One-Third of Banking Account Takeover Attempts Successful

The Financial Services Information Sharing and Analysis Center (FS-ISAC), which works with the Department of Homeland Security, has released a study indicating that attacks on customer bank accounts have increased considerably in recent years.

The FS-ISAC, in collaboration with the American Bankers Association, surveyed large financial institutions to collect data on fraud attempts. The responding banks reported a combined 314 break-in attempts in 2011, up from 239 in 2010 and 87 in 2009.

Roughly one third of these attempts were successful in fraudulently transferring money out of hacked customer accounts, with institutions losing a total of $777,064, which is actually a decrease from $3.12 million in 2010. Customers lost only $489,672 in 2011, down from $1.16 million in 2010.

While less money was ultimately siphoned from banks and customers than in past years, there are new attack strategies on the horizon, which may push these numbers up in 2012. Threats, defenses, and vulnerabilities continually emerge, so stay tuned as we track the shifts in our evolving security landscape.

When asked what they were doing to prevent fraud and theft, banks’ three most common responses were:

  • Increased customer education
  • Multi-factor authentication
  • Anomalous behavior detection

This year, the FFIEC updated the security requirements recommended for banks. One of the recommendations encourages financial institutions to employ complex device identification. Oregon-based security firm iovation goes a step further, offering device reputation technology, which builds on device identification by offering real-time risk assessments, exposing any history of fraud associated with a particular device or group of devices, and investigating relationships between devices and accounts that have been associated with fraud in order to expose fraudsters working in cahoots to steal from online businesses.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

The Role Of The CIO: What’s Really at Stake

The Chief Information Officer (CIO) has become as important as the CEO. It’s a pivotal position that often can make or break the success of a corporation. As criminal hackers have launched various campaigns against numerous organizations, the CIO has become much more than an information officer. They are the guardian of corporate secrets, instrument of progress and the pulse of all communications and connectivity.

Securitymanagement.com recently reported the global cybersecurity market is expected to reach $120.1 billion by 2017. This is nearly twice its current size of $63.7 billion, according to a report by MarketsandMarkets, a Dallas-based research and consulting firm. The increase would represent an annual compound growth rate of 11.3 percent from 2012 to 2017.

Cyberspace is becoming an ever-important part of people’s lives. It’s also powered by a gamut of devices and applications that have made it vulnerable to threats from people and groups including students, spies, hackers, propagandists, and terrorists. Cybersecurity is also becoming an important aspect of the military realm. This has helped make battles “fought in cyberspace as imperative as battles occurring on the ground.”

As a result, as reported by CIO magazine, “the IT leader will still be the nucleus of any company, working closely with business executives and strategizing about future technology directions, leading a staff of highly trained professionals and championing streamlined technical operations. The position will still require a mix of analytical foresight and management prowess over the next decade.”

Going forward the role of the CIO will be critical not only to the organization, but to the public who does business with it and the governments who rely on it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Do You Know What Your Teens Are Doing Online?

A new study called “The Digital Divide: How the Online Behavior of Teens is Getting Past Parents” (conducted by Tru Research and commissioned by McAfee) shows an alarming 70% of teens have hidden their online behavior from their parents, up from 45% in 2010. And yet half of parents live under the assumption that their teen tells them everything he/she does online.

It’s perfectly normal for teens to be less than forthcoming during these years when their hormones are raging and teen angst boggles their brain and body. However, the Internet has drastically changed our culture, and teens today have access to an incredible amount of information that they didn’t have just a decade ago.

This instant access to information and digital devices is having an impact on our teens that many of us as parents don’t realize. Some of the revealing consequences are:

Friendships – 20% of teens said they had ended a friendship with someone because of something that happened on a social network.

Physical safety – 7% feared for their safety because of something that happened online, and 5% reported getting into a physical fight because of a problem that started online. More than 1 in 10 (12%) of teens have met someone in real life that they only knew online.

Criminal record – 15% said they have hacked someone’s social networking account and 31% have pirated music and movies.

Cheating – 48% of teens admitted to looking for test answers online, and 16% have used a smartphone to do this.

Innocence – 46% of teens report accidentally accessing pornography online and 32% reported accessing pornography intentionally.

And what about the parents? The study showed:

1 in 3 believes their teen to be much more tech-savvy than they are, leaving them feeling helpless to keep up with their teen’s online behaviors.

22% of parents do not believe their kids can get into trouble online.

Less than 1 in 10 parents are aware their teens are hacking accounts or downloading pirated content.

78% of parents are not worried about their kids cheating at school.

Only 12% of parents thought their children accessed pornography online.

Parents, you must stay in-the-know. Since your teens have grown up in an online world, they may be more online savvy than their parents, but you can’t give up. You must challenge yourselves to become familiar with the complexities of the teen online universe and stay educated on the various devices your teens are using to go online.

As a parent of two young girls, I proactively participate in their online activities and talk to them about the “rules of the road” for the Internet. I’m hoping that this report opens other parents’ eyes so they’ll become more involved in educating their teens with advice and tools.

For more information, please visit:

Full report: http://www.mcafee.com/us/resources/misc/digital-divide-study.pdf

Press release: http://www.mcafee.com/us/about/news/2012/q2/20120625-01.aspx

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices on YouTube. (Disclosures)

Protect Your Gaming Account As You Would Your Bank Account

Most people are aware of the need to protect their financial accounts, and generally take at least some degree of care to prevent criminals from accessing their money. Protecting your online game account, on the other hand, might not be such an obvious priority, but when accounts created for playing massively multiplayer online games are connected to credit card accounts and not properly secured, gamers set themselves up for fraud.

PCMech offers some insider tips for MMO players. The fundamentals of account protection include:

Password protection: Never give out your password. If you contact customer service and they ask you to verify your account by providing a “knowledge-based answer,” such as the name of your pet or high school, it’s okay to answer. But never provide any identifying information in response to an unsolicited phone call or email from someone who may be posing as a representative of the MMO.

Beware of infected downloads: Add-ons and modifications downloaded from unofficial sources may be infected with spyware. PCMech’s Nick Greene suggests checking out a game’s online forum to get recommendations for reputable download sources.

Secure connected accounts: For example, if your social networking or email accounts are in any way connected to your MMO account, they both need to be equally secure, with unique passwords.

And, as always, it’s vital to keep your PC up-to-date with antivirus, anti-spyware, anti-phishing, and firewall protection. Remember to update your critical security patches, as well.

While players must do what they can to protect their accounts, the more mature gaming publishers employ multiple layers of defense behind the scenes, to protect their valued members. One proactive anti-fraud technology that doesn’t interrupt the player experience and keeps the bad guys out, is called device reputation, which examines computers, smartphones, and tablets being used to connect to a game, and helps gaming publishers know who to trust in order to keep their players safe and in a fun environment.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Ode to the Nigerian Scammer

Most of us would never fall for a Nigerian email scam. The obvious “scammer grammar” and outlandish requests would tip us off, as would the supposed Nigerian origin of the message, since we’re probably familiar with the typical claims about Nigerian royalty. So you might wonder why these scammers persist in such an obvious ruse, rather than tweaking their stories to make them more believable.

According to a recent study by Microsoft researcher Cormac Herley, the Nigerian scam is designed to tip off all but the most oblivious recipients. The intended targets are people so unaware of common online scams that they must have been living in a cave without Internet access until, like, yesterday.

In “Why do Nigerian Scammers Say They are from Nigeria?” Herley explains, “Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.”

In other words, scammers are disqualifying the majority of potential victims in order to pinpoint the most gullible as quickly as possible. Anyone naïve enough to respond to such ridiculousness is far more likely to willingly empty their bank account.

Unfortunately for consumers, the #1 method of prevention is education—knowing when something looks too good to be true, not accepting friend connections from people you don’t know, not publishing your personally identifiable information (Teens: please stop posting photos of your freshly-printed driver’s permits and licenses on Facebook), and of course, changing passwords often and not sharing them with others. Installing anti-phishing technology on one’s computer or other device is also known to prevent many of the messages from reaching you in the first place.

On the business-side, banks, retailers, dating sites and social networks help prevent scams by identifying known scammers and spammers the moment they touch their website. By using iovation’s device identification service, ReputationManager 360, which shares the reputations of more than 975 million devices from all countries in the world, they not only know a device’s rap sheet (which could include online scam solicitations, spam, identity theft, credit card fraud and more), they know about devices related to it, and are alerted to other forms of suspicious behavior in real-time as well.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Mobile Security Apps and Tips

Nearly three-quarters of Americans have never installed any type of data protection or security software on their mobile devices, leaving themselves completely open to data loss, viruses, and malware. 72% of us, to be exact, have unsecured smartphones, even as they take on an increasingly important role in our digital lives.

Update your OS: The expanding selection of mobile devices results in more complex operating systems and applications, which ultimately increases attack opportunities. One hopes that, as criminal hackers and security researchers expose new vulnerabilities, OS manufacturers will roll out timely updates to fix flaws.

Most OS updates require a USB connection to your Mac or PC and a desktop application that bridges the connection between your device and the manufacturer’s website. Newer OS updates can sometimes be downloaded directly to a phone through a Wi-Fi connection or your carrier’s network.

Update your applications: Just as an operating system can have a security or privacy vulnerability, so can an application. Most applications require functionality updates in order to remain compatible with OS updates. Updating an application should be fairly straightforward. Apps can usually be updated from the phone by accessing the official app store through the carrier’s network. Depending on the size of the download, a Wi-Fi connection may sometimes be necessary.

Lock your mobile device: 4-digit PINs for iPhones, or pattern recognition for Androids, are the current standard security measures. These flimsy defenses need to be updated to a more secure alternative, or at least a longer alphanumeric string, especially for the phones used for business purposes.

A very high percentage of owners lock their devices with a short PIN, and may be unaware of the alternatives to this bare minimum, such as a “non-simple” security option on the iPhone. And most PINs are weak as well as short. Five basic combinations (“1234,” “0000,” “1111,” “2580,” or “0852”) make up more than 10% of all PINs.

Install antivirus protection: Just like on a PC, mobile antivirus products should provide real-time protection against viruses, worms, spyware, Trojan horses, and battery-sapping malware. Adequate mobile antivirus protection guards against threats that originate via email, instant messaging, and Internet downloads. It detects data received from multiple entry and exit points, including email, instant message attachments, Internet downloads, SMS, MMS, WiFi, and Bluetooth.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

70% of Teens Hide Online Activities from Parents—Why We Should be Concerned

Most major media picked up on a study that McAfee released called “The Digital Divide: How the Online Behavior of Teens is Getting Past Parents” that shines a scary light on how much trouble kids are getting themselves in online and how clueless most parents are.

Many people commented saying “I don’t need McAfee telling me kids lie” and I get that. But those who recognize the obvious may not realize the actions and consequences of those lies.

I’ll be the first to admit, and I’ve said this on national TV and radio, I should be buried 6 feet under based on the way I lived my teen years. I lied as a means of survival to cover up my various acts that would have surely got me the belt. But what I did compared to what teens are doing today was a different kind of trouble.

People snicker when they learn that almost half of teens are looking at porn weekly. Really? This is no big deal? It’s true they say “we become what we think about” and a 13-year old isn’t in an emotional or physical position to be consuming hard core violent porn.

Another example is that more than 10% of 13-17 year olds are meeting strangers online, then actually meeting them in the real world. I doubt before social media there were as many teenage girls meeting 30-year old men on the street and then getting in his car. But with the Internet these “friends” can seduce teen girls via text or social networking sites and fill her emotional needs until he’s “got her.”

Are you really aware what this hidden behavior and lying is concealing? From the study, McAfee revealed that teens readily admitted to:

Breaking into others’ social media accounts

Hacking and manipulating grades in school

Downloading illegally pirated movies, music and software

Bullying, whether it was actively being a bully, being bullied or witnessing bullying

All of these activities could potentially get you, as parents, involved in numerous lawsuits because of these illegal activities.

This study more than anything points out how outrageous kids are acting online and how oblivious and overwhelmed their parents are. Perhaps Kevin Parrish, journalist and parent of teens from Tom’s Guide, summed it up best when he said:

“The Internet can be a dangerous place, and allowing teens to run free in a virtual new frontier seemingly run by hackers is just downright insane. Allowing children to do whatever they want online is a huge security risk to your personal data, and a potential legal risk for them. Bottom line, the Internet is a privilege, not a right. Teens should be allowed to express themselves, but not to the point where predators come calling or the FBI comes knocking at the front door. Teens are propelled by emotion, not knowledge and experience, especially early on.”

At least one parent gets it.

Here’s the top 10 ways teens fool their parents. Are you aware of all these?

Robert Siciliano is an Online Security Expert to McAfee

Dutch Hacker Extradited From Romania, Charged With Credit Card Fraud

A 21-year-old Dutch hacker known within the online hacking community as “Fortezza” was arrested in Romania in March, and extradited to the United States in June.

U.S. Attorney Jenny A. Durkan, who chairs the Attorney General’s Advisory Committee on Cybercrime and Intellectual Property Enforcement, said, “This defendant has wrought havoc on victims and financial institutions around the world, this indictment alleges that in just one transaction he trafficked in as many as 44,000 stolen credit card numbers resulting in millions of dollars in losses to financial institutions. Cybercriminals need to know: We will find you and prosecute you. I commend the cyber investigators at the U.S. Secret Service Electronic Crimes Task Force and Seattle Police Department for tracking down these international criminals.”

Hackers like “Fortezza” employ a variety of methods to obtain credit card data. One technique is wardriving, in which criminals hack into wireless networks and install spyware. Another is phishing, in which spoofed emails prompt the victim to enter account information. “Smishing” is similar to phishing, but with text messages instead of emails. Some hackers use keylogging software to spy on victims’ PCs, while others affix devices to the faces of ATMs and gas pumps in order to skim credit and debit card data.

All this stolen data is ultimately used to steal from financial institutions, which lose $40 billion a year to credit card fraud, and from retailers. These business fraud targets must employ multiple layers of protection to thwart cybercriminals.

One layer that businesses put upfront in their fraud detection process is based on device intelligence—what that device is doing right now on the site, and what fraud or abuse that device has caused with other businesses, even in other geographies. The leader in device identification technology is iovation, and they offer a fraud prevention service that allows online businesses to create customized business rules for identifying potentially risky transactions, and those rules can be adjusted on the fly as new threats emerge.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

June Was National Internet Safety Month

The Internet is an indispensable tool that citizens, corporations and governments all over the world have come to rely on. There are tremendous benefits to the World Wide Web including: having the information highway at your fingertips, being able to find and purchase products and services from anywhere, working from home, connecting with distant friends and family and saving time by conducting various transactions right from your couch.

The problem, of course, is that all these conveniences have led to gaping security holes that allow criminals from all over the world to compromise your computer and various accounts, which leads to identity theft and financial loss. Even scarier is when criminal predators use the Internet to exploit children in various ways.

What this means is that all of us need to increase our security intelligence by understanding what to look out for and what systems need to be put in place so we can reap the benefits of the Internet safely and securely.

Since June is Internet Safety Month, it’s a good time to review essentials that all of us should be aware of every day.

Protect your personal information. Don’t give out personal data unless it is a trusted source requesting it and a secure site accepting it.

Look for httpS in the address bar when you are shopping online or on a site where you are entering personal information.

Update your browser with the latest version and use the highest security settings.

Update all your devices’ operating systems whenever a new version or critical security patch is available.

Beware of requests coming in via email asking you to update personal information. It’s best to go directly to sites instead of clicking on links in emails, or text messages.

Teach your children the “rules of the road” for the Internet and make sure they understand what is and isn’t acceptable online.

Think before you post online. It’s always good to use this rule of thumb—everything you post online is public and available forever—even if you use the highest security and privacy settings.

Keep your devices updated with the latest version of antivirus, anti-spyware and anti-phishing and make sure to have a 2-way firewall.

And remember, if something sounds too good to be true—it usually is, so don’t fall for the scam.

We can all do our part to stay safe and be better digital citizens by staying educated on the latest threats and scams.

Robert Siciliano is an Online Security Expert to McAfee. Watch him discussing information he found on used electronic devices on YouTube. (Disclosures)

Watch for New Attacks Aimed at Mobile Devices

A mobile device is an indispensable extension of your life, containing some of your most private conversations and confidential information. It’s your phone book, email, photo album, social life, and even your wallet, all rolled into one device. Chances are if you own a smartphone or tablet, it is connected to your money or financial accounts. For many, it’s like a right hand (or in my case, left hand), so it’s essential to secure your device and the information it holds.

The phone is moving in to replace the PC for the next generation. Carriers are increasing network speeds, cutting download time in half, and new phones have capacities of up to 64 GB; that’s more hard drive space than my three-year-old laptop.

Software application developers are responding to this shift by focusing primarily on mobile devices, with PCs demoted to a secondary consideration. And as with any major transition to a new technology, the uncertainty and newness fosters a perfect opportunity for scammers to launch attacks.

In McAfee Labs’ report, “Securing Mobile Devices: Present and Future,” Dr. Igor Muttik states, “Despite steady progress in securing desktop computers—using safer hardware, operating systems, and applications—malware is not going extinct. With today’s explosive proliferation of smartphones, tablet computers, and other mobile devices, we have to wonder whether our pocket devices can also be secured. We might assume from our extensive knowledge in protecting desktop computers that the new wave of mobile hardware should be relatively secure because we shall benefit from the lessons we have already learned.” But so far, many have neglected to consider the security of their mobile devices.

As new tablets and smartphones are released, along with thousands of new mobile applications, hackers are working to create bugs and viruses that modify the legitimate software industry’s processes. The burgeoning ubiquity of these mobile devices offers criminals the same sorts of possibilities today that they found in PCs several years ago.

Only download mobile payment applications from a reputable app store. Check user reviews of the app and make sure to read the app’s privacy policy on what data of yours it is accessing and sharing.

Don’t do any mobile transactions over an unsecured Wi-Fi connection. It’s much more secure to use your mobile data network.

Keep your mobile software current. This includes the latest updates for your operating system, mobile browser and mobile security software.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures