Fed Intrusion

A Malaysian man alleged to have breached a computer security wall at the Federal Reserve Bank of Cleveland was apprehended while selling stolen credit card numbers in New York, police said.

Secret Service agents posing as buyers arrested Lin Mun Poo at a Brooklyn diner, the New York Daily News reported Nov. 19. Poo had been in New York only a matter of hours before he allegedly began selling some of the 400,000 credit card numbers police found encrypted on his laptop. He is accused of earning $1,000 from those activities.

Poo is suspected of visiting the U.S. to meet with other hackers about using the information pilfered from the Cleveland Fed, NBC News reported separately.

According to court papers, Poo broke into the Fed system and caused major damage. (The Fed later claimed Poo only broke into a test system and had not compromised sensitive data.) Officials said he had come to the U.S. to steal more credit card numbers and PIN codes so he could pilfer from ATMs. Court documents allege Poo had previously broken into a number of international banks and a large defense contractor. He faces 10 years in prison if convicted on charges of fraud and identity theft.

Life Unlocked

Nearly 1 million customers of the popular identity-protection provider LifeLock Inc. have started getting checks that were part of a $12 million settlement for deceptive advertising, according to a Nov. 19 story in Computerworld.

The Federal Trade Commission and 35 state attorneys general sued LifeLock for making deceptive statements, alleging that it did not protect consumers against some of the most basic types of identity theft, such as theft of personal bank data.

LifeLock had earlier received negative publicity when Todd Davis, the company's CEO, published his own Social Security number in company advertisements, as a way to show his confidence in LifeLock's services, which typically cost $10 per month.

Davis was subsequently the subject of at least 13 successful identity theft attempts, Computerworld reported.

The fraudulent accounts opened in Davis' name include a loan and a wireless phone contract. LifeLock defended itself by claiming that the 13 incidents were the only successes out of hundreds of identity theft attempts that have been made since LifeLock began publishing Davis' Social Security number.

The settlement was reached in March. The checks are for $10.87 each and must be cashed within 60 days.

Gram Cracker

Startups are in a rush for just about everything, and sometimes that means overlooking important security issues.

Case in point: the photo-sharing site Instagram.com, which signed up hundreds of thousands of users in the course of a few weeks, also accidentally transmitted user passwords in plain text — rather than the secure encryption standard SSL, which would have protected the data from eavesdroppers — for those using its iPhone application, Techcrunch.com, a technology news site, reported Nov. 18.

Instagram also asked for Tumblr and Foursquare credentials, and those too were transmitted in plain text.

A fix is already in the works, Instagram said.

Kevin Systrom, the company's chief executive and co-founder, wrote on its blog: "We've been hard at work for the last couple weeks on making our product secure and safe. Security is a huge priority for this release. A fix has been submitted to Apple and should be available shortly. If you have any questions, you should feel free to e-mail me personally."

Just don't include passwords.

Deposit-Only ATMs

Two men were convicted of running an $80 million Ponzi scheme that involved buying shares in 4,000 nonexistent ATMs, the Houston Press reported Nov. 17.

Walter Netschi and his business partner Vance Moore 2nd were tripped up by an eager investor who wanted to see the automated teller machines in person. The scheme lasted from 2005 to early 2008, Bloomberg News reported separately, and involved telling current investors their money was being used to invest in new ATMs, when it was actually being used to pay off earlier investors.

Netschi had a long list of previous crimes and misdemeanors, including bank fraud and loan defaults.

Both men were convicted on 10 criminal counts in U.S. District Court in Manhattan, including conspiracy to commit wire fraud and wire fraud. They could be sentenced to 200 years in prison.

Ware and Tear

More websites are being infected by malware, programs that can steal bank account details and other sensitive data without the user's knowledge.

The number of compromised websites doubled in the third quarter to 1.2 million compared with a year earlier, according to a study the security firm Daisent published Nov. 22.

As websites have become more interactive and page views by consumers have exploded, hackers have taken advantage of new kinds of infections, called "drive-bys," where consumers merely visit an infected website, the study said. "Malvertisements," which typically embed malicious code in what appears to be an online advertisement, have also exploded, with 1.5 million served per day in the third quarter.

The report predicted an explosion of malware infections in social media sites like Facebook, Myspace and Twitter next year. This year, there were numerous attacks against government websites like the Treasury Department, and the report predicted that attacks like these will also increase.

ATM Theft

One member of a pair of suspected ATM thieves did not make a complete withdrawal.

Ramon Johnson Jr., a New Haven, Conn., resident, was arrested Tuesday on burglary and other charges for allegedly breaking into a gas station to steal its ATM, the Record-Journal of Meriden, Conn., reported. A second suspect escaped in a van, police said. The ATM has been recovered.

ATM thefts typically involve the use of a vehicle to dislodge the machine and remove it from the crime scene to be opened at another location.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.