Blog Posts Tagged: Online Fraud

ThreatMetrix’s Chief Product Officer Questions the Effectiveness of Two-Factor Authentication in Protecting Twitter Users

Posted on May 24th, 2013 by Dan Rampe

With successful hacks on Burger King’s, The Onion’s and the Associated Press’ Twitter accounts, Twitter has added another layer of security called login verification.

According to the piece on Mashable by Samantha Murphy, “The two-factor authentication is SMS-based, which means Twitter sends a code in a text message to users’ phones each time they want to log in. The code is generated when someone tries to log in; the code changes after each login attempt.”

Security expert Derek Halliday observed that, “Two-factor authentication is especially crucial for Twitter accounts that represent a brand, high-profile person or organization, and the management of those accounts should make it mandatory…. As with any security measure, there’s no silver bullet to prevent all hacks, but if people adopt safety precautions, the risk can be minimized.”

Google, Facebook, PayPal et al. already provide users the option of having two-factor authentication. Now Twitter has decided to follow suit though many social media brand managers may not be enthusiastic about the move.

Security professional Amber Gott, who strongly approves of Twitter’s two-factor authentication, can see the social media brand managers’ point of view. “It’s true that you’re adding a few seconds to the login process, and you have to ensure you have access to the correct device or email account in order to complete the login.”

While Alisdair Faulkner, ThreatMetrix’s chief products officer, agrees that two-factor authentication can’t hurt, he believes much more is required to protect accounts from hackers. “Two-factor verification can be like airport screening: It is inconvenient (and) everyone in the security industry knows it has holes. (But it) can give people a sense of protection.”

Faulkner added, “If adopting (two-factor authentication), the average user should start with protecting their email account. Email is the number one target for hackers because it is where the majority of password reset links are sent.” Gmail is one of the email services offering two-factor authentication.

Another security expert, Ali Reza Manouchehri advises that companies be wary of third-party apps on Twitter. “If you want to use a third party app to tweet for you, you’re giving that service access to your account. Companies should put controls in place to identify apps that are approved through a vetting process and require that all employees follow those processes.”

Sounding a similar cautionary warning to Alisdair Faulkner, Manouchehri adds, “No security is ever perfect and there’s always more than can be done.”

ThreatMetrix is the fastest-growing provider of integrated web fraud and cybersecurity solutions. The TrustDefender™ Cybercrime Protection Platform helps companies prevent unauthorized access to web and mobile applications, protect sensitive data, and secure transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. ThreatMetrix protects more than 1,500 customers and 8,500 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

To join in the cybersecurity conversation, follow us on Twitter @ThreatMetrix.

Rupert Murdoch a Suicide. Tupac Shakur Alive. What Will Members of LulzSec Think of Next? Maybe How Long They’ll Spend in Jail.

Posted on May 20th, 2013 by Dan Rampe

Hackers Ryan Cleary, 21; Ryan Ackroyd, 26; Mustafa Al-Bassam, 18, and Jake Davis, 20, who went under the online handles of ViraL, Kayla, tFlow and Topiary, pleaded guilty in a London courtroom to causing millions of dollars of damage to corporate and government computer networks during an online crime spree they boasted about on Twitter.

The hackers were members of LulzSec, an offshoot of Anonymous. The name LulzSec is a combination of lulz or lol, i.e., laughing out loud, and sec, which is short for security. Put them together and LulzSec becomes “Laughing Out Loud at Security.”

They hacked into News International’s computer system to post a fake story from the Sun tabloid, announcing that owner Rupert Murdoch had committed suicide and into PBS’s Website, redirecting users to a fake news report that rapper Tupac Shakur was alive. Although such stories might well have caused anguish to their families, the death of Rupert Murdoch and the resurrection of Tupac Shakur some might chalk up to youthful pranks. However, according to Reuters, they also “hacked into Pentagon computers, crashed the CIA’s website, stole millions of items of private individuals’ data such as passwords and user names from companies including Fox or Sony and posted them online on sites such as Pirate Bay.”

Prosecutor Sandip Patel observed, “(These men are) at the cutting edge of a contemporary, emerging species of international criminal (who see) themselves as latter-day pirates.”

Patel went on to say, “the four men’s activities were as much about self-promotion as they were about hacking, describing them as adept at getting the attention of media and of hundreds of thousands of Twitter followers and motivated by ‘anarchic self-amusement.’” The prosecutor noted that a LulzSec press release said they acted the way they did, “just because we could.”

According to Reuters, “The alleged ringleader of LulzSec was U.S.-based Hector Xavier Monsegur, known as “Sabu”, who was arrested in June 2011 but agreed to cooperate, maintaining his online persona for a time and leading the FBI to other members of the group. Monsegur is awaiting sentencing in the United States, while a 24-year-old IT worker was arrested in Australia in April in connection with LulzSec.”

Ryan Cleary (ViraL) also pleaded guilty to charges of downloading pornographic images of babies and children.

Consumers Beware of Cybercriminals When Shopping for Mom This Mother’s Day – Fourth Busiest Spending Holiday

Posted on May 9th, 2013 by Dan Rampe

ThreatMetrix Offers Best Practices for Consumers to Avoid Falling Victim to Fraud

San Jose, CA – May 9, 2013 – ThreatMetrix™, the fastest-growing provider of integrated Web fraud and cybersecurity solutions, today announced several cybercrime scenarios and preventative tips for consumers to stay protected while shopping for mom this Mother’s Day.

According to the National Retail Federation, Mother’s Day spending this year is expected to reach $168.94 on average, with total spending expected to reach a staggering $20.7 billion.

“The unfortunate reality is that today, any major spending holiday places consumers at high risk for fraud, malware and account takeover as cybercriminals capitalize on consumer spending for personal gain,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Consumers must be vigilant of the risks associated with online shopping. The last thing you want to give dear old mom for Mother’s Day is a case of malware or identity theft.”

Mother’s Day ranks fourth in spending holidays, behind the winter holidays, back to school shopping and Valentine’s Day. To help consumers stay protected, ThreatMetrix has identified the following top account takeover threat scenarios for consumers to be aware of when shopping for Mother’s Day:

1. Phishing is a concern for consumers around major spending holidays, especially Mother’s Day. Here’s how it works: Cybercriminals will send out an email with a fake offer – “Click Here to Send Mom One Dozen Roses for $20.” You click on the link and are taken to a fake website where you enter your credit card details along with mom’s personal information for delivery. Once the “order” is submitted, the cybercriminal has stolen your credit card details and no roses ever arrive for mom.

2. Data Breaches and Password Reuse occur when a customer’s account at an e-merchant, financial services organization or social media site has been hacked and personal information, including the account password, has been compromised. Reusing the same password across multiple sites puts all customers’ accounts at risk of being compromised. For example, if the website you purchased flowers from for your mom suffers a data breach, all of your accounts with the same password are now at stake.

3. Mobile devices offer consumers the convenience of shopping on the go. With this convenience come security risks you need to be aware of when shopping for mom this Mother’s Day. If you lose your mobile device, whoever finds it may be able to access your phone and all the sites and applications containing your saved passwords. To help prevent this scenario as you’re purchasing a gift for mom, be sure to lock your screen when not in use.

According to ThreatMetrix, the most effective ways for consumers to stay protected when shopping for Mother’s Day online include:

• Only purchase from verified retailers

• Avoid using the same password across several online shopping and banking sites

• Avoid storing credit card information on retail sites and mobile phones

• Avoid clicking on suspicious links in unsolicited emails

“While consumers should be extra cautious to avoid cybercrime around major spending holidays, it is just as important for retailers to put preventative measures in place,” said Faulkner. “It is much easier and more effective to avoid cybercrime altogether than have to pick up the pieces once customer accounts have been verified. Without preventative cybercrime solutions in place, retailers risk jeopardizing customer accounts and company revenue.”

© 2013 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Meghan Reilly
Walker Sands Communications
Tel: 312-445-9926
Email: meghan.reilly@walkersands.com

ThreatMetrix to Host Webinar on “Account Takeover Fraud: The Newest Threat to Online Business”

Posted on May 6th, 2013 by Dan Rampe

Online Merchants Alarmed By Rise in Identity Theft and Account Takeover Attempts

San Jose, CA – May 6, 2013 – ThreatMetrix™, the fastest-growing provider of integrated cybercrime prevention solutions, today announced that it is hosting a complimentary, one-hour webinar on “Account Takeover Fraud: The Newest Threat to Online Business,” which will take place at 10 a.m. PDT on Thursday, May 9.

The webinar will be led by Andreas Baumhof, chief technology officer, ThreatMetrix, and Julie Conroy, senior research director, Aite Group, an independent research and advisory firm focused on business, technology, and regulatory issues and their impact on the financial services industry.

Account takeover attacks are an increasing threat to online businesses. Although many financial institutions have implemented anti-takeover strategies, cybercriminals are now using these techniques to attack e-commerce merchants and other online businesses. According to a 2012 survey conducted by the Merchant Risk Council, two of the top online fraud threats experienced by e-commerce merchants were account takeover and identity theft. As more customers set up and use online accounts to expedite purchases, it is becoming more profitable for fraudsters to develop strategies to access and exploit them.

“Account takeover is sharply on the rise for e-commerce merchants, eclipsing stolen card fraud for many thanks to the vast quantity of compromised identities provided by recent database breaches,” said Conroy. “Online merchants need to adjust their defenses to protect themselves and their clients from this rapidly growing attack.”

To defeat account takeover attacks and identity theft, businesses need to know the risks, understand attack methodologies, and deploy effective solutions to identify and stop attacks. The webinar will educate attendees on the following:

• The latest research on account takeover threats to e-merchants

• What e-merchants can learn from banks about account takeover attacks

• What you should know about account takeover risks to online businesses

• Techniques cybercriminals use to deploy account takeover attacks

• How you can use risk analytics and shared global intelligence to stop attacks in real-time

“Using ThreatMetrix’s TrustDefender™ Cybercrime Protection Platform, e-merchants can identify a variety of attacks designed to steal user account credentials – the precursor to e-commerce fraud,” said Baumhof. “Our platform detects Trojans, phishing attacks, man-in-the-browser (MitB) attacks and other threats to Web-enabled devices, including computers, smartphones and tablets. By using our account takeover prevention solution, e-merchants can gain instant visibility into the integrity of their user accounts and credentials.”

To register for the complimentary webinar, please visit: https://www1.gotomeeting.com/register/426074017

Resources

ThreatMetrix Unified Solutions for Account Takeover Solutions Brief

Five Trends to Track e-Commerce Fraud Whitepaper

ThreatMetrix™ 2013 Cybercrime Prevention Summit, September 11 – 13, Resort at Squaw Creek, Lake Tahoe, CA

If Every Man, Woman and Child in The Netherlands, Chile, Honduras and Switzerland Were All Hacked — It Still Wouldn’t Add Up to the Attack on LivingSocial

Posted on May 1st, 2013 by Dan Rampe

Fifty million of LivingSocial’s 70 million customers discovered their data may have been compromised when hackers attacked a company server. LivingSocial, a website that features discounted gift certificates, disclosed that hackers gained access to names, email addresses, encrypted passwords and the dates of birth for some users. However, the company maintained that credit card data was not affected.

Julianne Pepitone on money.cnn.com reported, “All LivingSocial users had some data stored on the hacked server…except for customers in Korea, Thailand, Indonesia and the Philippines. Those countries use TicketMonster and Ensogo, which are on different systems.”

LivingSocial said it was “actively working with law enforcement to investigate” and instructed users to reset their passwords.

LivingSocial’s hack comes on the heels of the Associated Press’s Twitter account hack, which sent a tweet claiming the White House had been attacked and the president injured. The news briefly sent the stock market into a precipitous dive until the tweet was debunked.

ThreatMetrix is the fastest-growing provider of integrated cybercrime prevention solutions. The TrustDefender™ Cybercrime Protection Platform helps companies protect customer data and secure transactions against payment fraud, malware, account takeover, fraudulent new registrations, data breaches, as well as man-in-the-browser (MitB) and Trojan attacks. The platform consists of advanced cybersecurity technologies, including TrustDefender™ ID, which is cloud-based, real-time device identification, malware protection with TrustDefender™ Cloud and TrustDefender™ Client, as well as TrustDefender™ Mobile for smartphone applications. ThreatMetrix cybersecurity solutions protect more than 1,500 customers and 8,500 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Avoid a Very Expensive Cup of Coffee. ThreatMetrix Has Tips to Stop Cybertheft When Using Wi-Fi at Coffee Shops, Eateries and Other Public Places.

Posted on April 29th, 2013 by Dan Rampe

According to energyfiend.com, the most expensive Starbucks drink is the 3000mg caffeine-loaded Quadriginoctuple Frap at $47.30. If you think that’s an expensive cup of joe, try sharing your private personal financial information with cyberthieves.

Starbucks, Peets, et al. have become a kind of home away from home – well at least the living room part. People tend to feel comfortable and secure much as they would at home. Checking Facebook, emailing, downloading photos, online shopping, mobile banking and accessing all sorts of sensitive documents over public Wi-Fi networks has become standard operating procedure for a lot of people.

“Consumers can easily access public Wi-Fi networks from just about anywhere – and so can cybercriminals,” said Dean Weinert, product manager, ThreatMetrix. “Cyber threats are certainly a reality at local coffee shops and other wireless hotspots. If consumers don’t take extra precaution to protect their personal devices, they can unwittingly share sensitive information with cybercriminals interfering on the network.”

To help consumers avoid online fraud and malware traps, ThreatMetrix offers a number of scenarios that demonstrate how cybercriminals access sensitive transactions on public networks.

Network Scanners – A network scanner detects open ports on a device that’s connected to a network. A cybercriminal can integrate a network scanner with hacking tools to automatically exploit system vulnerabilities, giving the criminal complete control of a customer’s device.

Man-in-the-Middle – Hackers use off-the-shelf or other devices configured as “hotspot honeypots” to intercept a user’s Internet connection, granting the hacker full access to the user’s network connection. This allows hackers to launch man-in-the-middle attacks such as Website redirection, session hijacking and other network-based attacks.

Social Hacking – Cybercriminals leave a malicious USB drive on a café table for an unsuspecting, curious customer to insert it into his or her device. The attacker then captures sensitive information, such as social network logins.

Hi-Res Video Cameras on Mobile Phones – Cybercriminals use hi-resolution video cameras on a mobile device to capture a nearby user’s activity. For example, a consumer may enter credit card information or Gmail login into a device while waiting in line, without knowing the cybercriminal has videoed his/her credentials.

How should consumers avoid these traps? Conduct banking and other personal business in genuinely safe environments – not in a public place akin to counting out hundred dollar bills in a dark alley. Also consumers should take care to frequently update their operating systems and anti-virus software.

“The bottom line is – consumers are better off conducting mobile banking and other transactions at home on a secure, password-protected network,” said Weinert. “Even so, approximately one in five consumers don’t update fraud and malware protection software beyond the initial three-month trial period after purchasing a new device. Consumers must continuously update such software or risk losing their caffeine buzz once they realize their account has been compromised by a cybercriminal.”

For more information and a list of tips, visit http://threatmetrix.com/resource-center/infographics/.

It’s the Verizon 2013 Data Breach Investigations Report Covering More Than 47,000 Reported Security Incidents…8,621 Confirmed Data Disclosures…and 44 Million Compromised Records.

Posted on April 25th, 2013 by Dan Rampe

Here’s the report everybody’s been waiting a full year for. Well, maybe not everybody. But if you’re charged with security for your company’s enterprise, Verizon’s latest 2013 Data Breach Investigations Report (DBIR) covering 2012 is must reading. It’s also easy reading.

“Motives for these attacks appear equally diverse. Money-minded miscreants continued to cash in on low-hanging fruit from any tree within reach. Bolder bandits took aim at better-defended targets in hopes of bigger hauls. Activist groups DoS’d and hacked under the very different—and sometimes blurred—banners of personal ideology and just-for-the-fun-of-it lulz. And, as a growing list of victims shared their stories, clandestine activity attributed to state-affiliated actors stirred international intrigue.” As we said, easy reading.

The report was put together by the Verizon RISK Team in cooperation with a host of companies and agencies from U.S. Homeland Security and the Danish Defence Intelligence Service to Carnegie Mellon’s Software Engineering Institute and Deloitte and literally covers the globe.

Two types of cyberrotters were responsible for the vast majority of breaches. Seventy-five percent were driven by greed or, as the report put it, “financially motivated cybercrime” while twenty percent were “state-affiliated espionage campaigns” defined as “cyberthreats aimed at stealing intellectual property – such as classified information, trade secrets and technical resources to further national and economic interests.”

Following are some of the report’s high points though low points might be a more apt description:

  • Cybercrime victims in 2012 represented a wide range of industries from financial organizations (37 percent) to retailers and restaurants (24 percent).
  • 20 percent of network intrusion cases covered in the report involved the manufacturing, transportation and utilities industries, with the same percentage affecting information and professional services firms.
  • Hacking was the number one way breaches occurred, factoring in 52 percent of data breaches, while 76 percent of network intrusions exploited weak or stolen credentials such as usernames and passwords. 40 percent incorporated malware tactics and 35 percent involved physical attacks, such as ATM skimming. Additionally, phishing factored in 20 percent of cases in the report.
  • Breaches continue to go undiscovered for months or even years. And in 69 percent of cases, third parties are the ones who detect a data breach.

Locked Out. Denial of Service Attacks Grow a Whopping 20 Percent over Last Year.

Posted on April 24th, 2013 by Dan Rampe

They happen to achieve political objectives. They happen to extort ransom. They happen as a decoy while cyberthieves steal money and personal information. And, they’re happening more and more — Distributed Denial of Service attacks (DDoS).

One security firm’s study cited by Dan Kaplan, Executive Editor of scmagazine.com states, “In the first quarter of 2013, DDoS attacks on average measured 1.77 gigabytes per second (GB/sec), a 19.5 percent climb over the first quarter of last year, while the portion of attacks ranging from 2 to 10 GB/sec grew from 15 percent to 21.5 percent.”

What’s worse is there’s been a sharp increase in the number of higher-than 10 GB/sec attacks; a 74 percent jump from all of 2012. This increase is attributed to hackers using compromised Web server botnets as opposed to individual PCs with their much lower bandwidth.

Kaplan notes that, “Aside from the volumetric-style attacks that use traditional means for attacking sites, application-layer attacks, which leverage encrypted traffic, are becoming more common because they are more difficult to deter.”

The outlook doesn’t look particularly bright for the foreseeable future because firewalls and other intrusion prevention systems are unable to stop DDoS attacks. In fact, Kaplan writes, “A recent study found that the market for DDoS mitigation solutions is projected to grow 18.2 percent between 2012 and 2017, hitting $870 million in spending.”

WordPress Under Siege by 90,000 Servers

Posted on April 23rd, 2013 by Dan Rampe

Have bloggers using WordPress become more surly lately? We can’t answer that. But, if they did, they’d have good reason. A study by one security company says in the last few months WordPress customer login pages have been having “issues” in the form of 30 to 40,000 attacks per day. “In April 2013, (the number of attacks) increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days,” says Web-hosting company, IXWebHosting.

Now it appears a botnet with more than 90,000 servers has been attempting to log in by cycling through different usernames and passwords. Mohit Kumar, Founder and Editor-in-Chief of thehackernews.com, observes that the attacks have had an impact on Linux servers. Addressing the issue, hosting administrators have blocked all connections to wp-login.php.

Hostgator tells its customers, “At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including ‘special’ characters (^%$#&@*).”

Spiral Hosting issued this notice, “A large botnet has been attempting to break into WordPress websites by continually trying to guess the username and password to get into the WordPress admin dashboard. This is affecting almost every major web hosting company around the world. Our Network Operations Centre (NOC) has detected a significant increase in botnet activity in the last 24 hours.”

Kumar’s article contains two pieces of advice. One is that users should utilize .htaccess to protect their admin area and rename login pages. The second is to stay tuned to Twitter and Facebook WordPress pages for more information.
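The attack pattern described above, many servers each trying a handful of username and password guesses, is hard to see with a per-source limit alone. The following added example (not from the original post or from any company it names) buckets failed wp-login.php POSTs into time windows and compares per-IP counts with the window total and source count. The combined log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
"""Added example: spotting distributed wp-login.php guessing in an access log."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields used below are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/wp-login.php"


def failed_logins(lines):
    """Yield (timestamp, ip) for each POST to wp-login.php answered with 200.

    Heuristic: WordPress re-renders the form (200) on a bad password and
    redirects (302) on success, so POST + 200 is counted as a failed attempt.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue
        yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]


def analyze(lines, window_min=5, per_ip_limit=10, total_limit=50, min_sources=20):
    """Bucket failed logins into fixed windows and classify each window.

    noisy_ips   -> what a classic per-source rate limit would catch
    distributed -> many sources, few guesses each, high total (botnet shape)
    All thresholds are illustrative and need tuning per site.
    """
    buckets = defaultdict(Counter)
    for ts, ip in failed_logins(lines):
        start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0)
        buckets[start][ip] += 1

    report = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        total = sum(per_ip.values())
        report.append({
            "window": start.strftime("%H:%M"),
            "failed": total,
            "sources": len(per_ip),
            "noisy_ips": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
            "distributed": total >= total_limit and len(per_ip) >= min_sources,
        })
    return report


def sample_log():
    """Constructed sample data using RFC 5737 documentation addresses."""
    fmt = ('{ip} - - [23/Apr/2013:{t} +0000] "{req} HTTP/1.1" {st} 2048 '
           '"-" "Mozilla/5.0"')
    lines = []
    # 10:00-10:04: 60 sources, two guesses each; no single IP looks abusive.
    for i in range(60):
        for k in range(2):
            lines.append(fmt.format(ip=f"198.51.100.{i + 1}",
                                    t=f"10:0{(i + k) % 5}:{i:02d}",
                                    req="POST /wp-login.php", st=200))
    # 10:10-10:14: one source hammering the form on its own.
    for k in range(15):
        lines.append(fmt.format(ip="203.0.113.7", t=f"10:1{k % 5}:{k:02d}",
                                req="POST /wp-login.php", st=200))
    # Legitimate traffic: a successful login (302) and an admin page view.
    lines.append(fmt.format(ip="192.0.2.10", t="10:02:30",
                            req="POST /wp-login.php", st=302))
    lines.append(fmt.format(ip="192.0.2.10", t="10:02:31",
                            req="GET /wp-admin/", st=200))
    return lines


if __name__ == "__main__":
    for row in analyze(sample_log()):
        print(row)
```

In the constructed data the first window has no IP over the per-source limit yet is flagged as distributed, which is why the per-window total and source count are tracked alongside the per-IP counter.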

Q: When Can You Get a Big Mac at Burger King and Buy a New Jeep from Cadillac? A: When Their Twitter Accounts Have Been Hacked. Why Two-Factor Authentication Is Not Right for Twitter.

Posted on April 11th, 2013 by Dan Rampe

Burger King’s Twitter account was hacked and renamed McDonalds. Jeep’s Twitter account was hacked and Jeep was made part of the Cadillac line.

Devin Coldewey on nbcnews.com wrote, “The account was briefly rebadged, so to speak, to feature a brand new Cadillac ATS, and tweets are pouring out praising Cadillac in the same coarse and thuggish vernacular seen on Burger King’s account. The Jeep account also called out several users of Twitter as ‘da bad guys,’ one of which tweeted that it was the user @GUHTI_, or ITHUG, who had actually perpetrated the hack.”

Call it irony or plain old bad luck, but Coldewey noted that prior to the hack, Jeep “had only a few minutes earlier tweeted about online security, specifically in response to the Burger King hack.” What’s that old cliché about timing being everything? Anyway, Coldewey added, “The nature of the hack is unknown as yet — it could be a serious security hole on Twitter’s end, or the hacker could have compromised a computer with access to the Jeep account. Cadillac denied any involvement, much as McDonalds did yesterday.”

Fresh on the heels of the Jeep and Burger King hacks, MTV’s Twitter account looked like it had been hijacked, with MTV changed to BET.

No. It was just a publicity stunt by Viacom, which owns both properties. Great publicity – if your aim is for some reason to look like you just got hacked.

In any case, Michael Lee on zdnet.com wrote that Twitter appears to be looking into a way to implement two-factor authentication to shore up its security and prevent breaches that, in addition to Jeep’s and Burger King’s, recently put 250,000 other Twitter users’ information and reputations at risk.

However, OneID founder Steve Kirsch, among other security pros, is sure two-factor authentication is not the right solution for Twitter. And in Lee’s zdnet.com piece Kirsch explains why:

Two-factor authentication provides an additional effective step to thwart would-be attackers from taking over users’ accounts, but it is currently not an option for Twitter users. On the back of recent attacks on the site, many have been calling for Twitter to implement it, but, according to Kirsch, even if Twitter does roll out the security measure, it won’t prevent the attack from occurring.

While not dismissing two-factor authentication systems’ effectiveness at preventing existing phishing attacks from being successful, Kirsch said that the number of people signing up for it in existing services is abysmal, and doesn’t do much for improving overall security.

“From a practical point of view, it would be like offering a feature that no one used,” he said.

Given that many attacks are opportunistic, focusing on the number of accounts that attackers and scammers can hack, Kirsch said that it would barely make a difference. In fact, he said that introducing two-factor authentication would hurt the user experience.

“Even adding a single character to a password in Twitter — if you require nine characters versus eight characters — even just doing that requirement measurably affects sign-up rates and so forth. Twitter wants to do whatever it can to make it easier for customers, and adding two-factor authentication is moving in exactly the wrong direction,” he said.

“Even if they move to two-factor, and even if everyone adopted it, which they wouldn’t … it’ll make no difference.”

The reason for this is that the most recent attack on Twitter wasn’t conducted on users’ accounts; it was on Twitter’s own infrastructure. By directly attacking the servers containing the password hashes of Twitter users, two-factor authentication would make little difference.

Kirsch admitted that although user passwords might be salted and hashed, if attackers have compromised a server to the point where they can retrieve that information, it would be likely that they could do worse. This includes sniffing users’ passwords as they enter the server, and converting them into hashes to be compared. Such examples have been documented for some time, where sensitive information that’s sent to a web server is intercepted as it appears in plain text in the machine’s RAM prior to processing.

Kirsch said that at the centre of the attack is the fact that Twitter, along with many other organizations that already use two-factor authentication, relies on a “shared secret” — a user password, whether it is eventually converted into a hash, a keyfile, or similar.

He argued for a better system, where even if the server is completely compromised, it would still be impossible to gain access to users’ information. And he says that such a system has existed for years.

Kirsch is pushing for companies like Twitter and Google to use public key cryptography. In this case, if attackers wanted to retrieve passwords for accounts, they wouldn’t have a single point that they could break into, because the only thing they would obtain from centralized servers are public keys, which are useless by themselves. The private keys — the other part of the “secret” needed to secure communications — would be located on users’ machines, jointly opening the possibility to remove passwords altogether.

“We basically said, let’s take a clean sheet approach to the problem and design a solution that eliminated the use of shared secrets, used modern-day cryptography, and that made it user friendly. The result is a system that has the security that is far better than even using those hardware tokens and so forth, but yet has the ease of use of Facebook Connect.”

As for why it hasn’t been adopted in greater numbers yet, Kirsch said that the relative complexity of public key cryptography schemes has been user unfriendly, but that those days are numbered.

“It’s the advances in browser technology; things like having HTML5 local storage, things like JavaScript, which is powerful enough to run these cryptographic algorithms; things like the invention of elliptic curve cryptography, which makes the computation very fast.

“All of these factors have come together (and) we can finally make this public key-digital signature world a reality. (Users will) essentially have one username (and) one password, that they can use everywhere. (Even) if there’s a breach of any site, or multiple sites, (it won’t) matter. That will truly change usability for everyone.”
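The contrast Kirsch draws between a stored shared secret and a server that holds only public keys can be seen in a short challenge-response login. This is an added example, not code from OneID, Twitter, ZDNet or this blog; the class names, the single-use challenge and the P-256 curve are assumptions chosen for illustration.

```javascript
const nodeCrypto = require('crypto');

// Server side: the only per-user record is a public key (no password, no hash).
class Server {
  constructor() {
    this.publicKeys = new Map(); // username -> PEM-encoded public key
    this.pending = new Map();    // username -> outstanding random challenge
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  challenge(user) {
    const nonce = nodeCrypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  login(user, signature) {
    const nonce = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is single use, which blocks replay
    if (!nonce || !pem) return false;
    return nodeCrypto.verify('sha256', nonce, pem, signature);
  }
}

// Client side: the private key is generated on, and never leaves, the device.
class Client {
  constructor() {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(nonce) { return nodeCrypto.sign('sha256', nonce, this.privateKey); }
}

function demo() {
  const server = new Server();
  const alice = new Client(); // constructed sample user
  server.register('alice', alice.publicKeyPem);

  const sig = alice.sign(server.challenge('alice'));
  const legit = server.login('alice', sig);

  server.challenge('alice');                 // fresh challenge issued
  const replay = server.login('alice', sig); // captured signature reused

  // Breach scenario: everything the server stores is known, but not Alice's key.
  const outsider = new Client();
  const forged = server.login('alice', outsider.sign(server.challenge('alice')));
  const serverHoldsOnlyPublicKeys = [...server.publicKeys.values()]
    .every((pem) => pem.startsWith('-----BEGIN PUBLIC KEY-----'));
  return { legit, replay, forged, serverHoldsOnlyPublicKeys };
}
```

A full copy of the server's user table yields nothing that can answer a new challenge, whereas a stolen password hash can still be cracked offline.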
