Sunday, November 30, 2008
November - News & Views Below
CU SECURITY & TECHNOLOGY News - Providing a brief summary of news and information related to security and technology issues for credit unions - Plus some interesting and fun web sites.
Wednesday, November 26, 2008
Symantec puts value of underground transactions at $275M
Those of you looking for statistics to justify your security budgets for next year, look no further: Symantec has released their view of the underground economy as it has evolved over the past year.
The qualitative information in the report is amusing, but the quantitative information has far more value to anyone trying to build a justification for infrastructure and security services related to PCI-DSS. For example, the report puts the market value of the traded goods, including financial credentials, at around $275M. This total market value is dwarfed by the potential amount of cash that can be extracted by the underground using these accounts.
If you ignore the numbers, there is not too much new for those of you who have been following how pilfered data is traded on the underground. Most of the statements made in the document have been previously reduced to platitudes and anecdotes that have circulated at conferences and blogs for some time now. However, it is pretty rare that such data is collected with rigor and provided with solid analysis, and for that reason the report is useful.
A Holiday Killer. Unless You Get Hit
A recession is when your neighbor gets laid off. A depression is when you get terminated. With credit cards, fraud is not a big deal. Unless it’s your number that’s for sale, online.
A Symantec report says the underground economy is booming. The total value of goods and services was “more than” $276 million. The most popular stuff: Bank account credentials and credit cards that have CVV2 security codes with them.
But bank account credentials can be had for as little as $10. Credit cards with security codes? As little as 10 cents, up to $25 each.
What does the thief get?
Symantec figures the average balance per credit card at $4,000, yielding a potential spend of $5.3 billion. Average bank account? $40,000, yielding a potential spend of $1.7 billion.
All told, about $7 billion of money to spend. If you’re willing to go underground and get it.
That’s not chump change — if the sellers can get buyers to cough up the $276 million to buy $7 billion of purchasing “power.”
But it’s not a holiday killer. Online merchants are likely to pull in $32 billion of sales this Christmas, Hannukah and general gift-giving season, according to eMarketer. And Nielsen, at least as of October 9, was still predicting in-store sales this holiday season to rise 4.7% to $98 billion. Unit sales may be flat, but dollar sales will be up, the research firm said.
So even if every one of the 1.3 million credit cards and 42,500 bank accounts at risk, by interpolating Symantec’s numbers, are purchased and exploited to the full, that would only pump up the holiday season another 5%.
Until the sales get reversed by complaining card and account holders and start to wipe out merchants’ earnings.
Tuesday, November 25, 2008
A Most Interesting and Must See Web Site
This is a very unusual web site. It's for a department store and displays a number of their products. It's in a foreign language (the site is from the Netherlands), so don't worry about reading it. It's the visuals that are interesting. Before you leave the home page, you will have viewed every product on that page.
It would be interesting to see a credit union site along these lines showing all the CU's services. Go to: http://producten.hema.nl/
Allow a minute for the downloading.
TEN things to say when caught sleeping @ your desk
10. "They told me at the Blood Bank this might happen."
9. "This is just a 15 minute power nap they raved about in the time management course you sent me to."
8. "Whew! Guess I left the top off the Whiteout. You probably got here just in time."
7. "I wasn't sleeping! I was meditating on the mission statement and envisioning a new business strategy."
6. "I was testing my keyboard for drool resistance."
5. "I was doing a highly specific Yoga exercise to relieve work-related stress. Are you discriminatory toward people who practice Yoga?"
4. "Darn! Why did you interrupt me? I had almost figured out how to handle that big accounting problem."
3. "Did you ever notice sound coming out of these keyboards when you put your ear down real close?"
2. "Who put decaf in the wrong pot?!?"
NUMBER ONE best thing to say if you get caught sleeping at your desk........
1. Raise your head slowly and say, "...in Jesus' name, Amen."
School Credit Union Customers Have Accounts Cleaned Out
The Seminole Schools Federal Credit Union is trying to figure out how at least eight of its members fell victim to what they believe is a skimmer scam. Somehow, the credit union believes, all eight victims had their credit cards cloned and their accounts cleaned out.
Skimming is on the uptick nationwide, but no one seems to know the common purchase point, where all the local victims swiped a card and thieves swiped their account information.
Sanford police pored through page after page of account data Monday morning, the first business day after at least eight Seminole Schools Federal Credit Union members found that every dollar in their checking accounts had been stolen from right under their noses.
"I came in crying," victim Gemara Goodwin said. Like many credit union members, Gemara teaches in the Seminole County Public School District. She only realized the $800 in her account had been stolen when she logged in online. [Read story at WFTC.com].
CU TECH CONFERENCE HELD IN NEW ORLEANS
The CU InfoTech conference, now in its 11th year, was held in New Orleans. Approximately 100 attendees from credit unions across the country were in attendance. Program highlights included Tom Glatt, Sr. on Technology Planning, Rick Sirois on Mobile Banking for Credit Unions, Bob Frank on Server Virtualization, Patrick Spencer on Member Business Lending, Bill Rogers on Biometric ID Solutions for Credit Unions, Dana Turner on Technology and Security Issues, and Quintin Sykes on Emerging Technology and Delivery.
This was the 14th annual credit union technology conference for credit unions and the only on-going conference totally devoted to technology issues.
Monday, November 24, 2008
Jack Henry Touts Mobile Banking Signings
A year after it was launched, Jack Henry & Associates said it now has 103 financial institutions using its mobile banking solution.
goDough was introduced in November 2007 and is supported by 34 mobile service carriers and is compatible with any Web-enabled mobile device, the company said.
Functionality includes transfers, transaction viewing and support of checking, CDs, money market, loan and lines-of-credit accounts, the company said, as well as alerts and payments.
The goDough service is integrated into two of Jack Henry’s core processing platforms for banks and the Symitar Episys platform for credit unions.
Wednesday, November 19, 2008
Study Shows Gender Differences in Risky Driving
If “men are from Mars and women are from Venus,” then the roads on which Martians tread are likely extremely treacherous. The findings of a new study conducted by Quality Planning, the ISO company that validates policyholder information for auto insurers, suggest a noticeable difference in the number and type of traffic violations received by men versus women.
Specifically, the data indicates that men possess a greater propensity toward certain risky driving behaviors, such as speeding, failure to yield and so forth.
Drawing upon traffic code violations data for a one-year period, from 2007 to 2008, the study examined male and female perspectives on the laws of the road. Quality Planning analyzed 12 months of 2007 policyholder information for U.S. drivers, comparing the number of moving and non-moving violations for both sexes. Overall, the data indicates that men are much more likely to receive a traffic citation than women, and that this difference in driving behavior is consistent across all age groups.
According to Quality Planning, women are more observant of traffic laws than men, and the laws violated more frequently by men are those designed to safeguard people and property. The study found that men are cited for reckless driving 3.41 times more than women. Reckless driving is considered one of the most serious traffic offenses by courts, as it implies a disregard for the rights and safety of persons or property.
“We were not surprised to see that men have slightly more — about +5 percent — violations that result in accidents than women,” said Dr. Raj Bhat, president of Quality Planning. “Men are more likely to violate laws for speeding, passing, and yielding. The resulting accidents caused by males therefore lead to more expensive claims than those caused by women.”
Interestingly, women drivers were also about 27 percent less likely than men to be found at fault when involved in an accident. Again, this underscores the finding that women are on average less aggressive and more law-abiding drivers, attributes that can also translate to fewer accidents.
Tuesday, November 18, 2008
Achieving Financial Goals
34 percent of credit union members, 39 percent of regional or local bank customers and 47 percent of national bank customers are less than satisfied with how their bank helps them achieve their financial goals.
A Recovering American Soldier
When doing your Christmas cards this year, take one card and send it to this address. If we pass this on and everyone sends one card, think of how many cards these wonderful special people who have sacrificed so much would get.
When you are making out your Christmas card list this year, please include the following:
A Recovering American Soldier
c/o Walter Reed Army Medical Center
6900 Georgia Avenue, NW
Washington, D.C. 20307-5001
If you approve, please pass it on.
If for some reason you don't do Christmas, just send a thank you card during this time of the season to thank these fine men and women who have sacrificed so much for you to have the privilege to live in America and be free to choose how you want to live and worship!
Scammers take advantage of financial crisis, holiday
Scammers are taking advantage of the financial crisis and may earmark the upcoming holidays by launching new attacks to steal personal information for possible fraud.
According to the Wisconsin Credit Union League, consumers should be wary of e-mails or ads that ask them to update, validate or confirm account information (Wisconsin State Journal Nov. 14). Credit unions can help get the word out to their members about these claims.
One claim says that a company recently acquired the recipient's mortgage and asks for an update of personal information, the league said.
UW CU, Madison, Wis., warned its members about a "secret shopper" scam that sends recipients fake checks for consumer research and asks the recipients to deposit the checks and wire the money.
Members can expect more scams to take advantage of the holidays, similar to one that occurred last Thanksgiving Day in Manitowoc County, Wis., said the league.
That scam--timed to occur when financial institutions are closed--dialed 40,000 area residents and got 20,000 people to answer the phone. It claimed the recipients' bank account was frozen, provided a toll-free number to call to reinstate it and asked the recipients to verify their personal information.
Monday, November 17, 2008
U.S. ATMs: On the Decline or Poised for a New Wave of Growth
Banks continue to seek new ways to extract value from, and provide value through, their investments in ATM technology. This article explores how the ATM’s history can guide its future, steering us toward the next wave of innovation and growth in the United States.
Twelve years after the advent of surcharging in the U.S., the promise of increased profitability has largely evaporated for financial institutions and for all but the largest, most efficient ISOs. While some high volume ATM locations are profitable, many are not. However, this does not suggest the death of the ATM channel. What it means is that we are returning to a holistic view of the bank-consumer relationship, where the ATM is just one element of the customer experience, and where channel profitability is judged not on a transaction basis, but on a long-term relationship basis. In other words, a return to the prevailing view of the ATM in the early 1990s and before.
We believe the next big ATM opportunity in the U.S. is not in added services for existing users, but in new services for new users in new locations. In one such scenario, the next generation of ATM may not be an ATM as we know it, but a financial service station for a new group of consumers with limited or no banking relationships or experience.
Read the entire article at: http://www.edgardunn.com/uploads/100030_english/100307.pdf
Laptops stolen from auditors may have members' info
Two Oregon credit unions have notified members that laptops stolen from outside auditors may have contained their names, account numbers and balances for certain types of deposit accounts but not critically sensitive information.
OnPoint Community CU, based in Portland, said a laptop that belonged to a Michigan-based auditing firm was stolen after the auditors left the office of OnPoint Community CU on Oct. 29. OnPoint Community President/CEO Robert A. Stuart told members about the theft in a letter to members posted Nov. 4 on its website.
And local media in Eugene, Ore., reported that Oregon Community CU, based in Eugene, sent out similar letters last week to members informing them that laptops had been stolen from auditors after they left the credit union for a required audit, also on Oct. 29 (KMTR.com Nov. 14).
The auditors could not confirm they deleted all OnPoint information from the laptop before leaving the offices, as required by OnPoint policy, Stuart said. "Because of this uncertainty, we are taking a number of precautions, including proactively notifying our members," he said.
He noted the information did not include any credit card information, debit card information or passwords. It also did not include any Social Security numbers, taxpayer ID numbers, birthdates or other information typically used in identity theft.
Symitar Uses Video for User Comments
For nearly 25 years, Symitar has relied on client endorsements as their primary sales tools. After all, what can possibly speak louder about the quality of products and service standards than a satisfied client? That's why as a rule, the company provides their entire client list to new prospects, rather than just a select few "reference" clients.
You can check out users' video comments at: http://www.cu-tube.com/
Saturday, November 15, 2008
Biometrics Penetrating Consumer Markets, Says ABI Research
Long the domain of government and law enforcement agencies, biometric systems are increasingly moving into the market for personal data management and security. Laptops, mobile phones, storage drives and other personal devices will increasingly include biometric options to provide an additional layer of access security.
The combined growth in the government, law enforcement and private sectors for biometrics will drive spending on biometrics systems over the next five years up to $7.3 billion by 2013, up from around $3 billion in 2008.
Complete article at: http://www.centredaily.com/business/technology/story/963701.html
Tuesday, November 11, 2008
Insufficient Funds
Why do banks and credit unions charge a fee on 'insufficient funds' when they already know there is not enough money?
Sunday, November 9, 2008
ZabaSearch - Search public information for people, phone numbers, IP addresses, and more for free
If you need to find some information on a person, such as previous addresses or if you need to look up the address for a phone number, then ZabaSearch is one place you can go to find this type of information for free. The key here being that it’s free. Most of the other sites that have people search, such as WhitePages, just tell you that they found the name, but don’t give you any other information unless you buy their service.
I searched my name on ZabaSearch and it popped up with all of the addresses that I have lived at for the last five years! That’s impressive considering I don’t actually have my own place as of yet. And that’s not it! It also gave me the year and month I was born, and my home phone number! You might find this like a breach of privacy, but all of this information is publicly available and that’s why ZabaSearch is able to bring it up.
http://WWW.zabasearch.com
Friday, November 7, 2008
Malware steals log-on data to accounts
The log-ons to more than a half million bank, credit and debit card accounts have been stolen over the past two-and-a-half years by a single cyber crime group using a Trojan horse spyware that "morphs" to avoid detection.
Researchers at RSA Security Inc.'s FraudAction Research Lab discovered the stolen data while they were tracking the Sinowal Trojan horse, also known as Mebroot and Torpig. They tracked the spyware to a drop server that contained the stolen data (Computerworld Oct. 31).
RSA investigators found more than 270,000 online banking account credentials, plus about 240,000 credit and debit account numbers and other personal information lifted from Microsoft Windows PCs (WashingtonPost.com Oct. 31).
The Trojan horse malware has been active since at least February 2006. Once on a system, the malware waits for the user to enter the address to an online bank, credit card company site or another financial URL. It then substitutes a fake address. The malware is triggered by more than 2,700 specific Web addresses, a much larger number than other Trojan horses.
The fake sites collect the log-on usernames and passwords to banks and other financial institutions. They trick users into disclosing information legitimate financial institutions would never collect online, such as Social Security numbers. They transmit the pilfered data to the drop server.
RSA Security said it suspected the group responsible is based in Russia. The malware was distributed globally, but Russia was the one region that had no infections.
Wednesday, November 5, 2008
Fly Naked
Fly naked, redux: Now there are fears that women will wear exploding bras, set to go off when they are frisked.
Scotland Yard has sent details of the bombs - which are primed to go off as the wearer is frisked by security staff - to all the major airports, including busy Heathrow and Gatwick.
The memo warns one suicide bomber in Colombo, Sri Lanka, killed herself and four police officers. "The device exploded as the attacker was being searched by two female constables," it says. "The police have determined she was wearing an improvised explosives-laden bra wired to detonate if tampered with." ....
One anti-terrorist officer said: "It may sound a little silly but you can't take anything for granted these days."
The bombers lull officers into a false sense of security by showing their bare midriff to prove they are not wearing a "bomb jacket" - but then the bra explodes. If this weren't so sick and so real, it'd be a straight line with so many punchlines.
Back in December 2001, when a jerk tried to blow up a plane with a bomb in his shoe, some said the only solution is to fly naked.
Some people feel this may be a booby trap.