PC viruses plague wire-transfer shops

• Article
• Comments ()
• Click-2-Listen
• Videos

By Jordan Robertson ASSOCIATED PRESS

SAN FRANCISCO — For immigrants who send money to their home countries, wire-transfer shops are backbones of their neighborhoods. On some blocks in San Francisco's Mission District, every third or fourth business might offer some sort of money transfer service, and they're always bustling, even on a Sunday morning.

The customers probably don't suspect one danger that apparently often lurks in the storefronts: a startling number of viruses on the computers used to transmit their financial information.

Some 60 percent of the PCs examined in 300 wire-transfer businesses in Los Angeles and Las Vegas were infected with nasty viruses, according to a study due to be released Thursday by Spanish software vendor Panda Security.

The viruses Panda found included the worst kinds: keyloggers that record the users' every keystroke, and other types of malicious programs that give hackers backdoor access to the compromised machines. Some infected machines held troves of private data, from Social Security numbers to credit card numbers to tax documents.

The study wasn't able to determine whether any information had been successfully stolen because of the infections, which likely got onto the computers from everyday Web surfing by wire-transfer store employees. Researchers said the findings should serve as a warning that there are significant weaknesses in the shops.

"It's a disaster waiting to happen," said Carlos Zevallos, the lead researcher.

Wire transfers typically require that money senders provide limited personal information, such as a name and a telephone number, but the centers' PCs were still rich sources of information because remittance shops are eclectic businesses. Although many are mere check-cashing places, with stark waiting rooms with no chairs and clerks behind bulletproof glass, others double as something else, selling everything from soccer jerseys, furniture and flowers to tax preparation and passport photos.

When those side businesses operate on the same Internet-connected computers as the wire-transfer transactions, hackers might find a gold mine. Panda's researchers believe the infections they discovered because of the remittance centers' poor security controls could let criminals intercept money transfers - and cash them out themselves.

"It's pretty chilling," Mr. Zevallos said. "It's the equivalent of having a store with a broken window in a bad neighborhood with a bunch of stuff in there - sooner or later someone's going to come by and pick it up."

Mr. Zevallos said the infections reflect what can happen when any business gives its employees unrestricted access to the Internet without proper security software and hardware. But remittance businesses or their customers might be especially vulnerable targets, given how much money they transfer. The Inter-American Development Bank estimates that remittances to Latin America and the Caribbean, mostly from the United States and Spain, will top $67 billion this year.

The money transfer industry played down the threat. David Landsman, executive director of the National Money Transmitters Association, pointed out that most transactions are for less than $300, which makes the hassle of intercepting a transfer and forging an ID and getting someone in place to steal the delivery potentially more costly than the crime is worth.

"If an identity thief is looking for waters to troll in, these would not be very rich waters," Mr. Landsman said. "It's not that we're not concerned about our customers' data being secured. We just don't think this is a likely target. It wouldn't make sense."

Mr. Landsman said the industry's security policies are sufficient. He noted that the big money-transfer companies are heavily regulated by state auditors, including their computer security. The money transmitters usually provide encryption technology and proprietary software on remittance agents' machines to shield the transfers themselves from prying eyes, although oversight after that is limited.

Indeed, the study didn't find any weaknesses in the way the transfers themselves were handled. However, protections on those transactions might mean less if a hacker could log employees' every keystroke.