Wednesday, June 22, 2016
Taking a break
I am taking a bit of family time before starting a new job in mid-July. Barring any major security events, I will not be publishing any posts for the next few weeks. See you in late summer!
Wednesday, June 8, 2016
IRS level-ups consumer security: the good, the bad, and the ugly
On June 7, the IRS launched an improved online authentication process, adding a degree of two-factor authentication. The IRS disabled online tax transcripts last spring after a rash of fraud - criminals obtained taxpayer information from external sources and used it to access a tax transcript; the transcript had ample information to completely impersonate the person and file fraudulent tax returns claiming huge refunds.
The new system requires two-factor authentication: in addition to your password you receive a code via text message; if an attacker doesn't have access to the device on which you receive that code, they cannot log in.
But here's the rub: in order to set up two-factor authentication, you still must have access to your account. Since the IRS disabled the tax transcript service last year, it requires you to prove your identity again. and guess what information is required to prove your identity? The same information that may have already been stolen in the past.
The result is what is known in the security world as a "race condition:" access is granted to whomever can "prove" your identity first.
The new system requires two-factor authentication: in addition to your password you receive a code via text message; if an attacker doesn't have access to the device on which you receive that code, they cannot log in.
But here's the rub: in order to set up two-factor authentication, you still must have access to your account. Since the IRS disabled the tax transcript service last year, it requires you to prove your identity again. and guess what information is required to prove your identity? The same information that may have already been stolen in the past.
The result is what is known in the security world as a "race condition:" access is granted to whomever can "prove" your identity first.
Thursday, June 2, 2016
TeamViewer Hacked? Maybe, maybe not - but take precautions
TeamViewer is a handy way to log into and control multiple computers from one location. I personally have used it and services like it to provide technical support for distant family from the comfort of my living room. Any computer that can be controlled over the Internet by me though, could potentially also be controlled over the Internet by a malicious hacker that knew the right access information.
It is not clear whether the TeamViewer service itself has been compromised, or if the crooks are simply taking passwords from the many recently-discovered breaches (LinkedIn, Tumblr, MySpace, etc.) and finding that the same password works for a person's TeamViewer account.
The latter is entirely plausible: over the past few weeks, somewhere close to a half BILLION email and password combinations have turned up for sale on underground markets. Many of these passwords are years old, from incidents long ago discovered and reported on - but password reuse remains common. If My LinkedIn password were stolen in 2012, and I changed it, but I used the same password for TeamViewer and never changed it, it is entirely possible a crook could discover my old LinkedIn password and use it to break into my TeamViewer account.
Regardless, a few precautions can limit the potential for harm.
Thursday, May 26, 2016
How to fail at mobile user experience
Some posts I write because I am curious, and some to share a project I have worked on, or a security risk to be aware of. And then there are posts like this, written out of sheer annoyance.
It began with a simple link to a news article, shared by a fellow Central Texas security pro:
It began with a simple link to a news article, shared by a fellow Central Texas security pro:
At first glance, I thought the article pertained to a story I have been following (and have written about) - a series of coordinated ATM heists over the past few years, involving large numbers of stolen payment cards and large numbers of hired hands, stealing millions of dollars from thousands of ATMs at once.
Alas, I could not read the story.
Clicking the link in Twitter's client for my Android phone did not open the story on the ABC web site. Instead, the link opened Google Play Store, asking me to install the ABC News mobile app.
Monday, May 23, 2016
Coordinated heist steals $12.7 million from 1,400 ATMs in Japan
 |
| "Automatic teller machine trailer" by Thilo Parg, used under license CC BY-SA 3.0 |
This is a bit more sophisticated than the run-of-the-mill heist. On May 15, an as-yet unidentified crime ring pulled off the theft of the equivalent of $12.7 million USD, using 1600 stolen payment cards at 1400 Japanese ATMs, all in the span of 2 hours.
This is not the first coordinated attack against ATMs. A similar heist in 2011 used prepaid cards from a Florida bank to withdraw some $13 million USD from ATMs across Europe. Then, in February 2013, yet another crime organization pulled off the theft of over $40 million USD from ATMs around the world in a coordinated attack lasting 10 hours.
The details of the most recent attack are a little bit unclear to me - I suspect something may be lost in translation. The original story says the attack used cloned credit cards stolen from South Africa, but ATM withdrawals require PIN transactions, which typically means debit or ATM cards. Regardless, there are a few things you can do to protect yourself.
- Avoid the use of debit / ATM cards as much as possible. A debit or ATM card is directly connected to your bank account, while a credit card is using the bank's money until you pay the bill at the end of the month.
- When withdrawing cash from an ATM, if you have a choice, favor an ATM indoors at a brick-and-mortar bank. Brian Krebs has done some enlightening research into ATM skimmers, including a fascinating series on a particular ATM fraud method in Mexico. ATMs in public places (shopping centers, hotels, convenience stores, event venues) are prime targets for crooks to steal card data.
It takes only a few seconds to insert a skimmer - a physical device that copies the card information when you insert a card into the machine. More sophisticated attacks will place the skimmer inside the machine, or install malware on the machine so the machine itself will copy the card data and send it to the attacker. ATMs inside legitimate banks are less likely to be compromised, simply because there is greater risk to the criminal.
- Set up transaction alerts with your bank. Your bank will send you an email or SMS/text message, generally for transactions over a set dollar amount. While this does not prevent the fraud from happening, the sooner you know about it and report it to your bank, the sooner the fraudulent transactions can be reversed.
Wednesday, May 18, 2016
Rumor mill: LinkedIn password breach
Update May 18 10:00 CDT: LinkedIn has confirmed that the password dump is real, but that it originated from the 2012 data breach. The social media site is notifying affected users and requiring a password change for anyone who had an account in 2012, and has not changed their password since.
The rumor mill has it that some 170 million LinkedIn username and passwords are available on the black market, offered for sale to anyone willing to pay the equivalent of a few thousand dollars US.
Several investigators that I trust have suggested it is likely true - but also likely old news. LinkedIn confirmed a data breach in 2012 involving usernames and passwords, though on a much smaller scale. The most reliable sources I have suggest that these 170 million passwords are in fact from the 2012 breach.
If you haven't changed your LinkedIn password since 2012, do so now. We know there was a confirmed breach at that time.
Even if you have changed your password since then, it can't hurt to change it again. It takes about 30 seconds, and it renders the rumored password dump useless against you, whether or not it contains your actual password. LinkedIn provides simple instructions for changing your password.
As an additional step, consider enabling multifactor authentication for your LinkedIn account. With multifactor authentication enabled, you add your phone number to your LinkedIn account. LinkedIn will send a one-time-use code to you via SMS (text message) anytime a login request comes from a device you have not logged in from before. As I have written before, phone-based multifactor is possible to defeat - but it is far stronger than just a password.
Your LinkedIn profile is an extension of your professional identity; a stolen password could allow someone to embarrass you. Possibly worse, with access to your LinkedIn account, an attacker could reach out to your connections to abuse their trust in you. Your connections would assume the attacker was in fact you. For that reason, social media accounts should be well protected.
The rumor mill has it that some 170 million LinkedIn username and passwords are available on the black market, offered for sale to anyone willing to pay the equivalent of a few thousand dollars US.
Several investigators that I trust have suggested it is likely true - but also likely old news. LinkedIn confirmed a data breach in 2012 involving usernames and passwords, though on a much smaller scale. The most reliable sources I have suggest that these 170 million passwords are in fact from the 2012 breach.
If you haven't changed your LinkedIn password since 2012, do so now. We know there was a confirmed breach at that time.
Even if you have changed your password since then, it can't hurt to change it again. It takes about 30 seconds, and it renders the rumored password dump useless against you, whether or not it contains your actual password. LinkedIn provides simple instructions for changing your password.
As an additional step, consider enabling multifactor authentication for your LinkedIn account. With multifactor authentication enabled, you add your phone number to your LinkedIn account. LinkedIn will send a one-time-use code to you via SMS (text message) anytime a login request comes from a device you have not logged in from before. As I have written before, phone-based multifactor is possible to defeat - but it is far stronger than just a password.
Your LinkedIn profile is an extension of your professional identity; a stolen password could allow someone to embarrass you. Possibly worse, with access to your LinkedIn account, an attacker could reach out to your connections to abuse their trust in you. Your connections would assume the attacker was in fact you. For that reason, social media accounts should be well protected.
Wednesday, May 11, 2016
SIM swap fraud targets SMS-based two-factor authentication
This method of security is becoming common enough for criminals to come up with ways to defeat it. One such method seen lately in the UK is a so-called "SIM swap" - the crook gains enough information to impersonate you, then calls your mobile carrier to claim your phone has been stolen. Your phone number is re-activated, but on the crook's phone - so the crook now receives the SMS or text codes meant for you.
Multi-factor authentication that uses a mobile app (or a separate token generator) is stronger security, but if SMS is what your bank offers, I still recommend enabling it. It's still far better than just a password.
What you should do
- Enable any two-factor or multi-factor feature provided by your bank. A hardware token (a physical device generally about the size of a USB flash drive) is the strongest solution, though it's probably not practical to carry token generators for every important account. A mobile app (Google Authenticator and Duo Mobile are popular options) is the next best thing, and even an SMS or text message code still raises the bar that a criminal must overcome.
twofactorauth.org is a great website with links to "how-to" documentation at many, many banks and service providers.
- Be mindful of the personal information you share publicly. The more a criminal can learn about you (address, current location, date of birth, email addresses, children's names, payment card numbers, bank account numbers, etc.), the easier he or she can impersonate you to a service provider. If the identity thief can convince tech support that they are you, then for all intents and purposes, to that service provider they are you.
Subscribe to:
Posts (Atom)