You Can Never Start Too Early

Posted on September 1st, 2014 by Dan Rampe


Camp Prepares 9th to 12th Graders for Cybersecurity Threats

With some hackers not yet out of their teens before they’re into cybercrime, it makes sense that there would be a camp for high school students to learn about online threats. Seventy-five teenagers in one Virginia county are getting that opportunity in the Marshall Academy’s third annual camp.

In her piece on fairfaxtimes.com, Kate Yanchulis outlines what the camp is like and what the students learn, including how to avoid hackers and handle cyberbullying. The following has been excerpted from Yanchulis’ piece and edited to fit our format. You may find her full article by clicking on this link.

Teenagers stared with wide eyes at their laptops … as Ryan Walters told them that more than 90 percent of their computers likely had been hacked or infected by a virus. Of the 75 campers gathered at McLean High School for a cyber security camp, only one girl could rest easy, said camp leader Walters. Her new laptop had never been powered up.

But [Walters] told students not to feel too bad about their security lapses. Walters, a former Air Force captain who worked on government defense systems, said at least 30 percent of the U.S. Defense Department’s network is considered compromised.

The realities of cyber security — on both a large and small scale — provide the backbone for the camp.

Marshall Academy offers [Fairfax County, Virginia] students specialized technical education courses in several subject areas, including information technology. The $185 registration fee for the camp goes toward Marshall Academy’s cybersecurity club.

The camp divides students into beginner and advanced cohorts and teaches students the basic elements of cybersecurity as well as providing hands-on experience, Walters said. Walters, now a digital entrepreneur, founded Marshall Academy’s club three years ago with his son Jacob, then a freshman. Walters serves as a mentor for the club and lead instructor for the camp.

Charles Britt of SySTEMic Solutions [which provides support for the program], says, “With this camp, we want to offer exposure to the cybersecurity field to as many students as possible.”

Marshall Academy’s cybersecurity club counts 60 students as members. The club teaches students about cybersecurity and also takes part in annual cyber security competitions. The money from the camp goes toward competition fees [and the] club is a three-time national finalist in CyberPatriot competitions.

While the camp has proved a fertile ground for developing future cybersecurity team members, Walters said he just wants students to learn how to protect themselves online, whether from hacking or cyberbullying.

ThreatMetrix® builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

Newest ThreatMetrix Patent Pushes the Envelope in Context-Based Security and Fraud Prevention

Posted on July 29th, 2014 by Dan Rampe


Patent expands fuzzy matching technology beyond network and device attributes. Now includes account details, transaction details and more.

The new patent is U.S. Patent 8,782,783: “Method and System for Tracking Machines on a Network Using Fuzzy GUID (Globally Unique Identifier) Technology.” This is a continuation of a previous patent that provides the cornerstone technology for ThreatMetrix’s industry-leading cookieless device identification and global device recognition. The new patent expands ThreatMetrix global identification technology beyond network and device attributes to include broader attributes such as account, identity and transaction details to build a complete picture of an online persona. The unique fuzzy matching capability of the patent creates a reliable, anonymous global identifier, enabling persistent global tracking and classification of malicious mobile and web devices and activities on the Internet, regardless of how underlying attributes change.

“Cybercriminals are learning to disguise themselves online in the same way thieves wear gloves to mask fingerprints at a crime scene,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “As cyberattacks become more sophisticated, we must evolve our defenses even faster to best detect and keep out cybercriminals, which is where this patented technology comes into play. Without the ThreatMetrix Fuzzy GUID patent, companies lose sight of both good customers and criminals when they change their IP Address, delete cookies or change their mobile or browser settings.”

Continuously updating its products in its worldwide fight against hacking, fraud and ID theft, ThreatMetrix has released a number of patents over the years, securing the company’s place as an industry leader in building trust on the Internet. Patents include:

  • U.S. Patent 8,141,148: “Method and System for Tracking Machines on a Network Using Fuzzy GUID Technology” This patent – which provides the basis for the new patent – provides the technology for device identification and global recognition regardless of cookie deletion and copying. This technology is available through ThreatMetrix SmartID™, which utilizes unique device attributes to identify visitors that have wiped cookies, use private browsing or changed IP addresses.
  • U.S. Patent 8,176,178: “Method for Tracking Machines on a Network Using Multivariable Fingerprinting of Passively Available Information” This patent detects fraudsters using proxies or virtual private networks (VPNs) through the most advanced device recognition risk assessment. The technology provides a complete view of each device, taking into account the device’s historical behavior and broader context.

To broaden the reach of the company’s context-based authentication and advanced fraud prevention solutions, in March ThreatMetrix secured $20 million in Series E.


Yes Again! Hackers Exploring Exploit of Explorer. Flaw in Versions 6 Thru 11 Puts Half the Planet’s IE Browsers at Risk.

Posted on April 28th, 2014 by Dan Rampe


Heartbleed was “so last week.” Maybe that’s why the tech gods decided to send us another little thunderbolt. And this one may not be that little.

The security firm that first discovered the flaw said that hackers are primarily concentrating their efforts on IE 9 through 11 though no version of Explorer is exempt from attack.

To exploit the flaw, the hacker requires the user’s cooperation. That is, the user must click on a link or open an attachment. Once inside, the hacker can install malware, which, Microsoft explained, makes it possible for the hacker to “gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

According to a piece on washingtonpost.com by Gail Sullivan, Microsoft says once it finishes its investigations “it will issue a fix for the problem, either in a monthly security update or a special security update.”

Till the fix is available, Microsoft suggests downloading its Enhanced Mitigation Experience Toolkit version 4.1 to help guard against attacks.

FireEye, which discovered the flaw, suggested disabling the Adobe Flash plugin (the attacks won’t work without it) and running IE in enhanced protection mode (only available in IE 10 and 11) for maximum protection.

If you’re still running XP, the best advice is to cross your fingers and hold your breath or use Firefox, Chrome or another browser. That’s because short-term solutions don’t work and Microsoft won’t be releasing patches.

If your OS is a later version that will be covered by a patch, you’re still not out of the proverbial woods. You see, about 10 percent of government computers still run XP. That, according to the Washington Post’s Craig Timberg and Ellen Nakashima, includes thousands of computers on classified military and diplomatic networks.


With 97% of Malware Aimed at Android, Can an Android Device Be as Safe as an iPhone for Example? App-solutely.

Posted on March 31st, 2014 by Dan Rampe


Two figures leap out of just about every survey on smartphones. Globally, Android has 87 percent of the market and 97 percent of the malware.

In 2012 there were 238 threats to Android. That jumped to 804 in 2013. And, over that same timeframe, threats to Apple iOS, BlackBerry OS and Microsoft Windows Phone were a goose egg, nil, zero, nada, none. These figures come from a piece on Forbes.com, which explains that the 3 percent of malware that didn’t go to Android went to Nokia’s now defunct Symbian platform.

So, if you want to be safe, get ABA (Anything But Android), right? Not so fast says Gordon Kelly in his Forbes.com piece:

Let’s be clear. From a statistical viewpoint researcher and security specialist F-Secure got them right. Android does account for 97% of all mobile malware, but it comes from small, unregulated third party app stores predominantly in the Middle East and Asia. By contrast the percentage of apps carrying malware on Google’s official Play Store was found to be just 0.1% and F-Secure acknowledges rigorous checks mean “malware encountered there tends to have a short shelf life.”

If you want to stay safe on Android [here’s] the solution: stick to buying apps on the Play Store and every one in 1000 apps you buy may have had malware for a brief period.

Strangely F-Secure didn’t reveal figures for Amazon’s Apps for Android store, but other third party Android stores didn’t fare so well. Mumayi, AnZhi, Baidu, eoeMarket and liqucn were found to have 6%, 5%, 8%, 7% and 8% malware penetration respectively and an appalling 33% of apps were infected in Android159. Repacked or faked games were the big target and since it isn’t difficult to taint an app with malware the message is simple: steer clear of third party app stores that don’t have the resources to effectively scan and police their libraries.

Despite these figures, F-Secure … stressed each new version “has included a number of security-related changes that help mitigate the effects of malware.” Consequently rather than laying the blame at Google’s feet, it stressed the real problem was fragmentation caused by hardware manufacturers failing to update their devices to the latest version of Android.

But Google doesn’t get off scot-free. Google lags a long way behind Apple when making its app store available around the world. The most notable omission is China, where Apple has made significant progress in recent years.

Furthermore, while Google Play users in most countries can now purchase apps, the countries where developers can sell apps remains hopelessly restrictive. For example there is no developer support in Africa and only Argentinian and Brazilian developers can sell apps through the Play Store in South America.

It is worse when it comes to media content with only Australia, Japan, the UK and US currently able to buy TV shows while music purchases only expand that list within European countries. As such the countries where customers and developers are most likely to be attracted by the cheap prices of budget Android handsets are the least well served.

Which leaves us with the all too familiar scenario that Android’s malware problem isn’t as black and white as many would have you believe. The truth is it is easy to stay safe on Android. The problem is that sentence relies on where you live.

One nagging question remains. Does Kelly himself use an Android smartphone? We guess that must depend on where he lives.


A New Model for Building Trust on the Internet

Posted on January 28th, 2014 by Dan Rampe


The beginning of a new year is often a time of reflection. At ThreatMetrix™, we have a lot to reflect on and look forward to. ThreatMetrix turns seven this year. In Internet- and dog-years alike, that’s a long time.

When we started ThreatMetrix, the online world was a simpler place. While we were developing our advanced device identification technologies in 2007, with proxy piercing and global device identification, Apple announced the iPhone. Amazon launched the Kindle in November of 2007. Those devices and others changed the way that we connect with the world.

We’ve worked hard to keep pace with those changes:

  • Since one size doesn’t fit all, we added customer-configurable rules to our risk analysis.
  • As cybercriminals got better at disguising their identities, we developed ThreatMetrix ExactID™ and ThreatMetrix SmartID™ technologies to look beyond the devices to the people using them.
  • Recognizing that legitimate user devices can be compromised by malware, we became the first advanced device identification technology to integrate malware detection.
  • Because it’s just as important for businesses to allow legitimate customers or employees access to applications as to keep out the false ones, we created ThreatMetrix™ Persona ID and ThreatMetrix™ Trust Tags technologies to help streamline access for trusted visitors.

The Trust Trifecta: Technologies, Processes and Data

Advanced device identification and malware detection were just the first phase in the evolution of the ThreatMetrix solution set. Although we started out as a first line of defense in the fight against fraud, in working with our customers we dove into the broader issues of online trust. In doing so, we have expanded our innovations to include processes for configuring and validating business policies and a global data set of shared intelligence.

For example, the Persona ID technology addresses the broader issue of tracking the behavior of a person online – whether or not you know exactly who that person is. The ThreatMetrix Persona ID approach is both passive and anonymous from the user’s perspective. This type of analysis is only possible by tracking and analyzing online behavior across sites – something we do through the ThreatMetrix™ Global Trust Intelligence Network.

So in addition to innovative technologies, we now have a core set of processes, a massive data set generated and refreshed daily by a global network, and comprehensive data analysis from that data. This combination of technologies, processes and data significantly broadens the scope of the ThreatMetrix solution in the online world. We can address broader issues of risk assessment and identity authentication.

ThreatMetrix Today: Building Trust on the Internet

Which brings me to where the company is today, in early 2014. We’ve changed our tagline to reflect our broader purpose: Building Trust on the Internet. We’re building and growing our ThreatMetrix™ Global Trust Intelligence Network, which monitors and scores more than 500 million transactions per month. Our Persona ID and Trust Tag technologies, enhanced with our global network and data, enable a new kind of passive, context-based authentication for all kinds of online sites and applications. And we’re working not only with online banks and retailers, but also enterprises and government agencies to help streamline access for legitimate users and keep out those who don’t belong.

No one can see what twists and turns the Internet will take in the coming years – but building a foundation of trust with employees and customers is an important first step. And that’s where we’re putting all of our efforts from this point forward.

About ThreatMetrix

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.


Balancing Online Privacy and Security

Posted on January 28th, 2014 by Dan Rampe

Online security and privacy have a love/hate relationship. We need security measures to protect our online privacy. However, complete online privacy (anonymity) can defeat security measures by giving cybercriminals an undetected place to operate. And we often sacrifice data privacy in the name of security – the NSA Prism project being one visible example.

The strange relationship between privacy and security is perfectly illustrated in the story of Tor, a software program for online anonymity. According to last week’s BusinessWeek article on Tor, much of its original funding came from the Department of Defense. Now the NSA is spending a huge amount of time and energy trying to defeat Tor in the name of security. Security and privacy would appear to be on opposite teams.

I don’t think that has to be true. It’s possible to respect the online privacy of your customers while protecting the security of their data and your applications. Striking the right balance is something that every business has to do for its specific customer needs and use cases.

In honor of Data Privacy Day, here are some thoughts on how businesses can and should balance privacy and security.

Stop Asking People to Give Up Privacy for Security

As I wrote in a previous blog, be wary of asking people for more personal information in the name of giving them better security. The more of their personal information you hold, the greater your obligation to guard that data – and the more attractive target you become for identity thieves. Even credit bureaus and identity data aggregators have been breached and hacked, so even outsourcing data collection to third parties is problematic.

Consider Context When it Comes to Privacy

People have many ways of trying to operate anonymously online, from disguising IP addresses or true location to cookie wiping. Many people want to escape the scrutiny of marketers tracking their movements. Businesses need to look for indicators of people obscuring their real identity in those situations that represent a risk of identity takeover.

Let’s say someone is disguising their IP address online – should that be a concern? It depends on the business and online context. When connecting to a social network, someone might legitimately want to disguise their IP address or use a VPN connection. For example, they might be traveling in a country that bans the network. The social network might detect the activity but not deny access unless there were other behavioral factors.

However, if someone tries to create a credit card account while disguising their IP or geolocation, that should be a red flag. The context of the transaction or online interaction is a critical factor.

Honor the Customer’s Trust

Ultimately, striking the right balance of security and privacy comes down to honoring the customer’s trust.

• Don’t collect personally identifiable information unless you need it. Use behavior-based analysis and data anonymization to avoid the need to share data about your customers’ personal lives with third parties.

• Whatever information you do gather for security reasons, you should only use for protecting the customer identity and data. Do not share it or sell it for marketing purposes. Partner with companies that are in the business of protecting trust, not monetizing identities.

• Protect customer identity in use – during the point of a transaction or at the moment of login. As I wrote in the blog Let’s Do Something Different for Data Privacy Day, online businesses need to be accountable for protecting the customer identity when it is used on their site – even if the identity was stolen elsewhere. By preventing account takeover you can maintain customer trust.

For more information, see the press release, “ThreatMetrix Shares Strategies for Walking the Tightrope Between Consumer Online Privacy and Security.”

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.


ThreatMetrix Shares Strategies for Walking the Tightrope Between Consumer Online Privacy and Security

Posted on January 28th, 2014 by Dan Rampe


Businesses Can Protect Customer Identities While Enabling Confidentiality on the Internet Through Anonymized Trusted Identity Networks

San Jose, Calif. – January 28, 2014 – ThreatMetrix™, the fastest-growing provider of context-based authentication and advanced Web fraud solutions, commemorates Data Privacy Day by announcing strategies for businesses to protect consumer identities without compromising privacy.

In the age of big data enterprises are collecting and sharing unprecedented amounts of customer information, many times unintentionally. When a single employee can steal up to 40 percent of a country’s credit data on a USB stick, and identity thieves can illegally purchase credit data, better practices are urgently needed for protecting access to online information and identities. The flip side however, is that in order to protect against data breaches and malware, big data approaches to cybersecurity are essential for total situational awareness.

“Often, bad things happen to good people and sometimes good people – even a company’s own employees – go bad and compromise online security and privacy,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Therefore, enterprises need to combine big data techniques with a new approach to protecting privacy and unlawful access to customer and employee accounts.”

At the heart of the problem is the way trust is evaluated online. In the offline world, trust is situational, continually evaluated over time based on observed behavior and informed by reputation. In the online world, however, the vast majority of data and commerce is protected by static checks such as passwords, payment information or supposedly private “out-of-wallet” information. The problem is exacerbated by the lack of privacy-protecting intelligence sharing, meaning companies either operate in a silo, or customers must trust their identity information will not be abused by marketing organizations or breached by hackers.

“There is a fine line between offering customers comprehensive security and invading their privacy,” said Faulkner. “Finding the balance is essential to effectively protecting sensitive data while maintaining trust and preventing customer identities from falling into the hands of cybercriminals. With the advent of controversies surrounding government spying programs, the tightrope between privacy and security has become even narrower.”

Added complexity lies in differentiating between cybercriminals, who are looking for anonymity to hide their fraudulent activity, and consumers who simply want privacy. For example a person using an anonymized IP Address to read political news is one thing and it’s a completely different matter if the user is accessing a Tor network while applying for a credit card. The expectations for privacy by a legitimate consumer and what is viewed by a business as acceptable behavior are very different based on the context of the action taken.

Key strategies ThreatMetrix recommends businesses implement to achieve the balance between privacy and security include:

CEO-Sponsored Trust Protection Taskforce – It’s essential that the CEO takes a leadership stand in framing the privacy and security tightrope as a competitive opportunity to build brand trust and remove obstacles to increasing revenue. The often-competing requirements of security, privacy and marketing need to come together under a coherent strategy that moves the internal conversation beyond compliance to protection.

Anonymized Shared Intelligence – A collective problem requires a collaborative solution. Leverage trusted identity networks that use strict anonymization practices to share risk intelligence and improve security without compromising privacy. Anonymized networks used in this way enable trust to be federated across applications and companies using big data techniques without falling afoul of privacy laws and consumer trust.

Behavior-Based Identity Proofing – Simple reputation systems cause authentic customers and employees to be treated unfairly when their identities or accounts are abused. Analyze anonymized global patterns of identity usage including locations, devices, accounts, transactions and associations over time to provide ‘spoof-proof’ identity screening without false positives – incorrectly labeling legitimate users as fraudulent.

Context-Based Authentication – “Context is King” when it comes to differentiating between trusted users and cybercriminals. Businesses must dynamically establish the credibility of each and every access attempt and transaction, regardless of whether initiated by a customer or employee, based on business risk of the action and the full context of identity and device threats. These threats include Man-in-the-Middle and Man-in-the-Browser attacks, account compromise, bots, proxies, and location and transaction anomaly screening to determine the level of authentication and authorization required to process the request.

“At a minimum, industries operating online should self-enforce standards for controlling access to customer data from both insider and outsider theft,” said Faulkner. “Otherwise, government agencies will be forced to step in. It’s crucial that privacy and security professionals move to frictionless solutions that can tell whether a user is who they say they are without needing to know their name. These standards can be used as a balancing pole for chief security officers and chief privacy officers walking the tightrope between privacy and security.”

ThreatMetrix uses an anonymized global data repository, the ThreatMetrix™ Global Trust Intelligence Network (The Network), to evaluate logins, payments, new account registrations and remote access attempts for validity in real time. The most comprehensive global repository of anonymized identity and trust data, The Network uses real-time analytics to protect hundreds of millions of accounts and identities each day from cybercrime.

Through sharing strategies to balance between privacy and security, ThreatMetrix continues its commitment to Data Privacy Day, an annual event sponsored by the National Cyber Security Alliance that encourages businesses and consumers to protect their online privacy and control their digital footprint. ThreatMetrix was named a Data Privacy Day Champion for its ongoing efforts to prevent cybercrime and preserve personal data on the Internet.

About ThreatMetrix

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

© 2013 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
WalkerSands Communications
Tel: 312.241.11178
Email: beth.kempton@walkersands.com

 

Just Because You’re Paranoid Doesn’t Mean They’re Not out to Get You. One Cyberreporter Refuses to Share Her Email Address with Retailers.

Posted on January 27th, 2014 by Dan Rampe

Maybe you’re overcome by politeness. Maybe people who stand behind counters represent childhood authority figures like teachers and principals and movie ushers. Maybe because it’s become routine. Whatever the reason, when a vendor asks for a phone number or email address to complete a transaction, there’s a tendency to comply without question.

However, there’s a big difference between the information merchants need for executing a transaction and the information merchants want for marketing. And, online or brick-and-mortar, personal information that’s compromised is costly to both customers and merchants.

One cybersecurity reporter hit the keys to tell how she deals with companies and clerks who want her email address. Nicole Perlroth writes on nytimes.com:

There is a temptation to think that major retailers like Target are more secure because they have more cash to spend on security. But the reality is that no company is entirely secure.

It’s hard out there for a paranoid cybersecurity reporter.

I’ve covered enough breaches, identity thefts, cybercrime and worse, to know it’s a terrible idea to hand over my personal data — even something as seemingly innocuous as my birthday or email address — to a store clerk, or a strange login page on the Internet.

But it’s getting hard to resist. I was in the middle of buying a swimsuit recently when the sweet lady behind the boutique counter asked me for my email address. I explained, as I have a hundred times before, that I’m a paranoid security reporter who makes it a general rule of thumb not to hand out information unnecessarily.

“We won’t spam you or anything,” she said, perplexed. “We just need it for our database.”

I knew then that the conversation was headed into a whole lot of awkward, as it had dozens of times before. The fact is, a boutique doesn’t need my email address so I can buy a swimsuit. The hotel I stayed in recently didn’t need my birth date, or my home address, or my driver’s license number, before I could check in. And Target doesn’t need to store your debit card PIN.

After news of Target’s breach first broke last month, a reader emailed complaining that after a recent purchase at a Target store in San Francisco, she was asked for her driver’s license after her credit card was authorized. “I gave it to her thinking she was only going to look at it, however she immediately scanned it through her register. I was a bit shocked and asked why she did that. She said it is always done but ‘Don’t worry, it is secure.’”

That, we now know, is absurd.

There is a temptation to think that major retailers like Target – and now Neiman Marcus – are more secure because they have more cash to spend on security. It’s the same assumption users made thinking Snapchat was secure because it magically makes selfies disappear, or that LinkedIn knew how to protect data because it likes to talk up big data, or that Adobe could protect our passwords.

Actually, I take that back: Compromised Adobe PDF files have been used in far too many cyberattacks to mention here.

The point is that no company is secure. None of them. Not when they are up against an increasingly sophisticated, elusive enemy. But the problem is not just retailers, or technology companies or hackers, it’s us.

We regularly hand over data simply because we’re politely asked. We don’t read privacy policies, or ask companies whether our email addresses and passwords will be “salted” or “hashed,” encrypted with long or short keys, or whether those keys will be stored on separate systems from the ones they can unscramble. We don’t challenge major credit card companies to hurry up and adopt smart-chip credit cards. And we don’t stop doing business with companies that don’t take data protection seriously.

So we’ll all feign shock that the Target breach did not just affect 40 million people as it previously reported, but well over one-third of America’s adult population. And then, in a few days, we will likely go back to politely handing over our email addresses and birth dates.

But for now, the sweet lady at the boutique just has this: privacyreporter@stopaskingme.com.

Note: We went to www.stopaskingme.com and found just this on the website:

It seems like today people want so much information from you. You have to spend 1-2 minutes on the phone, after you get to talk to a human, before you can ever get down to business. They need name, account number, (again) last four of something or other and on and on.

There is a fine balance between good customer service and downright annoyance. Anyways, I love the look on these people’s faces when I give them my email address of some name@stopaskingme.com. I cannot tell you how many tech support people have bust out in laughter when I give them this email. Kind of lightens the whole mood and even has a calming effect when talking to some of the less, shall we say, less than helpful customer service reps.

You Gotta Be Kidding Me. 17-Year-Old Russian Kid Wrote Code for Target, Neiman Marcus and Other Hacks.

Posted on January 24th, 2014 by Dan Rampe

What did you do for money when you were 17? Mow lawns? Do the Mickey D burger thing? Camp counselor? Whatever it was, chances are it wouldn’t have put you at the center of a worldwide manhunt. Which is where one Russian teenage hacker ended up.

Hearing a teenager wrote the code that put tens of millions of people in jeopardy of having their identities stolen can leave you conflicted. On one hand, like any prodigy or savant, he can be admired. On the other, for the pain he caused and will cause, he should be sent to Siberia with a thin moth-eaten blanket and Bermuda shorts and have a hungry grizzly for company.

The Washington Post’s Hayley Tsukayama writes about this latest twist in the Target-Neiman Marcus et al. hack with a reporter’s more objective eye:

Security firm IntelCrawler said Friday that it has identified a Russian teenager as the author of the malware probably used in the cyberattacks against Target and Neiman Marcus, and that it expects more retailers to acknowledge that their systems were breached.

In a report posted online, the Sherman Oaks, Calif., company said the author of the malware used in the attacks has sold more than 60 versions of the software to cybercriminals in Eastern Europe and other countries.

The firm said the 17-year-old has roots in St. Petersburg. He reportedly has a reputation as a “very well known” programmer in underground marketplaces for malicious code, the report said.

The company said the teenager did not perpetrate the attacks, but that he wrote the malicious programs — software known as BlackPOS — used to infect the sales systems at Target and Neiman Marcus. Andrew Komarov, the chief executive of IntelCrawler, said the attackers who bought the software entered retailers’ systems by trying several easy passwords to access the registers remotely.

“It seems that retailers still use quite easy passwords on most remote-access” servers, Komarov said. He added that there do not appear to be many restrictions on who has access to the remote point-of-sale servers in numerous companies. This, he said, could enable hackers to gain access to a prime target: back-office servers where criminals can pick up pools of data from multiple stores.

Target declined to comment on the report. Neiman Marcus spokeswoman Ginger Reeder said that she has heard no claim about weak passwords from anyone with direct knowledge of the retailers’ system.

Komarov first identified the software last March and reported it to Symantec and other security firms. Before both breaches, IntelCrawler said in its post, the company detected attempted attacks on point-of-sale terminals across the United States, Australia and Canada.

That indicates that more companies, specifically retailers, are likely to discover attacks on their systems in the near future, company executives said. The firm has identified six additional breaches at other retailers of various sizes across the country, Komarov said. He did not identify those retailers.

Last month, Target announced that hackers had gained access to as many as 40 million credit and debit cards used by its customers during the height of the holiday shopping season, later extending that figure to as many as 110 million. Neiman Marcus has also disclosed that it was the victim of an attack but has not disclosed how many customers were potentially affected.

Both companies have said the breaches are under investigation by federal authorities.

Global Trust Intelligence – Changing Economics of Identity Theft

Posted on January 22nd, 2014 by Dan Rampe

ThreatMetrix Shares Strategies For Implementing Effective Security Measures Without Disrupting Authentic Users And Compromising Privacy

San Jose, Calif. – January 22, 2014 – ThreatMetrix™, the fastest-growing provider of integrated cybercrime prevention solutions, continues its alignment with Data Privacy Day by announcing several strategies for businesses to change the economics of data breaches and identity theft through global trust intelligence.

The Identity Theft Resource Center recorded more than 600 data breaches in 2013, a 30 percent increase over the number of breaches in 2012. Target and Neiman Marcus are just two examples of companies that experienced significant breaches recently and more are expected to occur in 2014. Personally identifiable information exposed in past breaches includes credit card numbers, password hints, names, email addresses and other sensitive information.

To make matters worse, in the aftermath of data breaches, the solutions companies put in place to protect consumer identities are far from ideal. Businesses in the past have either implemented intrusive two-factor authentication solutions or offered customers credit monitoring.

“The current way in which companies prevent misuse of stolen identities is broken,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Many businesses that offer credit monitoring, two-factor authentication and other means of protecting personal information following a data breach end up causing additional damage to the customer relationship due to added charges, intrusive features or requesting more personal data. Instead we need solutions that make stolen identities worthless in the hands of cybercriminals.”

While two-factor authentication solutions such as SMS one-time passwords can provide an extra layer of protection, the reality is that they are expensive, can lead to abandonment and only protect the fraction of users that choose to adopt them.

As an alternative to two-factor authentication, some businesses offer free trials of credit monitoring services, which expire and can require payment through automatic renewal. Instead of putting consumers at ease, these services can potentially cause backlash if customers perceive companies are profiting from their misfortune. In any case, credit monitoring doesn’t stop your identity being abused to hack accounts or commit payment fraud.

High profile breaches are a prime example of why businesses across industries – including retailers, financial institutions and others – should not rely on traditional identity verification services to screen users.

“Legacy identity verification solutions are largely a solution for a bygone era because they can prove that an identity exists, but not ownership of that identity,” said Faulkner. “The cat is out of the bag – cybercriminals and consumers are well aware that traditional verification and authentication solutions are no longer effective – and businesses need better strategies in place for customer identity protection.”

Instead of applying bandage-like solutions, ThreatMetrix recommends changing the economics of data breaches and identity theft by transparently rendering stolen data worthless with global trust intelligence comprising:

Anonymized Shared Intelligence – A collective problem requires a collaborative solution. Leveraging trusted identity networks that use strict anonymization practices to share intelligence improves security without compromising privacy. Anonymized networks used in this way enable trust to be federated across applications and companies to reduce challenge rates.

Behavior-Based Identity Proofing – Simple reputation systems cause authentic customers to be treated unfairly when their identities or accounts are abused. Analyzing patterns of usage including locations, identities, devices and associations over time provides ‘spoof-proof’ identity screening without false positives – incorrectly labeling legitimate customers as fraudulent.

Passive Two-factor Authentication – Use cookieless device identification technologies in combination with rich contextual information such as account usage, location profiles and business risk to reduce unwanted and intrusive step-up authentications.

“ThreatMetrix uses anonymized device, identity and transaction data to determine whether or not customers are who they claim to be without needing to know their name,” said Faulkner.

To effectively protect customers, businesses should leverage a global data repository that can process transactions in real time and verify their authenticity against anonymized user profiles and past behavior. The ThreatMetrix™ Global Trust Intelligence Network (The Network) is the most comprehensive global repository of identity and fraud data and protects hundreds of millions of users and revenues each day from cybercrime. Its real-time analytics evaluate logins, payments, new account registrations and remote access attempts to differentiate between good and bad actors.

Data Privacy Day takes place on January 28 and is sponsored by the National Cyber Security Alliance. ThreatMetrix, a Data Privacy Day Champion, will continue its commitment to Data Privacy Day by publishing additional news on protecting consumer identities throughout the month of January.
