
Tag: supermarket

A three-second laser strike cost Barry Bowser everything

Photo: Barry Bowser, seen here in front of the Bakersfield property where he was arrested in 2014. Credit: Cyrus Farivar

BAKERSFIELD, Calif.—Most convicted criminals don't make a point of publicly apologizing for their crimes in the local newspaper.

But Barry Bowser, who was convicted in 2015, is no ordinary criminal. “For shining a laser at a helicopter for three seconds, I lost my entire life,” Bowser wrote in a recent letter to the editor of The Bakersfield Californian. “I am now 54 years old and I have no one and nothing but the clothes I was given when I was released from prison.” Weighing at least 250 pounds with a wide chest and a handlebar mustache, Bowser has quite a presence. He agreed to meet me near a local supermarket and arrived in dark sunglasses, black sneakers, black-striped shorts with skulls on the edges, and a t-shirt advertising a local orthodontics practice. John Goodman would be a shoo-in for the lead role if there’s ever a Bowser movie. Bowser had previously done time, serving multiple stints in California state prison on drug and identity theft charges.

But this go-round was different—no drugs, no theft, no violence. Instead, in a fleeting moment that he still calls an accident, Barry Bowser violated 18 US Code § 39A of the Federal Aviation Administration Modernization and Reform Act of 2012:

“Whoever knowingly aims the beam of a laser pointer at an aircraft in the special aircraft jurisdiction of the United States, or at the flight path of such an aircraft, shall be fined under this title or imprisoned not more than five years, or both.”

That led to a 21-month prison sentence, though Bowser was released after 11. Prison cost him more than time; Bowser also lost several teeth. As we drove the few miles to the scene of his crime, Bowser told me that he had just come from a denture-fitting appointment at an orthodontist’s office, needed after a race riot at the county jail where he had been held at the request of federal authorities. “I got busted in the mouth with a lock in a sock, knocked my teeth out,” he said. “That was my first day in Fresno County jail.” And all for making a poor decision with a laser pointer.

Waiting on enchiladas

Back in September 2014, Barry Bowser was trying to get his life back on track.

After having been a functioning methamphetamine addict for 25 years, he said he had been clean for four consecutive years at that point. He had worked various oil and industrial jobs, as a derrick hand, an operator, a tool pusher, and as a natural gas compressor mechanic in Elk Hills (the “best job of my life,” Bowser noted). Now, he was fixing people’s cars in their driveways throughout the Bakersfield area. “I had a business going, I had a mobile mechanic business going, buying my own house,” he said. “I hadn't been that clean in years, feeling good on life.” Around this time, a friend, Danny Gibson, loaned Bowser a motorhome and invited him to park it on a large, commercial property on N. Sillect Ave., on the edge of town. In exchange, Bowser would do some maintenance and act as a sort of night watchman. Other properties nearby include a local union office, an animal hospital, and a strip club, Exotic Kitty’s.

The property also used to be a Home Depot, so it had a large storage area and a large parking area as well.

Bowser soon found out through a friend that the area had some recent reports of burglaries. Late in the evening on September 11, 2014, Bowser received a call from his friend Todd.

Todd was making enchiladas, would Bowser like some? Bowser said he would. While waiting, he began rummaging through drawers in the motorhome as a way to pass the time and found a laser pointer that Gibson had given him as a dog toy (for Bowser’s pitbull, also named Bowser).

A few moments later, Bowser found batteries for the pointer.
In they went, and lo, it worked. Bowser stepped outside with his dog and began shining the laser along a fence, trying to get his dog to chase the beam.

The pit quickly lost interest, and Bowser instead began testing the range of the laser to see what else it could hit. He managed to hit a billboard several hundred yards away.

Then he aimed for a radio tower with a blinking red light on the top.

Each target proved too easy.
So Bowser aimed for a second radio tower that was a quarter or a half mile away. Then came the three seconds that would change the man’s next two years. Bowser's laser seemed to hit something in the sky, but he wasn’t sure what, if anything, it was. He started to bring the laser down just in case, and that’s when a helicopter began pivoting to face him.

The laser beam then caught the windshield, and the glass “lit up like a Christmas bulb.” Bowser watched as the helicopter started to swerve and dip. Up in the helicopter, the pilot, Deputy Kevin Austin, saw the laser beam shoot past his head and through the open helicopter door. (It’s common practice to remove helicopter doors during hot weather.) The Tactical Flight Officer (TFO), a sort of police spotter who also was aboard the helicopter at the time, didn’t notice the laser.

But then the light hit the windshield directly. Austin later described the moment in an e-mail to prosecutors:

“The laser struck the helicopter twice. The first was less than a second, followed by the second strike, which lasted between two and three seconds. The second strike was held long enough for me to visually spot the exact location of the source, and the suspect was standing in an open area where I could see the silhouette of his person. I immediately executed a left, diving turn toward the source to gain airspeed while closing the distance. I also flipped my [night-vision] goggles down which made it easier to keep a visual on the suspect while he was still out in the open area. Once we arrived over the location of the suspect, he was still in an open area. We kept him illuminated with the helicopter's spotlight and observed him until we lost sight of him when he walked under a large, metal awning. My TFO, Deputy Jeremy Storar, used binoculars to obtain a good description of him as well.”

Bowser didn’t know the world of legal trouble he would soon face, but clearly he had annoyed somebody. His girlfriend Wendy and his buddy Todd arrived with the promised enchiladas as the helicopter hovered nearby.

Bowser went to the locked gate and rolled the laser out to her. “Get that thing out of here,” Bowser said. “What’d you do?” Wendy asked him. “Baby, just take this, give me the food, and I’ll call you,” he said. Bowser took his dinner, went inside the motorhome, changed clothes, and ate. But up in the sky, the helicopter crew had him under surveillance.

Austin described what happened next in that same e-mail:

“My TFO, Deputy Storar, and I watched him reach under a closed, locked chain-link gate to the driver of the SUV. Deputy Storar observed the suspect and driver at the gate using a pair of binoculars. The driver gave the suspect what appeared to be a bowl with possible food in it. The exchange was made under the gate. I told Deputy Storar to watch closely because I felt the suspect would hand the laser to the driver of the SUV. The driver left moments later, but we were not certain whether the laser had been given to the driver. While Deputy Storar was observing with binoculars, I had control of the helicopter’s spotlight and used it to keep the driver and suspect illuminated.”

It was only a matter of time until the cops arrived.

Photo: Barry Bowser had parked his motorhome under this awning. Credit: Cyrus Farivar

About 15 minutes later, a Bakersfield Police Department patrol car arrived at the locked gate.

Two officers stepped out and approached the locked fence. One, officer Eric Celedon, called out to Bowser. “Do you know why we are here?” Bowser knew.

They were here because he’d hit the helicopter with the laser, but Bowser tried to explain it away. He was merely testing the laser and didn’t mean to cause any harm, he said. As the two talked, Bowser could hear Celedon’s shoulder-mounted radio blaring.

A voice, which he quickly figured out belonged to the helicopter pilot, pierced through an already tense situation: “I want that son of a bitch arrested! He’s going to jail! He about got me in a wreck!” Celedon obliged. He arrested Bowser for violating California Penal Code 247.5, the part of the state criminal code that deals with laser strikes. He read Bowser his rights and began a short interview, as court records show:

Celedon: But you pointed it towards the helicopter?
Bowser: Yes I guess I did.
Celedon: What do you mean you guess? Either you did or you didn’t.
Bowser: I did but I never seen it hit the helicopter. You know I didn’t even know if it was, the battery was going weak. You know, and...
Celedon: ... So you didn't, but you pointed it at the helicopter, you just didn’t know you hit it? Was that it?
Bowser: Um, yes I didn’t know if the batteries were even strong enough to hit, actually hit it.
Celedon: Oh OK.
Bowser: And I wasn’t trying hurt, I didn't even know if that was a cop helicopter. I wasn’t trying to hurt nobody, you know what I mean?

Trouble

It may seem absurd that a tiny, pen-sized laser could become such a concern for authorities.

But rest assured pilots do not take these situations lightly—they see lasers as a potentially dangerous nuisance. Many liken the experience to unexpectedly facing bright headlights on a dark country road. Officers have previously told Ars the experience can lead to temporary flash blindness. “[It takes] five to seven seconds to refocus, depending on the strength,” Fresno Police Officer Ken Schneider told Ars in 2014. “I once took a direct hit to the eye and had a tingling irritation for four hours.” The federal government takes such laser strikes seriously, too.

The Department of Justice told Ars that more than 28,000 laser illumination incidents in the United States have been reported to the Federal Aviation Administration between 2011 and 2015.

But as of 2014, only 134 arrests were made, and there were only 80 convictions. This year, as of October 22, the FAA reported 5,564 incidents nationwide.

That’s more than 22 laser strikes reported in the United States every day. Of those, Phoenix tops the list of most cases with 263.

Bakersfield, by contrast, has just 34. But in Bowser’s situation, he didn’t just fire the laser at a Kern County Sheriff’s Office helicopter. He did so in a part of the country where Assistant US Attorney Karen Escobar presides. Her federal district was responsible for more than 35 percent of the convictions noted above, and she has personally prosecuted 17 laser strike cases—far more than anyone else in the US.

Escobar has never lost a laser case, either. “I don’t know of crashes, but I do know of pilots that have suffered permanent disabilities from laser strikes,” Escobar told Ars. Authorities are generally concerned that handheld lasers, which have been getting cheaper and more powerful in recent years and are openly sold on the Web, could be used by a terrorist or a criminal to bring down an aircraft. While no aircraft in American airspace has ever been forced to make an emergency landing due to a laser strike, much less brought down, there has been a concerted effort to identify and crack down on those carrying out such strikes. This, along with 18 US Code § 39A of course, is what Bowser had gotten himself into. Originally, he said the government wanted to charge him with attempted murder, terrorism, and other charges that ultimately were not filed.

But with the laser strike, he decided to push his defense attorney to take the single count to trial, believing that it would be difficult to prove that he “knowingly” aimed the laser at the police helicopter.

"...but you did something."

After being arrested, Bowser posted bail and returned for his first court appearance days later.
Initially, he was met with a surprise—state charges had been dropped. No explanation was given.

As far as Bowser knew, he was free as a bird. With that out of the way, he and Wendy decided to move back to her home state of Arkansas. Little did Bowser realize, however, federal authorities had started their investigation.

They were searching for the motorhome and laser in question. Bowser and Wendy sold their belongings at a yard sale and packed up for Arkansas in December 2014.

But months later, in March 2015, Bowser heard that his aunt, his closest relative, had fallen ill. He had to come back to California if possible. Unable to afford the plane ticket on short notice, he bought a used car and began driving west.
Somewhere outside of Amarillo, Texas, the car broke down. He decided to then rent a U-Haul truck to accommodate him, his stuff, and Bowser the pitbull. After visiting his aunt, Bowser decided to drive to Bakersfield to return the truck. On his way, he pulled over at a rest stop near the town of Nipomo to walk his dog.

Because large trucks are not usually on the road so late at night, a San Luis Obispo County sheriff’s deputy began questioning him.

By coincidence, there had been a recent rash of drug shipments in the area. When the deputy ran Bowser’s name in his computer, he came back with bad news—a sealed federal warrant dating to December 2014 had Bowser’s name on it. (According to Escobar, it had taken several weeks to file the warrant as federal authorities were trying to locate the motorhome, the laser, and Bowser himself.) “I don’t know what you did, but you did something,” the deputy told Bowser. “I have to take you in.” Bowser the dog was taken to a local animal shelter immediately and likely put down over time.

Bowser the man was taken to the San Luis Obispo County Jail before being driven by FBI agents Erick Bach and Joshua Allan Nicholson to a federal detention center in Bakersfield. There, while seated in the front passenger seat, Bowser gave the two men the same story he gave officer Celedon that fateful night: “I didn’t really comprehend that it was a helicopter until I turned my beam onto it, ‘till that laser hit it.” On the ride back to Bakersfield, Bowser told the FBI agents that he had “mutilated” the laser while in Arkansas. He had initially told the Bakersfield Police that he had given it to Todd, but in fact he had given it to Wendy, who kept it and took it with them to Arkansas. “I was chopping firewood, and I sat it right on top of the log I was splitting, and I chopped it right along with the log,” Bowser would later tell Ars. By the end of the month, Bowser again insisted that he had not intentionally or “knowingly” struck the helicopter and invoked his right to a speedy trial.

A date was set for June 20, 2015.

Photo: Karen Escobar is an Assistant United States Attorney for the Eastern District of California. Credit: Cyrus Farivar

"Knowingly" or unknowingly

During opening arguments, Assistant US Attorney Escobar did not mince words:

“You will also hear his own admission, because there is a tape of the Bakersfield police officer’s interview with the defendant at that time. And I ask when you are in the jury room deliberating later on, that you remember what the defendant said on that tape, which was right after the laser strike happened and right when everything was fresh in his mind. When Officer Celedon asked the defendant if he knew why the police were there, he responded unequivocally that it was because he had a laser pointer and he pointed it at a helicopter.”

Erin Snider, a federal public defender, delivered her own opening statement to the jury moments later:

“You are also not going to hear any evidence that Barry continued to use the laser pointer after the helicopter started to respond. As soon as that helicopter descended down out of the sky, Barry stopped what he was doing. He turned off that laser pointer. Now, the government bears the burden to prove beyond a reasonable doubt that Barry is guilty of this offense, and that’s to say that the government has to present evidence that firmly convinces you that Barry knowingly aimed the laser pointer at the aircraft. And it is going to be up to you to decide whether the government has satisfied its burden in this case. So it is going to be up to you to decide whether in fact Barry knowingly aimed the laser pointer at the aircraft. Not accidentally, not mistakenly, not recklessly, but knowingly.”

The first witness the government put forward was the helicopter pilot himself, Kevin Austin. On the stand, Austin said the first laser strike gave him momentary “flash blindness,” which he said was “similar to a camera flash going off.” The second strike lit up the entire windshield. He also said that he experienced “irritation” in his left eye, comparing it to getting “sand or an eyelash” in his eye. After Austin, the prosecution furthered its case with a trio of witnesses.

TFO Deputy Storar noted that at the time of the strike, the helicopter was “en route to a report of a male subject that was naked and armed with a firearm.” Lt. Col. Leon McLin (Ret.), a senior research optometrist at the United States Air Force, testified that laser strikes similar to Bowser’s case would be “consistent with tracking” (meaning the laser was intentionally following the aircraft).

And Joshua Nicholson, then a senior deputy with the Kern County Sheriff’s Office, testified that Bowser would have had to “turn to strike the helicopter.” The defense, meanwhile, only put up Bowser himself as a witness. Bowser reiterated the same story. When questioned by his own lawyer if he “intentionally” aimed the laser at the helicopter, the accused responded unequivocally: “No, I did not.” But upon questioning by Escobar, Bowser admitted that he hadn’t been truthful with Officer Celedon on the night of his arrest.

Bowser lied about having handed off the laser to Todd, when in fact he’d handed it off to Wendy.

Escobar: So it was OK at that time not to tell the truth?
Bowser: Ma’am, I can’t say I thought about this. I don’t know why I didn’t tell him the truth, ma’am. I have no idea why I didn’t tell him the truth about the laser.
Escobar: You have been convicted in the past with crimes involving dishonesty, correct?
Bowser: If that’s what you call them.
Escobar: Forgery?
Bowser: Yes, ma’am. Over a decade ago.
Escobar: And using someone else’s identity?
Bowser: Over a decade ago.

During closing arguments, Escobar addressed the jury plainly. Regardless of the language in 18 US Code § 39A, she pointed out that “it doesn’t matter that he didn’t intend to hit” the helicopter. “The crime is completed,” she continued. “The evidence clearly establishes it, and your common sense tells you there was an aiming because there were direct hits of the aircraft, and there was more than one strike.

The fact that the beam hit the aircraft establishes there was an aiming.” Janet Bateman, Bowser’s other defender, next got up and addressed the jury. “Barry Bowser is not guilty,” she intoned. “He is not guilty of knowingly aiming a laser pointer at a helicopter.” She laid out an argument that many defense attorneys attempt, that the government failed to prove its case.

Bateman pointed out that jurors should find Bowser not guilty, essentially, because he told them that he had not intended to fire the laser at the helicopter.

And under 18 US Code § 39A, intent matters (“Whoever knowingly aims the beam of a laser pointer at an aircraft…”). “So this certainly could have been an accident,” she continued. “The law contemplates a scenario just like this case, and it doesn’t allow for a person to be convicted.” The jury took four-and-a-half hours to reach a verdict: Bowser was guilty on the single count. Following the decision, he was sentenced to 21 months in prison. His lawyers’ request for a new trial was denied.

They appealed to the 9th Circuit, which affirmed the lower court’s verdict and sentence.

Bateman and Snider, the public defenders, did not respond to Ars’ requests for comment.

Moving forward

Today, standing outside of the chain-link fence where the laser incident happened, Bowser explained that he could easily make money again by slinging meth. He’s going to do his damnedest to stay on the straight and narrow, however. “Right now I just don’t know what to do,” he said. “I know what I can do, but I don’t want to do it.
I got God in my life now, and he’s leading me in the right direction.” Jail before trial, and then serving in federal prison was harder this time—not only did he get caught up in the riot, but the passing of time meant Bowser lost his girlfriend, his home, his dog. He’s also been out of contact with his children for years now, though he would like to let them know where he is with his life right now. “I don’t even know what my kids think, or if they knew they had a Dad,” he mused. “One of them was born when I was in [state] prison.” He’s applied for state disability benefits for the time being.

But if he does need to get a new job, Bowser said he’d like to use his experience with drugs and the prison system to help fellow addicts and criminals. He’d like to be a psychologist. “I got 20 years on this side, I think I could do it on the other side pretty good.” To this day, Bowser maintains the strike that has shaped the last two years of his life was an accident. However, he is also apologetic for his actions. “I'm writing this letter to apologize to the community of Bakersfield and to the Kern County Sheriff's Department —especially to the flight crew of KCSO Air One, piloted by Deputy Austin,” he wrote in that public letter to the Bakersfield Californian. “I also want to educate anyone who owns a laser and might be inclined to use it the way I did: Learn from my mistake.
I am now just getting out of prison.
I have paid dearly, for I have lost my girlfriend, my dog, my home, my vehicle.

Everything I owned, everything I have worked for 30 years of my life, is gone.” Escobar, the federal prosecutor who earned the conviction, told Ars that Bowser’s letter was the first time in her 26 years as a prosecutor in the Eastern District of California that she’s heard of anyone apologizing post-release after all appeals had been exhausted. It’s a gesture that hasn’t gone unnoticed.
In a response letter also sent to the Bakersfield Californian, a local woman praised Bowser for his candor and for showing compassion over the loss of his dog and much more. "Hang in there, Barry," she wrote. "Good things are coming, maybe even a brand new girlfriend."

‘Tesco Bank’s major vulnerability is its ownership by Tesco,’ claims ex-employee

Links to supermarket's systems may have exposed vulnerability

A former techie at Tesco Bank reckons the recent high-profile breach may be down to security shortcomings at the bank's parent supermarket. Earlier this month Tesco Bank admitted that an estimated £2.5m had been stolen from 9,000 customer accounts in the biggest cyber-heist of its kind to affect a UK bank.

The National Crime Agency (NCA), with technical support from the newly established UK National Cyber Security Centre (NCSC), is leading a criminal investigation into the breach. NCSC issued a statement saying it was "unaware" of any threat to the wider UK banking sector. Tesco Bank's security procedures were solid but the bank was exposed because of Tesco's "not-very-secure-at-all systems" – a weakness hackers might well have exploited, our informed source (who requested anonymity) speculates.

TB [Tesco Bank] use all the standard security processes, and have significant numbers of ex-RBS staff.
Security architecture is sound, and vulnerabilities are patched in a timely manner.

Fraud monitoring systems are industry standard.

A full breach is very unlikely, and there are much bigger and better targets if a gang has access to relevant zero-days. All staff are vetted as per standard processes – TB is no more vulnerable to an internal breach than anyone else.

Again, bigger and better targets are available.

TB does have a problem with retaining experienced staff, and hoping that junior staff will step up when they leave, but that's not uncommon. TB had one breach when they first opened Current Accounts – someone in the card printers got a list of card numbers and sold them.
It was caught in time, and cards were destroyed. Presumably security at the printers has been improved, but I'd consider that to be a continuing possible vulnerability. However, TB's major vulnerability is its ownership by Tesco, and the links between its secure systems and Tesco's not-very-secure-at-all systems.

There was no evidence of patching and monitoring occurring in Tesco systems that we linked to at all.
I strongly suspect that the Clubcard system has been breached and a list of TB account numbers farmed from there.
I also suspect that nothing will be done to trace that possible route – TB has no influence over Tesco at all, due to relative scale, and the apparent bad relations between the chief executives.

In a follow-up email the former Tesco Bank worker, who worked in IT for the bank and at one time on its anti-fraud system, offered more details on security failings at the parent retailer.

I worked on a TB project that had to verify certain customer information on Tesco systems.

The Tesco system would fall over on a regular basis, and we would have to tell Tesco it was down – they wouldn't monitor it.
It later became clear that it was an app server running on a very outdated piece of middleware, completely unpatched.

This was standard for Tesco systems. [The] only exception was the credit card payment system, which was secure because it was regulated.
Separately I was aware of an effort to tie some TB systems more closely to Clubcard. However, it had to be abandoned once the architects discovered how insecure Clubcard itself was.

Various theories about what might have caused the breach at Tesco Bank have already been suggested.
Security watchers have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach. Around 136,000 customers hold current accounts with Tesco Bank. Holders of other accounts were not affected by the breach. Security intelligence firm Digital Shadows recently applied techniques for the Analysis of Competing Hypothesis (ACH) to assess the likelihood of the various competing explanations on offer.
It concluded that either payment system compromise or the cash-out of cloned cards were the two theories that best matched the available facts.

Cash-out of cloned cards would likely have been simpler to execute than payment system compromise, according to Digital Shadows, prompting the firm to lean towards this theory while not ruling out other possibilities. El Reg ran insights from the former Tesco Bank techie past Digital Shadows.
In response, Digital Shadows said that it had seen nothing so far which would suggest security problems at the Tesco supermarket were behind the breach, before conceding that it was still investigating. Ken Munro, a director at security consultancy Pen Test Partners, described the former Tesco staffer's theory as all too plausible, based on his years of experience in the IT biz rather than any direct knowledge of the supermarket's systems. "So often it's the incidental systems that cause issues," Munro told El Reg. "One builds a secure app, but then has to hook it up to an existing access/authorisation system, or something similar.
I remember a pen test a few years back of a network that was pretty much bulletproof – up to date, pretty well configured, reasonable passwords etc. "Then we found an old fax server that was on the same domain.
It didn't take long to compromise that flaky fax box and from there the domain controller.

All the good work was undone by some failed oversight of one box. "You're probably only as secure as your least secure system," Munro concluded. Tesco Bank provided this statement: "On 5 and 6 November, Tesco Bank was targeted by fraud, which affected 9000 of our customers and cost us £2.5m. "We identified the fraud quickly and communicated immediately with our customers, the Financial Conduct Authority and National Crime Agency.

This remains a criminal investigation. "We refunded each customer account in full and have taken steps to help reassure our customers that they can bank safely and securely at Tesco Bank."

What went wrong at Tesco Bank?

Internal systems blamed for monster cyber-attack

Tesco Bank has enlisted the help of the recently established National Cyber Security Centre (NCSC) following the most serious cyber-attack ever launched against a UK bank. The attack against the supermarket giant's banking arm involved the theft of £2.5m from 9,000 customers' accounts, funds that the bank quickly reimbursed.
Initially theft against 20,000 accounts was feared but this figure was revised downwards late on Tuesday night.

At the same time Tesco announced that it was restoring normal service following the suspension of online and contactless transactions from current accounts applied in the immediate wake of the breach last weekend. NCSC is working alongside the National Crime Agency to look into the cyber-attack, which is believed to be the biggest of its kind in the history of British banking. Ian Mann, chief exec of cyber-security service ECSC, said the size of the breach indicates that it is likely either Tesco's internal systems or its mobile application have been hacked.

Tesco Bank's method of access for customers is "weak for this type of system", according to Mann. "Username is your email by default, and you only need digits from a numeric PIN.

By requiring limited digits from the PIN on login, they make it virtually impossible to hash (encrypt) the PINs they have stored. This means a compromise of their customer database will reveal all logins and passwords to the attacker." Tesco Bank manages around 136,000 current accounts.
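Mann's point that asking for only some PIN digits rules out hashing, worked through as an added illustration (not code from the article or from Tesco Bank). It assumes a 6-digit PIN, a challenge for 3 of its digits and PBKDF2-HMAC-SHA256; the page states none of these. Even if a bank stored a separate hash for every position subset it might ask for, each stored record has only 1,000 possible preimages, so a leaked database still gives up every PIN.

```python
"""
Partial-digit PIN login versus PIN hashing.

Added illustration, not code from the article or from Tesco Bank.  Assumptions
(the page gives none of these): a 6-digit PIN, a login challenge asking for 3
of its digits, and PBKDF2-HMAC-SHA256 as the hash.
"""
import hashlib
import itertools
import secrets
from typing import Dict, Tuple

PIN_LEN = 6        # assumed
CHALLENGE_K = 3    # assumed: digits requested per login
ITERATIONS = 1000  # kept low so the enumeration below runs in seconds

Positions = Tuple[int, ...]
Record = Tuple[bytes, bytes]  # (salt, digest)


def _h(material: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS)


# Scheme 1: the whole PIN is entered and hashed like a password.
def enrol_full(pin: str) -> Record:
    salt = secrets.token_bytes(16)
    return salt, _h(pin, salt)


def verify_full(record: Record, pin: str) -> bool:
    salt, digest = record
    return secrets.compare_digest(_h(pin, salt), digest)


# Scheme 2: the login asks for the digits at 3 positions.  A hash can only be
# checked against exactly the string that was hashed, so the server has to
# store one hash per position subset it might ask for: C(6,3) = 20 records.
def enrol_partial(pin: str) -> Dict[Positions, Record]:
    records: Dict[Positions, Record] = {}
    for pos in itertools.combinations(range(PIN_LEN), CHALLENGE_K):
        salt = secrets.token_bytes(16)
        digits = "".join(pin[i] for i in pos)
        records[pos] = (salt, _h(digits, salt))
    return records


def verify_partial(records: Dict[Positions, Record], pos: Positions, answer: str) -> bool:
    salt, digest = records[pos]
    return secrets.compare_digest(_h(answer, salt), digest)


# Defender's view of a leaked database: each partial record has only
# 10**CHALLENGE_K possible preimages, so the hash hides nothing.
def recover_subset(record: Record, k: int = CHALLENGE_K) -> str:
    """Return the k digits behind one leaked record by trying all 10**k values."""
    salt, digest = record
    for digits in itertools.product("0123456789", repeat=k):
        guess = "".join(digits)
        if _h(guess, salt) == digest:
            return guess
    raise ValueError("record does not match any k-digit value")


def recover_pin(records: Dict[Positions, Record]) -> str:
    """Two disjoint subsets, (0,1,2) and (3,4,5), give back the entire PIN."""
    return recover_subset(records[(0, 1, 2)]) + recover_subset(records[(3, 4, 5)])


def offline_guesses(pin_len: int = PIN_LEN, k: int = CHALLENGE_K) -> Tuple[int, int]:
    """Worst-case hash evaluations to reverse one full-PIN record versus one
    partial record.  Even 10**6 is small, which is why full PINs are normally
    kept encrypted inside an HSM rather than hashed; 10**3 is no barrier at all."""
    return 10 ** pin_len, 10 ** k


if __name__ == "__main__":
    pin = "493817"  # constructed sample PIN
    full = enrol_full(pin)
    partial = enrol_partial(pin)
    print("full-PIN login ok:", verify_full(full, pin))
    print("partial login, positions (1,3,5) = '987':", verify_partial(partial, (1, 3, 5), "987"))
    print("records per customer in partial scheme:", len(partial))
    print("PIN recovered from leaked partial records:", recover_pin(partial))
    print("worst-case guesses (full, partial):", offline_guesses())
```

The consequence for a defender is that a partial-digit scheme has to keep the PIN (or an encrypted copy) verifiable, so the protection must come from where that secret is held and who can read it, not from a hash.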
Security pundits have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach. Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, said: "While the details are still patchy, there's no doubt that this was a hugely sophisticated, coordinated and advanced attack – and as recent months have proven, no organisation is immune from similar attacks going forward. With cloud computing, hackers have so many more points of entry, and organisations need to put security in place to guarantee the safety of data, even if it falls into the wrong hands.
In practice, this means putting multiple layers of control around their most sensitive data and closely monitoring access to stop theft on the way out rather than betting on the 'hard shell' approach with a sealed perimeter." Tesco might face a huge fine under the recently revamped EU data protection rules over the breach, according to Hawthorn. "When it comes to data security, the silent spectre of EU General Data Protection Regulation is slowly kicking organisations into action, and incidents such as this will only accelerate this trend," Hawthorn said. "One estimate is that Tesco Bank could be fined nearly £2bn under GDPR rules for this incident.

The bottom line is that data security is no longer simply an issue for the IT department to tackle, and organisations can no longer sit back and ignore it.

The stakes are higher than they have ever been, so when it comes to reviewing your security position, tomorrow may just be too late."

Tesco Bank Stops Online Transactions After Money Missing from 20K Accounts

Tesco Bank, a U.K. retail bank, today put a halt to online transactions from current accounts after some customers reported over the weekend money missing from their accounts. The bank, which has more than seven million customers, told the BBC that 40,000 accounts were accessed and half of which reported missing money. “While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal,” chief executive Benny Higgins said in a statement this morning. “We are working hard to resume normal service on current accounts as soon as possible.” Higgins said that law enforcement and regulators are investigating; no further details on the attack were released, though Higgins told the BBC he knew what the attack was. “We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible,” Higgins said. Tesco Bank is co-owned by U.K.’s largest supermarket and the Royal Bank of Scotland. “We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts,” Higgins said. Customers, meanwhile, complained loudly on social media about the bank’s responsiveness to the situation.

“@tescobankhelp why is money still being taken out of my account fraudulently ?? My supposedly FROZEN bank account that I can't access????” — Kirsty Brown (@kirstyktweet) November 6, 2016

“This getting more and more farcical. Still no money still no way for my kids to eat in school tomorrow Tesco are beyond a joke” — SamAllenAVFC (@samallen72) November 7, 2016

U.K. bank suspends online payments after fraud hits 20,000 accounts

The banking arm of U.K. supermarket chain Tesco has suspended online payments for its 136,000 checking account customers following a spate of fraudulent transactions. The bank suspended its payment service for all checking account customers after 40,00...

Retail, Certification Delays Slow Chip-Card Changeover

NEWS ANALYSIS: With slow retail adoption, long queues for certification and a few lawsuits, the transition to chip cards is proving to be challenging.

In March, five months after credit-card companies mandated a "liability shift" for most retailers who had not adopted chip-card technology, a Florida supermarket chain and a liquor store filed a class-action suit against Visa, MasterCard and other credit card issuers as well as several large banks. The lawsuit alleges that the mandated "liability shift" made the retailers responsible for more than $10,000 in charge-backs because they could not quickly adopt the technology and processes for handling the Europay-MasterCard-Visa, or EMV, standard for chip cards. The stores maintain that the mandate requires that, not only do they have to buy expensive equipment to process the cards, but they also have to become certified, a process that is "lagging months—and maybe years—behind, with no relief in sight."

"What you have is a massively unfair and intentional Catch 22, where the very people who benefit from making these merchants pay under the Liability Shift are the people who imposed it and now control when, if ever, the merchants can get out from under it," Patrick J. Coughlin, counsel for the plaintiffs with Robbins Geller Rudman & Dowd, said in a statement.

In early October, almost exactly a year after the shift began, a federal judge in California ruled on initial motions in the lawsuit, upholding the retailers' right to sue the financial firms. Other retailers, such as big-box giant Walmart and supermarket chain Kroger, have launched their own legal actions against payment-card companies for not requiring PINs. The lawsuits represent the stores' financial pain made manifest.

While consumers have often been confounded by the initially slow processing of chip-card transactions and confused by the uneven adoption of chip readers at retailers, merchants have had to shoulder the expense and effort required for adoption. For some, it made little sense, George Rice, senior director of payments at HPE Data Security, told eWEEK. "Some businesses looked at their exposure to fraud, and they look at that as less of a cost than upgrading their environment," he said. "A convenience store with an average $6 transaction does not see a need to fight charge-backs."

The delays have resulted in a skewed distribution in adoption. While 80 percent of credit cards are now EMV-compliant chip cards, only 44 percent of U.S. card-accepting merchants have EMV terminals, and only 29 percent actually use the chip-card functionality to accept secure transactions, according to a survey conducted by the Strawhecker Group, a management consulting firm. The firm had previously surveyed merchants in January and had estimated that half would have implemented the technology.

The EMV liability shift continues to be controversial. The payment-card firms' directive mandates that the least-compliant link in the chain of transactions—from the bank, to the retailer, to the payment card processor, to the card issuer—will be responsible for any fraud. If issuers have not issued new chip cards to their consumers, they are held financially responsible for fraudulent transactions. If retailers do not accept chip cards, then they are held responsible for the fraudulent transactions.

Most retailers delayed their transition until after the busy Christmas season. The resulting avalanche of requests for certification, which initially was a very slow process, resulted in a clogged pipeline for servicing the firms, Jose-Luis Rojas, head of cards practice for Capgemini, a management consulting firm, told eWEEK.

Hackers claim they breached Aussie point-of-sale tech firm, try to sell...

Claim to have backdoored supplier to Woolworths' pub chain

Exclusive: Hackers are claiming to have hacked Australian point-of-sale technology (PoS) company H&L Australia, and have been claiming to potential buyers that they had lifted its customer database.

They were already offering it for sale for AU$22,000 ($16,580, £12,723) more than two months ago. If indeed they have hacked into H&L, credit card data and personal information would potentially be at risk: the firm's clients include several major retailers. The Register received information about an alleged breach at H&L Australia two weeks ago, plus the credentials required to access what was alleged to be an active backdoor on the company's network and an open public link to a large SQL database dump. We immediately reported this to CERT Australia, which offers assistance to compromised businesses. Our information came from Alex Holden, founder of US-based intelligence company Hold Security. Holden has form disclosing large breaches and has significant access to underground crime forums. He provided The Register with a chat room exchange between two unnamed entities he says were buying and selling what was purported to be the "H&L Australia database". The message thread spans almost four hours on 18 July.
In it the hackers chat in broken but succinct English. The exchange between the two was as follows:

11:23:53 seller: "http://URL.hlaustralia.com.au. have shell"
11:25:00 buyer: ok , also will need admin cp (control panel) and db (database)
11:25:11 buyer: i will make deal about it when my guys comes online
...
14:52:29 buyer: password of shell hlaustralia
14:52:33 seller: admin
14:53:46 seller: all site of hlaustralia.com.au on one server
14:54:21 buyer: good

The shell and database – allegedly of H&L – were to be sold to the buyer for 27 Bitcoins on 27 July. The apparent backdoor and claimed stolen database have since been removed.

At no point did The Register access the alleged "backdoor" or the database. We have made repeated requests for comment to H&L Australia, the first on September 13.

The company has not responded directly to our questions, but in correspondence does not dispute the breach and indicates it is taking action to inform stakeholders about the situation. If a theft took place, precisely what was stolen is uncertain, but Holden claims he's aware of a 14.1Gb database dump, purportedly from the company.

Image: An obfuscated screenshot of the alleged stolen database uploaded by attackers (The Register).

The supposedly breached local server database – according to a screenshot of the alleged dump – includes fields login; mortlock; password; homer16; db name, and hnlial_db. H&L's customers include Australian Leisure and Hospitality Group (ALH), a venture that operates some 330 pubs and clubs around Australia. Supermarket giant Woolworths is a joint-venture partner in ALH. Neither Woolworths nor ALH responded to repeated requests for comment after confirming initial receipt of news of the alleged breach on 13 September.

Image: An H&L Australia terminal in an ALH pub (The Register).

Time for a stiff drink

Australian pubs are well patronised, so if the allegations are true, there's potential for many individuals' details to be in the data dump. Neal Wise, director of Melbourne penetration testing firm Assurance.com.au, says the potential impact would depend on the information contained in the alleged stolen databases, adding that PoS platforms are often linked to other systems such as loyalty programmes, which would potentially expand the scope of the client impact. "I’m not sure what data has been accessed so this could be as simple as enabling 'classic' credit card fraud or it could tie back into loyalty or other related systems," Wise says.

Other security experts speaking on the condition of anonymity agree it is reasonable to conclude that the hackers would seek to monetise the valuable intelligence they would have paid a high price to acquire, including the details of those allegedly collected at the point of sale. They say that if the hackers are telling the truth, they might be able to use the database to compromise customers' information – including credit card or personal staff and payroll information – although neither The Register nor the experts contacted for the story could legally download and inspect the database, beyond viewing a screenshot purported to be of the database that the hackers uploaded to the internet.

The oldest trick in the book

If the alleged breach took place, it is likely the hackers located a file upload or SQL injection vulnerability to create the backdoor in the firm's systems, a form of attack Holden describes as the “oldest trick in the book”. The Federal Government's CERT Australia, while not commenting directly on the alleged breach, says organisations need to harden their defences. "All organisations, including small and medium businesses, need to consider cyber security as part of their day-to-day business," the agency told The Register in a statement.
"Businesses that become aware of cyber security incidents should contact CERT Australia." The agency in 2014 published a guide for information security controls recommended for small- and medium-sized businesses.

The advice, if followed, will significantly reduce exposure to compromise.
It should be paired with advice within the Federal Government's Stay Smart Online website. The Open Web Application Security Project also offers security advice describing the worst perennial web application holes and mitigation strategies in its Top 10 list. Wise says PoS systems must be segregated from other premise networks. "Basically avoid combining venue networks - guest wireless, PoS terminals, etcetera," Wise says, citing an example of a dentist who ran the sensitive office network on the same LAN as his guest wireless. "Also remember that if you have systems that interface with bookkeeping and supply chain those should be protected and should be deployed in network segments that strictly control their access." Wise says PoS vendors should ensure data is protected at rest and in transit in large multi-site customer architectures where data is synchronised. Holden says the alleged breach should serve as a warning for PoS vendors to harden their systems noting that hackers will breach businesses using the easiest path available. "From my perspective, most hackers more often go along the path of least resistance and use the standard tools," Holden says. "I think security should deter types of attacks, not types of attackers.
In addition there must be better deterrents that would identify malicious changes in infrastructure and detect data loss." ®

Phisherfolk phlock to Rio for the Olympics

Virtually, that is. Zeus trojan ported to bash Brazil banks

Criminals are ramping up their online presence in Rio de Janeiro, where the Olympic Games will open on Friday, August 5 – with IBM and Fortinet reporting new banking trojans and cyber crime activity in Brazil. Big Blue has reported that a variant of the Zeus trojan has emerged on crime forums targeting local banks and exploiting the financial habits of users in the country, in what is evidence the trojan is not a mere copy-and-paste effort.

The Panda Banker trojan began in Europe and the US, hitting banks in the region earlier this year before being ported to smash the home of the looming 2016 Olympics. The Brazilian variant targets 10 unnamed national banks and localised payment services and is being flogged by the original developers under a subscription payment model. Panda can also raid Bitcoin exchange credentials, airline loyalty programmes, prepaid cards and gambling sites, IBM X-Force researchers say. Its customisation continues: the trojan has been written to target a local security firm, a supermarket chain, and even law enforcement. Researchers suggest the possibly Russian-speaking designers are working in concert with Brazil locals to develop the latest variant.

"Panda grabs login credentials on the fly, is capable of injecting malicious code into ongoing web sessions to trick users with social engineering, and its operators are versed in the use of automated transaction panels," researchers say. "Panda’s operators’ favoured fraud methodology is account takeover, in which victim credentials are robbed and then used by the attacker to initiate a transaction from another device." Most infections come via Word documents and poisoned macros, with pop-up windows used to capture one-time banking passwords.

Meanwhile Fortinet is warning of a huge 83 per cent spike in malicious domains and phishing URLs in Brazil across June, compared to the global average of 16 per cent. Researchers with the company write in its latest threat report [PDF] that some 3,800 malicious government (gov.br) sites have been spun up that target bureaucrats and Olympics officials. "As the 2016 Rio Olympics unfold, the history of increased attacks will undoubtedly continue and FortiGuard Labs is already seeing indicators of repeat techniques such as domain lookalikes for payment fraud and malicious websites or URLs targeting event and government officials," security strategist Ladi Adefala says. The findings are similar to those affecting previous major sporting events like the soccer World Cup and previous Olympic Games.

In January Trend Micro found, as part of its series of analyses on regional cybercrime markets, that Brazil's underground was booming. Researchers at the firm said the South American nation had an "influx" of new criminals to its online communities who shirk anonymity when draining user bank accounts with malware and openly boast of their success. ®

Tor torpedoed! Tesco Bank app won't run with privacy tool installed

Money software blubs at the sight of onions

Tesco's mobile banking app refuses to run on handsets where the Tor app is also installed, it emerged this weekend. Mainframe database admin Marcus Davage revealed the Tesco banking app tells users they must remove the Tor Project's anonymizing Android software to access the supermarket's money services.

Who do @Tesco think they are, preventing free speech and internet security? @torproject @tescobankhelp @Android pic.twitter.com/xVcBmyjVKN — Marcus Davage (@spufidoo) June 17, 2016

Davage posted an image of the message, which advises that in order to use the Tesco app, the Tor Project's Orbot Android client has to not only be turned off but removed entirely from the device. The issue appears to be related to security.

Tesco's help site notes that the Android app checks for malware and other possible security risks (such as the phone being rooted) upon launching and, in this case, the Tor software triggers an alert. The Tor Project makes two apps for Android, the aforementioned Orbot and the Orfox browser, both of which allow users to encrypt their data traffic using the Tor network.

According to the Play Store, Orbot has been downloaded more than five million times by Android users. Tesco could not be reached for comment at the time of publication. ®