Capital One identity theft hacker, finally gets convicted

TSdaisiesdontdoit92
post Jun 23 2022, 12:36 AM, updated 2y ago

Junior Member
574 posts

Joined: Jan 2020


QUOTE
Remember the Capital One breach?

We did, though we felt sure it had happened a long time ago.

Indeed, when we checked, it had: the story first broke almost three years ago, back in July 2019.

At the time, the company reported:

Capital One Financial Corporation announced […] that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.

And we noted that:

So far, there are no details to suggest what sort of vulnerability was exploited, and therefore no indication of what has now been changed and how permanent or effective the fixes might be.

Was the breach down to an unpatched security bug, poor password choice, incorrect access control, a cloud-related configuration blunder, or what?

All we knew back then was that this was a huge breach by any standards, affecting at least:

100,000,000 users in the USA
6,000,000 users in Canada
Any consumer or small business who applied for a credit card in the previous 14 years.
Personal data including names, addresses, zip codes, phone numbers, email addresses, dates of birth, and income.
Some customers also lost yet more intimate personal information such as credit scores, credit limits, balances, payment history, contact information, social security numbers (SSNs) and bank account numbers.

Fortunately, if that’s the right word in a case like this, “only” about 150,000 victims actually had their SSNs exposed (in the US, SSNs are effectively lifelong unique national ID numbers), meaning that about 99.9% of victims escaped that fate.

The cost of the breach
This breach cost Capital One dearly in more than one way.

Even though the company was itself the victim of a cybercrime, it was ultimately hit with a $190,000,000 class action settlement plus an $80,000,000 fine from the US Office of the Comptroller of the Currency (OCC).

The OCC noted:

[We] took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner. In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts.

As you will notice from the OCC’s remarks above, the breach ultimately came down to poor cloud security, with data apparently exposed due to being shifted from a privately-controlled data store into the cloud.

There’s no reason why a public cloud deployment can’t be done securely, of course, but the potential consequences if it isn’t are huge.

A publicly visible cloud server is open to a much broader range of probes, attacks and hacks – what’s known in the jargon as “having a much larger and more exposed attack surface”.

Intriguingly, the fact that this was a cloud-related breach was quickly revealed after Capital One notified its customers of the attack, because the alleged perpetrator was soon arrested.

Cloud “anti-security” scanning
Paige Thompson, who was 33 at the time, was accused of the attack, apparently using what you might call “anti-security” tools of her own devising to scan cloud providers for vulnerable and misconfigured services, and from there to recover access credentials, gain access, exfiltrate data and infiltrate malware.

At the time, the US Department of Justice (DOJ) suggested that Thompson hadn’t tried to sell on the stolen data, but that she had used compromised services for what’s known as cryptojacking.

That’s where crooks deliberately install cryptomining software on other people’s devices – all the way from laptops and mobile phones, through powerful gaming rigs, to physical and virtual servers.

The victims end up paying for the electricity, cooling and server time, while the criminals accumulate any cryptocurrency that gets earned in the process.

Anyway, the DOJ has just announced that Thompson has now been convicted, though she will only be sentenced in September 2022:

Thompson was found guilty of [w]ire fraud, five counts of unauthorized access to a protected computer and damaging a protected computer. The jury found her not guilty of access device fraud and aggravated identity theft.

Using Thompson’s own words in texts and online chats, prosecutors showed how Thompson used a tool she built to scan Amazon Web Services accounts to look for misconfigured accounts. She then used those misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One bank. With some of her illegal access, she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet. Thompson spent hundreds of hours advancing her scheme, and bragged about her illegal conduct to others via text or online forums.

In the DOJ’s words, “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”


https://nakedsecurity.sophos.com/2022/06/21...icted/#comments
