All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.
In the Meadow, we have the usual life events for the residents. These include birthdays, anniversaries, occasional weddings, and other events we publish in the Gazette. Our local jeweler, Margie’s Bling, is our main source for gifts given with an open heart for these occasions. A recent issue with Jared and Kay Jewelers showed the Meadow there can be issues even with a simple jewelry purchase.
Data leaks are occurring at a greater rate than in prior years, and the individual leaks themselves appear to be allowing more data to escape. The combination of the two is a bit scary and a rather significant, growing issue. On the bright side, these tend to be remediated rather quickly on average. The data are not all handled in the same manner, though. When a leak is not fixed immediately, the users' data may remain exposed to be exfiltrated and used or sold.
Related to this, Jared and Kay Jewelers had a bit of an issue. When a customer purchases jewelry online, they have the option to have the receipt emailed to them. This is handy and may be a benefit. The client receives a link in an email for this receipt. The attack focuses on that link. Once the attacker pasted a modified link into the web browser, they were able to access another client's data (e.g. name, billing and shipping addresses, email address, phone number, the items ordered, total cost, tracking link, delivery date, and last four digits of the credit card number). All of this would be very useful and marketable on the dark web. The attacker could also use a quicker, more direct method to be unjustly enriched. They could run an automated search for packages within driving distance of their location. Any packages scheduled for future delivery could be picked up by the unauthorized person after delivery and before the recipient actually collected the package from their porch.
They could also social engineer the business, since they would know all of the relevant information a customer service representative would ask for. They could likewise social engineer the client, using the same information as in the prior attack. A simpler attack would be a plain phishing campaign against all the clients whose data had been gathered.
Jared's parent company, Signet Jewelers, was notified of the issue. This problem only affected Jared and Kay Jewelers clients, not the other entities owned by Signet Jewelers (Zales and Piercing Pagoda). After a few weeks, there was no resolution to the issue. KrebsOnSecurity was contacted in mid-November 2018. At this point, Signet Jewelers thought it was pertinent enough to address. The CISO noted that the issue was fixed for future orders at that point; they did not understand that the issue also applied to past orders. This was later fixed. The root cause was code written without cybersecurity taken into account.
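The receipt-link flaw described above, and the "fixed for future orders only" remediation gap, are easy to reproduce in a few lines. The following is an added example, not code from the page or from Signet's systems: a constructed in-memory order store with three lookup handlers. The vulnerable handler trusts the sequential order id alone; the partial fix (an assumption about how a new-orders-only fix can look) still falls back to the id for legacy rows that were never given a token; the hardened handler requires a per-order random token, and `backfill_tokens` closes the gap for orders that existed before the fix. Order numbers and e-mail addresses are constructed sample data.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Order:
    order_id: int
    customer_email: str
    last4: str                          # last four digits of the card, as in the leak
    receipt_token: Optional[str] = None  # unguessable token; None on legacy rows


# Constructed sample data: sequential ids, as a legacy store might assign them.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice@example.com", "4242"),
    1002: Order(1002, "bob@example.com", "1111"),
}


def receipt_vulnerable(order_id: int) -> Optional[Order]:
    """Vulnerable lookup: the emailed link carries only the order id, and the
    handler returns whatever that id names. Possession of one receipt link is
    treated as entitlement to every order (an insecure direct object reference)."""
    return ORDERS.get(order_id)


def issue_receipt_token(order: Order) -> str:
    """Bind a 256-bit random token to an order; the emailed receipt link should
    carry this token instead of (or alongside) the bare id."""
    order.receipt_token = secrets.token_urlsafe(32)
    return order.receipt_token


def receipt_partial_fix(order_id: int, token: Optional[str]) -> Optional[Order]:
    """Assumed shape of a 'new orders only' fix: rows created after the change
    carry a token and are checked, but legacy rows without one still resolve
    from the id alone, so every pre-fix receipt link remains exposed."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if order.receipt_token is None:
        return order  # legacy fallback: this is the remediation gap
    if token is None or not hmac.compare_digest(order.receipt_token, token):
        return None
    return order


def receipt_hardened(order_id: int, token: Optional[str]) -> Optional[Order]:
    """Hardened lookup: the id is a locator, not a credential. The request must
    present the token bound to this order, compared in constant time, and an
    order that has no token yet is simply not served."""
    order = ORDERS.get(order_id)
    if order is None or order.receipt_token is None or token is None:
        return None
    if not hmac.compare_digest(order.receipt_token, token):
        return None
    return order


def backfill_tokens(orders: Dict[int, Order]) -> int:
    """The step the page says was initially missed: existing orders need tokens
    too. Returns how many legacy rows were migrated."""
    migrated = 0
    for order in orders.values():
        if order.receipt_token is None:
            issue_receipt_token(order)
            migrated += 1
    return migrated


if __name__ == "__main__":
    print("vulnerable, foreign id:", receipt_vulnerable(1002))
    tok = issue_receipt_token(ORDERS[1001])
    print("partial fix, legacy id:", receipt_partial_fix(1002, None))
    print("migrated:", backfill_tokens(ORDERS))
    print("hardened, wrong token:", receipt_hardened(1002, tok))
```

The token in the link is effectively a bearer credential for that receipt, so in a real deployment it should also expire, be excluded from access logs and analytics, and be invalidated if the customer reports the e-mail as compromised; the ownership check shown here is the minimum, not the whole control.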
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
Resources
Bradley, B. (2018, December 3). If you've ordered jewelry from these sites, your information may have been exposed. Retrieved from https://www.komando.com/happening-new/516632/jared-kay-jewlers-data-leak
Krebs, B. (2018, December 3). Jared, Kay Jewelers parent fixes data leak. Retrieved from https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/