- Everything you wanted to know about data breaches and privacy violations — after malware hits Wawa stores
- 1. Check whether your accounts have been affected
- 2. Sign up for additional fraud protection
- 3. Know the difference between a credit freeze and a lock
- 4. Know the difference between a hack and a breach
- The Rise of the Smart Car Market
- Examples of Smart Car Threats
- 1. Car Control Hacks
- 2. Smart Alarm Hack
- 3. Insecure Associated Apps for Smart Cars
- Preventing Your Smart Car Being Outsmarted
- 1. Patch and Update
- 2. Deactivate Services
- 3. Secure Your Wi-Fi
- 4. Trust in a Good Mechanic
- Smart Car Security by Design
- Design Smart, Design Secure
Everything you wanted to know about data breaches and privacy violations — after malware hits Wawa stores
Another day, another massive security breach.
The gas station and convenience store chain Wawa said Thursday that malware in its payment processing system may have been collecting customers’ debit and credit card numbers since March.
The breach affected all 850 Wawa locations, which are on the East Coast from Pennsylvania to Florida, the Associated Press reported.
Wawa says it will notify customers and offer free credit card monitoring.
It’s one of several recent data breaches.
Food delivery app DoorDash said in September that “an unauthorized third party” accessed some of its user data in May, affecting about 4.9 million customers, merchants and DoorDash delivery people who joined the platform on or before April 5, 2018. In that case, the company said not enough information was released for hackers to ring up fraudulent charges.
“ Compromised data included profile information, including names, delivery addresses, and order history. For some consumers, the last four digits of credit cards were exposed. ”
About 100,000 delivery people had their driver’s license numbers compromised, DoorDash said.
Capital One Financial Corp. COF, +1.35% said in July that more than 100 million people had their personal information hacked.
The hacker got information including credit scores and balances, ZIP codes, email addresses, dates of birth, self-reported income and payments history, fragments of transaction data, plus the Social Security numbers of about 140,000 customers and 80,000 bank-account numbers from credit-card customers, the bank said.
Don’t miss:A worrying theory after Equifax and settlements — aggregated data is NOT enough to protect your privacy
Capital One couldn’t say for sure whether the leaked data was used for fraud, but said it was unly. It first heard about the hack on July 19, but waited until July 29 to inform customers; it sought help from law enforcement to catch the alleged perpetrator.
“ Capital One couldn’t say for sure whether the leaked data was used for fraud. It first heard about the hack on July 19, but waited until July 29 to inform customers. Over that time, it sought help from law enforcement. ”
Wawa, Capital One offered customers free credit monitoring.
However, privacy experts say credit monitoring only looks for changes on a credit report, indicating that someone is using your personal information to open new accounts in your name. But it does not prevent someone from taking out a loan in your name.
Such security precautions are unly to help people protect against a hack. Exposure of data that can’t be changed, such as Social Security numbers, are the hallmarks of particularly severe data breaches.
Be on your toes after a major hack or data breach. Never give out personal details over the telephone, even if the caller seems to represent the company that recently had a data breach or the email appears to be from that company. Consumers need to be careful whenever they are contacted by an unsolicited caller. Hang up and call the number on your card.
Here’s what you should do if your data is breached, particularly if your credit-card or Social Security Numbers were exposed:
1. Check whether your accounts have been affected
There still aren’t many formal ways to check whether your data has been compromised in a breach. Often, the company will alert affected customers, but they aren’t required to.
Some states, California, have laws requiring companies to disclose data breaches that affect a certain number of customers, and the Federal Trade Commission has discussed proposing similar regulations.
Consumers can also monitor their credit report to shut down fraudulent activity as quickly as possible.
2. Sign up for additional fraud protection
Security experts generally recommend never re-using security passwords and say people should use two-factor authentication, which requires a user to enter a code sent to their phone or email to log into an app or website or to change a password. They also say those affected by such hacks should freeze their credit report — it’s now free to do that.
Paid services such as Lifelock, EZ Shield and Identity Guard go beyond typical credit freezing and alert services. The most basic version of Lifelock costs $9.
99 per month and provides benefits including address change verification, help canceling or replacing lost credit cards, driver’s licenses, Social Security cards and insurance cards, plus a “restoration team” that helps correct any identity-theft issues and black-market website surveillance.
3. Know the difference between a credit freeze and a lock
A freeze means that a consumer cannot take out a new loan or credit card without “unfreezing” the report first, but also prevents a hacker from taking out a loan in your name.
Credit agencies also offer a service called credit “locking,” which offers the same protections as a freeze, but typically costs a monthly fee. Contact Equifax, Experian EXPN, and TransUnion TRU, +3.
27% to request a freeze.
4. Know the difference between a hack and a breach
A breach is when data is unintentionally left unsecured and vulnerable to hacking, as a result of malicious activity or from negligence.
A hack specifically refers to the activities of cyber attackers who purposely compromise IT infrastructure to steal information or to hold systems ransom.
If your data was involved in a breach, it’s possible it was just left exposed online and was not stolen.
“ Be on your toes after a major hack or data breach. Never give out personal details over the telephone, even if the caller seems to represent a company that recently experienced a breach. ”
Two years after Equifax EFX, +3.11% revealed that hackers accessed the personal information of up to 147 million people, the credit reporting bureau announced a settlement for up to $700 million, including $425 million in relief for those who have been affected.
Last year, , +1.54% announced that U.K.-based Cambridge Analytica improperly accessed 87 million users’ data. Chief Executive Mark Zuckerberg testified before Congress and vowed to do more to fix the problem, and help make sure that nothing that happens again. Cambridge Analytica closed down in the wake of the scandal. The Federal Trade Commission fined $5 billion.
WhatsApp, the messaging and audio app owned by , announced in 2018 that hackers were able to install spyware on Android smartphones and Apple AAPL, +0.51% iPhones. “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said at the time.
More than 57 million customers of Uber UBER, +1.52% had their data exposed by a massive hack in October 2016. Uber fired its chief security officer, Joe Sullivan, and one of his deputies, for concealing the hack, which included the email addresses of 50 million Uber riders around the world. The revelation was made a year after the attack. It also affected 7 million drivers.
(The Associated Press, Jacob Passy, Maria LaMagna and Kari Paul contributed to this story.)
This happened to a Chrysler Jeep Cherokee during BlackHat 2015 in Las Vegas. Security researchers, Charlie Miller and Chris Valasek, demonstrated just how easy it is to hack a connected car using simple hacking techniques password guessing.
With computing power that, should be worried that our cars could become our enemies?
In this blog article, we will shed a light on the increasingly popular concept of smart cars, give examples for possible smart car security threats and provided recommendations for how to prevent your smart car from being outsmarted.
Can Data Privacy be Smart? An Introduction to Smart City Privacy[Infographic] How to Secure the IoT Environment
The Rise of the Smart Car Market
The smart car market is revving up and expected to be worth $43 Billion by 2023. People are falling in love with smart technologies and cars are just one area that is picking up on the trend towards smartness.
Cars are smart when they become connected.
The first connected car was the Onstar by General Motors. It had a built-in telematics system and automatic crash notification – sending out a call to an advisor who could then contact emergency services.
Now, connected cars have an array of sensors and connect via intelligent systems directly (or indirectly) to the Internet. McKinsey describes the modern connected car this: “today’s car has the computing power of 20 personal computers, features about 100 million lines of programming code, and processes up to 25 gigabytes of data an hour.”
Examples of Smart Car Threats
In a survey looking at the obstacles to connected car uptake, cybersecurity and privacy were the biggest concerns for consumers.
But what kinds of security threats put connected cars and their drivers at risk? In recent years, a number of researchers have explored vulnerabilities in smart car systems with some interesting results – some of which we have listed below.
1. Car Control Hacks
A car running software, especially software that is connected to a mobile app or the Internet, is at risk of the same vulnerability exploits as any other computer. Protocol or code vulnerabilities are areas of potential weakness in connected car security.
One of the selling features of a smart car is its great infotainment system. The car’s infotainment system is connected via protocols, the MirrorLink protocol, to the driver’s/passenger’s smartphone to allow music to be played. MirrorLink uses the same type of mechanism that is often used in remote desktop sharing.
A team of security researchers at New York University Tandon School of Engineering and George Mason University have demonstrated inherent critical security flaws in the system. The team found that hackers could exploit these vulnerabilities and override the safety features of the car.
The mazda_getInfo repository on Github demonstrates how the infotainment system in a Mazda could be vulnerable.
The MZD Connect firmware of Mazda’s connected car, allowed a user to run malicious scripts from a USB flash drive via the car’s dashboard.
However, Mazda put out a disclaimer about this, stating “ Please be assured and note that customizations cannot be carried out remotely by a third party”.
Another infotainment initiated attack was discovered by researchers looking at Volkswagen and Audi connected cars. The researchers used the car's Wi-Fi to exploit an exposed port and hijack the infotainment system.
2. Smart Alarm Hack
PenTestPartners, who perform penetration testing on products to find vulnerabilities, identified an exploit that uses a car’s smart alarm system.
They were able to identify critical security vulnerabilities in two of the largest smart alarm systems affecting 3 million vehicles. The vulnerabilities included both security issues, such as unlocking the car and privacy violations exposing the personal data of the car owner.
Related Post: Can Data Privacy be Smart? An Introduction to Smart City Privacy
3. Insecure Associated Apps for Smart Cars
Mobile apps are a potential weak point in smart cars.
Kaspersky took seven connected car mobile apps and analyzed them for vulnerabilities. What they found was shocking. Amongst others, they identified little or no code obfuscation for door unlocking.
They also found none of the apps encrypted username and password credentials. One of the main concerns of the exercise was that mobile Trojans could be used in the future to compromise smart cars.
And, it isn’t just cars at risk here. The Xiaomi Electric Scooter connects via Bluetooth to mobile app allowing various functions such as an anti-theft system to switch-on/off. Unfortunately, researchers have identified a flaw that allows a remote hacker (up to 100 meters) to send commands to the scooter via the app without the need for the password.
Preventing Your Smart Car Being Outsmarted
Smart cars are vulnerable to the same issues as other software. And, because components are connected, they offer an expanded attack surface for cybercriminals. As consumers of smart cars, we recommend several things to hack-proof our connected vehicle.
1. Patch and Update
any other computer, you should endeavor, wherever allowed, to patch firmware.
Also, always keep mobile phones and associated smart car apps up to date. UConnect, who develop a connected vehicle platform for a number of well-known smart car makes, let you check for updates online. Also, make sure you sign up for manufacturer updates.
2. Deactivate Services
If you aren't using it, deactivate it. Bluetooth, for example, is a possible exploit point for cybercriminals.
3. Secure Your Wi-Fi
Check out the Wi-Fi hotspot used by the car and wherever possible secure it – this includes replacing any default passwords. In addition, make sure you don’t write down any passwords associated with your smart car and leave them in the car.
Related Post: [Infographic] How to Secure the IoT Environment
4. Trust in a Good Mechanic
Malware upload may be more difficult to perform remotely, but it is easier if a malicious insider does it. Take care to find a trustworthy mechanic when you have your smart car serviced.
Smart Car Security by Design
Secure best practices in the automotive industry are a must if we want to ensure a secure driving experience. The manufacturing process, itself, needs to be the principle of ‘Security by Design’. To this end, frameworks and best practice guides are being developed to ensure smart cars have good security built-in, by design.
One such example is Enisa smart car best practice guidelines. The guidelines look at ways to develop best practices in keeping smart cars safe from cyber threats.
- building more secure products for smart cars
- improved information sharing among industry players
- consensus on technical standards
- tools built for security analysis of smart cars
Related Post: GDPR: What is Privacy by Design?
Another body working in the area of smart car security best practices is the National Highway Safety and Transportation Administration and the Federal Trade Commission. A workshop held in Washington D.C. in 2017, explored ways of improving the data security and privacy of connected cars.
A number of key points emerged from the workshop. A focus was on data collection in smart car environments being expansive across myriad areas of the car. The workshop discussed how data privacy fundamentals such as consent to share data and the minimization of data collection must be incorporated into car design.
From the workshop, a document offering voluntary guidance on smart car security was released – “Automated Driving Systems 2.0: A Vision for Safety”.
Design Smart, Design Secure
Ensuring that our smart cars give us a secure and privacy-enhanced driving experience means our manufacturers need to ‘design smart’.
Smart cars are the equivalent of an Internet-connected device on wheels. All of the same vulnerabilities and exploits found in the Internet of Things (IoT) will come to haunt smart cars unless we plug the gaps with Security by Design.