Crime

Cops: Accused Vandal Confessed To ChatGPT 59

alternative_right shares a report from the Smoking Gun: Minutes after vandalizing 17 cars in a Missouri college parking lot, a 19-year-old sophomore had a lengthy ChatGPT conversation during which he confessed to the crime, asked about the possibility of getting caught, and wondered, "is there any way they could know it was me," according to a police probable cause statement. Ryan Schaefer was arrested yesterday and charged with felony property damage for a rampage early Sunday at a Missouri State University parking lot. Investigators allege that Schaefer shattered car windows, ripped off side mirrors, dented hoods, and broke windshield wipers during the 3 AM spree.

When confronted with surveillance footage and other evidence, Schaefer said that he could see the resemblance between the suspect and himself. At that point, Schaefer reportedly consented to a search of his iPhone. A subsequent review of the device revealed location data placing Schaefer "at or near the scene of the crime," as well as a "troubling dialogue exchange this defendant seems to have had with artificial intelligence software installed on his phone," prosecutors reported.
The incriminating ChatGPT conversation can be found here.

Crime

'Serial Swatter' Who Made Nearly 400 Threatening Calls Gets 4 Years In Prison (thehill.com) 98

Alan W. Filion, an 18-year-old from Lancaster, Calif., was sentenced to four years in prison for making nearly 400 false bomb threats and threats of violence (source may be paywalled; alternative source) to religious institutions, schools, universities and homes across the country. The New York Times reports: The threatening calls Mr. Filion made would often cause large deployments of police officers to a targeted location, the Justice Department said in a news release. In some cases, officers would enter people's homes with their weapons drawn and detain those inside. In January 2023, Mr. Filion wrote on social media that his swats had often led the police to "drag the victim and their families out of the house cuff them and search the house for dead bodies."

Investigators linked Mr. Filion to over 375 swatting calls made in several states, including one that he made to the police in Sanford, Fla., saying that he would commit a mass shooting at the Masjid Al Hayy Mosque. During the call, he played audio of gunfire in the background. Mr. Filion was arrested in California in January 2024, and was then extradited to Florida to face state charges for making that threat. Mr. Filion began swatting for recreation in August 2022 before making it into a business, the Justice Department said. The teenager became a "serial swatter" and would make social media posts about his "swatting-for-a-fee" services, according to prosecutors.

In addition to pleading guilty to the false threat against the mosque in Florida, Mr. Filion pleaded guilty in three other swatting cases: a mass shooting threat to a public school in Washington State in October 2022; a bomb threat call to a historically Black college or university in Florida in May 2023; and a July 2023 call in which he claimed to be a federal law enforcement officer in Texas and told dispatchers that he had killed his mother and would kill any responding officers.

Crime

Teen Pleads Guilty To Making 375 'Swatting' Calls Across US (cnn.com) 166

quonset shares a report from CNN: Between August 2022 and January 2024, hundreds of swatting calls were made across the country targeting religious institutions, government offices, schools, and random people. Authorities were finally able to track down the criminal, Alan Filion, who entered the plea to four counts of making interstate threats to injure the person of another, the US Attorney's Office for the Middle District of Florida said in a news release. He faces up to five years in prison on each count. A sentencing date has not yet been set.

The US Attorney's Office said Filion made more than 375 swatting and threat calls from August 2022 to January 2024. Those calls included ones in which he claimed to have planted bombs in targeted locations or threatened to detonate bombs and/or conduct mass shootings at those locations, prosecutors said. He targeted religious institutions, high schools, colleges and universities, government officials and people across the United States. Filion was 16 at the time he placed the majority of the calls.

AT&T

AT&T Paid $370,000 For the Deletion of Stolen Phone Call Records (wired.com) 40

AT&T paid more than $300,000 to a member of the team that stole call records for tens of millions of customers, reports Wired — "to delete the data and provide a video demonstrating proof of deletion." The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it. WIRED confirmed, through an online blockchain tracking tool, that a payment transaction occurred on May 17 in the amount of 5.7 bitcoin... The hacker initially demanded $1 million from AT&T but ultimately agreed to a third of that. WIRED viewed the video that the hacker says he provided to AT&T as proof to the telecom that he had deleted its stolen data from his computer...

AT&T is one of more than 150 companies that are believed to have had data stolen from poorly secured Snowflake accounts during a hacking spree that unfolded throughout April and May. It's been previously reported that the accounts were not secured with multi-factor authentication, so after the hackers obtained usernames and passwords for the accounts, and in some cases authorization tokens, they were able to access the storage accounts of companies and siphon their data. Ticketmaster, the banking firm Santander, LendingTree, and Advance Auto Parts were all among the victims publicly identified to date...

The timeline suggests that if [John] Binns is responsible for the AT&T breach, he allegedly did it when he was likely already aware that he was under indictment for the T-Mobile hack and could face arrest for it.

The Almighty Buck

Why Going Cashless Has Turned Sweden Into a High-Crime Nation (fortune.com) 167

An anonymous reader quotes a report from Fortune: Ellen Bagley was delighted when she made her first sale on a popular second-hand clothing app, but just a few minutes later, the thrill turned to shock as the 20-year-old from Linkoping in Sweden discovered she'd been robbed. Everything seemed normal when Bagley received a direct message on the platform, which asked her to verify personal details to complete the deal. She clicked the link, which fired up BankID -- the ubiquitous digital authorization system used by nearly all Swedish adults. After receiving a couple of error messages, she started thinking something was wrong, but it was already too late. Over 10,000 Swedish kronor ($1,000) had been siphoned from her account and the thieves disappeared into the digital shadows. "The fraudsters are so skilled at making things look legitimate," said Bagley, who was born after BankID was created. "It's not easy" to identify scams. Although financial crime has garnered fewer headlines than a surge in gang-related gun violence, it's become a growing risk for the country. Beyond its borders, Sweden is an important test case on fighting cashless crime because it's gone further on ditching paper money than almost any other country in Europe.

Online fraud and digital crime in Sweden have surged, with criminals taking 1.2 billion kronor in 2023 through scams like the one Bagley fell for, doubling from 2021. Law-enforcement agencies estimate that the size of Sweden's criminal economy could amount to as high as 2.5% of the country's gross domestic product. To counter the digital crime spree, Swedish authorities have put pressure on banks to tighten security measures and make it harder on tech-savvy criminals, but it's a delicate balancing act. Going too far could slow down the economy, while doing too little erodes trust and damages legitimate businesses in the process. Using complex webs of fake companies and forging documents to gain access to Sweden's welfare system, sophisticated fraudsters have made Sweden a "Silicon Valley for criminal entrepreneurship," said Daniel Larson, a senior economic crime prosecutor. While the shock of armed violence has grabbed public attention -- the nation's gun-homicide rate tripled between 2012 and 2022 -- economic crime underlies gang activity and needs to be tackled as aggressively, he added. "That has been a strategic mistake," Larson said. "This profit-generating crime is what's fueling organized crime and, in some cases, leads to these conflicts."

Sweden's switch to electronic cash started after a surge of armed robberies in the 1990s, and by 2022, only 8% of Swedes said they had used cash for their latest purchase, according to a central bank survey. Along with neighboring Norway, Sweden has Europe's lowest number of ATMs per capita, according to the IMF. The prevalence of BankID plays a role in Sweden's vulnerability. The system works like an online signature. If used, it's considered a done deal and the transaction gets executed immediately. It was designed by Sweden's banks to make electronic payments even quicker and easier than handing over a stack of bills. Since its original rollout in 2001, it's become part of the everyday Swedish life. On average, the service -- which requires a six-digit code, a fingerprint or a face scan for authentication -- is used more than twice a day by every adult Swede and is involved in everything from filing tax returns to paying for bus tickets. Originally intended as a product by banks for their customers, its use exploded in 2005 after Sweden's tax agency adopted the technology as an identification for tax returns, giving it the government's official seal of approval. The launch of BankID on mobile phones in 2010 increased usage even further, along with public perception that associated cash with criminality. The country's central bank has acknowledged that some of those connotations may have gone too far. "We have to be very clear that there are still honest people using cash," Riksbank Governor Erik Thedeen told Bloomberg.

Crime

US Man Accused of Making $1.8 Million From Listening In On Wife's Remote Work Calls (theguardian.com) 107

Kalyeena Makortoff reports via The Guardian: US regulators have accused a man of making $1.8 million by trading on confidential information he overheard while his wife was on a remote call, in a case that could fuel arguments against working from home. The Securities and Exchange Commission (SEC) said it charged Tyler Loudon with insider trading after he "took advantage of his remote working conditions" and profited from private information related to the oil firm BP's plans to buy an Ohio-based travel centre and truck-stop business last year.

The SEC claims that Loudon, who is based in Houston, Texas, listened in on several remote calls held by his wife, a BP merger and acquisitions manager who had been working on the planned deal in a home office 20ft (6 meters) away. The regulator said Loudon went on a buying spree, purchasing more than 46,000 shares in the takeover target, TravelCenters of America, without his wife's knowledge, weeks before the deal was announced on 16 February 2023. TravelCenters's stock soared by nearly 71% after the deal was announced. Loudon then sold off all of his shares, making a $1.8m profit.

Loudon eventually confessed to his wife, and claimed that he had bought the shares because he wanted to make enough money so that she did not have to work long hours anymore. She reported his dealings to her bosses at BP, which later fired her despite having no evidence that she knowingly leaked information to her husband. She eventually moved out of the couple's home and filed for divorce.

Crime

YouTube, Discord, and Lord of the Rings Led Police To a Teen Accused of a US Swatting Spree (wired.com) 60

An anonymous reader quotes a report from Wired: A California teenager prosecutors say is responsible for hundreds of swatting attacks around the United States was exposed after law enforcement pieced together a digital trail left on some of the internet's largest platforms, according to court records released this week. Alan Winston Filion, a 17-year-old from Lancaster, California, faces four felony charges in Florida's Seminole County related to swatting, or fake threats called into the police to provoke a forceful response, according to Florida state prosecutors. Police arrested Filion on January 18, and he was extradited to Seminole County this week.

Filion's arrest, first reported by WIRED on January 26, marks the culmination of a multi-agency manhunt for the person police claim is responsible for swatting attacks on high schools, historically black colleges and universities, mosques, and federal agents, and for threats to bomb the Pentagon, members of the United States Senate, and the US Supreme Court. Ultimately, a YouTube channel, Discord chats, and usernames related to The Lord of the Rings helped lead authorities to Filion's doorstep.

Florida prosecutors charged Filion with four felony counts, including three related to allegedly making false reports to law enforcement and one for unlawful use of a two-way radio for "facilitating or furthering an act of terrorism" that authorities say targeted people based on race, religion, or other protected classes. While prosecutors alleged that Filion "is responsible for hundreds of swatting and bomb threat incidents throughout the United States," the charges Filion faces relate to a single May 12, 2023, swatting attack against the Masjid Al Hayy Mosque in Sanford, Florida. [...] At 2 pm EST on Wednesday, Filion shuffled into a Seminole County courtroom and stood quietly as the judge read the charges against him. He is currently being held without bond.

News

Kevin Mitnick, Hacker Who Once Eluded Authorities, is Dead at 59 (dignitymemorial.com) 100

Kevin Mitnick, once the so-called "most wanted computer criminal in US history," died on Sunday. He was 59. The New York Times adds: The cause was complications from pancreatic cancer. He had been undergoing treatment at the University of Pittsburgh Medical Center following his diagnosis more than a year ago, according to the King David Memorial Chapel & Cemetery in Las Vegas. After serving prison time for breaking into and tampering with corporate computer networks, he was released in 2000 and began a new career as a security consultant, writer and public speaker.

Mr. Mitnick was best known for the crime spree during the 1990s that involved the theft of thousands of data files and credit card numbers from computers across the country. He used his skills to work his way into the nation's phone and cell networks, vandalizing government, corporate and university computer systems. Investigators at the time named him the "most wanted" computer hacker in the world.

In 1995, after a more than two-year-long manhunt, Mr. Mitnick was captured by the F.B.I. and charged with the illegal use of a telephone access device and computer fraud. "He allegedly had access to corporate trade secrets worth millions of dollars. He was a very big threat," Kent Walker, a former assistant U.S. attorney in San Francisco, said at the time. In 1998, while Mr. Mitnick awaited sentencing, a group of supporters commandeered The New York Times website for several hours, forcing it to shut down. The next year, Mr. Mitnick pleaded guilty to computer and wire fraud as part of an agreement with prosecutors and was sentenced to 46 months in prison. He was also prohibited from using a computer or cellphone without the permission of his probation officer for the three years following his release.

From an obituary: Kevin was an original; much of his life reads like a fiction story. The word that most of us who knew him would use -- magnificent.

He grew up brilliant and restless in the San Fernando Valley in California, an only child with a penchant for mischief, a defiant attitude toward authority, and a love for magic. Kevin's intelligence and delight in holding the rapt attention of audiences revealed themselves early in his childhood and continued throughout his life. In time, he transitioned from pranks and learning magic tricks to phone phreaking, social engineering, and computer hacking.

When his desire to push boundaries led him too far astray, he landed in juvenile detention and eventually served a couple of stints in prison. His time on the FBI's Most Wanted List was well documented in his New York Times bestselling book, The Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, and his other titles: The Art of Deception, The Art of Intrusion, both co-authored with William Simon, and The Art of Invisibility with Robert Vamosi.

Kevin emerged from his final prison term, which he deemed a 'vacation,' in January 2000. He was a changed individual, and began constructing a new career, as a White Hat hacker and security consultant. He became a highly sought-after global public speaker, a writer, and established the successful Mitnick Security Consulting. In November 2011, he became the Chief Hacking Officer and part owner of security awareness training company KnowBe4, founded by close friend and business partner Stu Sjouwerman.

Crime

Swatters Used Ring Cameras To Livestream Attacks, Taunt Police, Prosecutors Say (arstechnica.com) 98

An anonymous reader quotes a report from Ars Technica: Federal prosecutors have charged two men with allegedly taking part in a spree of swatting attacks against more than a dozen owners of compromised Ring home security cameras and using that access to livestream the police response on social media. Kya Christian Nelson, 21, of Racine, Wisconsin, and James Thomas Andrew McCarty, 20, of Charlotte, North Carolina, gained access to 12 Ring cameras after compromising the Yahoo Mail accounts of each owner, prosecutors alleged in an indictment filed Friday in the Central District of California. In a single week starting on November 7, 2020, prosecutors said, the men placed hoax emergency calls to the local police departments of each owner that were intended to draw an armed response, a crime known as swatting.

On November 8, for instance, local police in West Covina, California, received an emergency call purporting to come from a minor child reporting that her parents had been drinking and shooting guns inside the minor's home. When police arrived at the residence, Nelson allegedly accessed the residence's Ring doorbell and used it to verbally threaten and taunt the responding officers. The indictment alleges the men helped carry out 11 similar swatting incidents during the same week, occurring in Flat Rock, Michigan; Redding, California; Billings, Montana; Decatur, Georgia; Chesapeake, Virginia; Rosenberg, Texas; Oxnard, California; Darien, Illinois; Huntsville, Alabama; North Port, Florida; and Katy, Texas.

Prosecutors alleged that the two men and a third unnamed accomplice would first obtain the login credentials of Yahoo accounts and then determine if each account owner had a Ring account that could control a doorbell camera. The men would then use their access to gather the names and other information of the account holders. The defendants then placed the hoax emergency calls and waited for armed officers to respond. It's not clear how the defendants allegedly obtained the Yahoo account credentials. A separate indictment filed in November in the District of Arizona alleged that McCarty participated in swatting attacks on at least 18 individuals. Both men are charged with one count of conspiracy to intentionally access computers without authorization. Nelson was also charged with two counts of intentionally accessing without authorization a computer and two counts of aggravated identity theft. If convicted, both men face a maximum penalty of five years in prison. Nelson faces an additional maximum penalty of at least seven years on the remaining charges.

Crime

Charter Told To Pay $7.3 Billion In Damages After Cable Installer Murders Grandmother (theregister.com) 231

Charter Communications must pay out $7 billion in damages after one of its Spectrum cable technicians robbed and killed an elderly woman, a jury decided Tuesday. The Register reports: Betty Thomas, 83, was stabbed to death by Roy Holden Jr in December 2019. He had dropped by her home in Irving, Texas, on a service call after she reported a problem with her internet-TV bundle, and returned the next day in his company uniform and van, inviting himself in and killing her using his Spectrum-issued gloves and utility knife. She was found dead by her family on her living room floor after she didn't show up to a Christmas and birthday party that night. Holden pleaded guilty to murder last year and was sentenced to life behind bars.

Thomas' family sued Charter [PDF] in 2020 for negligence. It was alleged in testimony that Holden had complained to his bosses that he was penniless and desperate after a divorce. It was further alleged that he had stolen credit cards and checks from elderly Spectrum subscribers, and that the corporation turned a blind eye to a pattern of theft by its installers and technicians. During that civil trial it was also claimed Thomas' family was charged $58 for Holden's service call, and continued to be billed after their grandmother's brutal slaying to the point where her account was sent to collections.

The court heard how Holden was not working the day he killed Thomas, and went out to her home anyway to rob her. He was able to use his company keycard to access a Charter vehicle lot and drive off in one of its service vans even though he was off-duty. According to the family's legal team, while Holden was seemingly making repairs, he tried to steal one or more of her bank cards from her purse, and murdered her when he was caught in the act. He later went on a spending spree with her funds, it was claimed. "This was a shocking breach of faith by a company that sends workers inside millions of homes every year," said one of the family's trial lawyers, Chris Hamilton, of Dallas-based Hamilton Wingo, in a statement.

According to the law firm, Holden lied about his employment history -- such as not revealing he had been previously fired -- which wasn't checked by Charter when it hired him and would have been one of many red flags against him. During the civil trial, the court heard how Holden would break down crying at work, at one point was convinced he was a former Dallas Cowboys football player, suffered from insomnia, and was probably sleeping overnight in his Spectrum van. It was further claimed the cable giant tried to force the lawsuit into closed-door arbitration where the results would have been secret and damages limited.

The Almighty Buck

El Salvador's 'Bitcoin President' Pressured, Accused of Attacking Civil Liberties (msn.com) 42

The International Monetary Fund "has indicated it will not give El Salvador a much-needed loan unless it drops bitcoin" as one of the country's legal tenders, reports the Los Angeles Times. And meanwhile the "bitcoin bond" proposed by El Salvador has been "delayed indefinitely."

But the government has taken other actions:
After a dramatic spike in killings here over a single weekend last month, Salvadoran President Nayib Bukele's reaction was swift — and extreme. He sent soldiers into poor neighborhoods to round up thousands of people who he claimed were gang members, then paraded them in front of news cameras in their underwear and handcuffs.

He tweeted pictures of detainees who had been bruised and bloodied by security forces, suggesting they "maybe fell" or "were eating fries with ketchup." And he started feeding the nation's prisoners two meals a day instead of three, warning that if violence continued, "I swear to God that they won't eat a single grain of rice."

It is a distinct look for Bukele, who has been focused in recent months on presenting himself to the world as a modern tech innovator on a quest to turn El Salvador into a cryptocurrency paradise. Not only is Bukele now embracing the mano duro techniques of past Latin American leaders, he is going much further, using the homicide spree — which left 87 people dead in three days — as a pretext for suspending civil liberties and attacking the press.

In recent days, Bukele and his loyalists in the Legislative Assembly ordered a state of emergency that restricts freedom of association, suspends the norm that detainees be informed of their rights at the moment of arrest and denies prisoners access to lawyers....

That Bukele would use the spate of homicides as a pretext to further consolidate power is no surprise to many of his critics, who believe he may be preparing to stay in office past 2024, when he is supposed to step down, even though El Salvador's constitution bans consecutive presidential terms.

But they also say that there may be another motive for his new tough-on-crime stance: diverting attention from the deepening failure of his cryptocurrency experiment.

United States

US Charges Three North Koreans in $1.3 Billion Hacking Spree (reuters.com) 29

The United States has charged three North Korean computer programmers with a massive hacking spree that stole more than $1.3 billion in money and cryptocurrency, the Department of Justice said Wednesday. From a report: Officials added that a Canadian-American citizen has pleaded guilty to laundering some of the alleged hackers' money. The indictment alleges that Jon Chang Hyok, 31, Kim Il, 27, and Park Jin Hyok, 36, stole money while working for North Korea's military intelligence services. Park had previously been charged in a complaint unsealed in 2018.

Crime

IRS Programmer Stole Identities, Funded A Two-Year Shopping Spree (qz.com) 91

A computer programmer at America's tax-collecting agency "stole multiple people's identities, and used them to open illicit credit cards to fund vacations and shop for shoes and other goods," writes Quartz, citing a complaint unsealed last week in federal court.

An anonymous reader quotes their report: The complaint accuses the 35-year-old federal worker of racking up almost $70,000 in charges over the course of two years, illegally using "the true names, addresses, dates of birth, and Social Security numbers" of at least three people.

The US Treasury Department's Inspector General for Tax Administration, which oversees internal wrongdoing at the Internal Revenue Service (IRS), is investigating the crime, although the complaint doesn't specify how the employee obtained the information. The arrest, however, comes just months after the Government Accountability Office -- the federal government's auditor, essentially -- issued a report raising concerns about the security of taxpayer information held at the IRS. The report said that unaddressed shortcomings left taxpayer data "unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure," which could allow employees or outsiders to illegally access millions of people's personal information. An IRS call center employee in Atlanta pleaded guilty last year to illegally using taxpayer data to file fraudulent tax returns, ultimately collecting almost $6,000. In 2016, another IRS worker in Atlanta admitted to improperly accessing the personal information of two taxpayers, amassing close to half a million dollars from illicit tax refunds....

The IRS employee's alleged scheme took place between January 2016 and February 2018, according to court filings. Investigators say he used a fraudulently obtained American Express card to fly to Sacramento and Miami Beach. He also used the card for some 37 Uber rides, nine payments on his father's Amazon account totaling $1,200, various purchases at Lowe's, the Designer Shoe Warehouse, BJ's Wholesale Club, and a flooring outlet, as well as a $7,400 payment to a business he owned. The complaint says the employee, who works for the tax agency as a software developer, obtained a second fraudulent credit card, which he used to fly to Montego Bay, Jamaica. A third fraudulent card was used to travel to Iceland.

In a particularly brazen move, investigators say the suspect linked this card to a phony PayPal account he opened using his official IRS email address.

Two of the credit cards were delivered to his home address, while a third was sent to his parents' address, according to the article. "The phone numbers listed on the accounts also belonged to the suspect, and he accessed emails associated with the accounts from his home IP address."

The Courts

Student Used 'USB Killer' Device To Destroy $58,000 Worth of College Computers (theverge.com) 235

A former student of The College of Saint Rose in Albany, New York, has pled guilty to charges that he destroyed tens of thousands of dollars worth of campus computers using a USB device designed to instantly overwhelm and fry their circuitry. The plea was announced today by the Department of Justice, FBI, and Albany Police Department. The Verge reports: Vishwanath Akuthota, the former student, now faces up to 10 years in prison (with up to three years of supervision after release) and a fine totaling up to $250,000. He was arrested and taken into custody in North Carolina on February 22nd, just over a week after he went on a spree of inserting the "USB Killer" device into 66 of Saint Rose's computers around various locations on campus. Such devices can be easily and freely purchased online and can overload the surge protection in many PCs.

Akuthota, 27, apparently made video recordings of himself inserting the malicious USB device into the computers and said "I'm going to kill this guy" as the PCs were overloaded and permanently ruined. So it's fair to say the FBI and APD had all the evidence they needed. In total, Akuthota caused $58,471 worth of damage. As part of his guilty plea, he has agreed to pay back that amount to the college, a small private school in New York's capital city. The Verge reached out to The College of Saint Rose for a statement on today's news, but a spokesperson said the college had been asked by law enforcement to refrain from commenting.

Crime

The Rise and Fall of the Bayrob Malware Gang (zdnet.com) 54

Three Romanians ran a complicated online fraud operation -- along with a massive malware botnet -- for nine years, reports ZDNet, netting tens of millions of US dollars, but their crime spree is now over, and they're all facing long prison sentences.

"The three were arrested in late 2016 after the FBI and Symantec had silently stalked their malware servers for years, patiently waiting for the highly skilled group to make mistakes that would leave enough of a breadcrumb trail to follow back to their real identities."

An anonymous Slashdot reader writes: The group started from simple eBay scams [involving non-existent cars and even a fake trucking company] to running one of the most widespread keylogger trojans around. They were considered one of the most advanced groups around, using PGP email and OTR encryption when most hackers were defacing sites under the Anonymous moniker, and using multiple proxy layers to protect their infrastructure. The group operated tens of fake websites, including a Yahoo subsidiary clone, conned and stole money from their own money mules, and were one of the first groups to deploy Bitcoin crypto-mining malware on desktops, when Bitcoin could still be mined on PCs.

The Bayrob group was led by one of Romania's top IT students, who went to the dark side and helped create a malware operation that took nine years for US authorities and the FBI to track and eventually take down. Before turning hacker, he was the coach of Romania's national computer science team, although he was still a student, and won numerous awards in programming and CS contests.

Bitcoin

Cops Accuse 20-Year-Old College Student of Stealing More Than $5 Million in Bitcoin by Hijacking Phone Numbers (vice.com) 71

California authorities say a 20-year-old college student hijacked more than 40 phone numbers to steal $5 million in Bitcoin, including some from cryptocurrency investors at the Consensus blockchain conference. Motherboard, which broke the story citing court documents: This is the first reported case of an alleged hacker who was using SIM swapping (also known as SIM hijacking or Port Out Scam) specifically to target people in the blockchain and cryptocurrency worlds.

Joel Ortiz was arrested at the Los Angeles International Airport on his way to Europe, according to sources close to the investigation, who said Ortiz was flashing a Gucci bag as part of a recent spending spree they believe was financed by the alleged crimes. He is facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to the complaint filed against him on the day before his arrest.

The Almighty Buck

OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website (androidpolice.com) 63

If you purchased a OnePlus smartphone recently from the official OnePlus website, you might want to check your transactions to make sure there aren't any you don't recognize. "A poll was posted on the OnePlus forum on Thursday asking users if they had noticed fraudulent charges on their credit cards since purchasing items on the OnePlus site," reports Android Police. "More than 70 respondents confirmed that they had been affected, with the majority saying they had bought from the site within the past 2 months." From the report: A number of FAQs and answers follow, in which OnePlus confirms that only customers who made credit card payments are affected, not those who used PayPal. Apparently, card info isn't stored on the site but is instead sent directly to a "PCI-DSS-compliant payment processing partner" over an encrypted connection. [...] OnePlus goes on to say that intercepting information should be extremely difficult as the site is HTTPS encrypted, but that it is nevertheless carrying out a complete audit. In the meantime, affected customers are advised to contact their credit card companies immediately to get the payments canceled/reversed (called a chargeback). OnePlus will continue to investigate alongside its third-party service providers, and promises to update with its findings as soon as possible.

According to infosec firm Fidus, there is actually a brief window in which data could be intercepted. Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site, which could give attackers all the time they need to steal those precious digits and head off on a spending spree. Fidus also notes that the company doesn't appear to be PCI-compliant, but that directly contradicts OnePlus' own statement. We'll have to wait until more details emerge before we pass judgment.
Here's OnePlus' official statement on the matter: "At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."
Crime

Alleged Kalamazoo Shooter Picked Up Uber Fares During, After Killing Spree 312

theodp writes: Police allege that Uber driver Jason Dalton shot 8 people in three different locations, killing six people. But the story gets even crazier, Gizmodo reports, as Dalton allegedly not only picked up Uber passengers between shootings, he continued to drive people around after his last shooting at 10:24pm at a Cracker Barrel restaurant. One of his last passengers before Dalton was arrested even joked, "You're not the shooter, are you?" Uber Chief Security Officer Joe Sullivan issued the following Statement on Kalamazoo: "We are horrified and heartbroken at the senseless violence in Kalamazoo, Michigan. Our hearts and prayers are with the families of the victims of this devastating crime and those recovering from injuries. We have reached out to the police to help with their investigation in any way that we can."
Crime

Metel Hackers Roll Back ATM Transactions, Steal Millions (threatpost.com) 73

msm1267 writes: Researchers from Kaspersky Lab's Global Research & Analysis Team today unveiled details on two new criminal operations that have borrowed heavily from targeted nation-state attacks, and also shared an update on a resurgent Carbanak gang, which last year, it was reported, had allegedly stolen upwards of $1 billion from more than 100 financial companies. The heaviest hitter among the newly discovered gangs is an ongoing campaign, mostly confined to Russia, known as Metel. This gang targets machines that have access to money transactions, such as call center and support machines, and once they are compromised, the attackers use that access to automate the rollback of ATM transactions. As the attackers empty ATM after ATM—Metel was found inside 30 organizations—the balances on the stolen accounts remained untouched.
Crime

No Justice For Victims of Identity Theft 190

chicksdaddy writes: The Christian Science Monitor's Passcode features a harrowing account of one individual's experience of identity theft. CSM reporter Sara Sorcher recounts the story of "Jonathan Franklin" (not his real name), a New Jersey business executive who woke up to find thieves had stolen his identity and racked up $30,000 in a shopping spree at luxury stores including Versace and the Apple Store. The thieves even went so far as to use personal info stolen from Franklin to have the phone company redirect calls to his home number, which meant that calls from the credit card company about the unusual spending went unanswered. Despite the heinousness of the crime and the financial cost, Sorcher notes that credit card companies and merchants both look on this kind of theft as a "victimless crime" and are more interested in getting reimbursed for their losses than trying to pursue the thieves. Police departments, also, are unable to investigate these crimes, lacking both the technical expertise and resources to do so. Franklin notes that he wasn't even required to file a police report to get reimbursed for the crime: "'As long as their loss is covered they move on to [handling] tomorrow's fraud,' Franklin observes. And that makes it harder for victims like Franklin to move on. 'In some way, I'm seeking some sense of justice,' Franklin said. 'But it's likely not going to happen.'"
