
Krebs on Security: 3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches

This post was syndicated from Krebs on Security and was written by Brian Krebs.

Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.

The disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.

The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.

The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores across the nation, stealing more than 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013. That malware was designed to siphon card data when customers swiped their cards at the cash register.

According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.

The company’s statement says the attack on Michaels targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”

“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.”

Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.

“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.”

This incident marks the second time in three years that Michaels Stores has wrestled with a widespread compromise of its payment card systems. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.

Michaels says that while the Company has received limited reports of fraud, it is offering identity protection, credit monitoring and fraud assistance services through AllClear ID to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them. Details of the services and additional information related to the ongoing investigation are available on the Michaels and Aaron Brothers websites at www.michaels.com and www.aaronbrothers.com.

Incidentally, credit monitoring services will do nothing to protect consumers from fraud on existing financial accounts — such as credit and debit cards — and they’re not great at stopping new account fraud committed in your name. The most you can hope for with these services is that they alert you as quickly as possible after identity thieves have opened or attempted to open new accounts in your name.

As I noted in a recent story about the credit monitoring industry, the offering of these services has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud). For more information about the limitations of credit monitoring services and more proactive steps that you can take to better protect your identity and credit file, check out this story.

Krebs on Security: Critical Java Update Plugs 37 Security Holes


Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update (or to ditch the program once and for all).

The latest update for Java 7 (the version most users will have installed) brings the program to Java 7 Update 55. Those who’ve chosen to upgrade to the newer, “feature release” version of Java — Java 8 — will find fixes available in Java 8 Update 5 (Java 8 doesn’t work on Windows XP).

According to Oracle, at least four of the 37 security holes plugged in this release earned a Common Vulnerability Scoring System (CVSS) rating of 10.0 — the most severe possible. According to Oracle, vulnerabilities with a 10.0 CVSS score are those which can be easily exploited remotely and without authentication, and which result in the complete compromise of the host operating system.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework).

Krebs on Security: Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach


Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”

“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”

“Security and data privacy are extremely important to LaCie, and we deeply regret that this happened. We are in the process of implementing additional security measures which will help to further secure our website. Additionally, we sent notifications to the individuals who may have been affected in order to inform them of what has transpired and that we are working closely and cooperatively with the credit card companies and federal authorities in their ongoing investigation.”

It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time.

As I noted in a related story last month, Adobe ColdFusion vulnerabilities have given rise to a number of high profile attacks in the past. The same attackers who hit LaCie also were responsible for a breach at jam and jelly maker Smuckers, as well as Alpharetta, Ga. based credit card processor SecurePay.

In February, a hacker in the U.K. was charged with accessing computers at the Federal Reserve Bank of New York in October 2012 and stealing names, phone numbers and email addresses using ColdFusion flaws. According to this Business Week story, Lauri Love was arrested in connection with a sealed case which claims that between October 2012 and August 2013, Love hacked into computers belonging to the U.S. Department of Health and Human Services, the U.S. Sentencing Commission, Regional Computer Forensics Laboratory and the U.S. Department of Energy.

According to multiple sources with knowledge of the attackers and their infrastructure, this is the very same gang responsible for an impressive spree of high-profile break-ins last year, including:

-An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion, Adobe Reader/Acrobat/Photoshop);

-A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll.

-A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.

Krebs on Security: Crimeware Helps File Fraudulent Tax Returns


Many companies believe that if they protect their intellectual property and customers’ information, they’ve done a decent job of safeguarding their crown jewels from attackers. But in an increasingly common scheme, cybercriminals are targeting the Human Resources departments at compromised organizations and rapidly filing fraudulent federal tax returns on all employees.

Last month, KrebsOnSecurity encountered a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W2 forms for all employees.

An obfuscated look at the control panel for a tax fraud operation involving more than a half dozen victim organizations.

According to the control panel seen by this reporter, the scammers in charge of this scheme have hacked more than a half-dozen U.S. companies, filing fake tax returns on nearly every employee. At last count, this particular scam appears to stretch back to the beginning of this year’s tax filing season, and includes fraudulent returns filed on behalf of thousands of people — totaling more than $1 million in bogus returns.

The control panel includes a menu listing every employee’s W2 form, including all data needed to successfully file a return, such as the employee’s Social Security number, address, wages and employer identification number. Each fake return was apparently filed using the e-filing service provided by H&R Block, a major tax preparation and filing company. H&R Block did not return calls seeking comment for this story.

The “drops” page of this tax fraud operation lists the nicknames of the co-conspirators who agreed to “cash out” funds on the prepaid cards generated by the bogus returns — minus a small commission.

Fraudulent returns listed in the miscreants’ control panel that were successfully filed produced a specific five-digit tax filing Personal Identification Number (PIN) apparently generated by H&R Block’s online filing system. An examination of the panel suggests that successfully-filed returns are routed to prepaid American Express cards that are requested to be sent to addresses in the United States corresponding to specific “drops,” or co-conspirators in the scheme who have agreed to receive the prepaid cards and “cash out” the balance — minus their fee for processing the bogus returns.

Alex Holden, chief information security officer at Hold Security, said although tax fraud is nothing new, automating the exploitation of human resource systems for mass tax fraud is an innovation.

“The depth of this specific operation permits them to act as a malicious middle-man and tax preparation company to be an unwitting ‘underwriter’ of this crime,” Holden said. “And the victims may be exploited not only for the 2013 tax year but also down the road, and perhaps be subject to higher scrutiny by the IRS — not to mention potential financial losses. Companies should look at their human resource infrastructure to ensure that payroll, taxes, financial, medical, and other benefits are afforded the same level of protection as their other mission-critical assets.”

ULTIPRO USERS TARGETED

I spoke at length with Doug, a 45-year-old tax fraud victim at a company that was listed in the attacker’s control panel. Doug agreed to talk about his experience if I omitted his last name and his employer’s name from this story. Doug confirmed that the information in the attacker’s tax fraud panel was his and mostly correct, but he said he didn’t recognize the Gmail address used to fraudulently submit his taxes at H&R Block.

Doug said his employer recently sent out a company-wide email stating there had been a security breach at a cloud provider that was subcontracted to handle the company’s employee benefits and payroll systems.

“Our company sent out a blanket email saying there had been a security breach that included employee names, addresses, Social Security numbers, and other information, and that they were going to pay for a free year’s worth of credit monitoring,” Doug said.

Almost a week after that notification, the company sent out a second notice stating that the breach extended to the personal information of all spouses and children of its employees.

“We were later notified that the breach was much deeper than originally suspected, which included all of our beneficiaries, their personal information, my life insurance policy, 401-K stuff, and our taxes,” Doug said. “My sister-in-law is an accountant, so I raced to her and asked her to help us file our taxes immediately. She pushed them through quickly but the IRS came back and said someone had already filed our taxes a few days before us.”

Doug has since spent many hours filling out countless forms with a variety of organizations, including the Federal Trade Commission, the FBI, the local police department, and of course the Internal Revenue Service.

Doug’s company and another victim at a separate company whose employees were all listed as recent tax fraud victims in the attacker’s online control panel both said their employers’ third-party cloud provider of payroll services was Weston, Fla.-based Ultimate Software. In each case, the attackers appear to have stolen the credentials of the victim organization’s human resources manager, credentials that were used to manage employee payroll and benefits at Ultipro, an online HR and payroll solutions provider.

Jody Kaminsky, senior vice president of marketing at Ultimate Software, said the company has no indication of a compromise of Ultimate’s security. Instead, she said Doug’s employer appears to have had its credentials stolen and abused by this fraud operation.

“Although we are aware that several customers’ employees were victims of tax fraud, we have no reason to believe this unauthorized access was the result of a compromise of our own security,” Kaminsky said. “Rather, our investigation suggests this is the result of stolen login information on the end-user level and not our application.”

Kaminsky continued:

“Unfortunately incidents of tax fraud this tax season across the U.S. are increasing and do not appear to be limited to just our customers or any one company (as I’m sure you’re well aware due to your close coverage of this issue). Over the past several weeks, we have communicated multiple times with our customers about recent threats of tax fraud and identity theft schemes.”

“We believe through schemes such as phishing or malware on end-user computers, criminals are attempting to obtain system login information and use those logins to access employee data for tax fraud purposes. We take identity theft schemes extremely seriously. As tax season progresses, we have been encouraging our customers to take steps to protect their systems such as enforcing frequent password resets and ensuring employee computers are up-to-date on anti-malware protection.”

PROTECT YOURSELF FROM TAX FRAUD

According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It’s important to note that fraudsters engaged in this type of crime are in no way singling out H&R Block or Ultipro. Cybercrooks in charge of large collections of hacked computers can just as easily siphon usernames and passwords — as well as incomplete returns — from taxpayers who are preparing returns via other online filing services, including TurboTax and TaxSlayer.

If you become the victim of identity theft outside of the tax system or believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.

That process is likely to involve the use of taxpayer-specific PINs for people who have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such as a driver’s license or passport.

The most frightening aspect of this tax crimeware panel is that its designers appear to have licensed it for resale. It’s not clear how much this particular automated fraud machine costs, but sources in the financial industry tell this reporter that this same Web interface has been implicated in multiple tax return scams targeting dozens of companies in this year’s tax-filing season.

Krebs on Security: Heartbleed Bug: What Can You Do?


In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here’s a short primer.

The Heartbleed bug concerns a security vulnerability in a component of recent versions of OpenSSL, a technology that a huge chunk of the Internet’s Web sites rely upon to secure the traffic, passwords and other sensitive information transmitted to and from users and visitors.

Around the same time that this severe flaw became public knowledge, a tool was released online that allowed anyone on the Internet to force Web site servers that were running vulnerable versions of OpenSSL to dump the most recent chunk of data processed by those servers.

That chunk of data might include usernames and passwords, re-usable browser cookies, or even the site administrator’s credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers. Indeed, I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug.
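The over-read described above, modelled as an added example that is not OpenSSL’s code and not part of the original post: a simplified heartbeat handler that trusts the peer’s length field, next to one that checks that claim against the record it actually received. The message layout, buffer names, and the “leftover” cookie data are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Simplified model of the TLS heartbeat flaw (added illustration, not
 * OpenSSL's code). A heartbeat request is laid out as
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
 * The flawed handler echoes payload_length bytes without checking that the
 * record it received is that long, so memory after the real record leaks. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HEADER   3   /* type + 2-byte length */

/* Flawed handler: returns bytes written to resp, or -1 on rejection. */
static int heartbeat_vulnerable(const uint8_t *record, size_t record_len,
                                uint8_t *resp, size_t resp_cap)
{
    (void)record_len;                    /* the bug: never consulted */
    if (record[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((record[1] << 8) | record[2]);
    size_t need = HB_HEADER + payload + HB_PADDING;
    if (need > resp_cap) return -1;      /* only the output side is sized */
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)payload;
    memcpy(resp + HB_HEADER, record + HB_HEADER, payload); /* over-read */
    memset(resp + HB_HEADER + payload, 0, HB_PADDING);
    return (int)need;
}

/* Fixed handler: the peer-supplied length is checked against the record
 * actually received before anything is copied. */
static int heartbeat_fixed(const uint8_t *record, size_t record_len,
                           uint8_t *resp, size_t resp_cap)
{
    if (record_len < (size_t)(HB_HEADER + HB_PADDING)) return -1; /* too short */
    if (record[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((record[1] << 8) | record[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > record_len)
        return -1;                       /* the fix: claim exceeds record */
    size_t need = HB_HEADER + payload + HB_PADDING;
    if (need > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)payload;
    memcpy(resp + HB_HEADER, record + HB_HEADER, payload);
    memset(resp + HB_HEADER + payload, 0, HB_PADDING);
    return (int)need;
}

/* Constructed connection buffer: the heartbeat record sits at the front,
 * followed by data left over from an earlier request (one buffer keeps the
 * demo's over-read inside allocated memory). */
static uint8_t conn_buf[512];
static const char LEFTOVER[] = "Cookie: session=SECRET-TOKEN-1234";

static size_t build_request(uint16_t claimed_len, const char *real_payload)
{
    size_t n = strlen(real_payload);
    memset(conn_buf, 0, sizeof conn_buf);
    conn_buf[0] = HB_REQUEST;
    conn_buf[1] = (uint8_t)(claimed_len >> 8);
    conn_buf[2] = (uint8_t)claimed_len;
    memcpy(conn_buf + HB_HEADER, real_payload, n);
    size_t record_len = HB_HEADER + n + HB_PADDING;  /* padding already zero */
    memcpy(conn_buf + record_len, LEFTOVER, sizeof LEFTOVER);
    return record_len;
}

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if a request claiming 200 bytes (carrying 4) makes the flawed handler
 * echo back the leftover secret. */
int vulnerable_leaks_secret(void)
{
    uint8_t resp[512];
    size_t rec = build_request(200, "ping");
    int n = heartbeat_vulnerable(conn_buf, rec, resp, sizeof resp);
    return n > 0 && contains(resp, (size_t)n, "SECRET-TOKEN");
}

/* The fixed handler's result for the same lying request (-1 = rejected). */
int fixed_rejects_oversized(void)
{
    uint8_t resp[512];
    return heartbeat_fixed(conn_buf, build_request(200, "ping"), resp, sizeof resp);
}

/* 1 if an honest request (claim matches payload) is still echoed correctly. */
int fixed_handles_valid(void)
{
    uint8_t resp[512];
    size_t rec = build_request(4, "ping");
    int n = heartbeat_fixed(conn_buf, rec, resp, sizeof resp);
    return n == (int)rec && resp[0] == HB_RESPONSE &&
           contains(resp, (size_t)n, "ping") && !contains(resp, (size_t)n, "SECRET");
}
```

The real fix also needs the server to be running a patched OpenSSL build; a version that merely looks current may still carry the flaw if the patch was not applied.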

For this reason, I believe it is a good idea for Internet users to consider changing passwords at least at sites that they visited since this bug became public (Monday morning). But it’s important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords. Here are some resources that can tell you if a site is vulnerable:

http://filippo.io/Heartbleed/

https://www.ssllabs.com/ssltest/

http://heartbleed.criticalwatch.com/

https://lastpass.com/heartbleed/

As I told The New York Times yesterday, it is likely that many online companies will be prompting or forcing users to change their passwords in the days and weeks ahead, but then again they may not (e.g., I’m not aware of messaging from Yahoo to its customer base about their extended exposure to this throughout most of the day on Monday). But if you’re concerned about your exposure to this bug, checking the site and then changing your password is something you can do now (keeping in mind that you may be asked to change it again soon).

It is entirely possible that we may see a second wave of attacks against this bug, as it appears also to be present in a great deal of Internet hardware and third-party security products, such as specific commercial firewall and virtual private network (VPN) tools. The vast majority of non-Web server stuff affected by this bug will be business-oriented devices (and not consumer-grade products such as routers, e.g.). The SANS Internet Storm Center is maintaining a list of commercial software and hardware devices that either have patches available for this bug or that will need them.

For those in search of more technical writeups/analyses of the Heartbleed bug, see this Vimeo video and this blog post (hat tip once again to Sandro Süffert).

Finally, given the growing public awareness of this bug, it’s probable that phishers and other scam artists will take full advantage of the situation. Avoid responding to emailed invitations to reset your password; rather, visit the site manually, either using a trusted bookmark or searching for the site in question.

Krebs on Security: Fact-Checking Experian’s Talking Points


In the wake of long-overdue media attention to revelations that a business unit of credit bureau Experian sold consumer personal data directly to an online service that catered to identity thieves, Experian is rightfully trying to explain its side of the story by releasing a series of talking points. This blog post is an attempt to add more context and fact-checking to those talking points.

Experian has posted several articles on its Web properties that lament the existence of “inaccurate information about Experian circulating in news outlets and other Web sites.”

“It’s no surprise that cybercrime and data breaches are hot topics for media and bloggers these days,” wrote Gerry Tschopp, senior vice president of public affairs at Experian. “Unfortunately, because of all the attention paid to these topics, we’ve seen some inaccurate information about Experian circulating in news outlets and other Web sites. I want to take a moment to clarify the facts and events.”

I’ve read this clarification closely, and it seems that Experian’s latest talking points deserve some clarification and fact-checking of their own. Below are Experian’s assertions of the facts (in bold), followed by some supplemental information glossed over by said statements of fact.

-No Experian database was accessed. The data in question have at all relevant times been owned and maintained, not by Experian, but by a company called US Info Search.

As all of my stories on this incident have explicitly stated, the government has said the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa. Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including the proprietor of the identity theft service).

For its part, US Info Search says Experian’s explanation of the events is based on false statements and misrepresentations, and that the proprietor of the ID theft service paid Experian for his access using large cash payments sent to Experian via wire from Singapore.

“Experian provided access to records via a gateway that used multiple data sources and the suspect never had access to our service,” US Info Search CEO Marc Martin said in a written statement. “We, like many others, provide data to Experian, who in turn sold data to customers they approved and monitored. Our agreement with Court Ventures and subsequently Experian was to provide information that was being used for identity verification and fraud prevention.”

-Further, Experian’s only involvement was that it purchased the assets of a company, Court Ventures, that provided access to US Info Search’s data to Court Ventures’ customers. Under that contract, customers of Court Ventures, including the criminal in this case, could access US Info Search’s data. This was not an Experian database, and specifically, this was not a credit database.

Experian has a duty to conduct “due diligence” on companies it wishes to acquire, because it knows that in purchasing a company it will acquire all of the company’s assets — including whatever debts, liabilities or poor decisions the previous owners may have incurred that end up creating problems down the road. Experian wants to blame everyone else, but by its own admission, Experian didn’t conduct proper due diligence on Court Ventures before acquiring the company. Addressing a U.S. Senate committee last December, Experian’s senior vice president of government policy, Tony Hadley, allowed that “during the due diligence process, we didn’t have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident. We were a victim, and scammed by this person.”

Also, if it wasn’t clear by now, Experian’s PR mantra on this crisis has been that “no Experian database was accessed” in this fraud. But this mantra draws attention away from the real victims: consumers whose information was sold by Experian’s company directly to an identity theft service. A critical question to ask of this line of thinking is: Why does it matter whose database it is, if it contains personal info and Experian profited from its sale?

-Court Ventures was selling the data in question to the criminal for over a year before Experian acquired the assets of Court Ventures.

True. Which suggests there should have been plenty of evidence for Experian’s due diligence team to detect fraudulent activity of the sort generated by an identity theft service using its network. Perhaps just as importantly, Court Ventures continued to sell consumer records to the ID theft service for almost 10 months after Experian acquired the company.

-Furthermore, any implication that there was a breach of 200 million records is entirely false and misleading – while the size of the database may be 200 million, that does not mean the total number of records were accessed.

This publication has never stated that there was a breach of 200 million records. But it is true that KrebsOnSecurity.com was the first to report on the information contained in government statements made during the guilty plea hearing of Hieu Minh Ngo — the man who admitted to running the identity theft service. In those statements, prosecutors for the U.S. Justice Department stated that Ngo — by virtue of fooling Court Ventures into thinking he was a private investigator – had access to approximately 200 million consumer records. As I have stated previously, however, Ngo had to pay for the records he accessed, and he was running a service that charged customers for each records search they ran.

A transcript (PDF) of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity shows that his ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data on more than three million Americans.

Lastly, Experian discontinued the sales of this data immediately upon learning of the problem and worked closely with law enforcement to bring this criminal to justice (the perpetrator has recently pleaded guilty). We are treating the matter seriously and have filed a lawsuit against the former owners of Court Ventures for permitting the sale of US Info Search’s data to Ngo (the perpetrator), and intend to hold those individuals fully responsible for their conduct in establishing access to the data for an identity thief unbeknownst to Experian.

If it really was US Info Search — not Court Ventures — whose database was accessed in this scheme, why is Experian suing Court Ventures? [Update, 9:03 P.M.: Databreaches.net has a good explanation for this question, which happens to support previous research of mine on why this breach could be far bigger than 3 million Americans.]

Original story:

Here’s a far more important question that Experian needs to answer: What has the company done to make things right with the Americans whose identities were stolen because of this whole fiasco? 

Regarding those victims, Experian’s Mr. Hadley stated under oath in front of a U.S. Senate committee that “we know who they are, and we’re going to make sure they’re protected.” But, incredibly, in the very next breath Hadley seemed to suggest that none of the millions of consumers whose data was stolen by Ngo and his identity theft service had experienced any danger of identity theft or were even in need of Experian’s protection.

“There’s been no allegation that any harm has come, thankfully, in this scam,” Hadley told the committee.

For his part, US Info Search CEO Martin says it doesn’t appear that Experian is interested in notifying anyone.

“We have cooperated and assisted the authorities in their investigation and from the onset have urged Experian to make timely notifications,” Martin wrote in an email to KrebsOnSecurity. “In addition, Experian never notified us of the breach as required by state statute, and to date has not cooperated with our investigation, nor provided us with the queries the suspect ran.”

Experian has declined to answer questions about whether it has lifted a finger to help consumers impacted by this scheme, or to clarify its apparently conflicting statements about whether it believes anyone has been harmed by its (in)action. But then again, what exactly would the company do? Offer them a year’s worth of dubiously valuable credit monitoring services? Oh wait, that’s right, Experian practically invented the hugely profitable credit monitoring industry, whose services are negotiated and purchased en masse virtually every time there is a major consumer data breach. Br’er Rabbit would be so proud.

In summary, Experian wants you to remember that the consumer data sold to Ngo’s identity theft service didn’t come directly from its database, but merely from the database of a company it owns. But happily, there is no proof that any of Ngo’s customers — who collectively paid Experian $1.9 million to access the data — actually harmed any consumers.

Readers who find all of this a bit hard to swallow can be forgiven: After all, this version of the facts comes from a company that has been granted a legal right to sell your personal data without your consent (opting out generally requires you to cut through a bunch of red tape and to pay them a fee on top of it). This from a company that is quibbling over which of its business units profited from the sale of consumer records to an identity theft service.

The Hacker Factor Blog: Test Time

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

It must be that time of the year… I’ve been hearing those dreaded three-letter initials over and over in the news: SAT, ACT, GRE.

Back when I took the SAT (OMG, has it really been 25 years???), those tests were promoted as a massive source of stress. “Make good scores or you won’t get into college!” “Bad scores mean a low-paying job!” “We won’t think any less of you if you don’t do well.”

Of course back then, there was a small but vocal minority of complaints: that the test did not test knowledge, was racially biased, was gender biased, did not evaluate college readiness, and more. And each year the groups that run the tests said that they would address these issues.

Since I took those exams, there have been some changes. The ACT is now an accepted alternative to the SAT. (It might have been around back in the 1980s, but I do not recall it being an option for me.) They also added an essay section and claim to have made other changes to refocus the test.

However, I just looked at the online sample tests for the SAT and ACT and I really think nothing significant has changed. These are not tests that measure knowledge; they measure your ability to take a test.

Important for the wrong reasons

There’s a lot of emphasis on the test results. Colleges require good scores for admission. Summer programs use them to filter who gets into special activities. And as Our Lady of Infinite Loops noted, low scores can really damage a child’s self-esteem. “Try to convince kids that they’re smart after they bomb the SAT, though, and good luck.” A lot of self-doubt can continue for years.

I believe these standardized tests are important, but I do not believe they are important for evaluating the student’s knowledge level or subject proficiency. For example, the SAT still uses a bell-curve scoring from 200 to 800 on each section. 800 is a perfect score and you get 200 for writing your name. 500 is “average”. I received 720 on math and 430 on English. (The test is so stressful that you are likely to remember your score decades later.) My scores say that I do not speak English. (I found it ironic since most of the math problems are word problems; if you cannot understand English, then you probably won’t break 550.) Ironically, when I took the GRE after 4 years of college, I ended up getting 760 on math, 780 on analytics, and 430 (again!) on English.

Since then, this non-English speaker has written three books, numerous articles and white-papers (some public, some just for customers), and I have this ongoing blog that is read by more than 12 people. While readers may debate the technical accuracy of this blog, the grammar and sentence structure are generally excellent. (And I haven’t taken any classes to improve my writing since college.)

I actually think that I failed the English sections because I over-thought every problem. The test does not measure depth of thought or your thinking process; it only counts correct marks. I certainly cannot give any tips about the reading section. However, I know exactly why I got such high scores on the math and analytics, and it had very little to do with being good at math and logic.

Hacking a standardized test

Back when I was in high school, there were 3 different teachers named “Mr. Clark”. One taught math, one covered English, and one did history. It was the English teacher who taught a class on “mass media” that I still think was one of the best courses I have ever taken. (How to spot good/bad reporting, the different parts of a paper, how advertisements work, etc.) He also gave a three-day after-school talk on how to take the SAT. His extracurricular talk changed everything for me.

The SAT, ACT, GRE, PSAT, LSAT, etc. are not about knowledge. They are about “how to take a test”. And since you will be tested over and over in life, these tests are a wonderful introduction. These tests won’t help you get a good job — I’ve never had an employer ask for my scores — and they don’t tell anything about how smart you are. (Dumb people can get high scores.) Their content won’t prepare you for college and beyond.

Colleges may require these tests, but there are lots of stupid requirements in life — just go with it. This is what I really got out of Mr. Clark’s seminar: if you don’t like the system, don’t fight it. Instead, game the system. Find the flaws and exploit them. Take what you are given and apply it differently. That is the definition of ‘hacking’.

There are really just three rules that you need to remember:

  1. Time. The first rule is unbreakable. Like gravity or dividing by zero, ignoring it is a fatal mistake: these are timed tests. When the time is up, you are done. Time management is your single most important task.

  2. Correct answers. You only get positive points for correct answers. There may be a hundred questions for you to answer. Some questions may be harder than others, but all scoring is unweighted; a point is a point, regardless of the problem’s difficulty. For the best score based on the given time, do the easy questions first. Skip the hard ones and go back to them if you have time.

  3. Guessing. Some tests penalize for wrong answers. (When I took the SAT, it was a 1/4 point deduction for every wrong answer.) This does not mean that you should not guess. Instead, it means that you should optimize your guessing!

I cannot give you tips to extend the time limit — the duration is fixed and you cannot change it. What I can do is give you a couple of simple tips to best manage your time and improve the number of correct answers.

Tip #1: Minimize work
These tests have a lot of questions to answer and very little time per question. If there are 100 questions and only 50 minutes, then you cannot spend more than 30 seconds per question. What you want to do is find shortcuts so you can answer questions in under 30 seconds. If you can answer 10 questions in 10 seconds each, then you have saved 200 seconds (more than 3 minutes) that you can spend on harder questions later.

Don’t bother tracking your time. (“I saved 10 seconds here.” “I saved another 3 seconds there.”) It takes time to track time and the test is tracking the time for you. (You will stop when it is over.) Just go as fast as you can.

You are allowed to write notes in the test booklet (but not on the answer sheet!!!). You can use this to help your time management. For example, make small marks so it will be easier to go back. If I guessed or skipped a question, then I circled the question number. And if I didn’t understand the question or knew it was a type of problem that I was slow at solving, then I circled it twice. If I had time at the end, I would go back and focus on the circled questions. And if I still had time, I would try the double-circle questions.

Since all points are equal, you want to do the easy problems first. These circles save time by identifying the harder problems as I go back for a second pass.

Similarly, if I knew one of the multiple-choice answers was incorrect, I would cross out the letter so I could ignore it if I went back to that question. And no matter what, I always circled the correct letter in the booklet. This way, if time permitted, I could go back and double-check my answers without wasting time looking up my response on the answer sheet.

Tip #2: Short circuit
In computer programming, there is an algorithmic concept called a “short circuit”. Let A, B, C, and D be complex conditions that need to be evaluated. If you are given a test condition like “if (A or B or C or D) then …”, then you may not need to test every complex condition. Instead, you just test A. If A is true, then you can ignore B, C and D and enter the body of the condition. If A is false, then test B. It should be rare for you to need to test all four conditions. (The same short-circuit concept works with “and” conditions; the first failure stops the evaluation.)

This same idea works with standardized tests for math and analytics. In these tests, there is a fixed number of answers. You can use the short-circuit concept to reduce the number of options. If there is only one option left, then stop reading the question since you know the answer. For example, this question comes from the ACT online sample test:

A car averages 27 miles per gallon. If gas costs $4.04 per gallon, which of the following is closest to how much the gas would cost for this car to travel 2,727 typical miles?
A. $ 44.44
B. $109.08
C. $118.80
D. $408.04
E. $444.40

There are a couple of ways to solve this problem. The first option is to brute-force solve it. 2,727 miles divided by 27 miles per gallon is 101 gallons. 101 gallons costs $4.04 per gallon, so that is $408.04. The answer is “D”.

The short-circuit approach would be a little simpler. We have one division and one multiplication and we just need to solve for the last digit (the hundredths place) first. “7” (from 27 mpg) goes into “7” (from the last digit of 2727) once. 1×4 (the last 4 in 4.04) is 4. This means that the last digit must be a “4”. We can immediately rule out B, C, and E since they do not end with a “4”. That leaves two options. At this point, we can easily guess “D” because 2727 (miles) is 2 decimal places larger than 27 (mpg); the value from “A” is too small. We would guess “D” and we would be correct.

Solving one digit is much faster than solving the entire problem. And if A and D were closer together, then we could try solving for another digit.

This type of shortcut is also great for logic puzzles, where they list a bunch of conditions. Take each condition as you read it and test the answers. If the first condition does not work for “D”, then scratch off “D” as an answer. If the next condition does not work for “A”, then scratch off “A”. When there is only one answer left, you know the correct answer. You don’t have to solve the puzzle; you just have to find an answer that solves the puzzle. For example, this question comes from “Free SAT Math Questions”:

Mon Tue Wed Thu Fri Sat Sun
66 78 75 69 78 77 70

The table above shows the temperatures, in degrees Fahrenheit, in a city in Hawaii over a one-week period. If m represents the median temperature, f represents the temperature that occurs most often, and a represents the average (arithmetic mean) of the seven temperatures, which of the following is the correct order of m, f, and a?
(A) a < m < f
(B) a < f < m
(C) m < a < f
(D) m < f < a
(E) a = m < f

Identifying the average (a=73.29) is hard and time consuming because you have to add every number and then divide by the total. Even computing the median (m=75) is slow because it requires sorting the values and finding the one in the middle. But finding the value that occurs most often (f=78) is fast. 78 is also the highest value, so we can immediately rule out B and D. That leaves determining the relationship between a and m. At this point, I would solve m by sorting the values. I would find a by doing a rough average: (highest + lowest) / 2 = (78+66)/2 = 72. The rough average shows that a is likely < m. So I would guess “A” (and I would be correct).

That’s right: I said “guess”. It’s not worth my time to solve the problem. It’s better time management to rule out unlikely options and go with whatever is left.

Tip #3: Fitness
Rather than using the question to derive the answer, just see if each answer fits the question. For example, “Free SAT Math Questions” has a question that says:

If k is divisible by 2, 3, and 15, which of the following is also divisible by these numbers?
(A) k + 5
(B) k + 15
(C) k + 20
(D) k + 30
(E) k + 45

Rather than thinking about how to simplify the problem, I’d just go down the numbers. Is “5” divisible by 2? No, so scratch “A”. 15 is not divisible by 2, so scratch “B”. 20 is not divisible by 3, so scratch “C”. 30 works for 2, 3, and 15. Stop there — “D” is the correct answer. I would not even look at “E”; evaluating “E” is a waste of time, and time is the most important factor to this test.

Tip #4: Trick
All of these questions may first look intimidating, but they all have a trick. If you recognize the trick, then you can solve it fast. If you don’t see the trick, then circle the question and move on.

Tricks are usually in the form of specially chosen numbers or key words in paragraphs. For example, the trick in the gas mileage problem was the numbers: 27 into 2727 (see the 27 repeated?) is 101 and 4.04 is 4×1.01. See how “101” keeps appearing? That’s the trick. 101 is a special number because you can multiply it by any number from 0 to 99 without a value carried between the units and hundreds columns. (In other words, they expect it to be easy enough to do in your head.) If you noticed the trick, then you know that the value must end with “.04” — there’s only one answer that works. You may also notice that $408.04 is the only palindromic answer with a relationship to 101 (another palindrome). If you noticed the repetition of 101, then you could solve the problem without ever knowing what they were asking.

Similarly with the divisor problem, the trick is that 3 is a divisor of 15, so you can ignore it. You really just need to check for multiples of 2 and 15. “2” is special because it means every answer must be even (that rules out A, B, and E). You may also recognize that the least common multiple of 2, 3 and 15 is 30 (only D works). Again: you can find the answer fast if you saw either of these tricks. And every problem has some kind of trick.

Tip #5: Guess!
With the SAT that I took, there was a 1/4 point (25%) deduction for every incorrect answer. With five answers, random guessing means that I will guess correctly 20% of the time. Or if we look at it another way: on average, 1 out of every 5 guesses will be correct. So 1 point for the correct answer and 4×-0.25=-1 for the wrong answers. As points go, guessing is a wash and doesn’t hurt.

However, if I can rule out just one bad answer from the five possible answers, then I can guess at a profit. If I can exclude just one answer then, on average, 1 out of every 4 guesses will be correct. That’s 1 point for being correct – 0.75 points for 3 wrong answers yields a positive difference of 0.25. That’s much better than the alternative of not guessing and getting zero points.

If you can rule out 2 of 5 answers, then guessing gives you an overall positive score of 0.5 (+1 for the correct and -0.25×2 for the two wrong guesses). And if you can narrow it down to two possible answers, then it’s not just a 50/50 chance of guessing correctly, it’s a net guessing total of 0.75 positive points (+1 – 0.25). That’s like playing roulette in Las Vegas when 3/4ths of the wheel are black! (With those kinds of odds, why would you ever bet on red? Or in this case, why would you ever not guess?)

And of course, if there is no penalty for guessing, then absolutely guess! But still, see if you can narrow down the choices in order to increase the likelihood of guessing correctly.
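The post’s “eliminate, then guess” policy from Tips #2, #3 and #5, as an added Python example that is not code from The Hacker Factor Blog. It runs the two quoted questions through a short-circuit eliminator (checks are ordered cheapest-first, a candidate is dropped at its first failed check, and evaluation stops once a single candidate survives) and then computes the expected value of a guess under the quarter-point penalty. The answer tables are transcribed from the questions above; the magnitude bound of $200 to $800, the function names and the check labels are this example’s own assumptions.

```python
"""Added example, not code from the original post: short-circuit elimination
of multiple-choice answers, plus the expected value of guessing under a
wrong-answer penalty. Names and the magnitude bound are this example's own.
"""
from fractions import Fraction
from typing import Any, Callable, List, Sequence, Tuple

Check = Tuple[str, Callable[[Any], bool]]


def eliminate(candidates: Sequence[Any], checks: Sequence[Check]) -> Tuple[List[Any], List[str]]:
    """Apply checks in order; return (survivors, labels of the checks actually run).

    Stops before running the next check once at most one candidate remains,
    mirroring the post's rule: if only one option is left, stop reading.
    """
    survivors = list(candidates)
    ran: List[str] = []
    for label, ok in checks:
        if len(survivors) <= 1:
            break
        ran.append(label)
        survivors = [c for c in survivors if ok(c)]
    return survivors, ran


# Tip #2: the ACT gas-mileage question (answers transcribed from the post).
GAS_ANSWERS = {"A": 44.44, "B": 109.08, "C": 118.80, "D": 408.04, "E": 444.40}


def solve_gas_question() -> Tuple[List[str], List[str]]:
    """Rule out answers by their last digit first, then by rough magnitude."""
    checks: List[Check] = [
        # 7 into 7 goes once, 1 x 4 = 4: the hundredths digit must be 4.
        ("hundredths digit is 4", lambda k: f"{GAS_ANSWERS[k]:.2f}"[-1] == "4"),
        # 2727 is two decimal places bigger than 27, so about 100 gallons at
        # about $4 each; the $200..$800 window is an assumed bound.
        ("roughly 100 gallons x $4", lambda k: 200 <= GAS_ANSWERS[k] <= 800),
    ]
    return eliminate(list(GAS_ANSWERS), checks)


# Tip #3: the divisibility question, k divisible by 2, 3 and 15.
DIV_ANSWERS = {"A": 5, "B": 15, "C": 20, "D": 30, "E": 45}


def solve_divisibility_question() -> Tuple[List[str], List[str]]:
    """k + n keeps every divisor of k exactly when n has those divisors too.

    The checks for 2, 3 and 15 are tried in that order; after the 3-check only
    one answer is left, so the 15-check is never evaluated.
    """
    checks: List[Check] = [
        (f"added term divisible by {d}", lambda k, d=d: DIV_ANSWERS[k] % d == 0)
        for d in (2, 3, 15)
    ]
    return eliminate(list(DIV_ANSWERS), checks)


# Tip #5: is a guess worth taking under a wrong-answer penalty?
def expected_guess_score(n_choices: int, n_eliminated: int,
                         penalty: Fraction = Fraction(1, 4)) -> Fraction:
    """Expected points from one random guess among the choices not yet ruled out.

    Exact fractions so the break-even case (5 choices, 1/4 penalty, nothing
    eliminated) is exactly 0 rather than a floating-point near-zero.
    """
    remaining = n_choices - n_eliminated
    if remaining < 1:
        raise ValueError("cannot eliminate every choice")
    p_right = Fraction(1, remaining)
    return p_right * 1 - (1 - p_right) * penalty


def should_guess(n_choices: int, n_eliminated: int,
                 penalty: Fraction = Fraction(1, 4)) -> bool:
    """Guess whenever the expectation is non-negative: a wash never hurts."""
    return expected_guess_score(n_choices, n_eliminated, penalty) >= 0


if __name__ == "__main__":
    print(solve_gas_question())           # (['D'], [both checks])
    print(solve_divisibility_question())  # (['D'], [checks for 2 and 3 only])
    for k in range(4):
        print(k, "eliminated, per-guess expectation:", expected_guess_score(5, k))
```

Run stand-alone it reports ‘D’ for both questions, and per-guess expectations of 0, 1/16, 1/6 and 3/8 for zero to three eliminated choices. Those are the post’s 0, 0.25, 0.5 and 0.75 totals spread over the 5, 4, 3 and 2 guesses each total covers; the sign is what matters for the decision, and it only goes negative when the penalty exceeds 1/(remaining − 1).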

Tip #6: Practice! Practice! Practice!
There are lots of sample tests online. There are books you can get that have sample exams. (Try the used bookstores first.) There are even classes you can take that will issue a sample test. Try doing a sample test every few days in the months before the actual test. If you run out of sample test material, then retake some of the earlier tests. If your friends have sample tests that are different from your samples, then trade with them.

Remember: these exams are not about knowledge. If the test was measuring your knowledge on the topic, then taking practice exams would not improve your score. These tests do not teach you anything about math or analytics or even English. They will not expand your understanding of the subject.

Instead, these tests measure your ability to take a standardized test. With practice, you will spot the tricks faster and gain experience in managing your time. Just the act of sitting and focusing on the exam for hours can be exhausting — both physically and mentally. Practice will build up your tolerance. Repeated practice will improve your score.

One other thing to remember: the score is based on a bell curve. Your score is compared against everyone else who takes that test. A lot of people won’t practice — assume that they will be at the low end of the bell curve because they are not used to taking this type of exam. Just by repeatedly practicing with sample tests, you can move to the middle or upper end of the test range.

In my opinion, this is the real reason that colleges like these tests. The scores show that you can focus on a subject for extended periods and that you are willing to put in some effort. If you look at college entrance requirements, you’ll see that they do not require perfect scores. They just want people who are better than average. The people who are not willing to put in the effort are going to be below average.

Baseline Metrics

These tests are not completely bogus. They do check for a basic knowledge of math. You must know how to read a math problem, how to do very basic algebra and maybe a little geometry. You need to know the definitions for words like “arithmetic mean” and “hypotenuse”. You need to know basic math principles, like how to find the perimeter or area of an object, and the difference between obtuse and acute angles.

However, these tests never actually check your baseline knowledge of these basic concepts. Did you miss the ‘hypotenuse’ question because you didn’t know the word, or because you added a number wrong?

Standardized tests really just check to see if you can answer problems quickly and (mostly) accurately. They do not determine if you actually know how to apply math or if you have a deeper understanding of the concepts. These exams only check if you know how to take a test when the set of possible answers is known. In the real world, you usually don’t know all of the possible outcomes ahead of time. (And if you do, then the test is probably rigged.)

However, I did end up taking away some life lessons from the experience. For example, do the best you can with the time you have. An educated guess is usually better than not answering. If it looks hard then there is probably a trick to it. Regardless of what you do, you can improve with practice. And most importantly: knowing the requirements and how success is measured allows you to hack the system.

Krebs on Security: KrebsOnSecurity.com Wins Awards

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

In February, this blog and its author were recognized for three separate awards. At the RSA Security conference in San Francisco, KrebsOnSecurity.com was voted the “Most Educational Security Blog” at the Security Bloggers Meetup (for the second year in a row). The judges at the meetup also gave KrebsOnSecurity.com the honor of the “Best Blog Post of the Year,” for my reporting on the Adobe breach.

Separately, I am honored to have received the Mary Litynsky Award for Protecting the Online Community, a lifetime achievement recognition given by the Messaging, Malware and Mobile Anti-Abuse Working Group. M3AAWG’s announcement about the award is here. Past recipients of this award are listed here.

Krebs on Security: Card Backlog Extends Pain from Target Breach

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Last week’s story about steeply falling prices on credit and debit card data stolen from Target mentioned several reasons why many banks may not have already reissued all of their cards impacted by the breach. But it left out one other key reason: A huge backlog of orders at companies that manufacture credit and debit cards on behalf of financial institutions.

Turns out, while the crooks responsible for monetizing the Target breach seem to have had little trouble counterfeiting stolen cards, the process by which banks obtain legitimate replacement cards for their customers is not always quite so speedy.

I recently spoke with a gentleman who heads up security at a small federal credit union, and this individual said his institution ended up printing their own cards in-house after being told by their financial services provider that their order for some 2,000 new customer cards compromised in the Target breach would have to get behind a backlog of more than 2 million existing orders from other banks.

The credit union in question issues Visa-branded cards to its customers, but the actual physical cards are produced by Fiserv, a Brookfield, Wisc. financial services firm that also handles the online banking portals for a huge number of small to mid-sized financial institutions nationwide. In addition to servicing this credit union, Fiserv also prints cards for some of the biggest banks in the world, including Bank of America and Chase.

Shortly after the holidays, the credit union began alerting affected customers, notifying them that the institution would soon be reissuing cards. But when it actually went to place the order for the new cards, the institution was told it would have to get in line.

“They informed us that there was a backlog of 2 million cards, and said basically, ‘We’ll get to you when we get to you’,” the credit union source told KrebsOnSecurity.

Murray Walton, chief risk officer at Fiserv, acknowledged that the company has experienced extraordinarily high demand for new cards in the wake of the Target breach, but that Fiserv is quickly whittling down its existing backlog of orders.

“A large breach injects additional demand into a system that is already operating at near-peak capacity at year-end,” Walton said. “As a result, producers face the challenge of juggling existing contractual commitments with this incremental demand, and turn to mandatory overtime and staff augmentation to get the most out of their equipment and infrastructure. We believe we are managing this situation as well as possible, and are beginning to see our cycle times (order to delivery) diminish compared to a few weeks ago. Meanwhile, we note that fraud prevention is a multi-faceted challenge, and card reissue is only one arrow in the quiver. Alert consumers and behind-the-scenes fraud management programs are also essential.”

Faced with mounting customer service requests from account holders who’d been told to expect new cards, the credit union decided to take matters into its own hands.

“We have the capability to print out the cards ourselves at a local branch, so some of our software developers wrote some scripts to export the customer data and we had two people who ended up burning the midnight oil for several days making these cards by hand.”

The Hacker Factor Blog: Just a Few More Hours

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

It’s the last day of 2013. Usually people use this time to reflect on the last year or pontificate about next year. However, I usually link back to previous blog entries when topics come full circle. Also, I often speculate about future events, challenge people to protect themselves online, question facts, and assist others. So devoting an entire blog entry to review or speculation seems kind of redundant.

There have been a couple of topics this year that I have intentionally not discussed. School shootings, domestic spying, whistleblowers vs traitors, drones… If the only information I have comes from media opinions, where facts are hand-picked to support a biased argument, then there is no value in further speculation. Besides, I believe that keeping the names and actions of shooters in the news only helps make other people idolize the villains. I have a huge amount of respect for our local NBC affiliate, 9news, because they made the explicit decision to not name the last shooter and to keep the attention on the victims and the young woman who was killed.

There are a couple of topics that I do plan to cover in the upcoming year. I think there is much more to Facebook’s privacy policies than is currently being covered. I’m finding more and more interesting things with a couple of image formats that I’ll probably make public. And I have a new side-project ready to go — I’m just waiting for antagonists to trigger the trap. (Being an election year, I know the trap will catch someone by at least August, and probably much sooner than that. We may have a two-party political system, but I live in a one-party state.)

Behind the scenes, we’re doing a lot more work with FotoForensics. We’re hoping to add more tutorials and samples to the site, more disk space, and maybe a new feature or two. (If we can get it to work, one of the features ought to be really fun, even if it isn’t ‘scientific’.) Right now, one new feature (not what you’d expect) is almost ready to go, but I’m holding off until the site’s anniversary for the release.

Meanwhile, I’m winding down 2013 by preparing for 2014. New hardware has arrived, new software is being tested, new projects, new research, new publications… 2014 is going to be fun. Happy New Year!

Krebs on Security: Happy 4th Birthday, KrebsOnSecurity.com!

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Dec. 29 marks the 4th anniversary of KrebsOnSecurity.com! Below are a few highlights from this past year, and a taste of what readers can look forward to here in 2014.

If there was an important data breach in 2013, chances are that news of it first broke on this blog. Among KrebsOnSecurity’s biggest scoops this year were stories about breaches at Adobe, Bit9, Experian, LexisNexis, Target and The Washington Post.

Some of these stories are ongoing and will unfurl reluctantly but gradually throughout 2014. Look for a more thorough explanation of what really happened when Experian sold more than a year’s worth of consumer credit data directly to an underground service marketed to identity thieves, for example. And of course, we will almost certainly learn more about the “how” and “who” of the massive attack on Target.

The audience for this blog has grown tremendously in the past year. The site now attracts between 10,000 and 15,000 visitors per day. For the first time in its existence, KrebsOnSecurity is on track to exceed 1 million pageviews this month (fittingly, this should come to pass sometime today).

That growth would not have been possible without you, dear loyal readers. 2013 featured more blog posts and more in-depth investigations than perhaps any other year, but the real value in this site comes from the community that has sprung up around it. Readers submitted more than 10,000 comments this past year. More than two dozen of you also supported this site directly via the PayPal or Bitcoin donation links in the blog sidebar. Whichever way you supported this site in 2013, a hearty THANK YOU for your contribution and encouragement.

Krebs on Security: Non-US Cards Used At Target Fetch Premium

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

An underground service that is selling credit and debit card accounts stolen in a recent data breach at retail giant Target has stocked its virtual shelves with a new product: Hundreds of thousands of cards issued by non-U.S. banks that were used at Target across the United States during the retailer’s 19-day data breach. It’s not clear how quickly the non-U.S. cards are selling, but they seem to be fetching a much higher price than those issued by U.S. banks.

On Dec. 20, this blog published a story about the “card shop” rescator[dot]la. That piece explained how two different banks — a small, community bank and a large, top-10 bank — had bought back their customers’ stolen cards from the fraud service and discovered that all of the purchased cards had been used at Target during the breach timeframe. The shop was selling data stolen from the magnetic stripe of each card, which thieves can re-encode onto new, counterfeit cards and use to go shopping in bricks-and-mortar stores for items that can easily be fenced or resold.

As I wrote in that story, a key feature of this particular shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s Nov. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle” (also an island in the Caribbean long associated with pirates). The small bank similarly found that all of the cards it purchased from the card shop also bore the Tortuga base name, and all had been used at Target.

Cards stolen from non-US customers who shopped at Target are sold under the “Barbarossa” base.

On Friday, the proprietor of this card shop announced the availability of a new base — “Barbarossa” — which consists of more than 330,000 debit and credit cards issued by banks in Europe, Asia, Latin America and Canada [side note: one Russian expert I spoke with said Barbarossa was probably a reference to Operation Barbarossa, the code name for Germany's invasion of the Soviet Union during World War II].

According to one large bank in the U.S. that purchased a sampling of cards across several countries, all of the cards in the Barbarossa base also were used at Target during the breach timeframe.

As with cards sold under the Tortuga base, debit and credit cards for sale as part of the Barbarossa base list the country of origin for the issuing bank, and then directly underneath include the state, city and ZIP code of the Target store from which the card numbers were stolen.

When I first became aware that this card shop was selling only cards stolen from Target stores, I noticed a discussion on a related crime forum wherein customers of this shop seemed very enthusiastic about this ZIP code feature. I couldn’t figure out what the big deal was: I’d assumed the state, city and ZIP described the bank that issued the card.

Later, I learned from a fraud expert that this feature is included because it allows customers of the shop to buy cards issued to cardholders that live nearby. This lets crooks who want to use the cards for in-store fraud avoid any knee-jerk fraud defenses in which a financial institution might block transactions that occur outside the legitimate cardholder’s immediate geographic region.

Non-U.S. cards used at Target generally fetch higher prices than U.S. cards, between $67 and $100 apiece.

The cards for sale in the Barbarossa base vary widely in price from $23.62 per card to as high as $135 per card. The prices seem to be influenced by a number of factors, including the issuing bank, the type of card (debit or credit), how soon the card expires, and whether the card bears a special notation that often indicates a higher credit limit, such as a Platinum card.

The prices also appear to be influenced partly by how rare it is to find cards for a specific bank available on the black market. The highest-priced cards I found for sale were issued by banks in Singapore, South Korea and the United Arab Emirates.

Barbarossa base cards issued by Canadian banks. Note that city, state and ZIP code listed indicate the location of the Target store from which the card was stolen.

Krebs on Security: Cards Stolen in Target Breach Flood Underground Markets

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.

Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.

On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.

This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.

On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.

“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out…nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”

When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked would I be willing to advise his fraud team on how to do the same?

CARD SHOPPING

Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.

According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.

A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’ cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.

With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that match his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.

Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et al.); expiration date; track type; country; and the name of the financial institution that issued the card.

A graphic advertisement for stolen cards sold under the “Tortuga” base.

A key feature of this particular dumps shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s Nov. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle.”

Indeed, shortly after the Target breach began, the proprietor of this card shop — a miscreant nicknamed “Rescator” and a key figure on a Russian-language cybercrime forum known as “Lampeduza” — was advertising a brand new base of one million cards, called Tortuga.

Rescator even created a graphical logo in the Lampeduza forum’s typeface and style, advertising “valid 100% rate,” and offering a money-back guarantee on any cards from this “fresh” base that were found to have been canceled by the card issuer immediately after purchase. In addition, sometime in December, this shop ceased selling cards from other bases aside from those from the Tortuga base. As the month wore on, new Tortuga bases would be added to the shop, with each base incrementing by one with almost every passing day (e.g., Tortuga1, Tortuga2, Tortuga3, etc.).

Another fascinating feature of this card shop is that it appears to include the ZIP code and city of the store from which the cards were stolen. One fraud expert I spoke with who asked to remain anonymous said this information is included to help fraudsters purchasing the dumps make same-state purchases, thus avoiding any knee-jerk fraud defenses in which a financial institution might block transactions out-of-state from a known compromised card.

The New England bank decided to purchase 20 of its own cards from this shop, cards from Tortuga bases 6-9, and Tortuga 14 and 15. The store’s “shopping cart” offers the ability to check the validity of each purchased card. Any cards that are checked and found to be invalid automatically get refunded. A check of the cards revealed that just one of the 20 had already been canceled.

The bank quickly ran fraud and common point-of-purchase analyses on each of the 19 remaining cards. Sure enough, the bank’s database showed that all had been used by customers to make purchases at Target stores around the country between Nov. 29 and Dec. 15.
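As an added example (not code from the post, the bank or the card shop), here is how an issuer could run the common point-of-purchase analysis described above, and in the earlier passage about the big bank, over its own transaction log. The transaction records, card tokens and the BOUGHT_BACK list are all constructed; the merchant visited by every bought-back card inside the reported window is the common point, and the wider set of cards used there is the population the bank weighs for reissue. The bin_of helper covers the BIN lookup (first six digits) the post mentions.

```python
"""Common point-of-purchase (CPP) analysis as an issuer's fraud team might run it.

Added example, not code from the original post. All transaction records and
card tokens below are constructed for illustration; tokens stand in for the
bank's internal card identifiers and are not real account numbers.
"""
from collections import defaultdict
from datetime import date

# Breach window Target reported (Nov. 27 - Dec. 15, 2013).
WINDOW_START = date(2013, 11, 27)
WINDOW_END = date(2013, 12, 15)

# Constructed issuer transaction log: (card_token, merchant, tx_date).
TRANSACTIONS = [
    ("card-001", "Target", date(2013, 11, 29)),
    ("card-001", "Grocer", date(2013, 12, 2)),
    ("card-002", "Target", date(2013, 12, 10)),
    ("card-003", "Target", date(2013, 12, 14)),
    ("card-003", "Gas", date(2013, 12, 3)),
    ("card-004", "Grocer", date(2013, 12, 5)),
    ("card-005", "Target", date(2013, 11, 20)),  # before the window: not at risk
    ("card-006", "Target", date(2013, 12, 1)),
    ("card-007", "Gas", date(2013, 12, 8)),
]

# Constructed list of the bank's own cards it bought back from the card shop.
BOUGHT_BACK = ["card-001", "card-002", "card-003", "card-006"]


def bin_of(pan: str) -> str:
    """Return the Bank Identification Number (first six digits) of a card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 6:
        raise ValueError("card number too short to contain a BIN")
    return digits[:6]


def merchants_in_window(transactions, start, end):
    """Map each card to the set of merchants it was used at inside [start, end]."""
    seen = defaultdict(set)
    for card, merchant, when in transactions:
        if start <= when <= end:
            seen[card].add(merchant)
    return seen


def common_point_of_purchase(transactions, compromised, start, end):
    """Rank merchants by the share of compromised cards used there in the window.

    Returns a list of (merchant, fraction) sorted by fraction descending,
    then by merchant name. A merchant at 1.0 was visited by every compromised
    card, which is the signal the banks in the story used to tie the dumps
    to Target.
    """
    seen = merchants_in_window(transactions, start, end)
    counts = defaultdict(int)
    for card in compromised:
        for merchant in seen.get(card, ()):
            counts[merchant] += 1
    total = len(compromised)
    ranked = [(m, counts[m] / total) for m in counts]
    ranked.sort(key=lambda mf: (-mf[1], mf[0]))
    return ranked


def cards_at_risk(transactions, merchant, start, end):
    """All of the issuer's cards used at `merchant` during the window.

    This is the wider population a bank weighs for reissue, not only the
    cards it has already seen for sale.
    """
    seen = merchants_in_window(transactions, start, end)
    return sorted(card for card, ms in seen.items() if merchant in ms)


if __name__ == "__main__":
    for merchant, share in common_point_of_purchase(
        TRANSACTIONS, BOUGHT_BACK, WINDOW_START, WINDOW_END
    ):
        print(f"{merchant:8s} {share:.0%} of bought-back cards")
    print("at risk:", cards_at_risk(TRANSACTIONS, "Target", WINDOW_START, WINDOW_END))
```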

“Some of these already have confirmed fraud on them, and a few of them were actually just issued recently and have only been used at Target,” my source told me. Incredibly, a number of the cards were flagged for fraud after they were used to make unauthorized purchases at big box retailers, including — wait for it — Target. My source explained that crooks often use stolen dumps to purchase high-priced items such as Xbox consoles and high-dollar amount gift cards, goods that can be fenced, auctioned or otherwise offloaded quickly and easily for cash.

My source said his employer isn’t yet sure which course of action it will take, but that it’s likely the bank will re-issue some or all of the 5,300+ cards affected by the Target breach — most likely sometime after Dec. 25.

The bank is unconcerned that its cards compromised in the Target breach might be used for online shopping fraud because the stolen data does not include the CVV2 — the three digit security code printed on the backs of customer cards. Most online merchants require customers to supply the CVV2 as proof that they possess the legitimate, physical card for the corresponding account that is being used to fund the online purchase.

Update, 5:20 p.m. ET: In a message to consumers, Target CEO Gregg Steinhafel said Target would be offering free credit monitoring for affected customers. Not sure how credit monitoring helps with this specific breach, but at any rate here’s the rest of his statement:

“Yesterday we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated. We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.

We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service.

We understand it’s been difficult for some guests to reach us via our website and call center. We apologize and want you to understand that we are experiencing unprecedented call volume. Our Target teams are working continuously to build capacity and meet our guests’ needs.

We take this crime seriously. It was a crime against Target, our team members, and most importantly, our guests. We’re in this together, and in that spirit, we are extending a 10% discount – the same amount our team members receive – to guests who shop in U.S. stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.”

Krebs on Security: Sources: Target Investigating Data Breach

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year.

Update, Dec. 19: 8:20 a.m. ET: Target released a statement this morning confirming a breach, saying that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.

Original story:

According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

Minneapolis, Minn. based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.

Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.

“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.

It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million cards total from both issuers that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”

Some of the largest retailer breaches to date may help explain what happened in this case. In 2007, retailer TJX announced that its systems had been breached by hackers. The company later learned that thieves had used the store’s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country, and that crooks had made off with data from more than 45 million customer credit and debit cards.

In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.

This is likely to be a fast-moving story. Stay tuned for updates as they become available.

Krebs on Security: The Biggest Skimmers of All: Fake ATMs

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

This blog has spotlighted some incredibly elaborate and miniaturized ATM skimmers, fraud devices that thieves attach to ATMs in a bid to steal card data and PINs. But a skimmer discovered in Brazil last month takes this sort of fraud to another level, using a completely fake ATM designed to be stacked directly on top of a legitimate, existing cash machine.

On Saturday, Nov. 23, a customer at a Bank of Brazil branch in Curitiba, Brazil approached the cash machine pictured below, dipped his ATM card in the machine’s slot, and entered his PIN, hoping to get a printed statement of his bank balance.

A completely fake ATM discovered in Brazil, designed to sit directly on top of the real cash machine.

When the transaction failed, the customer became suspicious and discovered that this ATM wasn’t a cash machine at all, but a complete fake designed to be seated directly on top of the real cash machine. Here’s what the legitimate ATM that was underneath looked like.

The real ATM underneath.

When the cops arrived, they pulled the fake ATM off the real cash machine. Here is the fake ATM, set down on the floor.

The backside of the phony cash machine reveals what may be a disassembled laptop with the screen facing outward. The entire apparatus is powered by two large batteries (right). Notice the card skimming device (top right, with the green light) and a side view of the component for the fake PIN pad (top).

The backside of the fake ATM shows what appears to be laptop and skimmer components powered by two huge batteries.

It’s not clear from the reporting in these stories from the Brazilian media (nor from the YouTube video from which the above photos were taken) exactly what hardware was included in this device. It seems difficult to believe that thieves would go to all this trouble without incorporating some type of GSM or 3G components that would allow them to retrieve the stolen information wirelessly. I don’t imagine it would be easy to simply walk away from a cash machine unnoticed while holding a giant fake ATM, and a wireless component would let the skimmer scammers offload any stolen data even after their creations were seized by the authorities.

This device appears to be nearly identical to a fake ATM found in April 2013 in Santa Cruz do Rio Pardo. The story about that April incident has much higher resolution photos, and states that the fake ATM indeed included a 3G mobile connection, ostensibly for sending the stolen card and PIN data to the thieves wirelessly via text message.

Interestingly, much like the grammatical and spelling errors that often give away phishing emails and Web sites, the thieves who assembled the video for the screen of the fake ATM used in the April robbery appear to have made a grammatical goof in spelling “país,” the Portuguese word for “country”; apparently, they left off the acute accent.

Most skimming attacks (including the two mentioned here) take place over the weekend hours. Skimmer scammers like to place their devices at a time when they know the bank will be closed for an extended period, and when foot traffic to the machine will be at its highest.

Keep a keen eye out for anything that looks amiss when you visit the ATM; if you see something that doesn’t look right, notify the bank or owner of the machine, and go somewhere else to get your cash. More importantly, make sure you’re aware of your physical surroundings when you go to withdraw money, and whenever possible use cash machines in well-lit, open places. Most people probably have a better chance of being physically mugged while at the ATM than they do getting scammed by a skimmer. According to a January 2013 report by the U.S. State Department, this is especially true for foreigners in São Paulo, Brazil, where “express kidnappings” occur when criminals force their victims to extract their daily cash limit from an ATM machine.

Finally, although it would not have helped the victims of these fake Brazilian ATMs, using your hand to cover the PIN pad while you enter your digits is a great way to foil most skimmers, which tend to rely on hidden cameras as opposed to fake PIN pads or PIN pad overlays.

Fascinated by ATM skimmers? Check out my series on these fraud devices: All About Skimmers.

The Hacker Factor Blog: Thoughts In My Head

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

For me, blogging is a writing exercise. A friend recommended that I try to do it in order to improve my ability to write white papers on any topic. As an exercise, I can totally see an improvement. I can usually just sit down and write on a topic without that two hours of staring at a blank page and thinking about Plants vs Zombies.

At first I just tried to write on topics that interest me. I used my blog as an informal journal, open for anyone to read and comment on. Then I tried doing other writing exercises, such as changing writing styles. First person, third person narrative, sarcastic, ironic, formal, informal… one of these days I’ll even try writing it in verse.

As more people read and comment on my blog entries, I’ve really tried to keep the writing informal but the topics formal. If other people are going to read my technical journal, then I might as well try to keep it interesting.

I also try to blog at least once a week, but sometimes work gets the best of me. (If I spend a week writing for work, then I really don’t feel like writing for exercise.) But at the same time, I feel like I need to blog since I haven’t done it in a week.

Having said that… I haven’t had time to prepare a good blog entry on a consistent topic. So here’s some unrelated topics that are just bouncing around my head.

Thanks for Playing!

According to news reports last week, a school in Texas decided to stop giving people “participation trophies”. Trophies should go to the winners. The top tier may get win, place, and show, but everyone else gets a smile and a “thanks for playing”; last place doesn’t get a trophy for trying.

I think this is a great idea. I hate to say it, but losing builds character and there is an art to being a gracious loser. Awarding a kid for failing teaches them nothing except that they have no reason to strive to better themselves. It’s kind of like that Tom Lehrer song from the ’60s, New Math — accuracy doesn’t matter, “the idea is the important thing!”

Of course, this also reminds me of the recent government shutdown. After forcing a shutdown, the House Republicans wanted something in return for failing to perform their primary duty of managing the country’s budget. They wanted a “concession.” I view it more as a participation trophy. They lost — they should not get a trophy.

More Shopping

Three weeks ago news broke that Adobe had a major compromise. They reportedly lost about 2.9 million accounts, as well as source code for Adobe Acrobat and ColdFusion. Earlier today, Brian Krebs reported that the compromise was significantly worse: 38 million accounts and the source code for Photoshop.

I previously commended Adobe on their public acknowledgement and response to this situation. While I haven’t heard any follow-up response regarding this latest news, I still think this is a horrible situation for Adobe and I believe they will continue to take proper steps to mitigate the damage.

More Work

The next few weeks are going to be crazy. I’m preparing for a three-hour presentation, revising a slideset for a different presentation, writing another white paper, extending a cool profiling system (that has not yet been made public), writing more tutorials, and doing all of my ongoing work. And I still need to carve my pumpkin for Halloween!