It seems like we can’t go a few weeks without news of a new data breach. The most recent came by way of Staples, which announced earlier this week that it was looking into a possible flaw in protecting customer credit card data. But these aren’t isolated events. The frequency of data breaches has been increasing every year. And according to one new study, consumers don’t want to take it anymore.
Market research firm Annalect estimates that one in five consumers claims to have been affected by a data breach. But the firm’s latest report also shows that breaches have lasting effects on consumer psychology. Based on an ongoing study of 2,100 adults who use the Internet more than once a month, Annalect found that 72% of those who had their data compromised said that their perception of the company involved changed for the worse. Twelve percent refused to shop at those retailers following the breach.
People aren’t blaming credit card companies, either. Half of those surveyed blamed the retailers directly, and more are now concerned over how their data is being used than ever. Annalect’s quarter-to-quarter findings also suggest that popular awareness of personal data vulnerabilities has grown after Edward Snowden leaked documents showing how the U.S. government surveils its own citizens.
But so far, it seems few major retailers are immune to breaches. So it might be that everyone is simply worse off.
Staples Investigates Reports of Possible Credit Card Data Breach
The world’s biggest office-supply retailer, Staples, is investigating reports of a possible data breach of customers’ credit cards after banks detected a pattern of unusual charges concentrating on a group of shoppers. Reports of fraudulent charges recently surfaced on an independent security blog, which noted that the bulk of the card data appeared to come from a group of stores clustered in the northeast, including seven in Pennsylvania, three in New York and one in New Jersey. [Time]
Apple Pay Suffers Early User Glitches
Scattered reports of double payments and failed transactions have begun to bubble to the surface after what initially looked like a relatively smooth introduction of Apple Pay. Some Bank of America customers reported Tuesday that they were charged twice for purchases made through Apple’s new payment system. [Payments Source]
President Obama Tightens Security on Government-Issued Debit Cards
Even the federal government is feeling uneasy about the security of debit and credit cards. Reacting to the large number of data breaches at major retail chains, the United States government will now require that all federal benefits issued via debit card be delivered on cards that contain chip technology. [LowCards.com]
Citibank to Start Offering Free Credit Scores to Credit Card Customers
Citibank in January will become the second major credit card issuer to provide FICO credit scores to customers every month. The move signals this will become the norm in the near future. Citi is the nation’s third largest credit card issuer by amount of credit issued, behind Bank of America and Chase. Both these larger banks said they’re considering doing the same. [The Plain Dealer]
Apple Pay Threatens a Competing Approach to Simplifying Payments
Apple Pay went live this week, casting a shadow over the future of cash and credit cards–and of two young companies called Coin and Plastc. Buoyed by strong iPhone sales, Apple Pay allows users to make purchases with recent iPhones at more than 220,000 merchant locations across the U.S. This poses a bit of a challenge for Coin and Plastc, which also aim to make payment safer and easier–but by consolidating users’ credit card information on a single, physical smart card. [The Wall Street Journal]
A security researcher has tossed a giant bucket of ice water on Samsung's thumbs up from the NSA approving use of certain Galaxy devices within the agency.
The NSA's blessing, given under the agency's Commercial Solutions for Classified Program, meant that the Samsung Galaxy S4, Galaxy S5, Galaxy Note 3 and Galaxy Note 10.1 2014 Edition cleared a number of security stipulations and could be used to protect classified data.
The agency's approval was also seen as a solid endorsement for Samsung's Knox technology, which provides separate partitions, or containers, on the Android devices in order to keep personal and business data from commingling. The containers have their own encrypted file systems as well, keeping secured apps separate from applications outside the container.
An unnamed researcher, however, on Thursday published a lengthy report that claims the PIN chosen by the user during setup of the Knox app is stored in clear text on the device. Specifically, a pin.xml file written into the ContainerApp directory on the device during setup contains the unencrypted PIN.
The report goes on to explain that the PIN can be used to retrieve a password hint. If an attacker has access to the phone and can retrieve the PIN, he can use a “Password forgotten?” field to get a password hint that turns out to be the first and last character of the supposed secret code, in addition to the exact length of the password.
“So now it is pretty obvious that Samsung Knox is going to store your password somewhere on the device,” the report says, adding that in fact he found the encryption key in a container folder.
Samsung, the report says, buried the manner by which Knox generates the key deep inside a myriad of Java classes and proxies. The report also said that the unique Android ID for each device is used as well to derive the key.
“Samsung really tried to hide the functionality to generate the key, following the security by obscurity rule,” the report says. “In the end it just uses the Android ID together with a hardcoded string and mix them for the encryption key. I would have expected from a product, called Knox, a different approach.”
The researcher points out that the built-in Android encryption derives its key from the user's passphrase with the Password-Based Key Derivation Function (PBKDF2), so the key itself is never persisted on the device; it is recomputed from the passphrase each time it is needed.
“The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely. For such a product the password should never be stored on the device,” the report says. “There is no need for it, only if you forget your password. But then your data should be lost, otherwise they are not safe if there is some kind of recovery option.”
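The contrast the report draws, as an added example that is not part of the original article and not Samsung's code: a key derived only from the Android ID and a hard-coded string can be recomputed by anyone holding the device, so any password encrypted under it is recoverable, whereas a PBKDF2 key derived from the user's password leaves nothing on disk that unlocks the data without that password. The hard-coded string, the Android ID, the mixing function and the toy cipher are all constructed stand-ins; Samsung's real constant and cipher are not on the page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the hard-coded string the report mentions; the real value is not known here.
HARDCODED_STRING = b"example-knox-constant"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) so the example needs no third-party library.
    It stands in for whatever cipher the product uses: the weakness shown is in the key, not the cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def device_bound_key(android_id: str) -> bytes:
    """Knox-style derivation as the report describes it: device ID mixed with a hard-coded string.
    Every input is readable by anyone who holds the device (or its backup) and the APK."""
    return hashlib.sha256(android_id.encode() + HARDCODED_STRING).digest()


def store_password_device_bound(password: str, android_id: str) -> bytes:
    """What ends up in the container folder: the password, encrypted under a recomputable key."""
    return keystream_xor(device_bound_key(android_id), password.encode())


def attacker_recovers_password(stored_blob: bytes, android_id: str) -> str:
    """Attacker with the device reads the Android ID, pulls the constant out of the app, and decrypts."""
    return keystream_xor(device_bound_key(android_id), stored_blob).decode()


def enroll_password_pbkdf2(password: str, iterations: int = 200_000) -> dict:
    """The approach the report prefers: only salt, iteration count and a verifier are written to disk.
    The key is re-derived from the password at unlock time and is never persisted."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    verifier = hmac.new(key, b"verify", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock_pbkdf2(record: dict, password_attempt: str) -> Optional[bytes]:
    """Returns the data key only for the right password; there is no hint and no recovery path by design."""
    key = hashlib.pbkdf2_hmac("sha256", password_attempt.encode(),
                              record["salt"], record["iterations"], dklen=32)
    candidate = hmac.new(key, b"verify", hashlib.sha256).digest()
    if hmac.compare_digest(candidate, record["verifier"]):
        return key
    return None


if __name__ == "__main__":
    android_id = "9774d56d682e549c"  # constructed 16-hex-digit Android ID
    blob = store_password_device_bound("correct horse battery", android_id)
    print("recovered from device data alone:", attacker_recovers_password(blob, android_id))
    rec = enroll_password_pbkdf2("correct horse battery")
    print("pbkdf2 unlock with wrong password:", unlock_pbkdf2(rec, "wrong"))
```

The point of the second design is the last line of the report's quote: with PBKDF2 and no stored key, forgetting the password means the container is lost, and that is the price of the data being safe against someone who has the phone.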
KATU reports that the Oregon Employment Department recently began notifying 851,322 people that their personal information may have been exposed when the department’s WorkSource Oregon Management Information System (WOMIS) was hacked.
According to the Statesman Journal, the information potentially exposed includes Social Security numbers, birthdates, addresses, and other data usually found on a job application.
The department only learned of the breach when it was notified by an anonymous tipster on October 6, 2014.
“Work began immediately [on October 6] — in coordination with the state’s Chief Information Office — to validate the information in the anonymous tip,” the department said in a statement. “Once validated, WOMIS was shut down while steps were taken to correct the security vulnerability to eliminate the possibility of retrieving Social Security information. The personal information was then secured to prevent any further threats.”
The breach was then publicly disclosed four days later, on October 10 — but letters weren’t mailed to those affected until two weeks after the breach was first discovered.
Still, department legislative and public affairs manager Andrea Fogue told KATU the notification was handled as quickly as possible. “We didn’t know until we reviewed 1.9 million records that there were hundreds of thousands of individuals affected,” she said.
Fogue said the breach goes back to at least 2008, when the WOMIS system was first implemented.
Oregon resident Patricia Miller told KATU she received the notification letter from the employment department on October 20, 2014. “This is too little too late,” she said.
Those impacted by data breaches are often frustrated by the delay between the discovery of a breach and the delivery of notification letters.
A class action lawsuit was filed in April 2014 claiming that Arizona’s Maricopa Community College District (MCCCD) took too long to notify 2.5 million people that their personal information had been stolen. In that case, MCCCD took more than six months to notify those affected that their personal information had been exposed.
And 171 students were notified in August 2014 that their personal information may have been exposed when an unencrypted laptop was stolen from New Mexico State University (NMSU) almost two months earlier.
“Why in the hell did it take this long to let us know?” Ronald Thomas, whose wife was one of the affected students, asked the Albuquerque Journal at the time. “And what have they done about it?”
NMSU chief information officer Norma Grijalva said the notification letters were sent out as soon as those affected were identified. “By law we have 60 days to notify victims,” she said. “We were within that timeframe.”
Alia Luria, an associate attorney at law firm Akerman LLP, recently told eSecurity Planet that it’s crucial to ensure that breach notifications are handled correctly. “The notification must be in compliance with the state of residence of the affected person,” Luria said. “[My] primary advice is to make sure you hit deadlines for notification and involve legal counsel and an auditor if needed.”
Here’s a roundup of this week’s data breach news:
Staples – On Monday, Brian Krebs first reported that banks had noticed fraudulent transactions on cards used at Staples locations. Staples then confirmed that the retailer is investigating a potential breach, but has not given more details as to how long the breach may have lasted or how many stores were impacted. At this point, the breach is believed to have affected primarily the Northeast, including seven stores in Pennsylvania, three in New York City, and one in New Jersey.
NeedMyTranscript.com – The personal information of nearly 100,000 people was exposed on NeedMyTranscript.com, a website that helps people get their high school transcripts, according to the Washington Post. Breached data included “names, addresses, email addresses, phone numbers, dates of birth, mothers’ maiden names, and the last four digits of users’ Social Security numbers.” The breach happened because of a flaw in the website’s design that has likely been present since the website was started two years ago. A user first notified the Washington Post that he or she had accessed a link to a “publicly available subdirectory” while attempting to sign in, which had the information of 98,000 individuals. NeedMyTranscript.com—which works with all 50 states and more than 18,000 high schools—is investigating and has hired a cybersecurity firm.
iCloud – Security experts say Apple's iCloud servers in China may be under attack, allowing hackers to see usernames, passwords, and personal information, according to the Wall Street Journal. In a statement, Apple said, "We're aware of intermittent organized network attacks using insecure certificates to obtain user information," but did not specify where the attacks were occurring. Apple warned against using iCloud if your web browser cannot verify the identity of the website, which is good advice even if you're not in China. The worries started over the weekend, when Chinese internet users started noticing certificate warning messages when accessing iCloud. Some have blamed the Chinese government for the attack, but the source is still unknown.
Sourcebooks – Sourcebooks wins the prize for the most ironic breach of the week. On Thursday, Brian Krebs reported that the publisher of his upcoming book on cybercrime, Spam Nation, has suffered a data breach. The breach began in April and ended in June, affecting more than 5,000 shoppers who ordered books online. Credit card numbers, billing information, and some account passwords were compromised, and the breach occurred through a vulnerability in the company's shopping cart software, according to Sourcebooks' disclosure letter on the California Attorney General's website.
Penn Highlands Brookville – A Pennsylvania hospital has confirmed that approximately 4,500 patients were impacted in a data breach. These patients were all seen by the same doctor, whose patient records were being held by a third-party vendor in Ohio. The vendor was hacked, compromising patient names, addresses, dates of birth, driver's license numbers, Social Security numbers, phone numbers, insurance information, medical information, and gender. The hospital says it's not completely sure that the breach occurred but is notifying patients as a precaution. The doctor's patient information has been moved to a
SCORE – At least 500 people had their personal information compromised in a breach of sport uniform manufacturer SCORE's website. The breach was discovered on October 21, and after investigation, SCORE determined that it lasted between June 1 and September 4. Customers who shopped online at www.scoresports.com may have had their names, payment card number and expiration date, as well as their SCORE account number compromised in the breach.
Cyberswim – Online swimsuit retailer Cyberswim is notifying customers about a data breach that occurred between May 12 and August 28, 2014. On September 24, the retailer discovered that malware had been installed on the company’s server, compromising the personal and payment information of swimsuit shoppers who made purchases on the website over the summer. Cyberswim said the attack may have been similar to attacks on other unnamed e-commerce sites. In response, Cyberswim has reset passwords and updated its website and system code to be able to better detect malware.
Follow me on Twitter at @kate_vinton.
Yahoo’s decision in June 2013 to reset accounts that had been dormant for 12 months and make them available to other users raised a number of security and privacy red flags. It was feared that the potential for identity theft would grow given that if an old Yahoo account was linked to another online service, the new user would need only request a password reset to gain access.
Yahoo promised to put mitigations in place to lessen that fear, and pointed out that fewer than 10 percent of inactive IDs were tied to Yahoo email accounts.
Facebook, for one, wanted an extra measure of assurance.
Working with Yahoo, Facebook engineers developed an SMTP extension called Require-Recipient-Valid-Since (RRVS) which inserts a timestamp in the header of an email message that indicates when Facebook last confirmed ownership of the Yahoo account.
“If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands,” said Murray Kucherawy, a software engineer at Facebook.
Facebook on Thursday announced that the RRVS specification, published as RFC 7293, was approved as a Proposed Standard by the IETF.
“The intended use of these facilities is on automatically generated messages, such as account statements or password-change instructions, that might contain sensitive information, though it may also be useful in other applications,” the draft says.
Facebook said its concern is the protection of Facebook accounts linked to a recycled Yahoo address, since whoever now holds that address could take over the linked account. Using the RRVS extension, senders can prevent a message from being delivered to anyone but the intended recipient, the person who owned the mailbox at a certain point in time.
“A receiving system can compare this information against the point in time at which the address was assigned to its current user,” the draft says. “If the assignment was made later than the point in time indicated in the message, there is a good chance the current user of the address is not the correct recipient. The receiving system can then prevent delivery and, preferably, notify the original sender of the problem.”
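The receiving-side comparison the draft describes, as an added example that is not Facebook's, Yahoo's or the RFC's own code. It follows the header-field form of RFC 7293 (`Require-Recipient-Valid-Since: addr-spec; date-time`) and the `RRVS=` ESMTP parameter on `RCPT TO`; the mailbox directory, the sample message and the addresses are constructed for the example.

```python
from datetime import datetime, timezone
from email import message_from_bytes
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Constructed directory: when each local mailbox was assigned to its *current* owner.
MAILBOX_ASSIGNED_AT: Dict[str, datetime] = {
    "alice@example.net": datetime(2009, 3, 2, tzinfo=timezone.utc),   # same owner since 2009
    "bob@example.net": datetime(2013, 8, 15, tzinfo=timezone.utc),    # recycled to a new user in 2013
}

# Constructed notification, as the sending site would generate it. The timestamp is the
# sender's last confirmation that the address belonged to its account holder.
SAMPLE_MESSAGE = (
    b"From: notify@social.example\r\n"
    b"To: bob@example.net\r\n"
    b"Require-Recipient-Valid-Since: bob@example.net; Sat, 01 Jan 2011 00:00:00 +0000\r\n"
    b"Subject: Password reset instructions\r\n"
    b"\r\n"
    b"Click the link below to reset your password.\r\n"
)


def parse_rrvs_header(value: str) -> Tuple[str, datetime]:
    """Split 'addr-spec; date-time' into a normalised address and an aware datetime."""
    addr, sep, date_part = value.partition(";")
    if not sep:
        raise ValueError("RRVS header must contain 'addr-spec; date-time'")
    when = parsedate_to_datetime(date_part.strip())
    if when.tzinfo is None:  # treat a bare timestamp as UTC rather than guessing
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when


def parse_rrvs_smtp_param(param: str) -> datetime:
    """Parse the RRVS=<date-time> form sent with RCPT TO (RFC 3339 timestamp)."""
    return datetime.fromisoformat(param.replace("Z", "+00:00"))


def decide(recipient: str, confirmed_at: Optional[datetime],
           directory: Dict[str, datetime] = MAILBOX_ASSIGNED_AT) -> Tuple[str, str]:
    """Return (action, reason). The only new rule RRVS adds is the 'assigned after confirmation' check."""
    recipient = recipient.lower()
    if recipient not in directory:
        return "reject", "no such mailbox"
    if confirmed_at is None:
        return "deliver", "no RRVS information; normal delivery"
    assigned_at = directory[recipient]
    if assigned_at > confirmed_at:
        return "reject", (f"mailbox reassigned {assigned_at.date()} after sender's "
                          f"confirmation {confirmed_at.date()}; notify sender")
    return "deliver", "same owner since before the sender's confirmation"


def decide_for_message(raw: bytes, directory: Dict[str, datetime] = MAILBOX_ASSIGNED_AT) -> Tuple[str, str]:
    """Apply the check to a complete message using its Require-Recipient-Valid-Since header."""
    msg = message_from_bytes(raw)
    rcpt = msg["To"].strip().lower()
    header = msg["Require-Recipient-Valid-Since"]
    if header is None:
        return decide(rcpt, None, directory)
    addr, confirmed_at = parse_rrvs_header(header)
    if addr != rcpt:  # header refers to some other address; it says nothing about this recipient
        return decide(rcpt, None, directory)
    return decide(rcpt, confirmed_at, directory)


if __name__ == "__main__":
    print(decide_for_message(SAMPLE_MESSAGE))
    print(decide("alice@example.net", parse_rrvs_smtp_param("2011-01-01T00:00:00Z")))
```

The decision is deliberately one-sided: a missing or mismatched header falls back to ordinary delivery, because RRVS is opt-in for senders, while a confirmation that predates the current assignment is the one case where the receiver has positive evidence the message would reach the wrong person.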
This isn’t Facebook’s first foray into protecting its users and email. In May, the company made a plea to email providers urging them to start supporting STARTTLS. In August, Facebook said that 95 percent of its outbound notification emails were successfully encrypted with Perfect Forward Secrecy and certificate validation in place with the sender and recipient.
Just last week, Facebook announced that it developed a tool that mines paste sites such as Pastebin, Github and hacker forums looking for stolen credentials that match those belonging to Facebook accounts. The move was a reaction to the rash of data breaches recently targeting stolen credentials. If a Facebook credential is found, Facebook said that it will notify the user in question.
That announcement came on the heels of another bit of news that Facebook will double bounty payments through the end of the year for vulnerabilities found in its advertising code.
A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services.
Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing research on download servers that might be patching binaries during download through a man-in-the-middle attack. Downloading any kind of file from the Internet is a dodgy proposition these days, and many users know that if they're downloading files from some random torrent site in Syria or the Marshall Islands, they are rolling the dice. Malware runs rampant on these kinds of sites.
But the scenario that worries security experts much more involves an attacker being able to control the download mechanism for security updates, say for Windows or OS X. If an attacker can insert malware into this channel, he could cause serious damage to a broad population of users, as those update channels are trusted implicitly by users and their machines. Legitimate software vendors typically sign their binaries, and a modified binary will fail signature verification. What Pitts found during his research is that an attacker with a MITM position can actively patch binaries served over unencrypted HTTP, even if signed security updates are out of reach, with his own code.
Pitts built a framework called BDF (Backdoor Factory) that can patch executable binaries with shell code in such a way that the binary will execute as intended, without the user noticing. He wanted to see whether anyone was conducting this kind of attack on the Internet right now, so he decided to have a look at Tor, the anonymity network, which is used by people around the world.
“To have the best chance of catching modified binaries in transit over the Internet, I needed as many exit points in as many countries as possible. Using Tor would give me this access, and thus the greatest chance of finding someone conducting this malicious MITM patching activity,” Pitts wrote in his explanation of the research.
“After researching the available tools, I settled on exitmap. Exitmap is Python-based and allows one to write modules to check exit nodes for various modifications of traffic. Exitmap is the result of a research project called Spoiled Onions that was completed by both the PriSec group at Karlstad University and SBA Research in Austria. I wrote a module for exitmap, named patchingCheck.py, and have submitted a pull request to the official GitHub repository. Soon after building my module, I let exitmap run. It did not take long, about an hour, to catch my first malicious exit node.”
The exit node in question was in Russia, and Pitts discovered that the node was actively patching any binaries he downloaded with a piece of malware. He downloaded binaries from a variety of sources, including Microsoft.com, and each of them came loaded with malicious code that opens a port to listen for commands and starts sending HTTP requests to a remote server.
Pitts informed officials at the Tor Project, who quickly flagged the exit node as bad.
"We've now set the BadExit flag on this relay, so others won't accidentally run across it. We certainly do need more people thinking about more modules for the exitmap scanner. In general, it seems like a tough arms race to play," Roger Dingledine, one of the original developers of Tor, wrote in a message on a Tor mailing list Friday.
In terms of defending against this sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators.
"SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted," he said via email.
Pitts said that the relay in Russia was the only one he found that was exhibiting this malicious behavior, but that doesn’t mean it’s not happening elsewhere.
“Out of over 1110 exit nodes on the Tor network, this is the only node that I found patching binaries, although this node attempts to patch just about all the binaries that I tested. The node only patched uncompressed PE files. This does not mean that other nodes on the Tor network are not patching binaries; I may not have caught them, or they may be waiting to patch only a small set of binaries,” he said.
This isn’t the first time that attackers have been found using such an attack in the wild. In 2012 the Flame malware was seen using a complicated technique that involved the attackers using a forged Microsoft certificate to impersonate a Windows Update server and distribute Flame to more users. That attack involved a lot of moving parts and was a highly targeted attack, whereas the Tor attack Pitts found is applicable to a much wider potential population.
“The problem of modified binaries is not limited to Tor. We highlight the example because of some of the misconceptions people have about Tor providing increased safety. In general, users should be wary of where they download software and ensure they are using TLS/SSL. Sites not supporting TLS/SSL should be persuaded to do so,” Pitts said.
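The check that Pitts' exitmap module performs, reduced to its core as an added example that is neither exitmap's code nor Pitts' patchingCheck.py: fetch the same file through each exit, compare what comes back against a reference copy obtained over a trusted channel, and report where the bytes first diverge. The "exits" here are constructed functions standing in for downloads routed through real relays, the reference binary is a constructed stand-in for an uncompressed PE file, and the exit names and the patch payload are invented.

```python
import hashlib
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a small uncompressed PE file: 'MZ' magic followed by filler bytes.
REFERENCE_BINARY = b"MZ" + bytes(range(256)) * 4

# Constructed stand-in for injected code; the real relay's payload opened a listening port
# and beaconed over HTTP, which this example does not reproduce.
PATCH_PAYLOAD = b"\x90" * 8 + b"<listener+beacon stub>"


def honest_exit(data: bytes) -> bytes:
    """Models a relay that forwards the download unchanged."""
    return data


def patching_exit(data: bytes) -> bytes:
    """Models the misbehaving relay: splice a payload into the file while it is in transit."""
    return data[:64] + PATCH_PAYLOAD + data[64:]


# Exit name -> the bytes a client receives when the download is routed through that exit (constructed).
EXITS: Dict[str, Callable[[bytes], bytes]] = {
    "exit-de-01": honest_exit,
    "exit-ru-07": patching_exit,
    "exit-us-03": honest_exit,
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first byte that differs, or None if one is a prefix of the other / both equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def is_pe(data: bytes) -> bool:
    """Pitts' relay only touched uncompressed PE files, so the scanner cares about that format first."""
    return data[:2] == b"MZ"


def check_exit(name: str, fetch: Callable[[bytes], bytes], reference: bytes) -> dict:
    """Fetch the reference file through one exit and compare it byte-for-byte with the trusted copy."""
    ref_hash = sha256(reference)
    received = fetch(reference)  # in exitmap this is the download routed through the exit
    got_hash = sha256(received)
    return {
        "exit": name,
        "pe": is_pe(received),
        "patched": got_hash != ref_hash,
        "size_delta": len(received) - len(reference),
        "first_diff": first_difference(reference, received),
        "sha256": got_hash,
    }


def scan(exits: Dict[str, Callable[[bytes], bytes]], reference: bytes) -> List[dict]:
    """Run the comparison over every exit; the caller can feed flagged names to the BadExit process."""
    return [check_exit(name, fetch, reference) for name, fetch in exits.items()]


def flagged_exits(exits: Dict[str, Callable[[bytes], bytes]], reference: bytes) -> List[str]:
    return [r["exit"] for r in scan(exits, reference) if r["patched"]]


if __name__ == "__main__":
    for result in scan(EXITS, REFERENCE_BINARY):
        print(result)
```

A hash mismatch is the whole detection: the scanner needs a known-good copy, which is why the reference must be fetched over TLS or verified against a vendor signature before it is used. A relay that patches only a chosen few binaries, as Pitts warns, will pass this check for every file it leaves alone, so the set of probe files matters as much as the comparison.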
More than five years after a massive 2008 data breach, Heartland Payment Systems once again asked a federal judge to dismiss a lawsuit filed by a group of credit unions and banks, according to court documents obtained by CU Times.
In a motion filed Oct. 15 in U.S. District Court’s Houston Division, Heartland’s legal team argued that the negligence claims are barred by state laws in New Jersey, where Heartland is headquartered, and Texas, where the breach occurred.
The Princeton, N.J.-based processing giant contended that Texas economic loss doctrine should apply to the case because the core of the negligence claim - accusations that the company’s inadequate IT security measures permitted the breach – occurred at a Heartland data center in Texas, the documents said.
New Jersey’s economic loss doctrine also bars the claims, according to Heartland’s motion.
Plaintiff credit unions include the $155 million Matadors Community Credit Union of Chatsworth, Calif., the $2 billion GECU of El Paso, Texas, the $2 billion MidFlorida Credit Union of Lakeland, Fla., and the $4.2 billion Pennsylvania State Employees Credit Union of Harrisburg, Penn.
U.S. District Judge Lee Rosenthal, who is currently presiding over the litigation in Southern Texas, dismissed most of the complaints filed by the financial institutions in late 2011.
In that ruling, Judge Rosenthal ruled that the plaintiffs were not specifically protected in contracts between Heartland Payment Systems and its acquiring banks, Heartland Bank and KeyBank, and that the financial institutions were not covered in contracts between Heartland and the major card brands. The credit unions and banks appealed, targeting the negligence and responsibility for losses.
A panel of the Fifth Circuit Court of Appeals in New Orleans ruled last fall that the credit unions and banks could state a claim for negligence because the economic loss doctrine did not apply, despite the fact that the card issuers lacked a written contract with Heartland.
Litigation was then consolidated into one complaint to be heard by Rosenthal.
While the legal war wages on, Heartland Payments has been working to restore its image and launch new products.
The company recently unveiled a new service called Heartland Secure, which utilizes encryption, tokenization and a proprietary EMV-compliant point-of-sale terminals, according to Heartland’s website.
A group of New Jersey lawmakers said recent data breaches at Staples, Home Depot, Target and others have exposed a glaring loophole in the state's identity theft laws that they want to close.
On Thursday, the Assembly Consumer Affairs Committee approved a measure to help ensure that consumers are informed of security breaches made to their account.
“Consumer notification is critical. If there’s a time where information is going to be compromised we want the consumer to know exactly what has been compromised,” said Assemblyman Troy Singleton (D-Mount Laurel).
Current law requires businesses to disclose breaches involving personal information such as Social Security numbers, addresses, driver's license numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
The legislation co-sponsored by Singleton would also require companies to tell consumers if their user names, email addresses or security questions and answers that allow access to an online account have also been compromised in a data breach.
“We want to be in a position to be proactive and say, ‘If this happens let the consumer know everything.’ Any time there’s a breach of security everyone should know everything that happened and I think that’s what we want to encourage,” Singleton said.
Between 2005 and 2014, there have been 4,695 breaches exposing 633 million records, according to the Identity Theft Resource Center, a nonprofit organization that provides identity theft information to consumers. The average cost of a breach to an organization is estimated at $3.5 million.
It’s clear consumers are concerned about data breaches.