Monday, October 27, 2014
For my Intro to Computer Security students. Why wait for banks to issue the “Next Generation” of credit cards? Use the security of “Chip-enabled” cards to guarantee payment.
‘Replay’ Attacks Spoof Chip Card Charges
An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.
Over the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.
The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard’s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.
The most frustrating aspect of these unauthorized charges? They’re far harder for the bank to dispute.
… However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.
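As an added illustration for the students (this is not code from the article or from this blog, and all account and transaction records in it are constructed sample data, not real card data), here is the kind of screen an issuer’s authorization host could run so that a transaction merely *labelled* as chip-enabled is not treated as one. It checks two things the story makes obvious: a chip transaction cannot be genuine on an account the bank never issued a chip card to, and an online EMV chip authorization carries an application cryptogram for the issuer to verify, so a “chip” request with no cryptogram is just a claim by whoever submitted it. The `entry_mode` strings and the `cryptogram_present` flag are simplifications I made up for the example; a real host would work from ISO 8583 fields and would also verify the cryptogram itself with the issuer key.

```python
"""Issuer-side screen for 'chip' authorizations on accounts with no chip card.
Added example; all records below are constructed, not real card data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CardProfile:
    """What the issuer knows about one account (constructed fields)."""
    account_ref: str      # tokenized account reference, never a raw PAN
    chip_issued: bool     # has this account ever been sent a chip card?
    home_country: str     # cardholder's country, ISO 3166 alpha-2


@dataclass(frozen=True)
class AuthRequest:
    """One authorization request as the issuer's host sees it (constructed)."""
    auth_id: str
    account_ref: str
    amount_usd: float
    merchant_country: str
    entry_mode: str           # "chip", "magstripe" or "keyed" (simplified; assumption)
    cryptogram_present: bool  # did an EMV application cryptogram arrive with the request?


def screen(auth: AuthRequest, profiles: dict[str, CardProfile]) -> list[str]:
    """Return the reasons to decline this request; an empty list means no finding."""
    profile = profiles.get(auth.account_ref)
    if profile is None:
        return ["unknown_account"]
    reasons: list[str] = []
    if auth.entry_mode == "chip":
        # Core check from the story: the bank never issued this account a chip
        # card, so a chip-read transaction on it cannot be real.
        if not profile.chip_issued:
            reasons.append("chip_entry_on_non_chip_account")
        # An online chip authorization carries a cryptogram for the issuer to
        # validate; without one, the chip flag is only the submitter's claim.
        if not auth.cryptogram_present:
            reasons.append("chip_entry_without_cryptogram")
    return reasons


def screen_batch(auths: list[AuthRequest],
                 profiles: dict[str, CardProfile]) -> dict[str, list[str]]:
    """Screen a batch and return {auth_id: reasons} for every flagged request."""
    flagged: dict[str, list[str]] = {}
    for auth in auths:
        reasons = screen(auth, profiles)
        if reasons:
            flagged[auth.auth_id] = reasons
    return flagged


# Constructed sample data: one account with no chip card, one with a chip card.
PROFILES = {
    "acct-001": CardProfile("acct-001", chip_issued=False, home_country="US"),
    "acct-002": CardProfile("acct-002", chip_issued=True, home_country="US"),
}

SAMPLE_AUTHS = [
    # the pattern in the story: 'chip' transaction from Brazil on a non-chip account
    AuthRequest("a1", "acct-001", 212.40, "BR", "chip", cryptogram_present=False),
    # an ordinary swipe on the same account: nothing to flag
    AuthRequest("a2", "acct-001", 41.10, "US", "magstripe", cryptogram_present=False),
    # a genuine chip transaction on a chip-issued account
    AuthRequest("a3", "acct-002", 99.00, "US", "chip", cryptogram_present=True),
    # chip claimed on a chip-issued account, but no cryptogram supplied
    AuthRequest("a4", "acct-002", 300.00, "BR", "chip", cryptogram_present=False),
    # account the issuer has no record of
    AuthRequest("a5", "acct-999", 5.00, "US", "keyed", cryptogram_present=False),
]


def flagged_sample() -> dict[str, list[str]]:
    """Run the screen over the constructed batch."""
    return screen_batch(SAMPLE_AUTHS, PROFILES)


if __name__ == "__main__":
    for auth_id, reasons in flagged_sample().items():
        print(auth_id, ", ".join(reasons))
```

The point for the class: the liability shift is keyed to the transaction *type*, so the issuer, not the network, has to be the one that refuses to take the type at face value. The second check matters even once chip cards are issued, since a forged “chip” request on a real chip account (a4 above) has no cryptogram to validate.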
(Related) I can see how this could be used to suck cash from your bank account. (I can create my own QR code and tie it to my account in Brazil.) Since it comes through your phone, will you be liable?
Dirty Tactics Thwart Mobile Payments
… Rite Aid and CVS have actively disabled NFC (near-field communication) card readers in their stores to prevent customers from using Apple Pay, Google Wallet, and other mobile payments platforms. It has to be assumed this is a bid to keep CurrentC from being surplus to requirements even before it launches in 2015.
CurrentC works differently from Apple Pay, with the customer scanning a QR code into their phone to have the payment taken directly from their bank account. This is designed to cut credit card companies (and their processing fees) out of the equation. Which is why no banks are backing CurrentC.
Also for my Computer Security students. This will be a big concern for most companies. The article suggests a couple of approaches, but consider what would work for you.
What Employees Want vs. What IT Wants - The Venn Diagram that Doesn't Overlap
… A large part of what employees want is the ability to do their jobs more efficiently. They want to be able to collaborate internally and externally, and share content. They want to use the devices they need to get their jobs done, and they want to work from Starbucks, from their kid’s soccer field practice and in a hotel room.
… IT, on the other hand, is responsible and accountable for the availability and security of the business, and the easiest way to do that is to limit the avenues of risks. But, sometimes, this backfires. Locking down corporate mobile devices encourages employees to use their own mobile devices in search of productivity. Forcing users to access cloud services through a VPN defeats the agility of these services by making them slow and thus also encourages circumvention.
For my Ethical Hackers: This is not a replacement for Uber! (Strange that data on how the reprogramming equipment is used is not reported back to the manufacturer, like all other IoT devices.)
Keyless cars 'increasingly targeted by thieves using computers'
Organised criminal gangs are increasingly targeting high-end cars with keyless security systems, a motoring industry group has warned.
The thieves are acquiring equipment intended only for legitimate mechanics, the Society of Motor Manufacturers and Traders (SMMT) said.
Manufacturers are trying to stay ahead of the thieves by updating software.
It has been reported that some London-based owners of Range Rovers have been denied insurance over the issue.
… "The challenge remains that the equipment being used to steal a vehicle in this way is legitimately used by workshops to carry out routine maintenance," a spokesman said.
"As part of the need for open access to technical information to enable a flourishing after-market, this equipment is available to independent technicians. However a minority of individuals are exploiting this to obtain the equipment to access vehicles fraudulently.
A challenge for my Computer Forensics students.
Devices being remotely wiped in police custody
All the data on some of the tablets and phones seized as evidence is being wiped out, remotely, while they are in police custody, the BBC has learned.
Cambridgeshire, Derbyshire, Nottingham and Durham police all told BBC News handsets had been remotely "wiped".
And Dorset police said this had happened to six of the seized devices it had in custody, within one year.
The technology used was designed to allow owners to remove sensitive data from their phones if they are stolen.
"If a device has a signal, in theory it is possible to wipe it remotely," said Ken Munro, a digital forensics expert with Pen Test Partners.
This sounds a bit like a straight line, but it is clearly another “Big Data can make new businesses” story.
Big Data, Dumpster Diving and the New Ethics of Waste Management
New York Times: “Rubicon, based in Atlanta, isn’t in the business of hauling waste. It doesn’t own a single truck or landfill. Rather, companies hire it as a kind of waste consultant. It begins by holding an online bidding process for its clients’ waste contracts, fostering competition among waste management businesses and bringing down their prices…. Though unscientific, Dumpster-diving remains the primary way that those in waste management analyze their customers’ trash. “It’s literally: Here’s paper, here’s a cup, here’s books, here’s e-waste,” explained Ms. Beason, who has spent 25 years rummaging around Dumpsters in various waste management jobs… Mr. Morris says he believes that the future of the trash business lies in data. And Rubicon collects all sorts of it: the value per ton and per cubic yard of various materials, in various regions; the volume of clients’ waste; how often that waste is removed; which haulers are servicing which locations for which clients, and so on. The data lives in Rubicon’s proprietary software platform, called Caesar. (Mr. Morris, a fan of the classics, sees in Julius Caesar’s irrevocable river crossing “a fantastic story of disruption.”) One of Rubicon’s most basic data applications is simply to determine whether a client can have its garbage picked up less often. Because haulers traditionally charge per visit, they have an incentive to empty Dumpsters even when they’re only half full. Rubicon sees emerging technologies as creating opportunities to reduce such inefficiencies. It is experimenting, for instance, with a sonar-equipped device that measures whether a Dumpster is full…. Even more grandly, Mr. Morris has said he would like all of his clients to divert 100 percent of their waste from landfills by 2022. Reaching such a goal would seem a threat to companies like Waste Management that are heavily invested in landfills. 
Yet Waste Management doesn’t appear to be worried about Rubicon, or to think a future without landfills is near.”
Not all of this is free.
Elsevier Adds Five New Subject Areas to Legacy eBook Collection
News release: “Elsevier, a world-leading provider of scientific, technical and medical information products and services, today announced it added five new subject areas to its Legacy eBook Collection on ScienceDirect. The Legacy Collection consists of digitized, classic scholarly book content, now including nearly 13,000 books. The new subject areas are arts and humanities; computer science; economics, econometrics and finance; immunology and microbiology; and mathematics. In addition, there are newly digitized books in the engineering and the biochemistry, genetics, and molecular biology collections. The Legacy Collection includes books with contributions from notable authors like leading business management thinker Peter Drucker, and Nobel Laureates such as Lev Davidovich Landau, George Olah, Peter Diamond and Sir Frank McFarlane Burnet. For the first time, the books in the Elsevier’s Legacy Collection are also being made available to more than 70 third-party ebook distributors. Customers can purchase these revived titles through online retailers or through library ebook service providers.”