security

FreeCreditReport.com Doesn't Practice Good Security Hygiene

You’d think a credit monitoring service—even one as skeevy as freecreditreport.com—would take great pains to keep up the appearance of security and confidentiality. You’d be wrong. When Brian called to cancel their service he was asked to call out his social security number and his mother’s maiden name, even though it turned out they could easily access his account and cancel his service with only his phone number and birthday. Oh, and the first CSR hung up on him, but (sadly) that’s not really very newsworthy anymore.

Certegy Decides Whether Or Not Kmart Will Accept Your Check

S. wrote a check at Kmart earlier this month and it was denied. No reason was given—just “denied.”

Since its creation in 2001, the TSA has fired over 200 employees for stealing. Since the TSA will invariably deny your request for compensation if you file a theft claim, your best bet is to either pack valuables in your carry-on, or just leave them home altogether. [MSNBC]

Collection Agency's Server Stolen; Had 700,000 Accounts On It

Indiana broke its own record for computer security breaches last month, when a server containing personal data on 700,000 people was stolen from the offices of Central Collection Bureau, a debt collection agency. The stolen data included names, personal billing information, last known addresses, and social security numbers of people who hold delinquent accounts with a variety of companies, including utilities and hospitals. The company said the server was behind “three locked doors” and “was protected by two passwords, but was not encrypted.”

Due to recruitment difficulties, the same guy making sure you don’t bring on more than three ounces of deadly shampoo is now getting trained as a US Air Marshal. [CNN]

It's Impossible To Cancel Arcot's SecureCode On Your Mastercard

Be wary of Arcot, a credit card security company that’s devoid of customer service.
 
Nels had to sign up for Arcot’s SecureCode to complete an online purchase. Now he wants to cancel it, but can’t find anyone at Arcot who can help him. The web pages he’s sent to are dead ends, and he left messages with Arcot’s executives that were never returned.

Get Free Sprint Features With URL Hacking

Two more instances of Sprint’s insecure online system:

Flawed Sprint Security Worse Than We Thought

In the comments on our post exposing a flaw in Sprint’s online account security that would let a stranger completely take control of your cellphone account, a former Sprint rep says it’s even weaker than what we thought. How? Reader Dragonfire81 says that every question about cars has three luxury models and one typical car, making it pretty easy to guess. “None of the above” for “which properties have you owned” was correct 99% of the time. And worst of all, you only need to answer two of the questions correctly to gain access to an account. “I was shocked at the number of times I was able to access an account by simply guessing the answers,” he writes. “Fortunately I am an ethical person, but if I wasn’t I could’ve done a LOT of damage very easily.” Here’s his comment in full:

Flawed Security Lets Sprint Accounts Get Easily Hijacked

We found you can hijack a Sprint user’s account as long as you know their cellphone number, just a smidge about them, and have half a brain. Once inside, you have total access to their account. You could change their billing address, order a whole bunch of cellphones sent to a drop location, and leave the victim paying the bill. There’s also the stalker’s wet dream: add GPS tracking to their cellphone and secretly watch their every movement from any computer. Reader Jim told Sprint about this 2 months ago but they ignored him, so I tested it out and am publishing the results in the hope of getting Sprint to fix this exploit. I’ll show you how we cracked into a Sprint account and just how much damage I could have done, inside…

Redbox Shows Businesses How To Properly Handle A Data Breach

Redbox rents DVD movies via vending machine in drugstores and supermarkets throughout the country, and on Friday they announced that they’d found credit card skimmers attached to three of their kiosks. What’s surprising is that they ‘fessed up so quickly, and in a highly public manner—they’ve got the text “SECURITY ALERT” at the top and bottom of their website, and the email they sent to their members is detailed, forthright, and helpful, and reposted in its entirety—along with photos of sample card skimmers—on their site. Attempts at identity theft no longer surprise us, but a competent handling of the issue by a company is pretty amazing.

ConsumerSay Wants All Your Data, Will Give You $20 For It

Pssst, wanna make an easy $20? Just give all your bank account and personal data over to ConsumerSay, a consumer opinion and behavior tracking firm owned by Lightspeed Research. Jen, who sometimes fills out surveys for freebies and cash, got an email from them offering her $20 for only 5 to 10 minutes of her time. Oh, and all of her financial transaction data.

TSA Freaks Over Speakers, Lets Knife Pass Through. Twice.

TSA throws away passenger’s toothpaste, freaks out over his JBL On Tour speaker system, and lets him pass through with a lock-knife keychain, twice. Couple this with that story a few weeks ago about the Apple Air trying to go through security (it doesn’t have a hard drive! there’s no ports!) and it seems that the TSA’s main concern is that the next terroristic attack will have incredibly attractive design.

Hannaford Credit Card Theft Caused By Malware, Not Database Breach

Most corporate credit card data theft happens at the database level, like the massive T.J. Maxx breach. But Hannaford has notified investigators that the recent theft of 4.2 million accounts was caused by malware that was installed on the servers at each of its 300 locations. The software “intercepted data from customers as they paid with plastic at checkout counters and sent data overseas,” reports CNET.

TSA Will Allow Women With Nipple Piercings To Fly If They Flash Officials

Your nipple piercings are still a threat to national security, but the TSA will let you fly if you “allow a visual inspection of [your] piercings.” The announcement came after TSA officials in Texas forced Mandi Hamlin to remove her nipple piercings with a pair of pliers before allowing her to board her flight. The TSA stopped short of apologizing to Ms. Hamlin, instead saying: “TSA acknowledges that our procedures caused difficulty for the passenger involved and regrets the situation in which she found herself.”

Geek Squad Feels "Unfairly Targeted" By Consumerist Expose

When personal finance magazine Kiplinger asked the Geek Squad about our video that caught one of their technicians stealing porn from our hard drive (peeping tomism, hardly limited to Geek Squad, is just as rampant in the computer repair industry as the photo developing industry), an unidentified Geek Squad spokeswoman ingenuously responded, “We have been the target of a blog that prefers to focus on the exceptions to our service and not the overall, vast majority of successful services we provide to clients.” That’s like saying dirt is unfairly targeted by a broom. Where there’s a valid complaint, we’ll post. Where there’s a consumer whose rights aren’t respected, we will defend. We don’t have a vendetta against the Geek Squad, or any other company. We have a vendetta against bad customer service. That’s our bottom line. After the jump, the original undercover video…

TSA Forces Woman To Remove Nipple Piercings

Woman Says TSA Forced Piercings Removal [AP] (Thanks to Benny!)

Are You Sure You Want To Add That Facebook App?

Gregory writes in to point out that Facebook does a lousy job of monitoring the development of its third-party Platform applications—and in fact many of them are written so badly that they can be easily hacked. The examples he cites, which are listed in the winter issue of the hacker magazine 2600, are all fairly mild stunts like spoofing user IDs, changing the moods of another user, and re-routing gifts, “but this information could be used to mount large scale social engineering attacks if automated and coupled with other information.” To illustrate how easy it is to change another user’s settings, he pointed us to a YouTube example of how to change another user’s “mood” via the Mood app.

The TSA is expanding its skiing-themed “self-selection” security lanes beyond Denver and into Orlando, Boston, and Spokane. [TSA via Gridskipper]