Taking advantage of “an App for that!” Making life easier for
customers sometimes makes it easier for hackers too.
SMS Phishing + Cardless ATM = Profit
… A number of financial institutions are now
offering cardless ATM transactions that allow customers to withdraw
cash using nothing more than their mobile phones. But this also
creates an avenue of fraud for bad guys, who can leverage phished or
stolen account credentials to add a new phone number to the
customer’s account and then use that added device to siphon cash
from hijacked accounts at cardless ATMs.
In May 2018, Cincinnati, Ohio-based financial institution Fifth Third Bank began hearing complaints from customers who were
receiving text messages on their phones that claimed to be from the
bank, warning recipients that their accounts had been locked.
The text messages contained a link to unlock their
accounts and led customers to a Web site that mimicked the legitimate
Fifth Third site. That phishing site prompted visitors to enter
their account credentials — including usernames, passwords,
one-time passcodes and PIN numbers — to unlock their accounts.
All told, that scam netted credentials for
approximately 125 Fifth Third customers — most of them in or around
the Cincinnati area. The crooks then used the phished data to
withdraw $68,000 from 17 ATMs in Illinois, Michigan, and Ohio in less
than two weeks using Fifth Third’s cardless ATM function.
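The fraud pattern described above has a clear defender-side signature: a phone is newly enrolled on an account and cardless withdrawals follow within hours, often far from the customer's home area. The following is an added example (not code from the article or from Fifth Third) of a detection rule that runs over a bank's event feed; the event fields, account identifiers, home-state table and sample rows are all constructed for illustration.

```python
"""Flag the 'enroll a new phone, then drain the account at cardless ATMs' pattern.

Added example, not from the article. It assumes the bank keeps an event feed of
device enrollments and cardless withdrawals; all field names, identifiers and
sample rows below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    kind: str          # "device_enrolled" | "cardless_withdrawal"
    device: str        # identifier of the phone the action came from
    state: str = ""    # US state of the ATM (withdrawals only)
    amount: float = 0.0


@dataclass
class Alert:
    account: str
    device: str
    reasons: list = field(default_factory=list)
    total: float = 0.0


# Constructed sample data: the state in which each account was opened.
HOME_STATE = {"acct-1001": "OH", "acct-2002": "OH"}

# Constructed sample events. acct-1001 shows the takeover pattern; acct-2002 is benign.
SAMPLE_EVENTS = [
    Event("acct-1001", datetime(2018, 5, 3, 21, 10), "device_enrolled", "phone-9f3a"),
    Event("acct-1001", datetime(2018, 5, 4, 1, 5), "cardless_withdrawal", "phone-9f3a", "IL", 500.0),
    Event("acct-1001", datetime(2018, 5, 4, 3, 40), "cardless_withdrawal", "phone-9f3a", "MI", 500.0),
    Event("acct-1001", datetime(2018, 5, 5, 2, 15), "cardless_withdrawal", "phone-9f3a", "OH", 500.0),
    # Long-standing device, one local withdrawal months after enrollment.
    Event("acct-2002", datetime(2018, 1, 9, 12, 0), "device_enrolled", "phone-1c22"),
    Event("acct-2002", datetime(2018, 5, 4, 9, 30), "cardless_withdrawal", "phone-1c22", "OH", 100.0),
]


def find_suspicious_withdrawals(events, home_state,
                                enroll_window=timedelta(hours=72),
                                total_threshold=1000.0):
    """Return one Alert per (account, device) whose cardless withdrawals were made
    within `enroll_window` of that device being enrolled and either happened
    outside the account's home state or add up to more than `total_threshold`."""
    enrolled_at = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "device_enrolled":
            enrolled_at[(e.account, e.device)] = e.ts

    per_device = defaultdict(list)
    for e in events:
        if e.kind == "cardless_withdrawal":
            per_device[(e.account, e.device)].append(e)

    alerts = []
    for (account, device), withdrawals in per_device.items():
        ts0 = enrolled_at.get((account, device))
        if ts0 is None:
            continue  # never-enrolled device: a separate control should block it outright
        recent = [w for w in withdrawals if timedelta(0) <= w.ts - ts0 <= enroll_window]
        if not recent:
            continue
        reasons = []
        away = sorted({w.state for w in recent if w.state != home_state.get(account)})
        if away:
            reasons.append(f"withdrawals outside home state: {', '.join(away)}")
        total = sum(w.amount for w in recent)
        if total > total_threshold:
            reasons.append(f"{total:.0f} withdrawn within {enroll_window} of device enrollment")
        if reasons:
            alerts.append(Alert(account, device, reasons, total))
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_withdrawals(SAMPLE_EVENTS, HOME_STATE):
        print(a.account, a.device, f"{a.total:.0f}", "; ".join(a.reasons))
```

The rule is deliberately keyed on the enrollment-to-withdrawal interval rather than on the phished login itself, because by the time the cash is pulled the attacker already holds valid credentials and a one-time passcode; what the bank still controls is whether a device enrolled minutes ago is allowed to withdraw at all, and a hit here is a reason to require a cooling-off period or a second channel before the new phone gets cardless ATM access.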
Now that GDPR has blazed the trail to higher
levels of punishment, expect others to follow.
One question that occasionally pops up is how
often businesses go out of business after or due to a data breach.
My answer to that is “not often,” but we do it occasionally. In
some cases, the breach may just have been a final straw for an
already shaky business.
Yesterday, during a webinar with Protenus, I
mentioned a case where the New Jersey Attorney General settled
charges against Virtua Medical Group over a breach
at their transcription vendor that impacted 1,650 patients. It
was a breach that I have reported on in the past, and I mentioned it
because it shows how even when OCR may not take enforcement action,
states can take action.
In response to this breach, Virtua Medical had
terminated its contract with Best Medical Transcription.
Today, there’s yet one more follow-up to this
case, as it appears that the NJ Attorney General’s Office also
filed charges against the transcription service itself. Stunningly,
and in one of the most severe enforcement outcomes I have ever seen,
the settlement bars the
vendor owner from ever managing or owning a business in New Jersey.
[…]
Read more on Courier
Post.
The state’s press release:
[…]
The consent judgement can be found here.
Not GDPR inspired, but another escalation. I have
to assume any retaliation would not be against Russian election
systems. What would you target?
The Pentagon has prepared a cyber attack against Russia
The U.S. intelligence community and the Pentagon
have quietly agreed on the outlines of an offensive cyber attack that
the United States would unleash if Russia electronically interferes
with the 2018 midterm election on Nov. 6, according to current and
former senior U.S. officials who are familiar with the plan.
In preparation for its potential use, U.S.
military hackers have been given the go-ahead to gain access to
Russian cyber systems that they feel is needed to let the plan unfold
quickly, the officials said.
… The existence of such a plan means that
America is more fully integrating offensive cyber attacks into its
overall military planning systems, a move likely to make cyber combat more likely and eventually more commonplace, sometimes without first gaining specific presidential approval.
Cyber attacks are now on a more obvious path, in short, to becoming a
regular currency of warfare.
… The senior official clarified that it would
be direct interference – efforts to tamper with voting registration
and recording votes – that would bring “swift and severe action.”
… According to the officials’ accounts,
military planners in the past were sometimes held back by the
intelligence community from hacking into foreign networks for fear of
compromising access that spies considered useful for collecting
information, particularly when it was uncertain whether any offensive
operation would eventually be approved. With only a small number of
skilled military hackers available, they were also hesitant to invest
time in gaining access to systems not explicitly part of an approved
strike.
… While some officials and cyber experts have
said that certain offensive cyber operations risk violating
international law, because of the possibility they might cause
collateral damage and harm civilians outside target networks,
government lawyers have approved the new approach after deciding that
letting the military hack into a foreign system is not an act of war, so long as a
cyber weapon hasn’t yet been emplaced and the specific system being
targeted isn’t actually destroyed.
Sounds too good to be true.
TSA gives green light to test new technology that can screen passengers from 25 feet away
The Transportation Security Administration has
given the go-ahead to test technology that is designed to screen
multiple airport passengers at the same time from a distance of up to
25 feet away.
… The TSA has purchased several terahertz
screening devices from Britain-based Thruvision to test in a TSA
facility near Arlington, Va.
… The screening device, which is about the size of an old-fashioned PC computer tower and weighs about 50 pounds, reads the outline of people to reveal firearms and explosives hidden under their clothes.
… the passive terahertz technology reads the energy emitted by a person, similar to thermal imaging used in night-vision goggles.
“It’s 100% passive. There is no radiation
coming out of our device,” he said. “You don’t have to stand
directly in front of the device.”
(Related) Not really much here either. That
10X14 blind spot might need some work.
Thruvision
General
- Successfully passed extensive TSA laboratory testing and operational trials programme
- Allowing users to see the size, shape and location of both metallic and non-metallic items concealed in clothing.
TAC device
- Minimum object size of 5cm x 5cm (2in x 2in) at 5m (15ft) on stationary person and 35cm x 25cm (14in x 10in) at 8m (24ft) on walking person
Perspective. How to invade the US market.
TikTok surpassed Facebook, Instagram, Snapchat & YouTube in downloads last month
Beijing-based ByteDance’s 2017 acquisition of tween and teen-focused social app Musical.ly
is paying off. The company this year merged
Musical.ly with its own short video app TikTok as a means of
entering the U.S. market. Today, the result of that merger is
sitting at the top of the U.S. App Store, ahead of Facebook. More
importantly, it recently surpassed Facebook, Instagram, YouTube and
Snapchat in monthly installs for the first time in September.
… Today, it’s ahead of Facebook (No. 7) and
Messenger (No. 5) as it sits in the No. 4 position, for example. But
it’s behind YouTube (No. 1), Instagram (No. 2) and Snapchat (No.
3).
… In June, TikTok (known as Douyin in China) reported reaching a global monthly active user count of 500 million across
150 countries and regions, which is around the time when Instagram
reached one billion monthly actives, for comparison’s sake.