Posts

How Law Enforcement Detects Breaches Before Victims

Law enforcement agencies detect data breaches before businesses do because the former seeks evidence of the cyber crime, reports a networkworld.com article.

Unlike law enforcement agencies, businesses don’t go undercover in hacker forums. Nor do they get court permission to bust into enclaves of cyber thieves. Businesses don’t have moles. The article continues: Law enforcement agencies interview imprisoned cyber crooks. The FBI does a lot of undercover work.

Law enforcement may then approach a company and say, “You’re being victimized; we have the evidence.” But often, the company may be skeptical of such a claim. Admitting it means facing government response and upset customers.

The law is always buffing up on its skills at fighting cybercrime to keep up with its evolution, such as a drastic decrease in solitary criminals and an increase in complex crime rings. These rings have all sorts of technical tricks up their sleeves, including hosting their own servers and changing up their communication methods to vex law enforcement. It doesn’t help that some foreign countries don’t place an emphasis on fighting cybercrime.

The evidence that the law presents to the business when that time comes is rock solid, though again, the company may lack aggression in its immediate response. The company’s legal counsel is commonly the first person to get the forensics report. Upper management usually gets involved before the IT department does. This is all part of keeping legal control over a potentially harmful situation.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Bankers on the Front lines of Cyber Defense

There was once a time when the only threat to a bank’s security was when that innocent-looking man hands a note to the bank teller that makes her face go ashen. And the only security, save for video surveillance, was the armed guards and the silent alarm that the teller triggers.

Nowadays, terms like firewalls, encryption, anti-virus and cloud providers are just as important to a bank’s security as are the armed guards, huge windows, security cameras and steel vaults. No longer is the masked robber who says “Hand over the money” a bank’s biggest threat. ATM skimming, where nobody is ever shot at, is at the top of the list.

The Three Directions of Banking Security

  • Analyzing big data and assessing potential threats
  • Banks joining forces by sharing information relevant to protection against cybercrime
  • Focusing more on fast recovery and less on prevention of crime

That last point is because breaches are always going to occur no matter how thick the security is, and there’s a lot of room to improve in terms of recovery speed. So it makes sense that this shift in attention is developing at an increasing rate.

A New Breed of Locks

Banks require many layers of protection, and this includes keycards, which allow select employees through specific doors at specific times. Just stick the card in a slot and the door opens (a common device also used in hotels).

Keycards are also used by extraneous service people. A lost card can be immediately turned off, and cheaply replaced, whereas traditional locks would cost a bundle.

Customized badges are another way that financial institutions have improved security measures, replacing keys and keycards. Employees can be “added onto” a badge, and a lost and found badge can be deactivated and activated, respectively.

Anti-Skimming Devices

Anti-skimming devices can significantly reduce this crime, in which a thief puts a phony reader over an ATM device to capture a customer’s card data. The volume of skimming crimes is enormous, yet many ATMs still have no anti-skimming protection.

Cloud Storage for Data

More and more financial organizations are relying upon cloud computing, though this technology also brings with it some concerns, since the cloud involves a third-party provider—which can turn bank data over to the government without the bank’s permission.

A way around this is for the bank to encrypt data prior to placing it in a cloud, and to keep encrypting it even when at rest, and retain the encryption keys.

Biometrics

Fingerprint swiping to withdraw money is one of the latest security tactics: multispectral imaging (MSI). Who can possibly “skim” that? This is biometric technology and is already in thousands of ATMs. This “inner fingerprint” is immune to breakdown from grime, wear or moisture, making it very tamper resistant.

Look for even more progress in the multilayered security of financial institutions in the years to come—technologies that right now we can’t even comprehend.

For more information about this shifting industry, visit:

securitymagazine.com/articles/print/85356-banking-battlegrounds-cyber-and-physical-security-risks-today

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

ATM Skimming, Cyber Fraud Keep Bankers up at Night

Last year there were hundreds of cyber fraud incidents that struck banks and put consumers’ personal data at risk, even though the one involving Target stole the scenes. These crimes included payment card skimming, denial-of-service and web app tampering.

As we’ve discussed, security is a top concern for banks at the board level. It’s not that the criminals are particularly bright and that’s why they’re causing so many problems, but rather, security for banks just cannot keep up with the volume and type of attacks. Security can also be under-resourced and/or putting too much of its attention in the wrong places.

A web app attack is interference with web applications (such as sending a phishing e-mail) that tricks the recipient into revealing their banking information. Another example is cracking passwords.

Web attacks are ubiquitous and can be conducted by mediocre-skilled crooks, hunting for the user names and passwords of online banking customers. Banks are responding by beefing up verification processes for their customers rather than relying on just the one-step authentication.

The denial-of-service attack is the second big threat upon banks, when malicious traffic is heaped upon the institution’s web server to disrupt site operation. A malfunctioning site turns off customers—including potential customers. But a DDoS attack can also be launched to divert attention away from another planned attack that actually steals data.

Payment card skimming hits banks hard. The crook puts a phony card reader over the card-swiping device to collect the card’s data off its magnetic strip. The thief will then create phony ATM cards.

The skimming tool can be made at home with a 3D printer—and the cost of the printer can very quickly be recovered with fraudulent use of the phony cards. Skimmers are not traceable, putting a lot of load on bankers’ backs. The fact that some ATMs are remotely located doesn’t help.

There’s still room for the criminals to become savvier, joining forces and sharing ideas, getting organized etc. However, many still remain solitary, which enhances their ability to go undetected.

As renowned security expert Bruce Schneier recently said, “Security is now about resilience – it’s not about defense.” Banks must up their security awareness, and have a plan in place to respond quickly and thoroughly should there be a breach.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Study Shows Businesses not prepared for Attacks

Amazing: With the proliferation of cyber attacks globally, most businesses are ill-prepared to deal with this, says research from the Economist Intelligence Unit and Arbor Networks.

Perhaps businesses have an “It won’t happen to us” mindset, even though hackers steal the most sensitive data, force the company to make enormous payments to fix the situation, and crush its customers’ trust, in turn damaging future profits. It’s a pebble-thrown-into-a-pond effect: Those ripples just keep going out and out.

Haven’t companies learned from that giant retailer breach in December of 2013? That big retailer was left toppled. Companies don’t realize that if they nickel-and-dime security, they’ll get what they pay for.

The research turned up the following after surveying 360 senior business leaders in organizations nationwide and in Europe and Asia-Pacific:

  • 77 percent experienced a security breach within the past two years.
  • 38 percent lack a response plan for a cyber attack.
  • 17 percent believe they’re “fully prepared” for a cyber attack.
  • Many of the survey participants reported that they relied upon IT departments to deal with the issue of cyber threats. However, companies that indeed suffered a data breach within the past two years were actually twice as likely to have relied upon a third-party IT team.
  • 41 percent of business decision makers believe that a more solid understanding of risks and potential threats would assist them in being better prepared, but, oddly, only one-third of businesses share concerning situations with other businesses for the sake of spreading best practices and information.
  • 57 percent do not report incidents on a voluntary basis if they’re not legally required to do this.

Interestingly, while 41 percent of business decision makers believe that a more solid understanding of potential threats would increase preparedness, only one-third of businesses are willing to share information with other businesses about incidents concerning data security.

The big message regarding cyber attacks on businesses all over the world: It’s not “if,” it’s WHEN.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

What is a Backdoor Threat?

Did you accidentally leave the back door open? This thought can be scary because you know that leaving the back door open at home could allow someone to enter your home and take your personal belongings.

The same is true for a backdoor in the computer world. It is a vulnerability that gives an attacker unauthorized access to a system by bypassing normal security mechanisms. This threat works in the background, hiding itself from the user, and it’s very difficult to detect and remove.

Cybercriminals commonly use malware to install backdoors, giving them remote administrative access to a system. Once an attacker has access to a system through a backdoor, they can potentially modify files, steal personal information, install unwanted software, and even take control of the entire computer.

These kinds of attacks represent a serious risk to users of both computers and mobile devices since an attacker can potentially gain access to your personal files, as well as sensitive financial and identity information.

Say, for instance, an attacker uses a backdoor to install keylogging software on your computer, allowing them to see everything that you type, including passwords. And once this information is in the hands of the cybercriminals, your accounts could be compromised, opening the door to identity theft.

Here are a few tips to protect you from back door threats:

  • Use comprehensive security software on your computers and mobile devices, like McAfee LiveSafe™ service, to protect you from malware.
  • Never click on an email attachment or a link sent from people you don’t know and watch what you download from the web.
  • Be careful about which sites you visit, since less secure sites could contain a so-called “drive-by download,” which is able to install malware on your computer simply by visiting a compromised web page. You can check the safety of a website before you visit it by using our free McAfee® SiteAdvisor® tool, which tells you if a site is safe or not right in your search window.
  • Only install programs that you really need, minimizing your exposure to potential vulnerabilities.

Make sure you don’t leave any back doors open. Stay safe online!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Banking Security Guidelines Go Into Effect in January 2012

As banking applications evolve, common attacks on banks are becoming correspondingly more sophisticated. Small businesses, municipalities, and moneyed individuals are often targeted for obvious reasons: they have hundreds of thousands of dollars, if not a few million, in the bank, but their security is often no more effective than that of an average American household.

The Federal Financial Institutions Examination Council’s (FFIEC) updated security guidelines go into effect in less than a month. It is imperative that financial institutions recognize that the security precautions currently in place are ineffective in the face of new, more sophisticated attacks. Criminals have gotten around the minor hurdles posed by the tools being used to authenticate clients and prevent unauthorized transactions.

Basic multifactor authentication may be relatively effective for bank accounts that generally contain only enough to pay a month’s worth of bills. But high value accounts are more prone to attacks, and require additional levels of security. Ultimately, what is most important is that a security program includes multiple layers of protection rather than relying on a single mechanism of defense.

Using advanced device identification is also essential. The FFIEC suggests complex device identification, which is more advanced than previous techniques, and the leader in this space is iovation Inc. They take complex device identification much further by delivering to financial institutions a reputation of the device as it accesses their site to apply for credit, create an account, transfer money and more.

This proven strategy not only utilizes advanced methods to identify the devices being used to connect to a bank, it also incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and much more to protect financial institutions from cybercrime.
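
A few of the signals listed above (device recognition, geolocation, velocity) can be combined into a layered decision, as in this added example, which is not from the original post and is not iovation's method. The record shape, thresholds, account names and device IDs are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

VELOCITY_WINDOW = 3600   # assumed: look back one hour
VELOCITY_LIMIT = 3       # assumed: distinct accounts per device in the window
HIGH_VALUE = 10_000.0    # assumed: dollar amount treated as high risk

@dataclass
class Event:             # constructed record shape, not a real log format
    ts: int              # seconds since epoch
    account: str
    device_id: str       # assumed stable device fingerprint
    country: str
    amount: float

class RiskEngine:
    def __init__(self):
        self.trusted = defaultdict(set)   # account -> enrolled device ids
        self.home = {}                    # account -> usual country
        self.seen = defaultdict(deque)    # device -> recent (ts, account) pairs

    def enroll(self, account, device_id, country):
        self.trusted[account].add(device_id)
        self.home[account] = country

    def assess(self, ev):
        reasons = []
        if ev.device_id not in self.trusted[ev.account]:
            reasons.append("new_device")
        if self.home.get(ev.account) != ev.country:
            reasons.append("geo_anomaly")
        # Velocity: how many different accounts has this device touched lately?
        window = self.seen[ev.device_id]
        window.append((ev.ts, ev.account))
        while window[0][0] <= ev.ts - VELOCITY_WINDOW:
            window.popleft()
        if len({acct for _, acct in window}) >= VELOCITY_LIMIT:
            reasons.append("device_velocity")
        if ev.amount >= HIGH_VALUE:
            reasons.append("high_value")
        # Layered response: controls get stronger as risk signals accumulate.
        if "device_velocity" in reasons or len(reasons) >= 3:
            return "deny_and_review", reasons
        return ("step_up", reasons) if reasons else ("allow", reasons)

def run_sample():
    eng = RiskEngine()
    for acct, dev in (("alice", "dev-A"), ("bob", "dev-B"), ("carol", "dev-C")):
        eng.enroll(acct, dev, "US")
    events = [  # constructed sample events
        Event(1000, "alice", "dev-A", "US", 200.0),
        Event(1100, "alice", "dev-X", "DE", 15000.0),
        Event(1200, "bob", "dev-X", "DE", 50.0),
        Event(1300, "carol", "dev-X", "DE", 50.0),
        Event(1400, "alice", "dev-A", "US", 12000.0),
    ]
    return [eng.assess(e) for e in events]
```

A known device making a small payment passes untouched, a high-value transfer from the same device triggers step-up authentication, and one unfamiliar device touching three accounts within the hour is blocked for review.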

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

The Benefits of Multifactor Authentication

The Federal Financial Institutions Examination Council (FFIEC), a formal government interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, recently issued a supplement to the 2005 document “Authentication in an Internet Banking Environment” effective January 2012. The FFIEC has acknowledged that cybercrime is increasing and financial institutions need to increase their security and that of their customers.

Specifically the FFIEC states: “Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security, as described herein.”

This means the simple “username/password” combination for accessing your online banking is ineffective. And that banks should “adjust their customer authentication controls as appropriate in response to new threats to customers’ online accounts” and “financial institutions should implement more robust controls as the risk level of the transaction increases.”

The FFIEC’s previous statement implies it is encouraging the use of dual customer authorization typically seen when using digital security devices including smartcards and password generating key fobs.

This is where multifactor authentication comes in. Multifactor is generally something the user knows like a password plus something the user has like a smart card and/or something the user is like a fingerprint. In its simplest form, it is when a website asks for a four digit credit card security code from a credit card, or if our bank requires us to add a second password for our account.

Some institutions offer or require a key fob that provides a changing second password (one-time password) in order to access accounts, or reply to a text message to approve a transaction. All of this extra security is good for you.

Like Mom used to say, “Broccoli: like it or not, it’s for your own good.”

These measures provide layers of protection, which allow you to enjoy the convenience of online services with minimal risk. Logging in online and adding an extra code is far more convenient than schlepping all the way to the bank in person.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

Criminal Web Mobs Responsible For Most Cyber Crime

New reports confirm what we’ve been seeing in the news: organized criminals have upped the ante. Global web mobs are tearing up corporations’ and financial institutions’ networks. According to a new Verizon report, a staggering 900 million records have been compromised in the past six years. Up to 85% of the breaches were blamed on organized criminals.

The hackers who infiltrate these networks include brilliant teens, 20-somethings, all the way up to clinical psychologists and organized, international cyber criminals. Many are from Russia and Eastern Europe.

Motivated by money and information, they either exploit flaws in applications to find their way inside networks, or they target their victims psychologically, tricking them into disclosing usernames and passwords, or clicking malicious links.

Flawed web applications often make these types of hacks possible. Criminals use “sniffers” to seek out flaws, and when they find them, the attack begins. Malware is generally used to extract usernames and passwords. Once the criminals have full access to a network, they use the breached system as their own, storing the stolen data and eventually turning it into cash.

To protect yourself, update your PC’s basic security, including Windows updates and critical security patches. Make sure your antivirus software is up to date and set to run automatically. Update your web browser to the latest version. An out of date web browser is often riddled with holes worms can crawl through. Run spyware removal software. And set up your wireless network with a “key” or passcode so it’s not open to the public.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses another data breach on Fox News. (Disclosures)