Three Things Small Businesses Can Learn from High Profile Data Breaches

Posted on October 21st, 2014 by Dan Rampe


National Cyber Security Awareness Month started off with a bang this year – the news that a breach at JPMorgan Chase compromised accounts of 76 million households and 7 million small businesses. Leading up to National Cyber Security Awareness Month, another high profile data breach was disclosed – Home Depot confirmed that 56 million credit and debit cards were exposed in a recent breach in an attack on the company’s point of sale systems.

In line with this week’s National Cyber Security Awareness Month theme, “Cyber Security for Small and Medium-Sized Businesses and Entrepreneurs,” I’m going to focus here on the special challenges of smaller businesses when it comes to cybersecurity.

If you’re running a small or mid-sized business, or if you are an entrepreneur starting a new venture, this breach holds three important lessons:

  1. As a small or mid-sized business, you are not immune from data breaches.
  2. Your customers may be among those 76 million households or 56 million cardholders with compromised identities – a fraudster is likely trying to do business with you using a stolen identity.
  3. Small businesses are at a disadvantage, with fewer resources to build defenses or ride out the impact of a breach. And as Byron Acohido of ThirdCertainty points out on his guest blog for ThreatMetrix, the legal banking protections are different for small businesses than consumers, resulting in a greater risk exposure.

Let’s look at each of these issues in turn.

Small businesses are in the cross hairs

There is no such thing as a business that’s too small for cybercriminals. Many cybercriminals target smaller businesses precisely because they lack the resources of larger companies to keep systems patched and spot fraudulent access.

One thing we regularly see is that because large institutions are better prepared to deal with cybercriminals, they turn to smaller organizations. I have seen dedicated malware configurations for credit unions as small as 500 members!

Further, how many businesses plan to remain under the radar? If you have a growing business or are a growth-hacking entrepreneur, you want the world to sit up and take notice of your business. You cannot possibly hide from the cybercriminals. In fact (and unfortunately), some businesses see their first cyber attack or breach as an early sign of business growth and recognition.

And even if you have a low profile today, you may be collateral damage in breaches of the larger organizations that you do business with. This is the case for the JPMorgan Chase small business customers.

Stolen identities are a growing problem

The latest breach added millions of stolen identities to the ones already available on black markets. Every stolen identity is a risk factor for your business, as attackers may spoof identities of legitimate customers to do business with you.

Identity spoofing is already a big and growing problem for businesses. Businesses in the ThreatMetrix® Global Trust Intelligence Network frequently detect and deter identity spoofing attacks in logins, new account creation and transactions.

We expect the trend to accelerate, particularly for account creation. The adoption of “chip and pin” credit card technology in 2015 in the U.S. will drive credit card fraud into new channels. Because counterfeiting a card is difficult, criminals will turn their focus to online channels and to gaining credit cards using stolen identities. This was one of the lessons learned when Europe moved to “chip and pin” in 2012.

Smaller businesses have fewer resources

If a financial giant with advanced security measures like JPMorgan Chase cannot protect its customers’ data, how can small businesses do the job with fewer resources? You may not have teams of people dedicated to security, but surviving the damage caused by a data breach has the potential to seriously derail your growth. In addition, new, fast-growing businesses often prioritize business success and revenue while placing fraud prevention on the back burner – and this is a big mistake.

The only way for small and mid-sized businesses – or fast-growing startups – to level the playing field is to collaborate on security. Be part of something larger by sharing threat intelligence and information with other businesses, large and small, around the globe. By participating in a network like the ThreatMetrix Global Trust Intelligence Network, which analyzes and protects more than 850 million monthly transactions, you can build trust into your customer transactions and other activities by placing them in a broader, worldwide context.

The strategic business value of trust

Security may seem like a defensive tactic or cost of doing business, but building trust is strategic. If you want your business to grow, you need customers to trust in their interactions with you and to trust you with their data. And to expand confidently beyond geographic borders, you need to trust that you can do business with overseas entities securely. At ThreatMetrix, our goal is to make that kind of online trust a reality.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

 

ThreatMetrix Reveals Strategies for Small and Medium-Sized Businesses to Avoid Falling Victim to Data Breaches

Posted on October 21st, 2014 by Dan Rampe


Continuing its Alignment with National Cyber Security Awareness Month, ThreatMetrix Draws on Recent Data Breaches to Outline Cyber Security Lessons for Small Businesses

San Jose, CA – October 21, 2014 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced several risks and preventative strategies for small and medium businesses (SMBs) to protect against data breaches, continuing its commitment to this year’s National Cyber Security Awareness Month (NCSAM) theme, “Our Shared Responsibility,” as well as the fourth week’s theme of examining cybersecurity for SMBs in addition to entrepreneurs.

The theme of NCSAM’s fourth week is “Cyber Security for Small and Medium-Sized Businesses and Entrepreneurs,” calling attention to the importance of cybersecurity measures for smaller businesses, as well as addressing the special challenges faced by these entities when it comes to cybersecurity. Recent high-profile breaches such as JPMorgan Chase and Home Depot – which have compromised millions of accounts and other sensitive information – make now a more important time than ever for SMB owners and entrepreneurs to educate themselves on cyber security. Several risks these businesses face, along with preventative strategies, include:

  • No Business is Too Small

Cybercriminals will target any business, large or small, so long as there is a consistent flow of revenue. Since large companies often have more comprehensive cybercrime prevention strategies in place, cybercriminals often turn to smaller organizations instead. Rapidly-growing, small businesses also risk falling victim to cybercriminals as they increasingly gain recognition. As a result, some SMBs choose not to expand internationally because of the possible increased fraud risk and end up missing out on revenue opportunities.

“The unfortunate fact is that some small businesses see their first cyber attack or breach as an early sign of business growth and recognition,” said Andreas Baumhof, chief technology officer at ThreatMetrix. “The focus for every small business is to grow as fast as possible. The mindset is ‘If I don’t sell anything, I don’t need a fraud solution, so let’s first sell and then figure out the fraud problems later.’ However, this is an ineffective way for businesses to treat their customers’ sensitive information, as these businesses will ultimately be targeted by cybercriminals.”

  • Stolen Identities Are a Growing Problem

The recent JPMorgan Chase, Home Depot and other breaches added millions of stolen identities to the millions already on black markets. The JPMorgan Chase breach alone compromised the accounts of 76 million households and seven million small businesses. These compromised accounts pose the risks of stolen credit card information, personal information sold on black markets and fraud ranging from account takeover to financial fraud to businesses of all sizes.

According to recent data from a ThreatMetrix Cybercrime Index™ Benchmark Report, businesses in the ThreatMetrix® Global Trust Intelligence Network have reported frequently detecting and deterring identity spoofing attacks in logins, various transactions and account creation. ThreatMetrix expects this trend will accelerate over the next year as the U.S. adoption of “chip and signature” credit card technology in 2015 drives more fraud online.

  • Smaller Businesses Have Fewer Resources

Recent high-profile breaches of large enterprises draw attention to the fact that SMBs are at even higher risk with fewer resources available for cybercrime prevention. Not only do many of these organizations not have dedicated cyber security teams, but for those who are breached, it is extremely difficult to recover from the damage to their business, as growth and profits are stunted post-data breach. Fast-growing SMBs often make the mistake of prioritizing business success and revenue over fraud prevention.

“Small and medium-sized businesses will always have fewer resources than large enterprises to protect themselves, so the focus needs to be on how all enterprises, small and large, can work together to level the playing field and combat fraud altogether,” said Baumhof. “Threat intelligence sharing through an anonymized global network benefits every business involved and helps to build trust on the Internet. It’s the responsibility of small and large businesses alike to collaborate against cybercriminals.”

In order for SMBs to get ahead of the curve on cybersecurity strategies, there needs to be collaboration and information sharing at the business and the government level, while protecting consumer privacy. The ThreatMetrix® Global Trust Intelligence Network anonymizes and encrypts data to enable businesses of all sizes to identify threats and keep their organizations secure without providing any personally identifiable information.

In addition to the overall theme of “cybersecurity is a shared responsibility,” the U.S. Department of Homeland Security outlined weekly themes to commemorate National Cyber Security Awareness Month throughout October. The remaining upcoming theme is:

  • Week Five – Cyber Crime and Law Enforcement

ThreatMetrix will continue to support each week’s theme through the end of the month. To commemorate National Cyber Security Awareness Month, ThreatMetrix has also signed on as a “Champion” with the National Cyber Security Alliance.


© 2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts

Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
Walker Sands Communications
Tel: 312.241.1178
Email: beth.kempton@walkersands.com

 

Rebuilding Trust on the Internet: Fact or Fiction?

Posted on October 21st, 2014 by Dan Rampe


At ThreatMetrix® we’ve made it our mission to try and build greater trust in the internet and I think we’ve assembled a pretty decent set of products and capabilities to do just that. It’s no easy feat though. The UK now boasts one of the largest e-commerce markets on the planet, with Brits spending around £91 billion a year online. Government initiatives such as the UK Trade & Investment’s e-Exporting Programme, designed to help more UK firms sell overseas via the web, will boost the figure even further. Why does that matter? Because where there’s money, there’s opportunity for cyber criminals.

It’s no surprise that online fraud shot up over the past year and now sits at over £100m, according to Financial Fraud Action UK. The same industry body claimed that online banking fraud rose 71% over the same period. Scary stuff. But what can we do about it?

Know Fraud, No Fraud

Whether it’s account creation, log-ins or payment fraud, the bad guys often seem to have the jump on us. So it’s encouraging to see the industry take a more proactive approach to raising awareness around fraud prevention. Last week, the British Bankers’ Association (BBA) launched a major awareness drive – Know Fraud, No Fraud – designed to offer consumers best practice advice to help them spot suspicious behaviour.

It includes a handy eight-point list of “things your bank will never ask you to do”, in a bid to teach users how to spot phishing and other types of online fraud. It should go some way to helping and is certainly a step in the right direction.

However, banks and online businesses can’t rely on educating consumers alone. A YouGov poll commissioned by the BBA to highlight the problem found that four million UK consumers might transfer money into a supposedly “safe” account if instructed to do so by someone pretending to represent their bank. A further three million would carry out “test transactions” online if instructed – another trick scammers use to defraud consumers online.

The Fightback Begins

No, the most profitable businesses will take matters into their own hands, with a multifaceted approach to consumer security which will strike the right balance between usability and fraud protection. They will understand that some highly secure authentication processes can actually result in lost sales, as potential customers abandon carts due to slow or complex payment processes. They will also realise that in-house fraud prevention efforts simply can’t provide the visibility needed into global trends to keep the bad guys out with any degree of certainty.


Why Cyberinsurance?

Posted on October 16th, 2014 by Dan Rampe


Home Depot, Michaels, eBay, Target, Neiman Marcus, Veterans Affairs, Sony, JPMorgan Chase. Or in a Word…Data Breaches.

Cyberinsurance is hotter than the Geico Gecko sunbathing on a rock in the Mojave at high noon. Too much? Anyway, the point is that in less than a decade corporations have gone from “What’s cyberinsurance?” to “Cost of doing business.”

In her extensive story on northjersey.com, The Record’s Joan Verdon explores the many aspects of cyberinsurance from cost to coverage. The following has been excerpted from her piece and edited to fit our format. You may find the complete, unedited version by clicking on this link.

What is cyberinsurance?

  • Cyberinsurance policies typically protect businesses from costs incurred through data breaches or shutdowns of computer systems.
  • In data breaches, the policies cover costs of investigating the breach, notifying affected parties, legal expenses and related fines.
  • Businesses are seeking coverage for both “first-party” risks, such as notification costs, and “third-party” risks, such as class-action lawsuits brought by credit card holders.
  • $200 million is the typical maximum for coverage, with several insurers “stacking” policies to add up to that amount, rather than one insurer taking on all of the risk. But some companies are starting to offer “catastrophic” cybercoverage for larger amounts.
  • Insurance companies require businesses to meet certain standards for data security and monitoring before they will provide coverage.

Up over 200 percent on cyberpolicies

[Robert Morris, president of Rampart Group insurance brokerage, offers] “We’re up over 200 percent on cyberpolicies since last year, and it’s still growing rapidly.”

Bad news is good news for cyberinsurers

[News] that JPMorgan Chase, the financial giant with a reputation for investing heavily in data security, had been breached and that addresses and phone numbers connected to 83 million household and business accounts had been stolen reinforced fears that no one is safe from cyberattack.

News of the Chase breach came 11 months after Target, the nation’s second-largest retail chain, was hit by a holiday-season hacking that compromised some 40 million credit and debit cards. The total cost to Target of that attack is expected to top $1 billion. Home Depot, Neiman Marcus, [and] eBay, as well as smaller retailers, also have been breached.

Retail and bank breaches involving payment cards get the most publicity, but any place that handles confidential or financial information — hospitals, law offices, government agencies — [has] to worry about cyberleaks.

Ponemon Institute and PwC cybercrime numbers

[Ponemon observes that] cybercrime has cost a sampling of 59 U.S. companies an average $12.7 million this year, up roughly 10 percent from last year’s average of $11.6 million. This year’s average includes two companies that were each hit with more than $50 million in cyberattack costs.

The accounting firm PricewaterhouseCoopers reported in September that data breaches increased 48 percent this year, with 117,339 attacks occurring each day around the globe.

Cybercoverage plans vary with different businesses

American International Group, Chubb, Travelers and other large insurance carriers have rolled out corporate cybercoverage plans. Warren-based Chubb has developed a number of specialized cybersecurity products, including policies designed for health care organizations, lawyers and small businesses. Marsh, the insurance brokerage division of Marsh & McLennan Cos., last month announced it would provide catastrophic cyberattack coverage for large companies that want an additional $300 million in coverage above the first $100 million in costs, which the company would be expected to cover.

Rates all over the map

Experts say the costs of cyberinsurance vary greatly and depend on the number of records or amount of data a company collects and needs to protect. Panelists at the Black Hat and Def Con conventions in Las Vegas in August said standard rates are $20,000 to $25,000 for $1 million of coverage.

Tom Ridge, the first U.S. homeland security chief, said last week that his company, Ridge Insurance Solutions, was joining with the venerable Lloyd’s of London to offer cyberattack insurance. The Chase breach, Ridge said at an appearance in London reported by Bloomberg News, scared corporate executives around the world.

“Who would have thought that JPMorgan, with its security budget, could be hacked into,” Ridge said. “Now a lot of people are thinking, ‘If it could happen to them, it could happen to us, too.’ ”

How do cyberinsurers arrive at a pricing structure?

One problem insurers face, however, is knowing how to price a policy based on anticipated risk when information about the impact of cyberattacks is limited.

“The problem is there’s not enough actuarial data to tell us how many attacks there are going to be and what’s going to be the cost of the attack,” said Rampart Group’s Morris.

If a company comes to an insurer seeking fire insurance, Morris said, “they know what’s going to burn, within certain parameters because they have the statistics for hundreds of years. We don’t have that in cyber at all. Not even close.” That causes prices for policies to be “all over the place.”

Rampart Group brokered its first cyberinsurance some four or five years ago, Morris said. The policies, however, have become far more complex and sophisticated since then. Insurers now provide coverage packages that help a company notify customers of a breach, that provide forensic accounting services and credit-monitoring services and that pay for public relations or legal assistance.

Morris said Rampart Group itself pays for cyberinsurance coverage as part of its business insurance because it needs to protect itself if any confidential information on its customers is breached.

A cost of doing business

[HiTouch Business Services, an office products and services company,] has never had a breach, but the company has had cybercoverage since it was founded in 2010.

“We had a very small policy from Day One, and we’ve kept increasing it every year,” [said Michael Palmer, HiTouch’s CEO.]

Recently, HiTouch has seen that its larger business customers, who enter into contracts for large purchases or services, want to deal with vendors who have cyberinsurance. “Their legal departments are saying these are the insurances every vendor you have must carry,” Palmer said.

Cyberinsurance could improve security

Industry experts say the drive for cyberinsurance should help strengthen corporate cyberdefenses in the same way that insurance companies years ago led the push for uniform building codes and code enforcement to reduce fire and property liability risks.

What about coverage for consumers?

The growth in corporate cyberinsurance is causing some insurance companies to also look at cyberinsurance riders on personal life insurance or homeowners policies, coverage that would provide reimbursement in cases of identity theft, stolen information, or even lawsuits linked to social media misuse.

Morris said he is trying to develop a personal cyberinsurance policy to provide $500,000 to $1 million in coverage for a premium of about $200 a year. The coverage could protect someone who might be sued because of something a family member posted on social media or bring in digital-reputation repair experts if the policy owner is attacked on social media.


Massive MBIA Data Leak is “Tip of the Iceberg”

Posted on October 15th, 2014 by Dan Rampe


(NOTE: The following is used with the permission of Byron Acohido, a Pulitzer Prize-winning journalist and editor-in-chief for ThirdCertainty, an IDt911-sponsored online publication dedicated to helping individuals and companies assess risks and embrace best security practices. Acohido will be speaking at the ThreatMetrix Cybercrime Prevention Summit 2014, November 5 – 7.)

By Byron Acohido, ThirdCertainty

Hundreds of companies, local government agencies and universities—including two Ivy League schools—continue to expose sensitive financial, medical, academic, personal and other records to anyone who knows a few finer points about how to use Google or the Shodan search engine.

These organizations are all in the same boat as MBIA, the nation’s largest bond insurer, which has been scrambling to downplay the revelation that it has not taken very good care with customer accounts.

Ethical hacker Bryan Seely of Seattle-based Seely Security showed how MBIA has long been exposing details of municipal bond and investment management accounts in a way that made it easy for criminals to transfer funds from existing accounts into newly created ones they control. There’s no evidence any theft took place, only because the bad guys appear to have overlooked this freebie.

MBIA’s security lapse came to light in a story posted by security blogger Brian Krebs early last week. But that’s just the tip of the iceberg, Seely tells ThirdCertainty.

Seely has reviewed 25,000 Oracle web servers known to have a vulnerability that can be accessed if the web server owner fails to configure the Oracle server in the proper way.

“In the case of MBIA, it was not at risk because of a flaw in Oracle,” Seely says. “This was simply because the customer did not configure the server correctly when they deployed it, and it caused private banking records to be exposed to the Internet.”

8,000 exposed servers

Seely says he has identified more than 8,000 other servers that are similarly misconfigured and likewise exposing sensitive accounts on the open Internet. These are accounts that should be kept under lock and key.

Seely has been on a one-man campaign to notify organizations, and a few have listened to him. Among those who have heeded Seely’s heads up and locked down their misconfigured Oracle servers are:

  • Texas Department of Family Protective Services
  • Meridian Community College in Mississippi
  • University of Wisconsin
  • Purdue – Calumet Campus
  • Maryland Port Authority

MBIA initially gave Seely the cold shoulder, but took action after they received a phone call from Brian Krebs. Most organizations Seely has tried to alert assume he’s out to hustle them. “They think it’s a ransom attempt or a scam,” he says. “I’m not selling anything, and I’m not asking for money. If they want to hire me to help fix or find more problems, I would welcome it, but it is not a condition by any means.”


A one-time U.S. Marine, Seely is no slouch. He has worked as a network engineer at Microsoft and Avanade. Last February, he demonstrated a way to set up and record calls between unwitting citizens and the FBI and Secret Service—by hacking Google Maps. Billionaire Dallas Mavericks owner and Shark Tank TV personality Mark Cuban is a fan.

Last month Seely and fellow ethical hacker Ben Caudill proved LinkedIn does not do a robust job of protecting email addresses by using a low-tech hack to find and manipulate Cuban’s email address, and those of other celebrities.

That hack led to Cuban asking Seely and Caudill to check Cyber Dust, a privacy-centric chat messenger start-up backed by Cuban, for security soft spots.

Seely says it would have been trivial for criminals to steal from MBIA subsidiary Cutwater Asset Management—the company found to have the exposed accounts—but it appears MBIA and Cutwater dodged one big bullet.

MBIA dodged bullet — will others?

“It’s highly unlikely that criminals accessed MBIA’s data because the only thing at risk was the money,” Seely says. “If the money is there, then nothing has been stolen. There were not any Social Security numbers or PINs, but the ability to change or otherwise add and remove signers, additional bank accounts and such. It would have been all too easy to take money from accounts in small or large amounts prior to discovery.”

Cutwater’s server was misconfigured to expose countless account numbers, balances and forms in such a way that the records were being indexed by Google and Shodan, a search engine that looks for specific types of routers and servers connected to the Internet.

Seely personally was able to use Google and Shodan to directly access individual financial accounts, account balances, participant profiles, lists of names, addresses, email addresses, and phone numbers of authorized account users.

“If you needed to add someone, you could just fill out a form and email it,” he says.

Now that the cat is out of the bag, you can bet the attention of organized cyber gangs has been directed to this low-hanging fruit. Companies using misconfigured Oracle servers who are slow to address this exposure are at risk of paying a high price. The two Ivy League schools Seely found to be exposed have not yet fixed the problem, he says.

More on emerging best practices

Encryption rules ease retailers’ burden

Tracking privileged accounts can thwart hackers

Impenetrable encryption locks down Internet of Things

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

Internet of Things – A Consumer Dream or Cybersecurity Nightmare?

Posted on October 14th, 2014 by Dan Rampe

Don’t look now, but your life is more online and connected today than it was last year – and the trend is accelerating.

Late last year, we predicted that risks associated with the Internet of Things (IoT) and critical infrastructure would be two emerging cybercrime trends this year. (See our 2014 predictions blog.) These topics are the theme of this third week of the National Cyber Security Awareness Month, “Critical Infrastructure and the Internet of Things.”

IoT and Critical Infrastructure are two sides of the same coin

This year has seen a burst of innovation in the Internet of Things. Intel is getting into the wearable technology field, while the Consumer Electronics Show was filled with wearable devices such as heart monitors, sensor-equipped golf gloves and networked pet collars. Other devices already on the market are gaining traction, from cars that email us when they need service to health monitors that publish our glucose levels. The possibilities are endless and so are the products that come to market quickly.

When it ships early next year, the Apple Watch will no doubt expand the wearable technology market beyond the earliest adopters to the broader Apple faithful.

Even if you’re not using these technologies, you are part of a connected world through the public infrastructure around you. Wireless cameras and embedded sensors permeate public facilities and transportation hubs. We all depend on power grids and water delivery systems (also known as critical infrastructure) that are controlled by networked devices. In the near future, drones may zoom around us on city streets.

The increasing connectivity of the world poses a growing cybersecurity threat that we are not securing well. For consumer technologies, personal privacy is often at risk. The public safety risks are higher for critical infrastructure.

All these devices are Internet enabled, but remember: they run software. They run the very same software that is being attacked on a daily basis for high-risk applications such as online banking. The only difference is that they cannot be updated, and this has the potential to make them a lethal target.

Point of Sale Systems – The Canary in the Coal Mine

Lest you think I’m being alarmist, let’s consider one of the earliest entrants in the Internet of Things – Point of Sale (POS) systems. You see them everywhere – devices such as cash registers and credit card readers use POS to take payments at retail stores.

You would think that POS systems would be secure, for several reasons.

  • They’ve been around for a while, so we’ve had time to figure out how to make them safe.
  • They handle financial transactions, therefore we are extra motivated to keep them secure.
  • They are locked down and run in dedicated networks.

Yet POS exploits were responsible for two of the largest data breaches in the past year – the Target and the Home Depot breaches.

If we cannot manage to protect those network-attached devices that we know are targeted by thieves, how much better will we be at protecting the various technologies we’re embedding in our personal lives? Or the devices controlling critical infrastructure? Even our highway signs have been hacked. (See http://www.threatmetrix.com/a-sign-of-the-times-hacking-signs-electronic-road-sign-hackers-reveal-a-downside-to-the-internet-of-things/)

A roadmap to a more secure connected world

We can address these risks, but only with concerted and collaborative efforts. My recommendations for connected devices are as follows:

  1. Think twice about what goes on public networks. Network segmentation and isolation are critical, particularly for critical infrastructure.
  2. Strengthen authentication to these devices and the systems that manage them. Logins continue to be the weakest point in most systems. We’re reaching a point at which it is irresponsible to protect critical systems with passwords alone. Use multiple authentication factors or context-based authentication to reduce risk of stolen identities and unauthorized access.
  3. Look for anomalies at all levels, including patterns that represent known threats or never-before-seen patterns that may indicate an emerging threat.
  4. Provide a mechanism to securely update these devices. In order to do so, many of the previous points need to be considered.

To put these strategies in place, we must exchange and share threat information at both the business and government level. The federal government is committed to sharing information with the private sector related to critical infrastructure. (See Executive Order 13636)

For businesses that handle personal or consumer-based products, sharing information must be balanced with protecting consumer privacy. As the data collected about us from devices continues to grow, privacy will be more important than ever before. That’s why we’ve built data anonymization and encryption into the ThreatMetrix® Global Trust Intelligence Network.

As new technologies continue to reshape our future at a rapid pace, we have to act quickly to make sure that the future we’re building is secure and private, not dystopian.

ThreatMetrix Announces Strategies to Combat Growing Threats to Critical Infrastructure and the Internet of Things

Posted on October 14th, 2014 by Dan Rampe

In Conjunction with National Cyber Security Awareness Month, ThreatMetrix Outlines Security Measures to Properly Secure Web-Connected Devices and Critical Infrastructure

San Jose, CA – October 14, 2014 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced strategies to combat security risks for the Internet of Things (IoT) and critical infrastructure, continuing its commitment to this year’s National Cyber Security Awareness Month (NCSAM) theme, “Our Shared Responsibility,” as well as the third week’s theme of examining potential security implications associated with critical infrastructure and the IoT.

The theme of NCSAM’s third week is “Critical Infrastructure and the Internet of Things,” calling out the risks faced by devices and critical utilities as they increasingly connect to the Internet. As devices ranging from watches and heart monitors to refrigerators, as well as critical utilities such as water and power, continue to connect online, our everyday lives are placed at an increased risk of being compromised by fraudsters.

In the past year alone, innovations in wearable technology and other fields have included a burst in Internet-connected devices. From cars that can send email reminders when they need service to health monitors that publish heart rate and glucose level to online tracking tools, the inter-connected world is growing and not slowing down, creating significant risks for consumers’ privacy and cyber security.

However, the users of these new technologies are not the only ones affected by the increasing connectivity of the world. Public infrastructure is all connected online, from power grids to water delivery systems, all controlled by networked devices. This is critical infrastructure, and it opens the door to individual cybercriminals or nation states to wage a new form of online warfare if proper security measures are not immediately set in place.

“The rapid growth of the Internet of Things creates a new wealth of information for cybercriminals to compromise, from our everyday appliances to critical operations, allowing them to steal personal information and cripple resources,” said Andreas Baumhof, chief technology officer at ThreatMetrix. “Apple will soon launch the Apple Watch, taking wearable tech from obscurity to the consumer forefront. It is becoming increasingly imperative that we ensure the information shared through these devices is secure as they will contain, collect, and track sensitive information about our personal physical lives, as well as elements tied directly to our financial being. In addition, point-of-sale system hacks have caused massive damage to major retailers over the past year, as we saw in the Target and Home Depot breaches, among others. Imagine what harm the mass distribution of health and critical infrastructure information can bring to the lives of millions.”

As the Internet of Things and online connectivity of our nation’s critical infrastructure show no signs of slowing down, ThreatMetrix has outlined several security strategies to address some of the associated risks:

  • Network Segmentation and Isolation – Network segmentation or “zoning” is a popular practice in Internet security. Network segmentation maximizes the possibility of limiting the risk of a data breach to your entire network. It also can help businesses determine what information to keep on public or private networks.
  • Account Authentication – Username and password authentication is the weakest point of entry for most businesses operating online, often making businesses an easy target for hackers. At this stage, it is irresponsible to protect any information stored online with passwords alone. The use of multiple authentication factors, such as context-based authentication and real-time fraud prevention, can help reduce the risk of stolen user identities and fraudulent transactions without disrupting the user experience for authentic customers.
  • Tracking – Tracking data enables businesses across industries to differentiate between authentic and fraudulent transactions and other activity. By identifying anomalies, such as hiding behind proxies and virtual private networks or a change in shipping address, through a global network of shared intelligence, businesses can recognize patterns that represent known threats or never-before-seen patterns that show a potential threat.
  • Secure Updates – It is important that Internet-connected devices are updated on a regular basis to stay one step ahead of cybercriminals as they become increasingly sophisticated.

For comprehensive cybersecurity strategies to be effective and protect Internet of Things devices as well as critical infrastructure, there needs to be collaboration and sharing of information at both the business and the government level, while protecting consumer privacy. The ThreatMetrix® Global Trust Intelligence Network anonymizes and encrypts data to enable businesses to identify threats and keep their business secure without providing any personally identifiable information.

In addition to the overall theme of “cybersecurity is a shared responsibility,” the U.S. Department of Homeland Security outlined weekly themes to commemorate National Cyber Security Awareness Month throughout October. The remaining upcoming themes include:

  • Week Four – Cyber Security for Small and Medium-Sized Businesses and Entrepreneurs
  • Week Five – Cyber Crime and Law Enforcement

ThreatMetrix will continue to support each week’s theme throughout the month. To commemorate National Cyber Security Awareness Month, ThreatMetrix has also signed on as a “Champion” with the National Cyber Security Alliance.

About ThreatMetrix

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

© 2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts
Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
Walker Sands Communications
Tel: 312.241.1178
Email: beth.kempton@walkersands.com

FBI Provides Tool for Checking Out Suspicious Files

Posted on October 13th, 2014 by Dan Rampe

Businesses, Researchers and Academics Will Soon Be Able to Upload Files to FBI Portal to Ensure They Don’t Contain Malware

The FBI offers a portal for law enforcement agencies to check out files. Now a separate FBI portal will be made available for a much wider audience. Called Malware Investigator, the portal will be accessible to established FBI partnerships, including members of the U.S. Intelligence Community (USIC), domestic and foreign law enforcement, academia, and private industry.

How it works

According to Charlie Osborne’s article on zdnet.com, here’s how it works. “Once a file is uploaded, the system pushes [it] through antimalware engines to [extract] information…whether it is malicious, what the malware does, and [whom it affects.]

“The Malware Investigator analyses threats through sandboxing, file modification, section hashing, correlation against other submissions and the FBI’s own entries concerning viruses and malware reports. Windows files and common file types can currently be analyzed, but this will expand to include other file types in the near future.”

The FBI’s Jonathan Burns noted that API access has been granted for businesses that want to integrate the engine into their platforms. Personal details of submitters would not be disclosed.

Largest U.S. Bond Insurer Learns of Exposed Customer Accounts — from Blog

Posted on October 10th, 2014 by Dan Rampe

Security Guru Brian Krebs of KrebsOnSecurity Notifies Municipal Bond Insurance Association (MBIA) of Web Server Misconfiguration That Put Customer Accounts at Risk

MBIA is a public holding company that offers municipal bond insurance and investment management products to diversify the holdings of insurance companies that include Aetna, Fireman’s Fund, Travelers, Cigna and Continental.

In his piece on KrebsOnSecurity.com, Brian Krebs reports how he learned that MBIA had exposed countless customer account numbers, balances and other sensitive data to potential attackers. The following has been excerpted from Krebs’ blog and edited to fit our format. You may find his complete, unedited piece by clicking on this link.

Bryan Seely, an independent security expert, discovered the exposed data using a search engine. Seely said the data was exposed thanks to a poorly configured Oracle Reports database server. Normally, Seely said, this type of database server is configured to serve information only to authorized users who are accessing the data from within a trusted, private network — and certainly not open to the Web.

Worse yet, Seely noted, that misconfiguration also exposed an Oracle reports diagnostics page that included the username and password that would grant access to nearly all of the customer account data on the server.

“Malicious hackers finding dozens of universities or companies with Social Security numbers, health data or other information is devastating, but stumbling on bank accounts and the instructions for how to empty them is potentially catastrophic,” Seely said. “Billions in taxpayer funds, invested into one of the largest institutions in the world that were essentially being guarded by a sleeping security guard.”

Taking the Fight to the Fraudsters in a Month to Remember

Posted on October 9th, 2014 by Dan Rampe

September was a great month if you work in fraud prevention circles. A major new agreement between the European Banking Federation and Europol’s European Cybercrime Center (EC3) will make information sharing and co-operation between the region’s law enforcers and banks more extensive and effective than ever before.

It’s to be applauded. After all, fraud across Europe is increasing and becoming increasingly “cyber” in nature.

An annual report from the European Central Bank back in February revealed that card fraud rose in 2012 for the first time since 2008 – driven mainly by internet fraud. It claimed €1 in every €2,635 spent on credit and debit cards issued within SEPA (Single European Payments Area) was lost to fraud. While fraud via POS systems and ATMs dropped since the previous year, card-not-present fraud – including payments by post, telephone and the internet – jumped from 56% to 60%, the highest since records began.

It’s not hard to see why. Online fraud is difficult to trace and easy to commit. Cybercriminals have become adept at logging into online bank and other accounts with phished credentials, or setting up new ones with ill-gotten personal information. User awareness is increasing, but not fast enough, and alternatives to password-based systems such as two-factor authentication (2FA) can be too user-unfriendly. Meanwhile, traditional behind-the-scenes anti-fraud systems can be slow to spot suspect behaviour, and often end up blocking innocent customers.

A step in the right direction

So we applaud the new memorandum of understanding between EC3 and the EBF. It should speed up and improve cross-border sharing of stats on fraud and cyber attacks. On the one hand this will give the police an advantage when pursuing organised crime and, on the other, it should help banks understand fraud patterns better so that they can prepare their cyber defences more effectively. Fraud prevention is finally moving from ad-hoc and localised to systemic, automated and cross-border.

That’s not the only good news from September. The British Bankers Association announced plans for a new Financial Crime Alerts Service (FCAS) – where it will share with its members real-time alerts on cyber crime, fraud and other activities generated by law enforcers and government agencies.

The UK has in fact been quietly ramping up the number of specialist fraud officers in the police force – with staff levels rising 11% since 2011 to reach 448 today. The number of civilian investigators also increased, from 235 to 289, the BBC said. However, there’s still a feeling that officers are swamped with requests, as fraud increased in England and Wales by 40% during the same period.

In the US, meanwhile, a joint venture between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and The Depository Trust & Clearing Corporation (DTCC) will lead to the creation of Soltra. This new body will focus on developing “software automation and services that collect, distill and speed the transfer of threat intelligence from a myriad of sources to help safeguard against cyber attacks.”

Our approach

ThreatMetrix® fully supports any moves to improve the sharing of actionable intelligence between financial institutions and law enforcement for a win-win scenario. But we’d also argue that there’s another, proactive step organisations of all shapes and sizes can take to minimise the risk of account fraud.

Our approach is to understand the endpoint, the user’s identity (which is anonymised) and their behaviour to determine if a transaction can be trusted or not. Our fraud information does not come from law enforcement but from over 850 million monthly transactions that our 3,000+ customers – from major banks to social networks, enterprises and e-commerce giants – provide us with. Just as the users of the fraud initiatives above will get better over time at spotting and predicting threats, so the ThreatMetrix® Global Trust Intelligence Network gets smarter with each risk assessment.

It’s global, cross-industry, real-time intelligence that works in the background without any customer input needed to spot and block fraud before it has a chance to get anywhere near your business.
