Group items tagged

Online crime is increasingly hitting small and mid-size companies in the U.S., draining those entities' bank accounts through fraudulent transfers. The problem has gotten so bad that a financial services group recently sent out a warning about the trend, and the Federal Deposit Insurance Corporation (FDIC) issued an alert today. "In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," says a bulletin sent on Aug. 21 to member financial institutions by the Financial Services Information Sharing and Analysis Center, (FS-ISAC). The FS-ISAC is part of the government-private industry umbrella working with the Department of Homeland Security and Treasury Department to share information about critical threats to the country's infrastructure. The member-only alert described the problem and told its members to implement many of the precautions and monitoring currently used to detect consumer bank and credit card fraud.

"In a bizarre case of cyber crime, the Wall Street Journal reported today that Russian hackers may have stolen tens of millions of dollars from Citigroup, a charge the bank denies. " Citing anonymous government officials, the newspaper reported that the hackers were connected to a Russian cyber gang and that two other computer systems, at least one connected to a U.S. government agency, were also attacked. The FBI is investigating the case, according to the Wall Street Journal, but the company has flatly denied the story. "We had no breach of the system and there were no losses, no customer losses, no bank losses," the banking giant said in a statement. "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."

Visa Inc. said recent alerts it sent to credit card issuers are not related to a new breach, countering reports that a second payment processor had been compromised. In a statement issued Friday, San Francisco-based Visa said the alerts "were part of an existing investigation and are not related to a new compromise event." Credit unions last week reported receiving alerts from Visa and MasterCard about credit and debit card accounts that were exposed in the breach of a payment processor. They reported that the compromise was unrelated to the breach announced by Heartland Payment Systems in January. Information about newly affected accounts was relayed to banks and credit unions Feb. 9, via Visa's Compromised Account Management System (CAMS). The system, which informs banks of compromised account numbers, gives issuers the ability to monitor, close, or block the compromised accounts. Visa's statement did not say what existing investigation the alerts are related to and a company spokesman said he couldn't provide that detail. "Visa has provided the affected accounts to financial institutions so they can take steps to protect consumers," the company said in its statement. "In addition, Visa is risk-scoring all transactions in real-time, helping card issuers better distinguish fraud transactions from legitimate ones." Rich Mogull, an independent consultant and founder of security consultancy Securosis LLC said it's impossible to draw any conclusions based on the Visa statement. "It doesn't say if the breach is public or not, so it may be older but not revealed yet," he wrote in an email. "In other words, it just adds to the confusion. I assume the full story will come out eventually, and since they don't identify the breach it's hard to really evaluate this at all." Heartland disclosed Jan. 20 that its systems were compromised by a hacker in 2008. The breach forced hundreds of banks and credit unions to replace thousands of credit and debit cards.

Data breaches are running at record levels, according to the San Diego-based Identity Theft Resource Center, a non-profit that tracks cybercrime. ITRC says it recorded 342 data breaches from Jan. 1 through June 24, up 69% from the same period in 2007. But, like the origins and perpetrators of so many individual data breaches, mystery also lies behind the aggregated numbers. "I'm not sure that this says breaches are increasing," ITRC founder Linda Foley tells Digital Transactions News. "What we know is the reporting of breaches is increasing." A handful of states now require some disclosure of data breaches to authorities, Alaska being the most recent. And some companies that have been hacked are starting to report breaches voluntarily, Foley says. While data breaches can compromise all manner of personal and business records, they often involve credit and debit card data and bank-account information. ITRC lists five major categories of breached entities, with the so-called banking/credit/financial sector accounting for 10% of 2008's breaches. Businesses, which include physical and Internet retailers, insurance companies and other private enterprises, accounted for 36.8%. Schools accounted for 21.3%; government and military facilities, 17%; and health-care facilities, 14.9%. IRTC also categorizes breaches by how they happened, such as through hackings-break-ins into computers and related systems, insider thefts, data lost in physical transit, and by other methods. The number of 2008 hackings through late June in the banking/credit/financial category was 10-double the five for all of 2007. The estimated number of records compromised as a result was 227,864. In 2007, the reported number of compromised records at financial institutions through hackings was 83,500. But Foley says not to put too much stock in the records numbers because so many breached organizations don't know or fail to report the number of compromised records when they report a bre

It's funny. Was it just a month ago that we were enjoying the holiday respite, wondering what 2009 would have in store for us? Mind you, I didn't have any delusions. After the breaches, news events and regulatory issues of 2008, I didn't think we were going to turn the calendar page and emerge in a new world of a healthy economy and soaring consumer confidence. But neither did I think, four weeks later, we'd already have our first major security breach of the year - Heartland Payment Systems (HPY) and that it would so dominate our industry's attention. I get it, though, why we're so enamored of this case. It speaks to our biggest fears, first of all, that unknown electronic assailants can sneak into our systems and pry away our customers' names and critical information. Then there's the unknown enormity - we truly don't know how big this breach was. And, finally, it hits home. For you, the banking institution, you're the one left replacing your customers' cards and explaining why. For me, the banking customer ... well, mine is one of the banks doing the explaining. Needless to say, we're monitoring accounts closely. So, we were among the first to break the Heartland story when it first broke last Tuesday, and we've continued to follow it closely. After the initial media surge, where we saw news outlets and solutions providers tripping over one another to opine over what they think happened to Heartland and what it all means, here is what I believe we've learned so far from the case: 1) The Damage Goes Far Beyond the Breach. Heartland execs absolutely did the right thing by stepping forward last week and saying "We were breached," but the company has suffered for it ever since. The market responded to the news by gutting the company's value from over $14 per share last Tuesday to a low of just under $8 this week. Reputationally, you just can't measure the damage - Heartland is now synonymous with "breach," and that's a tough tag to shake. Unable to answer quest

PCI - better than nothing, but still vastly inadequate. - Karl The Heartland Payment Systems and Network Solutions data breaches have thrust the Payment Card Industry Data Security Standard (PCI DSS) into the spotlight, raising the question: Does PCI compliance help in the fight against fraud? David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses: Goods news - and not-so-good-news - about PCI compliance; Unique PCI challenges for merchants and banking institutions alike; What needs to be done to raise awareness of PCI compliance. Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.

The Heartland Payment Systems and Network Solutions data breaches have thrust the Payment Card Industry Data Security Standard (PCI DSS) into the spotlight, raising the question: Does PCI compliance help in the fight against fraud? David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses: Goods news - and not-so-good-news - about PCI compliance; Unique PCI challenges for merchants and banking institutions alike; What needs to be done to raise awareness of PCI compliance. Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.

Heartland Payment Systems, the sixth-largest payments processor in the U.S., announced Monday that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud. Meanwhile, Forcht Bank, one of the 10 largest banks in Kentucky, told its customers it would begin reissuing 8,500 debit cards after being informed by its own card processor of a possible breach. In the case of Heartland, while the company continues to assess the damages inflicted by the attack, Robert Baldwin, the company's president and CFO, says law enforcement has already noted that the attack against his company is part of a wider cyber fraud operation. "The indication that it is tied to wider cyber fraud operation comes directly from conversations with the Department of Justice and the U.S. Secret Service," Baldwin says. The company says it believes the breach has been contained. Heartland, headquartered in Princeton, NJ, handles approximately 100 million transactions per month, although the number of unique cardholders is much lower. "It is still a question as to the percentage of the data flow they were able to get," Baldwin says, adding he would not speculate on the number of cards potentially exposed. Specifics surrounding when the breach occurred are still being analyzed. But Baldwin says two forensic auditing teams have been working on the breach analysis and investigation since late 2008, after Heartland received the notification from Visa and MasterCard. The investigation began immediately after the credit card companies told Heartland they saw suspicious activity surrounding processed card transactions. Described by Baldwin as "quite a sophisticated attack," he says it has been challenging to discover exactly how it happened.

As if banks didn't have enough on their plates with compliance and regulation on the federal front, come May 1, they will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security. The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope. During a teleconference, attorneys from the privacy and data security practice of the law firm Goodwin Procter (Boston) described this very detailed, all-encompassing set of rules designed to keep consumers' personal data safe. They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information. "Personal information," for the purposes of the regulation, is described as someone's first and last name or first initial and last name, in combination with Social Security Number, driver's license number or financial account number. At its core, the regulation states that companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled. The rules also extend to entities' service providers and the degree to which they too much show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules. According to partner Deborah Birnbach, this is some of the most intrusive legislation as it relates to the operation of businesses. "It requires

"It's the easiest way for a bad guy to pretend to be you." So why are banks still using SSNs as a major form of customer identification?

Most Americans believe the world financial crisis has increased their risk of identity theft or related crimes, according to the latest Unisys Security Index. The biannual survey of consumers in nine countries found that more than two-thirds of Americans are "extremely or very concerned" about other people obtaining and using their credit or debit card details -- with 90 percent at least "somewhat concerned." In addition, computer security remains a major concern. More than 40 percent of Americans are extremely or very concerned about security in relation to viruses or unsolicited emails. Three-quarters of Americans believe that the world financial crisis will increase the risk that they will personally experience identity theft or related crimes. More than one-quarter believe that the risk will increase substantially. "Financial security for Americans has moved from third place to front and center, number one," Tim Kelleher, vice president of enterprise security at Unisys, provider of information technology consulting services, told SCMagazineUS.com Monday. "People feel they are much more financially at risk." This has major implications for banks and other financial institutions, as well as internet businesses, he said. "Banks and businesses need to understand that customers are more wary than ever about using services that may compromise their personal data," Kelleher said. "If economic concerns increase these fears, companies need new strategies to strengthen customer confidence through accountability and transparency, which also plays to part of the Obama administration's call to action for government and business." The U.S. Security Index is based on a random telephone survey of 1,004 persons ages 18 and over. The first wave of the study was conducted in August 2007.

www.killdo.de.gg Most quality online stores. Know whether you are a trusted online retailer in the world. Whatever we can buy very good quality. and do not hesitate. Everything is very high quality. Including clothes, accessories, bags, cups. Highly recommended. This is one of the trusted online store in the world. View now www.retrostyler.com

Days after Visa seemingly confirmed that a data breach had taken place at a third payment processor, following on the recent breach disclosures by Heartland Payment Systems and RBS WorldPay, the credit card company now is saying that there was no new security incident after all. In actuality, Visa said in a statement issued Friday, alerts that it sent recently to banks and credit unions warning them about a compromise at a payment processor were related to the ongoing investigation of a previously known breach. However, Visa still didn't disclose the identity of the breached company, nor say why it is continuing to keep the name under wraps. Visa said that it had sent lists of credit and debit card numbers found to have been compromised as part of the investigation to financial institutions "so they can take steps to protect consumers." It added that it currently "is risk-scoring all transactions in real-time, helping card issuers better distinguish fraudulent transactions from legitimate ones." Visa's latest statement follows ones issued by both it and MasterCard International earlier this week in response to questions about breach notices that had been posted by several credit unions and banking associations. The notices made it clear that they weren't referring to the system intrusion disclosed by Heartland on January 20 and suggested that a new breach had occurred.

Up to 21,000 Floridians may have been affected by a data breach at Wyndham Hotels & Resorts last year, prompting Attorney General Bill McCollum to ask consumers to keep a close eye on their credit statements. According to a statement released today, Wyndham reported to the Attorney General's Office that it contacted affected consumers in December and notified them that unauthorized access to Wyndham systems had potentially compromised their personal data on their debit and credit cards. The data breach has since been disabled. McCollum encouraged consumers to report any suspicious activity on their accounts to law enforcement. Affected consumers are encouraged to take precautionary steps, including obtaining a free fraud alert from one of the credit reporting agencies. Anyone who believes they may be a victim of identity theft should also request that the national credit bureaus place a fraud alert on their credit reports. Consumers should notify banks and creditors involved of questionable charges or accounts, keep records of all telephone calls and follow up in writing with credit bureaus, banks and creditors.

Eight years ago, a woman we'll call Sarah discovered that she was not biologically related to the father she had known all her life. Sarah, her mother revealed, was "donor-conceived." Her parents, after trying without success for a pregnancy of their own in the late 1970s, turned to a fertility center, where Sarah's mother was artificially inseminated with sperm from an anonymous donor. At the time sperm banks did not offer detailed donor profiles. Upon discovering the truth, Sarah was told what her parents had been told about her biological father: He was a medical student, possibly of Scandinavian ancestry. Sarah, who describes her family as "loving and stable," was shocked. Today she is also sick. A year before finding out about her conception, she began to experience severe, unexplained bladder problems. She has been seeing doctors at Johns Hopkins; so far they haven't figured out the cause. Recently married, Sarah worries that she may pass the illness on to future children. The medical history of her biological father could provide a crucial piece of the diagnostic puzzle. But in the early days of artificial insemination, clinics often shredded or burned files to ensure donor anonymity and client privacy. Sarah's father's identity may be locked away in storage somewhere, or it may have been destroyed. Although aware of the likely futility of her search, Sarah still continues-writing the clinic, nurses, her doctor-in the hope that someone can help. Faced with stories like this, the fertility industry and a few state governments are trying to come up with a way to ensure that future donor-conceived children will have access to their fathers' medical files. A national registry, for example, could allow banks to monitor how many times a man donates semen and how many children are born from his seed, to share updates about medical issues and to facilitate long-term research on health outcomes. But any such registry poses a threat to the p

Ah, social networking. It's become the fabric of today's Internet generation. Don't have a Twitter account? Heavens, even Sen. John McCain has a Twitter account. Signed up with Facebook? Only losers don't have a Facebook account. MySpace? Not bad, but it's so five minutes ago. But as lovely as social networking may be, there are a few problems. One of the biggest appears to be that you can kiss your privacy good-bye. Now, I'm not talking about the predilection of some people to share intimate details about themselves on social networking sites. I'm actually referring to the other things that might help contribute to your financial ruin. Those most enthusiastic about social networking are cybercriminals. They drool at the prospect of seeing the personal information of the 175 million people on Facebook. And they know how to use that information. For example, cybercrooks take great interest in the names of pets or grandparents on Facebook pages. That's the kind of information that banks and credit-card companies use to verify who you are when you bank online. "There are so many people on social-networking sites that it is becoming profitable for bad guys to go there," David Perry, global director of education at software security firm Trend Micro, recently told Agence France-Presse (AFP). "Bad guys can see all the things you post. You may be revealing personal information that is extremely valuable." Now Facebook has made revealing personal information even easier. This past week, it announced that users can change their privacy settings so everyone can see their profile. The company was actually responding to a request from many users who wanted the ability to share their information with even more people. As I said, cybercrooks are drooling.

Government Information Security Podcasts Credit Eligible As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Lessons Learned from TJX: Eric Fiterman, Cyber Crime Expert August 13, 2008 Interview with Cyber Crime Expert Eric Fiterman In the wake of the arrests of 11 hackers tied to the TJX data breach, security experts everywhere are warning of bigger, bolder threats to come. So, what should banking institutions have learned from TJX-style breaches, and what can they do now to protect their customers and critical financial/informational assets? In this interview, former FBI agent Eric Fiterman, founder of Methodvue, offers: Insights on the TJX and other breach investigations; How banking institutions can better protect their assets; The types of crimes institutions need to look out for in the months ahead.

All but one of the legal claims filed against Hannaford Bros. -- the Maine-based retailer that suffered a security breach exposing some four million credit and debit cards -- has been dismissed. U.S. District Court Judge Brock Hornby threw out the civil claims against the grocer for its alleged failure to protect card holder data and to notify customers of the breach in a timely fashion. In dismissing the claims, Hornby ruled that without any actual and substantial loss of money or property, consumers could not seek damages. The only complaint he allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account following the Hannaford breach.

Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January when investigators discovered a malicious program sniffing credit card data passing through its systems. The company said it took a $2.5 million loss for the quarter as a result of spending more than $12.6 million in legal bills, fines from MasterCard and Visa and administrative costs. The announcement was made during the company's financial earnings call, where Carr said the costs associated with the breach could continue to climb. "Our defense of the claims regarding the processing system intrusion remains ongoing," he said. "Much of the legal work remains to be done and it is difficult to anticipate when these matters will come to a conclusion." Carr also admitted for the first time that since the Princeton, N.J.-based processing giant announced a breach of its systems, some of the payment processor's clients have switched to competitors as a result of the breach. He said some competing processors resorted to scare tactics. "We have had many competitors that have been very supportive and professional, and we certainly don't want to tar all of our competitors with the same brush," Carr said. "We have had some competitors telling merchants falsely that they would be fined $10,000 a day if they stay with Heartland. We think we're through the worst of that." Car said less than $1 million of the breach costs were fines levied by MasterCard and Visa against the company's sponsored banks. The fines are being contested, he said. More than $500,000 relates to a fine assessed by MasterCard against the sponsored banks in which the card company said Heartland failed to take appropriate action upon learning that a breach was suspected. Carr said the fine is in direct violation of both the MasterCard rules and law.

An insider at the California Water Service Company in San Jose broke into the company's computer system and transferred $9 million into offshore bank accounts and fled the country. Abdirahman Ismail Abdi, 32, was an auditor for the water company, which delivers drinking water throughout the state and is located in San Jose, Calif. Abdi resigned from his position on April 27. Allegedly, that night he went back to work and made three wire transfers totaling more than $9 million from the company's accounts to an account in Qatar. Abdi was seen by a janitor on the night of the crime, according to the San Jose Mercury News, citing court documents filed Wednesday in the federal court at San Jose. The next morning, the water company discovered what had been done and worked with their bank to have the money returned to their account. The company notified police, who are currently investigating the case, Jose Garcia, public information officer at the San Jose Police Department, told SCMagazineUS.com on Friday.

Internal controls failure.

Consumers and companies are vulnerable to hackers and identity thieves even after U.S. authorities arrested a man they said was a master hacker who stole 170 million credit and debit card numbers. Estimates on the total financial impact of breaches vary, but a study by Forrester Research put the cost at $90 to $305 per compromised record when considering the cost of upgrades, notifying customers and legal and marketing expenses. "Under our banking laws, it's the financial institutions that will be stuck paying for fraudulent use of credit cards. We have the consumers responsible for $50 and the rest winds up on the card issuer," said Joel Reidenberg, a professor at Fordham Law School who teaches privacy law. Banks in turn pass along costs to retailers as fines and fees. On Monday, three men were indicted on charges of stealing more than 130 million credit and debit card numbers in what U.S. authorities said they believed was the largest hacking and identify theft case ever prosecuted in the United States