Posts Tagged ‘contactless’

Growing concern that Marks and Spencer’s contactless payment terminals take money from customer accounts without their permission

 

The British Broadcasting Corporation (BBC) broke the news today that certain Marks and Spencer (M&S) customers are experiencing issues with the use of contactless payment cards at stores in the UK.

BBC reporter Bob Howard (Radio 4’s ‘Money Box’ programme) appears to have been approached by a number of M&S customers who claim that payments have been taken from their RFID enabled / contactless cards, whilst still in their wallets but nonetheless in proximity to ‘point-of-sale’ terminals.

A BBC spokesperson said,

“Cards are supposed to be within about 4cm of the front of the contactless terminal to work.

But some customers say payments have been taken from cards while in purses and wallets at much greater distances.”

M&S remains (perhaps understandably) adamant that its payment processes are robust and entirely fit for purpose.   However, one customer told the BBC…

“I put my card into the reader and the assistant was asking whether or not I wanted cash back.

“Before I could answer, the transaction came up as complete and the till issued a receipt so I hadn’t put in a pin at all at that stage. I queried it with an assistant and she looked rather puzzled and looked at the receipt and compared it to my card and realised that the numbers didn’t tally.”

There have also been reports of ‘double charging’, where two contactless payment cards are charged simultaneously – however, the jury is currently out on whether this is a real problem or not. Elsewhere amongst Britain’s press (notably The Daily Mail and The Telegraph) are articles reporting similar themes, and one claim that we have heard about is where a customer would like to make a cash payment for goods at the payment terminal, only to find that their item has already been checked out. What may be happening in such instances is that the person wishing to make a cash purchase has moved close enough to the payment terminal for a contactless credit, debit or store card on their person to activate – and thus complete the sale.

Some will take the view that this is an invasion of privacy, although perhaps the overarching theme is merely that our choice as customers is being eroded, (i.e. our ability to determine exactly how, and when, we pay for goods).  However, by keeping our contactless payment cards safe within RFID protective sleeves we can take control quite easily – dictating when, and how, we are charged for goods – making payments on our terms.

To purchase low-cost RFID shielding sleeves for your contactless cards click here.

More on this extraordinary development can be found at the following link:

bbc.co.uk/news/business-22545804

[Image] Copyright © 2012 RFID Protect

The Australian edition of Secure Business Intelligence magazine (or SC to those in the know) has uncovered evidence of a new Android app capable of skimming customer data from contactless payment cards! Earlier this year Thomas Cannon (ViaForensics) successfully demonstrated (on ITN Channel 4 News) a prototype app for NFC smartphones that could e-pickpocket the victim’s bank card account number and expiry date, and obtain sufficient details to enable purchases with a major online store.

It seems that developer Thomas Skora (Integralis) has taken Cannon’s concept one step further – his new app, called ‘paycardreader’, not only skims card details, but it is claimed that it can also access “…transactions and merchant IDs” when tested against certain PayPass Mastercards.

Interviewed by SC during an awareness-raising event for the security industry, Skora stated that his app was “…only for technical demonstration”.

SC magazine suggests that the app, “…was available for download on the Google Play Store and on GitHub” although we were unable to track it down and suspect that it has since been removed for fear this technology will fall into the wrong hands.

Mindful that in Thomas Cannon and Thomas Skora we now have two independent app developers that have successfully produced a functional ‘e-pickpocket’ app for smartphones, important questions need to be asked of our security professionals. For instance, are there more developers working on similar applications we wonder? And just how long before organised crime produces its own version?  After all, it could be argued that the prospect of a ‘contactless’ theft – one where the victim doesn’t even realise they’ve been ‘mugged’ – will be an attractive proposition for career criminals; and therefore is likely to be an idea worthy of their time and investment.

Learn more about e-pickpocketing at: www.e-pickpocket.com

Or watch Thomas Cannon in action here: www.rfidprotect.co.uk/video6.html

Original source:  http://www.scmagazine.com.au/News/305881,android-app-steals-contactless-credit-card-data.aspx

Everyone’s favourite daytime TV show This Morning featured a selection of RFID Protect products during a slot about credit card fraud and the fast-growing issue of ‘e-pickpocketing’. During a five-minute feature, presenter Phillip Schofield showcased RFID Protect’s latest Leather Multi-card Holder, which has been designed in collaboration with crime-reduction officers at Victoria Police, Australia and is new to the UK.

Mr Schofield was visibly shocked at the ease with which information can be ‘skimmed’ from a contactless credit or debit card during a demonstration given by Thomas Cannon, Director of Research and Development at American company ViaForensics.

First shown on Thursday 10th May, 2012 the programme can be viewed again for a limited period, at http://www.itv.com/thismorning/ and a direct link to their Crime File discussion area for this particular issue can be found at: http://www.itv.com/thismorning/life/crime-file-120510/

A spokesman for RFID Protect said,

“…we’re absolutely thrilled that ITV came to us for guidance on the whole issue of ‘e-pickpocketing’, and what members of the public can do to better protect their contactless bank cards.  Working with the team on This Morning has been a great pleasure; it’s great to receive so much positive feedback about our work and products.”

Adding,

“…ITV has very kindly agreed to provide viewers with a direct link to our products from their main website. This will go live shortly, but in the meantime our full range of RFID shielding kit can be purchased on-line at: http://www.rfidprotect.co.uk/products.html”

TWENTY million Brits are at risk of having their bank details stolen by electronic pickpockets, a Sun investigation has revealed!

Journalist Nick Francis of The Sun newspaper has spearheaded a major investigation into the potential for contactless crime, taking the work of RFID Protect to a national audience.  In an interview with RFID Protect spokesman [David Maxwell] The Sun revealed:

“…David is a former cop and director of RFID Protect, a firm specialising in products which combat RFID fraud.  It has been a big problem in America for a while and now it is getting to be a problem over here. It is a difficult thing to put statistics on because it’s hard to tell how your card details were skimmed.”

“If you ring your bank they will point out there are many ways to lose your card ID, which is true, and by the time you find out you’ve been skimmed it is too late to work out how.

“But the technology is out there and in the wrong hands.”

Source: The Sun (News International)

Date: Sunday 29 April 2012

Original author: Nick Francis

You can read the full story at this link:  “Robbed by Radiowave”  The Sun Newspaper (News International)  or get protected from contactless crime at: RFID Protect (click here)

Update | 05 May 2012: This story has now captured the attention of numerous media agencies, and continues to expand its reach on a daily basis. We are aware that the following players have either run similar features during the course of the past week, or intend to do so before long:

The Daily Mail

This is Money

DNA Daily News Analysis

This Morning (ITV.com)

If you’re a regular visitor to this blog then you’ll no doubt be familiar with RFID technology – and now it appears that our cousins in Australia are waking up to some of its potential vulnerabilities. Linking automatically to a retailer’s ‘point-of-sale’ terminal (but without the need for a verification PIN or signature) makes Radio Frequency ID (RFID) payments quite different to normal transactions using a swipe card, cash or personal cheque.

The ability to process transactions rapidly means that RFID e-payment solutions are very attractive to retailers too, although it has been reported in the media that a growing number of consumers in Australia are not entirely convinced by industry claims that these ‘contactless’ systems are 100% foolproof!

ABC News 24 recently reported that, “…There’s been some very famous attacks where people have been reading passport numbers and other serial numbers from RFID-enabled cards. Proximity cards, such as the one that you use to get into your secured building, those have been cloneable for quite some time.”

Whilst Australia has been relatively slow to adopt ‘contactless’ systems – we’ve learned that as of March 2012 it’s going to be a case of ‘full steam ahead’ with major stores keen to deploy ‘tap-and-pay’ payment options.  More likely to ‘crack a mental’ than crack open the Champagne – some quarters are arguing that the roll-out of contactless e-commerce is fast becoming a headache for those involved.

A spokesperson at ABC News 24 urged caution reporting that, “…one of the first attacks that we’re most likely to see being used by criminals are probably relay attacks. When you have your phone in your pocket or your card in your wallet and attackers work out a mechanism to activate the card in your pocket, relay the transaction somewhere else, maybe not even in the country and perform a transaction at a terminal by another party, stealing money from that particular account. That’s probably the most likely attack that we’ll see occurring in the future.”

Here’s the link: http://www.abc.net.au/news/2012-01-30/consumers-warned-over-tap-and-pay-technology/3801162

The following link will take you to the RFID Protect webpage where any nervous Australians can get protected now! http://www.rfidprotect.co.uk/products.html

On 8th December 2011, news broke that US police officials had been deployed to North Miami Beach Senior High School to investigate the alleged theft of 2,000 student ID cards. According to a local media outlet, these ID cards contained sensitive personal information on the holder – including details of each student’s social security number.

Commentators on the situation have said, “…it’s very concerning because it has our social security numbers [on the ID card].”

Some will suggest that this is an excellent example of how any ‘foolproof’ system, (not least one that’s designed to improve security for its participants), is only 100% effective until the moment when something goes wrong.

Expect the unexpected – these are words to live by.

The original article can be found at:  BayPay Forum

____________________

And the trend continues…

According to Alien Vault Labs, the U.S. Defense Department ‘Common Access Cards (CAC)’ and Windows smart card are now being targeted by a new variant of the already infamous Sykipot malware. Re-engineered in March 2011, this new variant has ‘raised the bar’ – with dozens of attack samples evident over the past 12 months. The malware would appear particularly interested in government agencies, and a view has been expressed elsewhere that China may be behind this development – since a main goal in these attacks is to access information specifically from the US defense sector. (Smart cards are in common use across the US Defense sector as a means of identifying employees and allowing them access to facilities or services.)

Alien Vault Labs explain how these attacks work by stating, “…the attackers use a spear phishing campaign to get their targets to open a PDF attachment which then deposits the Sykipot malware onto their machine. Then, unlike previous strains, the malware uses a keylogger to steal PINs for the cards. When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information. The malware is controlled by the attackers from the command & control center.”

You can read the full report here: Alien Vault Labs

Once again this news adds weight to the growing argument that as encryption systems improve those of a criminal disposition will raise their game accordingly.  There’s probably nothing to worry about for the moment (unless you’re in the US defense industry?), but just to be on the safe side then why not avoid potential mayhem and consider a low-cost ‘anti-skim’ sleeve for that new ‘contactless’ credit or debit card; such as those that can be purchased from RFID Protect.

In early November 2011, BBC News services reported that malware attacks on UK Android Apps, and smartphone fraud in general had risen by a staggering 800% since this time last year!!!!  Today we learn from The Telegraph newspaper that,

“…the majority of Britons are scared of ‘wave and pay’, [and with] only a small minority of people keen to use their mobiles like wallets. [Many] fear that ‘wave and pay’ apps will lead to greater security breaches”. 

Emma Barnett, Digital Media Editor for the Telegraph elaborated stating,

“…[the] Intersperience study, which polled 1,000 people as part of a larger project entitled ‘Digital Selves’, found that phone hacking fears are dominating consumers’ security concerns when thinking about adopting new mobile wallet payment systems.”

A spokesperson for PayPal recently intimated that mass adoption of contactless payments for products using mobile phones, or smart credit cards, is at least three years away. This is perhaps not surprising given that very few UK retailers offer this type of payment option to their customers.

Meanwhile, UK company RFID Protect has announced its intentions to offer a solution for smartphone users wary of this technology.  It comes in the shape of a simple App that will be launched mid 2012, and made available to download from www.rfidprotect.co.uk

So before too long, iPhone and Android users will have the option to disable their NFC (Near Field Communication) feature and, in the words of an RFID Protect spokesperson, ‘MAKE YOURSELF INVISIBLE’ to would-be phone hackers, e-pickpockets and e-payment skimmers. Apparently, there’s a timer function too – so users get to determine the amount of time their phone can be read by third parties.

Read the full Telegraph article at:

http://www.telegraph.co.uk/technology/news/8825183/Majority-of-Britons-are-scared-of-wave-and-pay.html

First published on: 14 October 2011

Flashback to 2005 for a moment, and witness the arrival of new advice for the US banking sector concerning how best to marshal its risks in respect of online e-payments.  This guidance came from none other than the Federal Financial Institutions Examination Council (FFIEC) – an interagency body of the United States government empowered to prescribe uniform principles, and standards, across all US financial institutions.

Now fast forward to the present day.  Digital security expert, Adam Dolby of Gemalto, recently made the following comments,

“…the 2005 guidance was stricter than its predecessor because most banks had failed to take action. The FFIEC was hoping the banks would self-regulate, but that didn’t happen!”

It now transpires that rather than acting upon the FFIEC guidance, many key players within banking instead opted for a ‘minimum compliance’ approach, or in simple terms – ‘what can we get away with’.  So, if our banks are reluctant to spend money on payment authentication, and on-line security, then it’s perhaps not unreasonable to form the view that losses through fraudulent activities are merely absorbed by the banks; i.e. it’s just the price of doing business on-line.

Dolby continues stating,

“…when we rolled out internet banking we educated people and told them it was safe, protected behind firewalls and secure socket layers. And now everyone thinks it’s safe.”

It’s an interesting statement, one that hints at ongoing security threats for e-payments; ones which the banks are not necessarily equipped to counteract. Movie fans may draw parallels with the Brad Pitt and Edward Norton film ‘Fight Club’. In the movie, Norton’s character talks about how automotive giants determine whether a car should be recalled once found unsafe.

Edward Norton: A new car built by my company leaves somewhere travelling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, (A), multiply by the probable rate of failure, (B), multiply by the average out-of-court settlement, (C).

A x B x C = X.

If X is less than the cost of a recall, we don’t do one.

Woman on plane: Are there a lot of these kinds of accidents?

Edward Norton: You wouldn’t believe.

Woman on plane: Which car company do you work for?

Edward Norton: A major one.

So when your bank tells you that a new ‘contactless’ payment card is 100% secure, perhaps you’ll keep in mind their track record for ‘security’ and their approach to acting on the advice of independent regulators such as the FFIEC.  There’s probably nothing to worry about, but just to be on the safe side then why not avoid potential mayhem and consider a low-cost ‘anti-skim’ sleeve for that new ‘contactless’ credit or debit card; such as those that can be purchased from RFID Protect.

This article makes reference to an original story in Digital ID News:

Eavesdropping attacks on RFID enabled devices, such as e-passports and contactless credit cards or secure door entry systems

This extraordinary academic paper, with its practical experiments, presents actual ‘proof-of-concept’ eavesdropping attacks across a range of RFID enabled devices.

The author, G.P. Hancke (of the British-based Smart Card Centre / Information Security Group at University of London), demonstrates how he implemented successful attacks on the three most popular High Frequency (HF) standards: ISO 14443A, ISO 14443B and ISO 15693.

What some may find particularly disturbing is that in each case Hancke not only describes the equipment needed to execute an attack, but also how an effective RFID receiver kit can be constructed for less than £50.

“Even though the self-build RF receiver did not achieve the same results as commercial equipment – it does illustrate that eavesdropping is not beyond the means of the average attacker.” says Hancke.

Read the full PDF report here

And then protect yourself against unauthorised ‘contactless’ eavesdropping here

A decade of database hacking?

The UK banking sector appears pretty confident in its assertions that ‘contactless’ technology is 100% secure from unauthorised access, and similar claims are also made in respect of Britain’s e-passport. The argument goes something like this: without an ability to cross-reference information that has been ‘skimmed’ from a contactless device with a user profile that is held within a central database, the data obtained by the ‘skimmer’ is meaningless. It’s a reasonable argument, one that makes sense and ought to offer us a very real measure of confidence in ‘contactless’ banking. However, with the announcement that Sony’s PlayStation has fallen victim to a serious hacking incident, leaving users vulnerable to ID theft, some may wonder just how many customer databases elsewhere have been compromised in recent years?

The results of a very ‘quick and dirty’ trawl through certain internet news portals, looking for examples of database hacking, make for unsettling reading.

But do keep in mind there’s no need to worry unduly about contactless crime, as a number of products are already available that will allow any concerned carrier of RFID-enabled cards or passports to shield their data. For instance, RFID Protect in the UK offers a wide range of ‘anti-skim’ shielding products.

So here’s a snapshot of some newsworthy hacks – or data losses – over the past decade.

28 February 2014: Suffolk hacker charged with accessing U.S. Federal Reserve servers

Four months following his arrest in Suffolk, England by UK law enforcement agencies, Lauri Love has been charged with gaining unlawful access to U.S. Federal Reserve and military computer servers.  He is further accused of widely disclosing sensitive information about individuals who use these systems; such as access names, email addresses and telephone details.

Although the extent of the data breach is not yet clear, the hacker appears to have deployed an SQL injection hacking technique, and his transgression is considered serious enough to warrant a potential 10-year prison sentence.

Evidence has emerged that the hacker may have worked alongside three co-conspirators to infiltrate other systems; such as the U.S. Missile Defence Agency, NASA and the U.S. Environmental Protection Agency.

Source: http://uk.reuters.com/article/2014/02/27/uk-usa-crime-hacking-idUKBREA1Q1RL20140227?feedType=RSS&feedName=topNews

13 February 2014: Hackers gain access to over 2,000 Tesco.com customer accounts

UK supermarket giant Tesco.com is “urgently investigating” a significant data breach, which has seen over 2,000 customer accounts hacked by a third party.  BBC sources suggest that users’ passwords and email addresses were compromised; the details of which have been posted online in an attempt to acquire store vouchers unlawfully.

Tesco has issued a public statement of reassurance and claims it has contacted all customers who may have been affected by this security breach.

Cross-referencing customer information from other successful (and unrelated) hacking incidents elsewhere appears to have been central to the Tesco.com breach.

Source: http://www.marketingmagazine.co.uk/article/1280920/tesco-urgently-investigating-hacking-customer-data

12 January 2014: Hackers steal the personal information of at least 70 million customers from high-street retailers over the festive season

American luxury specialty department store, Neiman Marcus, has admitted that it has also fallen prey to a massive cyber attack – which began with Target’s December 19 disclosure that some 40 million payment card numbers had been stolen.

On Friday January 11 2014, a spokesperson for The Target Corporation issued a statement to the effect that, “…this data breach was worse than initially thought.”

A subsequent investigation has established that hackers successfully stole the personal information of at least 70 million customers; including names, mailing addresses, telephone numbers and email addresses.

70 million customers – in a word, staggering!

Source: http://uk.reuters.com/article/2014/01/12/uk-target-databreach-retailers-idUKBREA0B01A20140112

23 April 2013: UK Police Forces apologise after staff data sent to a private security firm

Cambridgeshire, Bedfordshire and Hertfordshire police forces issued formal apologies to over 1,000 staff after mistakenly releasing their personal details to G4S (a private security contractor). A spokesperson for the three police forces explained that the breach occurred during negotiations with G4S, concerning the potential to outsource certain office functions.

G4S confirmed that any files containing sensitive data had now been deleted, and the police authorities issued apologies to those staff affected.

David Craig from the union Unison said: “Many of the members of staff affected are understandably angry and will be reviewing their individual position following any determination by the ICO at the appropriate time.”

The Information Commissioner’s Office (ICO) has made a firm commitment to investigate this matter.

Source: http://www.bbc.co.uk/news/uk-england-22265315

29 August 2012: Cambridge University hacked

The University of Cambridge has announced it will investigate serious hacking claims linked to certain software systems on campus.  Media sources have revealed that several university departments and ‘secure’ databases were unlawfully accessed by hacking outfit ‘NullCrew’.  There is a growing suspicion that NullCrew has ties with hacking network ‘Anonymous’ and its action at Cambridge University has in some way been an attempt to support the WikiLeaks founder Julian Assange.

Source: http://www.bbc.co.uk/news/education-19409510

16 November 2011: Virginia Commonwealth University (VCU) hacked

Virginia Commonwealth University (VCU) released a statement regarding an incident of unauthorized access to a campus computing server. The VCU server housed files with personal information on more than 175,000 current and former faculty, staff, students and affiliates. Suspicious files were uncovered on one of the servers supporting a VCU system. Subsequent forensic analysis then showed the intruders had compromised a second server, through the first server attack, which contained data on 176,567 individuals.

Data items included either a name or eID, Social Security Number and, in some cases, date of birth, contact information, and various programmatic or departmental information.

Source: http://www.cr80news.com/2011/11/16/virgina-cyber-attack-exposes-more-than-175-000-campus-affiliates?issue=cr80news_20111116

1 November 2011: UK local councils – a history of misplacing our private data

A new report makes the disturbing claim that some 132 authorities are implicated in over 1,034 individual instances of private data loss since 2008.  The report has revealed that, “…at least 244 laptops and portable computers, 98 memory sticks and 93 mobile devices went missing between 2008 and 2011.”

In light of this development, The Information Commissioner (ICO) reminded the 132 councils involved of their obligations under the Data Protection Act (2003), i.e. to keep private data secure.

Only 55 incidents were reported to the Information Commissioner’s Office (ICO) and just 9 people were ousted as a consequence, according to those councils which responded.

Source: http://www.bbc.co.uk/news/uk-15840373

15 June 2011: Citibank & International Monetary Fund (IMF) hacked

Last week’s data breach at Citibank, which is said to have compromised the personal details of up to 200,000 consumers, was followed on Monday by a reported hack at the International Monetary Fund (IMF). Serious incidents at two of the world’s most high-profile financial institutions within a matter of days of one another have once again highlighted the need for new legislation to govern online financial services and ensure authentication is in place.

Source: http://blog.gemalto.com/blog/2011/06/15/citi-data-breach-shows-need-for-new-ffiec-regulations/

14 June 2011: National Health Service (NHS) UK database hacked

Computer hackers have penetrated NHS systems, triggering fears that the security of highly sensitive patient records is at risk. The hackers are part of the same online gang that recently hacked into electronics giant Sony, accessing the images of a million users.  The self-styled ‘pirate ninjas’, known as Lulz Security, sent a warning to the NHS that its computer networks were vulnerable to cyber attack. In an email to health staff, hackers gave evidence of some of the passwords, saying: ‘While you aren’t considered an enemy – your work is of course brilliant – we did stumble upon several of your admin passwords.’

The hackers added: ‘We mean you no harm and only want to help you fix your tech issues.’

Source: http://www.dailymail.co.uk/news/article-2001816/NHS-computers-hacked-Fears-patient-data.html

21 May 2011: Lockheed Martin Corporation in near-miss hacking episode

Lockheed Martin Corp., the U.S. government’s top information technology provider, released a statement to the effect that it detected and thwarted, “a significant and tenacious attack” on its information systems network in May 2011.  The statement continued stating that Lockheed’s information security personnel, “…are working around the clock to restore employee access to the “information systems network” targeted in the May 21 attack.” Bethesda, Maryland-based Lockheed, the Pentagon’s No. 1 supplier by sales and the world’s largest aerospace company, has kept the “appropriate U.S. government agencies” informed of its actions, it added.

Source: http://www.msnbc.msn.com/id/43199200

27 April 2011: Sony’s PlayStation hacked

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.  Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising that your credit card number (excluding security code) and expiration date may also have been obtained.

Source: http://www.bbc.co.uk/news/technology-13206004

20 April 2011: Children’s Place says customer database hacked

(Reuters) – Children’s Place Retail Stores Inc said its customer database has been hacked, and clients were sent an unauthorized email directing them to a website where they were asked to enter their credit card numbers for a software upgrade. The company notified customers about the hacking on Tuesday evening through an email. “Our third party email service provider has informed us that only email addresses were accessed and no other personal information was obtained,” the company said in the email. “The Children’s Place would not ask you, in an email, to update any software or for other highly sensitive personal information,” the email said. The Secaucus, New Jersey-based company has been leaning heavily on e-commerce sales to boost business.

Source: http://www.reuters.com/article/2011/04/20/us-childrensplace-idUSTRE73J3DG20110420

18 April 2011: European Space Agency hacked

A hacker has claimed to have breached the European Space Agency, gaining access to and publishing online what appears to be 200 usernames, passwords and email addresses related to the organisation, along with details on root servers and databases.

Source: http://www.hotheadlines.com.au/redirect.php?artid=732151

14 April 2011: WordPress hacked

Open source blogging website WordPress.com suffered a hack attack on its servers, prompting the company behind the popular content management system to issue a warning about passwords. In a brief note from Automattic, it said that an intruder broke into WordPress.com and gained access to multiple servers and the source code that powers blogs for its VIP customers, including CNN, CBS, Flickr and TED. This attack follows a distributed-denial-of-service attack that knocked WP offline last month.

Source: http://newsofthemedia.com/2011/04/wordpress-com-hacked/

13 April 2011: Barracuda Networks Embarrassed By Database Hack

Hacked security company Barracuda lost email addresses of employees, channel partners and sales leads. Security software producer Barracuda Networks was hit by a SQL injection attack launched on April 9 while the company’s own Barracuda Web Application Firewall was offline for scheduled maintenance, Michael Perone, Barracuda Network executive vice president, wrote on the corporate blog. The attacker uncovered email addresses of select Barracuda employees with their passwords as well as name, email address, company affiliations and phone numbers of sales leads generated by the company’s channel partners. Barracuda does not store any financial information in that database. “The bad news is that we made a mistake,” Perone said.

Source:  http://www.eweekeurope.co.uk/news/barracuda-networks-embarrassed-by-database-hack-26539

4 April 2011: JPMorgan, Kroger Database Hacked

Personal information about some JPMorgan Chase & Co and Kroger Co customers was exposed as part of a data breach at a large online marketing vendor. The data breach included some email addresses of JPMorgan Chase customers and names and email addresses of Kroger customers, the companies said in separate statements on Friday. Epsilon, a unit of Alliance Data Systems Corp, said on Friday that a person outside the company hacked into some of its clients’ customer files. Some of Epsilon’s other clients include Verizon, Blackstone Group LP’s Hilton Hotels, Kraft, and AstraZeneca.

Source: http://malwareresearchgroup.com/2011/04/jpmorgan-kroger-database-hacked/

31 March 2011: IEEE member database hacked

Over 800 members’ credit card details exposed. A hacker stole the credit card details of over 800 members of the IEEE (Institute of Electrical and Electronics Engineers) last December, according to its law firm.  A team of IEEE-appointed forensic investigators “concluded that a file containing customer credit card information had been deleted on or about November 17, 2010”, the institute’s law firm told the Attorney General of New Hampshire in February.  The forensic team believed that 828 members’ credit card numbers, associated names, expiration dates and security numbers may have been accessed.

Source: http://www.itnews.com.au/News/252885,ieee-member-database-hacked.aspx

29 March 2011: Australia PM Julia Gillard’s computer ‘hacked’ (original article written by BBC News)

The government was alerted to the security breach by a US intelligence tip-off, Sydney’s Daily Telegraph said. It is reported that several thousand emails may have been accessed from the computers of at least 10 ministers. The Australian authorities have refused to confirm or deny the reports. The cyber attacks are believed to have targeted the Australian Parliament House email network, the less secure of two networks used by MPs. Among the computers allegedly breached were those belonging to Foreign Minister Kevin Rudd and Defence Minister Stephen Smith.

Source:  http://www.digitalforensicsmagazine.com/index.php?option=com_content&view=article&id=599:australia-pm-julia-gillards-computer-hacked&catid=1:latest-news&Itemid=50

24 March 2011: TripAdvisor database hacked – email addresses compromised

If you have ever rated something on TripAdvisor, you may be in for a nasty surprise in your inbox in the coming weeks. Last weekend, hackers penetrated the TripAdvisor member database and stole up to 20 million records. In a statement issued by TripAdvisor on their site, the only information they say was impacted involved email addresses. TripAdvisor does not store credit card information or other financial data and passwords are said to be secure. As a precaution, it may still be safe to change your TripAdvisor password and anywhere else you used that same password.

Source: http://www.gadling.com/2011/03/24/tripadvisor-database-hacked-email-addresses-compromised/

24 March 2011: Have cybercriminals hacked Visa/Mastercard 3-D Secure?

You’re probably familiar with the 3-D Secure system of card security for online transactions – aka Verified by Visa (for Visa) and SecureCode (for MasterCard) – but now a security researcher is reporting that cybercriminals may have found a way around the online transaction security. According to former Washington Post security researcher Brian Krebs, a dashboard panel in a cracking utility he accessed online has a tab labelled ‘Arcot.’ “Arcot Systems is the company whose software powers the authentication system used by MasterCard’s SecureCode and Visa’s Verified by Visa programs”, he says in his latest security blog. “What’s interesting is that the thieves could defeat these security systems by gathering personal data on victim card holders, which they appear to have done here”, he adds. Krebs goes on to note that the panel, like others used in tandem with Zeus – for example, Jabberzeus – is also set up to alert the botmaster via Jabber instant message when a new set of credentials is stolen. Infosecurity notes that this is a potentially serious development, as the 3-D Secure passphrase system was developed to authenticate online users’ payment card transactions. If the technology has been subverted by hackers in an automated package/service in this way, there could be serious consequences for online card security.

Source: http://www.infosecurity-magazine.com/view/16821/have-cybercriminals-hacked-visamastercard-3d-secure/

21 March 2011: Hacked security firm leaves Aussies vulnerable

Hundreds of thousands of cryptographic tokens used by Australians who bank online, governments, airline staff and other large companies are vulnerable to a potential hack attack.

Source: http://www.hotheadlines.com.au/redirect.php?artid=681369

21 February 2011: Hackers Penetrate Nasdaq Computers

Hackers have repeatedly penetrated the computer network of the company that runs the Nasdaq Stock Market during the past year, and federal investigators are trying to identify the perpetrators and their purpose, according to people familiar with the matter. The exchange’s trading platform—the part of the system that executes trades—wasn’t compromised, these people said. However, it couldn’t be determined which other parts of Nasdaq’s computer network were accessed. Investigators are considering a range of possible motives, including unlawful financial gain, theft of trade secrets and a national-security threat designed to damage the exchange.

“So far, [the perpetrators] appear to have just been looking around,” said one person involved in the Nasdaq matter. Another person familiar with the case said the incidents were, for a computer network, the equivalent of someone sneaking into a house and walking around but—apparently, so far—not taking or tampering with anything.

A spokesman for Nasdaq declined to comment.

Source: http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html

11 January 2011: UConn Customer Database Hacked

UConn is warning thousands of customers who bought items on its HuskyDirect.com website that their personal information may have been exposed in a data security breach. A hacker obtained access to the HuskyDirect.com database containing billing information for 18,000 customers. The website is used by people to buy sports gear from the UConn Co-op. The information at risk includes customers’ names, addresses, email, telephone number, credit card number, expiration date and security code, according to the university. The database is run by an outside vendor, which contacted the Co-op about the security breach. It is still unclear how many accounts were actually accessed, UConn said in a release. The Co-op instructed the vendor to take down the database, and has notified authorities, the release stated. Customers who purchased items in the Co-op with a credit card, or students who bought textbooks or made purchases in the store are not at risk. Those affected were notified by the Co-op, and a process has begun to arrange for credit protection for those customers, the university said.

Source: http://www.nbcconnecticut.com/news/local/UConn-Customer-Database-Hacked-113307219.html

20 December 2010: English Defence League donor details ‘stolen’ after database hacked

Police are believed to be investigating the security breach, which also included the far-Right group’s payment system being illegally accessed, The Daily Telegraph can disclose. Amid fears of violence toward members, the EDL said it will support vulnerable people. They also urged members to change their online shopping details after concerns were raised that they would be published on the internet. Officials were forced to email supporters after the incident, which is understood to have occurred in recent days, apologising for the “attack”.

Source: http://www.telegraph.co.uk/news/uknews/crime/8212778/English-Defence-League-donor-details-stolen-after-database-hacked.html

13 December 2010: McDonald’s: Customer Database Hacked

McDonald’s Corp. says some of its customers’ private information was exposed during a data breach. The company said Monday that a third-party was able to get past security measures and see into a database of its customer information that included e-mail, phone numbers, addresses, birth dates and other specifics that they provided when signing up for online promotions or other subscriptions to its websites.

Source: http://www.huffingtonpost.com/2010/12/13/mcdonalds-customer-databa_n_796097.html

12 December 2010: Gawker Commenter Database Hacked

If you’ve ever commented on one of the Gawker Media sites, you might want to change your password. According to Mediaite, Gawker’s commenter database has been hacked. The database is home to about 1.5 million usernames, emails, and passwords. Gawker originally denied that there had been a breach. “No evidence to suggest any Gawker Media’s user accounts were compromised, and passwords encrypted anyway,” tweeted Gawker editorial director Scott Kidder. However, Kidder eventually confirmed the hack. “Our user databases do indeed appear to have been compromised,” he said in a note on the site. “The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you’ve used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that might have appeared in your email messages.”

Source: http://www.pcmag.com/article2/0,2817,2374231,00.asp

9 December 2010: Cyberattacks against MasterCard, Visa, PayPal

Hackers launched cyberattacks yesterday against MasterCard, Visa, PayPal, a Swiss bank, Swedish prosecutors, Sarah Palin and others deemed an enemy of WikiLeaks and its jailed founder, Julian Assange. Calling themselves “Anonymous,” the hackers, who previously waged war against the Church of Scientology, overloaded the target Web sites with “denial of service” attacks. “If we let WikiLeaks fall without a fight, then governments will think they can just take down any sites they wish,” one hacker told The Guardian newspaper of Britain.

Source: http://www.nypost.com/p/news/national/site_foes_get_hacked_wTpSCLhT3i4GDr8CA4Gr4I#ixzz1KiHXbRVk

31 August 2009: UK Parliament Website Hacked

A hacker broke into the database of the UK Parliament website by exploiting an SQL injection vulnerability. The incident reveals very poor and questionable password security practices on behalf of the website administration. The security hole on parliament.uk was discovered by a Romanian greyhat hacker going by the online handle of “Unu,” who has made a habit of testing high profile websites for similar bugs. The website’s database is called parliament_live; fortunately, it cannot be accessed directly from a remote host. What is more disconcerting though is what a peek into the database table housing the website’s administrative accounts revealed. First of all, the passwords are stored in plain text, which is a major security oversight. Secondly, the passwords are very weak from a security perspective, many being identical to the username they are associated with and almost all of them being common words. One of the accounts called “fullera” is likely to belong to Alex Fuller, who, according to his LinkedIn profile page, is currently employed as a senior web producer for the UK Parliament. Two other accounts that have captured our attention are called “reida” and “moss,” but we are unable to confirm if these belong to Mr. Alan Reid, Liberal Democrat MP, and Mr. Malcolm Moss, Conservative MP.

Source: http://news.softpedia.com/news/UK-Parliament-Website-Hacked-120511.shtml

11 September 2009: RBS WorldPay downplays database hack reports

RBS WorldPay and a hacker are at loggerheads over the seriousness of a supposed breach on websites run by the payment processing firm. Security shortcomings – since blocked – on RBS WorldPay website exposed confidential information, including admin passwords and the contact details of partners, according to blog posts by Romanian hacker Unu. The grey-hat hacker previously exposed similar problems on the websites of the UK parliament and HSBC France, among many others. As before he published screenshots to back up his latest claims. RBS WorldPay initially responded to our inquiries by saying that the reported SQL injection attacks mounted by Unu were thrown against test websites. All the dummy data involved was fictitious and in no way confidential, so there was no breach.

Source: http://www.theregister.co.uk/2009/09/11/rbs_worldpay_security_snafu/

16 July 2009: Five NHS Trusts slammed by ICO for breaching Data Protection Act

The Information Commissioner’s Office (ICO) has issued more warnings to NHS bodies after five Trusts have been found to breach the Data Protection Act, with one trust leaving patient notes on a bus. The latest warnings join a long list of data protection warnings by the NHS, as the ICO once again warned hospital trusts about the importance of data security. In February, three trusts were hit with enforcement action within two weeks. Five trusts – Royal Free Hampstead, Chelsea and Westminster, Hampshire Partnership, Surrey and Sussex, and Epsom and St Helier – have signed formal undertakings to process personal data legally in future, the ICO said on Tuesday.

Source: http://www.computerworlduk.com/news/security/15780/five-nhs-trusts-slammed-by-ico-for-breaching-data-protection-act/

10 June 2009: T-Mobile confirms customer records taken

T-Mobile has now confirmed that a hacker, known as “Pwnmobile,” gained unauthorized access to its records and that the stolen data Pwnmobile posted online is authentic. A spokesman for the wireless giant said,  “…regarding the recent claim, we’ve identified the document from which information was copied, and believe possession of this alone is not enough to cause harm to our customers.”

Source: http://www.hackinthebox.net/modules.php?op=modload&name=News&file=article&sid=31706

11 May 2009: UC Berkeley Database Hacked, 160,000 Records Compromised

The FBI is investigating a data breach that occurred when hackers infiltrated a medical database shared by the University of California, Berkeley, and Mills College that contained health-care information and Social Security numbers for more than 160,000 students, alumni and their families. Security experts say the hack could have been prevented by protecting the sensitive medical information stored on easily accessible spreadsheets. News of the data breach came to light Friday after it was discovered that hackers had broken into a medical database UC Berkeley shared with Mills College that contained health-related information for students, alumni and their families. The stolen data included more than 97,000 Social Security numbers, as well as health insurance information and nontreatment medical information, such as immunization records and the names of some of the physicians the victims have seen for diagnoses or treatment. UC Berkeley officials said, however, that personal records, such as patients’ treatments and therapies, were stored on a separate system not affected by the data breach.

Source: http://www.crn.com/news/security/217400303/uc-berkeley-database-hacked-160-000-records-compromised.htm;jsessionid=oqI03+3oLKdTlpw4nL10TA**.ecappj01

30 April 2009: UK hospital loses the medical treatment details of 741 patients

Addenbrooke’s Hospital, in Cambridgeshire, was instructed by the Information Commissioner’s Office (ICO) to overhaul its security in the wake of a massive data loss in 2008. It transpires that a USB memory stick (or ‘flash drive’) containing the unencrypted medical treatment details of 741 patients went missing after “…a member of staff left it in an unattended vehicle”. Although the device was subsequently returned to Addenbrooke’s Hospital, its governing body, Cambridge University Hospital NHS Foundation Trust, was found to be in breach of The Data Protection Act (2003).

The Hospital has made a firm commitment to review its security measures and will seek to protect personal information more effectively in the future.

Source: http://news.bbc.co.uk/1/hi/england/cambridgeshire/8027709.stm

3 March 2009: Prime Minister’s health records breached in NHS database attack

Personal medical records belonging to Scotland’s rich and powerful – including Prime Minister Gordon Brown and Holyrood’s First Minister Alex Salmond – have been illegally accessed in a breach of a national database that holds details of 2.5 million people. The files contained names, ages, addresses, and occupations of the patients, in addition to medical information such as a list of any current medications and allergies to medicines, according to The Sunday Mail. The records of BBC newswoman Jackie Bird (an earlier version of this story mistakenly referred to her as “newsman”) and former Labour leader Jack McConnell and his culture chief wife Bridget were also accessed.

Source: http://www.hackinthebox.org/index.php?name=News&file=article&sid=30268

1 January 2009: Monster’s databases hacked – Data fraud hits job seekers

Monster Worldwide Inc., the popular global website for job hunters, said Tuesday that hackers have broken into its databases and stolen personal data. Monster spokeswoman Nikki Richardson confirmed that sites around the world had been targeted, but said some regions, notably Asia Pacific and eastern Europe, were spared. She said Monster was working with the “appropriate law enforcement agencies” but declined to say in which countries. In the United States, where the company is based, “an investigation is in progress.” Monster operates in 36 countries with millions of users, including 4.5 million in Britain. A statement on http://www.monster.com said: “We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.” The breach did not access resumes, social security numbers or financial data, Monster said. The company advised clients to change their password and said it had taken its own “corrective steps.”  The company processes 100 million payment card transactions every month for 175,000 businesses, USA Today daily reported.

Source: http://newsinfo.inquirer.net/breakingnews/infotech/view/20090128-186000/Monsters-databases-hacked

23 August 2005: U.S. Military Database Hacked – Air Force Personnel Files For 33,000 Officers And Others At Risk

A suspected hacker has tapped into a U.S. military database containing Social Security numbers and other personal information for 33,000 Air Force officers and some enlisted personnel, an Air Force spokesman said Tuesday. That figure represents about half of the officers in the Air Force, but no identity theft had been reported as of early Tuesday, said Tech. Sgt. James Brabenec, a spokesman at Randolph Air Force Base. The case was under investigation. “We are doing everything we can to catch and prosecute those responsible,” Maj. Gen. Tony Przybyslawski said in a statement. Social Security numbers, birth dates and other information was accessed sometime in May or June, apparently by someone with the password to the Air Force computer system, Brabenec said. On Friday, the people affected were notified of steps they can take to protect their identity, he said.

Source: http://www.cbsnews.com/stories/2005/08/23/tech/main792304.shtml

18 June 2005: 40 Million Credit Card Numbers Hacked – Data Breached at Processing Center (Washington Post Staff Writers)

More than 40 million credit card numbers belonging to U.S. consumers were accessed by a computer hacker and are at risk of being used for fraud, MasterCard International Inc. said yesterday. In the largest security breach of its kind, MasterCard officials said all credit card brands were affected, including 13.9 million cards bearing the MasterCard label. A spokeswoman for Visa USA Inc. confirmed that 22 million of its card numbers may have been breached, while Discover Financial Services Inc. said it did not yet know if its cards were affected. MasterCard officials said consumers are not held responsible for unauthorized charges on their cards, and that other sensitive personal data, such as Social Security numbers and birth dates, were not stored in the hacked system. So far, no evidence of fraudulent charges has emerged, they said. The breach occurred late last year at a processing center in Tucson operated by CardSystems Solutions Inc., one of several companies that handle transfers of payment between the bank of a credit card-using consumer and the bank of the merchant where a purchase was made. CardSystems’ computers were breached by malicious code that allowed access to customer data, said Josh Peirez, a MasterCard senior vice president. Peirez said MasterCard is certain only that 68,000 of its numbers were taken by the hacker over an unknown amount of time before the breach was discovered. But because the hacker had access to the full database, it is difficult to say how many more numbers may have been taken, he said. He said the breach was not confirmed until about two weeks ago. MasterCard said it has begun notifying banks that issue its cards, which in turn are responsible for notifying cardholders.

Source: http://www.washingtonpost.com/wp-dyn/content/article/2005/06/17/AR2005061701031.html

26 February 2005:  Bank of America loses a million customer records

A “small” number of backup tapes with records detailing the financial information of government employees were lost in shipment to a backup center, Bank of America said on Friday. The tapes contained information on the customers and accounts of the U.S. government’s SmartPay charge card program, which has more than 2.1 million members and annual transactions totaling more than $21 billion, according to the General Services Administration. Reports have pegged the number of cards affected at 1.2 million. The acknowledgment comes as several other cases of businesses losing consumer information have come to light. Last week, data collection company ChoicePoint announced that it had given information on approximately 150,000 subscribers to about 50 fake business fronts created by fraudsters.

Source: https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=15669

18 February 2003: Credit card database hacked

A computer hacker has gained access to more than 5 million Visa and Mastercard credit card accounts in the US. The two companies said on Tuesday that none of the information obtained, which would include credit card numbers, was used in a fraudulent way. But a UK-based business crime expert warned account holders could still be at risk if their cards were not reissued. Visa and Mastercard said the hacker breached the security system of a company that processes credit card transactions on behalf of merchants. The only way to eradicate the risks would be to reissue all 5 million… cards.

Source: http://news.bbc.co.uk/1/hi/business/2774477.stm

And so it goes on and on…

Find out even more information about what ‘black hat’ hackers may be plotting for the months to come at: http://linux-news.oribium.net/tag/security