CU Info Security reports that the Europay, MasterCard, Visa (EMV) standard, commonly used in most global markets, is coming to the U.S. The sooner issuers, acquirers and merchants initiate migrations, the better, says Stephanie Ericksen, head of authentication product integration at Visa. Visa has set April 2013 and October 2015 as EMV-adoption target dates. The card brand has also created a roadmap and guidelines to help issuers and merchants successfully launch and complete their EMV rollouts. The catalyst for Visa’s EMV push: escalating incidents of card fraud. The United States’ continued reliance on magnetic-stripe card technology is perpetuating the spread and growth of global card fraud. MasterCard also has set an April 2013 EMV-compliance deadline for all U.S. ATMs because ATMs are most often hit with skimming attacks.
The United States Department of Justice announced Yumeitrius Manuel and Margaret Kirksey, both of Montgomery, Ala., pleaded guilty to charges of conspiracy to defraud the government and aggravated identity theft. The two had been indicted by a federal grand jury on charges of conspiracy, aggravated identity theft, wire fraud, false claims and lying to federal agents. According to court documents, Manuel and Kirksey each owned and operated separate tax preparation businesses out of the same physical location in Montgomery. They fraudulently inflated tax refunds by placing false information on their clients’ tax returns. They also filed tax returns in the names and Social Security numbers of individuals who did not know about, and did not authorize, the filing of tax returns on their behalf. Both Manuel and Kirksey admitted that their offenses involved over $1 million in tax loss and more than 50 victims of identity theft.
The Register reports Symantec is urging users to patch pcAnywhere, its remote control application, following the discovery of a brace of serious security flaws. The more severe of the two holes allows hackers to remotely inject code into vulnerable systems – made possible because a service on TCP port 5631 permits a fixed-length buffer overflow during the authentication process. This line of attack ought to be blocked by a properly configured firewall, but it’s unwise to rely on that without patching vulnerable systems. The other flaw relies on overwriting files installed by pcAnywhere in order to escalate a user’s privileges, although miscreants will already need access to a vulnerable system to do this.
SC Magazine reports the University of Hawaii (UH) has settled a class-action data breach lawsuit brought by nearly 100,000 students, faculty, alumni and staff, according to the plaintiffs’ lawyers. The suit relates to five breaches in all, including one involving the inadvertent posting online of personal information by a faculty member who accidentally uploaded sensitive files to an unencrypted web server. Details included names, Social Security numbers, addresses, birth dates and educational data. In another incident, hackers gained access to a UH at Manoa parking office computer server that contained the personal data of 53,000 individuals, including 40,870 Social Security numbers and 200 credit card numbers.
Dark Reading reports attackers have developed a new way to infect your PC through email — without forcing you to click on an attachment. According to researchers at eleven, a German security firm, the new drive-by spam automatically downloads malware when an email is opened in the email client. The user doesn’t have to click on a link or open an attachment — just opening the email is enough. The new generation of email-borne malware consists of HTML emails containing JavaScript that automatically downloads malware when the email is opened, according to eleven. This is similar to so-called drive-by downloads, which infect a PC when an infected website is opened in the browser. The current wave of drive-by spam contains the subject “Banking security update” and has a sender address with the domain fdic.com. If the email client allows HTML emails to be displayed, the HTML code is immediately activated.
Bank Info Security reports family-owned Cisero’s claims Elavon Inc., its former payments processor, and U.S. Bank, its former acquirer, illegally charged the Park City, Utah, restaurant fees and fines after an alleged card breach. Elavon and U.S. Bank are part of U.S. Bancorp. If Cisero’s is successful in its legal quest to have U.S. Bank’s indemnification ruled illegal, it could set a legal precedent that puts a contractual shift in motion for the ways response and liability are handled in the wake of card breaches.
Tom Webb at TwinCities.com Pioneer Press reports eleven additional suspects have been indicted in a $2 million identity-theft ring that operated in the Twin Cities and reached across the Midwest, according to the U.S. Justice Department. The ID-theft ring involved “a complex plot to defraud banks and retail businesses, primarily in the Midwest,” the Justice Department said. Earlier this month, prosecutors said that nearly 100 people were involved in the ring in some fashion. Prosecutors say that the scheme, which dates to 2006, involved low-tech methods of stealing driver’s licenses and checkbooks, as well as high-tech means of producing counterfeit checks. Dozens of victims’ accounts were pilfered. Charges also are expected against some bank employees and employees of businesses affected by the scheme. Banks hit by the suspects, according to court documents, include U.S. Bank, Wells Fargo, American Bank of St. Paul, Affinity Plus Credit Union and HealthEast Employees Credit Union.
WMAZ News in Macon, Georgia, reports a man facing dozens of financial fraud charges in five states has been booked into the Baldwin County Jail, according to the Baldwin County Sheriff’s Office. Capt. Brad King says Akop Taymizyam faces financial card transaction fraud and ID theft charges after the debit card information of a person living in Baldwin County was stolen and used in the Atlanta area. King says a photo from the bank where the fraudulent transaction was made identified Taymizyam. He also faces 60 similar counts in Cobb County and 30 in Cherokee, says King. He says Taymizyam is also accused of about $1.5 million in credit card fraud in California.
Bank Info Security reports a 17-year-old was slapped with a 60-day jail sentence after he was busted for skimming credit and debit details while working the drive-thru window at a McDonald’s restaurant in Olympia, Washington. This insider scam highlights a card fraud trend the industry needs to watch, experts say. In the McDonald’s incident, the teen’s card-fraud scheme was foiled before exceeding $13,000 in losses, after transaction monitoring traced the fraud. Detectives connected the dots and linked the fraud to the Olympia McDonald’s when contacted by the Washington State Employees Credit Union about fraudulent transactions hitting member accounts. The credit union found one commonality: all of the compromised cards had been used at the same McDonald’s. McDonald’s management later confirmed the juvenile suspect had worked the drive-thru every time one of the compromised cards had been used.
PR Newswire reports FICO released its analysis of data showing that major shifts have occurred in European card fraud patterns. However, criminals are shifting to card-not-present fraud because of chip and PIN success. FICO analyzed 55 million active credit cards represented in the FICO® Falcon® Fraud Consortium for Europe, which showed that counterfeit fraud fell 60 percent between March 2009 and March 2011. FICO’s data also shows that card-not-present fraud accounted for 69 percent of all accounts victimized by fraud and 72 percent of all fraud losses. The top 10 merchant categories accounted for 30 percent of the total fraud losses, led by hotels/lodging, travel agencies and ATMs.