Showing posts with label phishing. Show all posts

Wednesday, August 25, 2010

iTunes breach: Much ado about nothing.

It's a big story. It was reported on TechCrunch that there's a flaw in iTunes that allows bad guys to go in and empty your bank account if you have Paypal selected as the payment method. One poor customer racked up $4700 worth of charges in a matter of hours. Other customers were reporting hundreds and thousands of dollars stolen. The story grew from there.

There was just one problem. It was wrong. The real culprit wasn't a flaw in iTunes or PayPal; it was a successful phishing attack that harvested people's usernames and passwords, allowing the attackers to access accounts and rack up charges as if they were the legitimate owners.

An overzealous reporter or editor at TechCrunch failed to adequately check the story, used Twitter to confirm that there was a problem, and ran with it. There was a real newsworthy story here, but it wasn't a flaw in iTunes; it was gullible users handing over their passwords.

Don't trust requests for identifying information in email. Don't trust anything in such an email, and whatever you do, don't give out your information just because the email looks pretty. You'll keep your account and your sanity intact.


Wednesday, April 14, 2010

$1000, Free on Facebook!

There are some legitimate "free" offers on the web, although by the time you jump through the hoops to qualify for them it would be cheaper to just buy the "prize" they offer.

Robert McMillan of IDG News reports on PCWorld that there's a free offer appearing on Facebook that's a lot easier, but the prize goes to the conmen, not to you. All you have to do is become a fan and get a free gift card. The scam has covered the gamut, from Ikea furniture to iTunes, and has offered as much as $1000 gift cards. One fan page gathered 70,000 fans before being taken down.

In another article by McMillan, Facebook Spokesman Simon Axten says that right now these pages are leading to marketing websites that generate money through advertising. But traditionally this kind of scam is associated with identity theft, and it is probably only a matter of time before the information gathering gets more personal and identity theft becomes the goal.

Remember, anybody can put up a page on Facebook and claim to be anyone else. And always remember that old adage, "If it looks too good to be true, it probably is."

Thursday, April 8, 2010

Court says "NO" to "potential damage" from data breach

When I first saw alerts on this story I thought it was another case of a bad court decision in favor of a corporation. Then I read Mark Mcreary's blog post, Aetna Wins Dismissal on "Increased Risk of Identity Theft" Damages Sought for Class Action. I also read the amended decision by Judge Legrome D. Davis, and after all that reading, I can see two things:

1. Had this lottery ticket paid off, it would have paid off big.
2. Even so, no lawyer should have been willing to plead this case.

Aetna had a security breach on their employment website. The email addresses of over 400,000 applicants and 65,000 employees were stolen. Other information may have been stolen, but no one knows for sure (except the thief). Aetna sent notification of the breach to everyone who might have been affected by the breach. Some of those people received a bogus email claiming to be from Aetna asking for more information. One of the people who received the notice from Aetna, but not the phishing email, decided to sue Aetna for potential damages from potential identity theft.

Yes, that's right. Cornelius Allison sued Aetna for damages because he might, someday, have his identity stolen. Since he did not receive the phishing email, he didn't even know if his email address or any other data had been part of the breach.

He was suing for money that hypothetical perpetrators might someday take if they ever stole his identity. I wonder if either he or his lawyer was really surprised when the case was thrown out?

Friday, January 22, 2010

PlainsCapital vs Hillary Machinery

tx_plow_boy asked what I thought about "my bank" after the revelations by Hillary Machinery. Hillary is alleging that negligence on the part of PlainsCapital led to the theft of over $800,000 from Hillary Machinery's account. $600,000 was recovered, but Hillary Machinery wants PlainsCapital to admit that they are responsible and pay up.


I've read Walt Nett's article, "Company, bank blame each other," in the Avalanche-Journal. I've read what Hillary Machinery says in the news section on their website, and I've read the two stories about similar breaches they link to directly from their site. I'm going to take a closer look at the info we have on the Hillary Machinery breach and see what I can come up with. Most of the information I'm using will be straight from their website. As we look at the circumstances of this theft, keep in mind that I am not a lawyer, and I have only the information I've read (and linked to for you) to go by.


Looking at the info provided by Hillary Machinery on their website, here is what we have. To shorten this a little, I'll take it point by point.


1. In November 2009 PlainsCapital became the target of cybercriminals. They used vulnerabilities in PlainsCapital's internet banking system and initiated fraudulent wire and automated clearinghouse transfers.


Since I can find no mention of similar data breaches at PlainsCapital, I would probably classify the bank as a victim. It appears that the target was actually Hillary Machinery. For the same reason, I would say that the bank was not where the vulnerabilities were exploited. The normal scenario when an institution gets breached is to grab as much information as possible, or in the case of banks, grab money in small amounts from as many accounts as possible. Grabbing a large amount of money from one account points to the exploited vulnerability being at Hillary Machinery.


2. Even though the transactions were not authorized by a representative of Hillary Machinery Inc and inconsistent with Hillary's the bank still allowed them to occur.


The "not authorized by a representative of Hillary Machinery" is a bit of a red herring. If the perp stole the needed credentials from Hillary Machinery, the bank wouldn't know that it wasn't someone from Hillary until the transaction was set in motion, and even then maybe not until two or three had been made. At that point the bank should have contacted the company to make sure the transactions were legitimate.


3. To make matters worse, PlainsCapital Bank has yet to take responsibility for the stolen funds claiming that their Internet banking systems are "reasonably secure."


Face it. The bank can't admit any culpability. The second they admit any kind of fault they will be sued out of business. If this case ends the way these things usually do it will be settled out of court with PlainsCapital paying some undisclosed amount without admitting any fault.


I don't think the lion's share of blame goes to PlainsCapital on this one. It looks like Hillary was breached, whether by a virus, a trojan, or social engineering. Any share of the blame that goes to PlainsCapital comes after Hillary recognizes their own part in this very expensive fiasco.


I hope that answers your question, tx_plow_boy.

Saturday, December 19, 2009

Catching phish

Phishing - the art of crafting a bogus email in such a way that significant numbers of people will click on links inside it, even when they should know the email did not come from the person or group it claims to represent.


First, let's take a look at the information you see when you first glance at the email:


The simple things to look for

This one is actually pretty obvious. I've never worked for Schlumberger or belonged to their employee credit union (they do have one), so I can safely assume I have no account data to verify. But if that weren't enough, look at the actual 'from' address. The email is supposedly from Schlumberger, but the email address is rrluee@accounts.net, unlikely to be an address used by Schlumberger. Additionally, the 'to' address isn't my address, but service@orange.fr.


That's all good in a case like this, but what if it's not so obvious? Phishers can forge links, 'to' and 'from' headers, and even the golden 'security lock' that's supposed to tell you when you're connected to a secure site. What if you get emails claiming to be from eBay, or PayPal that don't seem right, but look really good? There are a couple of rules to go by in a situation like that:


First, if they are asking you to click a link to verify an account, they are probably bogus.


Second, never click a link in an email that is asking you to verify anything. Look the company's number up and call them, or look up their website in a search engine, but don't use the links or any other contact information given in the email.


Third, if you do click on a link, check the URL in your browser. If you were going to Paypal and get http://www.getstuff.com/paypal you're probably on a bogus site.
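As an added example (not code from the original post), here is a small Python checker that applies the signs described above to a constructed message modelled on the Schlumberger one: a 'from' mailbox domain unrelated to the organisation in the display name, a 'to' address that is not yours, a link whose host is not the brand named in its path, and a request to follow a link to "verify" something. The recipient address and the brand list are assumptions.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the one described in the post (not a real email).
SAMPLE = """From: Schlumberger Employee Credit Union <rrluee@accounts.net>
To: service@orange.fr
Subject: Please verify your account

Your account data must be verified here: http://www.getstuff.com/paypal
"""

BRANDS = ("paypal", "ebay", "schlumberger")  # assumed list of brands to look for in links


def phish_indicators(raw_message, my_address):
    """Return the list of indicators found; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw_message)
    findings = []

    # 1. Does the 'from' mailbox domain match the organisation named in the display name?
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    org_words = [w.lower() for w in re.findall(r"[A-Za-z]{5,}", display_name)]
    if org_words and not any(w in from_domain for w in org_words):
        findings.append(f"display name '{display_name}' but mailbox domain '{from_domain}'")

    # 2. Is the 'to' address actually ours?
    to_addrs = [parseaddr(a)[1].lower() for a in msg.get_all("To", [])]
    if my_address.lower() not in to_addrs:
        findings.append(f"'to' address {to_addrs} is not {my_address}")

    # 3. Links whose brand name sits in the path but not in the host (getstuff.com/paypal).
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    for url in urls:
        parts = urlparse(url)
        host, path = (parts.hostname or "").lower(), parts.path.lower()
        for brand in BRANDS:
            if brand in path and brand not in host:
                findings.append(f"link {url} names {brand} but its host is {host}")

    # 4. The message asks you to follow a link to "verify" something.
    if urls and re.search(r"\bverif", msg.get("Subject", "") + body, re.IGNORECASE):
        findings.append("asks you to follow a link to verify an account")
    return findings


if __name__ == "__main__":
    for finding in phish_indicators(SAMPLE, "me@example.com"):
        print("-", finding)
```

The checks are heuristics for a quick look at a suspicious message, not a substitute for the rule above: if the email wants you to verify something, contact the company through a channel you looked up yourself.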


I hope this was helpful. Remember, if they want you to provide information via email or a link from email, be wary.

Friday, December 18, 2009

Privacy Rx: Never answer "account verification" emails

A few days ago a doctor at the University of California San Francisco School of Medicine was tricked into giving his email account information. His email account contained some personal data about patients. How was he tricked? The email was designed to look like an official university email. So the first thing to do is put a strong policy in place that the university will never ask for account information through email. Then make sure that everyone knows this.

Well this is a short blurb today, but tomorrow we will go over a phishing email and see how you can detect one.