not be visible to bank employees. This method was implemented by 90% of banks for some forms of customer interaction after a 2006 law made banks in Japan liable for fraudulent ATM withdrawals.

In the U.S., the hurdles to this technology are largely issues of trust. "The thought of biometric technology may conjure up images of George Orwell's '1984,' " Cavazos-Wright wrote, and "U.S. consumers have historically shown reluctance to embrace new technologies until their reliability and trustworthiness have been vetted in the marketplace for a number of years." If biometrics is to become an effective method of controlling ATM fraud, banks must invest time and money into the technology to build that trust, though consumers already favor it over other authentication methods such as the use of a one-time passcode-generating key chain, she wrote.

However, Cavazos-Wright questioned whether biometrics, despite its widespread acceptance in Japan, would be enough to fully protect ATMs against all future fraud. "Is it the panacea?" she wrote, "Or is the key simply using technology more advanced than that employed by the bad guys, staying one step ahead of them rather than one step behind?"

Fraud After Dark

Gift card security at Wal-Mart Stores Inc. broke down at 1 a.m., when a store employee working the night shift was tricked into activating enough stolen gift cards to commit just over $11,000 in fraud.

The scammer posed as a tech staffer who needed a store employee to activate a certain number of gift cards, the retail news website StorefrontBacktalk reported Thursday. An employee at a store near Columbus, Ohio, obliged, activating numerous cards after the caller read the employee the card numbers and scratch-off codes over the phone.

The story said the weak point in this incident was training, since Wal-Mart had many other security measures in place to protect its payment data and prevent stolen gift cards from being switched on.

Wal-Mart's tech staff "spends millions on sophisticated encryption and protection techniques, all of which can be circumvented by a persistent thief doing rudimentary social-engineering scams," the story said. "How many Wal-Mart stores did the thief have to call before finding a cooperative associate in Columbus?"

The Weakest Link

A criminal gang has found a way to steal cash out of a safe without busting through the safe itself.

The gang targeted safes used by the French supermarket chain Monoprix because of how they are loaded: cash goes through pneumatic tubes to get deposited into the safes, the tech news blog Gizmodo reported Friday. Rather than drill through the safe, the robbers drilled through the tubes and used a vacuum to extract cash from the safes.

Robbers have used this technique more than a dozen times since 2006, and "what's most surprising is that Monoprix doesn't seem to have made any effort to change their cash-delivery method, despite it costing them nearly a million dollars in the last four years," Gizmodo said.

Though the robbers have been caught on camera, they were wearing ski masks, and police have no substantial leads in the case.

Tell-Tale Teller

A credit union robbery is being investigated as an inside job when police reviewing surveillance footage caught a teller allegedly communicating with the suspected robber by text message.

The text messages, sent from teller Kyle Lightner to robbery suspect Tyce Von Franklin, allegedly included instructions such as "just go in the front and walk straight … then u will see this hallway and my closet will be to the left."

Franklin allegedly hid in a bathroom at the branch until after it closed, Cnet News reported Thursday.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.