Why Cyberinsurance?

Posted on October 16th, 2014 by Dan Rampe

Home Depot, Michaels, eBay, Target, Neiman Marcus, Veterans Affairs, Sony, JPMorgan Chase. Or, in a word… data breaches.

Cyberinsurance is hotter than the Geico Gecko sunbathing on a rock in the Mojave at high noon. Too much? Anyway, the point is that in less than a decade corporations have gone from “What’s cyberinsurance?” to “Cost of doing business.”

In her extensive story on northjersey.com, The Record’s Joan Verdon explores the many aspects of cyberinsurance from cost to coverage. The following has been excerpted from her piece and edited to fit our format. You may find the complete, unedited version by clicking on this link.

What is cyberinsurance?

  • Cyberinsurance policies typically protect businesses from costs incurred through data breaches or shutdowns of computer systems.
  • In data breaches, the policies cover costs of investigating the breach, notifying affected parties, legal expenses and related fines.
  • Businesses are seeking coverage for both “first-party” risks, such as notification costs, and “third-party” risks, such as class-action lawsuits brought by credit card holders.
  • $200 million is the typical maximum for coverage, with several insurers “stacking” policies to add up to that amount, rather than one insurer taking on all of the risk. But some companies are starting to offer “catastrophic” cybercoverage for larger amounts.
  • Insurance companies require businesses to meet certain standards for data security and monitoring before they will provide coverage.

Up over 200 percent on cyberpolicies

[Robert Morris, president of Rampart Group insurance brokerage, offers] “We’re up over 200 percent on cyberpolicies since last year, and it’s still growing rapidly.”

Bad news is good news for cyberinsurers

[News] that JPMorgan Chase, the financial giant with a reputation for investing heavily in data security, had been breached and that addresses and phone numbers connected to 83 million household and business accounts had been stolen reinforced fears that no one is safe from cyberattack.

News of the Chase breach came 11 months after Target, the nation’s second-largest retail chain, was hit by a holiday-season hacking that compromised some 40 million credit and debit cards. The total cost to Target of that attack is expected to top $1 billion. Home Depot, Neiman Marcus, [and] eBay, as well as smaller retailers, also have been breached.

Retail and bank breaches involving payment cards get the most publicity, but any place that handles confidential or financial information — hospitals, law offices, government agencies — [has] to worry about cyberleaks.

Ponemon Institute and PwC cybercrime numbers

[Ponemon observes that] cybercrime has cost a sampling of 59 U.S. companies an average $12.7 million this year, up roughly 10 percent from last year’s average of $11.6 million. This year’s average includes two companies that were each hit with more than $50 million in cyberattack costs.

The accounting firm PricewaterhouseCoopers reported in September that data breaches increased 48 percent this year, with 117,339 attacks occurring each day around the globe.

Cybercoverage plans vary with different businesses

American International Group, Chubb, Travelers and other large insurance carriers have rolled out corporate cybercoverage plans. Warren-based Chubb has developed a number of specialized cybersecurity products, including policies designed for health care organizations, lawyers and small businesses. Marsh, the insurance brokerage division of Marsh & McLennan Cos., last month announced it would provide catastrophic cyberattack coverage for large companies that want an additional $300 million in coverage above the first $100 million in costs, which the company would be expected to cover.

Rates all over the map

Experts say the costs of cyberinsurance vary greatly and depend on the number of records or amount of data a company collects and needs to protect. Panelists at the Black Hat and Def Con conventions in Las Vegas in August said standard rates are $20,000 to $25,000 for $1 million of coverage.

Tom Ridge, the first U.S. homeland security chief, said last week that his company, Ridge Insurance Solutions, was joining with the venerable Lloyd’s of London to offer cyberattack insurance. The Chase breach, Ridge said at an appearance in London reported by Bloomberg News, scared corporate executives around the world.

“Who would have thought that JPMorgan, with its security budget, could be hacked into,” Ridge said. “Now a lot of people are thinking, ‘If it could happen to them, it could happen to us, too.’ ”

How do cyberinsurers arrive at a pricing structure?

One problem insurers face, however, is knowing how to price a policy based on anticipated risk when information about the impact of cyberattacks is limited.

“The problem is there’s not enough actuarial data to tell us how many attacks there are going to be and what’s going to be the cost of the attack,” said Rampart Group’s Morris.

If a company comes to an insurer seeking fire insurance, Morris said, “they know what’s going to burn, within certain parameters because they have the statistics for hundreds of years. We don’t have that in cyber at all. Not even close.” That causes prices for policies to be “all over the place.”

Rampart Group brokered its first cyberinsurance some four or five years ago, Morris said. The policies, however, have become far more complex and sophisticated since then. Insurers now provide coverage packages that help a company notify customers of a breach, that provide forensic accounting services and credit-monitoring services and that pay for public relations or legal assistance.

Morris said Rampart Group itself pays for cyberinsurance coverage as part of its business insurance because it needs to protect itself if any confidential information on its customers is breached.

A cost of doing business

[HiTouch Business Services, an office products and services company,] has never had a breach, but the company has had cybercoverage since it was founded in 2010.

“We had a very small policy from Day One, and we’ve kept increasing it every year,” [said Michael Palmer, HiTouch’s CEO.]

Recently, HiTouch has seen that its larger business customers, who enter into contracts for large purchases or services, want to deal with vendors who have cyberinsurance. “Their legal departments are saying these are the insurances every vendor you have must carry,” Palmer said.

Cyberinsurance could improve security

Industry experts say the drive for cyberinsurance should help strengthen corporate cyberdefenses in the same way that insurance companies years ago led the push for uniform building codes and code enforcement to reduce fire and property liability risks.

What about coverage for consumers?

The growth in corporate cyberinsurance is causing some insurance companies to also look at cyberinsurance riders on personal life insurance or homeowners policies, coverage that would provide reimbursement in cases of identity theft, stolen information, or even lawsuits linked to social media misuse.

Morris said he is trying to develop a personal cyberinsurance policy to provide $500,000 to $1 million in coverage for a premium of about $200 a year. The coverage could protect someone who might be sued because of something a family member posted on social media or bring in digital-reputation repair experts if the policy owner is attacked on social media.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

Massive MBIA Data Leak is “Tip of the Iceberg”

Posted on October 15th, 2014 by Dan Rampe

(NOTE: The following is used with the permission of Byron Acohido, a Pulitzer Prize-winning journalist and editor-in-chief for ThirdCertainty, an IDt911-sponsored online publication dedicated to helping individuals and companies assess risks and embrace best security practices. Acohido will be speaking at the ThreatMetrix Cybercrime Prevention Summit 2014, November 5 – 7.)

By Byron Acohido, ThirdCertainty

Hundreds of companies, local government agencies and universities—including two Ivy League schools—continue to expose sensitive financial, medical, academic, personal and other records to anyone who knows a few finer points about how to use Google or the Shodan search engine.

These organizations are all in the same boat as MBIA, the nation’s largest bond insurer, which has been scrambling to downplay the revelation that it has not taken very good care with customer accounts.

Ethical hacker Bryan Seely of Seattle-based Seely Security showed how MBIA has long been exposing details of municipal bond and investment management accounts in a way that made it easy for criminals to transfer funds from existing accounts into newly created ones they control. There’s no evidence any theft took place, only because the bad guys appear to have overlooked this freebie.

MBIA’s security lapse came to light in a story posted by security blogger Brian Krebs early last week. But that’s just the tip of the iceberg, Seely tells ThirdCertainty.

Seely has reviewed 25,000 Oracle web servers known to have a vulnerability that can be accessed if the web server owner fails to configure the Oracle server in the proper way.

“In the case of MBIA, it was not at risk because of a flaw in Oracle,” Seely says. “This was simply because the customer did not configure the server correctly when they deployed it, and it caused private banking records to be exposed to the Internet.”

8,000 exposed servers

Seely says he has identified more than 8,000 other servers that are similarly misconfigured and likewise exposing sensitive accounts on the open Internet. These are accounts that should be kept under lock and key.

Seely has been on a one-man campaign to notify organizations, and a few have listened to him. Among those who have heeded Seely’s heads up and locked down their misconfigured Oracle servers are:

  • Texas Department of Family Protective Services
  • Meridian Community College in Mississippi
  • University of Wisconsin
  • Purdue – Calumet Campus
  • Maryland Port Authority

MBIA initially gave Seely the cold shoulder, but took action after they received a phone call from Brian Krebs. Most organizations Seely has tried to alert assume he’s out to hustle them. “They think it’s a ransom attempt or a scam,” he says. “I’m not selling anything, and I’m not asking for money. If they want to hire me to help fix or find more problems, I would welcome it, but it is not a condition by any means.”

A one-time U.S. Marine, Seely is no slouch. He has worked as a network engineer at Microsoft and Avanade. Last February, he demonstrated a way to set up and record calls between unwitting citizens and the FBI and Secret Service—by hacking Google Maps. Billionaire Dallas Mavericks owner and Shark Tank TV personality Mark Cuban is a fan.

Last month Seely and fellow ethical hacker Ben Caudill proved LinkedIn does not do a robust job of protecting email addresses by using a low-tech hack to find and manipulate Cuban’s email address, and those of other celebrities.

That hack led to Cuban asking Seely and Caudill to check Cyber Dust, a privacy-centric chat messenger start-up backed by Cuban, for security soft spots.

Seely says it would have been trivial for criminals to steal from MBIA subsidiary Cutwater Asset Management—the company found to have the exposed accounts—but it appears MBIA and Cutwater dodged one big bullet.

MBIA dodged bullet — will others?

“It’s highly unlikely that criminals accessed MBIA’s data because the only thing at risk was the money,” Seely says. “If the money is there, then nothing has been stolen. There were not any Social Security numbers or PINs, but the ability to change or otherwise add and remove signers, additional bank accounts and such. It would have been all too easy to take money from accounts in small or large amounts prior to discovery.”

Cutwater’s server was misconfigured to expose countless account numbers, balances and forms in such a way that the records were being indexed by Google and Shodan, a search engine that looks for specific types of routers and servers connected to the Internet.

Seely personally was able to use Google and Shodan to directly access individual financial accounts, account balances, participant profiles, lists of names, addresses, email addresses, and phone numbers of authorized account users.

“If you needed to add someone, you could just fill out a form and email it,” he says.

Now that the cat is out of the bag, you can bet the attention of organized cyber gangs has been directed to this low-hanging fruit. Companies using misconfigured Oracle servers who are slow to address this exposure are at risk of paying a high price. The two Ivy League schools Seely found to be exposed have not yet fixed the problem, he says.


Internet of Things – A Consumer Dream or Cybersecurity Nightmare?

Posted on October 14th, 2014 by Dan Rampe

Don’t look now, but your life is more online and connected today than it was last year – and the trend is accelerating.

Late last year, we predicted that risks associated with the Internet of Things (IoT) and critical infrastructure would be two emerging cybercrime trends this year. (See our 2014 predictions blog.) These topics are the theme of this third week of the National Cyber Security Awareness Month, “Critical Infrastructure and the Internet of Things.”

IoT and Critical Infrastructure are two sides of the same coin

This year has seen a burst of innovation in the Internet of Things. Intel is getting into the wearable technology field, while the Consumer Electronics Show was filled with wearable devices such as heart monitors, sensor-equipped golf gloves and networked pet collars. Other devices already on the market are gaining traction, from cars that email us when they need service to health monitors that publish our glucose levels. The possibilities are endless and so are the products that come to market quickly.

When it ships early next year, the Apple Watch will no doubt expand the wearable technology market beyond the earliest adopters to the broader Apple faithful.

Even if you’re not using these technologies, you are part of a connected world through the public infrastructure around you. Wireless cameras and embedded sensors permeate public facilities and transportation hubs. We all depend on power grids and water delivery systems (also known as critical infrastructure) that are controlled by networked devices. In the near future, drones may zoom around us on city streets.

The increasing connectivity of the world poses a growing cybersecurity threat that we are not securing well. For consumer technologies, personal privacy is often at risk. The public safety risks are higher for critical infrastructure.

All these devices are Internet enabled, but remember: they run software. They run the very same software that is being attacked on a daily basis for high-risk applications such as online banking. The only difference is: they cannot be updated – and this has the potential to make these a lethal target.

Point of Sales Systems – The Canary in the Coal Mine

Lest you think I’m being alarmist, let’s consider one of the earliest entrants in the Internet of Things – Point of Sale (POS) systems. You see them everywhere – devices such as cash registers and credit card readers use POS to take payments at retail stores.

You would think that POS systems would be secure, for several reasons.

  • They’ve been around for a while, so we’ve had time to figure out how to make them safe.
  • They handle financial transactions, therefore we are extra motivated to keep them secure.
  • They are locked down and run in dedicated networks.

Yet POS exploits were responsible for two of the largest data breaches in the past year – the Target and the Home Depot breaches.

If we cannot manage to protect those network-attached devices that we know are targeted by thieves, how much better will we be at protecting the various technologies we’re embedding in our personal lives? Or the devices controlling critical infrastructure? Even our highway signs have been hacked. (See http://www.threatmetrix.com/a-sign-of-the-times-hacking-signs-electronic-road-sign-hackers-reveal-a-downside-to-the-internet-of-things/)

A roadmap to a more secure connected world

We can address these risks, but only with concerted and collaborative efforts. My recommendations for connected devices are as follows:

  1. Think twice about what goes on public networks. Network segmentation and isolation are critical, particularly for critical infrastructure.
  2. Strengthen authentication to these devices and the systems that manage them. Logins continue to be the weakest point in most systems. We’re reaching a point at which it is irresponsible to protect critical systems with passwords alone. Use multiple authentication factors or context-based authentication to reduce risk of stolen identities and unauthorized access.
  3. Look for anomalies at all levels, including patterns that represent known threats or never-before-seen patterns that may indicate an emerging threat.
  4. Provide a mechanism to securely update these devices. In order to do so, many of the previous points need to be considered.

To put these strategies in place, we must exchange and share threat information at both the business and government level. The federal government is committed to sharing information with the private sector related to critical infrastructure. (See Executive Order 13636)

For businesses that handle personal or consumer-based products, sharing information must be balanced with protecting consumer privacy. As the data collected about us from devices continues to grow, privacy will be more important than ever before. That’s why we’ve built data anonymization and encryption into the ThreatMetrix® Global Trust Intelligence Network.

As new technologies continue to reshape our future at a rapid pace, we have to act quickly to make sure that the future we’re building is secure and private, not dystopian.


ThreatMetrix Announces Strategies to Combat Growing Threats to Critical Infrastructure and the Internet of Things

Posted on October 14th, 2014 by Dan Rampe

In Conjunction with National Cyber Security Awareness Month, ThreatMetrix Outlines Security Measures to Properly Secure Web-Connected Devices and Critical Infrastructure

San Jose, CA – October 14, 2014 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced strategies to combat security risks for the Internet of Things (IoT) and critical infrastructure, continuing its commitment to this year’s National Cyber Security Awareness Month (NCSAM) theme, “Our Shared Responsibility,” as well as the third week’s theme of examining potential security implications associated with critical infrastructure and the IoT.

The theme of NCSAM’s third week is “Critical Infrastructure and the Internet of Things,” calling out the risks faced by devices and critical utilities as they increasingly connect to the Internet. As devices ranging from watches and heart monitors to refrigerators, as well as critical utilities such as water and power, continue to connect online, our everyday lives are placed at increased risk of being compromised by fraudsters.

In the past year alone, innovations in wearable technology and other fields have included a burst in Internet-connected devices. From cars that can send email reminders when they need service to health monitors that publish heart rate and glucose level to online tracking tools, the inter-connected world is growing and not slowing down, creating significant risks for consumers’ privacy and cyber security.

However, the users of these new technologies are not the only ones affected by the increasing connectivity of the world. Public infrastructure is all connected online, from power grids to water delivery systems, all controlled by networked devices. This is critical infrastructure, and it opens the door to individual cybercriminals or nation states to wage a new form of online warfare if proper security measures are not immediately set in place.

“The rapid growth of the Internet of Things creates a new wealth of information for cybercriminals to compromise, from our everyday appliances to critical operations, allowing them to steal personal information and cripple resources,” said Andreas Baumhof, chief technology officer at ThreatMetrix. “Apple will soon launch the Apple Watch, taking wearable tech from obscurity to the consumer forefront. It is becoming increasingly imperative that we ensure the information shared through these devices is secure as they will contain, collect, and track sensitive information about our personal physical lives, as well as elements tied directly to our financial being. In addition, point-of-sale system hacks have caused massive damage to major retailers over the past year, as we saw in the Target and Home Depot breaches, among others. Imagine what harm the mass distribution of health and critical infrastructure information can bring to the lives of millions.”

As the Internet of Things and online connectivity of our nation’s critical infrastructure show no signs of slowing down, ThreatMetrix has outlined several security strategies to address some of the associated risks:

  • Network Segmentation and Isolation – Network segmentation or “zoning” is a popular practice in Internet security. Network segmentation maximizes the chance of limiting the risk a data breach poses to your entire network. It also can help businesses determine what information to keep on public or private networks.
  • Account Authentication – Username and password authentication is the weakest point of entry for most businesses operating online, often making businesses an easy target for hackers. At this stage, it is irresponsible to protect any information stored online with passwords alone. The use of multiple authentication factors, such as context-based authentication and real-time fraud prevention can help reduce the risk of stolen user identities and fraudulent transactions without disrupting the user experience for authentic customers.
  • Tracking – Tracking data enables businesses across industries to differentiate between authentic and fraudulent transactions and other activity. By identifying anomalies such as hiding behind proxies and virtual private networks or change in shipping address through a global network of shared intelligence, businesses can recognize patterns that represent known threats or never-before-seen patterns that show a potential threat.
  • Secure Updates – It is important that Internet-connected devices are updated on a regular basis to stay one step ahead of cybercriminals as they become increasingly sophisticated.

For comprehensive cybersecurity strategies to be effective and protect Internet of Things devices as well as critical infrastructure, there needs to be collaboration and sharing of information at both the business and the government level, while protecting consumer privacy. The ThreatMetrix® Global Trust Intelligence Network anonymizes and encrypts data to enable businesses to identify threats and keep their business secure without providing any personally identifiable information.

In addition to the overall theme of “cybersecurity is a shared responsibility,” the U.S. Department of Homeland Security outlined weekly themes to commemorate National Cyber Security Awareness Month throughout October. The remaining upcoming themes include:

  • Week Four – Cyber Security for Small and Medium-Sized Businesses and Entrepreneurs
  • Week Five – Cyber Crime and Law Enforcement

ThreatMetrix will continue to support each week’s theme throughout the month. To commemorate National Cyber Security Awareness Month, ThreatMetrix has also signed on as a “Champion” with the National Cyber Security Alliance.


© 2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts
Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
Walker Sands Communications
Tel: 312.241.1178
Email: beth.kempton@walkersands.com

 

 

FBI Provides Tool for Checking Out Suspicious Files

Posted on October 13th, 2014 by Dan Rampe

Businesses, Researchers and Academics Will Soon Be Able to Upload Files to FBI Portal to Ensure They Don’t Contain Malware

The FBI offers a portal for law enforcement agencies to check out files. Now a separate FBI portal will be made available for a much wider audience. Called Malware Investigator, the portal will be accessible to established FBI partnerships, including members of the U.S. Intelligence Community (USIC), domestic and foreign law enforcement, academia, and private industry.

How it works

According to Charlie Osborne’s article on zdnet.com (link to article), here’s how it works. “Once a file is uploaded, the system pushes [it] through antimalware engines to [extract] information…whether it is malicious, what the malware does, and [whom it affects.]

“The Malware Investigator analyses threats through sandboxing, file modification, section hashing, correlation against other submissions and the FBI’s own entries concerning viruses and malware reports. Windows files and common file types can currently be analyzed, but this will expand to include other file types in the near future.”

The FBI’s Jonathan Burns noted that API access has been granted for businesses that want to integrate the engine into their platforms. Personal details of submitters would not be disclosed.


Largest U.S. Bond Insurer Learns of Exposed Customer Accounts — from Blog

Posted on October 10th, 2014 by Dan Rampe

Security Guru Brian Krebs of KrebsOnSecurity Notifies Municipal Bond Insurance Association (MBIA) of Web Server Misconfiguration That Put Customer Accounts at Risk

MBIA is a public holding company that offers municipal bond insurance and investment management products to diversify the holdings of insurance companies that include Aetna, Fireman’s Fund, Travelers, Cigna and Continental.

In his piece on KrebsOnSecurity.com, Brian Krebs reports how he learned that MBIA had exposed countless customer account numbers, balances and other sensitive data to potential attackers. The following has been excerpted from Krebs’ blog and edited to fit our format. You may find his complete, unedited piece by clicking on this link.

Bryan Seely, an independent security expert, discovered the exposed data using a search engine. Seely said the data was exposed thanks to a poorly configured Oracle Reports database server. Normally, Seely said, this type of database server is configured to serve information only to authorized users who are accessing the data from within a trusted, private network — and certainly not open to the Web.

Worse yet, Seely noted, that misconfiguration also exposed an Oracle Reports diagnostics page that included the username and password that would grant access to nearly all of the customer account data on the server.

“Malicious hackers finding dozens of universities or companies with Social Security numbers, health data or other information is devastating, but stumbling on bank accounts and the instructions for how to empty them is potentially catastrophic,” Seely said. “Billions in taxpayer funds, invested into one of the largest institutions in the world that were essentially being guarded by a sleeping security guard.”


Taking the Fight to the Fraudsters in a Month to Remember

Posted on October 9th, 2014 by Dan Rampe

September was a great month if you work in fraud prevention circles. A major new agreement between the European Banking Federation and Europol’s European Cybercrime Center (EC3) will make information sharing and co-operation between the region’s law enforcers and banks more extensive and effective than ever before.

It’s to be applauded. After all, fraud across Europe is increasing and becoming increasingly “cyber” in nature.

An annual report from the European Central Bank back in February revealed that card fraud rose in 2012 for the first time since 2008 – driven mainly by internet fraud. It claimed €1 in every €2,635 spent on credit and debit cards issued within SEPA (Single European Payments Area) was lost to fraud. While fraud via POS systems and ATMs dropped since the previous year, card-not-present fraud – including payments by post, telephone and the internet – jumped from 56% to 60%; the highest since records began.

It’s not hard to see why. Online fraud is difficult to trace and easy to commit. Cybercriminals have become adept at logging into online bank and other accounts with phished credentials, or setting up new ones with ill-gotten personal information. User awareness is increasing, but not fast enough, and alternatives to password-based systems such as two-factor authentication (2FA) can be too user-unfriendly. Meanwhile, traditional behind-the-scenes anti-fraud systems can be slow to spot suspect behaviour, and often end up blocking innocent customers.

A step in the right direction

So we applaud the new memorandum of understanding between EC3 and the EBF. It should speed up and improve cross-border sharing of stats on fraud and cyber attacks. On the one hand this will give the police an advantage when pursuing organised crime and, on the other, it should help banks understand fraud patterns better so that they can prepare their cyber defences more effectively. Fraud prevention is finally moving from ad-hoc and localised to systemic, automated and cross-border.

That’s not the only good news from September. The British Bankers Association announced plans for a new Financial Crime Alerts Service (FCAS) – where it will share with its members real-time alerts on cyber crime, fraud and other activities generated by law enforcers and government agencies.

The UK has in fact been quietly ramping up the number of specialist fraud officers in the police force – with staff levels rising 11% since 2011 to reach 448 today. The number of civilian investigators also increased, from 235 to 289, the BBC said. However, there’s still a feeling that officers are swamped with requests, as fraud increased in England and Wales by 40% during the same period.

In the US, meanwhile, a joint venture between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and The Depository Trust & Clearing Corporation (DTCC) will lead to the creation of Soltra. This new body will focus on developing “software automation and services that collect, distill and speed the transfer of threat intelligence from a myriad of sources to help safeguard against cyber attacks.”

Our approach

ThreatMetrix® fully supports any moves to improve the sharing of actionable intelligence between financial institutions and law enforcement for a win-win scenario. But we’d also argue that there’s another, proactive step organisations of all shapes and sizes can take to minimise the risk of account fraud.

Our approach is to understand the endpoint, the user’s identity (which is anonymised) and their behaviour to determine if a transaction can be trusted or not. Our fraud information does not come from law enforcement but from over 850 million monthly transactions that our 3,000+ customers – from major banks to social networks, enterprises and e-commerce giants – provide us with. Just as the users of the fraud initiatives above will get better over time at spotting and predicting threats, so the ThreatMetrix® Global Trust Intelligence Network gets smarter with each risk assessment.

It’s global, cross-industry, real-time intelligence that works in the background without any customer input needed to spot and block fraud before it has a chance to get anywhere near your business.


E-Commerce Executives Value Stopping Fraud in Real Time as the Top Capability in an Advanced Fraud Prevention and Cybersecurity Solution

Posted on October 8th, 2014 by Dan Rampe

According to a Recent ThreatMetrix Survey, 75 Percent of E-Commerce Executives Indicate Stopping Fraud in Real Time as a Key Capability

San Jose, CA – October 8, 2014 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced the results of a recent customer survey, which found that e-commerce executives value stopping fraud in real time as a key capability in their fraud prevention and cybersecurity solution.

With the holiday shopping season around the corner, real-time fraud prevention is particularly important for e-commerce executives. According to comScore, in 2013, U.S. holiday e-commerce sales reached a record $46.5 billion and 2014 holiday spending is projected to increase by nine to 16 percent. Such a high volume of spending makes e-commerce websites and customers a top target for cybercriminals.

“The holiday shopping season is the most profitable time of year for online merchants and these businesses must have a solution in place that accelerates the shopping experience and reduces customer friction without compromising security,” said Ken Jochims, director of product marketing at ThreatMetrix. “By stopping fraud in real time, online merchants can process more authentic transactions and avoid shopping cart abandonment associated with manual reviews and step-up authentication.”

According to a recent ThreatMetrix survey conducted with TechValidate, 75 percent of executives using the ThreatMetrix TrustDefender™ Cybercrime Protection Platform indicate stopping fraud in real time as a key capability in their fraud and cybersecurity solution. Additional key capabilities include uniquely and persistently identifying device data (71 percent), on the fly modification of business rules and policies (58 percent), and access to global, anonymized, device and behavior data (58 percent).

The 2014 holiday shopping season presents more risks than ever before for online fraud and cybercrime. Following high profile data breaches such as Target and Home Depot, as well as recent news about a Russian cybercrime ring gaining access to 1.2 billion usernames and password combinations, online merchants must make security a priority to assure stolen credentials from these breaches are not fraudulently used to make holiday purchases.

“Countless recent data breaches present a significant opportunity for card-not-present fraud, fraudulent account creation and login risks this holiday shopping season for retailers who are not protected with a real-time fraud prevention solution that leverages a global, anonymized network,” said Jochims. “At the same time, in order to maximize revenue, retailers must assure legitimate customers do not experience an arduous screening process or get incorrectly identified as fraudsters.”

During the holiday shopping season and year round, advanced fraud prevention and context-based authentication can help identify good users and protect customers without adding additional steps to the authentication process. The ThreatMetrix® Global Trust Intelligence Network analyzes more than 850 million monthly transactions and combines device identification, threat assessments, identity and behavioral intelligence to accurately identify cybercriminals without creating friction for good users.

About ThreatMetrix

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

© 2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts
Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
Walker Sands Communications
Tel: 312.241.1178
Email: beth.kempton@walkersands.com

 

“Stop Fraud in Real Time” — E-Commerce Execs

Posted on October 8th, 2014 by Dan Rampe

ThreatMetrix Survey of E-Commerce Execs Finds 75 Percent Want Top Capability of Advanced Fraud Prevention and Cybersecurity Solution to be Stopping Fraud in Real Time

A ThreatMetrix survey conducted with TechValidate showed that 75 percent of executives using the ThreatMetrix TrustDefender Cybercrime Protection Platform said stopping fraud in real time was a key capability for their fraud and cybersecurity solution. Additionally, the survey found that executives wanted their solutions to uniquely and persistently identify device data (71 percent); do on-the-fly modification of business rules and policies (58 percent); and provide access to global, anonymized, device and behavior data (58 percent).

2014 holiday spending to increase 9 to 16 percent

According to comScore, in 2013, U.S. holiday e-commerce sales reached a record $46.5 billion and 2014 holiday spending is projected to increase by 9 to 16 percent. Such a high volume of spending makes e-commerce websites and customers a top target for cybercriminals.

Ken Jochims, director of product marketing, ThreatMetrix

“The holiday shopping season is the most profitable time of year for online merchants and these businesses must have a solution in place that accelerates the shopping experience and reduces customer friction without compromising security,” said Ken Jochims, director of product marketing at ThreatMetrix. “By stopping fraud in real time, online merchants can process more authentic transactions and avoid shopping cart abandonment associated with manual reviews and step-up authentication.”

Security tops list for online merchants

Following the Target, Home Depot et al. data breaches, as well as recent news of a Russian cybercrime ring gaining access to 1.2 billion usernames and password combinations, it makes good sense for online merchants to make security a priority.

“Countless recent data breaches present a significant opportunity for card-not-present fraud, fraudulent account creation and login risks this holiday shopping season for retailers who are not protected with a real-time fraud prevention solution that leverages a global, anonymized network,” said Jochims. “At the same time, in order to maximize revenue, retailers must assure legitimate customers do not experience an arduous screening process or get incorrectly identified as fraudsters.”


Building a More Secure Smartphone

Posted on October 7th, 2014 by Dan Rampe

Like many others in Silicon Valley, I waited with bated breath to see what Apple’s iPhone 6 would look like last month. And it wasn’t just to see what my next phone might look like.

From my perspective at ThreatMetrix®, I was eager to see how the new phone handled data security and privacy issues while delivering groundbreaking new features. (For my thoughts on that subject, see the infographic iPhone 6 Cybersecurity Pros and Cons.)

I’m not the only one worrying about mobile devices and cybersecurity. The theme of this second week of the National Cyber Security Awareness Month is “Secure Development of Information Technology Products.” The Department of Homeland Security specifically calls out the need to build security into our phones, tablets and computers.

Why mobile matters: 3 trends to watch

At ThreatMetrix, we analyze anonymized data from across the ThreatMetrix® Global Trust Intelligence Network (The Network). According to data from a recent ThreatMetrix Cybercrime Index™ Benchmark Report, three major trends are emerging that have significant implications for overall cybersecurity.

  1. Mobile usage for online commerce and transactions is increasing. Nearly 50 percent of all new account creations originate from mobile devices, and 30 to 50 percent of all banking logins come from mobile, meaning consumers are entering a lot of sensitive information through potentially insecure mobile apps and sites. Companies and brands behind those sites need to ensure a frictionless onboarding experience without sacrificing security.
  2. There is steady growth in the number of high-risk activities originating from mobile devices. The data shows steady growth in the number of high-risk activities detected from mobile devices across The Network. These include suspicious account creation or fraudulent payments, as well as an increase in malware. While devices need to be secure, consumers must also do their part by avoiding jailbroken phones, not downloading suspicious apps, and not entering their information on insecure sites and apps.
  3. The number of advanced apps and features on mobile phones is growing. The most recent Apple release of the iPhone 6 arguably came with the largest number of groundbreaking features consumers have ever seen in a new generation iPhone, including Apple Pay, HealthKit and HomeKit. IT product developers are all competing to release the most innovative apps and features, and consumers are jumping at the chance to be first to try them. The more embedded mobile devices are in our lives, the more attractive they become as targets for malware writers and cybercriminals.

The law of unintended consequences

There are often unintended consequences of product design features, and frequently those are security flaws. For example, some of the photos leaked in the recent celebrity nude photo scandal were a result of iPhone photos automatically backing up into iCloud. Many of the people whose photos were leaked may not have even realized they were being stored somewhere else, much less that they were only protected by a simple username/password combination, which has proven ineffective in the wake of recent high profile data breaches. Developers must consider all possible security issues when designing the newest IT products and mobile devices, and top of their mind should be the assumption that the user’s identity and account are the target, not just the device and its encrypted data.

There are few easy answers

If cybersecurity is a shared responsibility, then application developers have to shoulder their part of the burden. We can agree on a few guidelines:

  • Embed security into the design process and try to anticipate those unintended consequences of the newest features you’re adding. In terms of the iPhone 6, Apple has made progress on this front. For example, credit card details for Apple Pay are not stored on the device or in iCloud, so malware that intercepts traffic cannot get the credit card number.
  • Don’t rely on simple logins and passwords to protect customer information. Beyond simple, easy-to-hack username and password combinations, developers should consider contextual and behavioral methods to authenticate identities.
  • Developers cannot count on customers taking extra steps to secure their identities or transactions – particularly in the consumer market. Security must be frictionless and embedded at all layers of the information technology stack to keep consumers safe without damaging the user experience.

At ThreatMetrix, we collaborate with many businesses that build and support mobile apps for payments and other valuable transactions. We help them find ways to embed device context and communications into mobile apps to increase trustworthiness without adding barriers for customers.

The road ahead for developers is clear – security can no longer be an afterthought, but must be part of the design process. Beyond the development process, the security of an application resides not in the application itself, but in its context and usage. Improving cybersecurity requires collaboration on all fronts.
