ATMs Continue To Be Huge Target For Hackers

Hackers are the new bank robbers in a very literal sense. Increasingly, criminal groups are infiltrating bank networks specifically to infect the ATMs attached to them with malicious code that makes stealing from those machines a snap.

Once the malware has been installed on a target machine, a lower-level member of the crew can simply walk up and activate it by entering a pre-defined numeric sequence on the keypad, causing the machine to dispense cash. The technique is commonly called “jackpotting.”

All the low-level hacker has to do is pocket it, take it back to HQ, and divide the spoils.

It gets even better from the hacker’s point of view, though. The same malware that can be triggered to launch the “cash out” attack described above can also skim card data from anyone who uses the machine, letting the crew double dip: stealing not just from the bank, but also from a growing number of its customers.

Considering the extreme risks involved with “Old School” bank robbing, this is a pretty attractive option, and it’s not at all hard to see why hackers have been increasingly drawn to it.

Thus far, attacks like these have been concentrated in East Asia and haven’t yet made their way to Europe or America in any significant way. Given their level of success, however, it’s only a matter of time before we start seeing similar attacks here.

So far, the largest attack of this type occurred in Taiwan, in July 2016, when a group of hackers orchestrated a highly coordinated attack that struck 41 different ATMs and saw the group make off with a hefty $2.7 million in cash.

Again, this is small potatoes compared to some other, more mainstream attacks. Take the Carbanak malware, for instance, which has been tied to bank thefts totaling more than $1 billion through a combination of fraudulent wire transfers and ATM cash-outs. Even so, the trend is a growing one, and it’s all but inevitable that we’ll start seeing such attacks in the US, probably sooner rather than later.

Whole Foods Reports Credit Card Breach

It seems that hardly a week goes by without news of another high-profile data breach. This time in the hot seat is Amazon-owned Whole Foods Market. The company is reporting that hackers gained unauthorized access to payment card information at an undisclosed number of its stores in the US, the UK and Canada.

So far, the company has not released details relating to which stores were impacted, only that POS terminals were targeted, and that some customer credit and debit card data was compromised, though a company spokesperson did stress that the breach did not allow the hackers to access purchase information.

Whole Foods has called in an outside firm to help it investigate the breach, is working with law enforcement agencies and has posted a brief notice on its website.

The company encourages anyone who has shopped at Whole Foods Market to monitor their credit card statements closely to make sure there’s been no unauthorized activity.

As corporate responses go, Whole Foods’ has been less than perfect. So far, the company has not released any details about the exact number of stores impacted, where they were, and how many customers have been affected.

Further, to this point, there’s no indication that the company has made any attempt to reach out to the impacted customers and notify them, or offer them any form of free credit monitoring or related services. Although, to be fair, the situation is still unfolding and the company may take these actions at some point down the road.

The situation is still quite fluid, and if and as additional information becomes available, we’ll have more to say about this. For the time being, the important takeaway is that if you’ve shopped at Whole Foods Market, keep a close watch on your credit or debit card. It may have been compromised.

Google Has Announced Earbuds That Translate Language In Real Time

Google Labs has produced some amazing ideas. Some of them have found their way to the market, and many others have not. The one thing they have in common, though, is that they’re all intriguing and exciting.

That’s especially true of Google’s latest offering, Google Pixel Buds.

If you’ve ever read “The Hitchhiker’s Guide To The Galaxy,” then you know the term “Babel Fish.” If you grew up watching Star Trek, then you know all about the Universal Translator. Well, Google has built version 1.0 of that very device.

The new earbuds are able to translate forty different languages in something close to real time. Close enough, in any case, to be useful in day to day conversation.

Obviously there are some glitches and limitations at this point, just as there were in the first smartphones and computers, but the fact that this new technology exists at all, in any form, is nothing short of amazing.

The potential applications are limitless, and the number will only grow as the technology matures. We can see the possibility of seamless global communications that cut across language barriers. It boggles the mind.

If you do business with vendors all over the globe, imagine how much simpler this is going to make your life. As mentioned, it’s a given that early adopters will face certain limitations and no doubt chafe under the shortcomings of the early versions of the device, but that’s been true of just about every invention we’ve ever seen enter the marketplace.

Consider speech-to-text technology, for example. The early versions were quite buggy and you could count yourself lucky if they successfully interpreted 40 percent of your words, translating them into text. These days, that percentage is closer to 98.

The best way to help this new product succeed is to jump in and start using it, bugs, flaws, shortcomings and all. Kudos to Google Labs!

Google Personal Data Requests Are On The Rise

Google’s latest Transparency Report is out, and the results have raised concerns with privacy advocates from around the world.

This time last year, Google received 44,943 requests relating to 76,713 user accounts from governments around the world. This year’s figures have increased to 48,941 requests relating to 83,345 accounts. The company acceded to 65 percent of the requests made.

The US government was, predictably, the biggest requestor, with the German, British and French governments also featured prominently.

Note that these figures specifically do not include FISA (Foreign Intelligence Surveillance Act) requests, as such requests are subject to a six-month reporting delay.

Of interest, a key component of FISA is set to expire at the end of 2017, and Google is working with Congress to try and pass a reform that will improve netizens’ privacy protections.

The core argument is that the existing process for handling requests from foreign governments, which routes them through mutual legal assistance treaties, is too slow and could be replaced by an update to the US Electronic Communications Privacy Act (ECPA). According to Richard Salgado, Google’s Director of Law Enforcement and Information Security:

“ECPA should also be updated to enable countries that commit to baseline privacy, due process, and human rights principles to make direct requests to US providers.

Providing a pathway for such countries to obtain electronic evidence directly from service providers in other jurisdictions will remove incentives for the unilateral, extraterritorial assertion of a country’s laws, data localization proposals, aggressive expansion of government access authorities and dangerous investigative techniques. These measures ultimately weaken privacy, due process, and human rights standards.”

It’s too soon to say whether Google’s efforts will bear fruit, but if they do, it would be a big step in the right direction, and an unqualified win for privacy watchdog groups everywhere.

Interestingly, Apple also released its annual Transparency Report, which revealed a six percent drop in government requests, compared to last year’s figures. At the same time, though, the number of FISA requests Apple received soared from 2750-2900 related to 2000-2249 accounts to 13,250-13,499 related to 9000-9249 accounts.

Regardless of what happens to FISA in Congress later this year, the main takeaway is that governments around the world are making an increasing number of requests for personal data held by our biggest tech companies, a disturbing trend that is, sadly, not unexpected.

Sonic Drive-In Latest Company With Credit Card Breach

Another week, another data breach, and this time, popular fast food chain Sonic found itself in the crosshairs.

The breach came to light when security journalist Brian Krebs spotted a large batch of credit card data for sale on an underground website.

IBM’s “X-Force” division confirmed Krebs’ findings, and later that same day, Sonic confirmed the report, offering all of its customers two years of free fraud and identity theft protection.

At this point, the company has released no details on how many of their 3600 locations were impacted, or how many customers might have been affected. However, Krebs noted that the cache he saw contained some five million records, which at least gives us some indication as to the scope and scale of the attack.

Given the relative lack of information about the incident so far, the best thing you can do if you frequent any Sonic location is to monitor your credit and debit card statements closely and take advantage of the free credit monitoring service offered.

It’s no great surprise why hackers are so interested in credit card data. Each record sells for between $25 and $50, so that cache of five million records represents a significant payday.

The fear, as pointed out by numerous security experts of late, is that given how easy it has been for hackers to breach company POS systems, the hackers will up the ante and begin introducing ransomware to the payloads they install on these systems.

Without a functioning POS system, business grinds to a complete halt, so the thinking is that most businesses facing this kind of attack would pay the ransom immediately, making the hackers’ payday even sweeter.

While this type of attack hasn’t been seen yet, most experts agree that it’s just a matter of time, making it one more thing to worry about. This is all the more reason to make sure your own POS terminals are as secure as you can possibly make them. You definitely don’t want to be next!

Hackers May Have Accessed Corporate Document Filings At The SEC

The hackers of the world have been busy recently, and this latest report from the SEC shows that both the number of their attacks and the level of sophistication behind them continue to grow by leaps and bounds.

Specifically, the SEC reported that hackers may have gained access to its EDGAR (Electronic Data Gathering, Analysis, and Retrieval) system, the database that receives and publishes corporate filings and disclosures, and that the intruders may have used data mined from it to profit illegally from stock trades.

Essentially, they pried open the database and got a sneak peek at sensitive corporate filings before they were made available to the public. Armed with that knowledge in advance, they knew exactly which companies were going to appreciate in value, and which companies were going to take a hit to their stock prices, which made it child’s play to make profitable trades.

It gets worse, though. The SEC is also looking into instances where phony filings records may have been injected into the database with the specific intention of creating a stock price appreciation or tumble for specific companies.

This, then, isn’t a typical attack at all, where hackers attempt to breach a system to get at customer lists or credit card information to resell on the dark web. This is much more refined and complex, and in addition to making unknown sums of money for its architects, it has the effect of undermining confidence in the entire economic system as a whole, which makes it doubly dangerous.

Of course, as part of the SEC’s official statement, they say that the issue has been identified and patched, and that they’re cooperating fully with law enforcement officials. Both of those are good things, but unfortunately, they will do little to restore consumer confidence any time soon.

The lesson, of course, is this: no one is immune, and your company could be next.

The IRS Awards Security Contract To Equifax Even After Hack

You’ve probably heard about Equifax’s recent troubles. Records on more than 145 million consumers were exposed, including names, addresses, Social Security numbers and more.

The problem was viewed as so serious that Equifax’s CEO stepped down and congressional hearings were launched, but then, a funny thing happened. Equifax got awarded a no-bid government contract worth millions ($7.25 million, to be exact) to help the IRS verify taxpayer identities in order to prevent fraud.

One might wonder how this happened, especially since the company was recently raked over the coals for standing to profit from the very breach it failed to prevent. During the congressional hearing on the matter, Senator Elizabeth Warren pointed out that Equifax could make millions by selling credit monitoring services to the very consumers whose data it was supposed to be protecting, so it’s a fair question.

The answer lies in the fact that the IRS regards this service as being critical, and one that cannot stand interruption of any kind. Based on their research, they have concluded that Equifax is the only company capable of providing it.

That conclusion seems strange, given that there are, in fact, two other similar credit reporting agencies, but in any case, the contract was awarded to Equifax in spite of their recent troubles.

The move is understandably raising eyebrows in various sectors, with government watchdog groups and privacy advocates both crying foul.

Unfortunately, in the immediate term, there’s little to be done. This is a case where the wheels of government just don’t turn quickly enough to keep pace with current events. Until another company can be approved to get the job done, Equifax is the only game in town, as far as the government is concerned. Needless to say, this is not exactly what one would call confidence-inspiring.

Uber Paid To Hide Massive Data Breach From Public

It has recently come to light that Uber was hacked in 2016 in a massive breach that exposed the personal information of more than 57 million Uber users and drivers. A wide range of data was stolen. For users, names, email addresses and phone numbers were compromised.

As bad as that is, the problem was even worse for more than 600,000 of the company’s drivers, whose driver’s license numbers were exposed as well.

Standard protocol is that when a breach like this occurs, the company will engage law enforcement officials as appropriate, hire a third-party security firm to help with the forensic investigation and notify their consumers.

Unfortunately, that’s not the path Uber chose to take. Instead, they paid the hackers $100,000 in exchange for keeping quiet about the hack and deleting the stolen data.

The company kept the incident under wraps for more than a year, but eventually word of the attack leaked out, and the fallout has been severe. Uber’s CEO Dara Khosrowshahi has asked for the resignation of the company’s Chief Security Officer, Joe Sullivan, and one of his deputies, Craig Clark, both of whom worked to keep the attack quiet.

In a formal statement, Khosrowshahi had this to say:

“None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

As is common in the aftermath of events like these, Uber is offering its impacted customers a free year’s worth of credit monitoring services and will likely force password changes for its app users. More than a year too late, but it’s something.

File this away under how not to handle a data breach.

A Million Imgur Users Affected By Breach

Do you use the image hosting service, Imgur? If you do, there’s a slight chance that you’ll be prompted to change your password the next time you log on. That’s because the company’s servers were breached in 2014, and the hackers made off with 1.7 million usernames and passwords, which represents just a tiny fraction of the company’s 150 million users.

Although the breach happened a few years ago, the company only found out about it on Thanksgiving Day of this year. Their response was immediate and decisive. The company called people in over the holiday and notified their impacted users just 25 hours and 10 minutes after discovering the details of the incident.

Contrast that to Uber’s handling of their most recent hack. They kept their impacted users in the dark for more than a year, and worse, paid the hackers $100,000 to keep the incident quiet. It’s easy to see why security professionals around the world have lauded Imgur for their handling of the hack.

Three key things to note in relation to the breach:

  • Not much information was stolen because Imgur asks its users for very little personal data in the first place. However, if you reused your Imgur password on other sites, those accounts are at risk too: change the password everywhere it was used.
  • At the time of the breach, Imgur stored passwords as SHA-256 hashes. SHA-256 is a hash, not encryption, and it is a fast hash: commodity GPUs can test billions of SHA-256 guesses per second, so any weak or common password in the stolen table should be assumed crackable. Only long, unique passwords were meaningfully protected.
  • In 2015, the company switched to bcrypt, a salted and deliberately slow password-hashing algorithm that makes each guess far more expensive. If the company is breached again in the future, attackers will find it much harder to recover usable passwords from the stolen hashes.
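
To make the difference between the two storage schemes concrete, here is an added example (it is not Imgur’s code and is not from the original post) that runs the same dictionary attack against an unsalted SHA-256 password table and then against a salted, slow password hash. Imgur moved to bcrypt; this example uses PBKDF2-HMAC-SHA256 from Python’s standard library as the slow hash purely so it runs without extra packages. The users, passwords, wordlist and iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: a tiny password wordlist and a "leaked" table of
# unsalted SHA-256 password hashes, the scheme the page says Imgur used at the
# time of the 2014 breach. Names and passwords are made up.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "hunter2"]


def sha256_hex(password):
    """Unsalted, single-round SHA-256: fast to compute, which is the problem."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


LEAKED_SHA256 = {
    "alice": sha256_hex("letmein"),                     # weak, in the wordlist
    "bob": sha256_hex("correct horse battery staple"),  # strong, not in the wordlist
}


def crack_sha256_table(table, wordlist):
    """Offline dictionary attack against unsalted SHA-256. One hash per guess,
    and with no salt a single table of guess hashes is checked against every
    user at once. Returns {user: recovered_password}."""
    guesses = {sha256_hex(w): w for w in wordlist}
    return {user: guesses[h] for user, h in table.items() if h in guesses}


# Hardened form: per-user random salt plus a deliberately slow key derivation.
# Imgur chose bcrypt; PBKDF2-HMAC-SHA256 from the standard library stands in
# here because it needs no third-party package. Iteration count is assumed.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for storage. A fresh 16-byte salt per password
    means two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so the check itself does not leak via timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_pbkdf2_record(salt, digest, wordlist):
    """The same dictionary attack against one hardened record. Every guess now
    costs PBKDF2_ITERATIONS hash computations, and the salt means the work
    cannot be shared across users. Returns the password or None."""
    for word in wordlist:
        if verify_password(word, salt, digest):
            return word
    return None


def compare_guess_cost(n_guesses=20):
    """Wall-clock seconds to make n_guesses against each scheme on this machine."""
    salt, digest = hash_password("not-in-the-wordlist")
    words = [f"guess{i}" for i in range(n_guesses)]

    start = time.perf_counter()
    for w in words:
        sha256_hex(w)
    fast = time.perf_counter() - start

    start = time.perf_counter()
    for w in words:
        verify_password(w, salt, digest)
    slow = time.perf_counter() - start
    return {"sha256_seconds": fast, "pbkdf2_seconds": slow}


if __name__ == "__main__":
    print("cracked from SHA-256 table:", crack_sha256_table(LEAKED_SHA256, WORDLIST))
    salt, digest = hash_password("letmein")
    print("cracked from PBKDF2 record:", crack_pbkdf2_record(salt, digest, WORDLIST))
    print("cost of 20 guesses:", compare_guess_cost())
```

The weak password falls to both attacks; the point is the cost per guess. Against the unsalted table one wordlist pass covers every user, while against the salted, iterated record each guess costs 100,000 hash operations and has to be repeated per user, which is what turns a dump of millions of hashes from an afternoon’s work into an infeasible one for all but the weakest passwords.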

All that to say, if you’re looking for a benchmark to compare yourself to if you’re ever hacked, Imgur’s example would be an excellent one to follow.

Car Tracking Device Company Had Its Passwords Leaked

We’ve seen a lot of hacking attacks so far this year, but the successful breach of SVR Tracking may take the prize as the most invasive attack of 2017.

If you’re not familiar with the company, SVR Tracking provides a vehicle tracking service. This is accomplished by mounting a small, unobtrusive device on your car in an area where an unauthorized driver is unlikely to notice or look.

Once the device is attached, it reports the vehicle’s location back to SVR’s servers every two minutes while the vehicle is in motion and every four hours while it is stationary. The last 120 days of location history are available to anyone with valid login credentials.

On September 18, researchers from Kromtech Security Center discovered files in an unsecured Amazon S3 bucket containing login credentials for more than half a million SVR Tracking accounts. Note that the total number of vehicles this could impact is likely far higher than half a million, because the app is frequently used by companies that manage entire fleets of vehicles, so one account may have dozens (or more) vehicles associated with it.

The exposed files contained account names, passwords, vehicle maintenance reports, dealer contracts and more.

There are two primary ways that a hacker could profit from this information. First and most obvious is that if you know exactly where a vehicle is, and when it’s likely to be sitting idle for hours at a time, then it’s incredibly easy to steal it.

Second, and less obvious, is that knowing where a vehicle goes lets an attacker build a detailed profile of the driver, which can be used to craft far more convincing targeted phishing emails down the road.

In any case, the offending files have now been removed and the bucket locked down, but there’s no way of knowing how many unauthorized people copied them while they were publicly readable. If you use the SVR Tracking app, change your password immediately, just to be safe.
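
For readers who run their own buckets, the following is an added example (not SVR Tracking’s or Kromtech’s code) that audits an S3 bucket’s ACL and bucket policy for the kind of anonymous exposure described above, and shows how the S3 Block Public Access settings (which AWS introduced later, in late 2018) neutralise it. The ACL, policy, bucket name and owner ID are constructed samples in the shape that `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` return; the script runs offline on those samples and makes no AWS calls.

```python
import json

# Group URIs AWS uses for "everyone" and "any AWS account" in an S3 ACL.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed sample, in the shape `aws s3api get-bucket-acl` returns: a bucket
# ACL that grants READ (object listing) to everyone on the internet.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample bucket policy, as the JSON string `get-bucket-policy`
# returns: anonymous GetObject on every key in a made-up bucket.
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-tracking-exports/*"}
    ],
})

# The four S3 Block Public Access flags a locked-down bucket should carry.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_acl_grants(acl):
    """Return [(group, permission)] for every grant to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if group:
            findings.append((group, grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    """Principal "*" or {"AWS": "*"} (or a list containing "*") means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return [(sid, [actions], conditioned)] for Allow statements open to any
    principal. 'conditioned' is True when a Condition block narrows the grant
    (for example to a source IP range); that still deserves a look but is not
    necessarily world-readable."""
    policy = json.loads(policy_json) if policy_json else {}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append((stmt.get("Sid"), actions, "Condition" in stmt))
    return findings


def audit_bucket(acl, policy_json, public_access_block=None):
    """Combine the checks the way S3 evaluates them: public ACL grants are
    neutralised by IgnorePublicAcls, public policies by RestrictPublicBuckets.
    Returns a list of findings; an empty list means nothing is public."""
    pab = public_access_block or {}
    findings = []
    if not pab.get("IgnorePublicAcls"):
        for group, perm in public_acl_grants(acl):
            findings.append(f"ACL grants {perm} to {group}")
    if not pab.get("RestrictPublicBuckets"):
        for sid, actions, conditioned in public_policy_statements(policy_json):
            tag = " (conditioned)" if conditioned else ""
            findings.append(f"policy statement {sid} allows {', '.join(actions)} to any principal{tag}")
    return findings


if __name__ == "__main__":
    print("exposed bucket:", audit_bucket(SAMPLE_ACL, SAMPLE_POLICY_JSON))
    print("after lock-down:", audit_bucket(SAMPLE_ACL, SAMPLE_POLICY_JSON, HARDENED_PUBLIC_ACCESS_BLOCK))
```

Run against live buckets, the three inputs would come from the corresponding `aws s3api` calls; the point of keeping them as plain dictionaries and JSON here is that the same audit logic can be dropped into a CI check or a scheduled job and run against exported configuration. Note that an AllUsers READ grant on the bucket ACL is exactly what makes a bucket listable by anyone who guesses its name, which is how exposures like the one above are typically found.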