[metaslider id=2951] … Read More
‘Frighteningly Easy’ Hack Guesses Full Credit Card Details In 6 Seconds
From Dark Reading – Jai Vijayan
Attack works only on Visa network, Newcastle University researchers say.
Researchers at the UK’s Newcastle University have developed what they say is an almost absurdly easy way to get the card number, security code, and expiration date of any Visa credit or debit card using nothing but guesswork — six seconds flat.
Their so-called Distributed Guess Attack, which is detailed in a paper published this week in the IEE Security & Privacy Journal, essentially circumvents all security features for protecting online payments.
The researchers believe it is likely the same tactic that attackers recently used in stealing a total of £2.5m from about 20,000 customers of Tesco Bank.
The attack takes advantage of two factors in the payment card ecosystem. One is the manner in which different online merchants request different types of information for processing a debit or credit card payment.
All merchants at a minimum require the card number or Primary Account Number (PAN) and expiry date. In addition, some merchants also ask for the card verification value (CVV), the three-digit security code on the back of each card. Some also ask for the cardholder’s address in addition to the other three fields.
The attack also exploits the fact that in many cases there is no mechanism currently in place to detect multiple invalid payment requests that are being made on the same card from different online merchant sites. That makes it possible for someone to take an unlimited number of cracks at guessing a card’s CVV or an expiration date by spreading the guesses across multiple sites.
These two factors together create a scenario where an attacker can obtain full card details one field at a time by automatically generating and verifying different combinations. The process takes as little as six seconds to generate complete information for a card, the researchers claim.
“The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time,” said Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science, in a statement.
The guessing attack worked only on Visa’s network. MasterCard’s network – the only other network that the researchers tested – quickly detected the guessing in even across different networks.
To verify the attack, the researchers used their own cards and ran a website bot and an automated script against 400 top merchant sites to see if they could guess their own Visa card details.
For the paper, the researchers began with the PAN for each of their cards and tried to see if they could guess the CVV, expiration date, and address associated with each. The attack works even when the PAN number is not available.
With a valid PAN, all that an attacker has to do to guess the expiration date is to look for merchant sites that require only the card number and expiry date field. Because most cards are valid for five years, an attacker needs only 60 attempts spread across multiple merchant websites to guess expiration month and year. With the expiration date on hand, it takes less than 1,000 attempts to get the 3-digit CVV again by spreading the guesses over multiple sites.
As a result, with as few as 1.060 automated guesses, it becomes possible for an attacker to get the CVV and expiry date on any card. At the same time, if all merchants required cardholders to input the same three fields—the PAN, CVV, and expiration date, it would take as many as 60,000 attempts to get each field, the researchers said in their paper. If you become a victim of credit card theft, get help immediately.
The 3 Biggest Mistakes in CyberSecurity
August 23, 2016 – Chris Moschovitis – Information Management
Everyone, from the small business owner, to senior executives in businesses of every shape and size are confronting a seemingly insurmountable problem: Constant and rising cyber security breaches. It seems no matter what we do, there is always someone that was hacked, a new vulnerability exploited, and millions of dollars lost.
In an effort to stem the tide people have tried everything: From throwing money at it by buying the latest and greatest tech gizmos promising security, to outsourcing cyber security management, to handing it over to the IT folks to deal with it. And, every time the result is money lost, productivity decreased, and the attacks continue.
Many business people complain that we’re not just losing a battle here and there. We’re losing the war. Is that true?
The truth is that those that keep losing their cyber battles and risk losing the war are making three critical mistakes:
1. They think cyber security is a technology problem.
2. They follow a cyber security check list once-and-done.
3. They don’t have a cyber security awareness training program in place.
First, cyber security is not a technology problem. Far from it. It is a business-critical problem, and more importantly: It’s a people problem, and we need to address it at that level.
Second, cyber security is a constantly evolving battlefield. The threats evolve, the attacks take new paths, the underlying technologies change. A static check list solves yesterday’s problems, not today’s, and certainly not tomorrow’s.
Finally, if people don’t understand the threat they will not even see the attack coming, much less be able to respond and protect themselves. Cyber security awareness training is the only way to prepare everyone for the new reality we live and work in.
Cyber security is not an IT problem either, according to Prosyn. It is a risk management problem. This is easier to understand in your work and in a regulated industry. Therefore, the concept, language, even governance of risk management is part of the daily lexicon. This is why it’s so important that you understand how to respond to risk as well as being aware of what the risks may be before they occur.
Not so with small and mid-market businesses less familiar with the risk management function. It doesn’t help that the very nature of the threat and the way the “payload” of the attack is delivered is via information technologies. It almost makes sense to have IT deal with cyber security. But the victims are not the computers. The victims are the businesses and their people.
More importantly: A company’s Information Technology generates Value. It does so through myriad different ways depending on the business you are in, from the actual delivery of goods to clients (e.g. software businesses, data businesses, media, and technology businesses, etc.) to complementing, enhancing, and realizing the mission and vision of the company (law firms, manufacturing, logistics, healthcare, etc.) Owing to these security breach issues, many businesses tend to opt for services of reliable service providers like Privacera (https://privacera.com/products/centralized-access-control/) and similar others. By having centralized and secure access to all the data of the business, they are most likely to be not affected by cybercrime.
That said, externally sourced IT management could do a better job at regulating data security as well as other IT-based functions. As they are professionals in the field, software facility management may be leveled and managed properly. Besides, the risk involved in such functions may be taken up by the IT outsourcing company, which means that external threats may be mitigated without client company involvement.
Cyber security, like all risk management, is there to protect value. Therefore, you can never have cyber security (the value protector) report to IT (the value creator). That creates a conflict of interest. Just like IT reports directly to the CEO, so must cyber security. They are parallel tracks keeping the business train aligned and moving.
Once you have the reporting structure correctly in place, you need to empower it with executive buy-in and engagement. Cyber security needs your direction on company goals and risk appetite so they can develop the right strategy to protect the company’s assets. Cyber security professionals, working with the board and executives, including IT and business units, will develop the right defense-in-depth strategy that is right for the company.
Cybersecurity is a crucial component of a defensive strategy for businesses that operate online, like e-commerce stores. It is likely that you will need to protect your website or mobile application from cyber threats if you operate such a store. In order to accomplish this, you may need to develop a strong security system to protect customer data and transactions. In the event that you do not have enough funds, you can consult with companies that provide ecommerce financing options to fund your cybersecurity development.
Cyber security doesn’t happen in isolation. It is not a set check list. It is dynamic, adjusting strategy to risk, asset value, and controls. As market conditions change, as company goals change, and as technology changes, so will the cyber security strategy.
Neither structure nor strategy will help if you ignore the most important element in cyber security: People. In 2016 ISACA published the top three cybersecurity threats facing organizations in that year. They were, in order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent Threats.
Excluding the advanced persistent threats typically targeted against large multinationals, governments, military, infrastructure and the like, the other two have one common element: People.
It is people that become the victims of cyber-attacks, and by extension, the businesses they work in or do business with. Be it through social engineering, extortion, or any of the many vulnerabilities that hackers can exploit, it is people that get compromised first. They are the ones that have to pick up the pieces when all the data is gone or when their identity is stolen.
The good news is that cyber security awareness training is one of the most effective controls against hackers. Training and sensitizing people to the threats, the methods used, vulnerabilities, even their own personal privacy risks, has been proven time and again as the one thing that makes a real difference in early detection, quick response and recovery during a cyber-attack. Having a quarterly lunch-and-learn will go a long way in developing a culture of cyber awareness, saving both your business and your employees from cyber-harm.
Avoiding these three mistakes in cyber security won’t help win every single battle. But it will guarantee you win the war.
Average cost of a data breach up 12.5 percent among Canadian Firms
IT World Canada – Howard Solomon
Canadian CISOs who want more hard data to convince the C-suite and boards to devote more resources to cybersecurity have a new report to show.
If a study of 24 Canadian organizations is accurate, the total cost over a recent 12 month period of a breach of over 1,000 records went up 12.5 per cent compared to 2014 to just over $6 million.
Another way of looking at it is the average cost per record stolen or lost went up 10.6 per cent to $278 compared to the same period the year before.
These numbers come from a study released last week by the Ponemon Institute that was funded by IBM. The costs were based upon estimates provided by participating victim organizations.
The report is part of an annual global study of breaches in 13 countries (United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates, Saudi Arabia, Canada and, for the first time, South Africa), which last year covered 383 organizations. The average cost of a breach across all those firms was US$4 million.
Importantly, the study included the cost of losing customers: Of the Canadian companies studied, for those that lost less than one per cent of their existing customers the average total cost of a breach was $4.77 million, well below the global averae of $6.03 million. When companies had a churn rate of greater than 4 per cent, the average cost was $7.88 million.
There are two cautions: First, Ponemon admits that 24 firms is a small sample for this country, and second, only organizations that suffered a breach of between 1,000 and 100,000 lost or stolen records in 2015 were counted – meaning Ashley Madison isn’t there. That way catastrophic incidents don’t skew the results.
The number of Canadian breached records per incident in the study period ranged from 4,800 to 70,998 and the average number of breached records was 21,200.
“Over the many years studying the data breach experience of more than 2,000 organizations in every industry, we see that data breaches are now a consistent ‘cost of doing business’ in the cybercrime era,” said institute head Larry Ponemon. “The evidence shows that this is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies.”
The report has other interesting numbers:
–It took more than five months to detect that an incident occurred and almost two months to contain the incident;
–54 per cent of the Canadian data breaches studied were caused by malicious or criminal attacks, 25 per cent were caused by human error and 21 per cent by system glitches. Companies that experienced malicious attacks had a per capita data breach cost of $304, which is above the average for all organizations studied. In contrast, companies that experienced system glitches ($250) or employee negligence ($246) had per capita costs below the mean value;
–The more records lost, the higher the cost of the data breach. The cost ranged from $3.59 million for data breaches involving 10,000 or fewer lost or stolen records to $6.88 million for the loss or theft of more than 50,000 records;
–Notification costs increased. These costs include IT activities associated with creation of contract databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures and inbound communication set-up. The average cost increased from $0.12 million in 2015 to $0.18 million in 2016;
–Lost business costs increased. This cost category typically includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. Among all the 383 companies studied these costs increased from an average US$1.99 million in 2015 to US$2.24 million in 2016 — that’s of the overall $4 million average cost.
“The biggest financial consequence to organizations that experienced a data breach is lost business,” says the report.
Both direct and indirect per capita costs increased significantly. The indirect cost of data breach includes costs related to the amount of time, effort and other organizational resources spent to resolve the breach. In contrast, direct costs are the actual expense incurred to accomplish a given activity such as purchasing technology or hiring a consultant.
Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.
Ransomware poses complex legal and reputational risks
Brent Arnold and Christopher Oats Contributed to The Globe and Mail
As businesses and public institutions increasingly become the targets of ransomware – malware that blocks access to computer systems or the information they contain until the user performs actions demanded by hackers – legal risks surrounding such headline-making attacks have come to the fore in Canadian corporate consciousness.
A January report by the Online Trust Alliance reveals that ransomware attacks aimed at companies are not only growing more prevalent, but they are also becoming more sophisticated. Today’s hackers can custom tailor their demands according to the size and market value of their corporate mark. Making matters worse, last month Apple’s iOS operating system was infected with ransomware for the first time.
Ransomware typically gains access to a computer system when a user clicks on unfamiliar links or strange attachments (although a growing number of programs are infecting computers via the download of ostensibly legitimate applications). In its most benign form, an infection could force employees to complete a survey; at its most malignant, it has strong-armed companies into paying actual ransoms (typically in the nationless and virtually untraceable currency of bitcoin).
Businesses that fail to comply face the destruction of client and proprietary data, and intellectual property – not to mention sustaining significant reputational damage and exposure to third-party lawsuits from clients and consumers (and there is never any guarantee that meeting hackers’ demands will result in computers or data being unlocked).
Despite this growing threat, legal recourses for ransomware victims are slim. The activity is, of course, illegal and should be immediately reported to police (the RCMP also suggests reporting to the Canadian Anti-Fraud Centre). But despite the fact that such attacks have been reported for more than a decade, there are no documented cases of ransomware perpetrators ever having been prosecuted in Canada.
Given the often remote nature of the crime (the few attacks that have been successfully traced typically come from foreign countries), criminal and civil remedies may be unlikely to succeed. In the rare event that a cybercriminal is identified, civil proceedings against foreign nationals are most likely to result in default judgments that are difficult if not impossible to collect on.
While cybercriminals frequently avoid prosecution, their corporate victims may find themselves in the legal spotlight. Recent amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) will soon require companies subject to PIPEDA to alert the federal privacy commissioner, affected individuals and relevant organizations or government institutions following a breach of security safeguards that “creates a real risk of significant harm to the individual.” This can include risk of economic loss by the person whose personal information is subject to the breach, as well as potential reputational harms.
While reporting obligations provide an important consumer protection and will be a legal necessity in certain cases (companies that fail to report where required by PIPEDA may be subject to fines of up to $100,000), they are nonetheless problematic for businesses – particularly those for whom data security is a critical component of their brand identity. Recent hacks have shaken consumer and shareholder confidence and resulted in both significant disruption for targeted businesses and resignations by top executives.
All indicators suggest ransomware will only become more vicious and prevalent in the foreseeable future. With added reporting pressure looming on the horizon, companies that fall prey may soon find themselves facing complex legal and reputational risks.
Big data analytics a useful security tool, says analyst
By Warwick Ashford – Security Editor – ComputerWeekely.com
The majority of companies using big data security analytics report a high business benefit, according to the Business Application Research Center
While data analytics from places like KNIME are already helping businesses to make sense of their data and use it to inform decisions within the company, big data analytics is a useful tool for enabling organisations to become more resilient in the face of increasing cyber attacks, according to a software market analyst and IT consultant.
“A recent survey found that 53% of organisations that are using big data security analytics report a ‘high’ business benefit,” said Carsten Bange, founder and managing director of the Business Application Research Center (Barc).
“The survey also found that 41% reported a ‘moderate’ benefit and only 6% said benefit was ‘low’, so there is fairly strong evidence of the business benefits of big data security analytics, ” he told Computer Weekly.
While adoption across the board is still relatively low, more than two-thirds of the more advanced companies surveyed are adopting advanced big data security analytics technologies, such as user behaviour analytics, the Barc survey revealed. For example, Splunk Technology is one of the leading big data analytics companies that is getting adopted by many companies. Hiring splunk professional services to implement and leverage the tools has become common in big organizations.
The more advanced companies, which classified themselves as having “much better” skills and competency in security analytics than their companies, represented 13% of the total sample, with 68% saying they have deployed user behaviour analytics.
“Of the 87% who did not consider themselves to be in the more advanced group, only 27% have deployed user behaviour analytics,” said Bange.
User behaviour analytics can help improve an organisation’s cyber security resilience, he said, by tracking user behaviour across all IT systems, for example, to identify whenever there are significant deviations from normal behaviour to warn of potential malicious activity.
“There is nothing new in being able to identify patterns of behaviour – most of the analysis techniques are 30 to 40 years old – but now we are able to apply them to extremely large data sets across multiple information technology systems,” said Bange.
“Organisations need to know there is now the technology to support this kind of analysis that can be very beneficial in the field on information security. It can enable organisations to become more resilient through data-driven security decision-making, planning and incident responses,” he said.