Security Watch

Apple Holes

How did about 400 iTunes accounts get compromised, driving up fraudulent sales of a developer's book apps? According to one researcher: bad security practices on the part of Apple Inc. and its customers.

Processing Content

Apple wasn't hacked, but its security practices made it easy for customer accounts to be exploited, Sean Sullivan, a security adviser at F-Secure of Helsinki, told Computerworld for a July 8 article.

A spike in sales of otherwise unknown digital book apps from one developer was disclosed last week and linked to a compromise of accounts at Apple's iTunes digital media store. The sales were considered a way for a fraudster to profit from the stolen accounts.

The accounts themselves were most likely phished, or else the fraudster behind the incident used brute force to guess simple passwords. "Standard phishing attacks … [are] much more likely than someone hacking the accounts or Apple's database," Sullivan said. The fraudster could have even phished other accounts and bet that the victims use the same password on iTunes.

But Apple, by failing to use security measures that are common at banks and other companies, made it too easy for stolen credentials to be exploited. For example, many companies consider transactions made from other countries suspicious enough to flag or block, but Apple lets them through. It does limit the number of devices that can make purchases, the article noted.

Even other e-tailers are not so permissive, F-Secure said. The company tested Apple's permissiveness with a U.S. iTunes account it was given access to.

"An American account gives me access to iTunes from Finland," Sullivan told Computerworld. "Try that on Amazon, and it will say, 'Sorry, you're in Finland, you can't.'"
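The two controls the article contrasts, a home-country check on where a purchase originates and a cap on the number of devices per account, as an added illustration that is not Apple's, Amazon's or F-Secure's code. The device cap, the purchase records and the country codes are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_DEVICES_PER_ACCOUNT = 5  # assumed per-account device cap, not Apple's actual limit


@dataclass(frozen=True)
class Purchase:
    account: str
    home_country: str    # country the account was registered in
    origin_country: str  # country geolocated from the purchase request
    device_id: str
    amount_usd: float


def screen_purchases(purchases, max_devices=MAX_DEVICES_PER_ACCOUNT):
    """Map each flagged account to its (device_id, amount, reasons) entries.

    Rule 1: the purchase comes from a country other than the account's home country.
    Rule 2: the purchase pushes the account past max_devices distinct devices.
    Purchases are processed in arrival order, so device counts build up over time.
    """
    devices_seen = defaultdict(set)
    flags = defaultdict(list)
    for p in purchases:
        reasons = []
        if p.origin_country != p.home_country:
            reasons.append(f"country mismatch: {p.home_country} account used from {p.origin_country}")
        devices_seen[p.account].add(p.device_id)
        if len(devices_seen[p.account]) > max_devices:
            reasons.append(f"device limit exceeded: {len(devices_seen[p.account])} devices")
        if reasons:
            flags[p.account].append((p.device_id, p.amount_usd, reasons))
    return dict(flags)


def flagged_amount(purchases, max_devices=MAX_DEVICES_PER_ACCOUNT):
    """Total dollars the screen would have held for review."""
    return round(sum(amt for entries in screen_purchases(purchases, max_devices).values()
                     for _, amt, _ in entries), 2)


# Constructed sample records (not real store data)
SAMPLE = [
    Purchase("alice", "US", "US", "phone-1", 4.99),
    Purchase("alice", "US", "FI", "laptop-9", 4.99),  # US account used from Finland
] + [Purchase("bob", "US", "US", f"d{i}", 1.99) for i in range(1, 7)] + [  # 6 devices
    Purchase("carol", "FI", "FI", "tab-2", 9.99),
]

if __name__ == "__main__":
    for account, entries in screen_purchases(SAMPLE).items():
        for device, amount, reasons in entries:
            print(f"{account} {device} ${amount:.2f}: {'; '.join(reasons)}")
```

Only alice's Finnish purchase and bob's sixth device are held; carol, buying from her own country on one device, passes.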

Sullivan said the best way to avoid any fraudulent charges through an iTunes account compromise is to link the account to an iTunes gift card instead of a credit or debit card. That way, stolen credentials can only be used up to the value of the gift card, and bank account details are never put at risk.

Meanwhile, fraudulent iTunes purchases are on the rise. The news site Ars Technica reported Saturday that fraudulent purchases are prevalent in the iTunes Travel category. One Ars Technica reader, Harper Reed, said that 34 travel-guide apps were purchased from his account, totaling $168.89.

Reed disputes the idea that the passwords are being guessed, since he uses "a string of random alphanumeric characters," the article said. While this means his password is hard to guess, the article notes it could still be cracked through brute force.

Reed said Apple advised him to request a replacement credit card from his bank.

Branch that Wasn't

As if phishers weren't bad enough — a new threat to personal data is a Microsoft Corp. publicity stunt.

Any New Yorker who walked into a "Greater Offshore Bank" branch established in the city in May could have been tricked into handing over personal data as part of a promotion for the technology company's Web browser, Bank Systems & Technology reported Monday.

In exchange for an offer of $500, passersby were asked to provide personal information such as their Social Security numbers, credit card numbers — even a strand of hair for a DNA sample — to an actor posing as a banker.

The counterfeit bank also asked for some more absurd personal information, such as applicants' pants measurements and whether they preferred to wear boxers or briefs.

People who were fooled by the hoax were then told it was all just a stunt, and instructed to shred their applications (the article does not specify what happened to the strands of hair).

Microsoft said it set up the fake branch to draw attention to the security features of its Internet Explorer 8 browser, which blocks access to known fraud sites.

Cops Get Their Cut

TJX Cos. Inc. continues to incur expenses related to the massive data security breach it disclosed in 2008.

The Framingham, Mass., retailer, which operates the T.J. Maxx and Marshalls clothing chains, agreed to pay $595,000 in legal fees to the Louisiana Municipal Police Employees' Retirement System to settle a lawsuit over the breach, Bloomberg News reported July 6. The police retirement fund, a TJX investor, alleged in its lawsuit that TJX directors failed to protect customer data.

As part of the settlement, TJX has also agreed to improve its oversight of customer data.

A TJX spokeswoman told Bloomberg News that despite what it agreed to in the settlement, the company and its directors deny the allegations.

Going Gaga

The Pentagon used the best conventional wisdom to prevent data from walking out the door, but may have fallen victim to an unconventional data thief: a soldier who pretended to be listening to Lady Gaga.

Since the Defense Department, like banks and other organizations with sensitive data to protect, prohibits data drives and locks down its computers' USB ports to prevent files from being copied, Pfc. Bradley E. Manning allegedly used his computer's CD burner to steal sensitive information, The New York Times reported July 8.

Material said to be stolen included a video of a 2007 helicopter attack in Baghdad that was posted to Wikileaks.org in April.

To make his copying inconspicuous, Manning allegedly made his music tastes very conspicuous.

According to Pentagon officials and a former hacker the Times interviewed, Manning "was able to avoid detection not because he kept a poker face, they said, but apparently because he hummed and lip-synched to Lady Gaga songs to make it appear that he was using the classified computer's CD player to listen to music," the article said.

Manning is accused of instead copying classified data, including files he was not authorized to access, and leaving the secure facility where he worked in Iraq with the data CD stowed in a Lady Gaga CD case. Manning was arrested in May and criminal charges were filed against him this week.

Manning is accused of copying data from November until May. The Times said his alleged activities would have been spotted if monitoring software raised alerts on his accessing files he was not authorized to see.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.