James Verini recounts the chilling and deceptive cybercrime wave created by mastermind Alberto Gonzalez in a New York Times Magazine article. As Verini notes, “Gonzalez, law-enforcement officials would discover, was more than just a casher. He was a moderator and rising star on Shadowcrew.com, an archetypal criminal cyberbazaar that sprang up during the Internet-commerce boom in the early 2000s. Its users trafficked in databases of stolen card accounts and devices like magnetic strip-encoders and card-embossers; they posted tips on vulnerable banks and stores and effective e-mail scams.”
Elinor Mills at CNET News reports that, in a first-of-its-kind effort, Verizon Business is launching a public Web site for reporting security incidents that could crack open the self-defeating secrecy of data breaches. Database breaches, social engineering attacks, and hacking incidents happen at companies every day, but very few end up being reported publicly. That’s because organizations fear, and rightly so, damage to their reputation, public humiliation, and loss of customer confidence. Verizon is officially launching its Veris information-sharing site today, where network or security professionals can provide detailed information about an incident and get back a report that illustrates via charts, graphs, and other information how the reported incident compares with others.
Memento Security reports that a debit-card security breach at a discount grocery chain that operates in 11 states is costing Five Star Bank as much as $850,000 in fraud losses. Financial Institutions, the Warsaw-based parent of the bank, expects to suffer a pretax loss of about $750,000 to $850,000 in the fourth quarter in connection with fraudulent debit transactions, the company disclosed in a regulatory filing with the Securities and Exchange Commission. In the filing, the company said that it “began experiencing an increase in the number of customers reporting third-party fraudulent debit card usage” in October.
The Seattle Times reports Seattle police passed along information to federal agents that pointed to a high-tech credit card fraud scheme on Capitol Hill. Members of the Secret Service’s Seattle Electronic Crimes Task Force, who have advanced training in computer forensics, were sent to the neighborhood and “were immediately able to put a stop to the fraud,” Bob Kierstead, assistant special agent in charge of the service’s Seattle field office, said Friday.
The Wall Street Journal reports fraud involving debit cards and personal-identification numbers is on the rise as criminals go where the cash is—even targeting banks’ own automated teller machines. Techniques such as “skimming,” in which criminals capture card information and personal-identification numbers, have existed for years, often on a small scale. Though the dollar losses still are relatively modest, organized gangs now are pulling off more-sophisticated attacks.
CTV Montreal reports three men have been arrested in connection with a debit card cloning scheme. Police discovered the three men always operated the same way by installing a data storage device and a miniature camera at the debit banking machine. They were then able to read and store PIN numbers through the device, and then cloned debit cards to make fraudulent withdrawals.
Laura Bruce at Bankrate.com reports that experts say crime rings sometimes skim ATMs, and the damage can be extensive. A New York ring installed more than 20 modified ATMs and compromised more than 26,000 transactions and thousands of cards from 1,400 issuers. Losses were pegged at $3.5 million before the case was cracked.
Bank Info Security reports on the top four skimming threats. Credit and debit card skimming can take many forms. Here are the top four credit and debit card skimming attacks hitting U.S. businesses, financial institutions and their customers.
1. Hand-Held POS Skimming Device
2. Retail POS Terminal “Swaps”
3. ATM and Unattended Self-Service Terminal Skimming
4. Dummy ATMs
RSA, The Security Division of EMC, today announced its RSA® Data Protection Manager product designed to give customers comprehensive application data protection capabilities. The product combines tokenization and application encryption, two popular application-based controls, with advanced token and key management to deliver end-to-end data security. This combination of data protection and key management technologies is engineered to make data more secure, while lowering operational costs of data protection by consolidating the management layer.
Tim Horton at First Data discusses tokenization in the context of PCI. He notes, “We’ve talked a lot about how tokenization can reduce PCI scope. As discussions in the industry focus on the future of data security and PCI compliance, I want to revisit this topic using some thoughts from Rob McMillon at RSA for the foundation. Tokenization eliminates a merchant’s storage of actual cardholder data. From a merchant’s perspective, if the cardholder data is never stored, it’s far less likely to be stolen.”