Data breach | Bach Seat

Tag Archive for Data breach

RB | July 9, 2015

Data Breach Is No Monkey Business

Re Data Breach Is No Monkey Business ports are emerging that zoo’s across the nation have fallen victim to a POS attack and data breach. MLive warns anyone who made a purchase with a credit card at gift shops at the Detroit Zoo between March 23 and June 25, 2015, might be in danger of having the credit card information stolen. The Detroit Zoo posted a notice which claims that the only systems hacked were those run by Denver-based Service Systems Associates, the third-party responsible for running the systems at the Detroit Zoo’s retail stands.

SSA posted a notice on their site confirming a breach but no other details. Officials are investigating data breaches of the point-of-sale systems at nine or more U.S. zoos, including the Detroit Zoo. MLive reports that hackers gained access to card holders’ names, expiration dates, CVV security codes in addition to the credit and debit card numbers.

Sources claim the malware has been since identified and removed from the systems, though the case remains under investigation. In response, A separate credit card processing system was installed after the Zoo learned of the breach. Gerry VanAcker, Detroit Zoological Society chief operating officer, said in a release:

We are obviously concerned that the vendor’s system was compromised,” s “Transactions made since June 26 are not affected by the previous breach, and it is safe to use a credit or debit card at SSA’s retail locations.

Krebs on Security reports that the attack is widespread. Mr. Krebs cites financial industry sources that say the breach likely involves SSA concession and gift shops at zoo locations in Alabama, Arizona, California, Florida, Hawaii, Idaho, Indiana, Minnesota, Ohio, Oklahoma. Pennsylvania, South Caroline, Texas, and Tennessee.

Systems used at the Detroit Zoo for tickets food sales and membership sales were not affected by the breach and remain secure. Anyone who made a purchase via credit or debit card at a Zoo gift shop should check their bank statements immediately.

Those who expect that their identity has been stolen are asked to contact one of the consumer reporting agencies and place a fraud alert on their credit report.

rb-

Why don’t these POS companies give a damn? I have covered POS data breaches a number of times from the Bach Seat. POS breaches have been the largest source of data disclosure for at least 3 years. Of course, we know the answer, follow the money.

Firms like SSA have no accountability. There are no costs or fines or even a demerit on their permanent record when they get breached. It is less costly for companies like SSA to allow a breach to happen than it is to update their systems and stop the attackers.

Maybe that will change in the future. Beginning in October 2015 firms like SSA that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards. – maybe.

Colorado Springs zoo gift store part of credit card security breach (denverpost.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2015, Credit card, Data breach, Debit card, Detroit, Detroit Zoo, Malware, Michigan, PII, POS, Security

RB | May 12, 2015

One comment

What Triggers a Data Breach?

Cyber-insurer Ace Group recently published data they say predicts a data breach. Based on their data (and the need to sell premiums) the insurer claims that all firms are at risk for a data breach. Matthew Prevost, vice president, ACE Professional Risk recently claimed data breaches are inevitable.

When it comes to cyber risk, it is not a question of if or when, but how – how can an organization proactively prepare for and then quickly respond to cyber-related breaches and interruptions?

ACE has a unique position to speculate, according to ClaimsJournal ACE has over 15 years of experience with cyber-risk. The firm has cataloged a considerable amount of lost data. They recently shared several key insights from their proprietary data. FierceITSecurity explains that based on cyber insurance provider ACE data, the top triggers for data breaches are:

Network security attacks – 25%
Lost or stolen devices – 20%
Human error -16%
Rogue employees – 15%
Faulty policies – 9%
Use of paper – 6%
Software error – 3%

The firm’s data says that lost and stolen devices that led to data breaches are:

Laptops – 70%
Memory devices – 28%
Smartphones – 2%

Former employees accounted for 25 percent of insider attacks, and financial incentive was the motive in 72 percent of insider attacks, according to ACE.

rb-

I have written about the cyber insurance market here and here. The most surprising factoid to me is that lost or stolen smartphones lead to data breaches 2% of the time. Perhaps the ACE data is old, or the security marketers have spread FUD and hubbub about the need for MDM, EMM, and remote wipes just to make a buck.

Do you agree with ACE’s stats?

Why small businesses should consider cyber liability insurance (hiscoxsmallbizblog.com)

Category: Uncategorized | Tags: 2015, Computer security, Credit card, Data breach, Insurance, Laptop, PII, Security

RB | April 21, 2015

Comments Off

EDU- The Most Bot-Infested Sector

DarkReading confirms, what I have pointed out to Bach Seat readers for a while, education people are terrible at IT security. The latest evidence comes from a BitSight report which concludes that the more bots in-house, the more a company is likely to have reported a data breach. The report finds that the education sector harbors the most botnet infections, according to a new study. The study highlights how bot infections correlate with a higher rate of data breaches.

The DarkReading article says BitSight, a security ratings firm, studied public breach disclosure data between March 2014 and March 2015 across the finance, retail, healthcare, utilities, and education industries. The study concluded that organizations with a botnet grade of B or below had experienced data breaches at a rate of 2.2 times more than organizations with an A grade. The report says there is a correlation between botnet infestations and data breaches; “This does not mean the infections were the cause of the breaches; rather, it means that the infections and breach incidents are correlated.”

The education sector fared poorly. Only 23% of institutions got an A as their botnet grade, and 33% get an F. The main botnets dogging schools and universities:

Jadtre (59.2%) – Downloads other malware and steals info;
Flashback (22.1%) – The Java exploit targeting Apple OS X;
TDSS (8.3%) – Discovered in 2011 It infects the master boot record of the target machine among other things it deletes other malware;
Zeus (6%) – Financial credential-stealing malware, and
Sality (4.4%) One of the longest-lived botnets. It was first discovered in 2003. Sality is considered to be one of the most complex and formidable forms of malware to date.

The report notes Flashback is malware that targets Apple computers by taking advantage of a Java vulnerability. Mac computers are popular among younger generations and educational institutions, intensifying the proliferation of this malware in education. Although the Flashback botnet itself has largely been shut down, the large number of infections that still exist indicates that people are running machines that have not been updated; thus, they are still vulnerable to other forms of infection.

Other industries received better scores better than Education.
• 74% of Financial Services firms got an A
• 57% of Retailers receive an A grade
• 53% of healthcare received an A grade
• 50% of Utilities received an A

there is a correlation between botnet infestations and data breaches The report concludes that organizations with bot-infected machines are more likely to report a data breach. “The implications for organizations across industries are that botnet infections cannot be ignored. Companies with poor botnet grades have been breached far more often than those with good grades, and actions should be taken to mitigate these risks.”

rb-

Been there done that … EDU people don’t get IT security. They don’t understand how much PII they collect and randomly hang onto. Their systems send data in clear text across the inter-tubes to change schools.

Someone is going to get breached and sued and maybe they will learn.

Trojan Horse, Zombies, and 15 Critical Cybersecurity Terms You Need to Know (coloradotech.edu)

Category: Uncategorized | Tags: 2015, AAPL, Apple, BitSight, Botnet, Data breach, Flashback, Jadtre, K12, Malware, School, Security

RB | March 19, 2015

Comments Off

ZOUP! POS Breached

Another day, another data breach. Zoup! the restaurant known for its soup, salad, and sandwiches is the latest retailer to have it POS system hacked. The hack exposed credit card information hacked according to MLive. From a statement posted on the Zoup! website Zoup! CEO Eric Ersher told their customers victims – too bad so sad, “… in the days ahead, we will work hard to preserve your trust.”

Apparently re-gaining my trust does not include telling me my information was stolen, or the usual credit monitoring or credit restoration services, according to MLive Southfield, MI-based Zoup! will not be contacting customers who were affected by the cyber-attack.

The stonewall goes beyond Zoup!’s customers. When contacted by security researcher Brian Krebs, for comment CEO Ersher referred calls to NEXTEP, who runs all of Zoup!s point-of-sale devices. Troy, MI-based NEXTEP President Tommy Woycik emailed Mr. Krebs a statement, which says in part, “NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised.”

The MLive article reports that Zoup! learned March 4 of a payment card security issue that affected most of its U.S. locations. Between Feb. 2 and March 5, the malware installed on the point-of-sale system was tracking credit card numbers, and possibly PII data such as the cardholders’ name, card expiration date, and verification code.

POS vendors have a notorious track record for data security. One breach can impact 100’s of locations. The 2014 breach at the POS vendor Signature Systems Inc. affected Jimmy John sandwich shops and at least 100 other restaurants. The 2015 breach at Advanced Restaurant Management Applications (ARMA) affected many of its client restaurants. And now Nextep has impact up to 75 Zoup! locations and possibly 100,000’s of customers.

CEO Ersher stated in a statement in a statement, “… we moved as swiftly as possible to address the problem once we learned about it … ” Oh really? if they had read Bach Seat last year when I wrote about POS hacks or paid attention to US-CERT or warnings they would have been prepared.

The company set up a website for customers with concerns or call Zoup! at 800-343-9308, Monday – Friday, 8 a.m. – 5 p.m. ET.

rb-

I think that Zoup! should cool the attitude and review the info I posted in 2014 on how to avoid POS System breaches.

1. Change administrative passwords on all POS systems. (Hackers are scanning the Internet for easily guessable passwords).

2. Implement a firewall or access control list on remote access /administration services. (If hackers can’t reach your systems, they can’t easily steal from it).

3. Avoid using POS systems to browse the web (or anything else on the Internet).

4. Make sure your POS is a PCI DSS compliant application (ask your vendor)

5. Use password management software like LastPass to generate secure passwords. (LastPass allows you to avoid storing passwords in your browsers and can generate ready-to-use secure passwords for you).

Microsoft takes cafeteria payment kiosks offline as vendor deals with breach (geekwire.com)

Category: Uncategorized | Tags: 2015, Brian Krebs, Credit card, Data breach, Michigan, PII, POS, Security, Zoup

RB | March 17, 2015

Comments Off

Banks Scramble to Fight Apple Pay Fraud

SearchFinancialSecurity reports that Apple Pay fraud is on the rise and banks are rushing to fix sloppy authentication processes. Sloppy bank authentication processes are at the heart of growing Apple Pay fraud and experts worry about potential fraud with other mobile payment systems.

When Apple Pay was first unveiled by Apple (AAPL) in October 2014, it was touted for its increased security thanks to tokenized Device Account Numbers and the Touch ID fingerprint system. eWeek.com provided a good overview of how Apple Pay’s approval process works:

The camera of an iPhone 6 or 6 Plus takes a photo of the credit or debit card
Apple Passbook software extracts the name and expiration date, then encrypts and transmits the data to Apple
If the photo doesn’t allow for extraction (poor quality or card is too worn), users are allowed to manually enter the card number
Apple checks to see if the card is already on file in iTunes, verifying it through a match
But most cards aren’t already in iTunes – so Apple sends card data, phone data, and iTunes account info to the card-issuing bank
If verified by the bank and approved, it’s added to Apple Pay and the Apple Passbook, and it’s ready to be used for purchasing

If this provisioning is successful, the bank will automatically accept (Green Path) the info and then beam an encrypted version of the card details to be stored.

According to reports, criminals have set up iPhones with stolen personal information, which has been tracked back to accounts compromised in Target’s big data breach at the end of 2013, the Home Depot hacking in 2014, and likely the Anthem breach of 2015. The criminals take the stolen PII and call banks to authenticate a victim’s card on the new device. This is so-called “Yellow Path” authentication, where a card isn’t or rejected (Red Path), but requires more provisioning by the bank to be added to Apple Pay.

When Yellow Path authentication is required, the bank may send a one-time authorization code to the customer’s email or mobile phone that must be entered into the Apple Pay set-up. Other banks may ask the customer to call a toll-free number where a customer service representative will try to verify the person’s identity with a series of questions about recent purchases or a home address according to the WSJ.

If this provisioning is successful, the bank will then beam an encrypted version of the card details to be stored on the Secure Element of the phone (PDF). The author contends that the heart of the problem is that some banks have lax Yellow Path processes, only asking for the last four digits of a Social Security number, leading to criminals using stolen identities and credit/debit cards to buy high-priced goods, often from Apple Stores.

Avivah Litan, a VP at Gartner (IT) said that this kind of fraud is a fundamental flaw that will affect all mobile payment services. “This isn’t necessarily an Apple Pay problem. The responsibility ultimately lies with the card issuer who must be able to prove the Apple Pay cardholder is indeed a legitimate customer with a valid card,” Ms. Litan wrote in a blog post. “That always appeared to me to be the weakest link in mobile commerce — making sure you provide the app to the right person instead of a crook.”

rb-

With the iPhone 6’s NFC capabilities, the physical card may not be required for such “purchases.” Maybe someday this will keep merchants from holding card data but for now, seems like the banks need to get their act together.

Apple Pay: Bridging Online and Big Box Fraud (krebsonsecurity.com)

Category: Uncategorized | Tags: 2015, AAPL, Anthem, Apple, Apple Pay, Authentication, Banking, Biometrics, Data breach, Fraud, Home Depot, iPhone, PII, Security, Target

« Older Entries Recent Entries »

Bach Seat

Tag Archive for Data breach

Data Breach Is No Monkey Business

Related articles

What Triggers a Data Breach?

Related articles

EDU- The Most Bot-Infested Sector

Related articles

ZOUP! POS Breached

Related articles

Banks Scramble to Fight Apple Pay Fraud

Related articles

Meta