Paper Caper

A California man is alleged to have come up with a novel way to steal cash from an automated teller machine: by causing a paper jam.

Many crooks set up skimming devices to read data from ATM cards as they are swiped, and others have stolen the entire machine to crack it open by force.

The San Francisco man is accused of stealing cash from ATMs by clogging their cash slots with napkins.

The suspect allegedly used napkins to block at least two ATMs from dispensing cash, The San Francisco Examiner reported Nov. 4 on its crime blog, and then unjammed the machine after frustrated customers failed to withdraw cash.

If the customer did not figure out that the cash dispenser was blocked, the cash would be left behind for the perpetrator to retrieve later, the Examiner reported.

Old Habits

There are reports that the ZeuS Trojan, which has been linked to a large amount of online financial fraud, would soon be phased out by its developer — but its audience may not be willing to give it up.

ZeuS is reported to have discontinued development to be absorbed into a new bug called SpyEye, but earlier versions of ZeuS persist, Brian Krebs reported Monday on krebsonsecurity.com.

Roman Hussy, who tracks ZeuS activity, told Krebs that ZeuS is too tried and true to disappear easily, even though the bug's creator reportedly has stopped updating it.

"Why should they give up something that works and pay for a new tool?" Hussy said, referring to the scammers who favor ZeuS. Hussy has identified just 25 botnets created by SpyEye, compared with about 100 created by ZeuS.

Slow and Steady

The best weapons that fraudsters have developed against banks and consumers are patience and self-control.

Fraudsters can get away with theft if the dollar value of each bogus transaction is too small to make it worth "the inevitable series of hold music performances" that consumers have to endure to report unauthorized transactions to their bank, Evan Schuman reported Nov. 4 online at the retail news site StorefrontBacktalk. As long as fraud artists steal small amounts, such as by staying under $5, consumers may not notice the theft — or may not consider it substantial enough to act upon.

"Fortunately, with criminals, greed and speed will invariably trump wisdom," so they will try to steal larger amounts over time, Schuman wrote. But "if the attacks are carefully planned and the victims chosen even more carefully, thieves can make a nice living as long as no single bank or customer gets hit for too much," he wrote.

PayPal App Attack

PayPal Inc.'s mobile app briefly made it possible for hackers to observe users' passwords under certain conditions.

An earlier version of the app, which was fixed with an update PayPal published Nov. 2, did not confirm that it was communicating with the proper PayPal website by verifying the site's digital certificate, The Wall Street Journal reported Nov. 4. To exploit this, "a hacker would need skill and luck," the paper said, since only a customer connecting with an Apple Inc. iPhone through a WiFi network would be vulnerable.

The eBay Inc. unit's app for Google Inc.'s Android and its mobile website are not affected by this bug. The most obvious way to exploit the bug would be to trick an iPhone user into connecting through a WiFi hot spot that the hacker controls, the article said.

"To my knowledge it has not affected anybody," Amanda Pires, a PayPal spokeswoman, told the Journal. "We've never had an issue with our app until now."

In all, 4 million users have downloaded the PayPal app.

Mobile Mayhem

Some mobile banking apps have been storing sensitive information on phones, making that data available to anyone with access the phones — even if the user does not have access to the banking apps themselves.

Wells Fargo & Co., Bank of America Corp., TD Ameritrade Holding Corp. and USAA Federal Savings Bank have all agreed to update their apps to fix this flaw, The Wall Street Journal reported Nov. 5.

Wells updated its Android app on Nov. 3 to stop it from storing customers' username and password on phones. George Tumas, Wells' chief information officer, told the Journal that "as far as we know there were no customers impacted," and that Wells Fargo may change its development process to avoid repeating this mistake.

USAA's Android app stored some of the data that users could view within the app, such as transaction details, the article said. It also published an update Nov. 3.

Bank of America's app was storing the answer to a security question in plain text on Android handsets, the article said. A spokeswoman told the Journal that although B of A planned a fix, the stored data was not easy to retrieve and was not enough by itself to grant access to a customer's bank account.

TD Ameritrade's apps for Android and iPhone handsets stored customers' usernames, which the company said was not enough to grant access by itself. Still, TD Ameritrade plans to take care of the problem within 30 days, it told the Journal.

Sentencing

A stolen ATM can be worth a lot of money to a successful criminal — or a lot of time in jail to an unsuccessful one.

Keane Bradley Bergstedt of Sioux Falls, S.D., will spend at least 10 years in prison for attempting to steal an ATM, the Argus Leader of Sioux Falls reported Tuesday.

Bergstedt was caught on video attempting to steal a machine from Home Federal Bank in Crooks, S.D. He is also a suspect in an attempted ATM theft at a food store and other locations.

Bergstedt received a sentence of 15 years for attempted grand theft and another 20 years for distributing methamphetamine, the article said. Fifteen years were suspended, and Bergstedt will be eligible for parole in 10 years.

Though Bergstedt fled the scenes of his attempted ATM thefts, his vehicle was identified, and police found a sledgehammer, bolt cutters and other tools inside his truck when they investigated, the article said.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.