December 18, 2019

Doxed credit card data has two hours max before it’s nabbed

By Lisa Vaas

Sure, we all know that ripped-off payment card details – like these! – sell like hot potatoes on the dark web, where carders snap them up, slap them onto new cards, and go on mad spending sprees on somebody else’s dime.

But exactly how fast do hot potatoes get sold?

Two hours, it turns out. That’s how long it recently took somebody – or something, if it turns out to have been an automated bot – to find, and use, a credit card posted by a security researcher.

David Greenwood, from ThreatPipes, says he decided to run an experiment on how long it would take thieves to find his card, motivated as he is by the fact that he’s been bedeviled by e-thieves who keep poking at it:

In only two years, there have been 4 attempts to use my credit card fraudulently.

The cyber-crime headline writers are not struggling for work.

Greenwood got curious about the life cycle of stolen data. He wondered, how does data such as credit and debit card information propagate across the internet, including on the dark web, where carders conduct their dirty work?

Dirty work, as in, buying stolen payment card details, putting all the legitimate card details onto the fresh magnetic stripe of a blank card, and thereby cloning the card so they can use the counterfeit to buy themselves some bling.

So, Greenwood picked up an anonymous, prepaid credit card, and he set to work at trying to do what crooks do: sell that tasty tidbit.

Read more at https://nakedsecurity.sophos.com/2019/12/18/doxed-credit-card-data-has-two-hours-max-before-its-nabbed/

Mozilla adds NextDNS to list of DNS-over-HTTPS providers

By John E Dunn

Good news for Firefox users interested in turning on the browser’s DNS-over-HTTPS (DoH) privacy feature – they now have two providers to choose from.

The first, of course, is Cloudflare, which Mozilla partnered with during the two-year development and testing of its DoH service, finally turned on for users in September.

Not all Firefox users were at ease with this – entrusting DNS privacy to a single company felt like a risk no matter how many assurances were being offered.

By adding a second provider, startup NextDNS, founded in May 2019, Mozilla has not only added an alternative but got its promised Trusted Recursive Resolver program (TRR) off the ground. The TRR matters because, as Mozilla says:

DoH’s ability to encrypt DNS data addresses is only half the problem we are trying to solve. The second half is requiring that companies with the ability to see and store your browsing history change their data handling practices.

In other words, just encrypting DNS queries to make it more difficult for ISPs and governments to snoop on website visits won’t mean much if the company offering the DoH service hasn’t itself signed up to a robust privacy policy.

It’s rather like VPNs, which many people use for security, privacy and to dodge geo-blocking only to discover that many providers (typically the free ones) are collecting private data to sell on to advertisers.

Read more at https://nakedsecurity.sophos.com/2019/12/18/mozilla-adds-nextdns-to-list-of-dns-over-https-providers/

Alleged bank vault robber posed with cash on Instagram, Facebook

By Lisa Vaas

Somebody really needs to write a rap about yobs who show off piles of loot in their social media feeds.

The alleged crook du jour: Arlando M. Henderson, 29, of Charlotte, North Carolina, whom the FBI has arrested and charged with supposedly stealing more than $88,000 smackers from the vaults of his employer, Wells Fargo Bank.

If he’s innocent, Henderson is going to have to explain why his Instagram rap shows him holding an AK-47 and large stacks of cash… and how in the world he found the wherewithal to pick up that Mercedes-Benz in his Facebook posts.

On Friday, the US Attorney’s Office for the Western District of North Carolina said that the FBI arrested Henderson on 4 December in San Diego and charged him with stealing cash from Wells Fargo’s bank vaults, from deposits made by its customers, and with using some of that beautiful green spray-o-cash…

Read more at https://nakedsecurity.sophos.com/2019/12/18/alleged-bank-vault-robber-posed-with-cash-on-instagram-facebook/

Google to choke off ‘less secure applications’

By Danny Bradbury

If you’re entering a username and password to give an app access to a G Suite account, beware: you won’t be able to do it for much longer.

Google is changing the way that it grants third-party apps access to G Suite accounts as it tries to improve security. It is weeding out what it calls ‘less secure apps’ (LSAs) by denying them access to its services.

Google defines secure apps according to a rigid set of security standards. To be considered secure, a third-party app must let you see what level of account access you are giving it before you connect it to your Google account. The app must also let you access only the parts of your Google account that you want, such as your email or calendar, without giving it access to everything else. It must allow you to disconnect it from your Google account at any time, and it must let you connect it to your account without exposing your Google password.

Apps that don’t meet these security criteria are considered less secure, and on 29 July 2019, the company announced it would begin limiting access to G Suite accounts from those apps beginning on 30 October. On that date, it began removing an option for G Suite administrators to ‘enforce access to less secure apps for all users’. That meant admins could no longer just wave through less secure apps at the domain level. Instead, users would have to grant access to these apps themselves if admins let them.

That move was due to be complete by the end of this year. Now, the company is moving on to the next step: restricting access to account data for LSAs. Because these apps rely on insecure password technology to access sensitive Google account data, the company will be cutting off their ability to access G Suite account data altogether. It will happen in two stages. After 15 June 2020, users who try to connect the Google accounts to an LSA for the first time won’t be allowed to, but those who have already connected to LSAs before that date will still be permitted.

Read more at https://nakedsecurity.sophos.com/2019/12/18/google-to-choke-off-less-secure-applications/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation