Why You Should Use Your Debit Card As A Credit Card

Many of us try hard not to use our credit cards.  As a result, we tend to use our debit cards frequently.

Many debit cards carry either a Visa or Mastercard logo, which allows you to use the card as either a debit card or a credit card.  No matter which option you choose, the money is withdrawn from your bank account immediately, so from a financial standpoint, it really does not matter which option you choose.

Merchants such as Walmart often try very hard to get you to choose the debit option.  The reason is that the merchant pays a smaller fee to its bank or payment processor for each transaction if you choose debit over credit.  For large transactions, the difference can be significant to the store: if you choose the credit option, the store pays a percentage of the transaction amount, while if you choose debit, the store pays a flat fee no matter the size of the transaction.

HOWEVER, from your perspective as a consumer, if a store where you use your card as a debit card is hacked – and that seems to be all too common these days – the bad guys can duplicate your debit card and, with your PIN, empty your bank account.

Most banks allow you to limit the amount of withdrawals that are permitted on a daily basis to reduce your exposure.  Many banks will also send you a text message, in real time, every time your debit card is used – including ATM withdrawals – so you will know instantly if your card is being used.  If you get a text message and you didn’t use your card, call your bank immediately to shut down the card.
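To make the two bank-side controls concrete, here is an added example (my own illustration, not something from the post or from any bank's systems) that applies a per-card daily ATM cash limit and emits a real-time alert for every use of the card. The transaction records, card identifier and limit values are all constructed for the demo; the limit resets at midnight here, which is a simplification.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    card: str      # card identifier (constructed)
    ts: str        # ISO-8601 timestamp, local time
    kind: str      # "POS_DEBIT", "POS_CREDIT" or "ATM"
    cents: int     # amount in cents, to avoid float rounding
    where: str     # merchant or ATM location


# Hypothetical per-card daily ATM cash limits, in cents (a bank would let the
# customer set these).
DEFAULT_DAILY_ATM_LIMIT_CENTS = 50_000
DAILY_ATM_LIMIT_CENTS = {"card-1234": 30_000}

# Constructed sample transactions: one grocery purchase, then a run of ATM
# withdrawals of the kind a cloned card plus a stolen PIN would produce.
SAMPLE_TXNS = [
    Txn("card-1234", "2014-11-18T17:42:00", "POS_DEBIT", 4_217, "Grocery, Denver CO"),
    Txn("card-1234", "2014-11-18T23:05:00", "ATM", 20_000, "ATM #A17"),
    Txn("card-1234", "2014-11-18T23:07:00", "ATM", 20_000, "ATM #A17"),
    Txn("card-1234", "2014-11-18T23:09:00", "ATM", 10_000, "ATM #A17"),
    Txn("card-1234", "2014-11-19T00:01:00", "ATM", 20_000, "ATM #A17"),
]


def dollars(cents: int) -> str:
    """Format a cent amount as a dollar string."""
    return f"${cents // 100}.{cents % 100:02d}"


def process(txns, limits=DAILY_ATM_LIMIT_CENTS):
    """Apply the daily ATM limit and produce a real-time alert for every use.

    Returns (decisions, alerts): one decision string and one alert string
    per transaction, in input order.
    """
    withdrawn = defaultdict(int)   # (card, calendar day) -> cents already withdrawn
    decisions, alerts = [], []
    for t in txns:
        day = t.ts[:10]            # "YYYY-MM-DD"; the limit resets at midnight
        limit = limits.get(t.card, DEFAULT_DAILY_ATM_LIMIT_CENTS)
        if t.kind == "ATM" and withdrawn[(t.card, day)] + t.cents > limit:
            decision = "DECLINED"
        else:
            decision = "APPROVED"
            if t.kind == "ATM":
                withdrawn[(t.card, day)] += t.cents
        decisions.append(decision)
        # The alert goes out whether or not the transaction was approved, so
        # the cardholder learns about the attempt, not just the loss.
        alerts.append(f"{t.ts} {t.card}: {t.kind} {dollars(t.cents)} at {t.where} -> {decision}")
    return decisions, alerts


if __name__ == "__main__":
    for line in process(SAMPLE_TXNS)[1]:
        print(line)
```

Running the sample shows the third withdrawal declined because it would push the day's total past the $300 limit, while every transaction, approved or not, still produces an alert line the bank could send as a text message.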

So, even though some stores cajole you to use your card as a debit card, I recommend that, for your own financial safety, you shouldn’t do it.

There was an item on the news tonight here in Denver that some RTD (the local transit agency) ticket kiosks were compromised with skimming devices and some users had ATM withdrawals made from their bank accounts afterwards.  Had they used the card as a credit card, the skimmer operator would not have had their ATM PIN and would not have been able to withdraw cash from their bank account.

Mitch Tanenbaum

Malware specifically targets password managers

Boy, just when you thought you were doing it right!

Ars Technica, Dark Reading, Security Week and others are reporting a new variant of the Citadel malware that has been around for several years.

According to the articles, the new variant monitors processes and, when it sees KeePass, Password Safe or neXus start up, it fires up a keystroke logger to grab the master password for the file.  At that point, the fact that the file is encrypted is of little value, since the malware has the key to the lock.

Apparently, according to the IBM researchers who found this, the variant was created just by modifying the malware’s config file.  That means that if you rename the password manager’s process, all the attackers need to do to catch up is edit the config file again, and if they want to do the same thing with a different password manager, that too is just a config file edit.  So the fact that you are using a different password manager only protects you today, not tomorrow.

They said they did not know if this was a mass change or a targeted attack, but if it was targeted, I suspect it won’t be for long.

I *think* that if your password manager supports two factor authentication, then that might protect you against this attack.  It depends whether the second factor is static or dynamic.
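The static-versus-dynamic distinction is the whole point, so here is an added example (my own, not from the post, the IBM research or any password manager) that models it: two toy vaults, one whose second factor is a fixed PIN and one whose second factor is an RFC 4226 HOTP code that is consumed on use. A keylogger that records one legitimate unlock can replay the captured keystrokes against the first vault but not the second. The master password, PIN and HOTP key are constructed demo values, and the SHA-256 hashing stands in for the slow key derivation a real vault would use.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def _h(s: str) -> bytes:
    # Stand-in for a real KDF; enough to avoid storing the secrets in the clear.
    return hashlib.sha256(s.encode()).digest()


class StaticFactorVault:
    """Toy vault: master password plus a fixed second secret (PIN or security answer)."""

    def __init__(self, master: str, pin: str):
        self._master = _h(master)
        self._pin = _h(pin)

    def unlock(self, master: str, pin: str) -> bool:
        return (hmac.compare_digest(self._master, _h(master))
                and hmac.compare_digest(self._pin, _h(pin)))


class HotpFactorVault:
    """Toy vault: master password plus a one-time HOTP code; each accepted code advances the counter."""

    def __init__(self, master: str, key: bytes):
        self._master = _h(master)
        self._key = key
        self._counter = 0

    def unlock(self, master: str, code: str) -> bool:
        ok = (hmac.compare_digest(self._master, _h(master))
              and hmac.compare_digest(code, hotp(self._key, self._counter)))
        if ok:
            self._counter += 1   # the code just used can never be accepted again
        return ok


def replay_demo():
    """Return (static_replay_ok, hotp_replay_ok) for keystrokes captured during one legitimate unlock."""
    master = "correct horse battery staple"   # constructed demo password
    pin = "4242"                               # constructed static second factor
    key = b"constructed-demo-hotp-key"         # constructed HOTP seed
    static_vault = StaticFactorVault(master, pin)
    hotp_vault = HotpFactorVault(master, key)

    # Legitimate unlocks; a keylogger would record exactly these typed values.
    captured_static = (master, pin)
    captured_hotp = (master, hotp(key, 0))     # the user's token shows the code for counter 0
    assert static_vault.unlock(*captured_static)
    assert hotp_vault.unlock(*captured_hotp)

    # Later, the captured keystrokes are replayed as-is.
    return static_vault.unlock(*captured_static), hotp_vault.unlock(*captured_hotp)


if __name__ == "__main__":
    print(replay_demo())   # expected: (True, False)
```

This only models replay of the typed credentials, which is the attack the articles describe; malware already running on the machine has other ways to get at an unlocked vault, so the hedge in the paragraph above is the right one.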

This is why the security business is a cat and mouse game.  You make a change, the bad guys make a change.  You make a change to your change.  You get the idea.  If you were hoping that you could do something once and be done, I am sorry, but that is not gonna happen.

NSA chief admits China could cripple U.S. power grid, financial networks

According to articles on ZDNet and ABC, NSA chief Admiral Mike Rogers said in testimony before the US House Intelligence Committee that China and probably one or two other countries could shut down critical computer networks and force U.S. power and water grids, aviation systems and financial systems offline.

Let that sink in for a minute.

The reason this is possible is that over the last 10 years, all of these industries have moved their communications from private networks (or no network at all) to the Internet without much thought about security – only about cost and convenience.  And, as I have often said, when security comes up against cost, security almost always loses.

On top of that bomb, Rogers said that it is a matter of when, not if.

Although the details of all of this are classified, what has come out is that most of the critical infrastructure has been infected with malware and if or when that malware is activated, the poop is going to hit the rotating air movement device.

AND, at this point, there is no reasonable way to undo the damage.  It will take decades of work to fix the decades of poor security practices.

Let’s hope we stay relatively friendly with those nations.

Of course, the thing that Admiral Rogers did not say is that we can likely do the same thing to them, so we have the cold war all over again – mutually assured destruction.

EXCEPT, that other countries – like China – are probably way less sophisticated in how they network their critical infrastructure (CI), so taking that CI down requires much more sophistication.  Let’s hope we can do that and declare a stalemate.

I do have to give Admiral Rogers credit for admitting what we in the security community have known about privately for years.  It does take cojones.

Mitch Tanenbaum

Software Testing – The Art of Proving The Presence Of Bugs, Not the Absence

Microsoft just published a critical patch for a 19 year old bug that dates back to Windows 95 and Internet Explorer 3.0.

First the obvious – since it was still there after 19 years, all the testing that Microsoft and users have done on every version of Windows back to and including Windows 95 did not detect this bug – hence the title of this post.

But you might ask WHY this bug was not detected.  Network World published an item that discussed that, but here are a couple of reasons –

  • The person that wrote that hunk of code is no longer with the project or company and no one else understands it, so let’s leave it alone.  It ain’t broke.
  • Supposedly, it is a subtle bug and hard to exploit, so you might have to look real hard to find it (not any more, of course).
  • Didn’t all that old code base go away with Vista/Win7/Win8?  It was 16 bit code and we moved to a 32 bit code base?  Nope, it wasn’t broke, so we just recompiled it.

The article gives some other reasons too, but this doesn’t mean that you should not test.  In fact, if anything, you need to expend more resources, automate the testing, pay bug bounties, etc.  It just means that testing is hard.
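Here is an added example of the post's title in miniature (my own constructed code, unrelated to the Microsoft bug or to any real code base). A bounds check carries a constructed leftover from 16-bit days: the end-of-range arithmetic is still truncated to 16 bits. A hand-written test suite covering the "obvious" cases passes every time, and the bug only surfaces when a seeded random fuzzer compares the check against a straightforward oracle, which is the kind of automated testing the paragraph above argues for.

```python
import random

BUF_SIZE = 4096


def in_bounds(offset: int, length: int, buf_size: int = BUF_SIZE) -> bool:
    """Report whether [offset, offset + length) fits inside a buffer of buf_size bytes.

    Constructed bug: the end-of-range computation is still truncated to 16 bits,
    a leftover from an era when lengths never exceeded 65535, that survived the
    recompile unchanged.
    """
    end = (offset + length) & 0xFFFF
    return offset >= 0 and length >= 0 and end <= buf_size


def in_bounds_oracle(offset: int, length: int, buf_size: int = BUF_SIZE) -> bool:
    """The check as it should be, with no truncation; used only as the fuzzing oracle."""
    return offset >= 0 and length >= 0 and offset + length <= buf_size


# The hand-written suite: every case a developer would think of, all small.
HAND_WRITTEN_CASES = [
    ((0, 10, 100), True),
    ((90, 10, 100), True),
    ((95, 10, 100), False),
    ((100, 1, 100), False),
    ((-1, 1, 100), False),
]


def run_hand_written_tests() -> bool:
    """Return True when the buggy function passes every hand-written case (it does)."""
    return all(in_bounds(*args) == expected for args, expected in HAND_WRITTEN_CASES)


def fuzz(iterations: int = 10_000, seed: int = 1):
    """Compare in_bounds against the oracle on random inputs.

    Returns the first (offset, length) pair on which they disagree, or None.
    The seed makes the run reproducible.
    """
    rng = random.Random(seed)
    for _ in range(iterations):
        offset = rng.randint(0, 1 << 20)
        length = rng.randint(0, 1 << 20)
        if in_bounds(offset, length) != in_bounds_oracle(offset, length):
            return (offset, length)
    return None


if __name__ == "__main__":
    print("hand-written suite passes:", run_hand_written_tests())
    print("fuzzer counterexample:", fuzz())
```

Any disagreement the fuzzer finds is in the dangerous direction: when the true range fits, the truncation changes nothing, so the only way the two functions differ is the buggy one accepting a range that actually runs past the buffer.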

What this also means is that since this bug is now in the wild and Microsoft did not issue a patch for Windows XP, if you are still running XP, here is another reason to migrate – the bad guys now have the bug, they know what Microsoft did to fix it in newer OSes, and all they need to do is figure out a way to exploit it in XP.

Mitch Tanenbaum

Uber God View

Following up on today’s Uber theme, there is an article on USAToday.com tonight that says Uber has something they call “God View” that allows Uber employees to stalk VIP users (and apparently track the movements of any Uber user) – including journalists who are writing articles negative to Uber.

My guess is that this is no different than what a lot of tech companies can do – they have a lot of data about us and we have no choice but to trust how they use the data or not use the service.

The challenge is that we don’t really know what companies that have our data can do, cannot do or claim that they should not do even though they can.

Obviously, transparency is important and to the degree that companies fess up to what they are doing, that makes the decisions that we make more valid.

For example, Amazon knows everything that I purchase (and if I am logged in, everything that I look at) and Netflix knows every movie that I watch.  My cable or satellite provider knows every show that I watch and every commercial that I TiVo over.

I make a decision based on that knowledge whether I want to use those services based on the facts that I know about.

Uber Safe? Maybe!

I am sure that many of you have used the Uber and Lyft ride sharing services, but have you thought about what would happen if the driver were in an accident?  You might want to.

Insurance Networking News recently reported about a new coverage that one insurance company (Erie) is offering to provide coverage to people who use their personal vehicles as taxis and have an accident.  They don’t exactly call it Uber Insurance, but that is what it is.

Most likely, your personal auto insurance will not cover an accident if you are using your auto to drive for dollars – meaning it won’t cover damage to your vehicle or the vehicle you hit.  This is important to the Uber driver and not so much to the Uber passenger.

It also won’t cover costs for YOUR (as a passenger) medical care if you are injured.  This is the part that affects you the most immediately.  If it is the other guy’s fault and he or she admits it and he or she has insurance and you can get that company to accept liability, then you can get paid for your medical care.

Otherwise, you may be left to suing everybody involved, likely waiting years, and maybe getting some money.  But, all may not be lost, keep reading.

All that is from the Uber driver’s personal insurance company’s point of view.

Now from Uber’s point of view:

According to a blog post at Uber, Uber provides $1 million of liability coverage per incident, which, they claim, is primary coverage, from the moment the driver accepts the trip to its conclusion.

Uber also claims to provide $1 million of uninsured/underinsured motorist bodily injury insurance.

Uber also provides $50,000 of contingent (secondary) comprehensive and collision insurance, ONLY IF the Uber driver has their own comprehensive and collision policy.

Lyft claims to offer similar coverage with slightly different rules/limits.

Hopefully nothing happens when you take that next taxi ride, but ….

Maybe this is much ado about nothing, but I suspect that there may well be kinks in the system yet to be worked out.  AND, knowing where your coverage would come from (I would look to Uber or Lyft right away — the deep pockets idea) is probably very useful.

Certainly things to think about, both as an Uber or Lyft passenger and as a driver.

Mitch Tanenbaum
