How Attackers Will Use Epsilon Data Against You
Trailrunner7 writes "What might the criminals who broke into Epsilon do with the email lists they have? The easiest thing to do is to sell these data sets on the black market or, potentially, to competitors of victim firms. According to the latest data from data-breaches.net, totals are up to 57 customers including credit card providers with branded cards — Visa (notices sent for at least 3 cards), the World Financial Network National Bank (12 cards) and Citi (3 cards). The criminals may make some money there and re-invest it into technology or services for other efforts. Once an attacker has gained a foothold on one or more systems used by their mark, they can begin harvesting credentials. The frequency with which average consumers use the same username/password combination across multiple sites is such that such information could lead to accessing other potentially-existing accounts on high-profile social networks."
Re: (Score:2)
Always good for a laugh to us 'third world' savages. Where's your 'privacy policy' now, eh?
Glad to see the OLPC project is working out for you!
Re: (Score:1)
My "OLPC" is a 14-year-old Toshiba 445CDT, with its original battery that still holds a charge for a full hour*. Damn thing cost 2,700 bucks. A real bargain actually. However, for now, I'm on a 'new' 7-year-old mac mini. My house is like 'animal rescue', for computers and parts.
*In case you're interested, it's the number of cycles that matter.
VISA Hit? (Score:3)
Visa (notices sent for at least 3 cards), the World Financial Network National Bank (12 cards) and Citi (3 cards)
I have not yet seen notes that VISA itself was hit. Banks that use VISA's services may have been, but the article is lumping the network/transaction processor in with the banks. It is possible to be a customer of VISA for other purposes, so it surprises me that the article is claiming they were independently hit; that is news here.
Re:VISA Hit? (Score:4, Funny)
They weren't hit. They were clients of the mass-mailing service that got hit. If you were on Epsilon's list under Visa, Epsilon notified Visa that you were exposed. Visa then should have notified you.
I got 4 separate notifications, but I suspect that's not all.
I've tried to get Epsilon to give me a full list of what companies using their service have my email address, but, in phenomenal wanker fashion, they refused, citing "privacy" and "security".
Re: (Score:2)
I just got my notifications but for some reason Gmail classified them as spam:
Dear amimojo,
We have detected a Data Breech on our main server and your card details may have been stolen. Please log in to the VISA web site to confirm your card details by clicking the link below so we can confirm you are NOT a victim:
http://21343.ru/HTTP://VISA.COM/checkings.php [21343.ru] (VISA OFFICIAL WEB SITE (RECOMMENDED))
I also got this one from a kind and helpful Visa employee:
Dear Kind and most Blessed Sir,
My name is James Mudac and I am writing to you from the offices of Visa Nigeria. We have recently learned of a serious loss of your personal datas and I am writing to you in the sincear hope that I can help you recover your datas on this day. Please would you forward me a copy of your passport and birth certificate and the numbers on your credit card so that I am check them for you.
Please accepting my most humble appologies for this terrible crime that has happened to you. We will be depositing monies to the value of $25,000,000 (TWENTy FIVE MILLION DOLLARS) into your account to reimburse you for your losses and unfortunately consequences.
I hope you will be writing to me soon so that I may help you in this difficult time in my country.
Passwords not compromised (Score:2)
Re: (Score:1)
Err, and how would my credit card company get my email password? This article is rather silly...
Re:Passwords not compromised (Score:5, Interesting)
Not as part of this breach, but as a possible consequence.
Bad guys get your email, name, and a couple of other things. Bad guys do a very targeted phishing exercise, and scam you into giving up credentials for one service. Bad guys then could potentially rely on the fact that people reuse passwords, and get into several other sites.
Depending on the uniqueness of your first/last name combination ... there might actually be enough information in there to actually identify you in the real world.
You know, the things that TFA is actually saying.
Re: (Score:2, Insightful)
The Epsilon disclosure doesn't make me any more vulnerable than before.
Of course it does. They have your email and know with which company you have an account using this email, maybe even specific services you've subscribed to. They can forge a credible-sounding email pretending to be said company or working for them or whatever. The more info you have the more credible a forgery is, the more people will fall for it. The majority of internet users couldn't tell a decent forgery from the real deal.
Re: (Score:3)
I'm not going to give you my credentials just because you ask for them in an e-mail. In fact, the first thing I do when I get an e-mail that looks at all suspicious (and asking me for any personally identifiable information in an e-mail is a sure-fire way to trigger my alarms) is blow open the headers and see where the e-mail came from. The
Re:Passwords not compromised (Score:4, Funny)
Thus the majority of users are at risk.
Re: (Score:2)
Unfortunately, it's not the call center drone who is going to enact a policy change. That person may very well understand and agree with what you are saying -- and may even complain to his/her boss that this is a stupid practice -- but the odds of it trickling up to the decision maker who has the power to enact a change is virtually nil, because even if the call center drone gets it, chances are the call center manager *won't* and even if that manager does, there's about a hundred thousand layers
Re: (Score:2)
> ...the companies we trust...
Speak for yourself.
Re: (Score:1)
Banks do not give a fuck about you. Join a credit union if you want to be treated like a person, instead of an object from which to extract profits.
Re: (Score:2)
We know what TFA is actually saying. It's desperately trying to whip up a mountain from a molehill, and not too successfully. It's just email addresses and names.
My password is not compromised since I do have an online bank account, and I never will. Secondly, my debit card is on another bank account at another bank. Thirdly, I only write checks to myself thereby eliminating any processing delays. Rarely do I write checks to third parties, but sometimes I do. Yes it's a pain in the ass, yet, my assets are secure from most entities other than the bank and government. Fourthly, I do not discuss my steganographic practices, period!
Re: (Score:2)
I don't give my passwords to anybody, ever. If Jesus Christ came down and asked for my passwords, he wouldn't get them, not even if he walked on water.
Re: (Score:2)
There is a lot of the time that having a very common name can be a pain in the butt. This is one time I'm glad of it.
My email address gives away my first initial and last name. If someone tries to look me up by that they'll find hundreds with that combo in my town. If they manage to figure out my first name that'll drop it to dozens.
Re: (Score:3)
Who said anything about passwords being compromised? My e-mail address is now public. Big whoop, it has always been public. If the "public" (don't include me) uses the same password for their checking account as they do their email, shame on them.
A username+password is two pieces of a credential set. With many of these services, one of them is now given up (i.e., your email). This is just making it easier for criminals to target you (akin to a similar attack that reduces the key search space in cryptography).
Re: (Score:2)
Problem is, most sites use the "something you know" method of authenticating emails from them to you. E.g., if you get an e-mail from Paypal, Paypal will use your name (as entered in the account) in the email. So if you get one that says "Dear Sir" or somesuch other than "Dear $First $Last", you know it's not a legit email. After all, a phisher won't have your name and email address together.
You'll find most sites do that - it's a simple way to verify email authenticity. Now that names-emails mappings hav
They'll sell it to marketers like everyone else (Score:2)
Re: (Score:3)
Well, as someone who is very vigilant and distrusting of emails in general ... and as someone who has received at least one email indicating that my data may have been compromised, I'm still a li
How important are you as a target? (Score:2)
Exactly how much time do you think the bad guys are going to spend on you? To take the time to craft an ultra-convincing phishing attack, along with the subsequent necessary complex plotting to dissuade your fears, and get you to click seems like an inefficient, and ineffective expenditure of time to me. Maybe it's just me, but the ROI would have to be incredible to justify that kind of attention to detail.
I believe that the majority of these email addresses are going to be passed off as quickly as possi
Re: (Score:2)
They can send me emails from a third party. They can direct me to third-party websites. They can't make me turn off NoScript on them, and they can't make me type in credentials.
The security-conscious computer-savvy geek is pretty safe here. It's only the other 99.9% of the population that is at risk.
My archaeology discussion account has been hacked! (Score:2)
Preposterous claims and counter claims all in my name! It's all over for me, now! My credibility is in ruins!
Curse you Epsilon Data Thieves! >:(
Keep Calm and Carry On (Score:2)
All that was stolen was names and email addresses. It's not like spammers and other online criminals don't have those anyway.
http://blog.wordtothewise.com/2011/04/epsilon-keep-calm-and-carry-on/ [wordtothewise.com]
Re: (Score:2)
all it takes is one website that requires a name and an email address to reset a password/change email address and/or an easily guessable password and then they're in.
That is, if the user uses the same password as indicated or has an easy to guess password, then there's the ticket to anything and everything.
I got more notifications from the gawker breach (2) than from the Epsilon leak though (0).
Re: (Score:2)
all it takes is one website that requires a name and an email address to reset a password/change email address and/or an easily guessable password and then they're in.
That is, if the user uses the same password as indicated or has an easy to guess password, then there's the ticket to anything and everything.
One of my clients received a personalized TD Ameritrade email scam today. It was a very professional job, including a lot of content from the TD Ameritrade site. The only thing that was out of place were the actual href targets (they weren't TD Ameritrade). I'm filtering client email for companies exposed in the Epsilon breach.
I got more notifications from the gawker breach (2) than from the Epsilon leak though (0).
The Epsilon breach is still very young. When the lists get sold a few hundred (or thousand) times you'll see a lot more from it.
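A filter of the kind the post above describes, as an added example that is not code from the thread or from any vendor: it pulls every href out of an HTML mail that claims to come from a brand the recipient actually deals with and flags links whose host is not that brand's, covering the tricks shown in this thread (a foreign host with VISA.COM stuffed into the path, and a one-letter lookalike such as stupldbank.com). `BRAND_DOMAINS` is a constructed mapping; a real deployment would build it from the notices each client received.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: brands the mailbox owner has a relationship
# with (e.g. those named in their Epsilon notices) and the domains those
# brands legitimately link to. "StupidBank" is the thread's hypothetical.
BRAND_DOMAINS = {
    "visa": {"visa.com"},
    "td ameritrade": {"tdameritrade.com"},
    "stupidbank": {"stupidbank.com"},
}

class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags; the visible link text is ignored on
    purpose, since that is the part the phisher controls to look legitimate."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(href, brand):
    """Return None for a link to the brand's own domain, else a reason string."""
    domains = BRAND_DOMAINS[brand.lower()]
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in domains):
        return None                      # genuine brand host (or subdomain)
    bare = re.sub(r"^www\.", "", host)
    if any(edit_distance(bare, d) <= 2 for d in domains):
        return "lookalike domain"        # e.g. stupldbank.com vs stupidbank.com
    if any(d in host or d in parsed.path.lower() for d in domains):
        return "brand domain embedded in a foreign URL"   # 21343.ru/HTTP://VISA.COM/
    return "link host not a known brand domain"

def suspicious_links(body_html, brand):
    """List (href, reason) for every link in a mail claiming to be from brand."""
    parser = LinkExtractor()
    parser.feed(body_html)
    return [(h, r) for h in parser.hrefs for r in [classify_link(h, brand)] if r]
```

Any non-empty result is grounds to quarantine the message for review; a legitimate mailing from the brand should produce an empty list, since every link points at its own domains.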
Re: (Score:2)
They could have done that before, but they had no idea whether or not I had any business relationship with XYZ so it would have been a wild guess.
I've gotten thousands of targeted spam over the years, mostly from companies I do not do business with. I think I've gotten about 10 Citibank phishing emails over the years, at least. I don't have an account there, but... Same thing with bank of america, etc.
Re: (Score:2)
All that was stolen was names and email addresses. It's not like spammers and other online criminals don't have those anyway.
But what they do have now is first & last names along with those email addresses and knowledge that a large group of individuals have accounts at a specific business. They can now target a very specific group with personalized attacks.
Mr. John Smith,
As you are aware StupidBank had some recent security issues. Please login to verify that your username and password have been updated to prevent someone from targeting you for online scams and phishing schemes.
Yours Truly, StupidBank
Re: (Score:1)
No, the URL has changed to stupldbank.com ...
Re: (Score:2)
Even still, I've gotten a lot more spam (not even phishing, just regular craptastic spam) on my e-mail accounts that were affected by this breach.
fantasy (Score:3)
these email and name lists will be used for spamming and unsophisticated phishing, "IMPORTANT MESSAGE FROM $COMPANY, your account will be terminated unless you log in here [www.example.ru]"
TFA laid out a scenario where targeted espionage is carried out against targets that are somehow more convenient because you got their email address.
Re: (Score:1)
but it's mostly masturbatory super hacker fantasy
That's a fun quote, thank you!
Re: (Score:1)
Hi, $random_name_here has left you a private message on facebook <A HREF="$hacker_url">Click here</A> to log in.
The funny thing - I don't even use Facebook. Shows you what those stupid hackers know!
Re: (Score:2)
There's ads that tell me my registry has problems. Not only don't they tell me how they can tell through NoScript, but they don't tell me whether it's under /usr, /var, or /etc.
Re: (Score:2)
...And have that money put into schools to raise the educational levels so people will be smart enough not to mess with credit?
Education != intelligence. Actually, more to the point, wisdom != intelligence.
Spoiler Alert: Spear phishing (Score:1)
Re: (Score:3)
Right. The malware already in control of the average user's machine will defend its territory.
Will the bad formatting here EVER get fixed?? (Score:3)
I get no score in any subject starting at (as far as I can tell) a level 3 post or greater. In addition, everything in any such posts has double line breaks between every post.
It sucks, plain and simple. I'm running Firefox 3.6.16 under Gentoo. So what's up?...is Firefox broken or slashdot???
Tom
Re:Will the bad formatting here EVER get fixed?? (Score:4, Informative)
The score display/hiding seems to be totally random.
Worse is the article expand/collapse misfeature. When I go to do a reply, every time I click in the text box it thinks I want to expand the thread further. Basically I have to expand every article in the thread (and many run to 20 levels) just to start entering my reply.
Total #fail on someone's scripty little part.
And in the article-submission dialog, the edit box is about 20% wider than the box, so the right half of every line is hidden. Only way to deal with that is to compose in an editor and paste it into the box. Plus the tag entry is bollocks. It enters the tag if you hit the spacebar, orders the tags randomly, and trying to delete one only succeeds in giving you the negation of the tag, not the deletion of it. The only way to deal with that is to close the submission form, clear your history and cookies (stuff in that form is ultra-sticky) and start over.
But at least I can use the word "replace" in a posting now, without some eval code bunging that up.
Re: (Score:2)
Classic Discussion System (D1) + Noscript = Win
Re: (Score:1)
You're not alone in your despair. Categorizing the new discussion system as a clusterfuck doesn't begin to describe how badly broken it is. The slashdot "editors" must never read any of the stories, because, as you point out, it's been *months*, and yet nothing much seems to have changed.
Of course, the whole hierarchy viewing mechanism is also totally fubarred, so you'll probably never even be able to view this response.
I see it as a positive. I'm now wasting much less time on slashdot.
Dear Sir, much appreciation to you. (Score:2)
I read with much interest your user manual about exploiting the email list. However I do not see a script or code that I can download and use with your user manual. Please provide the same sir.
Sincerely,
Scrip T K Iddie
All your email addresses are belong to us.
No need to speculate. (Score:2)
Here is what I got on my New York & Company email address (I had not received anything else - except the breach warning - on this address for years after an order with them in 2007):
(I assume that the german unicode characters will be missing from my post but you will get the picture...)
From: "Mr.Frank Morgan"
Reply-To: frank77morgan3@yahoo.com
Subject: BITTE ANTWORTEN
Good day,
I am Frank Morgan, who I am working in the bookkeeping of a finance house here in Europe. Ich sah Ihr Kontakt während
Simple solution (Score:1)
Sign of a Math major (Score:1)
Read the title as "How Attackers Will Use Epsilon DELTA Against You" and thought wtf?
Re: (Score:1)
No, I read it correctly as "Epsilon Data". Which of course is a negligible amount of data (epsilon is arbitrarily small), so the question of how attackers might use that little data against me surely is interesting. :-)
Re: (Score:1)
"The frequency with which average consumers use the same username/password combination across multiple sites is such that such information could lead to accessing other potentially-existing accounts on high-profile social networks."
Sure, they might manage to get credentials via phishing. This would be far less of a problem if people used a good password scheme for keeping unique passwords on all websites, like I've done for a long time now.
http://lifehacker.com/#!184773/geek-to-live--choose-and-remember-great-passwords [lifehacker.com]
Since you obviously have forgotten your Slashdot password, your scheme cannot work too well. ;-)
LastPass (Score:2)
Re: (Score:3)
Maybe "people" gave it a thought and concluded that trusting a company with all their passwords and/or data wasn't such a great idea either...
It happened to me last weekend (Score:2)
It happened to me last weekend. A woman posing as "Linda Wilson" called AT&T to cancel our phone service. She had enough info to get the rep to believe she could cancel the account. She hung up in the middle of the call when asked to verify the address on the account and the rep tried calling all the numbers on the account to reach her. (The rep didn't ask for any info so he wasn't phishing me. A call to 611 confirmed what he said.)
I don't know if it's Epsilon or the fact that we applied for a couple of
Chase? (Score:2)