Thursday, December 30, 2010

Just a quick heads-up!

Data Privacy Day 2011 is January 28th – Mark Your Calendars!

December 29, 2010 by Dissent

Whether you call it Data Privacy Day in the U.S., or European Privacy & Data Protection Day, mark your calendars for January 28, 2011!

Here are some privacy-related events going on that week. Most are free; but a $ symbol indicates that there’s a registration fee.

[Here's the one we can walk to...]

The Privacy Foundation (Sturm College of Law, U. of Denver): World Privacy Lunch

Details to be Announced

Another case of “We make it so convenient, anyone can get your money!” After all, how can you prove it wasn't you?

ID thieves zero in on home equity lines of credit

December 29, 2010 by admin

Dan Browning reports:

Burnsville resident Mike Calcutt says he was stunned last March when he learned that someone had run up nearly $90,000 in unauthorized charges on his home equity line of credit account at Affinity Plus Federal Credit Union.

His shock turned to anger when the credit union informed him that he’d have to repay the money.


Turns out, Affinity Plus let someone set up telephonic banking privileges on his account, Calcutt said. Then someone executed a series of nine transfers — each just below $10,000 — from his credit line to his savings account. And finally, someone got the credit union to wire the money to a drop account in Boston, from which it has disappeared.

Read more in the Star Tribune, where Browning also reports on other similar cases.

Related: Complaint in Calcutt v. Affinity Plus

For my Ethical Hackers...

At what point do companies (and governments) go beyond ignorance?

Unsmart Investments in Smartcards

Let this be a lesson for companies implementing smartcard systems: If you don’t want people creating money from nothing, pay attention to the security research before investing.

… Taipei’s EasyCard system has been in place since 2001, largely as a means of paying for the subway, bus, taxis and parking. It has also been widely known to use a smartcard system called MIFARE Classic, produced by NXP Semiconductors, the security of which was publicly demonstrated to be broken by CCC members at their annual congress three years ago.

This break is no secret. It was publicized at the time, is noted on Wikipedia, and the issue was noted by NXP itself on its Web site, which today says the MIFARE Classic offers “basic levels of data security.”

… Welte knew the MIFARE system was weak. That isn’t necessarily a problem — if, say, someone tries to hack a $50 dollar card to read $500, but there’s a backend server verification check that says this card is only supposed to have $50, the problem is more or less solved.

… The city government and EasyCard know about the problem, he said. Taiwanese researchers have tried to warn them, and the research is publicly available online. The problem is companies trying to rely on “security through obscurity” — using proprietary but unsafe encryption — and trying to save money by not investing in solid security.
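The backend verification check mentioned in the excerpt above, sketched as an added example (not code from the article, EasyCard or NXP). The class, card ID and amounts are constructed, and it assumes top-ups are recorded online while fares from offline readers may settle later:

```python
from dataclasses import dataclass, field

@dataclass
class ShadowLedger:
    """Server-side record of each card's value in cents (hypothetical design)."""
    balances: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def top_up(self, uid: str, cents: int) -> None:
        # Assumption: top-ups happen at online terminals, so the ledger sees all of them.
        self.balances[uid] = self.balances.get(uid, 0) + cents

    def settle(self, uid: str, card_balance: int, fare: int) -> tuple:
        """Check one reader-reported fare against the ledger; return (accepted, reason)."""
        if uid in self.blocked:
            return False, "card blocked"
        if uid not in self.balances:
            self.blocked.add(uid)
            return False, "unknown card"
        ledger = self.balances[uid]
        # Unsettled offline fares can make the card read LOWER than the ledger.
        # A card reading HIGHER holds value the backend never issued.
        if card_balance > ledger:
            self.blocked.add(uid)
            return False, f"balance mismatch: card {card_balance} > ledger {ledger}"
        if fare > ledger:
            return False, "insufficient funds"
        self.balances[uid] = ledger - fare
        return True, "ok"

if __name__ == "__main__":
    ledger = ShadowLedger()
    ledger.top_up("CARD-A", 5000)                 # constructed: a $50 card
    print(ledger.settle("CARD-A", 5000, 300))     # honest card, $3 fare
    print(ledger.settle("CARD-A", 50000, 300))    # card edited to read $500
    print(ledger.settle("CARD-A", 4700, 300))     # blocked from now on
```

The card's stored value is treated as a claim to be checked; the ledger decides what the card is worth.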
