Information Security News
Federal authorities have accused eight men of participating in 21st-Century Bank heists that netted a whopping $45 million by hacking into payment systems and eliminating withdrawal limits placed on prepaid debit cards.
The eight men formed the New York-based cell of an international crime ring that organized and executed the hacks and then used fraudulent payment cards in dozens of countries to withdraw the loot from automated teller machines, federal prosecutors alleged in court papers unsealed Thursday. In a matter of hours on two separate occasions, the eight defendants and their confederates withdrew about $2.8 million from New York City ATMs alone. At the same times, "cashing crews" in cities in at least 26 countries withdrew more than $40 million in a similar fashion.
Prosecutors have labeled this type of heist an "unlimited operation" because it systematically removes the withdrawal limits normally placed on debit card accounts. These restrictions work as a safety mechanism that caps the amount of loss that banks normally face when something goes wrong. The operation removed the limits by hacking into two companies that process online payments for prepaid MasterCard debit card accounts issued by two banks—the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates and the Bank of Muscat in Oman—according to an indictment filed in federal court in the Eastern District of New York. Prosecutors didn't identify the payment processors except to say one was in India and the other in the United States.
PayPal's top security official is on a quest to kill passwords.
"Our intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole Internet—including internally in enterprises—obliterate user IDs and passwords and PINs from the face of the planet."
That's what Michael Barrett, chief information security officer at PayPal, told the network industry today at the Interop conference in Las Vegas. Barrett's second job is as president of the FIDO Alliance, a recently unveiled consortium trying to create an open standard that could replace passwords. Google, Lenovo, and other companies have representatives on FIDO's board of directors.
by Sean Gallagher
On Monday, the "hacktivist" group Syrian Electronic Army (SEA) briefly took over the Twitter account of the satirical news publication The Onion, posting a series of anti-Israeli "joke" stories and an anti-Obama "meme" image. The Onion returned fire with its own joke story, "Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Death At Hands of Rebels."
Putting all jokes aside, The Onion's technology team yesterday made a post describing how the SEA had managed to compromise the accounts of a number of employees and take control of the Twitter feed—a series of phishing attacks that took advantage of the organization's use of Google Apps.
According to The Onion's Chris Sinchok, the attack started as a series of phishing e-mails to Onion staff members, which included a link to what appeared to be a Washington Post article. The URL was actually a link to a hacked website that redirected to a fake Google Apps login page. "At least one Onion employee fell for this phase of the phishing attack," the security team reported in the blog post. That employee's credentials were used to gain access to the employee's Google Apps e-mail account, which was then used by the attackers to send further phishing attacks from an internal Onion address, using a link to the same fraudulent Google Apps login page.
bambenek \at\ gmail /dot/ com