Wednesday, May 06, 2009

Phishing Scams

US FINRA recently fined Centaurus Financial, Inc. (CFI) USD 175,000 for its failure to protect certain confidential customer information. Centaurus was also ordered to notify affected customers and their brokers and to offer these customers one year of credit monitoring at no cost.

From April 2006 to July 2007, CFI failed to ensure that it safeguarded confidential customer information. Its improperly configured computer firewall - along with an ineffective username and password on its computer facsimile server - permitted unauthorized persons to access stored images of faxes that included confidential customer information, such as social security numbers, account numbers, dates of birth and other sensitive, personal and confidential data. The firm's failures also permitted an unknown individual to conduct a "phishing" scam. When CFI became aware of the phishing scam, the firm conducted an inadequate investigation and sent a misleading notification letter to approximately 1,400 affected customers and their brokers.

On 15 July 2007, CFI's fax server was used by an unauthorized third party to host a phishing scam. Phishing scams are designed to trick computer users into divulging personal information such as usernames, passwords and bank and credit card information. A file simulating a popular Internet auction site was uploaded to CFI's fax server and over a three-day period there were 894 unauthorized logins by 459 unique IP addresses, most of them from recipients of a mass email sent by the perpetrators of the scam.
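The pattern FINRA describes, a look-alike login page dropped onto a server that was never meant to serve the public, followed by a burst of credential submissions from many unrelated source addresses over a few days, is visible in ordinary web server access logs. The script below is an added illustration for this post, not code from CFI, FINRA or the fax server vendor, and the page does not say what software the fax server ran; it assumes an Apache-style combined access log and uses a small constructed log sample (RFC 5737 test addresses, made-up paths) rather than any real CFI data. It groups POST requests by path, counts distinct client IPs, and notes whether something was written into the same directory shortly before, which is the signature of an uploaded phishing kit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): an attacker PUTs a fake auction-site
# login page into the fax image directory, then victims of a mass mailing
# POST their credentials to it. The /admin/login lines are normal traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jul/2007:08:01:12 +0000] "PUT /faxes/ebay/index.html HTTP/1.1" 201 0
203.0.113.7 - - [15/Jul/2007:09:14:03 +0000] "GET /faxes/ebay/index.html HTTP/1.1" 200 4311
203.0.113.7 - - [15/Jul/2007:09:14:40 +0000] "POST /faxes/ebay/login.php HTTP/1.1" 302 0
198.51.100.20 - - [15/Jul/2007:09:20:11 +0000] "POST /faxes/ebay/login.php HTTP/1.1" 302 0
198.51.100.21 - - [15/Jul/2007:09:21:55 +0000] "POST /faxes/ebay/login.php HTTP/1.1" 302 0
198.51.100.20 - - [15/Jul/2007:09:25:02 +0000] "POST /faxes/ebay/login.php HTTP/1.1" 302 0
192.0.2.9 - - [15/Jul/2007:10:02:30 +0000] "POST /faxes/ebay/login.php HTTP/1.1" 302 0
192.0.2.44 - - [15/Jul/2007:10:03:01 +0000] "POST /faxes/ebay/login.php HTTP/1.1" 302 0
10.0.0.8 - - [15/Jul/2007:10:10:00 +0000] "POST /admin/login HTTP/1.1" 200 512
10.0.0.8 - - [15/Jul/2007:11:10:00 +0000] "POST /admin/login HTTP/1.1" 200 512
"""

# Apache combined-log request line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def summarise_posts(log_text):
    """Per POST path: request count, distinct client IPs, first/last time.
    Also records which directories received a successful PUT (file upload)."""
    stats = {}
    uploads = defaultdict(set)  # directory -> IPs that wrote into it
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        directory = rec["path"].rsplit("/", 1)[0]
        if rec["method"] == "PUT" and 200 <= rec["status"] < 300:
            uploads[directory].add(rec["ip"])
        if rec["method"] != "POST":
            continue
        s = stats.setdefault(
            rec["path"], {"posts": 0, "ips": set(), "first": rec["ts"], "last": rec["ts"]}
        )
        s["posts"] += 1
        s["ips"].add(rec["ip"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return stats, uploads


def flag_phishing_pages(log_text, min_posts=5, min_ips=3, window=timedelta(days=3)):
    """Flag POST targets hit by many distinct IPs within a short window.
    Thresholds are assumptions for the sample; tune them to the server's
    normal traffic (a real fax server should see almost no public POSTs)."""
    stats, uploads = summarise_posts(log_text)
    flagged = {}
    for path, s in stats.items():
        if s["posts"] < min_posts or len(s["ips"]) < min_ips:
            continue
        if s["last"] - s["first"] > window:
            continue
        directory = path.rsplit("/", 1)[0]
        flagged[path] = {
            "posts": s["posts"],
            "unique_ips": len(s["ips"]),
            "span_hours": round((s["last"] - s["first"]).total_seconds() / 3600, 2),
            "recent_upload_into_dir": bool(uploads.get(directory)),
        }
    return flagged


if __name__ == "__main__":
    for path, info in flag_phishing_pages(SAMPLE_LOG).items():
        print(path, info)
```

On the sample the only flagged path is /faxes/ebay/login.php (6 POSTs from 5 addresses, with a PUT into the same directory beforehand); the administrator's two logins to /admin/login fall below both thresholds. Run against a real log, the "unique_ips" figure is the number FINRA cited (459 over three days), and the upload flag points at how the kit got there, which is exactly the detail a breach notice should state rather than omit.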

Following the discovery of the phishing scam, CFI sent a misleading letter to approximately 1,400 customers and their brokers, inaccurately stating that the unauthorized access was limited to one person and that information on the server was not openly available. The letter failed to state that other unauthorized logins had occurred and did not inform the customers that the unauthorized access was made possible by the inadequate firewall and weak username ("Administrator") and password ("password") on its computer fax server.


Phishing scams are a serious problem, but concealing the true scope of a breach from the people it affects is even more serious.
