Business Security Information

ATM skimming has been around for a number of years.  Unfortunately, though, since I wrote the article entitled “ATM Skimming and Other Fraud Methods,” ATM skimming has become more difficult to detect.

ATM skimming involves criminals planting or installing fake card readers on ATM machines and other places you use your credit or debit card, including gas stations and other similar types of businesses.  Research data shows that approximately ten percent of fraud victims experience ATM cash withdrawals while nearly twenty percent have their PIN numbers also stolen.

Well, we have had a good Thanksgiving meal, and most everyone has headed off to bed so it is now time for me to get down to writing this article.  Yesterday I received an e-mail from a friend stating she was out of the country visiting a friend that was ill.  Her friend was in need of surgery, and they were trying to recruit a surgeon from Israel and were in need of $2800 to pay for this necessary surgery.  First, I was suspicious that this was a fraudulent e-mail because I had just seen the person and knew that she had no plans of heading out of the country.  Secondly, the e-mail requested $2800 dollars which is a very small amount for a surgery, especially since the e-mail had an urgency about it leading the reader to believe that it may be a matter of life and death.  The return e-mail was also suspicious because the return address was a generic Yahoo e-mail address.

If you have not heard yet, the FTC (Federal Trade Commission) is changing the date they will start enforcing the Red Flags Rule.  The enforcement for this rule was to start last week on November 1, 2009, but has been delayed by the FTC until June 1, 2010.  This was announced by the FTC on Friday, October 30, 2009.

The Red Flags Rule is part of the Fair and Accurate Credit Transaction Act of 2003.  As discussed in my last article, “Complying with the Red Flags Rule”, businesses that are financial institutions or creditors must comply with the rule.  So, how do you know if this applies to you?  The definition of a financial institution is pretty straight forward and includes state or national banks, savings and loan associations, credit unions and any other institution that directly or indirectly holds a transaction account belonging to a consumer.  This transaction account is a deposit account or an account from which a consumer can make payments or transfers to third parties.  The definition of a creditor is a little more obscure.

When I was at my dentist’s the other day for my scheduled appointment, the receptionist asked me for my driver’s license and then made a copy of it.  Curious about why they did that and concerned about protecting my personal information, I asked them why they needed a copy of my driver’s license.  The lady explained that they were getting copies of all patient’s drivers’ licenses to comply with the FTC (Federal Trade Commission) Red Flags rule.  Now I knew some about the Red Flags rule, and it just did not seem necessary to make and store a copy of all your patients drivers’ licenses.  I discussed this issue with the dentist, who is also the owner of the practice, during my appointment, and I found out they were just going by information they had received as a member of the ADA (American Dental Association).  The dentist really did not know much about the Red Flags rule but was just following what he had received from the ADA because he was worried about getting in trouble from the FTC if they ever investigated his business.

If you have not read my two articles on phishing, I would recommend that you do that before reading this article.

1. Do I need My Boat to Go Phishing?
2. VOIP Phishing Scam

A new twist on this scam has come out recently, and I wanted to make sure everyone was aware of it.  RSA Security, a security firm that provides businesses with a variety of consulting services and products, has discovered what they call “chat-in-the-middle” attack.  Like most phishing scams, the attacker uses a fake web page which is set up to look like a banking website.  They get people to go to the site by sending out e-mails which contain a link to the fake website.  The difference in this attack is that the website has live chat support so the attackers can interact with their victims.

Well, here is a new one on me.  I have to credit Tom Slovenski from www.cellularforensics.com with bringing this one to my attention.  The term Smishing was a term I had not heard used before.  Smishing is basically a phishing attack using cell phone text messages.  The term is derived from SMS technology used in text messaging and the term phishing.

What is ATM Skimming?

ATM Skimming involves a device called a skimmer to gather and store the information from your ATM card.  A crook also has to install a hidden camera, usually a wireless camera, pointed at the keypad so your pin number can be gathered or transmitted.  There are some small cameras or hidden cameras on the market that have built in flash drives or digital video records that can store information so the bad guy does not have to be nearby to gather the PIN numbers.  Another method is to use a fake keypad or keypad overlays which, when slipped over the original keypad, can either transmit or store the information.  Watch this YouTube video to see an actual skimming device and hidden camera.

Vishing

Basically a form of social engineering where the criminal uses the telephone network to scam people.  The criminal uses this technique to get information or money from those they contact by pretending to be a legitimate business, usually using a technique called “Caller ID Spoofing.”  The term vishing comes from the two words voice and phishing.  You can read more about phishing in a previous article I wrote.

Vishing attacks are currently being used to steal credit card numbers, personal information or to sell bogus products.  Vishing attacks are also being combined with phishing, which is an e-mailed type scam.

Scams abound in today’s society, but the scams of today are not that different from those of the past. The only difference is the method of delivery and the number of people that can be reached at one time.  Today’s technology now allows large numbers of people to be reached all at once through “phishing,” one of the most popular scams.  Phishing is a form of e-mail fraud in which the scam artist tries to obtain personal and financial information from someone.  It generates millions of dollars even when only a low percentage of people respond to the phishing e-mails.