Gone in a Flash

Banks and payment processors are being hit by "flash attacks" — so named because their speed and potential for damage are reminiscent of a flash flood.

Each attack begins as any other card-cloning scheme does: Scammers first tamper with point of sale terminals to steal card data, according to an Oct. 26 explanation by Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc., on her blog.

The thieves then make "hundreds or thousands of counterfeit debit cards" using the stolen information, she wrote. They distribute the cloned cards to a small army of accomplices, then use them all at once to withdraw as much money as possible before the issuers catch on.

"Within 10 minutes, simultaneous withdrawals … add up to about $100,000 in proceeds," Litan wrote. "They repeat this exercise a few times more over the course of a month," earning up to $500,000 altogether.

The best way for issuers to fight such an attack is to determine the point where the cards were compromised, then reissue all cards for accounts that were used with that merchant, Litan wrote. Stronger authentication methods, like Chip and PIN, might also help.

Bad Deal

Google Inc. is warning shoppers not to pay all of the Google Checkout invoices they receive — some are scams.

Checkout, Google's online payment service, lets people pay with a credit or debit card without exposing their payment information to the merchant they are paying. On its blog for Checkout, Google warned Oct. 28 that the fake invoices add payment options that Google does not support: "wire transfer, money transfer services such as Western Union or Moneygram, or direct bank transfers."

Steven Chen, Google's manager of trust and safety, wrote on the blog: "This is a clear scam because Google Checkout does NOT support money transfers in any of these ways."

The false invoices are usually linked to fraudulent vehicle purchases. The scammer in these instances is the purported seller of the vehicle, and Google's name is invoked to assure the buyer that the purchase will have some form of protection from Google's Checkout system.

"In fact, the transaction is fraudulent and has nothing to do with Google Checkout," Chen wrote.

Chen advised anyone receiving a scam invoice to report it to the Internet Crime Complaint Center or other authority.

Biting for Bugs

Google wants to have a security breach so badly it is willing to pay for one, The New York Times reported Monday.

The breach would be preemptive — Google is seeking to discover the flaws in its family of websites, including Google, YouTube, Blogger and Orkut. If Google can spot these flaws before anyone else does, it could fix them before they are exploited, the Times reported on its "Bits" technology blog.

Google's rewards for finding these flaws vary based on the complexity of each hack. A small bug would earn its finder $500, but a major one could earn up to $3,133.70 — a number chosen because some pronounce it "eleet," indicating the level of skill needed to have found the bug.

For investigators who prefer fame over fortune, Google has also established a "thank you" section of its website where it lists the names of researchers who want to receive credit for their discoveries.

New Target

The vast majority of viruses are written for computers running Microsoft Corp.'s Windows, but alternative operating systems may no longer be the sanctuary they are widely believed to be.

A prominent worm has been adapted to target users of Apple Inc.'s Mac OS X, Brian Krebs reported Oct. 27 at "Krebs on Security." Mac users are being targeted as part of what the security software firm Intego calls a "multiplatform attack." Users of the Linux operating system are also vulnerable to the worm, which exploits a Java applet for its attack.

Java, a platform that lets computers run programs across different operating systems, "is now the leading vector of attacks against Windows systems," Krebs wrote, so "it is not surprising that attackers would begin leveraging Java to attack Mac users with threats that have traditionally only menaced Windows users. … Java was designed to be a cross-platform technology."

Krebs earlier had advised avoiding Windows to sidestep most viruses and other malware. He once spotlighted a business whose bank account was compromised when it broke its own rule about not using Windows machines.

Since the worm, called Koobface, infects users through their Web browsers, Krebs suggested switching off Java in the security panel of the Safari browser that comes with Mac computers.

The version of Java on Mac computers is updated through Apple's own software update system. It was most recently updated in the second half of October, Krebs wrote.

Some reports indicate that Apple may be preparing to stop supporting Java in future versions of Mac OS, which might force malware writers to find another avenue of attack.

Password Tips

Many opinions exist on how best to handle password security; and The New York Times has published — and evaluated — several reader suggestions.

Some suggested keeping passwords in a program that stores them securely, but the Times' "You're the Boss" blog on Oct. 28 stressed that this option is only as secure as the device on which the software runs. If it is on a smartphone, for example, and the phone is lost, then the passwords may be unrecoverable.

One reader suggested using passwords based on words from foreign languages to make it harder for hackers to guess, but the Times cautioned that many hackers already use password-guessing tools that draw upon dictionaries from multiple languages.

Challenge questions, such as those that aim to verify a user's identity by asking, for example, where they used to live or attend school, may also have their flaws. "If someone takes the trouble to learn some stuff about your youth, they have a pretty good chance of getting into your bank account and more," the Times wrote.