Bank phone calls diverted by trojan
Post-transaction attacks, designed to conceal fraudulent activity while the crooks transfer money or conduct further unauthorized transactions, are increasing as malware toolkits advance. Security software firm Trusteer has discovered a variant of Ice IX, a modified version of the ZeuS trojan, that enables cyber criminals to divert post-transaction verification phone calls from the victims' banks to numbers controlled by the attackers. Like ZeuS, Ice IX manipulates content displayed in the browser and injects rogue forms into online banking websites. In addition to extracting online banking credentials, the newest variant also injects a form asking victims to update their contact phone numbers, which the fraudsters then use to intercept the bank's verification calls after the fraudulent transaction. Help Net Security has the details.
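The web-inject technique described above adds fields to a page that the bank never served. One way a bank's fraud team can spot this is to compare the fields present in the rendered form with the fields the legitimate form is known to contain. The following is an added example, not code from Trusteer or from the article; the field list, the domain-free sample HTML and the injected phone field are all constructed for illustration.

```python
from html.parser import HTMLParser

# Fields the bank's legitimate login page is known to contain (assumed list).
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token"}

# Constructed sample: the login page as the bank serves it.
CLEAN_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="d41d8cd9">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
"""

# Constructed sample: the same page after a browser-resident trojan has injected
# a field asking for the victim's phone number, styled to look like the bank's own.
INJECTED_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="d41d8cd9">
  <input type="text" name="username">
  <input type="password" name="password">
  <label>For your security, please confirm your mobile number</label>
  <input type="tel" name="mobile_phone">
  <button type="submit">Sign in</button>
</form>
"""


class _FormFieldCollector(HTMLParser):
    """Record (name, type) for every named input, select and textarea."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            attrs = dict(attrs)
            name = attrs.get("name")
            if name:
                # An <input> without an explicit type defaults to text.
                kind = attrs.get("type", "text") if tag == "input" else tag
                self.fields.append((name, kind))


def form_fields(html):
    """Return the list of (name, type) pairs for all named form fields in the HTML."""
    collector = _FormFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.fields


def find_injected_fields(html, expected_names):
    """Return, sorted, the field names in the rendered page that the legitimate form never has."""
    return sorted({name for name, _ in form_fields(html) if name not in expected_names})


def phone_fields(html):
    """Flag telephone-type fields specifically, since that is what this attack harvests."""
    return sorted(name for name, kind in form_fields(html) if kind == "tel")


if __name__ == "__main__":
    print("clean page:", find_injected_fields(CLEAN_PAGE, EXPECTED_LOGIN_FIELDS))
    print("injected page:", find_injected_fields(INJECTED_PAGE, EXPECTED_LOGIN_FIELDS))
    print("phone fields:", phone_fields(INJECTED_PAGE))
```

In practice the bank would run this comparison on the server against the DOM as reported by a client-side script, or against a submitted POST body that carries parameters the form should never produce. A trojan that controls the browser can also tamper with that client-side script, so this is a detection aid that raises an alert for investigation, not a control that stops the injection.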
Merchant vs. bank & PCI
In what is the first legal challenge of the PCI Data Security Standard (PCI DSS), a Utah merchant has filed suit against US Bank for wrongfully seizing money from its merchant bank account. After a 2008 breach of Cisero's Ristorante's network resulted in fraudulent charges on customer bank cards, a PCI-required forensic investigation reported finding unencrypted card data on the restaurant's POS system. US Bank subsequently seized nearly $10,000 from the restaurant owners' account to recoup a portion of the $90,000 in PCI fines imposed on the bank by Visa and MasterCard. When US Bank filed suit against Cisero's owners, Stephen and Theodora McComb, to recoup the remaining balance of the fines, the McCombs filed a countersuit. The countersuit alleges that US Bank forces merchants to sign one-sided contracts that allow arbitrary changes without notice and imposes fines without proof of a breach or of fraudulent losses. Infosec Island has more on the story. View a copy of Cisero's countersuit at Wired.
Crime fighting ATMs
According to research director and fraud analyst Julie McNelley at Aite Group, skimming was the primary contributor to debit fraud losses in 2011, and for the first time those losses outpaced losses from credit card fraud. Aite puts the average loss per skimmed ATM at $50,000, up from the $30,000 average that ADT Security Solutions reported for 2010. As card thieves turn to more sophisticated methods of attacking ATMs, ATM manufacturers are turning to newer technology to fight back, reports ATM Marketplace.
ID thieves ID'd
Annual tax statements have been issued and millions of taxpayers are filing tax returns. As is customary at this time of year, identity thieves also come out in droves to prey on vulnerable taxpayers. Joining forces with the Department of Justice, the IRS is striking back to prevent and detect identity theft and refund fraud. A nationwide crackdown by the joint task force has resulted in the arrest of 105 people in 23 states for the suspected theft of thousands of identities and taxpayer refunds. The search warrants and arrests led to 69 indictments involving 939 criminal charges. NetworkWorld has the details and more on the efforts the IRS is taking to educate and protect consumers.
Easy prey for hackers
Radio-frequency identification (RFID) chips answer a reader device's radio query with a coded identification number. In an access badge that number is looked up in a back-end database; in a contactless payment card the chip also transmits the account data needed for a transaction. RFID cards are not swiped through a reader like a traditional magnetic-stripe credit card, which is exactly the problem: a card answers any compatible reader within range, so a hacker can capture the card number and expiration date that contactless payment cards send in the clear without touching the card or alerting its owner, whatever other protections the card carries. The ease with which this can be done was demonstrated by Recursion Ventures security researcher Kristin Paget at the 2012 ShmooCon hacker conference in Washington, D.C. PC World has the story.
CAPTCHA...if you can
Yet another variant of the banking trojan Cridex, similar to the notorious ZeuS, has been discovered spreading widely across the internet; it can bypass CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) checks in order to send out emails and propagate itself. It harvests data from web sessions, targeting US banking services and PayPal, giving it potential access to financial account details, as well as social networking sites. TechWorld has the details. Threatpost has video of the malware in action.
Rallying for email security
Nationally known columnist and political commentator Mark Shields said "there is always strength in numbers. The more individuals or organizations that you can rally to your cause, the better." Financial firms Bank of America Corp, Fidelity Investments and PayPal are rallying with Microsoft, Google, and others to reduce online scams perpetrated through email spam campaigns. The technology and financial companies have formed a group going by the name DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance. Building on two existing email authentication technologies, SPF and DKIM, the DMARC specification lets a domain owner publish a policy in DNS that tells receiving mail servers how to treat messages that fail authentication for the domain in the From: header, and where to send reports about them, so that spoofed emails that appear to come from banks and corporate email addresses can be rejected before they reach inboxes. Get the details at Bank Systems & Technology.
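The piece of DMARC that SPF and DKIM alone lack is identifier alignment: an authenticated identifier only counts if its domain matches the From: header domain the recipient actually sees. The following is an added example, not code from the DMARC group or the article; it implements the alignment and policy logic that DMARC later standardized in RFC 7489, with constructed records for a hypothetical bank.example domain and a simplified organizational-domain rule (real receivers consult the Public Suffix List).

```python
# Constructed DMARC records for a hypothetical domain, bank.example.
BANK_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@bank.example; adkim=r; aspf=r"
STRICT_RECORD = "v=DMARC1; p=quarantine; adkim=s; aspf=s"


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a tag dict, filling in default alignment modes."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")   # SPF alignment: r(elaxed) or s(trict)
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.

    Production receivers use the Public Suffix List so that names such as
    example.co.uk are handled correctly; two labels is enough for this example.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: does the authenticated domain match the From: domain?"""
    if not auth_domain:
        return False
    auth = auth_domain.lower().rstrip(".")
    frm = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == frm
    return organizational_domain(auth) == organizational_domain(frm)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope MAIL FROM domain that SPF checked; dkim_domain is the d=
    value of a DKIM signature that verified. A message passes DMARC when at least one
    authenticated identifier is aligned with the From: header domain; otherwise the
    disposition is the published policy (none, quarantine or reject).
    """
    tags = parse_dmarc_record(record)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["p"]


if __name__ == "__main__":
    # Spoof: From: bank.example sent from the spammer's own server. SPF passes for the
    # spammer's envelope domain, but nothing aligned with bank.example authenticated.
    print(dmarc_evaluate(BANK_RECORD, "bank.example", "pass", "spammer.example", "none", None))
    # Legitimate bank mail, DKIM-signed by bank.example, relayed through a forwarder that
    # broke SPF. DKIM alignment alone is enough to pass.
    print(dmarc_evaluate(BANK_RECORD, "bank.example", "fail", "forwarder.example", "pass", "bank.example"))
```

The first case is the reason DMARC exists: the spammer's message passes SPF, because the spammer is allowed to send for spammer.example, yet it fails DMARC and is rejected, because nothing that authenticated is aligned with the bank's domain in the From: header. The strict modes tighten this further: a signature from mail.bank.example satisfies relaxed alignment but not strict.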
FTC tackling mobile technology
What was once considered a trend is becoming reality - electronic wallets for mobile payments are replacing traditional leather billfolds and plastic cards. What remains the same is that financial institutions ultimately fund the technologies used to make mobile payments and are most impacted by the risk of financial losses. The Federal Trade Commission (FTC) is holding a free workshop in April for industry experts, technologists and consumers to tackle the wide range of issues surrounding mobile payments, reports PC World. Comments are being accepted by the FTC prior to the workshop. This is a good opportunity to put in your two cents about consumer protection issues and mobile security concerns.
Hack attacks unreported by SSL certificate provider
VeriSign Authentication Services, the leading global provider of SSL (Secure Sockets Layer) certificates and now part of Symantec, has admitted in an SEC filing that it suffered multiple data breaches in 2010 in which undisclosed data was taken. VeriSign executives say they do not believe the attacks reached the servers supporting its Domain Name System (DNS) network, but the company also provides security services for major commercial, government and financial websites. Although the SEC now expects public companies to disclose material cyber incidents, news of the attacks is only surfacing now because the company's security team did not report the incidents to VeriSign's management until September 2011. MSNBC has the story.
Updates, Patches and Alerts...
US-CERT: Current Activity
Threatpost: Apple ships huge set of patches for OS X
CIO: Firefox 10: Better business support and a new version for Android
ALERT: InfoSec Island: MSUpdater trojan smuggles data as Windows Update traffic