September 2016 – Gregory M. Schmidt, CPP, PSP, CHPA

From “Yahoo Says Information on at Least 500 Million User Accounts Was Stolen”
Wall Street Journal (09/23/16) McMillan, Robert. Posted by ASIS.

Yahoo Inc. reported Thursday that hackers backed by an unnamed foreign government had stolen personal information from more than 500 million of its users’ accounts. Hackers penetrated Yahoo’s network in late 2014 and stole personal data on more than 500 million users. The stolen data included names, email addresses, dates of birth, telephone numbers, and encrypted passwords, Yahoo said. Yahoo said it believes that the hackers are no longer in its corporate network. The company said it did not believe that unprotected passwords, payment-card data, or bank-account information had been affected. In July, Yahoo began investigating claims by hackers who were offering to sell what they said were 280 million Yahoo usernames and passwords. Yahoo said it concluded the information for sale was not legitimate, but the company decided to broaden its probe, eventually determining that it had been breached by “a state-sponsored actor.” Yahoo did not say how the hackers broke into its network or which country sponsored the attacks. The intrusion, in 2014, came during a period when many computer attacks were believed to be the work of China. More recent hacks, however, including of the Democratic National Committee earlier this year, have been blamed on Russia. Both countries have denied involvement in the hacks. The Yahoo breach appears to be the largest ever disclosed, based on the number of users affected, said Paul Stephens, director of policy and advocacy with Privacy Rights Clearing House.

From “Crooks Are Selling a Skimmer That Works on All Chip Card Readers”
CSO Online (08/31/16) Korolov, Maria. Posted by ASIS.

Researchers have found a website that claims to sell “the most advanced EMV chip data collector in the world.” The seller says that the device is powered by the point of sale terminal, and can hold information on up to 5,000 credit cards in its memory. The equipment can also be used on machines made by Ingenico and Verifone, as well as terminals on gas station pumps, ticket purchase stations, and on small ATMs, specifically those manufactured by Triton. Andrei Barysevich, director of Eastern European research and analysis at Flashpoint, says that the device is primarily targeted towards Latin America. Latin America is still reliant on static data authentication chips, which allow criminals to create usable new chip cards with the data they catch, making it an easier target. Barysevich also says that the “technology can be used in any point of sale device. It literally takes less than 10 seconds to install, and once installed, it stays there forever.” He said that terminal manufacturers have been notified about the issue.

The Author

Gregory M. Schmidt, PSP, CHS-I of Eagle/ Trident Security is a board certified Physical Security Professional and is certified in Homeland Security. He has over thirty years of experience developing dynamic security programs, plans and policies for businesses and healthcare facilities in Indiana and Florida. His conversation-style personal safety seminars are highly regarded and always in demand. Mr. Schmidt is a member of ASIS International, the International Association for Healthcare Security & Safety, the American Board for Certification in Homeland Security, and the American Society for Healthcare Engineering.

Greg can be reached at greg@eagletrident.com or 317/ 573-6799.