In an increasingly digital world, where concerns about online data security are rampant, it’s easy to overlook the vulnerabilities that exist offline. While much attention is rightfully directed towards protecting data in the virtual space, offline data theft remains a significant threat that can be just as insidious and damaging. Understanding how data theft occurs offline is essential for safeguarding personal and sensitive information comprehensively.

1. Physical Theft and Tampering: One of the most straightforward methods of offline data theft is physical theft or tampering with devices that store personal data. This includes stealing laptops, smartphones, external hard drives, or even paper documents containing sensitive information. Once in the wrong hands, this data can be exploited for various malicious purposes, including identity theft and financial fraud.

2. Interception of Postal Mail: Traditional mail, despite its diminishing relevance in the digital age, still poses a risk for data theft. Intercepting postal mail containing sensitive documents, such as bank statements, invoices, or official correspondence, provides attackers with valuable personal information. This information can be used to perpetrate identity theft or gain unauthorized access to financial accounts.

3. Skimming and Eavesdropping: Skimming devices installed on ATMs, point-of-sale terminals, or even gas pumps can capture the card data encoded on the magnetic stripe when users swipe their cards. Similarly, eavesdropping on conversations in public places, such as cafes or public transportation, can yield valuable information, such as passwords or account details, which can then be exploited by attackers.

4. Dumpster Diving: Despite its rudimentary nature, dumpster diving remains a viable method for harvesting sensitive information. Discarded documents, such as bank statements or invoices, and discarded electronic devices can contain a treasure trove of personal data. Attackers sift through trash bins or dumpsters in search of such items to exploit for their gain.

5. Social Engineering and Impersonation: Offline data theft can also occur through social engineering tactics, where attackers manipulate individuals into divulging sensitive information. This can involve impersonating authority figures, such as government officials or company representatives, to gain access to confidential information or tricking individuals into revealing passwords or account details over the phone.

6. Insider Threats: Employees or individuals with authorized access to sensitive data can also pose a significant threat to data security offline. Whether through negligence, malicious intent, or coercion, insiders can leak or misuse sensitive information, compromising data security from within an organization.

Protecting Against Offline Data Theft:

1. Secure Physical Storage: Store physical devices containing sensitive information in secure locations, such as safes or locked cabinets, when not in use. Enable full-disk encryption on devices so that the data is unreadable without the owner's credential if the device is stolen or lost.

2. Monitor Postal Mail: Be vigilant for signs of tampering or interception of postal mail. Consider using secure mail services or electronic delivery for sensitive documents whenever possible.

3. Be Cautious in Public Spaces: Exercise caution when handling sensitive information in public spaces. Shield PINs when entering them on ATMs or point-of-sale terminals, and avoid discussing confidential matters in public where conversations could be overheard.

4. Shred Documents: Dispose of documents containing sensitive information securely by shredding them before discarding. This prevents attackers from reconstructing discarded documents and extracting valuable data.

5. Educate Against Social Engineering: Raise awareness among individuals about the risks of social engineering tactics and the importance of verifying the identity of individuals requesting sensitive information, especially over the phone or via email.

6. Implement Insider Threat Mitigation: Implement measures to monitor and mitigate insider threats, including employee training, access controls, and regular audits of access to sensitive data.
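The access audit mentioned in point 6 is easy to automate. The following is an added example written for this page, not code from the original article: it scans constructed access-log records for three insider-threat indicators (sensitive access outside business hours, bulk reads of sensitive records in one day, and exports of sensitive records). The log format, the thresholds and the sample records are all assumptions made for illustration.

```python
"""Audit constructed access-log lines for insider-threat indicators.

Added example for this page. Log format, thresholds and sample data are
assumptions, not a real product's format.
"""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = (8, 18)   # assumed: 08:00-17:59 local time is "normal"
BULK_THRESHOLD = 5         # assumed: >= 5 distinct sensitive records/day is unusual

# Constructed sample log: timestamp user action record classification
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice READ cust-1001 SENSITIVE
2024-03-04T09:15:00 alice READ cust-1002 SENSITIVE
2024-03-04T10:01:00 bob READ cust-2001 PUBLIC
2024-03-04T13:30:00 bob EXPORT cust-2002 SENSITIVE
2024-03-04T22:40:00 carol READ cust-3001 SENSITIVE
2024-03-04T22:41:00 carol READ cust-3002 SENSITIVE
2024-03-04T22:42:00 carol READ cust-3003 SENSITIVE
2024-03-04T22:43:00 carol READ cust-3004 SENSITIVE
2024-03-04T22:44:00 carol READ cust-3005 SENSITIVE
2024-03-04T22:45:00 carol READ cust-3006 SENSITIVE
"""


def parse_log(text):
    """Parse whitespace-separated records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, label = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record, "label": label})
    return events


def audit(events):
    """Return findings keyed by indicator type.

    off_hours:   (user, day) pairs with any sensitive access outside hours
    exports:     (user, record) for every EXPORT of a sensitive record
    bulk_access: {(user, day): count} where count >= BULK_THRESHOLD
    """
    off_hours = set()
    exports = []
    sensitive_reads = defaultdict(set)
    for e in events:
        if e["label"] != "SENSITIVE":
            continue  # only sensitive data is in scope for this audit
        key = (e["user"], e["ts"].date().isoformat())
        if e["action"] == "EXPORT":
            exports.append((e["user"], e["record"]))
        else:
            sensitive_reads[key].add(e["record"])
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            off_hours.add(key)
    bulk = {k: len(v) for k, v in sensitive_reads.items()
            if len(v) >= BULK_THRESHOLD}
    return {"off_hours": sorted(off_hours), "exports": exports,
            "bulk_access": bulk}


if __name__ == "__main__":
    for kind, items in audit(parse_log(SAMPLE_LOG)).items():
        print(kind, items)
```

In practice the thresholds should come from each user's own baseline rather than fixed constants, and the audit should run over the same access logs that the access-control layer writes, so an insider cannot edit the evidence of their own activity.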

In conclusion, while the digital landscape presents numerous challenges for data security, offline data theft remains a prevalent and often overlooked threat. By understanding the various methods through which offline data theft occurs and implementing appropriate safeguards, individuals and organizations can better protect themselves against this insidious form of data breach.

The post Unveiling the Mechanics of Offline Data Theft: How Your Information Can Be Compromised Beyond the Digital Realm appeared first on Cybersecurity Insiders.

Apple is rolling out a new “Stolen Device Protection” feature that seems well thought out:

When Stolen Device Protection is turned on, Face ID or Touch ID authentication is required for additional actions, including viewing passwords or passkeys stored in iCloud Keychain, applying for a new Apple Card, turning off Lost Mode, erasing all content and settings, using payment methods saved in Safari, and more. No passcode fallback is available in the event that the user is unable to complete Face ID or Touch ID authentication.

For especially sensitive actions, including changing the password of the Apple ID account associated with the iPhone, the feature adds a security delay on top of biometric authentication. In these cases, the user must authenticate with Face ID or Touch ID, wait one hour, and authenticate with Face ID or Touch ID again. However, Apple said there will be no delay when the iPhone is in familiar locations, such as at home or work.

More details at the link.
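The part of the design worth copying is the two-phase approval: the first biometric check only starts a clock, and the sensitive change goes through only on a second biometric check after the delay, with no passcode fallback at any point. The following is an added example written for this page, a simplified model of that policy and not Apple's code; the action names, the one-hour delay and the "familiar location" flag follow the description quoted above, while the method names and the numeric clock are assumptions.

```python
"""Model of a biometric-gated action with a security delay.

Added example for this page, not Apple's implementation. Action names follow
the quoted description; the API shape and the integer clock are assumptions.
"""
from dataclasses import dataclass, field

DELAY_SECONDS = 3600  # the one-hour delay described above

# Actions that need biometrics but no delay, and actions that need both.
BIOMETRIC_ONLY = {"view_keychain_passwords", "disable_lost_mode",
                  "erase_device", "use_saved_payment_method"}
DELAYED = {"change_apple_id_password"}


@dataclass
class Device:
    protection_on: bool = True
    at_familiar_location: bool = False
    # action -> clock value at which the first biometric approval was given
    pending: dict = field(default_factory=dict)

    def request(self, action, credential, now):
        """Attempt `action` with `credential` ("biometric" or "passcode")
        at clock value `now` (seconds). Returns a status string."""
        if not self.protection_on:
            return "allowed"  # feature off: the passcode alone suffices
        if credential != "biometric":
            # No passcode fallback: a thief who shoulder-surfed the
            # passcode still cannot perform these actions.
            return "denied: no passcode fallback"
        if action in BIOMETRIC_ONLY:
            return "allowed"
        if action in DELAYED:
            if self.at_familiar_location:
                return "allowed"  # no delay at home or work
            started = self.pending.get(action)
            if started is None:
                self.pending[action] = now
                return f"delayed: retry after {DELAY_SECONDS}s"
            remaining = DELAY_SECONDS - (now - started)
            if remaining > 0:
                return f"delayed: {remaining}s remaining"
            del self.pending[action]  # second biometric check completes it
            return "allowed"
        return "allowed"  # action not covered by the feature


if __name__ == "__main__":
    d = Device()
    print(d.request("change_apple_id_password", "biometric", now=0))
    print(d.request("change_apple_id_password", "biometric", now=3600))
```

The delay is what buys the victim time: while the thief waits out the hour, the owner can mark the device lost or change the Apple ID password from another device, which invalidates the pending request.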

This is not about mass surveillance of mail, this is about the sorts of targeted surveillance the US Postal Inspection Service uses to catch mail thieves:

To track down an alleged mail thief, a US postal inspector used license plate reader technology, GPS data collected by a rental car company, and, most damning of all, hid a camera inside one of the targeted blue post boxes which captured the suspect’s full face as they allegedly helped themselves to swathes of peoples’ mail.

Thieves cut through the wall of a coffee shop to get to an Apple store, bypassing the alarms in the process.

I wrote about this kind of thing in 2000, in Secrets and Lies (page 318):

My favorite example is a band of California art thieves that would break into people’s houses by cutting a hole in their walls with a chainsaw. The attacker completely bypassed the threat model of the defender. The countermeasures that the homeowner put in place were door and window alarms; they didn’t make a difference to this attack.

The article says they took half a million dollars worth of iPhones. I don’t understand iPhone device security, but don’t they have a system of denying stolen phones access to the network?

EDITED TO ADD (4/13): A commenter says: “Locked idevices will still sell for 40-60% of their value on eBay and co, they will go to Chinese shops to be stripped for parts. An aftermarket ‘oem-quality’ iPhone 14 display is $400+ alone on ifixit.”

Tile has an interesting security solution to make its tracking tags harder to use for stalking:

The Anti-Theft Mode feature will make the devices invisible to Scan and Secure, the company’s in-app feature that lets you know if any nearby Tiles are following you. But to activate the new Anti-Theft Mode, the Tile owner will have to verify their real identity with a government-issued ID, submit a biometric scan that helps root out fake IDs, agree to let Tile share their information with law enforcement and agree to be subject to a $1 million penalty if convicted in a court of law of using Tile for criminal activity. So although it technically makes the device easier for stalkers to use Tiles silently, it makes the penalty of doing so high enough to (at least in theory) deter them from trying.

Interesting theory. But it won’t work against attackers who don’t have any money.

Hulls believes the approach is superior to Apple’s solution with AirTag, which emits a sound and notifies iPhone users that one of the trackers is following them.

My complaint about the technical solutions is that they only work for users of the system. Tile security requires an “in-app feature.” Apple’s AirTag “notifies iPhone users.” What we need is a common standard that is implemented on all smartphones, so that people who don’t use the trackers can be alerted if they are being surveilled by one of them.

Suspected members of a European car-theft ring have been arrested:

The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away.

As a result of a coordinated action carried out on 10 October in the three countries involved, 31 suspects were arrested. A total of 22 locations were searched, and over EUR 1 098 500 in criminal assets seized.

The criminals targeted keyless vehicles from two French car manufacturers. A fraudulent tool, marketed as an automotive diagnostic solution, was used to replace the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob.

Among those arrested are the software developers, the tool's resellers and the car thieves who used this tool to steal vehicles.

The article doesn’t say how the hacking tool got installed into cars. Were there crooked auto mechanics, dealers, or something else?

The Wall Street Journal is reporting that the FBI has recovered over $30 million in cryptocurrency stolen by North Korean hackers earlier this year. It’s only a fraction of the $540 million stolen, but it’s something.

The Axie Infinity recovery represents a shift in law enforcement’s ability to trace funds through a web of so-called crypto addresses, the virtual accounts where cryptocurrencies are stored. These addresses can be created quickly without them being linked to a cryptocurrency company that could freeze the funds.

In its effort to mask the stolen crypto, Lazarus Group used more than 12,000 different addresses, according to Chainalysis. Unlike bank transactions that happen through private networks, movement between crypto accounts is visible to the world on the blockchain.

Advanced blockchain-monitoring tools and cooperation from centralized crypto exchanges enabled the FBI to trace the crypto to where Lazarus Group tried to cash out, investigators said.

The money was laundered through the Tornado Cash mixer.
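The tracing described in the quoted passages is, at its core, graph analysis over public transactions: follow outflows from the theft address until they land at a deposit address that a cooperating exchange can attribute to a customer. The following is an added example written for this page, not the FBI's or Chainalysis's tooling, and it goes beyond the specific case above by also computing a proportional taint share. The ledger, the address labels, the mixer and the exchange deposit addresses are all constructed for illustration.

```python
"""Trace stolen funds through a constructed transaction graph.

Added example for this page. The ledger and all address labels are
constructed; real tracing works on on-chain transaction data.
"""
from collections import defaultdict, deque

# Constructed ledger: (from_address, to_address, amount). "mixer" models a
# mixing contract that pools deposits and breaks the direct link; the
# honest depositors make the post-mixer taint a fraction rather than 1.0.
LEDGER = [
    ("victim_bridge", "hacker_A", 100.0),
    ("hacker_A", "hop_1", 60.0),
    ("hacker_A", "hop_2", 40.0),
    ("hop_1", "mixer", 60.0),
    ("other_depositor", "mixer", 60.0),
    ("hop_2", "exchange_deposit_X", 40.0),
    ("honest_user", "exchange_deposit_X", 10.0),
    ("mixer", "cashout_1", 35.0),
    ("mixer", "unrelated_user", 25.0),
    ("cashout_1", "exchange_deposit_Y", 35.0),
]
KNOWN_EXCHANGE_DEPOSITS = {"exchange_deposit_X", "exchange_deposit_Y"}
MIXERS = {"mixer"}


def build_graph(ledger):
    out = defaultdict(list)
    for src, dst, amt in ledger:
        out[src].append((dst, amt))
    return out


def trace(ledger, origin, stop_at_mixers=False):
    """Breadth-first forward trace from `origin`.

    Returns {exchange_deposit: path} for every known exchange deposit
    address reachable from the origin. With stop_at_mixers=True the trace
    does not continue past a mixer, which is what a naive tool sees.
    """
    out = build_graph(ledger)
    paths = {origin: [origin]}
    hits = {}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        if stop_at_mixers and cur in MIXERS:
            continue
        for nxt, _amt in out[cur]:
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                if nxt in KNOWN_EXCHANGE_DEPOSITS:
                    hits[nxt] = paths[nxt]
                queue.append(nxt)
    return hits


def taint_fractions(ledger, origin):
    """Proportional ("haircut") taint: an address's taint is the tainted
    share of its total inflow. Assumes the ledger is acyclic (Kahn's order)."""
    out = build_graph(ledger)
    indeg = defaultdict(int)
    nodes = set()
    for src, dst, _ in ledger:
        nodes.update((src, dst))
        indeg[dst] += 1
    inflow, tainted_in, taint = defaultdict(float), defaultdict(float), {}
    queue = deque(sorted(n for n in nodes if indeg[n] == 0))
    while queue:
        cur = queue.popleft()
        if cur == origin:
            taint[cur] = 1.0  # everything leaving the theft address is stolen
        else:
            taint[cur] = tainted_in[cur] / inflow[cur] if inflow[cur] else 0.0
        for nxt, amt in out[cur]:
            inflow[nxt] += amt
            tainted_in[nxt] += amt * taint[cur]
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                queue.append(nxt)
    return taint


def cashout_report(ledger, origin):
    """Exchange deposits reached from the origin with their taint share and path."""
    taint = taint_fractions(ledger, origin)
    return {addr: (round(taint[addr], 3), path)
            for addr, path in trace(ledger, origin).items()}


if __name__ == "__main__":
    for addr, (share, path) in cashout_report(LEDGER, "hacker_A").items():
        print(f"{addr}: {share:.0%} tainted via {' -> '.join(path)}")
```

Two things the example makes visible that the quotes only hint at: a mixer does not stop the forward trace, it only dilutes the attribution (here the post-mixer addresses carry a 50% share, including an unrelated depositor), and the decisive step is not the graph walk but the exchange's ability to name the customer behind a deposit address, which is why cooperation from centralized exchanges mattered.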

Amid a wave of hacks that have cost investors billions of dollars worth of cryptocurrency, the FBI is calling on decentralised finance (DeFi) platforms to improve their security. In a warning posted on its website, the FBI said that cybercriminals are increasingly targeting DeFi platforms to steal cryptocurrency, often exploiting vulnerabilities in smart contracts to […]

The post FBI issues warning after crypto-crooks steal $1.3 billion in just three months appeared first on The State of Security.