    Coinbase sends out breach notification letters after 6,000 accounts had cryptocurrency stolen

    Coinbase is sending out breach notification letters to thousands of users after they discovered a “third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform.” First reported by The Record, the letters say at least 6,000 Coinbase customers had funds removed from their accounts.

    “In order to access your Coinbase account, these third parties first needed prior knowledge of the email address, password, and phone number associated with your Coinbase account, as well as access to your personal email inbox. While we are not able to determine conclusively how these third parties gained access to this information, this type of campaign typically involves phishing attacks or other social engineering techniques to trick a victim into unknowingly disclosing login credentials to a bad actor,” Coinbase told affected customers in the letter.

    “We have not found any evidence that these third parties obtained this information from Coinbase itself. Even with the information described above, additional authentication is required in order to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account. Once in your account, the third party was able to transfer your funds to crypto wallets unassociated with Coinbase.”

    Coinbase has faced significant backlash and criticism since a groundbreaking report from CNBC this summer found that thousands of people had suffered from similar account takeovers and saw money vanish from their accounts.

    When they contacted Coinbase for help, they were either ignored or hit with flippant responses that it was not the company’s fault they lost money. For some time Coinbase had no customer service at all. One couple, Mindaugas and Loreta from Horsham, Sussex, UK, lost more than $20,000 in a Coinbase phishing scam. The two said scammers pretended to work for Binance and Coinbase before breaking into the couple’s account and transferring their cryptocurrency to a private wallet.

    The couple contacted researchers with CyberNews for help after their attempts to get help from Coinbase were ignored. “At first, we thought it might be some kind of mistake or a glitch. But since their knowledge base had no option that covered any bugs or glitches, we decided to inform Coinbase that my husband’s account has been compromised. But all we got back was a password reset request,” Loreta said.

    The scammers doubled down on the attack, sending them a password reset for the Binance platform, where the couple also had purchased cryptocurrency. The scammer called the couple to gain their account information for Binance.

    “He said ‘We see that you have an account at Binance and since Coinbase and Binance are sister companies…’ And that’s when I saw he was trying to dupe us. Next thing I hear, he’s telling us to prove our identity either by transferring £5,000 from our Binance account to Coinbase or by giving them our Binance authentication code so that they can transfer the missing £15,000 to my husband’s Binance account,” Loreta said, noting that after this incident they called the police.

    “We’re still waiting for an answer. And since ‘only’ £15,000 was stolen, we’re not very hopeful that the police will do anything about it. Right now, all we hope for is that Coinbase takes a hard look at their security procedures and improves them so that situations like ours don’t happen to others.”

    Edvardas Mikalauskas, senior researcher at CyberNews, told ZDNet that through investigating the case of the couple, they found that the cryptocurrency had been laundered through a series of wallets that made it impossible to figure out where they went.

    Mikalauskas said hundreds, if not thousands, of cases like Mindaugas’ occur every day and noted that while crypto wallets are unlikely to have the same robust security procedures as a bank, Coinbase could introduce better suspicious or malicious behavior detection techniques and more robust measures to protect user accounts.

    “For example, banks commonly use AI to spot malicious behavior and automatically block transactions that look suspicious, then contact the customer for verification. These threat detection techniques should then be supplemented with better customer support relating to account breaches and takeovers, to help customers deal with the issues that result from a scam,” Mikalauskas said. “I wish Coinbase had a protection system in place to refund the lost crypto.”

    In its breach notification letters, Coinbase said it has updated its SMS Account Recovery protocols so that the authentication process cannot be bypassed. For the 6,000 US victims referenced in the letter, Coinbase said it would be depositing funds into their accounts equal to the value of the currency removed from their account at the time of the incident. “Some customers have already been reimbursed — we will ensure all customers affected receive the full value of what you lost. You should see this reflected in your account no later than today,” Coinbase said.

    But in addition to the cryptocurrency that was stolen, Coinbase said the cybercriminals who accessed the accounts also saw personal information like names, email addresses, home addresses, dates of birth, IP addresses for account activity, transaction history, account holdings and balances.

    Some accounts may have had information changed as well, Coinbase admitted. They have set up a phone support line at 1 (844) 613-1499 to help those who may have questions. They will also provide free credit monitoring for an undisclosed amount of time for those affected. Coinbase noted that it is still investigating the incident and is speaking with law enforcement about the issue.

    US Army medical records technician sentenced for stealing $1.5 million from veterans through DoD benefit sites

    The Justice Department has sentenced a former medical records technician for the US Army after he was caught accessing personal information from US veterans and using the data to steal millions from benefits sites. Fredrick Brown, a 40-year-old from Las Vegas, was sentenced to more than 12 years in prison after pleading guilty to conspiracy to commit wire fraud and conspiracy to commit money laundering charges. Brown’s actions led to $1.5 million in losses after he targeted more than 3,300 members of the US military community through a multinational fraud ring. Brown worked with four other people to defraud both service members, their dependents and civilians employed by the Department of Defense.

    As a civilian medical records technician and administrator with the US Army at the 65th Medical Brigade, Yongsan Garrison in South Korea, Brown admitted to stealing names, Social Security numbers, military ID numbers, dates of birth and contact information for thousands of military members between July 2014 and September 2015.

    While logged into the base’s electronic health records database, he took photos of his computer screen and sent the photos to Robert Wayne Boling Jr., who was based in the Philippines. From there, Boling Jr. and others used the information to access DOD and Veterans Affairs benefits sites and steal millions of dollars.

    “Rather than honoring those servicemembers and veterans who sacrifice for them, the defendant and his co-conspirators targeted and stole from these brave men and women in a years-long fraud scheme. Such conduct is an affront to the United States and will not be tolerated,” said the Justice Department’s Brian Boynton. US Attorney Ashley Hoff noted that many of those targeted in the scheme were disabled or elderly because they receive more service-related benefits.

    In addition to his prison sentence, Brown was ordered to pay $2,331,639.85 in restitution. The Justice Department said 34-year-old Trorice Crawford had also been charged in 2020 in connection to the crime.

    White House to convene 30-country cybersecurity meeting

    The White House plans to convene a 30-country meeting this month to address cybersecurity, President Biden said in a statement Friday. The topics of the meeting, Biden said, will include combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, building trusted 5G technology and better securing supply chains. “We are bringing the full strength of our capabilities to disrupt malicious cyber activity, including managing both the risks and opportunities of emerging technologies like quantum computing and artificial intelligence,” Biden said. The first cybersecurity meeting will be held virtually, CNN reports. The meeting follows a series of dramatic cybersecurity incidents over the past year, including the Colonial Pipeline ransomware attack that shut down gas and oil deliveries throughout the southeast, the SolarWinds software supply chain attack and an extensive hack on Microsoft Exchange servers.

    Following the Kremlin-backed SolarWinds attack, cyber attacks became a major part of talks between Biden and Russian president Vladimir Putin over the summer. In late July, Biden said that a major cyber breach could lead to “a real shooting war.”

    In addition to mobilizing multi-national cybersecurity initiatives, the Biden administration has taken steps to improve cyber resiliency domestically. “The Federal government needs the partnership of every American and every American company” to address cybersecurity, Biden said Friday. “We must lock our digital doors — by encrypting our data and using multifactor authentication, for example — and we must build technology securely by design, enabling consumers to understand the risks in the technologies they buy.”

    Back in August, Biden secured promises from major tech companies, such as Google, Apple and Microsoft, to spend significant sums improving the nation’s cyber resiliency. In May, the president issued a cybersecurity executive order requiring federal agencies to modernize their cyber defenses. The Biden Administration earlier this year also launched a 100-day initiative to improve cybersecurity across the electric sector.

    Mozilla: Superman, Batman, Spider-Man dominate list of passwords leaked in breaches

    Superhero-based passwords are increasingly showing up in datasets of breached information, according to a new blog post from Mozilla.

    Mozilla used data from haveibeenpwned.com to figure out the most common passwords found in breached datasets. Superman showed up in 368,397 breaches, Batman was featured in 226,327 breaches and Spider-Man was found in 160,030 breaches. Wolverine and Ironman were also seen in thousands of breaches. “A password is like a key to your house. In the online world, your password keeps your house of personal information safe, so it’s important to make sure it’s strong,” a Mozilla spokesperson said.

    The blog is a follow-up to another Mozilla report about the popularity of passwords related to Disney princesses, particularly for users of the Disney+ streaming service. Due to the prevalence of breached account details on the dark web, a number of companies are beginning to turn to password-less systems. Last month Microsoft extended its passwordless sign-in option from enterprise customers that use Azure Active Directory (AAD) to consumer Microsoft accounts on Windows 10 and Windows 11 PCs.

    Vasu Jakkal, Microsoft corporate vice president of the Microsoft Security, Compliance, Identity and Management division, said that nearly 100% of the company’s employees are passwordless. “We use Windows Hello and biometrics. Microsoft already has 200 million passwordless customers across consumer and enterprise,” Jakkal said. “We are going completely passwordless for Microsoft accounts. So you don’t need a password at all.”

    Some services are also turning to two-factor or multi-factor authentication as a way to avoid the use of passwords.

    Internet safety guide for college students

    Corporations invest billions into protecting private data. Globally, the cybersecurity services market brought in $173 billion in 2020. However, cybersecurity isn’t only a concern for government agencies and major corporations. Hackers and scammers also target individuals, including college students. Fortunately, college students can protect their private data and improve their internet safety without a corporate-sized budget.

    This internet safety guide walks through the steps you can take to improve your data security and protect your private data. From identifying red flags to avoiding common scams, college students can often avoid online threats for free.

    Why is cybersecurity awareness important?

    Internet safety matters––particularly for college students. Take identity theft, for example. Victims of identity theft may see their credit score tank. That can make it harder to qualify for an apartment, apply to certain jobs, or take out a car loan. And bad credit can follow students for years after graduation.

    College students need to prioritize cybersecurity awareness. By taking a few simple steps, students can protect their private data and decrease the chances of falling for a phishing scam, putting private information at risk, or becoming the victim of identity theft.

    Why hackers target college students

    Hackers target college students because of their unique vulnerabilities. For example, scammers focus on college students because of their social media use, lax monitoring, and poor cybersecurity awareness.

    Social media use: College students tend to include a large amount of personally identifiable information on social media. Hackers can use this information to guess passwords or the answers to common security questions.

    Lax monitoring: For many people, college represents the first time they open credit cards or manage their own bank accounts. And some college students fail to keep a close eye on their finances. That means they miss fraudulent charges. Similarly, college students might not check their credit report or find out if scammers stole their identity.

    Poor cybersecurity awareness: College students, like everyone else, worry about data theft. But most Americans fail to follow safety practices to secure their information. Many simply see data breaches and cyberattacks as an unavoidable fact of modern life.

    Common online threats towards college students

    College students face many of the same online threats as the general public, including phishing scams and fraudulent shopping sites. However, certain scams target college students. This section introduces the common online threats that college students face.

    Phishing

    A phishing scam tricks people into revealing private data or downloading malware. Many criminals target colleges with phishing scams because college email addresses often follow a predictable format that includes the student’s name. Students might receive emails that look official and ask them to confirm personal data or messages claiming they won a prize or lottery and must click on a link to claim their prize. These scams harm millions of victims every year.

    Fraudulent shopping sites

    Fake shopping sites trick students into entering their personal information, including credit card numbers. And fraudulent shopping sites target more than your data. Some send products that may be unsafe.

    College students are vulnerable to fake shopping sites because these criminals target students. Fake sites might be advertised on social media that targets students. These sites often look legitimate because they steal product photos to imitate real online shopping sites.

    Job scams

    College students invest a lot of time into looking for jobs. But criminals use fraudulent job postings to capture private information. These job scams convince students to enter their Social Security number and other data. Some scammers even reach out with unsolicited job or interview offers. However, these scams are actually phishing attempts disguised as job postings.

    Students should watch out for warning signs of a fishy job posting. A very high guaranteed salary, very low job requirements, or a demand that applicants pay a fee for their interview can indicate a scam.

    Romance fraud

    Social media and dating website fraud can trick students into providing personal information or sending strangers money. Romance frauds hook students through catfishing, where scammers pretend to be someone else online. These scammers may spend weeks or months building an online relationship with college students before asking for money or personal information. Students can protect themselves from romance fraud by limiting the information on their profile and using a throwaway email address.

    Reporting cybersecurity threats

    If you identify a cybersecurity threat, report it to your college’s IT department or information security office. Most colleges provide information about how to report a threat and what to include in your report.

    What if you fall for a scam or criminals steal your identity? You can protect yourself in several ways. First, report cybercrimes to law enforcement. Filing a police report can also help you recover money and protect your identity. Second, notify your financial institutions and freeze your accounts. Your bank can help you cancel your credit cards or take additional steps. Finally, notify credit reporting agencies and monitor your credit to remove any fraudulent reports.

    Tips and tricks for avoiding hackers

    College students can take simple steps to avoid hackers and protect their privacy. From spotting red flags to avoiding unsecured wifi networks, here are some easy tips and tricks to make your data safer.

    Learn phishing red flags

    Hackers use phishing scams to trick people into sharing private data. In one of the most common phishing scams, hackers claim to be from a reputable company, including government agencies. Their emails ask people to enter private information, like their birth date, Social Security number, or credit card number. Hackers then use that information to steal someone’s identity.

    You can avoid phishing scams by looking for red flags, including incorrect grammar or spelling, fake-looking URL or email addresses, or high-pressure attempts to convince readers to click on a link. And phishing goes beyond email––watch out for phishing attacks on social media, by phone, and through text message.

    Use caution when shopping online

    Some scammers use fake online shopping deals to trick people into entering credit card information. Instead of jumping on a deal that sounds too good to be true, take a few steps to verify the seller. Reviews posted on third-party sites such as the Better Business Bureau might indicate a scam. Using a debit-type gift card can also protect buyers from risking their credit score by falling for an online shopping scam.

    Install antivirus software

    A computer virus can destroy your data and disable your computer. Antivirus software identifies malware and other viruses to prevent your devices from becoming corrupted. You can protect yourself by installing antivirus software from a trusted company like Norton or McAfee. In addition to using antivirus protection on your laptop or desktop, consider installing antivirus software on other devices connected to the internet, including your cell phone and tablet.

    Follow password best practices

    A strong password can prevent hackers from accessing your private data. Instead of reusing the same password on multiple platforms, use unique passwords to avoid damaging data breaches. Fortunately, you don’t need to remember every single password. Instead, use a password manager to keep track of your passwords.

    Set up two-factor authentication

    Two-factor authentication adds an extra layer of security. Instead of simply logging in with a username and password, users must authenticate their identity through a second source, such as a code sent to their cell phone or an email link.

    Change your password after a breach

    Data breaches can compromise your passwords. And most people do not change their password after a data breach. By changing your password, you can prevent hackers from accessing private data. The site Have I Been Pwned lets people check whether a data breach has affected their accounts.

    Beware of unsecured wifi

    Unfamiliar and unsecured wifi can put your data at risk. Cybercriminals can access these networks to steal your information. Many colleges offer unsecured wifi access on campus.

    How can you avoid unsecured wifi? First, choose a secured network if possible. Second, reduce your potential exposure by using a VPN on an unsecured network. Finally, avoid entering personal data like credit card information while using an unsecured network.

    Add physical protection

    Antivirus software, VPNs, and password managers protect your data from online intrusions. But you should also protect the physical safety of your devices. That means using passcodes to access your devices and protecting your devices from theft. Avoid leaving devices unattended on a college campus or in any other public space. Use a cable lock on your laptop, put it away when not in use, and lock your dorm room or car.

    Take care on shared computers

    College students often use shared computers to write papers, conduct research, or search the internet. But computers available to the public in the campus library and computer lab do not have the same protections as private computers. You can protect your data on shared computers by not saving passwords and clearing your browser history. Use caution when making online purchases or logging into accounts with private data through a shared computer.

    What are key threats to student safety in online learning environments?

    Students in online learning environments must protect themselves against threats like cyberbullying, ransomware, phishing, and other threats to their internet safety. College students taking online classes should avoid sharing personal information or other forms of student data to protect themselves from identity theft and other cybercrimes.

    Are college networks secure?

    Colleges use security methods to protect their networks. However, many colleges offer public wifi access, which can potentially expose student data. When using a college network, students should implement their own security measures, such as using a VPN.

    How can students stay safe on the internet?

    Internet safety starts with awareness of potential online threats. Students can avoid phishing scams, malware, and other cyberattacks by knowing how to spot a threat. College students should also use secure passwords, avoid inputting personal data on shared computers, and protect their computing devices.

    Neiman Marcus says May 2020 breach includes millions of payment card numbers and expiration dates

    Department store giant Neiman Marcus has announced a data breach involving nearly 5 million customer accounts that included payment card numbers and expiration dates alongside other personal information.

    In a statement, the company said the breach occurred more than a year ago, in May 2020. The company told ZDNet that they only discovered the breach in September 2021.

    Last year, the 114-year-old company filed for bankruptcy and said it owed between $1 billion and $10 billion to more than 50,000 creditors.

    Neiman Marcus said it hired Mandiant to investigate the data breach and has notified law enforcement about what happened. The company said it is still trying to “determine the nature and scope” of the breach.

    “The personal information for affected Neiman Marcus customers varied and may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts,” the company explained.

    “Approximately 4.6 million Neiman Marcus online customers are being notified of this issue. Approximately 3.1 million payment and virtual gift cards were affected for these customers, more than 85% of which are expired or invalid. No active Neiman Marcus-branded credit cards were impacted.”

    The company added that they do not believe any Bergdorf Goodman or Horchow online customer accounts were included in the breach.

    Neiman Marcus said it had created a call center to answer questions about the issue at (866) 571-9725, as well as a website for potential victims.

    Quentin Rhoads, a director at cybersecurity firm CRITICALSTART, theorized that the company waited so long to notify affected customers because of the bankruptcy filing.

    “From a security perspective, it is very dangerous for a company to go this long without detecting and responding to a breach. More damage could have been done that has yet to be discovered. It is also not uncommon for attackers to sell their access to a breached company as part of their revenue-generating plan, which means there might be a chance attackers still have access,” Rhoads said.

    “Even though most of the credit cards and gift cards stolen don’t contain data like pins and CVVs, and are probably expired, the theft of usernames and passwords is concerning. This data more than likely would be sold to other attackers who can use this for crimes such as identity theft in conjunction with the other personal information stolen. The amount of delay from the breach also adds a lot of complexity in discovering exactly what happened. More than likely, critical evidence is no longer present in their systems.”

    The company has a long history of data breaches, including a major one in 2013 that led to the leakage of 1.1 million customer payment cards. Credit-card skimming malware had been implanted into systems in certain stores leading to the breach.

    Neiman Marcus agreed to a settlement in 2019 worth $1.5 million with 43 states after the 2014 incident.

    Password-stealing Android malware uses sneaky security warning to trick you into downloading

    One particularly sneaky piece of malware is trying to trick Android users into downloading it by claiming that their smartphone is already infected with that very same malware and that they need to download a security update.

    The text message scam delivers FluBot, a form of Android malware that steals passwords, bank details and other sensitive information from infected smartphones. FluBot also exploits permissions on the device to spread itself to other victims, allowing the infection chain to continue. While the links can be delivered to iPhones, FluBot can’t infect Apple devices.

    FluBot attacks have commonly come in the form of text messages which claim the recipient has missed a delivery, asking them to click a link to install an app to organise a redelivery. This app installs the malware.

    But that isn’t the only technique cybercriminals are using to trick people into downloading FluBot malware — New Zealand’s Computer Emergency Response Team (CERT NZ) has issued a warning over scam text messages which claim the user is already infected with FluBot and they need to download a security update.

    After following the link, the user sees a red warning screen that claims “your device is infected with FluBot malware” and explicitly states that FluBot is Android spyware that aims to steal financial login and password data.

    At this point, the device is not actually infected with anything at all, but the reason the malware distributors are being so “honest” about FluBot is because they want the victim to panic and follow a link to install a “security update” which actually infects the smartphone with malware.

    This provides the attackers with access to all the financial information they want to steal, as well as the ability to spread FluBot malware to contacts in the victim’s address book.

    FluBot has been a persistent malware problem around the world, but as long as the user doesn’t click on the link, they won’t get infected. Anyone who fears they’ve clicked a link and downloaded FluBot malware should contact their bank to discuss if there’s been any unusual activity and should change all of their online account passwords to stop cybercriminals from having direct access to the accounts.

    If a user has been infected with FluBot, it’s also recommended they perform a factory reset on their phone in order to remove the malware from the device.

    It can be difficult to keep up with mobile alerts, but it’s worth remembering that it’s unlikely that companies will ask you to download an application from a direct link — downloading official apps via official app stores is the best way to try to keep safe when downloading apps.

    iOS 15: Ultimate privacy and security

    iOS 15 brings several new security features to the iPhone. But ultimately, the security of a device is in the hands of the owner, who can choose to bolster that security or weaken it. Here’s what you need to know to make your iPhone a harder target for hackers and thieves. Note that these settings also mostly apply to the iPad.

    The basics

    First off, everything starts off with the basics. These haven’t changed in years.

    • Use a strong passcode using Custom Alphanumeric Code (if this is easily guessable, it’s game over). If you think someone knows your passcode, change it. Go to Settings > Face ID & Passcode (or Touch ID & Passcode).
    • Turn on Face ID/Touch ID.
    • Turn on screen Auto-Lock. Go to Settings > Display & Brightness and tap Auto-Lock and set to 30 seconds or 1 minute.
    • Make sure iOS is up to date. Go to Settings > General > Software Update and make sure Automatic Update is enabled.
    • Keep all your apps updated. Go to Settings > App Store and make sure App Updates are enabled.

    Keep an eye on apps that might be spying on you

    A new feature in iOS 15 is the ability to log what apps are up to on your iPhone. The feature is called Record App Activity, and this allows you to get a log of when an app accesses one of the following:

    • The user’s photo library
    • A camera
    • The microphone
    • The user’s contacts
    • The user’s media library
    • Location data
    • Screen sharing

    To enable this feature, go to Settings > Privacy and then scroll down to find Record App Activity.

    Built-in authenticator

    iOS 15 brings an end to having to fire up a third-party two-factor authenticator app. Now Apple has built one right into iOS, and better still, it can even autofill the information for you. Go to Settings > Passwords, and then for each password entry, you can tap on it to get access to an option called Set Up Verification Codes… which allows you to enter the information required either using a setup key or QR code. Using a two-factor authenticator is far more secure than relying on SMS messages, so you should use this feature — either using Apple’s authenticator or another app — to get the highest security.

    Hide your IP address from trackers

    Safari can now cloak your IP address from trackers on websites, making it pretty much impossible for your browsing to be logged. Go to Settings > Safari and set Hide IP Address to From Trackers.

    Secure your browsing

    If you have an iCloud+ subscription, Apple has just given you a great reason to use the Safari browser — iCloud Private Relay. This is like a VPN in that it sends your web traffic through other servers to keep your location secret. To enable iCloud Private Relay, you’ll need an iCloud+ subscription. Then go to Settings, and at the top, tap your name and then go to iCloud and enable Private Relay.

    Put a stop to email trackers

    Protect Mail Activity is a feature built into the Mail app that prevents people from knowing if emails have been opened. To enable this feature, go to Settings > Mail, tap on Privacy Protection and enable Protect Mail Activity. If iCloud Private Relay is a good reason to switch to Safari, then this feature is a good reason to switch to Mail.