Interpol Says Cybercrime is "World's Most Dangerous Criminal Threat"

Concerned with the growing threat from an estimated $105-billion-dollar illegal business, 300 top law enforcement officials from 56 countries met in Hong King for the first ever national police anti-cybercrime conference.

Ronald K. Noble, secretary general of the Interpol, told the assembled law enforcement officials that "considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face."

More on this story is available from Yahoo News.

Washington State Law Requires PCI Compliance; Allows Banks to Recover Data Breach Costs

eSecurity Planet: Washington last week became the third state to pass legislation that will allow banks to recover certain costs and damages from retailers and credit card processors that suffer data breaches after failing to comply with current Payment Card Industry (PCI) standards. ...The law, which goes into effect on July 1 in Washington, follows similar laws passed in the states of Minnesota and Nevada and marks a fundamental change in the way government and private sector industries assign responsibility and accountability for preventing identity theft.

Read more at eSecurity Planet ...

Separating April Fools’ From Fraud on the Web

NewYorkTimes: On the Internet, every day is April Fools’ Day. ... Thinking about how people get fooled on April 1 is a good way to prepare for the year-round attempts by swindlers to bamboozle the naïve, the witless and those who just aren’t paying close attention. In other words, all of us. ... The same themes run through the e-mail solicitations of Nigerian princes waiting to share their riches, messages by banks to type in your PIN or frantic pleas from Facebook friends trapped overseas without any money. ... How do you tell the real from the surreal today?

Read more at the New York Times ...

New Inexpensive "Sniffer" Captures Keystrokes From Wireless Devices

TheRegister: Kit attacks Microsoft keyboards (and a whole lot more). ... Security researchers on Friday unveiled an open-source device that captures the traffic of a wide variety of wireless devices, including keyboards, medical devices, and remote controls. ...Keykeriki version 2 captures the entire data stream sent between wireless devices using a popular series of chips made by Norway-based Nordic Semiconductor. That includes the device addresses and the raw payload being sent between them. The open-source package was developed by researchers of Switzerland-based Dreamlab Technologies and includes complete software, firmware, and schematics for building the $100 sniffer.

Read more at The Register ...

Would You Have Spotted this ATM Fraud?

 KrebsOnSecurity.com: The stories I’ve written on ATM skimmers — devices criminals can attach to bank money machines to steal customer data — remain the most popular at Krebs on Security so far. I think part of the public’s fascination with these fraud devices is rooted in the idea that almost everyone uses ATMs, and that it’s entirely possible to encounter this type of sneaky, relatively sophisticated form of crime right in our own neighborhoods. ... police in Alexandria, Va. — just a couple of miles to the East of where I reside — recently were alerted to a skimmer found on an ATM at a Wachovia Bank there.
 
 Read more at KrebsOnSecurity.com ...

Massachusetts Data Security Rules to Have National Impact

InternetLawCenter: Massachusetts sweeping data security regulations went into effect on March 1st. The regulations which are intended to provide “minimum standards” for safeguarding personal information for any businesses that own or sell personal data of Massachusetts residents. ... Companies possessing such data must develop and monitor a comprehensive written “Information Security Program,” designate an employee to be responsible for the Information Security Program,, implement training, establish policies regarding access to the data, use encryption and require that service providers comply with these requirements in all written contracts. The full regulations are available here. Consult your counsel for compliance requirements. Mass Data Security Regs.

Read more ...

Thanks to Bennet Kelley of ILC for this.

Monoprice.com Shuttered After Fraud Complaints

KrebsOnSecurity: Audio visual cabling giant monoprice.com shut down its Web site – possibly for the next couple of weeks – while it investigates the possible compromise of its customer credit and debit card information. ... Monoprice’s corporate page on Facebook.com features a number of interesting comments from customers, some of whom attributed recent fraudulent charges to the incident, while others are praising the company for being so forthcoming and providing continuous updates via Facebook.

Read more ...

Wyndham computers hacked into again for credit card names, numbers

USA Today: Hackers broke into computer systems at Wyndham Hotels & Resorts recently, stealing customer's credit card information, according to an IDG New Service article on CIO.com. Wyndham operates chains including Days Inn, Ramada, Super 8 and Howard Johnson. ... It's the latest sign that computer hackers continue to target hotel networks to obtain sensitive guest data, which they can then use to purchase stolen goods. Earlier this month, Hotel Check-In reported that hotels had become hackers' No. 1 target last year, hitting hotels even more than banks and other financial service company sites.

Read more ...

Consumer Electronics Company Agrees to Settle Data Security Charges; Breach Compromised Data of Hundreds of Consumers

FTC: An online seller of computer supplies and other consumer electronics has agreed to settle Federal Trade Commission charges that it violated federal law by failing to provide reasonable security to protect sensitive customer data. ... According to the FTC’s complaint, Compgeeks.com (Compgeeks), which operates the www.geeks.com Web site, and its parent company, Genica Corporation (Genica), collect sensitive information from consumers to obtain authorization for credit card purchases. ... In January 2008, media reports revealed a data breach at the company. It was later confirmed that hackers accessed the sensitive information of hundreds of consumers. ... The proposed settlement ... requires them to implement and maintain a comprehensive information-security program that includes administrative, technical, and physical safeguards. It also requires the companies to obtain, every other year for 10 years, an audit from a qualified, independent, third-party professional to ensure that the security program meets the standards of the order. In addition, the proposed settlement contains standard record-keeping provisions to allow the FTC to monitor compliance.

Read more ...

5 More Indicted in Probe of International Carding Ring

Threat Level; Wired Magazine: Five eastern European men were indicted in New York on Monday as part of an international ring allegedly responsible for at least $4 million in credit card theft.

The ring, which authorities dubbed the Western Express Cybercrime Group, operated between 2001 and 2007 and trafficked in at least 95,000 known stolen credit card numbers, including some belonging to victims in New York, where the case is being prosecuted by the Manhattan District Attorney’s office.

The ring allegedly operated an online carding forum called the International Association for the Advancement of Criminal Activity, where thieves trafficked in stolen credit card numbers and other information. The defendants also allegedly forged credit cards using stolen numbers, and turned them into cash with the unwitting help of eBay users.

http://www.wired.com/threatlevel/2009/09/westernexpress/

Hacker to Plead Guilty in Major Identity Theft Case

Washington Post: Computer hacker Albert Gonzalez accused of masterminding one of the largest cases of identity theft in U.S. history agreed Friday to plead guilty and serve up to 25 years in federal prison.

Albert Gonzalez of Miami was charged with conspiracy, wire fraud and aggravated identity theft in federal courts in New York and Boston. Court documents filed in federal court in Boston indicate that the 28-year-old agreed to plead guilty to 19 counts and to have the two cases combined in federal court in Massachusetts.

http://www.washingtonpost.com/wp-dyn/content/article/2009/08/28/AR2009082803779.html

U.S. payment-card industry grapples with security

BOSTON (Reuters) - Fresh details of large-scale cyber attacks against data processor Heartland Payment Systems Inc and supermarket chain Hannaford Brothers show the challenges facing the efforts of the U.S. credit-card industry to upgrade security measures.

The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research.

http://www.reuters.com/article/technologyNews/idUSTRE57N46F20090824

TJX Hacker Indicted in Heartland, Hannaford Breaches

Brian Krebs; Washington Post: A federal grand jury has indicted three individuals for allegedly hacking into credit and debit card payment processing giant Heartland Payment Systems last year, as part of an investigation the Justice Department is calling the largest identity theft case ever prosecuted.

http://voices.washingtonpost.com/securityfix/2009/08/heartland_payment_systems_hack.html

Average cost of a data breach in 2008 grew to $202 per record, Ponemon Study Says

DarkREADING: Data Breach Costs Rose Significantly In 2008, Ponemon Study Says. Companies report average loss of $6.6 million per breach, study says.

The average cost of a data breach in 2008 grew to $202 per record compromised, an increase of 2.5 percent since 2007 ($197 per record) and 11 percent compared to 2006 ($182 per record), according to the study. The average total cost per reporting company was more than $6.6 million per breach -- up from $6.3 million in 2007 and $4.7 million in 2006 -- and ranged from $613,000 to almost $32 million.

http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=213000466