“Unsafe at Any Speed” — Even Standing Still

Posted on March 25th, 2015 by Dan Rampe

car on internet

Senator Proposes New Rules of the Road for Connected Cars That Leave Drivers Open to Invasions of Privacy and Cyberattack

When Ralph Nader’s Unsafe at Any Speed was published half a century ago accusing car manufacturers of resistance to spending money on safety, it caused a sea change in the auto industry. No. Not amphibious cars. But, it did lead to mandatory seat belt laws and the introduction of a host of other safety features.

Recently Sen. Ed Markey of Massachusetts released a report on the risks of cyberattack and loss of privacy posed by cars connected to the Internet. In a statement, he warned that “automakers haven’t done their part to protect us from cyber-attacks or privacy invasions [adding that even] as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”

In her piece on washingtonpost.com, Andrea Peterson explores the many questions raised by the new Internet of Things smart cars and a few answers. The following has been excerpted from her piece and edited to fit our format. You may find the full article by clicking on this link.

Who’s foot is on the brake pedal?

Cybersecurity experts have long warned that cars’ electronic systems might be vulnerable to hackers, especially as auto-makers started building wireless connections to the outside world into vehicles. Researchers Charlie Miller and Chris Valasek demonstrated how to take over the steering and brakes of a Ford Escape and a Toyota Prius using a laptop connected to the vehicles with a cable in 2013.

Many attack surfaces

Last year, the pair released a report detailing the wireless “attack surfaces” of a wide variety of vehicles on the market — things like Wi-Fi, keyless entry systems, and Bluetooth that might be targeted by a malicious hacker.

Inconsistent and haphazard

Nearly all cars on the market “include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions,” according to Markey’s report…. Security measures to prevent remote access to a car’s electronic systems are “inconsistent and haphazard across all automobiles” and many manufacturers “did not seem to understand” the questions the legislator was asking. However, most manufacturers were either unaware or unable to report on previous hacking incidents.

“Cavalry” involved

Other groups have raised concerns about the security practices of auto-makers. I am the Cavalry, a group focused on where computer security intersects with physical safety, has urged vehicle manufacturers to adopt a five-star-style rating system for security best practices, akin to the ratings for traditional vehicle safety.

Your car is listening

The report also found that modern cars collect a significant amount of information on driving history and that drivers often cannot opt out of data collection without disabling features such as navigation. “A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data,” it said.

Markey calls for new regulatory standards

[Markey] calls for the National Highway Traffic Safety Administration to set new regulatory standards with input from the Federal Trade Commission. The standards should ensure that car’s wireless and data-collection features protect against hacking and security breaches, require that carmakers test their systems with penetration testing, require drivers be explicitly told about how data is collected and used, and give drivers a way to opt out of such features, the report argues.

Rules of the road enforced

“We need to work with the industry and cyber-security experts to establish clear rules of the road – not voluntary agreements – to ensure the safety and privacy of 21st-century American drivers,” Markey said.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

 

Browser Beware

Posted on March 23rd, 2015 by Dan Rampe

Browsers

Ponemon Survey of 645 Information Tech Companies Says Half of All Malware Was the Result of Web Browsers That Weren’t Secure

Less than a third of respondents thought major browsers had “effective security tools for blocking web-borne malware.” And, close to 70 percent of IT professionals thought browser-borne malware was getting worse and was “a more significant threat today than [just] 12 months ago.” These were among the observations brought to light in the Ponemon study as reported by Cory Bennett on thehill.com. The following has been excerpted from Bennett’s article and edited to fit our format. You may find his full article by clicking on this link.

An unsettling thought

Over three quarters [of IT professionals] thought it was certain or very likely their organization had an undetected infiltration from browser-based malware.

Google hunting for bugs

[Google is taking …steps to root out more bugs in its Chrome browser, which recently became the second-most popular browser behind Microsoft’s Internet Explorer.

The [company] said it [would] start giving no-strings-attached grants to independent researchers to suss out flaws in its products, including Chrome. The company will post vulnerabilities they are looking to eradicate and will dole out up to $3,133.70 to researchers willing to take a shot at it.

The hunt gets harder

Since 2010, Google has rewarded researchers if they discovered flaws in Google products and services. The company said it’s adding the new grant program because these vulnerabilities are increasingly difficult to find, after years of independent researchers and Google’s in-house team working on the issue.

“Of course, that’s good news, but it can also be discouraging when researchers invest their time and struggle to find issues,” said Google security engineer Eduardo Vela Nava.

Chrome chief beneficiary

Chrome has benefited from these rewards as much, if not more, than any other product, Nava said. In 2014, more than half of the Chrome bugs discovered by outside researchers were found in beta versions of the browser.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

Have EMV Terminals? American Express Has a Hundred Simoleons for You.

Posted on March 9th, 2015 by Dan Rampe

American Express

American Express Rolls Out a “Small Merchant EMV Assistance Program” to Help Speed up Adoption of EMV Payments

Have to clear up something for anyone who’s not exactly sure what simoleons are. Okay they’re not a lost tribe of South Sea islanders discovered by Tim Cook using Google Earth who now do their tweeting on iPhones instead of conch shells. Also, they’re not anything you’d top with chipotle sauce – unless you wanted to put your money where your mouth is.

Simoleons are simply bucks, clams, ducats, greenbacks, smackers, i.e., dollars. And, as part of its Small Merchant EMV Assistance Program, American Express will give one hundred of those dollars to any U.S. merchant who’s already adopted EMV terminals. We should mention this is a one time only offer.

In her story on paymentweek.com, Melanie Macinas writes additional facets of American Express’s $10 million campaign to speed up the adoption of EMV payment terminals. The following has been excerpted from her article and edited to fit our format. You may find the full article by clicking on this link.

Educational resources

Small merchants will also receive educational resources on EMV via email, telephone hotline, and website.

EMV ambassadors

American Express Fraud Squad ambassadors will also visit Atlanta, Houston, Miami, and New York City to personally meet with small merchants and discuss with them the advantages of EMV.

Many small merchants still unaware of EMV

[Anré Williams, President, Global Merchant Services, American Express, notes,

“Unfortunately, many small merchants do not know about EMV or what they need to do to take advantage of it. We created the Small Merchant EMV Assistance Program to help them. By providing financial and educational assistance, we hope small merchants more quickly adopt EMV so they can ensure their customers feel safe when shopping at their stores.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

What Uber Might’ve Done to Prevent Compromising the Personal Info of 50,000 Drivers

Posted on March 6th, 2015 by Dan Rampe

Uber

Andreas Baumhof, ThreatMetrix’s CTO, Explains How a Holistic Approach to Security Might Well Have Made All the Difference

Shoulda, coulda, woulda can’t help the 50,000 past and present Uber drivers whose personal information (names and driver’s license numbers) was compromised in the company’s recent breach. However, Andreas Baumhof offers a practical approach that could help prevent a future recurrence and help other companies avoid a similar lapse in security.

In his article on scmagazine.com, Adam Greenberg tapped Baumhof and Steve Hultquist, chief evangelist at RedSeal for answers. His article has been edited to fit our format. You may find Greenberg’s complete piece by clicking on this link.

Enough compromised information for ID theft

“Names and driver’s license numbers are two key elements of verification of personal identity,” Hultquist said. “Combined with other information that could be gained by social engineering or by existing breaches, theft of personal identities is possible.”

Very valuable information

Andreas Baumhof, CTO of ThreatMetrix, [noted] that personally identifiable information (PII) increases in worth when more pieces of data related to a single individual are obtained.

“[If] I know your name and your associated email and then the associated address and then the associated credit card number and now the license plate, the information gets more valuable.” He went on to explain, “One reason is the use of knowledge-based authentication is still quite heavy (even by banks) where they ask you some questions that only you should know (e.g. what’s your license plate number?) to do a 2nd factor authentication.”

What they knew and when they knew it

Uber stated that a single instance of unauthorized access to one of its databases occurred on May 13, 2014. The company explained that it discovered the potential access on Sept. 17, 2014, and immediately changed the access protocols for the database.

How the breach might have occurred

“Given the information that Uber has shared, it seems likely that the breach came from the unauthorized use of an existing database access account,” Hultquist said. “The other likely option is access via a database system vulnerability, but that doesn’t seem indicated by the report.”

Baumhof’s comprehensive approach to protecting data

To prevent these types of incidents from occurring in the future, Baumhof said that a holistic approach needs to be considered. He explained that internal systems need to be restricted and secured, and access to data needs to be protected using context-based and behavioral approaches.

Uber’s John Doe Suit

According to the statement, Uber has filed a “John Doe” lawsuit so it can “gather information that may lead to confirmation of the identity of the third party.” The Register reported…that Uber subpoenaed GitHub so the latter company would turn over the IP addresses of visitors to a particular gist, which is believed to have contained a login key used to access the Uber database.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

ThreatMetrix Labs Report Covers the Fish That Hooks People

Posted on March 5th, 2015 by Dan Rampe

Labs-Header

Superfish Adware Acting as “Man-In-The-Browser” Business and Banking Malware Is Outlined in the Latest ThreatMetrix Labs Report

Not familiar with Superfish? Ask any buyer of a Lenovo laptop purchased between October and December 2014 whose computer came preinstalled with the adware. But don’t think you’re going to hear kudos.

“Superfish Adware – A Closer Look”

Comparing Superfish and similar adware to “man-in-the-browser” (MitB) banking Trojans, the ThreatMetrix Labs report, “Superfish Adware – A Closer Look,” details the nature and behavior of this software. It also details Superfish’s HTML injection through browser add-ons and the type of sensitive information this injection allows the injected Javascript to access.

Komodia’s library vulnerable

The report also goes into issues associated with Superfish and other adware tools that use Komodia’s library for ad injection installing a Certificate Authority (CA) into users’ browsers. Protected only by easily-obtained, weak passwords, it’s no trouble at all for cybercriminals to create fake, legitimate-looking website certificates.

Andreas Baumhof, ThreatMetrix’s CTO, on the increasing adware threat

“Data from the ThreatMetrix Global Trust Intelligence Network shows that the Superfish Adware has been an increasing threat since October 2014. While this isn’t a new threat, its recent exposure has left many businesses and consumers questioning what they should know about its threats and how to protect against it. Since it has been around for some time and ThreatMetrix has long had capabilities to detect these kinds of threats, we provide technical details surrounding Superfish and its implications.”

A Javascript injection of Superfish

Depending on the page accessed, the Javascript injected by Superfish has full access to a wide range of sensitive information. For example, the ThreatMetrix Labs report outlines the information that can be accessed by this Javascript code when a user visits a website, including cookies, local storage information, any Document Object Model (DOM) element of the page, user input (such as form field data) and any events that are fired during the session (such as submission of a login form).

ThreatMetrix’s honeypot detects malware strains

ThreatMetrix provides a malware detection service (a “honeypot”) that allows its customers to detect the presence of malware strains like Superfish in real time without any interference in their customers’ journeys. This information is fully integrated into the analysis by the ThreatMetrix® Global Trust Intelligence Network (The Network).

Notes Baumhof about the honeypot

“Whenever a strain of malware like Superfish grows this rapidly, online businesses and banks struggle to protect their customers against its threats – such as compromised sensitive information – without adding friction to the user experience. ThreatMetrix’s honeypot detection techniques help businesses detect unauthorized webpage modification within a user’s browser as part of the user’s full risk assessment, all without any added steps to the customer journey.”

Authenticating customers in real-time

ThreatMetrix authenticates customer transactions using real-time identity and access analytics that leverage the power of the world’s largest shared intelligence network. The ThreatMetrix solution already protects leading online businesses and financial institutions against account takeover, payment fraud, and fraudulent account registrations as a result of stolen credentials obtained from malware, social engineering, phishing and data breaches.

The public ThreatMetrix Labs report can be downloaded here.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions leveraging a global shared digital identity network and real time customer driven analytics platform.  These solutions help customers differentiate between trusted users and potential fraud resulting in reduced friction, incremental revenue and lower fraud and operational costs.

ThreatMetrix secures customers against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over one billion monthly transactions and protects more than 250 million active user accounts across 3,000 customers and 15,000 websites and mobile applications. ThreatMetrix is deployed by industry leaders across financial services, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

Sandpiper: An Eagle When It Comes to Fighting Cybercrime

Posted on February 27th, 2015 by Dan Rampe

Europol

EC3 Supports 18-Month EU-Funded “Project Sandpiper” to Stop Payment Card Fraud in Its Tracks

The latest statistics published by the European Central Bank reveal that card-not-present (CNP) fraud is on the rise accounting for 60% of all fraud losses on cards issued in the European Union. To address the problem, Europol’s European Cybercrime Centre (EC3) has launched several investigations.

Project Sandpiper

Initiated by UK authorities and supported by Europol’s European Cybercrime Centre (EC3), Project Sandpiper took out after the bad guys. The score after eighteen months: 59 arrests; 32 prosecutions; 17 convictions; 52,812 compromised card numbers recovered; £23 million ($35 million) estimated savings to the banking industry; and the disruption of 5 organized crime groups misusing electronic payments mainly in overseas destinations.

Troels Oerting, head of EC3

An article on eurasiareview.com (link to article) quotes the former head of the European Cybercrime Centre, Troels Oerting, who said, “The criminal networks involved in this sophisticated electronic payment crime have been taken down as a result of many months of hard work by police officers and prosecutors in the European Union. Through the international cooperation of law enforcement authorities, the European Commission and Europol, as well as cooperation with the financial industry, European customers’ payment transactions are safer. We continue our fight against this crime. The criminals continue to develop new methods for stealing our identities, money and ideas online, and we have to continue and further develop operations like Sandpiper and Skynet. [Skynet is the codename of a new EU-funded project. Just launched, it focuses on international cooperation to combat online CNP fraud. Six EU Member States are involved.]”

A joint EU effort

According to the eurasiareview.com story, Europol’s information and analysis systems are used to exchange and cross-check the intelligence received from member states.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

What’s Happening with Mobile Device Payments Is Criminal

Posted on February 23rd, 2015 by Dan Rampe

Mobile Devices

Mobile Device Fraud Makes Up a Disproportionate Share of the $6 Billion Fraud Costs Merchants and Card Issuers in the U.S. Each Year

Forrester Research says mobile payments accounted for $52 billion worth of U.S. transactions in 2014, up from $32 billion in 2013. And this year that number is expected to hit $67 billion.

A LexisNexis survey of 1,100 companies found that while mobile payments account for 14 percent of transactions among merchants, they make up 21 percent of fraud cases. In her story on bloomberg.com, Olga Kharif details how cyberthieves have continued to shift their focus to mobile devices. The following has been excerpted from her piece and edited to fit our format. You may find her complete article by clicking on this link.

More mobile fraud than on PCs

“We certainly see a surge in mobile payment attacks,” says Tomer Barel, chief risk officer at PayPal, who says his company deals with more cases of fraud on mobile devices than on PCs. “There are many more avenues for fraudsters to try.”

Every dollar of mobile fraud costs merchants $3.34

Each dollar worth of misbegotten mobile payments winds up costing a fooled merchant $3.34. That’s slightly more than the cost of a fraudulent credit card swipe or mail order, 27 percent more than a similar payment made from a PC.

Merchants aren’t equipped to handle mobile fraud

Along with the cost of lost merchandise, the total includes investigation of the fraud. That’s tougher on phones than on PCs, because many businesses aren’t equipped to track mobile devices’ unique identifiers such as IP addresses. Stores often don’t catch when a card issued in Los Angeles is used for a mobile order from Mexico, says Aaron Press, director of e-commerce and payments at LexisNexis Risk Solutions. “It’s kind of a wake-up call,” he says.

Lower-tech fraud

Some mobile fraud remains low-tech. Last year, the Better Business Bureau warned consumers about a scam in which people posted absurdly cheap offers for used cars online, then tricked interested buyers into wiring funds through a phony version of Google Wallet.

Higher-tech fraud

Other frauds are more technical, such as the hackers who found a bug in a Chilean public transportation app that let them top off their travel credits for free.

The weak link

Like the brief flurry of duplicate charges that accompanied Apple Pay’s debut in October, such glitches highlight the vulnerability inherent in a system that requires banks, card networks, and software makers to keep pace with thieves. “If you don’t make the proper investment, they’ll be attracted to the weakest link,” says PayPal’s Barel.

Biometrics may stop some cybercriminals

Smartphone operating systems, at least, are tougher to infiltrate than those of PCs. Phones with biometric sensors can also make a person’s identity tougher to steal. Mobile payment service LoopPay says it’s adding support for biometric features such as Apple’s fingerprint reader, despite hackers’ claims that they can fool the iPhone’s sensor. Rival CurrentC says it’s considering similar measures….

“There’s no perfect system,” says Will Graylin, chief executive officer of LoopPay. “It’s always a game of cat and mouse.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

A Billion Records Compromised in a Record-Breaking Year

Posted on February 19th, 2015 by Dan Rampe

Data Breach

Security Experts Discuss What Lessons Were Learned from 2014’s Data Breach Deluge

To be exact, there were 904 million records compromised in 2014, a record-breaking year in every sense of the word “record.” While a great deal was lost monetarily and even psychologically, i.e., a feeling of security, a great deal was learned as well. In a far-ranging piece on cio.com, Steve Ragan has security experts offer up their observations on what organizations can take away from a very tough learning experience. The following has been excerpted from his article and edited to fit our format. You may find the complete, unedited article by clicking on this link.

Like candy from a baby

Thus, this year’s security problems have taught organizations a valuable lesson when it comes to protecting the supply chain and offering awareness training to staff and vendors. From phishing to weak third-party access, criminals walked in through the backdoor, and out the front, with relative ease.

Difficult to defend

“Businesses today have a maze of complex dependencies on outside service providers and suppliers. This makes a complex attack surface, and that in turn makes defenses weak. The more complex our infrastructure, the harder it is for defenders to see it all and understand its weaknesses,” commented Dr. Mike Lloyd, CTO at RedSeal.

Multiple baskets

Another lesson learned this year centers on keeping all of one’s eggs in a single basket. As mentioned, twenty incidents reported in 2014 exposed one million records or more in each instance, but three of them resulted in the compromise of a combined 489 million records.

Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, said that the JPMorgan Chase breach was a perfect example of how the damage from an incident can be reduced by segmentation. “Attackers were able to steal millions of customer’s personal information such as names, emails, addresses, etc. However, they were unable to steal the actual financial data. That kind of data was hidden away behind another layer of security and one that was apparently impossible for attackers to get to,” Kujawa said.

“If all organizations used practices similar to that, then regardless of a breach, there would be a lot less damage in the aftermath.”

No longer a luxury

“Today, [security is] rapidly shifting to an imperative – auditors look for it, regulators demand it, and customers expect it. Cost is no longer the limiting factor – boards are willing to spend money to steer clear of the wrong kind of news coverage. The limiting factor is complexity – you can’t segment what you can’t map, and too many organizations have effectively lost the blueprints of the infrastructure they run their businesses on,” he explained.

Criminals prefer personal information

Criminals are starting to favor PII over financial information, because it’s easier to sell and leverage. To put it simply, the banks are making it harder to use stolen credit card details due to anti-fraud advancements.

Michele Borovac, VP at HyTrust, pointed out that while it’s relatively easy to cancel a credit card, it’s much harder to track down and recover your identity if it’s stolen. “Attackers with a few pieces of personal information can parlay that data into new credit card applications, online account access and many other nefarious – but lucrative – activities,” Borovac said.

Big data big breach

“Big Data leads to Big Theft,” said Dr. Lloyd. “Cyber criminals are savvy about risk vs. reward – if we make big piles of data, they are willing to put in more effort to get in to take it.”

HyTrust’s Borovac agrees:

“The primary reason that we’re seeing breaches of this magnitude is that data and applications are becoming more concentrated. As organizations consolidate and virtualize data centers, it becomes easier for someone who gets in to get everything.”

Lessons are lost on some

Despite the fact that 2014 was a record setting year for data breaches, for most organizations security is still an after-the-fact, bolted-on additive.

“Security professionals at heart have known for over a decade now that security, like all business practices, is ultimately dictated by ROI. Until companies feel that they will lose customers due to security concerns, there is no good business reason to address them with the same attention that they do sales or any other income-generating business infrastructure piece,” said Carl Vincent, security consultant at Neohapsis.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

 

 

 

White House Cybersecurity Summit Decisions Aligned with ThreatMetrix Solutions

Posted on February 16th, 2015 by Dan Rampe

Obama

President Calls for Threat Information Sharing and Right to Privacy

In the wake of the White House Cybersecurity Summit held at Stanford University last week, Alisdair Faulkner, chief products officer, ThreatMetrix® wrote:

In light of President Obama’s visit to Silicon Valley, now is a better time than ever to address online security and privacy. Collecting an unreasonable amount of personal information will lead to a “Privacy Pearl Harbor.”

How much information collection is too much?

Threat intelligence sharing is necessary but only to a certain extent – businesses must make sure that reasonable security is not an unreasonable privacy invasion. There needs to be a reasonable amount of digital identity verification such as verifying one’s location or phone number when using a banking app. However, some businesses, including ride sharing services and major banks, have access to information about your entire location and activity history each time you use the app. With so much information stored on users’ mobile devices and in specific mobile apps, this often leads to an unreasonable privacy invasion beyond what is necessary for security measures. Instead, the recent influx of data breaches and privacy concerns calls for industry-wide authentication guidelines that do not compromise privacy.

Anonymized shared intelligence: authentication and privacy

To maintain a balance between privacy and security, businesses should leverage anonymized shared intelligence, behavior-based identity proofing and context-based authentication. At a minimum, industries operating online should self-enforce standards for controlling access to customer data from both insider and outsider theft without invading privacy.

Protecting customer and corporate identities

In addition to balancing privacy and security, businesses need to focus on protecting data in use in addition to data at rest. Data in use refers to customer or corporate identities that are used following a data breach without the individual’s knowledge. A key requirement for data protection is for businesses to ensure personally identifiable information is screened against unauthorized use prior to being processed. This can be done through device identification, malware detection and anonymized trust federation.

For more on preserving privacy while maintaining security, see:

ThreatMetrix Shares Strategies for Walking the Tightrope Between Consumer Online Privacy and Security

ThreatMetrix Shares Strategies for Businesses to Protect Identities in Use in Support of Data Privacy Day

At summit President acknowledges challenge of info sharing vs. privacy

In her story on techcrunch.com, Sarah Buhr discusses the primary themes that emerged from the President’s call for closer cooperation between government and the private sector. The following has been excerpted from her piece and edited to fit our format. You may find the complete article by clicking on this link.

A new sheriff in town

While pushing for that collaboration, he admitted it would be a challenge to both keep up with cyber threats and protect American’s right to privacy at the same time. “Protecting the American people while making sure government is not abusing its capabilities is hard. The cyberworld is sort of the Wild Wild West and to some degree we are asked to be the sheriff…”

President signs Executive Order

[Obama] signed an Executive Order….. One of those provisions encourages information sharing and analysis organizations (ISAOs), which would serve as points of contact for information sharing between the government and the private sector.

The order added the Department of Homeland Security to the list of government organizations that would be able to approve the sharing of classified information and ensure that proper information is shared between entities.

The Snowden effect

The big question here is whether the private sector will be willing to offer this information. Many companies are still reeling from Edward Snowden’s revelations that they were handing over consumer information to the U.S. government and have since taken measures to encrypt data, even from themselves.

Constructing a cathedral

Obama acknowledged the challenge to protect American citizens from cyber threats, but at the same time protect their right to privacy. [He] likened the process of technological development to building a cathedral.

“[T]hat cathedral will not just be about technology but about the values we have embedded in this system. It will be about privacy and security and about connection. A magnificent cathedral and we’re all going to be a part of that.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.

 

ThreatMetrix Cautions President and Participants at Cybersecurity Summit

Posted on February 13th, 2015 by Dan Rampe

Standard-Header-AF

ThreatMetrix’s Alisdair Faulkner Warns of a Possible “Privacy Pearl Harbor” Should Collecting Personal Info for Security Destroy Privacy

The long awaited presidential summit on cybersecurity taking place at Stanford University in Palo Alto, California brings together experts from industry, hi-tech, and law enforcement as well as consumer and privacy advocates, law professors who are specialists in the field, and students.

In its announcement of the Cybersecurity Summit, The White House says the Obama administration is pursuing five key priorities that will strengthen [the U.S.] approach to cybersecurity threats by:

  1. Protecting the country’s critical infrastructure — our most important information systems — from cyber threats.
  2. Improving our ability to identify and report cyber incidents so that we can respond in a timely manner.
  3. Engaging with international partners to promote internet freedom and build support for an open, interoperable, secure, and reliable cyberspace.
  4. Securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets.
  5. Shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector.

One key issue not touched upon in the White House announcement is the issue of privacy.

Alisdair Faulkner, ThreatMetrix chief products officer,  warns about losing privacy to gain security

In light of President Obama’s visit to Silicon Valley, now is a better time than ever to address online security and privacy. Collecting an unreasonable amount of personal information will lead to a “Privacy Pearl Harbor.”

How much information collection is too much?

Threat intelligence sharing is necessary but only to a certain extent – businesses must make sure that reasonable security is not an unreasonable privacy invasion. There needs to be a reasonable amount of digital identity verification such as verifying one’s location or phone number when using a banking app. However, some businesses, including ride sharing services and major banks, have access to information about your entire location and activity history each time you use the app. With so much information stored on users’ mobile devices and in specific mobile apps, this often leads to an unreasonable privacy invasion beyond what is necessary for security measures. Instead, the recent influx of data breaches and privacy concerns calls for industry-wide authentication guidelines that do not compromise privacy.

Anonymized shared intelligence: authentication and privacy

To maintain a balance between privacy and security, businesses should leverage anonymized shared intelligence, behavior-based identity proofing and context-based authentication. At a minimum, industries operating online should self-enforce standards for controlling access to customer data from both insider and outsider theft without invading privacy.

Protecting customer and corporate identities

In addition to balancing privacy and security, businesses need to focus on protecting data in use in addition to data at rest. Data in use refers to customer or corporate identities that are used following a data breach without the individual’s knowledge. A key requirement for data protection is for businesses to ensure personally identifiable information is screened against unauthorized use prior to being processed. This can be done through device identification, malware detection and anonymized trust federation.

For more on preserving privacy while maintaining security, see:

ThreatMetrix Shares Strategies for Walking the Tightrope Between Consumer Online Privacy and Security

ThreatMetrix Shares Strategies for Businesses to Protect Identities in Use in Support of Data Privacy Day

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blogFacebookLinkedIn and Twitter pages.