Tag Archives: security

Kiosk Hacking – Tips To Harden Your Kiosk

Breaking into unattended and semi-attended devices should be harder than it is.

Recently McDonalds kiosks were hacked but by users simply using the software installed against itself.

One big rule — employ a lot of QA on your unit and have people try to break. Developers always think they have covered all the contingencies but almost never do.  They defend against what they know, not what happens in the real world.

Great video from LOL ComediaHa illustrating the over-confident developer thinking he has it all figured out, only to find out otherwise…

 

We also published a nice feature on Cyber Security and the implications which you should read. We quote:

Think the risk is overblown? A recent story on ZDNet detailed how a third-party worker inserted a USB drive into a computer on a cargo ship, inadvertently planting a virus in the ship’s administrative systems.

Here is much more advice from Andrew Savala of Redswimmer

It recently came out that a McDonalds kiosk in Australia was hacked. The following video shows two young men tricking the kiosk into giving them free food.

McDonald’s kiosk hack

Kiosk hacking has become common place in the news. In addition to the McDonald’s kiosk hack, HR kiosks have recently been hacked and there have also been incidents with smart city kiosks being hacked.

Self-service kiosks are everywhere from street corners to grocery stores and hackers are gunning for your customer’s data. Payment kiosks in particular are attractive targets because cardholder data is easy to monetize.

In this article I’m going to cover several techniques for hardening your kiosks security. Many of these kiosk hardening techniques involves functional changes to your kiosk application, so you’ll need to get your developers involved.

Prevent PIN theft

It’s frighteningly easy to steal someone’s PIN number using an iPhone and a thermal camera.

Flir makes one such thermal mobile camera that can be used to easily determine the PIN number someone entered.

The following video demonstrates this technique and explains how metal PIN pads, like those commonly found on ATMs, can be used to prevent PIN theft.

Shows how PIN theft works with thermal mobile camera and an iPhone
Password protect the BIOS

The BIOS firmware comes pre-installed on a personal computer‘s system board, and it is the first software to run when powered on.

Wikipedia

The BIOS is the first screen that appears when your computer boots and determines the boot order, among other things. From a security standpoint this is of particular concern because we don’t want a hacker to be able to reconfigure the computer to boot from a USB drive, or other media, instead of the kiosk’s hard drive.

Booting from another media would allow the attacker to run malware instead of the kiosk’s operating system. Fortunately, protecting the BIOS is simply a matter of configuring a password so the BIOS settings cannot be modified.

Here’s a tutorial video of how-to password protect your BIOS.

Tutorial video of how-to password protect your BIOS

Restrict keyboard input

The operating system has many keyboard shortcuts that will allow an attacker to exit out of your kiosk application and access the desktop.

There are many such hotkeys (i.e. Ctrl-Alt-Del in Windows) and we want to restrict the keyboard input to prevent a hacker from exiting your kiosk application.

Avoid the use of a physical keyboard when possible and instead opt for an onscreen keyboard with the system keys removed.

As an added layer of security, you can use a keyboard filter driver to filter out system hotkeys.

Prevent the mouse right-click

Right clicking the mouse will prompt the user with a series of options. Some of which could be used to close or compromise your kiosk application. This is particularly true if your kiosk is running a web browser.

Limiting the user to only clicking the left mouse button will help mitigate this risk.

The easiest way to achieve this is by having your kiosk application filter or ignore the right mouse click.

Block physical access to USB ports

By allowing a hacker access to the USB ports they can potentially load malware to hijack your kiosk.

The following video explains how BadUSB works and suggests some techniques for protecting your USB ports on a laptop.

For a kiosk, all the USB ports should be made inaccessible through the use of a secure kiosk or tablet enclosure. Many secure enclosure options are available for both tablets and kiosks.

Explains how BadUSB works and suggests some techniques for protecting USB ports on a laptop.

Prevent access to the file system

It’s important to ensure that hackers cannot access the file system of your kiosk. There are multiple ways to get to the file system, particularly if your kiosk is running a web browser.

One method is by simply entering the file path into the web browser address bar like shown below. I now have access to browse the file system and access potentially sensitive information.

File system accessed through the address bar in Chrome

Other opportunities to access the file system include, but are not limited to, the print dialog and right clicking the mouse.

You’ll also want to monitor for popup windows and automatically close any dialog boxes.

Restrict access to external websites

If your kiosk is running a web browser then you’ll want to restrict the user to only viewing your website.

The most straightforward way of accomplishing this is through the use of a whitelist.

A whitelist list is an acceptable list of websites or web pages, depending on how granular you want to get, which the browser will allow to be displayed.

If the user attempts to navigate to a page not in the whitelist then the page will not be displayed.

Incorporate a watchdog

A watchdog refers to a service running in the background which ensures that your kiosk application is always running.

If your kiosk application crashes, uses up too much memory, or stops behaving for any reason, the watchdog will restart it.

In Windows the watchdog should be a Windows Service that automatically runs at startup. The watchdog will be implemented differently depending on your operating system, but the underlying objective is the same.

Wrapping Up

Anytime you’re deploying a kiosk, protecting customer data should be a top concern.

Payment kiosks in particular are attractive targets for hackers because cardholder data is easy to monetize. But payment kiosks aren’t the only kiosks at risk.

In order to implement the techniques in this article you’re going to have to modify your kiosk application. It’s time to get your developers involved so you can start protecting your customers and your reputation.

 

Tokenworks ID Authenticate Product News – User Authentication Drivers License

Tokenworks Product News – User Authentication Drivers License

We like to highlight our members when we can and new product enhancements are now available from Tokenworks.

Tokenworks provides a complete range of Age Verification, Data Entry & Form Fillers and Forensic Scanners. And complete developer tools.

Editors Note:  While with KIOSK Information Systems, I probably participated in the installation of literally thousands of Tokenworks devices for various customers. We found them to extremely reliable and updating to latest jurisdictional data was ideal.  

IDWedgeKB

USB Keyboard drivers license scanner with built in parsing – Recently Tokenworks did a node.js project which lets browsers grab data from device.

ID Wedge
The IDWedgeKB™ form filler desktop solution scans drivers licenses, ID cards, credit cards and other magnetic striped cards and fills computer forms with information from the card automatically! Plugged into any USB port and recognized as a keyboard, the IDWedgeKB™ extracts contact and payment information fields from driver’s licenses, debit/credit cards, membership cards and student IDs and sends them to the flashing cursor on ANY computer.

IDWedgePro

Software based – multiform – auto form filler.

ID Wedge Pro
The IDWedge®Pro form filler solution scans drivers licenses, ID cards, credit cards and other magnetic striped cards and fills multiple computer forms with information from the card. It automatically recognizes and populates forms in multiple PC applications, allowing different applications to share the same ID scanner. It works with any PC application that accepts keyboard input.

ID Parser Server product

A parsing server that clients can run from a windows server or on Azure and parse drivers licenses.

ID Server Parser
For larger clients, a great way to parse across large number of internet-connected devices. Supports Windows, Mac, Android, iOS, Applications. Simple to integrate and easy to Update . Uses TokenWorks Proven ID Parsing DLL software. Handles all N. American Drivers License*, State issued IDs, Ontario Health Card, Military IDs

 

The founders of Tokenworks have been involved in the Smart Card market since 1992 and have participated in a number of industry events and associations such as the Smart Card Forum, Smart Card Industry Association, Smart Card Alliance, CardTech/SecureTech and National Association of Campus Card Users.

In all of our efforts, the following principles are paramount:

  • Design in durability, quality, and value.
  • Deliver value to our customers and shareholders.
  • Do it once. Do it right.
  • Keep it simple.

For more information and pricing (included on website) visit Tokenworks website.

Kiosk Malware Avanti – PoS malware hits food kiosks, steals payment card and biometric info – Help Net Security

PoS malware have recently been found in the payment kiosks by US-based vendor Avanti, stealing payment card and biometric information.

Source: www.helpnetsecurity.com

Avanti published an incident report

Krebs did a nice article on it as well.

WHAT HAPPENED?

The technology and back-end platform that we use to facilitate a 24-hour, self-service marketplace for customers is supported by our technical team and it is serviced and maintained by a network of operators around the country. We believe that sometime shortly before July 4, 2017, the workstation of one of the third party vendor’s employees became infected with a sophisticated and malicious malware attack, although our investigation has not enabled us to determine the precise nature of the attack. The malware wound up affecting some kiosks.  Within hours of learning of this incident on July 4, 2017, we worked with our vendor to remove the malicious code associated with the malware attack and preliminary testing indicates these efforts prohibited further persistent activity by the malware.

WAS MY INFORMATION ACCESSED?

We are currently conducting an extensive IT forensic investigation to determine the extent of the attack, including which kiosks were affected. We have determined at this point that the attack was not successful on all kiosks and many kiosks have not been adversely affected. Additionally, based on our investigation at this time, it appears this malware was only active beginning on July 2, 2017.  Accordingly, if you did not utilize a kiosk between July 2, 2017 and July 4, 2017, you were likely not affected by this attack.

WHAT INFORMATION WAS COMPROMISED?

As you know, the kiosks do not collect certain data elements (such as Social Security Number, date of birth, or federal or state identification number) from customers.  Accordingly, those elements of personal information were not subject to compromise.

However, for customers that used a payment card to complete a purchase on an infected kiosk, the malware may have compromised cardholder first and last name, credit/debit card number and expiration date. In an abundance of caution, our original notice advised customers who used their Market Card to make payment that they may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality.  We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data and as such this biometric data would not be subject to this incident as it is encrypted.

WAS BIOMETRIC DATA COMPROMISED?

No.  In an abundance of caution, our original notice advised customers who used their Market Card and the kiosk’s biometric verification functionality may have had their biometric data compromised.   We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data and as such this biometric data would not be subject to this incident as it is encrypted.

DID THIS ATTACK AFFECT ALL KIOSKS? 

No. In May 2017, we began working with our operators to roll out an end-to-end encryption solution to all kiosks. At the time of the incident, the solution had been installed in more than 50% of kiosks. The payment card information on these kiosks was not affected.  At this stage, we have determined the attack was not successful on all kiosks and many kiosks have not been adversely affected at all.  We believe approximately 1,900 kiosks have been affected, a fraction of the total kiosks in use.  

HOW DO I KNOW IF THE KIOSK AT MY LOCATION OR THE KIOSK I REGULARLY USE WAS AFFECTED?

As part of our remediation efforts, we have shut down payment card processing at affected kiosk locations.  If your kiosk’s payment card processing has been disabled or “temporarily unavailable” it is likely that your kiosk was affected by this attack. Please note that even if you used an affected kiosk, that does not mean that your personal information was compromised or infiltrated.

WHAT IS BEING DONE TO PROTECT ME?  

We have been working nonstop to address this incident, remediate the attack and mitigate harm.  Immediately upon discovering that our third party vendor was the victim of a malware attack, we worked with our technical team to commence an investigation to determine the scope of this incident and attempt to identify those affected, which included retaining a nationally recognized forensic investigation firm.  We worked with our assembled internal response team and took steps to secure our information systems, including shutting down payment card processing at kiosk locations we believe have been affected.  Within hours of learning of this incident, we worked with our technical team to remove the malicious code associated with the malware attack and preliminary testing indicates these efforts prohibited any further improper access.  We also are continuing to work with our technical team and our operators to purge affected systems of any malware from the attack and taking steps to substantially minimize the risk of a data compromise in the future.

Within only a few days after our discovering the incident, we published detailed information to help affected individuals learn about steps they could take to safeguard their personal information and protect against identity theft. We also developed these FAQs to provide additional information and assist you with gathering information about the incident as well as additional steps you can take to protect yourself.   Finally, we have made available credit monitoring services at no cost to those individuals whose personal information has been compromised. Specifically, we have partnered with Equifax® to provide its Credit WatchTM Silver identity theft protection product for one year at no charge to you. If you choose to take advantage of this product, it will provide you with a notification of any changes to your credit information, up to $25,000 Identity Theft Insurance Coverage and access to your credit report. To enroll, you must first call 800-224-8040 to obtain an authorization code and then follow the enrollment instructions that are located here. You must complete the enrollment process by October 9, 2017. We encourage you to enroll in that service.

WHO IS RESPONSIBLE FOR THIS ATTACK?

We are working with our IT forensic investigators and law enforcement in an effort to determine those responsible.  At this time, the responsible party or parties have not been identified.

I AM UPSET MY INFORMATION MAY BE SUBJECT TO THIS ATTACK.

We understand.  We apologize for any inconvenience this incident may cause you and assure you were are doing everything we can to help.  We have been working nonstop to address this incident, remediate the attack and mitigate harm.  Immediately upon discovering that our third party vendor was the victim of a malware attack, we commenced an investigation to determine the scope of this incident and attempt to identify those affected, which included retaining a nationally recognized forensic investigation firm.  We worked with our assembled internal response team and took steps to secure our information systems, including shutting down payment card processing at kiosk locations we believe have been affected.  We also are working with our technical team and our operators to purge affected systems of any malware from the attack and taking steps to substantially minimize the risk of a data compromise in the future.

Within only a few days after our discovering the incident, we published detailed information to help affected individuals learn about steps they could take to safeguard their personal information and protect against identity theft. We also developed these FAQs to provide additional information and assist you with gathering information about the incident as well as additional steps you can take to protect yourself. Finally, we have made available credit monitoring services at no cost to those individuals whose personal information has been compromised. Specifically, we have partnered with Equifax® to provide its Credit WatchTM Silver identity theft protection product for one year at no charge to you. If you choose to take advantage of this product, it will provide you with a notification of any changes to your credit information, up to $25,000 Identity Theft Insurance Coverage and access to your credit report. To enroll, you must first call 800-224-8040 to obtain an authorization code and then follow the enrollment instructions that are located here. You must complete the enrollment process by October 9, 2017. We encourage you to enroll in that service.

ARE THE PEOPLE WHOSE DATA MAY HAVE BEEN COMPROMISED AT RISK FOR IDENTITY THEFT?

Any person who has personal information compromised does have an increased risk of identity theft.  We are taking a number of steps to help you minimize the chance of identity theft. This includes enrolling in the credit monitoring service as described above.

HOW MANY INDIVIDUALS WERE AFFECTED BY THE DATA INCIDENT?

This incident affected a limited number of kiosks and as such did not affect all customers.  We are working with our IT forensic investigators to determine those who have been affected. At this time, the total number of affected individuals has not been determined.

SHOULD I BE CALLING MY BANK AND CLOSING MY ACCOUNT? SHOULD I BE CANCELING MY CREDIT CARDS?

Of course, you can take these steps if you feel more comfortable.  But, you do not have to close your bank and credit card accounts. Be sure, though, to monitor your bank and credit card statements for accuracy. If you notice any suspicious activity or you believe your information is being misused, please file a report with your local police department and the Federal Trade Commission. You can also enroll in the credit monitoring service as described above.

IS MY SPOUSE/DEPENDENT AFFECTED? 

We have no information at this point to suggest that the information of your spouse/child/dependent has been affected by this incident.   Please note if they also utilized a payment card at a kiosk between July 2, 2017 and July 4, 2017 they also likely were affected by this incident.

WHEN DID THIS EVENT OCCUR?

We discovered the incident on July 4, 2017.  At this stage of our investigation, it appears the malicious malware attack began on July 2, 2017.

WHY DIDN’T YOU TELL ME SOONER?

We believe we acted very quickly to make information available to you following our discovery on July 4, 2017. Our initial website posting was published three (3) days later. These comprehensive FAQs were added a few days after that. However, we have been conducting an extensive internal investigation to understand what happened and what information may have been compromised. This includes coordinating with our technical team, as well our operators. In addition, we needed to retain an IT forensic investigation expert and prepare a process for responding to your follow-up inquiries.

WHAT CAN I DO ON MY OWN TO ADDRESS THIS SITUATION?

There are a number of steps you can take, many of which were detailed in the Customer Notification These include placing a fraud alert with the credit bureaus, reviewing your financial statements, and signing up for credit monitoring.

I RECEIVED AN EMAIL FROM AVANTI REGARDING THIS INCIDENT.  IS THIS LEGITIMATE?

In limited instances, we will endeavor to provide notification to potentially affected individuals via email (if we have a valid email address), as well as responding to emails you may have initiated with us.  However, you should be aware of scam email campaigns related to this incident.  These scams, designed to capture personal information (known as “phishing”) are designed to appear as if they are from Avanti and the emails may include a “click here” link or ask you to “open” an attachment.  These emails are NOT from us.

  • DO NOT click on any links in email.
  • DO NOT reply to the email or reach out to the senders in any way.
  • DO NOT supply any information on the website that may open, If you have clicked on a link in email.
  • DO NOT open any attachments that arrive with email.

Individuals who have provided e-mails to us may receive an e-mail directing them to visit our website for additional information and/or to sign up for credit monitoring.  Any such email will not include attachments, embedded links, or in any way ask for personal information.

I RECEIVED A CALL FROM AVANTI REGARDING THIS INCIDENT AND ASKING FOR MY INFORMATION.  IS THIS LEGITIMATE?

No.  We are NOT calling individuals regarding this incident and are not asking for any of your personal information over the phone.

ORGANIZATION RELATED

HOW CAN I BE SURE THAT MY PERSONAL DATA WON’T BE SUBJECT TO ATTACK AGAIN IN THE FUTURE?

We are doing everything we can to ensure there is no further vulnerability to the kiosks.  In May 2017, before the incident occurred, we began working with our technical team and our operators to roll out an end-to-end encryption solution to all kiosks. At the time of the incident, the solution had been installed in more than 50% of kiosks.

We presently are working with a nationally recognized IT forensic investigation firm to investigate this attack and identify additional safeguards which may be utilized to secure data.  We comply with federal and state privacy laws and work hard to maintain your personal data in a safe and secure environment. This includes redoubling our efforts to expedite the rollout of our end-to-end encryption solution to all kiosks. Additionally, within hours of learning of this incident, we worked with our technical team to remove the malicious code associated with the malware attack and preliminary testing indicates these efforts prohibited any further improper access. We also have been updating all Antivirus Protocols and SW patching, and are continually scanning sample kiosks across the network for anomalies with no positive response.  We take data privacy and security very seriously and are continuing to assess and modify our privacy and data security policies and procedures to prevent similar situations from occurring.  However, no set of safeguards is perfect or impenetrable. 

WHY DO KIOSKS HAVE MY INFORMATION?

It is necessary for the kiosks to have certain data from customers as part of the point of sale process. However, we continually work to minimize, to the extent possible, the amount of personal information that needs to be collected and maintained. For instance, in May 2017, before the incident occurred, we began working with our technical team and our operators to roll out an end-to-end encryption solution to all kiosks. At the time of the incident, the solution had been installed in more than 50% of kiosks. This solution would eliminate the storage of payment card data on the kiosks

I AM CONCERNED ABOUT IDENTITY THEFT – WHAT CAN I DO?

There are a variety of steps you can take, many of which are detailed in the Customer Notification and in the FAQs below.  These include placing a fraud alert with the credit bureaus, reviewing your financial statements, and signing up for credit monitoring.

IS AVANTI DOING ANYTHING TO HELP ME?

Avanti has endeavored to provide notice of this attack as soon as possible.  In addition, we

  • are making available to you at no cost a credit monitoring service which is described above in the FAQs below.
  • have taken steps to ensure that our electronic systems continue to be secure,
  • have notified various third party consultants, IT forensic investigators, and legal counsel to mitigate any possible harm to the extent reasonably possible,
  • have notified applicable law enforcement agencies,
  • will continue to assess and modify our privacy and data security policies and procedures to prevent similar situations from occurring, including redoubling our efforts to ensure our third party service providers maintain adequate data security.

WAS MY HOME ADDRESS INCLUDED WITH THE INFORMATION AND AM I IN ANY DANGER OF BEING ROBBED?

Your home address information was not included. For perspective, your address is likely available through many other sources of public records and is not generally considered sensitive personal information by itself.

IF MY IDENTITY IS STOLEN, OR IF I AM SUBJECT TO AN INCIDENT OF PAYMENT CARD FRAUD, WILL YOU NOTIFY ME WHEN IT HAPPENS?

By checking your credit report and ensuring you have placed a fraud alert to the three major credit bureaus you are taking the steps to limit your risk of becoming a victim of identity theft.  By being proactive with receiving timely credit reports, monitoring your bank and credit card statements, you will be able to notice any inaccuracies as they occur.  In addition, the credit monitoring service we will be making available is designed to alert you to irregularities concerning your credit. We will not have access to this information.

IDENTITY THEFT-GENERAL

WHAT IS IDENTITY THEFT?

Identity theft is the taking of the victim’s identity to obtain credit, credit cards from banks and retailers, steal money from existing accounts, apply for loans, rent an apartment, file bankruptcy or obtain medical services.  Often the victim does not become aware of the crime until months or years after the theft occurs.

WHAT DO I DO NOW? WHAT CAN I DO TO PROTECT MYSELF? HOW DO I FILE A FRAUD ALERT AND GET A COPY OF MY CREDIT REPORT? WHAT ABOUT A SECURITY FREEZE?

There are some simple steps you can take to protect yourself against identity theft or other fraudulent misuses of information about you. Notably, watch for any unusual activity on your credit card accounts or suspicious items on your bills. You may wish to contact your credit card issuers and inform them of what has taken place. You may also wish to do the following:

  • Enroll in the credit monitoring service we are making available to you at no cost.
  • Under federal law, you are entitled to one free copy every 12 months of your credit report from each of the three major credit reporting companies. You may obtain a free copy of your credit report by going on the Internet to AnnualCreditReport.com or by calling 1-877-FACTACT (1-877-322-8228). If you would rather write, a request form is available on www.AnnualCreditReport.com. You may want to obtain copies of your credit reports to ensure the accuracy of the report information.
  • When you receive your credit reports, look them over carefully. Look for accounts that you did not open or inquiries from creditors that you did not initiate. Look for personal information that is not accurate. Even if you do not find suspicious activity on your initial credit reports, it is recommended that you check your credit reports every three months for the next year. Checking your reports periodically can help you spot problems and address them.
  • To further protect yourself, you may contact the fraud departments of the three major credit reporting companies. They will discuss your options with you. You have the right to ask that these companies place ”fraud alerts” in your file. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling just one of the three nationwide credit reporting companies. As soon as that company processes your fraud alert, it will notify the other two credit reporting companies, which must then also place fraud alerts in your file. Contact information for the three major credit reporting companies is provided in the Customer Notification. 
  • Remove your name from mailing lists of pre-approved offers of credit for approximately six months by visiting www.optoutprescreen.com.;
  • Review all of your bank account statements frequently for checks, purchases or deductions not made by you;
  • If you suspect or know that you are the victim of identity theft, you should contact local police and you also can report this to the Fraud Department of the FTC;
  • To place a security freeze on your credit report, you will need to call all three credit bureaus (information listed below). Charges to place and/or remove a security freeze vary by state and credit agency.  To place a security freeze, contact:
  • Equifax 1-800-685-1111

https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

  • Experian 1-888-397-3742

http://www.experian.com/consumer/security_freeze.html

  • TransUnion 1-800-680-7289

http://www.transunion.com/personal-credit/credit-disputes/credit-freezes.page

WHAT SHOULD I DO IF I NOTICE ANY SUSPICIOUS ACTIVITY ON MY CREDIT REPORT OR MY BANK/CREDIT CARD STATEMENTS?

There are a few steps you must take. Call one of the 3 credit bureaus to:

  • Declare yourself an identity theft victim
  • Request a free credit report
  • Ask that a fraud alert be placed on your credit file
  • And, ask that bureau to contact the remaining 2 credit bureaus to request fraud alerts on your file.
  • Contact for the three major credit reporting companies is provided in the Customer Notification. 

While you may experience wait times of similar difficulties when contacting the credit bureaus, be persistent and begin monitoring your financial statements and contacting the institutions with suspected fraudulent activities.  You may want to visit each of the credit bureau’s websites to place fraud alerts on your accounts, but we recommend calling the toll-free number.

Second, filing a complaint with the police is required by many institutions to prove that your identity was stolen.  After filing the complaint, you should ask for a copy of the police report because you will need to attach this report to all written correspondence sent in your effort to resolve any fraudulent activities. Be polite, but persistent with the police because in many areas they are understaffed to deal efficiently with your identity theft.

WHAT SHOULD I DO IF THE LOCAL POLICE WILL NOT TAKE A REPORT FROM ME?

There are efforts at the federal, state and local level to ensure that local law enforcement agencies understand identity theft, its impact on victims, and the importance of taking a police report. However, we still hear that some departments are not taking reports. The following tips may help you to get a report if you’re having difficulties:

  • Furnish as much documentation as you can to prove your case. Debt collection
    letters, credit reports, and other evidence of fraudulent activity can help demonstrate the seriousness of your case.
  • Be persistent if local authorities tell you that they can’t take a report. Stress the
    importance of a police report; many creditors require one to resolve your dispute.
    Remind them that credit bureaus will automatically block the fraudulent accounts
    and bad debts from appearing on your credit report, but only if you can give them
    a copy of the police report.
  • If you’re told that identity theft is not a crime under your state law, ask to file a
    Miscellaneous Incident Report instead.
  • If you can’t get the local police to take a report, try your county police. If that
    doesn’t work, try your state police.
  • Some states require the police to take reports for identity theft. Check with the
    office of your State Attorney General to find out if your state has this law.LINK TO ALL STATE ATTORNEY GENERAL OFFICES:

http://www.privacycouncil.com/id_theft_resources.php

WHAT ARE TYPICAL THINGS THAT AN IDENTITY THIEF WOULD DO?

Identity thieves have been known to take a victim’s identity to obtain credit, credit cards from banks and retailers, steal money from existing accounts, apply for loans, rent an apartment, file bankruptcy or obtain medical services.

WHAT IS A FRAUD ALERT AND HOW LONG DOES IT LAST?

A Fraud Alert is a flag that the credit reporting agencies put in your file to instruct creditors to take extra precautions, such as additional verification of your identity when opening accounts or issuing credit.  An initial fraud alert lasts 90 days.   An extended alert lasts for 7 years.

 WHY SHOULD I SET A FRAUD ALERT WITH THE CREDIT BUREAUS?

This will prevent someone from opening new accounts in your name. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts as well. All three bureaus will place a message on your report that tells creditors to call you before opening any new accounts.

You will not be charged for this service. Please note, placing a fraud alert may delay your ability to open new lines of credit quickly. You should notify any new creditors with whom you have applied that you have a fraud alert placed.

WHEN A FRAUD ALERT HAS BEEN SET, WILL IT TRIGGER AN AUTOMATIC MAILING OF A CREDIT REPORT?

It is recommended that you request your free credit reports before setting a fraud alert.  If you do not, about one week after setting the fraud alert, you will receive confirmation letters from the credit bureaus. These letters will explain that you have to call each bureau and order your free report. They will provide the phone numbers you need to call.  Once you call and order, your report should arrive within 2 weeks in a plain, unmarked envelope. Be sure to examine it carefully.  You are entitled to one free copy for every 90 day alert period.

I ALREADY PLACED FRAUD ALERTS. CAN I PLACE THEM AGAIN?

The fraud alerts last 90 days and the system will let you know the alerts are already in place if you try to place them again before they expire. There is no penalty for doing this. You will NOT be notified when fraud alerts expire, so note the date and you can place them every 90 days for as long as you wish.

CREDIT REPORTS

HOW DO I GET A FREE COPY OF MY CREDIT REPORT?

Under federal law, you are entitled to one free copy of your credit report every twelve months from each of the three major credit reporting companies. You may obtain a free copy of your credit report by going on the internet to www.AnnualCreditReport.com or by calling 1-877-FACTACT (1-877-322-8228). If you would rather write, a request form is available on www.AnnualCreditReport.com. You may want to obtain copies of your credit reports to ensure the accuracy of the report information.

 WHAT DO I DO IF THERE IS INFORMATION ON MY CREDIT REPORT THAT IS OLD/INACCURATE?

Very often, a credit report will contain information that is a result of human error (typos, reporting errors or inaccuracies, outdated information). Sometimes, even social security number variations can appear. This is usually not identity theft, and it is up to the individual to dispute the incorrect information with the credit bureaus. Call the number provided on your report.

However, if you discover this information along with other evidence of fraud (new accounts, collections accounts that aren’t yours, etc.), you may be a victim of identity theft. It is best to begin by contacting the bureau to find out why/how the information is being reported. You can begin disputes with them. (See other FAQs below to get answers about disputing fraudulent accounts)

WHAT SHOULD I LOOK FOR ON A CREDIT REPORT TO INDICATE IDENTITY THEFT?

Accounts

Look for accounts you didn’t open and unexplained debts or authorized users that you didn’t authorize on your legitimate accounts.

Personal Information

Check to see if your personal information (your SSN; address(es); name and any
variations, including initials, Jr., Sr., etc.; telephone number(s); and employers) are correct. Inaccuracies in this information may also be due to typographical errors. If you believe that the inaccuracies are due to error, you should notify the credit bureaus by telephone and/or in writing to dispute the information.

Inquiries

Inquiries on credit reports from potential credit card issuers do not always mean that someone has tried to get credit in your name. Banks and credit card companies often inquire about a consumer’s creditworthiness to help them target their marketing efforts.

These inquiries will be identified in a designated section of the report and are described as “Inquiries that are viewed by others and don’t affect your credit score.” If you would not like your information to be used in this way, you can call 1-800-5 OPT OUT (1-800- 567-8688). You are automatically opted-out of data sharing when you place fraud alerts.

Inquiries that are described as displaying to others and affecting your credit score are the ones you need to be concerned with—these appear when someone has applied for credit in your name.

GENERAL CREDIT MONITORING QUESTIONS 

I KEEP SEEING “CREDIT MONITORING” OFFERED ON THE BUREAU’S WEBSITES. WHAT IS CREDIT MONITORING?

Monitoring your credit reports regularly is a helpful way to detect and prevent fraud. Credit monitoring assists you with this process. Each of the bureaus offers some kind of credit monitoring service that you can purchase. Remember, we will be making credit monitoring available to you at no cost. The enrollment process in described in the Customer Notification on the website.  The options are usually to monitor only one of your reports or all three. Some other Internet companies and financial institutions offer a monitoring service as well. We suggest you research the service and the company very well before purchasing the monitoring to ensure it is a reliable product.

The way monitoring works is that every week, you are informed of any changes to your credit report. You’ll be alerted to what’s happening with your credit by knowing about the following changes (all of which could indicate fraud):

  • New inquiries
  • New accounts opened in your name
  • Late payments
  • Improvements in your report
  • Bankruptcies and other public records
  • New addresses
  • New employers

SHOULD I BUY CREDIT MONITORING?

That is a decision that we recommend each person make for herself/himself. Please note, however, Avanti is making available a monitoring service for you at no cost. The enrollment process in described in the Customer Notification on the website.

CAN YOU ENROLL ME IN CREDIT MONITORING?

No, we cannot. This is something you will have to do individually.

IF I CHOOSE TO PURCHASE CREDIT MONITORING AND REPAIR SERVICES, WILL YOU REIMBURSE ME?

No.  We will be contracting with a trusted vendor to provide monitoring services at no cost to you and will not reimburse for services that may have been independently purchased.

Kiosk Hacking Demonstration – Defcon 16

Kiosk Hacking Demo

Lots of tools out there. This one sorts of puts the wrap on Windows XP (and 7 to extent).Complete how-to from Defcon 16 and Paul Craig (who has since moved onto ATMs).

Here is pdf of entire presentation — defcon-16-craig

The web address for iKat is ikat period h period cked period net

  • An online tool you visit from any Kiosk terminal.
  • Provides content to help an escape from any application jail.
  • “Sure would help me during penetration tests”

Kiosk Hacking Demonstration

 

 

 

Available Remote Input Vectors:
 Remotely hosted content, viewed by a Kiosk.
 JavaScript.
 Java Applets.
 ActiveX.
 ClickOnce applications (.NET Online Application Deployment).
 Internet Zone protocol handlers.
 File type handlers.
 Flash, Director, Windows Media Player, Real, QuickTime, Acrobat, other browser plug-ins.

More Security Kiosk news

Pornographic video at D.C.’s Union Station disassembled; content provider takes responsibility, claims it wasn’t a hack

A kiosk in a public transit station displayed pornographic content because the software was not properly locked down.

Source: www.kioskmarketplace.com

Writeup by Maras from point of view of software provider.  Our take? 

 
I think the Ping guy is being disingenuous when he says he wasn’t hacked.​ “Breaking into the desktop” is a hack in itself.  Was there malware which modified some existing code?.. no. But that isn’t what people are supposed to guard against.  He was hacked.
 
A little disappointing that his protection is predicated on his image build containing his tools.  And he said he “checked every single unit” like he went pc by pc.  No mention of overall remote management and control.
 
They never configured their Win10 correctly (and imaged it as such) and my guess is they are on consumer version.
 
Given all that the odds are very good that he’ll get “hacked” again sounds like to me…

Your Clever Password Tricks Aren’t Protecting You from Today’s Hackers

Security breaches happen so often nowadays, you’re probably sick of hearing about them and all the ways you should beef up your accounts. Even if you think you’ve heard it all already, though, today’s password-cracking tools are more advanced and cut through the clever password tricks many of us use. Here’s what’s changed and what you should do about it.

Source: lifehacker.com

Good advice

Kiosk Security – Here Is the Porn Video That Played in DC’s Union Station Last Night [NSFW]

Last night, a display screen in Union Station—one of Washington DC’s main transit hubs—found itself moonlighting as a tiny pornographic theater. Now, Gizmodo can exclusively reveal footage of the incident, and I can assure you that, one, it’s definitely pornography, and two, I have never had a commute this stimulating.

Source: gizmodo.com

I think they said it in the movie (Sierra Madre?) ” we don’t need no stinkin’ lockdown…”.  Somebody supposedly smarter than everyone else turns out to be not as smart as many.

Update: Corey Price, VP of Pornhub, provided Gizmodo with the following comment regarding the brand’s surprise appearance in Union Station yesterday evening.

“Pornhub is accessed by nearly 75 million fans across the world each day. It’s entirely possible the perpetrator of this incident was an avid fan who was perusing our content and unfortunately mishandled the technology behind the video screen at Union Hall. While we don’t condone such behavior — by any means — whatsoever, especially broadcasting unwarranted material to innocent passersby, we do hope it provided some…relief…in the midst of a hellacious commute home.”

Another worthwhile read is here on LifeHacker.

The Ransomware Attack Isn’t Over—Here’s How to Protect Yourself

Excerpt:

If your computer’s running on Microsoft Windows, you need to take these steps—right away.

Here’s why: in case you haven’t heard, hackers exploited a vulnerability in older Microsoft Windows servers to execute a large-scale global cyberattack on Friday using ransomware — a malicious software that holds your computer hostage for ransom — and a hacking tool stolen from the U.S. National Security Agency (NSA). The massive attack left victims locked out of their PCs with a promise of restored access if $300 was paid in digital currency Bitcoin—and a threat of destroyed files if the ransom is not met.

Thus far, at least 200,000 computers have been infected in more than 150 countries, leaving everything from businesses and governments to academic institutions, hospitals and ordinary people affected.

See article here on Kiosk Industry on passwords as well.

Your Clever Password Tricks Aren’t Protecting You from Today’s Hackers

More news

ATM-Style Kiosk Pumps Out Pirate Movies to USB Sticks – TorrentFreak

Services like RedBox have been delivering movies to the masses for more than 15 years but hiring out discs via a vending machine is always bound to cause problems. So how about a nice touchscreen shopping mall kiosk that dumps the latest movies to a USB stick for a few cents each?

Source: torrentfreak.com

Spotted by a TorrentFreak reader in a shopping mall in Ethiopia, this bright yellow kiosk looks like an ATM. However, on closer inspection it reveals itself to be a self-service media machine that does everything that RedBox can do (and more) without a plastic disc in sight.