Lucky7Coin bad luck for Cryptsy
News of a multimillion dollar heist of Delray, Fla.-based Cryptsy, a cryptocurrency exchange established in 2013, stunned the digital currency community. More than 270,000 registered users were affected by the theft, which was initially disclosed Jan. 15, 2016. Many who traded in bitcoin and LiteCoin lost considerable sums.
The attack caught Cryptsy senior managers by surprise, according to the company's blog post. "[We] just didn't know what happened, didn't want to cause panic, and were unsure who exactly we should be contacting," the company posted. Cryptsy subsequently opened an investigation, shutting down all trades and deposits until more facts become known.
Cryptsy also appealed to bitcoin collectors and developers to aid its efforts to identify and apprehend the hacker known as Lucky7Coin believed to be responsible for the heist. Anyone with information can email the company directly at firstname.lastname@example.org. "If they are returned, then we will assume that no harm was meant and will not take any action to reveal who you are," the company stated. "If not, well, then I suppose the entire community will be looking for you."
Lucky7Coin cleans up
The company's blog additionally revealed that Lucky7Coin had placed malicious code into Cryptsy's bitcoin and LiteCoin wallets, creating a Trojan command and control unit that was activated following a period of latency. "This Trojan had likely been there for months before it was able to collect enough information to perform the attack," Cryptsy wrote. "It does not appear that this was the original developer for LK7."
The company believes the foul play began after Lucky7Coin offered to "clean up" and maintain the wallet, purportedly making changes that would enable "clients to synchronize blockchain." Instead, the clients lost approximately 13,000 bitcoin and 300,000 LiteCoin.
Before the shutdown, Cryptsy's trade volumes averaged 300,000 transactions a day, according to the company's website. Cryptsy stated that it was gradually replacing clients' losses until bad press caused widespread panic, making it unable to keep up with demand. "The article basically caused a bank run, and since we only had so much in reserves for those currencies, problems began," Cryptsy wrote. "Our current customer liabilities for BTC is around 10,000 BTC, so as you can see, we would like to see the bitcoins returned for both our users and for ourselves."
The blog contained a dismal forecast for Cryptsy's future, laying out the following three options for the company:
- Shut down the website and file bankruptcy, letting users file claims via the bankruptcy process and letting the court make the disbursements.
- Find a willing buyer to acquire and run Cryptsy and make good on requested withdrawals.
- Find a way to reacquire the stolen funds, then facilitate and process all withdrawal requests.
While Cryptsy remains open to suggestions and "any other ideas people may have on this," digital currencies in general may face an uphill battle in their quest for widespread adoption. Continuing market volatility and high-profile data breaches such as the March 2014 hack of the Mt. Gox bitcoin exchange have done nothing to reassure consumers, analysts and speculators.
Systemic failures cited
"It seems questionable that crypto currencies, while they may continue to have some utility for anonymous transfers, will reach either the implementation or fundamental scale to qualify as currency or money," stated William Hugh Murray, a certified information systems security professional, in the comments section of Cryptsy's blog post. Murray shares the opinion of prominent bitcoin developer Mike Hearn that bitcoin and other cryptocurrencies have been adversely affected by government oversight and are inherently not scalable.
In a blog post dated Jan. 14, 2016, Hearn attributed bitcoin's failure to technical issues and a failure of leadership. "Think about it," he wrote. "If you had never heard about bitcoin before, would you care about a payments network that: couldn't move your existing money; had wildly unpredictable fees that were high and rising fast; allowed buyers to take back payments they'd made after walking out of shops, by simply pressing a button (if you aren't aware of this 'feature' that's because bitcoin was only just changed to allow it); is suffering large backlogs and flaky payments; which is controlled by China; and in which the companies and people building it were in open civil war? I'm going to hazard a guess that the answer is no."
Landry's: Did malware come through Windows?
Monday, February 8, 2016
Landry's Inc., a Houston-based hospitality firm, disclosed Jan. 29, 2016, that security data breaches may have affected "a small percentage" of its properties doing business as Golden Nugget Casino and Hotel and Landry's Restaurant. The company indicated that preliminary reports point to payment card processing malware detected in POS devices located "at certain of our restaurants, food and beverage outlets, spas, entertainment destinations, and managed properties."
The malicious code, engineered to steal track data from mag stripe payment cards, had been active between May 2014 and March 2015 and between May and December 2015, the company stated.
Payment and security analysts noted that cybercriminals have been stepping up attacks on the hospitality industry; many are urging merchants and acquirers to improve network monitoring and address potential vulnerabilities in the hotel and restaurant sector. Cory Miller, Director of Security Operations for Atlanta-based ControlScan Inc., noted that many hospitality merchants use multiple POS vendors, making it challenging to achieve network standardization.
The practice of using multiple vendors is "frequently coupled with ineffective system hardening standards and permissive firewall rules at the perimeter," Miller stated. "It was not until recently that POS environments were beginning to be designed with security in mind." He further noted that it is not uncommon to see legacy POS deployment guides that instruct the installer to open ports through a firewall, with no specified destination.
In addition to cooperating with law enforcement and payment card networks throughout the ongoing investigation, Landry's has taken steps to implement enhanced security measures, including end-to-end encryption, the company stated. Additionally, company representatives will notify customers whose cards were used at affected locations during known "at-risk windows."
The company further advised potentially affected customers to "remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity" and report unauthorized charges to card issuers in a timely manner.
While the exact source of the malware has not yet been identified, some analysts speculate that it may be a form of Black POS or BackOff, which involves strains of malicious code that attack Windows operating systems and are associated with as many as 600 POS data security breaches dating back to 2014.
Karl Sigler, Threat Intelligence Manager at Trustwave, said that BackOff malware places a Java file on POS systems that is designed to steal credit card information and routinely send out batches of stolen data to a remote command and control server. Trustwave initially reported BackOff to the U.S. Government's Secret Service Agency when it was first detected in 2013; the company has identified three prevalent strains of the virus, described as versions 1.4, 1.55 and 1.56, that remain active in retail and hospitality sectors. A good firewall is the most effective deterrent to BackOff and Black POS malware, Sigler said.
BackOff has been further analyzed by the U.S. Computer Emergency Readiness Team (US-CERT), the National Cybersecurity and Communications Integration Center (NCCIC) and the Financial Sector Information Sharing and Analysis Center. The agencies found that BackOff uses a robust central management system that can automatically update all infected POS systems as soon as new versions of malware are released.
Security best practices
US-CERT issued an advisory July 21, 2014, for businesses that use remote desktop applications, warning of known vulnerabilities in Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and LogMeIn. Suspects have attempted to use brute force to enter these applications and deploy POS malware, the agency stated. Once in, the malware family can make itself at home within a POS system, scraping memory for track data, logging user keystrokes, using command and control communications and routinely updating malicious executable files.
US-CERT recommends increased vigilance in monitoring remote desktop environments, network security infrastructure, and cash register and POS devices to ensure that only allowed ports, services and Internet protocol addresses are communicating with a merchant's network. The agency further recommends using Europay, MasterCard and Visa PIN entry devices or other credit-only accepting devices that have Secure Reading and Exchange of Data (SRED) capabilities. A full list of SRED-approved devices can be found at the PCI Security Standards Council's website, www.pcisecuritystandards.org.
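The two checks described above, flagging firewall rules with no specified destination and confirming that POS devices talk only to allowed ports and addresses, are shown here as an added example that is not part of the original article. The subnet, allowlist, rule names and flow records are constructed for illustration, and the simplified rule and flow formats are assumptions rather than any vendor's format.

```python
import ipaddress

# Constructed policy: the only destinations POS terminals may reach.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_EGRESS = [
    (ipaddress.ip_network("198.51.100.10/32"), 443, "tcp"),  # payment gateway (assumed)
    (ipaddress.ip_network("10.20.1.5/32"), 53, "udp"),       # internal DNS (assumed)
]

# Constructed firewall rules, simplified to (name, src, dst, port, proto).
RULES = [
    ("pos-to-gateway", "10.20.0.0/24", "198.51.100.10/32", 443, "tcp"),
    ("legacy-pos-install", "10.20.0.0/24", "0.0.0.0/0", 8443, "tcp"),
    ("pos-dns", "10.20.0.0/24", "10.20.1.5/32", 53, "udp"),
]

# Constructed flow records: "epoch src dst dport proto".
FLOWS = """\
1454300000 10.20.0.11 198.51.100.10 443 tcp
1454300007 10.20.0.11 10.20.1.5 53 udp
1454300060 10.20.0.14 203.0.113.77 8443 tcp
1454300120 10.20.0.14 203.0.113.77 8443 tcp
1454300130 10.30.0.9 203.0.113.77 443 tcp
"""


def overly_broad_rules(rules, max_hosts=256):
    """Return names of rules whose destination covers more than max_hosts addresses."""
    flagged = []
    for name, _src, dst, _port, _proto in rules:
        if ipaddress.ip_network(dst).num_addresses > max_hosts:
            flagged.append(name)
    return flagged


def is_allowed(dst_ip, port, proto):
    """True if the destination, port and protocol match an allowlist entry."""
    return any(dst_ip in net and port == p and proto == pr
               for net, p, pr in ALLOWED_EGRESS)


def unexpected_pos_flows(flow_text):
    """Return {(src, dst, port, proto): count} for POS flows outside the allowlist."""
    hits = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        _ts, src, dst, port, proto = parts
        if ipaddress.ip_address(src) not in POS_SUBNET:
            continue  # only POS terminals are in scope here
        if not is_allowed(ipaddress.ip_address(dst), int(port), proto):
            key = (src, dst, int(port), proto)
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    print("Rules with unspecified destination:", overly_broad_rules(RULES))
    for flow, count in unexpected_pos_flows(FLOWS).items():
        print("Unexpected POS egress:", flow, "x", count)
```

Here the rule with an unspecified destination is what lets the unexpected POS traffic leave the network, which is why the rule audit and the flow check are run together.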
Cross promotions roll on VisaNet rails
Thursday, February 4, 2016
Dunkin' Donuts, Shake Shack, Uber and other leading retailers recently joined a Visa Inc. initiative aimed at cross-promoting retail and hospitality brands to consumers. Visa Commerce Network, an interactive platform launched Jan. 29, 2016, enables merchants within Visa's electronic payment network to create online and in-app shopping experiences. Participating retail and hospitality brands can create joint promotions on the fly, according to Visa representatives.
Participating merchants can use VisaNet's library of commerce application programming interfaces (APIs) to connect transactions between two different Visa merchants. Qualifying purchases are identified at the POS and rewards are sent to Visa cardholder accounts, eliminating the need for consumers to carry coupons or reward cards.
In December 2015, Shake Shack and Uber offered discounted Uber rides to consumers who opted in to the campaign and paid by Visa at Shake Shack. The offer garnered new customers and increased spend for Shake Shack; Uber riders received rewards on their Visa cards. Laura Enoch, senior marketing manager of Shake Shack, said guests were able to participate in the promotion without changing their payment methods. "[All] of the rewards happened on the backend, it was a great activation without the need to train team members," she said.
Additional promotions planned
Following the success of the Shake Shack promotion, Uber rolled out grocery store offers in 10 U.S. markets, offering discounted rides and automatically enrolling consumers in a nationwide contest for an all-expense paid trip to the Super Bowl Feb. 7. "We are always looking for new ways to delight our customers and offer unique local experiences," said David Richter, Uber's Vice President of Strategic Initiatives. "We're excited to partner with Visa on this initiative."
More than a dozen businesses have successfully used Visa Commerce Network, Visa stated, noting that publicity generated by short-term campaigns can sometimes outlast the actual promotions. "We continue to hear from guests that they are visiting Dunkin' Donuts even more as a result of the campaign we ran using Visa Commerce Network," said Sherrill Kaplan, Dunkin' Donuts Senior Director of Digital and Loyalty Marketing. "The ability to quickly activate an offer that provided real benefits to both current and prospective customers alike was a very exciting outcome for us."
Platform architecture, benefits
Visa Commerce Network can trace its roots to TrialPay, a value exchange platform based in Palo Alto, Calif. Acquired by Visa in 2015, the company has 600 million users in 180 countries. TrialPay provides free items to consumers in exchange for their purchase or testing of product and service offerings from TrialPay advertisers. Visa enhanced TrialPay's platform and product offerings, adding API libraries, analytics and other features to augment rewards and loyalty at the POS. Consumers can earn rewards in real time at the POS or receive them as statement credits.
TrialPay noted that Visa Commerce Network is the first of its products to be launched by Visa; the company plans more near-term releases of products designed to help merchants attract and retain customers. "By exposing an API, we believe merchants can best build the consumer experience that makes sense for their customers," the company stated in a Jan. 29 blog post. "These offers drive value to merchants by providing consumer incentives to transact with Visa merchants in exchange for content or services offered by a publisher."
Growing a connected community
Visa and TrialPay view Visa Commerce Network as an important step forward in creating a seamless network of consumers, merchants and publishers that add value to each other on Visa's rails. Visa saw a need to build tools and services to help merchants grow their businesses, stated the TrialPay blog.
Ramon Martin, Global Head, Merchant Sales and Solutions at Visa also sees benefits for merchants, issuers and cardholders using the program. "Visa cardholders get access to great offers that don't require any changes to how they pay, while merchants can acquire new customers and increase sales," he said. "By coupling the power of Visa's payment network with our merchant partners, we are unleashing value for businesses, issuers and consumers alike."
Visa said it tracks all transactional activity and promotions. The company also noted the platform's extensive built-in analytic tools and said the VisaNet parent network processes approximately 100 billion transactions per year.
New checks target mobile deposit fraud
Tuesday, February 2, 2016
What do you get when you pair a company steeped in check printing with one that dominates the mobile imaging market? A new check that practically eliminates the possibility of fraud and accidental duplicate deposits when mobile deposit is used.
Photo Safe Check is a paper check product Harland Clarke, a business unit of Harland Clarke Holdings Corp., began delivering in January 2016. It incorporates security features that can only be read using mobile deposit software from Mitek Systems Inc.
Mitek, based in San Diego, holds numerous patents for mobile imaging technologies. The company claims its mobile imaging technology is used by more than 4,500 financial institutions and 60 million consumers, and gets used for 90 percent of all mobile deposits. Harland Clarke grew from the combination of two of the oldest and largest check printing companies in the country (John H. Harland Co. and Clarke American Checks Inc.) and filled more than 60 million check orders in 2015. Other arms of the corporation provide intelligent media delivery for advertising, as well as data management, decision support solutions, and related products and services.
Consumer version first
Initially Photo Safe Check security features are being added to consumer checks; a corporate version of the new checks should start rolling off the presses later this year. “We knew that checks aren’t going away,” said Rick Ebrey, President of the Payments Division at Harland Clarke. “So we started looking at how do we create more efficiencies, and how to help our clients attack the challenge of check fraud,” Ebrey said. He estimated 90 percent of consumer checks coming out of Harland Clarke will contain the new security features, which require no changes on the part of check writers.
The new checks feature a Photo Safe Deposit icon (a camera-lock graphic) on the front. When the icon is recognized by a mobile device running Mitek’s mobile deposit software, the mobile camera scans for additional security features on the back of the check. One of the features, Image Match, is the MICR code line from the front of the check reprinted on the back. The new checks also feature Mobile Mark, a box depositors check when using their smartphones to deposit checks.
Easier risk calibration
The new features are intended to minimize endorsement forgeries, for example, a fraudster who uses the mobile channel to pair the back of one legitimately endorsed check with the fronts of multiple fraudulent checks. Plus it protects against front and back mismatches when depositing multiple checks at the same time, which Marek Helcl, Product Owner at Mitek, said is a more common problem with mobile deposit. “It also prevents accidental duplicate deposits,” he added.
The potential for duplicate deposits has been a concern among banks and credit unions with the advent of remote deposit capture (RDC), and especially now with the rise of mobile RDC. The consultancy Celent LLC estimated that roughly one third of adults with bank accounts made mobile deposits last year. Half of all banked adults are expected to use mobile deposit in 2016, according to Celent.
Ebrey suggested that over time, as more consumers and businesses use these new checks, financial institutions should be able to better calibrate risk thresholds for mobile deposit products.
“The new security features printed on the checks improve the mobile deposit experience that millions of Americans love,” Mitek President and Chief Executive Officer James DeBello said in a statement. Describing the collaboration with Harland Clarke, DeBello added “our combined technology does all the work to increase security and mitigate depositor errors without any extra steps required by consumers or banks.”
Downstream networks detect Wendy's breach
Monday, February 1, 2016
Numerous consumers who used credit cards at Midwest and Northeast locations of The Wendy's Company in the latter part of 2015 were notified by their card issuing banks of a potential data security breach. Wendy's, a publicly traded company established in 1969 and headquartered in Dublin, Ohio, is the world's third largest fast food enterprise, with 6,500 corporate and franchise locations in 30 countries.
Company spokesman Bob Bertini advised news media that fraudulent charges began to appear elsewhere after the cards were legitimately used at some Wendy's restaurants. "Until this investigation is completed, it is difficult to determine with certainty the nature or scope of any potential incident," he said. "We have hired a cybersecurity firm to assist, but are not disclosing the name at this point."
Proactive, preventive banks
Payments and security analysts credit bank fraud departments that monitor suspicious activities and security researchers who monitor black market trends for detecting the fraudulent transactions. Convergence of these two lines of effort proved a formidable force, parsing records from aggregated data to find the common denominator, which in this case clearly showed that all of the compromised payment cards had been used at select Wendy's locations.
"Ideally, we'd like to see merchant organizations detecting incidents proactively," said Jim Wherry, Information Security Analyst at Redhawk Network Security LLC. "In this case, though, from what we know, the issue was brought to light through the combined work of various fraud detection groups."
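The "common denominator" search described above is often called common-point-of-purchase analysis. The sketch below is an added example, not code from the article or from any issuer. The card tokens, merchant names, the 0.7 coverage threshold and the lift score are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (card_token, merchant_id) pairs from issuer records.
# Tokens stand in for card numbers; repeat visits are deliberately included.
TRANSACTIONS = [
    ("c1", "grocer-12"), ("c1", "restaurant-A"), ("c1", "restaurant-A"),
    ("c2", "grocer-12"), ("c2", "restaurant-A"), ("c2", "fuel-7"),
    ("c3", "restaurant-A"),
    ("c4", "grocer-12"), ("c4", "restaurant-A"),
    ("c5", "grocer-12"), ("c5", "fuel-7"),
    ("c6", "grocer-12"), ("c6", "restaurant-A"),
    ("c7", "grocer-12"),
    ("c8", "grocer-12"), ("c8", "fuel-7"),
]

# Constructed sample: cards later reported for fraud elsewhere.
FRAUD_CARDS = {"c1", "c2", "c3", "c4"}


def common_points_of_purchase(transactions, fraud_cards, min_coverage=0.7):
    """Rank merchants that most of the compromised cards have in common.

    coverage = share of compromised cards that were used at the merchant
    lift     = fraud rate among the merchant's cards / fraud rate overall
    A busy merchant can have high coverage simply because everyone shops
    there; lift above 1 separates it from a genuine common point.
    """
    cards_at = defaultdict(set)
    for card, merchant in transactions:
        cards_at[merchant].add(card)  # a set counts each card once per merchant

    all_cards = set().union(*cards_at.values())
    fraud_seen = set(fraud_cards) & all_cards
    if not fraud_seen:
        return []

    baseline = len(fraud_seen) / len(all_cards)
    results = []
    for merchant, cards in cards_at.items():
        hit = cards & fraud_seen
        coverage = len(hit) / len(fraud_seen)
        if coverage < min_coverage:
            continue
        lift = (len(hit) / len(cards)) / baseline
        results.append({"merchant": merchant, "coverage": coverage, "lift": lift})

    results.sort(key=lambda r: r["lift"], reverse=True)
    return results


if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f'{row["merchant"]}: coverage={row["coverage"]:.2f} lift={row["lift"]:.2f}')
```

In the constructed data the grocer sees three of the four compromised cards yet scores a lift below 1, while the restaurant sees all four with a lift of 1.6, so only the restaurant stands out as a likely point of compromise.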
Forewarned, forearmed merchants
Wherry, a Certified Information Security Systems Professional and Payment Card Industry Qualified Assessor, noted that while fraud detection groups did their jobs, Redhawk advocates strongly for the empowerment of individual merchants. "They need to develop capabilities to detect intrusions before they become breaches down the line," he said.
Vann Abernethy, Senior Technical Expert at network security provider NSFOCUS IB, said, "This incident is another that should serve as a wake-up call for companies, the payment card industry and consumers alike. Many banks have been rolling out new chip-based cards (EMV) recently. This is a good step in the right direction for preventing card information theft and duplication, and adding an additional authentication factor would be even better."
Abernethy cautioned consumers who visited Wendy's in affected areas to monitor credit card activity daily for suspicious activities.
Encryption, tokenization needed
Abernethy emphasized the need for merchants to implement end-to-end encryption and tokenization at the POS. He urged retailers to have a plan in place and not to wait to take action until a data breach occurs. "No plan can cover everything, but having a plan and executing on it goes a long way," he stated.
Abernethy further noted that Europay, MasterCard and Visa (EMV) technology employs a one-time unique authentication factor designed to prevent payment card duplication. Having a secondary factor such as a personal identification number can add a secondary layer of protection. He advised retailers to protect cardholder data from the moment a card is read at the POS and throughout its journey to the card issuer for verification. End-to-end (E2E) encryption that begins at the card reader would go a long way to protecting systemic vulnerabilities, he added.
"Retailers should also remember that just because the primary payment transaction points are as secure as they can make them does not mean the data is not seeping out through another route, especially if there is no E2E encryption," Abernethy said. "Constant vigilance is needed to look for rogue executables, odd open ports and more."
Redhawk's Wherry added, "Much can be said about chip-and-signature technology and potential weak points, but the real takeaway from the Wendy's data breach is how it appears to have been detected."