identitytheft
Latest
Amazon, Apple stop taking key account changes over the phone after identity breach
By now, you may have heard the story of the identity 'hack' perpetrated against Wired journalist Mat Honan. Using easily obtained data, an anonymous duo bluffed its way into changing his Amazon account, then his Apple iCloud account, then his Google account and ultimately the real target, Twitter. Both Amazon and Apple were docked for how easy it was to modify an account over the phone -- and, in close succession, have both put at least a momentary lockdown on the changes that led to Honan losing much of his digital presence and some irreplaceable photos. His own publication has reportedly confirmed a policy change at Amazon that prevents over-the-phone account changes. Apple hasn't been as direct about what's going on, but Wired believes there's been a 24-hour hold on phone-based Apple ID password resets while the company marshals its resources and decides how much extra strictness is required. Neither company has said much about the issue. Amazon has been silent, while Apple claims that some of its existing procedures weren't followed properly, regardless of any rules it might need to mend. However the companies address the problem, this is one of those moments where the lesson learned is more important than the outcome. Folks: if your accounts and your personal data matter to you, use truly secure passwords and back up your content. While Honan hints that he may have put at least some of the pieces back together, not everyone gets that second chance.
Google Wallet gets prepaid security fix, but 'brute-force' issue still hangs in the air
Google says it's fixed a Wallet security flaw that potentially allowed a phone thief to spend a user's prepaid balance. The ability to provision new prepaid cards had been suspended pending the update, but has now been restored. Things aren't quite back to normal in the Big G's world of mobile money, however. Users still find themselves caught between two competing arguments over an entirely different vulnerability, which involves a 'brute-force' attack on rooted devices. Google insists that this isn't a major concern, so long as Wallet users refrain from rooting, and that the system still "offers advantages over the plastic cards and folded wallets in use today." On the other hand, the company that discovered this issue -- zvelo -- has come back at Google with an equally blunt response. It acknowledges that a handset must be rooted to be vulnerable, but crucially its researchers also say that a device doesn't have to be rooted before it's stolen. In other words, they allege that a savvy thief can potentially steal a phone and then root it themselves, and they won't be happy with Wallet until it requires longer PIN number. Whichever argument sways you, it's worth bearing in mind that there's no evidence that anyone has yet managed to exploit these weaknesses for criminal purposes.
Provisioning for prepaid Google Wallet cards on hold while PIN-related security hole gets fixed
Remember that Google Wallet exploit from a few days ago? The one that would allow 'brute-force' PIN attacks, but only on rooted Android devices? Well, another PIN-related security hole was discovered soon after, putting even non-rooted Androids at risk. As Android Central points out, should your phone make its way into the wrong hands, your Google Wallet PIN number could be reassigned, allowing access to the prepaid account attached to the phone itself -- yikes. As such, the folks at Mountain View have taken action, shuttering provisions to prepaid cards until it finds a permanent fix for the problem. Despite the troubles, Google is sticking by its original tune, stating that Google Wallet offers multiples levels of protection (when used on official builds of Android) that go beyond traditional plastic cards, including your phone's lock screen. There's no estimate on when things will be back to normal, but you'll find Google's assessments and assurances about this situation at the source link below.
DoJ: Stingray cellphone tracking device falls under Fourth Amendment, but don't ask about it
In 2008, federal authorities arrested David Daniel Rigmaiden on charges of spearheading a massive identity theft ring in Arizona. Rigmaiden allegedly led this operation from January 2005 to April 2008, harvesting some $4 million off of more than 1,900 fraudulent tax returns. He was ultimately nabbed, however, thanks in part to controversial, and somewhat mysterious tool known as a "stingray" -- a device that effectively acts as a fake cell tower, allowing authorities to locate and track a cellphone even when it's not being used to place a call. Since his arrest, the 30-year-old Rigmaiden has been battling the feds in the U.S. District Court of Arizona, on allegations that their tracking tactics constituted an unlawful search and seizure, thereby violating his Fourth Amendment rights. For more than a year, the Department of Justice has maintained that the use of stingrays does not violate the Fourth Amendment. When it comes to sending data from a mobile device, the DoJ has argued, users should not have a "reasonable expectation" of privacy. Recently, though, the judge overseeing the case has indicated that he will press the feds for more information on how stingrays actually work -- something the government clearly has no desire to disclose. Prosecutors are so reluctant, in fact, that they may be willing to sacrifice their case against Rigmaiden in order to safeguard the stingray's secrecy. Read more about the latest developments, after the break.
Sony makes good, doles out identity protection activation codes for PSN and Qriocity users
Still feeling burned by Sony's record-breaking PlayStation Network outage? Fret not, promised reparations have arrived: a short form on the PlayStation website is now distributing activation codes for a free year of Debix AllClear ID Plus identity theft protection. The offer is good for all US PSN and Qriocity account holders who activate before June 28th, netting users up to $1 million in identity theft insurance coverage. Feel better? Hit the source link below to get your redemption code.
Sony offers free Debix identify theft protection for PSN and Qriocity hack victims in US
Sony's "Welcome Back" package of free software and PlayStation Plus subscriptions was a nice gesture, but it won't help you if your credit card gets fraudulently charged in the aftermath of the PlayStation Network debacle. That, however, is exactly what Debix is for. Sony's announced that it will provide a complimentary one-year subscription to Debix's "AllClear ID Plus" identity theft protection service to all PlayStation Network and Qriocity account holders in the United States, which will attempt to protect your personal data from harm, by both monitoring known criminal activity for your private digits and providing up to $1 million in ID theft insurance coverage. We've never used Debix, so we can't vouch for its reliability, and this particular plan admittedly doesn't look quite as comprehensive as the one Debix offers regular customers for $10 a month. Still, some peace of mind is a heck of a lot better than none, so we think we might take Sony up on its offer and sign up by the June 18th deadline. If you'd like to join us, you should find an activation code in your inbox before long.
AT&T fixes bug that logged users into random Facebook accounts
Okay, so we were under the impression that Facebook login credentials were a locally-managed affair, but it looks like almost anything can break when AT&T's involved -- according to CNET, the carrier just fixed "several problems" that had users logging into the wrong Facebook account from their phones. The issue was apparently related to subscriber identification numbers being mistranslated into bad URL session IDs, and AT&T says it's taken some security measures to prevent it from happening again, while Facebook's just shut off the automatic login feature that used the ID number entirely. Excellent work all around. Unfortunately, there's also a pesky incident in Atlanta where someone was able to login to another Facebook account from an AT&T phone due to a bad cookie, but AT&T says that was an "isolated" case and that it's "unclear how this cookie was set on the phone." How very reassuring. Back to Friendster!
NY state inserts RFIDs into licenses; citizens next?
What can we say about RFIDs that hasn't already made you afraid? Your passport? Clonable. Your work ID and "secure" credit cards? Yeah, those too. Not scary enough? How about every adult New Yorker walking around with one in their back pocket? It's just a matter of time, as the Empire State's clearly enhanced drivers licenses (says so right on 'em) are now hitting the streets. For $30 on a new one, or $10 if you're looking to upgrade, you can get yourself a radio-wave emitting ID, enabling you to cross the border into Mexico, Canada, or the Caribbean sans-passport. Don't worry, the cards won't be broadcasting any personal information -- just a unique code that the government can use to track your every movement.[Via Crave]
Paper Tyger unveils printable RFID Shield
If you're wondering how the privacy advocates that get shipped off to Japan's wireless island will maintain their sanity, we've got a hunch that they just might look Paper Tyger's way before departing. The aptly-named RFID Shield is reportedly "easily printable" and unsurprisingly aims to protect personal information on contactless credit cards and similar wallet mainstays. Purportedly, the unit contains "a new security barrier to assure that sensitive information contained on the card's RFID chip remains protected when not in use," and can even be fabricated into envelopes or paper sleeves. No word just yet on when this here RFID-shunning technology will be available for purchase, but we're sure at least a small sect of individuals will be clamoring for dibs when it finally goes commercial.
Self-Service Shredder kiosk enables pay-per-use shredding
Hey, we can't fault anyone for taking advantage of mass paranoia, and it seems that Colorado Springs-based JRP Enterprises, Inc. is about to cash in on the growing threat of identity theft. The Self-Service Shredder will be built, distributed, and marketed by RealTime Shredding, and thanks to a recent patent grant, it looks like it'll have exclusive rights to do so. The kiosk sports a 2.5-horsepower motor, LCD display, and has the ability to chew through paper (200 pages per minute, no less), cardboard, credit cards, paper clips, staples, CDs, DVDs, and floppy disks. Current installations include banks, offices, malls, military bases, and schools, and while we're not quite sure how much it'll take to get one in your place of work, those $1 per two minute shredding sessions could really add up.
Your office photocopier could help steal your identity
While we've seen just how to have a Sharp miracle in your office, it now seems that Sharp copiers (along with Xerox and a smorgasbord of others) could become a miraculous find for identify thieves. Given that many all-in-one "bizhubs" of today feature some sort of internal storage device to capture copies, scans, and faxes in case you need to resend the file a week or two later, it's not too surprising to think how such a convenience could be exploited by ill-willed individuals to extract personal information about you and your office mates. Pointing at tax time in particular, it has been suggested that many Americans photocopy sensitive documents that contain all the information needed to jack your ID without even realizing how vulnerable they've made themselves. Both Sharp and Xerox, however, have both released security kits that encrypt the internal data stored on its machines, but if you're using some off-the-wall copier and have noticed something peculiar about that fellow across the hall, stay sharp.
AMBER Alert comes to Kingston's Child ID USB flash drive
Similar to just about every other USB flash drive manufacturer out there, Kingston's renditions aren't any stranger to somewhat superfluous security layers, but the firm's latest thumb drive looks to keep your child safe by teaming up with AMBER Alert. While the kid-protecting service has already been available via SMS, the Child ID Kit allows users to upload a smorgasbord of information about a single child including photos, birthdate, hair / eye color, contact information, nicknames, and even fields for parents to explain gaudy tattoos and embarrassing piercings that should only be divulged when searching for a missing youngster. Sporting 512MB of internal storage, password protection, and obligatory encryption, paranoid guardians can snap up one (or more) now for $29.95 apiece. Still, we're not entirely convinced this ultra-modern edition of the milk carton splash will actually help you find missing kiddos any faster, but at least you won't be forced to go searching for their blood type at inopportune times.[Via Gadgets-Weblog]
Elecom intros skim prevention kit for wallet, cellphone
If you're down with the whole "swipeless" idea, but don't much dig the potential lack of security associated with it, Elecom's coming to the rescue in an attempt to put your paranoia to rest. The Skim Black I lineup of gear consists of a thin, wallet-based card and a not-so-elegant adornment for cellphones (pictured after the jump), both of which eliminate snoopers from jacking your precious information (or identity) by cutting off a reported 99.9-percent of radio waves. To be effective, the skim prevention card must be close to any swipeless cards in your wallet or pocket, while the bulkier SKM-K001 needs to be stuck on the rear of your mobile to effectively destroy the hopes of data thieves (and all stylistic appeal your handset previously had). Both units should be hitting Japan any day, and while the SKM-C001 wallet card will run you ¥1,260 ($11), the cellphone guardian will demand ¥2,310 ($20).[Via AkihabaraNews]
Ireland getting naked e-passports
If you think you're at risk of identity theft and targeted assassination attempts with your new RFID-enabled passport, just think of the Irish for a moment: they started getting e-passports last week that don't even include the little mesh jacket that supposedly keeps our version safe from unauthorized readers. With Dutch and German passports based on the same ICAO guidelines having already been successfully intercepted and decrypted, people are understandably concerned that the US didn't think this policy all the way through before making it a requirement of the Visa Waiver program, and now it seems that some of the affected countries are willing to implement even shoddier security than a type that is already deemed risky. According to Ireland's Department of Foreign Affairs, shielding the new documents is not necessary because they can only be detected when open and close to a reader, even though the general consensus is that the read distance of the chips they're using can be as much as several meters. Apparently the immediate fear is not so much over stolen identities (because of encryption), however, as it is about terrorists being able to use so-called RFID skimmers for targeting groups of people based on their nationality.
Seiko Epson developing tiny fingerprint sensor
With all this paranoia surrounding identity theft, we've seen fingerprint sensors on everything from hard drives to door locks to laptops, but the common feature on all of those is the relative thickness of the device. By "relatively thick," we mean that these current tags would probably bulk up your wallet in a bad way should they ever be used to tag things like credit and debit cards. Seiko Epson is on top of it, however, and are developing a ridiculously thin (0.2mm) fingerprint sensor that will allow mobile devices to be easily secured by biometrics. Potential applications, aside from deterring thieves from swiping your self-authenticating credit card, are tagging cellphones, MP3 players, and essentially anything that can fit into your pocket. The sensor operates by reading the faint electric current that emanates from your fingertip and conveys your specific print pattern for verification -- if it detects somebody trying their best to mimic your phalanges, it deactivates the device, rendering it useless to the perpetrator. While there's a certain sense of security gained by having everything you own equipped with a fingerprint sensor, we can envision that sharing your tagged gadgetry with friends could become tricky, and while Seiko Epson can't quite put a finger on a release date, it's expecting 2010 before this goes full scale.[Via Pink Tentacle]
One Time Password DisplayCard heightens transaction security
While we were a bit skeptical when Chase sent us one of their questionably-secure RFID-equipped "Blink" cards last year, we're gonna be all over a new technology from several companies that actually gives credit cards a heigtened level of security by generating a one-time passcode for each transaction, viewable on an embedded e-ink display. The OTP DisplayCard, as it's being called, was developed by InCard Technologies in conjunction with security firm nCryptone using technology from SiPix Imaging and SmartDisplayer, and is being targeted at financial institutions or at other companies as a replacement for the password-generating key fobs used to enable VPN access to their intranets. While the added security feature would come into play for both online and in-person transactions, it will probably be most useful for Internet purchases, making your credit card info almost worthless to identity thieves who can't get their hands on the card itself. Oh, and to answer the inevitable question: no, these cards will not be able to play Doom.[Via mobileread]
Japan sees sharp decline in cellphone recycling
As cellphones become more than just communication tools, incorporating gaming, multimedia, and PIM features, consumers are growing more and more attached to their handsets -- which is leading to a sharp decline in the number of old phones being recycled. According to a 2005 survey by Japan's Telecommunications Carriers Association, respondents cited both nostalgia and concern over potential data leaks as the main reasons they're holding onto old phones, which helps explain the 30% drop in handsets recovered for recycling from 2003 to 2004. Security concerns are so high that some people are turning to crushing machines which punch a hole through the phone's circuit board, in full view of the customer, rendering it useless. Judging by some of the drawers full of old phones that we've seen right here in the US, this is probably not just a Japanese phenomenon, although a slew of new carriers entering that market next year could exacerbate what some see as a growing problem.[Via textually]
