Keystroke recording scripts found running on numerous Hong Kong websites, say researchers

Several Hong Kong websites are running third-party scripts which can potentially capture the keystrokes of site visitors, according to a study by researchers at Princeton University.

The sites may have no knowledge of the nature of the scripts. According to a 96,000-entry spreadsheet compiled by the researchers, the local websites of the Hong Kong Trade Development Council, Watsons, Lexis Nexis, Lane Crawford, GoGoVan, Spacious, Expat Living, AXA, Air France, and Air New Zealand are affected, among others.

The research published last week looked into seven of the top “session replay” companies, who specialise in gathering user data by recording the activities of website […] Read more

Buy a duplex with less than 5 percent down

Buying a duplex: a different animal

When it comes to buying a duplex with less than 5 percent down, the strength of your application really counts. The question very often is not what you can afford, but whether you can fit within tight lender guidelines.


What exactly is a duplex?

A duplex is a property with two units at one address. It’s traditionally a way to get into the investment real estate game, because you get shelter for yourself, plus rental income and extra tax breaks. The rent can offset or even […] Read more

We Warn Congress: After Equifax, Firms Will Step Up Trojan Horse Efforts to Eliminate State Privacy Laws

Like clockwork, after any big data breach is disclosed, powerful special interests seek to turn the problem into a bigger problem for consumers by using it as an opportunity to enact some sort of narrow federal legislation that broadly eliminates state data breach notification, state data security and other privacy protections. I testified yesterday in the House Financial Services Committee (link to full hearing archive and video transcript) warning of their efforts. I warned in particular of their Trojan Horse efforts to hide their broader plans. They don’t simply want to create a “uniform national breach law.” Inside that Trojan […] Read more

Equifax Reopens Salary Lookup Service — Krebs on Security

Equifax has re-opened a Web site that lets anyone look up the salary history of a large portion of the American workforce using little more than a person’s Social Security number and their date of birth. The big-three credit bureau took the site down just hours after I wrote about it on Oct. 8, and began restoring the site eight days later saying it had added unspecified “security enhancements.”

The Work Number, Equifax’s salary and employment history portal.

At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for […] Read more

Pa. Credit Union Association joins suit against Equifax


A trade group representing Pennsylvania credit unions has joined a class-action lawsuit against Equifax, saying financial institutions will incur years of fraud-related expenses because of the recent data breach at the company.

The Pennsylvania Credit Union Association is one of eight state and regional trade groups to join the suit since the Credit Union National Association filed it Oct. 4.

The complaint alleges that credit unions will be on the hook for costs like canceling and reissuing compromised credit cards, reimbursing members for fraudulent charges, increasing fraudulent activity monitoring and notifying members of fraud on their […] Read more

The vulnerability management process after Equifax

Managing software vulnerabilities is a universal problem.

While unknown flaws in code or system design are part of the vulnerability management process, responsible disclosure policies and bug bounties have greatly reduced the prevalence of zero-day attacks. Unknown security holes that attackers exploit are usually at high-value targets, such as Fortune 500 companies, government agencies and critical infrastructures.

NotPetya, WannaCry, Conficker and other well-publicized attacks took advantage of vulnerabilities that were publicly known and had available software patches. The use of known vulnerabilities is especially troubling for security professionals because these attacks can be prevented.

Companies haven’t embraced the ever-changing software environments that have […] Read more

Number of Leagues Joining CUNA’s Equifax Suit Rises Again

At least eight credit union leagues from all over the country are now plaintiffs in CUNA’s recent lawsuit against Equifax over the credit bureau’s huge data breach that exposed personal financial information for millions of people. 

The Pennsylvania Credit Union Association, Mountain West Credit Union Association and the Nebraska Credit Union League are among the latest to join the growing class-action suit over Equifax’s enormous data breach announced September 7.

The three leagues had harsh words about Equifax in their announcements. 

“We have not seen a data breach of this magnitude before and the potential […] Read more

Got an Equifax letter saying you were hacked? The helpline’s struggling

Almost 700,000 British victims of the Equifax hack are receiving letters offering a free fraud protection service. But you’ll need to hand over personal details to get it – and many say the helpline the letter directs you to isn’t working properly.

The credit report heavyweight is writing to UK consumers to warn them their personal details have been compromised, after it announced in September its US parent company had been the victim of a cyberattack five months […] Read more