You Know the EMV Chip That’s Supposed to Make It Nearly Impossible to Fraudulently Use Credit/Debit Cards — Guess What? There Are Flaws.

Posted on June 11th, 2014 by Dan Rampe

If you like movies, you have likely already heard the classic tagline for the sequel to Jaws, “Just when you thought it was safe to go back in the water…” (Incidentally, a great tagline for a lousy movie.)

In any case, with a little massaging, the line works for flaws discovered in the EMV chip protocol for credit and debit cards, i.e., “Just when you thought the EMV chip was the solution to most credit and debit card fraud…”

In his piece on darkreading.com, Matthew Schwartz, InformationWeek information security reporter, writes about the flaws that Cambridge University computer security researchers warned about at the IEEE Symposium on Privacy and Security in San Jose, California. The following has been edited to fit our format. You will find the complete article by clicking this link.

[The Cambridge researchers] detailed two major problems with the EuroPay, MasterCard, and Visa (EMV) standard now used to secure more than 1.6 billion cards worldwide.

[The problems came to light after a] British bank, HSBC, refused to refund a series of transactions to a customer [Mr. Gambin] based in Malta…. During related disputed-transaction negotiations, HSBC shared detailed ATM log data with Gambin, which included the date, time, as well as an “unpredictable number” (UN), or “nonce,” generated by the ATM to validate the transactions.

Reviewing the unpredictable number, however, the researchers found that it was, in fact, often predictable. “Some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this nonce [which] exposes them to a ‘pre-play’ attack. [This] is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and…can be carried out even if it is impossible to clone a card physically.”

In some cases, obtaining a legitimate ATM nonce on which to base an attack would also be easy. According to the researchers, for example, the UN is printed on all receipts generated in Italy.
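An added illustration, not part of Schwartz's article or the researchers' paper: a Python check that an issuer or acquirer could run over terminal logs to spot the counter- and timestamp-derived unpredictable numbers described above. The log format, terminal names, thresholds and sample rows are constructed assumptions, and the stuck-bits test goes beyond the two cases named in the text to catch other home-grown generators.

```python
"""Audit terminal logs for weak EMV Unpredictable Numbers (UN)."""
from collections import Counter, defaultdict

MASK32 = 0xFFFFFFFF   # the UN is treated as a 4-byte value
MIN_ROWS = 6          # assumed minimum sample size per terminal
DOMINANT = 0.8        # assumed share at which one pattern "explains" the log
STUCK_BITS = 8        # assumed number of never-changing bits worth flagging

# Constructed sample rows: terminal id, transaction time (epoch s), UN (hex).
SAMPLE_LOG = """\
ATM-A,1400000012,00012A40
ATM-A,1400000095,00012A41
ATM-A,1400000240,00012A42
ATM-A,1400000301,00012A43
ATM-A,1400000466,00012A44
ATM-A,1400000590,00012A45
ATM-A,1400000733,00012A46
ATM-A,1400000812,00012A47
ATM-B,1400000000,53724E00
ATM-B,1400000061,53724E3D
ATM-B,1400000190,53724EBE
ATM-B,1400000204,53724ECC
ATM-B,1400000377,53724F79
ATM-B,1400000530,53725012
ATM-B,1400000688,537250B0
ATM-B,1400000901,53725185
ATM-C,1400000020,3A91C7E4
ATM-C,1400000133,C56E381B
ATM-C,1400000250,7F02D9A6
ATM-C,1400000391,19B4E05C
ATM-C,1400000447,E8D3146F
ATM-C,1400000602,52C7AB90
ATM-C,1400000715,A40F6D23
ATM-C,1400000880,0DE9B271
"""


def parse(log_text):
    """Group (epoch, un) rows per terminal, ordered by transaction time."""
    by_terminal = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        terminal, epoch, un_hex = line.split(",")
        by_terminal[terminal].append((int(epoch), int(un_hex, 16) & MASK32))
    for rows in by_terminal.values():
        rows.sort()
    return dict(by_terminal)


def dominant(values):
    """Return (most common value, its share of the sample)."""
    value, count = Counter(values).most_common(1)[0]
    return value, count / len(values)


def fixed_bit_count(uns):
    """Count bit positions that hold the same value in every sample."""
    all_and, all_or = MASK32, 0
    for un in uns:
        all_and &= un
        all_or |= un
    return bin((all_and | ~all_or) & MASK32).count("1")


def audit_terminal(rows):
    """Return the list of weaknesses seen in one terminal's UN sequence."""
    if len(rows) < MIN_ROWS:
        return ["insufficient-data"]
    uns = [un for _, un in rows]
    findings = []
    # Counter: consecutive UNs differ by the same non-zero step.
    step, share = dominant([(b - a) & MASK32 for a, b in zip(uns, uns[1:])])
    if share >= DOMINANT and step != 0:
        findings.append("counter")
    # Timestamp: UN tracks the clock, so UN minus time is constant.
    _, share = dominant([(un - epoch) & MASK32 for epoch, un in rows])
    if share >= DOMINANT:
        findings.append("timestamp")
    if len(set(uns)) < len(uns):
        findings.append("repeated-value")
    # A sound generator leaves almost no bit position constant.
    if fixed_bit_count(uns) >= STUCK_BITS:
        findings.append("stuck-bits")
    return findings


def audit(log_text):
    return {t: audit_terminal(rows) for t, rows in parse(log_text).items()}


if __name__ == "__main__":
    for terminal, findings in sorted(audit(SAMPLE_LOG).items()):
        print(terminal, findings or ["no weakness detected"])
```

A clean result only means these specific patterns were absent from the sample; it does not show that a terminal's generator is cryptographically strong.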

Digging further, the researchers also spotted a deeper flaw in the protocol that attackers could use to compromise transactions, even when an ATM generated a cryptographically strong random number. That flaw is due to the ability of attackers to intercept the unpredictable number via a man-in-the-middle attack and replace it with a different pre-computed one, which would likely pass muster with the authorizing bank. Such an attack could be executed via malware installed on POS devices, even if those devices include tamper-resistant EMV modules.

To date, some of the random-number-generator flaws spotted by the researchers have now been patched. But the EMV alliance has yet to address the deeper flaw in the protocol itself. [Researchers said,] “The banks appear to have ignored this, perhaps reasoning that it is difficult to scale up an attack that involves access to specific physical cards and also the installation of malware or wiretaps on specific terminals. We disagree. The Target compromise shows that criminals can deploy malware on merchant terminals widely and exploit it to earn serious money.”

The researchers added that they know of at least one “likely case” of a related skimming attack in the wild, and warned that “the spread of ATM and POS malware is making it ever more of a threat.”

[A] liability shift — scheduled to begin in October 2015, although not until October 2017 for gas station terminals — by Visa seeks to drive more EMV uptake. “The liability shift encourages chip transactions because any chip-on-chip transaction — i.e., a chip card read by a chip terminal — provides dynamic authentication data, which helps to better protect all parties,” Visa explained.

According to the new research, however, that dynamic authentication system is vulnerable to spoofing. Any related liability, however, would rest with the consumer, unless he or she can prove that attackers subverted the EMV security system.

In their paper, the researchers expressed frustration at the EMV alliance failing to address the flaws they exposed more than one year after receiving related security disclosures. “We are now publishing the results of our research so that customers whose claims for refund have been wrongly denied have the evidence to pursue them, and so that the crypto, security, and bank regulation communities can learn [related] lessons.” [The researchers have] also called on banking regulators in the United States and abroad to use their muscle to force merchants, banks, and vendors to put related fixes in place.

[The] researchers called on the payment card industry to take responsibility for keeping the EMV system secure. “Again and again, customers have complained of fraud and been told by the banks that as EMV is secure, they must be mistaken or lying when they dispute card transactions. Again and again, the banks have turned out to be wrong.”

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

All Eyes on the Spies. U.S. Calls Out 5 Chinese Army Officers by Name. Charges Them with Stealing Trade Secrets.

Posted on May 23rd, 2014 by Dan Rampe

The Department of Justice charged Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, five members of China’s People’s Liberation Army, with economic espionage. The five are accused of hacking American companies including Westinghouse, United States Steel and Alcoa.

The five reportedly worked as members of the “Comment Crew” or “Shanghai Group” at a 12-story white office tower on a Chinese Army base in the outskirts of Shanghai. Last year, the building was identified as the source of multiple attacks on the U.S. government and American corporations.

Since there’s a better chance of the Cubs winning the 2014 World Series, Kim Jong-un becoming a world-class sprinter and the Tea Party endorsing Hillary Clinton for president than these Chinese soldiers coming to the United States and standing trial, what’s the point? To get somebody’s attention, or maybe to get everybody’s attention, both here and in China.

In Michael S. Schmidt’s New York Times piece, John Carlin, an assistant attorney general for national security, talked about the damage done by Chinese hackers. “He said that while SolarWorld was rapidly losing its market share to Chinese competitors that were pricing exports well below costs, the hackers were stealing cost, pricing and strategy information from SolarWorld’s computers. And while Westinghouse was negotiating with a Chinese state-owned enterprise over the construction of nuclear power plants…hackers stole trade secret designs for components of those plants.”

This link will take you to Michael Schmidt’s complete New York Times article.

Let’s Put Our Cards on the Table. U.S. Briefs China on Cyberwarfare Plans.

Posted on April 10th, 2014 by Dan Rampe

The U.S. is briefing China’s military on how it plans to defend against cyberattacks and use cybertechnology against adversaries. China, for its part, is saying nothing about its plans. Does this sound like playing poker with just your hole card showing? Anyway, you gotta hope somebody’s playing with a full deck.

In his piece in The New York Times, David E. Sanger explains the idea behind the American strategy and what the U.S. hopes to accomplish with the new cyber openness. (The story has been edited to fit our format.)

The idea was to allay Chinese concerns about plans to more than triple the number of American cyberwarriors to 6,000 by the end of 2016, a force that will include new teams the Pentagon plans to deploy to each military combatant command around the world. But the hope was to prompt the Chinese to give Washington a similar briefing about the many People’s Liberation Army units that are believed to be behind the escalating attacks on American corporations and government networks.

So far, the Chinese have not reciprocated.

The effort, senior Pentagon officials say, is to head off what Mr. Hagel and his advisers fear is the growing possibility of a fast-escalating series of cyberattacks and counterattacks between the United States and China. This is a concern especially at a time of mounting tensions over China’s expanding claims of control over what it argues are exclusive territories in the East and South China Seas, and over a new air defense zone. In interviews, American officials say their latest initiatives were inspired by Cold-War-era exchanges held with the Soviets so that each side understood the “red lines” for employing nuclear weapons against each other.

“Think of this in terms of the Cuban missile crisis,” one senior Pentagon official said. While the United States “suffers attacks every day,” he said, “the last thing we would want to do is misinterpret an attack and escalate to a real conflict.”

Mr. Hagel’s concern is spurred by the fact that in the year since President Obama explicitly brought up the barrage of Chinese-origin attacks on the United States with his newly installed counterpart, President Xi Jinping, the pace of those attacks has increased. Most continue to be aimed at stealing technology and other intellectual property from Silicon Valley, military contractors and energy firms. Many are believed to be linked to cyberwarfare units of the People’s Liberation Army acting on behalf of state-owned, or state-affiliated, Chinese companies.

“To the Chinese, this isn’t first and foremost a military weapon, it’s an economic weapon,” said Laura Galante, a former Defense Intelligence Agency cyberspecialist.

Administration officials acknowledge that Mr. Hagel, on his first trip to China as defense secretary, has a very difficult case to make, far more complicated than last year. The Pentagon plans to spend $26 billion on cybertechnology over the next five years — much of it for defense of the military’s networks, but billions for developing offensive weapons — and that sum does not include budgets for the intelligence community’s efforts in more covert operations. It is one of the few areas, along with drones and Special Operations forces, that are getting more investment at a time of overall Pentagon cutbacks.

Moreover, disclosures about America’s own focus on cyberweaponry — including American-led attacks on Iran’s nuclear infrastructure and National Security Agency documents revealed in the trove taken by Edward J. Snowden, the former agency contractor — detail the degree to which the United States has engaged in what the intelligence world calls “cyberexploitation” of targets in China.

The revelation by The New York Times and the German magazine Der Spiegel that the United States has pierced the networks of Huawei, China’s giant networking and telecommunications company, prompted Mr. Xi to raise the issue with Mr. Obama at a meeting in The Hague two weeks ago. The attack on Huawei, called Operation Shotgiant, was intended to determine whether the company was a front for the army, but also focused on learning how to get inside Huawei’s networks to conduct surveillance or cyberattacks against countries — Iran, Cuba, Pakistan and beyond — that buy the Chinese-made equipment. Other cyberattacks revealed in the documents focused on piercing China’s major telecommunications companies and wireless networks, particularly those used by the Chinese leadership and its most sensitive military units.

Mr. Obama told the Chinese president that the United States, unlike China, did not use its technological powers to steal corporate data and give it to its own companies; its spying, one of Mr. Obama’s aides later told reporters, is solely for “national security priorities.” But to the Chinese, for whom national and economic security are one, that argument carries little weight.

“We clearly don’t occupy the moral high ground that we once thought we did,” said one senior administration official.

For that reason, the disclosures changed the discussion between the top officials at the Pentagon and the State Department and their Chinese counterparts in quiet meetings intended to work out what one official called “an understanding of rules of the road, norms of behavior,” for China and the United States.

The decision to conduct a briefing for the Chinese on American military doctrine for the use of cyberweapons was a controversial one, not least because the Obama administration has almost never done that for the American public, though elements of the doctrine can be pieced together from statements by senior officials and a dense “Presidential Decision Directive” on such activities signed by Mr. Obama in 2012. (The White House released declassified excerpts at the time; Mr. Snowden released the whole document.)

Mr. Hagel alluded to the doctrine a week ago when he went to the retirement ceremony for Gen. Keith B. Alexander, the first military officer to jointly command the N.S.A. and the military’s Cyber Command. General Alexander was succeeded last week by Adm. Michael S. Rogers, who as the head of the Navy’s Fleet Cyber Command was a central player in developing a corps of experts who could conduct cyberwarfare alongside more traditional Navy forces.

“The United States does not seek to militarize cyberspace,” Mr. Hagel said at the ceremony, held at the N.S.A.’s headquarters at Fort Meade, Md. He went on to describe a doctrine of “minimal use” of cyberweaponry against other states. The statement was meant to assure other nations — not just China — that the United States would not routinely use its growing arsenal against them.

In Beijing, the defense secretary “is going to stress to the Chinese that we in the military are going to be as transparent as possible,” said Rear Adm. John Kirby, the Pentagon press secretary, “and we want the same openness and transparency and restraint from them.”

Experts here and in China point out that a lot was left out of Mr. Hagel’s statement last week. The United States separates offensive operations of the kind that disabled roughly 1,000 centrifuges in Iran’s nuclear program, America’s best-known (and still unacknowledged) cyberattack against another state, from the far more common computer-enabled espionage of the kind carried out against the Chinese to gather information about a potential adversary.

“It’s clear that cyberspace is already militarized, because we’ve seen countries using cyber for military purposes for 15 years,” said James Lewis, an expert at the Center for Strategic and International Studies. “The Chinese have had offensive capabilities for years as well,” he said, along with “more than a dozen countries that admit they are developing them.”

Credit Monitoring Services: Real Protection or Self Deception?

Posted on March 20th, 2014 by Dan Rampe

Hopefully you weren’t one of those kids who heard a noise in the middle of the night and pulled the covers up over your head to protect you from the monster under the bed. Or in the closet. Or in the hallway. Or staring in the bedroom window. And, hopefully you’re not a grownup who does it either.

The point is: are credit monitoring services the equivalent of pulling a blanket over your head to provide you with the appearance of security? Or do they offer real blanket protection?

Security expert Brian Krebs of Krebs on Security, who’s often been the target of identity theft because of his efforts uncovering cybercrime, has thoroughly investigated whether credit monitoring services are really worth having. Following is what he’s discovered. Note: it’s been edited to fit our format.

Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.

Avivah Litan, a fraud analyst at Gartner Inc., said offering credit monitoring has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud).

“These are basically PR vehicles for most of the breached companies who offer credit report monitoring to potentially compromised consumers,” Litan said. “Breached companies such as Target like to offer it as a good PR move even though it does absolutely nothing to compensate for the fact that a criminal stole credit card mag stripe account data. My advice for consumers has been – sure get it for free from one of the companies where your data has been compromised (and surely these days there is at least one). But don’t expect it to help much – by the time you get the alert, it’s too late, the damage has been done. It just shortens the time to detection so you may have a slightly improved chance of cleaning up the damage faster. And you can get your credit reports three times a year from the government website for free which is almost just as good so why pay for it ever?”

FRAUD ALERT BREAKDOWN

Normally, I place fraud alerts on my credit file every 90 days, as allowed by law. This step is supposed to require potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You merely need to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union). Whichever one you file with is required by law to alert the other two bureaus as well.

Most consumers don’t know this (few consumers know the names of the three main credit bureaus), but there is actually a fourth credit bureau that you should alert: Innovis. This bureau follows the same rules as the big three, and you may file a fraud alert with them….

Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task); consumers who can demonstrate that they are victims or are likely to be victims of identity theft can apply for a long-term fraud alert that lasts up to 7 years (a police report and other documentation may be required).

I’m not sure what happened last year, but I believe some fraudsters managed to apply for credit in my name right after my 90-day fraud alert had expired. In any case, I received a call from AllClearID (formerly Debix), a credit monitoring service that I’ve used for nearly two years now. AllClearID called to tell me someone had made several applications for credit with Capital One.

AllClearID quickly conferenced in a representative from Capital One’s fraud team, but Capital One wouldn’t tell us anything about the application unless I gave them every piece of information about me they didn’t already have. We went round and round with Capital One for hours about this, but got nowhere; I refused to hand over more personal information just to prove to them I wasn’t the one who made the application, and each new representative we spoke with made us retell the story from the beginning.

In all, I had several fraudulent applications for credit in my name, and while none of them were granted, each resulted in a “hard pull” against my credit file. Anytime a creditor pulls your credit file for the purposes of checking an application for new credit, it dings your credit score down a few notches. And as Evan Hendricks writes in his primer on the credit industry (Credit Scores & Credit Reports: How the System Really Works, and What You Can Do), “the worse your credit score, the more you pay for mortgages, loans, credit cards, and insurance. Conversely, the better your credit score, the more favorable terms you will get on interest rates and premiums.”

Unfortunately, another thing that often happens with fraudulent applications is that thieves use only part of your real information — mixing your name and Social Security number with an alternate address, for example. This is what happened on two of the fraudulent applications for credit in my name, with the result that this incorrect data was added to my credit file.

AllClearID has been tremendously professional, and quickly alerted me each time Capital One pulled my credit file. But the company could do nothing to stop creditors from pulling my file, or fraudsters from making new applications in my name. The biggest help they’ve been so far is in getting Capital One to remove the fraudulent (score-dinging) credit pulls from my file, and in scrubbing the fraudulent data from my credit file (actually, that part is ongoing: Trans Union has steadfastly ignored requests to remove bogus addresses on my file, necessitating AllClear’s filing of an official complaint with the Consumer Financial Protection Bureau).

I asked several experts that I trust for their views on credit monitoring services in general, and to explain their benefits and weaknesses. I also wanted to know why none of the credit monitoring services will offer to renew 90-day fraud alerts on behalf of customers.

Julie Ferguson, a board member of the Identity Theft Resource Center, said a lawsuit by Experian against Lifelock effectively killed that service for virtually all credit monitoring services, with the exception of Equifax. “After Experian sued Lifelock, none of the banks wanted to distribute and sell it as a service,” Ferguson said. “Equifax will still. Nobody else does anymore, not even Experian.”

Ferguson also stressed that there are varying levels of protection services offered by the credit bureaus and private companies, and that although many of them are priced similarly ($10-$15 per month), they vary widely in the services they provide. Take, for example, the ProtectMyID package that Experian contracted with Target to offer customers following last year’s massive data breach. The service will monitor your credit report daily and alert you of any changes, and includes up to $1 million in identity theft protection insurance. The service also offers users a fraud resolution agent if identity theft does surface, and it provides a free copy of the user’s credit report (Experian is required by law to provide a free copy of your credit report each year anyway, via annualcreditreport.com). Those who sign up for the free service still have to pay extra to see a copy of their credit scores.

“The ‘protection’ provided by these services is really all over the map once you delve into the services they provide,” Ferguson said. “Some will give you credit monitoring only on one credit bureau, while others will monitor your file at all three.”

Avivah Litan…rattled off a long list of reasons why credit monitoring services aren’t much use to most consumers.

- Most won’t tell you if a new wireless or cable service has been taken out in your name.

- They do nothing to monitor your bank account transactions, credit card accounts (for fraudulent charges), retirement accounts, brokerage accounts, loyalty accounts and more. And these are all areas where consumers should be very concerned about account takeover.

- They do nothing to tell you if a bad guy has hijacked your identity for non-financial purposes, i.e. to get a new driver’s license, passport or other identity document. Of course a bad guy impersonating a consumer using a forged identity document can end up in prison, causing lots of problems for the victim whose identity was hijacked.

- They do nothing to stop tax fraud (typically tax refund fraud) against you. Same is true for other government benefit programs, i.e. Medicare fraud, Medicaid fraud, welfare fraud, and Social Security fraud.

“In short, they only give consumers limited help with a very small percentage of the crimes that can be inflicted on them,” Litan said. “And consumers can get most of that limited help for free via the government website or free monitoring from a breached entity where their data inevitably was compromised.”

DO THESE SERVICES HELP AT ALL?

“They help if it’s too hard for you to look through your free credit report and make sense of all the activity in it,” Litan said. “Also they can alert you faster than the free credit report does, depending on timing of the infraction and when you look at your free credit report.”

Litan added that some services — such as Lifelock — have a few extra bells and whistles. For example, Lifelock sometimes gets information (such as from the Early Warning System) when profile information on your bank account has changed (e.g. change of address).

“They also have access to most mobile carrier account application data,” Litan said. “Equifax has some extra utility company data. So, some of these firms have access to some extra data that can help in other scenarios.”

While most plans offer identity theft insurance — usually advertised as up to $1 million — most of that is coverage consumers already have under existing laws and Visa/MC zero liability rules, Litan says.

“On top of that they reimburse ID theft victims for some legal fees and some minor expenses like postage stamps,” Litan said. “But if someone takes out a mortgage in your name and now you owe the bank $100k or more – nobody covers that, and that’s what they need to cover.”

Ferguson said credit monitoring services are most useful for people who have already been victimized or for those who are likely to be victimized (by a jilted spouse/lover, or stalker, for example). For those individuals, it makes sense to purchase a plan that offers triple credit bureau monitoring for maximum protection. The main downside of this approach is that a fraudulent application for credit can result in a deluge of alerts, emails and phone calls from all three bureaus simultaneously.

ALTERNATIVES TO CREDIT MONITORING

As mentioned above, placing a fraud alert on your credit file every 90 days is the cheapest (as in free) way to block creditors from granting new lines of credit in your name, and from unnecessarily dinging your credit score.

You are entitled to a free copy of your credit report from each of the three major credit bureaus annually. The only site you need to obtain this free copy is annualcreditreport.com, or by phone via 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring.

If you have been the victim of identity theft, or if you don’t anticipate needing to take out a loan or apply for new lines of credit anytime soon and you’d rather not deal with fraud alerts, placing a freeze on your credit file may be the smarter option.

A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. As Consumers Union writes, “when a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file.

When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”

Forty-nine states and the District of Columbia now have laws on the books allowing consumers to freeze their credit (Michigan is the holdout). Many of these laws allow the placement of a freeze for free if the consumer has a police report documenting an identity theft episode; for those without an ID theft scare notched on their belt, most states allow for the placement of a freeze for a $10 fee. See this site for more details on the various state freeze laws and instructions on how to obtain them.

Consumers also can reduce their exposure to identity theft by opting out of unsolicited credit card or insurance offers. Doing this, via www.optoutprescreen.com, or 888-5OPT-OUT, should block most unsolicited applications and reduce the incidence of identity theft. Doing so removes your name, address and personal identifiers from lists supplied by the Equifax, Experian, TransUnion and Innovis credit reporting agencies that are used for preapproved and pre-screened offers of credit or insurance.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix™ Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

ThreatMetrix Named 2014 Cyber Defense Magazine Award Winner in Two Categories: Most Innovative Anti-Malware Appliances Solution and Best Product Network Access Control Solution

Posted on February 24th, 2014 by Dan Rampe


We’re not bragging. Okay maybe just a little. But, it looks like we’re going to have to invest in a larger trophy case. That’s because ThreatMetrix™ just won Cyber Defense Magazine awards for the most Innovative Anti-Malware Appliances Solution and for the Best Product Network Access Control Solution. (See below for list of other recent ThreatMetrix awards.)

Cyber Defense Magazine presents the awards at this week’s RSA Conference 2014, February 24-28 in San Francisco. They recognize the top IT security leaders who strive to offer cutting-edge knowledge of cybercrime and create advanced solutions for solving the online security issues facing businesses today.

ThreatMetrix was selected because of its anonymized global trusted identity network known as the ThreatMetrix™ Global Trust Intelligence Network or simply The Network. The Network, which differentiates between authentic and suspicious transactions and online activity, is the most comprehensive global repository of identity and fraud data in the world. It protects hundreds of millions of users and data points from cybercrime with real-time analytics that evaluate logins, payments, new account registrations and remote-access attempts for their authenticity.

In conjunction with the conference, ThreatMetrix is announcing it now offers frictionless context-based authentication for enterprise applications. Frictionless context-based authentication combines contextual information and user credentials to evaluate the possible risk of users who attempt to access resources. The new offering provides key benefits for enterprises, including frictionless access, increased security and operational efficiency.

“Our team is continuously developing new solutions to stay one step ahead of cybercriminals, and we’re thrilled to be honored by Cyber Defense Magazine in recognition of those efforts,” said Bert Rankin, chief marketing officer, ThreatMetrix. “We’re uniquely positioned to help companies prevent cybercrime as our trusted identity network is the largest in the world and protects more than 160 million active user accounts.”

To learn more about ThreatMetrix’s context-based security and advanced fraud prevention solutions, visit ThreatMetrix at Booth 232 in the South Hall at the RSA Conference 2014.

ThreatMetrix has garnered a whole host of awards:

• Named One of SINET’s Top 16 Cybersecurity Solution Entrepreneurial Companies.

• Won an American Business Award Gold Stevie in the category of the “Best New Product or Service of the Year – Software – Security Solution” and a Silver Stevie for the “Most Innovative Tech Company of the Year.”

• Named a TechNavio Top 15 Cloud Security Company

• Gold for “Most Innovative Company of the Year” in Best in Biz Awards 2013 International

• Named to the 2013 AlwaysOn Global 250 Top Private Companies List

• Named one of the Top 15 Most Important Startups of 2013 by Business Insider


“Healthcare Breaches to Soar in Twenty One-Four” — Bad Rhyme. Worse News. Experian Says Healthcare Industry a Prime Cybertarget in 2014.

Posted on February 10th, 2014 by Dan Rampe


Credit bureau and consumer data tracking service Experian, which also helps companies recover from personal data breaches, and which in 2013 was tricked by a Vietnamese hacker and identity thief into selling consumer records directly to his online identity theft service (hey, nobody’s perfect), just published its “2014 Data Breach Industry Forecast.”

David F. Carr, writing on informationweek.com, reviewed the report and pointed out its salient points.

“The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014,” according to the report (registration required), which addressed healthcare risks as one of six major trends. “The sheer size of the industry makes it vulnerable when you consider that as Americans, we will spend more than $9,210 per capita on healthcare in 2013. Add to that the Healthcare Insurance Exchanges (HIEs), which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, provide an expanded attack surface for breaches.” The “attack surface” of a system refers to the parts that pose the greatest opportunity for attack or error.

…Michael Bruemmer, vice president of its breach resolution service, Data Breach Resolution, and author of the report, said healthcare accounted for about 46% of the breaches his division serviced in 2013 — and he expects that to rise significantly in 2014.

Bruemmer said he is basing this prediction at least partly on reports of security risks posted by the HealthCare.gov website and the health insurance exchanges established by various states. The web infrastructure to support health insurance reform was “put together too quickly and haphazardly.” The most glaring problem for these sites has been their inability to keep up with consumer demand. The organizational infrastructure behind the implementation of Obamacare is also complex, meaning that many parties have access to the personal data and could misuse or mishandle it. “So we have volume issues, security issues, multiple data handling points — all generally not good things for protecting protected health information and personal identity information.”

Another factor: In 2014, the industry will feel the full force of tightened rules that went into effect in September for protecting health information and disclosing breaches.

Part of the problem is that many participants in the healthcare industry, such as individual doctor’s offices, don’t think of themselves as being in the data management business, so they are inadequately prepared to protect data against the threats that exist today, according to Bruemmer. In most cases, data breaches have less to do with advanced hacking techniques than with lost laptops, failing to shred paper records, and other employee errors. Though the threat from malicious insiders is significant, a bigger threat is “people doing dumb things.”

In the IT realm, there are stories of people installing anti-malware software but forgetting to turn it on. “And then there’s my favorite: where the people in the network operations center actually left the door unlocked, and another employee came in, sat at a console, and played around with the system to see what he could get.”

Overall, Experian’s remediation group worked on more than 2,200 breaches in 2013, versus 1,700 in 2012. In three of the top 10 breaches, the error was traced to a system administrator’s sloppy password practices, such as neglecting to change a default password or carelessly sharing the password.

Whether stolen or accidentally disclosed, healthcare data is valuable, and that makes it a target. On the black market, personal records suitable for use in identity theft are worth $10-$12 each at the low end or maybe $25-$28 for a particularly attractive identity, he said. When enriched with health data, the value of an identity data set jumps to about $50 per record, because then it can be used for medical and insurance fraud.

“The threat is out there, and the threat is going to get bigger,” Bruemmer said. “The point is to ensure that you’re prepared and have a plan in place.”

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.


What You Say on Facebook Stays on Facebook…Maybe. Lawsuit Accuses Company of Mining Private Messages for Advertisers.

Posted on January 17th, 2014 by Dan Rampe


In mining private messages, has Facebook dug itself a hole? That’s what a federal court is going to have to decide. The question is clear cut. Should a social media user, who pays nothing for the service which earns revenue selling user information to advertisers, have a right to expect his/her information will be kept private?

And, while the question is clear cut, the answer is anything but. Writing on csoonline.com, Antone Gonsalves tackles a case that one day might end up before the Supreme Court.

The lawsuit filed in federal court in Northern California seeks class-action status for all Facebook users allegedly duped into believing that they could send confidential messages. Specifically, the suit says Facebook has violated the federal Electronic Communications Privacy Act and California privacy laws.

Facebook has allegedly gone wrong by scanning private messages containing links to websites and searching the destinations for clues about the sender that it can sell to advertisers, marketers and other data aggregators.

The plaintiffs argue that Facebook implied the opposite when it launched its integrated email and messaging service in November 2010.

“Facebook telegraphs through the use of the words ‘privately’ and ‘private’ that when a user sends a private message to another party, only the user and the intended recipient will be privy to the contents of that communication,” the suit says.

Plaintiffs Matthew Campbell, Pulaski County, Ark., and Michael Hurley, North Plains, Ore., are seeking the greater of either $100 a day for each day of violation or $10,000 for each affected user, plus damages under California law.

Facebook denies any wrongdoing. “We believe the allegations are without merit and we will defend ourselves vigorously,” the company said in a statement emailed to Computerworld.

Expecting privacy from an ad-driven Web site that needs to check all posted links for malware and spam is ludicrous, Anton Chuvakin, research director for security and risk management at Gartner, said. “Frankly, this is an idiotic suit,” he said. “If the message is really private, as in secret, use encrypted email or hand-deliver it. Why is it on Facebook?”

Of course, the social network has the responsibility of clearly explaining what it does with all user-generated content, so the courts will have to decide whether Facebook was misleading in the use of the word private with its email service.

In the meantime, experts say the suit should remind companies that all business communications should be done through corporate email. Essentially, only information meant to be public should go out on a social network on behalf of the company.

“All social networking companies at this point are making their revenue via advertising and all are using data mining techniques to target ads in one way or another,” Jody Brazil, president and chief technology officer for security management company FireMon, said. “As such, communication must be considered semi-public regardless of how it is posted.”

For easier monitoring of social media use, companies need to have a strict policy that only authorized employees can post content on behalf of the business, privacy expert Rebecca Herold said. In addition, posted content should never contain information about a company’s intellectual property, employees, customers or partners.

“All organizations, in all industries, need to have social media policies in place for not only Facebook, but also for all other social media sites,” Herold said.

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.


ThreatMetrix Shares Strategies for Businesses to Protect Identities in Use in Support of Data Privacy Day

Posted on January 13th, 2014 by Dan Rampe


Businesses Must Move Beyond Focusing Merely on Data at Rest and Protect Customer Identities Against Fraudulent Activity Following Data Breaches

San Jose, Calif. – January 13, 2014 – ThreatMetrix™, the fastest-growing provider of integrated cybercrime solutions, kicks off its commitment to Data Privacy Day by announcing several strategies for businesses to protect identities in use following a data breach.

Every time an identity is used online, especially when a new account is opened, there’s a chance that identity has been stolen or compromised. However, many organizations simply focus on guarding data at rest–inactive data stored on an internal server–rather than understanding the implications of identities in use and taking action to protect them.

Following a data breach, a significant implication is that customer and corporate identities are used without an individual or company’s knowledge. A key requirement for data protection is for businesses to assure personally identifiable information is screened against unauthorized use prior to being processed. Every year, ThreatMetrix protects more than four billion transactions and identities in use and has several strategies for businesses across industries to prevent spoofed or stolen identities.

Key strategies that businesses can implement to protect identities in use include:

Device Identification – Using a visitor’s browser and machine attributes as a passive form of two-factor authentication reduces the effectiveness of cybercriminals reusing stolen credentials from a new or known fraudulent device. In addition, advanced proxy piercing and virtual private network (VPN) detection capabilities eliminate IP spoofing, the most common attack vector for identity thieves.

Malware Detection – Frictionless malware detection can analyze risk on a customer’s behalf giving businesses the option to prevent access to sensitive data if there is a known Trojan on the customer’s device.

Behavior-Based Identity Proofing – Analyzing patterns of usage, including locations, identities, devices and associations over time, provides ‘spoof-proof’ identity screening.

Anonymized Trust Federation – Passively leveraging prior authentication and verification information across departments and organizations reduces customer friction and authentication costs.

“Cybersecurity strategies often prioritize minimizing a company’s monetary losses following a data breach over protecting customer identities and data obtained by cybercriminals,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Personal identities, both consumer and workforce, account for a large amount of identities in use, and organizations and service providers must protect individual identities by investing in frictionless customer protection and fraud prevention technologies. Examples of fraudulent activity may include using a spoofed IP address to hide online location, using work-at-home scams for stolen goods deliveries or using bots for brute force attacks against customer account passwords.”

Customer data contains sensitive information–including banking credentials, email passwords, medical information and social security numbers. Once this data is exposed, it is at risk for fraudulent activity by cybercriminals or can be sold via online crime rings. To prevent such risks, businesses need to understand how stolen identities are used against consumers and companies – including fraudulent credit card transactions, social media logins and banking logins.

“Data breaches are a key focus for cybersecurity providers, but many companies don’t consider how stolen identities are eventually used against their customers for cybercrime,” said Faulkner. “ThreatMetrix is uniquely positioned to help businesses measure and understand how identities are used online, especially regarding the risks and implications of exposed customer identities following a data breach or cyber attack.”

One of the most effective ways businesses can protect online data is through an anonymized global data repository, such as the ThreatMetrix™ Global Trust Intelligence Network (The Network), to differentiate between authentic and suspicious transactions and online activity. The Network is the most comprehensive global repository of identity and fraud data, protecting hundreds of millions of users and data points each day from cybercrime. Its real-time analytics evaluate logins, payments, new account registrations and remote access attempts for validity.

By collaborating on a global level through a shared network, businesses can effectively build trust on the Internet by mitigating cybercrime risks. Given the severity of today’s high profile data breaches, no business can afford to stand alone in the fight against cybercrime and protecting customer identities.

Data Privacy Day, sponsored by the National Cyber Security Alliance, takes place annually on January 28, and encourages businesses and consumers to make protecting privacy and data a greater priority. Due to its alignment with online data protection and cybercrime prevention, ThreatMetrix was named a Data Privacy Day Champion by the National Cyber Security Alliance, which educates and empowers a digital society to use the Internet safely at home, work and school. ThreatMetrix will publish additional news surrounding data privacy throughout the month of January.

About ThreatMetrix

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.


40 Million Credit/Debit Card Data Breach Makes Target a Target for Lawsuits by Attorneys and Investigations by Attorneys General

Posted on January 8th, 2014 by Dan Rampe


Suddenly Target has become one of the most aptly named companies in the world as attorneys general from four states (and counting) and three class-action lawsuits (and maybe more down the road) take aim at the retailer.

Connecticut, Massachusetts, New York and South Dakota have requested information about the breach. And two class action suits have been filed in California with an additional one filed in Oregon. Two of the suits are seeking damages in excess of $5 million.

Brian Krebs on KrebsOnSecurity.com notes, “Credit and debit card accounts stolen in (the Target breach) … have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card.”

For a time, to mitigate damage to the company’s reputation, Target offered customers a 10% discount in its approximately 1,800 U.S. stores, but there was no mention of a discount for customers of Target’s 124 Canadian outlets. What’s with that? Eh? Additionally, CEO Gregg Steinhafel said the company would provide free credit monitoring for at-risk customers.

Mike Snider in his piece on usatoday.com quoted Daren M. Orzechowski, a New York-based intellectual property attorney with White & Case LLP, noting that “With these data security breaches, there’s usually the question of consumer confidence and trust. They [may] feel they need to do more to try to preserve consumer confidence.”

Columbia Law School professor John Coffee told Snider, “We do not yet know if Target was negligent or whether these were very skillful hackers who could have penetrated any system–but those critical factual issues seldom slow the race to the courthouse.”

In addition to states’ attorneys general and lawyers bringing class-action suits, the U.S. Secret Service is also investigating the breach, the second largest for a retailer in U.S. history; the first involved retailer TJX in 2005.

Snider reports that the breach might spur the adoption of smart cards, which, instead of a magnetic strip on the reverse side, have digital chips that create a unique code every time a card is used. Of the cards currently in use, Mallory Duncan, general counsel at the National Retail Federation, notes, “We are using 20th century cards against 21st century hackers.”


Pro-Assad Syrian Electronic Army Hacked Skype. No User Info Compromised.

Posted on January 8th, 2014 by Dan Rampe


The weapons in Syria’s civil war run the gamut from poison gas to poisoning public opinion. While world condemnation is forcing the Assad regime to dispose of its poison gas reserves, the public opinion war continues unabated.

In the latest “battle,” Skype, which is owned by Microsoft, had its Twitter feed hacked and the following message left, “Don’t use Microsoft emails (hotmail, outlook), they are monitoring your accounts and selling the data to the governments. More details soon. #SEA.” Also posted was contact information for outgoing Microsoft chief executive Steve Ballmer, saying, “You can thank Microsoft for monitoring your accounts/emails using this details. #SEA.”

In his report on the hack for latimes.com, Nabih Bulos noted that the Syrian Electronic Army on its Facebook page said, “In continuation of our electronic war that we started in defense of the borders of our homeland … the command of the SEA declares its success in hacking Microsoft … and finding many documents that prove Microsoft’s selling of information and passwords for Hotmail and Outlook and other accounts to government in exchange for large sums of money.” Following was a link in Arabic.

Bulos went on to point out the underlying cause of SEA’s disenchantment with Microsoft. “Skype has been a mainstay of communications among opponents of the Syrian government and is often the only way to reach activists, largely because of the widespread belief that the service is secure.”

For its part, a Skype spokesperson made clear in a statement that “no user information was compromised.”
