Zack Whittaker reports via TechCrunch: A reader contacted TechCrunch after his [OkCupid] account was hacked. The reader, who did not want to be named, said the hacker broke in and changed his password, locking him out of his account. Worse, they changed his email address on file, preventing him from resetting his password. OkCupid didn’t send an email to confirm the address change — it just blindly accepted the change. “Unfortunately, we’re not able to provide any details about accounts not connected to your email address,” said OkCupid’s customer service in response to his complaint, which he forwarded to TechCrunch. Then, the hacker started harassing him with strange text messages from his phone number that was lifted from one of his private messages. It wasn’t an isolated case. We found several cases of people saying their OkCupid account had been hacked.
But several users couldn’t explain how their passwords — unique to OkCupid and not used on any other app or site — were inexplicably obtained. “There has been no security breach at OkCupid,” said Natalie Sawyer, a spokesperson for OkCupid. “All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.” Even on OkCupid’s own support pages, the company says that account takeovers often happen because someone has an account owner’s login information. “If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach,” says the support page. In fact, when we checked, OkCupid was just one of many major dating sites — like Match, PlentyOfFish, Zoosk, Badoo, JDate, and eHarmony — that didn’t use two-factor authentication at all.
Read more of this story at Slashdot.
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn what security issues and critical threats will impact consumer data this year. Also, learn about a malicious Adobe app targeting macOS systems.
Trend Micro reports that there are certain security issues which will specifically impact consumer data, including phishing and fraud attacks.
Linksys and Trend Micro have partnered to deliver a security solution for home networks to give families an added layer of digital protection.
Trend Micro contributed to a new Europol report detailing guidelines on logical ATM attacks, in support of ongoing efforts by both law enforcement and the financial industry to stop ATM abuse.
Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.
Trend Micro found a malicious app posing as Adobe Zii (a tool used to crack Adobe products) targeting macOS systems to mine cryptocurrency and steal credit card information.
As auto makers roll out more sophisticated features, the upgrades are also making cars more vulnerable to cyberattacks, according to a new report from the Ponemon Institute.
A massive data dump involving more than two billion user credentials was reported earlier this year. The ramifications of this dump are just the beginning for many of those whose data are included.
A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.
For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue. The product is Safe-KID-One, a children’s smartwatch produced by German electronics vendor ENOX.
Do you agree phishing and fraud attacks will be the main threats impacting consumer data in 2019? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Consumer Data and Malware appeared first on .
Around the world, hundreds of thousands of employees in thousands of companies receive an email from the company’s payroll department. It contains a PDF attachment with the details of the employees’ end of year bonuses. Some, the more cautious among them, delete the email, sensing that it could be a phishing attack. Others open the attachment, and release the worst cyberattack in history. 43% of the world’s devices are affected, all of their files encrypted. The cost of this attack reaches a staggering $85 billion.
Fortunately, the world is yet to see anything of this kind. However, according to a study by the Cyber Risk Management (CyRiM) project in Singapore, this is a scenario that we could well experience. The investigation was carried out to illustrate the catastrophic consequences that an incident of this type could have on the economy. It describes an advanced ransomware attack, called Bashe, in detail, along with the devastating effects that it could have.
The study describes several scenarios: the “best case”, in which 43% of the world’s devices are encrypted, causing costs of $85 billion; and the “worst case”, where 97% of devices are encrypted, and costs spiral to $193 billion.
Development of a large-scale attack
The study describes how the developers of the ransomware are recruited to create this malware and design the attack. One of the cybercriminals’ goals is to avoid the pitfalls of previous global attacks. As such, the Bashe attack is designed to use a vulnerability without a patch, and efforts are made to ensure that there is no possibility of an online kill-switch being discovered, as happened with WannaCry.
As with so many other malware campaigns, it is delivered inside attachments, in this case a PDF with the subject “Year-End Bonus”. The malware is able to imitate the email domain of the victim, and thus spoof the ‘sent from’ part of the email header. In this way, the email seems to be coming from someone in the victim’s company.
Once the attachment is opened, the malware is executed: it downloads the ransomware worm and encrypts all the data on all the computers that share the network with the infected device. It demands a ransom of $700. To make sure the ransomware spreads as far as possible, the worm automatically forwards the malicious email to all the victim’s contacts.
In 24 hours, Bashe has encrypted the data on around 30 million devices all around the world.
Companies start to respond
The study explains that the worst hit industries would be retail, healthcare, and manufacturing. In the retail sector, the costs stem from encrypted payment systems, and the collapse of e-commerce thanks to inoperative websites. The healthcare sector is affected due to its heavy reliance on antiquated systems, just as we saw with the WannaCry attacks. As for manufacturing, the encryption of infrastructure and machines necessary for their activity, along with possible problems in shipping networks, logistics, and inventory would be the main problems caused by this kind of attack.
Many companies rely on IT systems to carry out their day-to-day business; this leads around 8% of them to pay the ransom in order to return to normality as quickly as possible. The criminal organization makes between $1.14 and $2.78 billion this way. Smaller companies are most likely to pay the ransom, given their limited capacity to manage disasters of this kind.
Beyond the economic costs detailed above, one of the most immediate outcomes is an increase in distrust of connected devices, along with stricter controls on the use of corporate email.
Another repercussion of the Bashe attack is a dramatic increase in the demand for IT security. Companies want to protect their corporate networks and their assets in order to avoid similar attacks in the future. Cybersecurity training becomes mandatory for employees, and cyberrisk management courses a requirement in order to get an IT security insurance policy.
How to protect yourself against advanced attacks
Although an attack on the same scale as Bashe is unlikely, any kind of cyberattack can have extremely serious repercussions for a company, regardless of its size:
1.- Employee training. We’ve said it time and time again, but one of the most important steps in protecting against the most advanced cyberthreats is awareness. Companies mustn’t wait until an incident like this one occurs to start to train employees in cybersecurity.
2.- Careful with emails. Email plays a key role in the cataclysmic scenario we’ve just seen. And it is far from being the only kind of threat that uses email as an attack vector. In fact, 87% of IT security professionals have admitted that their company has had to deal with some kind of threat that came via email. If you have even the slightest doubt about where an email has come from, the best course of action is to contact the company’s security team.
3.- Advanced security solutions. An IT security suite such as Panda Adaptive Defense can help to detect any attempted attack that tries to get in via email. It does so by using cognitive intelligence and a real-time detection system. What’s more, it includes a managed Threat Hunting service, which actively searches for the most advanced threats, so that your network is always protected.
The post Bashe: the hypothetical $193 billion ransomware attack appeared first on Panda Security Mediacenter.
Cash is slowly but steadily becoming one of the least popular payment methods in the developed countries. Here in the US, the amount of consumer purchases done with plastic cards is approximately ten times higher when compared to cash payments. Consumers are giving up on checks and cash handling and are opting for the convenience, protection, and rewards often offered by the issuing banks.
Very often credit card companies manage to attract the attention of clients by offering them comprehensive reward points systems, sign-up bonuses, and perks such as early access to concert tickets and invitations for special events organized for clients of a particular network – VISA, MasterCard, American Express, or Discover. Credit cards enable cardholders to purchase goods and services – the transactions are based on the cardholder’s promise to pay back the borrowed amounts as well as other additional charges such as interest and monthly service fees.
Credit card issuers are in possession of all sorts of personal information that includes current and previous addresses, income, full name, and DOB. There is no harm there; it’s normal for businesses to ask for personal information so they can verify your identity and determine your trustworthiness. However, personal information is not the only valuable thing that credit card holders are giving away when they start a relationship with a credit card company.
While issuing banks are known to profit from fees associated with the usage of credit cards, consumers are giving up vast amounts of personal information that might be used by the credit card companies and may end up shared with third parties. Such information includes your spending habits, shopping patterns, preferences, life secrets, and in some cases, even your location.
What information do you give to credit card issuers and how do credit card companies keep track of your buying habits?
If you are using mobile banking, the chances that your credit card issuer is aware of your location at all times are high. The information collected could be used for both marketing and security purposes. If you tend to spend a lot of money on dining, you might be offered a new credit card that gives you even more rewards for money spent on a night out. Sharing your location with your credit card issuer helps banks battle fraud too – your credit card issuer would not be concerned if they see an international transaction if you tend to travel a lot.
Spending habits and patterns
Credit card issuers can learn a lot about you from your spending habits and patterns. If you end up spending a lot of money on international trips, they might use the information to suggest travel cards with no foreign transaction fees, or guide you to an affiliated travel website so you can spend more using the same card. Yearly, monthly, and weekly patterns show banks what your day looks like and give them an idea of what products and services you may need.
Bank issuers use your transaction history to decide whether you are trustworthy and reliable. You may qualify for a credit card limit increase if your income and debt ratios are at an acceptable level, all your payments are on time, and you pay a regular monthly fee to a luxury car maker. Banks love people who pay their bills on time! It won’t be a surprise if you get offered better credit card conditions if your credit score keeps growing over the years. Banks may even disregard lousy credit if you are a long term client and they see a pattern that they like – you are considered a valued customer as long as you use their card and pay your bills on time.
How do they use the data?
In the age of big data, your card transaction history tells a lot about you and how you live your life. So it is not a surprise that many organizations would want access to such data. Life insurance companies might give more favorable quotes to people who go to the gym four times a week, do not spend money on tobacco or liquor, and buy organic. So you can imagine that apart from providing you with better solutions that suit your lifestyle, card issuers often partner up with data mining companies whose goal is to make you spend more money.
Banks also share transactional data with third parties such as data brokers that work with advertisers and marketers, who are always ready to target you with what they believe are relevant marketing campaigns of goods and services that you may be willing to purchase. If you do not want your data analyzed, you can opt out your VISA cards here, and MasterCard cards here. The opt-out requests last only five years, so if you want to maintain your opt-out choice, you have to manually enter the card details of every new or replacement card you receive.
Is this enough to be secure and to prevent your data from being spread around?
Not really. The best way to know what data you are sharing with your credit card issuer is to read the Terms & Conditions agreement they give you on sign up. Having antivirus software installed on all your connected devices also helps – being protected will deny cybercriminals the ability to obtain the missing piece about you from the constant data leaks that have been happening over the last decade.
The post How much does your credit card issuer know about you? appeared first on Panda Security Mediacenter.
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about new routines for encryption of JobCrypter ransomware. Also, understand how Emotet has managed to evolve into one of the most notorious cyber threats in existence.
A variant of JobCrypter ransomware observed by Trend Micro uses new routines for encryption and features the ability to send a screenshot of the victim’s desktop to an email address.
In the future, industrial robots may create jobs, boost productivity and spur higher wages. But one thing seems more certain for now: They’re vulnerable to hackers.
Microsoft CEO Satya Nadella is a major proponent of the recent European data regulation GDPR, which came into force in May 2018.
While advanced components to support utilities, critical infrastructure, and more can bring numerous benefits, these solutions also open both urban and rural areas to new risks and cyber threats.
The Department of Homeland Security has issued a rare “emergency” directive ordering federal civilian agencies to secure the login credentials for their internet domain records out of concern that they could be vulnerable to cyberattacks.
While most security professionals have come to embrace — or, at least, accept — bring-your-own-device (BYOD) policies, leadership still often lacks confidence in the data security of employees’ personal phones, tablets and laptops.
Over a period of just five years, Emotet has managed to evolve into one of the most notorious cyber threats in existence – one that causes incidents that cost up to $1 million to rectify.
An online casino group has leaked information on over 108 million bets, including details about customers’ personal information, deposits and withdrawals.
France’s data protection regulator, CNIL, has issued Google a €50 million fine (around $56.8 million USD) for failing to comply with its GDPR obligations.
More than 70% of tech professionals said security spending has increased in the past year, according to a Ping Identity report.
More than a decade’s worth of credit and mortgage records, many linked to some of the country’s largest banks and lenders, was temporarily exposed online.
What do you think are some other risks smart cities will create within the next years? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
The post This Week in Security News: Ransomware and Cyber Threats appeared first on .