The EMV Cards That Never Were

Posted on October 29th, 2014 by Dan Rampe


U.S. Banks Received Tens of Thousands of Dollars Charged on EMV Cards — Despite Not Having Sent Customers Chip-Enabled Cards!

During World War II, British intelligence used a real dead body to create a fictitious Royal Marine Major William Martin. The body was dropped in the sea by a submarine and washed ashore on a Spanish beach where it was hoped it would fall into the hands of German intelligence. Attached to the body was a briefcase containing letters falsely stating that an Allied attack would be launched against Sardinia and Greece rather than Sicily, where the invasion took place.

Operation Mincemeat, the macabre name given to the highly successful ruse which may have saved thousands of Allied lives, was turned into a book and movie titled The Man Who Never Was. Now, Brian Krebs on his blog, KrebsonSecurity.com, relates the story of the EMV Cards that never were and the very real fraudulent credit and debit card transactions that could cost financial institutions in the USA and Canada tens of thousands of dollars. The following has been excerpted from Krebs’s blog and edited to fit our format. You may find the complete, unedited article by clicking on this link.

Card data compromised as part of Home Depot breach

[At] least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.

[All the charges were] submitted through Visa and MasterCard’s networks as chip-enabled transactions, even though the banks that issued the cards [hadn’t] begun sending customers chip-enabled cards.

Charges difficult to dispute

Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.

Replay attacks

According to [one bank Krebs spoke with], MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Bad EMV implementation at Canadian bank

Avivah Litan, a fraud analyst with Gartner Inc., said banks in Canada saw the same EMV-spoofing attacks emanating from Brazil several months ago. One of the banks there suffered a fairly large loss, she said, because the bank wasn’t checking the cryptograms or counters on the EMV transactions.

“The [Canadian] bank in this case would take any old cryptogram and they weren’t checking that one-time code because they didn’t have it implemented correctly,” Litan said. “If they saw an EMV transaction and didn’t see the code, they would just authorize the transaction.”

Litan said the fraudsters likely knew that the Canadian bank wasn’t checking the cryptogram and that it wasn’t looking for the dynamic counter code.

It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it.

Cybercriminals kept doubling down

[It] appears that the largest share of those phony transactions were put through using a payment system called Payleven, a mobile payment service popular in Europe and Brazil that is similar in operation to Square. Most of the transactions were for escalating amounts — nearly doubling with each transaction — indicating the fraudsters were putting through debit charges to see how much money they could drain from the compromised accounts.

Important to set up EMV properly

[Litan observes] “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly. They won’t expect the point-of-sale codes to be manipulated by fraudsters.”
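The issuer-side checks whose absence is described above (was a chip ever issued, does the cryptogram verify, has the counter advanced), plus a flag for the near-doubling amounts, as an added Python example that is not from Krebs's article or from ThreatMetrix. The record fields, reason codes and thresholds are assumptions, and HMAC-SHA256 stands in for the real EMV cryptogram computation.

```python
"""Issuer-side checks for a transaction presented as chip-read (illustrative)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class CardRecord:
    pan: str
    chip_issued: bool        # has the issuer ever personalised a chip for this card?
    card_key: bytes = b""    # per-card secret shared by chip and issuer (stand-in)
    last_atc: int = 0        # highest transaction counter accepted so far


@dataclass
class AuthRequest:
    pan: str
    amount_cents: int
    entry_mode: str          # "chip" or "magstripe" (hypothetical values)
    atc: Optional[int] = None
    cryptogram: Optional[bytes] = None


def expected_cryptogram(card: CardRecord, atc: int, amount_cents: int) -> bytes:
    # Assumption: real EMV cryptograms are computed with card-specific keys over
    # more transaction fields; an 8-byte HMAC-SHA256 tag stands in for that here.
    msg = f"{card.pan}|{atc}|{amount_cents}".encode()
    return hmac.new(card.card_key, msg, hashlib.sha256).digest()[:8]


def authorize(card: CardRecord, req: AuthRequest):
    """Return (approved, reason). Chip data that is absent or invalid fails closed."""
    if req.entry_mode == "chip":
        if not card.chip_issued:
            return False, "NO_CHIP_ISSUED"       # the U.S. banks' situation
        if req.cryptogram is None or req.atc is None:
            return False, "MISSING_CHIP_DATA"    # never "just authorize"
        want = expected_cryptogram(card, req.atc, req.amount_cents)
        if not hmac.compare_digest(req.cryptogram, want):
            return False, "BAD_CRYPTOGRAM"
        if req.atc <= card.last_atc:
            return False, "ATC_REPLAY"           # counter must strictly increase
        card.last_atc = req.atc
    # Magstripe and other entry modes go on to the issuer's other fraud controls,
    # which are outside this sketch.
    return True, "APPROVED"


def escalating(amounts, steps=3, ratio=1.8):
    """True when each of the last `steps` amounts is >= ratio x the one before it.

    The thresholds are assumptions chosen to match "nearly doubling".
    """
    if len(amounts) < steps + 1:
        return False
    tail = amounts[-(steps + 1):]
    return all(b >= ratio * a for a, b in zip(tail, tail[1:]))


def demo():
    # Constructed sample data: card numbers, key and amounts are made up.
    legacy = CardRecord(pan="4000000000000002", chip_issued=False)
    chip = CardRecord(pan="4000000000000010", chip_issued=True,
                      card_key=b"constructed-demo-key", last_atc=41)
    good = AuthRequest(chip.pan, 2500, "chip", atc=42,
                       cryptogram=expected_cryptogram(chip, 42, 2500))
    return [
        # chip-flagged transaction on a card that never had a chip
        authorize(legacy, AuthRequest(legacy.pan, 2500, "chip", atc=7,
                                      cryptogram=b"\x00" * 8)),
        # chip-flagged transaction with no cryptogram or counter at all
        authorize(chip, AuthRequest(chip.pan, 2500, "chip")),
        # "any old cryptogram"
        authorize(chip, AuthRequest(chip.pan, 2500, "chip", atc=42,
                                    cryptogram=b"\x00" * 8)),
        # genuine transaction, then the same message presented a second time
        authorize(chip, good),
        authorize(chip, good),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
    print(escalating([1000, 1900, 3700, 7300]))
```
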

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

 

 

ThreatMetrix Outlines Strategies for Law Enforcement and Businesses to Collaborate to Combat Cybercrime

Posted on October 28th, 2014 by Dan Rampe


In Conjunction with National Cyber Security Awareness Month, ThreatMetrix Presents Three Ways for Law Enforcement and Businesses to Bring Cybercriminals to Justice

San Jose, CA – October 28, 2014 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, announced today three methods for law enforcement and businesses to collaborate in the fight against cybercrime, continuing its commitment to this year’s National Cyber Security Awareness Month (NCSAM) theme, “Our Shared Responsibility,” as well as the fifth week’s theme examining the current state of cybercrime and law enforcement’s involvement.

The theme of NCSAM’s fifth and final week, “Cyber Crime and Law Enforcement,” examines the ever-growing number of cyber attacks on U.S. companies and stresses the importance of law enforcement and businesses of all sizes to join forces to identify cybercriminals and bring them to justice.

Unfortunately, cybercriminals are often virtually impossible to locate due to the use of stolen identities, compromised devices, and masked IP addresses. To heighten the problem, these criminals come from various backgrounds, and range from individuals to entire governments. Law enforcement agencies, businesses and individuals are fighting their own battles against cybercriminals, and operating individually makes them easy targets if they fail to collaborate on prevention efforts.

“While businesses have a responsibility to protect their customers’ privacy and data, they often lack the resources, knowledge, or both to do so,” said Andreas Baumhof, chief technology officer at ThreatMetrix. “Law enforcement agencies also have difficulties protecting consumers, as they are constantly hampered by incomplete information and jurisdictional challenges. Therefore, both parties need to collaborate on a global level to assure the best resources are available to stop cybercriminals in their tracks.”

In recent years, law enforcement officials and businesses worldwide have increasingly realized the importance of working together to fight cybercrime. However, for this momentum to continue, businesses need to take the following steps to help law enforcement bring cybercriminals to justice:

1. Share – “Cybercrime is the only crime that is truly international,” said Baumhof. In order to get ahead of the curve, information sharing must exist at the business and the government level, while still protecting consumer privacy. Financial and retail industries have already started to share threat information, but all industries can benefit from collaboration. Many businesses are afraid of sharing customer information with competitors, but through an anonymized global network, they can collaborate without losing a competitive edge.

The ThreatMetrix® Global Trust Intelligence Network anonymizes and encrypts data across 850 million monthly transactions to enable parties on the right side of the war against cybercriminals to identify threats and keep their organizations secure without providing any personally identifiable information.

2. Take – Individuals and businesses often do not understand that cybercriminals get away with their crimes because it is much more difficult to secure evidence than it is for physical crimes. In order for law enforcement to prosecute these criminals, businesses must have the capabilities to identify suspicious activity and provide a chain of evidence linked to the crimes. ThreatMetrix has the capabilities to build such a chain of evidence and take away cybercriminals’ hiding places through its proxy piercing and device identification technologies, which are used to map online personas to the physical devices used in cybercrime attempts.

For example, ThreatMetrix aided the London Metropolitan Police eCrime Unit in arresting several individuals who were responsible for a large phishing attack in 2012. This was only possible through the collaboration between law enforcement and business. In working with London law enforcement, ThreatMetrix assisted in providing evidence linked to the confiscated devices, which contained accounts linking the criminals to the phishing crimes.

“The data ThreatMetrix collected from the London phishing attacks helped support the capture and conviction of the cybercriminals,” said Baumhof. “This victory serves as an ideal example of how a global network of anonymized trust intelligence can bring down illegal online operations – whether large or small – and ensure that cybercrime rings cannot commit further online fraud.”

3. Collaborate – Businesses, consumers and law enforcement working together is the only way to truly defeat cybercrime. Businesses should begin to build relationships with law enforcement officials as soon as they suspect illicit activities on their networks. Doing so enables law enforcement agencies to become better informed about the nature of the crime at hand. Regardless of the size of the crime, it is only a matter of time before that business’ weaknesses are further exposed. By sharing information with law enforcement, businesses are connected to a larger network of law enforcement agencies across borders and boundaries, which decreases the overall security threat of customer and business data being exposed.

In addition to the overall theme of “cybersecurity is a shared responsibility,” the U.S. Department of Homeland Security outlined weekly themes to commemorate National Cyber Security Awareness Month throughout October. The themes for this year included:

  • Week One – Promoting Online Safety with the Stop. Think. Connect.™ Campaign
  • Week Two – Secure Development of IT Products
  • Week Three – Critical Infrastructure and the Internet of Things
  • Week Four – Cyber Security for Small and Medium-Sized Businesses and Entrepreneurs
  • Week Five – Cyber Crime and Law Enforcement

ThreatMetrix proudly supported each week’s theme through the end of the month. To commemorate National Cyber Security Awareness Month, ThreatMetrix signed on as a “Champion” with the National Cyber Security Alliance.


Media Contacts
Dan Rampe
ThreatMetrix
Tel: 408-200-5716
Email: drampe@threatmetrix.com

Beth Kempton
Walker Sands Communications
Tel: 312.241.1178
Email: beth.kempton@walkersands.com

 

 

Three Ways to Change the Odds for Cybercriminals

Posted on October 28th, 2014 by Dan Rampe


If I tried to rob a bank, I’d probably be caught, no matter how carefully I plan. Once caught, I would certainly face prosecution and probably be found guilty. The criminal justice system is good at handling this type of crime. I’ll stick with my day job.

The story is not the same for the cybercriminals that defraud businesses and consumers of billions of dollars each year. For many years, cybercrime gangs have been getting away with their crimes. We’re just starting to turn the corner on prosecuting online fraud and crime.

For this closing week of National Cyber Security Awareness Month, let’s look at the current state of law enforcement and cybercrime – and what businesses of all sizes can do to improve their odds.

It’s a lopsided battle

The fight against cybercrime doesn’t seem like a fair fight.

On one side are the many cybercriminals around the world. Unlike individual bank robbers, who may have a few accomplices in one physical location, cybercriminals collaborate globally. They share exploits and stolen identities, and operate behind networks of compromised devices and spoofed identities.

Arrayed against these criminals are individuals, government agencies and businesses of all sizes. Unlike the cybercriminals, they tend to operate individually and openly. When individuals make a credit card purchase at a local retailer or take a photo on a smart phone, they may not even see the online transactions happening behind the scenes. They’re often not aware of the risk.

Businesses have an additional regulatory burden. They are accountable for protecting customer privacy and data, without always having the information necessary to do so. In the US, the Office of Foreign Assets Control (OFAC) prohibits business transactions with embargoed or restricted entities. Cybercriminals are particularly good at hiding behind spoofed IP addresses and proxies, making it look like they are somewhere they’re not. Businesses must make decisions based on imperfect information.

Law enforcement agencies are hampered by incomplete information and jurisdictional challenges, as cybercrime is truly global crime.

The situation seems grim, but we can change the outcomes. In the past year, law enforcement groups worldwide have collaborated with each other and businesses to put cybercriminals behind bars. For this trend to continue, businesses should take the following three steps.

1. Share information with others in your industry.

To even the odds, we have to join forces with each other. The financial industry already shares threat information, and the retail industry is following with the National Retail Federation’s Information Sharing and Analysis Center (ISAC).

Businesses of all kinds can join a network like the ThreatMetrix Global Trust Intelligence Network to share anonymous information about your site visitors, logins, and transactions with other businesses worldwide.

2. Take away the online hiding places.

For successful law enforcement and prosecution, businesses must be able to identify cybercriminals and create a chain of evidence. ThreatMetrix can help with this step. Using proxy piercing and device identification technologies, we can map online personas to the physical devices used in cybercrimes.

In 2012, London’s Metropolitan Police Central eCrime Unit (PCeU) arrested individuals and confiscated laptops responsible for a large phishing attack. Working with its customers, ThreatMetrix provided evidence that linked the confiscated laptop with the accounts that performed the phishing exploits. This data contributed to a chain of evidence that supported the eventual conviction of the individuals on multiple counts of fraud and possession of criminal property. The phishing gang is off the streets for many years.

3. Collaborate with law enforcement

Sometimes the best way to protect your customers is to get the criminals off the streets altogether. To do this, you need to build relationships with law enforcement. Law enforcement agencies are becoming more informed and collaborating across boundaries, but they need the help of affected businesses to make any progress.

In 2013, StubHub (part of eBay) discovered that a global ring of criminals was taking over legitimate customer accounts to fraudulently buy and sell tickets. Rather than simply writing off the losses and making the customers whole, the company also set out to prosecute. StubHub collaborated with law enforcement authorities around the world to shut down the operation. This past summer, six people were indicted in New York in connection with the fraud.

If every business took these three steps now, when National Cybercrime Awareness Month rolls around next October, we might be sharing more stories of successful prosecutions and fewer stories of successful exploits.


Significant Drop in Fraud Rates and Chargebacks When Organizations Implement ThreatMetrix Solution

Posted on October 23rd, 2014 by Dan Rampe


Survey Shows 100 Percent of E-Commerce Execs Using ThreatMetrix TrustDefender Cybercrime Protection Platform See Measurable Decrease in Fraud Rates and Chargebacks

Here they come — both the holidays and the cybercriminals who prey on consumers and retailers during the holidays.

According to the National Retail Federation, the 2014 holiday shopping season is expected to bring in $616.9 billion, representing approximately 19.2 percent of the retail industry’s total annual sales. And what could be more attractive to a cyberthief than a high volume of sales condensed into a very brief time period?

Ken Jochims, ThreatMetrix director of product marketing, observes:

“It’s critical that online merchants have a comprehensive solution to decrease fraud without impacting the customer experience, especially with so many customers flooding to e-commerce sites on Black Friday, Cyber Monday and throughout the holiday season,” said Ken Jochims, director of product marketing at ThreatMetrix. “By stopping suspicious account access and transactions, businesses can reduce the number of chargebacks and manual reviews resulting from fraudulent transactions.”

TechValidate survey shows ThreatMetrix gets results

The survey conducted with TechValidate clearly demonstrates that every e-commerce company (100 percent) using the ThreatMetrix TrustDefender Cybercrime Protection Platform reported a decrease in chargebacks. Fifty percent of respondents noted a 40 to 60 percent decrease in chargebacks. Three out of four companies indicated their fraud rates decreased by more than 20 percent. And fully one quarter of respondents saw a 60 to 80 percent decrease in fraud rates. Additionally, 35 percent of customers surveyed experienced more than a 40 percent reduction in manual reviews.

Jochims adds:

“E-commerce companies cannot afford to sit back and wait for their business to be hit with increased holiday fraud and then deal with it after the fact,” said Jochims. “The costs of paying for fraud – whether it’s card not present, account takeover or fraudulent account creation – far exceed the costs of preventative solutions that can stop cybercriminals at the front gates. However, solutions that add additional authentication steps for users and lead to lost sales due to shopping cart abandonment are less than ideal. Online retailers need to implement a solution that effectively stops fraudulent activity and flags suspicious activity for additional screening, all without changing the customer experience for trusted and returning users.”

No friction. No hassle for the customer

The survey also found that, while the ThreatMetrix TrustDefender Cybercrime Protection Platform dramatically improved its e-commerce customers’ fraud detection, 100 percent of respondents experienced no additional friction to their customer experience with almost 60 percent actually having improved their revenue from 5 to 25 percent.

E-commerce companies can’t be last-minute shoppers

Obviously e-commerce sites can’t wait till November or December to implement new security strategies. The time is now and ThreatMetrix has the solutions. ThreatMetrix’s TrustDefender Cybercrime Protection Platform is powered by the ThreatMetrix Global Trust Intelligence Network, which analyzes more than 850 million monthly transactions and combines device identification, threat assessments, identity and behavioral intelligence to accurately identify cybercriminals without creating friction for good users.


A New View of Most Major Breaches 2004 – 2014

Posted on October 22nd, 2014 by Dan Rampe

RAND Corporation Chart Offers Fresh Perspective Comparing Major Breaches Occurring So Frequently — JPMorgan Chase, Home Depot and MBIA Breaches — Were Not Included

News flash — all breaches are bad. Everybody knows that, but did you know… — to paraphrase (steal from?) a current Geico campaign — how bad major breaches were compared to each other?

The amount of data compromised and numbers of individuals affected are often so staggering they’re difficult to visualize. Just look at these numbers: JPMorgan Chase (76 million households and 7 million businesses exposed), Home Depot (56 million credit card holders exposed) and the Municipal Bond Insurance Association or MBIA (thousands of local governments, universities and companies and billions in taxpayer funds exposed). So, it’s unfortunate the RAND report could not have included these massive breaches as well. Still, the visual offers a fascinating new insight.

In her story on businessinsider.com, Natasha Bertrand discusses the RAND Corporation National Security Research Division report including the chart (Figure 6.2 — see page 55 of the PDF or page 36 of the hardcopy) comparing major breaches from AOL to Target.

In her story, Bertrand highlights some fascinating points about breaches. The following has been excerpted from her piece and edited to fit our format. You may find the full article by clicking on this link.

The best-known is not the worst

[The] chart shows, the biggest cyberattacks have not always been on the most high-profile companies. Social application site RockYou! is not particularly well-known, but it had a data breach that exposed over 32 million accounts. By comparison, a hack of the popular shoe website Zappos exposed just 24 million accounts.

Some big breaches are not “newsworthy”

And some of the biggest attacks have not always made for the most interesting, or newsworthy, hacking stories. Over 50 million Evernote users had their passwords stolen last year, but the attack was largely the result of users simply not having strong enough passwords.

What does the future portend?

According to the RAND report, experts disagree on the scale of future attacks. Some believe future hacks will be targeted and persistent, as they have been recently with photo-sharing apps such as iCloud and Snapsave.

Others foresee more opportunistic, mass “smash-and-grab” attacks, like the attack on Target last year when hackers stole 40 million credit card numbers from every one of the company’s 1,797 US stores.


Three Things Small Businesses Can Learn from High Profile Data Breaches

Posted on October 21st, 2014 by Dan Rampe


National Cyber Security Awareness Month started off with a bang this year – the news that a breach at JPMorgan Chase compromised accounts of 76 million households and 7 million small businesses. Leading up to National Cyber Security Awareness Month, another high profile data breach was disclosed – Home Depot confirmed that 56 million credit and debit cards were exposed in a recent breach in an attack on the company’s point of sale systems.

In line with this week’s National Cyber Security Awareness Month theme, “Cyber Security for Small and Medium-Sized Businesses and Entrepreneurs,” I’m going to focus here on the special challenges of smaller businesses when it comes to cybersecurity.

If you’re running a small or mid-sized business, or if you are an entrepreneur starting a new venture, this breach holds three important lessons:

  1. As a small or mid-sized business, you are not immune from data breaches.
  2. Your customers may be among those 76 million households or 56 million cardholders with compromised identities – a fraudster is likely trying to do business with you using a stolen identity.
  3. Small businesses are at a disadvantage, with fewer resources to build defenses or ride out the impact of a breach. And as Byron Acohido of ThirdCertainty points out on his guest blog for ThreatMetrix, the legal banking protections are different for small businesses than consumers, resulting in a greater risk exposure.

Let’s look at each of these issues in turn.

Small businesses are in the cross hairs

There is no such thing as a business that’s too small for cybercriminals. Many cybercriminals target smaller businesses precisely because they lack the resources of larger companies to keep systems patched and spot fraudulent access.

One thing we regularly see is that because large institutions are better prepared to deal with cybercriminals, the criminals turn to smaller organizations. I have seen dedicated malware configurations for credit unions as small as 500 members!

Further, how many businesses plan to remain under the radar? If you have a growing business or are a growth-hacking entrepreneur, you want the world to sit up and take notice of your business. You cannot possibly hide from the cybercriminals. In fact (and unfortunately), some businesses see their first cyber attack or breach as an early sign of business growth and recognition.

And even if you have a low profile today, you may be collateral damage in breaches of the larger organizations that you do business with. This is the case for the JPMorgan Chase small business customers.

Stolen identities are a growing problem

The latest breach added millions of stolen identities to the ones already available on black markets. Every stolen identity is a risk factor for your business, as attackers may spoof identities of legitimate customers to do business with you.

Identity spoofing is already a big and growing problem for businesses. Businesses in the ThreatMetrix® Global Trust Intelligence Network frequently detect and deter identity spoofing attacks in logins, new account creation and transactions.

We expect the trend to accelerate, particularly for account creation. The adoption of “chip and pin” credit card technology in 2015 in the U.S. will drive credit card fraud into new channels. Because counterfeiting a card is difficult, criminals will turn their focus to online channels and to gaining credit cards using stolen identities. This was one of the lessons learned when Europe moved to “chip and pin” in 2012.

Smaller businesses have fewer resources

If a financial giant with advanced security measures like JPMorgan Chase cannot protect its customers’ data, how can small businesses do the job with fewer resources? You may not have teams of people dedicated to security, but surviving the damage caused by a data breach has the potential to seriously derail your growth. In addition, new, fast-growing businesses often prioritize business success and revenue while placing fraud prevention on the back burner – and this is a big mistake.

The only way for small and mid-sized businesses – or fast-growing startups – to level the playing field is to collaborate on security. Be part of something larger by sharing threat intelligence and information with other businesses, large and small, around the globe. By participating in a network like the ThreatMetrix Global Trust Intelligence Network, which analyzes and protects more than 850 million monthly transactions, you can build trust into your customer transactions and other activities by placing them in a broader, worldwide context.

The strategic business value of trust

Security may seem like a defensive tactic or cost of doing business, but building trust is strategic. If you want your business to grow, you need customers to trust in their interactions with you and to trust you with their data. And to expand confidently beyond geographic borders, you need to trust that you can do business with overseas entities securely. At ThreatMetrix, our goal is to make that kind of online trust a reality.

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

 

Rebuilding Trust on the Internet: Fact or Fiction?

Posted on October 21st, 2014 by Dan Rampe

Tony Header

At ThreatMetrix® we’ve made it our mission to try and build greater trust in the internet and I think we’ve assembled a pretty decent set of products and capabilities to do just that. It’s no easy feat though. The UK now boasts one of the largest e-commerce markets on the planet, with Brits spending around £91 billion a year online. Government initiatives such as the UK Trade & Investment’s e-Exporting Programme, designed to help more UK firms sell overseas via the web, will boost the figure even further. Why does that matter? Because where there’s money, there’s opportunity for cyber criminals.

It’s no surprise that online fraud shot up over the past year and now sits at over £100m, according to Financial Fraud Action UK. The same industry body claimed that online banking fraud rose 71% over the same period. Scary stuff. But what can we do about it?

Know Fraud, No Fraud

Whether it’s account creation, log-ins or payment fraud, the bad guys often seem to have the jump on us. So it’s encouraging to see the industry take a more proactive approach to raising awareness around fraud prevention. Last week, the British Bankers’ Association (BBA) launched a major awareness drive – Know Fraud, No Fraud – designed to offer consumers best practice advice to help them spot suspicious behaviour.

It includes a handy eight-point list of “things your bank will never ask you to do”, in a bid to teach users how to spot phishing and other types of online fraud. It should go some way to helping and is certainly a step in the right direction.

However, banks and online businesses can’t rely on educating consumers alone. A YouGov poll commissioned by the BBA to highlight the problem found that four million UK consumers might transfer money into a supposedly “safe” account if instructed to do so by someone pretending to represent their bank. A further three million would carry out “test transactions” online if instructed – another trick scammers use to defraud consumers online.

The Fightback Begins

No, the most profitable businesses will take matters into their own hands, with a multifaceted approach to consumer security which will strike the right balance between usability and fraud protection. They will understand that some highly secure authentication processes can actually result in lost sales, as potential customers abandon carts due to slow or complex payment processes. They will also realise that in-house fraud prevention efforts simply can’t provide the visibility needed into global trends to keep the bad guys out with any degree of certainty.


Why Cyberinsurance?

Posted on October 16th, 2014 by Dan Rampe

Insurance

Home Depot, Michaels, eBay, Target, Neiman Marcus, Veterans Affairs, Sony, JPMorgan Chase. Or in a Word…Data Breaches.

Cyberinsurance is hotter than the Geico Gecko sunbathing on a rock in the Mojave at high noon. Too much? Anyway, the point is that in less than a decade corporations have gone from “What’s cyberinsurance?” to “Cost of doing business.”

In her extensive story on northjersey.com, The Record’s Joan Verdon explores the many aspects of cyberinsurance from cost to coverage. The following has been excerpted from her piece and edited to fit our format. You may find the complete, unedited version by clicking on this link.

What is cyberinsurance?

  • Cyberinsurance policies typically protect businesses from costs incurred through data breaches or shutdowns of computer systems.
  • In data breaches, the policies cover costs of investigating the breach, notifying affected parties, legal expenses and related fines.
  • Businesses are seeking coverage for both “first-party” risks, such as notification costs, and “third-party” risks, such as class-action lawsuits brought by credit card holders.
  • $200 million is the typical maximum for coverage, with several insurers “stacking” policies to add up to that amount, rather than one insurer taking on all of the risk. But some companies are starting to offer “catastrophic” cybercoverage for larger amounts.
  • Insurance companies require businesses to meet certain standards for data security and monitoring before they will provide coverage.

Up over 200 percent on cyberpolicies

[Robert Morris, president of Rampart Group insurance brokerage offers] “We’re up over 200 percent on cyberpolicies since last year, and it’s still growing rapidly.”

Bad news is good news for cyberinsurers

[News] that JPMorgan Chase, the financial giant with a reputation for investing heavily in data security, had been breached and that addresses and phone numbers connected to 83 million household and business accounts had been stolen reinforced fears that no one is safe from cyberattack.

News of the Chase breach came 11 months after Target, the nation’s second-largest retail chain, was hit by a holiday-season hacking that compromised some 40 million credit and debit cards. The total cost to Target of that attack is expected to top $1 billion. Home Depot, Neiman Marcus, [and] eBay, as well as smaller retailers, also have been breached.

Retail and bank breaches involving payment cards get the most publicity, but any place that handles confidential or financial information — hospitals, law offices, government agencies — [has] to worry about cyberleaks.

Ponemon Institute and PwC cybercrime numbers

[Ponemon observes that] cybercrime has cost a sampling of 59 U.S. companies an average $12.7 million this year, up roughly 10 percent from last year’s average of $11.6 million. This year’s average includes two companies that were each hit with more than $50 million in cyberattack costs.

The accounting firm PricewaterhouseCoopers reported in September that data breaches increased 48 percent this year, with 117,339 attacks occurring each day around the globe.

Cybercoverage plans vary with different businesses

American International Group, Chubb, Travelers and other large insurance carriers have rolled out corporate cybercoverage plans. Warren-based Chubb has developed a number of specialized cybersecurity products, including policies designed for health care organizations, lawyers and small businesses. Marsh, the insurance brokerage division of Marsh & McLennan Cos., last month announced it would provide catastrophic cyberattack coverage for large companies that want an additional $300 million in coverage above the first $100 million in costs, which the company would be expected to cover.

Rates all over the map

Experts say the costs of cyberinsurance vary greatly and depend on the number of records or amount of data a company collects and needs to protect. Panelists at the Black Hat and Def Con conventions in Las Vegas in August said standard rates are $20,000 to $25,000 for $1 million of coverage.

Tom Ridge, the first U.S. homeland security chief, said last week that his company, Ridge Insurance Solutions, was joining with the venerable Lloyd’s of London to offer cyberattack insurance. The Chase breach, Ridge said at an appearance in London reported by Bloomberg News, scared corporate executives around the world.

“Who would have thought that JPMorgan, with its security budget, could be hacked into,” Ridge said. “Now a lot of people are thinking, ‘If it could happen to them, it could happen to us, too.’ ”

How do cyberinsurers arrive at a pricing structure?

One problem insurers face, however, is knowing how to price a policy based on anticipated risk when information about the impact of cyberattacks is limited.

“The problem is there’s not enough actuarial data to tell us how many attacks there are going to be and what’s going to be the cost of the attack,” said Rampart Group’s Morris.

If a company comes to an insurer seeking fire insurance, Morris said, “they know what’s going to burn, within certain parameters because they have the statistics for hundreds of years. We don’t have that in cyber at all. Not even close.” That causes prices for policies to be “all over the place.”

Rampart Group brokered its first cyberinsurance some four or five years ago, Morris said. The policies, however, have become far more complex and sophisticated since then. Insurers now provide coverage packages that help a company notify customers of a breach, that provide forensic accounting services and credit-monitoring services and that pay for public relations or legal assistance.

Morris said Rampart Group itself pays for cyberinsurance coverage as part of its business insurance because it needs to protect itself if any confidential information on its customers is breached.

A cost of doing business

[HiTouch Business Services, an office products and services company,] has never had a breach, but the company has had cybercoverage since it was founded in 2010.

“We had a very small policy from Day One, and we’ve kept increasing it every year,” [said Michael Palmer, HiTouch’s CEO.]

Recently, HiTouch has seen that its larger business customers, who enter into contracts for large purchases or services, want to deal with vendors who have cyberinsurance. “Their legal departments are saying these are the insurances every vendor you have must carry,” Palmer said.

Cyberinsurance could improve security

Industry experts say the drive for cyberinsurance should help strengthen corporate cyberdefenses in the same way that insurance companies years ago led the push for uniform building codes and code enforcement to reduce fire and property liability risks.

What about coverage for consumers?

The growth in corporate cyberinsurance is causing some insurance companies to also look at cyberinsurance riders on personal life insurance or homeowners policies, coverage that would provide reimbursement in cases of identity theft, stolen information, or even lawsuits linked to social media misuse.

Morris said he is trying to develop a personal cyberinsurance policy to provide $500,000 to $1 million in coverage for a premium of about $200 a year. The coverage could protect someone who might be sued because of something a family member posted on social media or bring in digital-reputation repair experts if the policy owner is attacked on social media.


Massive MBIA Data Leak is “Tip of the Iceberg”

Posted on October 15th, 2014 by Dan Rampe

Byron

(NOTE: The following is used with the permission of Byron Acohido, a Pulitzer Prize-winning journalist and editor-in-chief for ThirdCertainty, an IDt911-sponsored online publication dedicated to helping individuals and companies assess risks and embrace best security practices. Acohido will be speaking at the ThreatMetrix Cybercrime Prevention Summit 2014, November 5 – 7.)

By Byron Acohido, ThirdCertainty

Hundreds of companies, local government agencies and universities—including two Ivy League schools—continue to expose sensitive financial, medical, academic, personal and other records to anyone who knows a few finer points about how to use Google or the Shodan search engine.

These organizations are all in the same boat as MBIA, the nation’s largest bond insurer, which has been scrambling to downplay the revelation that it has not taken very good care with customer accounts.

Ethical hacker Bryan Seely of Seattle-based Seely Security showed how MBIA has long been exposing details of municipal bond and investment management accounts in a way that made it easy for criminals to transfer funds from existing accounts into newly created ones they control. There’s no evidence any theft took place, only because the bad guys appear to have overlooked this freebie.

MBIA’s security lapse came to light in a story posted by security blogger Brian Krebs early last week. But that’s just the tip of the iceberg, Seely tells ThirdCertainty.

Seely has reviewed 25,000 Oracle web servers known to have a vulnerability that can be accessed if the web server owner fails to configure the Oracle server in the proper way.

“In the case of MBIA, it was not at risk because of a flaw in Oracle,” Seely says. “This was simply because the customer did not configure the server correctly when they deployed it, and it caused private banking records to be exposed to the Internet.”

8,000 exposed servers

Seely says he has identified more than 8,000 other servers that are similarly misconfigured and likewise exposing sensitive accounts on the open Internet. These are accounts that should be kept under lock and key.

Seely has been on a one-man campaign to notify organizations, and a few have listened to him. Among those who have heeded Seely’s heads up and locked down their misconfigured Oracle servers are:

  • Texas Department of Family Protective Services
  • Meridian Community College in Mississippi
  • University of Wisconsin
  • Purdue – Calumet Campus
  • Maryland Port Authority

MBIA initially gave Seely the cold shoulder, but took action after they received a phone call from Brian Krebs. Most organizations Seely has tried to alert assume he’s out to hustle them. “They think it’s a ransom attempt or a scam,” he says. “I’m not selling anything, and I’m not asking for money. If they want to hire me to help fix or find more problems, I would welcome it, but it is not a condition by any means.”


A one-time U.S. Marine, Seely is no slouch. He has worked as a network engineer at Microsoft and Avanade. Last February, he demonstrated a way to set up and record calls between unwitting citizens and the FBI and Secret Service—by hacking Google Maps. Billionaire Dallas Mavericks owner and Shark Tank TV personality Mark Cuban is a fan.

Last month Seely and fellow ethical hacker Ben Caudill proved LinkedIn does not do a robust job of protecting email addresses by using a low-tech hack to find and manipulate Cuban’s email address, and those of other celebrities.

That hack led to Cuban asking Seely and Caudill to check Cyber Dust, a privacy-centric chat messenger start-up backed by Cuban, for security soft spots.

Seely says it would have been trivial for criminals to steal from MBIA subsidiary Cutwater Asset Management—the company found to have the exposed accounts—but it appears MBIA and Cutwater dodged one big bullet.

MBIA dodged bullet — will others?

“It’s highly unlikely that criminals accessed MBIA’s data because the only thing at risk was the money,” Seely says. “If the money is there, then nothing has been stolen. There were not any Social Security numbers or PINs, but the ability to change or otherwise add and remove signers, additional bank accounts and such. It would have been all too easy to take money from accounts in small or large amounts prior to discovery.”

Cutwater’s server was misconfigured to expose countless account numbers, balances and forms in such a way that the records were being indexed by Google and Shodan, a search engine that looks for specific types of routers and servers connected to the Internet.

Seely personally was able to use Google and Shodan to directly access individual financial accounts, account balances, participant profiles, lists of names, addresses, email addresses, and phone numbers of authorized account users.

“If you needed to add someone, you could just fill out a form and email it,” he says.

Now that the cat is out of the bag, you can bet the attention of organized cyber gangs has been directed to this low-hanging fruit. Companies using misconfigured Oracle servers who are slow to address this exposure are at risk of paying a high price. The two Ivy League schools Seely found to be exposed have not yet fixed the problem, he says.


Internet of Things – A Consumer Dream or Cybersecurity Nightmare?

Posted on October 14th, 2014 by Dan Rampe

Andreas

Don’t look now, but your life is more online and connected today than it was last year – and the trend is accelerating.

Late last year, we predicted that risks associated with the Internet of Things (IoT) and critical infrastructure would be two emerging cybercrime trends this year. (See our 2014 predictions blog.) These topics are the theme of this third week of the National Cyber Security Awareness Month, “Critical Infrastructure and the Internet of Things.”

IoT and Critical Infrastructure are two sides of the same coin

This year has seen a burst of innovation in the Internet of Things. Intel is getting into the wearable technology field, while the Consumer Electronics Show was filled with wearable devices such as heart monitors, sensor-equipped golf gloves and networked pet collars. Other devices already on the market are gaining traction, from cars that email us when they need service to health monitors that publish our glucose levels. The possibilities are endless and so are the products that come to market quickly.

When it ships early next year, the Apple Watch will no doubt expand the wearable technology market beyond the earliest adopters to the broader Apple faithful.

Even if you’re not using these technologies, you are part of a connected world through the public infrastructure around you. Wireless cameras and embedded sensors permeate public facilities and transportation hubs. We all depend on power grids and water delivery systems (also known as critical infrastructure) that are controlled by networked devices. In the near future, drones may zoom around us on city streets.

The increasing connectivity of the world poses a growing cybersecurity threat that we are not securing well. For consumer technologies, personal privacy is often at risk. The public safety risks are higher for critical infrastructure.

All these devices are Internet enabled, but remember: they run software. They run the very same software that is being attacked on a daily basis for high-risk applications such as online banking. The only difference is that they cannot be updated, and this has the potential to make them a lethal target.

Point of Sales Systems – The Canary in the Coal Mine

Lest you think I’m being alarmist, let’s consider one of the earliest entrants in the Internet of Things – Point of Sale (POS) systems. You see them everywhere – devices such as cash registers and credit card readers use POS to take payments at retail stores.

You would think that POS systems would be secure, for several reasons.

  • They’ve been around for a while, so we’ve had time to figure out how to make them safe.
  • They handle financial transactions, therefore we are extra motivated to keep them secure.
  • They are locked down and run in dedicated networks.

Yet POS exploits were responsible for two of the largest data breaches in the past year – the Target and the Home Depot breaches.

If we cannot manage to protect those network-attached devices that we know are targeted by thieves, how much better will we be at protecting the various technologies we’re embedding in our personal lives? Or the devices controlling critical infrastructure? Even our highway signs have been hacked. (See http://www.threatmetrix.com/a-sign-of-the-times-hacking-signs-electronic-road-sign-hackers-reveal-a-downside-to-the-internet-of-things/)

A roadmap to a more secure connected world

We can address these risks, but only with concerted and collaborative efforts. My recommendations for connected devices are as follows:

  1. Think twice about what goes on public networks. Network segmentation and isolation are critical, particularly for critical infrastructure.
  2. Strengthen authentication to these devices and the systems that manage them. Logins continue to be the weakest point in most systems. We’re reaching a point at which it is irresponsible to protect critical systems with passwords alone. Use multiple authentication factors or context-based authentication to reduce risk of stolen identities and unauthorized access.
  3. Look for anomalies at all levels, including patterns that represent known threats or never-before-seen patterns that may indicate an emerging threat.
  4. Provide a mechanism to securely update these devices. In order to do so, many of the previous points need to be considered.

To put these strategies in place, we must exchange and share threat information at both the business and government level. The federal government is committed to sharing information with the private sector related to critical infrastructure. (See Executive Order 13636)

For businesses that handle personal or consumer-based products, sharing information must be balanced with protecting consumer privacy. As the data collected about us from devices continues to grow, privacy will be more important than ever before. That’s why we’ve built data anonymization and encryption into the ThreatMetrix® Global Trust Intelligence Network.

As new technologies continue to reshape our future at a rapid pace, we have to act quickly to make sure that the future we’re building is secure and private, not dystopian.
