Entries Tagged "banking"
Page 6 of 18
Protecting against insiders is hard.
Kluger and two accomplices—a Wall Street trader and a mortgage broker—allegedly stole and traded on material nonpublic information about M&A deals over a period of 17 years, according to federal authorities. The trio, facing charges from the U.S. Securities and Exchange Commission and the Department of Justice, allegedly made at least $32 million from the trades….
Kluger had access to information on M&A deals in Wilson Sonsini’s DMS, but he did not open the documents to avoid leaving an audit trail that could possibly expose the scheme, prosecutors assert. Instead, he conducted searches and perused titles. “Kluger looked for board resolutions, press releases, and merger agreements because the titles of these documents revealed that specific companies were involved in pending mergers and acquisitions,” the charges state….
Remember, when people fill out the titles of documents, they are thinking about how to make the document easier to find, not about how to conceal information. Even if the firm uses code names, as was the case in the Wilson Sonsini files, it’s often easy to figure out the codes.
One of the pleasant side effects of being too busy to write longer blog posts is that—if I wait long enough—someone else writes what I would have wanted to.
The ruling in the Patco Construction vs. People’s United Bank case is important, because the judge basically ruled that the bank’s substandard security was good enough—and Patco is stuck paying for the fraud that was a result of that substandard security. The details are important, and Brian Krebs has written an excellent summary.
EDITED TO ADD (7/13): Krebs also writes about a case going in the opposite direction in a Michigan court.
Interesting research: Kirill Levchenko, et al. (2011), “Click Trajectories—End-to-End Analysis of the Spam Value Chain,” IEEE Symposium on Security and Privacy 2011, Oakland, California, 24 May 2011.
Abstract: Spam-based advertising is a business. While it has engendered both widespread antipathy and a multi-billion dollar anti-spam industry, it continues to exist because it fuels a profitable enterprise. We lack, however, a solid understanding of this enterprise’s full structure, and thus most anti-spam interventions focus on only one facet of the overall spam value chain (e.g., spam filtering, URL blacklisting, site takedown). In this paper we present a holistic analysis that quantifies the full set of resources employed to monetize spam email—including naming, hosting, payment and fulfillment—using extensive measurements of three months of diverse spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. We relate these resources to the organizations who administer them and then use this data to characterize the relative prospects for defensive interventions at each link in the spam value chain. In particular, we provide the first strong evidence of payment bottlenecks in the spam value chain; 95% of spam-advertised pharmaceutical, replica and software products are monetized using merchant services from just a handful of banks.
It’s a surprisingly small handful of banks:
All told, they saw 13 banks handling 95% of the 76 orders for which they received transaction information. (Only one U.S. bank was seen settling spam transactions: Wells Fargo.) But just three banks handled the majority of transactions: Azerigazbank in Azerbaijan, DnB NOR in Latvia (although the bank is headquartered in Norway), and St. Kitts-Nevis-Anguilla National Bank in the Caribbean. In addition, “most herbal and replica purchases cleared through the same bank in St. Kitts, … while most pharmaceutical affiliate programs used two banks (in Azerbaijan and Latvia), and software was handled entirely by two banks (in Latvia and Russia),” they said.
This points to a fruitful avenue to reduce spam: go after the banks.
Here’s an older paper on the economics of spam.
The well-preserved tally stick was used in the Middle Ages to count the debts owed by the holder in a time when most people were unable to read or write.
“Debts would have been carved into the stick in the form of small notches. Then the stick would have been split lengthways, with the creditor and the borrower each keeping a half,” explained Hille.
The two halves would then be put together again on the day repayment was due in order to compare them, with both sides hoping that they matched.
Note the security built into this primitive contract system. Neither side can cheat—alter the notches—because if they do, the two sides won’t match. I wonder what the dispute resolution system was: what happened when the two sides didn’t match.
EDITED TO ADD (5/14): In comments, lollardfish answers my question: “One then gets accused of fraud in court. In most circumstances, local power/reputation wins in fraud cases, since it’s not about finding of fact but who do you trust.”
This hack was conducted as a research project. It’s unlikely it’s being done in the wild:
In one attack, Wang and colleagues used a plug-in for the Firefox web browser to examine data being sent and received by the online retailer Buy.com. When users make a purchase, Buy.com directs them to PayPal. Once they have paid, PayPal sends Buy.com a confirmation message tagged with a code that identifies the transaction.
PayPal handles its side of the process securely, says Wang, but Buy.com was relatively easy to fool. First the team purchased an item and noted the confirmation code used by PayPal. Then they selected a second item on Buy.com but did not pay up. Instead, they used the code from the first transaction to fake a confirmation message, which Buy.com accepted as proof of payment.
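The Buy.com flaw above, modelled as an added example (not code from the researchers, PayPal or Buy.com): the merchant asks the payment provider whether a transaction code is real, but the vulnerable handler never checks that the provider's record matches the order it is about to mark paid, so a genuine code from a cheap purchase, wrapped in a forged confirmation message, settles an expensive one. The in-memory provider ledger, order store and `validate` lookup are assumptions standing in for PayPal's real interfaces.

```python
"""Simplified model of the confirmation-replay flaw described above (added example)."""


class PaymentProvider:
    """Stand-in for PayPal: records completed payments and answers validation queries.
    Assumption: a merchant can look up a transaction code and get the provider's record."""

    def __init__(self):
        self._completed = {}
        self._counter = 0

    def pay(self, order_id, amount):
        """Customer actually pays; returns the confirmation the merchant will receive."""
        self._counter += 1
        txn_id = f"TXN-{self._counter:04d}"
        self._completed[txn_id] = {"order_id": order_id, "amount": amount}
        return {"txn_id": txn_id, "order_id": order_id, "amount": amount}

    def validate(self, txn_id):
        """Merchant-side lookup; returns the provider's own record or None."""
        return self._completed.get(txn_id)


def vulnerable_handler(orders, provider, order_id, confirmation):
    """Checks only that the transaction code is real, which is the flaw in the story:
    a real code from any transaction is accepted as proof of payment for any order."""
    if provider.validate(confirmation["txn_id"]) is None:
        return False
    orders[order_id]["paid"] = True
    return True


def hardened_handler(orders, provider, consumed, order_id, confirmation):
    """Binds the confirmation to this order using the provider's record and rejects reuse."""
    record = provider.validate(confirmation["txn_id"])
    if record is None:
        return False  # unknown or forged code
    order = orders.get(order_id)
    if order is None:
        return False
    # Compare against what the provider says was paid, not against the fields in the
    # message the client delivered: the client can write anything into those.
    if record["order_id"] != order_id or record["amount"] != order["amount"]:
        return False
    if confirmation["txn_id"] in consumed:
        return False  # the same code must not settle a second order
    consumed.add(confirmation["txn_id"])
    order["paid"] = True
    return True


def run_replay(hardened):
    """Replays the attack from the article against one of the two handlers.
    Returns (paid status of the cheap order, paid status of the expensive order)."""
    provider = PaymentProvider()
    # Constructed sample orders: one cheap item that is paid for, one expensive one that is not.
    orders = {"order-A": {"amount": 20, "paid": False},
              "order-B": {"amount": 800, "paid": False}}
    consumed = set()

    # Step 1: pay for the cheap item and note the real confirmation code.
    real_conf = provider.pay("order-A", 20)
    # Step 2: select the expensive item, do not pay, and forge a confirmation
    # that reuses the real code with the new order's details.
    forged_conf = {"txn_id": real_conf["txn_id"], "order_id": "order-B", "amount": 800}

    if hardened:
        hardened_handler(orders, provider, consumed, "order-A", real_conf)
        hardened_handler(orders, provider, consumed, "order-B", forged_conf)
    else:
        vulnerable_handler(orders, provider, "order-A", real_conf)
        vulnerable_handler(orders, provider, "order-B", forged_conf)
    return orders["order-A"]["paid"], orders["order-B"]["paid"]


if __name__ == "__main__":
    print("vulnerable merchant (cheap paid, expensive paid):", run_replay(hardened=False))
    print("hardened merchant   (cheap paid, expensive paid):", run_replay(hardened=True))
```

The point of the hardened handler is where the comparison happens: checking the forged message's own `order_id` and `amount` against the order would still pass, because the attacker wrote those fields. Only the provider's record for that code, plus a consumed-code set, ties one payment to one order.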
This story is just plain weird. Regularly, damaged coins are taken out of circulation. They’re destroyed and then sold to scrap metal dealers. That makes sense, but it seems that one- and two-euro coins aren’t destroyed very well. They’re both bi-metal designs, and they’re just separated into an inner core and an outer ring and then sold to Chinese scrap metal dealers. The dealers, being no dummies, put the two parts back together and sold them back to a German bank at face value. The bank was chosen because they accept damaged coins and don’t inspect them very carefully.
Is this not entirely predictable? If you’re going to take coins out of circulation, you had better use a metal shredder. (Except for pennies, which are worth more in component metals.)
Yes, millions of names and e-mail addresses might have been stolen. Yes, other customer information might have been stolen, too. Yes, this personal information could be used to create more personalized and better targeted phishing attacks.
So what? These sorts of breaches happen all the time, and even more personal information is stolen.
I get that over 50 companies were affected, and some of them are big names. But the hack of the century? Hardly.
The thieves glue down the “enter,” “cancel” and “clear” buttons on the keypad and wait until the customer goes into the bank for help before withdrawing money from their account.
The robbed customers have already punched in their PINs when they realize the keypad buttons are stuck. The unwitting customers either do not know that they can use the ATM touchscreen to finish their transaction, or become nervous when the keypad isn’t working and react by leaving the ATM unattended….
This is a clever development in ATM skimming technology. It’s a skimmer that attaches to the ATM-room door lock, not the ATM itself. Combined with a hidden camera, it’s an ATM skimmer that requires no modification to the ATM.