Category Archives: Credit card security

CyberSecurity: Holy Shit! Hashcat tool cracks 55 Character Passwords

Holy shit! That’s exactly what I felt when I read about Hashcat, a freely available tool that also ships in the Kali Linux application set. It is a fast and reliable way to crack passwords up to 55 characters long. Tools like this always have two sides:

  1. Cybercriminals steal the data and use this tool to crack the passwords in it.
  2. On the other side, companies can use it to stress-test their users' passwords and their password policy.

Scared and still looking for an answer? Keep reading…

You might be thinking: all security experts tell ordinary people to use a strong password, but if a tool can crack any password no matter how long it is, then how strong a password can any human being set and remember? Has the password become useless with advancing technology?

Length is still important; but rather than just a combination of words or phrases, a password should be a mix of letters, numbers and punctuation symbols, and everybody should keep each password strong and unique to a single application. Not re-using passwords is a good way to keep yourself safe.

All you can do is keep your password strong enough to make it harder for hackers to crack. Making their job tough is one way to buy some time before they hit you.

So, how does Hashcat break the password?

Hashcat basically needs the password hash in order to crack the password, so any criminal or penetration tester has to obtain that hash first. There are multiple ways of obtaining these hashes, such as DLL injection on Windows systems or capturing the hash in transit. Kali Linux includes this tool in its application set; you can explore more if you are interested.
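The two points above, that cracking runs offline against a stolen hash and that length still matters, are easier to see with numbers. The following is an added example, not code from the original post: it estimates the brute-force keyspace of a password from the character classes it uses and converts that into the time needed to exhaust it at an assumed guess rate. The guess rates are assumptions for illustration (a fast unsalted hash versus a deliberately slow password hash), and the estimate is an upper bound: dictionary and rule-based attacks, which Hashcat also supports, find real words and common patterns far faster than this keyspace arithmetic suggests.

```python
import math
import string

# Character classes used to estimate the brute-force keyspace of a password.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}

# Assumed guess rates (guesses per second), for illustration only:
# a fast unsalted hash on a GPU rig versus a slow, tuned password hash.
FAST_HASH_RATE = 1e10
SLOW_HASH_RATE = 1e4


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes present."""
    size = 0
    for chars in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    # Characters outside the four classes (space, non-ASCII) each add one symbol.
    extra = {c for c in password
             if not any(c in chars for chars in CHAR_CLASSES.values())}
    return size + len(extra)


def entropy_bits(password: str) -> float:
    """Upper-bound entropy: log2 of the brute-force keyspace."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Years to try the whole keyspace at the given rate (worst case for the attacker)."""
    return 2 ** entropy_bits(password) / guesses_per_second / (365 * 24 * 3600)


def meets_policy(password: str, min_bits: float = 60.0) -> bool:
    """Constructed policy check: require at least min_bits of keyspace entropy."""
    return entropy_bits(password) >= min_bits


def report(passwords):
    """Return (password, bits, years at fast rate, years at slow rate) for each input."""
    return [(p, round(entropy_bits(p), 1),
             years_to_exhaust(p, FAST_HASH_RATE),
             years_to_exhaust(p, SLOW_HASH_RATE)) for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords: short-but-complex versus long passphrase.
    for pw, bits, fast, slow in report(["password", "Tr0ub4dor&3",
                                        "correct horse battery staple"]):
        print(f"{pw!r:34} {bits:6.1f} bits  fast: {fast:10.3g} y  slow: {slow:10.3g} y")
```

The passphrase wins on length alone even though it uses only lowercase letters and spaces, and the slow-hash column shows why the hashing scheme on the server side matters as much as the password itself: a stolen hash is only as expensive to crack as the function that produced it.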

Is a password manager a solution?

I think it is not a bad idea to start using a password manager like KeePass. However, the only fear you might have is that the password manager becomes a single point of failure for all your digital accounts. Some security experts do recommend password manager software.

My personal opinion is that we should enable 2FA and biometric authentication on our digital accounts, such as Google Authenticator or other app-based 2FA. Since everything has become crackable, our objective should be: let’s make life harder for criminals.

CyberSecurity: All about the mobile SIM swap attack!

A SIM swap attack (aka SIM intercept attack) is a form of identity theft where someone impersonates your digital life and receives all your text messages etc. on their own SIM. Just to clarify, a SIM swap attack isn’t about swapping your physical SIM.

How does the attacker achieve this?

In the cybersecurity chain, the weakest link is the human factor, and attackers know how easy it is to convince someone. By nature, we trust other people and systems. The way hackers convince a customer representative is called social engineering: pretending to be someone and convincing a person who trusts you to hand over valuable information. With the same technique, a SIM swap can happen. In very simple terms, the attacker pretends to be you and convinces your telecom carrier to switch your number to a new SIM owned by the attacker.

How dangerous could it be?

It is very bad for the victim when all your OTPs, messages etc. are received by someone else. Lots of things could be done; the most dangerous is when an attacker gains access to your bank accounts, credit cards and all other sensitive information that depends on OTPs and messages. A recent example: SIM swap! Man charged after million dollar cryptocurrency theft

What is the solution?

Well, in such cases nothing much can be done except taking extra precautions. There are a few solutions, like app-based two-factor authentication as an alternative to text/message-based authentication. Your bank has two-factor authentication and the OTP goes to your messages; you could instead enable app-based two-factor authentication like Google Authenticator, Authy etc. App-based authentication generates the OTP within the app itself, so someone would need to steal your device to get that OTP.

The problem with app-based two-factor authentication is that it may not be possible with every bank; many still rely on text-based two-factor authentication.

Final Thought

Anything linked to your banking system needs security. If any single point is vulnerable, the whole thing could be vulnerable. In cybersecurity it is said that every vulnerability is exploitable.

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” 

― Stephane Nappo

CyberSecurity: EMV-enabled credit cards do not stop fraud!

State Bank of India asked its customers to get rid of their conventional swipe cards and replace them with EMV-enabled chip cards. EMV chips are considered safer and are meant to prevent credit/debit card fraud.

FYI: EMV stands for ‘Europay MasterCard Visa’, while PIN is an acronym for personal identification number.

Purpose of EMV

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant’s point-of-sale terminal. EMV is meant to replace conventional swipe transactions that rely on magnetic stripes, which contain data that is relatively easy for criminals to intercept and then copy on to a new card.

Reality of EMV

A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology.

This represents a major setback for the technology, known as the EMV standard, which is named after the companies (Europay, Mastercard and Visa) that created it.

“45.8 million…records [were] likely compromised through card-sniffing and point-of-sale (POS) breaches of businesses such as Saks, Lord & Taylor, Jason’s Deli, Cheddar’s Scratch Kitchen, Forever 21, and Whole Foods. To break it down even further, 90% or 41.6 million of those records were EMV chip-enabled,” states the report.

How is fraud still possible?

While the EMV standard is supposed to ensure that card data cannot be captured, many merchants are failing to properly configure their systems. The problem is that banks and merchants are not configuring their systems correctly and so leave them vulnerable.

What is the use of stolen data?

There are multiple ways cybercriminals use stolen data. The first and easiest is to sell these credit card numbers on the dark web, a market full of criminals that is not part of the public web or apps. The second is to create replicas of these cards and use them to withdraw money.

Reference:

http://fortune.com/2018/11/05/credit-card-chips-fail-to-halt-fraud-survey-says/

Cyber Security: Lessons to be learned

Below is the reference to a paper which is one of the finest papers I have read in recent times. Here is a glimpse of the paper and the reference.

https://www.thirdway.org/report/to-catch-a-hacker-toward-a-comprehensive-strategy-to-identify-pursue-and-punish-malicious-cyber-actors

In this paper, the author argues that the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish cyberattackers.

  1. There is a burgeoning cybercrime wave: A rising and often unseen crime wave is mushrooming in America. There are approximately 300,000 reported malicious cyber incidents per year, including up to 194,000 that could credibly be called individual or system-wide breaches or attempted breaches. This is likely a vast undercount since many victims don’t report break-ins to begin with. Attacks cost the US economy anywhere from $57 billion to $109 billion annually and these costs are increasing.
  2. There is a stunning cyber enforcement gap: Our analysis of publicly available data shows that cybercriminals can operate with near impunity compared to their real-world counterparts. We estimate that cyber enforcement efforts are so scattered that less than 1% of malicious cyber incidents see an enforcement action taken against the attackers.
  3. There is no comprehensive US cyber enforcement strategy aimed at the human attacker: Despite the recent release of a National Cyber Strategy, the United States still lacks a comprehensive strategic approach to how it identifies, pursues, and punishes malicious human cyberattackers and the organizations and countries often behind them.

My takeaway and view:

Despite so many levels of effort by security experts and organizations, and millions of dollars spent on security, it is a pretty scary situation. And the big question that comes to my mind is: what about countries like India, Sri Lanka, Bangladesh and many other developing countries? These countries have not realized the threats yet and do not have the infrastructure to deal with such a horrible situation. However, the cyber threat is real.

China bulldozes all its neighbours, and in the cyber world China is far more advanced than anyone else. They are capable of listening to Mr Trump’s phone calls as well. If the phone of the President of the United States isn’t considered safe, then what can we expect from the technology that many countries are trying to adopt? What if China starts targeting its rivals? Does India have the power to hold its own under such attacks?

Given the situation in the cyber world and the pace of technological advancement, the lesson from all of the above can be learned. I won’t say it is too late for countries like India to learn and adopt technology that is safer to use, or to make organizations keep their services secure. Everything must now be viewed from the security perspective. Every digitalization effort must have security as its first priority.

The Indian government has been very proactive in digitalizing its services; however, many of those services/portals are vulnerable. A lesson must be learned, otherwise it will be very damaging, and developing countries can’t afford that. Good things have been identified, but only on paper so far. For instance, GDPR.

I don’t want to sound like an expert here, but truth be told, Indian IT service companies must learn and realize the threat: make our services more secure and deliver what makes your clients safer. Have security in mind when designing an application. Invest in training; skill newcomers to develop more secure applications. In reality, the issue is more of a mindset than a skill gap. People never understand what information should be exposed or hidden. As long as the application works, it is considered great. Here are a few instances:

  1. A simple example: allowing users to change their password without checking the current password.
  2. Supporting password, email or profile changes through the GET method in a web service.
  3. If you check an application closely, it shows more such insights. I don’t want to review any particular application, but that is how software is developed.
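Points 1 and 2 above are worth seeing side by side. The following is an added example, not code from the original post or from any application it alludes to: a framework-free password-change handler in its weak form (any HTTP method accepted, no current-password check) next to a hardened form that requires POST, a per-session CSRF token, the current password, and a minimum length for the new one. The request and user objects, the PBKDF2 iteration count and the 12-character minimum are constructed values for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Request:
    """Constructed stand-in for a web request: method, form/query params, logged-in user."""
    method: str
    params: dict
    user: User
    session_csrf: str = ""   # CSRF token stored in the server-side session


ITERATIONS = 50_000  # example value only; tune upward for production hardware


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_user(name: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt))


def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def set_password(user: User, new_password: str) -> None:
    user.salt = os.urandom(16)            # fresh salt on every change
    user.pw_hash = hash_password(new_password, user.salt)


# --- Weak handler (points 1 and 2): any method, no current-password check ---
def change_password_insecure(req: Request) -> str:
    # A GET request puts the new password in URLs, proxy and server logs and browser
    # history, and a link or image tag can trigger the change from another site.
    new = req.params.get("new_password")
    if not new:
        return "400 missing new_password"
    set_password(req.user, new)
    return "200 password changed"


# --- Hardened handler ---
def change_password_secure(req: Request) -> str:
    if req.method != "POST":
        return "405 method not allowed"           # state changes never ride on GET
    token = req.params.get("csrf_token", "")
    if not req.session_csrf or not hmac.compare_digest(token, req.session_csrf):
        return "403 bad csrf token"
    current = req.params.get("current_password", "")
    new = req.params.get("new_password", "")
    if not check_password(req.user, current):
        return "403 current password incorrect"   # a hijacked session cannot lock the owner out
    if len(new) < 12:
        return "400 new password too short"
    set_password(req.user, new)
    return "200 password changed"


if __name__ == "__main__":
    alice = create_user("alice", "old-password-123")
    print(change_password_insecure(Request("GET", {"new_password": "whatever"}, alice)))
    bob = create_user("bob", "old-password-123")
    print(change_password_secure(Request("POST", {"current_password": "old-password-123",
                                                   "new_password": "brand-new-pass-456",
                                                   "csrf_token": "t0k3n"}, bob, "t0k3n")))
```

The current-password check is the one that point 1 is about: with it in place, an attacker who only has a stolen session cookie cannot convert that into a permanent takeover, and the legitimate user keeps the ability to log in and recover. The same pattern applies to email and profile changes from point 2.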

Final words: Keep yourself aware of things which could impact you directly or indirectly.