Archive for the ‘HACKERS’ Category

Chick-fil-A Restaurant chain investigates hack into credit card payment data

child hacker on line at screen image www.intelagencies.com

Chick-fil-A is investigating a possible breach of credit card data that occurred in mid-December.

Chicken sandwich chain Chick-fil-A is investigating a possible data breach at some of its restaurants, the company announced Friday, saying it was working with cybersecurity firms and federal law enforcement to determine whether its payment system was hacked.

In a terse statement, the fast food company said “payment industry contacts”, likely meaning credit card companies and banks, had reported suspicious activity on 19 December. After those initial reports, Chick-fil-A contacted authorities and cybersecurity companies to help investigate the activity, which it described only as “involving payment cards at a few restaurants”.

A spokesperson for the company declined to comment; the company’s statement declares it “premature for us to comment further given the pending investigation”.

Cybersecurity journalist and expert Brian Krebs first reported a possible breach in mid-December, saying that several financial institutions had traced the common point-of-purchase on cards with suspicious activity to Chick-fil-A locations. An anonymous source told Krebs that most of the restaurant locations affected were in a handful of states, including Pennsylvania, Maryland, Virginia, Georgia and Texas.

Krebs believes a breach of Chick-fil-A’s locations would likely have affected only a fraction of the company’s nearly 2,000 restaurants. He compared the breach to those of other medium-sized chains, such as Dairy Queen, that use third-party companies to manage their purchase systems. In those cases, hackers installed malware in the third party’s point-of-sale (POS) software — the technology in a credit card terminal — allowing the thieves to steal data encoded on the back of cards.

If confirmed, the December breach would add to a year of similar attacks on major US corporations. In November, hackers installed malware on Home Depot’s self-checkout systems, netting them 53m emails and compromising 56m credit and debit card numbers. In December 2013, Krebs revealed a data breach of Target’s system; the company discovered that criminals had compromised personal information of about 110 million customers, and also likely used POS infiltration.
Advertisement

In the digital arms race between authorities and hackers, corporations and security firms are struggling to keep pace. In September, the Ponemon Institute, a data protection research group, found that 43% of US firms had experienced a data breach in the past year. In October, a majority of experts told Pew Research they expected major cyber attacks to cause widespread harm in the next 10 years. And nearly two years ago, Symantec, the world’s largest antivirus software company, admitted that its technology could no longer defend against the most sophisticated cyber attacks.

With a wealth of credit card data and personal information, hackers can either create counterfeit cards or sell the information to others. Chick-fil-A said that if investigation confirms a data breach, customers will not be held liable for relevant charges, adding that it would arrange identity protection services for affected customers.

Krebs knocked down that offer “as a means of placating nervous customers”, and both he and Chick-fil-A encouraged customers keep a close eye on bank and card statements to look out for suspicious activity and possible identity theft.

www.clublibido.com (8)

MORE> www.intelagencies.com

jy6j

Henry Sapiecha

Stolen credit card details available for £1 each online

Guardian finds batch of 100 stolen cards on sale for £98 on ‘dark web’ amid heightened fears about identity theft in wake of TalkTalk hack

cyber attacker on dark keyboard image www.intelagencies.com

To bulk buy stolen data at lower prices, fraudsters head to the dark web via the Tor browser. Photograph: Thomas Trutschel/Photothek via Getty Image

UK credit card details are on sale for as little £1 each online, the Guardian has learned, as fears rise over the security of personal data in the wake of the TalkTalk cyber-attack.

More than 600,000 individuals had their personal details stolen from UK companies in 2014, according to the Financial Times, underlining the scale of online crime in this country. It is likely that some of that data will have ended up on a website used by criminals wanting to buy high-end UK credit card data.

Visa and Mastercard details stolen on Tuesday were offered to the Guardian the following day – provided payment was made in the cypto-currency bitcoin – on a website which is registered in Russia but run in English.

The site did not reveal where the details were harvested from, but the ownership of the cards was clear. One credit card was registered to a person in Craigavon in north County Armagh; another belonged to a resident of Chelmsford, Essex, who lost their platinum Visa card earlier this week. Platinum cards are particularly attractive to fraudsters because of their high credit limit. Scores more card details, registered to addresses up and down the country, from Aberdeenshire to Devon, were openly for sale on the site.

734

The example of the Russian-registered site is striking because it is on the “surface” web, and easily available to conventional internet users. It has a high-end design and layout, offers customer support and promises an 80% success rate for the buyers of stolen cards. It sits at the luxury end of the identity theft market, and charges accordingly – it wanted $72 (£47) for each card sold to us.

To bulk buy stolen data at lower prices, however, fraudsters head to the dark web. This can be accessed via the Tor browser, rather than conventional browsers used by the vast majority of users. It bounces a connection through multiple encrypted relays before it hits its destination. This obscures where the site’s server is located, allowing would-be identity thieves to connect to hidden services, and sites not accessible to non-Tor users.

Searching through Tor, it is possible to access a site which will sell 100 credit cards (with the CVV2 digits – the three numbers on the reverse of the card) for just $150 (£98), around £1 per card. The site also sells PayPal accounts at $100 for 100, while other hidden services will offer €1,250 of counterfeited notes for €500. Free shipping is included.

Buying the stolen information is just the first step in a process that criminals use to convert digital data bought online into hard cash. The credit cards are used to load money onto easily obtained pre-paid debit cards. These are payment cards that function similar to credit cards, and can be used to shop online, but can be opened without the sort of checks wanted by banks when opening a current account.

These pre-paid debit cards are used to buy online gift cards. In turn, these gift cards are used to buy high-value electronics, such as iPhones or games consoles, which are sold at a discount – an iPhone 6S for $430 or an Xbox One for $240. That cash goes in the pocket.

But how do these dark websites get the data? A significant source of stolen information, particularly in the US, is old-fashioned card-skimming: a compromised terminal or company employee on the take, who steals the details of a card in the process of completing a transaction.

Just as common is the 21st-century equivalent: malware. This is the catch-all term for malevolent software that infects an individual’s computer to monitor communications for confidential information such as banking passwords, credit card details and social media logins. The data is uploaded to a central server where it is sold on or used to further spread the malware.

The Gameover Zeus malware, disrupted by a joint UK-US operation in June 2014, was one such attack. This acted as a form of “ransomware”, encrypting the infected computer and demanding payment in bitcoin to release the data.

The third major source of data for sale is large-scale hacks, of the type that was flagged by telecoms operator TalkTalk on 23 October. Sometimes the stolen information can be used directly, especially where the company has irresponsibly stored credit card data or passwords on their servers in plaintext; or it may be used as the first step in stealing someone’s identity, where information from two or more hacks is linked to build a profile that can be used to apply for bank accounts or credit cards.

TalkTalk boss: we’re unsure how many customers were affected by cyber-attack – video

Security experts call the organised criminal hacks “advanced persistent threats”. But the attack on TalkTalk has left researchers bemused. A 15-year-old boy from Northern Ireland is on police bail in connection with the cyber-attack, while on Friday a 16-year-old boy was arrested in London.

TalkTalk appears to have been the victim of a relatively amateur and opportunistic hack, according to experts. The company’s chief executive, Dido Harding, said the perpetrator exploited a “sequential injection” attack. Security researchers, realising she meant to say “SQL injection” – a common form of attack in which a hacker tricks the website into releasing information from a database – had a field day.

“It’s not the lowest-hanging fruit of all,” said David Enn, a researcher at information security firm Kaspersky. “But certainly in terms of attacking core infrastructure of the business, we’re not looking at a concerted, targeted attack. What you’re talking about here is like managing to sneak through the security barrier just by slipstreaming an employee.”

TalkTalk declined to discuss its defences in detail, given the ongoing police investigation, but said it continually invested in improving its systems, and constantly monitored and scanned its network to detect any weaknesses.

“We defend against all manner of attacks on a day by day basis,” a statement said. “Each day we have to block over 170m scamming emails to our customers, and we block over 1m nuisance calls to our customers each day.

“It is a constantly evolving fight against cybercrime and individual companies on their own can’t tackle this problem.”

197_banner

www.intelagencies.com

www.scamsfakes.com

Henry Sapiecha

How Hackers Found a Way to Thwart Chip and PIN Credit Cards

Make no mistake, the tech is not invulnerable.

credit card closeup blue image www.creditcardseasy.net

After years of preparation, chip and PIN credit cards are finally arriving in the United States. But while a chip and PIN might be much more secure than a signature, hackers have shown that it’s not invulnerable, and now we know how they pulled it off.

As Ars Technica reports, a number of chip and PIN cards were stolen in France back in 2011, and somehow, the fraudsters who took them were able to start using them in Belgium, despite the security enhancements that credit card companies are wont to hold up as unimpeachable. Security researchers expressed their doubts about the tech as early as 2010, but the incident in Belgium was the first (and so far only) instance of an actual exploit.

Now, the researchers behind the investigation have published a paper that explains how the hack worked. At least as well as they can tell; the actual cards are still untouchable due to being evidence in a criminal proceeding. As Ars Technica explains:

The fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card’s original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, “making insertion into a PoS somewhat uneasy but perfectly feasible,” the researchers write.

Essentially, that small extra chip would sit between the card’s actual chip and the point of sale, and assure both sides that everything about the transaction was on the up-and-up, even though it wasn’t.

The problem is solvable, the regulators behind the chip and PIN system say it’s already been solved. But that a vulnerability was present at all is still troubling. The all-around weakness of signature based authentication meant that credit card companies had little choice but to eat the cost of plausible and frequent fraud. But if those same companies hold up chip and PIN as infallible, it could make claiming fraud much harder or virtually impossible.

Yes, chip and PIN will hopefully make credit card fraud much rarer, but if credit card companies continue to treat it as fool-proof when it very well may not be, the next vulnerability could prove very expensive for the victims.

www.clublibido.com (5)

www.intelagencies.com

www.scamsfakes.com

GUKYGT

Henry Sapiecha

Apple Pay bridging bricks-and-mortar and online credit card fraud

The Apple Watch will be able to make payments using Apple Pay.

The Apple Watch will be able to make payments using Apple Pay. Photo: Reuters

Lost amid the Apple media firestorm these past few weeks is a stark and rather unsettling reality.

Apple Pay – the company’s answer to a mobile (and wearable) wallet – makes it possible for cyber thieves to buy high-priced merchandise from bricks-and-mortar stores using stolen credit and debit card numbers that were until now only useful for online fraud.

To understand what’s going on here, a quick primer on card fraud first: If you’re a fraudster and you wish to walk into a big retailer and walk out with a big screen TV or Xbox console on someone else’s dime, you’re going to buy “dumps” which are data stolen straight off the magnetic stripe on the backs of cards.

Typically, dumps are stolen via malware planted on point-of-sale devices, as in the breaches at brick-and-mortar stores like TargetHome Depot and countless others over the past year. Dumps buyers encode the data onto new plastic cards, which they then use in-store at retailers and walk out with armloads full of high-priced goods that can be easily resold for cash. The average price of a single dump is between $US10-$30, but the payoff in stolen merchandise per card is often many times that amount.

R7IG5

SOME 8 WAYS TO SEE IF YOUR CREDIT CARD IS BEING SCAMMED BELOW-CLICK LINK

http://creditcardseasy.net/2015/01/21/credit-card-fraud-eight-ways-to-get-your-info-hijacked/

When fraudsters want to order something online using stolen credit cards, they go buy what the crooks call “CVVs” — card data stolen from hacked online stores. CVV stands for “card verification code,” and refers to the three-digit code on the back of cards that’s required for most online transactions. Fraudsters buying CVVs get the credit card number, the expiration date, the card verification code, as well as the cardholder’s name, address and phone number. Because they’re less versatile than dumps, CVVs cost quite a bit less — typically around $US1-$5 per stolen account.

So in summary, dumps are stolen from main-street merchants, and are sought after by crooks mainly for use at main street merchants. CVVs, on the other hand, are stolen from online stores, and are useful only for fraud against online stores.

Enter Apple Pay, which potentially erases that limitation of CVVs because it allows users to sign up online for an in-store payment method for their iPhone or Watch using little more than a hacked card account and CVVs. That’s because most banks that are enabling Apple Pay for their customers do little, if anything, to require that customers prove they have the physical card in their possession.

Avivah Litan, a fraud analyst with Gartner, explained in a blog post published earlier this month that Apple provides banks with a fair amount of data to aid in their efforts at “identity proofing” the customer, such as the customer’s device name, its current geographic location, and whether or not the customer has a long history of transactions with iTunes.

All useful data points, of course, unless the iTunes account that all of this information is based on is hijacked by fraudsters. And as we know from previous stories, there is a robust cybercrime underground trade for hijacked iTunes accounts, which retail for about $US8 each.

tjygtiu6

Litan’s column continues:

“Interestingly, neither Apple nor the banks get any useful identity information out of the mobile carriers – at least that I know or heard of. And mobile carrier data could be particularly helpful with identity proofing. For example the banks could compare the mobile service’s billing address with the card account holder’s billing address.

“For years, we have been briefed by vendors offering a plethora of innovative and strong user authentication solutions for mobile payments and commerce. And for years, we have been asking the vendors touting them how they know their mobile app is being provisioned to a legitimate user rather than a fraudster. That always appeared to me to be the weakest link in mobile commerce –making sure you provide the app to the right person instead of a crook.

“Identity proofing in a non-face-to-face environment is anything but easy but there are some decent solutions around that can be stitched together to significantly narrow down the population of fraudulent transactions and identities. The key is reducing reliance on static data – much of which is PII data that has been compromised by the crooks – and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements.

“This problem is only going to get worse as Samsung’s LoopPay and the MCX/CurrentC (supported by Walmart, BestBuy and many other major US retailers) release their mobile payment systems, without the customer data advantages Apple has in their relatively closed environment.”

Sure, the banks could pressure Apple Pay to make their users take a picture of their credit cards with the iPhone and upload that data before signing up. That might work for a short while to deter fraud, at least until the people at underground document forgery sites like Scanlab see a new market for their services.

RUI

But in the end, most banks coming online with Apple Pay are still using customer call centers to validate new users, leveraging data that can be purchased very cheaply from underground identity theft sites. If any of you doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the US Senate Commerce Committee.

The irony here is that while Apple Pay has been touted as a more secure alternative to paying with a credit card, the way Apple and the banks have implemented it actually makes card fraud cheaper and easier for fraudsters.

Even more deliciously ironic, as noted in Cherian Abraham’s insightful column at Droplabsis how much of the fraud stemming from crooks signing up stolen credit cards with Apple Pay was tied to purchases of high-dollar Apple products at Apple’s own brick-and-mortar stores. That banks end up eating the fraud costs from this activity is just the cherry on top.

Abraham said the banks are in this mess because they didn’t demand more transparency and traceability from Apple before rushing to sign customers up (or “provision” them, in banker-speak) for Apple Pay.

“One of the biggest gripes I have heard from issuers is the lack of transparency from Apple (what did they expect?) and the makeshift reporting provided to issuers that is proving to be woefully inadequate,” Abraham wrote. “As long as issuers fall back on measures easily circumvented by freely available PII – this problem will continue to leech trust and large sums of cash. And alongside of the latter, there is much blame to go around as well.”

Both Abraham and Gartner’s Litan say banks need to take a step back and take the time to develop more robust, thoughtful and scalable solutions to identity proofing customers, particularly as other mobile providers begin rolling out their mobile payment systems without the customer data advantages that Apple has in their relatively closed environment.

“The vendors in the mobile user authentication space have consistently answered that they are leaving account provisioning policies to the banks or other consumer service providers provisioning the apps,” Litan wrote. “Well maybe it’s time for them to reconsider and start helping their client banks and service providers by supporting identity proofing solutions built into their apps. Whoever does this well is surely going to win lots of customer support… and revenue.”

www.clublibido.com (5)

www.intelagencies.com

www.scamsfakes.com

Henry Sapiecha

HACKERS GET INTO CREDIT CARDS OF COSMETIC COMPANY

Customers warned

as hackers target

cosmetics retailer

Megan Levy
February 15, 2011

Thousands of online shoppers who recently purchased items from the popular cosmetics group Lush have been warned to contact their banks after the company’s Australian and New Zealand website was targeted by hackers.

Lush has taken down its website this morning and replaced it with a statement warning that customers’ personal details, including credit card numbers, may have been compromised.

‘‘We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable,’’ the company’s website says.

It follows a similar attack on the UK branch of the handmade cosmetics company last month, during which anyone who placed an online order between 4 October and 20 January was exposed to the privacy breach.

Following that attack, many Lush customers reported that their cards had been used fraudulently.

In today’s statement, Lush said the Australian and New Zealand websites were not linked to the Lush UK website, but had been separately targeted.

‘‘As a precautionary matter we have removed access to our website while we carry out further security checks,’’ the statement says.

‘‘Lush is working with the police, forensic investigators and banks and doing all that we can to investigate the breach in privacy.

‘‘We are currently in the process of contacting each of our online customers individually by email.’’

The security breach has not affected customers who used the mail order phone line, the statement says.

‘‘Again, we would like to say that we are truly sorry and thank all our customers for standing shoulder to shoulder with us during this difficult time,’’ the website says.

Lush has previously been praised by green campaigners for not using animal fats in its products, as well as its stance against animal testing. Tests are performed on human volunteers instead.

RTERCU

www.intelagencies.com

www.scamsfakes.com

Sourced & published by Henry Sapiecha