USPS Informed Delivery Vulnerabilities, Holiday Credit Card Fraud, Huge SMS Database Leak – WB43

This is your Shared Security Weekly Blaze for November 19th 2018 with your host, Tom Eston. In this week’s episode: USPS Informed delivery vulnerabilities, protecting yourself from credit card fraud and a huge SMS database leak.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

Are you using or thinking about using the US Postal Service’s “Informed Delivery” feature?  If so, you’ll want to pay close attention to the recent warning from the US Secret Service which was sent to law enforcement across the country earlier this month. This alert stated that fraudsters are leveraging this feature to surveil potential identity theft victims and references a recent case in Michigan where seven people were arrested for apparently stealing credit cards from mailboxes after registering as those victims for the Informed Delivery service.

Brian Krebs from KrebsOnSecurity.com, who broke the news about the Secret Service alert, has noted that in the past the postal service has had no way to notify residents when someone signed up for the Informed Delivery service at their address. However, earlier this year the postal service corrected this issue by now mailing residents if someone has signed up for Informed Delivery at their address. Unfortunately, this doesn’t solve this problem if fraudsters simply order credit cards to the address before signing up for the service. Once the cards have been ordered the fraudster can then take advantage of the week or so that it takes to get a credit card in the mail to sign up the victim for Informed Delivery.

The other issue with Informed Delivery is that to sign-up for the service you’re asked four knowledge based authentication (or known as “KBA”) questions which typically have answers which can be Googled or found though other searching techniques on the Internet. KBA has been well known for quite some time that it’s not a reliable form of authentication.

So what can you do if you’re concerned about having your address hijacked by a fraudster using Informed Delivery?  Unfortunately, not a lot at this point. Putting a freeze on your credit can help as if someone is trying to set up Informed Delivery in your name, then the KBA process can’t access your credit files. However, Brian Krebs reports that this may not be working for everyone with a credit freeze in place. You may also want to “plant your flag” so to speak by signing up for Informed Delivery before someone else does. When signing up myself I was asked to visit my local post office branch to physically verify me or have a “invitation code” sent to me through the mail. Other than that, you can try to email the postal service to attempt to ‘opt-out’ of Informed Delivery but according to reports, emails are going unanswered and those that have had responses are asking KBA questions that are to be responded through plain text email.  And we all know plain text email is not a secure means of communication.  It’s safe to say that Informed Delivery is quite the mess right now. We’ll be sure to keep you updated of any changes or improvements to the security and privacy of Informed Delivery in future episodes.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.

Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:

• Visibility into workload communication pathways;
• Security policies built on the cryptographic fingerprint of the software;
• The ability to apply policies and segment your networks in one click; and
• A way to continuously monitor and assess risk.

Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

A report last week released by firm Gemini Advisory showed that credit card fraud is still increasing in the US despite the use of new EMV chip-enabled cards. EMV which stands for Europay, Mastercard and Visa; or “chip cards” as they are better known, provide end-to-end encryption during card-present transactions.  The Gemini Advisory report stated that despite financial institutions issuing chip cards to their customers, out of the more than 60 million cards stolen over the last 12 months, 93% of them were chip enabled cards. Moreover, 45.8 million or 75% of card-present transactions were stolen at point-of-sale devices, while only 25% were compromised in online breaches. With all the chip cards out there, what seems to be the problem?

The issue is that merchants in the US are still struggling with updating point of sale equipment (often seen abbreviated as POS) to support chip cards. Specifically, because of the high cost associated with purchasing and installing equipment to support EMV technology. I’m sure you’ve noticed that every merchant is different and many still utilize the old fashioned swipe terminals. All credit cards with a chip also have the old magnetic stripe on the back for situations where a chip reader is broken or for merchants that have not upgraded their equipment yet. Gas stations in the US are the biggest culprits since they are not held liable or at fault for credit card fraud until October 2020. This is why in the US you still have to use the old fashioned swipe terminals at the gas station.

So how does a chip card get compromised?  The main ways are through malware installed on the point-of-sale system, skimming (where a device reads the magnetic stripe off of the card while you conduct a payment transaction) and “shimming” where a device sits between the chip on your card and the chip reader. Shimming devices can be used to create counterfeit magnetic stripe cards, but not if the bank is validating something called a CVV code which is part of the EMV standard. Some banks and merchants have not fully implemented EMV, which makes point-of-sale malware and credit card cloning the most popular types of credit card fraud. Until the merchants decide to upgrade their equipment, we’re going to see card-present fraud continue to be an issue.

In related news, a report from ACI Worldwide shows that there will be a 14% increase in fraud attempts this holiday season. With the highest this week and next due to Black Friday and Cyber Monday.  Having said that, here are some tips to help prevent becoming a victim of credit card fraud this holiday season:

First, use a more secure payment method like ApplePay, Samsung Pay or Google Pay with your mobile phone if the merchant supports it. If these methods are not available, you can always fall back to cash. If shopping online check to see if the merchant supports these more secure payment methods as well.

Second, if you’re at the gas pump or using an ATM always check to see if a skimmer is installed. This can be as simple as wiggling the credit card reader or by looking for anything that seems out of place with the reader itself or the outside of the machine.

Third, set up and configure fraud or text alerts every time a transaction on your credit card occurs. That way, you know right away if your card has been compromised. Also make sure you check your credit card statements often to look for suspicious transactions.

Lastly, never use a debit card for making purchases. If your debit card is compromised you lose the cash from your bank immediately and it can take weeks and lots of paperwork to get your money refunded. You’re safer with a credit card and the majority of credit cards these days have zero liability for fraudulent charges.

A massive database of over 26 million text messages, belonging to California based communications company Voxox, was discovered by security researcher Sebastien Kaul using the Shodan search engine. This database contained text messages that had password reset links, two-factor authentication codes, shipping notifications, names, cellphone numbers and more. The database server was found completely open to the Internet with no password and provided a web front-end, making the data extremely easy to search through. While access to this particular database has been taken offline, it shows once again, how SMS text messaging should not be used for secure communication or for two-factor authentication. Moreover, this is also another example of how a company that processes millions of sensitive records leaves a massive database like this exposed for anyone to view and access.

Many of us don’t think about the third-party companies like Voxox that work on the backend of your mobile carrier to process text messages, two-factor authentication codes and other communications that end up being pushed to your cell phone. SIM Hijacking and other SMS text message attacks, as discussed in previous episodes of the podcast, are continuing to increase. This is one reason we recommend companies and services to move away from SMS based two-factor authentication and use more secure methods like app based solutions such as Google Authenticator, Authy, Duo and other services which do not rely on SMS text messaging. Make sure you look for app based two-factor authentication when signing up for a new online service. Note that popular sites like Facebook, Instagram and Twitter have already provided app based two-factor authentication solutions that you can begin using right now.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at [email protected]. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

*** This is a Security Bloggers Network syndicated blog from Shared Security authored by Tom Eston. Read the original post at: https://sharedsecurity.net/2018/11/19/usps-informed-delivery-vulnerabilities-holiday-credit-card-fraud-huge-sms-database-leak-wb43/