Posts Tagged ‘identity theft’

Information Leakage …

Posted: September 29, 2014 by IntentionalPrivacy in Identity theft, Tips, Vulnerabilities

Information leakage: what is it? It’s the unauthorized flow of information from a source to a recipient. Although unauthorized, it is not necessarily malicious, but it can still be detrimental.

Let me give you a couple of examples.

Our credit union is, in most cases, very accommodating. However, when it comes to paying bills online either through Bill Pay or the creditor’s site, I argued with them about printing my social security number on my account statement when I paid my Sallie Mae loan. When I paid my credit card online, they printed my entire credit card number on my account statement. I called and talked to a credit union customer service rep and could not convince her how bad using these numbers was. I wrote a letter to the credit union, the credit card company, and Sallie Mae, and Sallie Mae changed my account number (which they should have done in the first place). However, I could not convince the credit union to only print the last four digits of the card number.

Think about how many people could possibly see those numbers: database analysts, print and fold operators, customer service reps, postal clerks if the envelope rips … and if the credit union gets hacked, well, who knows?

I finally wrote letters to each member of the credit union board of directors, and voilà! The number displayed on my account statement is now only the last four digits.

Be persistent when this type of thing happens! It’s your information, and nobody else will care as much as you when your identity gets stolen. And other people’s information will be safer also.

Next up: our insurance company, who thinks it’s safe to use my social security number as our account number, as long as they add a three-digit number to it. Now my number is available to doctors, nurses, receptionists, technicians, customer service reps … the list goes on and on. Nobody will guess. Yup. The thinly-disguised-number-is-secure trick.
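As an added example (not part of the original post and not any institution's actual code), here is one way a statement-rendering step could catch both leaks described above: a full card number printed on a statement, and an account number built from a Social Security number plus a short suffix. The sample lines, the SSN on file, and all function names are constructed for illustration.

```python
import re

# Constructed sample data: a standard test card number and an SSN in
# area 000, which is never issued. Not real account details.
SSN_ON_FILE = "000-12-3456"
STATEMENT = [
    "09/02 BILL PAY CREDIT CARD 4111111111111111 -250.00",
    "09/05 BILL PAY STUDENT LOAN ACCT 000-12-3456 -120.00",
    "09/09 INSURANCE PREMIUM MEMBER 000123456001 -85.00",
    "09/12 GROCERY STORE #1234 -42.17",
]

# 9 to 19 digits, optionally separated by single spaces or dashes.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){8,18}")

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_line(line, ssn_on_file):
    """Return (redacted_line, findings) for one line of statement text."""
    ssn = re.sub(r"\D", "", ssn_on_file)
    findings = []

    def replace(match):
        digits = re.sub(r"\D", "", match.group())
        if ssn in digits:  # the SSN itself, or the SSN with digits added
            findings.append("ssn-derived")
            return "[REMOVED]"
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("full-card-number")
            return "*" * (len(digits) - 4) + digits[-4:]  # keep last four
        return match.group()

    return DIGIT_RUN.sub(replace, line), findings

def redact_statement(lines, ssn_on_file):
    """Redact every line; report (line_number, finding) pairs for review."""
    out, report = [], []
    for n, line in enumerate(lines, start=1):
        clean, found = redact_line(line, ssn_on_file)
        out.append(clean)
        report.extend((n, kind) for kind in found)
    return out, report

if __name__ == "__main__":
    print(redact_statement(STATEMENT, SSN_ON_FILE))
```

The SSN-derived number is removed outright rather than truncated, because the last four characters of "SSN plus suffix" would still expose part of the SSN.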

According to KrebsOnSecurity.com, Jimmy John’s aren’t the only restaurants to get caught in this breach, which lasted from June 16 through mid-September (dates vary at some locations). Many small restaurants use Signature Systems PDQPOS point-of-sale systems. A total of 216 Jimmy John’s and 108 other restaurants are affected because “an authorized person gained access to a user name and password that Signature Systems used to remotely access POS systems.” This access allowed the attacker to install malware to steal payment card data, containing the cardholder’s name, card number, expiration date, and verification code from the magnetic stripe of the card.

I wonder if Signature Systems changed their passwords on a regular basis? Probably not. Did they use two-factor authentication? Long and strong passwords? Did they conduct employee training on anti-phishing techniques?

Unfortunately, as of October 28, 2013, PDQPOS was only acceptable for pre-existing deployments. So it’s possible that some of these restaurants may receive fines if the system was installed after that date.

They’ve all had recent breaches.

How many well-known and large breaches have we had in the past year? A bazillion! Please see the page I’ve posted that shows a list of recent breaches.

What should you do if you’ve used a payment card–debit or credit–at a store with a recent breach?

  1. Check your financial statement to confirm that you used the card within the time period breached.
  2. If you have unauthorized charges, notify your financial institution immediately.
  3. Even if you don’t have unauthorized charges, ask your bank or credit union to replace your card.
  4. If the breached company is offering identity protection, sign up for it.
  5. If your identity has been stolen, this FTC site–Create an Identity Theft Report–will help you create documents for the various places you will need to contact.
  6. Don’t shop with a debit card online.
  7. Use the credit card option when shopping with a debit card.

KrebsOnSecurity stated last week that banks are seeing fraudulent ATM withdrawals from debit cards stolen in the Home Depot breach. Be vigilant!

The last thing to think about: what if a company has a breach and only issues a news release? Two recent examples include Dairy Queen and Jimmy John’s. There’s no additional information on their website, not even an apology! Should you continue to visit their establishment? How do you know they’ve even cleaned up their payment systems?

I’m voting with my feet and I will never buy anything from either Jimmy John’s or Dairy Queen again.

More on the Target breach …

Posted: December 29, 2013 by IntentionalPrivacy in Security Breach

According to the NY Times, Target is partnering with a Verizon forensic team to investigate the breach, as well as the Secret Service and the Justice Department.

If you would like to learn more about PIN number analysis, read this article: http://www.datagenetics.com/blog/september32012/. Nick Berry, the president of DataGenetics, also gave a speech on July 23, 2013, on TED Talks about how to use passwords and be safer on the Internet.

I shop at Target about once a week. Last Saturday, I was dismayed to discover that an estimated 40 million debit and credit cards used at Target had been stolen. This isn’t the first time my card number has been stolen, and it probably won’t be the last, unfortunately.

Many of those cards will be duplicate numbers, so the total number of cards stolen will probably be fewer than 40 million. Still, it is a very large breach, the second largest to date. The biggest breach—90 million credit/debit account numbers!—in the US occurred at TJX over a period of 18 months and was discovered on December 18, 2006 (TJX data theft).

First, let’s look at what happened:

  • On December 15, 2013, malware was discovered on Target’s point-of-sale systems at US stores. Target eliminated the malware, and notified card processors and payment card networks.
  • According to some sources (a Reuters story posted on Yahoo!), Target did not find the breach; it was discovered by a security researcher. That is worrisome.
  • According to Target, the issue only affected US stores; purchases made online at Target.com or in Canada were not part of the breach.
  • In their statement, Target explains the breach occurred between 11/27/2013 and 12/15/2013.
  • PIN data was stolen (Reuters – Target says PINs stolen, but confident data secure), but not the key, which, according to Target’s statement, resides at the external card processing center. They are not giving out the name of their processing center. The PIN data is encrypted with Triple DES encryption. To decrypt the PIN data, the thieves need the key.
  • There are 2 types of security codes used with credit/debit cards. Each card issuer calls the security codes by different names.
    • The first code is embedded in the magnetic stripe of the card and is used when you present the card to a merchant; it’s often called the CVV code. This one was included in the stolen data.
    • The second number, often called the CVV2 code, is not included in the magnetic stripe data and therefore was not stolen. This is the number used when you make card-not-present transactions, such as online or over the phone. American Express prints the four-digit number they use on the front side of the card, while most other issuers use a three-digit code printed on the back of the card next to the signature area.
  • The US Secret Service is investigating, as well as an unnamed outside investigator.
  • Stay tuned for more details. I don’t think investigators have a good handle on this theft yet, so the details are likely to change.

Note: PINs are not the safest way to protect your financial information; there are only 10,000 combinations (0000 to 9999). Europe uses electronic chips in their cards; another method is a dynamic PIN generated through a text message or some other medium, such as an RSA token. The problem with dynamic PINs is that they’re slow and expensive.

According to Krebs on Security, stolen Target credit/debit card numbers are already being sold in underground black markets in batches of one million cards.

What to do?

  1. Monitor any account(s) used at Target at least daily for evidence of tampering.
  2. Check out the Target breach details.
  3. Get a copy of your credit report. You get 1 free credit report from each credit agency per year. https://www.annualcreditreport.com/index.action
  4. Target says they will pay for credit reporting; they will have more details later.
  5. Replace your card:
    • If you use a Target REDcard, contact Target for a replacement card.
    • Ask your bank or credit union to replace each card used at Target during the dates the breach occurred.
  6. If you choose not to replace your card, at least change your PIN number.
  7. When you choose a PIN, do not use your birth date or consecutive digits, such as “1234.”
  8. Some cards allow you to add an alert when it’s used; check with your card issuer to find out if they have this feature. The Target REDcard does give you this ability.
  9. Do not respond to any scam emails, texts, or phone calls asking for your PIN or your social security number or your credit card number.
  10. Some people suggest buying a prepaid credit card or using cash instead of using credit/debit cards. I’ve never used one, so I don’t know anything about costs, but I’m going to look into it.

If you notice fraudulent activity in your account:

  1. Notify your card issuer immediately at the number on the back of your card and cancel your card. This greatly limits the payment portion of fraud you’re responsible for.
  2. Put a block on your credit report at one of the three credit reporting agencies:
  3. Read the FTC’s tips for “Lost or Stolen Credit, ATM, and Debit Cards.”

Who pays the costs?

While it’s true that the banks and the merchant eat the losses initially, ultimately we all pay the price of such theft through higher costs.

Electronic car fobs broken by car thieves

I’ve said it before and I’ll say it again: Do not leave valuables in sight in your car. TODAY goes on to recommend that you don’t leave your garage door opener or your car registration in your car either. You’re leaving yourself open to a home invasion and identity theft as well.

What is “medical record theft” and why would someone want to steal your medical information? Simple.

The hospital or clinic a person goes to most likely keeps their records on a computerized system called an “electronic medical record” or EMR. What is a thief looking for? Your medical record contains information like your insurance company information, other identity information, financial information, and drug information. The thieves use this information to steal medical services, obtain prescriptions, and maybe even identity and financial information to use in identity theft.

And what if the hospital or clinic shares information with another business partner, such as a consulting doctor?

Recent health care breaches:

  • 780,000 medical records stolen from the Utah Department of Health on April 9, 2012. The article stated that the cyber-hackers were operating out of Eastern Europe.

What can you do if your records are stolen? Here’s what the FTC recommends: http://ftc.consumerdev.org/bcp/edu/microsites/whocares/medicalidt.shtm

The FTC is holding hearings on Medical ID theft.

References: SC magazine http://www.scmagazine.com/id-thieves-find-gold-in-medical-data/article/236302/

What is Universal Plug and Play? It is a protocol that allows network devices to talk to each other, and it often runs on devices unless it is turned off. Devices that might have it enabled include home routers, printers, smart TVs, IP cameras, and home automation systems, but many other types of devices could have it turned on.

The first thing to check is your home router. How do you find out if your router is vulnerable? Rapid7 is a security research firm that has a free website-based tool that will check your router, available here http://upnp-check.rapid7.com/. Click the button “Scan My Router.” You do not have to install any software. It should take about 30 seconds to run.

If you want to check more than your router, there is a program on that page that you can download and run.

There is also a link to a page listing answers to frequently asked questions as well as a link to a more in-depth, technical explanation if you’re interested.

FTC Cellphone PROTECT Initiative

Posted: November 2, 2012 by IntentionalPrivacy in Cell phone, Identity theft

The FTC’s new program to help combat cellphone theft started on November 1, 2012. The major carriers–AT&T, Sprint, T-Mobile, and Verizon–have launched databases for stolen smart phones, so when a cellphone user reports that their cellphone has been stolen, that device will not be able to be used again. http://www.fcc.gov/document/announcement-new-initiatives-combat-smartphone-and-data-theft

The FTC advises cellphone users to lock their phones with a passcode to protect any information on their phone, use software to help locate lost devices and either install a remote-wipe application or enable the feature to remotely wipe a stolen device.

If your cellphone has been provided by your employer, look to them for guidance first.

Your provider should have more information on how to better protect your cellphone. Search their website using keywords such as “lock,” “locate device,” and “remote wipe.”

Here are a couple articles on what to do:

http://www.pcmag.com/article2/0,2817,2352755,00.asp

http://forums.att.com/t5/Apple-Community-Discussion/How-to-SECURE-YOUR-new-iPhone-4S-PLEASE-TAKE-THE-TIME-TO-READ-IT/td-p/3210869

I use Prey at https://preyproject.com/ to track my Mac and Windows laptops. Prey will also work for iOS, Linux, Ubuntu, and Android. While I don’t currently use a smart phone, when I had an Android (company supplied), I tried the Remote Wipe feature provided by our IT department and it worked perfectly. I also used the free version of Lookout for Android.

Thieves hacked into Barnes and Noble credit card swipe machines to steal credit and debit card data. According to http://abcnews.go.com/WNT/video/barnes-noble-customer-credit-card-info-stolen-17557470 B&N has removed all swipe machines from their stores nationwide.

This is not the first time such a theft has occurred. Last year, Michaels crafts stores were hit by a similar scam.

The FBI is investigating.