Tag Archives: fraud

[ISN] Global Payments to Buy Heartland for $4.3 Billion

www.bankinfosecurity.com/global-payments-to-buy-heartland-for-43-billion-a-8753 By Tracy Kitten @FraudBlogger Bank Info Security December 16, 2015 Two leading payments processors that each suffered massive data breaches are consolidating. Atlanta-based Global Payments Inc. plans to buy its smaller rival, Princeton, N.J.-based Heartland Payment Systems Inc., for $4.3 billion. The deal that is expected to close during the fiscal fourth quarter ending May 31, 2016. Industry observers are weighing in on whether the merged companies will successfully build a strong culture of security. “Heartland really took its breach to heart and was one of the best examples of how to learn from such an event and turn it into a leadership opportunity,” says Al Pascual, director of fraud and security at Javelin Strategy & Research. “I give the CEO [Bob Carr] a lot of credit for that. Global Payments was quite the opposite, with one of the least transparent breach events in the payments industry. I’m hoping the security culture of Heartland becomes the dominant one.” But Tom Wills, managing director of payments security consultancy Secure Strategies, says it could be difficult for the new company created through the merger to improve security. […]




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Michaels Breach: How the Fraudsters Pulled it Off

www.bankinfosecurity.com/michaels-breach-how-fraudsters-pulled-off-a-8696 By Tracy Kitten @FraudBlogger Bank Info Security November 20, 2015 More than four years after the point-of-sale attack that struck 80 Michaels craft stores throughout the U.S., compromising nearly 100,000 payment cards, details about how the attackers pulled off their scheme have finally emerged. On Nov. 17, Crystal Banuelos of California, a lead defendant named in the 2011 Michaels debit breach, pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft (see Michael’s Breach: What We’ve Learned). Banuelos’ sentencing date has not yet been set. She faces a maximum sentence of 32 years in prison and a $1 million fine. In her plea filed with a New Jersey District Court, Banuelos notes that she conspired to steal credit and debit card data, as well as PINs, from Michaels’ customers, and knowingly used counterfeit cards created from that stolen data to conduct fraudulent cash withdrawals at ATMs. In all, authorities believe Banuelos and Angel Angulo, a co-defendant named in the indictment whose case is still pending, stole $420,000 from banks through fraudulent ATM withdrawals. Banks defrauded in the scheme, according to the indictment, include U.S. Bank, BMO Harris, Bank of America, JPMorgan Case, TD Bank, Beneficial Bancorp and Wells Fargo. To perpetrate their crime, prosecutors allege Banuelos, Angulo and other unnamed conspirators swapped out 88 legitimate POS devices at 80 different Michaels locations across 19 states with manipulated terminals that were used to capture and store card data and PINs. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] When Security Experts Gather to Talk Consensus, Chaos Ensues

http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chaos-ensues/ By Kim Zetter Security Wired.com 10.01.15 SECURITY RESEARCHERS AND vendors have long been locked in a debate over how to disclose security vulnerabilities, and there’s little on which the two sides agree. Apparently this extends even to the question of whether they should meet to hash out their disagreements. That’s the conclusion after a coalition of security vendors, academics, lawyers, and researchers gathered at UC Berkeley on Tuesday to discuss how to improve the sometimes-hostile system for reporting software vulnerabilities. But the diverse group of participants had a hard time even agreeing on the purpose of the meeting: Was it to draft a charter for best practices in reporting software vulnerabilities? Was it to reform parts of the Digital Millennium Copyright Act and Computer Fraud and Abuse Act to make them less hostile to researchers? Or was it to develop guidelines for companies interested in launching bug bounty programs? The participants hit another sticking point when they tried to determine if they should hold a second meeting. “I spent $2,000 [to come to this meeting],” Dave Aitel, CEO and founder of the Florida-based security firm Immunity, told attendees. Whether or not there’s a second meeting, “should at least be an option” for discussion. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Banks: Card Breach at Hilton Hotel Properties

http://krebsonsecurity.com/2015/09/banks-card-breach-at-hilton-hotel-properties/ By Brian Krebs Krebs on Security Sept 25, 2015 Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims. In August, Visa sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015. The alerts to each bank included card numbers that were suspected of being compromised, but per Visa policy those notifications did not name the breached entity. However, sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: They were all were used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts. In a written statement, a Hilton spokesperson said the company is investigating the breach claims. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Guilty Plea in Morgan Stanley Insider Breach

http://www.bankinfosecurity.com/guilty-plea-in-morgan-stanley-insider-breach-a-8546 By Tracy Kitten @FraudBlogger Bank Info Security September 22, 2015 A former wealth management adviser at Morgan Stanley pleaded guilty this week to stealing confidential information linked to more than 700,000 client accounts over a period of several years. Some fraud-prevention experts say the investment banking firm could have taken steps to detect the suspicious insider activity sooner. Galen Marsh, who worked for the firm’s Manhattan office until he was fired in January 2015, told the U.S. District Court for the Southern District of New York on Sept. 21 that he illegally accessed account holders’ names, addresses and other personal information, along with investment values and earnings, from computer systems used by Morgan Stanley to manage confidential data, according to court records. Between June 2011 and December 2014, Marsh conducted nearly 6,000 unauthorized searches of confidential client information and then uploaded the information on 730,000 clients to a server at his home in New Jersey, the court documents show. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Casino robbery: A whopping $258 million stolen from junket operating at Wynn Macau in China

http://www.nydailynews.com/news/crime/258-million-stolen-wynn-macau-casino-china-article-1.2361034 BY DAVID BOROFF NEW YORK DAILY NEWS September 15, 2015 It was quite a mugging. A whopping $258 million was stolen recently from a junket operating at the Wynn Macau casino in China, according to reports. The money was stolen from Dore Entertainment Co., Bloomberg News reported. Junket operators work as middlemen for big gamblers. A former Dore manager acted in such a way which “severely impacted the company’s interest and reputation,” Dore said in a statement, according to Bloomberg. “Due to the seriousness of this event, which involved fraud, the group has filed a police report.” Dore has two VIP rooms with more than 25 tables at the casino, UBS Securities analyst Anthony Wong told Bloomberg. The Wynn Macau had nearly 500 tables at the end of 2014, according to a public filing obtained by Bloomberg. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Fake EFF site serving espionage malware was likely active for 3+ weeks

http://arstechnica.com/security/2015/08/fake-eff-site-serving-espionage-malware-was-likely-active-for-3-weeks/ By Dan Goodin Ars Technica Aug 28, 2015 A spear-phishing campaign some researchers say is linked to the Russian government masqueraded as the Electronic Frontier Foundation in an attempt to infect targets with malware that collects passwords and other sensitive data. The targeted e-mails, which link to the fraudulent domain electronicfrontierfoundation.org, appear to be part of a larger campaign known as Pawn Storm. Last October, researchers at security firm Trend Micro brought the campaign to light and said it was targeting US military, embassy, and defense contractor personnel, dissidents of the Russian government, and international media organizations. Last month, Trend Micro said the espionage malware campaign entered a new phase by exploiting what then was a zero-day vulnerability in Oracle’s widely used Java browser plugin. Separate security firm FireEye has said the group behind the attacks has ties to Russia’s government and has been active since at least 2007. EFF staff technologist Cooper Quintin wrote in a blog post published Thursday that the round of attacks involving the electronicfrontierfoundation.org site may have the ability to infect Mac and Linux machines, as well as the normal Windows fare. On Windows, the campaign downloads a payload known as Sednit that ultimately installs a keylogger and other malicious modules. Its use of the same path names, Java payloads, and Java exploits found in last month’s campaign mean it’s almost certainly the work of the same Pawn Storm actors that struck last month. Quintin wrote: […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] FDIC on Why Banks Need a Disaster Plan for Cyber Threats

http://www.bankinfosecurity.com/blogs/fdic-on-banks-need-disaster-plan-for-cyber-threats-p-1924 By Tracy Kitten @FraudBlogger Bank Info Security August 27, 2015 Federal banking regulators have for the last year been pushing community banks and credit unions to enhance their cybersecurity assessment and risk management strategies. The Federal Deposit Insurance Corp.’s “Supervisory Insights” summer 2015, published this week, reminds these smaller financial institutions about an online resource they can use to conduct exercises designed to help them prepare to deal with emerging cyber risks. “In addition to preparing for natural disasters and other physical threats, business continuity now also means preserving access to customer data and the integrity and security of that data in the face of cyber-attacks.” The FDIC’s “cyber challenge” program offers a series of videos and exercises to help banks consider appropriate steps for dealing with key threats, including account take-over, malware infections and other risks related to third parties and vendors. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail