Many of the nation’s top banks, investment firms and credit providers are vulnerable to a newly-discovered twist on a known security flaw that exposes Web site traffic to eavesdropping. The discovery has prompted renewed warnings from the U.S. Department of Homeland Security advising vulnerable Web site owners to address the flaw as quickly as possible.

In mid-October, the world learned about “POODLE,” an innocuous acronym for a serious security flaw in a specific version (version 3.0) of Secure Sockets Layer (SSL), the technology that most commercial Web sites use to protect the privacy and security of communications with customers.

When you visit a site that begins with “https://” you can be sure that the data that gets transmitted between that site and your browser cannot be read by anyone else. That is, unless those sites are still allowing traffic over SSL 3.0, in which case an attacker could exploit the POODLE bug to decrypt and extract information from inside an encrypted transaction — including passwords, cookies and other data that can be used to impersonate the legitimate user.

On Dec. 8, researchers found that the POODLE flaw also extends to certain versions of a widely used SSL-like encryption standard known as TLS (short for Transport Layer Security).

“The impact of this problem is similar to that of POODLE, with the attack being slightly easier to execute,” wrote Ivan Ristic, director of engineering at security firm Qualys, which made available online a free scanning tool that evaluates Web sites for the presence of the POODLE vulnerability, among other problems. “The main target are browsers, because the attacker must inject malicious JavaScript to initiate the attack.”

A cursory review using Qualys’s SSL/TLS scanning tool indicates that the Web sites for some of the world’s largest financial institutions are vulnerable to the new POODLE bug, including Bank of America, Chase.com, Citibank, HSBC, Suntrust — as well as retirement and investment giants Fidelity.com and Vanguard (click links to see report). Dozens of sites offering consumer credit protection and other services run by Experian also are vulnerable, according to SSL Labs. Qualys estimates that about 10 percent of Web servers are vulnerable to the POODLE attack against TLS.

According to an advisory from the U.S. Computer Emergency Readiness Team (US-CERT), a partnership run in conjunction with the U.S. Department of Homeland Security, although there is currently no fix for the vulnerability SSL 3.0 itself, disabling SSL 3.0 support in Web applications is the most viable solution currently available. US-CERT notes that some of the same researchers who discovered the Poodle vulnerability also developed a fix for the TLS-related issues.

Until vulnerable sites patch the issue, there isn’t a lot that regular users can do to protect themselves from this bug, aside from exercising some restraint when faced with the desire to log in to banking and other sensitive sites over untrusted networks, such as public Wi-Fi hotspots.

 

If you use Microsoft or Adobe software products, chances are that software is now dangerously out of date. Microsoft today released seven update bundles to fix two dozen security vulnerabilities in Windows and supported software. Adobe pushed patches to correct critical flaws in Acrobat, Reader and Flash Player, including a bug in Flash that already is being exploited.

Four of the seven updates from Microsoft earned a “critical” rating, which means the patches on fix vulnerabilities that can be exploited by malware or attackers to seize control over vulnerable systems without any help from users (save for perhaps visiting a hacked or malicious Web site). One of those critical patches — for Internet Explorer — plugs at least 14 holes in the default Windows browser.

Another critical patch plugs two vulnerabilities in Microsoft Word and Office Web Apps (including Office for Mac 2011). There are actually three patches this month that address Microsoft Office vulnerabilities, including MS14-082 and MS-14-083, both of which are rated “important.” A full breakdown of these and other patches released by Microsoft today is here.

Adobe’s Flash Player update brings the player to v. 16.0.0.235 for Windows and Mac users, and fixes at least six critical bugs in the software. Adobe said an exploit for one of the flaws, CVE-2014-9163, already exists in the wild.

“These updates address vulnerabilities that could potentially allow an attacker to take over the affected system,” the company said in its advisory.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. If your version of Chrome doesn’t show the latest version of Flash, you may need to restart the browser or manually force Chrome to check for updates (click the three-bar icon to the right of the address bar, select “About Google Chrome” and it should check then).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Adobe Acrobat and Adobe Reader users will need to apply a critical update that fixes at least 20 critical security in these programs. See Adobe’s Reader advisory for more details on that. The latest updates live here.

Charge Anywhere LLC, a mobile payments provider, today disclosed that malicious software planted on its networks may have jeopardized credit card data from transactions the company handled between November 2009 and September 2014.

In a statement released today, the South Plainfield, N.J. electronic payment provider said it launched investigation after receiving complaints about fraudulent charges on cards that had been legitimately used at certain merchants. The information stolen includes the customer name, card number, expiration date and verification code.

“The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic,” the company explained. “Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.”

Charge Anywhere said it believes that “only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified,” although the company allowed that the unauthorized person had the ability to capture network traffic as early as November 5, 2009.

The incident is the latest reminder of what happens to businesses that handle credit card data and other sensitive information and yet fail to full encrypt the data as it traverses their network. The company has provided a searchable list of merchants who may have been affected by the breach.

Last month, this blog featured a story about an innovation in ATM skimming known as wiretapping, which I said involves a “tiny” hole cut in the ATM’s front through which thieves insert devices capable of eavesdropping on and recording the ATM user’s card data. Turns out, the holes the crooks make to insert their gear tend to be anything but tiny.

Not long after that post went live, I heard from the folks at NCR, one of the world’s largest cash machine manufacturers. NCR had put out a bulletin on the emergence of this very threat in Sept. 2014, saying the activity had first been spotted in the United Kingdom against NCR 5877 and 5887 models.

As I noted in my original story, the attackers use a plastic decal to cover up the hole, but NCR’s photos of one ATM compromised by this method offer a better look at what’s going on here. Take a look at the size of that hole:

“In this attack, the ATM fascia is penetrated close to the card reader to create a hole large enough for the attacker to reach inside the ATM and place a tap directly onto the card reader in order to skim card data as it is read by the ATM,” NCR said in an advisory it produced on the increasingly common attacks.

According to NCR, the emergence of this type of skimming attack is a response to the widespread availability of third party anti-skimming technology which is successful at preventing the operation of a traditional skimmer, placed on the outside of the ATM.

“Card reader eavesdropping skimmers are placed in a location that third party anti-skimming technology necessarily cannot protect, since the ATM must be capable of reading the card,” the advisory notes. “This [technique] has previously been seen in Ireland and the Netherlands, and can be expected to grow as traditional skimming is prevented.”

NCR observed that crooks employing this attack are using a variety of methods to create the hole in the front of the ATM. Modern ATMs often now include sensors that can detect vibrations consistent with drilling or cutting tools, so some thieves have taken to melting the ATM fascia in some cases.

“Melting techniques have been observed which can circumvent seismic anti-drilling sensors,” NCR said.

If the idea of ATM bandits taking a blowtorch to the cash machine sounds extreme, at least they’re not trying to blow the ATM to smithereens. According to quarterly reports from the European ATM Security Team (EAST), ATM attacks in which the fraudsters attempt to blast open the machine with explosive gas are on the rise.

EAST reports that explosive gas attacks were reported by eight countries in Europe this year. Why would thieves risk their lives and that of innocent passers-by on such a brute-force attack? EAST says the attacks are generally successful at busting open the ATM about 40 percent of the time.

“Two of the countries also reported attacks using solid explosives,” EAST warned. “Collateral damage for solid explosive attacks is a major concern. In one country, the average overall frequency of ATM related physical attacks is five incidents per week. Three countries reported significant collateral damage from physical attacks, in addition to cash losses suffered.”

Fortunately, many countries in Europe are fighting back against these incredibly dangerous skimming attacks, both with improved ATM technology and stiffer sentences for crooks caught in the act.

“In one country no such attack s have been reported since the introduction of ink staining technology,” EAST noted. “In another, significant sentences have been given to criminals convicted of such attacks (the longest was 18 years in prison and the shortest 14 years!). This is an important step for Europe as, overall, sentences for such attacks are deemed by the industry to be too lenient.”

When a retailer’s credit card systems get breached by hackers, banks usually can tell which merchant got hacked soon after those card accounts become available for purchase at underground cybercrime shops. But when companies that collect and sell sensitive consumer data get hacked or are tricked into giving that information to identity thieves, there is no easy way to tell who leaked the data when it ends up for sale in the black market. In this post, we’ll examine one idea to hold consumer data brokers more accountable.

Some of the biggest retail credit card breaches of the past year — including the break-ins at Target and Home Depot — were detected by banks well before news of the incidents went public. When cards stolen from those merchants go up for sale on underground cybercrime shops, the banks often can figure out which merchant got hacked by acquiring a handful of their cards and analyzing the customer purchase history of those accounts. The merchant that is common to all stolen cards across a given transaction period is usually the breached retailer.

Sadly, this process of working backwards from stolen data to breach victim generally does not work in the case of breached data brokers that trade in Social Security information and other data, because too often there are no unique markers in the consumer data that would indicate from where the information was obtained.

Even in the handful of cases where underground crime shops selling consumer personal data have included data points in the records they sell that would permit that source analysis, it has taken years’ worth of very imaginative investigation by law enforcement to determine which data brokers were at fault. In Nov. 2011, I wrote about an identity theft service called Superget[dot]info, noting that “each purchasable record contains a two- to three-letter “sourceid,” which may provide clues as to the source of this identity information.”

Unfortunately, the world didn’t learn the source of that ID theft service’s data until 2013, a year after U.S. Secret Service agents arrested the site’s proprietor — a 24-year-old from Vietnam who was posing as a private investigator based in the United States. Only then were investigators able to determine that the source ID data matched information being sold by a subsidiary of big-three credit bureau Experian (among other data brokers that were selling to the ID theft service). But federal agents made that connection only after an elaborate investigation that lured the proprietor of that shop out of Vietnam and into a U.S. territory.

Meanwhile, during the more than six years that this service was in operation, Superget.info attracted more than 1,300 customers who paid at least $1.9 million to look up Social Security numbers, dates of birth, addresses, previous addresses, email addresses and other sensitive information on consumers, much of it used for new account fraud and tax return fraud.

Investigators got a lucky break in determining the source of another ID theft service that was busted up and has since changed its name (more on that in a moment). That service — known as “ssndob[dot]ru” — was the service used by exposed[dot]su, a site that proudly displayed the Social Security, date of birth, address history and other information on dozens of Hollywood celebrities, as well as public officials such as First Lady Michelle Obama, then FBI Director Robert Mueller, and CIA Director John Brennan.

As I explained in a 2013 exclusive, civilian fraud investigators working with law enforcement gained access to the back-end server that was being used to handle customer requests for consumer information. That database showed that the site’s 1,300 customers had spent hundreds of thousands of dollars looking up SSNs, birthdays, drivers license records, and obtaining unauthorized credit and background reports on more than four million Americans.

Although four million consumer records may seem like a big number, that figure did not represent the total number of consumer records available through ssndob[dot]ru. Rather, four million was merely the number of consumer records that the service’s customers had paid the service to look up. In short, it appeared that the ID theft service was drawing on active customer accounts inside of major consumer data brokers.

Investigators working on that case later determined that the same crooks who were running ssndob[dot]ru also were operating a small, custom botnet of hacked computers inside of several major data brokers, including LexisNexis, Dun & Bradstreet, and Kroll. All three companies acknowledged infections from the botnet, but shared little else about the incidents.

Despite their apparent role in facilitating (albeit unknowingly) these ID theft services, to my knowledge the data brokers involved have never been held publicly accountable in any court of law or by Congress.

CURRENT ID THEFT SERVICES

At present, there are multiple shops in the cybercrime underground that sell everything one would need to steal someone’s identity in the United States or apply for new lines of credit in their name — including Social Security numbers, addresses, previous addresses, phone numbers, dates of birth, and in some cases full credit history. The price of this information is shockingly low — about $3 to $5 per record.

KrebsOnSecurity conducted an exhaustive review of consumer data on sale at some of the most popular underground cybercrime sites. The results show that personal information on some of the most powerful Americans remains available for just a few dollars. And of course, if one can purchase this information on these folks, one can buy it on just about anyone in the United States today.

As an experiment, this author checked two of the most popular ID theft services in the underground for the availability of Social Security numbers, phone numbers, addresses and previous addresses on all members of the Senate Commerce Committee‘s Subcommittee on Consumer Protection, Product Safety and Insurance. That data is currently on sale for all thirteen Democrat and Republican lawmakers on the panel.

Between these two ID theft services, the same personal information was for sale on Edith Ramirez and Richard Cordray, the heads of the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), respectively.

Getting these ID theft service Web sites shut down might feel good, but it is not a long-term solution. Both services used to conduct these lookups of the public figures mentioned above are second- and third-generation shops that have re-emerged from previous takedown efforts. In fact, at least one of them appears to be a reincarnation of ssndob[dot]ru, while the other seems little more than a reseller of that service.

Rather, it seems clear that what we need is more active oversight of the data broker industry, and new tools to help law enforcement (and independent investigators) determine the source of data being resold by these identity theft services.

Specifically, if there were a way for federal investigators to add “breach canaries” — unique, dummy identities — to records maintained by the top data brokers, it could make it far easier to tell which broker is leaking consumer data either through breaches or hacked/fraudulent accounts.

Data brokers like Experian have strongly resisted calls from regulators for greater transparency in their operations and in the data that they hold about consumers. When the FTC recommended the creation of a central website where data brokers would be listed — with links to these companies, their privacy policies and also choice options, giving consumers the capability to review/amend the data that companies maintain — Experian lobbied against the idea, charging that it would “have the unintended effect of confusing consumers and eroding trust in e-commerce.”

The company’s main sticking point was essentially that it was unfair to impose such requirements on the bigger data brokers and ignore the rest. Experian’s chief lobbyist Tony Hadley has made the argument that there are just too many companies that have and share all this consumer data, which seems precisely the problem.

“The Direct Marketing Association (DMA) estimates that even a narrow definition of a marketing information service provider is likely to include more than 2,500 companies from all sectors of the economy,” Hadley wrote in a blog post earlier this year. “Simply put, the entire data industry – extremely vital to the US economy — cannot be neatly or accurately identified and then subjected to unrealistic requirements.”

My guess is that if the data broker giants are opposed to the idea of inserting dummy identities into their records to act as breach canaries, it is because such a practice could expose data-sharing relationships and record-keeping practices that these companies would rather not see the light of day. But barring any creative ideas to help investigators quickly learn the source of data being sold by identity theft services online, data brokers will remain free to facilitate and even profit from an illicit market for sensitive consumer information.