Category: Alerts

Categories
Alerts

Banks Enact New Security Solutions to Safeguard ATMs

b2ap3_thumbnail_atm_best_practices_400.jpg All across the United States, banks are rolling out ATM improvements to help boost the security of their members by utilizing mobile devices. While these measures will undoubtedly help, they aren’t enough to fix all of the vulnerabilities that ATMs suffer from without some vigilance on the user’s part.

What is Being Done
Wells Fargo launched an initiative that allows their members to access their accounts via automated teller machines, without the use of their ATM cards. By utilizing the bank’s mobile application, an account holder can receive a temporary code that will grant them access to a Wells Fargo ATM when paired with a personal identification number.

While Wells Fargo is the first bank to incorporate app-based access to all 13,000 of their ATMs, other banks aren’t far behind. Chase, Bank of America, and Citigroup have also begun to incorporate similar functions into some of their ATMs.

This isn’t the end of improvements to Wells Fargo’s ATMs, either. Wells Fargo is making the necessary additions to allow members to utilize near-field communication (NFC). By doing so, bank members won’t even need their card to access the ATM. Instead, their mobile device prompts them to scan their fingerprint and enter their pin. So far, about 40 percent of the bank’s ATMs are equipped for this functionality.

Why These Advancements Might Help
Advancements like these are sure to help boost the user’s account security while they utilize these machines to handle their finances. Criminals have been getting more clever in their schemes, and it shows. There were six times as many ATMs that were compromised in 2015 than in 2014.

Scammers now use spy cameras and card skimmers in tandem to collect the information they need to gain access to a bank member’s accounts. These skimmers are able to be inserted directly into the ATM’s card reading mechanism, where it is almost impossible to detect their presence. The same can be said of the pinhole cameras that criminals will use to capture a user’s PIN number. These tiny devices are remarkably difficult to spot.

Worse yet, criminals will often damage machines that don’t have their devices inserted, forcing users into their trap. If you see a row of ATMs with only one in working order, it’s best to give that one a pass.

If you think that a user is safe if they were to use a chip-based card, rather than the magnetic strip, you’d be mistaken. Much as they capture the information from a card’s magnetic strip, scammers have a method to do the same with the card’s onboard chip. Known as “shimming,” this approach is rare but will likely only increase in popularity as more transactions are made with the chip functionality. Plus, these chip-based cards still have the magnetic strip as well, tempting many to swipe away their security.

A Few Issues That Remain
Unfortunately, there are still factors that make ATM machines an effective vehicle for scammers. First of all, many of these new security features were added to the ones already present in the ATMs, rather than replacing them. For instance, while Wells Fargo ATMs will permit the use of a temporary PIN, they will still allow account access through the less secure methods as well. Not to mention that out of a total of 70 million members, there are only 20 million Wells Fargo app users. This means that there are 50 million bank members who aren’t even using the features.

This is assuming that those 20 million app users will make use of them, anyways. Habits are hard to break, so many account holders will likely continue to carry and swipe their ATM cards, despite having a more secure way to access their accounts.

What Should You Do?
Whether you’re dealing with the accounts for your business, or your personal finances, keep security in mind whenever you happen to use an ATM, and take advantage of the improved, more secure processes that are available to you. At the very least, shield your PIN number with your other hand as you input it into the machine.

Is it worth potentially allowing a criminal to access your (or your business’) accounts? Share your thoughts with us in the comments!

Categories
Alerts

Alert: LastPass Vulnerability Found. Is Any Password Manager Safe?

b2ap3_thumbnail_last_pass_leak_400.jpg Thanks to one of Google’s researchers with the Zero Day Project, it has been discovered that LastPass has a major vulnerability as a result of a major architectural problem. This news comes on the heels of many other flaws the same researcher discovered within LastPass. However, based on what the researcher claims, these vulnerabilities were much less serious than his latest discovery.

After having “an epiphany in the shower,” Tavis Ormandy realized that the latest version of the password manager’s browser extension is subject to a flaw that allows some malicious websites to have their way with the user’s system. Otherwise, the vulnerability allows malicious websites to steal the user’s passwords from behind LastPass’ protections. Unfortunately, this vulnerability seems to be present in the extensions for every major browser on Windows and Linux, and is most likely present for Mac users as well.

Making this vulnerability even more significant, the vulnerability only requires the extension to be installed in order for it to be exploited. A user could be logged out and still be subject to receiving malicious code from the website they’re visiting.

To their credit, LastPass is committed to resolving this issue, acknowledging Ormandy’s report a mere hour after he submitted it. Two days later, LastPass released a blog post going over these events and offering a few recommendations:

  • Launch websites from the LastPass vault: To retain the highest level of security as possible, it’s better to access websites from the LastPass vault itself.
  • Use Two-Factor Authentication wherever possible: This will add an extra layer of security to prevent leaked credentials from granting easy access to your accounts.
  • Keep an eye out for phishing attacks: Clicking on a malicious link is a great way to hand over your access credentials to malicious entities, so before you click on a link in a received message, take a moment to ask yourself if the link makes sense to be coming from who allegedly sent it.

LastPass has also been vocal in their appreciation for people like Ormandy finding issues like these before they are found the hard way. According to Joe Siegrist, cofounder and vice president of LastPass, “We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement.

LastPass now has 90 days before Ormandy and Project Zero release the technical details as part of their disclosure policies. In the meantime, it would be prudent to take LastPass’ advice to heart for the sake of your own network security.

To ensure your credentials are protected, and to schedule a full security audit, contact COMPANYNAME at PHONENUMBER. 

Categories
Alerts

Alert: 33.7 Millions Records Released to Public Due to Leak of Massive Marketing Database

b2ap3_thumbnail_do_you_have_a_data_leak_400.jpg In recent news, millions of records containing personal information were made available to the public in a sizable data leak, providing potential scammers with plenty of information to utilize in their schemes. These records were all part of a 53 GB database that was available for purchase from Dun & Bradstreet, a business service firm.

The database contained information that could be of great use to hackers and marketers alike, as it outlined corporate data for businesses within the United States, providing professional details and contact information for members at every level of the businesses included.

Dun & Bradstreet released a statement via email in an attempt to remove the firm from any responsibility. According to the firm, there was no evidence of a breach on their systems. The email also pointed out that the leaked data was sold to “thousands” of other companies, and that the leaked data seemed to be six months old. In essence, Dun & Bradstreet’s position was “not our fault.,” and that there was little cause for worry, as the list only contained “generally publicly available business contact data.”

However, not everyone feels that the responsibility for this event can be passed off so easily, especially considering the nature of the data found on the database.

Troy Hunt manages Have I Been Pwned, a data leak alert site that allows a user to reference one of their accounts to determine if their credentials have been compromised. He offered up his own take after reviewing the database for himself. Hunt’s analysis revealed that the organizations with the most records in the database were:

  • The United States Department Of Defense: 101,013
  • The United States Postal Service: 88,153
  • AT&T Inc.: 67,382
  • Wal-Mart Stores, Inc.: 55,421
  • CVS Health Corporation: 40,739
  • The Ohio State University: 38,705
  • Citigroup Inc.: 35,292
  • Wells Fargo Bank, National Association: 34,928
  • Kaiser Foundation Hospitals: 34,805
  • International Business Machines Corporation: 33,412

If this list alarms you, you have the right idea. In his comments, Hunt brought up a few concerns that he had with the contents of the database out in public.

First of all, this list is essentially a guidebook for someone running a phishing campaign. A resourceful scammer could easily use the information contained in this list (including names, titles, and contact information) to create a very convincing and effective campaign. Furthermore, the most common records in the leaked database were those of government officials and employees. Hunt went so far as to mention which personnel records could be found in the database for the Department of Defense: while “Soldier” was the most common, the list also included “Chemical Engineer” and “Intelligence Analyst” entries.

In his response, Hunt asked a very important question: “How would the U.S. military feel about this data – complete with PII [personally identifiable information] and job title – being circulated?” With the very real threat of state-sponsored hacking and other international cyber threats in mind, Hunt brought up the value this list would have to a foreign power that isn’t fond of the U.S.

Finally, Hunt cited the chances of this data being recovered to be at a firm “zero” percent.

In short, despite the reassurances from Dun & Bradstreet, this database going public could present some very real dangers to any businesses included in it.

If you’re worried that your business may be vulnerable, there are two things you should do. First, you should see if your data has been exposed by checking Hunt’s site, Have I Been Pwned . Second, you should reach out to us at COMPANYNAME, so we can help keep you secured against threats like this and others. Give us a call at PHONENUMBER.

Categories
Alerts

Tip of the Week: Here’s Your PC’s Wish List for National Clean Out Your Computer Day

b2ap3_thumbnail_embrace_clean_your_pc_day_400.jpg Do you know what today is? It’s National Clean Out Your Computer Day! This means that there is no time like the present to make sure that you’re taking good care of your business’s technology assets. In honor of this day, we’ll discuss ways in which you can take better care of your technology.

Consider Your Unused Applications
It’s inevitable that your organization will stop using certain applications as time goes on. Maybe they’re just not necessary anymore, or they became outdated and you replaced them with better, more efficient solutions. Regardless, it’s important to make sure that you’re not paying for software that you no longer use, so make sure that you routinely uninstall software that fits this description. It’s a best practice to evaluate whether or not you need software that’s only used once or twice every couple of months.

Be Ready to Update Your Software
If you want to make sure that your PC is operating at maximum capacity, you need to keep your software updated. Patches and updates are designed with two purposes in mind: 1) Shore up weaknesses in security protocol, and 2) Improve the performance of the software. This is why it’s so important to make sure that you always keep your software up to date. Just be sure that all of your legacy apps don’t suffer from compatibility issues before upgrading to the latest versions, so reach out to COMPANYNAME before making the jump.

Run Defrag Software
Do you ever wonder what happens when you save and delete files, or move them from place to place on your hard drive? Pieces of your data wind up being stored in various locations, which makes it more difficult for your computer to effectively gather and open them when the need arises. Defragging your hard drive essentially gathers all of these pieces of data and places them where they originated, thus improving PC performance. Keep in mind that defragging only applies to hard disc drives, not solid state drives. Also, if you’re running a newer version of Windows, then you don’t have to worry about defragging because Windows will automatically do this for you when the drive isn’t in use. Defragging software is a great way to negate trouble, but if you’re hesitant to try this yourself, be sure to reach out to COMPANYNAME.

Clear Your Workstation of Dust
Dust collects over time, so it’s in your best interest to clear it before it can cause damage to your workstation. A can of compressed air can help you blow away the dust that collects around vents and fans on your computer. Also be sure to turn your keyboard upside down and shake it to clear away skin particles and food crumbs that may have fallen into it.

Remember Your Computer’s Insides
Before cleaning your PC’s insides, make sure that you properly shut down your computer and unplug it from the wall. If you’re not in the habit of peeking inside your computer, you may be surprised to see it coated in a layer of dust. This dust comes from the computer’s fans, and it can cause some serious performance issues, like overheating and computer crashes. Take a can of compressed air and blow away any dirt or dust that persists within. Also of note is that you should never touch components with just your bare hands, as the oil on your fingers could potentially cause damage. We’d prefer that you reach out to a trusted technician like those at COMPANYNAME before trying any internal maintenance yourself.

If all of this sounds like too much work, well… we can’t blame you. After all, you have a business to run. What you can do is reach out to COMPANYNAME and have our trusted technicians take good care of your technology. To learn more, reach out to us at PHONENUMBER.