Archive for the ‘Financial Services’ Category

Infected PC Compromises Pentagon Credit Union

January 12, 2011

Infected PC Compromises Pentagon Credit Union: “

The credit union used by members of the U.S. armed forces and their families has admitted that a laptop infected with malware was used to access a database containing the personal and financial information of customers.


(Via threatpost – The First Stop for Security News.)


Bank Of America Employee Charged for Plotting to Deploy ATM Code for Theft

April 7, 2010

Bank Of America Employee Charged for Plotting to Deploy ATM Code for Theft: “An AP newswire article by Mike Baker, via The Sun News, reports:

A Bank of America Corp. employee plotted to deploy malicious computer code within the company’s systems so that ATM machines would dispense cash without any record of a transaction, federal prosecutors allege in court documents.

Rodney Reed Caverly was tasked with maintaining and designing computer systems at the bank, including computers that conducted ATM transactions. Prosecutors in the western district of North Carolina said he sought to use computer code within the company’s protected computers so that the ATMs would make fraudulent disbursements.

Caverly was able to obtain more than $5,000 during a seven-month period in 2009, prosecutors allege.

The details of Caverly’s case were filed on Thursday in a ‘bill of information’ document, which typically signals that a plea deal is forthcoming. An attorney for Caverly, Christopher Fialko, declined to comment. Federal prosecutors didn’t return a phone call.

More here.

(Via Fergie’s Tech Blog.)

PNC: Former National City Bank Accounts Hacked

March 23, 2010

PNC: Former National City Bank Accounts Hacked: “

Some presents just aren’t the kind you want. You buy a new product get it home only to find it’s busted. PNC Financial Services Group Inc. found that out the hard way recently after they purchased National City Bank. Turns out that prior to the acquisition there was a data breach affecting customers. Much like herpes, it was an unpleasant surprise.


Bank officials were made aware of the data breach earlier this week, but Solomon would not say how many customers’ accounts have been compromised or how much money was stolen.

PNC Financial, which is based in Pittsburgh, said some customer debit cards were compromised shortly before the company acquired Cleveland-based National City Corp. in December 2008.

This naturally begs the question, why did it take so long to discover? I’d be interested to read more on this story as the details emerge.

Article Link


UPDATE: Here is more on this story from Channel 9 WCPO

Some Charged More than $1,000

Other customers were hit harder.

* Cynthia Suchoski e-mailed to say ‘there was a charge made yesterday at Macy’s in Costa Mesa, California for $1,300’ on her old National City debit card. She was not in California.
* Jonathan Vasiladis told me his old debit card was hit for $4,000 in bogus charges, many of them happening in England.
* And another, who asked that we not use his name, e-mailed to say his PNC account ‘is more than $1,000 overdrawn,’ again, after unauthorized charges in California.
* A fourth viewer reports another series of unauthorized charges, supposedly from March of Dimes.

(Via Liquidmatrix Security Digest.)

Online finance flaw: Ameriprise III – please make it stop

March 23, 2010

Online finance flaw: Ameriprise III – please make it stop: “NOTE: This issue was disclosed responsibly and repaired accordingly.

‘Now what?’, you’re probably saying. Ameriprise again? Yep.
I really wasn’t trying this time. Really.
There I was, just sitting in the man cave, happily writing an article on version control and regression testing.
As the Ameriprise cross-site scripting (XSS) vulnerabilities from August 2009 and January 2010 were in scope for the article topic, due diligence required me to go back and make sure the issue hadn’t resurfaced. 😉
I accidentally submitted the JavaScript test payload to the wrong parameter.
What do you think happened next?
Nothing good.
I reduced the test string down to a single tic to validate the simplicity of the shortcoming; same result.

At the least, this is ridiculous information disclosure, if not leaning heavily towards a SQL injection vulnerability.
As we learned the last two times we discussed Ameriprise, the only way to report security vulnerabilities is via their PR department, specifically to Benjamin Pratt, VP of Public Communications.
Alrighty then, issue reported and quickly fixed this time (same day)…until some developer rolls back to an old code branch or turns on debugging again.

We all know that ColdFusion is insanely verbose, particularly when left in debugging mode, but come now…really?
I really didn’t want to know the exact SQL query and trigonometry required to locate an Ameriprise advisor.
Although, after all this, I can comfortably say I won’t be seeking an Ameriprise advisor anyway.

Please Mr. Pratt, tell your web application developers to make it stop.

Cheers.

Please support the Open Security Foundation (OSVDB)
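The failure described above has two independent parts: a query built by splicing user input into the SQL text (so a lone quote breaks the statement) and an application server left in debugging mode (so the broken statement, with its full SQL, is echoed to the client). The following is an added example, not code from the Ameriprise post or from Ameriprise's application; it uses SQLite and a fictional advisor table so it runs offline, and the `debug_mode` flag is an assumption that imitates a framework's debug output. It shows the string-built query beside the parameterized one and the debug-mode response beside the production-mode one.

```python
import logging
import sqlite3

log = logging.getLogger("advisor-locator")

# Constructed sample data (fictional names and ZIP codes; not the real
# application's schema).
ADVISORS = [
    ("Alice Example", "55401"),
    ("Bob Example", "55402"),
    ("Carol Example", "10001"),
]


def build_db():
    """Create an in-memory advisor table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE advisor (name TEXT, zip TEXT)")
    conn.executemany("INSERT INTO advisor VALUES (?, ?)", ADVISORS)
    return conn


def run_query(conn, sql, params, debug_mode):
    """Execute a query and shape the response the way a web tier would.

    debug_mode=True imitates an application server left in debugging mode:
    the driver error and the full SQL text go back to the client.
    debug_mode=False logs the detail server-side and returns a generic message.
    Returns (http_status, body).
    """
    try:
        rows = conn.execute(sql, params).fetchall()
        return 200, [name for (name,) in rows]
    except sqlite3.Error as exc:
        if debug_mode:
            # This is the information disclosure: query text in the response.
            return 500, "Database error: %s\nQuery: %s" % (exc, sql)
        log.error("query failed: %s | sql=%r params=%r", exc, sql, params)
        return 500, "An error occurred while processing your request."


def locate_vulnerable(conn, zip_code, debug_mode):
    """User input spliced into the SQL text.

    A single quote unbalances the string literal, the statement fails, and
    in debug mode the whole query comes back to the caller.
    """
    sql = "SELECT name FROM advisor WHERE zip = '%s'" % zip_code
    return run_query(conn, sql, (), debug_mode)


def locate_safe(conn, zip_code, debug_mode):
    """Bound parameter: the quote travels as data, the statement never
    changes shape, and there is no error to leak in the first place."""
    sql = "SELECT name FROM advisor WHERE zip = ?"
    return run_query(conn, sql, (zip_code,), debug_mode)


if __name__ == "__main__":
    db = build_db()
    for label, lookup in (("vulnerable", locate_vulnerable),
                          ("parameterized", locate_safe)):
        for zip_code in ("55401", "'"):
            status, body = lookup(db, zip_code, debug_mode=True)
            print("%-13s zip=%-7r -> %d %s" % (label, zip_code, status, body))
```

The two fixes are independent and both are needed: parameterizing the query removes the error, and turning debug output off removes the disclosure even when some other query still fails. In ColdFusion the equivalents are binding values with `cfqueryparam` instead of interpolating them into the query text, and disabling request debugging output in the ColdFusion Administrator on production servers.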


Computer forensics tool for banks aims to trace Trojans

March 23, 2010


(Via The Register – Security.)

Banks Fail to Provide Effective Online Security

February 16, 2010

Banks Fail to Provide Effective Online Security: “

By Robert Siciliano, ID Theft Expert and Security Consultant to

A Texas bank is suing one of its customers who was hit by an $800,000 online bank theft that could determine who is to be held responsible for protecting their online accounts from fraud.

Computerworld reports Romanian and Italian based criminal hackers launched numerous wire transfers out of the client’s bank account. The bank recovered $600,000 of the $800,000.

The victim wanted all its money back and sued the bank to be reimbursed of the $200,000. The bank in turn filed a lawsuit requesting the bank certify it had adequate security that was considered ‘commercially reasonable’.

The bank doesn’t want anything more than to be absolved of the $200,000.

The bank states all transfers originated from unauthorized wire transfer orders that had been placed by someone using valid Internet banking credentials belonging to the victim.

How the victim’s credentials fell into the wrong hands has not been disclosed. It seems it was the victim’s lax security as opposed to the bank’s.

There are numerous ways this can happen. What is evident is there were wire transfers of various dollar amounts ranging from $2500.00 to $100,000 made to different accounts all overseas.

The basis of the victim’s lawsuit is that the bank should have systems in place to detect such activity.

Small businesses and banks are losing money via attacks on their online banking accounts.

It’s very simple: criminal hackers send an e-mail with a link to a malicious site or download to employees who handle their company’s bank accounts.

These malicious links then steal the username and passwords the employees use to log in to their online banking accounts. Done.

So, if my PC is compromised because I don’t have adequate security and $800,000 goes missing from my account, whose fault is it? At first glance some may say the victim’s, others may say the bank’s.

The fact that there are so many ways passwords can be compromised and accounts can be taken over, and banks know this, should motivate banks to have redundant security in place.

Hacks like this undermine people’s confidence in the system.

Here is a similar story being played out. I’m a big believer in taking action and making sure my systems are secure. And, the bank has some responsibility here too.

I, we the public, have limitations on what we can do to be secure. I bet anything the bank will tighten up regardless of what the outcome of the lawsuit is because they have to see there is a weakness in their system.

If they don’t, they are stupid.

I’ve been trying to transfer money from one bank account to another. My bank has made it difficult to do so. Painful even. It’s a customer service and a security issue.

Ultimately they provide an option to do so and it requires paperwork, online authentication, phone calls and text messages.

It’s not a matter of logging in and transferring money by entering another account. Even with my own login details I’m having a hard time transferring money.

Check to see how easy or difficult your bank makes it. Because if it’s easy peazy, that could be an issue if your PC is hacked.

1. Get a credit freeze. Go online now and search ‘credit freeze’ or ‘security freeze’ and go to and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius identity theft protection and prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU. (Disclosures)

3. Make sure your anti-virus is up to date and set to run automatically.

4. Update your web browser to the latest version. An out of date web browser is often riddled with holes worms can crawl through.

5. Check your bank statements often, online, at least once a week.


Robert Siciliano is an expert on personal security and identity theft as the CEO of An American television news correspondent, security analyst, and author of ‘The Safety Minute: How to take control of your personal security and prevent fraud’. Featured on The Today Show, CBS Early Show, CNN, MSNBC, FOX, CNBC, Inside Edition, EXTRA, Tyra Banks, Stern, and in USA Today, Forbes, Tech Republic, SC, CSO, Search Security, Tech News World, EWeek, SecurityInfoWatch, NY Times, Boston Globe, LA Times, Wash Post, Chicago Tribune, AP, UPI, Reuters, and Entrepreneur.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to

(Via Information Security Resources.)
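The lawsuit described in the post turns on whether the bank had systems in place to notice a run of wire orders of varying amounts to different overseas accounts, all placed with valid credentials. The following is an added example, not code from the post or from any bank: a small rule-based screen over a constructed batch of wire orders (fictional amounts, countries and beneficiaries), with a hypothetical known-beneficiary list and thresholds chosen for illustration. It scores each order on destination, beneficiary novelty, velocity and 24-hour total, and holds orders that trip more than one indicator even though the login itself was legitimate.

```python
from datetime import datetime, timedelta

HOME_COUNTRY = "US"
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_MAX_PRIOR = 3        # three or more earlier wires in the window is anomalous
DAILY_TOTAL_LIMIT = 50_000.0  # dollars ordered within the window before a hold

# Constructed sample wire orders for one business account, in submission order.
WIRES = [
    {"id": 1, "time": "2009-11-02T09:15", "amount": 4200.0,   "country": "US", "beneficiary": "acme-payroll"},
    {"id": 2, "time": "2009-11-02T09:40", "amount": 9800.0,   "country": "RO", "beneficiary": "ro-001"},
    {"id": 3, "time": "2009-11-02T10:05", "amount": 25000.0,  "country": "IT", "beneficiary": "it-002"},
    {"id": 4, "time": "2009-11-02T10:30", "amount": 2500.0,   "country": "RO", "beneficiary": "ro-003"},
    {"id": 5, "time": "2009-11-02T11:00", "amount": 100000.0, "country": "IT", "beneficiary": "it-002"},
    {"id": 6, "time": "2009-11-04T09:00", "amount": 600.0,    "country": "US", "beneficiary": "office-supply-co"},
    {"id": 7, "time": "2009-11-04T09:30", "amount": 7500.0,   "country": "DE", "beneficiary": "eu-supplier"},
]

# Hypothetical: beneficiaries the customer has paid before and confirmed out of band.
KNOWN_BENEFICIARIES = {"acme-payroll", "office-supply-co", "eu-supplier"}


def wire_reasons(wire, prior, known):
    """Return the list of risk indicators for one wire, given all earlier wires."""
    when = datetime.fromisoformat(wire["time"])
    reasons = []
    if wire["country"] != HOME_COUNTRY:
        reasons.append("destination outside %s" % HOME_COUNTRY)
    if wire["beneficiary"] not in known:
        reasons.append("first payment to beneficiary %s" % wire["beneficiary"])
    # Earlier wires inside the velocity window (prior is in time order).
    recent = [p for p in prior
              if when - datetime.fromisoformat(p["time"]) <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_MAX_PRIOR:
        reasons.append("velocity: %d earlier wires within 24h" % len(recent))
    total = sum(p["amount"] for p in recent) + wire["amount"]
    if total > DAILY_TOTAL_LIMIT:
        reasons.append("24h total $%.2f exceeds $%.2f" % (total, DAILY_TOTAL_LIMIT))
    return reasons


def decide(reasons):
    """Map indicator count to an action: none -> allow, one -> manual review,
    two or more -> hold pending out-of-band confirmation with the customer."""
    if not reasons:
        return "allow"
    if len(reasons) == 1:
        return "review"
    return "hold"


def review_wires(wires, known):
    """Screen every wire against those submitted before it.
    Returns {wire_id: (action, reasons)}."""
    ordered = sorted(wires, key=lambda w: w["time"])
    decisions = {}
    for i, wire in enumerate(ordered):
        reasons = wire_reasons(wire, ordered[:i], known)
        decisions[wire["id"]] = (decide(reasons), reasons)
    return decisions


if __name__ == "__main__":
    for wire_id, (action, reasons) in review_wires(WIRES, KNOWN_BENEFICIARIES).items():
        print("wire %d: %-6s %s" % (wire_id, action, "; ".join(reasons)))
```

The point of the screen is that it never looks at the credentials: a stolen username and password pass authentication, so the controls that still work are the ones that judge the order itself against the account's history. A held order is released only after confirmation through a channel the attacker does not control, which is the "phone calls and text messages" friction the author describes later in the post.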

New Banking Trojan Discovered Targeting Businesses’ Financial Accounts – DarkReading

February 15, 2010


PCI Stresses Small Business and Web Hosting Companies

February 9, 2010

PCI Stresses Small Business and Web Hosting Companies: “

‘Mike,’ the owner of a midsized web-hosting company, talks about the effects of the Payment Card Industry Data Security Standard (PCI/DSS) on web hosting companies and small online merchants who are his customers.

s: If PCI/DSS were enforced today, what would happen?

m: Well, all the small businesses would lie. Right? If you’re a small outfit, and the choice is ‘Either I say yes to everything or my business is destroyed…’ What’s the choice?

s: When did you start taking PCI compliance seriously?

m: At some point just prior to fall of 2005, we concluded that PCI applied to us because we’re a merchant who accepts credit cards, and so we had Responsibilities. I don’t remember there being a good enough dialogue about it, or even any dialogue. Was there some point that I said, ‘Yes, I agree that if I would like to continue accepting credit cards as an Internet merchant I additionally agree to comply with this 100-point list?’ I don’t remember ever doing that. I don’t remember ever saying, ‘Dear VISA, yes, I agree, I’ll do it!’

s: What is the impact of PCI/DSS on small businesses?

m: Well, if it continues to be generally ignored by the vast majority of small merchants and small hosting companies, then the impact will be slow and steady.

It’s a matter of how aggressive the credit card processors and the PCI SSC themselves decide to get on their customers. Sure, my payment processing company… could decide to demand from me an attestation of compliance. They could hold this over my head and say, ‘we will REVOKE your credit-card processing privileges if you do not submit your attestation of compliance.’

Imagine us asking thousands and thousands of customers who have previously been on auto-pay to ‘please, hand-write me a check from now on.’ And customers in 40-something countries. Good luck.

s: It’s fair to say you would go out of business.

m: It might not kill us, but it would cripple us. But that credit card processor, in making that decision to revoke our privileges, would of course be cutting themselves out of thousands of dollars of revenue every month that we paid them. They would be killing one of their customers. So, they’re torn in two directions.

s: Do you feel that the PCI SSC took appropriate input from merchants?

m: In reality, 95% of the merchants would have not been capable of providing substantive technical feedback to the committee.

s: How come?

m: Because 95% of merchants are not technical operations. They are businesses that are selling coffee on the corner, or they’re selling widgets, and their cardholder data environment doesn’t consist of much but a plastic box with a phone line connected to it.

s: What do you think that implies for their ability to comply with PCI/DSS?

m: The jaw-dropping, gasp, oh-my-goodness implication of PCI/DSS is for all the ‘Laura’s Online Candle-Shop’ and ‘Best-Fishing-Lures-in-Arkansas Dot Com’ and the small Internet merchants with online shopping carts. These are my customers. I know a lot of them have shopping carts that are not million-dollar-a-month e-commerce operations. They are not Amazon. They are modestly successful online merchants.

Now these millions of small businesses, and the small-to medium-sized web hosting companies that are called upon by these small merchants, have a 100-point checklist of things that are not terribly understandable and are broadly interpretable and in many ways onerous to the point of absurdity for a small operation.

s: Do you think that PCI/DSS will cause consolidation in the web hosting industry, or that there will be fewer small businesses as a result?

m: I don’t think the American public or the international public is going to shed a tear if there is bloodletting consolidation of the web hosting industry. Where they would take up arms would be if Laura and Sam and Bob can’t open candle shops online. If that becomes impossible, or unrealistic, or incredibly expensive, there’s going to be pushback.

s: You think that people won’t miss the mom-and-pop web hosting companies?

m: Most web hosting companies are noticed by their customers when something breaks. The future of baseline web hosting is like the future of the electric company. Who gives a damn who you buy electricity from? You expect it to work 100% of the time. When it doesn’t, you’re annoyed and it’s disruptive. You don’t have a relationship with your electric company the way you do with your corner coffee shop or brewery.

s: Why is that?

m: The nature of commoditization, I guess.

s: Sounds like you’re suggesting that what will happen with the web hosting industry is similar to what happened in the telephone industry.

m: Sure, or any of the utilities that we all take for granted. Now, everyone assumes that cell phone service is going to work, your cable is going to work, there’s going to be water when you turn on the spigot. Web hosting companies will need to grapple with that commoditization and provide services that impress or delight or become more part of the daily workflow of the customer, rather than being part of some background thing that [you only notice when] something breaks.

s: Do you think there’s value for the public in having a variety of hosting options, or is it simpler to have it centralized?

m: The web hosting industry has got to be incredibly confusing for a customer right now. There are tens of thousands of hosting operations, many of which are 1, 2, 3, 4 dollars a month… Talk about a race for the bottom! How low can you go? It’s below the threshold of constituting commerce. A dollar a MONTH? I think the industry would benefit greatly from a culling.

I have in my mind that perhaps half of all ‘web hosting companies’ are a one-man show with someone who has another job, whether a student or some sort of professional. Those folks are in no way equipped to ensure the security of credit card data or to fix a server when it breaks. There’s such a low barrier to entry in the web hosting industry right now.

s: What do your peers in the industry think of PCI/DSS?

m: People are flabbergasted at the absurd impossibility of the vast majority of web hosts from ever approaching PCI/DSS compliance. Laura’s Candle Company? She’s required by PCI/DSS to ONLY host her web site that accepts credit cards in an environment that is itself PCI/DSS compliant. The only hosting that she’s allowed to use under PCI/DSS [requires 8 separate devices]: hardware firewall, application firewall, log audit system, and all that business. However, the vast majority of companies load up customers onto one box, and then get a new box. Then they load up customers on that, and then get a new box. And so on.

I know someone who has a hosting account with one of the top ten hosting companies. When she wants to FTP or SSH into her server, she goes to server 192 dot domain name dot com, and that machine hosts FTP, SSH, web, database, DNS, SSL, POP3, etc. It hosts all services. Bang, right off the bat, that’s not a PCI/DSS compliant hosting environment. For these web hosting companies, it’s a shaking of the foundation.

s: Do you think it’s realistic to expect small business owners to comply with PCI/DSS in the near future?

m: As a small business owner myself, I’m both the operations guy and the people manager. We have always hired new staff as we identified a clear and defined role, and more importantly, had the revenue to pay that person a fair wage and benefits. We’ve got this daily pop and crackle of operations plus customer service. We do not have the extra thousands or tens of thousands of dollars a month to, oh, just staff up!

Stopping customer service is not a viable option. Stopping operations pop and crackle is not a viable option. So who do I pull off? Where do I find the right staff or the right expertise to start working through the things that are required of PCI/DSS? I don’t know.

If I ran a technical operation that had 1000 operations employees, I could say, ‘Hey! pull team B-13 off of their raised floor construction project. They are now the PCI/DSS regulation security team.’ That sounds fine. That’s something that a big operation could pull off. If I was in a position to hire three new engineer sysadmins next week, then I’d surely put one or maybe two of them on PCI/DSS. ‘Hey, we’ve got to rewrite this code,’ or ‘Hey, we’ve got to reconfigure this network,’ We’ve got to do this, we’ve got to do that. But like many small businesses, we barely keep up with what’s going on right now.

s: This economy must be especially hard.

m: That’s right. We’re watching customers shut down their gardening blogs and their chess club web sites. These sites were important to them until they lost their jobs, and now they’ve got to figure out what the priorities are in terms of monthly expenses.

s: How much do you think this is going to cost you?

m: Well, of course if our credit card processor tells us it’s going to cost us an extra 1% of every transaction, that’s measurable. If they, like I’ve heard from other web hosts, decide that until we submit our attestation of compliance, we’ll have an extra $19.95 a month nuisance fee, then it’ll be $20 a month for the foreseeable future.

Another potential angle on cost: Will our customers begin demanding some sort of certification / attestation? ‘My credit card processor tells me that I’m only allowed to host with a PCI compliant host so I really need to know.’ If our only answer is ‘no,’ we’ll lose customers. Our growth will be stifled, and we may shrink as an operation. So, we could wither, or be crippled or killed, or just be taxed by PCI/DSS.

s: Basically, you’re saying that PCI/DSS could cause small businesses to go under.

m: Yes, if it was enforced vigorously. I should go on record as saying that I support the general idea of having standards for how credit card data is handled on behalf of your customers. People should use secure best practices and due care to ensure that credit card data is not released to hackers in Des Moines or Denmark or Indonesia. We must avoid that. Good! Let’s have some standards.

s: What is the purpose of PCI/DSS?

m: To push cardholder data security downstream to the merchants who handle it first.

s: Do you think PCI/DSS is at all effective?

m: Yes. I would say that PCI/DSS is effective in encouraging, let’s say urging or demanding, entities that handle personal information, including card holder data, card numbers and whatnot, to review the security procedures. It provides a not-valueless checklist of things to think about when handling this sensitive information.

s: What is the future of PCI/DSS?

m: First, I’ll say that no more than 20% of credit card merchants will be PCI/DSS compliant, truly, in the next decade. It will be a slow and gradual process. At some point, a team of brilliant security engineers is going to come up with something that renders plaintext credit card numbers like telegraphs. There will no longer be a concept of entering some numbers that magically allow you to move money around.

s: You think our financial transaction system will evolve beyond credit cards into something different?

m: Yes, that is exactly what I mean. Even the biggest, most responsible badass security processors with awesome security practices keep getting compromised. The data at rest is inherently vulnerable, and so will continue to be a succulent target. We need to make the target less tasty. [We need] a transaction system that could, perhaps magically, ensure that the transaction was legitimate, and it isn’t just a string of not very many magic numbers. When smart guys and gals invent that, we will begin forgetting about PCI/DSS compliance in its current form.

s: Do you think that the credit card companies should be focusing on changing the system?

m: For all I know they have teams of ten thousand in underground bunkers who are developing the next great payment transaction processing technology. If they are, that’s great. That’s awesome. I have no idea what they’re doing, but I hope they are. I hope they are not believing that a short string of numbers is the tool of the future.

Sherri Davidoff
PGP-signed text: 2010-02-08 (current)



(Via philosecurity.)

BofA Discloses “Undisclosed” Breach

February 9, 2010

BofA Discloses “Undisclosed” Breach: “

Recently, a friend of mine received a letter from Bank of America informing her that ‘some credit card information on your Bank of America account may have been compromised at an undisclosed third-party location.’

The letter went on to state that BofA had reviewed her account and saw ‘no evidence that your account has been misused in any way. We will continue to monitor activity on your account, and if we detect suspicious transactions, we will notify you.’ BofA also informed her that ‘we will close your existing account and issue you a new account number and credit card(s).’

Imagine if your doctor sent you a letter informing you that ‘you’ve contracted an undisclosed disease from an undisclosed third party. Take these pills and carry on as before. We’ll monitor your symptoms and notify you if you show signs of further infection.’

The underlying subtext here is that a) my friend’s information was probably compromised through a merchant that she has done business with; b) she does not have the right to know who that was; and therefore c) she must continue to do business as usual without the ability to change her behavior based on the fact that the merchant did not safeguard her information appropriately.

BofA referenced a web site where they talk about data compromise:

According to this site, ‘When a data compromise occurs Bank of America is notified by multiple sources, including Visa®, MasterCard®, American Express® and law enforcement agencies when our accounts have been included in a data compromise… Unless the merchant announces the breach to the public, we are unable to provide the name of the merchant or where the data breach has occurred.’

In other words, the credit industry is facilitating willful ignorance in order to protect their fundamentally broken system. If you or I found out where exactly the breach happened, we might not be so inclined to give our credit-card numbers to the end merchant or payment processors involved. Customers are not provided with the information we need to make educated decisions about who we trust with our information.

Truth be told, the fundamental problem isn’t with the end merchants, anyway. The problem is that our financial infrastructure rests on the broken concept that a short string of numbers can be used to move money from one person’s account to another. This string of numbers has to be kept ‘secret,’ but it also has to be given to dozens of people throughout the course of a day in order to conduct routine transactions.

Here’s my favorite section of BofA’s data compromise FAQ:
‘Is it safe to use my new card?
‘We are confident that this was an isolated incident and that the steps we have taken will ensure the continued security of your account. Please continue to use your new account as you normally would.’

Yes… an ‘isolated incident,’ just like the other 285 million records that were compromised last year. Take these pills and carry on.

Sherri Davidoff
PGP-signed text: 2010-01-24 (current)



(Via philosecurity.)

PCI DSS In Full Effect in Nevada and NH

January 7, 2010

PCI DSS In Full Effect in Nevada and NH: “

On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire that create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire. Read the full article. [Hunton & Williams Law Blog]


(Via threatpost – The First Stop for Security News.)