Cyber Week in Review: Retail Gift Cards, CeX & WikiLeaks

week in review

Each week we bring you some of the biggest news in the cyberverse, well, at least in cyber attack news. This week, most of the public news focused on natural disasters: fires in the west and hurricanes in Florida, captivating audiences well beyond the spirals of the United States.

But how about we take a little breather from the stifling world of mother nature’s wrath, and instead take a gander at the disasters human beings execute at a distance, the recent cyber attacks around the globe? It puts it all in perspective–the great big world and the tiny little computers that connect it. Here’s this week’s cyber week in review.

No Gift Like the Present

Gift cards provide a wonderful, choose-your-own gift, more appropriate than handing someone cash, gift option. They come with a warning, “Treat this like you would cash,” because should you drop or lose it, the person to find it has the remaining cash value. If only it were as simple as dropping it on the ground or losing it in the sock drawer, though.

For years white hat hackers have warned retailers about insecure gift cards. Left out on displays, they often have exposed sequential numbering systems or only a few unique digits, subject to easy brute force hacking on their card value verification sites. What’s more, hackers may track gift cards, waiting for it to be activated, but then ready to steal the value the moment you do so. A presenter at the recent ToorCon (hacker conference in San Diego), demonstrated these and other techniques for audience members. The solutions?

  • Scratch-off numbering, invisible until purchased
  • Sophisticated CAPTCHAs on sites to prevent brute-force hacking
  • Randomized numbers, never sequential

Since all of these techniques already exist, the implementation should be as simple as printing money.

Slightly Used

Speaking of gifts, if you’ve bought or sold new or gently used games or movies, you’ve probably heard of CeX, the online electronics selling spot. Well, good news and bad news. Which do you want first? Let’s go with the good news.

The good news is, if you’ve never heard of CeX, then you can’t have had your personal information stolen. The bad news is if you’ve used CeX the personal information of up to 2 million users got stolen. The data breach included names, addresses, email addresses, phone numbers, and even credit and debit card numbers (in encrypted form, but those encryptions can be hacked). That means that if you do use CeX, it’s time to change your password. (If you were potentially affected, you would have gotten a notification from the company, so there’s some more good news).

The Good, the Bad, and the Wiki

Speaking of good and bad news, WikiLeaks had some. The Julian Assange-backed site had a bit of a hijack embarrassment: OurMine apparently breached their main page and posted a message on it, to the tune of, “You challenged us to hack you.” The only thing is, it wasn’t exactly a hack. So there’s the good news. You’d think a leak-site would have excellent security, and indeed they appear to.

Instead, it’s a case of “DNS-poisoning,” coming at the site from one or more of their hosting servers and simply redirecting traffic. The effect can be fairly convincing, to anyone redirected, but the security of WikiLeaks wasn’t impacted. We’ll call that one a point for Assange and crew.

No Time Like the Present

As the world spins and hurricanes and fires wage, we’ll keep tracking current cyber attacks. It takes more than downed trees and localized power outages to halt the cyberverse. Until next week, enjoy the headlines (but stay out of them).

Leave a Reply