What’s in a Boarding Pass Barcode? A Lot

October 6, 2015

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.

Earlier this year, I heard from a longtime KrebsOnSecurity reader named Cory who said he began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook. Cory took a screen shot of the boarding pass, enlarged it, and quickly found a site online that could read the data.

An older Delta boarding pass with a board code. Source: IATA.

An older Delta boarding pass with a bar code that does not include a frequent flyer number. Source: IATA.

“I found a website that could decode the data and instantly had lots of info about his trip,” Cory said, showing this author step-by-step exactly how he was able to find this information. ‘

“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key” for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

The access granted by Lufthansa’s site also included his friend’s phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights.

The information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early process of resetting a Star Alliance account PIN at United Airline’s “forgot PIN” Web site. Continue reading

Trump Hotel Collection Confirms Card Breach

October 5, 2015

The Trump Hotel Collection, a string of luxury hotel properties tied to business magnate and Republican presidential candidate Donald Trump, said last week that a year-long breach of its credit card system may have resulted in the theft of cards used at the hotels. The acknowledgement comes roughly three months after this author first reported that multiple financial institutions suspected the hotels were compromised.

Trump International Hotel and Tower in Chicago.

Trump International Hotel and Tower in Chicago.

In a Web site created to share details about the hack, The Trump Hotel Collection said the breach affects customers who used their credit or debit cards at the hotels between May 19, 2014, and June 2, 2015.

“While the independent forensic investigator did not find evidence that information was taken from the Hotel’s systems, it appears that there may have been unauthorized malware access to payment card information as it was inputted into the payment card systems. Payment card data (including payment card account number, card expiration date, and security code) of individuals who used a payment card at the Hotel between May 19, 2014, and June 2, 2015, may have been affected.

The Trump compromise is just the latest in a long string of credit card breaches involving hotel brands, restaurants and retail establishments. In March, upscale hotel chain Mandarin Oriental disclosed a compromise. The following month, hotel franchising firm White Lodging acknowledged that, for the second time in 12 months, card processing systems at several of its locations were breached by hackers.

On Sept. 25, this author first reported that the Hilton Hotel chain is investigating reports of a pattern of card fraud traced back to some of its properties.
Continue reading

Advertisement

Scottrade Breach Hits 4.6 Million Customers

October 2, 2015

Welcome to Day 2 of Cybersecurity (Breach) Awareness Month! Today’s awareness lesson is brought to you by retail brokerage firm Scottrade Inc., which just disclosed a breach involving contact information and possibly Social Security numbers on 4.6 million customers.

scottradeIn an email sent today to customers, St. Louis-based Scottrade said it recently heard from federal law enforcement officials about crimes involving the theft of information from Scottrade and other financial services companies.

“Based upon our subsequent internal investigation coupled with information provided by the authorities, we believe a list of client names and street addresses was taken from our system,” the email notice reads. “Importantly, we have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. All client passwords remained encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident.”

The notice said that although Social Security numbers, email addresses and other sensitive data were contained in the system accessed, “it appears that contact information was the focus of the incident.” The company said the unauthorized access appears to have occurred over a period between late 2013 and early 2014.

Asked about the context of the notification from federal law enforcement officials, Scottrade spokesperson Shea Leordeanu said the company couldn’t comment on the incident much more than the information included in its Web site notice about the attack. But she did say that Scottrade learned about the data theft from the FBI, and that the company is working with agents from FBI field offices in Atlanta and New York. FBI officials could not be immediately reached for comment.

It may well be that the intruders were after Scottrade user data to facilitate stock scams, and that a spike in spam email for affected Scottrade customers will be the main fallout from this break-in.

In July 2015, prosecutors in Manhattan filed charges against five people — including some suspected of having played a role in the 2014 breach at JPMorgan Chase that exposed the contact information on more than 80 million consumers. The authorities in that investigation said they suspect that group sought to use email addresses stolen in the JPMorgan hacking to further stock manipulation schemes involving spam emails to pump up the price of otherwise worthless penny stocks.

Scottrade said despite the fact that it doesn’t believe Social Security numbers were stolen, the company is offering a year’s worth of free credit monitoring services to affected customers. Readers who are concerned about protecting their credit files from identity thieves should read How I Learned to Stop Worrying and Embrace the Security Freeze.

Experian Breach Affects 15 Million Consumers

October 2, 2015

Kicking off National Cybersecurity Awareness Month with a bang, credit bureau and consumer data broker Experian North America disclosed Thursday that a breach of its computer systems exposed approximately 15 million Social Security numbers and other data on people who applied for financing from wireless provider T-Mobile USA Inc.

experianExperian said the compromise of an internal server exposed names, dates of birth, addresses, Social Security numbers and/or drivers’ license numbers, as well as additional information used in T-Mobile’s own credit assessment. The Costa Mesa, Calif.-based data broker stressed that no payment card or banking details were stolen, and that the intruders never touched its consumer credit database.

Based on the wording of Experian’s public statement, many publications have reported that the breach lasted for two years from Sept. 1, 2013 to Sept. 16, 2015. But according to Experian spokesperson Susan Henson, the forensic investigation is ongoing, and it remains unclear at this point the exact date that the intruders broke into Experian’s server.

Henson told KrebsOnSecurity that Experian detected the breach on Sept. 15, 2015, and confirmed the theft of a single file containing the T-Mobile data on Sept. 22, 2015.

T-Mobile CEO John Legere blasted Experian in a statement posted to T-Mobile’s site. “Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” Legere wrote.

WHAT YOU CAN DO

Experian said it will be notifying affected consumers by snail mail, and that it will be offering affected consumers free credit monitoring through its “Protect MyID” service. Take them up on this offer if you want , but I would strongly encourage anyone affected by this breach to instead place a security freeze on their credit files at Experian and at the other big three credit bureaus, including Equifax, Trans Union and Innovis.

Experian’s offer to sign victims up for its credit monitoring service to address a breach of its own making is pretty rich. Moreover, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score. Continue reading

ATM Skimmer Gang Firebombed Antivirus Firm

September 29, 2015

It’s notable whenever cybercime spills over into real-world, physical attacks. This is the story of a Russian security firm whose operations were pelted with Molotov cocktail attacks after exposing an organized crime gang that developed and sold malicious software to steal cash from ATMs.

molotovThe threats began not long after December 18, 2013, when Russian antivirus firm Dr.Web posted a writeup about a new Trojan horse program designed to steal card data from infected ATMs. Dr.Web received an email warning the company to delete all references to the ATM malware from its site.

The anonymous party, which self-identified as the “International Carders Syndicate,” said Dr.Web’s ATM Shield product designed to guard cash machines from known malware “threatens activity of Syndicate with multi-million dollar profit.”

The threat continued:

“Hundreds of criminal organizations throughout the world can lose their earnings. You have a WEEK to delete all references about ATM Skimmer from your web resource. Otherwise syndicate will stop cash-out transactions and send criminal for your programmers’ heads. The end of Doctor Web will be tragic.”

In an interview with KrebsOnSecurity, Dr.Web CEO Boris Sharov said the company did not comply with the demands. On March 9, 2014, someone threw a Molotov cocktail at the office of a third-party company that was distributing Dr.Web’s ATM Shield product. Shortly after that, someone attacked the same office again. Each time, the damage was minimal, but it rattled company employees nonetheless.

Less than two weeks later, Dr.Web received a follow-up warning letter:

“Dear Dr.Web, the International carder syndicate has warned you about avoidance of interference (unacceptable interference) in the ATM sphere. Taking into account the fact that you’ve ignored syndicate’s demands, we employed sanctions. To emphasis the syndicate’s purpose your office at Blagodatnaya st. was burnt twice.

If you don’t delete all references about atmskimmer viruses from your products and all products for ATM, the International carder syndicate will destroy Doctor Web’s offices throughout the world, In addition, syndicate will lobby the Prohibition of usage of Russian anti-viruses Law in countries that have representation offices of the syndicate under the pretext of protection against Russian intelligence service.”

After a third attack on the St. Petersburg office, a suspect who was seen running away from the scene of the attack was arrested but later released because no witnesses came forward to confirm he was the one who threw the bomb.

Meanwhile, Sharov said Dr.Web detected two physical intrusions into its Moscow office.

“This is an office where we have much more security than any other, but also many more visitors,” he said. “We had been on high alert after the fire bombings, and we’ve never had intrusions before and never had them after this. But during that period, we had three attempts to enter the perimeter and to do something bad, but I won’t go into details about that.”

Sharov said Dr.Web analysts believe the group that threatened the attacks were not cyber thieves themselves but instead an organized group of programmers that had sold — but not yet delivered — a crimeware product to multiple gangs that specialize in cashing out hacked ATM cards.

“We think this group got very nervous by the fact that we had published exactly what they’d done, and it was very untimely for them, they were really desperate,” Sharov said. “We believe our reports came out just after development of the ATM Trojan had finished but before it was released to customers.” Continue reading

With Stolen Cards, Fraudsters Shop to Drop

September 28, 2015

A time-honored method of extracting cash from stolen credit cards involves “reshipping” scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity.

Many retailers long ago stopped allowing direct shipments of consumer goods from the United States to Russia and Eastern Europe, citing the high rate of fraudulent transactions for goods destined to those areas. As a result, fraudsters have perfected the reshipping service, a criminal enterprise that allows card thieves and the service operators essentially split the profits from merchandise ordered with stolen credit and debit cards.

Source: Drops for Stuff research paper.

Source: Drops for Stuff research paper.

Much of the insight in this story comes from a study released last week called “Drops for Stuff: An Analysis of Reshipping Mule Scams,” which has multiple contributors (including this author). To better understand reshipping scheme, it helps to have a quick primer on the terminology thieves use to describe different actors in the scam.

The “operator” of the reshipping service specializes in recruiting “reshipping mules” or “drops” — essentially unwitting consumers in the United States who are enlisted through work-at-home job scams and promised up to $2,500 per month salary just for receiving and reshipping packages.

In practice, virtually all drops are cut loose after approximately 30 days of their first shipment — just before the promised paycheck is due. Because of this constant churn, the operator must be constantly recruiting new drops.

The operator sells access to his stable of drops to card thieves, also known as “stuffers.” The stuffers use stolen cards to purchase high-value products from merchants and have the merchants ship the items to the drops’ address. Once the drops receive the packages, the stuffers provide them with prepaid shipping labels that the mules will use to ship the packages to the stuffers themselves. After they receive the packaged relayed by the drops, the stuffers then sell the products on the local black market.

The shipping service operator will either take a percentage cut (up to 50 percent) where stuffers pay a portion of the product’s retail value to the site operator as the reshipping fee. On the other hand, those operations that target lower-priced products (clothing, e.g.) may simply charge a flat-rate fee of $50 to $70 per package. Depending on the sophistication of the reshipping service, stuffers can either buy shipping labels directly from the service — generally at a volume discount — or provide their own [for a discussion of ancillary criminal services that resell stolen USPS labels purchased wholesale, check out this story from 2014].

The researchers found that reshipping sites typically guarantee a certain level of customer satisfaction for successful package delivery, with some important caveats. If a drop who is not marked as problematic embezzles the package, reshipping sites offer free shipping for the next package or pay up to 15% of the item’s value as compensation to stuffers (e.g., as compensation for “burning” the credit card or the already-paid reshipping label).

However, in cases where the authorities identify the drop and intercept the package, the reshipping sites provide no compensation — it calls these incidents “acts of God” over which it has no control.

“For a premium, stuffers can rent private drops that no other stuffers will have access to,” the researchers wrote. “Such private drops are presumably more reliable and are shielded from interference by other stuffers and, in turn, have a reduced risk to be discovered (hence, lower risk of losing packages).” Continue reading

Banks: Card Breach at Hilton Hotel Properties

September 25, 2015

Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims.

hiltonIn August, Visa sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015. The alerts to each bank included card numbers that were suspected of being compromised, but per Visa policy those notifications did not name the breached entity.

However, sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: They were all were used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, DoubletreeHampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.

In a written statement, a Hilton spokesperson said the company is investigating the breach claims.

“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” the company said. “We have many systems in place and work with some of the top experts in the field to address data security.  Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace.  We take any potential issue very seriously, and we are looking into this matter.”

As with other recent card breaches at major hotel chains — including Mandarin Oriental and White Lodging properties — the breach does not appear to be related to the guest reservation systems at the affected locations. Rather, sources say the fraud seems to stem from compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties.

It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.

This is a developing story. More as updates become available.

Bidding for Breaches, Redefining Targeted Attacks

September 23, 2015

A growing community of private and highly-vetted cybercrime forums is redefining the very meaning of “targeted attacks.” These bid-and-ask forums match crooks who are looking for access to specific data, resources or systems within major corporations with hired muscle who are up to the task or who already have access to those resources.

A good example of this until recently could be found at a secretive online forum called “Enigma,” a now-defunct community that was built as kind of eBay for data breach targets. Vetted users on Enigma were either bidders or buyers — posting requests for data from or access to specific corporate targets, or answering such requests with a bid to provide the requested data. The forum, operating on the open Web for months until recently, was apparently scuttled when the forum administrators (rightly) feared that the community had been infiltrated by spies.

The screen shot below shows several bids on Enigma from March through June 2015, requesting data and services related to HSBC UK, Citibank, Air Berlin and Bank of America:

Enigma, an exclusive forum for cyber thieves to buy and sell access to or data stolen from companies.

Enigma, an exclusive forum for cyber thieves to buy and sell access to or data stolen from companies.

One particularly active member, shown in the screen shot above and the one below using the nickname “Demander,” posts on Jan. 10, 2015 that he is looking for credentials from Cisco and that the request is urgent (it’s unclear from the posting whether he’s looking for access to Cisco Corp. or simply to a specific Cisco router). Demander also was searching for services related to Bank of America ATMs and unspecified data or services from Wells Fargo.

More bids on Enigma forum for services.

More bids on Enigma forum for services, data, and access to major corporations.

Much of the information about Enigma comes from Noam Jolles, a senior intelligence expert at Diskin Advanced Technologies. The employees at Jolles’ firm are all former members of Shin Bet, a.k.a. the Israel Security Agency/General Security Service — Israel’s counterespionage and counterterrorism agency, and similar to the British MI5 or the American FBI. The firm’s namesake comes from its founder, Yuval Diskin, who headed Shin Bet from 2005 to 2011.

“On Enigma, members post a bid and call on people to attack certain targets or that they are looking for certain databases for which they are willing to pay,” Jolles said. “And people are answering it and offering their merchandise.”

Those bids can take many forms, Jolles said, from requests to commit a specific cyberattack to bids for access to certain Web servers or internal corporate networks.

“I even saw bids regarding names of people who could serve as insiders,” she said. “Lists of people who might be susceptible to being recruited or extorted.”

Many experts believe the breach that exposed tens of millions user accounts at AshleyMadison.com — an infidelity site that promises to hook up cheating spouses — originated from or was at least assisted by an insider at the company. Interestingly, on June 25, 2015 — three weeks before news of the breach broke — a member on a related secret data-trading forum called the “Gentlemen’s Club” solicits “data and service” related to AshleyMadison, saying “Don’t waste time if you don’t know what I’m talking about. Big job opportunity.”

On June 26, 2015, a forum member named "Diablo" requests data and services related to AshleyMadison.com.

On June 26, 2015, a “Gentlemen’s Club” forum member named “Diablo” requests data and services related to AshleyMadison.com.

Cybercrime forums like Enigma vet new users and require non-refundable deposits of virtual currency (such as Bitcoin). More importantly, they have strict rules: If the forum administrators notice you’re not trading with others on the forum, you’ll soon be expelled from the community. This policy means that users who are not actively involved in illicit activities — such as buying or selling access to hacked resources — aren’t allowed to remain on the board for long. Continue reading

Adobe Flash Patch, Plus Shockwave Shocker

September 21, 2015

Adobe has released a critical software update to fix nearly two-dozen security holes in its Flash Player browser plugin. Separately, I want to take a moment to encourage users who have Adobe Shockwave Player installed to finally junk this program; turns out Shockwave — which comes with its own version of Flash — is still many versions behind in bundling the latest Flash fixes.

brokenflash-aIf you use and need Flash Player, it’s time to update the program (the latest version is 19.0.0.185 for Windows and Mac users). Google Chrome and Internet Explorer bundle their own versions of Flash (also now at v. 19.0.0.185); each should auto-update to the latest. Find out if you have Flash installed and its current version number by visiting this page.

Adobe said it was unaware of any exploits in the wild for the vulnerabilities fixed in this Flash release. Nevertheless, I would recommend that if you use Flash that you strongly consider removing it, or at least hobbling it until and unless you need it. Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

SHOCKWAVE SHOCKER

In other Adobe patch news, on Sept. 8, 2015 I urged readers who have the Shockwave media player installed to update to the latest version or else junk the program altogether. In a post more than a year ago, I outlined Why You Should Ditch Adobe Shockwave, noting that the program bundles a component of Adobe Flash that was more than 15 months behind on security updates. Continue reading

Inside Target Corp., Days After 2013 Breach

September 21, 2015

In December 2013, just days after a data breach exposed 40 million customer debit and credit card accounts, Target Corp. hired security experts at Verizon to probe its networks for weaknesses. The results of that confidential investigation — until now never publicly revealed — confirm what pundits have long suspected: Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store.

targetsmashAccording to an internal corporate report obtained by KrebsOnSecurity, Target commissioned the study “in anticipation of litigation” from banks that might join together to sue the retailer in a bid to recoup the costs of reissuing cards to their customers. Last week, a federal judge cleared those claims to go forward in a class action suit.

The Verizon assessment, conducted between December 21, 2013 to March 1, 2014, notably found “no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.”

The report noted that Verizon consultants were able to directly communicate with point-of-sale registers and servers from the core network. In one instance, they were able to communicate directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.

Verizon’s findings lend credence to the working theory about how hackers initially broke into Target. In February 2014, KrebsOnSecurity was the first to report that investigators had zeroed in on the source of the breach: Fazio Mechanical, a small heating and air conditioning firm in Pennsylvania that worked with Target and had suffered its own breach via malware delivered in an email. In that intrusion, the thieves managed to steal the virtual private network credentials that Fazio’s technicians used to remotely connect to Target’s network.

Verizon’s report offers a likely playbook for how the Target hackers used that initial foothold provided by Fazio’s hack to push malicious software down to all of the cash registers at more than 1,800 stores nationwide.

Target spokesperson Molly Snyder would neither confirm nor deny the authenticity of the documents referenced in this report, but she maintained that Target has made great strides and is now an industry leader on cybersecurity.

“We’ve brought in new leaders, built teams, and opened a state-of-the-art cyber fusion center,” Snyder said. “We are proud of where we stand as a company and will be absolutely committed to being a leader on cybersecurity going forward.”

Snyder said Target believes “that sharing accurate and actionable information – with consumers, policy makers, and even other companies and industries – will help make all of us safer and stronger,” she said in an emailed statement. “Sometimes that means providing information directly to consumers, other times that means sharing information about possible industry threats with other companies or through our participation in the Financial Services and Retail Information Sharing and Analysis Centers (ISACs), and sometimes that means working with law enforcement. What we don’t think it means is continuing to rehash a narrative that is nearly two years old.”

A high-level graphic showing the various routes that Verizon penetration testers were able to use to get all the way down to Target's cash registers in 2013 and 2014.

A high-level graphic showing the various routes that Verizon penetration testers were able to use to get all the way down to Target’s cash registers in 2013 and 2014.

THE ROLE OF DEFAULT AND WEAK PASSWORDS

The report notes that “while Target has a password policy, the Verizon security consultants discovered that it was not being followed. The Verizon consultants discovered a file containing valid network credentials being stored on several servers. The Verizon consultants also discovered systems and services utilizing either weak or default passwords. Utilizing these weak passwords the consultants were able to instantly gain access to the affected systems.”

Default passwords in key internal systems and servers also allowed the Verizon consultants to assume the role of a system administrator with complete freedom to move about Target’s sprawling internal network.

“The Verizon security consultants identified several systems that were using misconfigured services, such as several Microsoft SQL servers that had a weak administrator password, and Apache Tomcat servers using the default administrator password,” the report observes. “Through these weaknesses, the Verizon consultants were able to gain initial access to the corporate network and to eventually gain domain administrator access.”

Within one week, the security consultants reported that they were able to crack 472,308 of Target’s 547,470 passwords (86 percent) that allowed access to various internal networks, including; target.com, corp.target.com; email.target.com; stores.target.com;  hq.target.com; labs.target.com; and olk.target.com. Continue reading