Fraud , Payments Fraud

Bitfinex of Hong Kong Lost $69 Million Jeremy Kirk (jeremy_kirk) • August 4, 2016    

The theft of $69 million worth of bitcoins from a Hong Kong-based exchange highlights the continuing challenges around keeping large quantities digital currency out of the reach of hackers.

See Also: How to Mitigate Credential Theft by Securing Active Directory

Bitfinex, one of the largest U.S. dollar bitcoin exchanges, said on Aug. 2 that it lost 119,756 bitcoins after its platform was hacked. Law enforcement has been contacted, the company said in a statement.

Bitcoin's market rate dropped 20 percent following Bitfinex's announcement, although it has since bounced back to about $580. The company's losses amounted to approximately $69 million, according to exchange rates on Aug. 4.

Bitcoin is a virtual currency that is exchanged using peer-to-peer software. Transactions are verified by computers contributing data to a cryptographic ledger known as the blockhain, which is increasingly being explored by the finance industry for broader applications.

Zane Tackett, Bitfinex director of community and product development, writes on Reddit that the company is evaluating its options for addressing customer losses.

"At this time we don't have any details that we can share on this, nor have we made any decisions regarding this," Tackett writes. "We'll continue to push out updates on this as information becomes available."

Tackett refuted a suggestion that the theft might have been an inside job, but he did not share details how the exchange was compromised.

"We have a pretty small team and most of us have been here for a while," he writes. "We also have strict permission limits for who has access to what. Furthermore, I've been on the phone with our entire team and am nearly 100 percent certain that nobody on our team did this."

Bitfinex says in a status update that it is trying to restore limited functionality that will allow customers to view their accounts. However, bitcoin trading will remain suspended.

Notice from Bitfinex posted online

Second Largest Loss

Bitfinex's losses are the second largest behind Mt. Gox, the Tokyo-based bitcoin marketplace that collapsed in February 2014. The exchange lost 850,000 bitcoins, worth about $474 million, but later found 200,000 of those bitcoins (see Bitcoin Trading Website Goes Dark).

Mt. Gox blamed the loss on a security issue called transaction malleability. But Japanese prosecutors charged CEO Mark Karpeles in September 2015 with embezzlement for allegedly transferring some funds from the exchange into accounts he controlled. It remains unknown who stole the majority of the bitcoins, and Mt. Gox is still in liquidation proceedings.

In June, hackers stole $55 million worth of ether, another digital currency, in an attack against an experimental investment fund called the Decentralized Autonomous Organization (see $55 Million in Digital Currency Stolen from Investment Fund). Ether developers made a software modification to the virtual currency's code that froze the funds.

Despite numerous exchange hacks and scammers, supporters of digital currencies have remained largely positive about the potential to revolutionize what they contend is an antiquated financial system.

But security breaches are a reminder of the vulnerabilities of cryptocurrency technologies, writes Peter Van Valkenburgh, director of research at the Washington-based Coin Center, which is a digital currency advocacy group.

"Every hack is also an opportunity to learn and grow resilient: Let's make sure we don't learn the wrong lessons this time around by drawing hasty conclusions," he writes.

Tough to Secure

A bitcoin is actually just a secret number. To transfer a bitcoin, a person must verify a planned transaction with a private encryption key. But if the private key is stolen, the attacker can steal the bitcoin.

Because all bitcoin transactions are recorded in the public blockchain, it is possible to follow the movement of stolen coins. Bitcoins are transferred between 34-character alphanumeric addresses, which appear in the blockchain.

Bitcoin addresses don't reveal information about who controls the funds. But stolen funds are often difficult to convert to fiat currency. Exchanges usually have strict identification requirements for account holders to comply with anti-money laundering regulations. Suddenly cashing out a large quantity of stolen bitcoins at a reputable exchange from a closely watched bitcoin address is unfeasible.

Bitcoin marketplaces employ a variety of methods to protect their vaults and the private keys for the bitcoins. But the companies are highly attractive targets because stolen bitcoins can be nearly impossible to recover. Unlike bank wire transfers, bitcoin transactions are irreversible.

Raising the level of security around bitcoins invariably makes the virtual currency more cumbersome to access, which is why exchanges must make difficult trade-offs.

"There is a balance between security and convenience," says Antony Lewis, a Singapore-based adviser on blockchain technology. "Customers say they want security, but their behavior suggests they prefer convenience. Exchanges who cater to this and put private keys on online machines put themselves at a higher risk of attack."

Breach Notification , Breach Response , Data Breach

Payment Card Data as Well as Patient Information Exposed Marianne Kolbasuk McGee (HealthInfoSec) • August 3, 2016    

Arizona-based Banner Health, which operates 29 hospitals, says it's notifying 3.7 million individuals that their data was exposed in a "sophisticated cyberattack." The organization has hired a forensics firm to investigate the attack after taking steps to block the attackers and contacting law enforcement officials.

See Also: Data Center Security Study - The Results

The data breach, which started when attackers gained unauthorized acess to payment card processing systems at some of the organization's food and beverage outlets, apparently also opened the door to the attackers accessing a variety of healthcare-related information, Banner Health says in an Aug. 3 statement. But the statement doesn't make clear how that additional access was gained.

On July 7, Banner Health discovered the hack of card processing systems that exposed cardholders' names, card numbers, expiration dates and verification codes as the data was being routed through the affected systems, the organization reports. Cards used at affected outlets between June 23 and July 7 were affected. Card transactions used to pay for medical services were not affected.

Affected individuals are being offered one year of credit and identity theft monitoring services. Plus, Banner Health says it's "further enhancing the security of our systems to help prevent something like this from happening again."

In addition to the card-related breach, "On July 13, Banner Health learned that cyberattackers may have gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers," the organization says in the statement, without offering further explanation. Data exposed could include patient names, birthdates and addresses as well as clinical details, such as physician names, dates of service, claims information "and possibly health insurance information and Social Security numbers." Also potentially exposed were physicians' names, addresses, dates of birth and Social Security numbers.

The investigation revealed that the attack was initiated on June 17, Banner Health reports.

Banner Health did not immediately respond to an Information Security Media Group's request for additional comment.

All Data At Risk

The eye-opening report of a breach affecting both payment card transactions and patient data highlights that "healthcare must consider all aspects of its business when addressing security," says security expert Mac McMillan, CEO of the consulting firm CynergisTek.

Attacks targeting the payment card systems of retailers - including high-profile attacks against Target and Home Depot - have become common in recent years, but few have been publicized in the healthcare sector.

"Although this is not necessarily a new phenomenon, covered entities and business associates need to not only keep a close eye on HIPAA privacy and security attacks/breaches, but also ramp up their Payment Card Industry Data Security Standards compliance efforts," says security and privacy expert Thad Phillips, principal consultant at tw-Security. "These PCI DSS compliance efforts include not only their financial departments, but also any food, beverage and gift shop points of sale that are accepting and processing credit card payments."

The healthcare sector, a leading target for hacker attacks due to the value of health data, "cannot expect that PCI DSS compliance will take care of itself while they are primarily focused on HIPAA privacy and security [compliance]," Phillips says. "Once the attacker is in any system on the network, the chances of them breaching additional systems within the organization are much higher. Thus, the organization's overall risk can't go anywhere but up."

Dan Berger, CEO of the security consultancy Redspin, says the Banner Health attack "underscores the necessity to conduct truly comprehensive network security assessments, including external and internal penetration testing. One has to assume that any device, system or workstation that connects to the network is a potential entry point for hackers."

In Development

Receive Invite When Available

In Development

Receive Invite When Available