Happy Data Privacy Day. Keep It Under Your Hat.

Posted on January 26th, 2015 by Dan Rampe

In Conjunction with Data Privacy Day, ThreatMetrix Offers Strategies to Help Business Protect Privacy, Secure Data and Build Trust on the Internet.

Little more than a week after the President’s State of the Union call for vastly improved cybersecurity and privacy measures comes Data Privacy Day.

Coordinated and led by the National Cyber Security Alliance (NCSA), Data Privacy Day is held each year on January 28th to raise international awareness and empower individuals and businesses to better protect their privacy. This year’s theme is “Respecting Privacy, Safeguarding Data and Enabling Trust.”

ThreatMetrix Data Privacy Day Champion

For its third consecutive year, ThreatMetrix has signed on as a Data Privacy Day Champion, supporting the ideal that individuals, organizations, business and government all share the responsibility to be aware of data privacy challenges.

Cybersecurity on both Democratic and Republican agendas

The State of the Union address made it clear that cybersecurity is an urgent and growing concern for government, business, consumers, students — everyone. And, it is at least one thing that both parties agree on.

Privacy Bill of Rights

The proposed Privacy Bill of Rights would let consumers decide what personal data companies could collect and how that data would be used. Under the proposed legislation, consumers could prohibit companies that collect data for one purpose from using it for another. These changes have the potential to significantly change the way businesses process customer data.

Alisdair Faulkner, ThreatMetrix’s chief products officer

“The only way we can build trust on the Internet is through better control of the consumer data processed online. Obama’s proposed Privacy Bill of Rights will raise the bar for privacy protections, keeping all companies no matter where they reside to the same standards. It may seem backwards, but to build trust, businesses and government entities need to increase data sharing while ensuring privacy. This means implementing security solutions that share data in real time, but preserve customer privacy through encryption and tokenization.”

Businesses may have the will, but no way to ensure privacy and security

Many businesses are well-intentioned, but they lack the resources or knowledge to protect their customers’ privacy and data. And, through their use of stolen identities, compromised devices, and masked IP addresses, cybercriminals are often virtually impossible to locate or stop without special skill and resources.

Alisdair Faulkner

“All businesses, regardless of industry, need efficient, automated processes for fraud detection and customer notification,” said Faulkner. “Any company that uses some form of online user authentication is now going to be held accountable for at least a minimal level of protecting customer privacy. The proposed Privacy Bill of Rights requires customers be notified by businesses about a data breach within 30 days, but cybercriminals can take data in the blink of an eye. Thirty days gives cybercriminals an eternity to monetize that information. Ideally, businesses need to be able to measure unauthorized access in real time, address the problem and notify customers immediately.”

ThreatMetrix strategies businesses can implement for combating cybercrime while building trust online:

  • Digital Identity Proofing – Traditional identity verification technologies, e.g. challenge questions, rely on personal information that has already been breached and is in the hands of the very criminals they are meant to screen out. Businesses need a different approach. By analyzing global patterns of identity usage, including locations, devices, accounts, transactions and associations over time, it is possible to factor in all aspects of a user’s behavior without putting artificial speed bumps in his or her path.
  • Secure Anonymized Shared Intelligence – You have to have a network to fight a network, and “privacy by design” must be built into that ecosystem. Intelligence networks must anonymize and secure shared data not just against outside attacks but also against internal theft and social engineering. Legal restrictions, such as those proposed by the President, will fail to protect consumer data if they are not backed by solid technology and processes.
  • Endpoint Threat Intelligence – To tell trusted users from cybercriminals, businesses must consider the context of every access attempt and transaction. Whether a request is initiated by a customer or an employee, its credibility has to be established in real time from the full context: the user’s identity, behavior over time and threats on the device, including man-in-the-middle and man-in-the-browser attacks, account compromise, bots and proxies. Location and transaction anomaly screening then determines the level of authentication and authorization required to process the request.
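
The second and third strategies above (the same list is repeated in the press release below) describe two techniques: keyed anonymization of fraud intelligence so that it can be shared without exposing customer identifiers, and a context-based decision on every access attempt that sets the authentication level rather than a flat yes or no. The Python below is an added example, not ThreatMetrix code and not a description of how its Global Trust Intelligence Network works. It tokenizes identifiers with a network-wide HMAC key so that members can match reports without exchanging raw e-mail addresses or device IDs, then scores a login against the user’s own history (new device, anonymizing proxy, impossible travel, transaction amount) and returns allow, step-up or deny. The key, the score weights and thresholds, the shared token set and the sample events are all constructed for illustration.

```python
# Added example (not ThreatMetrix code): keyed tokenization for anonymized
# shared intelligence plus a context-based risk score that picks the level of
# authentication. Key, thresholds, "network" data and events are constructed.
import hashlib
import hmac
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical key shared by all members of the intelligence network. The same
# e-mail or device ID tokenizes identically everywhere, so reports can be matched
# across members without any member seeing another's raw identifiers. Whoever
# holds the key can test guessed identifiers against the token set, so guard it.
NETWORK_KEY = b"constructed-demo-key-do-not-reuse"

def tokenize(identifier: str) -> str:
    """HMAC-SHA256 pseudonym of a normalized identifier. An unkeyed SHA-256 of
    an e-mail address is reversible by hashing a dictionary of likely addresses;
    the secret key closes that path."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(NETWORK_KEY, normalized, hashlib.sha256).hexdigest()

# Constructed shared intelligence: tokens other members tied to account takeover.
SHARED_BAD_TOKENS = {tokenize("dev-7c1f-bad-device"), tokenize("mule@example.net")}

@dataclass
class LoginEvent:
    email: str
    device_id: str
    lat: float
    lon: float
    ts: datetime
    via_proxy: bool   # anonymizing proxy or VPN exit detected
    amount: float     # transaction value; 0.0 for a plain login

@dataclass
class UserHistory:
    known_devices: set
    last_lat: float
    last_lon: float
    last_ts: datetime
    typical_amount: float   # e.g. trailing median of the user's transactions

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def risk_score(ev: LoginEvent, hist: UserHistory):
    """Score one access attempt against the user's history and the network."""
    score, reasons = 0, []
    if tokenize(ev.device_id) in SHARED_BAD_TOKENS or tokenize(ev.email) in SHARED_BAD_TOKENS:
        score += 60
        reasons.append("shared-intelligence hit")
    if ev.device_id not in hist.known_devices:
        score += 20
        reasons.append("new device")
    if ev.via_proxy:
        score += 20
        reasons.append("anonymizing proxy")
    hours = max((ev.ts - hist.last_ts).total_seconds() / 3600.0, 1e-6)
    km = haversine_km(hist.last_lat, hist.last_lon, ev.lat, ev.lon)
    if km / hours > 900.0:   # implied speed faster than any airliner
        score += 40
        reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if ev.amount > 500.0 and ev.amount > 5 * hist.typical_amount:
        score += 25
        reasons.append("amount anomaly")
    return score, reasons

def decide(ev: LoginEvent, hist: UserHistory):
    """Map the score to the authentication level the request must clear."""
    score, reasons = risk_score(ev, hist)
    if score >= 60:
        action = "deny"
    elif score >= 30:
        action = "step_up"   # e.g. one-time code or push approval first
    else:
        action = "allow"
    return action, score, reasons

# Constructed sample: one user, last seen in Sydney from a known device at T0.
T0 = datetime(2015, 1, 26, 9, 0, tzinfo=timezone.utc)
HISTORY = UserHistory({"dev-1111"}, -33.87, 151.21, T0, 80.0)
SAMPLE_EVENTS = [
    LoginEvent("alice@example.com", "dev-1111", -33.87, 151.21, T0 + timedelta(hours=1), False, 60.0),
    LoginEvent("alice@example.com", "dev-9999", 51.51, -0.13, T0 + timedelta(hours=2), True, 2000.0),
    LoginEvent("alice@example.com", "dev-7c1f-bad-device", -33.87, 151.21, T0 + timedelta(hours=1), False, 0.0),
    LoginEvent("alice@example.com", "dev-2222", -33.87, 151.21, T0 + timedelta(hours=1), True, 50.0),
]

def demo():
    """Decisions for the sample events: allow, deny, deny, step_up."""
    return [decide(ev, HISTORY) for ev in SAMPLE_EVENTS]
```

Two properties of the tokenization matter. Tokens are deliberately linkable across members, which is the whole point of a shared network, so the key is the asset to protect: anyone holding it can test guessed identifiers against the token set, and rotating it severs linkage to everything tokenized under the old key. A plain hash would not do either, since an unkeyed SHA-256 of an e-mail address is reversed by hashing a list of likely addresses. The weights are placeholders; the shape worth keeping is that a single shared-intelligence hit outweighs any one local signal, and that the output is an authentication level rather than a yes/no.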

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites and mobile applications.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

ThreatMetrix Shares Strategies for Businesses to Protect Privacy, Safeguard Data and Build Trust on the Internet in Alignment with Data Privacy Day

Posted on January 26th, 2015 by Dan Rampe

Following President Obama’s State of the Union Address, Businesses Must Increase Data Sharing to Protect Consumer Privacy While Combatting Fraud

San Jose, CA – January 26, 2015 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced its alignment with Data Privacy Day by outlining strategies for businesses to build trust on the Internet through better cybersecurity measures without compromising consumer privacy.

Coordinated and led by the National Cyber Security Alliance (NCSA), Data Privacy Day is held each year on January 28 to raise international awareness and empower individuals and businesses to better protect their privacy, centered on the theme of “Respecting Privacy, Safeguarding Data and Enabling Trust.” For its third consecutive year, ThreatMetrix has signed on as a Data Privacy Day Champion, supporting the ideal that individuals, organizations, business and government all share the responsibility to be aware of data privacy challenges.

During President Obama’s State of the Union address last week, it was clear that cybersecurity is an urgent and growing concern for the U.S. government and its citizens. The proposed Privacy Bill of Rights would allow consumers to decide what pieces of their personal data companies collect and how that data is used. The legislation would also enable consumers to prohibit companies that collect their data for one purpose from using it for another. These changes have the potential to significantly change the way businesses process customer data.

“The only way we can build trust on the Internet is through better control of the consumer data processed online,” said Alisdair Faulkner, chief products officer at ThreatMetrix. “Obama’s proposed Privacy Bill of Rights will raise the bar for privacy protection, keeping all companies no matter where they reside to the same standards. It may seem backwards, but to build trust, businesses and government entities need to increase data sharing while ensuring privacy. This means implementing security solutions that share data in real time, but preserve customer privacy through encryption and tokenization.”

Many businesses lack the resources or knowledge to fulfill their responsibility of protecting customers’ privacy and data. Cybercriminals are often virtually impossible to locate because they use stolen identities, compromised devices and masked IP addresses, and many businesses simply don’t know how to stop those networks of fraudsters.

“All businesses, regardless of industry, need efficient, automated processes for fraud detection and customer notification,” said Faulkner. “Any company that uses some form of online user authentication is now going to be held accountable for at least a minimal level of protecting customer privacy. The proposed Privacy Bill of Rights requires customers be notified by businesses about a data breach within 30 days, but cybercriminals can take data in the blink of an eye. Thirty days gives cybercriminals an eternity to monetize that information. Ideally, businesses need to be able to measure unauthorized access in real time, address the problem and notify customers immediately.”

To help combat cybercrime while maintaining customer privacy to build trust online, ThreatMetrix has outlined several strategies for businesses to implement:

  • Digital Identity Proofing–Traditional identity verification technologies such as challenge questions rely on personal information that has already been breached and is in the hands of the cybercriminals. Businesses need to take a different approach and analyze global patterns of identity usage, including locations, devices, accounts, transactions and associations over time to consider all aspects of a user’s behavior without putting artificial speed bumps in the way of the customer.
  • Secure Anonymized Shared Intelligence– Businesses need a network to fight a network, but they also need “privacy by design.” Intelligence networks need to anonymize and secure data not only against outside attacks but also internal theft and social engineering attacks. Legal restrictions such as those proposed by Obama will fail to protect consumer data if not backed by advanced technology and processes.
  • Endpoint Threat Intelligence – To differentiate between trusted users and cybercriminals, businesses need to consider the context of every access attempt and transaction from each user. Whether a request is initiated by a customer or an employee, its credibility has to be established in real time from the full context: the user’s identity, behavior over time and threats on the device, including man-in-the-middle and man-in-the-browser attacks, account compromise, bots and proxies. Location and transaction anomaly screening then determines the level of authentication and authorization required to process the request.

The most effective way for businesses to protect against cybercrime is through information sharing, leveraging an anonymized global data repository, such as the ThreatMetrix® Global Trust Intelligence Network (The Network), which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites and mobile applications.

© 2015 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
Walker Sands Communications
Tel: 312-241-1178
Email: beth.kempton@walkersands.com

Lessons from the Oval Office: Sharing Global Trust to Fight Cyber Fraud

Posted on January 23rd, 2015 by Dan Rampe

Do firms understand the value of co-operation? When it comes to cyber security and online fraud prevention I remain sceptical. Not because there aren’t risk managers and information security professionals out there who know that the best way of fighting back is by collecting and analysing more complete industry-wide sets of data. Rather, because too often they’re shouted down by their legal and corporate counterparts who think that the risks of sharing outweigh the reward of more effective fraud prevention.

Now, last week Barack Obama and David Cameron stood in the Oval Office and jointly announced a series of new measures designed to improve information sharing and intelligence co-operation on cyber issues. I say we should all take a leaf out of their book this coming year.

Stronger together

The U.S. and UK leaders agreed that the problems both countries are facing from a faceless, but determined and well-resourced enemy in cyber space required an equally bold response. They agreed to share best practices and standards for the benefit of organisations in both nations; to increase threat information sharing; and conduct joint cybersecurity and network defence exercises. Also on the cards is deeper collaboration between MI5, GCHQ and the NSA, with the establishment of a “joint cyber cell” which will co-locate operatives from both sides, in each country.

The U.S. and UK are two of the world’s most advanced nations when it comes to e-commerce, internet infrastructure and the provision of services online. They also both regard themselves as world leaders in cyber security best practice. So by forgoing that advantage to gain an even greater one through improved co-operation, Obama and Cameron are setting a clear example that we should all follow.

On the front line

Unfortunately, away from the heady world of geopolitics, ordinary businesses are still reluctant to co-operate in the fight against online crime and fraud. There’s little formalised information sharing of fraud data, leaving even third party platforms lacking that critical mass of data they need to provide accurate fraud and risk scoring to clients.

On the one hand it’s understandable. After all, no-one wants to hand over information on their business or online defences which competitors could use against them – it could be disastrous. But even when reassured about the anonymity of any data sharing, there can be a cultural barrier which stops many firms. Part of it has to do with the fact that the UK and much of Europe still doesn’t have mandatory data breach notification laws, so the approach has always been to keep any online fraud or breach incidents a secret.

Tentative steps

Now there are signs of changing attitudes. An agreement between the European Banking Federation and Europol will help banks understand fraud patterns better and boost law enforcers’ efforts to track cyber criminals. The British Bankers Association, meanwhile, will provide its members with a Financial Crime Alerts Service (FCAS) using government and law enforcement data. In addition, Action Fraud has been set up as the UK’s centralised fraud and cyber crime reporting centre.

It’s a start, but there’s a long way to go and an awful lot to do.

Global trust, shared

At ThreatMetrix®, we firmly believe in the power of shared fraud intelligence. It’s what our Global Trust Intelligence Network is based upon. Every month it analyses behavioural, device and identity data and threat assessments from over 850 million transactions to determine whether they’re fraudulent or not. All data is anonymised to protect the reputation and privacy of our 3,000+ clients and their customers.

The beauty of this system is that the more clients and data we have to crunch, the more accurate we can be about connecting up global fraud patterns and making the right call on logins, payments, new account registrations and remote access attempts. The decision is made in real-time and is completely invisible to the user.

Sharing information needn’t mean giving away competitive advantage. If two global giants like the UK and U.S. can do it, we can too.

Is Anywhere in the World Free from Payment Fraud?

Posted on January 22nd, 2015 by Dan Rampe

…NO. Taiwan’s Payment Fraud Is Four Times What It Was in 2009. Lax Password Security Appears to Be a Major Factor

When it comes to cybersecurity, passwords have proven anything but effective. Alisdair Faulkner, ThreatMetrix’s Chief Products Officer, has been warning about their inherent weaknesses for years and dubbed the fallout from the many breaches they failed to prevent the “Password Apocalypse.”

So what’s worse than password protection? How about no protection at all?

Tsai Chin-lung, a legislator in Taiwan’s ruling Kuomintang (KMT) party, observed that of the ten major web merchants based in Taiwan, only one, books.com.tw, asked consumers for password authentication when making a purchase. The other nine, including PChome, Yahoo and Momo, requested only a credit card number and its three-digit security code.

Tsai added that of 37 major financial institutions surveyed, only seven required users’ credit card information and none required authentication before web transactions.

In her article on chinapost.com, Enru Lin discusses the alarming rise in online payment fraud and how Taiwan is facing the challenge. The following has been excerpted from her piece on chinapost.com and edited to fit our format. You may find the complete article by clicking on this link.

Fraud growing faster than online transactions

Kuomintang [Taiwan’s ruling party] Legislator Tsai Chin-lung said fraudulent web payments in Taiwan have been growing at a faster rate than total online transactions.

Citing data from the Ministry of Economic Affairs’ (MOEA) Institute for Information Industry, Tsai said web transactions rose from NT$295 billion in 2009 [about US$9.4 billion] to NT$746.5 billion [about US$23.7 billion] in 2013, a 2.5-fold increase.

Over the same period, web payment fraud rose from NT$54.77 million [about US$1.7 million] to NT$268.94 million [about US$8.5 million], a four-fold increase.

A call for standardized authentication

[Tsai] called on the central government to standardize authentication measures for both banks and online vendors — “a dual line of defense” — before rolling out third-party payment and other platforms for web commerce.

“The Financial Supervisory Commission has an obligation to create a safe environment for consumers,” he said.

The Executive Yuan’s (Cabinet’s) response

Chen Hsiang-yin, a section chief at the [Financial Supervisory Commission] FSC’s banking bureau, responded that the FSC already works closely with banks to maintain security [, adding that] fraud is not always due to banking vulnerabilities….

Banking security mechanisms already in place

Chen said many local banks have adopted security mechanisms that are exemplary, such as telephone confirmations for transactions and virtual accounts. “Based on my understanding, all banks have measures that secure transactions and the difference is only in form and degree,” she said.

Chen said the FSC will work with the Bankers Association of the Republic of China to publish a list of banks and the protection measures and security technologies they offer for online consumers.

Retailers base security on cost and compliance

Similarly, the MOEA’s Department of Commerce responded that while web merchants adopt different security mechanisms based on cost considerations, all merchants must comply with the standards of the Regulations Governing Institutions Engaging in Credit Card Business.

The law stipulates that a merchant must ensure the accuracy of payment request data and maintain the confidentiality of the cardholder’s personal information, said Deputy Chief Chen Mi-shun.

“Pigs Fly” at State of the Union

Posted on January 21st, 2015 by Dan Rampe

In a Speech Full of Proposals Most Pundits Say Can’t Pass Congress, President’s Historic Cybersecurity Push Clear Exception

After the State of the Union, analysts of every stripe concluded that most of the President’s agenda would pass the Republican-controlled Congress “when pigs fly.” However, on one issue, pigs have grown wings and are soaring. And that’s cybersecurity, where the President’s call had both Republicans and Democrats standing and applauding.

In his wide-ranging article on thehill.com, Cory Bennett describes the President’s measures for increasing cybersecurity, which Bennett noted, “easily surpassed any previous cyber mention in specificity, breadth and urgency.” The following has been excerpted from Bennett’s story and edited to fit our format. You may find the complete piece by clicking on this link.

High on national security priorities

[Cybersecurity] was the third issue Obama mentioned while discussing national security during the speech. The president also hit nearly every aspect of the new White House cyber agenda, which was rolled out last week.

Bipartisan standing ovation

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” Obama said to a bipartisan standing ovation.

Information sharing

The administration’s legislative cyber proposals include measures intended to facilitate cyber threat information-sharing between the public and private sectors; to protect student data; to raise the punishments for cyber crime; and to create a federal breach notification standard and nationwide cyber defense standards.

“We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism,” Obama said.

Bully pulpit promotion

The security industry and privacy advocates alike appreciated the president using one of the country’s biggest bully pulpits to promote national awareness of cybersecurity, even if they quibble with the administration’s policy specifics.

Roughly 33 million viewers watch the State of the Union each year….

Republicans join in

“I welcome him to the conversation,” said Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee. “Confronting the cyber threat has been a priority of mine for the past 10 years.”

Attention now turns to those same lawmakers, as the White House looks for allies to introduce its legislative offerings.

“Tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information,” Obama said.

“That should be a bipartisan effort,” he added, going off script briefly.

Sen. Bill Nelson (D-Fla.), the ranking member on the Senate Commerce Committee, has already said he will introduce a data breach notification bill that closely resembles the White House proposal.

National breach notification proposed

It would require companies to notify consumers within 30 days that their information had been breached. Companies would also have to notify the government of certain breaches and adhere to cybersecurity standards set by the Federal Trade Commission.

Rep. Jim Langevin (D-R.I.), co-chair of the Congressional Cybersecurity Caucus, said after the speech that he will soon introduce a House version of the president’s data breach proposal.

“I am particularly excited to see cybersecurity come center stage in the State of the Union and in the public dialogue,” he added.

A bone of contention

The most contentious issue will be Obama’s proposal to enhance cybersecurity information-sharing between the government and private sector. The offering would provide limited liability protections for companies sharing cyber threat indicators with the Department of Homeland Security.

The measure has been at the top of industry groups’ cyber wish list for years. But cybersecurity firms caution that a rushed, non-specific bill could prove ineffective. “How are you going to implement limited liability?” Cole wondered. “What does that mean?”

Privacy advocates worry those same vagaries could give the government another way to collect personal information on U.S. citizens. They’ve pushed for National Security Agency (NSA) reform to come before any cyber information sharing bill.

Increased transparency, but privacy advocates wary

Obama insisted he would not let NSA reform fall to the wayside. “While some have moved on from the debates over our surveillance programs, I haven’t,” he said. “As promised, our intelligence agencies have worked hard, with the recommendations of privacy advocates, to increase transparency and build more safeguards against potential abuse.”

Privacy advocates remained wary after hearing Obama’s remarks.

“It’s heartening that President Obama’s address focused on Americans’ privacy, but the only way to fulfill that promise is to pass surveillance reform before taking up cyber [info sharing] legislation,” said Robyn Greene, policy counsel for the Open Technology Institute.

Not all sunshine

Different committees have pushed their own sharing proposals, creating intra-party squabbles and jurisdictional turf wars. Key Democrats on cyber issues have also broken with the White House on their own cyber threat sharing bills.

Rep. Dutch Ruppersberger (D-Md.) recently reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA), which would enable sharing between the private sector and the NSA, not the DHS.

Senate Intelligence Committee ranking member Dianne Feinstein (D-Calif.) was also a big proponent of a Senate version of CISPA last Congress.

Well, some sunshine

The two recently installed chairmen on the Senate Intelligence Committee and Senate Homeland Security and Governmental Affairs Committee will play a big role in setting the legislative agenda. Both Intelligence Chairman Richard Burr (R-N.C.) and Homeland Security Chairman Ron Johnson (R-Wis.) have indicated they’re willing to work with the White House on a joint cyber proposal.

Credit Unions Pay Higher Price for Data Breaches

Posted on January 21st, 2015 by Dan Rampe

Major Retail Data Breaches Hit C.U.s and Community Banks Harder Than the “Big Boys”

To a large financial institution such as JPMorgan Chase or Bank of America, breaches like those suffered by Target, Home Depot and Staples may be little more than an annoyance. But to a credit union or community bank, a major retailer’s breach can be costly and time- and resource-consuming. That’s the message being delivered by Credit Union National Association (CUNA) President and CEO Jim Nussle.

In his article on bizjournals.com, Eric Jay Toll reports on credit union plans to help take the sting out of data breaches for C.U.s and community banks. The following has been excerpted from his story and edited to fit our format. You may find the full article by clicking on this link.

Getting the government involved

“Data breaches are one of the two most important issues we want to bring to Congress’ attention,” Nussle said. “We have to pay first and then wait to see how we’re going to get reimbursed. This needs to change for small organizations like credit unions and for community banks, too.”

Breaches costly for the little guy

Nussle and Scott Earl, Mountain West Credit Union Association president and CEO, both agreed that the constituent impact is serious.

“I talked with a CEO of a credit union that had to reissue cards three times last year,” said Nussle. “They must have had customers that shopped at Target, Home Depot and Jimmy John on the same day.”

[Earl observed,] “We’re not seeing a way to recoup the costs in time and expense for dealing with the breaches to protect our members. Those costs come out of funds we can use to provide member services.”

One example of the costs incurred

In 2013, Desert Schools Credit Union had to reissue 40,000 ATM and credit cards after the Bashas’ data breach, according to Vice President of Marketing Cathy Graham. The cost was not just for replacement credit cards, but the big hit was the dollars in fraudulent activity and the amount of reimbursement to members.

Can they make Congress act?

CUNA, which represents 90 percent of the 6,700 U.S. credit unions, plans to take the issue to Congress and seek legislation to protect members’ values.

Credit unions are also facing impacts from the Dodd-Frank legislation, said Nussle and Earl.

“Even though most credit unions are under the $10 billion threshold they still need to adapt the same kinds of record-keeping as large banks,” said Earl. “This is especially true with mortgage paperwork. The volume of paperwork and the cost is astounding.”


Hackers Take Airlines for a Ride

Posted on January 16th, 2015 by Dan Rampe

Airlines

Thousands of American and United Airlines’ Usernames and Passwords Hacked from a Third Party. And Thieves Fly Free.

Airlines were taken for a ride when hackers booked or made mileage transactions on approximately three dozen accounts. In his nydailynews.com story, Jason Silverstein (link to article) cited an American Airlines spokesperson saying that 10,000 accounts were hacked, including at least two cases of a hacker booking a trip or making an upgrade.

Third-party source hacked

Both airlines denied their systems were hacked and pointed to an as yet undisclosed third-party source whose password protection evidently wasn’t up to the task. While credit card numbers and other account information weren’t compromised, hackers were still able to steal usernames and passwords and log into thousands of accounts.

A lucrative haul

In his story on computerworld.com (link to article), Jeremy Kirk cites Alex Holden, CTO of Hold Security, a company that specializes in monitoring illegal data trading, observing that “gaining control of a loyalty card account is almost as good as cash. For example, a hacker who gains control of an account with tens of thousands of reward miles can sell an airline ticket for cash and then pay for it with stolen miles.

“Holden says, ‘Attacks against airline loyalty programs are very common and profitable.’ With points or miles in hand, hackers have also used legitimate services such as Points.com, a service for managing multiple rewards programs. Loyalty rewards can be exchanged, redeemed or used for gift cards — an easy way to cash out.

“Holden said analysts at his company see travel-related login credentials circulate on lists sold by cybercriminals. In other cases, it appears travel agencies have been compromised.”

Pros consistently warn of password-protection weaknesses.

For years ThreatMetrix’s Alisdair Faulkner, Chief Products Officer, and Andreas Baumhof, Chief Technology Officer, have been warning about the inherent weaknesses in password protection. The failure, which has resulted in millions upon millions of compromised accounts at Target, Home Depot, Staples, Sony and a host of others, is what Alisdair Faulkner dubbed the “Password Apocalypse.”

Alisdair Faulkner

Offers Faulkner, “Retailers are caught between a rock and a hard place. They loathe introducing speed bumps, such as resetting passwords or requiring two-factor authentication, as these steps pose an inconvenience to their customers.”

He adds, “Consumers who store credit cards online or use the same login information across sites might as well hand their account information to cybercriminals. However, the bulk of the responsibility falls on retailers, who must implement a comprehensive cybercrime protection platform that differentiates between suspicious and authentic transactions without inconveniencing customers.”

Andreas Baumhof

In a recent bizjournals.com article Baumhof asked, “Did you know that two-factor-authentication is available on LinkedIn, Twitter and Google? My guess is that less than 2 percent of users know this and use it — and that’s exactly the problem. Businesses cannot push the responsibility to the end-user.

“The risk of relying on passwords is that once account login information is compromised, cybercriminals gain access to personal data and identities that can be used for fraudulent retail transactions. Once an attacker apprehends a username and password, the possibilities for fraud are endless, especially if the same information is used across multiple accounts — such as retail, social media and online banking accounts.

“Protecting account data requires effective cybersecurity strategies that go above and beyond passwords to quickly differentiate between suspicious and legitimate transactions.”

Preventing account takeover

Leveraging ThreatMetrix’s Global Trust Intelligence Network (The Network), ThreatMetrix’s TrustDefender Cybercrime Protection Platform delivers a comprehensive visitor assessment that screens out cybercriminals and hackers while allowing customers and employees frictionless, no-hassle access.

This ThreatMetrix solution incorporates comprehensive details about online user identities and behaviors, such as username and password, email address, associated devices and more, and creates a dynamic Persona ID.

In short, without relying on usernames and passwords and without creating annoying hoops for customers and employees to jump through, companies are able to prevent account takeovers.


U.S. Privacy Guidelines No Longer Suggestions

Posted on January 15th, 2015 by Dan Rampe

Obama

President Prepares Comprehensive Online Privacy Bill of Rights to Be Announced at Upcoming State of the Union

A recent study has nine out of ten Americans feeling they’ve lost control of their personal information. A number of breaches, including that of Sony which exposed reams of employees’ personal data, only added to the public’s perception that its personal data is at risk. In the administration’s view, the threat of having personal information compromised could discourage many from taking advantage of the latest technological innovations and have a negative impact on the entire economy.

In a broadcastingcable.com story, John Eggerton lays out what the administration is proposing for the new law, which will likely be addressed by President Obama in his upcoming January 20 State of the Union address. (ThreatMetrix® will be having more to say on this topic leading up to January 28, Data Privacy Day.) The following has been excerpted from his article and edited to fit our format. You may find the full story by clicking on this link.

Back to the future

The Administration will, within 45 days, release a revised legislative proposal for making its 2012 privacy Bill of Rights the new law of the land. The Commerce Department, which has been working with industry and public interest groups on voluntary codes of conduct related to various privacy issues—to mixed reviews of the success of those efforts—has completed its vetting of revised draft legislation that would turn those principles into laws.

30 day breach notice

[The] Personal Data Notification & Protection Act legislation…would “clarify and strengthen” notification obligations for hacks of customers’ personal information, including requiring breach notification within 30 days.

Chase and B of A

To help identify and better prevent identify theft, JPMorgan Chase and Bank of America will make credit scores available for free to consumer credit card customers. “Over half of all adult Americans with credit scores will now have access to this tool to help spot identity theft, through their banks, card issuers, or lenders,” the White House said.

Data collected for education is only used for education

Proposing the Student Digital Privacy Act,…would ensure that data collected for educational purposes is only used for those purposes. The law is based on a similar California statute and [builds] on a Big Data report released by the White House earlier this year.


PCI DSS Version 3 Comes to Town But What About Account Fraud?

Posted on January 14th, 2015 by Dan Rampe

Standard-Header-Tony

You might have been too busy celebrating the start of 2015 to notice, but 1 January also marked a rather important date in the calendar when it comes to card data security. The long awaited Payment Card Industry Data Security Standard (PCI DSS) v3.0 finally came into full force, with a list of new requirements designed to make organisations more resilient to the kind of breaches that have become commonplace in 2014.

But while any steps designed to improve the security of firms which handle and store card data should be welcomed, PCI DSS doesn’t cover the whole picture. As we know all too well at ThreatMetrix®, account takeover fraud is also becoming a major problem but one which, disappointingly, is still under-addressed by many firms.

What’s new?

So what can organisations expect from version 3 of PCI DSS? Well, according to the PCI Security Standards Council (PCI SSC) more effort has been spent on trying to get firms on board with the often onerous task of compliance. The idea is that it should be viewed not as a tick box compliance affair, but a framework which can genuinely help make your business more secure.

Specifically, there are several new requirements designed to make it more relevant to the current payment security landscape. Broadly speaking, these are around:

  • Raising awareness and education amongst employees. More training on the dangers of clicking on malicious links, picking weak passwords or posting sensitive corporate information online could make a big difference to minimising the risk of breaches. That’s why there are new PCI DSS requirements around password education and training on POS security.
  • Improving flexibility. No organisation is the same so PCI SSC has tried to allow some extra latitude for complying firms. One new requirement allows firms to implement password strength appropriate to their strategy and another offers more flexibility to prioritise log reviews according to their needs.
  • Shared responsibility. Third parties are responsible for 63% of security issues which could be exploited by hackers, PCI SSC says. That’s why there is now guidance on outsourcing PCI DSS responsibilities, and a new compliance requirement for service providers.

The other side of the coin

That’s all good news for preventing breaches, but what about security breaches that occur at an individual account level? They may not generate the big headlines and negative publicity for retailers and the like, but if left unchecked could also lead to an exodus of customers. The ThreatMetrix Cybercrime Report: Q4 2014 revealed that device spoofing is rife: 5% of anything logging on to an online retail website to make a transaction is now trying to hide its identity.

Account log-in and account creation are now the highest risk fraud types facing online businesses. Cybercriminals know that they’ve a better chance of using trusted credit cards from valid customer accounts than to try and re-use stolen cards that have a limited shelf life. And netizens are making their job a whole lot easier by sharing passwords across accounts, many of which now require an email in lieu of a user name.

Hopefully PCI DSS 3.0 will help online businesses fortify their systems against attack, but no database is 100% breach proof against a determined enemy. Senior executives need to think more clearly about what happens to that stolen data downstream, and take ownership of the account fraud problem. After all, there are tools on the market that can help right now, but it’s also important not to add extra friction into the log-in or purchasing journey. That can end up putting off customers too.

ThreatMetrix products are powered by a Global Trust Intelligence Network which analyses 850 million transactions each month, using anonymous customer-based device, identity and behavioural data to decide who can be trusted. It’s completely transparent to the user and takes less than a second and costs less than a penny. So let’s start 2015 as we mean to go on and take the fight to the fraudsters.
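The two account-level signals this post and the earlier “Preventing account takeover” section keep returning to are device and identity linkage: one device cycling through many accounts (the pattern shared passwords and stolen credential lists produce) and an account suddenly appearing on a device it has never used. The following is an added illustration written for this page, not ThreatMetrix code and not a description of how the Global Trust Intelligence Network scores anything. It assumes a login log with an account id, a device fingerprint, a timestamp and a success flag; the sample events, the ten-minute window and the three-account threshold are all constructed for the example.

```python
"""Account-takeover signals over a constructed login log.

Added example (not ThreatMetrix code). It assumes each login event carries
an account id, a device fingerprint and a timestamp, and derives two signals
that device/identity linkage makes visible:
  1. one device fingerprint authenticating to many distinct accounts inside a
     short window (credential-stuffing / shared-password pattern), and
  2. an account logging in successfully from a device it has never used before.
The window and threshold values below are illustrative assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    account: str
    device: str      # device fingerprint / persistent cookie id
    success: bool


# Constructed sample log: ordinary traffic, one device (dev-X) walking through
# five accounts in a few minutes, and bob later appearing on a never-seen device.
BASE = datetime(2015, 1, 14, 9, 0, 0)
SAMPLE_LOG = [
    LoginEvent(BASE + timedelta(minutes=0), "alice", "dev-A", True),
    LoginEvent(BASE + timedelta(minutes=1), "bob", "dev-B", True),
    LoginEvent(BASE + timedelta(minutes=2), "alice", "dev-A", True),
    LoginEvent(BASE + timedelta(minutes=5), "carol", "dev-X", True),
    LoginEvent(BASE + timedelta(minutes=6), "dave", "dev-X", False),
    LoginEvent(BASE + timedelta(minutes=6, seconds=30), "dave", "dev-X", True),
    LoginEvent(BASE + timedelta(minutes=7), "erin", "dev-X", True),
    LoginEvent(BASE + timedelta(minutes=8), "frank", "dev-X", True),
    LoginEvent(BASE + timedelta(minutes=40), "bob", "dev-C", True),
]


class AccountTakeoverDetector:
    """Stateful detector fed one event at a time, in timestamp order."""

    def __init__(self, window=timedelta(minutes=10), max_accounts_per_device=3):
        self.window = window
        self.max_accounts_per_device = max_accounts_per_device
        self._device_hits = defaultdict(deque)   # device -> deque of (ts, account)
        self._known_devices = defaultdict(set)   # account -> devices seen on success

    def observe(self, ev):
        """Return the list of signal names this event raises (empty if none)."""
        signals = []

        # Signal 1: sliding window of accounts touched by this device fingerprint.
        # Failed attempts count too, since a stuffing run fails more than it succeeds.
        hits = self._device_hits[ev.device]
        hits.append((ev.ts, ev.account))
        while hits and ev.ts - hits[0][0] > self.window:
            hits.popleft()
        distinct_accounts = {acct for _, acct in hits}
        if len(distinct_accounts) > self.max_accounts_per_device:
            signals.append("device_many_accounts")

        # Signal 2: successful login from a device this account has never used.
        # The very first device an account is seen on is learned silently so that
        # brand-new accounts do not fire on their first login.
        if ev.success:
            known = self._known_devices[ev.account]
            if known and ev.device not in known:
                signals.append("new_device_for_account")
            known.add(ev.device)

        return signals


def scan(events, **detector_kwargs):
    """Run the detector over a log and return (account, device, signal) triples."""
    det = AccountTakeoverDetector(**detector_kwargs)
    return [(ev.account, ev.device, sig) for ev in events for sig in det.observe(ev)]


if __name__ == "__main__":
    for account, device, signal in scan(SAMPLE_LOG):
        print(f"{signal:24s} account={account} device={device}")
```

Neither signal on its own is a verdict: a shared family tablet legitimately touches several accounts, and a customer buying a new phone is a new-device event. The point of linking device, identity and behaviour is that the signals are scored together and the step-up challenge is reserved for sessions that trip several of them, which is how a business raises the bar for account takeover without adding friction to every ordinary log-in.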


Home Smart Home

Posted on January 13th, 2015 by Dan Rampe

CES 2015

CES Features Internet of Things’ Products for Connecting Grills, Refrigerators, Coffee Makers, Baby Monitors, Locks…and Hackers

At this year’s Consumer Electronics Show (CES), manufacturers rolled out product after product that connects to the Internet and is designed to make life easier for the owner. Of course this connectivity also makes life easier for the hacker.

In her story on nytimes.com, Molly Wood details the risks that go along with the rewards the Internet of Things promises. The following has been excerpted from Wood’s piece and edited to fit our format. You may find the full article by clicking on this link.

Breaching the Internet of Things: Been there. Done that.

Hackers have already breached Internet-connected camera systems, smart TVs and even baby monitors. In one case, someone hacked a networked camera setup and used it to scream obscenities into a baby’s nursery.

FTC notes risk

In a speech at International CES, Edith Ramirez, chairwoman of the Federal Trade Commission, said the trend toward having so many things constantly connected to the Internet presented serious risks that start-ups and big companies needed to take seriously.

“Any device that is connected to the Internet is at risk of being hijacked,” she said in her prepared remarks. “Moreover, the risks that unauthorized access intensifies as we adopt more and more devices linked to our physical safety, such as our cars, medical care and homes.”

Few security features built into products

[Because] connected devices are relatively new, there are few security features built into many of them or the apps and services that power them. Even fewer products exist to lock down your smart home.

The box. Like antivirus for the PC

One noteworthy product, though — perhaps the sort of device we will see more of soon — was introduced at International CES. It comes from Bitdefender, which makes antivirus and anti-malware software for computers, and is called the Bitdefender Box. The box is a physical device that plugs into your Internet router and constantly scans your network and the websites you visit for potentially harmful software or viruses. [Bogdan Dumitru, the company’s senior threat analyst said,] “When you’re opening a malicious page, before the page is downloaded, it is intercepted in the box, flags are sensed in the cloud and it doesn’t show up in the first place.”

Hackers don’t care about the processor

“It doesn’t quite matter to the hacker how much processing power or what task those smart devices can accomplish,” he said. If they can reach a website — and most can, because they connect to their own websites — they can be used.

Same drawbacks as standard antivirus

But as with most antivirus and anti-malware products, the box can scan for and detect only code that has already been identified as a threat. Something new could still sneak through.

It’s only data

Ford announced plans to collect information about driving habits of company volunteers in Dearborn, Mich., and of volunteer drivers in London. The London project aims to create personalized driving information that can be used to calculate personalized insurance rates.

[Ford’s new chief executive, Mark Fields, said,] “We believe customers own their data and we are simply stewards of that data.”

Failing to protect customer data

[Accenture, the research firm,] released a study this week that said consumers around the world doubted whether their personal data was secure online. With companies of all stripes suddenly interested in collecting reams of information about their customers, both on the Internet and elsewhere, those concerns are likely to continue.

It’s still early

And as Chris Babel, chief executive of the data privacy management company TrustE, noted, we are still in the very early stages of the Internet of Things.

“Everything is still very siloed and it’s not very connected,” he said. “But there’s massive amounts of value when it gets connected — both from the users’ perspective and from the hackers’ perspective.”

Build security into devices from the get-go

Mr. Babel echoed the advice of Ms. Ramirez of the F.T.C., who said companies needed to “prioritize security and build security into their devices from the outset.” She recommended privacy and risk assessments in the design phase of new products, forcing users to set new passwords instead of using default passwords on sensitive devices like Internet routers, and using encryption wherever possible.
