
Sensitive data of over 100 million credit and debit cardholders has been leaked on the dark Web, according to a security researcher. The data included full names, phone numbers, and email addresses of the cardholders, along with the first and last four digits of their cards. It appears to have been associated with payments platform Juspay that processes transactions for Indian and global merchants including Amazon, MakeMyTrip, and Swiggy, among others. The Bengaluru-based startup acknowledged that some of its user data had been compromised in August.

The data surfaced on the dark Web relates to online transactions that took place at least between March 2017 and August 2020, the files shared with Gadgets 360 suggest. It includes personal details of several Indian cardholders along with their card expiry dates, customer IDs, and masked card numbers with the first and last four digits fully visible. However, specific transaction or order details do not appear to be part of the leak.

Scammers could combine the surfaced card details with the contact information available in the dump to run targeted phishing attacks on the affected cardholders.

Cybersecurity researcher Rajshekhar Rajaharia discovered the data dump earlier this week. He told Gadgets 360 that the leaked data was being sold on the dark Web by a hacker.

“The hacker was contacting buyers on Telegram and was asking payments in Bitcoin,” said Rajaharia.

He told Gadgets 360 that the data dump was being sold on the dark Web under Juspay's name, and that he was able to establish its link to the company after some examination. The company also confirmed a data breach to Gadgets 360, though it did not provide further details.

The researcher said that to verify the association with Juspay, he compared the data fields in the MySQL dump sample files he received from the hacker with a Juspay API document. “Both were exactly the same,” he said.

Without providing any specifics about the latest data leak, Juspay founder Vimal Kumar told Gadgets 360 that an “unauthorised attempt was detected” on August 18 and was terminated while in progress.

“No card numbers, financial credentials, or transaction data was compromised,” Kumar said in an email. “Data records containing non-anonymised email, phone numbers and masked cards used for display purposes (contains first four and last four digits of the card, which is not considered sensitive), were compromised.”

Kumar added that the email and mobile information was “a small fraction of the 10 crore records” and most information was anonymised on the servers. He also claimed that the 10 crore records were not the card details and were the customer metadata, with a subset containing email and mobile information of users.

“The masked card data (non-sensitive data used for display) that was leaked has two crore records. Our card vault is in a different PCI compliant system and it was never accessed,” he said.

Rajaharia alleged that, despite being masked, the card numbers could be recovered if an attacker figured out the algorithm used to generate the card fingerprints. Kumar, however, disagreed with the researcher.

“We do hundreds of rounds of hashing with multiple algorithms and also have a salt (another number appended to the card number). The algorithms that we use are currently not possible to reverse engineer even given enough compute resources,” he said.
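The dispute above turns on two separate protections: the display mask (first four and last four digits visible) and the card fingerprint derived from the full number. The following is an added illustration, not Juspay's code or a description of its system: it shows a Luhn check, the display mask as described in the article, how many full card numbers remain consistent with such a mask, and a fingerprint keyed with a secret (HMAC-SHA256). The Luhn check digit removes one degree of freedom, so eight hidden digits leave 10^7 candidates; that is the reason a fingerprint needs a secret key (or an equivalent secret salt) rather than a bare hash, since a key that never leaves the card vault makes the fingerprint useless to whoever holds only the masked data. The test card number and key are constructed values.

```python
import hmac
import hashlib


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 4, keep_last: int = 4) -> str:
    """Display form as described in the article: first four and last four digits
    visible, every other digit replaced by '*'."""
    if not pan.isdigit() or len(pan) <= keep_first + keep_last:
        raise ValueError("PAN must be all digits and longer than the visible prefix and suffix")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def masked_candidate_count(masked: str) -> int:
    """Number of full PANs consistent with a masked display string.

    Each hidden digit contributes a factor of 10, but for any choice of the other
    digits exactly one value of the remaining digit satisfies the Luhn check, so
    h hidden digits leave 10**(h-1) candidates (8 hidden digits -> 10**7).
    That is small enough that an unkeyed hash of the PAN offers no protection.
    """
    hidden = masked.count("*")
    return 10 ** (hidden - 1) if hidden > 0 else 1


def card_fingerprint(pan: str, secret_key: bytes) -> str:
    """Keyed fingerprint of a PAN (HMAC-SHA256).

    The secret key must be stored only inside the card vault: without it, the
    fingerprint cannot be matched against the candidate set computed above.
    This is an illustrative construction, not any vendor's actual scheme.
    """
    if not luhn_valid(pan):
        raise ValueError("refusing to fingerprint a value that is not a valid PAN")
    return hmac.new(secret_key, pan.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    test_pan = "4111111111111111"  # constructed, Luhn-valid test number
    masked = mask_pan(test_pan)
    print(masked, masked_candidate_count(masked))
    print(card_fingerprint(test_pan, b"constructed-vault-key"))
```

The candidate count is what makes the researcher's concern concrete: a masked record plus a fingerprint computed without a secret is only as strong as the ten million guesses that separate them, whereas a keyed fingerprint shifts the whole question to whether the key itself was ever exposed.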

Juspay received some data samples from its cybersecurity partner Cyble a few days ago, which it is still evaluating. Kumar told Gadgets 360 that Juspay informed its merchant partners on the same day it observed the unauthorised access to its servers.

The company also identified security gaps in some of its older access keys used by developers and made two-factor authentication (2FA) mandatory for all the tools accessed by its teams, the executive stated.

However, Rajaharia says that the security side of Juspay is still not that sound. He told Gadgets 360 that he noticed a configuration issue on the company’s site that is currently redirecting to malicious websites.

“An old unused domain (used for a beta testing product) was pointing to an AWS Internet Protocol (IP) which has been reclaimed by another AWS user whose server is having this content,” Kumar said.
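The issue Kumar describes is a dangling DNS record: a hostname still resolves to a cloud address the company no longer holds, so whoever is later allocated that address controls what the hostname serves. The check below is an added example, not Juspay's tooling: it compares a list of A records against the address ranges an organisation currently owns and against the provider's public pool, and flags any record that points into the provider pool without landing on an owned address. The hostnames, address ranges (RFC 5737 documentation ranges) and the "provider pool" are all constructed placeholders; in practice the owned list comes from the cloud account's current allocations and the provider pool from the provider's published range list.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample data using RFC 5737 documentation ranges (not real infrastructure).
OWNED_RANGES = ["203.0.113.0/28"]        # addresses the organisation currently holds
PROVIDER_RANGES = ["203.0.113.0/24"]     # placeholder for the cloud provider's public pool
DNS_RECORDS: List[Tuple[str, str]] = [   # (hostname, A record), as exported from the zone
    ("www.example.com", "203.0.113.5"),        # still ours
    ("beta-old.example.com", "203.0.113.77"),  # provider pool, but no longer allocated to us
    ("mail.example.com", "198.51.100.9"),      # outside the provider entirely (e.g. on-prem)
]


def _networks(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


def _in_any(ip: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(ip in net for net in nets)


def classify_records(records: Iterable[Tuple[str, str]],
                     owned_cidrs: Iterable[str],
                     provider_cidrs: Iterable[str]) -> Dict[str, str]:
    """Label each hostname as 'owned', 'dangling' or 'external'.

    'dangling' means the record points into the provider's pool but not to an
    address we hold, which is exactly the reclaimable-address situation.
    """
    owned = _networks(owned_cidrs)
    provider = _networks(provider_cidrs)
    verdicts: Dict[str, str] = {}
    for host, addr in records:
        ip = ipaddress.ip_address(addr)
        if _in_any(ip, owned):
            verdicts[host] = "owned"
        elif _in_any(ip, provider):
            verdicts[host] = "dangling"
        else:
            verdicts[host] = "external"
    return verdicts


def dangling_hosts(records: Iterable[Tuple[str, str]],
                   owned_cidrs: Iterable[str],
                   provider_cidrs: Iterable[str]) -> List[str]:
    """Sorted list of hostnames whose records should be deleted or re-pointed."""
    verdicts = classify_records(records, owned_cidrs, provider_cidrs)
    return sorted(h for h, v in verdicts.items() if v == "dangling")


if __name__ == "__main__":
    for host, verdict in classify_records(DNS_RECORDS, OWNED_RANGES, PROVIDER_RANGES).items():
        print(f"{host:25s} {verdict}")
```

Records labelled "external" are not necessarily safe; they simply fall outside the provider pool being checked, so the same comparison should be run against every provider the organisation has ever used, and the check belongs in a scheduled job rather than a one-off audit because allocations change after the zone file was last reviewed.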

The details available on the Juspay site show that it has a team of over 150 people and reaches 50 million users daily. Its products are claimed to process over four million daily transactions, and its software development kits (SDKs) are available on over 100 million devices. Companies including Amazon, Airtel, Flipkart, Vi (Vodafone Idea), Swiggy, and Uber are among its key clients, using it to enable payments for their customers.

Founded in 2012, Juspay holds Payment Card Industry Data Security Standard (PCI DSS) Compliance Level 1, which is the highest level of compliance given by the PCI Security Standards Council to payment merchants.

Last month, Rajaharia found personal data of seven million Indian credit and debit cardholders leaked through the dark Web. Sensitive data of over 1.3 million Indian banking customers also appeared on the dark Web in 2019.

Experts often point out that data leaks are becoming more common in India as the country expands its digital infrastructure without adequate cybersecurity regulation. The lack of a privacy protection law also means companies operating in the country are under no compulsion to protect their user data rigorously.


What will be the most exciting tech launch of 2021? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.


Redmi Note 10 Launch Teased Officially After Rumours Tipping February Debut in India

Redmi Note 10 launch has been officially teased on Weibo. The new development comes just weeks after the rumour mill suggested the existence of the Redmi Note 10 series that could include the Redmi Note 10, the Redmi Note 10 Pro, and the Redmi Note 10 Pro 5G. The new series is expected to succeed the Redmi Note 9 family that debuted with the launch of the Redmi Note 9 Pro and the Redmi Note 9 Pro Max in India in March last year.

Redmi General Manager Lu Weibing has teased the launch of the Redmi Note 10 on Weibo. Instead of giving away details of the phone directly, Weibing has posted an image of the Redmi Note 9 4G asking users about their expectations with the Redmi Note 10.

The Redmi Note 10 is speculated to launch in India alongside the Redmi Note 10 Pro in February. Both phones will be priced aggressively, according to tipster Ishan Agarwal. The Redmi Note 10 in the series is tipped to come in Gray, Green, and White colour options.

Although Xiaomi hasn’t provided any specifics about the phone yet, the Redmi Note 10 Pro 5G purportedly received a certification from the Bureau of Indian Standards (BIS) earlier this month. The phone is also said to have surfaced on the US Federal Communications Commission (FCC) website with the model number M2101K6G. It has also reportedly appeared on the websites of other regulatory bodies including the European Economic Commission (EEC), Singapore’s IMDA, and Malaysia’s MCMC.

Redmi Note 10 series specifications (expected)

The Redmi Note 10 Pro is rumoured to come with a 120Hz display and include the Qualcomm Snapdragon 732G SoC. However, the 5G variant of the Redmi Note 10 Pro is said to come with the Snapdragon 750G SoC. It is speculated to have 6GB and 8GB RAM options as well as 64GB and 128GB storage versions. The Redmi Note 10 Pro models will come with a 64-megapixel primary camera sensor and include a 5,050mAh battery, according to a recent report.

Similar to the Redmi Note 10 Pro models, the Redmi Note 10 is also rumoured to have both 4G and 5G versions. The smartphone is tipped to have a 48-megapixel primary camera sensor and include a 6,000mAh battery.

The Redmi Note 10 Pro and the Redmi Note 10 are both expected to run on Android 11 with MIUI 12 out-of-the-box.



Cybersecurity: Blaming users is not the answer


A punitive approach toward employees reporting data breaches intensifies problems.

Image: iStock/iBrave

Experts are warning that, when it comes to cybersecurity, blaming users is a terrible idea. Doing so likely creates an even worse situation. “Many organizations have defaulted to a blame culture when it comes to data security,” comments Tony Pepper, CEO of Egress Software Technologies, in an email exchange. “They believe actions have consequences and someone has to be responsible.”

“In cases where employees report incidents of data loss they accidentally caused, it’s quite common for them to face serious negative consequences,” continues Pepper. “This, obviously, creates a culture of fear, leading to a lack of self-reporting, which in turn, exacerbates the problem. Many organizations are therefore unaware of the scale of their security issues.”

Pepper’s comments are based on findings gleaned by the independent market research firm Arlington Research. Analysts interviewed more than 500 upper-level managers from organizations within the financial services, healthcare, banking, and legal sectors.

What the analysts found was published in the paper Outbound Email Security Report. Regarding employees responsible for a loss of data, 45% of those surveyed would reprimand the employee(s), and 25% would likely fire the employee(s).


Pepper suggests that while organizations may believe this decreases the chance of the offense recurring, it can have a different and more damaging effect: employees may not report security incidents at all, to avoid repercussions from company management.

“Especially in these uncertain times, employees are going to be even less willing to self-report, or report others, if they believe they might lose their jobs as the result,” adds Pepper. 

It gets worse 

According to survey findings, a high percentage of organizations rely on their employees to be the primary data breach detection mechanism–particularly when it comes to email. “Our research found that 62% of organizations rely on people-based reporting to alert management about data breaches,” mentions Pepper. “By reprimanding employees who were only trying to do their job, organizations are undermining the reporting mechanism and ensuring incidents will go unreported.”

The lack of truly understanding why data is escaping the digital confines of an organization makes it hugely difficult for those in charge of cybersecurity to develop a defensive strategy that will effectively protect an organization’s data.

Overcome the blame game

Once it is understood that reprimanding employees is ineffective, organizations should look to create a more positive security culture. One immediate benefit is the increased visibility of heretofore unknown security risks.  

Another benefit is the ability to show regulatory bodies the organization has taken all reasonable steps to protect sensitive data. Pepper adds, “If you don’t know where your risks are, it’s hard to put reasonable measures in place. Regulators could surmise that during a data breach investigation and levy higher fines and penalties.” 

Technology has a role

Once the blame game is curtailed, it’s time to get technology involved. “The first step is to get reporting right, using technology, not people, which will remove the pressure of self-reporting from employees and place the responsibility firmly in the hands of those in charge of cybersecurity,” suggests Pepper. “Advances in contextual machine learning mean it’s possible for security tools to understand users and learn from their actions, so they can detect and mitigate abnormal behavior–for example, adding an incorrect recipient to an email.”

This is where technology makes all the difference. It prevents accidental data loss before it can happen. It empowers employees to be part of the solution, and technology gives the security team unbiased visibility of risks and emerging threats. 

What cybersecurity teams need to understand

Education about potential consequences is vital. Anyone working with the organization’s digital assets needs to understand the possible outcomes from a data breach–for example, regulatory fines or damage to the organization’s reputation. 

It’s a safe bet when users understand the consequences of emailing client data to the wrong recipient or responding to a phishing email, they’ll be much more likely to report the incident if and when it occurs. Remember: If an incident isn’t reported, there’s no way to remediate it or prevent it from happening again.

Pepper, in conclusion, offers advice to those managing cybersecurity. “The best way to engage employees with security, and ensure they understand its importance, is to create a ‘security-positive’ company culture,” explains Pepper. “Security teams need to reassure the wider organization that, while data breaches are to be taken seriously, employees who report accidental incidents will receive appropriate support from the business and not face severe repercussions.”


ArtEmis: Affective Language for Visual Art


Most annotation datasets in computer vision focus on objective, content-based applications. A recent paper on arXiv.org investigates the underexplored relationship between visual content and its emotional effect as expressed through language.


Image credit: Merry Steward via pixy.org, CC0 Public Domain

A dataset of emotional reactions to visual artwork in natural language is collected. The annotators expressed moods, feelings, personal attitudes, and abstract concepts like freedom. Psychological interpretations were explained and linked with visual attributes.

Some of the examples even include metaphorical descriptions relative to subjective experience (like ‘it reminds me of my grandmother’). Further potential is demonstrated by creating neural speakers trained with the dataset. Some of the speakers were able to produce grounded visual explanations and fared reasonably well in the Turing test.

We present a novel large-scale dataset and accompanying machine learning models aimed at providing a detailed understanding of the interplay between visual content, its emotional effect, and explanations for the latter in language. In contrast to most existing annotation datasets in computer vision, we focus on the affective experience triggered by visual artworks and ask the annotators to indicate the dominant emotion they feel for a given image and, crucially, to also provide a grounded verbal explanation for their emotion choice. As we demonstrate below, this leads to a rich set of signals for both the objective content and the affective impact of an image, creating associations with abstract concepts (e.g., “freedom” or “love”), or references that go beyond what is directly visible, including visual similes and metaphors, or subjective references to personal experiences. We focus on visual art (e.g., paintings, artistic photographs) as it is a prime example of imagery created to elicit emotional responses from its viewers. Our dataset, termed ArtEmis, contains 439K emotion attributions and explanations from humans, on 81K artworks from WikiArt. Building on this data, we train and demonstrate a series of captioning systems capable of expressing and explaining emotions from visual stimuli. Remarkably, the captions produced by these systems often succeed in reflecting the semantic and abstract content of the image, going well beyond systems trained on existing datasets. The collected dataset and developed methods are available at this https URL.

Research article: Achlioptas, P., Ovsjanikov, M., Haydarov, K., Elhoseiny, M., and Guibas, L., “ArtEmis: Affective Language for Visual Art”, arXiv:2101.07396. Link: https://arxiv.org/abs/2101.07396
