Naked Security

News in brief: Whole Foods holed; Facebook face lock; Mining malware

Your daily round-up of some of the other stories in the news

Whole Foods Market suffers payment card breach

The Whole Foods Market chain is investigating a payment card breach at locations with taprooms and full table-service restaurants.

The company’s statement acknowledging the investigation is brief and leaves many questions unanswered:

Whole Foods Market recently received information regarding unauthorized access of payment card information used at certain venues such as taprooms and full table-service restaurants located within some stores.

Questions yet to be answered include which specific locations were affected, what kind of card data may have been put at risk and how the breach happened.

Whole Foods Market has close to 500 stores in the US, Canada and UK.

With facial recognition, Facebook can unlock your account

Facebook is working on a facial recognition approach to help users regain access to their accounts if locked out. Users who can’t receive two-factor authentication SMS because they’re in transit will no doubt benefit from such a tool.

Answering a query from TechCrunch, Facebook confirmed it’s working on the new tool:

We are testing a new feature for people who want to quickly and easily verify account ownership during the account recovery process. This optional feature is available only on devices you’ve already used to log in. It is another step, alongside two-factor authentication via SMS, that we’re taking to make sure account owners can confirm their identity.

This isn’t the first time Facebook has experimented with ways to help users get back into a locked account. In some cases, it has asked the user to identify photos of their friends to prevent unauthorized logins. It has also played around with letting users designate several “trusted friends” who receive a code that the user can then ask them for to unlock the account.

Of course, facial recognition isn’t foolproof – as both Apple and Samsung can attest.

Malware maker mined Monero, made $63,000

One or more malware creators made around $63,000 in five months by invading unpatched IIS 6.0 servers and mining the cryptocurrency Monero.

BleepingComputer reported that attackers exploited the CVE-2017-7269 vulnerability in IIS 6.0 servers to hijack machines and install a Monero miner. Monero is a cryptocurrency like Bitcoin that’s designed for even greater privacy than its better-known peer.

Windows Server owners still running IIS 6.0 should install a patch Microsoft released in June.

Two Chinese researchers discovered the CVE-2017-7269 vulnerability in March. They made proof-of-concept exploit code available on GitHub to help sysadmins find vulnerable IIS 6.0 installations in their organizations.
