Archive for the ‘InfoSecurity’ Category

Insecurity derailment


Last week, news emerged that RSA has suffered a serious security breach that has left many wondering whether the millions of SecurID tokens in use around the world are really that secure after all. I’d be very surprised if RSA didn’t suffer financially as a direct consequence of this breach but RSA as a business will survive.

Jack Dorsey’s new venture, Square, is hot at the moment. It’s a credit card reader and associated service that plugs into your iPhone or iPad and lets you take credit card payments. Square takes 2.75% and deposits the rest of the money into your bank account the following day. The device itself is free. All you need is a US address and a US bank account and you can start accepting payment by credit card.

Credit card fraud amounts to billions of dollars every year. Stolen credit card details sell for up to $50 but turning the stolen details into cash isn’t straightforward – fraudsters normally buy goods online which they then re-sell for cash. It would be much easier if you could simply set up a bank account under an assumed name (not that difficult in this age of identity theft), fill it with money debited from the stolen credit cards and then withdraw it the following day.

In theory, Square doesn’t allow this because the card has to be physically swiped through the device.

Except it doesn’t. Major Malfunction and Zac Franken have discovered that it’s possible to spoof the Square system into thinking that a card is present when, in fact, it’s not. This obviously opens up the risk that Square could become a vehicle for large-scale fraud and I can’t help wondering what the credit card companies would do if that were to happen.

Could Square fall victim to its own failure to build a secure platform?

Written by jackgavigan

March 23, 2011 at 11:16 pm

Posted in InfoSecurity

eFinancial Careers hacked


I’d completely forgotten that I’d registered with eFinancial Careers until I got an email (see below) telling me that they’d been hacked and my personal data had been compromised. Under the circumstances, I can’t help wondering whether it might be a good idea to force companies to delete registered users’ accounts (and the attendant personal data) if the user fails to log in over an extended period of time.

Dear eFinancialCareers Member,

This week, we detected illegal access of the eFinancialCareers database which compromised our users’ information. We believe that our registered users’ names, email addresses, registered countries and encrypted passwords have been accessed. At this time, our forensic teams have implemented countermeasures and continue to investigate.

We are not immune from illegal attempts to access and extract information, as is the case with many organizations which maintain large information databases. Although we constantly review and improve our security features, unfortunately on this occasion, some information was taken, for which we offer our full apology.

Because email addresses were compromised, there is a possibility that you may receive unsolicited emails requesting further personal data, which could appear to come from eFinancialCareers. Please be on the alert for this type of email and inform us at if you receive anything suspicious.

Helpful advice on how to protect yourself from email scams is available on the homepage of our website. To help you determine whether communications from us are genuine, below is a list of things we do not do:

  • We do not ask for your personal financial information in an email, and never ask for bank account or credit card information to be sent via email.
  • We do not send out emails with executable or compressed (zipped) files, or attachments other than PDF and Word documents.
  • We will never ask for your password via phone or email. (You will only be required to enter your password when logging onto
  • We will never ask for your Social Security or National Insurance number.
  • Employer and recruiter enquiries from eFinancialCareers will never ask you to wire funds or accept payments for services.

As a precaution, the next time you access your eFinancialCareers account, you will be asked to reset your password.

We are taking this attack seriously and have already put security measures into place to prevent further loss of data. We will continue to review and improve our security features. We are sorry for any inconvenience this may cause you. Please do not hesitate to contact us to ask us any questions you may have relating to this security incident.

Sincerely,

James Bennett
Managing Director
eFinancialCareers, EMEA & Asia Pacific

Constance Melrose
Managing Director
eFinancialCareers, North America

Written by jackgavigan

February 19, 2011 at 9:11 am

Posted in InfoSecurity

Cyber-criminals hit the EU’s carbon emissions trading scheme


Everyone knows that cyber-criminals are constantly targeting banks and other financial institutions but you don’t often get to read about how they’ve successfully siphoned off €45m worth of certificates. Even worse, spot trading of emissions permits has been halted as a result of the breach (although, as with most commodities markets, most carbon trading is done using derivatives, so the impact isn’t quite as bad as it sounds at first).

There have been persistent rumours that the London Stock Exchange was the target of a concerted attack last year but, as is so often the case with this sort of rumour, the LSE’s keeping quiet.

It’ll be interesting to see if further details emerge about the Emissions Trading Scheme attack.

Written by jackgavigan

February 7, 2011 at 10:09 pm

Posted in InfoSecurity