Expect phishers and other password thieves to up their game in 2016: Both Google and Yahoo! are taking steps to kill off the password as we know it.

New authentication methods now offered by Yahoo! and to a beta group of Google users let customers log in just by supplying their email address, and then responding to a notification sent to their mobile device.

According to TechCrunch, Google is giving select Gmail users a password-free means of signing in. It uses a “push” notification sent to your phone that then opens an app where you approve the log-in.

The article says the service Google is experimenting with will let users sign in without entering a password, but that people can continue to use their typed password if they choose. It also says Google may still ask for your password as an additional security measure if it notices anything unusual about a login attempt.

The new authentication feature being tested by some Gmail users comes on the heels of a similar service Yahoo! debuted in October 2015. That offering, called “on-demand passwords,” will text users a random four-character code (the ones I saw were all uppercase letters) that needs to be entered into a browser or mobile device.

This is not Yahoo!’s first stab at two-factor authentication. Another security feature it has offered for years — called “two-step verification” — sends a security code to your phone when you log in from new devices, but only after you supply your password. Yahoo! users who wish to take advantage of the passwords-free, on-demand password feature will need to disable two-step verification for on-demand passwords to work.

Yahoo! also warns that some non-Yahoo apps like Apple mail and Outlook won’t work. For those programs to access your Yahoo! mail with on-demand passwords enabled, you’ll need to set up app-specific passwords. Yahoo! provides instructions on how to do that here.

The system that Google is reportedly beta testing sounds easier to use, and more like true two-factor authentication. It doesn’t require the user to enter any code, and he just has to click a button on an app that tells the login to proceed.

All of this had me wondering: Should we expect Microsoft to roll out a similar password-free login process for Hotmail or Outlook users? It doesn’t seem likely: A spokesperson for the company referred me to Microsoft’s Passport system, which also uses a password-free authentication system. However, Passport’s key two-factor features are only available to Windows 10 users.

To come full circle on the lead of this story, I think it’s likely we’ll see an increase in more targeted, personalized phishing attacks if Google and Yahoo!’s two-factor solutions gain wide adoption. Perhaps Google anticipated this in April 2015, when it starting offering its Password Alert feature — a Google Chrome browser add-on that will display a warning if you type your Google password into a site that isn’t a Google sign-in page. Google says this protects users from phishing attacks and also encourages people to use different passwords for different sites, a security best practice.

Plenty of other online services now offer two-step authentication. Twofactorauth.org has a fairly comprehensive breakdown of those that do and don’t. Consider dropping by there to see if you’re taking full advantage of all of the security offered for your various online accounts.

The U.S. Federal Trade Commission this past week announced it reached settlements with software giant Oracle and identity protection firm LifeLock over separate charges of allegedly deceiving users and customers about security. LifeLock agreed to pay $100 million for violating a 2010 promise to cease deceptive advertising practices. Oracle’s legal troubles with the FTC stem from its failure to fully remove older, less secure versions of Java when consumers installed the latest Java software.

The FTC sued Oracle over years of failing to remove older, more vulnerable versions of Java SE when consumers updated their systems to the newest Java software.  Java is installed on more than 850 million computers, but only recently (in Aug. 2014) did the company change its updater software to reliably remove older versions of Java during the installation process.

According to the FTC’s complaint, since acquiring Java in 2010, Oracle was aware of significant security issues affecting older versions of Java SE. The FTC charges that Oracle was aware of the insufficiency of its update process.

“Internal documents stated that the ‘Java update mechanism is not aggressive enough or simply not working,’ and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers,” the FTC said “The security issues allowed hackers’ to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks.”

Few sites require Java to display content anymore, and most regular users can likely do without the program given the incessant security holes introduced by the program and its record of being abused by malicious software to infect millions of systems. See this post for a more detailed breakdown of why I’ve so often encouraged readers to junk Java, and advice for users who absolutely still need to have Java installed. If you’re not sure whether you have Java installed, check out this page that Oracle has put up to help users detect and remove installations of Java.

LIFELOCK

The FTC’s $100 million settlement with LifeLock represents a record for monetary awards obtained by the agency It stems from alleged violations of a previous deceptive advertising settlement the company reached with the FTC back in 2010.

According to the FTC, LifeLock failed to establish and maintain a comprehensive information security program to protect users’ sensitive personal information — including their social security, credit card and bank account numbers. The FTC also alleged LifeLock falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions, and that it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft.

The court documents related to the latest LifeLock settlement are still sealed, so it’s unclear how exactly LifeLock allegedly failed to protect customers’ sensitive personal data. Interestingly, the lone dissenter in the LifeLock case was FTC Commissioner Maureen K. Ohlhausen, who said she disagreed with the ruling because the commission hadn’t produced evidence that LifeLock somehow failed to secure its customer data, and noted that the company has complied with payment card industry security standards for accepting and handling credit card data.

For its part, LifeLock says in a statement that “there is no evidence that LifeLock has ever had any of its customers data stolen, and the FTC did not allege otherwise.”

This October 2015 story from About.com includes interesting perspective from Virginia Attorney Ken Cuccinelli, whose investigation into LifeLock’s business practices culminated in a class-action lawsuit pitting the FTC and 34 other state attorneys general against the company. According to that interview, Cuccinelli’s beef with LifeLock seems to have centered around allegations of false advertising about the level and quality of LifeLock’s identity protection service, as opposed to any specific data security issues at LifeLock.

“The problem, according to Cuccinelli, was not so much that LifeLock offered a flawed service, but that they were misrepresenting the level of security that they in fact provided,” wrote William Deutsch. “For years, LifeLock had been claiming to be an airtight guarantee against all forms of identity theft. LifeLock’s service is most effective against new account fraud, which is why members can expect an alert when someone tries to open up a new account in their name. But according to the Federal Trade Commission, the service wasn’t as effective in securing customers against the abuse of existing accounts, nor did it offer much protection against medical and employment related fraud.”

I have consistently urged readers to understand the limitations of credit monitoring services, which countless companies offer consumers each year in response to data breaches that expose customer personal and payment data. As I’ve noted time and again, credit monitoring services are unlikely to block thieves from opening new lines of credit in your name; the most you can hope for is that these services will alert you when the thieves succeed in getting new credit using your good name.

Credit monitoring services are useful for ID theft victims who are seeking help in removing fraudulent inquiries from their credit report. But if you want true protection against new account fraud committed in your name, place a security freeze on your credit file with the major credit bureaus. This article explains more about what’s involved in a security freeze and how to protect you and your family.

Digital gift card retailer Gyft has forced a password reset for some of its users. The move comes in response to the theft of usernames and passwords from a subset of Gyft customers.

Mountain View, Calif. based Gyft lets customers buy and use gift cards entirely from their mobile devices. Acting on a tip from a trusted source in the cybercrime underground who reported that a cache of account data on Gyft customers was on offer for the right bidder, KrebsOnSecurity contacted Gyft to share intelligence and to request comment.

Gyft declined to comment on the record for this story. But company officials insist their platforms were never breached — pointing instead to an unnamed third party.

Gyft did confirm attackers were able to acquire usernames and passwords for a subset of Gyft customers, and that it had forced a password reset for those accounts.

The company has not disclosed publicly how many customers it has, but insiders said the percentage of users affected was in the “high single digits.” Two Gyft executives told KrebsOnSecurity they first learned of the issue about three weeks ago, and that all of the affected accounts were being monitored for suspicious activity.

Gyft was acquired in July 2014 by payment giant First Data, a company that has traditionally specialized in processing credit cards and managing ATMs.

The attack on Gyft is likely to be of particular interest to enthusiasts of the virtual currency Bitcoin. Founded in 2012, Gyft has long been a favorite of bitcoin account holders because it’s consistently been one of the easiest ways to exchange bitcoins for digital gift cards that can be used at everyday businesses.

Cyber crooks very often recycle stolen credentials by trying the username/email address and password pairs at dozens of other retailers online, knowing that a good percentage of consumers will reuse the same credentials at multiple sites. If you re-used your Gyft username and password at other sites (tsk-tsk!) it’s time to change those passwords.

Companies can beef up customer account security by requiring users to sign up for two-step or multi-factor authentication, a process wherein the customer must provide a special one-time code sent to a mobile device in addition to a username and password. Enabling two-step authentication helps blunt the threat from stolen customer credentials because the thieves also would need to have access to the user’s mobile device in order to hijack the account.

A cursory examination of Gyft’s user platform suggests the company does not yet offer two-step authentication for its online site, nor does it require users to supply a mobile number. However, at a Bitcoin conference in Africa this year, Gyft founder Vinny Lingham reportedly told the audience the company was considering adding the security feature.

Fraud analysts in the banking industry tell KrebsOnSecurity that the latest hospitality firm to suffer a credit card breach is likely Landry’s Inc., a company that manages a nationwide stable of well-known restaurants — including Bubba Gump, Claim Jumper, McCormick & Schmick’s, and Morton’s. 

Update, 2:57 p.m. ET: Landry’s has acknowledged an investigation. Their press release is available here (PDF).

Original story:

Houston-based Landry’s Inc. owns and operates more than 500 properties, such as Landry’s Seafood, Chart House and Rainforest Cafe. Last week, I began hearing from banking industry sources who said fraud patterns on cards they’d issued to customers strongly suggested a breach at the restaurateur. Industry sources told this author that the problem appears to have started in May 2015 and may still be impacting some Landry’s locations.

It remains unclear how many of Landry’s 500 properties may be affected. The company says it is investigating reports of unauthorized charges on certain payment cards after the cards were used legitimately at some of its restaurants. An online FAQ about the incident posted to Landry’s site says the company does not yet know the extent of the breach.

Restaurants are a prime target for credit card thieves, mainly because they traditionally have not placed a huge emphasis on securing their payment systems. The attackers typically exploit security vulnerabilities or weaknesses in point-of-sale devices to install malicious software that steals credit and debit card data.

Thieves can encode the stolen data onto new plastic and use the counterfeit cards at big box retailers like Best Buy and Target. Indeed, multiple sources in the banking industry say they are now seeing fraudulent purchases at big box stores on cards that all were used at apparently compromised Landry’s locations.

Sources at multiple financial institutions say they are tracking a pattern of fraud indicating that thieves have somehow compromised the credit card terminals at checkout lanes within multiple Safeway stores in California and Colorado. Safeway confirmed it is investigating skimming incidents at several stores.

Banking sources say they’ve been trying to figure out why so many customers in the Denver and Englewood areas of Colorado were seeing their debit cards drained of cash at ATMs after shopping at Safeways there. The sources compared notes and found that all of the affected customers had purchased goods from one of several specific lanes in different compromised stores (the transaction data includes a “terminal ID” which can be useful in determining which checkout lanes were compromised.

Safeway spokesperson Brian Dowling said the fraud was limited to a handful of stores, and that the company has processes and procedures in place to protect customers from fraudulent activity.

“We have an excellent track record in this area,” Dowling said. “In fact, we inspect our store’s pin pads regularly and from time to time find a skimmer, but findings have been limited and small in scale. We immediately contact law enforcement and take steps to minimize customer impact.”

Dowling said the problem of checkout skimmers is hardly limited to Safeway, and he hinted that perhaps other retailers have been hit by this same group.

“This is not unique to our company, and we understand some other retailers may have been more significantly impacted,” Dowling said, declining to elaborate.

Safeway would not name the affected locations, but bank industry sources say the fraud was traced back to Colorado locations in Arvada, Conifer, Denver, Englewood and Lakewood. In California, banks there strongly suspect Safeway locations in Castro Valley and Menlo Park may also have been hit. Those sources say ATM fraud has been linked to customers using their debit cards at those locations since early September 2015.

In order to steal card data and personal identification numbers (PINs) from Safeway customers, the thieves would have had to open up the card processing terminals at each checkout lane. Once inside, the thieves can install a device that sits between the keypad and the electronics underneath to capture and store PINs, as well as a separate apparatus that siphons account data when customers swipe their cards at the register.

Either that, or the skimmer crooks would have to secretly swap out existing card terminals at checkout lanes with pre-compromised terminals of the exact same design. In any case, skimming incidents involving checkout lanes in retail locations generally involve someone on the inside at the affected retailer.

In late 2012, bookseller Barnes & Noble disclosed that it had found modified point-of-sale devices at 60 locations nationwide. The year prior, Michaels Stores said it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced card machines to include technology capable of siphoning customer payment card data and PINs.

Sadly, I don’t have any skimmer photos to share from this story, but I have written about the growing sophistication of these point-of-sale skimming devices. Here’s a look at one compromised card reader, and the handiwork that went into the thieves’ craft. Descriptions and images from other skimming devices can be found in my series All About Skimmers.

The mass-issuance of chip-based credit and debit cards by U.S. banks to consumers should eventually help minimize these types of scams, but probably not for some time yet. Most cards will continue to have all of the cardholder data stored in plain text on the magnetic strip of these chip-based cards for several years to come. As long as merchants continue to let customers swipe instead of “dip,” we’ll continue to see skimmers just about everywhere swiping is still allowed.

Remember that you are not liable for fraudulent card charges, but that it’s still your responsibility to alert their card issuer quickly to any unauthorized charges. So keep a close eye on your bank statements. Also, this attack is another reminder of why it makes more sense to shop with a credit vs. a debit card: Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

Update: According to reporting from the Denver Post, the Safeway incident affected three stores in Colorado. All of the affected lanes were self-checkout lanes, the publication reported.