WebProNews

Tag: Security Breach

  • Identity Theft A Serious Problem During The Holidays

    Nothing puts a serious damper on holiday shopping quite like identity theft.

    Identity theft is what happens when a person obtains your personal information and then uses it without your permission.

    This action can result in stolen money or severely damaged credit.

    Unfortunately, identity theft is a rising problem in the United States.

    “With so much of our time spent online, the security of our personal information, and more importantly our identities, is being put at risk on a daily basis,” said Mark Weiner, the CMO for Centrify Corporation.

    According to the results of a recently released survey by Centrify, it’s estimated that as many as one-third of Americans have been a victim of identity theft at one point or another—and a number of U.S. citizens remain completely unaware of the fact!

    Of those surveyed, 1 in 10 was fortunate enough to fix the issue the same day.

    1 in 5 of those persons was not as lucky. It took these hapless individuals weeks to sort through the mess created by an identity thief.

    The survey results also gave some interesting news as to how victims felt they came to have an identity theft problem.

    “According to our survey,” said Weiner, “Online purchases were the top reason that users thought they became victims of identity theft, underscoring the importance of having confidence in one’s own online security.”

    It appears that where you spend your money online, and the online security in place, can play a MAJOR role in how secure your purchases are.

    This information could have important ramifications for the weekend ahead, which will officially usher in the Christmas shopping season.

    Black Friday in particular may be at risk for some major retailers following a series of massive security breaches.

    You don’t have to live in fear of identity theft.

    Be mindful of where and how you spend money. Opt for cash purchases when possible.

    Also, keep a close eye on your credit report, as it is often the first line of defense in spotting a serious issue and correcting it as soon as possible.

  • Data Breach At Home Depot: Where Is The Panic?

    The shifting attitude of American shoppers with regard to data breaches is a little surprising.

    When Target announced back in December 2013 that hackers had made off with the card information of thousands of holiday shoppers, it was a situation that hit the retailer’s brand pretty hard.

    The announcement came ahead of Christmas, the most important time of the year for businesses like Target.

    While Target is still reeling from negative public perception over their data breach crisis, Home Depot’s almost casual announcement that a breach occurred suggests it isn’t too worried about long-term ramifications.

    Home Depot’s breach could impact as many as 40 million shoppers.

    You would think there would be pandemonium.

    However, Home Depot boasts a few advantages that Target lacks.

    It’s important to note that this particular breach occurred during the retail equivalent of low tide. Things are already slow at Home Depot as spring, the company’s busiest time of year, is months behind it.

    Therefore there are no immediate consequences to be felt by this security breach. Compare that to Target, whose scandal hit during peak season.

    The customers who shop at Home Depot tend to be more loyal to the company’s unique brand than the people who shop at Target. That loyalty may be partially due to the fact that Home Depot sells specific products and that alternative companies are few.

    Target struggled in recent years thanks in large part to the recession. As for Home Depot, the company has been boosted by a turnaround in the housing market, raising profits 13.5 percent.

    Lastly, Target’s unfortunate situation served to shield Home Depot from the sensation of shock and panic. Because major breaches have already occurred, the public is more inclined to feel annoyed rather than afraid.

    While this is understandable, should customers take the reality of data breaches for granted? The fact remains that inadequate security puts their financial information and money at risk.

    However casually the latest data breach may be viewed, it doesn’t change the fact that something must be done.

  • Michaels Security Breach Affected Three Million Cards

    Michaels, North America’s largest specialty arts & crafts store, has confirmed that a security breach exposed data from millions of transactions from May 8th, 2013, to January 27th, 2014.

    “Our customers are always our number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused. We are committed to assisting affected customers by providing fraud assistance, identity protection and credit monitoring services. Importantly, with this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers,” said Chuck Rubin, CEO.

    We’d known about a possible breach at Michaels (and their subsidiary Aaron Brothers) since January, when the company notified customers that they were investigating the possibility. In January, the Krebs on Security blog confirmed that the company and the U.S. Secret Service were launching an investigation into a data breach.

    Today, Michaels has confirmed everything, stating that approximately 2.6 million cards could have been impacted (via Michaels transactions) and an additional 400,000 cards affected through Aaron Brothers transactions.

    This comes to about 7% of all the cards used at Michaels stores during the breach period.

    The company blames “highly sophisticated malware that had not been encountered previously by either of the security firms,” as the root of the issue.

    “In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers,” said Rubin.

    Right now, Michaels admits to a “limited number” of reports from cardholders and banks that their cards were used fraudulently as a result of the data breach.

    This news comes on the heels of several other high-profile data breaches of major retailers, including Target and Neiman Marcus. As a way to assuage consumer anxiousness, Target offered all customers a year of free credit monitoring. Michaels is doing the same.

  • Heartbleed Bug Gives Hackers Access To User Data And Passwords

    A major online bug called CVE-2014-0160, more popularly known as “Heartbleed”, allows hackers to retrieve data from online services and websites. The bug was recently found by Neel Mehta of Google’s security team with a team of engineers from security company Codenomicon.

    To those who know how to work around it, Heartbleed can reveal the contents of a server’s memory—and this is where the most sensitive data is stored. This makes private data such as passwords and credit card numbers available to third parties. Hackers can also gain access to a server’s digital keys, and then use them to decrypt information and communications from the past, and potentially the future.

    Particularly prone to the bug are online services that use OpenSSL, which secures sites that use HTTPS encryption to keep data protected.

    The good news is that the bug has affected only certain versions of OpenSSL so far—versions 1.0.1 and 1.0.2 beta—and fixes for these have already been issued. The bad news is that the bug was only recently discovered while the vulnerable OpenSSL versions have been in use for two years. There is no way to tell which kinds of data hackers have already collected and used through Heartbleed.

    Social and blogging service Tumblr has released a note advising its users to change all their passwords immediately. Software developers and online security companies are looking into the extent of the bug, with some reporting that through Heartbleed they were able to access hundreds of Yahoo usernames and passwords.

    Yahoo and several other affected sites have issued statements letting users know that they have updated their code and have taken care of the situation. It is predicted that many websites will take a while to protect themselves from possible Heartbleed breaches as this will entail rewriting code and revoking security certificates.

  • Target Tech Chief Resigns Following Massive Data Breach

    The chief information officer (CIO) of Target Corporation has turned in her resignation following months of a devastating data breach.

    Since 2008, Beth Jacob served as executive vice president of technology services and chief information officer of the retail company. She first started out as an assistant buyer at a store division in 1984. Then, in 2002 she became the director of Target’s contact centers.

    Most recently, Jacob played a major role in overseeing the company’s latest futuristic technology lab in San Francisco.

    According to the Los Angeles Times, Chief Executive Gregg Steinhafel confirmed in a statement Wednesday that they are now looking for a new interim CIO who can “guide Target through this transformation.”

    Target announced during the holidays that “40 million payment card accounts were hacked during the pre-Christmas shopping season, and added later that about 70 million customers may have also had their addresses, phone numbers and other information compromised.”

    Most customers believed that the one to blame for the breach is Jacob.

    Here is an interview featuring Jacob in January 2013:

    Some experts feel that her resignation may have been in response to the ever-changing roles that a CIO has to conform to daily. Not only does the public expect them to supervise technology, but also the security of the company systems now that data hacking is gaining momentum.

    Jacob apparently left because she felt that it was “time for a change,” but some assume that her departure was definitely provoked by public criticism.

    “People are questioning Target’s security and she was the fall guy,” said a New York-based retail consultant.

    Target’s data theft is reportedly the most notorious scandal ever witnessed in retail history.

    “To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices at Target,” he said in a statement, according to the Los Angeles Times.

    The corporation is currently working with Promontory Financial Group, which will help them move forward with a $100 million technology and infrastructure renovation. Target plans to implement payment cards designed with encrypted chips. The company expects this new system to improve future security within their information database.

    The company continues to suffer from a decline in consumer loyalty. Since last week, they have witnessed their profits fall 46 percent and their revenue by 5.3 percent.

    Target’s hacking expenses cost the corporation $61 million, but they’re hoping that insurance will cover most of it.

    Here is Steinhafel’s full statement tweeted by a FOX TV reporter:

  • Nun Sentenced To Prison For Peace Activism

    The 84-year-old nun, Sister Megan Rice, is no stranger to activism. She has been protesting and wreaking havoc on sites that deal with nuclear power for decades. Now, she has been sentenced to nearly three years in prison.

    She doesn’t seem to mind though, because she was quoted by Al Jazeera as saying that being in prison for an extended time would allow her “to serve the other women in prison.”

    “Please have no leniency on me,” Rice told the judge. “To remain in prison for the rest of my life would be the greatest honor you could give me.”

    In prison, Rice said she learned to see her fellow inmates not as perpetrators but as “victims” of a system that gave them few options.

    Regardless of her preferences or beliefs, on Tuesday, a U.S. judge sentenced her to 35 months in prison for breaking into a Tennessee defense facility where enriched uranium for nuclear bombs is stored, known as the Y-12 National Security Complex. Both of Rice’s accomplices, Michael Walli, 65, and Gregory Boertje-Obed, 58, received 62-month terms, more than Rice because of their previous acts of civil disobedience. All three were collectively fined in excess of $53,000 for damages.

    The catalyst to this escapade, strangely enough, created some serious embarrassment when the facility, also known as the country’s Fort Knox of uranium, was so easily accessed.

    Rice and her cohorts decided to stage a protest to draw attention to the U.S. nuclear arsenal. Outdated cameras and fences couldn’t prevent the three elderly people from damaging what some believe was an extremely secure facility, raising questions about how they might restrain professional thieves with less idealistic intentions.

    Some members of Congress even thanked Rice and her accomplices for bringing the Y-12 facility’s security problems to the nation’s attention.

    The three activists were prepared for the worst. “We were very aware that we could have died,” Rice said.

    Their activism was twofold. It brought attention to the easily accessible arsenal of nuclear weaponry and drew attention to the U.S. nuclear stockpiles.

    Rice called it “hypocritical” to demand other countries to disarm, when in 2008, for example, the U.S. was spending at least $52 billion a year on nuclear weapons, according to the Carnegie Endowment for International Peace. And only 10 percent of that spending is devoted to disarmament.

  • Never Use Your Debit Card During Security Breach

    In light of the recent security breach at Target and now Neiman Marcus (NM), the topic has been on a lot of people’s minds. Which card is better, debit or credit, when looking at extra protection needed during this crisis?

    An investigation by the F.B.I., the Secret Service, the Justice Department and numerous others found that hackers stole the personal information of at least 70 million customers, not the 40 million first suspected, and that theft included names, mailing addresses, telephone numbers and email addresses.

    For years, financial gurus have strongly advised against using credit cards frequently because of the expense. This is because of the tendency of most Americans to run those cards up to limits that are exasperating, incurring outrageous interest fees as well. But during one of the most heightened security breach crimes on the books, there is a change in the consensus.

    Even though both cards were affected during the Target and NM breach, and Target has assured its customers that they won’t be held financially responsible for any fraud that occurs on their credit or debit card, the best solution of course, is to use neither.

    But, with a debit card, you are less protected and have fewer rights when it comes to purchases that you didn’t authorize. And, if you do have charges to your account made by thieves, your liability is greater with a debit card as is the time to resolve the theft.

    A debit card requires that you notify your bank within two days of the transaction in question. If you read that little fine print that comes along with your card, you’ll note that the Federal Deposit Insurance Corporation (FDIC) states, “To be fully protected under the law, you must submit specific information about unauthorized debit and ATM card transactions within a short time period,” stressed Kirk Daniels, an FDIC Supervisory Consumer Affairs Specialist. “That’s also why it’s important to review your bank statements and report a problem as soon as possible.”

    So what if you don’t contact them within that short time period? Your liability fully depends on how quickly you report it to your bank. If you notify them after the required two days, under the law you could lose up to $500, or more. Depending on your bank, they may waive all liability for unauthorized transactions but that is completely up to them.

    Another downfall is that banks have much more time to conduct an investigation after the theft is reported. Some banks could take up to 20 days and in special circumstances up to 45 – 90 days to figure out what happened, but most will refund the stolen funds on a temporary basis. Don’t count on that, though; each bank is slightly different.

    “Until the bank provides provisional credit, you could temporarily be out of pocket for the amount in dispute,” said Richard Foley, an FDIC attorney who specializes in consumer issues. “This would not typically happen with a credit card because consumers can withhold payment of the amount in dispute.”

    With a credit card you have much better control. By withholding payment and filing a fraud report, disputing charges can be addressed immediately and not directly affect your bank account.

  • Target Hackers Pounced On Outdated Security System

    In the aftermath of the second-largest credit card security breach in American history, new details are emerging regarding what led to it—and why it may very well happen again.

    On December 19th, the retailer Target announced that upwards of 40 million credit card numbers were hacked between the period ranging from the day before Thanksgiving until about December 15th. While the company conveyed in its message that the customers were not at fault and that they likely would not be in any serious danger, it fell on deaf ears. Customers were very upset, especially when it became impossible for victims of the theft to contact company personnel to ask important questions.

    Target hoped to do damage control by offering first a 10% discount to all shoppers for a couple of days and then a free credit check. The efforts seem to be coming up short in the eyes of the public. First there are those who were negatively impacted by a credit limit imposed by JPMorgan Chase as a security precaution. As a result, last minute Christmas shopping would be extremely curtailed for those who braved Target’s checkout lines.

    The free credit check is hardly generous since a free credit report is available annually from only one source: A government-sponsored website called Annual Credit Report. Regardless of Target’s mentioning it, consumers could go to the same place…So just how generous is this offer really? As for the 10% discount, it remains to be seen if it will make a dent in the negative publicity.

    If you are an impacted consumer who intends to take your business elsewhere or are breathing a sigh of relief at having avoided this particular catastrophe, then there is something you need to know. According to security experts, the problem that led to the massive hacking is not Target’s fault alone. It’s actually an American problem. The very cards you use have an outdated security measure – the magnetic strip on the back.

    The card strips are based on the very same technology that gave us cassette tapes. That’s right, CASSETTE TAPES. Think about when those tapes were a dominant music medium and count the decades between then and now. Other wealthy countries have moved on to cards that use digital chips to hold information. These cards are secure to the point that it’s too much work to hack them. Why bother when you have one of the wealthiest nations on the planet using measures that are decades behind?

    If you were hoping to avoid a major breach in the future by taking your credit or debit card elsewhere, don’t bother. Experts say that it’s just a matter of time before the next breach happens. The only way to get around it would require millions of Americans to be upgraded to more secure and better made cards. Unfortunately, this is a pricy solution that many companies will not bother with if they don’t have to. As for the stolen cards, hackers have already started putting fake versions on the black market.

    To avoid immediate detection, it seems these individuals are selling the cards in the same areas they were stolen from. Financial institutions tend to be more mindful of card transactions that take place far from the zip code location where a card owner resides and shops. If a stolen card is being used within the same area as the victim, unless that card has been reported stolen then odds are they won’t notice.

    The best bet for all victims is to cancel the cards immediately and get new ones. Additionally, persons must carefully consider where and how they use their cards and be mindful of their credit information. If you really think about it, these are the sort of measures that sensible shoppers are meant to use regardless.

  • Target Discount Bullseye or Miss?

    Retailer Target is definitely looking as red-faced as its logo following a massive security breach affecting potentially tens of millions of customers. The handling of the matter has been less than stellar. The initial message to consumers regarding what happened was both inadequate in explanation and downright condescending in tone. After major backlash over the event and the company’s inability to be reached on the matter, Target is doing what it can in terms of damage control. The company announced a ten percent discount for all shoppers in hopes of getting back into the good graces of shoppers and encouraging customers to return to their stores following the breach.

    Many Target customers have expressed a great deal of anger at the security breach happening and frustration at being unable to talk to anyone at the company. Target has tried to communicate via its Facebook page that it is aware of customer concern and anger:

    “We’re in this together,” says company CEO Gregg Steinhafel in a video at the company’s website. “In that spirit, we are extending a 10 percent discount, the same amount our team members receive, to guests who shop in US stores on December 21 and 22.”

    JP Morgan Chase isn’t taking any chances, limiting daily credit card spending on customers who shopped at Target. This step is meant to keep accounts secure until at-risk customers can be sent new cards. They may have to move fast as ABC News reports that the stolen numbers are being sold on the black market as fake credit cards. Unfortunately with the last days of shopping prior to Christmas upon us, it means that some last minute shoppers will be reaching for gift cards instead of pricier presents.

    Whether or not the discount will be a hit or miss is unknown. Perhaps a bigger discount in the wake of events may have encouraged nervous customers to return to the stores. It could be that customers may feel moved to spend money on discounts elsewhere on future Black Fridays–and every day in between.

  • Verizon Data Breach Report Available as a Free iBook

    Verizon’s 2012 Data Breach Investigations Report was released as a PDF back in March, but now those interested in the world of digital espionage can kick back and read the report on their iPad, as Verizon is releasing the entire report as an iBook. The report revealed that Anonymous “hacktivism” is on the rise worldwide. “Hacktivism” is generally understood to be system security breaches by individuals or groups motivated by political disagreement or protest.

    The iBook is only available in English, but Verizon states that the iBook format is more easily digestible than the PDF. Charts and graphs in the report have been placed closer to their reference text and they can now be interacted with for a zoom-view. Users can also now search through the text more easily to find specific topics.

    “Earlier this month, we announced that the full ‘2012 Data Breach Investigations Report’ is available for the first time in six additional languages, and now we are delivering an iBook version to meet the overwhelming interest in the report from the business and security communities,” said Wade Baker, director of risk intelligence for Verizon. “Today users have multiple ways of getting to our data and using it to make better informed security decisions as well as to bolster their security defenses.”

    This year’s report is Verizon’s fifth annual Data Breach Investigations Report. It includes analysis by the Verizon Research Investigations Solutions Knowledge (RISK) team of 855 data breaches and over 174 million compromised records. The report can be downloaded now in the Apple App Store or through iTunes.

  • ICANN System for New gTLDs to Reopen

    It was recently reported that The Internet Corporation for Assigned Names and Numbers’ (ICANN) system for submitting applications for new generic top-level domains (gTLDs) has been down as of late, and now ICANN engineers plan to reopen the application platform on May 22, with the new deadline for submitting applications being May 30.

    The application platform, called TLD application system (TAS), was taken down after a glitch was reported which allowed applicants to see each other’s user names and file names. ICANN set April 12th as the last day to submit applications before taking the system offline, after its board of directors approved an increase of the number of gTLDs from the current amount of 22 last June. ICANN, which moderates the address system of the internet, also began accepting non-traditional domain name endings this year, including ‘.sport,’ ‘.food,’ and ‘.bank,’ in hopes of prompting innovation in web commerce. Some critics, though, have stated that the new extensions might only confuse consumers and force established online storefronts to spend millions on securing new versions of their brand web addresses.

    ICANN had recently stated that the glitch in their system only affected a small number of users, and that there is no evidence that anyone exploited the security breach. ICANN has been in the process of notifying those who were affected by the problem, and should finally have the system running again after tying up loose ends.

  • What ICANN Should Do To Rebuild Trust After Security Breach

    During what was supposed to be the exciting early stages of an Internet domain name “revolution,” ICANN is finding itself in a heap of controversy over its new generic top-level domain program. In January, the Internet Corporation for Assigned Names and Numbers began rolling out its historic decision to open up the domain name market.

    The application process was supposed to end on April 12, but was shut down and postponed indefinitely after ICANN detected a technical issue in its TAS software. Furthermore, the glitch allowed some applicants to see the user or file names of other applicants.

    Does ICANN’s security glitch put the entire new gTLD program into question? What do you think?

    There have been many groups that have opposed ICANN’s decision from the start. The Association of National Advertisers (ANA) has been one of the biggest forces in speaking out against the move and believes these recent developments are proof of the concerns they have raised all along.

    “It is of concern that the system that they said had to be moving forward rapidly has been closed down more than 18 days,” Dan Jaffe, the Group Executive Vice President of Government Relations at ANA, told WebProNews.

    ICANN has not been very forthcoming with the details about its glitch, which has raised even more concerns over the incident. Jaffe believes the issue is more than just a “glitch” since the system has been shut down for such a long time.

    ANA has reached out to ICANN requesting that it bring in a third party consultant to investigate the issue. It would like ICANN to release a full report explaining how the incident happened, who was impacted, and what ICANN is doing to make sure everyone involved is being treated fairly.

    “It’s a little hard, however, even if they extend the application period, if some groups have better information than all the others,” said Jaffe. “I don’t know they’re going to put everybody on the same footing.”

    Jaffe went on to say that ANA encouraged ICANN to ensure that its system was running effectively before the application process began. He pointed out that a program that was intended to transform the way people use the Internet needed to be handled with more “care and caution” than it was given.

    At this point, ICANN has not issued any type of response to ANA. The association, however, also reached out to the Commerce Department’s Larry Strickling asking that it get involved in addressing the concerns. Jaffe told us that he hopes the department presses ICANN for answers and doesn’t allow it to move forward with its plan until applicants are assured of protection.

    When asked if he thought the new gTLD program should be suspended as a result of these developments, Jaffe told us that he wasn’t sure if such a drastic measure was necessary. He would like to see ICANN take action on the “Do Not Sell” approach, which ANA has proposed, that would protect brands from applying for new top-level domains for defensive purposes, but, again, it has not received a response on it.

    “We think it’s inappropriate, and we are hopeful that ICANN would do something about it,” said Jaffe. “So far, they have not taken any steps to protect brand holders in that area either.”

    ICANN is currently notifying the applicants that were compromised and is expected to re-open the application process once everyone is informed, which is supposed to be by May 8. Here’s the latest statement from ICANN’s COO Akram Atallah on the issue that includes statistics of the breach:

    ICANN is in the process of notifying applicants whether they were affected by the software glitch that caused us to take the TLD Application System, or TAS, offline. As we announced earlier this week, we plan to complete this notification process on or before 8 May.

    As we notify applicants, we want to share some data that gives insight into the scope of the problem and the number of applicants affected.

    At the time we took the system offline, there were 1268 registered users and some 95,000 file attachments in the system. Of these, there were approximately 455 instances where a file name and the associated user name might have been viewed by another applicant. We are continuing to review system logs and packet-level traffic to confirm how many viewings actually did occur.

    Our review has determined that approximately:
    • 105 applicants might have had file names and user names viewed by another applicant.
    • 50 applicants might have viewed file names and user names from one or more other applicants.

    Work continues on enhancing system performance and testing the fix for the glitch.

    We recognize and regret the inconvenience to applicants as they try to plan their schedules and resources in anticipation of TAS reopening. As we have previously announced, we will keep the system open for at least five business days to allow applicants to assure themselves that their applications remain as they intended.