TIME Security

Apple Pay Competitor Defends Service After Hack Exposes Emails

220,000 Stores Start Accepting Apple Pay
A worker demonstrates Apple Pay inside a mobile kiosk sponsored by Visa and Wells Fargo to demonstrate the new Apple Pay mobile payment system on October 20, 2014 in San Francisco City. Justin Sullivan—Getty Images

"This is not a breach"

Apple Pay competitor CurrentC defended the security of its mobile payment system in a Wednesday conference call, just hours after its parent company MCX reported that hackers had obtained some users’ e-mail addresses.

MCX CEO Dekkers Davidson said the attack, which targeted the company’s email vendor, was “not a breach” of the CurrentC app itself. He also emphasized that the incident affected mostly dummy e-mails used in the yet-unreleased service’s ongoing testing phase. Davidson also revealed that some dummy zip codes were stolen and that CurrentC’s systems had withstood several repeated attacks during the past week.

Davidson added the hack hasn’t made the company hesitant to store customer information in the cloud, a plan that’s been criticized given that CurrentC’s main competitor, Apple Pay, doesn’t collect any traceable information at all.

“In terms of consumers’ information and any payment credentials, they’re not stored on a device. They’re not actually present in the physical world,” Davidson said. “And that we think is a design or implementation that makes it far more secure than the world we live in today, and far more secure than many of the alternatives that have been advanced over the last few years.”

While MCX is a joint venture by retailers in order to create a retailer-owned payment system, Davidson said that the service is “first and foremost” about customer engagement. Part of that customer engagement will include a consumer privacy dashboard so that users can elect what information, if any, they would like to share with merchants.

MCX has been under scrutiny after reports suggested that MCX members CVS and Rite Aid disabled Apple Pay because of a contractual agreement for exclusivity. However, Davidson said that the company welcomes competition, and that it is the merchants’ choice whether or not to accept other forms of mobile payment. He added that MCX member retailers are not subject to fines if they choose to adopt Apple Pay, which registered 1 million credit cards in its first three days.

Davidson added that although some MCX merchants have blocked Apple Pay, MCX is open to member retailers using both Apple Pay and CurrentC simultaneously once the latter service goes public early next year.

“We have a great deal of respect for Apple, of course, and Apple Pay,” Davidson said. “We believe and our merchants believe we require two to three strong players in the space to build the ecosystem.”

TIME Security

Why You Should Care That the White House Got Hacked

Russian hackers may have jumped the White House's digital fence

Security experts are pointing fingers at Russian hackers for a cyberattack against the White House that came to light late Tuesday, marking the latest high-profile attack linked to that country.

The attack doesn’t appear to have caused much harm. There was no evidence that hackers had breached classified networks. White House Press Secretary Josh Earnest on Wednesday said the attacks were an “inconvenience,” but attributed ongoing network disruption to the government’s cleanup of the incident rather than the attack itself. So why should we care that unclassified networks at the White House were hacked?

First, experts say the White House attack shows just how wide a net Russian hackers appear to have cast, especially as tensions between the U.S. and Russia have heightened amid the ongoing crisis in Ukraine. The recent hack is just the latest in a slew of attacks attributed to Russian hackers who security researchers have connected to the Russian government — earlier this month, a Russian hacking group reportedly exploited a Microsoft Windows flaw to spy on NATO and the Ukrainian government. Russian hackers were also behind an attack on JPMorgan Chase that compromised customer information linked to 83 million accounts, according to a recent report. If Russian hackers are indeed behind the White House attack, we should be concerned about their possible intent to probe deeper into the White House network.

“The objective of this may have been a test to determine what the security culture is at the White House before targeting more sophisticated networks,” said Armond Caglar, a senior threat specialist at the firm TSC Advantage.

Beyond that, the White House attack shows that even some of the most well-protected institutions are vulnerable, even if the hackers didn’t get ahold of any national security secrets this time around. “On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system,” a White House official told the Washington Post. “This is a constant battle for the government and our sensitive government computer systems, so it’s always a concern for us that individuals are trying to compromise systems and get access to our networks.”

Attacks on private and public sector entities—including the White House—are now par for the course. Says Adam Golodner, an attorney at Kaye Scholer who practices cybersecurity law: “This is the world in which chief information security officers now live.”

– With reporting from Zeke J. Miller

TIME Security

Retailers’ Apple Pay Competitor Has Already Been Hacked

Retailers joined forces to create the digital wallet, which has received cold reviews

Apple Pay competitor CurrentC said Wednesday that hackers have gotten their hands on some users’ information, according to a statement from MCX, the service’s developer. The hackers targeted MCX’s e-mail provider, not the CurrentC app itself.

MCX said that the hackers accessed some e-mail addresses of CurrentC pilot program participants and individuals who had expressed interest in using the free digital wallet. MCX, a joint venture created by major U.S. retailers in part as an effort to avoid paying credit card transaction fees, did not disclose how many individuals were affected, but said many of the stolen e-mail addresses were not of actual users.

“Many of these email addresses are dummy accounts used for testing purposes only. The CurrentC app itself was not affected,” Linda Walsh, a spokeswoman for MCX, said in an e-mail. “We have notified our merchant partners about this incident and directly communicated with each of the individuals whose email addresses were involved.”

The hack targeting CurrentC, which is set for release next year, comes on the heels of news that retail giants CVS and Rite Aid—two members of MCX—will not accept Apple Pay despite at first allowing the service. A leaked in-house memo indicated that the reason may be the two companies’ involvement with CurrentC. Apple CEO Tim Cook said Tuesday in an interview with The Wall Street Journal that the situation amounted to a “skirmish.”

News of CurrentC’s vulnerability also adds to the less-than-warm reviews of the mobile payment service, which some reviewers say was designed more for the benefit of retailers than for customers. It also boosts the reputation of its competitor Apple Pay, which has championed its customer data security. Apple Pay users registered one million cards on the service in its first three days, Cook said earlier this week.

TIME Security

Americans Are More Afraid of Being Hacked Than Getting Murdered

Credit card payment in pharmacy.
Getty Images

Nearly 70% of Americans are worried they'll be hacked. Just 18% are afraid of being murdered

Americans are more worried that their credit card information will be stolen by hackers than they are about being murdered, sexually assaulted or having their home targeted by a burglar, according to a Gallup poll released this week.

Sixty-nine percent of Americans said they frequently or occasionally worry about having credit card information they use in stores stolen by computer hackers, making hacking by far the most feared crime in the United States, according to the poll. The second-ranking crime that Americans worry about is having their computer or smartphone hacked, with 62% of Americans occasionally or frequently worried about such a breach.

By comparison, 45% of Americans are worried about their homes being burglarized, 28% about being the victim of terrorism and 18% are worried about getting murdered.

Target, Home Depot and Neiman Marcus have all reported massive hacks in the past year, affecting many millions of customers. Fully one quarter of Americans say they or someone in their household has had information from a credit card used at a store stolen by computer hackers during the last year.

 

TIME White House

White House Computer Networks Hacked

Early morning sunrise is seen over the White House in Washington, Oct. 28, 2014. Pablo Martinez Monsivais—AP

Russian hackers suspected

Hackers believed to be employed by the Russian government breached White House computer networks in recent weeks, temporarily disrupting services.

Citing unnamed sources, the Washington Post reported there was no evidence that hackers had breached classified networks or that any of the systems were damaged. Intranet or VPN access was shut off for a period but the email system was never downed. The breach was discovered two to three weeks ago, after U.S. officials were alerted to it by an unnamed ally.

“On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system,” a White House official told the Post. “This is a constant battle for the government and our sensitive government computer systems, so it’s always a concern for us that individuals are trying to compromise systems and get access to our networks.”

Cybersecurity firms in recent weeks have identified NATO, the Ukrainian government and U.S. defense contractors as targets of Russian hackers thought to be working for the government.

[The Washington Post]

 

TIME Ask TIME Tech

Ask TIME Tech: Good Streaming Security Camera?

Dropcam
The $149 Dropcam streams live security footage to the web, accessible for free via mobile apps and computers. Dropcam

We're looking for an easy, cheap way to catch an intruder in the act

Question: I just moved to a new apartment and for a number of reasons, I’m feeling like I need to have a video camera in my place. Mainly because I feel like the management company continues to come into my apartment to “fix” things, and it’s causing me to feel violated.

I was wondering if you knew of a relatively cheap camera that would hook up to an iPhone app and send some sort of notification on the phone when there’s movement.

Short Answer: The $149 Dropcam HD should do the trick.

Long Answer: There’s no shortage of streaming security cameras out there and while Dropcam isn’t the cheapest option, it’s really easy to set up, it’s reliable and its free mobile app works great.

There are two models available: the $199 Dropcam Pro and the $149 Dropcam HD. You’ll be just fine with the $149 model pictured above. The $199 version gets you a wider field of view (130 degrees versus 107 degrees), lets you zoom in closer (8x versus 4x) and has a newer wireless chip that can take advantage of faster connections.

Either model will alert you to movement via email and text message, and you can watch live footage from your phone or from a computer. You can also set up movement zones in your home, such as doorways and stairwells. This is handy if you have pets, for instance. You don’t want motion notifications going off all day when your dog is moving around; only when someone comes in through the front door. Each camera sports voice communication, too, so you can tell your dog to get off the couch or tell an intruder that you’ve called the police.

There are two service plans available, which record footage that you can use to play back later if you need it for legal reasons. The 7-days-of-recording, $99-per-year plan should be just fine. There’s also a $299-per-year plan that saves 30 days of footage.

Note that you don’t have to use a service plan at all, though. If you just want to check in on live footage and get alerts when someone enters your place, that’s all included without a plan. My advice would be that if you decide to go without a plan and you get an alert that someone has entered your home, capture a screenshot (or several) of the person in the act by pressing the power button and the Home button on your iPhone at the same time. That way you’ll have proof if you need it later.


TIME United Kingdom

Watch a Wayward Jogger Collide With the British Prime Minister

Police say runner was merely "in the wrong place at the wrong time"

A British jogger made national news on Monday after his midday run set him on a collision course with Prime Minister David Cameron, prompting the man’s arrest, speculation as to why he did it, and an official review of Cameron’s security detail.

Footage of the incident shows Cameron and his security retinue walking out of the civic hall in Leeds, a city in West Yorkshire, when a dreadlocked jogger runs into the frame, cutting a direct path between the security guards and into the prime minister, appearing to give him a gentle shove.

Security officers seized the man and bundled Cameron into a waiting car. Initial reports identified the jogger as a protester, which local police later denied, calling the incident “nothing sinister.”

“No threats were made, and after the man’s details were checked, he was de-arrested and allowed on his way,” read a statement from the West Yorkshire Police department.

The runner, later identified as Dean Balboa Farley, also took to Facebook (in a post that has since been taken down) to set the record straight on his motives. “So I’m all over the news as ‘the protester that attacked David Cameron in Leeds,’” he wrote. “Yeah, if you call brushing into someone while running then getting assaulted by half a dozen coppers in suits…”

TIME Security

Google Now Supports USB Security Keys for Two-Step Verification

Most security experts agree that you should secure all your online accounts with two-step verification when you can. It’s an important additional security feature that requires you to have access to a physical item (typically, a mobile phone) to gain access to your online accounts.

After entering your password, you enter a second code from your smartphone to double-verify your identity. With two-step verification enabled, even if someone steals your current password through a hack, they won’t be able to enter your accounts unless they also steal that physical item – a requirement that stops most bad guys in their tracks.

Of course, there are always situations where you may not want to use – or simply don’t have access to – a mobile phone. That’s why Google announced the launch of Security Key. It enables two-step authentication for your Google accounts through the use of a physical USB stick.

“Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google,” the company explains on its official UK blog. “Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.”

Security Key requires a USB drive to work, so it’s not compatible with most mobile phones and tablets. Security Key also requires you to use the Chrome web browser (version 38 or newer) to complete verification. And, of course, there are questions about just how secure the USB format is in general due to the recently discovered BadUSB vulnerability.

If you want to give Security Key a try, you’ll need to purchase a FIDO U2F-certified key to use with the feature. You can buy a basic USB security key on Amazon for $5.99, or something slightly sturdier with a button for $17.99. You can learn how to register and add a Security Key to your Google account by visiting the Google Help page.

This article was written by Fox Van Allen and originally appeared on Techlicious.


TIME Security

China iCloud Attack Could Be State-Sponsored Hacking

Apple Inc. Launches iPhone 6 And iPhone 6 Plus In China
A Chinese man sets up his new iPhone 6 inside an Apple store on October 17, 2014 in Beijing, China. Feng Li—Getty Images

The iCloud attack coincided with the iPhone 6 releases in China

Chinese users recently attempting to access Apple’s iCloud online data storage service may have had their personal information stolen in what one cybersecurity firm claims was a high-level cyberattack backed by Chinese authorities.

GreatFire, an independent Chinese censorship watchdog, said the hack was a “man-in-the-middle” attack, in which hackers get access to users’ files by getting them to enter their login information into a fake login site. The hackers then sit in “the middle” of users and the service, grabbing data as it’s transmitted between the two.

Apple confirmed the attack Tuesday, stating that it is “aware of intermittent organized network attacks using insecure certificates to obtain user information.” The firm added that the attacks “don’t compromise iCloud servers, and they don’t impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser.”

GreatFire said the hackers involved with the iCloud breaches used servers accessible by only state-run organizations and Chinese authorities, a sign the attacks had the blessing of such authorities. The hack came just as the iPhone 6 was released in China after a delay over the government’s security firms.

The iCloud attack follows a report earlier this month that “a very large organization or nation state” was putting malicious spyware onto iPhones and iPads belonging to Hong Kong’s pro-democracy protestors. GreatFire also previously reported that Chinese authorities had launched attacks on GitHub, Google, Yahoo and Microsoft in an apparent effort to censor those services.

“This is what nation states do to ‘protect’ their citizens. There is nothing surprising or unexpected in this revelation,” said Phil Lieberman, president of cybersecurity firm Lieberman Software. “It would not be hard to find other countries doing similar things.”

TIME Security

Experts Warn Corporate Boards Aren’t Protecting Us From Hackers

A shopper walks past a large Home Depot logo inside a store in New York, Tuesday, May 16, 2006. Bloomberg—Bloomberg via Getty Images

In the wake of hacks against Target, Home Depot and JPMorgan, analysts say companies' boards need to be more vigilant on cybersecurity

As an increasing number of major retailers and financial institutions are falling victim to hacks like those against Target, Home Depot and JPMorgan, many experts say corporate boards aren’t doing enough to protect customers from cybersecurity breaches.

While corporate boards are a step removed from companies’ day-to-day operations, the increasing risk of data breaches means that board members need to be more involved in cybersecurity, observers say, whether by pushing for security oversight or reshuffling executives who don’t react properly to crises.

“We live in the post-Target era,” said John Kindervag, security analyst at Forrester. “There’s a moral obligation to consider firing an executive team because of a data breach. It’s a huge business failure.”

Corporate boards rarely review cybersecurity plans or involve themselves in the particulars of data protection, traditionally viewing security as an information technology problem. According to a PriceWaterhouseCoopers report released last month, just 42% of 9,700 executives in over 150 countries said their boards are involved in security strategy; just 25% said their boards are involved in reviewing security and privacy threats.

“They’ll say to the CEO, what are we doing about security, and then don’t get involved at all until they get breached,” says Avivah Litan, security analyst at Gartner. “Most companies don’t communicate at that level with the board. They’re out of touch and they’re totally clueless about information security.”

Securities and Exchange Commissioner Luis Aguilar put it more gingerly to board directors earlier this month at a New York Stock Exchange cybersecurity conference. “There may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks,” Aguilar said. There’s a discrepancy, too, between what shareholders demand of boards and what they’re actually doing — a survey published by Institutional Shareholder Services (ISS) last month shows that nearly 70% of shareholders view board oversight actions prior to hacking incidents as “very important.”

Negligent boards may find themselves facing questions from angry shareholders and customers after a cyber breach. In June, ISS made the unusual recommendation that Target shareholders oust seven out of 10 members of its board after credit card information belonging to 40 million customers was compromised, laying blame on two board committees in particular.

“The data breach revealed that the company was inadequately prepared for the significant risks of doing business in today’s electronic commerce environment,” ISS advised. “The responsibility for oversight of these risks lies squarely with the Audit Committee and the Corporate Responsibility Committee.” Shareholders re-elected the board, but ISS’ condemnation was a wake-up call for retailers. Target is now facing an investigation from the Federal Trade Commission into the details of the breach.

Home Depot, meanwhile, was a founding member of a threat-sharing group of major retailers earlier this year, and its board received regular updates on cybersecurity, according to a spokesman. “IT and IT security have regularly been items on our board meeting agendas for several years now, and the board has received regular updates on the breach since it occurred,” said that spokesman. But the hardware retailer was caught flat-footed by a data breach this year that jeopardized 56 million customers’ credit cards, and managers ignored weaknesses in cyber defense before the attack, the New York Times reported last month.

Analysts say a strong board of directors should know how to ask management the right questions about cybersecurity. “The board is not responsible for identifying risk, but it sure as hell needs to know that management understands that responsibility and knows how to respond to it,” said Rick Steinberg, former governance practice leader at PricewaterhouseCoopers.

Ultimately, it might be a financial motivation that gets corporate boards to take a closer look at their firms’ cybersecurity standards. Target’s net income dropped more than $400 million in the quarter the breach was announced compared to the year before; the company said direct costs from the data breach would reach $148 million in the second quarter of 2014 alone. The total expense of any breach, including lost profits from nervous consumers, is often incalculable. “A data breach is the equivalent of an oil spill,” said Kindervag. “It’s a fundamental business issue.”
