Chase bank accidentally leaked customer info to other customers
A technical bug on its online banking website and app allowed the accidental leakage of customer banking information to other customers. The issue is believed to have lasted between May 24th and July 14th this year, and impacted both online banking and Chase Mobile app customers who shared similar personal information. Personal details of Chase bank customers, including statements, transaction lists, names, and account numbers, were potentially exposed to other Chase banking members. It is not yet clear how or under what circumstances a customer was able to see other customers’ private information, or which groups (for example credit card holders, personal or business banking customers, or everyone) were affected.
Kalay cloud platform flaw exposes millions of IoT devices
Researchers at FireEye’s Mandiant have discovered a critical vulnerability, tracked as CVE-2021-28372, in a core component of the Kalay cloud platform, which is used by millions of IoT devices from many vendors. The only information needed for the attack is the Kalay unique identifier (UID) of the targeted user, which could be obtained via social engineering. After obtaining the UID, an attacker could send a specially crafted request to the Kalay network to register another device with the same UID, and the Kalay servers would then overwrite the existing device’s registration. Most of the devices using the platform are video surveillance products such as IP cameras and baby monitors, prime targets for eavesdropping.
Data sovereignty laws place new burdens on CISOs
An article written by Christopher Burgess and posted yesterday at CSO Online quotes a number of studies and experts showing how the exponential growth of data crossing borders and public cloud regions is making it exceedingly difficult for CISOs whose customer base or digital infrastructure crosses political boundaries. Companies that are putting their data into the cloud must realize that not all providers are created equal, and they must do their due diligence to ensure they avoid storing data in places with data sovereignty laws. The article stresses the need for incident response strategies and a realization that remaining up to speed on data sovereignty will increase operating costs.
Critical Valve bug lets gamers add unlimited funds to Steam wallets
Security researcher DrBrix has helped Valve, the maker of the gaming platform Steam, plug an easy-to-exploit hole that allowed users to add unlimited funds to their digital wallet simply by changing the account’s email address. Steam Wallet funds are exclusive to the Steam platform and are used to purchase in-game merchandise, subscriptions and Steam-related content. Valve restricts Steam credits from being transferred outside its network; however, there are several unsanctioned ways to convert wallet funds into actual dollars. Working through the HackerOne bug-bounty program, DrBrix reported the bug last Monday, and by Wednesday Valve had plugged the hole and paid DrBrix $7,500.
Thanks to our episode sponsor, Copado

To get a free demo, visit Copado.com.
Colonial Pipeline reportedly admits data breach
Nearly 6000 individuals may have had their personal information compromised by ransomware attackers when the attackers struck earlier this year. The fuel pipeline operator, which was crippled by the attack in May, confirmed to CNN Business that it had begun sending out breach notification letters to 5810 victims. Most of those affected are thought to be current and former employees and family members, and the exposed data includes names, contact information, birth dates, Social Security numbers, driver’s license details, military ID numbers, and health insurance information.
Mastercard to end magnetic strip on cards
Mastercard says chip-and-PIN cards and new biometric cards that use fingerprints offer greater security. By 2033, none of its debit or credit cards will have a strip, with banks in many regions, including Europe, able to issue strip-less cards from 2024. The pandemic, the company says, has highlighted the public’s appetite for different ways to pay.
(BBC News)
Malware campaign uses clever ‘captcha’ to bypass browser warning
The trick gets users to bypass browser warnings to download the Gozi (aka Ursnif) banking trojan. Embedded in a YouTube video about a women’s prison, a fake reCAPTCHA image appears on the screen when the viewer clicks “play.” Because the malware is an executable, Google Chrome automatically warns that the file may be malicious and asks the user whether they wish to ‘Keep’ or ‘Discard’ the file. The fake reCAPTCHA prompts the user to press a series of keys, the last two being Tab and Enter, which highlights and then activates the Chrome warning’s Keep option. Once running, Gozi will steal account credentials, download further malware to the computer, and execute commands issued remotely by the threat actors.
Zoom incompatible with GDPR, claims German data protection watchdog
The acting Hamburg Commissioner for Data Protection and Freedom of Information has officially warned the city’s Senate Chancellery not to use the on-demand version of Zoom’s videoconferencing software. Referring to the European Court of Justice Schrems II decision of July 2020, Ulrich Kühn claimed the software violates the EU General Data Protection Regulation (GDPR) as “such use is associated with the transmission of personal data to the US.” Zoom has said its products feature “an explicit consent mechanism for EU users” on its platform and that it has implemented “zero-load” cookies for users whose IP addresses show they are accessing the site from an EU member state.