Saturday, November 15, 2014

ISIS At Bottom of Hacking

Better check your mail

Word also is they are responsible for the global warming that isn't.

"Has Apple Pay arrived too late?" by Hiawatha Bray | Globe Staff   September 11, 2014

“Digital wallets” have been around for years, but who uses them? I have, once or twice, and found them uniformly lame. Perhaps the new Apple payment technology unveiled on Tuesday will finally crack the code. I’ll let you know after Sept. 19, when the new iPhone 6 with Apple Pay goes on sale.

But will consumers trust Apple Pay? Just days after iPhone photos of naked Hollywood stars were stolen and posted on the Internet, how many of us will trust the company with our most sensitive financial data?

I never saw those photos.

See: Cybersecurity firm IDs new Apple-targeting malware

Apple users warned about malware

Would you trust them?

*******

Still, Apple and a host of rival firms are convinced that we’re all waiting for the ideal digital wallet.... an Isis/Softcard account.... and I couldn’t use my Bank of America debit card with Isis.... but it paid off when I used Isis to get a candy bar at Walgreens.

It's the new coin of the realm.

******

Apple promises to make the process far less tortuous. The company laid the groundwork last year, when it added a superb fingerprint scanner to the iPhone 5s, good for unlocking the phone or buying from the App Store. Apple Pay will use fingerprint scans, not passwords or PINs. Just touch the fingerprint scanner on the phone while holding it next to the checkout terminal. It should be as easy as swiping a credit card.

ISIS will cut that thumb off.

And more secure, too, according to Apple. All financial data is encrypted, stored on the phone, and never transmitted to Apple. Instead of sending your card number, the iPhone transmits a unique transaction code for each purchase, which is then used for debiting your payment account. Even if the code is intercepted, it can never be used again. That’s the theory, anyway.

And Trey Ford, global security strategist for the Boston computer security firm Rapid7, said the use of transaction codes, instead of card numbers, should cut down on the theft of financial data.

“The market’s ripe for this,” Ford said. “I’m convinced that Apple has the resources, the relationships, and the wherewithal to build this correctly.”

But even if Apple Pay is more secure than today’s credit cards, what about tomorrow’s?

--more--"

Related: Class-action lawsuit filed against defunct baby care company

Security experts told Home Depot of hacking risk back in 2008

Related: Home Depot Was Hacked

"Home Depot says malware affected 56m payment cards" Associated Press   September 19, 2014

NEW YORK — Home Depot estimates 56 million debit and credit cards were breached in a data theft between April and September at its US and Canadian stores. That makes it the second-largest breach on record for a retailer.

The largest US home-improvement retailer said the malware used in the data breach has been eliminated and that there was no evidence debit PIN numbers were compromised or that the breach affected online shoppers.

Home Depot said it has completed a major security project that enhances encryption of customers’ data in US stores.

The information puts the breach behind TJX Cos.’s loss by theft of 90 million records, disclosed in 2007, and ahead of Target’s pre-Christmas 2013 breach, which compromised 40 million credit and debit cards.

Related: Gonzalez Can't Get Away From the Long Arm of the Law 

Ever notice all the hackers end up working for the government?

Also see: Target won’t wait for Black Friday

Home Depot’s fiscal 2014 outlook includes estimates for the cost of investigating the breach, providing credit-monitoring services to customers, increasing call center staffing, and paying for legal and professional services. The profit guidance does not include potential yet-to-be determined losses related to the breach. Those costs could include liabilities related to payment card networks for reimbursements of credit card fraud and card reissuance costs. It could also include future civil litigation and governmental enforcement proceedings.

‘‘We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,’’ said chief executive Frank Blake.

Target’s breach resulted in falling sales as shoppers worried about security, but Home Depot’s business appears intact. The reason? Customers may be growing accustomed to breaches, following a string of them this past year, including at Michaels, SuperValu, and Neiman Marcus. Home Depot might have also benefited with the timing: The disclosure came in September, long after spring, the busiest time of year for home-improvement chains.

--more--"

Related: Woman arrested in Framingham with credit card stash

Merchants and credit cards are getting safer

Sure they are.

"Staples may be the latest target in string of credit card hacks" by Jack Newsham | Globe Correspondent   October 22, 2014

With breaches of personal and financial data becoming a seemingly routine occurrence, another major retailer is looking into a possible hacking attack: Staples Inc.

The Framingham-based office-supply company disclosed Tuesday that it is investigating “a potential issue involving credit card data,” but did not release additional details.

On Monday, Brian Krebs, who writes a widely followed blog on cybercrime, reported that the attack on Staples initially appeared to be confined to several stores in Pennsylvania, New York, and New Jersey.

If the breach is confirmed, Staples would be the latest of many consumer brands that have fallen prey to hackers. Since retailer Target Corp. was hacked in late 2013, hundreds of millions of credit card records and personal records, such as names and phone numbers, have been stolen from sandwich shops, grocery stores, and financial institutions — affecting as many as 6 out of 10 Americans, according to Chester Wisniewski, a senior security analyst at the antivirus company Sophos.

“We’re not even a year out from Target and there’s been 15 or 20 major American brands breached,” said Wisniewski. “If you process cards, you definitely have a target on your back.”

Throughout 2014, consumers have been rocked by a steady drumbeat of large-scale hacking attacks. In September, Home Depot, the home-improvement supplier with 2,200 stores across the United States, said that some 56 million customers had their payment card data stolen over a five-month period.

That same month, sandwich chain Jimmy John’s said customers at 216 of its restaurants may have had their card information exposed.

In October, financial giant JPMorgan Chase & Co. said that contact information, such as phone numbers and e-mail addresses for 83 million account holders had been taken. However, the bank said thieves did not obtain even more sensitive data, such as Social Security numbers or log-in credentials of its customers.

Related: Who Hacked JPMorgan?

News reports of the JPMorgan Chase attack suggested that nine other banks were also targeted. And on Oct. 10, Illinois-based retailer Kmart said an undetermined amount of credit and debit card information was stolen by hackers.

In Massachusetts, companies reported 1,821 instances of data theft in 2013, but many of those were banks reporting individual cardholders, according to Jayda Leder-Luis, a spokeswoman for the state’s Office of Consumer Affairs and Business Regulation.

Dennis Fisher, the Boston-based editor of the Threatpost news service published by computer security firm Kaspersky Lab, said electronic payment systems have multiple points that hackers can attack.

One is at the retailer, especially if it’s using an older system. Customer information also is often routed through intermediaries, such as payment processors, which have proved vulnerable to attack.

“The fundamental problem that underlies many of these retail breaches is that once a customer swipes her card at a point-of-sale terminal or enters it online, the data is out of her control,” said Fisher. “There are so many things that can go wrong in this system, and it only takes a small mistake for an attacker to get the opening he needs.”

Credit card companies have proposed solutions to reduce the impact of data theft. Retailers and banks are switching American consumers over to credit and debit cards with chips in them that generate unique codes to secure every transaction. These so-called EMV cards are already used widely in Europe and Japan.

So that has been the ultimate goal of all this?

By October 2015, some 70 percent of American credit cards and 40 percent of debit cards are expected to contain the new technology.

Tech companies have also designed payment technologies to reduce the value of stolen payment data.

Apple Pay, the application built into the iPhone 6 that makes payments by waving a phone near a card terminal, is designed to make secure payments based on the same principle as EMV.

Some 220,000 retailers have signed on to accept Apple Pay, including Staples’s 1,800 locations.

Looks like Apple Pay is too late.

Still, controlling theft in the first place can be difficult, said Trey Ford, the global security strategist at Rapid7, a Boston-based cybersecurity firm.

“It will always be a game of cat-and-mouse,” he said. “It’s just the world we live in.”

--more--"

At least someone will be making a buck:

"Former Homeland Security chief warns of cyber threat" by Deirdre Fernandes | Globe Staff   November 05, 2014

A television commercial that shows a father shutting down his home appliances and locking his front door with a tablet computer might prompt some people to exclaim, “Cool.” But it makes former US Homeland Security Secretary Michael Chertoff slap his palm against his forehead and sing the praises of the simple metal key.

“If you can remote lock it,” Chertoff said Wednesday, “it can be remotely unlocked.”

Chertoff was the keynote speaker at a conference of cyber security specialists in Boston as the vulnerability of computer and Internet networks has become a major concern for consumers, businesses, and governments. The increase in large scale hacks on retailers, financial institutions, and even the White House illustrates that criminals, activists, and even foreign governments are looking for ways to break into networks, Chertoff said.

And the threat is growing, he added, as Americans increasingly connect to the Internet, not just to shop and watch their favorite shows, but also to control thermostats and pacemakers. “All of this should give us cause for concern,” he said.

The conference was sponsored by Advanced Cyber Security Center, a Boston-based group of business representatives, government officials, and academics who share information and research about online threats....

--more--"

I think we found the hacker:

"Apologetic New Bedford hacker gets 4-year jail sentence" by Milton J. Valencia | Globe Staff   October 28, 2014

He goes by the online monikers “cam0,” “Freak,” and “leetjones.” But you might know him as the guy who hacked Burger King’s Twitter account, to claim the fast-food chain was bought by its rival McDonald’s. He is also known as the guy who hacked Paris Hilton’s phone and publicly posted racy photos of the socialite.

On Monday, 25-year-old Cameron Lacroix apologized for his crimes, telling a federal judge that he recognized the seriousness of what he thought was innocuous computer hacking. Lacroix pleaded for mercy as he was about to be sentenced for computer fraud.

“My actions let a lot of people down,” Lacroix told US District Court Senior Judge Mark L. Wolf.

“I grew up as a person,” Lacroix said, reading from a prepared statement, his arms flailing. “I know in my head I shouldn’t be doing this.”

Lacroix, of New Bedford, pleaded guilty in June to several counts of hacking from 2012 to 2013, which included accessing the computer accounts of three professors at Bristol Community College in New Bedford and changing grades for himself and two friends. He also hacked into a local police chief’s e-mail account, and into a local police department’s database, to see if he was under investigation. Lacroix also obtained stolen credit card data from 14,000 accounts.

Wolf sentenced Lacroix Monday to four years in federal prison for those crimes.

Lacroix also has an ongoing federal case alleging that he hacked into several Twitter accounts, including accounts for Jeep and Burger King. According to court records, Lacroix has said that he plans to plead guilty to those crimes as well.

Lacroix has already served two years in state prison for credit card and gift card fraud, and he also served time in federal juvenile prison, related to hacking the phone of Paris Hilton.

Despite those past sentences, Assistant US Attorney Adam Bookbinder lamented in court Monday that Lacroix has failed “to get the message.”

“This is a person committing serious crimes,” Bookbinder said.

Lacroix’s attorney, Behzad Mirhashem, pointed out that Lacroix has been cooperating with the FBI, to teach agents how he was able to breach the various computer networks. 

Related: Hacker Helped FBI

See who is behind all the hacking

Lacroix has also been seeking treatment for depression and an opiate addiction. His lawyer said he had a tough upbringing: His mother died of a drug overdose when Lacroix was young, he had a fragile relationship with his father, and he dropped out of high school. He also sought to get high from drugs and the adrenaline of computer hacking, his lawyer said.

“He was getting the rush from the discovery that he was capable of doing these things, but he is capable of so much more,” Mirhashem told the judge.

Wolf agreed. He told Lacroix that he had committed serious crimes, noting that it was his third time before a federal judge, but pointed out, “It took talent to commit the crime you committed; very few people could do it.”

“You obviously have a lot of talent, [but] you’ve misused it, you’ve abused it,” Wolf admonished, adding, “Life is not a video game.”

Lacroix’s four-year prison sentence will be followed by three years of supervised release. During that time, he cannot use a computer or access the Internet.

“You should have known it was dumb; you’ve been caught before,” Wolf said.

--more--"

Something else that is dumb:

"The Massachusetts Maritime Academy’s website was hacked for a third time in two days by someone claiming to be an Islamic extremist group Tuesday, school officials said."

And if it wasn't them it was the Russians!