A Worm Turns
Another week, another iPhone worm — but this one can
The newest worm, called "Duh," not only steals data stored on Apple Inc.'s popular mobile phone but also intercepts one-time-use passcodes sent by text message to people logging in at online banking sites, Computerworld reported Monday.
These text messages are typically considered strong authentication because they require a user to input a code sent to a device (the cell phone) that is separate from the computer being used to gain access to the online banking system. Such codes typically expire fairly quickly, but the Duh worm could potentially deliver it to a hacker quickly enough to let someone enter a victim's bank account.
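The point in the paragraph above is that a one-time passcode's expiry window is the only thing limiting how long a forwarded code stays usable, and that the verifier cannot tell who typed it. The following Python model is an added illustration, not code from the article or from any bank's authentication system; the verifier, the session identifier, the 60-second lifetime and the fake clock are all assumptions made for the example. It shows the two checks a practitioner would expect such a verifier to enforce (expiry and single use) and makes the relay-delay trade-off concrete.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed code lifetime for this example; real deployments choose their own.
OTP_TTL_SECONDS = 60


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    used: bool = False


class OtpStore:
    """Issues and verifies one-time passcodes, enforcing expiry and single use."""

    def __init__(self, ttl=OTP_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so the timeline can be simulated
        self._codes = {}            # login session id -> IssuedCode

    def issue(self, session_id):
        # Six random digits from a CSPRNG, as an SMS code typically is.
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[session_id] = IssuedCode(code, self.clock())
        return code

    def verify(self, session_id, submitted):
        rec = self._codes.get(session_id)
        if rec is None:
            return "no_code"
        if rec.used:
            return "already_used"       # a code is consumed on first success
        if self.clock() - rec.issued_at > self.ttl:
            return "expired"            # the window closes after ttl seconds
        if not hmac.compare_digest(rec.code, submitted):
            return "mismatch"           # constant-time comparison
        rec.used = True
        return "ok"


class FakeClock:
    """Constructed clock so the example can advance time without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_relay(delay_seconds, ttl=OTP_TTL_SECONDS):
    """Issue a code for one login, submit it `delay_seconds` later.

    Returns the verifier's decision. The verifier sees only the code and the
    session it was issued for, so a code forwarded off the handset and typed
    within the window is accepted exactly as if the account owner typed it.
    Only the TTL bounds how long that forwarded code remains usable.
    """
    clock = FakeClock()
    store = OtpStore(ttl=ttl, clock=clock)
    code = store.issue("login-session-1")   # constructed session id
    clock.advance(delay_seconds)
    return store.verify("login-session-1", code)


def simulate_reuse():
    """Submit the same code twice: the second attempt must be refused."""
    clock = FakeClock()
    store = OtpStore(clock=clock)
    code = store.issue("login-session-2")
    first = store.verify("login-session-2", code)
    second = store.verify("login-session-2", code)
    return first, second


if __name__ == "__main__":
    for delay in (5, 30, 90):
        print(f"code submitted after {delay:>3}s -> {simulate_relay(delay)}")
    print("same code submitted twice ->", simulate_reuse())
```

Running the module prints the decision for a 5-, 30- and 90-second delay against the 60-second lifetime; shortening `ttl` is the only knob in this model that narrows the window a forwarded code stays valid, which is why expiry time is the figure worth asking a bank about.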
The Duh worm, like its predecessors, attacks the phones of people who have "jail-broken" their iPhones — enabling them to run software that has not been approved by Apple — but are forgetful enough to leave the default password unchanged on a networking utility only jail-broken phones can run.
This worm goes a step further than its predecessors and actually changes the password from its default, "alpine," to a profane phrase known to the hackers.
Chester Wisniewski, a senior security adviser at the U.K. security firm Sophos, told Computerworld that the worm actually works against itself because it transmits so much data that it can quickly drain an infected iPhone's battery. As a result, "you're likely to know you've been hacked," he told the magazine.
Wisniewski also stressed that people who do not jail-break their phones cannot be victimized by this worm. "Anyone playing by Apple's rules is, of course, safe," he said.
Letters Lacking
Even when consumers are notified that their financial data has been exposed in a breach,
Part of the problem is that the letters that are typically used to warn people do not convey any sense of urgency; in some cases the offers of free credit monitoring can seem more like a marketing pitch, particularly when victims are offered only a three-month trial instead of monitoring that lasts a year or more, MSNBC's Bob Sullivan reported in his "The Red Tape Chronicles" column on Friday.
Another factor might be that the notification letters do not always explain how consumers' data was lost or exactly what personal details were exposed in the breach.
Whatever the reason, few consumers accept the offer of free credit monitoring, Sullivan wrote, citing breaches where just 4% to 6% of people who got the notification letters signed up for monitoring.
Mary Monahan, the Javelin research director who wrote the report, said that traditional mail has not proven effective at involving consumers in preventing fraud against themselves.
"While the idea of notification is to provide an opportunity for consumers to take action, apparently they do not," she told Sullivan. "This suggests that notification is not working."
The Washington Post's Brian Krebs separately looked into a disclosure letter that seemed "so casual in tone that" a reader "asked me to verify whether it was for real," Krebs wrote in his "Security Fix" column Nov. 20.
Alpha Software Inc., a database application company in Burlington, Mass., e-mailed customers this month to inform them of a breach at an unnamed Internet service provider that handles its Web hosting. The letter said
In the letter, Alpha also promised not to store credit card information anymore. Despite this promise, Krebs took issue with the letter's overall tone.
"Not only does the company straight away blame someone else for the breach, there is no apology or even sense of remorse," he wrote. Krebs said he also separately attempted to contact the company's co-chairman, Richard Rabins, who declined to answer questions about the incident.
Though Alpha's letter did not name its hosting provider, Krebs identified the company as Web.com and asked about a possible breach.
Web.com's chief marketing officer, Roseann Duran, told Krebs, "There is no security breach at all in terms of how this account has been handled." She added that Alpha had been unresponsive to recent notifications that Web.com was about to migrate or upgrade some of its servers. She could not say, however, whether one of the servers that held Alpha data was the one Alpha used to store its customers' payment data.
Exposures
A unit of Universal American Insurance mailed out 80,000 postcards with members'
The postcards went to members of the Medicare Advantage plan, which often uses members' Social Security numbers as their account numbers, according to a Nov. 18 television report by WGAL, in Lancaster, Pa.
Universal American Action Network, the subsidiary that initiated the mailing, said that it has fired the printing service that erroneously printed Social Security numbers on the postcards.
Universal said it will also send a follow-up letter to the affected individuals informing them of the incident and offering a year of free credit monitoring.
A possible data breach in Spain has
Banks in Germany, Austria, Sweden and Finland have already reissued cards, according to an article PC World published on Nov. 20. Visa Europe and MasterCard Inc. have detected fraud on some accounts but said that so far they have little information on how the accounts were compromised.
"What we don't know is what the issue is or how big that issue is," Ian Barber, a Visa spokesman, said in the article.