It has been a busy week in cybercrime. The FBI says it arrested fourteen individuals and charged them with bank fraud and conspiracy to commit bank fraud in the alleged theft of over US $1 million from Citibank using cash advance kiosks at casinos located in Southern California and Nevada. The individuals found and then exploited a security flaw in Citibank’s electronic transaction security protocols.
The gist of the scheme was that the perpetrators would open multiple Citibank checking accounts. Next, they would make successive withdrawals—that combined were several times the amounts that had been deposited in the accounts—from the casino’s cash advance kiosks. They had to make these withdrawals in less than 60 seconds to exploit the flaw. The FBI stated that the individuals “were also careful to keep both their deposits and withdrawals under $10 000 in order to avoid federal transaction reporting requirements.”
How the flaw, which netted the group over $1 million, was initially discovered was not disclosed by the FBI. Did they just figure this flaw out over a couple of beers, or did one or more of the fourteen have some inside knowledge of Citibank’s ATM security process?
Next, the first lawsuit was filed against South Carolina’s Department of Revenue and Governor Nikki Haley for failing to protect taxpayers from a massive security breach involving some 3.6 million taxpayer Social Security numbers, 387 000 credit and debit cards, and information on over 657 000 South Carolina businesses. The breach occurred in September, and affects anyone filing tax returns in South Carolina going back to 1998.
According to WSAV-TV in Columbia, S.C., a cybercriminal was able to obtain the credentials of a tax collection agency employee to gain complete access to South Carolina’s tax database. State officials are refusing to say how this occurred—which is no big surprise.
Gov. Haley created a stir earlier this week when she insisted South Carolina’s government information security practices were adequate, and stated that the reason taxpayer Social Security numbers were not encrypted was because it was “cumbersome” and “there's a lot of numbers involved.” Not content to stop there, she dug her “I don’t have a clue” hole deeper by saying that, “The industry standard is that most SSNs are not encrypted,” and that lots of “agencies that you think might encrypt Social Security numbers actually don't.” More than a few IT security experts have already disagreed with the governor’s take on adequate cybersecurity practices.
Of course the real economic calculus behind Haley’s blasé attitude might hinge on the fact that the state’s liability for negligence in a breach such as this is likely limited to $600 000, while the cost to encrypt South Carolina’s sensitive taxpayer data is probably a lot higher than that. South Carolina is providing taxpayers one year of free credit monitoring service at Experian, which is the least the state can do. Literally.
Georgia (the country, not South Carolina’s neighbor) decided that it had had enough of a Russian cybercriminal who “waged a persistent, months-long campaign that stole confidential information from Georgian government ministries, parliament, banks and NGOs,” ComputerWorld reported Tuesday. So the government’s Computer Emergency Response Team (CERT) set up a cyber document honey-trap that fooled the cybercriminal into downloading a file he thought contained sensitive government information but instead was spyware. With it, CERT was able to download documents from his computer—and even turn on the cybercriminal’s webcam for about 10 minutes and take his picture. The documents downloaded allegedly show that he did work for Russian security agencies.
Every year, Verizon, in cooperation with authorities in Australia, Ireland, the Netherlands, and the United States, compiles global security statistics. Verizon released its 2012 Data Breach Investigations Report (pdf) this week, which showed that there were at least 855 incidents involving 174 million compromised records in 2011. The 77-page report indicated that, “2011 boasts the second-highest data loss total since [Verizon] started keeping track in 2004.”
The report went on to say that, “Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property.”
Government agencies and businesses aren’t the only targets of cybercriminals, however. According to a study (pdf) released this week by California-based Kindsight Security Labs, 13 percent of home networks are infected with malware. Furthermore, the report states that 6.5 percent of broadband customers are infected with high-level threats such as bots, rootkits, and banking Trojans, and that over 2 million users’ systems worldwide (685 000 in the United States alone) are infected with the ZeroAccess botnet. I would have guessed more given the amount of spam I receive on a daily basis.
Finally, returning to the good news, US cellphone companies have started as of Wednesday to roll out a database that will serve as a stolen cellphone blacklist repository, something they have long resisted doing. A story in ComputerWorld says that carriers AT&T and T-Mobile will offer a joint database that blocks a phone’s International Mobile Equipment Identity (IMEI) number, which is used to verify that it is a valid device when accessing a carrier’s network. Verizon and Sprint will be offering their own database soon.
By November 2013, the four carriers will combine their databases as well as link to those maintained overseas to prevent stolen phones that are locked out in the U.S. from being sold overseas. Nearly half the robberies in San Francisco this year were cellphone related.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.