Hacking & Security

Apple releases new details on National Security Requests

The Hacker News - 17 June, 2013 - 19:00
Apple revealed on Monday that it received between 4,000 and 5,000 data requests in six months from U.S. law enforcement for user information and affected accounts. Apple said the most common forms of requests involved investigating robberies and other crimes. Between December 1, 2012 and May 31, 2013, federal, state and local law enforcement had requested customer information up to
Category: Hacking & Security

Double Cashing With Mobile Banking

Krebs on Security - 17 June, 2013 - 18:39

The case of a Kentucky man arrested this month for using mobile banking to steal thousands of dollars from a local supermarket chain highlights the security loopholes that thieves can exploit in mobile check deposit schemes being deployed by financial institutions across the country.

Louisville, Ky. based news station WDRB Inc. carried a story last week about a local man who was arrested after allegedly using mobile banking to steal more than $12,000 from multiple Kroger stores.

“Police say 34-year-old Boma Robert Spero-Jack went into several different Kroger stores and purchased at least 32 Western Union money orders. Each money order was issued for an amount between $195 and $500, according to an arrest report. Police say he would then leave the store and deposit the money order into his Bank of America checking or savings account, via a mobile deposit. Spero-Jack would then go back into the Kroger and ‘cash’ the same money order, according to the arrest report. Later, police say he would withdraw the amount of the money order from his bank account.”

The technology that Spero-Jack is accused of exploiting — known as mobile remote deposit capture (mRDC) — allows banking customers to deposit a check by taking a picture of it with a cellphone. The risk for financial institutions that allow mRDC is that the customer retains the paper check, and can potentially deposit it again and again at other institutions.

Robert McGarvey, a reporter who wrote about the Kentucky incident for Credit Union Times, said paranoids in the banking business have fretted about this ever since mRDC started to roll out a few years ago.

“Frankly, there have been few reported cases — there have been more accidental double deposits than criminal,” McGarvey said. “But now I am hearing about small time gangs doing this.”

McGarvey and others say this is an area that is ripe for exploitation by far more organized operations — the kind of criminal gangs recently busted for extracting tens of millions from ATM cashout schemes, or from account takeovers involving fraudulently-obtained prepaid debit cards. Those schemes involved transferring funds from compromised accounts and did not require the attackers to put up 50 percent of the cost of the fraud to start with, as was the case with the Kentucky crimes.

“The key is to open an account with fake ID, then buy a throwaway phone at WalMart,” McGarvey said. “You are then in business and very, very unlikely to get arrested. Most banks set a low limit – maybe $3,000 per day on MRDC – which also tells the crook he can get $2,999 with no sweat.”

Julie Conroy, a research director with the retail banking practice of Aite Group, a Boston-based research and advisory firm, said banks are not seeing a lot of losses due to this type of fraud…yet.

“But I think ‘yet’ is the operative word there,” Conroy said. “The product is still fairly new, with many banks just rolling out their offering in the last year or so.  Most banks are protecting the product through a combination of rules and velocities, and due to this approach, and the fact that the product is relatively new and doesn’t have a ton of volume yet, this has worked fairly well so far.  However, the service is popular with customers, and as this report shows, the bad guys are finding it too.”

Conroy said the key challenge for banks is that they can’t detect in real-time when an item has been deposited via the mobile channel, and then deposited at a branch.

“There are some anti-fraud services that can help detect multiple presentments at multiple banks via mRDC, so to the extent that the banks are subscribing to those services, that can help minimize the risk somewhat,” Conroy said.

According to Conroy, the other aspect of mRDC that has many bankers nervous is the consequential damages provision that was part of the enabling regulation.  That provision says that if an item is deposited twice, and that second deposit causes harm to the maker of the item, then the bank responsible for the second presentment has to cover any consequential damages that may result.

“So, to give you the worst case scenario, say I write you a check, and you deposit it once via mRDC, and a second time at a bank branch,” Conroy said. “The second deposit causes my account to go into overdraft status, and the very next check that would have cleared was my homeowners insurance check.  That check bounces, and the next day my house burns down.  Technically, the bank where that second presentment occurred could be on the hook for the cost of my house if my homeowners insurance lapsed due to that bounced check.  No banks have seen much in the way of losses due to this provision, but the possibility of unlimited losses is scary — as is the potential that the consequential damages provision itself could be gamed by the bad guys.”

Category: Hacking & Security

KDE 4.11 beta brings Wayland support to KWin

The H Security - 17 June, 2013 - 18:33
The first beta of version 4.11 of the KDE Software Collection, also referred to by its actual version number of 4.10.80, has been released and brings experimental Wayland support to KWin and more Qt Quick in Plasma Workspaces    

Category: Hacking & Security

ICS-CERT issues warning about unsafe medical devices

The H Security - 17 June, 2013 - 18:32
Patient monitors, medical pumps, and analysis devices – like industry control systems, the equipment used in hospitals is increasingly connected to networks. Now, ICS-CERT says that some 300 devices from 40 manufacturers have backdoors    

Category: Hacking & Security

DeepCover Secure Authenticator From Maxim Integrated Protects Designs With Strong Public-Key Cryptography

DarkReading.com - 17 June, 2013 - 18:04
Integrated authenticator simplifies interconnect complexity in medical sensors and industrial applications
Category: Hacking & Security

Open Recall: MIMO, openSUSE milestone, Minecraft Assemble, Cube Slam

The H Security - 17 June, 2013 - 18:03
In this edition of the Open Recall, MIMO at the TDF, openSUSE 13.1's second milestone, the latest Parted Magic, Minecraft cloned in assembler, LibreOffice's code cleaning, playing Pong with WebRTC and GStreaming on iOS devices    

Category: Hacking & Security

Armadillo Adds Data Classification Capability With Boldon James Partnership

DarkReading.com - 17 June, 2013 - 18:01
Boldon James Classifier delivers data classification in order to prevent highly sensitive information from entering the public domain
Category: Hacking & Security

US law enforcers want to see a kill switch on our mobile phones

Sophos Naked Security - 17 June, 2013 - 17:57
They are demanding a switch on our smartphones that would theoretically brick them after they're stolen. But would it be effective?

Digital privacy, Internet Surveillance and The PRISM - Enemies of the Internet

The Hacker News - 17 June, 2013 - 17:54
If you have followed the startling revelations about the scope of the US government's surveillance efforts, you may have thought you were reading about the end of privacy, and about the Enemies of the Internet. “My computer was arrested before I was.” a perceptive comment by an internet activist who had been arrested by means of online surveillance. Online surveillance is a growing danger for
Category: Hacking & Security

Shoot-out results: Best security tools for small business

InfoWorld.com [Security] - 17 June, 2013 - 16:35

If you run a small business, you have a lot of choices to protect your network. You can buy a consumer-grade router for less than $50, you can spend more than $4,000 for an enterprise firewall, or you can select something in between.

That's where unified threat management (UTM) products fit. UTMs integrate five basic security features: firewall, IDS/IPS, anti-virus/anti-spam, VPN and outbound content filtering to prevent phishing and browser-based attacks. UTMs offer easy setup and they can support a 25-person small business for an average of around $1,500.

Category: Hacking & Security

SCO v IBM case resurrected

The H Security - 17 June, 2013 - 16:05
The US District of Utah has re-opened the SCO v IBM court case, six years after SCO filed for Chapter 11. The case has been resurrected because SCO's motion to re-open the case was wrongly denied    

Category: Hacking & Security

Java EE 7 at a glance

The H Security - 17 June, 2013 - 15:56
The next step for Java EE 6 was planned to be cloud support but the collapse of ambitious developer plans has meant Java EE 7 arrived with few fundamentally new aspects, representing more a consistent effort to round off existing features    

Category: Hacking & Security

FDA tells medical device makers and hospitals to strengthen security

Sophos Naked Security - 17 June, 2013 - 14:55
The FDA hasn't seen patient deaths or injuries, but it has seen malware clogging up hospital equipment, passwords passed around like candy, and disregard for updating/patching old equipment.

7 essentials for defending against DDoS attacks

InfoWorld.com [Security] - 17 June, 2013 - 14:35

Go ahead and ask CSOs from the nation's largest banks about the myriad distributed denial-of-service (DDoS) attacks they've experienced in recent months. They're not going to tell you anything.

Security execs have never been comfortable talking about these attacks because they don't want to draw more attention to their companies. They worry that offering even the basic details of their defensive strategy will inspire attackers to find the holes.

Category: Hacking & Security
