Posts

How Does Your Bank Protect Your Data?

Consumers tend to be oblivious to the various layers of security financial institutions utilize to protect their bank accounts. But having a better understanding of what occurs behind the scenes can help consumers adapt to influential new technologies.

The Federal Financial Institutions Examination Council responds to innovations and increases in cybercrime with updated security guidelines for banks and financial institutions. In January of 2012, new rules went into effect requiring banks to protect their consumers with increased security. One of the FFIEC’s key recommendations for eliminating fraud is consumer awareness and education.

Financial institutions have established a layered security approach that includes multi-authentication, which may involve requiring users to punch in a second security code or carry a key fob, as well as doing due diligence when it comes to identifying customers as real people whose identities haven’t been stolen. This defense-in-depth approach is all about assessing risk throughout multiple points on an organization’s website.

These layers of security include:

Device identification: Complex device identification identifies the user’s PC, mobile, or tablet. The next evolution of security is device reputation management, incorporating geolocation, velocity, anomalies, proxy busting, browser language, associations, fraud histories, and time zone differences.

Out-of-wallet questions: “What’s your mother’s maiden name?” “What’s your Social Security Number?” “What are your kids’ names?” or “When were you born?” are examples of typical challenge questions, as opposed to out-of-wallet questions, which are generally opinion-based, such as, “What is your favorite vacation spot?” “What is your favorite flavor of ice cream?” or “What is your favorite book?”

Malware prevention & detection: Many banks offer antivirus, anti-spyware, and anti-phishing tools from well-known security vendors as full suites of total protection products.

You can take comfort in knowing that your bank has systems in place to protect your investments. But you should also bear in mind that your own PC or mobile that might be the weakest link in the process, so be sure to keep your device secure.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

McAfee Mobile Security Delivers at Mobile World Congress

In Barcelona, Spain on Feb. 27, 2012 McAfee unveils its series of technology advancements that deliver upon its vision of providing comprehensive mobile security and privacy protection for devices, data and apps. McAfee® Enterprise Mobility Management (EMM™) 10.0, available now, includes significant security updates for enterprise customers to enable ‘bring your own device’ practices in the enterprise. With EMM 10.0, IT professionals will have improved control to identify, secure, and assign policies to both employee- and business-owned smartphones and tablets.

The concern for IT professionals is “BYOD” (Bring Your Own Device) which has become widely adopted to refer to mobile workers bringing their own mobile devices, such as smartphones, tablets and PDAs, into the workplace for use and connectivity. Today, many consumers expect to be able to use personal smartphones and mobile devices at work, which is an IT concern. Many corporations that allow employees to use their own mobile devices at work implement a “BYOD policy” to help IT better manage these devices and ensure network security.”

Expanded Data Security, Application Security and Ease of Administration

McAfee EMM software gives enterprises the ability to offer their employees mobile device choice, while delivering secure and easy access to mobile corporate applications. New features and functionality include:

Expanded Data Security: Email “Sandboxing” for iOS and an integrated Secure Container for Android, available by Q2

Enhanced Application Security: Application Blacklisting for Android and iOS allows the administrator to define a set of applications and block access.

Ease of Administration: Bulk provisioning for Android and iOS

 Enhanced Protection for Consumers

McAfee® Mobile Security 2.0 for consumers, which offers an all-encompassing approach to mobile security and protects a user’s privacy when using smartphones and Android tablets. McAfee Mobile Security combines powerful anti-theft, antivirus, call and SMS filtering, web and app protection. It was also recently awarded with the LAPTOP Magazine Editors’ Choice award for best mobile security app.

McAfee can also be seen the week of Feb. 27 at Mobile World Congress in Barcelona, Spain at the Intel stand in Hall 8 B197 and at the RSA Conference in San Francisco, CA at McAfee booth #1117 or Intel booth #1324. Be sure if you are attending Mobile World Congress to stop by for a chance to win a Samsung Galaxy Tab!

 

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

I Found Your Data on That Used Device You Sold

Over the past 15 years, the increasingly rapid evolution of technology has resulted in new computers or mobile phones becoming outdated in a matter of one or two years. Chances are, you’ve gone through no less than ten digital devices in the past decade, if not more. It has become standard practice to upgrade to a newer device and often sell, donate, or discard the old one. Or you’ve received a new computer or mobile phone for a holiday gift and need to get rid of the old one.

What did you do with all of your old devices? Some may be in your basement, others were given away, and you might have hocked a few on eBay or Craigslist. Did you know it is very likely that you inadvertently put all of your digital data in someone else’s hands if you no longer have the device?

I recently bought 20 laptops, desktops, netbooks, notebooks, tablets, Macs, and mobiles through Craigslist, all from sellers located within 90 minutes of my home. Of the 20, three of them had never been wiped, meaning that I bought the devices exactly as they once sat on someone’s desk. The original owners had made no effort to clean out the data, which meant that I was able to access the records of their entire digital lives. 17 of the devices had been wiped, meaning that the seller took the time to reformat or reinstall the operating system. Of the 17 wiped drives, seven contained remnants of the previous users’ digital lives. Despite the effort made to reformat or reinstall the operating systems, there were partitions and leftover data on the drives.

After having spent the past few months working with a forensics expert, I’ve come to the conclusion that even if you wipe and reformat a hard drive, you may still miss something. IT professionals tasked with data destruction use “wiping” software, and you can too. But after what I’ve seen, more needs to be done. This means external and internal drives, thumb drives, SD cards, and anything else that stores data really should be destroyed.

So whether you destroy an unwanted drive with a sledgehammer, or use a drill press to turn it into swiss cheese, or use a hack saw to chop it into pieces, and then drop those pieces into a bucket of salt water for, oh, say a year, just to be safe, for your own good, don’t sell it on eBay or Craigslist.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

Do You Have A False Sense of Cybersecurity for Mobile?

Nearly three-quarters of Americans have never installed data protection applications or security software on their mobile devices to prevent data loss or defend against viruses and malware. 72% of us have unsecured smartphones, to be exact, even though we are using them more frequently in our digital lives.

A recent survey shows that 44% of Americans use smartphones to access the Internet, and 75% say they access the Internet more frequently on their device today than they did one year ago.

Digital research firm comScore found that close to 32.5 million Americans accessed banking information via mobile device at the end of the second quarter of 2011, a 21% increase from in the fourth quarter of 2010. Approximately 24% of consumers store computer or banking passwords on their mobile devices, according to Consumer Reports’ 2011 State of the Net Survey. More than half of smartphone users do not use any password protection to prevent unauthorized device access. And according to Gartner, 113 mobile phones are lost every minute in the U.S. alone.

With unit sales of smartphones and tablets eclipsing those of desktop and laptop PCs, cybercriminals will continue setting their sights on mobile, and increased mobile Internet use will continue exacerbating security and data breach issues.

Protect yourself:

Use mobile security software and keep it current. Having complete mobile security protection like that offered in McAfee Mobile Security is a primary safety and security measure.

Automate software updates. Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.

Protect all devices that connect to the Internet. Along with computers, smartphones, gaming systems, and other web-enabled devices also need protection from viruses and malware.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

Women Proved “Securest” in the Defcon Social Engineering Game

In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon), I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have.

Of 135 “targets” of the social engineering “game,” 130 blurted out too much information. All five holdouts were women who gave up zero data to the social engineers.

Computerworld reports, “Contestants targeted 17 major corporations over the course of the two-day event, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola. Sitting in a plexiglass booth, with an audience watching, they called up company employees, trying to get them to give up information.”

Contestants had twenty minutes to call unsuspecting employees at the target companies and obtain specific bits of (non-sensitive) information about the business for additional points. Participants were not allowed to make the target company feel at risk by pretending to represent a law enforcement agency.

The players extracted data that could be used to compile an effective “attack,” including “information such as what operating system, antivirus software, and browser their victims used. They also tried to talk marks into visiting unauthorized Web pages.”

Social engineering is the most effective way to bypass any hardware or software systems in place. Organizations can spend millions on security, only to have it all bypassed with a simple phone call.

The players in this game were all men. Maybe the women didn’t give up any data because they were simply untrusting. It could be that the women were properly trained in how to deter social engineers and protect company data over the phone. Or maybe the women simply paid attention to their sixth sense, and felt they were being conned.

Any time the phone rings, a new email comes in, someone knocks on your door, or visits your office, question those who present themselves in positions of authority.

Don’t automatically trust or give the benefit of the doubt.

Within your home or business, communicate what can and can’t be said or done, or what information can or cannot be provided.

Keep in mind that when you lock a door, it’s locked, but it can be opened with a key, or with words that convince you to unlock it yourself. Always view every interaction, whether virtual or face to face, with a cynical eye for a potential agenda.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers using social engineering to hack email on Fox News. Disclosures

Organized Web Mobsters Getting Jobs Inside Corps

In 2009, there were a reported 140 million records compromised, compared to 360 million in 2008. In 2010 there have been almost 13 million records stolen. But don’t have a party just yet. Criminals are fine-tuning their craft and getting better. The industry just isn’t making it as easy. 97% of those records were stolen using malware – malicious software designed to attack the target’s existing systems and software in place.

A reported 50% of the malware was installed remotely. Almost 20% came from visiting infected websites and almost 10% was installed when employees clicked infected links that conned or “socially engineered” them.

A recent Verizon report stated, “Over the last two years, custom-created code was more prevalent and far more damaging than lesser forms of customization, the attackers seem to be improving in all areas: getting it on the system, making it do what they want, remaining undetected, continually adapting and evolving, and scoring big for all the above.”

This may be also attributed to an inside job. A rogue employee on the inside always has the advantage of knowing exactly how to remain undetected.

The report further stated that organized crime rings may “recruit, or even place, insiders in a position to embezzle or skim monetary assets and data, usually in return for some cut of the score, the smaller end of these schemes often target cashiers at retail and hospitality establishments while the upper end are more prone to involve bank employees and the like.”

In the past three years that’s a total of 513 million records. On average, every citizen has had his or her data compromised almost twice. Where’s your Social Security number in that mix?

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss another data breach on Fox News. (Disclosures)