[This should make you feel better about GAK] New York Times: Thursday, November 21, 1996 Social Security Workers Held In Frauds Using Credit Cards By LYNDA RICHARDSON Federal officials announced the arrests of a group of Social Security Administration employees Wednesday, charging them with passing confidential information on at least 1,000 people to credit-card thieves for bribes as little as $10. Under the scheme, the employees would give out confidential information that would allow the credit-card thieves to use the cards when they made purchases. The authorities think the thieves were able to obtain the cards by stealing them through the mail, in some cases. The authorities said six current or former employees and a former security guard with the agency were arrested Tuesday in the scheme, which resulted in at least $10 million in losses to credit card issuers from October 1995 to this June. The credit card issuers are Citibank, Visa and Mastercard. The employees were charged with bribery and misuse of a government computer, and face prison terms of 2 to 15 years and fines up to $250,000. The arrests resulted from a federal investigation that began in February into what computer experts say may be one of the biggest breaches of security of federal government data on residents. Officials said 20 people have been arrested, including 10 current or former employees of the Social Security Administration. The scheme was first detected in February by Citibank, which noticed an unusual amount of fraudulent charges on credit cards it had mailed to customers but that the customers said they had not received, officials said. Like many banks, Citibank has a security procedure that requires customers who receive new cards to activate them by calling a toll-free telephone number and provide some personal information, like their mother's maiden name, to activate the credit card. The bank discovered that its security system had been foiled in dozens of cases in which cards were activated by someone who was not the cardholder but had access to the cardholder's mother's maiden name. Investigators for the Social Security Administration, which keeps files of maternal maiden names and records the identification number of employees who call up files, determined that an employee at the Brooklyn Social Security office had illegally looked at the personal records of nearly two dozen people and sold the information to conspirators, who activated credit cards, said Philip A. Gambino, an agency spokesman. Based on information from that employee, the agency identified several other employees who had illegally released confidential information, often in exchange for bribes. Those arrested this week were described as low-level workers, including claim representatives and clerks. In 1,000 cases, credit cards were activated using information illegally provided by the government employees, Gambino said. ``Most have been fired and the others are in the process of being fired,'' he said. Officials said the thieves who approached the Social Security employees already had access to Social Security numbers and wanted the numbers run through the agency's database. Social Security numbers are the closest thing to a universal identifier that Americans have, and are widely available from public sources like college and employee ID cards and hospital tags, and even driver's licenses in more than 30 states. The investigation has resulted in the arrests of nine people, including seven Nigerians, who are accused of receiving or using the stolen confidential information to commit various types of credit card fraud, said Brian F. Gimlett, the special agent in charge of the Secret Service in New York. He said the stolen or reissued credit cards were used to buy merchandise, obtain cash advances and line-of-credit checks and make illegal withdrawals from automated teller machines. Gimlett said the conspirators who approached the government workers were not part of an organized crime ring. ``Actually, most were individual operations, but doing the same type of crime,'' he said. ``This is another example of greedy people finding new ways to compromise the security systems to financially gain from credit card fraud and other types of fraud.'' EFT Report: November 20, 1996 Micro Card Targets U.S. Smart Card Market Bull CP8 Transac, of France, says it wants to help U.S. banks issue smart cards through its U.S. subsidiary, Micro Card Technologies, of Billerica, Mass. The company believes that 60 percent of the smart card opportunity resides here, says Gerald Hubbard, vice president of marketing. That market is expected to grow to a total of about $100 million to $200 million by the year 2000, according to industry figures. Debit and stored-value cards are targeted as the first smart-card applications to be issued in the United States. As a result, Micro Card is forming alliances throughout the card industry to penetrate the U.S. market. It recently partnered with NBS, of Plainfield, N.J., one of the nation's largest card manufacturers. Bull's strategy is similar to that of its competitors, says Ben Miller, president of CardTech/SecurTech in Bethesda, Md. All the world's major smart card firm are bringing smart card capabilities in from offshore and have set up acquisitions or partnerships with U.S. card manufacturers to build strength and confidence from American bankers, Miller says. Schlumberger, also of France, recently bought Malco. The existing manufacturing facilities are secure and card association compliant, helping the companies earn industry trust. The firms, in turn, receive an existing revenue stream from the magnetic stripe sales, Miller says. Micro Card claims it has the longest U.S. history of its competitors. It set up shop here in 1984 and has since participated in several smart card closed-system initiatives. For example, U.S. Marine Corp.'s recruits in Parris Island, S.C., receive their pay on CP8 Micro Cards, which are accepted at post exchanges for cash withdrawals and purchases. Micro Card also has been selected to provide half of the card readers in the Citibank and Chase Manhattan Bank smart card pilot in New York. Micro Card sells readers, encoders and several different types of cards ranging from the basic one-issuer, multiple-application system, called SCOT, to its high-end electronic purse card that can handle multiple applications from several unconnected service providers, says Hubbard. Its crypto card uses public key cryptography to secure transactions, Hubbard says. Micro Card's systems all contain microprocessors and comply with Europay, MasterCard and Visa (EMV) standards as well as International Standards Organization specifications, he adds. Micro Card also is partnering with Redmond, Wash.-based Microsoft and several smart card vendors to develop integration standards for smart cards and personal computers. Evening Standard (London): Monday, November 18, 1996 Smart Card Code is Cracked By Flora Hunter A Cambridge scientist has broken the smart card code, casting doubt over the card's future as the ultimate security device. Dr Ross Anderson's work, published today, has been kept secret for six months to allow institutions such as the Bank of England to review security. The Cambridge University computer expert claims his methods of accessing information from smart cards, which were previously thought impenetrable, could be used by organised criminals using simple equipment. He is warning banks and other financial institutions to rethink their security operations, as his breakthrough could lay bare the private financial secrets of everyone from governments to the holders of High Street bank accounts. Smart cards are used as identity tokens in satellite TV cards and bank cards. They are also used as top-level security passes at nuclear installations. The Government recently announced plans to store information such as driving licence, tax, social security and pension details on individual smart cards. Today, Dr Anderson said: 'For a number of years these smart cards and processors have been marketed as tamper-proof. If you try and get into their chip using whatever method, they are supposed to be inaccessible. 'We have developed techniques that can get into most of these smart cards and I believe they can all be accessed. Banks are moving away from magnetic cards towards smart cards to improve security but they are going to have to think again. 'They are going to have to rethink their whole security process because we have shown the security processors can be attacked with the kind of equipment available to any undergraduate. 'Organised criminals could use the techniques to cause disaster to financial institutions.' Smart cards can store information on a tiny microchip embedded in the plastic which lets the user access electronic and computer systems. Banks and other financial institutions must now make immediate changes to their sophisticated security systems, which could cost millions of pounds. In conjunction with an American colleague, Dr Anderson has perfected techniques that could cause havoc. Dr Anderson said: 'We have been in consultation with the Bank of England and various national intelligence agencies. We agreed to postpone publishing our paper to give them a chance to look at the findings. A lot of people have put all their eggs in one basket by relying on smart cards for security. Now the basket has been tipped over.' American Banker: Thursday, November 21, 1996 Wells, 31 Others Ease Downloading of Account Data from Internet By DREW CLARK Wells Fargo & Co. and 31 community banks and credit unions announced that their customers will be able to download account information from the Internet with the click of a button. The technology is one of the first uses of Microsoft Corp.'s set of standards for electronic financial connections, which were introduced last March. Called Active Statement Technology, advocates say that it will simplify the process of transferring account files from the World Wide Web to personal financial software programs. Making data on Web sites easier to download is likely to encourage banking customers to go to the sites, industry observers said. That, in turn, would offer banks more chance to promote their services on the Internet. "Today we offer both our Quicken and our Microsoft Money customers the ability to download information into their software spreadsheets," said Wells Fargo spokeswoman Janet Otsuki. But the features of Microsoft's new technology "will allow Money customers to have a more direct and more efficient downloading experience." The benefits of that arrangement are hardly accidental from the standpoint of Microsoft, which has been aggressively battling Intuit Inc. for a greater share of the personal financial software market. Intuit's Quicken leads Money by 75% to 20%, according to a recent independent consumer study. Microsoft offers its technology for free to all financial institutions, and it encourages banks to link their Web sites so that their customers will find a trial offer for the Money product. Competing Web browsers will be able to download financial data, but Microsoft Money 97 is the only financial software able automatically to receive the information. "We expect this will be a de facto technology that any bank would want to incorporate," said Matthew Cone, a business development manager at Microsoft. Others familiar with Active Statement Technology said the program's ability to recognize information that has already been recorded offers a crucial advantage over the widely used Quicken Import Format. "Comparing the Quicken Import Format to (Microsoft's technology) is like comparing apples to oranges," responded Intuit senior vice president Eric Dunn. "Automatic reconciling has been possible in both Quicken and Money for over a year." By now, 275 financial institutions offer some form of PC banking, and 46 let customers gain access to their accounts from the Web, according to the Seattle-based Online Banking Report. But encouraging customers to come over via the Web may hold benefits for banks. "Instead of starting with Money or Quicken, customers start at the bank's Web site," said Paul Fiore, chief executive of Digital Insight. The Camarillo, Calif., company has helped 28 credit unions develop transactional Web sites. Without having to pay Microsoft for a direct connection, all those institutions now offer their customers the ability to download their finances easily into Money 97. How soon will that affect consumers at those institutions? Cathi Cavanagh, home banking coordinator at the Plano, Tex., Community Credit Union, is already watching: "I am personally going to look to see if people are converting from Quicken to Microsoft Money."