Scope of debit card fraud may be widening
A global surge in debit card fraud has some worried that the impact of recent data compromises is
much worse than originally thought. Citibank is among the latest financial institutions to suffer a
breach, and customers immediately felt the impact when the company put transaction holds on an
unspecified number of Citi-branded MasterCard debit cards. It did so after detecting fraudulent
cash withdrawals in Britain, Russia and Canada. A number of institutions have been forced to block
transactions or reissue thousands of debit cards because of compromises in recent weeks, including
Bank of America, Wells Fargo and Washington Mutual Bank, along with a variety of credit unions
around the country. The North Carolina State Employees Credit Union, for example, has reissued more
than 27,500 debit cards in the last two weeks after Visa reported a security breach involving a
U.S. retailer, ComputerWorld recently reported. Leigh Brady, senior vice president with the credit
union, told the magazine that many of the compromised debit cards were being used fraudulently in
such countries as Rumania, Russia, Spain and Britain. "This is the largest [card re-issue] we've
had in quite a while," Brady said. Stamford, Conn.-based research firm Gartner Inc. said the
combined bank actions reflect the largest PIN theft to date, and point to a new wave of "PIN block"
card fraud. This crime involves stolen PINs being decrypted with
Requires Free Membership to View
SearchFinancialSecurity.com members gain immediate and unlimited access to in-depth technical advice, strategies, and expert guides for securing data in high-risk financial environments. Join me on SearchFinancialSecurity.com today!
Michael S. Mimoso, Editorial Director
a stolen key to create counterfeit
cards.
RSA and Panda bust Trojan factory
Bedford, Mass.-based RSA Security Inc. and Glendale, Calif.-based Panda Software say they've teamed
up to bring down several Web sites that were part of a complex system to build and sell "À la
carte" Trojans that could be used for espionage and theft of confidential personal and financial
data. In a joint statement, the vendors described how they came across the operation: Panda's
TruPrevent Technologies detected a new Trojan called Troj.Briz-A, and noticed "certain
peculiarities" that led them to the scam which has now been dismantled. "Panda contacted RSA
Cyota's 24/7 Anti Fraud Command Center, which implemented its process to disable the Web pages
involved by contacting the ISPs hosting the site and identifying it as a source of these illicit
Trojan services," the vendors said in the statement. Three Web sites selling Trojans were taken
down by the ISPs hosting them, as well as two others on which hackers could see information about
infections they've caused.
Firefox to get anti-phishing capabilities
Mozilla plans to build anti-phishing protection into an upcoming version of its popular Firefox
browser, and Google is supplying at least some of the technology. The new layer of security is to
be a key feature in Firefox 2, due out later this year, Mozilla technology strategist Mike Shaver
told CNET News.com. "Everybody understands that phishing is a significant problem on the Web,"
Shaver said. "We are putting antiphishing into Firefox, and Google is working with us on that."
While Firefox 2 will get a phishing shield, Shaver said it remains to be seen exactly how that
shield will be incorporated into the browser. "Google, like others who contribute to the project,
has contributed code and expertise for us to experiment with," he told CNET News.com. "We haven't
committed to a given approach, a given technology or a given partner."