Equifax says 143m Americans’ social security numbers exposed in hack

Credit monitoring company Equifax says a breach exposed the social security numbers and other data of about 143 million Americans.

After discovering the breach, but before notifying the public, three Equifax senior executives sold shares in the company worth almost $1.8m. Since the public announcement, the company’s share price has tumbled.

The Atlanta-based company said Thursday that “criminals” exploited a US website application to access files between mid-May and July of this year.

It said consumers’ names, social security numbers, birth dates, addresses and, in some cases, driver’s license numbers were exposed. Credit card numbers for about 209,000 US consumers were also accessed.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said the company’s chairman and CEO Richard Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

The company said hackers also accessed some “limited personal information” from British and Canadian residents.

Equifax said it doesn’t believe that any consumers from other countries were affected.

Such sensitive information can be enough for crooks to hijack people’s identities, potentially wreaking havoc on the victims’ lives.

Financial institutions, landlords and other businesses draw on data from credit monitoring companies like Equifax to verify people’s identity and ensure they are suitable for leases and loans. This breach has given cybercriminals a treasure trove of data to assume the identities of those affected and carry out fraudulent transactions in their name.

“On a scale of one to 10, this is a 10 in terms of potential identity theft,” said Gartner security analyst Avivah Litan. “Credit bureaus keep so much data about us that affects almost everything we do.”

Ryan Kalember, from cybersecurity company Proofpoint, said: “This has really called into question the entire model of how we authenticate ourselves to financial institutions. The fact that we still use things like mother’s maiden name, social security number and date of birth is ridiculous.”

The breach could also undermine the integrity of the information stockpiled by two other major credit bureaus, Experian and TransUnion, since they hold virtually all the data that Equifax does, Litan said.

Equifax discovered the hack on 29 July, but waited until Thursday to warn consumers. In the interim, as first reported by Bloomberg, chief financial officer John Gamble sold shares worth $946,374 and president of US information solutions Joseph Loughran exercised options to sell stock worth $584,099. President of workforce solutions Rodolfo Ploder also sold stock worth $250,458.

Ines Gutzmer, head of corporate communications for Equifax, said: “The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares.”


A Look at Romanian ‘Hackerville’ Reveals Human Element of Cybercrime

“Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Cybercrime is often thought of as something that only happens within the generalized, invisible space of the internet. It is seen as virtual rather than physical, and those who commit cybercrime are thought of as anonymous individuals whose activities are all within the confines of the web. Run an image search for “hacker” or “cybercriminal” and you will see plenty of pictures of people with their faces hidden by hoods or masks, sitting alone in a dark room in front of a computer. But what if, instead of a hooded loner, the universal image of cybercrime was that of a group of neighbors in an impoverished part of the world, gathered together at a local cafe?

The latter is a new picture of cybercrime that researchers Jonathan Lusthaus and Federico Varese hope to make more people aware of in their recent paper “Offline and Local: The Hidden Face of Cybercrime.” The co-authors, working on the Human Cybercriminal Project out of the sociology department of the University of Oxford, traveled to Romania in 2014 and 2015 to study the oft-ignored real-world aspect of cybercrime in an area known to be a hub for one specific form of this crime—cyber fraud.

“Hackerville”

The town of Râmnicu Vâlcea, which has a population of around 100,000, has faced some economic setbacks in the last decade, including the loss of a major employer, a chemical plant; in addition, the average monthly salary in Romania as a whole (in 2014) was only €398 compared to €1,489 across the European Union. However, upon arriving in town, Lusthaus and Varese found themselves surrounded by luxury cars, “trendy” eateries, and shopping malls stocked with designer clothes and electronics. Though Râmnicu Vâlcea is poor “on paper,” the town seemed to be thriving, and interviews with Romanian law enforcement agents, prosecutors, cybersecurity professionals, a journalist, a hacker, and a former cybercriminal would soon give the researchers a clue as to why that might be.

“It was rumored that some 1,000 people (in Râmnicu Vâlcea) are involved almost full-time in internet fraud,” Varese told me, explaining why the town sometimes nicknamed “Hackerville” became a key target of their research (although the authors point out, in their paper, that the more accurate term would be “Fraudville,” as scams are focused more on the sale of fake goods than hacking or the spread of malware).

Varese said major findings from their interviews in Râmnicu Vâlcea as well as the Romanian cities of Bucharest and Alexandria were that cybercriminals knew each other and interacted with each other at local meeting spots offline, such as bars and cafes; that they operated in an organized fashion with different people filling different roles; that many in the town were aware of the organized crime but either didn’t say anything or sought to become involved themselves; and that there have been several cases throughout the years of corrupt officials, including police officers, who accepted bribes from the fraudsters and allowed them to perpetuate their schemes without interference.

“These are almost gangs,” Varese said. “They are not the individual, lonely, geeky guy in his bedroom that does the activities, but it’s a more organized operation that involves some people with technical skills and some people who are just basically thugs.”

The paper describes a culture of local complacency, often under threat of violence by a network of seasoned cybercriminals. This picture is far from that of the anonymous, faceless hacker many have come to envision, and instead reveals how internet crime can become embedded in specific populations.

“Most people think of cybercrime as being a global, international sort of liquid problem that could be anywhere and could come at you from anywhere,” Varese said. “In fact, the attacks—the cybercrime attacks or the cyber fraud—really come from very few places disproportionately. So cybercrime is not randomly distributed in the world. It’s located in hubs.”

Cultural and Human Factors

I asked Varese two major questions—why Romania and why cybercrime, as opposed to other forms of profitable crime? He responded that a look at the country’s history reveals why, instead of weapons or drugs, criminals in Romania might turn instead to their computers.

“Romania is a very special place. Mainly because, during the dictatorship of Nicolae Ceaușescu—that was the communist dictator that ruled Romania from the 60s to the 90s—he emphasized the importance of technical education, and especially IT,” Varese explained. “There was a very good technical basis among people. When the internet arrived, a lot of Romanians built up their own micro-networks. And so it turns out that when the regime fell, Romania turned out to be a country which was very, very well-connected.”

The high level of technical education, combined with a high level of poverty and a high level of corruption—as shown in the paper, which points out that Romania’s score on Transparency International’s 2016 Corruption Perceptions Index is only 48 out of a possible 100—created a perfect storm for a culture of cybercrime to grow, Varese said.

But Romania is not the only place where cybercrime is highly concentrated and where online activities are strongly tied to offline factors. Varese identifies Vietnam in Asia, Nigeria in Africa and Brazil in the Americas as three other cybercrime hubs. Varese and his coauthor also plan to take their future research to Eastern Europe, where “corruption and the technical and economic legacy of communism” have created “a highly conducive environment for cybercrime,” their paper states.

Varese hopes this sociological research will help authorities recognize and manage the human element of cybercrime that is often ignored in the fight against online threats.”


This $18 key can protect you from hackers

By now you’ve probably heard you should be using two-factor authentication, often called 2FA, to log in to your accounts. If you’re using 2FA, you need an additional code to access your email, Facebook or other accounts. This is often sent via SMS, which may not be the most secure.

For instance, if you request a texted code, it could be intercepted by someone snooping on your mobile network or a hacker who has convinced a mobile operator to redirect your phone number. Further, when you don’t have cell service, you can’t get the text.

YubiKey, created by Yubico, is one solution. The $18 key connects to a USB port on your computer and tells a service, like Gmail, that you are you.

You simply plug it into your computer, touch it and your identity is authenticated. It automatically creates a one-time-use password to log in to an account, and because it’s a physical key, data can’t be intercepted in transit.

Security researchers say YubiKey is the best method to protect yourself from phishing, a common tactic that tricks a person into thinking a malicious message was sent by someone they trust.

Usually phishing attacks are used to gain access to your personal information, like emails or bank accounts.

Facebook added support for the security key in January.

“We added support for U2F Security Keys because they offer the best possible account protection against the potential risk of phishing,” Facebook security engineer Brad Hill said in a statement to CNN Tech.

It takes just minutes to set it up with services like Facebook and Gmail, which let you add it under Security Settings.

“Security is the biggest issue on the internet,” Yubico CEO Stina Ehrensvard said. “For the internet to be secure … it should be the users who own and monitor and control what data they want to provide.”


Ancestry.com Helps Family of Dead Boy Find Man Posing as Him

“A Pennsylvania man who assumed the identity of a baby who died in Texas in 1972 has been arrested on charges of Social Security fraud and aggravated identity theft after the baby’s aunt discovered the ruse on Ancestry.com.

Jon Vincent, 44, was arrested in Lansdale, near Philadelphia, on Monday, but had also lived near Pittsburgh and York, Pennsylvania since 2003 — after first obtaining a Social Security card in the name Nathan Laskoski in 1996, federal prosecutors said. Vincent remained jailed Wednesday, when a federal magistrate ordered him to appear for arraignment May 2.

The real Nathan Laskoski died in December 1972, two months after he was born near Dallas. Vincent stole the dead child’s identity after escaping from a Texas halfway house in March 1996, and used the dead baby’s identity to start another life, prosecutors said. The Texas conviction was for indecency with a child, though the precise sentence Vincent was serving wasn’t immediately clear, said Michele Mucellin, a spokeswoman for the U.S. Attorney’s Office in Philadelphia.

Vincent also lived in Mississippi and Tennessee under his assumed name, holding jobs, getting drivers’ licenses and even getting married and divorced as Laskoski before the scheme unraveled late last year, according to online court records.

That’s when Laskoski’s aunt did a search on Ancestry.com, a genealogy website.

In researching her family tree, Nathan Laskoski’s name came up as a “green” leaf on the website, which led to public records suggesting he was alive. The aunt told Laskoski’s mother, who did more research and learned that someone had obtained a Social Security card under her son’s name in Texas, as well as finding public marriage and divorce records. Laskoski’s mother filed an identity theft complaint with the Social Security Administration.

An investigator from the SSA’s Office of Inspector General took it from there in January, court records show.”


Miami Student Sentenced for Cyberstalking on Facebook and Instagram

“A Miami student was sentenced yesterday for cyberstalking on Facebook and Instagram.

Wifredo A. Ferrer, United States Attorney for the Southern District of Florida, and George L. Piro, Special Agent in Charge, Federal Bureau of Investigation (FBI), Miami Field Office, made the announcement.

Kassandra Cruz, 23, of Miami, Florida, was sentenced by U.S. District Judge Frederico A. Moreno to 22 months in prison, followed by three years of supervised release, a $100 special assessment, and $2,178.32 in restitution, stemming from her conviction on one count of cyberstalking, in violation of Title 18, United States Code, Section 2261(A)(2)(B).

According to court documents, beginning in June 2015, victim “S.B.” received a “friend” request from Cruz on her Instagram and Facebook accounts. In an effort to gain “S.B.’s” friendship, Cruz created a false persona on her Instagram account wherein she portrayed herself as a male who was an active duty U.S. Marine. Under that ruse, “S.B.” accepted the friend request.

From late June 2015 until September 2015, Cruz, posing as Giovanni, “liked” and commented on pictures “S.B.” posted on both her Instagram and Facebook accounts. However, when “S.B.” noticed that Cruz had begun “following” and “liking” all of her friends’ pages and posts, she became suspicious and “blocked” and “unfollowed” Cruz from her social media accounts.

As a result, Cruz threatened that “S.B.” would face repercussions at her job and with her family if she did not comply, and specifically threatened to expose “S.B.’s” past via social media. The threats to “S.B.” persisted from Cruz on social media and later via text messaging, and Cruz ultimately demanded on multiple occasions $100,000 in exchange for no further contact, adding that she “knew where “S.B.’s” family lived and they should watch their backs because someone would be heading to…to deal with them.” In total, “S.B.” received over 900 unwanted calls and text messages since the beginning of 2016, and the extortionate and threatening messages continued until late April 2016. Ultimately, Cruz was arrested and taken into custody during a pre-arranged meeting in Miami.

Mr. Ferrer commended the investigative efforts of the FBI. This case is being prosecuted by Assistant U.S. Attorneys Jodi L. Anton and Francis Viamontes.”


Florida duo nabbed in multi-state debit card skimming operation

“Alabama Attorney General Luther Strange, joined by Ozark Police Chief Marlos Walker and Baldwin County Sheriff’s Office representatives, announced the arrests of two individuals for their role in an apparent multi-state debit card skimming scheme that bilked unsuspecting victims in Alabama and surrounding states of thousands of dollars.

On Dec. 21, Reiner Perez Rives, 34, and Eunises Llorca Meneses, 30, both of the Orlando, Florida area, were apprehended by deputies of the Baldwin County Sheriff’s Office and investigators of the Attorney General’s Office.

Rives and Meneses face charges from the Baldwin County Sheriff’s Office for trafficking in stolen identities, identity theft and an illegally obtained or an illegally possessed credit card.

Rives also awaits 15 counts of identity theft to be served by the Ozark Police Department. Additional charges may be filed in both jurisdictions and in surrounding states pending further review of recovered evidence and the identification of other victims.

On Dec. 13, the Ozark Police Department contacted investigators of the Alabama Attorney General’s Office seeking assistance in solving approximately eight identity theft cases that had occurred within two days.

Investigators traced five of the thefts to a local gas station where a skimming device wrapped in electrical tape was bundled with wires inside a gas pump. The two suspects were later identified after one of the victims’ debit cards was traced to an unauthorized purchase at a Bristol, Virginia, gas station.

A surveillance video of the suspect’s license plate revealed a rental car linked to Rives. Attorney General investigators, working with the Ozark Police Department, tracked Rives and Meneses to Texas.

The suspects were apprehended as they traveled back through Alabama by the Baldwin County Sheriff’s Office, which was alerted by the Attorney General’s Office.

The Baldwin County Sheriff’s Office and agents of the Attorney General’s Office seized from the suspects $6,490 in cash, 39 stolen debit card numbers with PINs and an additional 315 gift cards with an undetermined amount of personal information. Rives and Meneses are currently being held in the Baldwin County jail.”


New cloud attack takes full control of virtual machines with little effort

“The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It’s a technique that’s so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment.

Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit.

Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer.”


Safe Online Surfing Internet Challenge

What do more than 870,000 students across the nation have in common?

Since 2012, they have all completed the FBI’s Safe Online Surfing (SOS) Internet Challenge. Available through a free website at https://sos.fbi.gov, this initiative promotes cyber citizenship by teaching students in third through eighth grades how to recognize and respond to online dangers through a series of fun, interactive activities.

Anyone can visit the website and learn all about cyber safety, but teachers must sign up their school to enable their students to take the exam and participate in the national competition. Once enrolled, teachers are given access to a secure webpage to enroll their students (anonymously, by numeric test keys) and request their test scores. E-mail customer support is also provided. Top-scoring schools each month are recognized by their local FBI field office when possible. All public, private, and home schools with at least five students are welcome to participate.

Now entering its fifth season, the FBI-SOS program has seen increased participation each year. From September 2015 through May 2016, nearly a half-million students nationwide finished the activities and took the exam. We look forward to even more young people completing the program in the school year ahead. The challenge begins September 1.


Victimized by a Cyber Scammer?

“Today, the FBI’s Internet Crime Complaint Center (IC3) is embarking on a campaign to increase awareness of the IC3 as a reliable and convenient reporting mechanism to submit information on suspected Internet-facilitated criminal activity to the FBI. As part of the campaign, digital billboards featuring the IC3’s contact information are being placed within the territories of a number of Bureau field offices around the country.

While the number of complaints being reported to the IC3 did increase in 2015 from the previous year, anecdotal evidence strongly suggests that there are many other instances of actual or suspected online frauds that are not being reported, perhaps because victims didn’t know about the IC3, were embarrassed that they fell victim to a scammer, or thought filing a complaint wouldn’t make a difference. But the bottom line is, the more complaints we receive, the more effective we can be in helping law enforcement gain a more accurate picture of the extent and nature of Internet-facilitated crimes—and in raising public awareness of these crimes.

The FBI field offices taking part in the billboard campaign include Albany, Buffalo, Kansas City, Knoxville, New Orleans, New York City, Phoenix, Oklahoma City, Salt Lake City, and San Diego. They were selected because they house multi-agency cyber task forces that participate in an IC3 initiative called Operation Wellspring. This initiative connects state and local law enforcement with federal cyber resources and helps them build their own cyber investigative capabilities, which is important because not all Internet fraud schemes rise to the level necessary to prosecute them federally. We hope to expand Operation Wellspring to other FBI offices in the future.”


Ransomware Hackers Blackmail U.S. Police Departments

Cyber criminals who have forced U.S. hospitals, schools and cities to pay hundreds of millions in blackmail or see their computer files destroyed are now targeting the unlikeliest group of victims — local police departments.

Eastern European hackers are hitting law enforcement agencies nationwide with so-called “ransomware” viruses that seize control of a computer system’s files and encrypt them. The hackers then hold the files hostage if the victims don’t pay a ransom online with untraceable digital currency known as Bitcoins. They try to maximize panic with the elements of a real-life hostage crisis, including ransom notes and countdown clocks.

If a ransom is paid, the victim gets an emailed “decryption key” that unlocks the system. If the victim won’t pay, the hackers threaten to delete the files, which they did last year to departments in Alabama and New Hampshire. That means evidence from open cases could be lost or altered, and violent criminals could go free.

Since 2013, hackers have hit departments in at least seven states. Last year, five police and sheriff’s departments in Maine were locked out of their records management systems by hackers demanding ransoms.

Ransomware crimes on all U.S. targets are soaring. In just the first three months of 2016, attacks increased tenfold over the total for the entire previous year, costing victims more than $200 million. Authorities stress that this number only represents known attacks. One federal law enforcement official told NBC News that the “large majority” of attacks go unreported.

The viruses, most of which come from Russia and Eastern Europe, are typically so impenetrable that even FBI agents have at times advised victims to just pay up and get their data back.
