Posts Tagged ‘cybercrime’

Credit Card Fraud: Why the Payment Card Industry (PCI) Fails Consumers

Wednesday, February 12th, 2014

A reporter asked me last week whether I think the PCI Standards have completely failed consumers and been proven useless — because of the recent breaches — and so should “Rest in Peace.” For those who don’t know about the PCI (Payment Card Industry), they have a “Security Standards Council” that mandates security to every company taking credit or debit cards in the U.S. (at least from all major banks). In order to accept cards, a business must be “PCI compliant.”  The question is, how far do their standards go in terms of protecting us consumers? Some argue that PCI compliance is an unhelpful distraction.


ATM with malware on it. Really!

But before we decide if their requirements are tough enough, let’s consider whether the rules are useful at all. This is an easier question to answer, because anyone in the security field prefers some security to no security. We tend to be in favor of anything that gets people thinking about it. We are also big fans of education, because people’s “security posture” (what they are doing about security as a consumer or a company) usually improves as they learn more about cybercrime and how challenged all of us in cybersecurity are to stop it.

When PCI standards were first implemented, it surely forced a lot of businesses to beef up their security. And that’s good, because too often security is neglected. Although it is essential, security is in competition with other business objectives, because it costs money and it doesn’t add profit. It only prevents loss, and that’s a pretty ambiguous benefit sometimes.

(more…)

Has Target Done Enough?

Saturday, February 1st, 2014

My favorite analogy in security is the one which describes each internet defense as a slice of swiss cheese: they all have their holes (weaknesses).  The idea – if we want the best security – is to stack them all up on top of one another and hope the holes don’t line up.  Because if they do – meaning, if any of the inevitable weaknesses in software or hardware align so that there is an opening for strangers to enter – that represents the tunnel through which cybercriminals crawl into our home computer or business network.

What the average citizen may not realize is that in some ways he or she is no different than Target.  Cybercriminals are coming after all of us.  And based on the infection rates of personal computers and mobile devices, a large number of Target’s potential victims have been personally compromised at home already.  So what are customers in such a huff about?  (more…)

The Most Important Things to Know About Internet Safety While Traveling

Saturday, November 23rd, 2013

My cousin is on his way to Germany for a week and asked for some advice on being “cyber safe” while there. In other words, how can he stay connected with people and email but not become a victim of malicious software? Here are a few tips:

– Assume that every public computer everywhere – whether at an airport, cybercafé or the hotel business center – is infected with malware and will record your every keystroke. For this reason it’s best to avoid using public computers if you can. That said, googling “the word for hospital in Arabic” or “toxicity of tarantulas” is pretty harmless. Bouncing over to check gmail, on the other hand, can be a huge mistake, particularly if you use your gmail password anywhere else (because once a password/user name combination is discovered by criminals, it can be easily and automatically plugged into thousands of other websites to see if it works), or if you use gmail to receive account statements, internet orders or banking validation codes. Once cybercriminals hack your account, they will sift through emails seeking these things.
– If your kids like to play computer games, and they use the PCs at the hotel to do it, remind them as well: it’s best not to check or send personal email from those machines. If they insist on doing so, at least remind them to be sure to log out when they are finished.
– Before you leave the US, consider setting new passwords for sites you will be using and then change them again when you return. (more…)

Internet Safety While Traveling – Deeper Dive

Saturday, November 23rd, 2013

A “man in the middle” or MIM attack is not particularly difficult to pull off, and it represents one of the biggest cyber security threats we face when we are traveling – or in fact, any time we consider using an unknown wireless network.

Here’s how it works: it’s rather easy to find software which will monitor or “sniff” network traffic.  It’s even easier to set up a wireless network – for example, like many business travelers these days, I carry a portable wireless hub in my purse. If the intent is to trick other people into using it, all that’s left is giving it a name which sounds legit like, “Marriott SecureWifi”. These can even be set up as far as 15 miles away from the wifi area.

As people try to connect to the criminally controlled network, the cybercriminal allows them to do so (using the same password as the real network, or no password at all). Then the cybercriminal becomes the “man in the middle” (MIM). Sample scenario (there’s a more detailed example of a MIM in my book):
1. You ask for the gmail page in your browser and type in your gmail password.
2. The MIM intercepts your request and provides you a fake gmail login page (which looks pixel by pixel exactly like the legitimate one, including “https/gmail” in the browser, which indicates that it is securely linked to the gmail server).
3. The MIM sends your password to Google.
4. Google assumes it’s talking to you, and opens your gmail.
5. The MIM passes the gmail back to you and continues passing requests and information back and forth until your session is done.
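The relay described in the five steps above works because nothing ties the page the traveler receives to the real server. The following is an added example, not code from the original post, that models the exchange in miniature: a client and a server agree on a session key, with a rogue hotspot optionally in the middle running one handshake with each side and forwarding the server’s authentication tag unchanged. The Diffie-Hellman group is a deliberately tiny toy, and an HMAC under a key only the genuine server and the client hold stands in for the certificate signature a real TLS server presents; `run_handshake`, `SERVER_AUTH_KEY` and the other names are constructed for this illustration. When the client skips the check, the relay reads everything, exactly as in the scenario; when the client checks the tag, the forwarded one covers the wrong transcript and the handshake is refused. That refusal is what a browser’s certificate warning on a hotel network means.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this example only. A 127-bit
# Mersenne prime is far too small for real use; it keeps the arithmetic readable.
P = 2**127 - 1
G = 3

# Stand-in for the legitimate server's certificate key together with the trust
# the browser has in it: known to the real server and the client, never to the
# rogue hotspot. Generated fresh per run; constructed for the example.
SERVER_AUTH_KEY = secrets.token_bytes(32)


def dh_keypair():
    """Return (private exponent, public share) in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a 32-byte session key from the Diffie-Hellman shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def transcript(client_pub, server_pub):
    """The two public shares as one side saw them, in order."""
    return client_pub.to_bytes(16, "big") + server_pub.to_bytes(16, "big")


def server_respond(client_pub):
    """Legitimate server: pick a share and authenticate the full transcript."""
    priv, pub = dh_keypair()
    tag = hmac.new(SERVER_AUTH_KEY, transcript(client_pub, pub), "sha256").digest()
    return pub, tag, session_key(priv, client_pub)


def client_checks_server(client_pub, server_pub_seen, tag):
    """Client side of the check a browser's certificate validation performs."""
    expected = hmac.new(SERVER_AUTH_KEY, transcript(client_pub, server_pub_seen), "sha256").digest()
    return hmac.compare_digest(expected, tag)


def run_handshake(mitm, verify_server):
    """Run one handshake and report who ended up able to read the session.

    mitm=True puts a rogue hotspot between client and server: it answers the
    client with its own share and opens a second, separate handshake to the
    real server, relaying the server's authentication tag unchanged.
    verify_server=True makes the client check that tag before trusting the key.
    """
    c_priv, c_pub = dh_keypair()
    m_key_client = m_key_server = None

    if not mitm:
        s_pub, tag, s_key = server_respond(c_pub)
        pub_seen_by_client = s_pub
    else:
        m_priv_c, m_pub_c = dh_keypair()              # share the relay offers the client
        m_priv_s, m_pub_s = dh_keypair()              # share the relay offers the server
        s_pub, tag, s_key = server_respond(m_pub_s)   # server authenticates (m_pub_s, s_pub)
        m_key_server = session_key(m_priv_s, s_pub)
        m_key_client = session_key(m_priv_c, c_pub)
        pub_seen_by_client = m_pub_c                  # tag relayed, but it covers the other transcript

    c_key = session_key(c_priv, pub_seen_by_client)
    detected = verify_server and not client_checks_server(c_pub, pub_seen_by_client, tag)

    return {
        "detected": detected,                          # client refused to proceed
        "client_server_agree": c_key == s_key,         # an end-to-end key exists
        "mitm_reads_client": m_key_client == c_key,    # relay holds the client's key
        "mitm_reads_server": m_key_server == s_key,    # relay holds the server's key
    }


if __name__ == "__main__":
    for mitm, verify in [(False, True), (True, False), (True, True)]:
        print(f"mitm={mitm!s:5} verify={verify!s:5} -> {run_handshake(mitm, verify)}")
```

Running it prints three rows: a direct connection where client and server agree on a key; the relayed, unverified connection where the two ends hold different keys and the hotspot holds both; and the relayed connection with verification, where the client detects the mismatch and stops before any password is typed.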

(more…)

Why We Should All Pay for Smartphone Apps

Saturday, August 24th, 2013

Suppose Josephine and Rick have built the most incredible smartphone application ever.  They offer it up to the market for a few dollars, and next thing we know they are millionaires.  Their customers not only love the app, but they also appreciate not being deluged by incessant banner ads or pop-ups.   Jo and Rick didn’t have to bring in on-line advertisers because their profit model was simple: sell the app itself to make money.   


But not all developers are as lucky.  Steve and Sue can’t get anyone to pay attention to their app, and darn, they spent all their money creating it.  So they will have to figure out another way to earn their money back.  The most popular way to do this is to get paid when users view ads.  Steve and Sue decide to make their app available for free, and advertisers pay Steve and Sue to place ads alongside the application.  These ads change dynamically just as they would at a (more…)

When Your 401K Gets Hacked

Monday, March 11th, 2013

When Bill Foster’s 401K account was emptied and he lost over $40,000 he did what a lot of us might do: he sued the company managing his funds.  But the verdict was rendered a few months ago: the company is not responsible.  It’s his fault since he failed to file a change of address, and someone else used the information she received (by snail mail, at his old address) for accessing his account.

In another case in 2007 a man lost $179,000.  He was hacked by a cybercriminal, but it was also concluded there was no liability on the part of the fund company.  Fortunately for him, investigators were able to recover the funds before they were wired out of the country.  Unfortunately for the rest of us, cybercriminals are much smarter today than they were in 2007.

In the first instance, Bill had moved out of his home a few months before the 401K fund managers sent a letter to his home with details on how to access his accounts.  His estranged (soon to be ex) wife opened the letter and used his Social Security number to reset his password and receive a new pin.  Bill only discovered she had drained his account the following year.  Although clearly his ex-wife’s actions were fraudulent, Bill is considered liable (more…)

Zombies Attack Montana! (US Emergency Alert System Gets Hacked)

Tuesday, February 19th, 2013

Imagine their surprise: a week ago, while Montana residents were innocently engrossed in the show Teen Cheaters Take Lie Detector Tests, they were abruptly interrupted by a broadcast of the Emergency Alert System.  The station was muted as the following voice-over message was recited by a somber-sounding fellow:

“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages onscreen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”

Meanwhile, a list of the affected counties scrolled across the screen.  Naturally, this worried a few folks.  Many called their local police. (more…)

The Pitch for Paying Attention to Internet Safety

Sunday, September 30th, 2012

I’ve been busy this month giving webinars on cybercrime for my day job at Kaspersky.  Here’s a link to the latest one.  It is called “Top Cybercrime Threats 2012” and it also promised “10 tips to better internet security”.

But it could have been “Twenty Tips”.  Or even “Thirty”.  Because there are at least this many small things we could do to be more secure.  However, people don’t have infinite amounts of time to watch webinars, even if it’s about their own security.  So I’ll continue to work on slicing and dicing the information into small, consumable chunks for the non-security geeks in the world.

Here are two fun facts I want to share:


*  in the year 2000, there were 316 million people on the internet worldwide

*  in the year 2011, there were 2.3 billion

Stunning change in just a decade, isn’t it?  Never have so many people become connected and enabled so fast.  And with so much money continuing to fund this growth – high-tech as a whole, plus all the charities we support – it shows no sign of slowing down.  So how long will it be until 70% of the world is connected?


(more…)

Against my better judgment…a Hacktivist cause I like!

Tuesday, August 21st, 2012

Why is it that we need only make the most innocent of unequivocal statements and suddenly things pop up everywhere to prove us wrong?

Last week I gave a presentation to a partner of ours.  I was discussing the state of cybercrime and some of the most urgent threats.  On the subject of Hacktivism I said, “these guys are the unruly mob of the internet.  The problem is, their attacks aren’t based on any consistent principle – any bored hacker can jump in and join the fun – so if you are working with clients who are on the shadier side of what is politically correct, Hacktivists (hackers for a cause) are a concern.”

Besides the fact that what they do is illegal, at least some Hacktivists seem to demonstrate a naïve perspective on complex issues (for example, I don’t think it’s reasonable to expect paypal or ebay to have a conscience).  So I have to admit I’ve not been much on their side.  But this weekend I read an article in Security Week about an attack I agree with.  It’s about Anonymous (probably the most well-known Hacktivist group) breaking into the Ugandan government’s main web server and posting a fake press release.  Who knew Anonymous had such a sense of humor?

Right now Uganda has legislation on the table which mandates death for all homosexuals.  Really.  So Anonymous (more…)

Writing Down Website Passwords versus Old-School Rules

Saturday, June 9th, 2012

There is an awful rule of basic password management which actually works counter to good security.  Yet it continues to be suggested by even the top security organizations in the world.  The rule is this: don’t write down your passwords.

There are lots of problems with this idea.  Not the least of which is the fact that if we make our passwords so easy to remember that we don’t have to write them down, well, they may well be too easy.  Or, if we decide to make it simple and use the same password for everything, that means all our banking accounts could be compromised the minute someone breaks into our gun club registry or recipe-swapping website.  And one glaring reality this rule hasn’t kept pace with is that these days we need way too many passwords: one person can easily visit 15 different sites in a few hours – all of which require passwords.

I like to write them on my mirror.

So why the dumb rule?

In their defense, this was accepted wisdom twenty years ago for two reasons.  Back then there was only one password that mattered: the one to get onto your computer.  Naturally you didn’t want that password to be in the same place as the system!  And apparently in those days people weren’t clever enough to write down passwords anywhere except on sticky notes attached to the computer.  (Duh!  At least put it in your shoe!)

More importantly – reason #2 – in those days what we worried about most of all was what we call “internal threats”.  That is, we worried about other people at our place of business gaining unauthorized access to the computer or the network. (more…)