Disclaimer: This is a personal blog. The views and opinions expressed here represent my own and not those of any institutions or organizations that I currently work for or have worked for.

Monday, January 9, 2012

Popular site, "Upromise" Revealed

Like I have said, when it sounds too good to be true, it is certainly too good to be true!

"Keeping Upromises

By Lesley Fair
January 9, 2012 - 11:43am

Upromise offers users a service where they can save for college by getting rebates when they buy merchandise from participating retailers. But as the FTC charged in a recent law enforcement settlement, when it comes to consumer privacy and data security, the college savings membership program may want to consider a refresher course.

To participate in Upromise, users downloaded the Upromise TurboSaver Toolbar, designed by a service provider hired by Upromise. Once in place, the Toolbar modified users’ browsers to highlight results from Upromise member merchants. According to the FTC’s complaint, how the Toolbar’s optional "personalized offers" feature worked is where things went wrong.

That feature — which in some cases was the default setting because of a box Upromise pre-checked — modified the Toolbar to provide targeted offers based on a user’s online behavior. While Upromise told users that the personalized offers feature collected information "about sites you visit" for the purpose of providing "college savings opportunities tailored to you," the FTC says the company failed to disclose the full extent of what was going on.

According to the complaint, the feature collected a ton of other information, including the names of all sites people visited and which links they clicked on, as well as information they entered on some pages — like search terms, user names, and passwords. What’s more, in some cases, Upromise’s toolbar collected and transmitted credit card and account numbers, expiration dates and security codes, user names and passwords for access to secure sites, and any Social Security numbers people entered on those pages.

Failing to tell people the full extent of what Upromise collected was a deceptive practice, charged the FTC. The complaint also alleges that Upromise falsely told people their data would be encrypted when it actually was transmitted in clear, readable text.

In addition, according to the FTC, Upromise’s claim that it took reasonable security measures to prevent unauthorized access to consumer’s data was false. The complaint alleges that Upromise engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information it collected and maintained. Among other things, Upromise:

transmitted sensitive information from secure web pages, like financial account numbers and security codes, in clear readable text;

didn’t use readily available, low-cost measures to assess and address the risks to people’s information;

failed to ensure that employees responsible for the information collection program received adequate guidance and training; and

failed to take adequate steps to ensure that its service provider used reasonable and appropriate measures to protect information.

The complaint also charges that Upromise’s failure to use reasonable and appropriate measures to protect consumer information — like credit card and financial account numbers, security codes and expiration dates, and Social Security numbers that consumers entered into other websites — was an unfair practice under the FTC Act. How so? Tools for capturing data in transit — like over unsecured wireless networks at the neighborhood coffee shop or other public places — are commonly available, making it easier for bad guys to intercept clear-text data while it’s being sent. That opens the door for misuse, including unauthorized charges and identity theft.

Next: Practical pointers from the Upromise settlement"

More information at:
http://business.ftc.gov/blog/2012/01/keeping-upromises

Friday, December 30, 2011

Emerging threats to become major players in 2012

Saw this picture from Help Net Security and thought it was interesting, so I'm posting it here.

1. Industrial attacks: Cybercriminals target utilities
2. Advertisers will “legalize” spam
3. Mobile threats: Attackers will bypass PCs
4. Embedded hardware: The promised land for sophisticated hackers
5. Hacktivism: Joining forces online and on the front lines
6. Virtual Currency: A cybercriminal payment plan
7. Cyberwar: Flexing its muscles
8. Rogue Certificates: Untrustworthy and undetectable
9. Tomorrow’s internet looks more like yesterday’s Internet
10. Advances in operating systems move hackers “down and out”

Wednesday, May 11, 2011

Two Zero-Day Flaws Used To Bypass Google Chrome Security and More . . .

"French researchers say they hacked their way out of browser's sandbox, bypassed DEP and ASLR."

More information here and more updated information here

Securing the Virtual Environment

My colleague talks about Virtual Environment Security.

Backtrack 5 Released

BackTrack 5 - Penetration Testing Distribution from Offensive Security on Vimeo.

Android malware - This picture explains it all

This was an interesting picture that I was looking at regarding Android malware.

(Source: HelpNet Security)

Sunday, May 8, 2011

Social networking site Facebook should be more secure

Social networking sites like Facebook should do more to become secure. Facebook scams (like the free iPad giveaway) are becoming more and more pervasive, and if you don't check out a link before clicking it (as most users don't), it's a bad thing.

"When landing on the fake Facebook page, they are re-directed to a different, malicious page where they are supposed to provide their email and shipping address in order to take part in an alleged test session of the iPad 2.

The bait is more interesting as scammers announce that Apple is giving away for free a total of 10,000 iPad2 for review purposes only.

“This scam is very aggressive and efficient at the same time because it uses two Facebook specific spreading mechanisms which ensure high visibility: notifications and direct email,” commented Catalin Cosoi, Head of the BitDefender Online Threats Lab. “The main social engineering elements are on the one hand, getting users curious about why they were made admins of a page and on the other, the classic iPad bait. In this case, the device is supposed to be given away for free, but sent through mail, for testing purposes.”

If you come across this scam, do not provide any details through the received form. Second, remove yourself from the admin list of that page."

(Source: HelpNet Security)