Friday, October 10, 2008

Think of it as an easy way to get back at the boss...

http://www.pogowasright.org/article.php?story=20081009103435719

Colorado state Web site dishes out SSNs of top execs

Thursday, October 09 2008 @ 10:34 AM EDT Contributed by: PrivacyNews

The Web site of the Colorado Secretary of State is making available the Social Security numbers and other personal data of numerous CEOs, company chairmen, presidents, board members and other senior executives at some of the country's largest companies, a privacy advocate said.

The documents containing the information were discovered by Betty "BJ" Ostergren, a privacy advocate based in Hanover County, Va. For the past several years, Ostergren has been trying to get state and local governments to redact public documents before posting them online.

Source - Network World

[From the article:

Less than two weeks ago, an appeals court in Ohio ruled that a woman whose identity was stolen after an image of a speeding ticket containing her personal information was posted on her county's Web site can sue the official responsible for putting the record online.



"We don't need no stinking details!"

http://www.pogowasright.org/article.php?story=20081009124322811

Insider theft at AmeriCredit results in ID theft for customers

Thursday, October 09 2008 @ 12:43 PM EDT Contributed by: PrivacyNews

On September 25, AmeriCredit notified the New Hampshire Attorney General's office that a customer service employee at an unspecified facility had removed and misused the personal information of a "small number of customers" to purchase items on credit. Other customers' data were accessed, but may not have been misused.

Despite the safeguards AmeriCredit had in place, they apparently did not detect the breach and first became aware of the problem after a customer contacted law enforcement to report identity theft. The resulting investigation by law enforcement uncovered the breach.

In response to the incident, AmeriCredit reports that:

.... we have secured robust protection and credit monitoring for those who were affected. AmeriCredit has hired ID Experts to provide a one-year membership in their identity theft protection and restoration program. The service includes a dedicated toll free number for members of the affected class to call, a website dedicated to this event, twelve (12) months of credit monitoring, as well as fraud restoration services and a $30,000 insurance reimbursement component should anyone experience identity theft as a result of this incident. More robust measures are being provided to those few individuals whose identity was more likely used by the former employee, including twenty-four (24) months of credit monitoring and additional recovery services. This membership is paid for entirely by AmeriCredit.



Come learn security from us!

http://www.pogowasright.org/article.php?story=20081009183317700

Verizon exposes the wrong 1,200 e-mail addresses

Thursday, October 09 2008 @ 06:33 PM EDT Contributed by: PrivacyNews

This should be a vendor's first rule when inviting 1,200 IT pros to a seminar about securing data and protecting personal information: Make sure you protect the personal information of the 1,200 professionals you're trying to impress.

How did Verizon do in that regard on Tuesday? It failed miserably . . . and not just once.

Source - Network World

[From the article:

"Considering their content [about data-breach seminars], I thought it very humorous that the TO: field of the e-mails contained over 1,200 e-mail addresses:

... "You've got to be kidding," he wrote to the Verizon guy shortly thereafter. "I have received seven more duplicates after this response."

Verizon again: "We [are] having issues with our [Microsoft] Exchange server, and I am working with our help desk to correct the problem. I apologize for the inconvenience."

Verizon's "Secure the Information" lecture series includes a segment called, "Are you prepared for data loss?"

I presume that's where the company will be covering the art of the apology.



It's the little things that trip you up.

http://www.pogowasright.org/article.php?story=20081010074036949

FL: Police arrest identity theft suspect

Friday, October 10 2008 @ 07:40 AM EDT Contributed by: PrivacyNews

Police say a seasoned identity thief finally got caught because she tried to run her crime in this small community.

Stuart Police arrested Jermica Sykes and her boyfriend, Chad Knight, on charges of identity theft.

... "It was a pretty sophisticated operation," says Detective Sergeant Bill Pecci. "Jermica was able to access different accounts over the internet and working with multiple people around the state was able to obtain date of birth, social security numbers, account information for people everywhere and ultimately get credit cards sent to an address where they could receive them, and she also made new checks, checkbooks under these people's name."

.... Police say there could be 4,500 victims.

Source - WPTV.com

[From the article:

Investigators say Sykes then rented two apartments at two different complexes, Pineapple Cove and Coquina Cove, also claiming to work for the Miami-Dade Corrections Department.

The complexes are both managed by the same company. [and they actually looked at the data they collected! Amazing! Bob]

The landlords got suspicious, went inside the apartment at Pineapple Cove and found evidence of identity theft.

... Sykes told police she was making about $16,000 a month for selling the stolen information.



Tools & Techniques: A well done article!

http://news.cnet.com/8301-10789_3-10062529-57.html?part=rss&subj=news&tag=2547-1_3-0-5

High-tech bank robbers phone it in

Posted by Robert Vamosi October 9, 2008 4:37 PM PDT

Your ordinary bank robber can now steal hundreds of account numbers from ATMs without so much as lifting a finger. Instead, he skims.

Skimming is the physical use of secondary readers to capture the magnetic tracks on the backs of credit and debit cards. On ATMs, skimmers and secondary keypads are used to capture account numbers and PINs. Often, the ATM transaction goes through, and the customer doesn't realize that the account has been compromised until later.

Two risks these high-tech criminals face are being caught fitting a faux cover over an ordinary ATM card slot and keypad, then later retrieving the skimmers in order to get the account information.

With the arrest last week of "Chao," a Turkish ATM skimmer, comes new information on the lifestyles of modern bank robbers, including details on new devices that send captured account data via SMS to their smartphones.

For about $8,000, skimmers can have their own ATM overlay capable of transmitting 1,856 cards via SMS. Bulk pricing is available. And if they don't want the information sent card by card, they can dial into the device and download the data at their convenience. [Ain't technology wonderful!? Bob]

You're probably saying, "wait, I'd notice the compromise." Not so fast. These guys are good. Very good. See the photos of a compromised ATM machine on Snopes.com. Or watch this video to see how ATM skimming with SMS was accomplished last year in Pennsylvania.

Skimming got its start in South Africa, [News to me... Bob] and since 2004, there have been a handful of noteworthy cases in the United States, affecting ATMs in Seattle, San Francisco, Los Angeles, and Austin, Texas. Late last year, Citibank replaced debit cards for its Manhattan customers because of a skimming operation there.

Last February, during a presentation by Billy Rios and Nitesh Dhanjani at the Black Hat conference in Washington, I saw a photograph of a warehouse full of ATM card input overlays from one of the criminal enterprises they stumbled upon. You want black? They got black. You want beige? They have that. What about white or gray? Covered.

Industry standardization of ATM readers makes it easier for criminals to copy, so a bank robber needs only to match the look and style. A second photo showed boxes of keypad overlays. Large. Small. Again, you need only to match the look and style.

Once the account information is captured, the criminals tend to burn it onto blank magnetic stripe cards (ISO standard 7810), then use it at ATMs worldwide.

How are they able to fool so many people? In a blog on ZDNet, Dancho Danchev speculates that there might be some collusion with individuals working with ATM manufacturers. His blog is full of details from a site offering these overlays.

There is a downside to having the SMS service. As with a cell phone, the devices need batteries, which wear out. [Solar Power! Bob] And some SMS transmissions simply fail. Still, if a criminal gets 1,500 bank account numbers, I don't think they're going to mind.



Tools & Techniques: The used book store at the local library has a couple hundred LPs for 50 cents each. Here is a step-by-step conversion guide... (I wonder if my students know what LPs are?)

http://howto.wired.com/wiki/Convert_LPs_Into_MP3s

Convert LPs Into MP3s
