Too Much Access

Passwords were playing peek-a-boo on Apple Inc.'s FaceTime video chat service.

When the chat service, initially a feature of Apple's iPhone and iPod Touch products, was introduced last week for the Macintosh personal computer line, it had an odd security bug — once logged in, any user could change the FaceTime account's password without knowing it, Ars Technica reported Friday.

FaceTime uses the same login details that are used to authorize payments on Apple's iTunes digital media store. If a malicious user happens across a computer where FaceTime was left active and chooses to change the password, "the change instantly applies across the Apple ID account," the article said. "Subsequently accessing the iTunes store will result in a prompt from iTunes to re-enter your password, and the old one will not work."

In this way, even without knowing an account holder's password, a malicious user could go "on an iTunes store shopping spree" with the account.

The flaw was quickly fixed by Apple, according to The Unofficial Apple Weblog. Thanks to a fix Apple put in place on its servers, the "View Account" command that previously gave users the ability to change passwords "now does … precisely nothing. It just kicks you back to the account preferences tab," the TUAW blog reported Friday.

It described this remedy as "a somewhat silly workaround, and it's likely a temporary one," until the FaceTime software itself is updated.

Bigger Threat

The infamous Zeus malware, which is commonly used by criminal groups to steal banking credentials, is undergoing some changes.

The fraudsters behind the bug are rumored to have agreed to stop development of Zeus in order to merge its code with another piece of malware, the SpyEye Trojan, Brian Krebs reported online Sunday at krebsonsecurity.com.

Far from being the end of Zeus, "the move appears to be aimed at building a superior e-banking threat whose sale is restricted to a more exclusive and well-heeled breed of cyber-crook," Krebs wrote.

The two malicious programs were earlier considered rivals, but the rivalry recently went quiet, and on Oct. 11 the author of SpyEye declared publicly on a fraud forum that he would take over maintenance of the Zeus program.

Krebs described the change as a possible response to a recent law enforcement crackdown on criminals using Zeus.

Steve Santorelli, the director of global outreach for Team Cymru, which studies underground economies, told Krebs, "Each time you have a group or piece of malware that starts to get near the level of heat or public attention that Zeus has gotten over the past year, it's inevitable that the bad guys are going to transition to something that's not on everyone's radar."

Bigger Target

Meanwhile, the current version of Zeus malware has been adapted for other targets, according to an article in Computerworld Monday.

A computer researcher at the University of Alabama said he has observed criminal groups that use Zeus making attempts to determine where their victims work, the article said. The researcher, Gary Warner, said that, in those cases, the bug would present a bank login screen that asks for the user's employer's name in addition to the username and password for the account.

This additional information may make the infected computer itself more valuable, Warner said in the article. "Your computer may be worth exploring more deeply because it may provide a gateway to the organization" that the user works for, such as a government agency.

This method may be particularly powerful for exploiting users' home computers, which lack the protections of a corporate network but may still be used occasionally to gain access to an employer's data, Warner said.

Fraud Fighter

Citigroup Inc.'s Australia business says it has fought off nearly all fraud attempts online.

Citi's Australia site requires users to type their passwords through an image of a keyboard displayed on-screen. Users must also input a username and answer a security question, but "given that all of these methods have been defeated, I remain skeptical about the claim" that Citi has virtually wiped out online fraud, said Robert Vamosi, a research analyst at Javelin Strategy and Research, on his company's blog Oct. 19.

Even so, Roy Gori, the chief executive of Citibank Australia, said his company is improving security by testing voice biometrics. Vamosi said this method is also defeatable; for example, it cannot tell twins apart.

Gori told The Australian that he is talking up the bank's security methods to show that his is "the smartest bank — so the fraudsters go after the dumbest ones."

But Vamosi suggested this tactic may backfire because insisting that one's defenses are unbreakable "amounts to a huge 'kick me' on the Internet."

Bad Copy

Photocopy with caution, or you could leave behind the sort of data that identity thieves covet, the Canadian broadcaster CBC has warned.

Refurbished copy machines sometimes retain sensitive information such as scanned tax returns and driver licenses from their past owners.

"While some documents are harder to retrieve than others — and require a full forensics search of the hard drives — others can be called up quickly and easily," the news organization reported Oct. 19.

CBC bought a used copy machine, then hired experts to scour its hard drive. John Juntunen, the chief operating officer of the forensic analysis company Digital Copier Security Inc. told the CBC: "Sometimes it's as easy as walking up to a machine, pushing a couple of buttons and pulling up documents that were stored on the hard drive."

Some insist that the only way to protect against identity thieves is to destroy your copier's hard drive once you are finished with it.

"You can't run a program that will clear a hard drive to 100%," Juntunen said. "There's still magnetic residue on the hard drive that is recoverable, although it would take a lot of time and a lot of money to be able to recover that information."

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.