Month: August 2020

How Safe is the Divvy Bike Share System Security?

Why doesn’t Divvy Bike Share System use the same GPS technology as Lyft? Isn’t Divvy managed by Lyft? We have more solutions for Divvy Bike Share Security. Check this out!

We were wondering how safe is the Divvy bike-share system security? Enigma Forensics has been following the Divvy bike story. We love the idea of the ease and accessibility to rent a bike but don’t want the criminals to ruin this city-wide opportunity.

Divvy Bike Share System

The Divvy Bike Share System is a great resource that has been open for business 24 hours a day, 7 days a week, and 365 days a year. All different shapes and sizes of people are able to use bike share to commute to work or school, explore the city, attend appointments, meet up with friends, and everything else in between. The beauty of the Divvy bike-share system is that it offers affordable transportation and features bikes that can be unlocked from one station and returned to any other station throughout the city. This all sounds like a great program for the city but the recent looting in Chicago has led to occasional lockdowns on Divvy Bike usage. We thought we would take a deeper dive and discover how safe is the Divvy Bike security.

Divvy Bike Issues

Divvy has been plagued with several issues that not only include difficulty in docking at stations that allow bikes to be obtained when legitimate riders fail to fully dock and lock their bikes. It has also been reported these docking issues lead to a significant amount of stolen bikes used in crimes. To make matters worse, additional ways to obtain access to a Divvy bike can be easily accomplished by using a stolen credit card to unlock a bike. How? There isn’t a two-factor authentication required to unlock a bike and the credit card system doesn’t require the entry of the billing card member’s zipcode. The lack of security allows the ability to use anyone’s credit card which makes it easier for the thief to steal a bike. By adding these two simple changes; a two -factor authentification and zip code requirement Divvy could dramatically improve the situation.

The latest crime that has Divvy in the hot seat with local Chicago Aldermen, happened on the morning of July 27, 2020, when an 82-year-old man was carjacked in Streeterville by a group of Divvy bike riders. After they stole his car they left the Divvy bikes at the scene. We assume these bikes were stolen and if so it makes criminal activity in otherwise safe neighborhoods a lot easier. Additionally, you may have noticed abandoned Divvy bikes while traveling through the city of Chicago. If you see an abandoned Divvy bike, do the last paying rider a favor and dock the bike to prevent racking up hourly charges. These issues have bubbled up to a few Chicago Alderman who have informed Divvy of the complaints brought forth by their constituents.

Stolen Bikes

During our research about current docking station flaws, we found this article from The Chicago Reader. The article’s title, “FOIA’d emails reveal an ongoing citywide epidemic of Divvy thefts.” Chicago Reader wrote the culprit is the hasty decision by Divvy to remove a critical piece of security hardware from Chicago’s docking stations. They reported the security device that was removed had been making it difficult for users to dock bikes at the end of their rides. By removing the device it also made stealing docked bikes easier. https://www.chicagoreader.com/chicago/divvy-bike-thefts-chicago-security-hardware-removed/Content?oid=58659144

Enigma Forensics agrees with a solution to integrate GPS locating technology so that stolen bikes can be disabled remotely. Once the thieves know that are being tracked and the bike will be disabled, it will curtail the problem. Another solution we found that could help improve the situation is alerting users via a phone alarm if they fail to lock their bike properly.

Use GPS Technology

Divvy doesn’t utilize GPS technology to track the bikes down and release the last rider from the costs. Since Divvy Bike Share is supported by Lyft, why can’t they adopt the bikes to include GPS technology and install digital cameras at each station to help record criminal behavior? After all, the Lyft drivers use GPS! We urge Divvy to install a better credit card payment system using two-factor authentication and requiring the billing zip code associated with the credit card to be entered. GPS technology will allow remote locating of lost or stolen bikes with remote brake locking technology that would curtail illicit use of bikes and theft. These are potential solutions that we hope our Alderman will be able to move forward to help keep Divvy bikes a program for all Chicagoans.

Top Five Cyber Attacks

Phishing, Ransomware, Endpoint Security, IoT Devices and Cloud Jacking. What do they have in common? Top Five Cyber Attacks we are concerned about and you should be too!

The frequency of cyberattacks is growing. The following is Enigma Forensics’ top five cyber attacks that you should be made aware of.

Phishing Attacks are specific forms of email or text messages that are targeting victims to gain access to their personal information. Phishing messages often try to induce the receiver to click a link to a package shipment delivery message or other seemingly legitimate hyperlinks. It acts like a harmless or subtle email designed to get victims to supply login credentials that often become harvested by the attacker for later use in efforts to compromise their target. Sometimes phishing emails spoof the sender to be someone who has already been compromised. Once compromised, often times the compromised user’s mailbox is used to relay other outbound messages to known individuals in their saved contacts. This form of attack earned its name because it masquerades as an email of someone you may know and because you know the sender, you are more likely to nonchalantly open the email and click on the attachment to learn more about the content. With a click of a mouse, BOOM you can be compromised. This is a very easy and effective scam for cybercriminals. Warning: Do not open attachments or forward chain emails!

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge. The cybercriminal then holds the stolen information for ransom, thus the name! They may ask for a ransom payment in the form of digital currency such as bitcoin. Whether or not the victim pays the ransom depends on what information they have stolen or what criminals have threatened to do with the stolen information. Warning: Do not visit unsecured sites!

Remote Worker Endpoint Cyber attacks are currently the most popular because of the number of employees working from home caused by the Coronavirus. In the month of March, many workers were sent scurrying to their homes without companies placing proper cyber protection protocols. Employees are using their personal devices to conduct work and often are not fully patched, updated, and using encryption to protect their home devices against cybercriminals. Many company executives have been targeted at their homes, where they are much less likely to have commercial-grade firewalls designed to protect endpoints and company trade secrets.

IoT Devices attacks are a popular vehicle used by cybercriminals to establish a beachhead for launching lateral attacks across a home or work network. IoT devices involve extending internet connectivity beyond standard devices, such as desktops, laptops, smartphones, and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects. Embedded with technology, these devices can communicate and interact over the internet. They can also be remotely monitored and controlled. IoT Devices should be segmented and on a different network than corporate work from home devices. IoT devices pose a great threat because many of these devices lack automatic update processes and can become a beachhead for cybercriminal attacks in your home.

Cloud Jacking will increase with an estimated growth of cloud computing to be a $266.4 billion dollar industry in 2020. The idea of cloud storage makes one believe it is an improved option rather than the traditional on-premise computing storage. This will and has become a major security concern and has created a strong urgency to increase the creation of cloud security measures. Cybercriminals will up their game and cloud jack data information whenever possible. The race in on to see who does it cloud security better; the good guys or the bad guys. To protect against Cloud Jacking cyber attacks, organizations should enable two-factor authentication options, such as Google authenticator.

Two-factor authentication requires two of the three following means of authentication:

  • Something you know (A password)
  • Something you have (A key fob or cell phone authenticator)
  • Something you are (Retina Scan, Facial recognition, fingerprint)