Marriott/Starwood hack: Is your passport number in China?

By Richi Jennings | December 12, 2018
Hotel hack reminds researchers, sources say
Recent revelations that Starwood’s huge reservation database was stolen have taken on new significance. Sources say it looks similar to other nation-state attacks from around the same time. Starwood is now owned by Marriott, which isn’t saying anything about these anonymous allegations. But it once again highlights the fragile nature of the […]

Now it’s ATM fraud from phishing: Time for a biometric intervention

By Richi Jennings | November 7, 2018
When will banks give us easy biometrics? News comes to us from Ohio, where fraudsters stole more than $100,000 from bank accounts, via ATM withdrawals. But no debit cards were stolen. That’s right, thieves have worked out how to subvert the “cardless” ATM systems some banks are using. It’s very convenient for customers, but also very insecure. […]

Experian credit freeze unfrozen by hackers?

By Richi Jennings | October 16, 2018
Stop using PINs and passwords! Another week, another sorry tale of poor identification. This time, it’s Experian that failed to properly secure users’ PINs. People who froze their credit reports discovered hackers could unfreeze them—even though a PIN was supposed to stop that. But Experian says it’s “confident that our authentication is secure.” OK then. It turns out […]

Facebook breach of 90 million users’ ID tokens: Not surprising

By Richi Jennings | October 2, 2018
Analysis: It was only a matter of time
Last week, Facebook revealed it had suffered a breach of 50 million users’ data. And now we hear 40 million more people needed their ID tokens resetting—because the vulnerability existed for more than a year. But because people often use Facebook as an identity provider, the problem […]

Credential-stuffing explodes as password-reuse continues unchecked

By Richi Jennings | September 26, 2018
The problem isn’t the reuse—it’s the passwords! New research shows that hackers have been turning their malicious attention to cracking accounts with reused passwords. In other words, credential stuffing. That’s where hackers try to break into accounts that share the same username and password as other, previously leaked accounts, and it is becoming a huge problem. And for a hacker […]

12 months on from Equifax breach: No change?

By Richi Jennings | September 12, 2018
Why are people still using SSNs as identifiers? It’s been a year since we discovered the biggest consumer data-breach ever. 150 million people had their personal identifying information leak out of Equifax’s servers. Identity information including social security numbers—which were of course never intended to be used as an identifier. Soon after the breach went public, there […]