Tag Archives: home depot

Pros and Cons of ApplePay Security

ApplePay, the mobile payments service introduced by Apple in October 2014, could ultimately set the security and privacy benchmarks for digital wallets much higher.

Even so, the hunt for security holes and privacy gaps in Apple’s new digital wallet has commenced. It won’t take long for both white hat researchers and well-funded criminal hackers to uncover weaknesses that neither Apple nor its banking industry partners thought of.

Here’s ThirdCertainty’s breakdown of the security and privacy issues stirred by Apple’s bold move into the digital wallet business.

ApplePay defined

Available on the iPhone 6 and Apple Watch, ApplePay stores account numbers on a dedicated chip. Apple refers to this chip as the “secure element,” available only on the iPhone 6 and iPhone 6 Plus. It is on this chip that your financial information is stored. It is accessed only when a random 16-digit number is generated for a given transaction, and that number never reaches the phone’s software, where hackers could get at it.

The devices then use near field communication (NFC) to send a simple token, instead of the full account number, to the merchant’s NFC-enabled point-of-sale register.
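To make the tokenization argument concrete, here is an added, simplified model of a per-transaction token service (this is illustrative code, not Apple’s or any issuer’s implementation; `TokenService`, `request_token`, `settle` and the sample PAN are assumptions for this example). The merchant only ever stores the token, which is single-use, amount-bound and short-lived, so a copy lifted from the merchant’s records cannot be charged again and reveals nothing about the underlying account number.

```python
"""Simplified per-transaction payment tokenization (added example).

The issuer keeps the real account number (PAN) and hands out a fresh,
random 16-digit token for each purchase. The merchant submits the token,
never the PAN, for authorization. Class and method names are assumptions
made for this illustration.
"""
import secrets
import time


class TokenService:
    def __init__(self, ttl_seconds=300):
        self._pans = {}       # device_id -> PAN, held only on the issuer side
        self._issued = {}     # token -> (device_id, amount_cents, issued_at)
        self._spent = set()   # tokens that have already been settled
        self._ttl = ttl_seconds

    def enroll(self, device_id, pan):
        """Bind a device to an account; the PAN never leaves this service."""
        self._pans[device_id] = pan

    def request_token(self, device_id, amount_cents, now=None):
        """Device side: obtain a one-time token for a single purchase."""
        now = time.time() if now is None else now
        if device_id not in self._pans:
            raise KeyError("unknown device")
        # Opaque random digits, not derived from the PAN, so the token
        # leaks nothing about the account even if the merchant is breached.
        token = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self._issued[token] = (device_id, amount_cents, now)
        return token

    def settle(self, token, amount_cents, now=None):
        """Merchant side: present the token (not a PAN) for authorization."""
        now = time.time() if now is None else now
        record = self._issued.get(token)
        if record is None:
            return "declined: unknown token"
        _device_id, bound_amount, issued_at = record
        if token in self._spent:
            return "declined: replay"          # a stolen token is worthless
        if now - issued_at > self._ttl:
            return "declined: expired"
        if amount_cents != bound_amount:
            return "declined: amount mismatch"
        self._spent.add(token)
        return "approved"


def simulate():
    """Walk through a purchase and a replay of the same token."""
    svc = TokenService(ttl_seconds=300)
    svc.enroll("phone-1", "4111111111111111")   # constructed test PAN
    tok = svc.request_token("phone-1", 4299, now=1000.0)
    first = svc.settle(tok, 4299, now=1005.0)
    replay = svc.settle(tok, 4299, now=1006.0)  # merchant breach scenario
    return tok, first, replay


if __name__ == "__main__":
    token, first, replay = simulate()
    print("merchant sees:", token)
    print("first settlement:", first)
    print("replay attempt:", replay)
```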

“This allows an ultra secure payment,” says Anthony Antolino, business development officer at Eyelock, a biometrics technology vendor. “The only remaining concern is keeping the smart phone under your control.”

Apple tightens down who can control each device by integrating its Touch ID fingerprint scanner and its Passbook ticket-buying app into ApplePay. This new approach keeps personal information on the device – instead of moving account data into storage servers within easy reach of thieves. The hacks of big merchants in the U.S. and Europe, including Home Depot, Target, P.F. Chang’s and Neiman Marcus, show how adept data thieves have become at attacking stored data.

How ApplePay improves security

ApplePay validates a “data-centric security model,” argues Mark Bower, product management vice president at Voltage Security.

“The payments world needs to move on from vulnerable static credit card numbers and magnetic stripes to protected versions of data,” Bower says. “Tokenized payments reduce the risk of data breaches and credit card theft.”

Mathew Rowley, technical director at security consultancy NCC Group, observes that the U.S. payment card industry continues to require minimal security checks in authorizing credit and debit card purchases.

“Things like chip-and-PIN and two-factor credit cards have been implemented in other countries, but the U.S. seems to be behind the curve,” Rowley says. “Any additional logic built into the process of making payments will make it more secure.”

How ApplePay introduces new risks

Adding a mobile wallet function to the latest iPhone gives criminal hackers more incentive and opportunity to find fresh vulnerabilities, says Mike Park, managing consultant at Trustwave.

“Any new additions and functionality to a platform, even ones meant to enhance security, can expand the attack surface,” Park says. “With the introduction of this type of functionality into a platform, this makes every device a possible target.”

The more popular ApplePay becomes, the more likely cybercriminals will devote resources to cracking it. Research from legitimate sources already shows how NFC systems can be attacked — for instance, this 2012 report from Accuvant researcher Charlie Miller.

It’s probable that elite criminal hackers “are looking to steal identities and mass harvest payment card information as they do in other platforms and verticals now,” Park says.

One simple crime would be to target Apple devices for physical theft. Another is to figure out how to remotely access and manipulate ApplePay accounts. “The weakest link is the consumer,” says Alisdair Faulkner, chief products officer at ThreatMetrix. “And ultimately a web page with a username and login, like iCloud, now has an unprecedented amount of information about you backed up into the cloud.”

Pushing payments to mobile devices makes Internet cloud services more complex – and complexity creates vulnerabilities.

“In the past, the only participants were the merchant, the merchant’s bank and your personal bank,” says Richard Moulds, vice president of product strategy at Thales e-Security. “Apple is stating that they will not know the details of individual transactions, which is very important; however, there is clearly the risk of attacks on the phone itself.”

How the Sony Hack Should Affect You

If the past two years have revealed anything, it’s that every conceivable mode of communication comes with its share of serious privacy and security issues. Email can be hijacked, mail servers can be breached and malware can turn your smartphone into a peepshow. Wikileaks revealed that even our phone conversations are at risk.

That said, don’t panic! It’s highly unlikely anyone is listening to your phone calls. (OK, it’s possible, but you’d have to be incredibly sloppy or unlucky enough to download call-intercepting malware, or targeted by folks who can handle a price tag that hovers north of the $1 million mark.) The more relevant point here is that the big data mills at the NSA that may or may not be crunching your calls don’t care if you’re negotiating the sale of Ford to General Motors, much less if you’ve been naughty or nice – unless you’re a world leader or someone perceived as a threat to America.

So what about the other, more likely ways you may be exposed? There are man-in-the-middle attacks that are fairly affordable for a hacker. There’s malware from friend (hard to spot) and foe (you can’t be alert to every danger every second of the day). It almost seems like the only way to be completely safe from intrusion is to have nothing you wouldn’t want broadcast or skywritten on your smartphone, nothing you wouldn’t want the world to know about in your browser history, not a single text message you want to keep private and no phone calls made or received that you don’t want to share with Dr. Phil and his audience.

Recent news has been nothing less than terrifying. JPMorgan Chase and Home Depot joined the ever-growing list of mega-breach victims. Sony Pictures was gutted, with career-killing emails sent hither and yon, servers erased and trade secrets and intellectual property joyously tossed like flower petals from a float in the Rose Bowl parade. The hack initially stopped the release of “The Interview,” costing the studio millions, and that’s not taking into account future losses associated with class-action lawsuits brought by current and former employees whose personally identifiable information was stolen and published for the world to see, or enforcement actions by various and sundry state and federal regulators. It’s major stuff. And then there were all those other cybercrimes. It all makes for a really uneasy feeling at the workplace.

The trend here is simply too clear: Nothing is sacrosanct, and nothing is beyond reach. And while there may be no way to keep prying eyes out of our email, there is a way to keep the most sensitive information pertaining to your business out of reach. With that thought foremost in my mind, it is, indeed, time to make some serious changes.

Call me old-fashioned, but I think I’d rather take my chances with the government listening to my phone calls. How about you? When I say “phone call,” I mean literally, like, on the phone, and I say this because, of all the ways we communicate, a landline affords the better shot at privacy and a more secure mode of communication.

The act of getting out of a chair and walking down the corridor to talk to a colleague helps to burn off holiday excesses, builds inter-office rapport and can’t be hacked. Email and text have supplanted the collegial walk-by. There are those who will say that it’s not efficient to pick up the phone. I’m not sure I buy that. Email and text streamline workflow only in theory. Each is just a swipe or click away from the major time-sucks provided by social media. And the interaction that happens without the interference of keystrokes or thumbing a screen provides sparks that just don’t happen in the dynamic-free zone of tit-for-tat correspondence. And again, a face-to-face or headset-to-headset conversation is probably the most secure mode of communication in the post-Sony hack world.

I’m sure it will take some getting used to, but if anyone at my office needs a fast answer from me, I’m going to ask that whenever possible they tap my doorframe or give me a call. Beyond the security considerations, the truth is that I actually like talking to people, and I ultimately learn more about whatever it is we’re talking about. For all their convenience, emails and texts are far from perfect modes of communication. Much meaning is lost when communicating by keystroke. Anyone who’s emailed a sarcastic quip that was taken literally will confirm this.

There are other options. Sony Pictures had to revert to communication via fax during the days following the hack, but faxes leave too much to chance because you never know who’s waiting on the other end of your transmission, and there’s the added possibility that you might dial a wrong number.

If smoke signals weren’t so easy to spot, I’d suggest that route. And while it’s true that you never know when a fake cell tower’s going to roll into your neighborhood, using the phone and having more face-to-face discussions at the office are perhaps the better ways to engage in team building through a group commitment to data security.

It’s Time for a Data Breach Warning Label

The breach at Home Depot is only the most recent in a torrent of high-profile data compromises. Data and identity-related crimes are at record levels. Consumers are in uncharted territory, which raises a question: Is it time to do for data breaches and cybersecurity what the nutritional label did for food? I believe we need a Breach Disclosure Box, and that it can be a powerful consumer information and education tool.

Once just a normal part of doing business, data breaches today can sap a company’s bottom line — and that’s the best-case scenario. At their worst, data breaches represent an extinction-level event. The real-world effects for consumers can be catastrophic. Because there is a patchwork of state and federal laws related to data security—some good, some bad, all indecipherable—and none that work together, it’s impossible to know just how safe your personally identifiable information is, and has been, at the places where you shop and with the companies and professional organizations where you do business.

Data security, identity-related consumer issues and privacy are all areas screaming for big-picture solutions. This is a situation in search of a paradigm shift—one that produces tools that enable consumers to make informed choices.

There is a precedent that could serve as a template. It was passed in 1988, though not implemented until 2000. You may recognize its name—it’s called the Schumer Box. This is the law that put the fine print of credit terms and conditions in your face—bigger, bolder and easier to understand. You see it all the time featured in those countless pleas for your credit business that land in your email and your mailbox.

The Schumer Box is simple. It requires that financial services companies provide certain information to the consumer when making a pitch for their business—information like long-term rates, the annual percentage rate for purchases and the cost of financing—and that the information be displayed in a standardized fashion. The Schumer Box is to credit cards what the nutritional label is to food.

A Concise Disclosure for Breaches

The Breach Disclosure Box that I am proposing would need to be simple, too. While I believe it is important to create a system that informs consumers about breaches, bear in mind that all breaches are not alike. There are breaches where the only piece of compromised information was a credit card number, which can be easily replaced and for which the consumer had zero liability. Then there are breaches involving Social Security numbers, detailed banking data or personal health information. These are very different situations. But they all share one thing in common: Something about you is “out there” and can be used by a criminal to commit either a crime against you or in your name.

The “solution” — regardless of a breach’s severity — is the same. I place “solution” in scare quotes because it’s a misnomer to talk about solutions and identity-related crime in the same breath. There is no solution to the pandemic, only containment strategies and best practices.

The Breach Disclosure Box would be a crucial part of data-related best practices at the consumer level where it’s all about the 3 M’s: Minimizing your exposure, monitoring your public records and financial accounts and managing any damage that occurs from data compromises.

Best practices can mean the difference between having a bad day and being financially ruined (or worse), and knowledge of a company’s data security track record can help consumers be better-informed about the risks they’re taking – and ultimately to decide if the risk is worth it.

The Breach Disclosure Box would also be a catalyst for companies to step up their game on data security as well as design and implement a breach preparedness plan that promotes an urgent, transparent and empathetic response to any compromise of consumer and employee data.

While the following list of Breach Box disclosures could be longer or shorter, the basic idea of a Breach Disclosure Box is essential to consumer safety in this ever-changing and crafty world of data-related crime and data breaches. The box should list:

  • How many times has this company been breached within the past five years?
  • If there has been a breach, what kind(s) of information was exposed?
  • Does this company encrypt all consumer and employee data?
  • Does this company have a breach notification policy?
  • What did the company offer affected consumers?
  • What type(s) of information are customers obligated, or not obligated, to provide?
  • Best practices for avoiding victimization (The 3 M’s)

The contents of the Breach Disclosure Box would ultimately have to be framed by lawmakers and interested parties intent on limiting the amount of ink spilled (or bytes used) to comply with whatever the legislation looks like when it leaves committee; but this bipartisan issue goes way beyond blue state-red state politics. When it comes to data-related crime, we’re all in the same state—a state of emergency.

Healthcare Breaches: How to Respond

The news of a data breach at Premera Blue Cross, following on the heels of the recent announcements of large-scale healthcare breaches at Anthem, is another reminder that employers and other health plan sponsors, fiduciaries and insurers need to take immediate steps to assess and tighten up their privacy, data security and data breach compliance and risk management.

Health plans and their employers, administrators, insurers and other vendors and service providers need to take immediate steps to conduct documented investigations, provide mandated breach notifications and take other actions that are required by the Privacy, Security & Breach Notification Rules imposed by the Health Insurance Portability & Accountability Act and other potentially applicable laws.

Employers or other plan sponsors, fiduciaries, administrators and service providers also may be subject to additional responsibilities under the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (ERISA), the Internal Revenue Code and a host of other laws. Whether they are subject to the additional responsibilities depends on the scope of data affected and their involvement with the affected plans.

Insurance industry or other vendors providing services to these plans also may face specific responsibilities under applicable insurance, health care, federal or state identity theft, privacy or data security or other federal or state laws. (See, e.g., Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond; HIPAA Compliance & Breach Data Shares Helpful Lessons for Health Plans, Providers and Business Associates.)

The need for prompt assessment and action is not necessarily limited to health plans and organizations sponsoring, administering or doing business with the plans involved in the Premera or Anthem breaches. The report of these and other healthcare breaches, as well as recent reports of identity theft and other fraud affecting federal tax returns and other large data breach reports involving retailers and other prominent businesses are spurring recognition of the large risks and need for greater scrutiny and accountability to business collection, use and protection of sensitive personal and other data.

Of course, the risk is exploding largely in response to the continued evolution of electronic payment and other business operating systems coupled with the emergence of data harvesting and other capabilities at virtually every U.S. business. Cyber criminals seem to always be one step ahead of business and government in leveraging these emerging opportunities for their criminal purposes.

Everyone from the Internal Revenue Service, other federal and state government agencies and private business partners are pushing for electronic transactions and data. So, businesses are conducting more and more transactions electronically containing business and individual tax information, personal financial information, personal health information, confidential business and personal information. Meanwhile, “big data” and other business and marketing gurus also encourage businesses to use data from customers, prospects and other sources to benefit marketing and other parts of the business.

As these practices have taken hold over the past decade, data breaches, other cyber crimes and risks have also grown. Privacy, identity theft and other cyber crimes have led federal and state lawmakers to enact an ever-growing list of notice, consent, disclosure, security and other laws and regulations, including the Fair and Accurate Credit Transaction Act (FACTA), the Gramm-Leach-Bliley Act, the Privacy and Security Rules of the Health Insurance Portability and Accountability Act and state identity theft, data security and data breach and other electronic privacy and security laws.

As notorious breaches occur and judgments, penalties and other costs soar, federal and state regulators are looking at the need for expanded rules and penalties. (See Cybercrime Enforcement Statistics; DOJ Enforcement Priorities and Statistics.) Widening data privacy and security concerns from incidents like the recent reports of breaches at Anthem and elsewhere have prompted Congress and state regulators to hold hearings to consider the need for added reforms, and the Federal Trade Commission has just announced plans to host a workshop on Nov. 16, 2015, to look at the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes.

While these and other legal and enforcement developments promise new liabilities and expenses, the business losses and customer and business partner implications experienced by Target, Anthem and other businesses illustrate the severe business consequences that inevitably result if a business appears to have failed to take customer privacy or other data security concerns seriously.

The notorious Target hacking data breach event is illustrative. Target reported in late 2013 that credit and debit card thieves stole the name, address, email address and phone number from the credit and debit card records of around 70 million Target shoppers between Nov. 27 and Dec. 15, 2013. After announcing the breach, Target reported a 46% drop in profits in the fourth quarter of 2013, compared with the year before. The company announced plans to invest $100 million upgrading its payment terminals to support Chip-and-PIN-enabled cards and millions of dollars more in rectification efforts. Subsequently, Target’s losses have continued to mount, and it now faces lawsuits and other enforcement actions as a result of the breach.

Beyond a general need to tighten their defenses, health plans, their sponsors, fiduciaries, administrators and vendors have specific obligations that require immediate, well-documented action when an actual or potential breach happens. The Privacy, Security and Breach Notification requirements of HIPAA require that health plans adopt specific policies and maintain and administer specific safeguards. In the event of a breach, these rules require that the health plan, usually acting through its fiduciaries, and affected service providers that qualify as business associates both investigate and redress the breach, as well as provide specific notification as soon as possible, usually no later than 30 days after the health plan knows or has reason to know of the breach. Significant civil and even criminal penalties can apply.

Beyond the specific requirements of HIPAA, employers and other plan sponsors and others involved in the maintenance and administration of the health plan or the selection and oversight of its vendors often may have less-realized responsibilities. As health plan data often includes payroll and other tax data, employers may have specific responsibilities under the Internal Revenue Code or other laws. To the extent that the plan sponsor or another party is named as the plan administrator or otherwise exercises control over the selection of the insurer or other plan vendor or other plan operations, the fiduciary obligations of ERISA also may require a prudent investigation and other action. Brokers, insurers, third party administrators, preferred provider organizations or other managed care providers and others doing business with the health plan also may have specific responsibilities under state insurance, health care, data breach and identity theft or other laws. Under the provisions of most of these laws, leaving it to the insurer or other vendor involved in the breach generally will not suffice to fulfill applicable legal responsibilities, much less allay the fears of plan members, employees, healthcare providers and others involved with the health plan.

In the face of these developments, health plans and their sponsors, fiduciaries and others working with them must take immediate action in response to breaches. Businesses also should check the adequacy and defensibility of their current overall data collection, use and security practices while remaining ever-vigilant for new requirements, as well as weaknesses in their own practices.

Businesses need to build their defenses in anticipation of breaches both to withstand government and private litigation and enforcement, and the judgment of public opinion.

How Stolen Credit-Card Data Is Used

Reports of high-profile data breaches have been hard to miss over the past year. Most recently, it was a breach involving 56 million customers’ personal and credit card information at Home Depot.

This is just the latest volley in a wave of sophisticated electronic thefts including Target, Neiman Marcus, Michael’s, P.F. Chang’s and Supervalu. Much like in the other attacks, the suspected culprit in the Home Depot data breach is a type of malware called a RAM scraper that effectively steals card data while it’s briefly unencrypted at the point of sale (POS) to authorize a transaction. Reports of this type of attack have become increasingly common in the months since the Target breach.

Whether the cause is a RAM scraper or an “older” threat like a physical skimmer placed directly on a POS machine used to swipe a credit or debit card, a phishing attack, or customers’ card information being stored insecurely, the result is the same: Credit card data for millions of people winds up in the hands of criminals eager to sell it for profit. How does that process unfold? And how can you – or people you know – get sucked into it?

The Basic Process: The journey from initial credit card data theft to fraudulent use of that data to steal goods from other retailers involves multiple layers of transactions. The actual thief taking the card numbers from the victim business’ POS or database doesn’t use it him or herself.

First, a hacker – or a team of them – steals the credit card data electronically. Most of these schemes begin in Russia or other parts of Eastern Europe, and much of what you might call the “carding trade” is centered there.

Next, brokers (also referred to as “re-sellers”) buy the stolen card numbers and related information in bulk and trade them in online carding forums. A hacker may also sell the card data directly to keep more of the profits, though that’s riskier and more time-consuming than using a broker. These exchanges are found on the dark net (aka the dark web). That’s a part of the Internet you won’t find through Google, where all manner of illegal and unsavory things can take place. Online prices vary depending on:

  • The type of card,
  • Credit limit (if known),
  • How much additional data is available (CVV codes from the backs of cards and associated Zip codes make stolen cards more valuable),
  • The card owner’s geographic location (a fake card used in the vicinity of the legitimate card holder is less likely to raise suspicion), and
  • How recently the cards began appearing in the carding forums (which relates to the likelihood of card cancellation).

Prices for the individual cards have come down significantly in the past few years because of the sheer amount of records available, though brokers can still do quite well from bulk sales of card data. Despite being on the dark web, many of the brokers conduct themselves like regular online businesses and will provide replacements or the equivalent of store credit if cards purchased from them don’t work.

The people who buy the card data from the brokers are called “carders.” Once the carders have the stolen card data, there are at least two distinct variations on the scam:

1) Physical, in-store purchases using fake credit cards.

2) Stolen card numbers used to charge pre-paid credit cards that are, in turn, used to purchase store-specific gift cards (which are less suspicious than general gift cards). Purchases are made online.

Variant 1 (“Mystery Shopper”): This variation starts with carders printing up the fake credit cards for use in stores. Once they have the stolen card data, the equipment needed to make the fake cards isn’t that expensive. The carder then usually works with one or more recruiters to find people to use the fake cards (though a carder may do the recruiting himself). The enticement to get people to use the fake cards will generally be in the form of email spam and ads in Craigslist or similar sites offering easy money to be a “mystery shopper” or “secret shopper” as part of a “marketing study” or some other semi-plausible justification.

Not surprisingly, the items purchased tend to have high resale value. After the physical purchases are made, the “mystery shopper” can either send items to the recruiter/carder (generally via a secure drop site like a vacant office) or directly to someone who has “purchased” an item via an auction site in response to a posting from the recruiter/carder. If sent straight to the carder, she then auctions the items directly on eBay, Craigslist or an underground forum on the dark web.

The people who actually make the purchases with the fake cards may have no clue what they’re involved in (though sometimes they’re active participants in the scheme or simply low-level criminals looking to use the cards for themselves). They are effectively the “drug mules” of the credit card scam, taking the most risk and getting paid the least.

You’ve probably seen one step retailers take to try to stop in-person card fraud. On a counterfeit credit card, the numbers on the magnetic stripe and the front of the card generally don’t match — it’s too expensive to create individual fakes. Some retailers have their personnel type the last four digits on the physical card into the register after the card is swiped. If the numbers don’t match, the card is rejected as a fake.
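The register-side check just described, as an added example that is not from the article or any POS vendor: it parses the ISO 7813 Track 2 data read from the stripe, validates the account number with the Luhn checksum, and compares its last four digits with what the cashier typed from the face of the card. The Track 2 strings and the function names are constructed for this illustration.

```python
"""Cashier last-four check against magnetic-stripe Track 2 data (added example).

Track 2 layout (ISO 7813): ';' start sentinel, PAN (12-19 digits), '=',
YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
Function names are assumptions made for this illustration.
"""
import re

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


def parse_track2(track2):
    """Split a Track 2 string into its fields; raise on malformed input."""
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("malformed Track 2 data")
    return {"pan": m["pan"], "expiry": m["exp"], "service_code": m["svc"]}


def luhn_ok(pan):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Never log a full PAN; keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def check_swipe(track2, typed_last4):
    """Return (accepted, reason) for one swipe plus the cashier's entry."""
    try:
        card = parse_track2(track2)
    except ValueError as exc:
        return False, str(exc)
    pan = card["pan"]
    if not luhn_ok(pan):
        return False, "PAN fails Luhn check"
    if not re.fullmatch(r"\d{4}", typed_last4):
        return False, "cashier entry must be four digits"
    if pan[-4:] != typed_last4:
        # Counterfeit indicator: embossed number disagrees with the stripe.
        return False, f"last four on card face do not match stripe ({mask_pan(pan)})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed test swipes; 4111111111111111 is a well-known test PAN.
    genuine = ";4111111111111111=2512101000000000?"
    print(check_swipe(genuine, "1111"))   # accepted
    print(check_swipe(genuine, "9876"))   # rejected: face/stripe mismatch
```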

Variant 2 (“Re-shipping”): Rather than making physical cards, in this variation carders use the stolen card data to purchase pre-paid credit cards that are then used to buy store-specific gift cards (Amazon, Best Buy, etc.). As with the “mystery shopper” scheme, recruiters typically use ads and spam emails to entice people, though this time it’s people (especially in the U.S.) seeing “work from home” promises. Sometimes, the recruiters will employ a more personalized approach, even going so far as to start a fake “relationship” with the intended target. Then — wait, there’s more — the gift cards are used to purchase items online, and those items are shipped to the people responding to the ads, spam or “relationship” overtures. That’s where the “work from home” angle comes in.

The people initially receiving the packages directly from an online retailer are called “re-shippers.” People in the U.S. are used because U.S.-based addresses raise fewer red flags with the retailers. Like the “mystery shoppers,” the re-shippers are the drug mules here (and they are sometimes referred to as “money mules” or “shipping mules”). And, as with the “mystery shopper” scheme, re-shippers can either send items to the recruiter/carder or directly to someone who has “purchased” the item through an auction site.

While this may sound a little convoluted, the shell game-like nature of using one card to buy another and then another makes it more difficult for stores to catch onto this scheme before the purchase has already been made and shipped out. After that, it’s generally too late.