It is important to note two things. All Buckle Stores have EMV readers: they can read the electronic chips in most, BUT NOT ALL, cards. Not all banks have adopted chips in cards. But worse yet, not all EMV readers HAVE THE READER TURNED ON! For example, the Walmart store in my area does not: you still have to swipe your card, which means that my card is vulnerable to compromise.
The reason for this is vendors got greedy: they convinced merchants that they MUST upgrade their card readers to EMV compatibility! So the merchants did. But the vendors didn't tell them that to enable the EMV reader was an additional software upgrade, so many merchants didn't do the second bit.
These hacks target magnetic stripe information because that info is really easy to clone and copy onto new blank cards, then use those cards for online purchases. The fraudsters make their money by making big dollar value online purchases, like iPhones and Xboxes, having them shipped to money mules (those "make big dollars working from home" ads) who return them to physical stores, convert the money to money orders while taking a percentage, then wire the money overseas. The mules are committing a felony by doing so, and every year many of them go to prison while the overseas contacts just vanish.
KMart was AGAIN recently compromised, which made me pause for some reflection. On the negative side, we get my wife's meds there every few weeks. But on the positive side, they implemented EMV, and we always use that, so our info was probably secure. And probably on the mega-negative side, the store is closing, so lots of jobs are going to be lost locally.
When stores have implemented EMV, and your card has an EMV chip, you usually cannot swipe it. So that's good.
So take a look at your wallet. Do any, and I mean ANY, of your cards not have chips? If they do not, complain to the issuing institution. The USA is the last country in the G20 to NOT REQUIRE EMV chips. And we have to put up with shitty hackers like this CONSTANTLY compromising our information. Banks really need to step up. Every time this happens it costs the banks money to reissue cards. And that means increased fees for bank customers.
1. Financial institution is hacked
2. Malware is implanted on a merchant's network, possibly on point of sale (POS) card scanners
3. Hardware is covertly installed on or in POS card scanners
You can't do anything about #1. The first time my banking information was compromised was about seven years ago. I was at my parents' house in Phoenix, heading to Las Vegas to a convention, when I saw a charge on my checking account for $80ish at a truck stop in North Carolina, a state where I hadn't been in five years. Turns out that a check processing company in Albuquerque had been hacked and they managed to create a bank card from that info. That hack never hit the news.
#2 is the classic Target hack, though that was an extreme example where the criminals managed complete subversion of their cash register system. They could have done what North Korea did to Sony over the release of The Interview. Arby's, Wendy's, CiCi's, you name it. And you can't do anything about this, either.
#3 is something that you can attempt a bit of defense with.
Skimming comes in two flavors, an overlay or an insert. The overlays are easy. The criminals somehow manufacture a flimsy plastic module containing electronics, generally a card reader for capturing card information, a camera for capturing PINs, and a Bluetooth radio for transmitting the info. The whole thing can be quickly slipped over a card reader at a cashier station. It's a two or three man job: distract the cashier, obscure the overhead security camera, slip the shell over the reader. The shell is precisely made for specific models of card readers and will only fit on those models. There are a few 'tells' that help identify an overlay. The colors will be slightly off. It will feel like thin plastic. The graphics won't look quite right. The dimensions will be slightly off. If you pay attention to the card terminals that you use, you might notice these.
But the best way to notice is to tug. Give the terminal a squeeze and a pull. It should feel solid and it should be solidly anchored to the pedestal that it's secured to.
Gas stations are a slightly different problem. These will sometimes have overlays, so a visual inspection and a tug test is good, but they also may have internal skimmers. These are tiny circuit boards that are actually slipped into the card slot; they read the inserted card and store the info. They don't collect as much information as an overlay, but it's still enough to cause you problems with card theft, and it's not easy to spot these.
Gas stations have taken some defensive measures. You'll notice there are security tape seals where the panels open on the pumps to show they haven't been tampered with, but let's face it, it wouldn't be hard to make fakes of those. They've also improved the design of the pump faces to try and make it harder for skimmers to be installed, and ATM makers have also tried defensive design with varying success.
Brian Krebs' suggestion is that the best defense is to never use a debit card at a terminal that you don't have absolute confidence in, only use a credit card. The reason for this is that credit cards have legal limits for fraud protection, debit cards do not. Your bank may limit your liability if your debit card is compromised, but they are not REQUIRED to by law. So you can trust your bank if you like, but you need to know that they don't have to back you.
Another way to defend yourself, if you have a fairly recent smartphone with Near Field Communications (NFC) and your merchant supports it, is to use Apple Pay or Google Pay. Microsoft tried to set up a wallet system, but it never gained traction and has been relegated to the dustbin of history. BE WARNED: these payment systems take a little getting used to! I set up Apple Pay last week: I've used it four times, I've been successful ONCE. I know how I failed the first time, and I suspect how I failed the other two times, so I think I have it figured out, but still, be prepared for a learning curve.
Apple has an exhaustive explanation of how their system works, and it is really elegant. From what I understand, even if the POS terminal has malware installed, if you use Apple Pay the criminals will get nothing usable. The information is not just encrypted, it's done with a one-way encryption that cannot be reversed after it's transmitted, so no card information can be recovered by an intercepting criminal. The merchant identifier and transaction amount is appended, the packet is sent to your financial org, which authorizes it, and the bill is paid. Your information is never exposed.
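To make the "criminals get nothing usable" point concrete, here is an added example (mine, not Apple's code or a description of Apple's actual implementation) of the general idea behind tokenized mobile payments: the phone holds a device token and a device key that only the issuing bank shares; each payment carries a per-transaction cryptogram bound to the merchant, amount and a fresh nonce; the issuer verifies it. The `Issuer`, `Phone` and `malware_captures` names, and the card number, are constructed for the demo.

```python
import hmac
import hashlib
import os
import secrets


def cryptogram(device_key: bytes, token: str, merchant: str, amount_cents: int, nonce: str) -> str:
    """Per-transaction MAC over the fields the issuer will verify.
    The merchant and any malware on its terminal never hold device_key,
    so they cannot forge a cryptogram for a different amount or merchant."""
    data = f"{token}|{merchant}|{amount_cents}|{nonce}".encode()
    return hmac.new(device_key, data, hashlib.sha256).hexdigest()


class Issuer:
    """Stand-in for the bank: maps tokens back to real card numbers and
    checks each payment. Constructed for this example."""

    def __init__(self):
        self._vault = {}   # token -> (real card number, device key)
        self._seen = set()  # (token, nonce) pairs already authorized (replay defence)

    def provision(self, card_number: str):
        token = "TOK-" + secrets.token_hex(8)
        device_key = os.urandom(32)
        self._vault[token] = (card_number, device_key)
        return token, device_key

    def authorize(self, msg: dict) -> bool:
        entry = self._vault.get(msg["token"])
        if entry is None:
            return False
        _card_number, device_key = entry
        expected = cryptogram(device_key, msg["token"], msg["merchant"], msg["amount_cents"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # tampered amount/merchant, or forged cryptogram
        if (msg["token"], msg["nonce"]) in self._seen:
            return False  # replay of a captured payment
        self._seen.add((msg["token"], msg["nonce"]))
        return True


class Phone:
    """Stand-in for the wallet app holding token + device key."""

    def __init__(self, token: str, device_key: bytes):
        self.token = token
        self._device_key = device_key

    def pay(self, merchant: str, amount_cents: int) -> dict:
        nonce = secrets.token_hex(8)
        return {
            "token": self.token,
            "merchant": merchant,
            "amount_cents": amount_cents,
            "nonce": nonce,
            "cryptogram": cryptogram(self._device_key, self.token, merchant, amount_cents, nonce),
        }


def run_demo(card_number: str = "4111111111111111") -> dict:
    """Walks through one payment and what a compromised terminal could do with it."""
    issuer = Issuer()
    phone = Phone(*issuer.provision(card_number))
    msg = phone.pay(merchant="MERCHANT-0001", amount_cents=4999)
    captured = dict(msg)  # everything malware on the POS terminal could see
    replay = issuer.authorize(msg) and issuer.authorize(captured)  # second attempt is a replay
    tampered = dict(captured, amount_cents=99999)  # malware tries to change the amount
    return {
        "first_payment_ok": True if replay is not None else False,  # placeholder, refined below
        "card_number_exposed": card_number in str(captured),
        "replay_accepted": replay,
        "tampered_accepted": issuer.authorize(tampered),
    }


if __name__ == "__main__":
    print(run_demo())
```

The first `authorize` call succeeds and the second, identical one fails as a replay, so `replay_accepted` is false; the terminal's captured message contains the token but never the card number.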
I'm sure Google's system works in a similar fashion, but the info that I easily found didn't go into nearly as much detail as what I found with a casual search for Apple's system.
And I have to tell you, the Apple method for registering a card was amazingly cool: take a picture of your credit card. I was sitting in my partially demolished computer area, in somewhat poor lighting, and it said to take a picture of your card. So I pulled out my personal debit card, and it read it perfectly. Done. Pulled out the debit card in my name for my wife's checking account. For some reason, within about a month of receiving it the gold paint on the letters is completely gone. There was no strong side lighting to provide contrast for the lettering, yet my iPhone 6S had no trouble reading the card! I was VERY impressed. The third card that I registered was my credit card, and that one also registered fine, except it got the expiration date wrong, and that was easy to correct.
You can also manually enter the card information.
You can also use Apple Wallet for concert tickets! I used them for Jethro Tull, which was convenient because I forgot to take the printouts. It looked to me like 75% of the people in line were using smart phones for their tickets.
iPhone 6 series and later, which includes the SE, have NFC. Apple Wallet can be configured to use a fingerprint to authorize rather than the phone's password, regardless of whether you use a password to unlock the phone. Androids that run version 4.4 of the OS or later should have NFC. I saw that sometimes Android updates can cause headaches for Wallet users.
Anyway, that's enough blathering. The best defense, of course, is to always pay in cash. But that brings up two problems: carrying large sums of cash, and do you get the cash from the bank, which may involve lots of inconvenience, or do you trust the ATM to not have been compromised?
It seems to be never-ending.
The OneLogin breach is bad. This is a password vault company where you can store logins and passwords for everybody that you do business with online, so with this one violation everyone that you have an online account with is potentially compromised. Bad news. Very bad news for a lot of people and companies.
Now, when it comes to knowing whether or not an online identity has been compromised, it's not easy to know. We use email addresses as logins to numerous web sites, but what gets compromised when a site gets hacked? The valuable information is the login identity and password information. While password information is frequently encrypted, sometimes it's not and it's stored as plain text. And a lot of people commonly use the same password on lots of sites. Thus, a password that was used on Site A might work on Site B.
Even if the password is encrypted, sometimes they don't use what is known as a salt value. In this case, something called a Rainbow Table can be run against the encrypted password list to try and decode passwords. A rainbow table is built from lists of dictionaries of known words, random words, words in Klingon, phrases from Shakespeare, etc. that are commonly used in passwords. If one of these words matches against an encrypted password, they now know what that password was and can try that matching email address against an Amazon account or bank or whatever.
Salting a password is adding a hidden value to it. For example, if I append the value '123' to your password, the encrypted value is much harder to match against a rainbow table, because the encrypted value of MyPassword vs MyPassword123 are different values. And if you use the password MyPassword, DON'T. It's a ridiculously easy password to hack. But I'm not going to talk about strong passwords right now.
When a web site is compromised, such as OneLogin, frequently the accounts will appear on a web site as a 'dump file'. There are characteristics that let security analysts trace back a dump file to know that File X was taken from Site Y. And there's a web site that will tell you if your email address has ever appeared in a dump - https://haveibeenpwned.com/.
The operator of Have I Been Pwned took it upon himself to collect dumps and load them into a cloud-based edition of SQL Server. He doesn't store any passwords, just an email address and information on what dump that address has appeared in. You go to the web site, enter your email address, and you'll learn where your address may have been compromised. It's not a bad idea to check occasionally.
Myself, I have two primary email addresses. My main one has been compromised a number of times, and I don't really care because it's used mainly for email. My more sensitive account has only been compromised once, and that was an Adobe hack. My Paypal email account has never been found in a dump, which is nice. But what I found interesting was that my main email address has been found in lists that were "broadly circulated and used for 'credential stuffing', that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password." I'm not concerned because I never reuse passwords on systems where I have credit cards tied. I do reuse passwords on low-value systems OCCASIONALLY, like some message boards that I don't often revisit, but that's slowly coming to an end.
Anyway, you might want to check out this site, it's interesting.
Can you spell HIPAA violation? I knew you could.
I can't believe someone would allow crap like this to continue in this day and age. I remember a certain credit card company, it might have been Citi, had the exact same problem upwards of a decade ago. Completely inexcusable. And looking at the account number of the person who tipped Brian Krebs to the problem, they have perhaps two million customers. Not good.
The flaw has been (supposedly) fixed; they're now in the phase of trying to figure out how many people's information may have been accessed and doing notification.
This next one is a biggie. Sabre Corp's hospitality unit was hacked. They provide reservation services for 32 THOUSAND properties. Currently no information has been released as to how long the breach existed or how many cards may have been compromised. If you do a lot of corporate travel, your employer might want to know about this.
“The unauthorized access has been shut off and there is no evidence of continued unauthorized activity,” reads a brief statement that Sabre sent to affected properties today. “There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.”
Sabre’s software, data, mobile and distribution solutions are used by hundreds of airlines and thousands of hotel properties to manage critical operations, including passenger and guest reservations, revenue management, flight, network and crew management. Sabre also operates a leading global travel marketplace, which processes more than $110 billion of estimated travel spend annually by connecting travel buyers and suppliers.
Sabre told customers that it didn’t have any additional details about the breach to share at this time, so it remains unclear what the exact cause of the breach may be or for how long it may have persisted.
The method was depressingly simple. ADP had a web portal for its clients, which makes sense. But if a company had not registered on said portal, they were vulnerable: fraudsters were able to siphon confidential info from a variety of sources, create an account for said ADP customer, and all of the client's payroll information was instantly available. And Robert's your mother's brother.
In other hacking news, there's a free web site called Have I Been Pwned that I've mentioned before. I mention it because there was a similar for-profit business called Pwnedlist that did largely the same thing. They just closed their business because they got pwned: their business model was that clients paid subscriptions and got notified if their data ever appeared in a dump. Well, they got notified, because Pwnedlist got hacked through a major bad programming vulnerability that gave anyone who wanted it admin access to accounts that didn't belong to them.
By contrast, Have I Been Pwned only stores the compromised email address and what site's hack it was taken from. Nothing of value. And in the case of sensitive dumps, like Ashley Madison users, you have to register at the site to find out if your email was contained in that dump.
For an interesting read, you should take a look at HIBP's Twitter feed. He describes new dumps received as the number of accounts compromised and the number of emails that are ALREADY IN THE SYSTEM. I've been fortunate: I have three active email accounts, the two used regularly for email were both compromised in the Adobe hack, which is no big deal as those accounts didn't have credit card information attached and they were passwords not used elsewhere. My other email account of any importance is only used for Paypal, and it has not been compromised.
If for whatever reason you used a credit card at a Trump hotel between May '14 and June '15, you might have been compromised.
First, it is operated by a security researcher who downloads all of the major web site dumps that he can get his hands on and extracts email addresses and aggregates them here. You can enter your email address and it will tell you if your email appears in any dump that he's been able to get his hands on, including Ashley Madison.
Two of my regular email addresses have been compromised, both thanks to Adobe. I was happy to see that my PayPal email address has not been compromised. And you can register your email address with him and he'll tell you if it appears in a future dump.
Second, it's a Microsoft SQL Server Azure project and he blogs about how well Azure is working as a platform for him. Interesting if you're into super geeky stuff.
Not to dwell on the Ashley Madison hack, but there are some interesting facets since their entire email server was compromised and published. First, there was email traffic that AM HACKED another online dating site! They pulled all of their subscribers and plugged them into AM! So even if you didn't register with AM, it's possible that your email address appears there! It'll be interesting to see if the Feds investigate this off-shoot.
There was news that a man, on a spur of the moment thing, looked for his address in the AM dump. And he found it. He immediately went to his wife and said 'I did not do this!' His wife accepted what he said. They dug further and found that someone with a similar name (Smithe instead of Smith, like that) had registered. They had a vaguely similar description but vastly different physical builds. The man who was wronged is going after the other guy to get a certified statement saying that he created the AM account impersonating the first guy. It'll be interesting to see how it plays out.
AM is not the first adult dating site to be compromised, Adult Friend Finder was also hacked a couple of years ago. One thing that was found in both hacks is that an overwhelming majority, like 95%, of the accounts are men. And an overwhelming majority of accounts for women are fronts for people in the company, just to bring the numbers up.
I personally don't know anyone who's used these adult sites for a hook-up, but I did meet my wife on a (now defunct) dating site, so they do have a chance of working.
There are companies preying on people who registered at AM, and as shown above, they might not have registered there in the first place. There are reports of blackmail, people being solicited for class-action lawsuits, etc. So basically the vultures are circling. But the part that I find the most ridiculous is that people registered using GOVERNMENT AND MILITARY EMAIL ADDRESSES! One of the concerns of security clearance background checks is that you have not done things that could make you vulnerable to blackmail by a foreign power. GUESS WHAT. I have a feeling a lot of security clearances are going to be revoked in a few months, and a definite chance of people losing jobs over this. There have already been two reported suicides of people who were uncovered in the dump, but I don't know if they've established a positive link between being exposed and the suicide. It might just be a coincidence.
The thieves got in through a Citrix portal used by employees on the road.
“The attackers somehow had login credentials of a district manager,” Curlovic said. “This guy was not exactly security savvy. When we got his laptop back in, we saw that it had his username and password taped to the front of it.”
ETA: why did a district manager have wide access to the company network? Managers should have access to financial databases. Even IT people should have controls to prevent a single password compromise from betraying the whole network. When I was at the police department in the '90s, we had two computers: one was used for administrative work and had no email or internet access, the other was our normal working computer (there were no virtual machines back then). If I ever become a manager, I'm going to implement the same thing: your admin work will be done through a VM and won't have email access.
I think this manager who had his username and password taped to the front of the computer is fully deserving of a major demotion or outright firing. That is one of the most boneheaded moves that I've ever heard of.
Here's the premise. Little Kim's mad at a movie coming out on 12/25 called The Interview, a Seth Rogen movie, where two guys run a popular TV talk show and score an interview with the leader of North Korea. And are then recruited by the CIA to assassinate said leader.
For some reason this made some people unhappy.
Regardless of who did it, the attackers got deep into Sony Pictures corporate network, pulling out all sorts of employee information, including health care info, salary info, etc. and posted it all online. Researchers have confirmed that the data looks real by cross-referencing people in the files with LinkedIn job descriptions. More than enough to do some pretty serious identity theft. And they dumped it all online. Apparently the hack was so bad that Sony IT advised everyone to turn off WiFi on all devices and not use any corporate computers.
At least this time it wasn't Sony Online.
At least two states are investigating Experian. This makes me very happy.
The fault really lies in the original company that was bought out by Experian, and I'm sure it takes some time to conduct a full audit when you buy a company. It's possible that they shut the guy down as soon as they detected him; I'd like to think that. But considering how these data aggregators work with zero oversight and how they've managed to conflate my dad's traffic accidents with my records because we have one name in common, I'm not holding my breath that they're lily-white.
I would say that I'm sorry for Sony, but I'm not. They've pulled so much crap over the years, things like their music CDs installing rootkits on people's computers to stop piracy, that they get no sympathy from me.
Most recently, they got hacked. The Play Station Network went down in flames. Sony Online Entertainment was taken offline. Something on the order of 200,000 user accounts were compromised, including a lot of credit cards. People almost immediately started getting strange phone calls from telemarketers who obviously had some of that credit card info.
Sony allegedly fixes their problems and starts bringing their networks back online. It's then discovered that one of their servers (or a server farm, I'm not sure) in Asia is a malware host. They're not allowed to bring up PSN in Japan because of security concerns. It comes out that the re-done and tightened PSN network account passwords can still be reset by using the email and birthdate, and said information was compromised in the first round.
Here's the latest: "As Sony struggles to restore the Playstation Network we receive news today of another breach, this time at Sony Ericsson in Canada. 'Sony Corp. spokesman Atsuo Omagari said Wednesday that names, email and encrypted passwords may have been stolen from the Sony Ericsson Canada website, but no credit card information was taken.' Another group managed to penetrate Sony Entertainment Japan yesterday as well. I almost feel bad for them."
That's it for me. There's no point in writing anything about Sony. They've become a laughingstock when it comes to network defense, and they're a major international corporation. They made little or no effort to keep their public-facing servers patched for known vulnerabilities even when they were made aware of such problems. They obviously rushed out patches to get the PSN network back online and blew it. It's understandable that they'd want to get it back online ASAP because they're losing a lot of money every minute that it's down, but as serious as this breach is, they owed it to their customers to get it right. And they didn't.
I know I'll continue to see movies made by Sony and maybe occasionally buy music from Sony. But I'm never going to use one of their services or buy any hardware from them again.
I'm also not going to write about their getting hacked again. It's just not worth it. If you use their monthly services and they have your credit card number(s) and you continue using their services, it's your lookout.
Sony will offer one month of free play plus one day for every day the network is down.
The estimate is that almost 13,000 credit cards and banking information was compromised out of 25,000 accounts.
The official Sony Online announcement: http://www.soe.com/securityupdate/
I believe this takes the number of compromised accounts to over 90,000.
[EDIT] Just read a comment on Slashdot. Guy played EverQuest, dropped it in 2001. Just got a letter from Sony saying that his personal information was compromised. Wow.
The only good thing about this is that Sony did not store the CVN on the back of the card with the card data, so it was not compromised. This makes it much harder to make charges on the stolen cards and greatly reduces their value.
This also affects Sony's Qriocity network, whatever that is. Apparently PSN and Qriocity are operated and managed by an outside marketing company, not that it absolves Sony of any responsibility.
One thing that I find interesting is that the credit card industry has standards that businesses must follow to secure credit card data. (Remember the TJ Maxx hack?) If you're a small merchant and all you have is machines to process in-person credit card purchases, it's no big deal. But if you store credit card data for repeat purchases, i.e. monthly network access, you are expected to have pretty good security. Clearly Sony is in gross noncompliance with these directives. I've read them; it takes a very skilled and serious staff to implement, maintain, and audit them.
Here's an article on Wired theorizing about who might have committed the hack. There are some very interesting comments, possibly indicating that some of the information may already have been sold to telemarketers and scammers.
The lawsuits have already begun, and it's guaranteed that they'll seek class action status. And as Sony and the network provider were so grossly negligent, it's going to hurt Sony as they so deserve.
The scary thing is that they're saying that a reduction in the number of compromised records does not mean that IT shops are doing a better job of implementing security.
Here are some highlights from the Verizon report:
* The average time from compromise to data breach was minutes to days, not weeks or months (see report Figure 37).
* The average time between compromise and the victim discovering it was weeks to months.
* The average time from discovery to containment was weeks to months as well, including 2 percent that took years to never. I suspect this latter stat is far higher in the real world.
* Eighty-six percent of the time, the breach was discovered and reported to the victim by a third party (see report Figure 39), even though the breach probably could have easily been found by the victim if he or she had deployed normal detection systems. Sixty-nine percent of victims had event log evidence of the compromise (see report Figure 41).
* Only 8 percent of attacks required a high level of complexity (see report Figure 34).
* External agents were responsible for 92 percent of attacks and 99 percent of data breaches (see report Figures 7 and 12).
* Insiders were involved in 16 percent of all cases; the crossover with the 92 percent external agent figure is due to collusion.
* The role makeup among internal attackers was as follows: 85 percent were normal end-users, 22 percent were accounting or financial staff, 11 percent were management, and only 9 percent were IT related. (emphasis mine)
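The "69 percent of victims had event log evidence" figure, together with the district manager whose taped-on credentials were used through the Citrix portal earlier on this page, is the kind of thing ordinary detection logic catches. Here is an added example (mine, not from the Verizon report or from any vendor) that runs three simple rules over a constructed remote-access authentication log: a successful login from a source the account has never used, a burst of failures followed by a success, and one source address authenticating as multiple accounts. The log lines, user names and addresses are all constructed for the demo (documentation IP ranges).

```python
import re
from collections import defaultdict

# Constructed remote-access portal log (not from any real system).
# One event per line: timestamp, account, source IP, result.
SAMPLE_LOG = """\
2017-04-03T08:02:11Z user=dmanager src=198.51.100.23 result=SUCCESS
2017-04-03T08:05:40Z user=jsmith src=198.51.100.40 result=SUCCESS
2017-04-04T07:58:02Z user=dmanager src=198.51.100.23 result=SUCCESS
2017-04-04T09:12:55Z user=jsmith src=198.51.100.40 result=SUCCESS
2017-04-05T02:14:09Z user=dmanager src=203.0.113.7 result=SUCCESS
2017-04-05T02:31:44Z user=jsmith src=203.0.113.7 result=FAIL
2017-04-05T02:31:50Z user=jsmith src=203.0.113.7 result=FAIL
2017-04-05T02:31:57Z user=jsmith src=203.0.113.7 result=FAIL
2017-04-05T02:32:10Z user=jsmith src=203.0.113.7 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse(log_text: str) -> list:
    """Turns log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_anomalies(events: list, fail_threshold: int = 3) -> list:
    """Single pass over time-ordered events, building per-account baselines as it goes.
    Returns a list of alert dicts with 'rule', 'user', 'src' and 'ts'."""
    known_sources = defaultdict(set)   # user -> sources seen on successful logins
    consecutive_fails = defaultdict(int)
    users_per_source = defaultdict(set)
    shared_alerted = set()
    alerts = []

    for e in events:
        user, src, ts = e["user"], e["src"], e["ts"]
        if e["result"] == "FAIL":
            consecutive_fails[user] += 1
            continue

        # Rule 1: a run of failures immediately followed by a success (guessing or a stolen password tried until it worked)
        if consecutive_fails[user] >= fail_threshold:
            alerts.append({"rule": "fail_then_success", "user": user, "src": src, "ts": ts,
                           "fails": consecutive_fails[user]})
        consecutive_fails[user] = 0

        # Rule 2: success from a source this account has never used before
        if known_sources[user] and src not in known_sources[user]:
            alerts.append({"rule": "new_source", "user": user, "src": src, "ts": ts})
        known_sources[user].add(src)

        # Rule 3: one source address logging in as several different accounts
        users_per_source[src].add(user)
        if len(users_per_source[src]) >= 2 and src not in shared_alerted:
            shared_alerted.add(src)
            alerts.append({"rule": "shared_source", "user": sorted(users_per_source[src]),
                           "src": src, "ts": ts})
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(parse(SAMPLE_LOG)):
        print(a)
```

On the sample log this flags the 02:14 login of `dmanager` from a never-before-seen address, the three failures then success for `jsmith` from that same address, and the fact that one address is now driving two accounts. None of these rules needs anything beyond the authentication log the portal already writes, which is the report's point.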
An insider's view on protecting/removing APTs: http://www.infoworld.com/print/141896
The H-Online article is a very good read and links to Verizon's report.