thewayne: (Default)
It is indeed a doozy, perhaps the largest data privacy leak in history. Equifax has been collecting information on people for decades, and they do it without our express permission. But at the same time, they are used for credit scores and to generate bank decisions for our getting loans and such. Yet I never signed a contract with Equifax allowing them to collect information on me.

And they have, through zero fault of my own, personally screwed me over.

A couple of years ago my wife and I decided to shop car insurance. Our current insurer was doing some corporate shenanigans that we didn't care for, and it should have been possible to shave some bucks off our premiums, and it never hurts to shop. I called the car club AAA, we ran through my information, and they told me that they couldn't take me because I had three accidents on my record. I'm accident-free. Equifax had taken three accidents OF MY FATHER, whose name is Andrew Donald, and put them on my record, where my name is Donald Wayne. We lived at the same address some years back, but I was living in New Mexico at the time of the accidents and have never owned a Buick. As it happens, we were born in the same month, but not on the day and clearly not in the same year. No two digits in our birth date or year are the same. There's no reason to conflate us and put the accidents on to my record, except for pure sloppy processes.

So I have a pretty poor opinion of these credit bureaus.

What happened to Equifax is pretty simple. They built part of their web-facing infrastructure on an open source software package called Apache Struts. Like virtually all software, bugs are found and patches are issued. A particularly bad Struts bug (advisory S2-045, CVE-2017-5638, remote code execution through the file-upload handling) was patched in early March 2017, but Equifax never applied the fix, and the intruders were in Equifax's systems from mid-May through the end of July - approximately 2.5 months. Thus it is perfectly reasonable for Equifax to blame open source software for its breach. [sarcasm off] Struts is a server-side framework for Java web applications; it does not run in the browser. Updating it means swapping the framework library in every application that bundles it and then retesting and redeploying each of them, which for a company with hundreds of applications is a tremendous PITA, but it MUST be done, otherwise shit like this happens. Apparently some management at Equifax didn't like to pay overtime, and now they have to cope with a tremendous amount of shit.
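The "find every copy of Struts you ship" step is the one that bites, so here is an added example (my code, not Equifax's or Apache's) that walks an application tree, reads the version out of each bundled struts2-core jar, and flags the ones inside the affected ranges from the S2-045 advisory (fixed in 2.3.32 and 2.5.10.1). The directory layout and jar names it scans are constructed in a temp directory so the script runs offline; point scan_tree() at a real deployment root.

```python
"""Added example: inventory struts2-core jars and flag builds that predate
the fix for the March 2017 Struts bug (S2-045 / CVE-2017-5638).

Assumptions: the jar file name carries the version, as Maven-built jars do
(struts2-core-2.3.31.jar); the sample tree below is constructed purely so
the script runs offline."""
import os
import re
import tempfile

# Affected ranges from the S2-045 advisory; fixed in 2.3.32 and 2.5.10.1.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare numerically, so
    (2, 5, 10) < (2, 5, 10, 1) and '2.3.9' sorts before '2.3.31'."""
    return tuple(int(p) for p in text.split("."))


def is_affected(version):
    """True when a struts2-core version falls inside an S2-045 affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def scan_tree(root):
    """Walk root and return [(path, version, affected), ...] for every
    struts2-core jar found, so each bundling application shows up once."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if m:
                ver = m.group(1)
                findings.append((os.path.join(dirpath, name), ver, is_affected(ver)))
    return sorted(findings)


def build_sample_tree():
    """Constructed layout: three apps each bundling their own copy of Struts."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    for app, ver in (("disputes", "2.3.31"), ("portal", "2.5.10.1"), ("reports", "2.5.10")):
        libdir = os.path.join(root, app, "WEB-INF", "lib")
        os.makedirs(libdir)
        open(os.path.join(libdir, f"struts2-core-{ver}.jar"), "wb").close()
    return root


def affected_count(root):
    """How many bundled copies still need the patch and a redeploy."""
    return sum(1 for _p, _v, bad in scan_tree(root) if bad)


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, ver, bad in scan_tree(sample):
        print(("VULNERABLE " if bad else "ok         ") + ver + "  " + path)
```

Two caveats a practitioner would add: a jar-name check misses shaded or renamed jars, so for anything that matters also read META-INF/maven/org.apache.struts/struts2-core/pom.properties inside the jar; and a "fixed" version on disk helps nothing until the application that bundles it is actually rebuilt or redeployed, which is exactly the work Equifax skipped.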

In some late-breaking news from this afternoon, Equifax's Chief Information Officer and Chief Security Officer are both "retiring", proving that for once, shit started at the top. In "there is occasionally some justice, or perhaps there will be" news, the Federal Trade Commission is investigating the breach. It will be interesting to find out what they learn, assuming they ever issue a report. I wonder if Congress will hold public hearings. The breach is being compared by some news agencies to Enron. According to the Reuters story, "Shares of Equifax fell 2.4 percent on Thursday and trading volume hit a record high. The shares have lost 32 percent since the company disclosed the hack on Sept. 7.

Senate Democratic leader Chuck Schumer compared Equifax to Enron, the U.S. energy company that filed for bankruptcy in 2001 after revelations of a widespread accounting fraud."

But you see, this is not just a problem for people in the USA. Equifax holds information on people in Canada and Mexico, and Argentina, and possibly other Latin American countries. And the BBC is reporting that about 400,000 UK residents had information compromised in the theft, though Equifax says their exposure was minimal and should not lead to identity theft. Well, we'll see about that! In Argentina, an Equifax employee portal apparently used the highly [in]secure username/password combination of admin/admin.

This is one of my favorite stories, and it may be behind a paywall since it's from the Wall Street Journal. Here's the Slashdot summary:

Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies. That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans. Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.

The title of the story is "Equifax Lobbied for Easier Regulation Before Data Breach", by Michael Rapoport and AnnaMaria Andriotis. If you do a little searching, you might be able to find a copy.

Now, the breach itself is extremely bad. If you were compromised, and there's a very good chance that you were, then the information that was stolen includes your full name, Social Security number, date of birth, previous addresses, list of jobs, all sorts of amazing things. Information about you that never changes. Information about you that you use to apply for credit cards, loans, mortgages, JOBS. The best thing you can do is to approach all four credit bureaus (Equifax, Experian, TransUnion and Innovis) and put a FREEZE, not monitoring, but a FREEZE, on your credit. That means a lender cannot pull your file to open new credit in your name until you temporarily lift the freeze using the PIN or password the bureau gives you; lenders you already have accounts with can still see it. It's about the best that you can do. Brian Krebs has an excellent post that he has to pull out a few times every year to discuss this. Definitely worth a read. Me? I'm unemployed. Banks would have to be idiots to issue credit under my information, still, I plan on freezing my accounts.

But that's not the worst.

For reasons unknown, Equifax had credit card numbers for about 200,000 consumers, from transactions dating back to last November, sitting on their servers, apparently unencrypted. A massive violation of the PCI DSS rules, which require stored card numbers to be rendered unreadable.

And who knows, there may be more yet to come.

I won't bother providing links to the stories about surrendering your right to sue if you signed up for their monitoring service; that arbitration clause has been rescinded. There are at least two class-action lawsuits in development, along with a couple of state Attorneys General beginning investigations.

One more thing to mention: an op-ed by Bruce Schneier, a very well-known and respected expert on cryptography and security. He has some facts wrong; I think he wasn't as well-versed on the scope of the breach as perhaps he should have been when he wrote it. But at the beginning of the piece he talks about how the public are not customers of Equifax, we are what is being sold, and we have no say in the matter. And there are THOUSANDS of data brokers out there; we can't come close to naming all of them.

Equifax's feet will be in the fire for some time, I imagine.
thewayne: (Default)
The only good thing to say is that it appears that they have done the sensible thing of isolating their corporate network from their payment terminal network. The penetration happened approximately six months ago but was just detected in January. They're in the process of investigating and cleaning up their act.

Target, when they were hacked a few years ago, had not separated their network. Testers were able to access 2,000 cash registers by compromising a digital scale at a deli counter.

The sad thing is that a great many of the initial infections that lead to these breaches could be blunted by one thing: do not give users administrator access to their computers! Malware running as a plain user can still steal that user's files, but it can't install drivers, tamper with security tools or persist system-wide nearly as easily. There is no good reason why users should have admin, and if you have software that requires admin to run, then you need to hold the vendor's feet to the fire and force them to fix their bad code so it does not!

The other is for Microsoft to get off their butt and fix their stupid macro system! Macros hidden in Word documents and Excel spreadsheets are how most of these infections get started. This article has an excellent example: an email received by a hotel says we have a dozen people arriving for a week and this document contains the specifications of the rooms that we need. No hotel is going to hesitate to open a document that promises booking a dozen rooms for multiple days. Apparently the scammers will go to the trouble of registering a domain and building a web site to add verisimilitude, so that the email arrives from a plausible company address instead of a Gmail account. It all looks above board, so why not open the attachment?
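The booking-request lure works because nobody looks inside the attachment before opening it. Here is an added example (mine, not from the post or from Microsoft) of the check a mail gateway or a cautious front desk script can do: modern Office files (.docx, .docm, .xlsx, .xlsm, .pptm) are zip archives, and one that carries macros contains a vbaProject.bin part whose content type is also declared in [Content_Types].xml. The sample "documents" are built in memory and are not real lures; the file extension is deliberately ignored, since an attacker can name a macro-enabled file whatever they like.

```python
"""Added example: decide whether an Office attachment carries a VBA project
by looking at the container itself, not the file extension.  The sample
documents are constructed in memory."""
import io
import zipfile

MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def inspect_office_file(data):
    """Return what the OOXML package says about itself."""
    verdict = {"is_ooxml": False, "has_macro": False, "macro_part": None, "declared": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return verdict          # legacy OLE2 .doc/.xls or not an Office file at all
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return verdict
    verdict["is_ooxml"] = True
    for part in names:                      # word/, xl/ or ppt/vbaProject.bin
        if part.lower().endswith("vbaproject.bin"):
            verdict["has_macro"] = True
            verdict["macro_part"] = part
            break
    verdict["declared"] = MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")
    return verdict


def should_quarantine(data):
    """Policy: any OOXML file carrying a VBA part is held for review."""
    return inspect_office_file(data)["has_macro"]


def build_sample_docx(with_macro):
    """Constructed minimal Word file: content types, a one-line body and,
    optionally, a dummy vbaProject.bin standing in for real macro storage."""
    types = (b'<?xml version="1.0"?>'
             b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             b'<Override PartName="/word/document.xml" ContentType="application/'
             b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        types += (b'<Override PartName="/word/vbaProject.bin" '
                  b'ContentType="application/vnd.ms-office.vbaProject"/>')
    types += b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml",
                    b"<w:document>Room specifications for 12 guests, 7 nights</w:document>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 dummy vba storage")
    return buf.getvalue()
```

This covers the zip-based formats only; the older binary .doc/.xls files are OLE2 containers and need a different parser (the olevba tool from the oletools project handles both). Either way the point is the same: the decision to open should be made on what the file contains, not on how plausible the email looks.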
thewayne: (Default)
Needless to say, it hasn't stopped while I haven't written about it.

The latest victims, and I mean corporations, are Arby's fast food (I hesitate to call them a restaurant) and Holiday Inn hotels. Arby's says the malware that stole credit cards was limited to their corporate stores, over a thousand of their 3,300 locations in the United States. Of course it's entirely possible that some of their franchisees have been compromised too, especially the big multi-location franchise operators that use a third-party credit card processing solution.

And it is a BIG breach. The president and CEO of the National Association of Federal Credit Unions is saying the number of cards is in the "hundreds of thousands". So that malware, since remediated, has been sitting there for a while. Arby's did not previously announce the hack at the request of the FBI while they were still investigating it.

Someone posted a comment/question asking if a specific location was compromised, I posted this reply:
Call them and ask them if they're a corporate store or a franchisee. If the former, then probably yes. I'm going to be doing that Monday with my semi-local store. Regardless, watch your bank account online for probe charges: a charge for $1-4 from cities and businesses that you don't do business in/with.

A friend of mine was hit by the Wendy's hack. He's on the road a lot and I told him about the probe charges. Sure enough, they appeared on his credit card. Fortunately when the serious charge appeared, he was in a town that had an office for his credit card and he was able to get a replacement sent there.

The Holiday Inn hack was very specific: it targeted just a few hotel restaurants and bars in high-profile, high-dollar areas in San Francisco, San Jose, Chicago, etc. The malware was present from August to December 2016. It was not found on the hotels' front desk systems.
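The "probe charge" advice in the reply above is a detection rule, so here it is as an added example (my code, not the post's): learn which merchants and cities a card normally touches, flag small charges from anywhere else, and then show the larger charges that follow in the same unfamiliar city, which is what the probe was testing for. The transaction history is constructed; amounts are in dollars.

```python
"""Added example: flag low-value 'probe' charges at unfamiliar merchants or
cities, then the larger charges that follow them.  History is constructed."""
from collections import namedtuple

Tx = namedtuple("Tx", "date merchant city amount")

PROBE_MIN = 0.50   # below this most processors won't even run the card
PROBE_MAX = 4.00   # the $1 to $4 range the reply mentions

HISTORY = [                                            # constructed baseline
    Tx("2017-01-03", "ARBYS #1223", "ALAMOGORDO NM", 9.41),
    Tx("2017-01-05", "WALMART", "ALAMOGORDO NM", 57.12),
    Tx("2017-01-09", "SHELL OIL", "LAS CRUCES NM", 31.00),
    Tx("2017-01-15", "ARBYS #1223", "ALAMOGORDO NM", 8.89),
]

RECENT = [                                             # constructed new activity
    Tx("2017-02-10", "ARBYS #1223", "ALAMOGORDO NM", 9.41),
    Tx("2017-02-11", "QUICKMART", "MIAMI FL", 1.00),       # probe
    Tx("2017-02-11", "GAS N GO", "HOUSTON TX", 2.75),      # probe
    Tx("2017-02-12", "WALMART", "ALAMOGORDO NM", 3.50),    # small but familiar
    Tx("2017-02-13", "BEST BUY", "MIAMI FL", 899.99),      # the real hit
]


def baseline(history):
    """Merchants and cities this card has legitimately used before."""
    return {t.merchant for t in history}, {t.city for t in history}


def find_probes(history, recent):
    """Small charges where either the merchant or the city is new to this card."""
    merchants, cities = baseline(history)
    return [t for t in recent
            if (t.merchant not in merchants or t.city not in cities)
            and PROBE_MIN <= t.amount <= PROBE_MAX]


def followups(history, recent):
    """Larger charges landing in a city where a probe already succeeded."""
    probe_cities = {t.city for t in find_probes(history, recent)}
    return [t for t in recent if t.city in probe_cities and t.amount > PROBE_MAX]
```

On real statements the merchant strings are noisier than this (store numbers, processor prefixes), so normalise them before building the baseline; the logic stays the same.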
thewayne: (Cyranose)
This one is slightly different. The thieves were more careful with how they're using the cards, and credit unions are being hit hard. One CU manager mentioned in the story said that they've gone through half their budget for credit fraud for the year -- IN JANUARY.

I have lunch at Wendy's once or twice a week, and I always use my debit card. I haven't seen any activity on my account since the information about the breach surfaced a month and a half ago, still, I should either start carrying more cash for lunch or use my credit card more. The credit card is still vulnerable to data breaches such as this, but American law gives you stronger protection and reduced liability for a credit card versus a debit card. The problem with going to cash for such transactions is that my bank doesn't have a branch or ATM down here, so I'd be getting nibbled by out of network fees.
thewayne: (Cyranose)
Back in June, many news sources reported that OPM (the Office of Personnel Management) got hacked, and basically if you applied for a job with the Federal government in the last 20 years, your information was compromised. Didn't matter if you were a park ranger or an office admin or what, you were compromised. A more recent revelation is that fingerprint scans were also compromised. Bruce Schneier has a recent post about this and the risk of trusting centralized, networked databases with our information.

Now for a slight diversion.

Salon had a recent article about how a certain KGB agent was amazing at correctly identifying CIA agents in foreign countries.  He applied basic common sense and deduced certain patterns: CIA agents when they were undercover at an embassy always had offices in the secure part of the embassy, always took over the apartment that their predecessor had, did not attend certain functions, when they had meetings out of town they were almost always at night during certain hours.  But the most important tell of all is that their biographies had gaps.  A non-spy in the State Department had a complete and easily verified biography.  Spies did not, theirs had gaps.

Back to the OPM hack.

Two days ago, several news sources reported that the CIA was pulling its officers out of China. The OPM hack compromised the full background-investigation records of over 21 million people, current and former Federal employees, contractors and applicants, along with roughly 5.6 million sets of fingerprints. China is believed responsible for this hack, so they have all this information. And basically the CIA knows that China can now work out who its officers are, and has the fingerprints of millions of people in those files.

If you know who works for the State Department, and you know "Bob" came in to the country allegedly working for State yet he is not on the list of known State employees, he's probably a spy.  So the CIA pulled them before they could get caught or in trouble.

If China really wanted to screw with us, they'd shop that list around and sell it to Russia, North Korea, etc.

In other glorious news, Experian was hacked again. This time a specific server or dataset was compromised, and it belonged to the cell phone carrier T-Mobile. If you applied for T-Mobile service or device financing from September 2013 to September 2015, the following info was compromised: "Social Security numbers, dates of birth and home addresses." But that's only for 15,000,000 people, so no worries.

It is important to remember that it was not T-Mobile that was hacked, it was the credit reporting agency/data aggregator Experian that was hacked. When you apply for cell service, you fill out an application and it's run through Experian to determine if your credit is sufficient to pay for a contract. Common sense would say that after the credit is approved or denied, a summary should be passed on to T-Mobile, a notation made on the person's credit report, and the application should be purged. But apparently that wasn't good enough for Experian and they decided that they needed to keep the actual applications.

Oh, well.
thewayne: (Cyranose)
A "gang" who claims to be an international syndicate but is more likely a small group, paid for a couple of criminals to lob Molotov cocktails at a company who discovered a Trojan that the gang developed to compromise ATMs. They sent threats to the security researchers, giving them a deadline to remove the research from their web site, and when they didn't, some punk ran up to a building and threw a single firebomb, then ran away. The damage was minimal.

This was all going on in Kiev, Ukraine and St. Petersburg, Russia.

In another story, Brian Krebs spent time in Mexico recently. There's been a huge increase in ATM skimmers there, and in malware that can apparently order the ATM to spit out money.
thewayne: (Cyranose)
October 1 is the deadline for merchants in the USA to be switched over to the new chip readers; after that, liability for counterfeit-card fraud shifts to whichever party (merchant or card issuer) hasn't upgraded. But what is utterly ridiculous is that THEY DID A HALF-ASSED IMPLEMENTATION OVER HERE. No, correct that, quarter-assed. They would have to improve their implementation to be half-assed. THEY DO NOT REQUIRE A PIN! So if someone lifts your wallet and you have an EMV card, they can spend their way to heaven until you cancel the card.

I am curious how European cards, which have PINs, will work over here. Likewise, I wonder how our PINless EMV cards would work in Europe.
thewayne: (Cyranose)
This is why we can't have nice things. You can't trust major merchants like Target and Home Depot and Nieman Marcus to keep their systems secure. Mom & Pop companies can't afford a proper IT department, so they go to a POS vendor, only in this case POS doesn't mean point of sale.

In this particular case, to quote from Krebs post, "NEXTEP Systems, a Troy, Mich.-based vendor of point-of-sale solutions for restaurants, corporate cafeterias, casinos, airports and other food service venues, was recently notified by law enforcement that some of its customer locations have been compromised in a potentially wide-ranging credit card breach, KrebsOnSecurity has learned.

The acknowledgement came in response to reports by sources in the financial industry who spotted a pattern of fraud on credit cards all recently used at one of NEXTEP’S biggest customers: Zoup, a chain of some 75 soup eateries spread across the northern half of the United States and Canada."

So we're screwed, but the truth is that we've been screwed for years. Use cash when you can, use a bona fide credit card when you can't as you have better laws behind you for recovering stolen funds.

The saddest thing is that the one improvement that U.S. banking could make to really make life hard for these criminals is to implement Chip & PIN. Every card has a crypto chip, and you have to enter a PIN. Two factors: something you have (the chip, which can't be reproduced from a magstripe dump) and something you know (the PIN). If your card is stolen or forged and they don't know the PIN, they can't use it. So American banking is doing a half-assed implementation and putting in the crypto chip, but no PIN. Also no signature required on many transactions. So no cardholder verification whatsoever. The reasoning is probably that they don't want to burden people with remembering a PIN, which we've been doing for debit cards for 25 years anyway.

thewayne: (Cyranose)
For $10-$27 a card, you can get a new (stolen) credit card for a loved one!

The breach seems to have been between November 18 and 28, but it is unclear if it might have started earlier or possibly still be on-going. Bebe decided they didn't want to talk to Krebs, so apparently they're still in denial. Evidence suggests that this was another card reader compromise and that their online store was not breached.

One thing that I don't know since I don't know anyone who shops there is how valuable the cards are. If Bebe is a high-end store, the cards could be worth a lot. Also, the cards are up for sale in a hitherto not known carder forum, so the stolen card retailers have another store that you can buy from.

UPDATE: Bebe confirmed the breach.

"Bebe stores said its investigation indicates that the breach impacted payment cards swiped in its U.S., Puerto Rico and U.S. Virgin Islands stores between Nov. 8, 2014 and Nov. 26, 2014. The data may have included cardholder name, account number, expiration date, and verification code." They claim the breach has been stopped.

So at least they caught it before Black Friday, that greatly reduces the number of compromised cards.
thewayne: (Cyranose)
Sadly, it looks like Security By Obscurity is still the mode they want to play, so expect more compromised retailers this season.
thewayne: (Cyranose)
A bank in New England was taken for $120,000 in fraudulent Chip & PIN (C&P) charges emanating from Brazil. The issue? The bank hadn't issued any C&P cards yet.

One part of C&P is a transaction counter built into the chip (the Application Transaction Counter) that increments on every transaction and travels with the authorization request. If your bank receives a second transaction from the same card with the same counter value, it is a replay and you know it's fraudulent. But since the bank hadn't implemented chip processing, that field was simply ignored. Apparently some criminals in Brazil bought a batch of cards stolen in the Home Depot breach, got hold of a payment terminal, and crafted transactions that were coded as chip transactions even though there was no chip, and no chip cryptogram, behind them. The bank recovered about $80k of the stolen money and is trying to get the rest back. Meanwhile, MasterCard is saying that the bank is responsible for the remainder.

After the Home Depot theft, the bank decided not to re-issue potentially compromised cards as they represented a fairly large portion of their customer base. I would guess that they're reconsidering that right now.

There's no doubt that C&P will greatly reduce fraud, but it's not easy to implement, so chances are that we'll see as much fraud and maybe more as it begins to be rolled out next year. In the case of this New England bank, an upstream provider authorized the charges on the bank's behalf ("stand-in" processing) when the bank's systems were offline and couldn't directly authenticate the transactions.

ETA: Bruce Schneier wrote about attacks on chip cards a while back; the one he covered is called the Pre-Play Attack.
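To make the two issuer-side checks concrete, here is an added example (mine, not the post's, Schneier's or any card network's code) of what the New England bank's authorization host should have been doing with those Brazilian "chip" transactions. Real EMV cryptograms are 3DES MACs under per-card keys diversified from an issuer master key; this stand-in keeps that structure but uses HMAC-SHA256, and the master key, PAN (the well-known Visa test number), amounts and terminal numbers are constructed. It shows a genuine chip transaction verifying, a transaction crafted from magstripe data failing because nobody outside the issuer can compute the cryptogram, and a replay of a genuine transaction failing on the counter.

```python
"""Added example: issuer-side EMV authorization checks (cryptogram, then
Application Transaction Counter) using HMAC-SHA256 as a stand-in for the
real 3DES cryptogram.  Keys, PAN and amounts are constructed."""
import hmac
import hashlib
import secrets

ISSUER_MASTER_KEY = b"issuer-master-key-for-illustration-only"   # constructed


def card_key(pan):
    """Per-card key diversified from the master key (stand-in for EMV key derivation)."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def make_arqc(key, pan, amount_cents, atc, unpredictable_number):
    """Stand-in Authorization Request Cryptogram over the fields that matter here."""
    msg = f"{pan}|{amount_cents}|{atc}|{unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class GenuineCard:
    """What a real chip does: keeps its own ATC and signs each transaction."""

    def __init__(self, pan):
        self.pan, self.key, self.atc = pan, card_key(pan), 0

    def transact(self, amount_cents, unpredictable_number):
        self.atc += 1
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number,
                "arqc": make_arqc(self.key, self.pan, amount_cents, self.atc,
                                  unpredictable_number)}


class Issuer:
    """Authorization host: verify the cryptogram first, then the counter."""

    def __init__(self):
        self.last_atc = {}          # highest ATC accepted per PAN

    def authorize(self, req):
        expected = make_arqc(card_key(req["pan"]), req["pan"], req["amount"],
                             req["atc"], req["un"])
        if not hmac.compare_digest(expected, req.get("arqc", b"")):
            return "decline:bad_cryptogram"      # forged or magstripe-derived
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "decline:atc_replay"          # counter already seen
        self.last_atc[req["pan"]] = req["atc"]
        return "approve"


def forged_from_magstripe(pan, amount_cents):
    """What a crook can build from a stolen dump: PAN and amount, a made-up
    counter, and a random 'cryptogram' because they have no key to compute one."""
    return {"pan": pan, "amount": amount_cents, "atc": 1,
            "un": secrets.token_hex(4), "arqc": secrets.token_bytes(8)}


def run_scenarios():
    issuer = Issuer()
    card = GenuineCard("4111111111111111")            # well-known test PAN
    genuine = card.transact(2599, secrets.token_hex(4))
    return {
        "genuine": issuer.authorize(genuine),
        "replay": issuer.authorize(genuine),
        "forged": issuer.authorize(forged_from_magstripe("4111111111111111", 12000)),
        "next_genuine": issuer.authorize(card.transact(1500, secrets.token_hex(4))),
    }
```

The stand-in processor in the story approved without doing the first check at all, which is the whole hole. Note also what the ATC check does not catch: the pre-play attack collects valid cryptograms for future counter values from a real card against a terminal whose "unpredictable number" is in fact predictable, so those transactions carry fresh ATCs and good cryptograms. The counter protects against replay; the terminal's random number has to actually be random.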
thewayne: (Cyranose)
Does this qualify as irony? Apparently someone exploited a weakness in their internet shopping cart code and compromised some 5,000 cards from mid-April to mid-June this year.
thewayne: (Cyranose)
This is very limited: the theft specifically struck three states (NY, NJ, PA) and only about eleven stores. Very little information is available, though it appears to be a cash register malware attack. I'm thinking that maybe it was detected early, before the fraudsters could roll out a larger scale breach. Still, I'm sure this will force a chain-wide audit across the chain's some 1,800 stores in the USA.

No mention as to how many cards were compromised or how long the breach lasted.
thewayne: (Cyranose)
Sears Holdings (Kmart's parent) just announced it, with no indication as to how many cards or a date range, but they are saying that no cards are yet being used fraudulently. We'll see how long that holds true. They're also saying only Track 2 data was compromised, so no personal identity info was stolen that could promote ID theft, just simple credit theft. It was a point of sale hack, so either the same group that did Target/Michaels/Home Depot/etc. or someone using the same malware package.

The Dairy Queen breach was suspected in August but only now confirmed, no indications how long or how many cards were compromised. This one was a cash register compromise, so probably a different batch of crooks.

I just had my card replaced because of the Home Depot hack, we use Kmart as my wife's pharmacy and both of us have used our cards there. So if our cards ever stop working, now we know why, and at least it's a good thing that our bank is actually being preemptive.
thewayne: (Cyranose)
First, Apple. Today they released a patch for OS X to fix the Bash "Shellshock" bug; the question is how complete the patch is. Everything that I've heard thus far is that the first patches for various *nix distros were partial and that a further patch will be required. So I don't know where that stands. I was not able to find the patch in Mac's Update service, but the direct links in the article worked fine. No computer restart required.

Now, the Jimmy John's sandwich shop hack. 216 JJ's were compromised; the number of cards stolen is not mentioned in the article. Here are the problems, and I'm using the plural purposely. First, it was a service vendor, Signature Systems, that was compromised, so another 100 mostly mom & pop operations were also affected. They're spread all over the USA, with no significant geographic clumping.

But the fun doesn't end there, oh no! Anyone who processes credit cards has to be validated as PCI DSS-compliant, with different levels of validation depending on your card volume. The assessor firm that certified Signature Systems is, according to the article, the only assessor ever to have its accreditation REVOKED by the PCI Security Standards Council.

But wait, there's more! In addition to the assessor losing its certification and going out of business, one model of cash register system installed by Signature Systems was not certified as of late October 2013, and many systems were installed after that date! Even though lawsuits would be flying regardless, these are going to be interesting because clearly Signature Systems was grossly negligent.

And finally, my wife and I had an interesting experience in Las Cruces last week. While we were in town, every time I used my card on my wife's account, it was declined. We called the bank and we had a very healthy balance in the account; unfortunately my wife left her wallet at home, so we had to use my cards. Fortunately my account's card worked fine. We thought maybe it was because we were 100 miles from home, but we're frequently in 'Cruces, so it was odd. When we got back to Alamogordo that night, it was declined yet again at a bookstore (three Eric Clapton CDs). As it happened, the clerk also worked at the issuing bank, and she said a whole bunch of cards had been cancelled because of the Home Depot breach. Checked my mail the next day and there was a brand new, bright shiny card. The old one met the shredder. I got my Amazon account reconfigured, received a text message from DirecTV and got them reconfigured, and I think I'm now good.
thewayne: (Cyranose)
Apparently a number of Goodwill stores all had their credit card processing done by one company, and that was the infiltration point. The vendor claims that only 25 cards have been used fraudulently since the compromise, a number that I'm frankly dubious of. But there are a couple of things to remember, and that is that Goodwill purchasers are not always high-value people, so it's quite possible that when word got out at how low of credit limit the cards typically were, they just gave up on the batch. Still, I find the number dubious.

The article points out a very big hole in the reporting laws of lots of states, this is a very good explanation of the problem. To quote from the Krebs article:

The magnetic stripe on a credit or debit card contains several areas, or "tracks," where cardholder information is stored: "Track 1" includes the cardholder's name, account number and other data. "Track 2," contains the cardholder's account, encrypted PIN and other information, but it does not include the account holder's

Most U.S. states have data breach laws requiring businesses that experience a breach involving the personal and financial information of their citizens to notify those individuals in a timely fashion. However, few of those notification requirements are triggered unless the data that is lost or stolen includes the consumer’s name (see my reporting on the 2012 breach at Global Payments, e.g.).

This is important because a great many of the underground stores that sell stolen credit and debit data only sell Track 2 data. Translation: If the thieves are only stealing Track 2 data, a breached business may not have an obligation under existing state data breach disclosure laws to notify consumers about a security incident that resulted in the theft of their card data.

And in the case of the Goodwill breach, only Track 2 info was being sold.
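Since the whole notification question turns on which track was stolen, here is an added example (my code, not Krebs's or the post's) that parses the two track formats and shows the difference concretely: Track 1 carries a name field, Track 2 does not, and both carry the account number, expiry and the service code that says whether the card has a chip. The track strings are constructed around the well-known Visa test number 4111111111111111.

```python
"""Added example: parse magnetic-stripe Track 1 and Track 2 data and report
which fields each one exposes.  Sample tracks are constructed."""
import re

# Track 1 (IATA format): %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
# Track 2 (ABA format):  ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


def luhn_ok(pan):
    """Mod-10 check digit test; dumps full of Luhn failures are usually garbage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(raw):
    """Return the fields an investigator would pull from one track, or None."""
    m, track = TRACK1_RE.match(raw), 1
    if not m:
        m, track = TRACK2_RE.match(raw), 2
    if not m:
        return None
    f = m.groupdict()
    name = None
    if track == 1:                                   # only Track 1 carries a name
        surname, _, given = f["name"].partition("/")
        name = f"{given.strip()} {surname.strip()}".strip()
    svc = f["svc"]
    return {
        "track": track,
        "pan": f["pan"],
        "luhn_ok": luhn_ok(f["pan"]),
        "name": name,
        "expiry": f"{f['exp'][2:]}/{f['exp'][:2]}",   # YYMM -> MM/YY
        "service_code": svc,
        "chip_present": svc[0] in "26",  # first digit 2 or 6: an IC chip is on the card
    }


SAMPLE_DUMP = [                                        # constructed
    "%B4111111111111111^DOE/JOHN Q^25121010000000000000?",
    ";4111111111111111=25121010000000000000?",
    ";4111111111111111=25122010000000000000?",        # service code 201: chip card
]


def names_exposed(raw_tracks):
    """The notification question: does this dump include anyone's name?"""
    return [r["name"] for r in map(parse_track, raw_tracks) if r and r["name"]]
```

Run over the sample dump, only the Track 1 record yields a name; the two Track 2 records give up the account number, expiry and service code but nothing that would trip a name-based notification statute, which is exactly the gap the quoted article describes.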
thewayne: (Cyranose)
The thieves are exploiting weak bank phone voice response systems to reset the PINs then use the forged cards in ATMs. Some are also calling the bank direct using MagicJack phone numbers and telling them they're traveling in Italy, so one bank obligingly increased the daily withdrawal limit and it lost $300,000 in two hours.
thewayne: (Cyranose)
It could go back to April or May of this year, and it looks like all stores were affected, which means a main server breach. And it was probably the same group that did Target et al.
thewayne: (Cyranose)
Looks like. In the case of DQ, it looks a lot like the breach of the Jimmy John's sandwich chain and the car wash in the east: probably franchisees who use a common point of sale system getting compromised through its remote access.

I've never been to Jimmy John's, but I do to go DQ a couple of times when I'm in Phoenix. I'm safe, I always pay cash.

One thing that I like is the mention of weak and easily guessed passwords. A direct hack of your own account via a guessed password is the least likely way your information will be compromised, because criminals are looking for mass amounts of information that they can profit from and so go after large dumps, but it's still important to use strong passwords and not to re-use passwords on important systems.
thewayne: (Cyranose)
The info on Albertsons is just emerging and it involves all of their properties, so this looks like a breach in their datacenter like Target. His discussion of carding is quite interesting as it hits on two points that I thought were pretty amazing. One is that the rate of attacks seems to be going up, and it is probably because the USA hasn't instituted Chip & PIN, which most of the first world has done. Thus, America is a vulnerable market, and since MasterCard & Visa have stated an October 2015 deadline for merchants to implement C&P, the criminals have a narrowing window of opportunity to exploit and try to get rich easily.

The fact that the USA is the only country in the G20 to not have implemented C&P I thought was quite interesting.

But his second point blew me away: he thinks the market for stolen card dumps is saturated. Krebs estimates that only 2-4% of the cards stolen in the Target breach were actually used for fraud, based on numbers that were reported to him when he called some banks that were victimized. The process for taking the card data, coding it on to a new card, then buying merchandise, selling it, and transferring the money takes a lot of work, and with the volume of cards stolen in the breaches, the criminals don't have enough infrastructure to convert the stolen info to money in their pocket.

Which isn't to say that they're going to stop stealing credit card info, just that there is a difference between the number of cards stolen and the number used for fraud.

Page generated Sep. 22nd, 2017 01:35 pm
Powered by Dreamwidth Studios