Extreme Breach of Target’s Payment Processing Software Leaves 40 Million Accounts Vulnerable

Target (TGT) said a massive theft of credit and debit card data from its stores may have impacted 40 million accounts, one of the largest security breaches ever reported.

The discount retailer confirmed on Thursday that it’s aware of unauthorized access to payment card data between Nov. 27 and Dec. 15, at the start of the busiest shopping season of the year.

Target alerted authorities and financial institutions after it became aware of the breach and is partnering with a third-party forensics firm to investigate the theft, the company added.

According to a notice to customers on Target’s website, the theft targeted shoppers who made purchases using credit or debit cards in U.S. stores, not on the company’s website. The information that was stolen included customer names, card numbers, expiration dates and the CVV three-digit security code.

The industry has grappled with massive data thefts before. In 2007, T.J. Maxx and HomeGoods parent TJX (TJX) reported that thieves stole card numbers and personal data from as many as 90 million cards.

In July, federal prosecutors unveiled criminal charges related to the theft of more than 160 million card numbers from companies like J.C. Penney (JCP) and JetBlue (JBLU).

One of the latest breaches happened last year at Global Payments, an Atlanta-based payment processing company. Information from up to 1.5 million accounts was stolen.

The data breach at Target was first reported by the Krebs on Security website, which is operated by computer security expert Brian Krebs.

 

Read the rest at: http://www.foxbusiness.com/industries/2013/12/19/target-confirms-major-card-data-theft-during-thanksgiving-1487625092/

Hacking your cell phone calls, texts, browser

An increasingly popular technology for extending cell-phone coverage ranges had a major security hole that went undetected for years, through which an attacker could eavesdrop on everything a target did on their phone, according to new research released on Monday.

The research brings to light previously unknown vulnerabilities in some models of femtocells, devices that mobile network operators use to bring wireless service to low-coverage zones. The compact boxes, which are typically as small as a standard cable modem, can be deployed in hard-to-reach spots like the top of an apartment building or a home in the mountains. Femtocells are also referred to as “network extenders,” and analysts project that as many as 50 million of them will be in use by 2014.

In a demonstration for CNNMoney, researchers at iSEC Partners, who discovered the security hole, covertly recorded one of our phone conversations and played it back for us. They were also able to record our browsing history, text messages, and even view pictures we sent from one smartphone to another by hacking the network extender.

“We see everything that your phone would send to a cell phone tower: phone calls, text messages, picture messages, mobile Web surfing,” said iSEC Partners senior security consultant Tom Ritter.

ISEC discovered the security flaw a year ago and contacted the affected vendors, who quickly began working on a fix. Though iSEC focused its research on femtocells operating on Verizon’s 3G CDMA network, the company believes similar holes could exist on other network extenders.

http://money.cnn.com/2013/07/15/technology/security/femtocell-phone-hack/

 

The camera in your TV is watching you

Today’s high-end televisions are almost all equipped with “smart” PC-like features, including Internet connectivity, apps, microphones and cameras. But a recently discovered security hole in some Samsung Smart TVs shows that many of those bells and whistles aren’t ready for prime time.

The flaws in Samsung Smart TVs, which have now been patched, enabled hackers to remotely turn on the TVs’ built-in cameras without leaving any trace of it on the screen. While you’re watching TV, a hacker anywhere around the world could have been watching you. Hackers also could have easily rerouted an unsuspecting user to a malicious website to steal bank account information.

Samsung quickly fixed the problem after security researchers at iSEC Partners informed the company about the bugs. Samsung sent a software update to all affected TVs.

But the glitches speak to a larger problem of gadgets that connect to the Internet but have virtually no security to speak of.

Security cameras, lights, heating control systems and even door locks and windows are now increasingly coming with features that allow users to control them remotely. Without proper security controls, there’s little to stop hackers from invading users’ privacy, stealing personal information or spying on people.

In the case of Samsung Smart TVs, iSEC researchers found that they could tap into the TV’s Web browser with ease, according to iSEC security analyst Josh Yavor. That gave hackers access to all the functions controlled by the browser, including the TV’s built-in camera.

“If there’s a vulnerability in any application, there’s a vulnerability in the entire TV,” said Aaron Grattafiori, also an analyst at iSEC.

Yavor and Grattafiori were also able to hack the browser in such a way that users would be sent to any website of the hacker’s choosing. While the hack would have been obvious if the website on the screen didn’t match the desired address, Yavor says there could be serious implications if a bad actor sent a user to a lookalike banking page and retrieved a user’s credentials.

http://money.cnn.com/2013/08/01/technology/security/tv-hack/

Your future home is vulnerable to cyberattacks

LAS VEGAS (CNNMoney) — If the Jetsons were real, they probably would have gotten hacked a lot.

In the classic 1960s animated sitcom, everything in the space-age family’s home was networked and could be controlled by the press of a button on a remote control.

That fantasy is becoming a reality. New technology allows practically everything in your home — from your door locks to your thermostat to your TV — to be controlled by an Internet-connected device like a smartphone.

Unsurprisingly, many of those cutting-edge devices are filled with holes that cyberattackers can exploit.

In a briefing at the Black Hat cybersecurity conference in Las Vegas on Wednesday, security researcher Collin Mulliner showed just how easily hackers can tap into “smart home” gadgets when they’re connected to mobile networks.

By scouring through a European database of registered devices on the mobile Internet, and with just a small amount of hacking, Mulliner was able to crack hundreds of home automation hubs, smart electric meter control units, and in-home security cameras.

Mulliner didn’t need to break out many advanced geek skills. For example, a quick Google search revealed that one brand of popular smart meter device had a default password of 1234. Since they’re typically installed by the electric company, few homeowners change it.

http://money.cnn.com/2012/07/26/technology/home-network-cyberattack/

Alert from Hacker News: Some Outdated WordPress Blogs Used in DDOS Attacks

In the past we have reported on many such cyber attacks, in which attackers hacked into WordPress blogs using password brute-force attacks or used the Pingback vulnerability in older versions of WordPress without compromising the server.

WordPress has built-in functionality called Pingback, which allows anyone to initiate a request from WordPress to an arbitrary site; a single machine can use it to originate millions of requests from multiple locations.

We have seen more than 100,000 IP addresses involved in the recent DDOS attack, and the victim’s forum website received more than 40,000 requests in 7 minutes from different WordPress blogs and IP addresses.

http://thehackernews.com/2013/12/ddos-attacks-originated-from-thousands.html
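
A defender's view of the pattern described above, as an added example that is not part of the original article: the script scans a web server access log for requests whose User-Agent identifies a WordPress site and flags 7-minute windows in which several distinct blogs hit the server. The log lines are constructed, and the function names and the three-blog threshold are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Dec/2013:10:00:01 +0000] "GET /forum/ HTTP/1.0" 200 512 "-" "WordPress/3.5.1; http://blog-a.example"
198.51.100.7 - - [19/Dec/2013:10:00:01 +0000] "GET /forum/ HTTP/1.0" 200 512 "-" "WordPress/3.4.2; http://blog-b.example"
203.0.113.5 - - [19/Dec/2013:10:00:02 +0000] "GET /forum/ HTTP/1.0" 200 512 "-" "WordPress/3.5.1; http://blog-c.example"
192.0.2.10 - - [19/Dec/2013:10:00:03 +0000] "GET /forum/ HTTP/1.0" 200 512 "-" "WordPress/3.5.1; http://blog-a.example"
198.51.100.99 - - [19/Dec/2013:10:00:04 +0000] "GET /forum/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.77 - - [19/Dec/2013:10:00:05 +0000] "GET /forum/ HTTP/1.0" 200 512 "-" "WordPress/3.6; http://blog-d.example"
192.0.2.44 - - [19/Dec/2013:12:30:00 +0000] "GET /post/1 HTTP/1.0" 200 512 "-" "WordPress/3.7.1; http://blog-e.example"
""".splitlines()

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# WordPress's HTTP client sends "WordPress/<version>; <blog URL>" as its User-Agent.
WP_UA_RE = re.compile(r'^WordPress/[\d.]+; (?P<blog>https?://[^;\s]+)')

def parse(line):
    """Return (epoch_seconds, blog_url) for a request made by a WordPress site, else None."""
    m = LINE_RE.match(line.strip())
    ua = WP_UA_RE.match(m['ua']) if m else None
    if not ua:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return int(ts.timestamp()), ua['blog']

def pingback_bursts(lines, window_s=420, min_blogs=3):
    """Flag fixed windows in which many distinct WordPress sites hit this server.

    One blog fetching a page is a normal pingback check; the same server being
    fetched by many unrelated blogs at once is the reflection pattern."""
    buckets = defaultdict(list)
    for line in lines:
        hit = parse(line)
        if hit:
            epoch, blog = hit
            buckets[epoch - epoch % window_s].append(blog)
    alerts = []
    for start, blogs in sorted(buckets.items()):
        if len(set(blogs)) >= min_blogs:
            # (window start as epoch seconds, total requests, distinct blogs)
            alerts.append((start, len(blogs), len(set(blogs))))
    return alerts

if __name__ == '__main__':
    for start, requests, blogs in pingback_bursts(SAMPLE_LOG):
        print(f'window@{start}: {requests} WordPress requests from {blogs} blogs')
```

Counting distinct blog URLs rather than source IPs keeps a single legitimate pingback check, like the last sample line, from raising an alert.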

Christmas Came Early For Hackers: 2 Million Social Media Accounts Hacked, Big U.S. Bank Data Stolen

Hackers Stole 2M Facebook, Google Passwords: How to Protect Your Accounts

Dec. 5, 2013

Any time you logged into Facebook, Google, Twitter, or a host of other popular web services the past month, there may have been a hacker peering over your digital shoulder, sneaking a peek at your password.

The information security company Trustwave has revealed that the passwords to 2 million different accounts have been compromised. The malware program Pony forwarded the vast majority of the passwords to a central server in the Netherlands.

John Miller, security research manager at Trustwave, said that the hack wasn’t due to a flaw in any of those companies’ servers. “It was the individual users’ computers that had the malware installed on their machine,” he told ABC News. He adds that the unnamed hackers were most likely motivated by profit. “These passwords were never publicly posted. We can’t say for sure, but [the hackers] were probably going to sell them.”

http://abcnews.go.com/Technology/hacker-group-stole-million-stolen-facebook-google-passwords/story?id=21109910

 

JP Morgan Chase Hacked: 465,000 Card Users’ Data Gone

JPMorgan Chase, one of the world’s biggest banks, has recently announced that it was the victim of a cyber attack and warned around 465,000 holders of its prepaid cash cards about the possible exposure of their personal information.

In the security breach that took place on the bank’s website www.ucard.chase.com in July, around 465,000 accounts were compromised, i.e. 2% of the overall 25 million UCard users. JPMorgan confirmed that there is no risk for holders of debit cards, credit cards or prepaid Liquid cards.

The bank informed law enforcement in September, and so far no information on how the attackers conducted the attack has been disclosed.

http://thehackernews.com/2013/12/JPMorgan-Chase-bank-card-hacked_5.html