Tag Archive for Visa

| December 30, 2015
Comments Off on Target Wish List Leaking Your Data

Target Wish List Leaking Your Data

Target Wish List Leaking Your DataThe holiday shopping season has not been merry for mega-mart Target. You would think the mega-retailer that leaked info on 110 million customers would learn how to keep their customers’ info secure but NOOOO. The anti-virus firm AVAST has discovered the Target (TGT) Wish List app is leaking your data, your personally identifiable information (PII).

Data leakThe Avast Blog says that if you created a Christmas wish list using the Target app it is leaking your data.  it might be accessible to more people than you want to actually receive gifts from. The Target app keeps a database of users’ wish lists, names, addresses, and email addresses.

Alarmingly, for a firm that has privacy issues, the Target app’s backend interface is not secured. This allowed the database to be accessed over the Internet. The author reports that the Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need to parse all the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.

Leaking your data

while developers investigate

The JSON file that the AVAST researchers requested from Target’s API leaked lots of interesting data. The leaked data included: users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries. The AVAST researchers did not store any PII, but they did aggregate data from 5,000 inputs for statistical analysis.

The AVAST researchers took the sample and looked at which some of the data they got. It included; brands, states the Target app users are from, and the most common names of people using Target’s app.

Leasked info

This appears to be a classic case of security by obfuscation. The app developers created the online API for data that is uploaded by Target. They also set up a separate API in tandem so that the retail chain could download and process the uploaded data – but without any security measures in place.

Target has reached a $39.4 million settlementIn a post on Ars Technica, a Target spokesperson said that it has suspended elements of the app while developers investigate. Hopefully, this should mean that the data-leaking has stopped while the backend has been disabled.

In other Target data breach news FierceITSecurity reports that Target has reached a $39.4 million settlement with banks and credit unions over claims they lost millions of dollars as a result of the massive 2013 data breach at the retailer. The massive data breach at Target exposed the credit and debit card numbers of 40 million customers to hackers and personal information on another 70 million.

The settlement, if accepted, will resolve class-action lawsuits by the banks and credit unions seeking reimbursement for fraudulent charges and issuing new cards. Of the $39.4 million, $20.25 million will be paid to banks and credit unions, and $19.11 million will be paid to reimburse MasterCard card issuers.

cautionary taleThis follows settlements that Target reached with Visa card issuers for $67 million and with customers for $10 million. Target estimated that the breach so far has cost it $290 million, with insurers picking up $90 million, according to a filing with the Securities and Exchange Commission last week. Target is not out of the woods yet. It still has to deal with shareholder lawsuits and a probe by the Federal Trade Commission and state attorneys general related to the data breach.

Fred Donovan at FierceITSecurity says Target is a cautionary tale for any enterprise. Despite handling billions of dollars in credit card transactions, the retailer did not have one person responsible for IT security at the time of the breach. While it had a network security system in place, it did not have IT security personnel skilled enough to recognize an alarm the system set off months before Target discovered the breach.

rb-

Cash is king, especially at Target.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| October 16, 2014
Comments Off on How to Spot Phishing

How to Spot Phishing

Phishing scams are spam emails sent by cyber-criminals that can lead to identity theft at home and data breaches at work. Phishing attacks pretend to be from a legitimate person or organization to trick you into revealing personal information. A phishing attack begins when a cyber-criminal sends an email that looks like it originates from your bank.

PhishingThe email might hint at a problem with your account asking you to “confirm” account information by clicking on a link that takes you to a fake website. The fake website asks you to type in your bank account user name and password. The goal is to convince the target that the web page is legitimate so that they will enter their credentials. Once entered, attackers can access an individual’s finances.

Phishing attacks

RSA reports 2013 was a record year for phishing attacks. They report that nearly 450,000 phishing attacks were launched in 2013 with losses estimated to be nearly $6 Billion. The security firm believes that these attacks will continue for the foreseeable future. They point out that it only costs an attacker $65.00 to spam 500,000 email addresses.

spoofed financial organizationsSymantec reports (PDF) that 1 in every 392 emails a user receives is a phishing attempt. 71% of the phishing attacks were related to spoofed financial organizations and login credentials for accounts seem to be the main information phishers are looking for. Dell SecureWorks delved into the depths of the online underground economy and found the value of personally identifiable information (PII).

value of personally identifiable information

  • Visa and Master Card account numbers are worth up to $15
  • American Express account numbers are worth up to $18
  • Date of Birth (DOB) is worth up to $25

On his excellent website, Brian Krebs revealed the black market value of hacked credentials.

  • Active accounts at Facebook and Twitter retail for just $2.50 apiece,
  • $4 buys hacked credentials at wireless providers ATT.com, Sprint.com, Verizonwireless.com, and Tmobile.com,
  • Groupon.com accounts fetch $5,
  • Fedex.com, Continental.com, and United.com accounts for go for $6.
  • iTunes accounts go for $8 on the cyber underground economy.

medical records

In a new phishing twist, attackers are going after medical records to exploit the broken healthcare industry. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cybercrime protection company.

With these threats in mind, PhishMe developed an infographic, click on the image below to see the complete image.

How to Spot a Phish

PhishMe infographic

rb-

Since many cyberattacks originate with phishing emails, the best way for organizations and individuals to protect themselves online is to recognize and avoid phishing emails.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,