TIME Security

Why Using an ATM Is More Dangerous Than Ever

Breaches have risen dramatically very recently

In a time when major data hacks are on the rise—think Target, Home Depot, Sony—it’s no surprise breaches on individuals are also up. According to FICO, debit-card compromises at ATMs rose 174% from January to April of this year, compared to the same period last year.

And that’s just breaches of ATMs located on official bank property. Successful breaches at non-bank ATMs rose 317% in that period.

In other words, withdrawing money from an ATM is more dangerous than it’s been in a long time—specifically, the worst it has been in two decades, according to the Wall Street Journal, which cites a prediction from consulting firm Tremont Capital Group that criminals will make more than 1.5 million successful ATM cash withdrawals this year.

As Fortune reported earlier this year, a majority of American corporations believe they will be hacked in 2015. The question they are all dealing with is how to prepare for these breaches and how to respond when they happen, because preventing such compromises has become increasingly difficult.

Banking institutions, as well as the payment companies that connect banks to consumers, like Visa and MasterCard, have beefed up their technology more aggressively than ever in order to both innovate and secure their systems. But for a private consumer who simply wants to take money from an ATM, stats like these are nonetheless sobering.


TIME Innovation

Are “Micro-Schools” the Future of Education?

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

These are today's best ideas

1. Are personalized “micro-schools” the future of education?

By Anya Kamenetz at NPR

2. Millions of Americans get tests, drugs, and operations that won’t make them better.

By Atul Gawande in the New Yorker

3. Can bacteria help us fight the ravages of climate change?

By Esther Ngumbi in Scientific American

4. Here’s a drone you can fly with your phone, from the designer of the Roomba.

By Jessica Leber in Fast Co.Exist

5. What’s killing the growth of mobile banking?

By Herb Weisbaum in NBC News


MONEY privacy

It Took Just One Email to Compromise the Leaders of the Free World

[Photo: G20 Summit Leaders. Credit: Reuters]

Many of the world leaders who attended last year’s G20 summit in Brisbane had their personal data compromised. The cause? Human error.

Whether an autofill mishap or a “What in the name of God were you thinking?” move, somebody’s shrimp is on the barbie at Australia’s immigration department after an officer there emailed President Obama’s passport number and other personal information to an organizer at the Asian Cup football tournament. And before you think otherwise: Yeah, it matters.

An Australian freedom of information request recently revealed that the personally identifiable information (PII) of many of the world leaders who attended last year’s G20 summit in Brisbane — including President Obama, Russian President Vladimir Putin, German Chancellor Angela Merkel, China’s President Xi Jinping, India’s Prime Minister Narendra Modi, Japan’s Prime Minister Shinzo Abe and UK Prime Minister David Cameron — was accidentally leaked by a government employee. Worse, there was an attempt to sweep this mess under the rug.

The freedom of information request revealed that an immigration official notified Australia’s privacy commissioner about the walkabout presidential/prime ministerial PII shortly after the misdirected email was received by its startled recipient.

“The personal information which has been breached,” an email notifying the privacy commissioner stated, “is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (i.e., prime ministers, presidents and their equivalents) attending the G20 leaders summit.”

“The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person’s details into the email ‘To’ field. This led to the email being sent to the wrong person.

“The matter was brought to my attention directly by [redacted] immediately after receiving an email from [the recipient] informing them that they had sent the email to the wrong person.

“The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach.”

The decision not to inform any of the world leaders was based on the fact that the recipient of the wayward email had deleted it from their computer and then deleted the deleted email from the “deleted items” folder.

The Inevitable Weak Link

Unlike code, with its right/wrong, open/closed approach to data, humans make a lot of mistakes. Sometimes those mistakes have catastrophic results. The Target breach is a good example of this. The retailing icon didn’t properly segment its network, and someone at a heating and air conditioning company with a Target contract, which unknowingly had access to far more systems than anyone could have imagined, clicked on a phishing link in a fraudulent email that ultimately allowed hackers to reach its point-of-sale systems — in other words, human error. Subsequently, multiple warnings from Target’s own security tools — indicating the presence of malware — were overridden by one or more people, also human error.

In the G20 instance, the damage was most likely not great — at least to the world leaders in question. That said, Steve Wilson, a principal analyst focusing on digital identity and privacy at Constellation Research told the Guardian, “What I’d be worried about is whether that level of detail could be used to index those people in different databases to find out more things about them.”

Wilson went on to hypothesize: “If you had access to other commercial data sources you could probably start to unpack their travel details, and that would be a security risk.”

Now comes the unavoidable question: When it involves the protection of a president or prime minister, is “most likely safe” an acceptable standard? For a government employee to send out such internationally sensitive information in an email and for a privacy commissioner to decide not to notify anyone that the breach had occurred needs to get tagged as “human error” as well. (If anyone should know better, one would assume it might be the “privacy” commissioner, yes?) One of the more crucial protocols in a data compromise is transparency, at least with respect to those who have been exposed. If you’re not aware of the fact that you are in harm’s way, how can you possibly protect yourself?

You may remember the scene in the 2006 remake of the Pink Panther where Clouseau, played by Steve Martin, gets his hand stuck inside a vase. He asks the casino owner if the item is valuable, and is told that it’s a worthless imitation. Mindful of that information, Clouseau slams the vase on a desk to free his hand, breaking both in the process.

“But that desk,” the casino owner says, “was priceless.”

So now anyone wanting to get their hands on that PII knows where it isn’t, but they also have some clues as to how to piece it together, and where it might be. (Of course, no hacker has ever raised deleted files from the dead.) They also now know that Australia has porous defenses, even if their vulnerabilities exist only at the level of a human resources failure to properly train employees on data security best practices. But then there’s the question of the privacy commissioner’s handling of the situation, which none of this explains. Sigh…

The leak of PII belonging to world leaders is an extremely serious matter. For years many have warned that any system is only as secure as its weakest link … and that humans are almost always the weakest link. So the beat goes on.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.


This article originally appeared on Credit.com.

TIME Crime

‘Revenge-Porn King’ to Plead Guilty and Face Imprisonment

[Photo: computer keyboard, stock image. Credit: Elizabeth Renstrom for TIME]

Hunter Moore is charged with hacking into victims' email accounts and posting their nude photos on his website

The owner of a “revenge porn” website, accused of posting stolen nude photos of women online, has agreed to plead guilty to federal computer-hacking and identity-theft charges, prosecutors announced Wednesday.

The Los Angeles Times reports that Hunter Moore was dubbed the “king of revenge porn” for running a website called IsAnyoneUp.com, on which explicit photos of women, stolen from their personal email accounts, were posted.

Moore, 28, also paid Charles Evans to hack into computers and steal nude photos from victims’ accounts. Evans is due to go on trial March 17.

Moore faces up to seven years in prison. He is set to appear back in court on Feb. 25.

[L.A. Times]

MONEY cybersecurity

Hackers Use Malware to Steal $300 Million From Banks

Hackers used malware attached to phishing emails to compromise the security systems of more than 100 banks across the world, according to a new report from security firm Kaspersky.

TIME Hacking

Hackers Steal $1 Billion in Massive, Worldwide Breach

[Photo. Credit: Bloomberg/Getty Images]

A prominent cybersecurity firm says that thieves have infiltrated more than 100 banks in 30 countries over the past two years

Hackers have stolen as much as $1 billion from banks around the world, according to a prominent cybersecurity firm. In a report scheduled to be delivered Monday, Russian security company Kaspersky Lab claims that a hacking ring has infiltrated more than 100 banks in 30 countries over the past two years.

Kaspersky says digital thieves gained access to banks’ computer systems through phishing schemes and other confidence scams. Hackers then lurked in the institutions’ systems, taking screen shots or even video of employees at work. Once familiar with the banks’ operations, the hackers could steal funds without raising alarms, programming ATMs to dispense money at specific times for instance or transferring funds to fraudulent accounts. First outlined by the New York Times, the report will be presented Monday at a security conference in Mexico.

The hackers seem to limit their scores to about $10 million before moving on to another bank, Kaspersky principal security researcher Vicente Diaz told the Associated Press. This helps avoid detection; the crimes appear to be motivated primarily by financial gain. “In this case they are not interested in information. They’re only interested in the money,” he said. “They’re flexible and quite aggressive and use any tool they find useful for doing whatever they want to do.”

[New York Times]

TIME Cybercrime

This Could Be the End of User Name and Password

[Photo: Benjamin Lawsky, superintendent of the New York State Department of Financial Services, speaks during a Bloomberg Television interview in New York on Nov. 24, 2014. Credit: Scott Eels—Bloomberg/Getty Images]

Anthem, J.P. Morgan hacks could lead to tougher online security.

A top New York State regulator is “very likely” to impose new cyber-security rules on much of the banking and insurance industries after high profile cyber-intrusions at Anthem and JP Morgan Chase, law enforcement officials tell TIME.

The move could spell the beginning of the end for a decade-long debate among state and federal regulators over whether to require companies to go beyond the simple user name and password checks that control access to many of the computer networks at the heart of America’s financial system. It could affect everyone from employees at those firms to the consumers they serve.

Early investigations in the Anthem case suggest foreign hackers used the user name and password of a company executive to get inside Anthem’s system and make off with personal data for 80 million people, including names, addresses and Social Security numbers, the law enforcement officials tell TIME. Anthem had invested in extensive cyber defenses in recent years, but the officials say initial investigations suggest the theft could have been averted if the company had embraced tougher methods for verifying the identity of those trying to access its systems.

That shortcoming reflects systemic weaknesses found throughout the industry in an upcoming study by the New York State Department of Financial Services, a version of which was reviewed by TIME. Among the most worrying findings was a marked level of over-confidence among insurance industry officials regarding the security of their systems. “Anthem is a wake-up call to the insurance sector really showing that there is a huge potential vulnerability here,” says Benjamin Lawsky, the department’s superintendent.

While many big health, life and property insurers boast robust cyber-defenses, including encryption for data transfers, firewalls, and anti-virus software, many still rely on relatively weak verification methods for employees and consumers, and have lax controls over third-party vendors that have access to their systems and the personal data contained there, according to the report. The study follows a similar review by Lawsky’s office of the banking sector late last year that led to tighter cyber-examinations for banks doing business in New York.

As the fourth-largest state and the home to many of the corporations in question, New York could affect consumers in other states with its decisions.

For more than a decade, federal and state regulators have debated measures to require increased security at banks and insurance companies that handle the financial and personal details of hundreds of millions of Americans. In 2005, the federal body charged with setting the examination standards for federal regulators concluded [pdf] that simple user name and password systems were “inadequate” for “transactions involving access to customer information or the movement of funds to other parties,” but stopped short of requiring tighter measures. Updated guidance in 2011 [pdf] also stopped short of requiring them.


The primary federal regulator of big banks, the Office of the Comptroller of the Currency (OCC) says different banks need to assess their own risks in determining whether to use additional verification methods. Other regulators have worried that if one agency, like the New York State Department of Financial Services, tightens standards on its own, the result will be a patchwork of rules that make life difficult for banks doing business across the country.

Still, most agree that username and password security alone is increasingly vulnerable to hackers. As American Banker reports:

Most of the security breaches that occur in banking today use compromised credentials. More than 900 million consumer records have been stolen [in 2014] alone, according to Risk Based Security; 66.3% included passwords and 56.9% included usernames. According to Verizon’s latest Data Breach Investigations Report, weak or stolen login credentials were a factor in more than 76% of the breaches analyzed.

The additional measures New York State is likely to require are known as “multi-factor authentication” and include a range of approaches to verify the identity of those trying to sign on to a computer system. Options include sending a confirmation number to an individual’s cell phone, using a fingerprint or other biometric authentication, or using a separate identification source, like a swipe card.

Lawsky has not decided whether his new rule would require institutions to use multi-factor authentication only for employees and third-party vendors, or whether consumers would be required to use them too. However, requiring major banks and insurers under his purview—such as Barclays, Goldman Sachs, Anthem and others—to adopt multi-factor authentication could change the industry standard.

Lawsky says he is eager to see that change. “The password system should have been buried a long time ago, and it’s high time we buried it,” Lawsky tells TIME. “We really need everyone to go to a system of multi-factor verification. It is just too easy, whether through basic hacking or through phishing or stealing basic information, for hackers to get a password and a user name and then to get into a system,” he says.


State and federal officials have argued that banking and insurance cyber vulnerabilities pose a threat not just to the accounts of individual consumers, but potentially to the stability of the entire financial system. The Obama administration’s recently released National Security Strategy says, “the danger of disruptive and even destructive cyber-attack is growing,” thanks to “malicious government, criminal, and individual actors,” targeting the networked infrastructure on which economy, safety, and health rely.

The New York State Department of Financial Services study of the insurance industry shows that most insurers are largely convinced they are confronting and defeating hackers. Some 58% claimed they had experienced no security breaches during the three years preceding the 2013-14 study, while 35% said they had only between one and five such incidents.

To some that suggests naiveté on the part of the industry. As FBI Director James Comey said last fall, “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”

In addition to the new rules on identity verification, Lawsky expects to impose new requirements on third-party vendors that have access to insurance company databases. Those vendors often have lower cyber-security standards and are not required to describe those standards to the companies even though they often have full access to personal data held by the company.


TIME Security

Chipotle Hackers Direct Racist Tweets at Obama

Changed company's logo to a swastika

Chipotle apologized and promised an investigation into racist tweets sent by hackers from the company’s Twitter account early Sunday morning.

In the early morning hours, the hackers changed the company’s avatar to a photo of swastika and tweeted racist remarks directed at President Barack Obama. Other tweets targeted the FBI and included other offensive language.

Chipotle’s Twitter biography was changed to say it was the official account of “@TUGFeds” and “@TheCeltic666.” Both accounts had been suspended as of Sunday afternoon.

TIME intelligence

U.S. Journalist Receives Five Years in Jail for Linking to Hacked Data

[Photo: The home page of the Stratfor website is seen on a computer monitor in London, Wednesday, Jan. 11, 2012. Credit: Cassandra Vinograd—AP]

Barrett Brown must also pay $890,000 in restitution

An American journalist loosely affiliated with the Anonymous hacking collective was sentenced to 63 months in jail by a Dallas federal judge on Thursday for linking to hacked data from private global intelligence firm Stratfor in 2011.

Barrett Brown, 33, initially faced a sentence of over 100 years until he pled guilty last year to three reduced charges of obstructing a police search, issuing online threats and involving himself in the sharing of Stratfor data, reports the BBC.

“The government exposed me to decades of prison time for copying and pasting a link to a publicly available file that other journalists were also linking to without being prosecuted,” Brown said in a statement before the hearing.

Free speech activists allege Brown’s prosecution is based on his investigations into U.S. cybersecurity and intelligence contractors. He created Project PM in 2010 to probe intelligence leaks on a crowdsourcing platform.

“The U.S. government decided today that because I did such a good job investigating the cyber-industrial complex, they’re now going to send me to investigate the prison-industrial complex,” Brown said in a public statement after the sentencing, according to The Guardian.

The hacker responsible for the Stratfor data breach, Jeremy Hammond, 30, is currently serving a 10-year prison sentence.

TIME Music

Israeli Man Arrested for Hacking Madonna’s Computer and Leaking Music

[Photo: Madonna in New York in 2013. Credit: Dimitrios Kambouris—Getty Images]

The singer called the theft "a form of terrorism"

Israeli police arrested a man Wednesday who they suspect hacked into Madonna’s computer late last year and leaked demo versions of songs from her upcoming Rebel Heart album.

A month-long investigation by the cybercrime wing of Israel’s Lahav 433, an FBI-like organization, led authorities to arrest a 39-year-old, according to The Hollywood Reporter. A statement from Lahav 433 said it worked closely with the FBI and that the suspect allegedly “broke into the personal computers of several international artists over the past few months and stole” unreleased music that he then traded for money. Police put a gag order on the alleged hacker’s name, though local media in Israel have begun identifying the man as a former reality show contestant from one of Israel’s singing competition programs.

Madonna, who in December rushed to release six songs from the album on iTunes in the wake of the leak, called the theft “a form of terrorism.”

Similarly, Björk announced Tuesday that she would suddenly release her new album, Vulnicura, on iTunes after the record leaked over the weekend, two months ahead of schedule.

[THR]
