Bug opened door for malicious link attack, giving hacker access to stored DJI drone data of commercial and consumer customers.
Troy Hunt sounds off on how both consumers and services have a joint role in creating and enforcing strong passwords.
Apple has widened the range of Macs running its T2 security chip. Is macOS finally catching up with other platforms when it comes to secure computing?
By Sabrina Bucknole Until recently, many people thought of VPNs as a tool used by tech-savvy kids to anonymously download music and films. But, as concern about the use and security of personal data online continues to rise, it is no surprise that the number of people using a Virtual Private Network (VPN) has increased dramatically – and […] This is a post from HackRead.com Read the original post: 4 things you didn’t know a VPN could do
Late last week an unknown hacker or a group of hackers successfully targeted a cryptocurrency exchange with an aim to steal Bitcoins by compromising the web analytics service it was using.
An independent exploit developer and vulnerability researcher has publicly disclosed a zero-day vulnerability in VirtualBox—a popular open source virtualization software developed by Oracle—that could allow a malicious program to escape virtual machine (guest OS) and execute code on the operating system of the host machine.
The vulnerability occurs due to memory corruption issues and affects
A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.
The internal alert — sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide — references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.
According to the Secret Service alert, the accused used the Informed Delivery feature “to identify and intercept mail, and to further their identity theft fraud schemes.”
“Fraudsters were also observed on criminal forums discussing using the Informed Delivery service to surveil potential identity theft victims,” the Secret Service memo reads.
The USPS did not respond to repeated requests for comment over the past six days.
The Michigan incident in the Secret Service alert refers to the September 2018 arrest of seven people accused of running up nearly $400,000 in unauthorized charges on credit cards they ordered in the names of residents. According to a copy of the complaint in that case (PDF), the defendants allegedly stole the new cards out of resident mailboxes, and then used them to fraudulently purchase gift cards and merchandise from department stores.
KrebsOnSecurity took the USPS to task last year in part for not using its own unique communications method — the U.S. Mail — to validate and notify residents when someone at their address signs up for Informed Delivery. The USPS addressed that shortcoming earlier this year, announcing it had started alerting all households by mail whenever anyone signs up to receive scanned notifications of mail delivered to their address.
However, it appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification — possibly by waiting until the cards are already approved and ordered before signing up for Informed Delivery in the victim’s name.
Last month, WKMG’s Clickorlando.com wrote that a number of Belle Isle, Fla. residents reported receiving hefty bills for credit cards they never knew they had. One resident was quoted as saying she received a bill for $2,000 in charges on a card she’d never seen before, and only after that did she get a notice from the USPS saying someone at her address had signed up for Informed Delivery. The only problem was she’d never signed up for the USPS program.
“According to a police report, someone opened fraudulent credit card accounts and charged more than $14,000 and signed her neighbors up for Informed Delivery, too,” Clickorlando’s Louis Bolden explained. “Photos of what would be in their mail were going to someone else.”
Residents in Texas have reported similar experiences. Dave Lieber, author of The Watchdog column for The Dallas Morning News, said he heard from victim Chris Torraca, 58, a retired federal bank regulator from Grapevine, a town between Dallas and Ft. Worth.
“Chris discovered it after someone created an account in his name at usps.com,” Lieber wrote in a post published Nov. 2. “The thief began receiving photos of Chris’ mail and also opened a bank credit card in Chris’ wife’s name. Postal officials promote the program as a great way to prevent ID theft, but for Chris, that’s what led to it.”
As noted in last year’s story, the major weakness with Informed Delivery lies in the method the USPS uses to validate new accounts. Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions.
KrebsOnSecurity has relentlessly assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.
I’ve previously advised that having a security freeze on your credit file should be enough to prevent someone from registering an Informed Delivery account in your name. That’s because the USPS validates new users by asking them a series of multiple-guess questions chosen by big-three credit bureau Equifax.
But numerous readers have responded that they were still able to sign up for the service even though they had security freezes in place with Equfiax and the two other major consumer credit bureaus (Experian and TransUnion).
Normally in these cases, I’d urge readers to simply plant their flag by registering an account to claim their address. However, the USPS allows new account creations for anyone currently able to receive mail at your address, which means that claiming your address may involve registering an account with every adult present at your address.
The Dallas Morning News piece referenced earlier says Americans can opt-out of Informed Delivery by emailing the “eSafe Team” at USPS at eSafe@usps.gov. However, emails sent to this address by KrebsOnSecurity elicited no response over the past four days.
Yet, one reader received a curious response by emailing the customer service address advertised by USPS’s Informed Delivery service — firstname.lastname@example.org. That reader requested that USPS remove her address from eligibility for Informed Delivery, and asked the Postal Service to let her know if anyone had previously signed up for the service at his address.
According to an email shared with this author, the USPS’s customer help team responded by asking the resident to answer some of her KBA questions in plain text via email.
Sources tell KrebsOnSecurity that the USPS is now processing some 20,000 new Informed Delivery account registrations each day, and that the USPS is continuously deleting new account registrations that it believes may be fraudulent.
There is also a potentially new security wrinkle in the USPS’s Informed Delivery service. The USPS is now generating revenue by allowing third-party companies to advertise interactive content in Informed Delivery communications (PDF) sent to email subscribers.
The program allows the USPS to automatically match scanned mail images to specific advertising campaigns. According to a review of its mailer delivery user guide (PDF), this initiative allows advertisers to publicize content that contains interactive links, which could be abused by malefactors posing as legitimate advertisers.
By Uzair Amir The Hongkong and Shanghai Banking Corporation (HSBC) has suffered a data breach in which unknown hackers have accessed personal and financial data of its customers. The data breach, according to the notification from HSBC, took between October 4, 2018, and October 14, 2018. Upon detecting the breach, authorities suspended online access to prevent further unauthorized entry […] This is a post from HackRead.com Read the original post: HSBC suffers data breach after hackers access customers' personal data
The training and job-matching effort is a public-private partnership to address a growing workforce gap.
By Waqas Eleven Turkish individuals have been arrested by Turkish police department for stealing cryptocurrency worth approx. $80,000 via Sim Swapping. Reportedly, the suspects tricked the phone providers into revealing the phone numbers of the victims and used the SIMs for performing 2FA authentication. The hacker group managed to steal from multiple crypto exchanges. It is reported […] This is a post from HackRead.com Read the original post: Sim Swapping Crypto Stealing Hackers Arrested by Turkish Police
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email email@example.com