Accounting.

And fraudsters these days are likely to walk away with a six-figure haul. The median fraud loss for U.S. organizations is $105,000, according to the Association of Certified Fraud Examiners’ just-released 2010 Report to the Nations.

There’s plenty of technology out there that can help thwart would-be company thieves. Insisting on proper oversight of Finance computers and monitoring activity on them can be a good start.

But often, the best defense is a good offense. If you know what to watch out for,  you can minimize your risk throughout the organization. Patterns for who to keep an eye on emerge from the Report to the Nations.

The typical corporate fraudster in 2010 is:

• male
• between ages 36 and 45
• with your company for 1-5 years
• with a college degree
• an employee (vs. a manager, though that gap is extremely narrow), and
• working in Accounting.

Of course, remind IT staffers these are just typical patterns. And be sure to emphasize that no one is to be singled out and “watched” without probable cause. Otherwise “investigating” could easily cross the line into a witch hunt.

Info: To download the entire ACFE Report to the Nations, go to www. acfe.com/RTTN/2010-highlights.asp

That’s good news for the makers of the encryption software that the authorities have been trying, and failing, to hack.

The FBI was enlisted to help after the Brazilian  National Institute of Criminology (INC) failed to crack the passphrases used to secure the drives of suspect banker, Daniel Dantas.

It seems Dantas was the belt and suspenders type who used two programs to encrypt the drives, one of which was the much-used and free open source program TrueCrypt.

Experts in both countries have been trying for months to figure out the passphrases using a dictionary attack, a technique that involves trying out large numbers of possible character combinations until the correct sequence is found.

But no luck.

So yes, this is good news for Dantas and anyone else out there who’s looking to protect data from prying eyes.

Another TrueCrypt feature that should be appealing (especially to finance folks who might like to hide the fact that the data even exists) is the “deniable file system” approach to encrypting whole hard drives. With this design, the existence of the encrypted partition isn’t apparent to anyone looking at the drive.

Data? What data?

ATMs, which revolutionized the way bank customers access their cash, haven’t just added billions in fees  to banking coffers, they’ve also drastically reduced the costs associated with human tellers doing those transactions.

Now, a savvy and well-known hacker claims to have created a multi-platform rootkit for the machines. What’s more, he plans to unveil it to the world this summer with a talk he’s calling “Jackpotting Automated Teller Machines,” at the Black Hat security conference in Las Vegas, July 28 and 29.

Security researcher Barnaby Jack touts his talk this way: “I’ve always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I’ve got that kid beat.

“The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software.

“Last year, there was one ATM; this year, I’m doubling down and bringing two new model ATMs from two major vendors. I will demonstrate both local and remote attacks, and I will reveal a multi-platform ATM rootkit. Finally, I will discuss protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.”

Jack had planned to deliver a talk at the conference on the security vulnerabilities of ATMs, but his appearance was canceled at the last minute when his employer, Juniper Networks, feared what he had to say might be misused by the unscrupulous.

To get around that particular muzzle, Jack’s switched employers and now works for the computer security services firm IOActive.

Bank security teams may want to be sure to take a listen when Jack talks at Black Hat. Claiming due diligence in the face of these new security threats might be tough if thieves are able to pick up on Jack’s tricks.

For more on the conference and its presenters, visit here.

One of the big downsides to Paypal is also one of its strengths: A lot of people use it. Easy and convenient, all it really takes to get set up with Paypal is an e-mail address and a pulse. The simplicity also makes Paypal a prime target for hackers and cyberthieves who routinely target the site for their activities.

Associating with a site that has routine security breaches could tarnish a business’s image — and for an organization that depends on a squeaky clean reputation (attorneys, physicians, dentists, accountants, etc), that’s to be avoided.

For many businesses, however, the price of accepting credit card payments can far exceed Paypal costs. Although Paypal charges transaction fees that are similar to those of a credit card company, businesses can save in overhead and personnel costs by using the online service because they don’t have to:

• Pay monthly service fees
• Hire staff to process card payments
• Rent card machines to perform transactions, or
• Install a separate phone line for credit card machines.

One caution: Professionals need to make sure that the way Paypal functions doesn’t conflict with any professional ethics guidelines.

Criminals are successfully attacking small and mid-size company bank accounts at an unprecedented rate. On top of this, banks aren’t doing as much as they could to intercept fraudulent activity or reimburse customers who are victims. The result:

Many of these businesses are firing their banks after thieves break into their accounts.

That’s conclusion of a recent report by the folks at Guardian Analytics and the Ponemon Institute, two online security firms.

“Banks have a new troubled asset — their customers,” said Terry Austin, CEO, Guardian Analytics. “The survey data proves that financial institutions are failing to protect the small and medium businesses that are at the heart of our economic recovery. [Small and mid-size businesses] are fed up with the banks that are leaving them vulnerable to fraud and not reimbursing them when they are attacked. Banks that do not improve their fraud prevention practices will lose customers and hurt their own recovery.”

The jointly produced 2010 Business Banking Trust Survey points out where security, communication and trust have deteriorated between SMBs and their banks.

It also shows how a breakdown of trust is hurting everyone involved.

Some highlights (or rather, lowlights) of the fraud report:

1. Attack Rate: 55% of businesses reported they were hit with fraud in the last year; 58% of the fraud involved online banking activities
2. Detection Rate: 80% of banks didn’t manage to catch the fraud before the money was moved
3. Loss Recovery: 87% of the time, the money was long gone and the bank couldn’t get it back
4. Loss reimbursement: 57% of companies that had their accounts targeted were not fully compensated by their banks; more than a quarter of the victims (25%) got no compensation at all for their losses
5. Customer churn: These losses and the banks’ actions both before and after the attacks caused 40% of businesses targeted to switch banks after the fact, and
6. Transparency: 24% of businesses said their banks didn’t provide a policy that explained the bank’s responsibilities regarding security and protection of accounts; 39% of customer businesses didn’t even know if their bank had such a policy.

So the question for banks becomes this: How much will it cost to put better safeguards in place and beef up security for the institution versus how many commercial clients (and their assets) will be lost if banking fraud goes undetected and continues to rise?

Commercial customers need to find out what their banks’ policies are regarding fraud, reimbursement and responsibility when it comes to these cybercrimes.

We posted a story not too long ago about a bank that was actually suing a customer that had been victimized by fraud.

The bank wanted a court to confirm — for the record — that it had done everything possible to prevent the fraud.

The bottom line is that banks won’t just automatically replace money swiped from your account using online banking. Unlike the traditional bank robbery — where a crook either breaks into the vault or holds up a teller at a bank branch — banks are now claiming that the thieves had accomplices in the crimes.

And the accomplices are the victims  — their very own customers.

Are banks starting to feel more like casinos these days than guardians of assets? You know, the house, er bank, can’t lose because they make the rules. And all risk is on the player, not the folks who are running the games of chance.

While online banking has grown in popularity over the years and has saved banks billions of dollars in brick and mortar branches, personnel and other costs, it seems that these institutions are  doing as much as they can to push off the risk of these technology-driven transactions onto the customers that support them.

Will banking reform legislation tackle these problems as well? Your thoughts?

On second thought, don’t take the case. Stay as far away from something like this as you can.

In a nutshell: An Alaska fisherman suddenly found an extra $230,000 in his credit union account. The money was intended for his employer, which had an account at the same place but with a number than was one digit different from the fisherman’s account number.

It was a simple mistake that can happen during a wire transfer, and it would have been simple to fix if the fisherman hadn’t gotten overly excited by the number of zeros following $23.

Seems the euphoric fellow bought himself a new car and wardrobe, then checked into a hotel with his girlfriend, who was also pretty excited by  her boyfriend’s newfound prosperity.

In celebration, the girlfriend got knee-walking drunk, started raising a rukus and prompted a visit by the cops.

The newly well-heeled fisherman blabbed about his good fortune to the peace officers who’d been alerted by investigators about the source of the man’s good fortune.

Lesson: If a bank’s computer accidentally gives you money, don’t even think that it belongs to you. Just think of it as misplaced and alert the institution of its whereabouts.

The company teamed up with the independent research firm Sperling’s BestPlaces to come up with the U.S. metro areas where computer users are most vulnerable to cybercrime.

Dare we also suggest that the research will also be a great marketing map for the folks at Symantec?

In order, the most dangerous U.S. cities online are:

1. Seattle
2. Boston
3. Washington, DC
4. San Francisco
5. Raleigh, NC
6. Atlanta
7. Minneapolis
8. Denver
9. Austin, TX
10. Portland, OR

Researchers came up with the rankings by looking at Symantec’s Security Response data on cyberattacks and malware infections along with third-party data about things like local online behavior — stuff like WiFi hotspot access and online shopping.

Seattle, one of the country’s most beautiful and livable cities,  took top honors by scoring big in research categories like cyberattacks and potential infections. The city also has lots of online shoppers and bankers, plus it’s full of wireless Web access (think about all those Starbucks full of coffee-drinking Internet addicts.)

Boston and Washington, D.C., likely ranked high, say the Symantec folks, because both cities are rife with WiFi hotspots.

Both Raleigh and San Francisco — two tech-savvy cities — also draw lots of attention from cybercriminals, which goes to show that even folks who know what they’re doing with technology aren’t immune from online risks. San Francisco has the most WiFi hotspots per capita in the nation.

Atlanta made the top 10 because its citizens experience the most cyberattacks and potential infections. Minneapolis and Portland ranked high because of their “risky behavior” scores.

And Minneapolis and Portland made the list for being consistently vulnerable across the board. Many things done well, I guess, or should we say badly?

Norton’s advice: As you can imagine, their top tip is to use software that provides comprehensive and legitimate protection against attacks. Let’s think about who makes that kind of software.

They also recommend regular and timely operating system and software patches along with staying up to date on the most recent threats and attack vectors.

But you knew that already.

And in case you were wondering, the official list has 50 U.S. cities on it. The distinction of being No. 50 goes to one of the country’s most crime-riddled metro regions — Detroit. Go figure.

To see the full list, visit here.

The whistle blowers at Cryptome managed to annoy both the world’s most powerful software company and the Web’s big money changer all in one fell swoop recently by publishing a top-secret Internet surveillance guide normally shown only to law enforcement agencies.

The 22-page Global Criminal Compliance Handbook is full of info gathered by Microsoft from its Windows Live services, including Hotmail, Messenger, MSN Groups, and even Xbox Live.

The guide goes into some fascinating detail about customer info that Microsoft hangs onto.  It also details how the info can be  available to police and security services.

Of course, Microsoft wasn’t keen on the public knowing this and convinced the site host to take it down — which happened temporarily.

Then PayPal got into the act and cancelled Cryptome’s account, claiming that the site violated PayPal’s Acceptable Use policy by participating in illegal activity.

But then PayPal users got into the act and starting dumping their accounts in protest. Cryptome managed to convince them that none of their activities were illegal,  just pretty annoying to the rich and powerful (which in some circles can be construed as illegal.)

Bottom line: Cryptome is back online and its PayPal account’s been restored — albeit after a week of hassles.

PayPal thinks they may have found one and they’re recommending it to their users. The online payment service  says Iconix eMail ID can protect customers by visually identifying genuine messages. Once a customer installs the software, they’ll see an icon (a gold lock with a check mark) next to a PayPal logo whenever they receive authentic e-mail messages from the firm.

The free program works with most of the major e-mail services like Gmail, MSN Hotmail, Windows Live Hotmail, Yahoo Mail, Outlook and Outlook Express.

Check out the PayPal notice to users here

Here’s a link to the Iconix site where you can download the free software.

Sweden has overtaken the United States in the annual survey of 50 countries around the world. The United States had held the top spot, but this year Sweden dominated by scoring strongly in two big areas: broadband deployment and skilled workers.

Frequent use of internet banking, internet commerce and e-government were also cited.

Sweden took over first place after finishing second last year to its U.S. competition. Norway, which had placed fifth on the 2009 Scorecard, moved up to third place for 2010. (It should be noted that Norway has also weathered the global economic meltdown much better than most countries. This may mean that Norwegians have had more money to spend on their IT infrastructure and advancements.)

As a matter of fact, except for the U.S. coming in at No. 2, the Scandinavians dominated the six top spots with Denmark, the Netherlands and Finland taking over spots four through six.

After that,  Australia, the United Kingdom, Canada and Japan rounded out the top 10.