Krebs on Security reports a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine: A silver, plexiglass device had been attached to the ATM’s card acceptance slot, in a bid to steal card data from unsuspecting ATM users. But the customer and the bank’s employees initially overlooked a secondary fraud device that the unknown thief had left at the scene: A sophisticated, battery operated and motion activated camera designed to record victims entering their personal identification numbers at the ATM.
Carrie-Ann Skinner at CSO Security and Risk writes that more than a third of smartphone owners are not aware of the security risks associated with using their handset to access their bank accounts and other financial services, says AVG. Research conducted by the security firm in conjunction with the Ponemon Institute revealed that just 29 percent of smartphone owners have considered downloading free or paid-for antivirus software for their handset. Furthermore, 13 percent said that location-tracking tools had been embedded in their phone without their knowledge at the time, allowing others to track their location, and six percent had experienced a mobile phone app transmitting confidential payment information such as credit card details without the user’s knowledge or consent.
The Federal Reserve Bank of Atlanta blogs that combating fraud in credit and debit card payments is a challenge for all payment system participants, from the banks that issue the cards to the merchants that accept those cards as payments for goods and services. One particularly troubling channel, with a rising incidence of card fraud, is on the Internet. Retailers are increasing their efforts to attract customers online with discounts, online-only specials, and free shipping and returns. While the use of cards for website payments, also known as card-not-present (CNP) transactions, is inherently riskier than face-to-face transactions at a merchant’s point-of-sale, the dramatic rise in e-commerce suggests it is a trend that is here to stay. As the mobile channel develops for card payments, can the security capabilities of mobile handsets protect consumers against CNP fraud?
Visa announced a new Payment Card Industry Data Security Standard (PCI DSS) compliance program that will fuel dynamic data authentication through the continued merchant deployment of EMV-compatible chip terminals capable of processing either contact or both contact and contactless payments. An industry first, Visa’s Technology Innovation Program (TIP), will eliminate the requirement that eligible merchants annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant’s Visa transactions originate from chip-enabled terminals. To qualify, terminals must be enabled for contact or dual contact and contactless interface chip acceptance. All merchants outside of the United States are eligible and may begin qualifying for the new program from March 31, 2011. Visa Europe has announced a similar program.
The 2011 CyberSecurity Watch Survey, conducted by CSO and sponsored by Deloitte, revealed that more attacks come from outside entities. But it’s the insider attacks that seem to cause the most grief. Respondents said, insider attacks are becoming more sophisticated, with a growing number of insiders (22 percent) using rootkits or hacker tools compared to just 9 percent a year ago.
Bank Info Security reports a study, conducted by the Ponemon Institute and sponsored by solutions provider Tripwire, finds that companies that regularly review and maintain compliance with leading industry security standards save three times more annually than companies and agencies that fall out of compliance. The study found that most compliant companies and agencies spend, on average, $3.5 million annually on security; non-compliant companies spend an estimated $9.4 million. And the most-often focused on standard, across the board, is the Payment Card Industry Data Security Standard.
George Hulme at Threatpost.com advises, “Having the communications and action plan in place is the key. Most of the lasting impression after a security breach – or any IT crisis – isn’t going to be how the breach occurred, what technologies broke down, or even what data was stolen. It’s much more likely to be how well, or how poorly, a company responded.”
Matt Liebowitz at MSNBC.com writes Identity thieves can lurk in the unlikeliest of places, including your local library. Police in a posh suburb of Manchester, England, have issued a cybercrime alert after they found keystroke loggers plugged into computers at two libraries, according to the Manchester Evening News. Keystroke loggers look similar to USB drives, and capture all keyboard activity while they are plugged into a keyboard port (often located in the back of the computer). A typical logger looks inconspicuous – if it’s noticed at all. But when the owner returns for it, the stored information – which could include e-mail passwords and bank account information – is theirs ( is theirs correct?) for the taking.
The Palm Beach Post reports a southern Broward County man is charged with using stolen information skimmed from a Palm Beach Gardens ATM to steal thousands, authorities said. Gricha Lubenov Goleminov, 54, of Hallandale, is charged with identify theft, fraud under $20,000, and organized scheme to defraud. Authorities nationwide and around the world have been pursuing eastern Europeans, in several unrelated groups, who allegedly skim ATMs. Detectives say criminals place a device over the card slot that reads the data stripe and install a hidden camera that records customers entering PINs.
BuffaloNews.com reports a Coral Springs, Fla., man was sentenced to 18 months in federal prison Friday for his role in a credit card counterfeiting ring that cheated victims out of more than $510,000. Zheng Qiang Liang, 46, was sentenced by U. S. District Judge William M. Skretny. He pleaded guilty last year to a felony bank fraud charge. Liang and others fraudulently used the bank account information of hundreds of people to create fake credit and debit cards. The counterfeit cards were used to withdraw money at bank machines at casinos, including Seneca Niagara and Seneca Allegany, Assistant U. S. Attorney Aaron J. Mango said.
