Chip and Pin Bank Cards

US banks are finally rolling out a new and more secure type of debit and credit card technology that should strengthen their security. Currently, cards use a magnetic strip that holds the card number and expiration date. This provides very little security, since the card number is transmitted through the point of sale device and the magnetic strip makes it easy to clone a credit card with stolen information. EMV “smart cards” (the technology is a joint effort of Europay, MasterCard, and Visa) have a built-in chip that replaces the functionality of the magnetic strip. However, the chip provides much more security because every time it is used, it generates a one-time transaction code that is cryptographically signed and transmitted. This means that if thieves are able to skim a point of sale terminal or hack into a retailer’s network, the codes they steal are worthless. This could have prevented much of the damage caused by breaches like Target’s, where millions of card numbers were stolen.

These EMV cards are not exactly new technology, since they have been available since the early 2000s and most of the rest of the world has already adopted them as the gold standard. The rollout in the US has been very slow because of the great cost of issuing new cards and upgrading point of sale terminals at retail locations. However, with identity theft and credit card fraud at an all-time high, the credit card companies are pushing for the new, more secure technology. They are forcing retailers to transition to EMV chip and PIN terminals by setting a deadline of October 1st, 2015. After that, any company that accepts credit and debit card payments but doesn’t have chip and PIN readers in place could face increased liability and fines for fraudulent transactions incurred if card data is stolen from them.
Author: Charles Leavitt

Source: http://www.wired.com/2015/04/hacker-lexicon-chip-pin-cards/
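
The difference between static magnetic-strip data and the chip's one-time code can be shown with a small simulation. This is an added example, not part of the original post: the card number, key, `Issuer` class and the use of HMAC-SHA256 in place of the EMV cryptogram algorithm are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: card number and per-card secret are made up.
PAN = "4000001234567890"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def cryptogram(key, pan, atc, amount_cents, nonce):
    """Chip side: MAC over this transaction's data (HMAC stands in for the EMV MAC)."""
    msg = f"{pan}|{atc}|{amount_cents}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer side: knows each card's key and the highest counter it has accepted."""

    def __init__(self):
        self.keys = {PAN: CARD_KEY}
        self.last_atc = {PAN: 0}

    def authorize_magstripe(self, pan):
        # Static data only: anything that presents a known PAN is accepted.
        return pan in self.keys

    def authorize_chip(self, pan, atc, amount_cents, nonce, mac):
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or counter already used (replay)
        expected = cryptogram(key, pan, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, mac):
            return False  # data altered or produced without the card key
        self.last_atc[pan] = atc
        return True


def demo():
    issuer = Issuer()
    nonce = os.urandom(4)  # terminal's unpredictable number
    mac = cryptogram(CARD_KEY, PAN, 1, 2599, nonce)
    return {
        "magstripe_replay": issuer.authorize_magstripe(PAN),
        "chip_first_use": issuer.authorize_chip(PAN, 1, 2599, nonce, mac),
        "chip_replay": issuer.authorize_chip(PAN, 1, 2599, nonce, mac),
        "chip_changed_amount": issuer.authorize_chip(PAN, 2, 99999, nonce, mac),
    }


if __name__ == "__main__":
    print(demo())
```

The issuer accepts the first chip transaction but rejects the same code presented again or attached to a different amount, while the static card number alone is accepted every time.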

USPS Hacker Attack

USPS, the United States Postal Service, has recently reported that hackers have been taking data from the service for over eight months. They have reported that the personal data of over eight hundred thousand employees has been taken, along with the data of 3 million customers. Spokesmen for USPS have said that there is no information indicating that this data has been exploited.

USPS is currently working with the FBI to investigate the breach. They are also taking measures to improve security by upgrading their current servers with added security measures. USPS spokesmen have also said that their systems are still at risk and that the hackers may still be in the system, along with malware that may be hidden and awaiting commands to activate.

There is some small speculation about who initiated the attack, but USPS stated that their focus is not on who carried out the attack but rather on protecting their systems and customers. They have offered a year’s worth of credit monitoring for their employees, and they have recommended that customers pay attention to their bank accounts and change the passwords they use on accounts that have sensitive information.

Source: http://www.technewsworld.com/story/81337.html

CurrentC Hacked Before It Is Even Launched

CurrentC is a mobile payment system slated for release in 2015 that is meant to compete with Google Wallet and Apple Pay. On October 30, Merchants Customer Exchange (MCX), the organization behind the smartphone app, informed its beta testers that their database had been hacked and that users’ email addresses had been compromised. Unlike Google Wallet and Apple Pay, CurrentC uses a completely different system that relies on QR codes instead of NFC to make financial transactions. It also does not allow you to pay using a credit card and instead links directly to your checking account. The system is being backed by many retail giants since it would allow them to avoid paying credit card transaction fees. Although no financial information was leaked during this breach, this is still a huge cause for concern for many people since CurrentC requires you to enter your bank account information and social security number. It also does not help that Kmart, Lowe’s, Target, and several other companies that are members of MCX have already experienced data breaches of their own over this past year.

Source: http://www.pcworld.com/article/2841032/currentc-is-doa-before-its-even-launched.html

-Chris Jones

JPMorgan Chase Bank Hacked

JPMorgan, the largest bank in the United States, was hacked over the summer. Earlier this year we saw reports that a hack had potentially occurred and the perpetrators were Russian, and back in August the bank made a statement that it was cooperating with law enforcement officials over the suspected incident, which happened in July.

Just a few days ago, it was revealed that a hack had actually occurred. The damage? 76 million households and 7 million small businesses had their information stolen during the breach.

Interestingly, this comes during a string of other attacks targeting other banking organizations in the United States, and after the attacks on Target and Home Depot.

While JPMorgan states that no financial data has been obtained by the hackers, the user contact information compromised included names, addresses, phone numbers, email addresses and internal customer data. There’s no evidence, however, that account numbers, passwords, user IDs, dates of birth or Social Security numbers were compromised. Further, there has been no fraud seen related to the breach, and JPMorgan has said that customers are not liable for any fraudulent charge.

Even without any direct banking information being compromised, JPMorgan fears that the hackers will come back with a wave of spear phishing attempts and seeks to push awareness of such an attempt – along with other methods – to the forefront of customer minds.

A JPMorgan official says: “Customers of all banks should be more worried about identity theft, that someone in Eastern Europe or Russia or elsewhere steals your identity to get a credit card to say, buy a car or any other item.”

This person notes that “JPMorgan along with all other banks has teams of workers specifically monitoring both customer credit and debit card accounts to detect and stop fake charges as well as cyber hacking activity.”

Thankfully they, along with the FBI, are working on the case. They had better be.

http://www.cnet.com/news/jpmorgan-cyberbreach-exposed-contact-info-for-75m-households/

http://www.foxbusiness.com/industries/2014/10/06/jpmorgan-bracing-for-spear-phishing-campaign-sources/

Home Depot contains malware, but not before 56 million cards were impacted.

A few weeks ago, there was evidence that Home Depot had a security breach when credit cards were put up for sale on a black market website. This was already covered by this blog in this post. Since then, Home Depot has not only confirmed a breach, but also that it had existed from April to September 2014. The release also says that the malware was found in American and Canadian stores, installed in the self-checkout machines, and that these have been removed from use. There were no signs of data breaches in normal checkout machines, Mexican stores, or the American or Canadian online websites. Despite card information being compromised, there were no signs that PIN numbers were recorded. Home Depot also finished installing enhanced encryption in U.S. stores on September 15, and Canadian stores are expected to be finished in early 2015. The breach was closed, but only after 56 million cards were affected. The malware used in this breach was reported not to have been seen in other attacks; however, there are signs that this breach was carried out by the same group of hackers responsible for Target last year. According to Krebsonsecurity.com, the thieves were stealing card information up to five days after the first signs of the breach on September 2nd. As of September 22, 2014, Home Depot holds the record for the largest retail card breach. Second place goes to TJX with 45.6 million cards, and third place goes to Target with 40 million.

-David Mauriello