The Identity Theft Resource Center reports as of June 22 there have been 352 data breaches identified in 2010. Thirty-seven of the breaches have been perpetrated against financial institutions, including four credit unions. The ITRC compiles data breaches confirmed by various media sources and/or notification lists from state governmental agencies. The list is updated daily, and published each Tuesday.
Jason Kincaid at TechCrunch.com reports VentureBeat detailed a major Blippy privacy breach that exposed user credit card information to search engines. The breach appears to have occurred on a small scale — Blippy believes that only four users had their credit cards compromised — but the fact that it happened at all is unsettling. Blippy is a social-oversharing site, which lets members automatically post their purchases to the Internet for others to see.
First Data has published a white paper covering fraud threats that are expected to be particularly troublesome during the next 12 months. The white paper notes it is clear that today’s cybercriminals are more sophisticated than ever in their operations and their attacks, and that they are always on the lookout for new ways to exploit vulnerabilities in the global payments system. According to the 2009 Verizon Business Data Breach Investigations Report, 285 million consumer records were compromised in 2008—more than the previous four years combined. Data breach statistics from 2009 are expected to be even more grim due to the growth of increasingly sophisticated attack methods such as malware infections, which grew tenfold in 2009.
Tom Espinser at ZDNet UK blogs that a gang of four Londoners has been jailed for a Chip-and-PIN fraud operation which netted £725,000. The gang had modified Chip-and-PIN devices to allow them to capture card information and personal identification numbers. They burnt a hole in the back of the readers, and installed memory devices and Bluetooth, to steal the data.
In an interview with Bank Info Security, Don Rhodes, director of risk management for the American Bankers Association, discusses why chip and PIN doesn’t make sense for many U.S. banks. Rhodes says migrating to the EMV standard in the United States:
Cryptography Research, Inc. and MasterCard Worldwide announced that they have signed an agreement relating to Cryptography Research’s patent portfolio covering countermeasures to Differential Power Analysis (DPA). Under the agreement, MasterCard will require that vendors of smart cards and other cryptographic products that utilize DPA countermeasures be licensed from Cryptography Research in order to be used on MasterCard’s payment networks.
Tracy Kitten at Bank Info Security reports EMV chip cards are here, but notes the debate is about security vs. cost. She asks, “Is the U.S. ready for chip and PIN payment card authentication? Or are American financial institutions and merchants too invested in current technologies to even consider such a move?” She contends the chip and PIN debate has been re-ignited by two recent announcements:
The Sydney Morning Herald reports the Bank of New Zealand’s novel software-based technology for reducing credit-card fraud is being rolled out in Australia by its parent company, National Australia Bank. The “liquid encryption number” (LEN) technology is used on all BNZ credit and debit cards, and has cut the incidence of fraudulent transactions from “cloned” credit cards by 50 per cent. The technology works by changing numbers on a card’s magnetic stripe every time a transaction takes place, or an account balance is requested at an automatic teller (ATM).
Rocklin & Roseville Today reports three law enforcement agencies are on the trail of identity thieves after the discovery of identical credit card skimming machines inside gasoline pumps in Placer County, Folsom and Sacramento. The simple scanning devices have been found in pumps furthest from the clerk’s location and nearest to the street to avoid detection. Consumers are encouraged to pay inside the store using their credit cards or cash to avoid this type of fraud.
The Shreveport Times reports a Bossier City man faces theft charges after allegedly using a skimming device to steal people’s credit card information. Bossier City police arrested Sankeyno Rakeem Taylor, 21, on 10 counts of theft under Louisiana’s Anti-Skimming Act following a week long investigation. Taylor is accused of using a skimming device over the past several weeks to steal credit card information from customers in the drive-through lane at the McDonald’s Express restaurant where he was employed.
