From Romania with...fraud
Four Romanian cyber criminals have been charged with conspiracy to commit computer fraud, wire fraud and access device fraud for remotely hacking into more than 200 point-of-sale (POS) systems at retailers in the U.S. to steal payment card data. Accused of compromising card accounts of more than 80,000 consumers, the four defendants conducted millions of dollars in unauthorized purchases using the stolen information. How they pulled off their attacks and the sentences they face for this multi-million dollar fraud are reported in TechWorld.
Thieves thwart two-factor authentication
Employing social engineering tactics and taking advantage of the mobile phone number portability regulation that permits wireless users to transfer their existing phone number to another line, cyber criminals pilfered $45,000 from an Australian business owner's bank account. Armed with details obtained by calling the victim's office and home under false pretenses, the fraudsters were able to have his mobile number “ported” to a new device. With calls being routed to a phone operated by the thieves, they obtained an account verification code the bank sends to users' mobile devices as part of their two-factor authentication security measures.
Help Net Security has more on how the perpetrators pulled off this scam before the activity was detected by the bank. If your institution sends verification codes to mobile devices, make sure you have a system in place to verify that the mobile number has not been recently ported.
Mobile financial fraud rising
Cyber criminals are increasingly moving from targeted email phishing attacks to mobile messaging. Financial fraud via SMS (short messaging service) is growing at a rate of over 300 percent year over year. Global messaging security solutions provider Cloudmark reports that it's presently tracking more than 20 unique, financial-related SMS attacks in the U.S., with thousands of variants on each attack. These targeted attacks appear as if they are coming from a major bank or credit card company and are designed to extract users' financial account information for fraudulent use. In some cases, users are tricked into thinking they have received a gift card, a ploy that consumers are especially vulnerable to at this time of year. PC Magazine has more details, including a link to the Cloudmark article containing images of sample messages being sent to victims' mobile devices.
Enhanced mobile security solution
With sensitive corporate and personal information now regularly stored on mobile devices, the need for enhanced mobile security incorporating more stringent authentication is greater than ever. Srikar Sagi, a security architect for PayPal, has developed an experimental method that links user accounts to usernames and specific phones. Password Less Authentication (PLA) gathers authentication data over the Internet as well as carrier cellular networks and ties them together to positively identify the user logging into online banking accounts and other secure websites. Using this method of authentication, an attacker would need to have the username, password and the mobile device in his possession to compromise an account. Network World has more details.
Banks score low on identity safety
Despite updated online authentication guidance from the FFIEC, a study conducted by Javelin Strategy & Research reveals that top U.S. banks and credit unions are putting their customers at risk for identity theft. Javelin's 7th Annual Banking Identity Safety Scorecard surveyed the country's top 25 banks and credit unions (by deposit size) and found that many institutions continue to rely on Social Security numbers for authentication, such as verifying a customer's identity over the telephone or to reset an online password. The New York Times has more on the study and why using Social Security numbers for authentication leaves consumers vulnerable to identity theft.
Card security loopholes
Card security measures put in place by major card providers Visa and MasterCard may not be as secure as you think. Visa's Verified by Visa and MasterCard's SecureCode are part of “3 Domain Secure (3DS),” a program designed to reduce card fraud and shift fraud liability from online merchants to the card-issuing banks. Researchers from Trend Micro have brought to light a security loophole in the program's authentication process, reports Krebs on Security. This may be the first time you're hearing about this, but data thieves have been on to this vulnerability for quite some time.
The more mobile the merrier
Development of new payments-related mobile products and services targeted at financial institutions and mobile network operators will be the goal as major players mFoundry and MasterCard team up on mFoundry's SaaS (software-as-a-service) mobile banking platform. SaaS enables banks and other providers to offer their customers mobile banking options, including payments. mFoundry's partnership with MasterCard will provide the opportunity for bank users to take advantage of PayPass and NFC (near field communication) technology and may expand to mobile contactless payments. TechCrunch has the details.
Successful e-banking strategies
According to a recent ABA survey, 62 percent of U.S. adults polled cited online banking as their preferred banking method, up from just 36 percent in 2010. For consumers, e-banking is time-saving, cost-effective, and convenient. For financial institutions, e-banking has a number of advantages, such as low setup and operational costs, the ability to offer personalized services to a more far-reaching customer base, and a reduced burden on in-branch banking. The greatest risk of e-banking to both consumers and banks is the security of their financial data. Bank Systems & Technology explores the path to navigating e-banking success with strategies for account opening, personal financial management, and addressing the next generation of security threats.
Merry season for malware
'Tis the season for giving and receiving gifts from friends and loved ones. Gift cards are a great option when you aren't sure what to buy someone and provide the recipients the flexibility to purchase something they want. Cyber crooks are taking advantage of the holiday season spirit of giving to spread malware disguised as gift cards from the nation's leading online retailer Amazon. An Adobe software upgrade notification is also making the rounds in a phishing email containing the ZeuS banking trojan, reports MSNBC. US-CERT has issued its holiday season advisory for consumers and businesses with tips at Infosec Island you can share with your customers on staying alert and protecting their financial data from holiday grinches.