Saturday, July 18, 2009

Millions Stolen as Scam Puts Banks in One Helluva SMS

By Lavern de Vries

Gauteng police are working with Vodacom to trace the victims of a
multimillion-rand SMS banking authentication scam, described by a top
security firm as the first of its kind.

Police spokesperson Superintendent Lungelo Dlamini said on Thursday
that members of the Joburg Commercial Crimes Unit were liaising with
commercial crime units across the country to determine how many people
had been affected by the rip-off.

Security experts have billed the scam as a world first.

"This incident is, as far as we know, a world first, which only
enforces our opinion that SMS-based authentication, while slightly
more secure than the simple username-password combos, is outdated, and
in our fast-paced and highly evolving cyberworld no longer sufficient
by itself."

Costin Raiu, chief security expert at
Kaspersky Lab, suggested that banks deploy better and more advanced
technology to stay ahead of criminals.

He advised readers to check their online accounts often and notify the bank immediately if suspicious transactions are found.

Banks should be able to recover clients' money if they were notified promptly, Raiu said.

It is not known which banks were involved in the scam.

Dlamini would not be drawn on how much money was allegedly siphoned by
a Vodacom engineer and his accomplice through an elaborate scam
involving the blocking and delaying of SMS banking alerts to Vodacom

A Gauteng newspaper had reported that the Vodacom engineer and his
partner allegedly stole R2,4-million. Other media reports said that
when the pair appeared in the Johannesburg Commercial Crimes Court on
Monday, the State prosecutor received another docket for another R3,3m.

Dlamini said the docket was with the court and police would not comment on the issue.

On Tuesday Vodacom released an internal letter informing employees of
the scam and asking them to "convey the facts to our families, friends
and customers".

Signed and sent out by Vodacom chief communications manager Dot Field,
it explained that the alleged fraud was committed with the help of
fraudulently created temporary dual SIMs.

A customer's internet bank account would be logged into, and the
one-time password from the bank would be sent to the temporary dual
SIM, which enabled the transfer of money out of the customer's internet
bank account to their own account. When the transaction was successful,
the temporary dual SIM would be deleted.

The email also implied that customers would have to compromise their
PIN and password via phishing (when fraudsters get hold of sensitive
information such as usernames, passwords and credit card details by
masquerading as a trustworthy entity) for this type of fraud to occur.

Dlamini said police suspected a syndicate was behind the scam, and more arrests were expected.

    • This article was originally published on page 1 of The Star on July 17, 2009

Almost 90% Don't Trust/Wouldn't Use Mobile Banking

We can see here that almost 90% of smartphone owners said that they didn't trust mobile banking security
or saw no need to manage their finances from a mobile device.

Source: Blog

Mob Steals Data - Lexis-Nexis Breach Linked to Bonanno Crime Family

Lexis-Nexis Breach Linked to Crime Family
Analyst: 'Days of Amateurs Committing Breaches are Well Behind Us'

Excerpts from

How it Happened

According to the indictment, Lee Klein, one of eleven people charged in the indictment, worked for the criminal "crew" of Thomas Fiore, an associate of the Bonanno organized crime family.

The indictment alleges that Klein illegally used "information obtained from computer databases in order to acquire identification information regarding potential victims of extortion" and people suspected by Fiore's criminal organization of being involved with law enforcement.

Klein allegedly provided Fiore with "corporation names, addresses and account numbers to facilitate the manufacture and negotiation of counterfeit checks." In addition, the indictment alleges that members of the criminal crew used threats of force and violence, including conspiracy to commit murder, to advance the objectives of the enterprise.

Security Experts React to Mob Ties

"Although sensational in its headline 'Mob Steals Data,' we perhaps should focus on how the data was accessed and what was contained in the information," says information security and privacy expert Kevin Nixon, CISSP, CISM, CGEIT.

"We are experiencing some most extraordinary events related to global businesses, economics and confidential information movement via the merger and acquisition of companies, networks, databases and entire systems."

Analyst Nick Holland sees this case as indicative of the way that data breaches are becoming the work of organized crime syndicates, both overseas and domestically. "The relative ease with which sensitive data can be acquired by either high tech (malware) or low tech (placing a criminal within an organization) makes it attractive for organized criminals that have the resources to execute such attacks," says Holland, of the Aite Group.

The Bonanno crime family was making money from the sale of unauthorized identification documents (including social security numbers and health and life insurance applications). "If the mafia considers that selling sensitive information is a legitimate line of business, then clearly the days of just amateurs committing breaches are well behind us," Holland observes.

Read the Article in its Entirety

Redecard's Internet Processing being Probed

Brazilian antitrust regulators are investigating Redecard SA, the local processor of payments for Mastercard Inc., after the national internet association said the company impeded competition with conditions on online payments.

Sao Paulo-based Redecard changed its contracts to require online payment systems such as EBay Inc.’s PayPal unit to provide lists of clients and use its Komerci platform to process transactions, the antitrust arm of Brazil’s Justice Ministry said in an e-mailed statement late yesterday. The antitrust body banned the contract changes as a preventive measure, according to the statement.

Redecard denied any wrongdoing and said it will cooperate with authorities, according to a regulatory filing.

By Guillermo Parra-Bernal

SAO PAULO, July 17 (Reuters) - The antitrust unit of Brazil's Justice Ministry said it has opened an investigation into credit card operator Redecard (RDCD3.SA), sending the company's shares down 2.56 percent.

The Economic Law Secretariat at the Justice Ministry said Redecard would be investigated for imposing terms on online payments that might hamper free competition.

The probe comes as Brazil, Latin America's most populous country, moves to heighten competition in the $190 billion credit card industry, where customers and merchants complain about exorbitant costs and a dearth of options.

The Brazilian Internet Association, an industry guild based in Sao Paulo, asked regulators to investigate whether Redecard modified contractual terms to have online payment processors provide lists of clients. Under the changes, Redecard would require Internet companies to provide a list with their customers and online stores.

As a preventive measure, the secretariat, known as SDE, banned the contractual changes, which were to take effect on Aug. 1. The association said the use of the MasterCard (MA.N) brand by Internet-based companies such as PayPal and Mercado Livre in Brazil would have become more restrictive, keeping consumer fees from falling.

Redecard, which has an exclusive contract with MasterCard, authorizes merchants, issuers and transactions and acts as a clearinghouse.
