Business Security Information

ATM skimming has been around for a number of years.  Unfortunately, though, since I wrote the article entitled “ATM Skimming and Other Fraud Methods,” ATM skimming has become more difficult to detect.

ATM skimming involves criminals planting or installing fake card readers on ATM machines and other places you use your credit or debit card, including gas stations and other similar types of businesses.  Research data shows that approximately ten percent of fraud victims experience ATM cash withdrawals while nearly twenty percent have their PIN numbers also stolen.

**Before reading this article, please refer to my previous article on identifying phishing attacks.  A number of the typical identifiers used to identify a phishing are no longer as important.  Some recent changes made by these scam or social engineering artists makes it hard to easily identify such e-mails as phishing attacks.

Well, we have had a good Thanksgiving meal, and most everyone has headed off to bed so it is now time for me to get down to writing this article.  Yesterday I received an e-mail from a friend stating she was out of the country visiting a friend that was ill.  Her friend was in need of surgery, and they were trying to recruit a surgeon from Israel and were in need of $2800 to pay for this necessary surgery.  First, I was suspicious that this was a fraudulent e-mail because I had just seen the person and knew that she had no plans of heading out of the country.  Secondly, the e-mail requested $2800 dollars which is a very small amount for a surgery, especially since the e-mail had an urgency about it leading the reader to believe that it may be a matter of life and death.  The return e-mail was also suspicious because the return address was a generic Yahoo e-mail address.

If you have not heard yet, the FTC (Federal Trade Commission) is changing the date they will start enforcing the Red Flags Rule.  The enforcement for this rule was to start last week on November 1, 2009, but has been delayed by the FTC until June 1, 2010.  This was announced by the FTC on Friday, October 30, 2009.

The Red Flags Rule is part of the Fair and Accurate Credit Transaction Act of 2003.  As discussed in my last article, “Complying with the Red Flags Rule”, businesses that are financial institutions or creditors must comply with the rule.  So, how do you know if this applies to you?  The definition of a financial institution is pretty straight forward and includes state or national banks, savings and loan associations, credit unions and any other institution that directly or indirectly holds a transaction account belonging to a consumer.  This transaction account is a deposit account or an account from which a consumer can make payments or transfers to third parties.  The definition of a creditor is a little more obscure.

When I was at my dentist’s the other day for my scheduled appointment, the receptionist asked me for my driver’s license and then made a copy of it.  Curious about why they did that and concerned about protecting my personal information, I asked them why they needed a copy of my driver’s license.  The lady explained that they were getting copies of all patient’s drivers’ licenses to comply with the FTC (Federal Trade Commission) Red Flags rule.  Now I knew some about the Red Flags rule, and it just did not seem necessary to make and store a copy of all your patients drivers’ licenses.  I discussed this issue with the dentist, who is also the owner of the practice, during my appointment, and I found out they were just going by information they had received as a member of the ADA (American Dental Association).  The dentist really did not know much about the Red Flags rule but was just following what he had received from the ADA because he was worried about getting in trouble from the FTC if they ever investigated his business.

If you have not read my two articles on phishing, I would recommend that you do that before reading this article.

1. Do I need My Boat to Go Phishing?
2. VOIP Phishing Scam

A new twist on this scam has come out recently, and I wanted to make sure everyone was aware of it.  RSA Security, a security firm that provides businesses with a variety of consulting services and products, has discovered what they call “chat-in-the-middle” attack.  Like most phishing scams, the attacker uses a fake web page which is set up to look like a banking website.  They get people to go to the site by sending out e-mails which contain a link to the fake website.  The difference in this attack is that the website has live chat support so the attackers can interact with their victims.

What is ATM Skimming?

ATM Skimming involves a device called a skimmer to gather and store the information from your ATM card.  A crook also has to install a hidden camera, usually a wireless camera, pointed at the keypad so your pin number can be gathered or transmitted.  There are some small cameras or hidden cameras on the market that have built in flash drives or digital video records that can store information so the bad guy does not have to be nearby to gather the PIN numbers.  Another method is to use a fake keypad or keypad overlays which, when slipped over the original keypad, can either transmit or store the information.  Watch this YouTube video to see an actual skimming device and hidden camera.

I have written about PCI Compliance in a previous article and will not repeat that information here, but I did want to discuss the issues of PCI Compliance related to a recent data breach at Network Solutions.  If you have not heard anything about this particular case, the incident occurred on March 12th of this year but was not discovered until July 13th.  Approximately 573,928 credit card accounts were compromised in this attack.  Currently, it appears that it was an outside attack.

Many businesses today use social media sites as a marketing tool as well as to touch base with existing customers.  Some of the most popular social media sites include Twitter, Facebook, Linkedin, and Myspace.  Of course, there are others out there, and it seems like new ones are becoming available almost on a daily basis.  Do you ever think about what information you are providing others when you  use these sites?  A little information can go a long way.  For example, I read a story recently about a businessman who owned and operated a video-related business from his home and decided to go on vacation with his family.  He is a Twitter user and also has his own website for his business.  While on vacation, he sent Twitter messages out to his followers. When he returned home, he discovered that someone had burglarized his home and had stolen a lot of his video equipment.  An additional note:  he also had his own Flickr page where he had posted pictures of his computers, bicycles, his flat-screen television, and other related items.  It is not known for sure, but it is believed that the information that the businessman put on Twitter about being away from home and updates related to their vacation may have allowed the burglar to know when they would be returning home, and that the home was currently empty.