By Roy Urrico
Finopotamus aims to highlight white papers, surveys, analyses and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.
Robinhood, Neiman Marcus, Twitch, and Missouri Schools data incidents and vulnerable Wi-Fi highlight a roundup of cybersecurity reports.
Robinhood Breach Leaves Five Million Customers’ Information Exposed
Robinhood confirmed last week hackers obtained more than five million customer email addresses and two million customers, as well as a much smaller set of more specific customer data.
The company said in a blog post that a malicious hacker socially engineered a service representative by phone Nov. 3, 2021 to gain access to customer support systems and obtain customer names and email addresses, birthdates and ZIP codes of 310 customers. Robinhood said that 10 customers had “more extensive account details revealed.”
It is the type of information fraudsters use to facilitate further attacks against victims, like targeted phishing emails, since names and birthdays can often help verify a person’s identity.
Gil Dabah, founder and CEO of Piiano, an Israeli startup specializing in data privacy engineering to secure and control PII, explained, “There are various types of attacks that hackers are using: malicious software, phishing, denial of service, social hacking, system hacking and more.”
Dabah described some of the dangers:
· Social hacking. The general function of social hacking is to gain access to restricted information or to a physical space without proper permission. For example, a hacker that calls a company support team and successfully obtains login credentials into a restricted system.
· Phishing. An attacker sends a fraudulent message designed to trick a human victim into revealing sensitive information. For example, sending an email that looks exactly like a message from a financial institution, and asking for login data to improve the account security.
· System hacking. Exploiting vulnerabilities within an operating system, databases or other software in order to obtain access to confidential data, such as PII, credit card details, etc.
Neiman Marcus Group, Twitch, Missouri Schools Top Data Events
The El Cajon, Calif.-based Identity Theft Resource Center reported that of the 139 data breaches reported in October 2021, three stand out: Neiman Marcus Group (NMG), a popular department store; Twitch, a live stream gaming service; and the Public School and Education Employee Retirement Systems of Missouri (PSRS/PEERS).
In a Sept. 30, 2021 press release, a NMG spokesperson said it “recently learned that an unauthorized party obtained personal information associated with certain Neiman Marcus customers' online accounts.” NMG noted it notified law enforcement of the issue, which occurred in May 2020. The incident exposed the sensitive information for nearly 4.35 million customers including payment card numbers and expiration dates, as well as login credentials like usernames, passwords, and security questions and answers. The company said the incident did not involve any active Neiman Marcus-branded credit cards.
Twitch suffered a data event on Oct. 6, 2021 following an error in the gaming service’s server configuration change. A malicious third party gained access to Twitch’s 135 gigabytes of internal information, which included company and personal data, according to Threatpost. Exposed information included names, email addresses and buyer comments.
A PSRS/PEERS of Missouri spokesperson said the ITRC report “is the latest organization to get hit with a business email compromise (BEC) attack, which continues to be popular among criminals since they are easier to commit and have a higher payout.” The IT department disabled an employee’s email address after a hacker gained access to it, leading to the sensitive data exposure of nearly 350,000 people. The attack could have involved sensitive data live Social Security numbers and PSRS/PEERS account numbers.
The ITRC suggested “Anyone who receives a data breach notification letter should follow the advice offered by the impacted company and immediately change their password to a 12-plus-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager, use multi-factor authentication with an app (not SMS/text) and to keep an eye out for phishing attempts that claim to be from the breached organization.
Wardriving Maps Out Vulnerable Wi-Fi Networks
According to a study by Xfinity, 95% of consumers surveyed underestimate the number of cyberattacks they face monthly. Of these consumers, over 4 in 5 are not confident they could detect the hacking of one of their non-screen devices, which rely more on voice commands, gesture controls, and sensor data as opposed to a user interacting with a screen. And almost half of Americans surveyed believe that open Wi-Fi is safe and does not require additional precautions.
Xfinity observed experts believe otherwise, largely because of wardriving, the act of searching for open and vulnerable wireless networks from within a moving vehicle and subsequently mapping these wireless access points. Wardrivers frequently submit the information to third-party websites to build digital maps of unsecured networks.
“Often, there are a few reasons why people will wardrive,” said Daniel Markuson, a digital privacy expert at Panama-based virtual private network provider NordVPN. “The first is to steal banking information. These unprotected networks can allow hackers access to any device connected to the network. This means wardrivers can engage in malicious activities such as installing malware on your devices or even obtaining sensitive data.”
Markuson indicated another commonly practiced wardriving tactic is using these vulnerable networks for criminal activity, which causes the owner of the network to be liable. It is not all bad, however. “Ethical hackers will use wardriving to find vulnerabilities and improve overall network security.”
NordVPN suggested while wardriving is not illegal, there are blurred elements to the practice. “The line becomes clearer, legally speaking, at the point of interaction with the network,” says Daniel Markuson. “These interactions represent accessing a private network, and this extends into piggybacking, which is accessing someone’s Wi-Fi network without their permission or knowledge.”