Tag Archive for Home Depot

| February 4, 2017
Comments Off on State of Michigan Data Breach

State of Michigan Data Breach

State of Michigan Data BreachData breaches are no surprise these days. I have covered a number of data breaches here on the Bach Seat here, here, and here. Now the State of Michigan (SOM) has joined the ranks of data leakers like Yahoo, Home Depot, Target, BCBS, and the US government. MLive is reporting that the State of Michigan has spilled the personal data of millions of Michigan citizens. On February 03, 2017, the Michigan Department of Technology Management and Budget (DTMB) announced the Michigan data breach. The breach leaked the Personal information of nearly 20% of Michigan residents who were vulnerable to unauthorized access for four months.

Unemployment Insurance Agency

Unemployment Insurance AgencyThe article reports that in October 2016, a software update to the Michigan Data Automated System (MiDAS) system was used by the state’s Unemployment Insurance Agency (UIA). MiDAS was created by Fast Enterprises of Centennial, CO, and went live in 2012 as part of a modernization of the unemployment benefits and tax system. A flaw allowed employers and human resources firms to get access to names and social security numbers of nearly 1.9 million Michigan residents they were not authorized to view.

The state identified the Michigan data breach on Jan. 30 and fixed it on Jan. 31, 2017. Contracted payroll service providers had unauthorized access to the MiDAS system, according to UIA spokesperson Dave Murray. Anybody working for a company that uses one of those payroll service providers may have had their personal information compromised. DTMB official Caleb Buhs warned, “If you are an employee in Michigan and your company uses a payroll vendor to process payroll, then you can potentially be included.

Impacted by the Michigan data breach

According to a report on MLive, the 31 vendors with unauthorized access to Michigan citizens’ PII included:

  • 7-Eleven
  • Aatrix
  • Accountants World
  • Acrisure
  • ADP
  • Benepay
  • Casper Willson Wilson
  • Computing Resources
  • Connectpay LLC
  • CoStaff National Services Inc
  • Craft Accounting
  • CSS Payroll Inc
  • DTMB
  • DM Payroll
  • Dominion Systems
  • GT Independence
  • Heins Acctg
  • Hewitt Assoc
  • Highpoint Business Services LLC
  • Infiniti HR LLC
  • Julie Lepper Acctg
  • Mercantile Bank
  • My Pay Solutions
  • Nieland & Kosanke PC
  • One Source Virtual
  • Paychex
  • Paycomm Payroll LLC
  • Paycor
  • Paylocity Corp
  • Payroll 1
  • Payroll Tax Mgt
  • Professional Systems
  • Ultimate Software
  • VenSure HR Inc
  • Wayne County Regional
  • Zen Payroll

Data security is a top priority for the state of MichiganDTMB Director and State CIO David Behen stated, “Data security is a top priority for the state of Michigan … We will work with our third-party vendors and our state team to check our processes and procedures to avoid incidents like this in the future.

Recommendations

Here’s what the SOM is recommending those who may have had their PII exposed do:

  1. Call the state hotline at 855-707-8387 between 8 a.m. and 4 p.m. on weekdays to make inquiries about this issue.
  2. Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  3. Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax, Experian, and TransUnion – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission.
  4. Take steps to monitor their personally identifiable information and report any suspected instances of identity theft to their local law enforcement.

MiDAS has been in the news before. MiDAS’ “robo-adjudication” feature wrongly flagged at least 20,000 people for unemployment fraud between October 2013 and August 2015. MiDAS would automatically flag a discrepancy and send a message to a seldom-used internal unemployment system. When the victims didn’t respond, the system would automatically find they had committed fraud and issue a 400% fine.

rb-

The way data breach report work is that the originating firm under-estimates the number of records lost by half. So it is possible that the SOM has released nearly 4 million or 38% of all Michiganders personal records.

Michigan State Police Cyber CommandDespite the Michigan State Police Cyber Command being on the job, it is likely that nothing will happen to the perpetrators – nothing ever does. DTMB spokesman Buhs said, “We are learning from this.” I hope so.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , ,
| March 17, 2015
Comments Off on Banks Scramble to Fight Apple Pay Fraud

Banks Scramble to Fight Apple Pay Fraud

Banks Scramble to Fight Apple Pay FraudSearchFinancialSecurity reports that Apple Pay fraud is on the rise and banks are rushing to fix sloppy authentication processes. Sloppy bank authentication processes are at the heart of growing Apple Pay fraud and experts worry about potential fraud with other mobile payment systems.

Apple Pay logoWhen Apple Pay was first unveiled by Apple (AAPL) in October 2014, it was touted for its increased security thanks to tokenized Device Account Numbers and the Touch ID fingerprint system. eWeek.com provided a good overview of how Apple Pay’s approval process works:

  • The camera of an iPhone 6 or 6 Plus takes a photo of the credit or debit card
  • Apple Passbook software extracts the name and expiration date, then encrypts and transmits the data to Apple
  • If the photo doesn’t allow for extraction (poor quality or card is too worn), users are allowed to manually enter the card number
  • Apple checks to see if the card is already on file in iTunes, verifying it through a match
  • But most cards aren’t already in iTunes – so Apple sends card data, phone data, and iTunes account info to the card-issuing bank
  • If verified by the bank and approved, it’s added to Apple Pay and the Apple Passbook, and it’s ready to be used for purchasing

If this provisioning is successful, the bank will automatically accept (Green Path) the info and then beam an encrypted version of the card details to be stored.

criminals have set up iPhones with stolen cardl info from Target and Home Depot hacksAccording to reports, criminals have set up iPhones with stolen personal information, which has been tracked back to accounts compromised in Target’s big data breach at the end of 2013, the Home Depot hacking in 2014, and likely the Anthem breach of 2015. The criminals take the stolen PII and call banks to authenticate a victim’s card on the new device. This is so-called “Yellow Path” authentication, where a card isn’t or rejected (Red Path), but requires more provisioning by the bank to be added to Apple Pay.

When Yellow Path authentication is required, the bank may send a one-time authorization code to the customer’s email or mobile phone that must be entered into the Apple Pay set-up.  Other banks may ask the customer to call a toll-free number where a customer service representative will try to verify the person’s identity with a series of questions about recent purchases or a home address according to the WSJ.

If this provisioning is successful, the bank will then beam an encrypted version of the card details to be stored on the Secure Element of the phone (PDF). The author contends that the heart of the problem is that some banks have lax Yellow Path processes, only asking for the last four digits of a Social Security number, leading to criminals using stolen identities and credit/debit cards to buy high-priced goods, often from Apple Stores.

Avivah Litan, a VP at Gartner (IT) said that this kind of fraud is a fundamental flaw that will affect all mobile payment services. “This isn’t necessarily an Apple Pay problem. The responsibility ultimately lies with the card issuer who must be able to prove the Apple Pay cardholder is indeed a legitimate customer with a valid card,” Ms. Litan wrote in a blog post. “That always appeared to me to be the weakest link in mobile commerce — making sure you provide the app to the right person instead of a crook.”

rb-

With the iPhone 6’s NFC capabilities, the physical card may not be required for such “purchases.” Maybe someday this will keep merchants from holding card data but for now, seems like the banks need to get their act together.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,