skeeto / elfeed

An Emacs web feeds client
The Unlicense

Krebs on Security not working #137

Closed carlf closed 6 years ago

carlf commented 8 years ago

I'm getting an error on http://krebsonsecurity.com/feed/. The W3C validator says it is valid and I get what appears to be valid XML when I curl it, but elfeed is giving me:

Elfeed parse failed for https://krebsonsecurity.com/feed/: (error XML: (Not Well-Formed) Only one root tag allowed)

Any hints?

carlf commented 8 years ago

I'm getting this from edebug:

Debugger entered--Lisp error: (void-variable url-http-response-status)
  apply(debug error (void-variable url-http-response-status))
  edebug(error (void-variable url-http-response-status))
  url-http-parse-headers()
  url-http-chunked-encoding-after-change-function(107256 110836 3580)
  url-http-generic-filter(#<process krebsonsecurity.com> " with information and security resources to individuals who may have been affected. The security of our networks is our top priority and we are acting accordingly.&#8221;</p>\n<p>&#8220;The few employees who may have been affected were notified promptly, and at this point the impact appears to be quite small.&#8221;</p></blockquote>\n<p>According to a LANDESK employee who spoke on condition of anonymity, the breach was discovered quite recently, but system logs show the attackers <em>first broke into LANDESK&#8217;s network 17 months ago, in June 2014</em>.</p>\n<p>The employee, we&#8217;ll call him &#8220;John,&#8221; said the company only noticed the intrusion when several co-workers started complaining of slow Internet speeds. A LANDESK software developer later found that someone in the IT\302\240department had been logging into his build server, so he asked them about it. The IT department said it knew nothing of the issue.<span id=\"more-33029\"></span></p>\n<p>John said further investigation showed that the attackers were able to compromise the passwords of the global IT director in Utah and another domain administrator from China.</p>\n<p>&#8220;LANDESK has found remnants of text files with lists of source code and build servers that the attackers compiled,&#8221; John said. &#8220;They know for a fact that the attackers have been slowly [archiving] data from the build and source code servers, uploading it to LANDESK&#8217;s web servers, and downloading it.&#8221;</p>\n<p>The implications are potentially far reaching. This breach happened more than a year and a half ago, during which time several versions and fixes of LANDESK software have been released. LANDESK has thousands of customers in all areas of commerce. 
By compromising LANDESK and embedding a back door directly in their source code, the attackers could have access to large number of\302\240computers and servers worldwide.</p>\n<p>The wholesale theft of LANDESK source code also could make it easier\302\240for malware and exploit developers to find security vulnerabilities in the company&#8217;s software.</p>\n<p>A LANDESK spokesperson would neither confirm nor deny the date of the breach or the source code theft, saying only that the investigation into the breach is ongoing and that the company &#8220;won&#8217;t comment on speculation.&#8221;</p>\n<p><strong>Update, 6:51 p.m. ET: </strong>Landesk just posted <a href=\"https://community.landesk.com/support/docs/DOC-39460\" target=\"_blank\">a statement</a> on its support site. The relevant bit is here: &#8220;Given the recent online speculation about the security of our product, we want to reassure you about the security of our products and provide some best practices to help you increase your security posture if needed.\302\240 We can\342\200\231t comment on the specifics of the investigation, but based on the information we know so far, we have not confirmed a risk to our customers\342\200\231 environments, and there are no known primary attack vectors using LANDESK software.&#8221;</p>\n]]></content:encoded>\n         <wfw:commentRss>https://krebsonsecurity.com/2015/11/breach-at-it-automation-firm-landesk/feed/</wfw:commentRss>\n       <slash:comments>59</slash:comments>\n       </item>\n   </channel>\n</rss>\n
\n<!-- Performance optimized by W3 Total Cache. Learn more: http://www.w3-edge.com/wordpress-plugins/
\n
\nPage Caching using memcached
\nDatabase Caching 1/5 queries in 0.001 seconds using memcached
\nObject Caching 782/787 objects using memcached
\n
\n Served from: krebsonsecurity.com @ 2015-12-16 01:18:13 by W3 Total Cache -->
\n0
\n
\n- Peer has closed the GnuTLS connection\n")
  recursive-edit()
  edebug--recursive-edit(after)
  edebug--display([t 0 0 10000 nil url-queue-run-queue nil idle 0] 1 after)
  edebug-debugger(1 after [t 0 0 10000 nil url-queue-run-queue nil idle 0])
  edebug-after(0 1 [t 0 0 10000 nil url-queue-run-queue nil idle 0])
  (lambda nil (edebug-after (edebug-before 0) 1 (elfeed-update-feed "https://krebsonsecurity.com/feed/")))()
  edebug-enter(edebug-anon90501 nil (lambda nil (edebug-after (edebug-before 0) 1 (elfeed-update-feed "https://krebsonsecurity.com/feed/"))))
  edebug-enter(edebug-anon90501 nil (lambda nil (edebug-after (edebug-before 0) 1 (elfeed-update-feed "https://krebsonsecurity.com/feed/"))))
  eval((edebug-enter (quote edebug-anon90501) nil (function (lambda nil (edebug-after (edebug-before 0) 1 (elfeed-update-feed "https://krebsonsecurity.com/feed/"))))) nil)
  eval-expression((edebug-enter (quote edebug-anon90501) nil (function (lambda nil (edebug-after (edebug-before 0) 1 (elfeed-update-feed "https://krebsonsecurity.com/feed/"))))))
  edebug-defun()
  #<subr call-interactively>(edebug-defun record nil)
  ad-Advice-call-interactively(#<subr call-interactively> edebug-defun record nil)
  apply(ad-Advice-call-interactively #<subr call-interactively> (edebug-defun record nil))
  call-interactively(edebug-defun record nil)
  command-execute(edebug-defun record)
  helm-M-x(nil "edebug-defun")
  #<subr call-interactively>(helm-M-x nil nil)
  ad-Advice-call-interactively(#<subr call-interactively> helm-M-x nil nil)
  apply(ad-Advice-call-interactively #<subr call-interactively> (helm-M-x nil nil))
  call-interactively(helm-M-x nil nil)
  command-execute(helm-M-x)
carlf commented 8 years ago

Actually, looking at it more, I think this might be a repeat of #87. Feel free to close if that's the case.

carlf commented 8 years ago

I see a multi-line comment. Not sure if that is the same as multiple comments:

<!-- Performance optimized by W3 Total Cache. Learn more: http://www.w3-edge.com/wordpress-plugins/

Page Caching using memcached
Database Caching 1/4 queries in 0.001 seconds using memcached
Object Caching 781/784 objects using memcached

 Served from: krebsonsecurity.com, krebsonsecurity.com @ 2015-12-16 04:09:22 by W3 Total Cache -->
skeeto commented 8 years ago

It's working fine for me with the latest version of Elfeed and Emacs 24.4. Everything about the feed looks correct, too. What version of Elfeed and Emacs are you using?

carlf commented 8 years ago

I'm on emacs 24.5.1 and elfeed 1.3.0. I just updated from melpa.

skeeto commented 8 years ago

I'm still unable to reproduce the issue with the latest version of Elfeed and Emacs 24.5. Your error message mentions a problem with url-http-response-status, but Elfeed doesn't make use of any of the url-http-* variables (in fact, Elfeed has little concern about the chosen protocol). Some other code is triggering that error.

Check for problems in your config and see if you can reproduce the problem without loading your config (-q). It may also be a problem with your local network meddling with content. Corporate firewalls have caused problems for Elfeed before.

carlf commented 8 years ago

I tried the following after emacs -Q:

(add-to-list 'load-path "~/.emacs.d/elpa/elfeed-20151215.938/")
(require 'elfeed)
(setq elfeed-feeds
      '(("http://feedpress.me/CoolTools" tech)
        ("http://www.osnews.com/files/recent.xml" tech)
        ("http://toucharcade.com/feed/" tech)
        ("http://www.marco.org/rss" tech)
        ("https://news.ycombinator.com/rss" tech)
        ("http://www.loopinsight.com/feed/" tech)
        ("http://emacs-fu.blogspot.com/feeds/posts/default" tech emacs)
        ("http://feed.torrentfreak.com/Torrentfreak/" tech)
        ("http://feeds.dashes.com/AnilDash" tech)
        ("https://krebsonsecurity.com/feed/" tech)
        ("http://feeds2.feedburner.com/hackaday/LgoM" tech)
        ("http://syndication.thedailywtf.com/TheDailyWtf" tech)
        ("http://feeds.feedburner.com/readwriteweb" tech)
        ("http://www.engadget.com/rss.xml" tech)
        ("http://feeds.feedburner.com/makezineonline" tech)
        ("http://www.aaronsw.com/2002/feeds/pgessays.rss" tech)
        ("http://gearhungry.com/feed" tech)
        ("http://feeds.feedburner.com/boingboing/iBag" tech)
        ("https://planet.archlinux.org/atom.xml" tech)
        ("https://www.schneier.com/blog/atom.xml" tech)
        ("http://www.theverge.com/rss/full.xml" tech)
        ("http://feeds.feedburner.com/codinghorror/" tech)
        ("http://feeds.arstechnica.com/arstechnica/index/" tech)
        ("http://feeds.feedburner.com/Makeuseof" tech)
        ("http://lambda-the-ultimate.org/rss.xml" tech)
        ("http://daringfireball.net/feeds/main" tech)
        ("http://feeds.feedburner.com/werdcom" tech)
        ("http://randsinrepose.com/feed/" tech)
        ("http://rss.slashdot.org/Slashdot/slashdot" tech)
        ("http://feeds.feedburner.com/Phoronix" tech)
        ("http://feeds.feedburner.com/TheWirecutter" tech)
        ("http://feeds.feedburner.com/Letterheady" design)
        ("http://feeds.feedburner.com/acontinuouslean/" design)
        ("http://feeds.kottke.org/main" design)
        ("http://feeds.feedburner.com/InformationIsBeautiful" design)
        ("http://feeds.feedburner.com/alistapart/main" design)
        ("http://www.typorn.org/rss.xml" design)
        ("http://www.smashingmagazine.com/feed/" design)
        ("http://feeds.feedburner.com/ucllc/brandnew" design)
        ("http://postsecret.com/feed/?alt=rss" misc)
        ("http://motherboard.vice.com/rss?trk_source=motherboard" misc)
        ("http://feeds2.feedburner.com/slashfilm" misc)
        ("http://longreads.com/rss/" misc)
        ("http://feeds.feedburner.com/AskMetafilter" misc)
        ("http://feeds.feedburner.com/tedtalks_video" misc)
        ("http://feeds.feedburner.com/everyday-carry/bQTf" misc)
        ("http://what-if.xkcd.com/feed.atom" misc)
        ("http://longform.org/feeds/site.rss" misc)
        ("http://feeds.feedburner.com/Metafilter" misc)
        ("http://feeds.boston.com/boston/bigpicture/index" misc)
        ("http://feeds.feedburner.com/LettersOfNote" misc)
        ("http://feeds.feedburner.com/volokh/mainfeed" politics)
        ("http://gregmankiw.blogspot.com/feeds/posts/default" politics)
        ("http://feeds.feedburner.com/scotusblog/pFXs" politics)
        ("http://www.footnoted.com/feed/" politics)
        ("http://feeds.feedburner.com/Popehat" politics)
        ("http://feeds.feedburner.com/CafeHayek" politics)
        ("http://feeds.feedblitz.com/loweringthebar" politics)
        ("http://feeds.feedburner.com/abovethelaw/" politics)
        ("http://feeds.cato.org/Cato-at-liberty" politics)
        ("http://notalwaysright.com/feed/atom" humor)
        ("http://tragedyseries.tumblr.com/rss" humor)
        ("http://feeds.theonion.com/theonion/daily" humor)
        ("http://feeds.feedburner.com/passiveaggressivenotes" humor)
        ("http://shitmystudentswrite.tumblr.com/rss" humor)
        ("http://www.somethingawful.com/rss/frontpage.xml" humor)
        ("http://www.badassoftheweek.com/rss.xml" humor)
        ("http://basicinstructions.net/basic-instructions/atom.xml" humor)
        ("http://oglaf.com/feeds/rss/" humor)
        ("http://feeds.feedburner.com/Hyperbole-and-a-half" humor)
        ("http://feeds.feedburner.com/oatmealfeed" humor)
        ("http://feeds.feedburner.com/CrackedRSS" humor)
        ("http://www.xkcd.com/rss.xml" humor)))
(setf url-queue-timeout 60)
(setq elfeed-search-date-format '("%Y-%m-%d %H:%M" 16 :left))
(setq elfeed-sort-order 'ascending)

On refreshing I still get:

[2015-12-18 11:01:44] [error]: Elfeed parse failed for https://krebsonsecurity.com/feed/: (error XML: (Not Well-Formed) Only one root tag allowed)
skeeto commented 8 years ago

Hmmm, using your exact config I'm still unable to reproduce on either 24.4 or 24.5. I'm trying to think of what would be different between us. Elfeed uses Emacs' Elisp XML parser, so the parser shouldn't vary between platforms (i.e. Emacs linked against differing versions of libxml2). The only thing I can think of is that you're being served different content than me.

Could you wget/curl the Krebs feed and share it? That way I can parse the exact same bytes as you (elfeed-xml-parse-region).
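
Since the report hinges on what trails the root element (the multi-line W3 Total Cache comment carlf noticed, and the lone 0 that follows it in the buffer captured in the backtrace above), here is an added diagnostic, not Elfeed's code, for checking the downloaded bytes skeeto asks for. It uses Python's expat-based parser as the well-formedness reference rather than Emacs's xml.el, and every sample input is constructed, not the real download.

```python
"""Diagnose content after the root element in a saved feed download.

Added example for this issue, not code from Elfeed. Python's expat-based
xml.etree parser is the reference for well-formedness, so this checks the
bytes themselves rather than reproducing Emacs's xml.el parse.
"""
import re
import xml.etree.ElementTree as ET

# Constructed miniature of the document shape in the issue: an RSS 2.0 root
# followed by the kind of multi-line HTML comment W3 Total Cache appends.
FEED = b"""<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>Krebs on Security</title>
<item><title>Example item</title></item>
</channel>
</rss>
"""
TRAILING_COMMENT = b"""
<!-- Performance optimized by W3 Total Cache.

Page Caching using memcached
 Served from: example.invalid @ 2015-12-16 04:09:22 by W3 Total Cache -->
"""

MISC_RE = re.compile(rb"<!--.*?-->|<\?.*?\?>", re.S)  # comments and PIs


def trailing_after_root(data: bytes) -> bytes:
    """Return whatever follows the first closing tag of the root element.

    Assumes the root element name does not recur nested inside itself,
    which holds for <rss> and <feed>.
    """
    m = re.search(rb"<([A-Za-z_][\w.:-]*)", data)  # skips <?xml and <!--
    if not m:
        return data
    close_tag = b"</" + m.group(1) + b">"
    close = data.find(close_tag)
    if close < 0:
        return b""  # root never closed; the parser error will say so
    return data[close + len(close_tag):]


def classify_trailing(tail: bytes) -> str:
    """Classify the bytes after the root element:
    'clean'        only whitespace
    'comment'      whitespace plus comments/PIs (legal XML "Misc")
    'second_root'  another element start tag (a genuine second root)
    'junk'         other non-whitespace text (e.g. a stray chunk marker)
    """
    rest = MISC_RE.sub(b"", tail)
    if not rest.strip():
        return "comment" if MISC_RE.search(tail) else "clean"
    if re.search(rb"<[A-Za-z_]", rest):
        return "second_root"
    return "junk"


def check_feed(data: bytes) -> dict:
    """Parse with expat and report the verdict alongside what trails the root."""
    verdict = {"well_formed": True, "error": None}
    try:
        ET.fromstring(data)
    except ET.ParseError as exc:
        verdict["well_formed"] = False
        verdict["error"] = str(exc)
    tail = trailing_after_root(data)
    verdict["trailing"] = classify_trailing(tail)
    verdict["trailing_comments"] = len(re.findall(rb"<!--.*?-->", tail, re.S))
    return verdict


if __name__ == "__main__":
    samples = {
        "plain feed": FEED,
        "feed + W3TC comment": FEED + TRAILING_COMMENT,
        # A lone "0" line after the comment, shaped like the buffer in the
        # backtrace above (constructed here, not the real download).
        "feed + comment + stray 0": FEED + TRAILING_COMMENT + b"\n0\n\n",
        "feed + second <rss>": FEED + b'<rss version="2.0"></rss>\n',
    }
    for name, data in samples.items():
        print(f"{name}: {check_feed(data)}")
```

A trailing comment alone is legal XML and parses; only non-whitespace text or a second element after the root makes the document ill-formed, so run the check on the exact bytes Emacs received rather than on a fresh curl.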

carlf commented 8 years ago

Here's what I'm getting:

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
    xmlns:content="http://purl.org/rss/1.0/modules/content/"
    xmlns:wfw="http://wellformedweb.org/CommentAPI/"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:atom="http://www.w3.org/2005/Atom"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    >

<channel>
    <title>Krebs on Security</title>
    <atom:link href="http://krebsonsecurity.com/feed/" rel="self" type="application/rss+xml" />
    <link>http://krebsonsecurity.com</link>
    <description>In-depth security news and investigation</description>
    <lastBuildDate>Thu, 17 Dec 2015 20:11:37 +0000</lastBuildDate>
    <language>en-US</language>
    <sy:updatePeriod>hourly</sy:updatePeriod>
    <sy:updateFrequency>1</sy:updateFrequency>
    <generator>https://wordpress.org/?v=4.4</generator>
    <item>
        <title>Banks: Card Breach at Landry&#8217;s Restaurants</title>
        <link>http://krebsonsecurity.com/2015/12/banks-card-breach-at-landrys-restaurants/</link>
        <comments>http://krebsonsecurity.com/2015/12/banks-card-breach-at-landrys-restaurants/#comments</comments>
        <pubDate>Thu, 17 Dec 2015 18:55:37 +0000</pubDate>
        <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
                <category><![CDATA[Data Breaches]]></category>
        <category><![CDATA[Landry's breach]]></category>
        <category><![CDATA[Bubba Gump]]></category>
        <category><![CDATA[Claim Jumper]]></category>
        <category><![CDATA[McCormick & Schmick's]]></category>
        <category><![CDATA[Morton]]></category>

        <guid isPermaLink="false">http://krebsonsecurity.com/?p=33315</guid>
        <description><![CDATA[Fraud analysts in the banking industry tell KrebsOnSecurity that the latest hospitality firm to suffer a credit card breach is likely Landry's Inc., a company that manages a nationwide stable of well-known restaurants -- including Bubba Gump, Claim Jumper, McCormick &#038; Schmick's, and Morton's. Landry's has not responded to multiple requests for comment.]]></description>
                <content:encoded><![CDATA[<p>Fraud analysts in the banking industry tell KrebsOnSecurity that the latest hospitality firm to suffer a credit card breach is likely <strong>Landry&#8217;s Inc.</strong>, a company that manages a nationwide stable of well-known restaurants &#8212; including <strong>Bubba Gump</strong>, <strong>Claim Jumper</strong>, <strong>McCormick &amp; Schmick&#8217;s</strong>, and <strong>Morton&#8217;s. </strong></p>
<p><strong>Update, 2:57 p.m. ET: </strong>Landry&#8217;s has acknowledged an investigation. Their press release is available <a href="http://www.landrysinc.com/pdf/pressReleases/2015/press_20151217.pdf" target="_blank">here</a> (PDF).</p>
<p><img class="aligncenter size-medium wp-image-33319" src="http://krebsonsecurity.com/wp-content/uploads/2015/12/landrys-580x363.png" alt="landrys" width="580" height="363" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/12/landrys-580x363.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/12/landrys.png 631w" sizes="(max-width: 580px) 100vw, 580px" /></p>
<p><em>Original story:</em></p>
<p>Houston-based Landry&#8217;s Inc. owns and operates <a href="http://www.landrysinc.com/concepts/default.asp" target="_blank">more than 500 properties</a>, such as <strong>Landry&#8217;s Seafood</strong>, <strong>Chart House</strong> and <strong>Rainforest Cafe</strong>. Last week, I began hearing from banking industry sources who said fraud patterns on cards they&#8217;d issued to customers strongly suggested a breach at the restaurateur. Industry sources told this author that the problem appears to have started in May 2015 and may still be impacting some Landry&#8217;s locations.</p>
<p>It remains unclear how many of Landry&#8217;s 500 properties may be affected. The company says it is investigating reports of unauthorized charges on certain payment cards after the cards were used legitimately at some of its restaurants. An <a href="http://www.landrysinc.com/pdf/pressReleases/2015/press_20151217.pdf" target="_blank">online FAQ</a> about the incident posted to Landry&#8217;s site says the company does not yet know the extent of the breach.</p>
<p>Restaurants are a prime target for credit card thieves, mainly because they traditionally have not placed a huge emphasis on securing their payment systems. The attackers typically exploit security vulnerabilities or weaknesses in point-of-sale devices to install malicious software that steals credit and debit card data.</p>
<p>Thieves can encode the stolen data onto new plastic and use the counterfeit cards at big box retailers like Best Buy and Target. Indeed, multiple sources in the banking industry say they are now seeing fraudulent purchases at big box stores on cards that all were used at apparently compromised Landry&#8217;s locations.</p>
]]></content:encoded>
            <wfw:commentRss>http://krebsonsecurity.com/2015/12/banks-card-breach-at-landrys-restaurants/feed/</wfw:commentRss>
        <slash:comments>13</slash:comments>
        </item>
        <item>
        <title>Skimmers Found at Some Calif., Colo. Safeways</title>
        <link>http://krebsonsecurity.com/2015/12/skimmers-found-at-some-calif-colo-safeways/</link>
        <comments>http://krebsonsecurity.com/2015/12/skimmers-found-at-some-calif-colo-safeways/#comments</comments>
        <pubDate>Wed, 16 Dec 2015 05:10:37 +0000</pubDate>
        <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
                <category><![CDATA[A Little Sunshine]]></category>
        <category><![CDATA[All About Skimmers]]></category>
        <category><![CDATA[Barnes & Noble]]></category>
        <category><![CDATA[Michaels Stores]]></category>
        <category><![CDATA[Safeway skimmers]]></category>
        <category><![CDATA[Brian Dowling]]></category>

        <guid isPermaLink="false">http://krebsonsecurity.com/?p=33285</guid>
        <description><![CDATA[Sources at multiple financial institutions say they are tracking a pattern of fraud indicating that thieves have somehow compromised the credit card terminals at checkout lanes within multiple Safeway stores in California and Colorado. Safeway confirmed it is investigating skimming incidents at several stores.]]></description>
                <content:encoded><![CDATA[<p>Sources at multiple financial institutions say they are tracking a pattern of fraud indicating that thieves have somehow compromised the credit card terminals at checkout lanes within multiple Safeway stores in California and Colorado. Safeway confirmed it is investigating skimming incidents at several stores.</p>
<p><img class="aligncenter size-medium wp-image-33296" src="http://krebsonsecurity.com/wp-content/uploads/2015/12/safeway-580x404.png" alt="safeway" width="580" height="404" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/12/safeway-580x404.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/12/safeway.png 599w" sizes="(max-width: 580px) 100vw, 580px" /></p>
<p>Banking sources say they&#8217;ve been trying to figure out why so many customers in the Denver and Englewood areas of Colorado were seeing their debit cards drained of cash at ATMs after shopping at Safeways there. The sources compared notes and found that all of the affected customers had purchased goods from one of several specific lanes in different compromised stores (the transaction data includes a &#8220;terminal ID&#8221; which can be useful in determining which checkout lanes were compromised.</p>
<p>Safeway spokesperson <strong>Brian Dowling</strong> said the fraud was limited to a handful of stores, and that the company has processes and procedures in place to protect customers from fraudulent activity.</p>
<p>&#8220;We have an excellent track record in this area,&#8221; Dowling said. &#8220;In fact, we inspect our store’s pin pads regularly and from time to time find a skimmer, but findings have been limited and small in scale. We immediately contact law enforcement and take steps to minimize customer impact.&#8221;<span id="more-33285"></span></p>
<p>Dowling said the problem of checkout skimmers is hardly limited to Safeway, and he hinted that perhaps other retailers have been hit by this same group.</p>
<p>&#8220;This is not unique to our company, and we understand some other retailers may have been more significantly impacted,&#8221; Dowling said, declining to elaborate.</p>
<p>Safeway would not name the affected locations, but bank industry sources say the fraud was traced back to Colorado locations in Arvada, Conifer, Denver, Englewood and Lakewood. In California, banks there strongly suspect Safeway locations in Castro Valley and Menlo Park may also have been hit. Those sources say ATM fraud has been linked to customers using their debit cards at those locations since early September 2015.</p>
<p>In order to steal card data and personal identification numbers (PINs) from Safeway customers, the thieves would have had to open up the card processing terminals at each checkout lane. Once inside, the thieves can install a device that sits between the keypad and the electronics underneath to capture and store PINs, as well as a separate apparatus that siphons account data when customers swipe their cards at the register.</p>
<p>Either that, or the skimmer crooks would have to secretly swap out existing card terminals at checkout lanes with pre-compromised terminals of the exact same design. In any case, skimming incidents involving checkout lanes in retail locations generally involve someone on the inside at the affected retailer.</p>
<p>In late 2012, bookseller <strong>Barnes &amp; Noble</strong> disclosed that it had found modified point-of-sale devices at 60 locations nationwide. The year prior, <strong>Michaels Stores</strong> said it had <a title="Breach at Michaels Stores Extends Nationwide" href="http://krebsonsecurity.com/2011/05/breach-at-michaels-stores-extends-nationwide/" target="_blank">replaced more than 7,200 credit card terminals</a> from store registers nationwide, after discovering that thieves had somehow modified or replaced card machines to include technology capable of siphoning customer payment card data and PINs.</p>
<p>Sadly, I don&#8217;t have any skimmer photos to share from this story, but I have written about the growing sophistication of these point-of-sale skimming devices. <a href="http://krebsonsecurity.com/2013/02/pro-grade-point-of-sale-skimmer/" target="_blank">Here&#8217;s a look at one compromised card reader</a>, and the handiwork that went into the thieves&#8217; craft. Descriptions and images from other skimming devices can be found in my series <a href="http://krebsonsecurity.com/all-about-skimmers/" target="_blank">All About Skimmers</a>.</p>
<p>The mass-issuance of chip-based credit and debit cards by U.S. banks to consumers should eventually help minimize these types of scams, but probably not for some time yet. Most cards will continue to have all of the cardholder data stored in plain text on the magnetic strip of these chip-based cards for several years to come. As long as merchants continue to let customers swipe instead of &#8220;dip,&#8221; we&#8217;ll continue to see skimmers just about everywhere swiping is still allowed.</p>
<p>Remember that you are not liable for fraudulent card charges, but that it&#8217;s still your responsibility to alert their card issuer quickly to any unauthorized charges. So keep a close eye on your bank statements. Also, this attack is another reminder of why it makes more sense to shop with a credit vs. a debit card: Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).</p>
]]></content:encoded>
            <wfw:commentRss>http://krebsonsecurity.com/2015/12/skimmers-found-at-some-calif-colo-safeways/feed/</wfw:commentRss>
        <slash:comments>61</slash:comments>
        </item>
        <item>
        <title>13 Million MacKeeper Users Exposed</title>
        <link>http://krebsonsecurity.com/2015/12/13-million-mackeeper-users-exposed/</link>
        <comments>http://krebsonsecurity.com/2015/12/13-million-mackeeper-users-exposed/#comments</comments>
        <pubDate>Mon, 14 Dec 2015 20:51:07 +0000</pubDate>
        <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
                <category><![CDATA[A Little Sunshine]]></category>
        <category><![CDATA[Security Tools]]></category>
        <category><![CDATA[Shodan]]></category>
        <category><![CDATA[MongoDB]]></category>
        <category><![CDATA[Kromtech]]></category>
        <category><![CDATA[MacKeeper]]></category>
        <category><![CDATA[Chris Vickery]]></category>
        <category><![CDATA[computer fraud and abuse act]]></category>

        <guid isPermaLink="false">http://krebsonsecurity.com/?p=33269</guid>
        <description><![CDATA[The makers of MacKeeper -- a much-maligned software utility many consider to be little more than scareware that targets Mac users -- have acknowledged a breach that exposed the usernames, passwords and other information on more than 13 million customers and, er...users. Perhaps more interestingly, the guy who found and reported the breach doesn't even own a Mac, and discovered the data trove merely by browsing Shodan -- a specialized search engine that looks for and indexes virtually anything that gets connected to the Internet.]]></description>
                <content:encoded><![CDATA[<p>The makers of <strong>MacKeeper</strong> &#8212; a <a href="http://www.macworld.com/article/2861435/software-utilities/how-to-uninstall-mackeeper-from-your-mac.html" target="_blank">much-maligned</a> software utility many consider to be little more than <a href="https://en.wikipedia.org/wiki/MacKeeper" target="_blank">scareware</a> that targets Mac users &#8212; have acknowledged a breach that exposed the usernames, passwords and other information on more than 13 million customers and, er&#8230;users. Perhaps more interestingly, the guy who found and reported the breach doesn&#8217;t even own a Mac, and discovered the data trove merely by browsing <a href="https://www.shodan.io/" target="_blank">Shodan </a>&#8212; a specialized search engine that looks for and indexes virtually anything that gets connected to the Internet.</p>
<p><img class="alignright wp-image-33271" src="http://krebsonsecurity.com/wp-content/uploads/2015/12/mackeeper.png" alt="mackeeper" width="325" height="236" />IT helpdesk guy by day and security researcher by night, 31-year-old <strong>Chris Vickery</strong> said he unearthed the 21 gb trove of MacKeeper user data after spending a few bored moments searching for database servers that require no authentication and are open to external connections.</p>
<p>Vickery told Shodan to find all known instances of database servers listening for incoming connections on port 27017. &#8220;Ports&#8221; are like doorways that govern access into and out of specific areas of a server, and each port number generally maps to one or a handful of known Web applications and services. Port 27017 happens to be associated with <a href="https://en.wikipedia.org/wiki/MongoDB" target="_blank">MongoDB</a>, a popular database management system.</p>
<p>In short order, Vickery&#8217;s request turned up four different Internet addresses, all of which he later learned belonged to <a href="http://kromtech.com/" target="_blank">Kromtech</a>, the company that makes MacKeeper.</p>
<p>&#8220;There are a lot of interesting, educating and intriguing things that you can find on Shodan,&#8221; Vickery said. &#8220;But there&#8217;s a lot of stuff that should definitely not be out there, and when I come across those I try to notify the owner of the affected database.&#8221;</p>
<p>Vickery said he reached out the company, which responded quickly by shuttering public access to its user database, and publicly thanking him for reporting it.</p>
<p>&#8220;Some 13 million customer records leaked from is aware of a potential vulnerability in access to our data storage system and we are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,&#8221; the company said <a href="https://mackeeper.com/blog/post/173-mackeeper-security-advisory" target="_blank">in a statement</a> published to its site totday. &#8220;We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.&#8221;</p>
<p>Kromtech said all customer credit card and payment information is processed by a 3rd party merchant and was never at risk.<span id="more-33269"></span></p>
<p>&#8220;Billing information is not transmitted or stored on any of our servers. We do not collect any sensitive personal information of our customers,&#8221; the statement continues. &#8220;The only customer information we retain are name, products ordered, license information, public ip address and their user credentials such as product specific usernames, password hashes for the customer&#8217;s web admin account where they can manage subscriptions, support, and product licenses.&#8221;</p>
<p>Vickery said Kromtech told him its database had been inadvertently exposed as a result of a server misconfiguration that was introduced just last week. But Vickery said he doubts that&#8217;s the case, because some of the Shodan records he found that pointed back to Kromtech&#8217;s database were dated mid-November 2015.</p>
<p><span class="pullquote pqleft">&#8220;The funny thing is, I don’t even own a Mac, and I had never heard of MacKeeper until last night,&#8221; Vickery said.</span> &#8220;I didn’t know it was some sort of scamming scareware or software that pushes itself on people. The irony here is pretty thick.&#8221;</p>
<p>Vickery said he was able to connect to the database that Shodan turned up for him just by cutting and pasting the information into <a href="http://www.mongovue.com/" target="_blank">a commercial tool</a> built to browse Mongo databases. Asked whether he&#8217;s worried that some clueless organization or overzealous prosecutor might come after him for computer hacking, Vickery said he&#8217;s not concerned (for background, see the controversy over bone-headed cases brought against researchers under the <a href="https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act" target="_blank">Computer Fraud and Abuse Act</a>).</p>
<p>&#8220;It&#8217;s a concern, but I&#8217;ve made peace with that and you can&#8217;t live your life in fear,&#8221; he said. &#8220;I feel pretty confident that if you configure a server for public access &#8212; without authentication &#8212; and it gets publicly accessed, that&#8217;s not a crime.&#8221;</p>
<p>I admire Vickery&#8217;s courage and straightforward approach, and his story is a good reminder about the importance of organizations using all of the resources available to them to find instances of public access to sensitive or proprietary data that shouldn&#8217;t be public.  Consider taking the time to learn how to use Shodan (it&#8217;s actually fairly intuitive, but some data may only be available to paying subscribers); use it to see if your organization has unnecessarily exposed databases, networking devices, security cameras and other &#8220;Internet of Things&#8221; devices.</p>
<p>Finally, if you&#8217;re a MacKeeper customer and you re-used your MacKeeper user password at other sites, it&#8217;s now time change that password at the other sites &#8212; and <em>not</em> just to your new MacKeeper password! For more password do&#8217;s and don&#8217;ts, check out <a href="http://krebsonsecurity.com/password-dos-and-donts/" target="_blank">this primer</a>.</p>
]]></content:encoded>
            <wfw:commentRss>http://krebsonsecurity.com/2015/12/13-million-mackeeper-users-exposed/feed/</wfw:commentRss>
        <slash:comments>21</slash:comments>
        </item>
        <item>
        <title>Don&#8217;t Be a Victim of Tax Refund Fraud in &#8217;16</title>
        <link>http://krebsonsecurity.com/2015/12/dont-be-a-victim-of-tax-refund-fraud-in-16/</link>
        <comments>http://krebsonsecurity.com/2015/12/dont-be-a-victim-of-tax-refund-fraud-in-16/#comments</comments>
        <pubDate>Mon, 14 Dec 2015 14:51:04 +0000</pubDate>
        <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
                <category><![CDATA[Tax Refund Fraud]]></category>
        <category><![CDATA[Equifax]]></category>
        <category><![CDATA[turbotax]]></category>
        <category><![CDATA[H&R Block]]></category>
        <category><![CDATA[Michael Kasper]]></category>
        <category><![CDATA[John Koskinen]]></category>
        <category><![CDATA[Julie Magee]]></category>
        <category><![CDATA[Isha Sesay]]></category>
        <category><![CDATA[IP PIN]]></category>

        <guid isPermaLink="false">http://krebsonsecurity.com/?p=32957</guid>
        <description><![CDATA[With little more than a month to go before the start of the 2016 tax filing season, the IRS and the states are hunkering down for an expected slugfest with identity thieves who make a living requesting fraudulent tax refunds on behalf of victims. Here's what you need to know going into January to protect you and your family.]]></description>
                <content:encoded><![CDATA[<p>With little more than a month to go before the start of the 2016 tax filing season, the IRS and the states are hunkering down for an expected slugfest with identity thieves who make a living requesting fraudulent tax refunds on behalf of victims. Here&#8217;s what you need to know going into January to protect you and your family.</p>
<p><img class="alignright wp-image-25751" src="http://krebsonsecurity.com/wp-content/uploads/2014/04/taxfraud-285x285.jpg" alt="The Growing Tax Fraud Menace" width="260" height="260" srcset="http://krebsonsecurity.com/wp-content/uploads/2014/04/taxfraud-150x150.jpg 150w, http://krebsonsecurity.com/wp-content/uploads/2014/04/taxfraud-285x285.jpg 285w, http://krebsonsecurity.com/wp-content/uploads/2014/04/taxfraud-600x600.jpg 600w, http://krebsonsecurity.com/wp-content/uploads/2014/04/taxfraud.jpg 693w" sizes="(max-width: 260px) 100vw, 260px" />The good news is that the states and Uncle Sam have got a whole new bag of technological tricks up their sleeves this coming tax season. The bad news is ID thieves are already testing those defenses, and will be working against a financially strapped federal agency that&#8217;s been forced to cede much of its ability to investigate and prosecute such crimes.</p>
<p>Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.</p>
<p>By all accounts, the IRS has improved at blocking phony refund requests. The agency estimates it prevented $24.2 billion in fraudulent identity theft refunds in 2013. Trouble is, it paid out some $5.8 billion in fraudulent refunds that year that it later determined were bogus, and experts say that is only the fraud the agency knows about, and the true number is likely much higher annually.</p>
<p>Perhaps in response to the IRS&#8217;s increasing ability to separate phony returns from legitimate ones, crooks last year <a href="http://krebsonsecurity.com/2015/02/the-rise-in-state-tax-refund-fraud/" target="_blank">massively focused on filing bogus refund requests with the 50 U.S states</a>. To head off a recurrence of that trend in the 2016 filing season, the states and the IRS have <a href="https://www.irs.gov/uac/Newsroom/IRS,-States-and-Industry-Partners-Provide-Update-on-Collaborative-Fight-Against-Tax-Related-Identity-Theft" target="_blank">hammered out an agreement</a> to examine more than 20 new data elements collected by online providers like <strong>TurboTax</strong> and <strong>H&amp;R Block</strong>.</p>
<p>Those new data elements include checking for the repetitive use of the same Internet address to rapidly file multiple returns, and reviewing computer device information (browser user agent string, cookies e.g.) tied to the return&#8217;s origin. Another check involves measuring the time it takes to file a return; fraudsters involved in tax refund fraud tend to breeze through returns in just a few minutes because they are generally copying and pasting information into the tax forms, or relying on an automated program to do it for them.</p>
<p>The hope is that the these new checks will let investigators more accurately flag suspicious refund requests processed by tax preparation firms, which also have agreed to beef up <a href="http://krebsonsecurity.com/2015/03/intuit-failed-at-know-your-customer-basics/" target="_blank">lax security</a> around customer accounts. Under the agreement, online providers will enforce:</p>
<ul>
<li>new password standards to include a minimum of eight characters, with upper, lowercase, alphanumerical and special characters;</li>
<li>a lock-out feature that blocks users with too many unsuccessful login attempts;</li>
<li>the addition of three security questions;</li>
<li>some sort of out-of-band verification for email addresses &#8212; sending an email or text to the customer with a personal identification number (PIN).</li>
</ul>
<p><strong>Julie Magee</strong>, Alabama&#8217;s chief tax administrator, said the state/IRS task force opted not to disclose all 20 of the data elements they will be collecting from tax prep firms.</p>
<p>&#8220;The thieves are going to figure these out on their own, and they&#8217;re already testing our defenses,&#8221; Magee told KrebsOnSecurity. &#8220;We don&#8217;t want to do anything to make that easier for them.&#8221;</p>
<p><span style="text-decoration: underline;">ANALYSIS</span></p>
<p>Whether or not we see an increase in tax refund fraud next year, one thing seems certain: the IRS will prosecute far fewer of the crooks involved. Congress has persistently underfunded the IRS, and budget cuts have pushed prosecutions of identity thieves to a new low. According to the IRS&#8217;s 2015 Annual Report, IRS identity theft criminal investigations are down almost 50 percent since 2013.</p>
<p><img class="aligncenter size-medium wp-image-33236" src="http://krebsonsecurity.com/wp-content/uploads/2015/12/irs-idtheftprosecutions13-15-580x164.png" alt="irs-idtheftprosecutions13-15" width="580" height="164" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/12/irs-idtheftprosecutions13-15-580x164.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/12/irs-idtheftprosecutions13-15-768x218.png 768w, http://krebsonsecurity.com/wp-content/uploads/2015/12/irs-idtheftprosecutions13-15-940x266.png 940w, http://krebsonsecurity.com/wp-content/uploads/2015/12/irs-idtheftprosecutions13-15.png 1270w" sizes="(max-width: 580px) 100vw, 580px" /></p>
<p>Tax fraudsters were so aggressive last year that they figured out how to steal consumer identities directly from the agency itself. In August 2015, the IRS disclosed that crooks abused the &#8220;Get Transcript&#8221; feature on its Web site to steal Social Security numbers and information from previous years’ tax filings on more than 334,000 Americans.</p>
<p>The IRS has responded to the problem of tax ID theft partly by offering <a href="http://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN" target="_blank">Identity Protection PINs</a> (IP PINs) to affected taxpayers that must be supplied on the following year’s tax application before the IRS will accept the return. However, consumers still have to request an IP PIN by <a href="https://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN" target="_blank">applying for one at the agency&#8217;s site</a>, or by mailing in <a href="https://www.irs.gov/pub/irs-pdf/f14039.pdf" target="_blank">form 14039</a> (PDF).</p>
<p>Incredibly, the process that thieves abused to steal tax transcripts from 334,000 taxpayers this year from the IRS&#8217;s site also works to fraudulently obtain a consumer&#8217;s IP PIN. In fact, the following redacted screen shot from a notorious cybercrime forum shows a seasoned tax fraudster teaching would-be scammers how to use the IRS&#8217;s site to obtain a victim&#8217;s IP PIN.</p>
<p><img class="aligncenter size-medium wp-image-33199" src="http://krebsonsecurity.com/wp-content/uploads/2015/12/ippin-580x162.png" alt="ippin" width="580" height="162" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/12/ippin-580x162.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/12/ippin.png 620w" sizes="(max-width: 580px) 100vw, 580px" /></p>
<p><span id="more-32957"></span>Both the Get Transcript and the process to retrieve an IP PIN from the IRS&#8217;s site are vulnerable because they rely on the applicant supplying static information that is trivial for thieves to obtain, including the taxpayer&#8217;s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau <strong>Equifax</strong> that asks four so-called “knowledge-based authentication” (KBA) questions.</p>
<p>These KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing, but much of the data is readily available via free online social networking and consumer tracking services like Spokeo.</p>
<p>If any readers here doubt how easy it is to buy personal data on just about anyone, check out <a title="http://krebsonsecurity.com/2014/12/toward-a-breach-canary-for-data-brokers/" href="http://krebsonsecurity.com/2014/12/toward-a-breach-canary-for-data-brokers/" target="_blank">the story I wrote in December 2014</a>, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the <strong>U.S. Senate Commerce Committee</strong>. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators.</p>
<p>My guess is that a huge chunk of 334,000 victimized via the IRS&#8217;s site this year probably will not request the IP PIN and will in fact have fraudulent tax returns filed with their info &#8212; whether they request the <span class="il">IP</span> <span class="il">PIN</span> and it is stolen or not. The IRS should just issue the IP PINs to affected taxpayers, instead of asking victims to do it themselves.</p>
<p>Incidentally, the <a href="https://twitter.com/IRSnews/status/671413617410076673?s=03" target="_blank">IRS&#8217;s Twitter account is still promoting the online Get Transcript capability</a>, even though it no longer offers the service online. For now, the only way to obtain a transcript is via snail mail.</p>
<div id="attachment_33259" style="width: 590px" class="wp-caption aligncenter"><img class="size-medium wp-image-33259" src="http://krebsonsecurity.com/wp-content/uploads/2015/12/irstweet-gettranscript-580x510.png" alt="IRS's Twitter account urging followers to use a service that hasn't been available for months." width="580" height="510" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/12/irstweet-gettranscript-580x510.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/12/irstweet-gettranscript.png 753w" sizes="(max-width: 580px) 100vw, 580px" /><p class="wp-caption-text">IRS&#8217;s Twitter account urging followers to use a service that hasn&#8217;t been available since May 2015.</p></div>
<p><span style="text-decoration: underline;">DON&#8217;T BE THE NEXT VICTIM<br />
</span></p>
<p>In notifying 334,000 taxpayers affected by its Get Transcript debacle, the IRS predictably offered victims free credit monitoring services from <strong>Equifax</strong>. The IRS makes no mention of a more effective way to block ID thieves: Placing a &#8220;security freeze&#8221; on one&#8217;s credit files with the major credit bureaus. See <a href="http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/" target="_blank">this tutorial</a> about why freezes are more effective than credit monitoring in blocking ID thieves from assuming your identity to open up new lines of credit.</p>
<p>While it&#8217;s true that having a security freeze on your credit file won&#8217;t stop thieves from committing tax refund fraud in your name, it would stop them from fraudulently obtaining your IP PIN. Also, anyone who has a freeze in place will need to temporarily lift that freeze to take advantage of any credit monitoring services (in this case, the consumer would need to briefly thaw a freeze at Equifax).</p>
<p><strong>-File before the fraudsters do it for you</strong> &#8211; Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible after the 2016 Tax Filing Season begins &#8212; which is usually the second or third week in January. Remember, it doesn&#8217;t matter whether or not the IRS owes you money: Thieves can still try to impersonate you and claim that they do, leaving you to sort out the mess with the IRS later.</p>
<p><strong>-Get on a schedule to request a free copy of your credit report.</strong> By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you&#8217;re signed up for credit monitoring make them do the hard work for you.</p>
<p>&#8211;<strong>Monitor, then freeze.</strong> Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. <a href="http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/" target="_blank">Instructions for doing that are here</a>.</p>
<p><strong>-File form 14039 and request an IP PIN from the government.</strong> This form requires consumers to state they believe they&#8217;re likely to be victims of identity fraud. Even if thieves haven&#8217;t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft &#8212; even if we just look at breaches announced in the past year alone.</p>
<p><span style="text-decoration: underline;">FIGHT BACK </span></p>
<p>Thieves involved in tax return fraud may be laughing all the way to the bank, but that doesn&#8217;t mean we have to suck it up and take it: Exercise your rights to obtain a copy of the phony return, and you may just help put crooks in jail.</p>
<p>If you become of the victim of tax fraud and are motivated to learn who helped to defraud you and Uncle Sam, you can <a href="https://www.irs.gov/pub/irs-pdf/f4506.pdf" target="_blank">file form 4506</a> (plus a $50 fee) to get a copy of the return. That information can be shared with your local police, who may be able to use to track down people who help launder the proceeds from tax refund fraud.</p>
<p>Earlier this year, I wrote about <strong>Isha Sesay</strong>, a Pennsylvania woman who <a href="http://krebsonsecurity.com/2015/06/states-seek-better-mousetrap-to-stop-tax-refund-fraud/" target="_blank">was arrested for receiving phony IRS refunds</a> on behalf of at least two tax fraud victims. Among Sesay&#8217;s victims was resident <a href="http://krebsonsecurity.com/?s=michael+kasper&amp;x=0&amp;y=0" target="_blank">Mike Kasper</a>, whose request for the filing led to Sesay&#8217;s arrest. Kasper&#8217;s hard work helped expose the <a href="http://krebsonsecurity.com/2015/08/irs-330k-taxpayers-hit-by-get-transcript-scam/" target="_blank">IRS’s pervasive authentication weaknesses</a> and later <a href="http://www.hsgac.senate.gov/hearings/the-irs-data-breach-steps-to-protect-americans-personal-information" target="_blank">testified to Congress</a> about his ordeal. Sesay is currently <a href="http://krebsonsecurity.com/wp-content/uploads/2015/12/2015_10_23_520510.pdf" target="_blank">scheduled to plead guilty</a> (PDF) to the charges on Dec. 18.</p>
<p>Turns out, Kasper&#8217;s sleuthing was key to Sesay&#8217;s prosecution. When he found out he&#8217;d been victimized, Kasper requested the copy of returns that fraudsters filed in his name, but he did so <em>before</em> filing form 14039 to request an IP PIN.  Had he done it in the opposite order, the IRS would have redacted all of Ms. Sesay personal and financial information.</p>
<div id="attachment_33261" style="width: 569px" class="wp-caption aligncenter"><img class="size-full wp-image-33261" src="http://krebsonsecurity.com/wp-content/uploads/2015/12/michaelkasper.png" alt="Poughkeepsie, NY victim Michael Kasper testifying before the Senate Homeland Security Committee in June 2015." width="559" height="315" /><p class="wp-caption-text">Poughkeepsie, NY victim Michael Kasper testifying before the Senate Homeland Security Committee in June 2015.</p></div>
<p>In <a href="http://www.hsgac.senate.gov/hearings/the-irs-data-breach-steps-to-protect-americans-personal-information" target="_blank">testimony</a> before the Senate this year, IRS Commissioner <strong>John Koskinen</strong> explained the reasoning behind that decision: A fraudulent return could include the personal information of other people. The end result is that it is better to file <a href="https://www.irs.gov/pub/irs-pdf/f4506.pdf" target="_blank">form <span class="il">4506</span></a> and pay $50 to request a photocopy of the fraudulent return before you file form 14039 to formally report the fraud.</p>
<div>
<p>&#8220;There is a section 6103 of the US code that imposes <a href="https://www.law.cornell.edu/uscode/text/26/6103" target="_blank">stiff criminal penalties</a> for sharing tax return information  and the IRS&#8217;s tortured view of reality interprets this law, which is intended to protect personal information, so that once you report fraud and they know some information on the return might not be yours, they believe it is against the law for them to ever share that information with you,&#8221; Kasper said.</p>
<p>&#8220;As a result, when they recently created the process above for victims to get a copy of the fraudulent tax returns filed in their name, the IRS decided they need to redact any personal info that could possibly belong to a criminal,&#8221; Kasper continued. &#8220;They do everything they can to protect the privacy of the criminal who already violated your privacy. You actually lose all of your rights once you report the crime so it&#8217;s better to wait.&#8221;</p>
</div>
]]></content:encoded>
            <wfw:commentRss>http://krebsonsecurity.com/2015/12/dont-be-a-victim-of-tax-refund-fraud-in-16/feed/</wfw:commentRss>
        <slash:comments>50</slash:comments>
        </item>
        <item>
        <title>The Role of Phony Returns in Gift Card Fraud</title>
        <link>http://krebsonsecurity.com/2015/12/the-role-of-phony-returns-in-gift-card-fraud/</link>
        <comments>http://krebsonsecurity.com/2015/12/the-role-of-phony-returns-in-gift-card-fraud/#comments</comments>
        <pubDate>Thu, 10 Dec 2015 19:48:17 +0000</pubDate>
        <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
                <category><![CDATA[Web Fraud 2.0]]></category>
        <category><![CDATA[Starbucks]]></category>
        <category><![CDATA[Damon McCoy]]></category>
        <category><![CDATA[gift card fraud]]></category>
        <category><![CDATA[New York University]]></category>
        <category><![CDATA[Petsmart]]></category>
        <category><![CDATA[Petco]]></category>
        <category><![CDATA[H&M]]></category>
        <category><![CDATA[Chevron]]></category>
        <category><![CDATA[Cabelas]]></category>
        <category><![CDATA[The Return Exchange]]></category>
        <category><![CDATA[giftcardgranny.com]]></category>
        <category><![CDATA[cardpool.com]]></category>
        <category><![CDATA[raise.com]]></category>

        <guid isPermaLink="false">http://krebsonsecurity.com/?p=33217</guid>
        <description><![CDATA[On any given day, there are thousands of gift cards from top retailers for sale online that can be had for a fraction of their face value. Some of these are exactly what they appear to be: legitimate gift cards sold through third-party sites that specialize in reselling used or unwanted cards. But many discounted gift cards for sale online are in fact the product of merchandise return fraud, meaning consumers who purchase them unwittingly help thieves rob the stores that issued the cards.]]></description>
                <content:encoded><![CDATA[<p>On any given day, there are thousands of gift cards from top retailers for sale online that can be had for a fraction of their face value. Some of these are exactly what they appear to be: legitimate gift cards sold through third-party sites that specialize in reselling used or unwanted cards. But many of the more steeply discounted gift cards for sale online are in fact the product of merchandise return fraud, meaning consumers who purchase them unwittingly help thieves rob the stores that issued the cards.</p>
<p><img class="alignright wp-image-33221" src="http://krebsonsecurity.com/wp-content/uploads/2015/12/giftcards.png" alt="giftcards" width="291" height="192" />This type of scam mainly impacts brick-and-mortar retailers that issue gift cards when consumers return merchandise at a store without presenting a receipt. Last week I heard from KrebsOnSecurity reader Lisa who recently went online to purchase a bunch of steeply discounted gift cards issued by pet supply chain <strong>Petco</strong>.</p>
<p>Lisa owns two Rottweilers that both eat a good chunk of their weight each month in dog food, so Lisa said she felt like she&#8217;d really hit on a bargain when she found a $165 Petco gift card for sale at a popular online gift card retailer for $120 (a nearly 30 percent discount on the value).</p>
<p>&#8220;When I went to Petco to get my monthly supply of dog food and snacks for my Rotties, I used my merchandise card and the manager shared with me that folks are stealing merchandise from one Petco store and returning the items to another without a receipt and then selling the cards to places like <strong>raise.com</strong> and <strong>cardpool.com</strong> at a discounted price,&#8221; Lisa recounted.</p>
<p>Petco&#8217;s official <a href="http://www.returnsandrefunds.com/Petsmart/Returns" target="_blank">policy</a> is that for returns more than 60 days after the purchase &#8212; or if the receipt is unavailable &#8212; the value of the goods returned will be refunded to a merchandise card. Lisa said she bought the Petco card from raise.com, but she said the company never disclosed that the card was a merchandise return card &#8212; a fact that was printed on the front of the card she received.</p>
<p>&#8220;I feel really bad now because my purchase of these cards may have contributed to unlawful activities,&#8221; Lisa said. &#8220;Even though I saved $40+, Petco actually lost money as a result.&#8221;</p>
<p>Neither Raise nor Petco responded to requests for comment. But a look at the available Petco cards for sale via one gift card tracking site &#8212; <strong>giftcardgranny.com</strong> &#8212; shows Petco cards routinely sell for at least 25 percent off their value.</p>
<p>In any case, this fraud scheme is hardly specific to Petco. Cards from <strong>Petsmart</strong>, a competitor that also offers merchandise return cards, generally <a href="http://www.giftcardgranny.com/buy-gift-cards/pet-smart/" target="_blank">sell at 20 percent off their value</a>. Clothier <a href="http://www.giftcardgranny.com/buy-gift-cards/h-and-m/" target="_blank">H&amp;M&#8217;s cards</a> average about 30 percent off.</p>
<p>Contrast these discounts with those for gift cards from restaurants, fuel stations and other businesses that generally don&#8217;t have to deal with customer returns and you&#8217;ll notice two interesting patterns: For starters, the face value of the cards from merchants that don&#8217;t take customer returns are far more likely to be even amounts, such as $50, $25 and $40. The percentage off the face value also tends to be much lower &#8212; between 3 and 15 percent. For example, see the discount percentage and value of cards from <a href="http://www.giftcardgranny.com/buy-gift-cards/starbucks/" target="_blank">Starbucks</a> and <a href="http://www.giftcardgranny.com/buy-gift-cards/chevron/" target="_blank">Chevron</a>.</p>
<p>&#8220;Twenty-five percent off is really high, and there aren&#8217;t many that offer that high of a discount,&#8221; said <strong>Damon McCoy</strong>, an assistant professor of computer science at New York University and an expert on fraud involving stored value cards. &#8220;Normally, it is around 5 percent to 15 percent.&#8221;<span id="more-33217"></span></p>
<p>According to a study conducted jointly by KingRogers International and <a href="http://www.theretailequation.com/Retailers/IndustryReports.aspx" target="_blank">The Retail Equation</a>, approximately nine percent of all returns in the United States are fraudulent. The National Retail Foundation estimates that the problem will cost U.S. retailers nearly $11 billion this year.</p>
<p>Investigators say the crimes very often are tied to identity theft rings and drug addicts. Last month, authorities in Michigan <a href="http://www.usatoday.com/story/news/nation-now/2015/10/06/home-depot-thief-gift-cards/73441386/" target="_blank">convicted a 46-year-old father of four</a> for running a large-scale fencing operation that used teams of prostitutes, heroin users, parolees and panhandlers to steal high-priced items from local Home Depot stores and then return the goods to a different Home Depot location in exchange for store debit cards.</p>
<p>Of course, another huge source card of gift card fraud are cards purchased with stolen credit cards. Thieves will buy &#8220;dumps&#8221; &#8212; card data stolen from brick-and-mortar businesses &#8212; and encode that data onto anything with a magnetic strip and try to buy high-dollar gift cards from a range of retailers. The carded gift cards very often wind up for sale online at steep 20-30 percent discounts.</p>
<p>Earlier this year I saw part of this process in action at a Giant grocery store in Maryland. The man in front of me in line looked and smelled homeless. The only items he was trying to buy were several $200 gift cards that Giant had on sale for various retailers. When the first card he swiped was declined, the man fished two more cards out of his wallet. Each was similarly declined, but the man just shrugged and walked out of the store. I asked the cashier if this sort of thing happened often, and he just shook his head and said, &#8220;Man, you have no idea.&#8221;</p>
<p>Lisa admits she remains conflicted over whether she would buy another steeply discounted card to help feed her dogs. But she said retailers could help stem this type of fraud by tying merchandise return cards to the identity of the person who returned the merchandise in the first place. Most stores that issue merchandise return cards now require the person returning the goods to show a valid state driver&#8217;s license, but the cards are not tied to that customer, nor do stores check ID when consumers use merchandise return cards at the store to purchase goods.</p>
]]></content:encoded>
            <wfw:commentRss>http://krebsonsecurity.com/2015/12/the-role-of-phony-returns-in-gift-card-fraud/feed/</wfw:commentRss>
        <slash:comments>71</slash:comments>
        </item>
        <item>
        <title>Adobe, Microsoft Each Plug 70+ Security Holes</title>
        <link>http://krebsonsecurity.com/2015/12/adobe-microsoft-each-plug-70-security-holes/</link>
        <comments>http://krebsonsecurity.com/2015/12/adobe-microsoft-each-plug-70-security-holes/#comments</comments>
        <pubDate>Wed, 09 Dec 2015 00:45:25 +0000</pubDate>
        <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
                <category><![CDATA[Time to Patch]]></category>

        <guid isPermaLink="false">http://krebsonsecurity.com/?p=33202</guid>
        <description><![CDATA[Adobe and Microsoft today independently issued software updates to plug critical security holes in their software. Adobe released a patch that fixes a whopping 78 security vulnerabilities in its Flash Player software. Microsoft pushed a dozen patch bundles to address at least 71 flaws in various versions of the Windows operating system and associated software.]]></description>
                <content:encoded><![CDATA[<p><strong>Adobe</strong> and <strong>Microsoft</strong> today independently issued software updates to plug critical security holes in their software. Adobe released a patch that fixes a whopping 78 security vulnerabilities in its <strong>Flash Player</strong> software. Microsoft pushed a dozen patch bundles to address at least 71 flaws in various versions of the <strong>Windows</strong> operating system and associated software.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2014/07/brokenwindows.png"><img class="alignright size-full wp-image-26837" src="http://krebsonsecurity.com/wp-content/uploads/2014/07/brokenwindows.png" alt="brokenwindows" width="229" height="240" /></a>Three-quarters of the patches Microsoft issued earned the company&#8217;s most dire &#8220;critical&#8221; rating, meaning malware or attackers could use the flaws fixed in these patches to fully compromise vulnerable systems with zero help from users. What&#8217;s more, two of the vulnerabilities are actively being exploited, including a bug in Windows and <strong>Microsoft Office</strong>.</p>
<p>As per usual, a patch for <strong>Internet Explorer</strong> addresses a huge chunk (30) of the individual security flaws tackled in this month&#8217;s update cycle. Microsoft also released a critical patch to correct 15 weaknesses in <strong>Microsoft Edge</strong>, the browser meant to supplant IE.</p>
<p>According to security firm <strong>Shavlik</strong>, supported versions of IE will be changing quite a bit in January. After <span data-term="goog_114580385">January 12, 2016</span>, only the latest IE version available on each operating system will be supported. This means if you are not running the latest version of IE available for the version of Windows you are on, you will no longer be getting security updates. More information about this change is available <a href="https://blogs.msdn.microsoft.com/ie/2014/08/07/stay-up-to-date-with-internet-explorer/" target="_blank">here</a>.<span id="more-33202"></span></p>
<p>The <strong>SANS Internet Storm Center</strong> is <a href="https://isc.sans.edu/forums/diary/December+2015+Microsoft+Patch+Tuesday/20461/" target="_blank">reporting</a> that some Windows users who have Outlook installed are experiencing some difficulties using the program after applying this month&#8217;s updates. If you use Outlook, it may be wise to put off installing this patch for a few days until Microsoft addresses the issue.</p>
<p>Another <a href="https://technet.microsoft.com/en-us/library/security/ms15-127.aspx" target="_blank">vulnerability</a> &#8212; fixed by a patch for domain name system (DNS) servers that run on Windows Servers &#8212; could prove extremely dangerous for organizations that rely on Windows Server for DNS services. According to SANS, Microsoft rates the exploitability as &#8220;2&#8221;, but doesn&#8217;t provide many details as to the nature of the vulnerability other than the fact that it can be triggered by remote DNS requests, which is bad news if you are using a Microsoft DNS server exposed to the public internet.</p>
<p>Adobe&#8217;s <a href="https://helpx.adobe.com/security/products/flash-player/apsb15-32.html" target="_blank">Flash update</a> brings Flash to version <em>20.0.0.228</em> for Internet Explorer and Chrome on Windows and Mac systems, and <em>20.0.0.235</em> for Windows and Mac versions of Firefox and Safari.</p>
<p>As I noted in <a href="http://krebsonsecurity.com/2015/06/a-month-without-adobe-flash-player/" target="_blank">a previous post</a>, most users can jump off the incessant Flash-patching merry-go-round by simply removing the program — or hobbling it until and unless it is needed for some purpose or site.</p>
<p>Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.</p>
<p>If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash. Another alternative to removing Flash is <a href="http://krebsonsecurity.com/2013/03/help-keep-threats-at-bay-with-click-to-play/" target="_blank">Click-To-Play</a>, which lets you control what Flash (and Java) content gets to load when you visit a Web page.</p>
<p>If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the <a href="https://get.adobe.com/flashplayer/" target="_blank">Flash home page.</a> Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).</p>
]]></content:encoded>
            <wfw:commentRss>http://krebsonsecurity.com/2015/12/adobe-microsoft-each-plug-70-security-holes/feed/</wfw:commentRss>
        <slash:comments>40</slash:comments>
        </item>
        <item>
        <title>When Undercover Credit Card Buys Go Bad</title>
        <link>http://krebsonsecurity.com/2015/12/when-undercover-credit-card-buys-go-bad/</link>
        <comments>http://krebsonsecurity.com/2015/12/when-undercover-credit-card-buys-go-bad/#comments</comments>
        <pubDate>Mon, 07 Dec 2015 10:50:58 +0000</pubDate>
        <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
                <category><![CDATA[A Little Sunshine]]></category>
        <category><![CDATA[Spam Nation]]></category>
        <category><![CDATA[Web Fraud 2.0]]></category>
        <category><![CDATA[Home Depot breach]]></category>
        <category><![CDATA[no pigs allowed]]></category>
        <category><![CDATA[pig detected]]></category>
        <category><![CDATA[rescator]]></category>
        <category><![CDATA[Sally Beauty breach]]></category>
        <category><![CDATA[target breach]]></category>

        <guid isPermaLink="false">http://krebsonsecurity.com/?p=33186</guid>
        <description><![CDATA[I recently heard from a source in law enforcement who had a peculiar problem. The source investigates cybercrime, and he was reaching out for advice after trying but failing to conduct undercover buys of stolen credit cards from a well-known underground card market. Turns out, the cybercrime bazaar's own security system triggered a "pig alert" and brazenly flagged the fed's transactions as an undercover purchase placed by a law enforcement officer.]]></description>
                <content:encoded><![CDATA[<p>I recently heard from a source in law enforcement who had a peculiar problem. The source investigates cybercrime, and he was reaching out for advice after trying but failing to conduct undercover buys of stolen credit cards from a well-known underground card market. Turns out, the cybercrime bazaar&#8217;s own security system triggered a &#8220;pig alert&#8221; and brazenly flagged the fed&#8217;s transactions as an undercover purchase placed by a law enforcement officer.</p>
<p>Law enforcement officials and bank anti-fraud specialists sometimes purchase stolen cards from crime forums and &#8220;carding&#8221; markets online in hopes of identifying a pattern among all the cards from a given batch that might make it easy to learn who got breached: If all of the cards from a given batch were later found to be used at the same e-commerce or brick-and-mortar merchant over the same time period, investigators can often determine the source of the card breach, alert the breached company and stem the flow of stolen cards.</p>
<p>Of course, such activity is not something the carding shops take lightly, since it tends to cut into their criminal sales and revenues. So it is that one of the more popular carding shops &#8212; Rescator &#8212; somehow enacted a system to detect purchases from suspected law enforcement officials. Rescator and his crew aren&#8217;t shy about letting you know when they think you&#8217;re not a real criminal. My law enforcement source said he&#8217;d just placed a batch of cards into his shopping cart and was preparing to pay for the goods when the carding site&#8217;s checkout page was replaced with this image:</p>
<div id="attachment_33189" style="width: 590px" class="wp-caption aligncenter"><a href="http://krebsonsecurity.com/wp-content/uploads/2015/12/pigdetectionoccurednopigsallowedonpremises.png"><img class="size-medium wp-image-33189" src="http://krebsonsecurity.com/wp-content/uploads/2015/12/pigdetectionoccurednopigsallowedonpremises-580x562.png" alt="A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this &quot;pig detected&quot; alert." width="580" height="562" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/12/pigdetectionoccurednopigsallowedonpremises-580x562.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/12/pigdetectionoccurednopigsallowedonpremises.png 583w" sizes="(max-width: 580px) 100vw, 580px" /></a><p class="wp-caption-text">A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this &#8220;pig detected&#8221; alert.</p></div>
<p>The shop from which my source attempted to make the purchase &#8212; called Rescator &#8212; is <a href="http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/" target="_blank">the same carding store</a> that was the first to move millions of cards on sale that were stolen in the <a href="http://krebsonsecurity.com/?s=target+breach&amp;x=0&amp;y=0" target="_blank">Target</a> and <a href="http://krebsonsecurity.com/?s=home+depot+breach&amp;x=0&amp;y=0" target="_blank">Home Depot breaches</a>, among others. I&#8217;ve <a href="http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/" target="_blank">estimated</a> that although Rescator and his band of thieves stole 40 million credit and debit card numbers from Target, they only likely managed to sell between 1 and 3 million of those cards. Even so, at a median price of $26.85 per card and the median loss of 2 million cards, that&#8217;s still more than $50 million in revenue. It&#8217;s no wonder they want to keep the authorities out.<span id="more-33186"></span></p>
<p class="p1"><span class="s1">The analysis method used by my source &#8212; the buying of stolen cards to determine a breach source (also called &#8220;common point-of-purchase&#8221; or &#8220;CPP&#8221; analysis) &#8212; was critical to banks helping this reporter identify some of the biggest retail breaches on record in recent years (including Target and Home Depot).</span></p>
<p class="p1"><span class="s1">But the CPP approach usually falls flat if all of the cards purchased from the fraud shop fail to reveal a common merchant. More seasoned fraud shops have sought to achieve this confusion and confound investigators by “making sausage” — i.e., methodically mixing cards stolen from multiple victims into any single new batch of stolen cards that they offer for sale. Rescator&#8217;s site earned its infamy in part by flouting this best practice with cards stolen in separate breaches at Target, Home Depot, <a href="http://krebsonsecurity.com/?s=sally+beauty+breach&amp;x=0&amp;y=0" target="_blank">Sally Beauty</a>, <a href="http://krebsonsecurity.com/?s=chang%27s&amp;x=0&amp;y=0" target="_blank">P.F. Chang&#8217;s</a> and <a href="http://krebsonsecurity.com/2014/02/fire-sale-on-cards-stolen-in-target-breach/" target="_blank">Harbor Freight.</a> But according to banking industry sources, more recently it seems Rescator and other card shops have been flooded with cards from hacked point-of-sale machines at small restaurants across North America.</span></p>
<p>I told my law enforcement source that it&#8217;s not unheard of for cyber thieves who run online stores to employ blacklists of Internet address ranges known to be frequented or assigned to government and law enforcement agencies worldwide. The cybercrime kingpins I wrote about in <a href="http://www.amazon.com/Spam-Nation-Organized-Cybercrimefrom-Epidemic/dp/1501210432" target="_blank">my book Spam Nation</a> used blacklists to block purchases of rogue pharmaceuticals by fraud investigators (a Spam Nation excerpt showing two key cybercrooks arguing about how best to flag suspicious purchases is in the second half of <a href="http://krebsonsecurity.com/2012/04/gateline-net-was-key-rogue-pharma-processor/" target="_blank">this story</a>).</p>
<p>Then again, perhaps Rescator&#8217;s site simply noticed something amiss when my source funded his account with Bitcoin. The criminals running the fraud shop seized his carding store account and bitcoin balance after the pig alert flashed on my source&#8217;s screen &#8212; effectively stealing hundreds of taxpayer dollars directly from the authorities.</p>
<p>Unsurprisingly, my source was unwilling to divulge anything about his undercover operations, including any foibles he might have made that led to his outing. He just wanted advice about how to avoid the pig alert in future undercover buys. But I found his case fascinating and yet another example of the growing sophistication of large-scale cybercrime operations.</p>
<p>If the idea of fraudsters using intelligence to outwit investigators sounds fascinating, check out <a href="http://www.paymentssource.com/news/risk-analytics/banks-have-a-harder-time-blending-among-fraudsters-3022713-1.html" target="_blank">this Nov. 2015 story at PaymentsSource.com</a>, which references the above-pictured pig alert and some other ways many of the more savvy black-market card shops are getting less welcoming to outsiders.</p>
]]></content:encoded>
            <wfw:commentRss>http://krebsonsecurity.com/2015/12/when-undercover-credit-card-buys-go-bad/feed/</wfw:commentRss>
        <slash:comments>54</slash:comments>
        </item>
        <item>
        <title>OPM Breach: Credit Monitoring vs. Freeze</title>
        <link>http://krebsonsecurity.com/2015/12/opm-breach-credit-monitoring-vs-freeze/</link>
        <comments>http://krebsonsecurity.com/2015/12/opm-breach-credit-monitoring-vs-freeze/#comments</comments>
        <pubDate>Wed, 02 Dec 2015 14:10:26 +0000</pubDate>
        <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
                <category><![CDATA[A Little Sunshine]]></category>
        <category><![CDATA[Security Tools]]></category>
        <category><![CDATA[credit freeze]]></category>
        <category><![CDATA[Equifax]]></category>
        <category><![CDATA[Experian]]></category>
        <category><![CDATA[ID Experts]]></category>
        <category><![CDATA[Innovis]]></category>
        <category><![CDATA[OPM Breach]]></category>
        <category><![CDATA[security freeze]]></category>
        <category><![CDATA[Trans Union]]></category>

        <guid isPermaLink="false">http://krebsonsecurity.com/?p=33095</guid>
        <description><![CDATA[Many readers wrote in this past week to say they'd finally been officially notified that their fingerprints, background checks, Social Security numbers, and other sensitive information was jeopardized in the massive data breach discovered this year at the Office of Personnel Management (OPM). Almost as many complained that the OPM's response -- the offering of free credit monitoring services for up to three years -- won't work if readers have taken my advice and enacted a "security freeze" on one's credit file with the major credit bureaus. This post is an attempt to explain what's going on here.]]></description>
                <content:encoded><![CDATA[<p>Many readers wrote in this past week to say they&#8217;d finally been officially notified that their fingerprints, background checks, Social Security numbers, and other sensitive information was jeopardized in <a href="https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach" target="_blank">the massive data breach</a> discovered this year at the <strong>Office of Personnel Management</strong> (OPM). Almost as many complained that the OPM&#8217;s response &#8212; the offering of free credit monitoring services for up to three years &#8212; won&#8217;t work if readers have taken my advice and enacted a &#8220;security freeze&#8221; on one&#8217;s credit file with the major credit bureaus. This post is an attempt to explain what&#8217;s going on here.</p>
<div id="attachment_31251" style="width: 590px" class="wp-caption aligncenter"><a href="http://krebsonsecurity.com/wp-content/uploads/2015/06/opmoffices.png"><img class="size-medium wp-image-31251" src="http://krebsonsecurity.com/wp-content/uploads/2015/06/opmoffices-580x348.png" alt="OPM offices in Washington, DC. Image: Flickr." width="580" height="348" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/06/opmoffices-580x348.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/06/opmoffices.png 939w" sizes="(max-width: 580px) 100vw, 580px" /></a><p class="wp-caption-text">OPM offices in Washington, DC. Image: Flickr.</p></div>
<p>Earlier this week I got the following message from a reader:</p>
<blockquote><p>&#8220;I just received official notification that I am affected by the OPM data breach. I attempted to sign up for credit monitoring services with the OPM&#8217;s contractor ID Experts at opm.myidcare.com, but was denied these services because I have a credit security freeze. I was told by ID Experts that the OPM&#8217;s credit monitoring services will not work for accounts with a security freeze.&#8221;</p></blockquote>
<p>The reader continued:</p>
<blockquote><p>&#8220;This supports my decision to issue a security freeze for all my credit accounts, and in my assessment completely undermines the utility and value of the OPM&#8217;s credit monitoring services when individuals can simply issue a security freeze. This inability to monitor a person&#8217;s credit file when a freeze is in place speaks volumes about the effectiveness of a freeze in blocking anyone &#8212; ID protection firms or ID thieves included &#8212; from viewing your file.&#8221;</p></blockquote>
<p>I reached out to my followers on Twitter to gauge their reactions to this. I wrote: &#8220;Finish this sentence: Lifting a freeze to enable credit monitoring is like&#8230;.&#8221; Here were some of the notable responses:</p>
<p><strong>@sdweberg 10:22pm</strong> &#8230;shooting your rottweilers and paying the neighbors a monthly fee to &#8220;keep an eye on&#8221; your house.</p>
<p><strong>@shane_walton 10:15pm</strong> &#8230;installing flash to watch a flash video about the evils of flash.</p>
<p><strong>@danblondell 10:13pm</strong> &#8230;leaving the storm doors open to keep an eye on the tornado</p>
<p><strong>@flakpaket 12:48am</strong> &#8230;leaving your doors and windows unlocked so that burglars can set off your indoor motion sensors.</p>
<p><strong>@ShermanTheDad 8:25am</strong> &#8230;taking your gun off safety to check and see if it&#8217;s loaded.</p>
<p class="p1">Removing a security freeze to enable credit monitoring is foolhardy because the freeze offers more comprehensive protection against ID theft. Credit monitoring services are useful for cleaning up your credit file *after* you&#8217;re victimized by ID thieves, but they generally do nothing to stop thieves from applying for and opening new lines of credit in your name.</p>
<p class="p1"><span class="s1">As I discussed at length <a href="http://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/" target="_blank">in this primer</a>, credit monitoring services aren’t really built to prevent ID theft. The most you can hope for from a credit monitoring service is that they give you a heads up when ID theft does happen, and then help you through the often labyrinthine process of getting the credit bureaus and/or creditors to remove the fraudulent activity and to fix your credit score.</span><span id="more-33095"></span></p>
<p class="p1">Many of these third party credit monitoring services also induce people to provide even more information than was leaked in the original breach. For example, <strong><a href="https://www2.idexpertscorp.com/press/single/opm-dod-announce-identity-theft-protection-and-credit-monitoring-contract" target="_blank">ID Experts</a></strong> &#8212; the company that <a href="http://krebsonsecurity.com/2015/09/opm-misspends-133m-on-credit-monitoring/" target="_blank">OPM has paid $133 million</a> to offer credit monitoring for the 21.5 million Americans affected by its breach &#8212; offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.</p>
<p class="p1"><span class="s1">If you have already been victimized by identity theft (fraud involving existing credit or debit cards is <i>not</i> identity theft), it might be worth signing up for these credit monitoring and repair services. <em>Otherwise, I’d strongly advise my US readers to consider freezing their credit files at the major credit bureaus. </em></span></p>
<p>Depending on in which state you reside, there may be <a href="https://help.equifax.com/app/answers/detail/a_id/75/~/security-freeze-fees-and-requirements" target="_blank">a small fee</a> to place and/or thaw a freeze on your credit file, and freezing them at all four major bureaus (<strong>Equifax</strong>, <strong>Experian</strong>, <strong>Innovis</strong> and <strong>Trans Union</strong>) could cost as much as $60. But this is a small price to pay for peace of mind.</p>
<p>In <a href="http://krebsonsecurity.com/2015/11/report-everyone-should-get-a-security-freeze/" target="_blank">a report released last month</a>, the consumer <strong>US-PIRG</strong> urged all consumers to place a security freeze on their credit files. US-PIRG suggests if you already have freezes on your reports, you will need to lift your freezes before signing up for the credit monitoring and reinstate the freezes. If you don&#8217;t have freezes on your credit reports yet, sign up for the free credit monitoring first, then place your freezes.</p>
<p>In a perfect world, breached organizations would offer to pay the costs involved in freezing your credit files, but sadly the standard playbook in corporate breach response is to pay for credit monitoring.</p>
<p><span style="text-decoration: underline;">PROTECTING DEPENDENTS FROM ID THEFT</span></p>
<p>One area where credit monitoring makes more sense is with dependents and children under the age of 18. That&#8217;s because it&#8217;s impossible to freeze a credit file that doesn&#8217;t exist, and most minors aren&#8217;t going to have one (hopefully).</p>
<p>According to <a href="http://www.experian.com/ask-experian/20060823-freezing-your-childrens-credit-histories.html" target="_blank">Experian</a>, if your children already have credit reports in their names, one of three things has happened: You have applied for credit in their names and the applications were approved; you have added them as authorized users or joint account holders on one or more of your accounts; someone has fraudulently used their information to apply for credit and they are already identity theft victims.</p>
<p>One way to find out is to visit annualcreditreport.com to apply for a copy of their credit report. The most important precaution parents can take is to keep a close eye on dependent credit files when kids reach their mid-teens. That way, if a credit file materializes for your child because of identity theft, there is still time to sort it out before the kid actually needs a line of credit or loan. However, if your child becomes the victim of ID theft at a very young age, it probably makes more sense to freeze the kid&#8217;s credit file.</p>
<p>Most credit monitoring services will allow you to enroll your children as well, but that coverage generally expires after they reach 18. KrebsOnSecurity reader Michael found this out when he tried to sign up his five kids after receiving a notice from the OMB.</p>
<p>&#8220;For some reason, coverage for adult children was not provided when I signed up and is discontinued once they reach 18, so at the outset, only 2 of my 5 kids were included even though their data was also compromised,&#8221; Michael wrote.</p>
<p>If you&#8217;re considering freezing your credit file, <a href="http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/" target="_blank">have a look at this primer</a> which walks through the various steps needed to place a freeze. It also includes pointers to additional steps that consumers can take to avoid becoming victims of identity theft.</p>
<p>Were you or your family impacted by the OPM breach? How have you responded? Sound off in the comments below.</p>
]]></content:encoded>
            <wfw:commentRss>http://krebsonsecurity.com/2015/12/opm-breach-credit-monitoring-vs-freeze/feed/</wfw:commentRss>
        <slash:comments>86</slash:comments>
        </item>
        <item>
        <title>DHS Giving Firms Free Penetration Tests</title>
        <link>http://krebsonsecurity.com/2015/12/dhs-giving-firms-free-penetration-tests/</link>
        <comments>http://krebsonsecurity.com/2015/12/dhs-giving-firms-free-penetration-tests/#comments</comments>
        <pubDate>Tue, 01 Dec 2015 05:05:29 +0000</pubDate>
        <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
                <category><![CDATA[A Little Sunshine]]></category>
        <category><![CDATA[Cyber Hygiene]]></category>
        <category><![CDATA[Dave Aitel]]></category>
        <category><![CDATA[DHS]]></category>
        <category><![CDATA[Immunity Inc]]></category>
        <category><![CDATA[National Cybersecurity Assessment and Technical Services]]></category>
        <category><![CDATA[national security agency]]></category>
        <category><![CDATA[NCATS]]></category>
        <category><![CDATA[Risk and Vulnerability Assessment]]></category>
        <category><![CDATA[Sy Lee]]></category>

        <guid isPermaLink="false">http://krebsonsecurity.com/?p=32876</guid>
        <description><![CDATA[The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies -- mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help "critical infrastructure" companies shore up their computer and network defenses against real-world adversaries. And it's all free of charge (well, on the U.S. taxpayer's dime).]]></description>
                <content:encoded><![CDATA[<p dir="ltr">The <strong>U.S. Department of Homeland Security</strong> (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies &#8212; mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help &#8220;critical infrastructure&#8221; companies shore up their computer and network defenses against real-world adversaries. And it&#8217;s all free of charge (well, on the U.S. taxpayer&#8217;s dime).</p>
<div id="attachment_33139" style="width: 590px" class="wp-caption aligncenter"><a href="http://krebsonsecurity.com/wp-content/uploads/2015/11/cyberhygienemap.png"><img class="size-medium wp-image-33139" src="http://krebsonsecurity.com/wp-content/uploads/2015/11/cyberhygienemap-580x388.png" alt="Organizations participating in DHS's &quot;Cyber Hygiene&quot; vulnerability scans. Source: DHS" width="580" height="388" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/11/cyberhygienemap-580x388.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/11/cyberhygienemap-940x628.png 940w, http://krebsonsecurity.com/wp-content/uploads/2015/11/cyberhygienemap.png 1059w" sizes="(max-width: 580px) 100vw, 580px" /></a><p class="wp-caption-text">Organizations participating in DHS&#8217;s &#8220;Cyber Hygiene&#8221; vulnerability scans. Source: DHS</p></div>
<p>KrebsOnSecurity first learned about DHS&#8217;s <strong>National Cybersecurity Assessment and Technical Services</strong> (NCATS) program after hearing from a risk manager at a small financial institution in the eastern United States. The manager was comparing the free services offered by NCATS with private sector offerings and was seeking my opinion. I asked around to a number of otherwise clueful sources who had no idea this DHS program even existed.</p>
<p dir="ltr">DHS declined requests for an interview about NCATS, but the agency <a href="http://krebsonsecurity.com/wp-content/uploads/2015/11/Agency-Acceptance-Letter-CH-Service-SLTT_PS.pdf" target="_blank">has published some information</a> about the program. According to DHS, the NCATS program offers full-scope penetration testing capabilities in the form of two separate programs: a &#8220;Risk and Vulnerability Assessment,&#8221; (RVA) and a &#8220;Cyber Hygiene&#8221; evaluation. Both are designed to help the partner organization better understand how external systems and infrastructure appear to potential attackers.</p>
<p>“The Department of Homeland Security (DHS) works closely with public and private sector partners to strengthen the security and resilience of their systems against evolving threats in cyberspace,&#8221; <strong>DHS spokesperson</strong> <strong>Sy Lee</strong> wrote in an email response to an interview request. &#8220;The National Cybersecurity Assessments and Technical Services (NCATS) team focuses on proactively engaging with federal, state, local, tribal, territorial and private sector stakeholders to assist them in improving their cybersecurity posture, limit exposure to risks and threats, and reduce rates of exploitation. As part of this effort, the NCATS team offers cybersecurity services such as red team and penetration testing and vulnerability scanning at no cost.”</p>
<p dir="ltr">The RVA program reportedly scans the target&#8217;s operating systems, databases, and Web applications for known vulnerabilities, and then tests to see if any of the weaknesses found can be used to successfully compromise the target&#8217;s systems. In addition, RVA program participants receive scans for rogue wireless devices, and their employees are tested with &#8220;social engineering&#8221; attempts to see how employees respond to targeted phishing attacks.</p>
<p dir="ltr">The Cyber Hygiene program &#8212; which is currently mandatory for agencies in the federal civilian executive branch but optional for private sector and state, local and tribal stakeholders &#8212; includes both internal and external vulnerability and Web application scanning.</p>
<p dir="ltr">The reports show detailed information about the organization&#8217;s vulnerabilities, including suggested steps to mitigate the flaws.  DHS uses the aggregate information from each client and creates a yearly non-attributable report. The FY14 End of Year report created with data from the Cyber Hygiene and RVA program is <a href="http://krebsonsecurity.com/wp-content/uploads/2015/11/DHS-NCATS-FY14-Annual-Report.pdf" target="_blank">here</a> (PDF).</p>
<p dir="ltr">Among the findings in that report, which drew information from more than 100 engagements last year:</p>
<p>-Manual testing was required to identify 67 percent of the RVA vulnerability findings (as opposed to off-the-shelf, automated vulnerability scans);</p>
<p>-More than 50 percent of the total 344 vulnerabilities found during the scans last year earned a severity rating of &#8220;high&#8221; (40 percent) or &#8220;critical&#8221; (13 percent).</p>
<p>-RVA phishing emails resulted in a click rate of 25 percent.</p>
<div id="attachment_33132" style="width: 590px" class="wp-caption aligncenter"><a href="http://krebsonsecurity.com/wp-content/uploads/2015/11/ncats14vulns.png"><img class="size-medium wp-image-33132" src="http://krebsonsecurity.com/wp-content/uploads/2015/11/ncats14vulns-580x234.png" alt="Data from NCATS FY 2014 Report." width="580" height="234" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/11/ncats14vulns-580x234.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/11/ncats14vulns.png 916w" sizes="(max-width: 580px) 100vw, 580px" /></a><p class="wp-caption-text">Data from NCATS FY 2014 Report.</p></div>
<p dir="ltr"> <span style="text-decoration: underline;">ANALYSIS</span></p>
<p dir="ltr">I was curious to know how many private sector companies had taken DHS up on its rather generous offers, since these services can be quite expensive if conducted by private companies. In response to questions from this author, DHS said that in Fiscal Year 2015 NCATS provided support to 53 private sector partners. According to data provided by DHS, the majority of the program’s private sector participation comes from the energy and financial services industries &#8212; with the latter typically at regional or smaller institutions such as credit unions.</p>
<p dir="ltr">DHS has taken its lumps over the years for not doing enough to get its own cybersecurity house in order, let alone helping industry fix its problems. In light of the agency&#8217;s past cybersecurity foibles, the NCATS program on the surface would seem like a concrete step toward blunting those criticisms.</p>
<p dir="ltr">I wondered how someone in the penetration testing industry would feel about the government throwing its free services into the ring. <strong>Dave Aitel</strong> is chief technology officer at <strong>Immunity Inc.</strong>, a Miami Beach, Fla. based security firm that offers many of the same services NCATS bundles in its product.<span id="more-32876"></span></p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2015/11/cyberhygiene.png"><img class="alignright size-full wp-image-33138" src="http://krebsonsecurity.com/wp-content/uploads/2015/11/cyberhygiene.png" alt="cyberhygiene" width="250" height="338" /></a></p>
<p dir="ltr">Aitel said one of the major benefits for DHS in offering NCATS is that it can use the program to learn about real-world vulnerabilities in critical infrastructure companies.</p>
<p dir="ltr">&#8220;DHS is a big player in the &#8216;regulation&#8217; policy area, and the last thing we need is an uninformed DHS that has little technical expertise in the areas that penetration testing covers,&#8221; Aitel said. &#8220;The more DHS understands about the realities of information security on the ground &#8211; the more it treats American companies as their customers &#8211; the better and less impactful their policy recommendations will be. We always say that Offense is the professor of Defense, and in this case, without having gone on the offense DHS would be helpless to suggest remedies to critical infrastructure companies.&#8221;</p>
<p dir="ltr">Of course, the downsides are that sometimes you get what you pay for, and the NCATS offering raises some interesting questions, Aitel said.</p>
<p dir="ltr">&#8220;Even if the DHS team doing the work is great, part of the value of an expensive penetration test is that companies feel obligated to follow the recommendations and improve their security,&#8221; he said. &#8220;Does the data found by a DHS testing team affect a company’s SEC liabilities in any way? What if the Government gets access to customer data during a penetration test &#8211; what legal ramifications does that have? This is a common event and pre-CISPA it may carry significant liability.&#8221;</p>
<p dir="ltr">As far as the potential legal ramifications of any mistakes DHS may or may not make in its assessments, the <a href="http://krebsonsecurity.com/wp-content/uploads/2015/11/Agency-Acceptance-Letter-CH-Service-SLTT_PS.pdf" target="_blank">acceptance letter</a> (PDF) that all NCATS customers must sign says DHS provides no warranties of any kind related to the free services. The <a href="http://krebsonsecurity.com/wp-content/uploads/2015/11/Agency-Acceptance-Letter-CH-Service-SLTT_PS.pdf" target="_blank">rules of engagement letter</a> from DHS further lays out ground rules and specifics of the NCATS testing services.</p>
<p dir="ltr">Aitel, a former research scientist at the <strong>National Security Agency</strong> (NSA), raised another issue: Any vulnerabilities found anywhere within the government &#8212; for example, in a piece of third party software &#8212; are supposed to go to the NSA for triage, and sometimes the NSA is later able to use those vulnerabilities in clandestine cyber offensive operations.</p>
<p dir="ltr">But what about previously unknown vulnerabilities found by DHS examiners?</p>
<p dir="ltr">&#8220;This may be less of an issue when DHS uses a third party team, but if they use a DHS team, and they find a bug in <strong>Microsoft IIS</strong> (Web server), that’s not going to the customer &#8211; that’s going to the NSA,&#8221; Aitel said.</p>
<p dir="ltr">And then there are potential legal issues with the government <a href="https://www.whitehouse.gov/omb/circulars_a076_a76_incl_tech_correction/" target="_blank">competing with private industry</a>.</p>
<p dir="ltr"><strong>Alan Paller</strong>, director of research at the <strong>SANS Institute</strong>, a Bethesda, Md. based security training group, isn&#8217;t so much concerned about the government competing with the private sector for security audits. But he said DHS is giving away something big with its free assessments: An excuse for the leadership at scanned organizations for not doing anything after the assessment and using the results as a way to actually spend less on security.</p>
<p dir="ltr">&#8220;The NCATS program could be an excellent service that does a lot of good but it isn’t,&#8221; Paller said. &#8220;The problem is that it measures only a very limited subset of of the vulnerability space but comes with a gold plated get out of jail free card: &#8216;The US government came and checked us.&#8217; They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.&#8221;</p>
<p dir="ltr">According to Paller, despite what the NCATS documents say, the testers do not do active penetration tasks against the network. Rather, he said, they are constrained by their rules of engagement.</p>
<p dir="ltr">&#8220;Mostly they do architectural assessments and traffic analysis,&#8221; he said. &#8220;They get a big packet capture and they baseline and profile and do some protocol analysis (wireless).&#8221;</p>
<p dir="ltr">Paller said the sort of network architecture review offered by DHS&#8217;s scans can only tell you so much, and that the folks doing it do not have deep experience with one of the more arcane aspects of critical infrastructure systems: Industrial control systems of the sort that might be present in an energy firm that turns to NCATS for its cybersecurity assessment.</p>
<p dir="ltr">&#8220;In general the architectural reviews are done by younger folks with little real world experience,&#8221; Paller said. &#8220;The big problem is that the customer is not fully briefed on the limitations of what is being done in their assessment and testing.&#8221;</p>
<p dir="ltr">Does your organization have experience with NCATS assessments? Are you part of a <a href="http://www.dhs.gov/what-critical-infrastructure" target="_blank">critical infrastructure</a> company that might use these services? Would you? Sound off in the comments below.</p>
]]></content:encoded>
            <wfw:commentRss>http://krebsonsecurity.com/2015/12/dhs-giving-firms-free-penetration-tests/feed/</wfw:commentRss>
        <slash:comments>75</slash:comments>
        </item>
        <item>
        <title>Gas Theft Gangs Fuel Pump Skimming Scams</title>
        <link>http://krebsonsecurity.com/2015/11/gas-theft-gangs-fuel-pump-skimming-scams/</link>
        <comments>http://krebsonsecurity.com/2015/11/gas-theft-gangs-fuel-pump-skimming-scams/#comments</comments>
        <pubDate>Mon, 30 Nov 2015 14:29:05 +0000</pubDate>
        <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
                <category><![CDATA[A Little Sunshine]]></category>
        <category><![CDATA[Other]]></category>
        <category><![CDATA[Aaron Turner]]></category>
        <category><![CDATA[bladder trucks]]></category>
        <category><![CDATA[fuel theft]]></category>
        <category><![CDATA[fuel theft gang]]></category>
        <category><![CDATA[gas pump skimmers]]></category>
        <category><![CDATA[pump skimmers]]></category>
        <category><![CDATA[Steve Scarince]]></category>
        <category><![CDATA[US Secret Service]]></category>
        <category><![CDATA[VeriFone]]></category>
        <category><![CDATA[Visa]]></category>

        <guid isPermaLink="false">http://krebsonsecurity.com/?p=32878</guid>
        <description><![CDATA[Few schemes for monetizing stolen credit cards are as bold as the fuel theft scam: Crooks embed skimming devices inside fuel station pumps to steal credit card data from customers. Thieves then clone the cards and use them to steal hundreds of gallons of gas at multiple filling stations. The gas is pumped into hollowed-out trucks and vans, which ferry the fuel to a giant tanker truck. The criminals then sell and deliver the gas at cut rate prices to shady and complicit fuel station owners.]]></description>
                <content:encoded><![CDATA[<p>Few schemes for monetizing stolen credit cards are as bold as the fuel theft scam: Crooks embed skimming devices inside fuel station pumps to steal credit card data from customers. Thieves then clone the cards and use them to steal hundreds of gallons of gas at multiple filling stations. The gas is pumped into hollowed-out trucks and vans, which ferry the fuel to a giant tanker truck. The criminals then sell and deliver the gas at cut rate prices to shady and complicit fuel station owners.</p>
<p><strong>Agent Steve Scarince</strong> of the <strong>U.S. Secret Service</strong> heads up a task force in Los Angeles that since 2009 has been combating fuel theft and fuel pump skimming rings. Scarince said the crooks who plant the skimmers and steal the cards from fuel stations usually are separate criminal groups from those who use the cards to steal and resell gas.</p>
<div id="attachment_33103" style="width: 590px" class="wp-caption aligncenter"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2015/11/externalcardskim.png"><img class="size-medium wp-image-33103" src="http://krebsonsecurity.com/wp-content/uploads/2015/11/externalcardskim-580x483.png" alt="External pump skimmers retrieved from LA fuel stations." width="580" height="483" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/11/externalcardskim-580x483.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/11/externalcardskim-940x783.png 940w, http://krebsonsecurity.com/wp-content/uploads/2015/11/externalcardskim.png 1126w" sizes="(max-width: 580px) 100vw, 580px" /></a><p class="wp-caption-text">An external pump skimmer is attached to the end of this compromised fuel dispenser in Los Angeles (right).</p></div>
<p>&#8220;Generally the way it works is the skimmer will sell the cards to a fuel theft cell or ring,&#8221; he said. &#8220;The head of the ring or the number two guy will go purchase the credit cards and bring them back to the drivers. More often than not, the drivers don’t know a whole lot about the business. They just show up for work, the boss hands them 25 cards and says, &#8216;Make the most of it, and bring me back the cards that don&#8217;t work.&#8217; And the leader of the ring will go back to the card skimmer and say, &#8216;Okay out of 100 of those you sold me, 50 of them didn’t work.'&#8221;</p>
<p>Scarince said the skimmer gangs will gain access to the inside of the fuel pumps either secretly or by bribing station attendants. Once inside the pumps, the thieves hook up their skimmer to the gas pump&#8217;s card reader and PIN pad. The devices also are connected to the pump&#8217;s electric power &#8212; so they don&#8217;t need batteries and can operate indefinitely.</p>
<div id="attachment_33104" style="width: 590px" class="wp-caption aligncenter"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2015/11/internalskim1.png"><img class="size-medium wp-image-33104" src="http://krebsonsecurity.com/wp-content/uploads/2015/11/internalskim1-580x308.png" alt="Internal pump skimming device seized from a Los Angeles fuel station." width="580" height="308" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/11/internalskim1-580x308.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/11/internalskim1-940x499.png 940w, http://krebsonsecurity.com/wp-content/uploads/2015/11/internalskim1.png 1212w" sizes="(max-width: 580px) 100vw, 580px" /></a><p class="wp-caption-text">Internal pump skimming device seized from a Los Angeles fuel station.</p></div>
<p>Most internal, modern pump skimmers are built to record the card data on a storage device that can transmit the data wirelessly via Bluetooth technology. This way, thieves can drive up with a laptop and fill their tank in the time it takes to suck down the card data that&#8217;s been freshly stolen since their last visit.</p>
<p>The Secret Service task force in Los Angels has even found pump skimming devices that send the stolen card data via SMS/text message to the thieves, meaning the crooks don&#8217;t ever have to return to the scene of the crime and can receive the stolen cards and PINs anywhere in the world that has mobile phone service.</p>
<p><span style="text-decoration: underline;">MOBILE BOMBS</span></p>
<p>Scarince said the fuel theft gangs use vans and trucks crudely modified and retrofitted with huge metal and/or plastic &#8220;bladders&#8221; capable of holding between 250 and 500 gallons of fuel.</p>
<p>&#8220;The fuel theft groups will drive a bladder truck from gas station to gas station, using counterfeit cards to fill up the bladder,&#8221; he said. &#8220;Then they&#8217;ll drive back to their compound and pump the fuel into a 4,000 or 5,000 [gallon] container truck.&#8221;</p>
<div id="attachment_33105" style="width: 590px" class="wp-caption aligncenter"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2015/11/bladdertruck1.png"><img class="size-medium wp-image-33105" src="http://krebsonsecurity.com/wp-content/uploads/2015/11/bladdertruck1-580x323.png" alt="A bladder made to look like it's hauling used tires." width="580" height="323" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/11/bladdertruck1-580x323.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/11/bladdertruck1-940x523.png 940w, http://krebsonsecurity.com/wp-content/uploads/2015/11/bladdertruck1.png 1370w" sizes="(max-width: 580px) 100vw, 580px" /></a><p class="wp-caption-text">A bladder truck made to look like it&#8217;s hauling used tires. The wooden panel that was hiding the metal tank exposed here has ben removed in this picture.</p></div>
<p>The fuel will be delivered to gas station owners with whom the fuel theft ring has previously brokered with on the price per gallon. And it&#8217;s always a cash transaction.</p>
<p>&#8220;The stations know they&#8217;re buying stolen gas,&#8221; Scarince said. &#8220;They&#8217;re fully aware the fuel is not coming from a legitimate source. There&#8217;s never any paperwork with the fuel driver, and these transactions are missing all the elements of a normal, legitimate transaction between what would be a refinery and a gas station.&#8221;</p>
<div id="attachment_33106" style="width: 590px" class="wp-caption aligncenter"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2015/11/bladdertruck2.png"><img class="size-medium wp-image-33106" src="http://krebsonsecurity.com/wp-content/uploads/2015/11/bladdertruck2-580x316.png" alt="Fuel theft gangs converted this van into a bladder truck. Image: Secret Service." width="580" height="316" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/11/bladdertruck2-580x316.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/11/bladdertruck2-940x511.png 940w, http://krebsonsecurity.com/wp-content/uploads/2015/11/bladdertruck2.png 1518w" sizes="(max-width: 580px) 100vw, 580px" /></a><p class="wp-caption-text">Fuel theft gangs converted this van into a bladder truck. Image: Secret Service.</p></div>
<p>Needless to say, the bladder trucks aren&#8217;t exactly road-worthy when they&#8217;re filled to the brim with stolen and highly flammable fuel. From time to time, one of the dimmer bladder truck drivers will temporarily forget his cargo and light up a smoke.</p>
<p>&#8220;Two or three summers ago we had this one guy who I guess was just jonesing for a cigarette,&#8221; Scarince said. &#8220;He lit up and that was the last thing he did.&#8221;</p>
<div id="attachment_33107" style="width: 590px" class="wp-caption aligncenter"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2015/11/crispycritters.png"><img class="size-medium wp-image-33107" src="http://krebsonsecurity.com/wp-content/uploads/2015/11/crispycritters-580x216.png" alt="This bladder truck went up in smoke (literally)." width="580" height="216" srcset="http://krebsonsecurity.com/wp-content/uploads/2015/11/crispycritters-580x216.png 580w, http://krebsonsecurity.com/wp-content/uploads/2015/11/crispycritters-940x350.png 940w, http://krebsonsecurity.com/wp-content/uploads/2015/11/crispycritters.png 1542w" sizes="(max-width: 580px) 100vw, 580px" /></a><p class="wp-caption-text">This bladder truck went up in (a) smoke.</p></div>
<p><span id="more-32878"></span>Other bladder trucks have spontaneously burst into flames at filling stations while thieves pumped stolen gas.</p>
<p>&#8220;There have been other fires that took place during the transfer of fuel, where some static sparked and the whole place caught on fire,&#8221; Scarince said. &#8220;These vehicles are not road-worthy by any means. Some of the bladder tanks are poorly made, they leak. The trucks are often overweight and can&#8217;t handle the load. We see things like transmissions giving out, chassis going out. These things are real hazards just waiting to happen.&#8221;</p>
<p>How big are the fuel theft operations in and around Los Angeles? <span class="pullquote pqright"><em>Scarince estimates that at any given time there are 20 to 30 of these deadly bladder trucks trundling down L.A. freeways and side streets.</em></span></p>
<p>&#8220;And that&#8217;s a very conservative guess, just based on what the credit card companies report,&#8221; he said.</p>
<p><strong>Aaron Turner</strong>, vice president of identity service products at <strong>Verifone</strong> &#8212; a major manufacturer of credit card terminals &#8212; leads a team that has been studying many of the skimming devices that the Secret Service has retrieved from compromised filling stations. Turner says there is<span class="s1"> a huge potential for safety-related issues when it comes to skimmers in a gas-pump environment.<span class="Apple-converted-space">  </span></span></p>
<p><span class="s1">&#8220;Every piece of equipment that is installed by gas station owners in the pump area is approved by reviewed and approved according to industry standards, but these skimmers&#8230;not so much,&#8221; Turner said.<span class="Apple-converted-space"> &#8220;</span>One of the skimmers that we retrieved was sparking and arcing when we powered it up in our lab. I think it&#8217;s safe to say that skimmer manufacturers are not getting <a href="https://en.wikipedia.org/wiki/UL_(safety_organization)" target="_blank">UL certifications</a> for their gear.&#8221;</span></p>
<p class="p1"><span style="text-decoration: underline;">COUNTERING FUEL FRAUD</span></p>
<p class="p1">With some fuel theft gangs stealing more than $10 million per year, Scarince said financial institutions and credit card issuers have responded with a range of tactics to detect and stop suspicious fuel station transactions.</p>
<p class="p1">&#8220;A lot more card issuers and merchant processors are really pushing hard on velocity checks,&#8221; Scarince said, referring to a fraud detection technique that reviews transactions for repeating patterns within a brief period. &#8220;If you buy gas in Washington, D.C. and then 30 minutes gas later gas is being purchased on opposite side of the city in a short period of time. Those are things that are going to start triggering questions about the card. So, more checks like that are being tested and deployed, and banks are getting better at detecting this activity.&#8221;</p>
<p>Card issuers also can impose their own artificial spending limits on fuel purchases. <strong>Visa</strong>, for example, caps fuel purchases at $125.  But thieves often learn to work just under those limits.</p>
<p>&#8220;The more intelligent crooks will use only a few cards per station, which keeps them a lower profile,&#8221; Scarince said. &#8220;They&#8217;ll come in a swipe two to three cards and fill up 40-80 gallons and move on down the road to another station. They definitely also have what we determine to be routes. Monday they&#8217;ll drive one direction, and Tuesday they&#8217;ll go the other way, just to make sure they don’t hit the same stations one day after another.&#8221;</p>
<p class="p1">Newer credit and debit cards with embedded chip technology should make the cards more costly and difficult to counterfeit. However, the chip cards still have the card data encoded in plain text on the card&#8217;s magnetic strip, and most fuel stations won&#8217;t have chip-enabled readers for several years to come.</p>
<p class="p1">On Oct. 1, 2015, Visa and MasterCard put in force new rules that can penalize merchants who do not yet have chip-enabled terminals. Under the new rules, merchants that don&#8217;t have the technology to accept chip cards will assume full liability for the cost of fraud from purchases in which the customer presented a chip-enabled card.</p>
<p class="p1">But those rules don&#8217;t apply to fuel stations in the United States until October 2017, and a great many stations won&#8217;t meet that deadline, said Verifone&#8217;s Turner.</p>
<p class="p1">&#8220;The petroleum stations and the trade organizations that represent them have been fairly public in their statements that they don&#8217;t feel they&#8217;re going to hit the 2017 dates,&#8221; Turner said. &#8220;If you look at the cost of replacing these dispensers and the number of systems that have been touched by qualified, licensed technicians&#8230;most of the stations are saying that even if they start this process now they&#8217;re going to struggle to meet that October 2017 date.&#8221;</p>
<p>Turner said that as chip card readers take hold in more retail establishments, card thieves will begin targeting fuel stations more intensively and systematically.</p>
<p>&#8220;We’re moving into this really interesting point of time when I think the criminals are going to focus on the approaches that offer them the greatest return on their investment,&#8221; Turner said. &#8220;<span class="s1">In the future, I think there will be a liability shift specifically for petroleum stations [because] the amount of mag-stripe-facilitated fraud that will happen in that market is going to increase significantly along with chip card deployment.&#8221;</span></p>
<p>Part of the reason Los Angeles is such a hotbed of skimming activity may be related to ethnic <a href="http://www.laweekly.com/news/taking-down-armenian-power-californias-modern-mafia-4824242" target="_blank">Armenian </a><a href="http://gangstersinc.ning.com/profiles/blogs/profile-armenian-power-leader-mher-darbinyan" target="_blank">organized crime</a> members that have invested heavily in fuel theft schemes. Last month, the Justice Department <a href="http://www.justice.gov/usao-cdca/pr/8-charged-federal-court-relation-skimmers-installed-gas-pumps-collect-credit-card-and" target="_blank">announced charges</a> against eight such men accused of planting skimmers in pumps throughout Southern California and Nevada.</p>
<p>Scarince and Turner say there is a great deal of room for the geographic spread of fuel theft scams. Although the bulk of fuel theft activity in the United States is centered around Los Angeles, the organized nature of the crime is slowly spreading to other cities.</p>
<p>&#8220;We are seeing pump skimming now shoot across the country,&#8221; Scarince said. &#8220;Los Angeles is still definitely ground zero, but Florida is now getting hit hard, as are Houston and parts of the midwest. Technology we first saw a couple of years ago in LA we&#8217;re now seeing show up in other locations across the country. They&#8217;re starting to pick on markets that are probably less aware of what’s going on as far as skimming goes and don’t secure their pumps as well as most stations do here.&#8221;</p>
<p><span style="text-decoration: underline;">WHAT CAN  YOU DO?</span></p>
<p>Avoid sketchy-looking stations and those that haven&#8217;t started using tamper-evident seals on their pumps.</p>
<p>&#8220;The fuel theft gangs certainly scout out the stations beforehand, looking for stations that haven&#8217;t upgraded their pump locks and haven&#8217;t started <a href="http://krebsonsecurity.com/2015/02/fuel-station-skimmers-primed-at-the-pump/" target="_blank">using tamper seals</a>,&#8221; Scarince said. &#8220;If some franchised station decided not to spend the money to upgrade their systems with these security precautions, they&#8217;re going to be targeted.&#8221;</p>
<p>Scarince says he also tends to use pumps that are closest to the attendants.</p>
<p>&#8220;Those are less likely to have skimmers in or on them than street-side pumps,&#8221; he said.</p>
<p>Consumers should remember that they&#8217;re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, use credit cards instead of debit cards at the pump; having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).</p>
]]></content:encoded>
            <wfw:commentRss>http://krebsonsecurity.com/2015/11/gas-theft-gangs-fuel-pump-skimming-scams/feed/</wfw:commentRss>
        <slash:comments>63</slash:comments>
        </item>
    </channel>
</rss>

<!-- Performance optimized by W3 Total Cache. Learn more: http://www.w3-edge.com/wordpress-plugins/

Page Caching using memcached
Database Caching 1/12 queries in 0.003 seconds using memcached
Object Caching 791/859 objects using memcached

 Served from: krebsonsecurity.com, krebsonsecurity.com @ 2015-12-17 23:30:25 by W3 Total Cache -->
carlf commented 8 years ago

This is on OSX BTW. Could that make a difference? Here is my otool output:

/usr/local/Cellar/emacs/24.5/Emacs.app/Contents/MacOS/Emacs:
    /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1347.57.0)
    /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
    /usr/lib/libxml2.2.dylib (compatibility version 10.0.0, current version 10.9.0)
    /usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
    /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices (compatibility version 1.0.0, current version 48.0.0)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1153.18.0)
    /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (compatibility version 64.0.0, current version 600.0.0)
    /System/Library/Frameworks/CoreText.framework/Versions/A/CoreText (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1153.20.0)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
carlf commented 8 years ago

And here's the output of the elfeed-xml-parse-region:

((rss ((version . "2.0") (xmlns:content . "http://purl.org/rss/1.0/modules/content/") (xmlns:wfw . "http://wellformedweb.org/CommentAPI/") (xmlns:dc . "http://purl.org/dc/elements/1.1/") (xmlns:atom . "http://www.w3.org/2005/Atom") (xmlns:sy . "http://purl.org/rss/1.0/modules/syndication/") (xmlns:slash . "http://purl.org/rss/1.0/modules/slash/")) "

" (channel nil "
    " (title nil "Krebs on Security") "
    " (atom:link ...) "
    " (link nil "http://krebsonsecurity.com") "
    " (description nil "In-depth security news and investigation") "
    " (lastBuildDate nil "Thu, 17 Dec 2015 20:11:37 +0000") ...) "
"))
carlf commented 8 years ago

Hmm. That seems truncated. I ran it with C-u M-:

carlf commented 8 years ago

Got the complete output: https://gist.github.com/carlf/517a5a7fef9687492f75

It seems to be parsing the text fine. I'm mystified as to why it is showing up that way in the log.

skeeto commented 6 years ago

Closing since this is old and I wasn't ever able to observe the problem in order to come up with a fix.