O2 Data for Sale?

Now here’s an interesting data breach; it’s perhaps indicative of changing approaches by hackers. As companies thankfully become more savvy about protecting data, so hackers are having to become more creative. They augment stolen data by accessing more publicly available data sources – such as social media – to create more robust data sets that they can sell on to the criminal fraternity on the ‘dark net’. We reported here earlier in July that fraudsters are harvesting details from social media accounts to create fraudulent duplicate identities; a technique known as ‘credential stuffing’. The BBC claimed on the Victoria Derbyshire programme on July 26th that “O2 customer data is being sold by criminals on the dark net” (here). However, O2 deny that they’ve suffered a data breach. The initial credentials are likely to have been stolen in a data breach back in November 2013 from the gaming website Xsplit, and the hackers have subsequently ‘stuffed’ those credentials with information sourced elsewhere. Those new ‘stuffed’ credentials would then be tried against various online services. The BBC reported that some victims have had accounts hacked on multiple sites – such as Gumtree and eBay. The message for consumers is a familiar one: don’t use the same password for multiple accounts – tempting though it might be – as hackers will try any passwords they acquire against any and every online service. And the message for businesses is equally familiar: you have a responsibility to your customers if you store their personal or payment data. Compliance3 can help businesses meet their personal and payment data obligations, get in touch and see how we...

Another breach of very personal data

We read constantly of data breaches and of sensitive data being made available for sale on the ‘dark web’ – indeed, as I reported here in February, sometimes not even on the dark web. While we at Compliance3 tend to concentrate on the security of, and potential threats to, card data, the recent report from CIFAS suggested that any personal data can be used by criminals in creating identity theft profiles. For example, we learned recently that the online dating site ‘Muslim Match’ has been breached and some 150,000 log-ins have been made available for sale online, along with nearly 800,000 potentially very private messages between users. The data, which has been confirmed as genuine, includes Skype handles. And, given the sensitivity of some of the breached data, along with potential religious and cultural taboos, the risk of hacked users receiving blackmail threats is potentially higher than for other similar compromises at more ‘western’ sites like Ashley Madison, Match.com or Plenty of Fish. That said, the Daily Mail reported back in August 2015 (here) that some leaked Ashley Madison clients had been driven to commit suicide. And, once again, the breach at Muslim Match doesn’t look to have been too sophisticated, possibly a relatively simple SQL injection. One user of the site told the website Motherboard: “I feel disappointed, but the site didn’t seem to be secure in the first place. They never used https.” At the time of writing, the Muslim Match site is down, showing a message “We have been made aware of an alleged security breach and are reviewing our systems as we work to remedy the situation...

Co-ordinated thefts from ATMs in Japan

We’ve written in the past about data breaches where customers’ card details are stolen, and while the press tend to dwell on the ongoing risks to customers as a result of their data being compromised, it’s rare for the subsequent exploitation of data breaches to make news. This week, however, saw the news of an audacious and sophisticated attack using stolen account data to create 1,600 fake payment cards and then steal nearly $13 million from South Africa’s Standard Bank. The thieves exploited the high maximum withdrawal amounts allowed in Japan, where the maximum amount that can be withdrawn from an ATM is ¥100,000 (or about £630), and withdrew that maximum amount 14,000 times from 1,400 machines. The targeted machines were installed in 7-11 stores across Japan; unusually for Japan, these particular machines accept international cards. The thefts took place over a three-hour period, early on the morning of Sunday May 15th, which would be late Saturday night in South Africa. While customers have not suffered any losses, Standard Bank estimate their total losses to be close to $19 million. Standard Bank described the heist as “a sophisticated, co-ordinated fraud incident” involving what it said was a “small number” of fake cards from account data belonging to...

The Panama Papers

Possibly the most significant data breach of our age. We’ve seen data breaches come and go; they make headlines for a couple of days, maybe a couple of weeks, and are largely forgotten, except by those whose data has been compromised and their subsequent victims. The ‘Panama Papers’ take data breach to a whole new level; they’ve already cost the Icelandic Prime Minister his job, and have made life very uncomfortable for David Cameron, the British Prime Minister, even if his sins would appear to be of lack of communication rather than financial impropriety. They’re not alone, though: 12 national leaders are listed among the 143 politicians. Well, Mossack Fonseca – the source of the data breach – is the world’s fourth biggest provider of offshore services; it has acted for more than 300,000 companies, more than half of which are registered in the UK or British administered tax havens. The scale of the breach in itself is mind boggling – 2.6 terabytes of data, comprising 11.5 million documents – extracted from Mossack Fonseca’s systems. That dwarfs the 1.7 gigabyte ‘Wikileak’ in 2010 or the 3.3 gigabyte leak of files from HSBC in 2015. The most recent breach is thought to have taken place in December 2015, but papers are currently being analysed by 370 reporters from 100 media organisations. The documents take the form of 4.8m emails, 3m databases, 2m PDFs, 1m images and 320,000 image files. And the source of the breach? Well, the smart money currently suggests that Mossack Fonseca were using WordPress and Drupal plugins that stored database credentials in clear text. The Mossack Fonseca...

Card Details going cheap

We’ve written here, over the past twelve months, about some pretty significant data breaches. Some, like last October’s Talk Talk data breach, triggered an almost instant wave of spam and social engineering telephone calls. Elsewhere, the ‘dark web’ has long been the place for criminals to trade stolen data. The Daily Mail – last November – reported that a fraudster who called himself ‘The Martian’ was selling data stolen from Talk Talk for as little as £1.62 a time. Now, worryingly, stolen data has gone ‘mainstream’. The Times reported, on Saturday February 13th, that card data is now available for purchase on an openly available, if still illegal, website. The Times reports claims that details of 100,000 Brits were available on the site priced from just £1.67 per record, and that the site has been updated regularly, with over 400,000 new records made available in the six weeks since the start of the year. The MP Keith Vaz, chairman of the home affairs select committee, described it as “deeply disturbing”, suggesting that the site could be funding terrorism and organised crime. He added that “The National Crime Agency must get this site closed.” and “I will be writing to the NCA to bring this to their attention.” One might hope that somebody at the NCA takes The Times. That said, at the time of writing this, the site in question was still freely accessible, but even if it is taken down, the stolen data will doubtless be made available elsewhere. Update – a full week later the site was still publicly accessible. Stephen Orphei – the General Manager of the PCI...