Category Archives: security

Check-In Kiosks Security – The Overlooked Security Threat by IBM and Wired

Originally published on Wired March 4, 2019

Overlooked Security in Sign-In Kiosks – Visitor Management Systems (note: all are “mostly” patched)

Wired published a story about IBM interns infiltrating several of these systems (since patched). Typically there are USB ports exposed, and sure enough in this case they found some. We’re surprised that HID Global was among the noted offenders. They know better, but they generally sell the hardware and someone installs it on some machine that is deployed in some building in some fashion. Here is an excerpt from Wired:

On Monday, IBM is publishing findings on vulnerabilities in five “visitor management systems,” the digital sign-in portals that often greet you at businesses and facilities. Companies buy visitor management software packs and set them up on PCs or mobile devices like tablets. But X-Force interns Hannah Robbins and Scott Brink found flaws—now mostly patched—in all five mainstream systems they looked at from the visitor management companies Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist. If you had signed in on one of these systems, an attacker could’ve potentially nabbed your data or impersonated you in the system.

The very nature of visitor management systems is partly to blame. Unlike the remote access attacks most organizations anticipate and attempt to block, a hacker could easily approach a visitor management system with a tool like a USB stick set up to automatically exfiltrate data or install remote-access malware. Even without an accessible USB port, attackers could use other techniques, like Windows keyboard shortcuts, to quickly gain control. And while faster is always better for an attack, it would be relatively easy to stand at a sign-in kiosk for a few minutes without attracting any suspicion.

Among the PC software packs, EasyLobby Solo by HID Global had access issues that could allow an attacker to take control of the system and potentially steal Social Security numbers. And eVisitorPass by Threshold Security had similar access issues and guessable default administrator credentials.

Read the full article on Wired (March 4, 2019).

Editor Note: restricting access to USB ports is a basic necessity. For the sake of convenience and a negligible cost saving, these basic rules are still violated. Our recommendation is to evaluate KioWare or SiteKiosk before you deploy in public. See the related article on the loan application kiosk and its video walk-through of exposed USB ports.
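The Wired excerpt and the editor note above both come down to one control: a sign-in kiosk should not accept USB mass-storage devices. As an added example (not code from Wired, IBM X-Force, or any vendor named on this page), the PowerShell below audits and disables USB mass storage on a Windows kiosk by setting the USBSTOR driver’s Start value to 4, the standard registry control for that driver class, and lists the USB storage devices Windows has already enumerated, which is a quick way to learn whether an exposed port has been used. It assumes a Windows 10/11 kiosk and an elevated session; the function names are our own.

```powershell
# Added example: audit and lock down USB mass-storage on a Windows kiosk.
# Assumes Windows 10/11 (or Server) and an elevated PowerShell session.
# Function and variable names are our own, not from any product on this page.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Start = 3: USBSTOR loads on demand, so USB drives mount normally.
    # Start = 4: driver disabled, so USB drives are not mounted at all.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    [pscustomobject]@{
        StartValue = $start
        Enabled    = ($start -ne 4)
    }
}

function Disable-UsbStorage {
    # Disable the driver. An already-mounted drive is detached on the next
    # replug or reboot; new drives are refused immediately.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    Get-UsbStorageState
}

function Get-EnumeratedUsbStorageDevices {
    # Windows keeps a record of every USB storage device it has enumerated.
    # Listing it tells you whether anything has been plugged into the kiosk.
    $enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $enumKey)) { return }
    Get-ChildItem $enumKey | ForEach-Object {
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Device     = $props.FriendlyName
                InstanceId = $_.PSChildName
            }
        }
    }
}

# Usage (run elevated on the kiosk):
$state = Get-UsbStorageState
if ($state.Enabled) {
    Write-Warning "USB mass-storage is enabled (Start=$($state.StartValue)); disabling."
    Disable-UsbStorage | Format-List
} else {
    Write-Host "USB mass-storage is already disabled."
}
Get-EnumeratedUsbStorageDevices | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: disabling USBSTOR only covers the mass-storage class, so devices presenting as other classes are unaffected and a kiosk still needs its ports physically covered or a device-control policy that whitelists the scanner and payment hardware it actually uses; and the setting lives in the registry of that one machine, so on a fleet it belongs in Group Policy or the kiosk lockdown product rather than a script run by hand.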

Craig is a senior staff writer for the Kiosk Industry Group Association. He has 25 years of experience in the industry. He contributed to this article.

EMV Kiosk – On Track Innovations Receives Interac Certification for Canadian Market

Originally published on https://www.otiglobal.com/pr-news-events/on-track-innovations-receives-interac-certification-for-canadian-market/

ROSH PINNA, Israel – October 30th, 2018 — On Track Innovations Ltd. (OTI) (NASDAQ: OTIV), a global provider of near field communication (NFC) and cashless payment solutions, has received a renewed Interbank Network Interac certification, which now allows Canadian businesses to integrate OTI’s secure cashless payment solutions into vending machines, kiosks and other unattended devices throughout Canada.

Interac Corp. operates an economical, world-class debit payments system with broad-based acceptance, reliability, security, and efficiency. The organization is one of Canada’s leading payments brands and is chosen an average of 16 million times daily to pay and exchange money.

“We are pleased to announce that we have received the Interac certification, reaffirming our commitment to remain at the forefront of innovation within the exciting Canadian unattended payment market,” said Shlomi Cohen, CEO of OTI. “Canada has over 59,000 automated teller machines and over 450,000 merchant locations accessible through the Interac network, making this certification essential to doing business in Canada. I look forward to addressing this significant market opportunity by leveraging our continued technological advantage and aggressive new sales efforts nationwide,” concluded Cohen.

About OTI

On Track Innovations (OTI) is a global leader in the design, manufacture, and sale of secure cashless payment solutions using contactless NFC technology. OTI’s field-proven innovations have been deployed around the world to address cashless payment and management requirements for the Internet of Payment Things (IoPT), wearables, automated retail, and petroleum markets. OTI distributes and supports its solutions through a global network of regional offices and alliances. OTI is the proud recipient of the 2017 AI Award for Best Cashless Payment Solutions Provider – Israel. For more information, visit www.otiglobal.com.


Safe Harbor / Forward-Looking Statements

This press release contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995 and other Federal securities laws. Whenever we use words such as “believe,” “expect,” “anticipate,” “intend,” “plan,” “estimate” or similar expressions, we are making forward-looking statements. For example, we are using forward-looking statements when we discuss our expectations regarding our growth or profitability, reduction of costs and expenses, expected divestitures, plans for our existing and new products and services, penetration of new markets and securing new customers, contributions of our regions to our growth, resolution of our outstanding patent infringement claims, strengthening of our balance sheet and deliver long-term shareholder value. Because such statements deal with future events and are based on OTI’s current expectations, they are subject to various risks and uncertainties and actual results, performance or achievements of OTI could differ materially from those described in or implied by the statements in this press release. Forward-looking statements could be impacted by the effects of the protracted evaluation and validation periods in the U.S. and other markets for contactless payment cards, or new and existing products and our ability to execute production on orders, as well as other risks and uncertainties, including those discussed in the “Risk Factors” section and elsewhere in our Annual Report on Form 10-K for the year ended December 31, 2016, and in subsequent filings with the Securities and Exchange Commission. Although we believe that the expectations reflected in such forward-looking statements are based on reasonable assumptions, we can give no assurance that our expectations will be achieved. 
Except as otherwise required by law, OTI disclaims any intention or obligation to update or revise any forward-looking statements, which speak only as of the date hereof, whether as a result of new information, future events or circumstances or otherwise.

Investor Relations Contact:

Greg Falesnik
MZ North America
+1-949-385-6449
[email protected]

More Information on OTI

Tokenworks ID Authenticate Product News – User Authentication Drivers License

Tokenworks Product News – User Authentication Drivers License

We like to highlight our members when we can, and new product enhancements are now available from Tokenworks.

Tokenworks provides a complete range of age verification, data entry and form filler, and forensic scanner products, as well as complete developer tools.

Editor's Note: While with KIOSK Information Systems, I probably participated in the installation of literally thousands of Tokenworks devices for various customers. We found them to be extremely reliable, and updating to the latest jurisdictional data was ideal.

IDWedgeKB

USB keyboard-emulating driver's license scanner with built-in parsing. Tokenworks recently completed a Node.js project that lets browsers read data from the device.

The IDWedgeKB™ form filler desktop solution scans driver's licenses, ID cards, credit cards and other magnetic stripe cards and fills computer forms with information from the card automatically! Plugged into any USB port and recognized as a keyboard, the IDWedgeKB™ extracts contact and payment information fields from driver’s licenses, debit/credit cards, membership cards and student IDs and sends them to the flashing cursor on ANY computer.

IDWedgePro

Software based – multiform – auto form filler.

The IDWedge®Pro form filler solution scans driver's licenses, ID cards, credit cards and other magnetic stripe cards and fills multiple computer forms with information from the card. It automatically recognizes and populates forms in multiple PC applications, allowing different applications to share the same ID scanner. It works with any PC application that accepts keyboard input.

ID Parser Server product

A parsing server that clients can run on a Windows server or on Azure to parse driver's licenses.

For larger clients, a great way to parse across a large number of internet-connected devices. Supports Windows, Mac, Android and iOS applications. Simple to integrate and easy to update. Uses the proven TokenWorks ID Parsing DLL software. Handles all North American driver's licenses*, state-issued IDs, the Ontario Health Card and military IDs.


The founders of Tokenworks have been involved in the Smart Card market since 1992 and have participated in a number of industry events and associations such as the Smart Card Forum, Smart Card Industry Association, Smart Card Alliance, CardTech/SecureTech and National Association of Campus Card Users.

In all of our efforts, the following principles are paramount:

  • Design in durability, quality, and value.
  • Deliver value to our customers and shareholders.
  • Do it once. Do it right.
  • Keep it simple.

For more information and pricing (listed on the website), visit the Tokenworks website.

This Week In Credit Card News: Identity Fraud Hits All-Time High; Apple Pay’s Move Into E-Commerce


What took place this week in the credit card and payment industries

Source: www.forbes.com

Last year marked a large shift in the world of data breaches. For the first time, Social Security Numbers were compromised more than credit cards. A staggering 16.7 million consumers were affected by identity fraud last year, an 8% increase over year-ago levels and the highest volume since Javelin Strategy & Research began their annual surveys in 2003. This fraud resulted in losses of $16.8 billion.

Kiosk Malware Avanti – PoS malware hits food kiosks, steals payment card and biometric info – Help Net Security

PoS malware has recently been found in payment kiosks made by US-based vendor Avanti, stealing payment card and biometric information.

Source: www.helpnetsecurity.com

Avanti published an incident report

Krebs did a nice article on it as well.

WHAT HAPPENED?

The technology and back-end platform that we use to facilitate a 24-hour, self-service marketplace for customers is supported by our technical team and it is serviced and maintained by a network of operators around the country. We believe that sometime shortly before July 4, 2017, the workstation of one of the third party vendor’s employees became infected with a sophisticated and malicious malware attack, although our investigation has not enabled us to determine the precise nature of the attack. The malware wound up affecting some kiosks.  Within hours of learning of this incident on July 4, 2017, we worked with our vendor to remove the malicious code associated with the malware attack and preliminary testing indicates these efforts prohibited further persistent activity by the malware.

WAS MY INFORMATION ACCESSED?

We are currently conducting an extensive IT forensic investigation to determine the extent of the attack, including which kiosks were affected. We have determined at this point that the attack was not successful on all kiosks and many kiosks have not been adversely affected. Additionally, based on our investigation at this time, it appears this malware was only active beginning on July 2, 2017.  Accordingly, if you did not utilize a kiosk between July 2, 2017 and July 4, 2017, you were likely not affected by this attack.

WHAT INFORMATION WAS COMPROMISED?

As you know, the kiosks do not collect certain data elements (such as Social Security Number, date of birth, or federal or state identification number) from customers.  Accordingly, those elements of personal information were not subject to compromise.

However, for customers that used a payment card to complete a purchase on an infected kiosk, the malware may have compromised cardholder first and last name, credit/debit card number and expiration date. In an abundance of caution, our original notice advised customers who used their Market Card to make payment that they may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality.  We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data and as such this biometric data would not be subject to this incident as it is encrypted.

WAS BIOMETRIC DATA COMPROMISED?

No.  In an abundance of caution, our original notice advised customers who used their Market Card and the kiosk’s biometric verification functionality may have had their biometric data compromised.   We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data and as such this biometric data would not be subject to this incident as it is encrypted.

DID THIS ATTACK AFFECT ALL KIOSKS? 

No. In May 2017, we began working with our operators to roll out an end-to-end encryption solution to all kiosks. At the time of the incident, the solution had been installed in more than 50% of kiosks. The payment card information on these kiosks was not affected.  At this stage, we have determined the attack was not successful on all kiosks and many kiosks have not been adversely affected at all.  We believe approximately 1,900 kiosks have been affected, a fraction of the total kiosks in use.  

HOW DO I KNOW IF THE KIOSK AT MY LOCATION OR THE KIOSK I REGULARLY USE WAS AFFECTED?

As part of our remediation efforts, we have shut down payment card processing at affected kiosk locations.  If your kiosk’s payment card processing has been disabled or “temporarily unavailable” it is likely that your kiosk was affected by this attack. Please note that even if you used an affected kiosk, that does not mean that your personal information was compromised or infiltrated.

WHAT IS BEING DONE TO PROTECT ME?  

We have been working nonstop to address this incident, remediate the attack and mitigate harm.  Immediately upon discovering that our third party vendor was the victim of a malware attack, we worked with our technical team to commence an investigation to determine the scope of this incident and attempt to identify those affected, which included retaining a nationally recognized forensic investigation firm.  We worked with our assembled internal response team and took steps to secure our information systems, including shutting down payment card processing at kiosk locations we believe have been affected.  Within hours of learning of this incident, we worked with our technical team to remove the malicious code associated with the malware attack and preliminary testing indicates these efforts prohibited any further improper access.  We also are continuing to work with our technical team and our operators to purge affected systems of any malware from the attack and taking steps to substantially minimize the risk of a data compromise in the future.

Within only a few days after our discovering the incident, we published detailed information to help affected individuals learn about steps they could take to safeguard their personal information and protect against identity theft. We also developed these FAQs to provide additional information and assist you with gathering information about the incident as well as additional steps you can take to protect yourself.   Finally, we have made available credit monitoring services at no cost to those individuals whose personal information has been compromised. Specifically, we have partnered with Equifax® to provide its Credit WatchTM Silver identity theft protection product for one year at no charge to you. If you choose to take advantage of this product, it will provide you with a notification of any changes to your credit information, up to $25,000 Identity Theft Insurance Coverage and access to your credit report. To enroll, you must first call 800-224-8040 to obtain an authorization code and then follow the enrollment instructions that are located here. You must complete the enrollment process by October 9, 2017. We encourage you to enroll in that service.

WHO IS RESPONSIBLE FOR THIS ATTACK?

We are working with our IT forensic investigators and law enforcement in an effort to determine those responsible.  At this time, the responsible party or parties have not been identified.

I AM UPSET MY INFORMATION MAY BE SUBJECT TO THIS ATTACK.

We understand. We apologize for any inconvenience this incident may cause you and assure you we are doing everything we can to help. We have been working nonstop to address this incident, remediate the attack and mitigate harm. Immediately upon discovering that our third party vendor was the victim of a malware attack, we commenced an investigation to determine the scope of this incident and attempt to identify those affected, which included retaining a nationally recognized forensic investigation firm. We worked with our assembled internal response team and took steps to secure our information systems, including shutting down payment card processing at kiosk locations we believe have been affected. We also are working with our technical team and our operators to purge affected systems of any malware from the attack and taking steps to substantially minimize the risk of a data compromise in the future.

Within only a few days after our discovering the incident, we published detailed information to help affected individuals learn about steps they could take to safeguard their personal information and protect against identity theft. We also developed these FAQs to provide additional information and assist you with gathering information about the incident as well as additional steps you can take to protect yourself. Finally, we have made available credit monitoring services at no cost to those individuals whose personal information has been compromised. Specifically, we have partnered with Equifax® to provide its Credit WatchTM Silver identity theft protection product for one year at no charge to you. If you choose to take advantage of this product, it will provide you with a notification of any changes to your credit information, up to $25,000 Identity Theft Insurance Coverage and access to your credit report. To enroll, you must first call 800-224-8040 to obtain an authorization code and then follow the enrollment instructions that are located here. You must complete the enrollment process by October 9, 2017. We encourage you to enroll in that service.

ARE THE PEOPLE WHOSE DATA MAY HAVE BEEN COMPROMISED AT RISK FOR IDENTITY THEFT?

Any person who has personal information compromised does have an increased risk of identity theft.  We are taking a number of steps to help you minimize the chance of identity theft. This includes enrolling in the credit monitoring service as described above.

HOW MANY INDIVIDUALS WERE AFFECTED BY THE DATA INCIDENT?

This incident affected a limited number of kiosks and as such did not affect all customers.  We are working with our IT forensic investigators to determine those who have been affected. At this time, the total number of affected individuals has not been determined.

SHOULD I BE CALLING MY BANK AND CLOSING MY ACCOUNT? SHOULD I BE CANCELING MY CREDIT CARDS?

Of course, you can take these steps if you feel more comfortable.  But, you do not have to close your bank and credit card accounts. Be sure, though, to monitor your bank and credit card statements for accuracy. If you notice any suspicious activity or you believe your information is being misused, please file a report with your local police department and the Federal Trade Commission. You can also enroll in the credit monitoring service as described above.

IS MY SPOUSE/DEPENDENT AFFECTED? 

We have no information at this point to suggest that the information of your spouse/child/dependent has been affected by this incident.   Please note if they also utilized a payment card at a kiosk between July 2, 2017 and July 4, 2017 they also likely were affected by this incident.

WHEN DID THIS EVENT OCCUR?

We discovered the incident on July 4, 2017.  At this stage of our investigation, it appears the malicious malware attack began on July 2, 2017.

WHY DIDN’T YOU TELL ME SOONER?

We believe we acted very quickly to make information available to you following our discovery on July 4, 2017. Our initial website posting was published three (3) days later. These comprehensive FAQs were added a few days after that. However, we have been conducting an extensive internal investigation to understand what happened and what information may have been compromised. This includes coordinating with our technical team, as well our operators. In addition, we needed to retain an IT forensic investigation expert and prepare a process for responding to your follow-up inquiries.

WHAT CAN I DO ON MY OWN TO ADDRESS THIS SITUATION?

There are a number of steps you can take, many of which were detailed in the Customer Notification. These include placing a fraud alert with the credit bureaus, reviewing your financial statements, and signing up for credit monitoring.

I RECEIVED AN EMAIL FROM AVANTI REGARDING THIS INCIDENT.  IS THIS LEGITIMATE?

In limited instances, we will endeavor to provide notification to potentially affected individuals via email (if we have a valid email address), as well as responding to emails you may have initiated with us.  However, you should be aware of scam email campaigns related to this incident.  These scams, designed to capture personal information (known as “phishing”) are designed to appear as if they are from Avanti and the emails may include a “click here” link or ask you to “open” an attachment.  These emails are NOT from us.

  • DO NOT click on any links in email.
  • DO NOT reply to the email or reach out to the senders in any way.
  • DO NOT supply any information on the website that may open if you have clicked on a link in an email.
  • DO NOT open any attachments that arrive with email.

Individuals who have provided e-mails to us may receive an e-mail directing them to visit our website for additional information and/or to sign up for credit monitoring.  Any such email will not include attachments, embedded links, or in any way ask for personal information.

I RECEIVED A CALL FROM AVANTI REGARDING THIS INCIDENT AND ASKING FOR MY INFORMATION.  IS THIS LEGITIMATE?

No.  We are NOT calling individuals regarding this incident and are not asking for any of your personal information over the phone.

ORGANIZATION RELATED

HOW CAN I BE SURE THAT MY PERSONAL DATA WON’T BE SUBJECT TO ATTACK AGAIN IN THE FUTURE?

We are doing everything we can to ensure there is no further vulnerability to the kiosks.  In May 2017, before the incident occurred, we began working with our technical team and our operators to roll out an end-to-end encryption solution to all kiosks. At the time of the incident, the solution had been installed in more than 50% of kiosks.

We presently are working with a nationally recognized IT forensic investigation firm to investigate this attack and identify additional safeguards which may be utilized to secure data.  We comply with federal and state privacy laws and work hard to maintain your personal data in a safe and secure environment. This includes redoubling our efforts to expedite the rollout of our end-to-end encryption solution to all kiosks. Additionally, within hours of learning of this incident, we worked with our technical team to remove the malicious code associated with the malware attack and preliminary testing indicates these efforts prohibited any further improper access. We also have been updating all Antivirus Protocols and SW patching, and are continually scanning sample kiosks across the network for anomalies with no positive response.  We take data privacy and security very seriously and are continuing to assess and modify our privacy and data security policies and procedures to prevent similar situations from occurring.  However, no set of safeguards is perfect or impenetrable. 

WHY DO KIOSKS HAVE MY INFORMATION?

It is necessary for the kiosks to have certain data from customers as part of the point of sale process. However, we continually work to minimize, to the extent possible, the amount of personal information that needs to be collected and maintained. For instance, in May 2017, before the incident occurred, we began working with our technical team and our operators to roll out an end-to-end encryption solution to all kiosks. At the time of the incident, the solution had been installed in more than 50% of kiosks. This solution would eliminate the storage of payment card data on the kiosks.

I AM CONCERNED ABOUT IDENTITY THEFT – WHAT CAN I DO?

There are a variety of steps you can take, many of which are detailed in the Customer Notification and in the FAQs below.  These include placing a fraud alert with the credit bureaus, reviewing your financial statements, and signing up for credit monitoring.

IS AVANTI DOING ANYTHING TO HELP ME?

Avanti has endeavored to provide notice of this attack as soon as possible.  In addition, we

  • are making available to you at no cost a credit monitoring service which is described above in the FAQs below.
  • have taken steps to ensure that our electronic systems continue to be secure,
  • have notified various third party consultants, IT forensic investigators, and legal counsel to mitigate any possible harm to the extent reasonably possible,
  • have notified applicable law enforcement agencies,
  • will continue to assess and modify our privacy and data security policies and procedures to prevent similar situations from occurring, including redoubling our efforts to ensure our third party service providers maintain adequate data security.

WAS MY HOME ADDRESS INCLUDED WITH THE INFORMATION AND AM I IN ANY DANGER OF BEING ROBBED?

Your home address information was not included. For perspective, your address is likely available through many other sources of public records and is not generally considered sensitive personal information by itself.

IF MY IDENTITY IS STOLEN, OR IF I AM SUBJECT TO AN INCIDENT OF PAYMENT CARD FRAUD, WILL YOU NOTIFY ME WHEN IT HAPPENS?

By checking your credit report and ensuring you have placed a fraud alert to the three major credit bureaus you are taking the steps to limit your risk of becoming a victim of identity theft.  By being proactive with receiving timely credit reports, monitoring your bank and credit card statements, you will be able to notice any inaccuracies as they occur.  In addition, the credit monitoring service we will be making available is designed to alert you to irregularities concerning your credit. We will not have access to this information.

IDENTITY THEFT-GENERAL

WHAT IS IDENTITY THEFT?

Identity theft is the taking of the victim’s identity to obtain credit, credit cards from banks and retailers, steal money from existing accounts, apply for loans, rent an apartment, file bankruptcy or obtain medical services.  Often the victim does not become aware of the crime until months or years after the theft occurs.

WHAT DO I DO NOW? WHAT CAN I DO TO PROTECT MYSELF? HOW DO I FILE A FRAUD ALERT AND GET A COPY OF MY CREDIT REPORT? WHAT ABOUT A SECURITY FREEZE?

There are some simple steps you can take to protect yourself against identity theft or other fraudulent misuses of information about you. Notably, watch for any unusual activity on your credit card accounts or suspicious items on your bills. You may wish to contact your credit card issuers and inform them of what has taken place. You may also wish to do the following:

  • Enroll in the credit monitoring service we are making available to you at no cost.
  • Under federal law, you are entitled to one free copy every 12 months of your credit report from each of the three major credit reporting companies. You may obtain a free copy of your credit report by going on the Internet to AnnualCreditReport.com or by calling 1-877-FACTACT (1-877-322-8228). If you would rather write, a request form is available on www.AnnualCreditReport.com. You may want to obtain copies of your credit reports to ensure the accuracy of the report information.
  • When you receive your credit reports, look them over carefully. Look for accounts that you did not open or inquiries from creditors that you did not initiate. Look for personal information that is not accurate. Even if you do not find suspicious activity on your initial credit reports, it is recommended that you check your credit reports every three months for the next year. Checking your reports periodically can help you spot problems and address them.
  • To further protect yourself, you may contact the fraud departments of the three major credit reporting companies. They will discuss your options with you. You have the right to ask that these companies place ”fraud alerts” in your file. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling just one of the three nationwide credit reporting companies. As soon as that company processes your fraud alert, it will notify the other two credit reporting companies, which must then also place fraud alerts in your file. Contact information for the three major credit reporting companies is provided in the Customer Notification. 
  • Remove your name from mailing lists of pre-approved offers of credit for approximately six months by visiting www.optoutprescreen.com;
  • Review all of your bank account statements frequently for checks, purchases or deductions not made by you;
  • If you suspect or know that you are the victim of identity theft, you should contact local police and you also can report this to the Fraud Department of the FTC;
  • To place a security freeze on your credit report, you will need to call all three credit bureaus (information listed below). Charges to place and/or remove a security freeze vary by state and credit agency. To place a security freeze, contact:
  • Equifax 1-800-685-1111: https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
  • Experian 1-888-397-3742: http://www.experian.com/consumer/security_freeze.html
  • TransUnion 1-800-680-7289: http://www.transunion.com/personal-credit/credit-disputes/credit-freezes.page

WHAT SHOULD I DO IF I NOTICE ANY SUSPICIOUS ACTIVITY ON MY CREDIT REPORT OR MY BANK/CREDIT CARD STATEMENTS?

There are a few steps you must take. Call one of the 3 credit bureaus to:

  • Declare yourself an identity theft victim
  • Request a free credit report
  • Ask that a fraud alert be placed on your credit file
  • And, ask that bureau to contact the remaining 2 credit bureaus to request fraud alerts on your file.
  • Contact information for the three major credit reporting companies is provided in the Customer Notification.

While you may experience wait times or similar difficulties when contacting the credit bureaus, be persistent and begin monitoring your financial statements and contacting the institutions with suspected fraudulent activities. You may want to visit each of the credit bureau’s websites to place fraud alerts on your accounts, but we recommend calling the toll-free number.

Second, filing a complaint with the police is required by many institutions to prove that your identity was stolen. After filing the complaint, ask for a copy of the police report, because you will need to attach it to all written correspondence sent in your effort to resolve any fraudulent activity. Be polite but persistent with the police; in many areas they are understaffed and cannot deal efficiently with identity theft.

WHAT SHOULD I DO IF THE LOCAL POLICE WILL NOT TAKE A REPORT FROM ME?

There are efforts at the federal, state and local level to ensure that local law enforcement agencies understand identity theft, its impact on victims, and the importance of taking a police report. However, we still hear that some departments are not taking reports. The following tips may help you to get a report if you’re having difficulties:

  • Furnish as much documentation as you can to prove your case. Debt collection letters, credit reports, and other evidence of fraudulent activity can help demonstrate the seriousness of your case.
  • Be persistent if local authorities tell you that they can’t take a report. Stress the importance of a police report; many creditors require one to resolve your dispute. Remind them that credit bureaus will automatically block the fraudulent accounts and bad debts from appearing on your credit report, but only if you can give them a copy of the police report.
  • If you’re told that identity theft is not a crime under your state law, ask to file a Miscellaneous Incident Report instead.
  • If you can’t get the local police to take a report, try your county police. If that doesn’t work, try your state police.
  • Some states require the police to take reports for identity theft. Check with the office of your State Attorney General to find out if your state has this law.

LINK TO ALL STATE ATTORNEY GENERAL OFFICES:

http://www.privacycouncil.com/id_theft_resources.php

WHAT ARE TYPICAL THINGS THAT AN IDENTITY THIEF WOULD DO?

Identity thieves have been known to take a victim’s identity to obtain credit, credit cards from banks and retailers, steal money from existing accounts, apply for loans, rent an apartment, file bankruptcy or obtain medical services.

WHAT IS A FRAUD ALERT AND HOW LONG DOES IT LAST?

A Fraud Alert is a flag that the credit reporting agencies put in your file to instruct creditors to take extra precautions, such as additional verification of your identity when opening accounts or issuing credit. An initial fraud alert lasts 90 days. An extended alert lasts for 7 years.

WHY SHOULD I SET A FRAUD ALERT WITH THE CREDIT BUREAUS?

This will prevent someone from opening new accounts in your name. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts as well. All three bureaus will place a message on your report that tells creditors to call you before opening any new accounts.

You will not be charged for this service. Please note, placing a fraud alert may delay your ability to open new lines of credit quickly. You should notify any new creditors with whom you have applied that you have a fraud alert placed.

WHEN A FRAUD ALERT HAS BEEN SET, WILL IT TRIGGER AN AUTOMATIC MAILING OF A CREDIT REPORT?

It is recommended that you request your free credit reports before setting a fraud alert. If you do not, about one week after setting the fraud alert, you will receive confirmation letters from the credit bureaus. These letters will explain that you have to call each bureau and order your free report. They will provide the phone numbers you need to call. Once you call and order, your report should arrive within 2 weeks in a plain, unmarked envelope. Be sure to examine it carefully. You are entitled to one free copy for every 90 day alert period.

I ALREADY PLACED FRAUD ALERTS. CAN I PLACE THEM AGAIN?

The fraud alerts last 90 days and the system will let you know the alerts are already in place if you try to place them again before they expire. There is no penalty for doing this. You will NOT be notified when fraud alerts expire, so note the date and you can place them every 90 days for as long as you wish.

CREDIT REPORTS

HOW DO I GET A FREE COPY OF MY CREDIT REPORT?

Under federal law, you are entitled to one free copy of your credit report every twelve months from each of the three major credit reporting companies. You may obtain a free copy of your credit report by going on the internet to www.AnnualCreditReport.com or by calling 1-877-FACTACT (1-877-322-8228). If you would rather write, a request form is available on www.AnnualCreditReport.com. You may want to obtain copies of your credit reports to ensure the accuracy of the report information.

WHAT DO I DO IF THERE IS INFORMATION ON MY CREDIT REPORT THAT IS OLD/INACCURATE?

Very often, a credit report will contain information that is a result of human error (typos, reporting errors or inaccuracies, outdated information). Sometimes, even social security number variations can appear. This is usually not identity theft, and it is up to the individual to dispute the incorrect information with the credit bureaus. Call the number provided on your report.

However, if you discover this information along with other evidence of fraud (new accounts, collections accounts that aren’t yours, etc.), you may be a victim of identity theft. It is best to begin by contacting the bureau to find out why/how the information is being reported. You can begin disputes with them. (See other FAQs below to get answers about disputing fraudulent accounts)

WHAT SHOULD I LOOK FOR ON A CREDIT REPORT TO INDICATE IDENTITY THEFT?

Accounts

Look for accounts you didn’t open and unexplained debts or authorized users that you didn’t authorize on your legitimate accounts.

Personal Information

Check to see if your personal information (your SSN; address(es); name and any variations, including initials, Jr., Sr., etc.; telephone number(s); and employers) is correct. Inaccuracies in this information may also be due to typographical errors. If you believe that the inaccuracies are due to error, you should notify the credit bureaus by telephone and/or in writing to dispute the information.

Inquiries

Inquiries on credit reports from potential credit card issuers do not always mean that someone has tried to get credit in your name. Banks and credit card companies often inquire about a consumer’s creditworthiness to help them target their marketing efforts.

These inquiries will be identified in a designated section of the report and are described as “Inquiries that are viewed by others and don’t affect your credit score.” If you would not like your information to be used in this way, you can call 1-800-5-OPT-OUT (1-800-567-8688). You are automatically opted out of data sharing when you place fraud alerts.

Inquiries that are described as displaying to others and affecting your credit score are the ones you need to be concerned with—these appear when someone has applied for credit in your name.

GENERAL CREDIT MONITORING QUESTIONS 

I KEEP SEEING “CREDIT MONITORING” OFFERED ON THE BUREAU’S WEBSITES. WHAT IS CREDIT MONITORING?

Monitoring your credit reports regularly is a helpful way to detect and prevent fraud. Credit monitoring assists you with this process. Each of the bureaus offers some kind of credit monitoring service that you can purchase. Remember, we will be making credit monitoring available to you at no cost. The enrollment process is described in the Customer Notification on the website. The options are usually to monitor only one of your reports or all three. Some other Internet companies and financial institutions offer a monitoring service as well. We suggest you research the service and the company very well before purchasing the monitoring to ensure it is a reliable product.

The way monitoring works is that every week, you are informed of any changes to your credit report. You’ll be alerted to what’s happening with your credit by knowing about the following changes (all of which could indicate fraud):

  • New inquiries
  • New accounts opened in your name
  • Late payments
  • Improvements in your report
  • Bankruptcies and other public records
  • New addresses
  • New employers

SHOULD I BUY CREDIT MONITORING?

That is a decision that we recommend each person make for herself/himself. Please note, however, Avanti is making available a monitoring service for you at no cost. The enrollment process is described in the Customer Notification on the website.

CAN YOU ENROLL ME IN CREDIT MONITORING?

No, we cannot. This is something you will have to do individually.

IF I CHOOSE TO PURCHASE CREDIT MONITORING AND REPAIR SERVICES, WILL YOU REIMBURSE ME?

No.  We will be contracting with a trusted vendor to provide monitoring services at no cost to you and will not reimburse for services that may have been independently purchased.

Kiosk Hacking Demonstration – Defcon 16

Kiosk Hacking Demo

Lots of tools out there. This one sort of puts the wrap on Windows XP (and 7 to an extent). Complete how-to from Defcon 16 and Paul Craig (who has since moved on to ATMs).

Here is the PDF of the entire presentation: defcon-16-craig

The web address for iKat is ikat period h period cked period net

  • An online tool you visit from any Kiosk terminal.
  • Provides content to help an escape from any application jail.
  • “Sure would help me during penetration tests”

Kiosk Hacking Demonstration

Available Remote Input Vectors:

  • Remotely hosted content, viewed by a Kiosk.
  • JavaScript.
  • Java Applets.
  • ActiveX.
  • ClickOnce applications (.NET Online Application Deployment).
  • Internet Zone protocol handlers.
  • File type handlers.
  • Flash, Director, Windows Media Player, Real, QuickTime, Acrobat, other browser plug-ins.

More Security Kiosk news

Pornographic video at D.C.’s Union Station disassembled; content provider takes responsibility, claims it wasn’t a hack

A kiosk in a public transit station displayed pornographic content because the software was not properly locked down.

Source: www.kioskmarketplace.com

Write-up by Maras from the point of view of the software provider. Our take?

I think the Ping guy is being disingenuous when he says he wasn’t hacked. “Breaking into the desktop” is a hack in itself. Was there malware which modified some existing code? No. But that isn’t what people are supposed to guard against. He was hacked.

A little disappointing that his protection is predicated on his image build containing his tools. And he said he “checked every single unit” like he went PC by PC. No mention of overall remote management and control.

They never configured their Win10 correctly (and imaged it as such), and my guess is they are on the consumer version.

Given all that, the odds are very good that he’ll get “hacked” again, sounds like to me…

Your Clever Password Tricks Aren’t Protecting You from Today’s Hackers

Security breaches happen so often nowadays, you’re probably sick of hearing about them and all the ways you should beef up your accounts. Even if you think you’ve heard it all already, though, today’s password-cracking tools are more advanced and cut through the clever password tricks many of us use. Here’s what’s changed and what you should do about it.

Source: lifehacker.com

Good advice

Kiosk Security – Here Is the Porn Video That Played in DC’s Union Station Last Night [NSFW]

Last night, a display screen in Union Station—one of Washington DC’s main transit hubs—found itself moonlighting as a tiny pornographic theater. Now, Gizmodo can exclusively reveal footage of the incident, and I can assure you that, one, it’s definitely pornography, and two, I have never had a commute this stimulating.

Source: gizmodo.com

I think they said it in the movie (Sierra Madre?): “we don’t need no stinkin’ lockdown…”. Somebody supposedly smarter than everyone else turns out to be not as smart as many.

Update: Corey Price, VP of Pornhub, provided Gizmodo with the following comment regarding the brand’s surprise appearance in Union Station yesterday evening.

“Pornhub is accessed by nearly 75 million fans across the world each day. It’s entirely possible the perpetrator of this incident was an avid fan who was perusing our content and unfortunately mishandled the technology behind the video screen at Union Hall. While we don’t condone such behavior — by any means — whatsoever, especially broadcasting unwarranted material to innocent passersby, we do hope it provided some…relief…in the midst of a hellacious commute home.”

Another worthwhile read is here on LifeHacker.

The Ransomware Attack Isn’t Over—Here’s How to Protect Yourself

Excerpt:

If your computer’s running on Microsoft Windows, you need to take these steps—right away.

Here’s why: in case you haven’t heard, hackers exploited a vulnerability in older Microsoft Windows servers to execute a large-scale global cyberattack on Friday using ransomware — a malicious software that holds your computer hostage for ransom — and a hacking tool stolen from the U.S. National Security Agency (NSA). The massive attack left victims locked out of their PCs with a promise of restored access if $300 was paid in digital currency Bitcoin—and a threat of destroyed files if the ransom is not met.

Thus far, at least 200,000 computers have been infected in more than 150 countries, leaving everything from businesses and governments to academic institutions, hospitals and ordinary people affected.

See the article on Kiosk Industry on passwords as well: Your Clever Password Tricks Aren’t Protecting You from Today’s Hackers

More news

UCP has Ingenico iUC285 Beta units

iUC285 Ingenico EMV Reader for Unattended Self Service

Unattended Card Payments Inc. Begins Shipping the iUC285 in the U.S. As the main Ingenico VAR for unattended hardware, UCP Inc. announces that it has received the first shipment of iUC285 beta units.

Source: www.ucp-inc.com

These units are designed for unattended use and are being certified with multiple processors as we speak.

Here is spec sheet.

iUC280 product info

Camlock Systems Launches LinkedIn Company Page

Camlock Systems Ltd has launched its company page on the professional social network LinkedIn. Camlock’s followers can now obtain expert security advice, gain company insights, read market news and participate in related discussions.

Camlock Systems’ locking security experts work in partnership with customers to supply or to design, develop and manufacture mechanical and electronic locking security using innovative technology.

By following Camlock Systems on LinkedIn, interested individuals have the opportunity to learn about products, markets, partnerships, career opportunities, Camlock’s team, and more.

LinkedIn further enables people to engage with Camlock Systems and their security experts, either by sharing and commenting on posts or by approaching a team member directly.

Camlock’s products are widely used in the self-service industries including vending machines, gaming machines and kiosk terminals as well as infrastructure and utilities cabinets and enclosures.

Rebecca Koch, International Marketing Manager at Camlock Systems, says: “LinkedIn will give our followers and us the chance to get to know and inspire each other. I would like to encourage everyone who is interested in locking security to connect with us.”

Follow us on LinkedIn under https://www.linkedin.com/company/camlock-systems-ltd or visit our website www.camlock.com for further information.

Security – How The Panama Papers Breach Happened

The news this week has been filled with the so called “Panama Papers” which have resulted in the resignation of at least one world leader, the Icelandic Prime Minister, and have caused controversy to surround others including Russian President Putin and British prime minister Cameron.
The data involved was taken from a Panamanian Law Firm called Mossack Fonseca (MF) by a hacker and reveals secret financial structures used by the powerful and wealthy to hide their assets around the world.
Turns out it was likely due to a website plugin that did not get updated. Maybe they turned off updates, or they were running an unlicensed “free” version. Free is cheaper, right? We know better.

Mossack Fonseca Breach – WordPress Revolution Slider Plugin Possible Cause

This entry was posted in General Security, WordPress Security on April 7, 2016 by mark

Mossack Fonseca (MF), the Panamanian law firm at the center of the so called Panama Papers Breach may have been breached via a vulnerable version of Revolution Slider. The data breach has so far brought down the Prime Minister of Iceland and surrounded Russian President Putin and British Prime Minister David Cameron with controversy, among other famous public figures. It is the largest data breach to journalists in history, weighing in at 2.6 terabytes and 11.5 million documents.

Forbes have reported that MF was giving their customers access to data via a web portal running a vulnerable version of Drupal. We performed an analysis on the MF website and have noted the following:

The MF website runs WordPress and is currently running a version of Revolution Slider that is vulnerable to attack and will grant a remote attacker a shell on the web server. 

Viewing this link on the current MF website to a Revolution Slider file reveals the version of revslider they are running is 2.1.7. Versions of Revslider all the way up to 3.0.95 are vulnerable to attack.

Mossack Fonseca running vulnerable Revolution Slider

It appears that MF have now put their site behind a firewall which would protect against this vulnerability being exploited. This is a recent change within the last month.

Looking at their IP history on Netcraft shows that their IP was on the same network as their mail servers.

ViewDNS.info further confirms that this was a recent move to protect their website:

According to service crawler Shodan, one of the IPs on their 200.46.144.0 network runs an Exchange 2010 mail server, which indicates this network block is either their corporate network or at the very least has a range of IT assets belonging to the company. We also show they’re running VPN remote access software.

You can view the IP addresses used for email for MF below which are all on the same network block:

To summarize so far:

  • We’ve established that they were (and still are) running one of the most common WordPress vulnerabilities, Revolution Slider.
  • Their web server was not behind a firewall.
  • Their web server was on the same network as their mail servers based in Panama.
  • They were serving sensitive customer data from their portal website which includes a client login to access that data.

A theory on what happened in the Mossack Fonseca breach:

A working exploit for the Revolution Slider vulnerability was published on 15 October 2014 on exploit-db which made it widely exploitable by anyone who cared to take the time. A website like mossfon.com which was wide open until a month ago would have been trivially easy to exploit. Attackers frequently create robots to hit URLs like: http://mossfon.com/wp-content/plugins/revslider/release_log.txt

Once they establish that the site is vulnerable from the above URL the robot will simply exploit it and log it into a database and the attacker will review their catch at the end of the day. It’s possible that the attacker discovered they had stumbled across a law firm with assets on the same network as the machine they now had access to. They used the WordPress web server to ‘pivot’ into the corporate assets and begin their data exfiltration.

Technical details of the vulnerability in Revolution Slider

This is a brief technical summary from one of our analysts describing the nature of the vulnerability in Revolution Slider that was exploited.

Revolution Slider (also known as Slider Revolution) version 3.0.95 or older is vulnerable to unauthenticated remote file upload. It has an action called `upload_plugin` which can be called by an unauthenticated user, allowing anyone to upload a zip file containing PHP source code to a temp directory within the revslider plugin.

The code samples below point you to where the specific problem is in revslider. Note that the revslider developer is allowing unprivileged users to make an AJAX (or dynamic browser HTTP) call to a function that should be used by privileged users only and which allows the creation of a file an attacker uploads.

A demonstration of Revolution Slider being exploited

The following video demonstrates how easy it is to exploit the Revolution Slider vulnerability on a website running the newest version of WordPress and a vulnerable version of Revolution Slider.

Conclusion

As a courtesy we have reached out to Mossack Fonseca to inform them about the Slider Revolution vulnerability on their site and have not yet received a response. They appear to be protected against it being exploited, or perhaps re-exploited in this case but the WordPress plugin on the site still needs updating.

To protect your WordPress installation it is critically important that you update your plugins, themes and core when an update becomes available. You should also monitor updates for security fixes and give those the highest priority. You can find out if a WordPress plugin includes a security update by viewing the changes in the “Changelog”.

In this case the site owners did not update for some time and it resulted in world leaders being toppled and the largest data breach to journalists in history.

Update: 7 April at 3:52 PST – We should add that one of the firm partners has confirmed that the data was exfiltrated through a hack. There seemed to be some confusion about whether this was an inside job or a hack. Source: BBC News.
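As an added example (not part of the Wordfence post above, nor this site’s code), the Python below turns the two stages the post describes into checks a site owner can run from the defending side: a version test against the 3.0.95 cut-off the post gives, and a pass over web-server access logs that looks for the release_log.txt probe and the admin-ajax.php POST that follows it. The log lines are constructed; matching `upload_plugin` on the admin-ajax `action` parameter, reading the first version string in release_log.txt as the installed one, and treating a .php file served straight from the plugin directory as suspicious are assumptions, not claims the post makes.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Newest Revolution Slider release the post calls vulnerable (3.0.95 or older).
LAST_VULNERABLE = (3, 0, 95)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first dotted x.y.z version in text as an int tuple, or None.

    Assumption (not from the post): when text is a release_log.txt body, the
    newest entry is listed first, so the first match is the installed version.
    """
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def revslider_is_vulnerable(text):
    """True when the version found in text is 3.0.95 or older."""
    v = parse_version(text)
    return v is not None and v <= LAST_VULNERABLE


# Apache/nginx "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

REVSLIDER_DIR = "/wp-content/plugins/revslider/"


def parse_line(line):
    """Split one access-log line into ip, method, path, query and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path.lower(),
        "query": parse_qs(parts.query),
        "status": m.group("status"),
    }


def find_revslider_activity(lines):
    """Walk log lines in order and return (ip, finding) pairs.

    Findings, in the order the post describes the attack:
      version-probe         GET of revslider/release_log.txt (the scanner step)
      possible-upload       POST to admin-ajax.php naming the upload_plugin
                            action, or any admin-ajax POST from an IP that probed
      php-under-plugin-dir  a .php file served directly from the revslider
                            directory (plugin code is normally reached through
                            admin-ajax.php), a hint that a file was dropped there
    """
    probed = set()
    findings = []
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        ip, path = r["ip"], r["path"]
        if path.endswith(REVSLIDER_DIR + "release_log.txt"):
            probed.add(ip)
            findings.append((ip, "version-probe"))
        elif path.endswith("/wp-admin/admin-ajax.php") and r["method"] == "POST":
            # WordPress routes AJAX calls on the 'action' parameter; POST bodies
            # are not logged, so the query-string match is only a partial signal
            # and the probe-then-POST correlation carries the rest.
            action = r["query"].get("action", [""])[0]
            if action == "upload_plugin" or ip in probed:
                findings.append((ip, "possible-upload"))
        elif REVSLIDER_DIR in path and path.endswith(".php") and r["status"] == "200":
            findings.append((ip, "php-under-plugin-dir"))
    return findings


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2016:10:01:12 +0000] "GET /wp-content/plugins/revslider/release_log.txt HTTP/1.1" 200 5120 "-" "python-requests/2.9"',
    '203.0.113.7 - - [06/Apr/2016:10:01:13 +0000] "POST /wp-admin/admin-ajax.php?action=upload_plugin HTTP/1.1" 200 87 "-" "python-requests/2.9"',
    '203.0.113.7 - - [06/Apr/2016:10:01:15 +0000] "GET /wp-content/plugins/revslider/temp/example.php HTTP/1.1" 200 312 "-" "python-requests/2.9"',
    '198.51.100.4 - - [06/Apr/2016:10:02:00 +0000] "GET /about-us/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Apr/2016:10:02:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("2.1.7 vulnerable:", revslider_is_vulnerable("2.1.7"))
    for ip, finding in find_revslider_activity(SAMPLE_LOG):
        print(ip, finding)
```

The second visitor’s plain admin-ajax POST produces no finding, which is the point of the correlation: ordinary WordPress traffic hits admin-ajax.php constantly, and it is the preceding release_log.txt probe, or the explicit action name, that makes a request worth a look.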

Thin Client Kiosk – malerisch.net: Owning a thin client in less than two minutes

RT @m3g9tr0n: Pwning a thin client in less than two minutes https://t.co/Y9FK57uVy2

Source: blog.malerisch.net

Normally, HP ThinPro OS interface is configured in a kiosk mode, as the concept of a thin/zero client is based on using a thick client to connect to another resource. For this purpose, a standard user does not need to authenticate to the thin client per se and would just need to perform a connection – e.g. VMware Horizon View. The user will eventually authenticate through the connection. The point of this blog post is to demonstrate that a malicious actor can compromise such thin clients in a trivial and quick way provided physical access, a standard prerequisite in an attack against a kiosk.

Source: thinclient.org

Tutorial on breaking and entering a thin client configured for kiosk mode.

PC Security Advice & Resources

PC Security for Kiosks is a big deal for sure.

Hacks into PCs bring to mind words like “payload”. We manage this website, and the security threats to even a basic WordPress website are unprecedented.

A few days ago a new “Attack Platform” showed up for WordPress.

The first inclination is to shrug it off a bit and point out we speak of a website, yet many kiosks are running content and are connected to that very infrastructure. Thus they are at risk.

There are a couple of “goes without saying” precautions that should be considered:

  • Use a lockdown. There are several from KioWare, PROVISIO, KioskSimple, TIPS and KIOSK Core.  These all “lock down” the common entry points like when the OS boots up, where the browser goes, and at what privilege level a user has available (and it won’t be root or admin).
  • Use a secure OS.  Powering off a machine and back up is a critical juncture.  Are there USB ports exposed, and which are enabled?  Windows Embedded, POSReady and other windows iterations are designed for this industrial type use (also known as unattended).
  • Physical access to the machine and PC needs to be controlled.
  • “Tweaking” windows with assigned access and policies is fine but it usually takes multiple tries to finally lock down some of what the lockdowns lock down.
  • Windows Patch management (or Linux) — how are you going to implement that remotely and unattended?
  • How do you manage all those terminals?
  • What about the backoffice?  Many “breaches” are into the datastores that the kiosks are building/using back in the office. Security begins at home…
  • Do you have contractors logging into your network?  Take some advice from Target. Eliminate it or force them to log in only on secured terminals, not cheap PCs running freeware Malware protection (which doesn’t always update).

That’s some quick advice.

Here are some interesting and useful whitepapers out there.

More articles