HawaiiNewsNow reports Honolulu prosecutors on Tuesday secured an eight-count indictment against three California men suspected of stealing financial information from nearly 200 people in Hawaii. Court documents say the men flew to Hawaii and victimized 194 people by opening the front panels of gas pumps and installing devices that could capture data from the magnetic stripes on payment cards. Prosecutors say the men later returned to the gas stations to retrieve their devices and then flew back to California, where they used the information to acquire $170,000 from six financial institutions in Hawaii.
KGW.com reports Vancouver, Washington police arrested a man suspected of putting a “skimming” device on an ATM. Detectives said they got a tip from someone who saw a photo on the news. Nicholas Duncan, 18, of Vancouver, was arrested on one count of fraud. Last week a customer at the LaCamas Credit Union on Southeast 31st Street noticed the device over the card slot and called police. Officers found a pinhole camera mounted just over the keypad to capture customers’ PINs as they entered them.
Tracy Kitten of Bank Security Info reports warm weather and easy targets have made self-service gas pumps in Arizona attractive to card skimmers. Card fraud linked to pay-at-the-pump gas terminals in Arizona tourist spots such as Tucson is on the rise as the spring travel season gears up. Last week, Tucson, Ariz., Police Sgt. Michael Garcia told a local TV station that pay-at-the-pump skimming has been increasing since January, when Tucson police confiscated the city’s first gas pump card skimmer. Local law enforcement responded in mid-January by telling gas station owners to check the card readers on fuel pumps more regularly and to warn consumers about the risks of paying with plastic at the pump.
ThreatPost writes that the high-profile compromise of Comodo, a Certificate Authority (CA), has raised the specter of a security compromise in one of the Internet’s few security pillars: SSL (Secure Sockets Layer) encryption, which secures a dizzying array of Internet- and Web-based transactions. With news that forged SSL certificates had been issued for some of the Web’s top domains, enterprises are in the difficult position of either crossing their fingers and continuing to trust certificates from a CA that has admitted to a serious security breach, or migrating their certificates to a new CA. ThreatPost goes on to cite five tips for securing an enterprise’s certificate infrastructure.
Credit Union Info Security reports an old payment card fraud scheme seems to have resurfaced in France, according to one U.S. credit union’s report of suspicious low-dollar charges coming in from European toll booths. International Airline Employees Federal Credit Union of Briarwood, N.Y., reported earlier this month to the National Association of Federal Credit Unions that suspicious transactions, usually for amounts ranging from $10 to $15, have been hitting IAEFCU Visa cards. IAEFCU President and CEO John Gebhard says the fraud does not appear to involve stolen card numbers; rather, fraudsters are likely creating cards using nothing more than the credit union’s bank identification number. So far only small charges have been made in France, usually at tolls. The volume and dollar amounts are too low for chargeback rights.
The Register reports system failure has replaced negligence as the single biggest source of data breaches involving UK firms, the cost of which rose for the third successive year. The average data breach cost UK organizations £1.9 million, or £71 per record, an increase of 13% from the year before, according to a Symantec-sponsored survey. The cost of breaches ranged from £36,000 to £6.2 million. The 2010 edition of the survey blamed malicious or criminal attacks for 29% of all data breaches, up from 22% during 2009. The costs arising from data breaches include cleanup costs as well as increased customer churn due to diminished trust. More than a third (37%) of the cases scrutinized during the study involved system failure, up 7 percentage points from 2009.
BBC News reports hackers have stolen data about the security tokens used by millions of people to protect access to bank accounts and corporate networks. RSA Security told customers about the “extremely sophisticated cyber attack” in an open letter posted online. The company is providing “immediate remediation” advice to customers to limit the impact of the theft. It also recommended customers take steps, such as hardening password policies, to help protect themselves.
Robert McMillon of RSA blogs that he previously wrote about how the approaches taken to security today are not effective at protecting organizations from skilled and dedicated attackers. With that in mind, he posts some New Year’s Resolutions that he thinks the industry should follow:
1. Get rid of our assumptions – Whether you are at the conference or not, let’s get rid of our preconceived notions about what is or is not needed in security. Approach all of our security issues with an open mind, as opposed to going automatically down the well-worn path created by our assumptions.
2. Remember that no solution is perfect – There is no such thing as a perfect anything. Even the things that are very, very good at what they do have a weakness that can be exploited. That’s why good security is built in layers, where the weakness of one layer is protected by the strength of another. That leads to my next resolution,
3. Try to think like an attacker – When we look at the new announcements that are sure to happen next week, think about things from the attacker’s point of view and try to imagine how it could be exploited. Because the more exploits we can come up with, the better we will be at creating those layers.
4. Don’t only pay attention to the established players – There will be a lot of great ideas coming from non-traditional players, and we do ourselves a disservice by just flocking to the industry giants. As security continues to be mainstreamed, security ideas will come more and more from new directions. And finally,
5. Let security lead to compliance, not the other way around – Even though PCI did just issue their new guidelines, it is just an iteration. There isn’t a new regulation or mandate that everyone is scrambling to solve. Let’s take advantage of the relative lull to evaluate our security posture and the compromises we might have made in an effort to “get compliant”. We need to get back to recognizing that good security is the right end-goal; and it will naturally lead to both an improved risk posture and compliance with external mandates and guidelines.
The Lansing State Journal reports an Eaton Rapids woman who admitted making more than $120,000 in ATM withdrawals using her employer’s debit card pleaded guilty to two counts of a felony superseding indictment. Rebecca Sue Kellogg, 35, admitted that from September 2008 to September 2009, while she was employed as an office manager at Capitol Communication Systems Inc. of Lansing, she had unauthorized access to a corporate debit card, according to U.S. Attorney Donald A. Davis. The card had been issued to the company’s former comptroller. Kellogg said she used the debit card and made frequent withdrawals of $500 from Lansing-area ATMs.
Fox Business reports identity theft may be happening less often, but victims are paying a higher price. Last year, the number of identity thefts fell 28% to 8.1 million, from an estimated 11 million in 2009, according to a recent survey from Javelin Strategy & Research. This was the sharpest drop in the history of the eight-year study. It also found the odds of being hit by identity theft fell to 3.5% in 2010 from 4.8% in 2009. Total annual reported fraud also fell, from $56 billion to $37 billion. Despite the drop in incidents, those who suffered identity theft last year faced higher consequences, the study found. The average out-of-pocket loss nearly doubled, going from $387 to $631 per incident. Consumers also reported spending an average of 59 hours recovering from a “new account” instance of ID theft, up from 41 hours in 2009.