Finance
Investigators: Businesses buying your credit card number
Investigators: Businesses buying your credit card number: Via NorthWest Cable News.
$10 here. $15 there.
By putting little charges on your credit card some companies are making tens of millions of dollars a year. These are businesses that you never gave your credit card number to.
Some consumer groups call it fraud, but it may be perfectly legal.
Christie Frison-Thornton, of Rainier, spotted a $19.95 charge just a few weeks ago. A company called "Privacy Matters" billed her credit card.
"I thought what the heck is this? Cause I really did not have a clue," said Frison-Thornton. [ Read more ... ]
TJX Hacking Conspirator Gets 4 Years
TJX Hacking Conspirator Gets 4 Years: Via Threat Level.
Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.
Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.
Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers. [ Read more ... ]
Cryptome Suspected of Money Laundering or Worse (PayPal freezes their account)
Cryptome Suspected of Money Laundering or Worse: Via cryptome.org.
PayPal has confiscated donations made to Cryptome since February 24, 2010. The donations have been refunded rather than leave them in the untrustworthy control of PayPal for purposes contrary to those of the donors. The total upsurge was about $5,300, not much but a peak.
The timing of the confiscation corresponds to the recent Microsoft-Network Solutions copyright imbroglio and public attention given to the lawful spying guide series including those of PayPal. PayPal's legal agreements describe a wide range of prohibitions -- among them DMCA infringement, counter-terrorism, violations of AUP and catch-alls -- for use of its services and urge reporting of violations.
It "limits" (suspends and/or closes) an account without fully explaining the reasons, some of which may be secret under spying law, others kept confidential to avoid lawsuits or bad publicity.
What you buy and where you shop may affect your credit
What you buy and where you shop may affect your credit: Via creditcards.com.
New credit card law requires probe of issuers' use of purchasing data
As credit card companies continue to tighten their lending standards on card users, some are using purchasing data -- gleaned from millions of card transactions processed daily -- to weed out who may or may not be good credit risks.
Have you used your credit card at merchants specializing in secondhand clothing, retread tires, bail bond services, massages, casino gambling or betting? Your credit card issuer may be taking note -- and making decisions about your creditworthiness based on your purchasing behavior. The reason: Buying used clothing or retread tires may be an indication of financial distress and a preamble to missed credit card payments or defaults.
Now, Congress and federal regulators will be probing the extent to which credit card issuers have used information about where a person shops or what they buy as reasons to lower credit limits or increase interest rates. [ Read more ... ]
Another Debit Card Skimmer, but this one is built-in
Another Debit Card Skimmer: Via Schneier on Security.
This one is installed inside gas pumps. There's nothing the customer can detect.
Banks mining social media sites for personal information
Banks mining social media sites for personal information: Via San Francisco News - abc7news.com.
Web users are becoming increasingly aware that companies are secretly gathering and selling the information they post on social sites like Facebook and Twitter. But now, banks may also be judging them based on their social network profile.
For the first time, banks can look pretty deeply into your private life by looking at your Facebook or other social media page and they may even consider your network of friends. The question is, "Will banks use your online persona to decide whether to give you credit?"
Personal finance expert Erica Sandberg is all over the Internet. Anyone can read about her on Facebook or LinkedIn. That's why she's very careful what she writes.
"It's very similar to standing in the middle of the park and screaming. Do you want to scream good things or do you want to scream crazy things?" she says. [ Read more ... ]
Should Tax Bills Be Public Information?
Should Tax Bills Be Public Information?: Via NYT > Privacy.
Many people are phobic about letting others see their tax information. Perhaps they shouldn’t be.
If Americans all knew one another’s tax bill, they might be motivated to fill out their taxes correctly. “Disclosure could be an automatic enforcement device,” said Laurence J. Kotlikoff, professor of economics at Boston University.
And if the big inequalities in the tax system were brought to light — if you knew, for example, that a very wealthy neighbor paid no taxes at all — political support for tax simplification might climb.
Public disclosure of personal income tax filings is actually the norm in countries like Finland and Norway — and it was once practiced in the United States as well. [ Read more ... ]
EP ditches US SWIFT deal on bank data over privacy
EP ditches US SWIFT deal on bank data over privacy: Via Banking : europa, europe | euronews.
An EU deal with the US has been judged not good enough for the European Parliament — the so-called SWIFT agreement on sharing bank data. This would have meant exposing ordinary Europeans’ accounts to American anti-terrorist investigators.
A nine-month interim agreement went into force provisionally at the start of this month. But Liberal, Socialist and Green euro-MPs opposed it. They said the correct balance between security and the protection of civil liberties was missing.
[...]
Washington previously had access to the data, collected by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), which registers money transfers among states. EU diplomats say one way to regain access could be to seek bilateral agreements.
Researchers find huge weakness in European payment cards
Researchers find huge weakness in European payment cards: Via Computerworld Security News.
Hundreds of millions of payment cards throughout Europe have a flaw that could allow criminals with a stolen card to enter any random PIN to complete a transaction, according to researchers from the University of Cambridge.
The findings, which will be presented at the IEEE Symposium on Security and Privacy in California in May, cast new doubts on chip-and-PIN or EMV cards. The cards contain a microchip that verifies a correct PIN in order to complete a transaction.
European banks hail the system as more secure, as U.S. cards do not have the microchip, which has so far prevented some types of card cloning.
But the Cambridge researchers have found a weakness in the complicated EMV protocol that allows for a man-in-the-middle attack. It essentially tricks the point-of-sale terminal into believing it has received a correct PIN no matter what digits are entered. [ Read more ... ]
Record 13-Year Sentence for Hacker Max Vision
Record 13-Year Sentence for Hacker Max Vision: Via Threat Level.
PITTSBURGH — A skilled San Francisco-based computer intruder was sentenced to 13 years in federal prison Friday for stealing nearly two million credit card numbers from banks, businesses and other hackers — receiving the longest hacking sentence in U.S. history.
Max Ray Vision, 37, was also ordered to pay $27.5 million in restitution, and to serve five years under court supervision following his release, during which time he’ll be allowed to use computers only for legitimate employment or education.
Vision, who changed his name from Max Butler shortly before his arrest, ran an online forum for thousands of identity thieves called CardersMarket, where he sold credit card magstripe data to the underground for about $20 a card. He was caught with 1.8 million stolen credit card numbers belonging to 1,000 different banks, who tallied the fraudulent charges on the cards at $86.4 million. [ Read more ... ]
Another View: Why Privacy Matters to the Swiss
Another View: Why Privacy Matters to the Swiss: Via DealBook Blog - NYTimes.com.
The United States, the European Union and its individual member countries, the Organization for Economic Cooperation and Development, a host of nongovernmental organizations and a phalanx of other interested parties have drawn a bead on Switzerland, howling that it refuses to see the light and pin up the names of foreign bank clients on the front doors of its banks.
[...]
Swiss banks in general, and the country’s banking secrecy laws in particular, have been blamed for a lot of the world’s evils, including tax evasion, tax fraud, capital flight, Third World poverty, money-laundering and the financing of terrorism. Let’s add climate change, continental drift and lumps in mashed potato to the charge sheet for good measure. But what exactly is this fabled “banking secrecy” now being harpooned by boatloads of Captain Ahabs, and why are the Swiss so attached to it? [ Read more ... ]
Online Credit/Debit Card Security Failure
Online Credit/Debit Card Security Failure: Via Schneier on Security.
Ross Anderson reports:
Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as "Verified by VISA" and "MasterCard SecureCode". This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It's getting hard to shop online without being forced to use it.
In a paper I'm presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it's becoming a fat target for phishing. So why did it succeed in the marketplace? [ Read more ... ]
Bank sues victim of $800,000 cybertheft
Bank sues victim of $800,000 cybertheft: Via Computerworld Security News.
In twist, Texas bank sues business customer, claiming cybertheft not its fault
A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.
The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano.
In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.
Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures.
PlainsCapital promptly filed a lawsuit in the U.S. District Court for the Eastern District of Texas asking the court to certify that its security procedures were "commercially reasonable." [ Read more ... ]
How Rapleaf Is Data-Mining Your Friend Lists to Predict Your Credit Risk
How Rapleaf Is Data-Mining Your Friend Lists to Predict Your Credit Risk: Via CDT.
Fast Company, 11/16/2009: How Rapleaf Is Data-Mining Your Friend Lists to Predict Your Credit Risk
"It's only logical that marketers would be looking for value in that information. The question is: does the consumer have some awareness and control about what's being collected?"
Jim Dempsey, Vice President for Public Policy, CDT
Rapleaf is one of a multitude of innovative start-ups currently driving the burgeoning social media monitoring (SMM) space. [ Read more ... ]
Want Everyone To See Your Credit Card Transactions? Of Course You Do. Meet Blippy.
Want Everyone To See Your Credit Card Transactions? Of Course You Do. Meet Blippy.: Via TechCrunch.
A new service, Blippy, launching today in private beta, has an interesting way to take something you do everyday, buy things with your credit card, and automatically push those transactions online for others to see and interact with.
Yes, I know this is a controversial idea — that’s part of what makes it potentially a great one. Imagine being able to see everything your friends buy with a credit card as they do it. This not only tells you what kind of things they’re actually into (rather than someone just saying they like something), but also other information like how cheap they are, as well as where they actually are at a given time. There is actually a lot of data tied into the transactions we make, and Blippy takes that and makes it social. [ Read more ... ]
IRS Information Returns: An Identity Thief's Dream?
IRS Information Returns: An Identity Thief's Dream?: Via Privacy Rights Clearinghouse.
An “information return” is used to report certain income and financial transactions to the IRS. A copy must be mailed to the taxpayer. Most people are familiar with W-2 Forms, which employers use to report wages and tips of employees. However, there are many other types of income that must be reported on other IRS information returns. For example, there are over 30 variations of IRS Form 1099.
[...]
Until 2009, the IRS required that all information returns contain a full Social Security number. A voluntary IRS pilot project will allow businesses to truncate (shorten to 4 digits) Social Security numbers on some information returns. (Read the IRS's 2009/93 Notice on the pilot program.) [ Read more ... ]
Fishy Android apps may have been malware, says researcher
Fishy Android apps may have been malware, says researcher: Via Computerworld Security News.
Dubious apps appear, then disappear, from Google's Android Market
Suspicious applications that may have stolen users' online banking credentials have appeared on the Android Market, the Google-run app store for its mobile operating system.
Although the potentially-malicious applications first appeared on Google's online mart in December, news of them went public only today as several outlets and security companies noticed warnings posted by banks and credit unions. Google has since removed the applications from the online market.
One of those financial institutions, BayPort Credit Union of Newport News, Va., posted its alert Dec. 22 about a rogue Android app that promised its members easy access to their online banking. "It is believed that fraudsters deployed fraudulent mobile banking applications to the Android Marketplace, using a phishing technique to attempt to gain access to mobile banking users' financial information," said BayPort's warning.
First Tech Credit Union of Portland, Ore. -- it also has branches in Salem and Eugene, Ore., as well as in the Seattle, Wash. area -- issued a similar warning the same day. [ Read more ... ]
Bank Thieves Foiled by GPS-Spiked Cash
Bank Thieves Foiled by GPS-Spiked Cash: Via Threat Level.
Forget exploding dye packs. Three thieves who made off with about $9,000 in cash from a bank were thwarted by a GPS device inserted in the cash that led authorities straight to their door, according to the Chicago Tribune.
Timothy Rucker, 33, Phillip Griffen, 31, and Brandon Barnes, 25, entered a branch of the TCF Bank on Dec. 30 with their faces concealed and pointed a gun at a teller, demanding cash.
The three made off with a nylon bag full of money. But unknown to them, the bag also contained two GPS-tracking devices hidden among the bills.
Signals from the devices led police to the home of one of the suspect’s parents, where the thieves were arrested about an hour after the robbery. [ Read more ... ]
PCI DSS, Come Forward and Be Judged
PCI DSS, Come Forward and Be Judged: Via Computerworld Security News.
It wasn't supposed to be that big a deal. I was at an event in Boston put on by the 451 Group, and wasn't even sure I'd walk out of there with something to write about. Then Josh Corman, one of the firm's new analysts, got on stage and started picking apart the PCI Data Security Standard (PCI DSS) -- or, more specifically, the approach companies are taking in their compliance efforts.
Within five minutes of Corman finishing his talk, I had banged out this article and posted it:
Analyst: PCI Security a Devil, 'Like No Child Left Behind'
Summary: Joshua Corman, research director for enterprise security at The 451 Group, says the private sector's obsession with PCI DSS compliance is blinding it to larger threats.
The story began: [ Read more ... ]
FBI investigating online New York school district theft
FBI investigating online New York school district theft: Via Computerworld Cybercrime/Hacking News.
A New York school district has reverted to using paper checks after cybercriminals tried to steal about $3.8 million from its online accounts just before Christmas, prompting an FBI investigation.
For three days starting Dec. 18, cybercriminals started transferring money overseas from the accounts of the Duanesburg Central School District, which has two schools with about 950 students about 20 miles west of Albany, New York. [ Read more ... ]
Alleged Ponzi Mastermind Stanford Pwned in Antigua
Alleged Ponzi Mastermind Stanford Pwned in Antigua: Via Threat Level.
In early 2008, while federal investigators were busy looking into disgraced financier Robert Allen Stanford for his part in an alleged $8 billion fraudulent investment scheme, Eastern European hackers were quietly hoovering up tens of thousands of customer financial records from the Bank of Antigua, an institution formerly owned by the Stanford Group.
According to a fraud investigator with firsthand knowledge of the break-in, the hackers responsible infiltrated a component of the Stanford Group’s network by exploiting vulnerabilities in the company’s web servers and databases. On the condition of anonymity, the investigator shared with this author files recovered from the breach, which were stored in plain text for at least several weeks on a website controlled by the attackers. This source said he forwarded the same information on to the FBI shortly after discovering it in early 2008.
Once inside Stanford’s network, the unidentified hackers appear to have swiped the credentials from an internal network administrator. They soon had downloaded the user names and password hashes for more than 1,000 employees of Stanford Financial, Stanford Group, Stanford Trust and Stanford International Bank. [ Read more ... ]
Feds Warn Small Businesses to Use Dedicated PC for Online Banking
Feds Warn Small Businesses to Use Dedicated PC for Online Banking: Via Threat Level.
In the wake of a rash of hacks on computers owned by small businesses, the FBI and the American Banking Association have issued an alert advising businesses to use only a dedicated PC for online banking, according to USA Today.
The alert was issued after numerous small businesses, universities and local governments have been targeted by hackers who installed keystroke loggers on their machines to steal banking credentials and siphon millions of dollars from their bank accounts.
The alert advises businesses to dedicate a single computer for online banking activity that is never used for reading e-mail or surfing anywhere else on the web. Using a dedicated computer would lessen the chance of the computer being infected with malware that can help crooks drain a bank account through wire transfers and automated clearinghouse transfers. [ Read more ... ]
The Decade’s 10 Most Dastardly Cybercrimes
The Decade’s 10 Most Dastardly Cybercrimes: Via Threat Level.
It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.
Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium. [ Read more ... ]
Heartland hacker pleads guilty in third case
Heartland hacker pleads guilty in third case: Via Computerworld Cybercrime/Hacking News.
The hacker who enabled the theft of millions of credit card numbers has pleaded guilty to two counts of conspiracy and will receive a prison term of at least 17 years.
Albert Gonzalez, the hacker, has already pleaded guilty in two other cases related to the theft. As part of his plea agreement in those cases, in Boston and New York, he agreed to ask for no less than 15 years in prison and the government agreed to ask for no more than 25 years. [ Read more ... ]
7-Eleven Hack From Russia Led to ATM Looting in New York
7-Eleven Hack From Russia Led to ATM Looting in New York: Via Threat Level.
Flashback, early 2008: Citibank officials are witnessing a huge spike in fraudulent withdrawals from New York area ATMs — $180,000 is stolen from cash machines on the Upper East Side in just three days. After a stakeout, police arrest one man walking out of a bank with thousands of dollars in cash and 12 reprogrammed cards. A lucky traffic stop catches two more plunderers who’d driven in from Michigan. Another pair are arrested after trying to mug an undercover FBI agent on the street for a magstripe encoder. In the end, there are 10 arrests and at least $2 million dollars stolen.
The wellspring of the dramatic megaheist turns out to be more prosaic than imagined: It started with a breach of the public website of America’s most famous convenience store chain: 7-Eleven.com. [ Read more ... ]