How Attackers Will Use Epsilon Data Against You

← Back to Stories (view on slashdot.org)

How Attackers Will Use Epsilon Data Against You

Posted by CmdrTaco on Tuesday April 12, 2011 @05:00AM from the this-is-social-networking dept.

Trailrunner7 writes "What might the criminals who broke into Epsilon do with the email lists they have? The easiest thing to do is to sell these data sets on the black market or, potentially, to competitors of victim firms. According to the latest data from data-breaches.net, totals are up to 57 customers including credit card providers with branded cards — Visa (notices sent for at least 3 cards), the World Financial Network National Bank (12 cards) and Citi (3 cards). The criminals may make some money there and re-invest it into technology or services for other efforts. Once an attacker has gained a foothold on one or more systems used by their mark, they can begin harvesting credentials. The frequency with which average consumers use the same username/password combination across multiple sites is such that such information could lead to accessing other potentially-existing accounts on high-profile social networks."

20 of 78 comments (clear)

Min score:

Reason:

Sort:

VISA Hit? by syntap · 2011-04-12 05:08 · Score: 2

Visa (notices sent for at least 3 cards), the World Financial Network National Bank (12 cards) and Citi (3 cards)
I have not yet seen notes that VISA itself was hit. Banks that use VISA's services may have been, but the article is lumping the network/transaction processor with the banks. It is possible to be a customer of VISA for other purposes, which surprises me that the article is claiming they were independently hit, that is news here.
1. Re:VISA Hit? by blair1q · 2011-04-12 05:45 · Score: 3, Funny
  
  They weren't hit. They were clients of the mass-mailing service that got hit. If you were on Epsilon's list under Visa, Epsilon notified Visa that you were exposed. Visa then should have notified you.
  I got 4 separate notifications, but I suspect that's not all.
  I've tried to get Epsilon to give me a full list of what companies using their service have my email address, but, in phenomenal wanker fashion, they refused, citing "privacy" and "security".
Passwords not compromised by Relayman · 2011-04-12 05:09 · Score: 2

Who said anything about passwords being compromised? My e-mail address is now public. Big whoop, it has always been public. If the "public" (don't include me) uses the same password for their checking account as they do their email, shame on them.

--
If I used a sig over again, would anyone notice?
1. Re:Passwords not compromised by gstoddart · 2011-04-12 05:23 · Score: 4, Interesting
  
  Who said anything about passwords being compromised?
  Not as part of this breach, but as a possible consequence.
  Bad guys get your email, name, and a couple of other things. Bad guys do a very targeted phishing exercise, and scam you into giving up credentials for one service. Bad guys then could potentially rely on the fact that people reuse passwords, and get into several other sites.
  Depending on the uniqueness of your first/last name combination ... there might actually be enough information in there to actually identify you in the real world.
  You know, the things that TFA are actually saying.
  
  --
  Lost at C:>. Found at C.
2. Re:Passwords not compromised by Relayman · 2011-04-12 05:37 · Score: 2
  
  Agreed. But any of this can happen any time someone sees my email address. Every time my friends' computers gets hacked, the hacker downloads his/her address book and gets my email address. The Epsilon disclosure doesn't make me any more vulnerable than before. There is no story!
  
  --
  If I used a sig over again, would anyone notice?
3. Re:Passwords not compromised by element-o.p. · 2011-04-12 05:41 · Score: 2
  
  Maybe, but that would be a possible consequence of my e-mail being stolen *AND* me being stupid -- not just a possible consequence of my e-mail addy being compromised.
  
  I'm not going to give you my credentials just because you ask for them in an e-mail. In fact, the first thing I do when I get an e-mail that looks at all suspicious (and asking me for any personally identifiable information in an e-mail is a sure-fire way to trigger my alarms) is blow open the headers and see where the e-mail came from. Then and only then will I even consider opening up a web browser and going to my bank/other web site *by clicking on my bookmark* (rather than the link in the e-mail) and searching for the web page to update my information.
  
  Hold on -- I just got an e-mail saying I can win ${ITEM_OF_VALUE_TO_ME} by clicking a link...BRB...
  
  --
  MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
4. Re:Passwords not compromised by Anonymous Coward · 2011-04-12 05:46 · Score: 2, Insightful
  
  The Epsilon disclosure doesn't make me any more vulnerable than before.
  Of course it does. They have your email and know with which company you have an account using this email, maybe even specific services you've subscribed to. They can forge a credible-sounding email pretending to be said company or working for them or whatever. The more info you have the more credible a forgery is, the more people will fall for it. The majority of internet users couldn't tell a decent forgery from the real deal.
5. Re:Passwords not compromised by John+Hasler · 2011-04-12 06:02 · Score: 3, Funny
  
  Maybe, but that would be a possible consequence of my e-mail being stolen *AND* me being stupid...
  Thus the majority of users are at risk.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
6. Re:Passwords not compromised by timeOday · 2011-04-12 06:49 · Score: 2
  
  We know what TFA is actually saying. It's desperately trying to whip up a mountain from a molehill, and not too successfully. It's just email addresses and names.
7. Re:Passwords not compromised by isleshocky77 · 2011-04-12 06:50 · Score: 2
  
  This is exactly where the risk comes from. I've now been receiving faked emails from a stock company of mine which was compromised. On my phone the email looks entirely credible and I'm not able to check where the link in the email is actually taking me. Once I checked it out on a computer I noticed the link was going to a fake domain rather than to the institution. I'm a web developer and consider myself pretty computer savvy. I also knew about the information being taken and am extremely wary of following an emails. When I think of my dad getting the email from his banking institution which appears completely legit; it scares me.
8. Re:Passwords not compromised by zuckerj · 2011-04-12 06:56 · Score: 3, Informative
  
  Unfortunately MANY major companies practice procedures that put their customers at risk by sending emails with links. Any official communication from a credible institution should not include ANY links, or phone numbers. They should simply say, please visit our website, or call us via the phone umber printed on your bill or the back of your card. I complain to companies time and again that they are indeed part of the security threat problem and putting their customers at risk. I recently got an email from Bank of America telling me that they saw unusual activity on my Check Card and they gave me a phone number to call. I called the number and the representative starts off the conversation by asking me for my driver's license number! I told him how ridiculous and dangerous their procedures were, and told him I'd not answer any questions without calling back from a known number. Unfortunately, when I called back, I was informed that it was indeed Bank of America and everything was legit. I say unfortunately because it just confirmed my worst fears that a Major institution such as Bank of America, was knowingly putting their customers at increased risk. Also unfortunately, after trying to explain to the representative, for the 3rd time, why this was a dangerous practice, I realized I have better luck educating a brick by banging my head on it. So while you may call victims STUPID for falling prey to these sinister ploys to farm information, it is in fact the companies we trust that are failing us and making our attempts to safeguard our information more and more difficult.
9. Re:Passwords not compromised by rsborg · 2011-04-12 07:13 · Score: 2
  
  Who said anything about passwords being compromised? My e-mail address is now public. Big whoop, it has always been public. If the "public" (don't include me) uses the same password for their checking account as they do their email, shame on them.
  A username+password is two pieces of a credential set. With many of these services, one of them is now given up (ie, your email). This is just making it easier for criminals to target you (akin to similar attack reducing the key search space in cryptography).
  
  --
  Make sure everyone's vote counts: Verified Voting
Re:Grab a bag of popcorn, and watch the fun. by grub · 2011-04-12 05:14 · Score: 2

Always good for a laugh to us 'third world' savages. Where's your 'privacy policy' now, eh?

Glad to see the OLPC project is working out for you!

--
Trolling is a art,
fantasy by Lehk228 · 2011-04-12 05:16 · Score: 2

the scenario in TFA could happen, but it's mostly masturbatory super hacker fantasy

these email and name lists will be used for spamming and unsophisticated phishing, "IMPORTANT MESSAGE FROM $COMPANY, you account will be terminated unless you log in here [www.example.ru]"

TFA layed out a scenario where targetted espionage is carried out against targets that are somehow more convenient because you got their email address.

--
Snowden and Manning are heroes.
Re:Keep Calm and Carry On by bberens · 2011-04-12 05:21 · Score: 2

Just a slight correction, it's names, e-mail addresses, AND a business relationship. Now, for example, the hacker might know that my e-mail address is associated with company XYZ and can send me a more targeted phishing attack by pretending to be a representative of XYZ. They could have done that before, but they had no idea whether or not I had any business relationship with XYZ so it would have been a wild guess.

--
Check out my lame java blog at www.javachopshop.com
Re:Not much here? by gstoddart · 2011-04-12 05:33 · Score: 2

While I can certainly see that some people may be taken advantage of via phishing scams, I just don't see this leading to a great rise in security threats to users. Anyone who *isn't* vigilant in filtering their email, not responding to strange/unknown email requests for information, etc. is likely ALREADY a target!
Well, as someone who is very vigilant and distrusting of emails in general ... and as someone who has received at least one email indicating that my data may have been compromised, I'm still a little worried.
With better and more specific information, it's easier to craft a phishing email to be far more convincing and likely to catch people out. Instead of casting an extremely wide net and hoping that someone falls for it, you could be sending an email which targets people by name, and convincingly looking like it comes from a company you deal with.
This is made even worse by the sheer number of legitimate emails I see that actually come from a 3rd party because companies farm this stuff out (which is the root cause of this in the first place). Heck, I've lost track of the number of emails I've received on behalf of an employer that send me to a 3rd party site to do something -- usually a site which requires that I allow cookies, flash, and all sorts of crap I usually don't let unknown sites do. All because some twit in HR wanted to use Survey Monkey or something.
Even with a high level of paranoia, it's increasingly difficult to be 100% sure of the origins and authenticity of some things.

--
Lost at C:>. Found at C.
Will the bad formatting here EVER get fixed?? by digitalaudiorock · 2011-04-12 05:41 · Score: 2

OK, this is totally OT, but I don't know where else to post it. I posted this several months ago and a lot of people reported the same issue, and nothing has changed.
I get no score in any subject starting at (as far as I can tell) a level 3 post or greater. In addition, everything in any such posts has double line breaks between every post.
It sucks, plain and simple. I'm running Firefox 3.6.16 under Gentoo. So what's up?...is Firefox broken or slashdot???
Tom
1. Re:Will the bad formatting here EVER get fixed?? by blair1q · 2011-04-12 05:54 · Score: 3, Informative
  
  The score display/hiding seems to be totally random.
  Worse is the article expand/collapse misfeature. When I go to do a reply, every time I click in the text box it thinks I want to expand the thread further. Basically I have to expand every article in the thread (and many run to 20 levels) just to start entering my reply.
  Total #fail on someone's scripty little part.
  And in the article-submission dialog, the edit box is about 20% wider than the box, so the right half of every line is hidden. Only way to deal with that is to compose in an editor and paste it into the box. Plus the tag entry is bollocks. It enters the tag if you hit the spacebar, orders the tags randomly, and trying to delete one only succeeds in giving you the negation of the tag, not the deletion of it. The only way to deal with that is to close the submission form, clear your history and cookies (stuff in that form is ultra-sticky) and start over.
  But at least I can use the word "replace" in a posting now, without some eval code bunging that up.
Re:Spoiler Alert: Spear phishing by John+Hasler · 2011-04-12 06:16 · Score: 2

The suggestion that simply having an e-mail address of somebody will allow an attacker to install a keylogger on the targets machine is idiotic at best.
Right. The malware already in control of the average user's machine will defend its territory.

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Re:LastPass by olden · 2011-04-12 09:54 · Score: 2

Maybe "people" gave it a thought and concluded that trusting a company with all their passwords and/or data wasn't such a great idea either...