The #DataInsecurity Digest | Issue 23

Issue 23 | June 22, 2016

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s Note: Data security woes have reached the C-suite at the FTC and the heart of the presidential campaign. FTC Chief Technologist Lorrie Cranor became a victim of identity theft when her mobile phone account got hijacked. Cranor’s ID fraud problems are putting the spotlight on “SIM switch” scams, one way that hackers are looking to defeat increasingly common two-factor authentication technology. In other news, the Democratic National Committee’s opposition research file on Donald Trump was stolen, reportedly by Russian hackers, possibly an explanation for Clinton’s recent tough talk on cybersecurity. Meanwhile, it appears that web publishing platform VerticalScope may be the victim of a breach resulting in 40 million passwords from 1,100+ websites getting dumped onto the dark web, all while the Internet is still reeling from the aftershocks of the record-setting breaches at MySpace, LinkedIn, and Tumblr. Hackers have wasted no time in using those compromised credentials and consumers’ tendency to re-use passwords to attack accounts at sites like GitHub. The news isn’t all bad, however. Two of the biggest spammers out there, including Sanford “Spam King” Wallace, are facing the music thanks to law enforcement crackdowns.

And now, on to the clips!

—————–

FTC Chief Technologist’s identity stolen through phone hijacking. When you’re in charge of advising the FTC Chairwoman about technology policy, the assumption is that you’re going to be better protected against identity fraud than the average person. Unfortunately, as FTC Chief Technologist Lorrie Cranor recently found out, no one is immune. Her description of how her mobile phone account was hijacked is riveting for data security geeks. Writes @lorrietweet, “[A] few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers. My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft.” Fortunately for us, Cranor used the opportunity as a teachable moment on how industry can work to help users avoid this form of identity fraud. She writes, “[T]he security of two-factor authentication schemes that use phones as one of the factors relies on the assumption that someone who steals your password has not also stolen your phone number. Thus, mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and having email, social network, and other accounts compromised.”

Cranor also warns that “SIM switch” attacks are gaining popularity. Another way that fraudsters are getting around carrier security measures is with the “SIM switch” scam. Cranor used her phone hijacking story to warn about this as well. “Thieves first purchase the victim’s bank account info or acquire it through a phishing attack,” wrote Cranor. “They may also look for publicly available information about the victim on social networks that can help them answer security questions. Then they impersonate the victim and call the victim’s mobile phone company to report that their phone has been damaged or stolen and convince the company to cancel the SIM card and activate a new SIM card with the victim’s phone number in the thieves’ phone. The thieves are then able to make bank account transfers, responding to phone calls and text messages directed to the victim’s phone number in order to complete the transactions. The victim’s phone stops working as soon as the SIM card is swapped. It usually takes them several hours or days to get their phone service restored, and longer to notice that their bank account has been emptied.” (Source: FTC and Ars Technica)

Will hackers beat two-factor authentication with “SIM reset?” Any data security geek worth their salt (including yours truly) will tell you that turning on two-factor authentication is one of the best ways to protect your accounts. However, as racial justice activist DeRay Mckesson found out, it’s not foolproof. Writes @kateconger, “…Mckesson became the most recent example of a high-profile account breach this morning, when his Twitter account suddenly began tweeting endorsements for Donald Trump. … After regaining control of his Twitter account, Mckesson explained that the hacker or hackers were able to take over by convincing Verizon to reset his SIM. With the SIM reset, the person responsible was able to receive text messages intended for Mckesson and therefore bypass the two-factor authentication the activist used to keep his account secure.” (Source: TechCrunch)

Clinton says she’ll be “absolutely focused” on cybersecurity after DNC breach. Data security has increasingly made headlines in the presidential race, but not in the way one might think. Back in December, there was the kerfuffle over “Datagate” for the Bernie Sanders campaign. Then there are ongoing questions about the security of Secretary Clinton’s private email server. Those two instances could be trumped (pardon the pun) by the developing news about Russian hackers’ breach of the Democratic National Committee. Records compromised reportedly included the DNC’s opposition file on Donald Trump. @nakashimae reports, “[T]he depth of the penetration reflects the skill and determination of the United States’ top cyber-adversary as Russia goes after strategic targets, from the White House and State Department to political campaign organizations. This episode seems to have attracted the attention of Democratic nominee Hillary Clinton who stated in response to the hack that, ‘cybersecurity will be an issue that I will be absolutely focused on as president.’” (Source: New York Times)

Ohlhausen urges developers to put security ahead of rush to market. Last week, FTC Commissioner Ohlhausen kicked off the latest edition of the FTC’s “Start With Security” event series in Chicago with strong advice for developers more interested in shipping code than securing it: “Test your software and ensure you don’t leave consumers vulnerable to attack.” The event brought together experts from across the field to provide businesses with practical tips and strategies for implementing effective data security. (Source: FTC)

Ponemon: Average breach cost up to $4 million; even more for healthcare providers. Breach costs increasing is nothing new, but for industries like healthcare, the news is much worse. In the last year, the average cost of a data breach rose from $3.74 million to $4 million, according to a new report from IBM Security and the Ponemon Institute. @noyesk reports, “This year’s data uncovered a 64 percent increase in reported security incidents between 2014 and 2015. … In highly regulated industries like healthcare, the damage is even worse, reaching $355 per record.” The report faulted poor preparation for breaches as a major avoidable source of the high cost and highlighted that 70 percent of security executives do not have an incident response plan in place. (Source: CSO and IBM)

LexisNexis study finds that U.S. card issuers lose $10.9 billion a year to fraud. The study also found that fraudulent credit cards were the primary culprit behind 71 percent of all card fraud. The author of the study, Michael C. Smith, cautioned that although the financial industry is continuing to roll out EMV chip technology that makes card fraud more difficult, other types, such as application fraud, may proliferate. “With the window closing on easily replicable magstripe cards, we forecast a shift and bump in identity schemes—characterized by the use of synthetic identities and the misuse of true identities.” (Source: Payment Source)

Morgan Stanley pays $1 million for failing to protect consumer information. The banking giant is just the latest in a string of financial service providers that have been in hot water over their data security (or lack thereof). Earlier this month, the U.S. Securities and Exchange Commission (SEC) settled with Morgan Stanley for an incident where 730,000 accounts were hacked and put up for sale online. “[G]iven the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection,” said Andrew Ceresney, director of the SEC’s Enforcement Division. “We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.” (Source: SEC)

Breach du jour: 40 million passwords from 1,100 different sites. Motherboard’s @lorenzoFB reports that 1,100 websites, ranging from Autoguide.com to Techsupportforum.com, are the latest victims of breaches that may have resulted in 40 million passwords being compromised. If the initial numbers are correct, it would be one of the largest password dumps yet. Speculation about the source of the breach points to a possible vulnerability in VerticalScope, a digital platform that all 1,100 compromised sites apparently relied on. “Given the massive scale of this breach, it is also likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale,” wrote LeakedSource. (Source: Motherboard)

Compromised passwords used to target GitHub accounts. When 642 million passwords from sites like Myspace, LinkedIn, and Tumblr get dumped, there is bound to be some fallout at other websites amongst users who are guilty of reusing their passwords. This week, the repository hosting service GitHub became the latest victim of password dumping fallout. @thepacketrat reports, “On June 14, someone using what appears to have been a list of email addresses and passwords obtained from the breach of ‘other online services’ made a massive number of login attempts to GitHub’s repository service. A review of logins by GitHub’s administrators found that the attacker had gained access to a number of accounts.” (Source: Ars Technica)
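The GitHub item above describes the classic signature of credential stuffing: one source trying a long list of leaked email/password pairs, failing on most accounts and succeeding on the few whose owners reused a password. The block below is an added example of the kind of review GitHub’s administrators are described as performing; it is not GitHub’s tooling and not code from the article. It assumes a constructed, simplified authentication log format (one line per attempt: timestamp, source IP, account, result) and flags sources that hit many distinct accounts in a short window with a low success rate, then lists the accounts that nonetheless logged in from such a source, since those are the likely password-reuse victims to notify and re-secure.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not GitHub's own tooling. The log format is an assumption
made for this example:  <ISO-8601 UTC timestamp> ip=<src> user=<account> result=<OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample log: one source walks a leaked credential list (8 accounts,
# 1 hit), while a legitimate user mistypes a password once and then succeeds.
SAMPLE_LOG = """\
2016-06-14T03:00:01Z ip=203.0.113.7 user=alice result=FAIL
2016-06-14T03:00:02Z ip=203.0.113.7 user=bob result=OK
2016-06-14T03:00:03Z ip=203.0.113.7 user=carol result=FAIL
2016-06-14T03:00:04Z ip=203.0.113.7 user=dave result=FAIL
2016-06-14T03:00:05Z ip=203.0.113.7 user=erin result=FAIL
2016-06-14T03:00:06Z ip=203.0.113.7 user=frank result=FAIL
2016-06-14T03:00:07Z ip=203.0.113.7 user=grace result=FAIL
2016-06-14T03:00:08Z ip=203.0.113.7 user=heidi result=FAIL
2016-06-14T03:05:00Z ip=198.51.100.4 user=ivan result=FAIL
2016-06-14T03:05:10Z ip=198.51.100.4 user=ivan result=OK
"""


def parse_log(lines):
    """Turn raw lines into (timestamp, ip, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_ratio=0.2):
    """Return {ip: {"accounts", "attempts", "successes"}} for every source that, within
    one sliding window, tried at least min_accounts distinct accounts with a success
    ratio at or below max_success_ratio. The stats kept are those of the widest
    qualifying window, so the numbers describe the whole spray, not its first five lines."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; timestamps are the first tuple element
        start = 0
        for end in range(len(evs)):
            # advance the window start until the window fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {user for _, user, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(accounts) >= min_accounts and successes / len(win) <= max_success_ratio:
                prev = flagged.get(ip)
                if prev is None or len(accounts) > prev["accounts"]:
                    flagged[ip] = {"accounts": len(accounts),
                                   "attempts": len(win),
                                   "successes": successes}
    return flagged


def compromised_accounts(events, flagged):
    """Accounts with a successful login from a flagged source: likely reused passwords."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


def analyze(text):
    """Run the full review over a log and return (flagged sources, likely-compromised accounts)."""
    events = parse_log(text.splitlines())
    flagged = find_stuffing_sources(events)
    return flagged, compromised_accounts(events, flagged)


if __name__ == "__main__":
    sources, victims = analyze(SAMPLE_LOG)
    for ip, stats in sources.items():
        print(f"credential stuffing from {ip}: {stats}")
    print("accounts to re-secure:", victims)
```

The thresholds (five accounts in ten minutes, at most a one-in-five success rate) are starting points, not universal constants; a shared NAT or a corporate proxy can legitimately produce many accounts from one address, so in production the same logic is usually keyed on additional signals (ASN, user agent, request timing) before it blocks anything. The account list is the actionable output: those users need a forced password reset and a notification, which is what makes the review more than an IP blocklist.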

Krebs: Number of Wendy’s restaurants affected by breach “significantly higher” than originally thought. Shortly after Wendy’s acknowledged a credit card breach that allegedly affected fewer than 300 of the fast food chain’s 5,800 locations, a number of fraud experts began complaining to @briankrebs: “…There was no way the Wendy’s breach only affected five percent of stores — given the volume of fraud that the banks have traced back to Wendy’s customers.” Krebs also received complaints that Wendy’s credit card fraud problems continued well after the five percent estimate came out, suggesting that the breach may not be contained. (Source: KrebsOnSecurity)

Think Facebook Messenger is secure? Think again. A vulnerability recently uncovered in Facebook’s chat function and its popular Messenger app could allow hackers to alter old messages previously sent by Facebook users. As @wirelesswench reports, the vulnerability could allow attackers to “manipulate message history as part of fraud campaigns, changing the history of a conversation to claim he had reached a falsified agreement with the victim, or simply change its terms … the vulnerability can be used as a malware distribution vehicle. An attacker can change a legitimate link or file into a malicious one, and easily persuade the user to open it.” (Source: Infosecurity)

“Spam King” sentenced to 2.5 years in prison. Sanford Wallace, infamous for sending more than 700,000 spam messages through MySpace and 27 million through Facebook, has been ordered to pay $310,000 in restitution and has been sentenced to 2.5 years in prison. When he gets out, he’ll still be on the hook for $1 billion in damages levied against him in civil suits by MySpace and Facebook, reports @cfarivar. (Source: Ars Technica)

In other spam news, FBI raids spammer’s house. It appears that infamous spam artist Michael A. Persaud’s time as a free man may be coming to an end. @briankrebs explains that although no charges in relation to this investigation have yet been brought, the “FBI asked for and was granted a warrant to search Persaud’s iCloud account, which investigators believe contained ‘evidence of illegal spamming’ and wire fraud to further [Persaud’s] spamming activities.” (Source: KrebsonSecurity)

Upcoming events

September 7 – Fall Technology Series: Ransomware – Washington, DC
The FTC’s first event in this year’s Fall Technology Series will take place on Wednesday, September 7, 2016 in Washington, DC. This half-day workshop will address how ransomware works, what victims should do, the role of education, and what technological measures can be taken to prevent a ransomware attack.

National Consumers League
Published June 22, 2016