Israel Hackers Counterhack and Steal Saudi Credit Cards

On Saturday a pro-Palestinian hacker, who seemed to be from Saudi Arabia, leaked thousands of Israeli credit cards stolen from websites frequented by Israeli shoppers.

Israeli officials denounced the leak, and compared the theft to terrorism. According to Reuters, Israeli Deputy Foreign Minister Danny Ayalon stated in a speech that the attacks were “a breach of sovereignty comparable to a terrorist operation, and must be treated as such,” and “Israel has active capabilities for striking at those who are trying to harm it, and no agency or hacker will be immune from retaliatory action.

Reports have surfaced that the hacker was actually from Mexico, not Saudi Arabia. And also that Ayalon’s personal website was re-directed after his speech to point to an Islamic website that stated through Google Translate, “We declare war in cyberspace, do not be afraid of these monkeys.”

In a tit for tat type move, Ynetnews.com news just released a report stating that Pro-Israeli hackers breached Saudi shopping sites and that they have thousands of Saudi credit cards and personal information. “If the leaks continue, we will cause severe damage to the privacy of Saudi citizens,” one of the Israeli’s stated.

But it does not sound like the Israeli group will stop with just the credit card counter hack. “We could not stay silent after the pompous boasting of the Saudi hacker. A few Israeli hackers came together and decided on various responses for each cyber activity that would be carried out against Israel, including responses beyond the cyber world.”

He added that they would counterattack in the cyber realm for any terrorist attack against Israel, “If a terror attack were to take place, we will make every effort to publish the terrorist’s personal details and those of his family.”

I am a staunch supporter of Israel, but in this feud with continuous attacks and retaliations, one has to ask, when does it end?

Advertisements

Pulling Passport, Drivers License and Credit Card Info from Thin Air

Can your ID be stolen by just walking past a hacker?

… According to the Identity Theft Resource Center, the Smart Card Alliance states that: “the financial payments industry has designed multiple layers of security throughout the traditional credit and debit payment systems to protect all parties involved in the payment transaction.” For contactless payments (RFID), the financial industry uses added security technology, both on the contactless device (RFID card), as well as in the processing network and system to prevent fraud.”

The article goes on to state that Industry standard encryption, Authentication, Confidentiality and Control are some of the security measures being used to protect your identity. But how well does this added security work?

Well, here is where things get really murky. You have some authorities claiming that contactless credit cards are safe, but you have others showing that they clearly aren’t.

Even Mythbusters has been caught up in the drama. In 2008, they were going to do a show on RFID, but caved in from external pressure not to do the show. Then, later they released a statement that they were not pressured to cancel the show.

In December of 2010, WREG, Channel 3 news in Memphis decided to put this to the test. In just one hour, Walt Augustinowicz (of Identity Stronghold) armed with a netbook computer and a wireless card reader he bought online for under $100 patrolled Beale Street looking for volunteers. He had 20 people volunteer to be scanned and of these, he was able to read the account number and expiration date of 5 people who carried RFID enabled credit cards…

Selection of an article written for The Office Survivalist, continue reading here.

Looks like Chris Paget has done a lot of research into this issue. Apparently the record for reading one of these chips is over 200 feet, and theoretically could be read from over a mile. For more info check out Chris’s Blackhat video “Extreme Range RFID”:

And Chris’s appearance on FoxNews:

Apparently, the security code on the back of the credit card is one of the saving graces. This is not transmitted wirelessly with the account info. But not all companies require this for a purchase. Most credit cards offer full refunds for fraudulent purchases and as far as is known, this technique has never been used to actually steal information.

It would seem hackers prefer databases that store thousands of credit card numbers compared to walking around and waving a RFID reader around people’s butts after a football game.

RFID blocking sleeves and wallets are available that prevent these signals from being read remotely. You can also ask for non-RFID credit cards from your bank. Passports have blocking material in the cover and currently only a few states issue RFID enabled cards.

Psst, Hey Buddy Want a Password? Only 15 Cents!

How much is your password worth? Well, would you believe as low as 15 cents? 50,000 stolen iTunes passwords went up for auction on a Chinese auction site for anywhere from 15 cents to 30 dollars:

Roughly 50,000 Apple iTunes accounts stolen by hackers are said to be for sale on China’s largest auction site.

The accounts are available on TaoBao.com, the Chinese equivalent of eBay, for prices ranging from about 15 cents to $30 each, China’s Global Timesreported Thursday. Potential buyers are being promised access to seven times the purchase price in movies and music. The only restriction is that the buyer conduct all downloads within the first 24 hours of buying the illegal account.

Big deal, you say, so they can access my music, who cares?

The problem is many people use the same username and password for several accounts. So for 15 cents a hacker might theoretically access your e-mail, online stores, financial sites, etc. This really stresses the importance of using different passwords for each site that you login to.

This really begs the question, should our network security be based on passwords alone? In a previous article, How Much is Your Password Worth?, I showed that people would actually give away their password for a pen or chocolate. Some just gave them away for free! 

And lastly, should you depend on websites that you give personal data to, to protect your information? Do sites, like iTunes, mask your credit card numbers when you view your account page? You wouldn’t want to give out your credit card for 15 cents would you?