How Attackers Will Use Epsilon Data Against You

Trailrunner7 writes "What might the criminals who broke into Epsilon do with the email lists they have? The easiest thing to do is to sell these data sets on the black market or, potentially, to competitors of victim firms. According to the latest data from data-breaches.net, totals are up to 57 customers including credit card providers with branded cards — Visa (notices sent for at least 3 cards), the World Financial Network National Bank (12 cards) and Citi (3 cards). The criminals may make some money there and re-invest it into technology or services for other efforts. Once an attacker has gained a foothold on one or more systems used by their mark, they can begin harvesting credentials. The frequency with which average consumers use the same username/password combination across multiple sites is such that such information could lead to accessing other potentially-existing accounts on high-profile social networks."

Grab a bag of popcorn, and watch the fun.

[countertrolling]

Always good for a laugh to us 'third world' savages. Where's your 'privacy policy' now, eh?

Re:Grab a bag of popcorn, and watch the fun.

[grub]

Always good for a laugh to us 'third world' savages. Where's your 'privacy policy' now, eh?

Glad to see the OLPC project is working out for you!

Re:Grab a bag of popcorn, and watch the fun.

[countertrolling]

My "OLPC" is a 14 year old Toshiba 445CDT.. with its original battery that still holds a charge for a full hour*. Damn thing cost 2,700 bucks. A real bargain actually. However, for now, I'm on a 'new' 7 year old mac mini. My house is like 'animal rescue', for computers and parts.

*In case you're interested, it's the number of cycles that matter.

VISA Hit?

[syntap]

Visa (notices sent for at least 3 cards), the World Financial Network National Bank (12 cards) and Citi (3 cards)

I have not yet seen notes that VISA itself was hit. Banks that use VISA's services may have been, but the article is lumping the network/transaction processor with the banks. It is possible to be a customer of VISA for other purposes, which surprises me that the article is claiming they were independently hit, that is news here.

Re:VISA Hit?

[blair1q]

They weren't hit. They were clients of the mass-mailing service that got hit. If you were on Epsilon's list under Visa, Epsilon notified Visa that you were exposed. Visa then should have notified you.

I got 4 separate notifications, but I suspect that's not all.

I've tried to get Epsilon to give me a full list of what companies using their service have my email address, but, in phenomenal wanker fashion, they refused, citing "privacy" and "security".

Re:VISA Hit?

[AmiMoJo]

I just got my notifications but for some reason gMail classified them as spam:

Dear amimojo,

We have detected a Data Breech on our main server and your card details may have been stolen. Please log in to the VISA web site to confirm your card details by clicking the link below so we can confirm you are NOT a victim:

http://21343.ru/HTTP://VISA.COM/checkings.php (VISA OFFICIAL WEB SITE (RECOMMENDED))

I also got this one from a kind and helpful Visa employee:

Dear Kind and most Blessed Sir,

My name is James Mudac and I am writing to you from the offices of Visa Nigeria. We have recently learned of a serious loss of your personal datas and I am writing to you in the sincear hope that I can help you recover your datas on this day. Please would you forward me a copy of your passport and birth certificate and the numbers on your credit card so that I am check them for you.

Please accepting my most humble appologies for this terrible crime that has happened to you. We will be depositing monies to the value of $25,000,000 (TWENTy FIVE MILLION DOLLARS) into your account to reimburse you for your losses and unfortunately consequences.

I hope you will be writing to me soon so that I may help you in this difficult time in my country.

Passwords not compromised

[Relayman]

Who said anything about passwords being compromised? My e-mail address is now public. Big whoop, it has always been public. If the "public" (don't include me) uses the same password for their checking account as they do their email, shame on them.

Re:Passwords not compromised

[Sleuth]

Err, and how would my credit card company get my email password? This article is rather silly...

Re:Passwords not compromised

[gstoddart]

Who said anything about passwords being compromised?

Not as part of this breach, but as a possible consequence.

Bad guys get your email, name, and a couple of other things. Bad guys do a very targeted phishing exercise, and scam you into giving up credentials for one service. Bad guys then could potentially rely on the fact that people reuse passwords, and get into several other sites.

Depending on the uniqueness of your first/last name combination ... there might actually be enough information in there to actually identify you in the real world.

You know, the things that TFA are actually saying.

Re:Passwords not compromised

[Relayman]

Agreed. But any of this can happen any time someone sees my email address. Every time my friends' computers gets hacked, the hacker downloads his/her address book and gets my email address. The Epsilon disclosure doesn't make me any more vulnerable than before. There is no story!

Re:Passwords not compromised

[element-o.p.]

Maybe, but that would be a possible consequence of my e-mail being stolen *AND* me being stupid -- not just a possible consequence of my e-mail addy being compromised.

I'm not going to give you my credentials just because you ask for them in an e-mail. In fact, the first thing I do when I get an e-mail that looks at all suspicious (and asking me for any personally identifiable information in an e-mail is a sure-fire way to trigger my alarms) is blow open the headers and see where the e-mail came from. Then and only then will I even consider opening up a web browser and going to my bank/other web site *by clicking on my bookmark* (rather than the link in the e-mail) and searching for the web page to update my information.

Hold on -- I just got an e-mail saying I can win ${ITEM_OF_VALUE_TO_ME} by clicking a link...BRB...

Re:Passwords not compromised

The Epsilon disclosure doesn't make me any more vulnerable than before.

Of course it does. They have your email and know with which company you have an account using this email, maybe even specific services you've subscribed to. They can forge a credible-sounding email pretending to be said company or working for them or whatever. The more info you have the more credible a forgery is, the more people will fall for it. The majority of internet users couldn't tell a decent forgery from the real deal.

Re:Passwords not compromised

[John+Hasler]

Maybe, but that would be a possible consequence of my e-mail being stolen *AND* me being stupid...

Thus the majority of users are at risk.

Re:Passwords not compromised

[timeOday]

We know what TFA is actually saying. It's desperately trying to whip up a mountain from a molehill, and not too successfully. It's just email addresses and names.

Re:Passwords not compromised

[isleshocky77]

This is exactly where the risk comes from. I've now been receiving faked emails from a stock company of mine which was compromised. On my phone the email looks entirely credible and I'm not able to check where the link in the email is actually taking me. Once I checked it out on a computer I noticed the link was going to a fake domain rather than to the institution. I'm a web developer and consider myself pretty computer savvy. I also knew about the information being taken and am extremely wary of following an emails. When I think of my dad getting the email from his banking institution which appears completely legit; it scares me.

Re:Passwords not compromised

[zuckerj]

Unfortunately MANY major companies practice procedures that put their customers at risk by sending emails with links. Any official communication from a credible institution should not include ANY links, or phone numbers. They should simply say, please visit our website, or call us via the phone umber printed on your bill or the back of your card. I complain to companies time and again that they are indeed part of the security threat problem and putting their customers at risk. I recently got an email from Bank of America telling me that they saw unusual activity on my Check Card and they gave me a phone number to call. I called the number and the representative starts off the conversation by asking me for my driver's license number! I told him how ridiculous and dangerous their procedures were, and told him I'd not answer any questions without calling back from a known number. Unfortunately, when I called back, I was informed that it was indeed Bank of America and everything was legit. I say unfortunately because it just confirmed my worst fears that a Major institution such as Bank of America, was knowingly putting their customers at increased risk. Also unfortunately, after trying to explain to the representative, for the 3rd time, why this was a dangerous practice, I realized I have better luck educating a brick by banging my head on it. So while you may call victims STUPID for falling prey to these sinister ploys to farm information, it is in fact the companies we trust that are failing us and making our attempts to safeguard our information more and more difficult.

Re:Passwords not compromised

[rsborg]

Who said anything about passwords being compromised? My e-mail address is now public. Big whoop, it has always been public. If the "public" (don't include me) uses the same password for their checking account as they do their email, shame on them.

A username+password is two pieces of a credential set. With many of these services, one of them is now given up (ie, your email). This is just making it easier for criminals to target you (akin to similar attack reducing the key search space in cryptography).

Re:Passwords not compromised

[element-o.p.]

Agreed.

Unfortunately, it's not the call center drone who is going to enact a policy change. That person may very well understand and agree with what you are saying -- and may even complain to his/her boss that this is a stupid practice -- but the odds of it trickling up to the decision maker who has the power to enact a change is virtually nil, because even if the call center drone gets it, chances are the call center manager *won't* and even if that manager does, there's about a hundred thousand layers of middle-management between between that person and the real decision maker.

As if that wasn't reason enough -- and it is -- there's the fact that it is quite simply easier for the bank to write off the losses caused by such insecure practices than it is to create policies that provide *real* security. It's all about CYA -- show that you are complying with your SoX/PCI/other-TLA policies and you're good, even if in the real world, your policies suck.

Re:Passwords not compromised

[John+Hasler]

> ...the companies we trust...

Speak for youself.

Re:Passwords not compromised

[Chris+Mattern]

Bad guys do a very targeted phishing exercise, and scam you into giving up credentials for one service

I don't give my passwords to anybody, ever. If Jesus Christ came down and asked for my passwords, he wouldn't get them, not even if he walked on water.

Re:Passwords not compromised

[slick7]

We know what TFA is actually saying. It's desperately trying to whip up a mountain from a molehill, and not too successfully. It's just email addresses and names.

My password is not compromised since I do have an online bank account, and I never will. Secondly, my debit card is on another bank account at another bank. Thirdly, I only write checks to myself thereby eliminating any processing delays. Rarely do I write checks to third parties, but sometimes I do. Yes it's a pain in the ass, yet, my assets are secure from most entities other than the bank and government. Fourthly, I do not discuss my steganographic practices, period!

Re:Passwords not compromised

[steveg]

There is a lot of the time that having a very common name can be a pain in the butt. This is one time I'm glad of it.

My email address gives away my first initial and last name. If someone tries to look me up by that they'll find hundreds with that combo in my town. If they manage to figure out my first name that'll drop it to dozens.

Re:Passwords not compromised

[Relayman]

It sounds like the problem is that your stock company is sending phish messages of its own.

Re:Passwords not compromised

[isleshocky77]

I'm not sure how you got that from my post. I'm saying that most of the users of the internet would not know a phishing message if one came. With these email databases being compromised people trying to phish can now target the specific users of the bank with a relevant message to them that they might normally be used to be seeing and not think twice about following links within.

Re:Passwords not compromised

[cffrost]

Banks do not give a fuck about you. Join a credit union if you want to be treated like a person, instead of an object from which to extract profits.

Re:Passwords not compromised

[tlhIngan]

Problem is, most sites use the "something you know" method of authenticating emails from them to you. E.g., if you get an e-mail from Paypal, Paypal will use your name (as entered in the account) in the email. So if you get one that says "Dear Sir" or somesuch other than "Dear $First $Last", you know it's not a legit email. After all, a phisher won't have your name and email address togethered.

You'll find most sites do that - it's a simple way to verify email authenticity. Now that names-emails mappings have been released, it'll be harder to tell phishing emails from real ones.

They'll sell it to marketers like everyone else

[locallyunscene]

At least that's what it seems like as my emails about the leak came with a bunch of Automotive Insurance emails despite the fact I no longer own a car.

Comment removed

[account_deleted]

Comment removed based on user account deletion

My achaeology discussion account has been hacked!

[ackthpt]

Preposterous claims and counter claims all in my name! It's all over for me, now! My credibility is ruins!

Curse you Epsilon Data Thiefs! >:(

Keep Calm and Carry On

[SSpade]

All that was stolen was names and email addresses. It's not like spammers and other online criminals don't have those anyway.

http://blog.wordtothewise.com/2011/04/epsilon-keep-calm-and-carry-on/

Re:Keep Calm and Carry On

[bberens]

Just a slight correction, it's names, e-mail addresses, AND a business relationship. Now, for example, the hacker might know that my e-mail address is associated with company XYZ and can send me a more targeted phishing attack by pretending to be a representative of XYZ. They could have done that before, but they had no idea whether or not I had any business relationship with XYZ so it would have been a wild guess.

Re:Keep Calm and Carry On

[WrongSizeGlass]

All that was stolen was names and email addresses. It's not like spammers and other online criminals don't have those anyway.

But what they do have now is fisrt & last names along with those email addresses and knowledge that a large group of individuals have accounts at a specific business. They can now target a very specific group with personalized attacks.

Mr. John Smith,
As you are aware StupidBank had some recent security issues. Please login to verify that your username and password have been updated to prevent someone from targeting you for online scams and phishing schemes.

Yours Truly, StupidBank

Re:Keep Calm and Carry On

[poetmatt]

all it takes is one website that requires a name and an email address to reset a password/change email address and/or an easily guessable password and then they're in.

That is, if the user uses the same password as indicated or has an easy to guess password, then there's the ticket to anything and everything.

I got more notifications from the gawker breach (2) than from the Epsilon leak though (0).

Re:Keep Calm and Carry On

[vlm]

They could have done that before, but they had no idea whether or not I had any business relationship with XYZ so it would have been a wild guess.

I've gotten thousands of targeted spam over the years, mostly from companies I do not do business with. I think I've gotten about 10 Citibank phishing emails over the years, at least. I don't have an account there, but... Same thing with bank of america, etc.

Re:Keep Calm and Carry On

[Dachannien]

Even still, I've gotten a lot more spam (not even phishing, just regular craptastic spam) on my e-mail accounts that were affected by this breach.

Re:Keep Calm and Carry On

Strange the URL for stupidbank.com has changed to logginurkeyz-stupidbank.com, I wonder why? Oh well, *click*.

Re:Keep Calm and Carry On

[WrongSizeGlass]

all it takes is one website that requires a name and an email address to reset a password/change email address and/or an easily guessable password and then they're in.

That is, if the user uses the same password as indicated or has an easy to guess password, then there's the ticket to anything and everything.

One of my clients received a personalized TD Ameritrade email scam today. It was a very professional job, including a lot of content from the TD Ameritrade site. The only thing that was out of place were the actual href targets (they weren't TD Ameritrade). I'm filtering client email for companies exposed in the Epsilon breach.

I got more notifications from the gawker breach (2) than from the Epsilon leak though (0).

The Epsilon breach is still very young. When the lists get sold a few hundred (or thousand) times you'll see a lot more from it.

Re:Keep Calm and Carry On

[maxwell+demon]

No, the URL has changed to stupldbank.com ...

fantasy

[Lehk228]

the scenario in TFA could happen, but it's mostly masturbatory super hacker fantasy

these email and name lists will be used for spamming and unsophisticated phishing, "IMPORTANT MESSAGE FROM $COMPANY, you account will be terminated unless you log in here [www.example.ru]"

TFA layed out a scenario where targetted espionage is carried out against targets that are somehow more convenient because you got their email address.

Re:fantasy

[Sleuth]

but it's mostly masturbatory super hacker fantasy
 

That's a fun quote, thank you!

Re:fantasy

[lopaka1998]

Exactly. A few of my accounts got hacked and I got a warning e-mail. One example of this new spam: the last few days I've been getting FaceBook Spam -

Hi, $random_name_here has left you a private message on facebook * A HREF="$hacker_url"* Click here * /A* to log in.

The funny thing - I don't even use Facebook. Shows you what those stupid hackers know!

Re:fantasy

[david_thornley]

There's ads that tell me my registry has problems. Not only don't they tell me how they can tell through NoScript, but they don't tell me whether it's under /usr, /var, or /etc.

Re:fantasy

I got two Phishing emails today. I was notified twice last week about my email and Epsilon. I forwarded the 2 phish emails to the US CERT. They were from news. mondino.de. But they were "about" Skype and Adobe Systerm (I did not add the r) Incorporated. Both wanted me to click a link and download something.

That is pathetic, all my software is automatically update from the client itself. If they want me to click on something they should tell me it is Jessica Alba and Brooke Burke doing some nasty lesbian stuff.

Re:fantasy

$HOME/.wine/userreg.dat

You're welcome!

Weird World we're living in

Shouldn't Visa and other corporate morons pay damages high enough to close them down? And have those money put into schools to raise the educational levels so people will be smart enough not to mess with credits?

Re:Weird World we're living in

[element-o.p.]

...And have those money put into schools to raise the educational levels so people will be smart enough not to mess with credits?

Education != intelligence. Actually, more to the point, wisdom != intelligence.

Brilliant hackers and 'marks'.

I wonder if the 'hacker' used social engineering:
"The final interview question to complete our questions, before we send you your $5 gift certificate, What is your pets' name?"
"Hummm that's hard, let me think, AH! Precious Punkin!"
(sound of typing in the background) as interviewee's work VPN access authenticates with password 'Precious-punkin".
"Thank you so much for your time, your (snigger) $5 gift certificate will be mailed to you. Please wait 7 to 10 work days for delivery!"

Or maybe it was just a lucky guess that "Green Hospital", might have set a setup default password on the VPN as 'greenhospital' and the new VP of elite and creative marketing couldn't think of anything better that was memorable enough to actually remember, so they left the default unchanged.
sigh...

Basic targeting skills.

Most of his techniques, such as "Email addresses are easy to figure out, such as Name.Name@Company.com, will make it so any name on the list can be traced to CEO, then use LinkedIn!"

You could just skip the email breach, look up the CEO of a desired company, guess the obvious email address, and you're good to go.

Using a person's business relationship with a specific company whose data was stolen is the value of these addresses... not the person's existence.

Re:Not much here?

[gstoddart]

While I can certainly see that some people may be taken advantage of via phishing scams, I just don't see this leading to a great rise in security threats to users. Anyone who *isn't* vigilant in filtering their email, not responding to strange/unknown email requests for information, etc. is likely ALREADY a target!

Well, as someone who is very vigilant and distrusting of emails in general ... and as someone who has received at least one email indicating that my data may have been compromised, I'm still a little worried.

With better and more specific information, it's easier to craft a phishing email to be far more convincing and likely to catch people out. Instead of casting an extremely wide net and hoping that someone falls for it, you could be sending an email which targets people by name, and convincingly looking like it comes from a company you deal with.

This is made even worse by the sheer number of legitimate emails I see that actually come from a 3rd party because companies farm this stuff out (which is the root cause of this in the first place). Heck, I've lost track of the number of emails I've received on behalf of an employer that send me to a 3rd party site to do something -- usually a site which requires that I allow cookies, flash, and all sorts of crap I usually don't let unknown sites do. All because some twit in HR wanted to use Survey Monkey or something.

Even with a high level of paranoia, it's increasingly difficult to be 100% sure of the origins and authenticity of some things.

Spoiler Alert: Spear phishing

[FalleStar]

The author makes the flawed assumption that sending someone an e-mail == being able to install a keylogger on their machine. In reality in order to get a keylogger on the machine it requires the recipient being gullible enough to download an attachment being sent to them by a complete stranger (unlikely, but not out of the question). Or alternatively it requires that the hacker crafts some attack that exploits a vulnerability in the e-mail reader of the recipient's choice which now days can be any number of web-clients, Outlook, Thunderbird, or a smartphone e-mail client even. The suggestion that simply having an e-mail address of somebody will allow an attacker to install a keylogger on the targets machine is idiotic at best.

Re:Spoiler Alert: Spear phishing

They have a bit more than an email address. They have the name of one or more companies with which the person owning the email does business. I can think of these things in 2 minutes. They can think of a lot more if they choose.

* They can, perhaps, use the company names to get their emails past all the spam checkers. You know, Walgreens with an offer on Viagra of FDA approved male enhancement pills.
* They can send emails touting company cooperation. So, you have the same email on Walgreen's and a Citibank card. They send you an email with a malicious link telling you that you can register (on their web site) to get a great discount using your Citibank card at Walgreens.
* Or even better, install a browser addon that will highlight special prices just for you.

Re:Spoiler Alert: Spear phishing

[John+Hasler]

The suggestion that simply having an e-mail address of somebody will allow an attacker to install a keylogger on the targets machine is idiotic at best.

Right. The malware already in control of the average user's machine will defend its territory.

Will the bad formatting here EVER get fixed??

[digitalaudiorock]

OK, this is totally OT, but I don't know where else to post it. I posted this several months ago and a lot of people reported the same issue, and nothing has changed.

I get no score in any subject starting at (as far as I can tell) a level 3 post or greater. In addition, everything in any such posts has double line breaks between every post.

It sucks, plain and simple. I'm running Firefox 3.6.16 under Gentoo. So what's up?...is Firefox broken or slashdot???

Tom

Re:Will the bad formatting here EVER get fixed??

[blair1q]

The score display/hiding seems to be totally random.

Worse is the article expand/collapse misfeature. When I go to do a reply, every time I click in the text box it thinks I want to expand the thread further. Basically I have to expand every article in the thread (and many run to 20 levels) just to start entering my reply.

Total #fail on someone's scripty little part.

And in the article-submission dialog, the edit box is about 20% wider than the box, so the right half of every line is hidden. Only way to deal with that is to compose in an editor and paste it into the box. Plus the tag entry is bollocks. It enters the tag if you hit the spacebar, orders the tags randomly, and trying to delete one only succeeds in giving you the negation of the tag, not the deletion of it. The only way to deal with that is to close the submission form, clear your history and cookies (stuff in that form is ultra-sticky) and start over.

But at least I can use the word "replace" in a posting now, without some eval code bunging that up.

Re:Will the bad formatting here EVER get fixed??

[JewGold]

The worst part is I can no longer middle-click links in some posts in Firefox. Instead of opening the link in a new tab like it should, something in the broken javascript makes it open the parent, and move me around in the page so I first have to scroll around to find the post I was reading, right click the link, copy the URL, open a new tab and paste in. Major hassle. Same thing happens if I highlight a phrase to search.

Re:Will the bad formatting here EVER get fixed??

[Lost+Race]

Classic Discussion System (D1)
+
Noscript
=
Win

Re:Will the bad formatting here EVER get fixed??

[Phantom+Gremlin]

You're not alone in your despair. Categorizing the new discussion system as a clusterfuck doesn't begin to describe how badly broken it is. The slashdot "editors" must never read any of the stories, because, as you point out, it's been *months*, and yet nothing much seems to have changed.

Of course, the whole hierarchy viewing mechanism is also totally fubarred, so you'll probably never even be able to view this response.

I see it as a positive. I'm now wasting much less time on slashdot.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Dear Sir, much appreciation to you.

[140Mandak262Jamuna]

Dear Respected Sir,

I read with much interest your user manual about exploiting the email list. However I do not see a script or code that I can download and use with your user manual. Please provide the same sir.

Sincerely,

Scrip T K Iddie

All your email addresses are belong to us.

No need to speculate.

[Ecuador]

Here is what I got on my New York & Company email address (I had not received anything else - except the breach warning - on this address for years after an order with them in 2007):
(I assume that the german unicode characters will be missing from my post but you will get the picture...)

From: "Mr.Frank Morgan"
Reply-To: frank77morgan3@yahoo.com

Subject: BITTE ANTWORTEN

Guten Tag,

Ich bin Frank Morgan, die ich in der Buchhaltung eines Finance Haus hier in Europa zu arbeiten. Ich sah Ihr Kontakt während meiner privaten Suche im Info-Center, ich glaube, dass Sie ganz ehrlich, engagiert und fähig Unterstützung in diesem Geschäft Venture wollen.
Es ist auf dieser Grundlage, dass ich mich an Sie als nächsten Angehörigen zu einem späten Client des Finance House, so dass die Gesamtsumme von $ 16.5million (Sechzehn Millionen fünfhunderttausend US Dollar) freigegeben wird und bezahlt werden stehen Sie als Empfänger sowie den nächsten Angehörigen des Verstorbenen.
Alle Dokumente und Nachweise, damit Sie bekommen die Mittel wurden sorgfältig erarbeitet, wie ich aus den verschiedenen Büros für die ordnungsgemäße Übertragung der Fonds für Sie besorgt haben gesichert.
Wenn dieser Vorschlag Ihnen gefällt, antworten Sie bitte auf mich mit den folgenden Informationen.
-Vollständige Namen
-TELEPHONE/FAX NUMBER-
-Address-
-AGE-
-SEX-
-BERUF-
Ich erwarte Ihre dringende Antwort, segne alles Gute und Gottes euch.
Mit freundlichen Grüßen,
Frank Morgan
+447031901697
mrfrankmorgan444@hotmail.com

is our uncle sam a pyschopath, or just misinformed

everything we say is being used against us? is it a religious problem? queers? what?

the glorious 2nd chance 'day of departure' has come,,, & gone. still here?

we've seen in the genuine american native elders teepeeleaks etchings, whereas our self-appointed rulers & clergy can be less than democratic/christian/human when it comes to certain (other peoples') things.

Simple solution

[antonymous]

Yes, it's too simple to actually work, but after data breaches like this, Epsilon should be required to publish all the data that was compromised. It devalues the data held by the malicious entity (a deterrent against future attacks), and allows security personnel to more accurately gauge the risk and present additional strategies for mitigation. Any action that reduces the value of these databases is a step in the right direction.

Sign of a Math major

Read the title as "How Attackers Will Use Epsilon DELTA Against You" and thinking wtf?

Re:Sign of a Math major

[maxwell+demon]

No, I read it correctly as "Epsilon Data". Which of course is a negligible amount of data (epsilon is arbitrary small), so the question how attackers might use that little data against me surely is interesting. :-)

Unique Passwords

"The frequency with which average consumers use the same username/password combination across multiple sites is such that such information could lead to accessing other potentially-existing accounts on high-profile social networks."

Sure, they might manage to get credentials via phishing. This would be far less of a problem if people used a good password scheme for keeping unique passwords on all websites, like I've done for a long time now.
http://lifehacker.com/#!184773/geek-to-live--choose-and-remember-great-passwords

Re:Unique Passwords

[maxwell+demon]

"The frequency with which average consumers use the same username/password combination across multiple sites is such that such information could lead to accessing other potentially-existing accounts on high-profile social networks."

Sure, they might manage to get credentials via phishing. This would be far less of a problem if people used a good password scheme for keeping unique passwords on all websites, like I've done for a long time now.
http://lifehacker.com/#!184773/geek-to-live--choose-and-remember-great-passwords

Since you obviously have forgotten your Slashdot password, your scheme cannot work too well. ;-)

Memories

I read the topic and my stomach lurched as I was instantly taken back to a college classroom enduring a long lecture on the works of Cauchy and how epsilon can be thought of as the "error" associated with a given distance "delta" from a function...

I shook my head in disgust and then re-read the topic.

Oh, it says epsilon data...

LastPass

[Kamiza+Ikioi]

With so simple it's stupid services like LastPass, I really don't understand how people still can't use unique passwords. For christ's sake, using LastPass is EASIER than using 1 common password, because it auto logs in. I really don't get people. Then again, with so simple it's obvious backup services like Carbonite, you'd think everyone would be backing up, too. Fat chance there.

Re:LastPass

[olden]

Maybe "people" gave it a thought and concluded that trusting a company with all their passwords and/or data wasn't such a great idea either...

It happened to me last weekend

[Luyseyal]

It happened to me last weekend. A woman posing as "Linda Wilson" called AT&T to cancel our phone service. She had enough info to get the rep to believe she could cancel the account. She hung up in the middle of the call when asked to verify the address on the account and the rep tried calling all the numbers on the account to reach her. (The rep didn't ask for any info so he wasn't phishing me. A call to 611 confirmed what he said.)

I don't know if it's Epsilon or the fact that we applied for a couple of credit cards recently or just a random breach. But, phishing/social engineering happen all the time.

For safe measure, we changed our account info and put a fraud alert on our credit reports.

-l

How important are you as a target?

[Xaedalus]

Exactly how much time do you think the bad guys are going to spend on you? To take the time to craft an ultra-convincing phishing attack, along with the subsequent necessary complex plotting to dissuade your fears, and get you to click seems like an inefficient, and ineffective expenditure of time to me. Maybe it's just me, but the ROI would have to be incredible to justify that kind of attention to detail.

I believe that the majority of these email addresses are going to be passed off as quickly as possible to some sucker on the black market, who'll send out a mass spam of phishing attacks that won't fool a sophisticated user, but will get Ma or Pa Kettle (who has dementia, alzheimers, naivety, or is just plain stupid). It's more cost effective to target stupid people with cheap spam than it is to try and lure smart people in

Spammer company gets rooted by spammers

Epsilon (aka Bigfoot) has been a bunch of spammy fucks for years. Seeing them get rooted by their fellow criminals can only be described as ironic justice.

Re:Not much here?

[david_thornley]

They can send me emails from a third party. They can direct me to third-party websites. They can't make me turn off NoScript on them, and they can't make me type in credentials.

The security-conscious computer-savvy geek is pretty safe here. It's only the other 99.9% of the population that is at risk.

JP Morgan Chase

I'm under the impression that JP Morgan Chase was affected. I've got an account with them, and a debt card with the VISA logo. Though they hit me with "Refinance Your Auto Loan" emails monthly, for a non existent auto loan (uhh I hope?), I've yet to receive one of these emails.. Has anybody else?

Chase?

[seven+of+five]

I was shocked to learn that they'd scooped Chase Bank's email list. Not because of the theft, but I thought, why would Chase need to hire an outside firm to send out emails? Don't they have their own servers? Marketing types??