Consumerist: Hacking
http://consumerist.com/tag/hacking

Gmail recently rolled out a change to its settings, where now you can permanently turn on SSL encryption. Do it now—your personal data will thank you for it. Besides, it's going to get a lot easier to hack Gmail sessions very soon, because some guy is planning on releasing a hacking tool to the public in order to force Google to implement better security. [monkey_bites]

Posted Thu, 21 Aug 2008 16:38:54 EDT by Chris Walters
Here's What The World Of ATM Hacking Looks Like

Wired has been covering the ongoing investigation into recurring ATM PIN thefts from Citibank accounts, and their latest article tracks how Ukrainian immigrants, a ringleader back in Russia, a hacked company named Fiserv that runs Citibank-branded ATMs in 7-Elevens, and an online payment service that also offers money laundering for a small fee all come together to steal your money. It's an amazing look at how the U.S. tries to combat the threat of ATM-related theft.

[The] undercover operation... at one point had Eastern European hackers chasing a female FBI agent through the streets of New York, trying to mug her for ATM-card-programming gear.

"Stakeouts, Lucky Breaks Snare Six More in Citibank ATM Heist" [Wired Threat Level] (Thanks to Robbie!)
(Photo: Getty)

Posted Wed, 25 Jun 2008 20:30:29 EDT by Chris Walters
18-Year-Old Says He Hacked Comcast Because He's "Tired Of Their Shitty Service"

Here's a technique we'll not be adding to our list of fun ways to escalate your complaint: The 18-year-old who recently hacked Comcast and took down the company's homepage and webmail told Wired that it was Comcast's own fault... The hacker, known as EBK, called Comcast to let them know they'd been hacked. The manager scoffed and hung up:

"If he wasn't such a prick, he could have avoided all of that," says EBK. "I wasn't even really thinking. Plus, I'm just so mad at Comcast. I'm tired of their shitty service."

Comcast Hijackers Say They Warned the Company First [Wired]
(Photo: cmorran123)

Posted Fri, 30 May 2008 13:44:19 EDT by Meg Marco
Manager Photographs Teenagers And Says They Are Banned From The Apple Store For Life

Whatever you do, don't download any fun third-party programs to the iPhones at the University Avenue Apple store in Palo Alto, California. You may be detained for 2 1/2 hours, then photographed and told that other Apple stores will be "on the lookout" for you.

From the San Jose Mercury News:

"We're halfway down the block when the manager comes running out and tells us to stop right there," Fukuba said.

The students were ordered to return to the store, where a security guard and the manager called police, Vicenti said.

Sgt. Sandra Brown confirmed that the store called the Palo Alto Police Department and an officer responded, but made no arrests. She said the store issued the teens an "admonishment" to leave the store, but police did not force them out.

After being lectured by the manager on the dangers of "hacking" into the phones, the teens were photographed and told their pictures were being sent to all Apple stores "so they'd be on the lookout for us," Rogers said.

He and Patel were then allowed to leave. Fukuba and Vicenti, who are both under 18, had to wait for their parents to come pick them up.

Over the next few days, the boys worried about the ban's repercussions.

Fukuba wondered what will happen if he needs to get his computer or iPhone repaired.

"I'll have to get a friend to buy stuff for me, like a drug deal," Fukuba said.

Later in the week, the teens had heard through a friend that a different manager had said they were still welcome at Apple, despite what the other employees had said.

"I'm not really sure what's going on," Fukuba said.

An Apple spokesperson confirms that the teenagers are not banned from the Apple store in any way: "They were not banned from that store or any other store," he said.

Teens say they were banned from Apple stores for life, company denies it [SJMN]
(Photo: epicharmus)

Posted Fri, 30 May 2008 12:19:27 EDT by Meg Marco
Okay, who decided it would be funny to hack Comcast? DSLReports says, "Though there's no indication that user privacy is jeopardized, you may want to avoid using Comcast webmail until things have been completely cleared up." [DSLReports]

Posted Thu, 29 May 2008 13:34:23 EDT by Chris Walters
Redbox Shows Businesses How To Properly Handle A Data Breach

Redbox rents DVD movies via vending machine in drugstores and supermarkets throughout the country, and on Friday they announced that they'd found credit card skimmers attached to three of their kiosks. What's surprising is that they 'fessed up so quickly, and in a highly public manner—they've got the text "SECURITY ALERT" at the top and bottom of their website, and the email they sent to their members is detailed, forthright, and helpful, and reposted in its entirety—along with photos of sample card skimmers—on their site. Attempts at identity theft no longer surprise us, but a competent handling of the issue by a company is pretty amazing.

One reader, Meiran, put it this way: "I'm rather impressed by their reaction, it seems like most modern companies would attempt to push this under the rug and pretend it didn't happen, leaving customers to wonder what those strange charges on their statements are."

According to Wikipedia, the company is mostly owned by McDonald's and Coinstar, so it's not like this is an example of a start-up that's never encountered the heavy hand of corporate influence. This means Redbox's board of directors intentionally chose to be proactive on the matter. They seem to have figured out something that lots of other companies still struggle with, which is that if you empower your customers to help protect themselves, they'll help protect you, too. We wouldn't be surprised if the next time a skimmer is detected, the alert comes from a customer who remembers Redbox's email.

"Redbox Security Alert - Credit Card Skimmer Attempt" [redbox] (Thanks to everyone who sent this in!)

RELATED
"Redbox Warns Customers about Credit Card Skimming" [Hacking Netflix]

Posted Mon, 07 Apr 2008 09:42:01 EDT by Chris Walters
Are You Sure You Want To Add That Facebook App?

Gregory writes in to point out that Facebook does a lousy job of monitoring the development of its third-party Platform applications—and in fact many of them are written so badly that they can be easily hacked. The examples he cites, which are listed in the winter issue of the hacker magazine 2600, are all fairly mild stunts like spoofing user IDs, changing the moods of another user, and re-routing gifts, "but this information could be used to mount large scale social engineering attacks if automated and coupled with other information." To illustrate how easy it is to change another user's settings, he pointed us to a YouTube example of how to change another user's "mood" via the Mood app.

Have any of you out there read the winter issue of 2600 (the hacker quarterly)? There's a pretty good article in there called "Facebook Applications Revealed" and it just serves to point out that many people just don't know what they're getting into when they click to add an application. In my opinion, it is irresponsible of Facebook to post assurances to its users that their data is just as secure when using Platform applications as it is when they are using the first party system. Of course, the most personal data still resides on Facebook servers, and one must be authenticated to get access to it; however, poorly-written applications can have numerous security holes that enable prankster "friends" or malicious hackers to gain access to other remotely stored information, e.g. mood histories, etc.

At any rate, it seems Facebook turns a blind eye to these applications that don't properly authenticate users for appropriate data access (e.g. Super Wall), and it seems developers don't really care to properly protect the information they are entrusted with. I have looked plenty of places, including the official Facebook Developers Wiki, and have found no mention of a set of best practices for identity/permission verification or data security for application developers. I am researching these particular vulnerabilities in order to make them more widely known and to help establish a set of suggestions to send or make available to developers that would assist them in properly identifying the user and only allowing said user to modify his/her data, as well as to assist them in verifying that a user has permission to view another user's application data (histories, etc.). At this point, I feel that there is not enough public awareness of these vulnerabilities or their implications. Many users don't know about them, and thus don't care. This provides no incentive for developers to modify their code and make their applications more secure.
Quite a few application developers fail to consider implementing adequate security measures in order to verify data ownership. The article I mentioned earlier points out particular vulnerabilities in the Moods, Free Gifts, and Super Wall as examples. In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea. The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.
In fact, someone has posted a screencast of this hack being executed in under 60 seconds, including commentary, on YouTube. See this link: http://www.youtube.com/watch?v=w65s1iyXqLo

Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uids. Same thing with Free Gifts: you change the uid in the form before it's submitted and you can send a gift anonymously to anyone. Not only is it poor form for these developers to continue to ignore the fact that users trust them to establish and maintain a certain level of security and privacy, but in my opinion it may also be against Facebook's own Platform Application Guidelines, where it is clearly stated that "Applications may not[...] contain functionality that permits any person to impersonate a user of the Facebook Site or obtain access to the Facebook Site without authorization [or] disregard or circumvent any technical measures instituted by Facebook to ensure that the application only provides users with access to Facebook Site content that they would otherwise be able to view on the Facebook Site in accordance with any user privacy settings" (Facebook Platform Application Guidelines, Section II, Subsections 3 and 4). All three of these applications, and perhaps many more, violate the principle established by these rules by disregarding privacy settings and not properly authenticating users to view or modify certain data. I'm sure if someone had their privacy settings set to block everybody but friends from viewing their profile, they wouldn't want somebody changing their mood or spoofing a comment to them through Super Wall. In fact, Facebook's first core privacy principle is that "You should have control over your personal information" (Facebook Privacy Policy, Facebook Principles, Section 1). These applications, by not adhering to basic principles of internet security, take this control right out of the hands of users.

This thread on the Facebook Developer Forum has a bit of discussion on how to properly authenticate users: http://forum.developers.facebook.com/viewtopic.php?id=11668.
At any rate, something needs to be done about this. I'm not sure what exactly, but I am sure that users need to know exactly what they're getting into when they add apps like this. I know at first it seems inconsequential that hackers can gain access to someone's Super Wall or Mood History, but this information could be used to mount large scale social engineering attacks if automated and coupled with other information: for example, one would tend to be much more likely to fall for a scam if he or she were depressed. The Moods application freely gives out this information to anyone wanting to take a peek. Coupled with a list of email addresses cross-referenced to user ids, such an attack could be made extremely effective with that added information. Super Wall post spoofing could be used to instigate fights between two friends or lovers. The possibilities are only limited by a social engineer's mind, and since Moods and Super Wall together boast almost two million active users, these seemingly small holes are too large for malicious minds, or those that protect us against them, to ignore. I hope you can help me get the word out.

Sincerely, Gregory

Bottom line: if you're going to use Facebook, be aware that there's no guarantee that the app you just added to your page was well-written or secure against basic hacking techniques.

RELATED
"Facebook Takes Letting The Whole World See Your Private Photos Seriously"
(Door photo: roblisameehan)

Posted Wed, 26 Mar 2008 21:47:54 EDT by Chris Walters
How To Hack An RFID Credit Card For $8

Today's episode of BoingBoingTV demonstrates how an $8 credit card reader bought off eBay can be used to read your credit card numbers while they're still inside your wallet.

Nice.

Also demonstrated: A stainless steel wallet that blocks the reader. We know someone who keeps his credit cards in an Altoids tin. He now seems like a genius.

Posted Wed, 19 Mar 2008 12:25:03 EDT by Meg Marco
Other Stores May Be Just As Vulnerable To Hacking As TJ Maxx

The Wall Street Journal is reporting that the most likely scenario for how the hackers stole an estimated 200 million card numbers is as simple as a person with a laptop breaking into the wifi network of a store:

The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn.

There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

The $17.4-billion retailer's wireless network had less security than many people have on their home networks, and for 18 months the company—which also owns T.J. Maxx, Home Goods and A.J. Wright—had no idea what was going on.

Gee, whiz! George Ou at ZDNet heard that and wondered which other stores might be running insecure wireless networks that could allow someone with a big antenna and a laptop to steal 200 million credit card numbers. So he went out and learned as much as he could without breaking the law. What he found was disturbing.

The type of wireless encryption George was looking for is called WEP, and it's not that difficult to crack. It's about the same level of security that most people have on their home networks. It's probably fine for your needs, but a corporation needs something, uh, more robust.

The following stores were mentioned by George as having the potential to be hacked. Naturally, he didn't try to break in because he's not an evil douchebag and he doesn't want to go to jail. So keep that in mind.

Lowes:
I saw a combination of WPA and WEP coming from Lowes Home Improvement store. The problem is that almost all of the wireless clients were connected using WEP and actively transmitting data. Even if no one is using WEP but the WEP network exists and gets broken into, the hacker will come in via WEP and it doesn't matter if WPA is mostly being used.

JCPenney:
JCPenney only used WEP on their network and it was actively being used by many wireless LAN clients. It does not look good at all.

Macy's:
Macy's only used WEP on their network and it was very active. I could see a lot of Cisco and Symbol clients connected to the access points. These clients may be the cash registers. Macy's does not look good.

Best Buy:
Best Buy was sort of an odd case. The first network I saw from them was labeled "BestBuy" for the SSID and it was in the clear with zero security. I walked in to ask them if they were offering free Wi-Fi access and the nice employee told me no. Then he wanted to be helpful, so he told me to go ahead and try to get on the network to get access, and I had to hold my laughter back.

PetSmart pet store:
PetSmart only showed a WPA network. However, WEP and WEP40 compatibility was also detected so it isn't clear what the risk is without doing a penetration test which I can't legally do.

Office Depot:
Office Depot actually had a "Free Wi-Fi" sign with a two-page instruction sheet on how to get free Wi-Fi service in their store. I didn't see any customers using it but I found it strange that so many devices were actively using it.

Yikes! This is all very disturbing because, obviously, the success of the TJX massacre will no doubt encourage other similar-minded individuals to try the same thing on other stores. Sounds like Macy's is a good place to start.—MEGHANN MARCO

Retailers haven't learned from TJX - still running WEP [ZDNet]
TJX's failure to secure Wi-Fi could cost $1B [ZDNet]
How Credit-Card Data Went Out Wireless Door [WSJ]
(Photo: pierre lascott)

Posted Thu, 10 May 2007 11:39:30 EDT by Meg Marco
Hacker Taunts Americans For Letting Him Steal Their Identities

This could be you.

A Romanian hacker posted this and 15 other people's profiles in the eBay Trust and Safety forum, taunting Americans with his identity thieving prowess. He said,

...what make the american and canadian boys at 14-15 years old ????? Eaet burgers at Mc Dolnalds and watched naked girls on internet porno webspages.... Romanian guys at 14-15 years old scam people...Is so easy to stolen your eBay account and your Paypal.....is just a funny game for us...

We have to agree with the fellow. Stop eating your cheeseburgers and watching your porno and protect your identities, fools.

How To Spot A PayPal Spoofer
12 Steps To Protect Yourself From Identity Theft
ORIGINAL VIDEO: PayPal Security Key First Look
What To Do When Your Identity Is Stolen
HOW TO: Get Through Having Your Identity Stolen

Full screencap of the nose-thumb, inside...

http://consumerist.com/assets/resources/2007/03/romaniantaunt-thumb.jpg

— BEN POPKEN

(Thanks to Bud!)

Posted Thu, 08 Mar 2007 17:17:04 EST by Ben Popken
Debit Card Hacker Interviewed

Small World's Bazooka Joe interviews "John Dillinger," a debit card hacker who participated in the infamous "Russian Connection" ATM hack scandal. He discusses how he and others hacked millions of debit card accounts and why the story never makes the mainstream news.

"Initially the cardholder is the victim, but after the bank pays the customer back, the bank is the victim and if the bank doesn't report it, there's no case built against them," he says.

Listen to the interview here. Spotted at BoingBoing.

Gotta love the hacker's hollow rationalizations. However, he proves two of the things we've contended: 1) always run your debit card as credit and 2) forcible debit card reissues are sure signs your bank's center has been hacked.

This is pretty amazing... and the real culprit is the banks for not reporting it. Hackers just take advantage of the weaknesses, namely, consumer ignorance. UPDATE: We are, of course, referring to the consumer ignorance perpetuated by the banks hiding all of this from us.

Previously: The Russian Connection thread.

Posted Mon, 05 Jun 2006 20:05:17 EDT by popkin