A full 87.6% of the root domains operated by top e-retailers in the United States and the European Union are putting their brands and consumers at risk of phishing attacks by not implementing email security policies, like DMARC or the Sender Policy Framework (SPF), which detect sender-spoofing attempts.
According to analysis from 250ok of 3,300 domains of the top 1,000 US internet retailers and top 500 EU internet retailers by revenue, the majority of retailers do use some level of email authentication on their domains. However, many are inconsistent in their approach across all the domains they control. Only 11.3% of top US retailer and 12.2% of top EU retailer domains meet 250ok’s recommended minimum protocol for the email channel. That consists of publishing SPF records for all domains, ensuring that SPF records are valid and without errors, and publishing a DMARC policy for all domains.
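As an added illustration of the three-part minimum 250ok describes (SPF published on every domain, SPF records valid and error-free, a DMARC policy published on every domain), here is a small Python auditor that applies those checks across a set of domains. It is not code from 250ok or from the report: the domain names and TXT records are constructed sample data standing in for DNS answers, so it runs offline, and `lookup_txt`, `check_spf`, `check_dmarc` and `meets_minimum` are names chosen here. It also goes slightly beyond the report's stated criteria by flagging an SPF record that ends in `+all`, or that has no `all` term at all, as permissive, since such a record authorises any sender and so prevents nothing.

```python
import re

# Constructed sample TXT data standing in for DNS answers. None of these are real
# domains or real records; keys are DNS names, values the TXT strings found there.
SAMPLE_TXT = {
    "shop.example": ["v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 -all"],
    "_dmarc.shop.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@shop.example"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # Two SPF records on one name: a permanent error under RFC 7208.
    "promo.example": ["v=spf1 include:_spf.mail.example ~all", "v=spf1 -all"],
    "legacy.example": [],  # nothing published at all
    # Syntactically fine, but "+all" authorises every sender on the internet.
    "partner.example": ["v=spf1 include:_spf.mail.example +all"],
    "_dmarc.partner.example": ["v=DMARC1; p=none"],
    # Eleven DNS-querying terms, one over the RFC 7208 limit, so receivers return permerror.
    "bulk.example": ["v=spf1 include:_spf.mail.example a mx mx:mail1.example mx:mail2.example "
                     "include:crm.example include:cdn.example exists:%{i}.example ptr "
                     "a:x.example redirect=y.example"],
}

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def lookup_txt(name, txt=SAMPLE_TXT):
    """Return the TXT strings for a name. Swap in a real resolver to audit live domains."""
    return txt.get(name.lower(), [])

def spf_records(name, txt=SAMPLE_TXT):
    """Only TXT strings whose version tag is exactly v=spf1 count as SPF records."""
    return [r for r in lookup_txt(name, txt) if re.match(r"v=spf1(\s|$)", r, re.I)]

def count_spf_lookups(name, txt=SAMPLE_TXT, seen=None):
    """Count DNS-querying terms, following include: and redirect= targets once each."""
    seen = set() if seen is None else seen
    if name.lower() in seen:
        return 0
    seen.add(name.lower())
    recs = spf_records(name, txt)
    if len(recs) != 1:
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        match = TERM_RE.match(term.lstrip("+-~?"))
        if not match:
            continue
        mech, arg = match.group(1).lower(), match.group(2)
        if mech in LOOKUP_TERMS:
            total += 1
            if mech in ("include", "redirect") and arg:
                total += count_spf_lookups(arg, txt, seen)
    return total

def check_spf(domain, txt=SAMPLE_TXT):
    """Classify a domain's SPF publication as missing, invalid, permissive or ok."""
    recs = spf_records(domain, txt)
    if not recs:
        return "missing", "no v=spf1 TXT record published"
    if len(recs) > 1:
        return "invalid", "multiple SPF records (permerror under RFC 7208)"
    terms = recs[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if any(t.lower() in ("all", "+all") for t in all_terms):
        return "permissive", "'+all' authorises any sender, so the record prevents nothing"
    lookups = count_spf_lookups(domain, txt)
    if lookups > MAX_LOOKUPS:
        return "invalid", f"{lookups} DNS lookups exceeds limit of {MAX_LOOKUPS}"
    if not all_terms:
        return "permissive", "no 'all' term, so unlisted senders get a neutral result"
    return "ok", f"{lookups} of {MAX_LOOKUPS} DNS lookups used, terminal term {all_terms[-1]}"

def check_dmarc(domain, txt=SAMPLE_TXT):
    """Return the published DMARC policy (none/quarantine/reject), or missing/invalid."""
    recs = [r for r in lookup_txt("_dmarc." + domain, txt)
            if re.match(r"v=DMARC1\s*(;|$)", r, re.I)]
    if not recs:
        return "missing", "no TXT record at _dmarc." + domain
    if len(recs) > 1:
        return "invalid", "multiple DMARC records"
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", "missing or unrecognised p= tag"
    return policy, "aggregate reports to " + tags.get("rua", "(nobody)")

def meets_minimum(domain, txt=SAMPLE_TXT):
    """The report's minimum: a valid, non-permissive SPF record plus any DMARC policy."""
    return (check_spf(domain, txt)[0] == "ok"
            and check_dmarc(domain, txt)[0] in ("none", "quarantine", "reject"))

def audit(domains, txt=SAMPLE_TXT):
    """Run both checks over every domain a brand operates, not just the primary one."""
    return {d: {"spf": check_spf(d, txt), "dmarc": check_dmarc(d, txt),
                "meets_minimum": meets_minimum(d, txt)} for d in domains}

if __name__ == "__main__":
    for domain, result in audit(["shop.example", "promo.example", "legacy.example",
                                 "partner.example", "bulk.example"]).items():
        print(f"{domain:16} spf={result['spf'][0]:10} dmarc={result['dmarc'][0]:8} "
              f"minimum={'yes' if result['meets_minimum'] else 'no'}  ({result['spf'][1]})")
```

To audit real domains, replace `lookup_txt` with a resolver call (for instance dnspython's `dns.resolver.resolve(name, "TXT")`, joining each answer's strings) and feed in the full list of domains the brand registers, including dormant and redirect-only ones, since those are exactly the domains the report found inconsistently covered.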
“By failing to publish basic authentication records like SPF and a DMARC record for all of the domains they operate, retailers are blind to the potential abuse of their brands’ domain names,” said Matthew Vernhout, director of privacy at 250ok. “It leaves both the brand and the consumer unnecessarily exposed to phishing attacks that damage brand trust.”
A 2017 study from the Anti-Phishing Working Group reported that an average of 443 brands per month were targeted for phishing attacks in the first half of 2017, up from 413 per month during the same period in the previous year. These attacks are a threat to brand trust, as 91% of all cyber-attacks begin with a phishing email.
"Time and again, we see that phishing is among the most common cyber-risks. DMARC protects both consumers and businesses from some of the worst types of phishing," said Global Cyber Alliance director of operations Shehzad Mirza. "The value of the protection is such that both the UK and US governments have mandated their respective government domains to implement DMARC. We urge all governments and businesses to do the same."
“This is a moment in time where we have the opportunity to make a real impact on the security of consumers and brands,” said Greg Kraios, 250ok CEO.
Ransomware continues to be a major issue across the globe, with 54% of organizations surveyed hit in the last year and a further 31% expecting to be victims of an attack in the future.
That’s according to the Sophos State of Endpoint Security Today survey, which shows the extent to which businesses are at risk of repeated ransomware attacks and are vulnerable to exploits. The survey polled more than 2,700 IT decision makers from midsized businesses in 10 countries worldwide, including the US, Canada, Mexico, France, Germany, UK, Australia, Japan, India and South Africa.
On average, respondents impacted by ransomware were struck twice—which is not an inexpensive state of affairs. According to the report, the median total cost of a ransomware attack was $133,000. This extends beyond any ransom demanded and includes downtime, manpower, device cost, network cost and lost opportunities. A few (5%) of those surveyed reported $1.3 million to $6.6 million as total cost.
“Ransomware is not a lightning strike – it can happen again and again to the same organization. We’re aware of cybercriminals unleashing four different ransomware families in half-hour increments to ensure at least one evades security and completes the attack,” said Dan Schiappa, senior vice president and general manager of products at Sophos. “If IT managers are unable to thoroughly clean ransomware and other threats from their systems after attacks, they could be vulnerable to reinfection. No one can afford to be complacent. Cybercriminals are deploying multiple attack methods to succeed, whether using a mix of ransomware in a single campaign, taking advantage of a remote access opportunity, infecting a server or disabling security software.”
This relentless attack methodology combined with the growth in ransomware-as-a-service, the anticipation of more complex threats and the resurgence of worms like WannaCry and NotPetya puts businesses in serious need of a security makeover, according to Sophos.
“Organizations of all sizes are starting 2018 with inadequate protection against ransomware, despite last year’s international headlines,” said Schiappa. “Given the ingenuity, frequency, and financial impact of attacks, all businesses should re-evaluate their security to include predictive security technology that has the capabilities needed to combat ransomware and other costly cyber-threats.”
The report also uncovered that IT professionals need to be aware of how exploits are used to gain access to a company’s systems for data breaches, distributed denial-of-service attacks and crypto-mining. The survey revealed considerable misunderstanding around technologies to stop exploits, with 69% unable to correctly identify the definition of anti-exploit software. With this confusion, it’s not surprising that 54% do not have anti-exploit technology in place at all. This also suggests that a significant proportion of organizations have a misplaced belief that they are protected from this common attack technique yet are actually at significant risk.
“The lack of awareness and lack of protection against exploits is alarming. We’ve seen a resurgence in cybercriminals looking for vulnerabilities to actively use in countless attack campaigns,” said Schiappa. “Five or six years ago we saw one per year, and last year as many as five new Office exploits have been used for cybercriminal activity, according to SophosLabs. When cybercriminals are deliberately seeking out both known and zero-day vulnerabilities and an organization has a deficit in defenses, it adds up to a bad security situation.”
Salaries for cybersecurity specialists are set to rise by 7% this year, according to the Robert Walters 2018 Salary Survey.
That will be the highest wage raise among IT professionals, the recruitment consultancy claimed, with the increase across all roles within IT and technology estimated to be an average of 2%.
Developers and infrastructure specialists will also benefit from a higher pay increase (3%) in 2018.
This comes at a time when cybersecurity professionals are in particular demand, with a widening cyber-skills gap estimated to result in a shortage of 1.8 million professionals by 2022 (according to (ISC)2’s most recent Global Information Security Workforce Study).
“This survey by Robert Walters is a welcome recognition of the importance of cybersecurity specialists to corporations and individuals in 2018,” said Tim Helming, director of product management at DomainTools. “As data breaches, high profile ransomware attacks and other forms of cybercrime become more common, sophisticated and easy to pursue, the need for cybersecurity professionals to be incentivized to stay in the industry is crucial.
“What’s more, a visible industry-wide average salary increase could help to draw more talented people into the cybersecurity industry.”
However, Ahsan Iqbal, associate director at Robert Walters, was quick to point out that whilst competitive and increasing salaries will always be a draw for cybersecurity pros, there are also other important factors for attracting talent that must not be overlooked.
“For many IT professionals, while a high salary is important, there are other incentives which can attract them to a role,” he said. “In particular, flexibility is regarded as highly important, with many IT specialists looking to work for employers who are open to remote working and flexible hours.”
The nature of the projects they will be working on is also considered important to many IT professionals, he added, as is the working culture of the organization they are joining.
“Employers should consider highlighting these aspects of their organization and the role itself when aiming to secure top caliber talent.”
Cyber-criminals will find new ways to blackmail and extort organizations and individuals in 2018, supercharging ransomware, launching online smear campaigns and firing out targeted attacks aimed at key facilities, according to Trend Micro.
The security giant’s latest report, Digital Extortion: A Forward-Looking View, warns that 2017 was just the tip of the iceberg in terms of what the black hats can do.
Over the coming year, ransomware campaigns are likely to be tweaked yet further for greater impact: for example, by focusing more on organizations like hospitals and manufacturing companies, where downtime could be catastrophic but security investments may lag other sectors.
“We expect ransomware criminals to add new features to their creations by reusing the old book of traditional malware techniques,” explained report author, David Sancho. “It would not be unreasonable to think that they might use portable executor infectors or any other more aggressive delivery technique in order to increase the speed of the infections and spread the impact far and wide.”
Attacks could be accelerated by ensuring the malware knows what file types to search for and encrypt according to the organization — e.g. image and video files at a media company.
The report also warns of dynamic pricing techniques which could automatically set a fee for the decryption key based on the nature of the business.
Other forms of targeted attack designed to extort companies and individuals in 2018 could include breaches of adult websites, like the infamous Ashley Madison incident; attacks on blockchain technologies; supply chain disruption; and manufacturing process alterations.
In the case of the latter two examples, attackers could plant malware and/or alter processes and then demand a fee to call off their attack.
Online blackmail could also make a big impact this year, with digital smear campaigns timed to cause maximum damage to an individual or organization — think a politician in the run-up to a major election.
The potential for convincing spoofed video footage to cause mayhem makes fake news fact checking even more important, the report claimed.
Organizations should prepare for the above scenarios in their incident response plans and educate employees and management “against both typical and atypical digital extortion attempts, especially when it comes to phishing and social engineering,” urged Sancho.
Crypto-currency start-up Experty has promised to refund investors taken in by a phishing scam which left them $150,000 worse off ahead of a recent initial coin offering (ICO).
The firm’s mission statement claims it wants to encourage the global adoption of digital currency within three years “by creating an intuitive, easy to use application that is suitable for wide scale usage.”
That application will apparently help to solve the current blockchain skills crisis by allowing “experts to monetize their skills through a skype-like voice and video application.”
However, Experty’s ICO last week went wrong after scammers jumped in ahead of the event by sending phishing emails to investors.
These emails, which were reportedly littered with spelling mistakes, promised a special bonus of Experty tokens (EXY) for those who sent Ethereum to a third-party wallet address not connected to the company.
It appears as if the phishers managed to get hold of the email addresses by compromising the machine of an Experty user who was conducting a Proof of Care (PoC) review.
That’s why the firm said it is giving 100 EXY tokens to everyone whose ETH address was in the firm’s database. It followed up on Sunday to say that it would be contacting those affected by the phishing attack individually.
“We will be contacting the victims that are in our database in order to distribute the proportional amount of EXY tokens to them, including the bonuses for their tier, from our company allocation. If someone wishes to receive ETH instead, we ask them to please contact us privately about this.
“Any ETH sent to the scammer after this announcement [January 28, 2018 at 21:30 UTC] will not be refunded in order to prevent people purposely sending money to the scam address to receive EXY tokens.”
Crypto-ICOs are an increasingly lucrative way for cyber-criminals to make money.
According to a recent report from Ernst & Young, 10% of all ICO funds have been stolen, with phishing the primary tactic.
Plans drawn up by Donald Trump’s security team to build a government-run nationwide 5G network to combat Chinese spying have been shot down by the FCC and others.
A PowerPoint presentation from the President’s national security team is said to have claimed the US needs to build such a network quickly because: “China has achieved a dominant position in the manufacture and operation of network infrastructure,” and “China is the dominant malicious actor in the Information Domain.”
The idea is that the government would build the network – which it says needs to be done within three years – and then license access to providers such as AT&T and Verizon.
Such a plan is even more important given that autonomous connected cars and other emerging technologies would have to run over it, the proposal argued.
“Eventually this effort could help inoculate developing countries against Chinese neo-colonial behavior,” the presentation continued, according to Axios.
However, key private sector players have already begun work on 5G and spent billions acquiring spectrum for the new protocol.
FCC chairman Ajit Pai dismissed the idea, claiming in a statement that: “Any federal effort to construct a nationalized 5G network would be a costly and counterproductive distraction from the policies we need to help the United States win the 5G future.”
Even Mark Warner, vice chairman of the powerful Senate Select Committee on Intelligence, claimed the plans “would be both expensive and duplicative,” costing an estimated $30bn.
The arguments presented by the Trump team here are in many ways a continuation of the thought which led the US government in 2012 to effectively ban Huawei and ZTE from tendering for telecoms infrastructure projects, due to national security concerns.
Those concerns, and tensions between the two superpowers, have since increased significantly and belated attempts are being made at a government level to prevent Chinese companies from gaining a greater foothold in the US.
AT&T was pressured earlier this month to pull out of a deal to sell Huawei handsets, for example.
Strava, a fitness-tracking app, is revealing potentially sensitive information about military bases and supply routes via its global heat-map website.
The data map shows 1 billion activities and 3 trillion points of latitude and longitude from "Strava's global network of athletes,” according to the company, with the idea being to make finding common and popular workout locations easy. It collects the data from people who use fitness devices like Fitbits, to show where people have been exercising over the past two years.
The only issue is that some of those people are soldiers stationed at sensitive locations such as military bases. Most of the Middle East portions of the map are dark, except for pockets of activity here and there; those that don’t match up with known settlements and bases could be deduced to be secret installations.
Further, the data isn’t live, but it does show habitual workout routes; that’s information that could in theory be used to plan ambushes.
While it sounds like plenty of conclusion-jumping to arrive at that assessment, Oliver Pinson-Roxburgh, EMEA director at Alert Logic, cautions that it’s imperative not to underestimate how such data can be used.
"I have seen some bizarre arguments on this in the past with people asking why we should care about hacking devices for location, arguing what could actually be done with the information,” he said, via email. “The military issues associated with this are alarming, and the military should be regularly testing these issues much like businesses should. There should really be no personal equipment or devices allowed during military operations, and military issued devices should be put through much more rigorous testing to look for different types of threats and risks to that of a commercial product."
American soldiers and other personnel using fitness trackers could opt out of being tracked, if they remember to do so.
"Our global heat map represents an aggregated and anonymized view of over a billion activities uploaded to our platform," a spokesperson said. "It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share."
For its part, the US Department of Defense said that it was reviewing the situation.
“The DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad,” it said in a statement.
Tom Bonner, senior manager of threat research EMEA at Cylance, told us via email that the incident serves to highlight a distinct lack of operational security employed by various government organizations around the world.
“Access to personal communication devices with geolocation services should be banned in sensitive/restricted locations, and broader assessments and awareness training undertaken by employers to understand and mitigate the potential risk posed by these types of services,” he said.
The tide is turning when it comes to consumer perspectives around digital identity and authentication: A report from IBM Security has found that people now prioritize security over convenience when logging into applications and devices, while biometrics is going mainstream.
The Future of Identity study, which surveyed nearly 4,000 adults from across the US, Asia Pacific (APAC) and Europe, uncovered that security has become the highest priority for logging in to the majority of applications, particularly when it came to money-related apps: 70% of respondents ranked security as the top priority over convenience or privacy when logging into investing, budgeting, and banking apps.
However, the report found generational differences in terms of how that security is enabled. Younger adults are putting less care into traditional password hygiene yet are more likely to use biometrics, multifactor authentication and password managers to improve their personal security.
About 67% of all respondents are comfortable using biometric authentication today (and 87% said they will be in the future), compared to 75% of those aged 20-36. However, fewer than half of millennials are using complex passwords and 41% reuse passwords. Older generations showed more care with password creation but were less inclined to adopt biometrics and multifactor authentication.
With millennials quickly becoming the largest generation in today’s workforce, these trends may impact how employers and technology companies provide access to devices and applications in the near future, IBM noted.
Overall, respondents recognized the benefits of biometric technologies like fingerprint readers, facial scans and voice recognition, as threats to their digital identity continue to mount. Asia-Pacific is leading the charge on this front; respondents in APAC were the most knowledgeable and comfortable with biometric authentication, while the US lagged furthest behind.
The evolving threat and technology landscape has created widely known challenges with traditional log-in methods that rely heavily on passwords and personal information to authenticate our identities online. In 2017, data breaches exposed personal information, passwords and Social Security numbers for millions of consumers. Additionally, the average internet user in America is managing over 150 online accounts that require a password, which is expected to rise to over 300 accounts in coming years.
“In the wake of countless data breaches of highly sensitive personal data, there’s no longer any doubt that the very information we’ve used to prove our identities online in the past is now a shared secret in the hands of hackers,” said Limor Kessem, executive security adviser, IBM Security. “As consumers are acknowledging the inadequacy of passwords and placing increased priority on security, the time is ripe to adopt more advanced methods that prove identity on multiple levels and can be adapted based on behavior and risk.”
Communications service providers (CSPs), which have notoriously poor customer satisfaction ratings as an industry, can bolster loyalty by delivering security-as-a-service for mobile devices, research has revealed.
According to Allot Communications’ latest report on mobile security trends, CSPs can realize a twofold to threefold increase in customer satisfaction over those who provide legacy app-based security.
As both consumer and business customers look for an effective yet worry-free solution to protect their mobile devices, the report findings reveal a significant opportunity for mobile operators to take ownership of the security market and to protect users while generating recurring revenue streams, enhancing brand loyalty and reinforcing customer trust.
The findings dovetail with Allot’s MobileTrends H1/2017 Report, which found that 61% of global respondents said they would like to buy a security service from their CSP for their connected devices.
The latest mobile security trends report examined the penetration rates of network-based mobile security as compared to the legacy device-based security app model and found a clear distinction in success rates, with network-based security demonstrating a three- to tenfold greater penetration with subscribers.
Drilling down, the try-and-buy model for opt-in network delivered security services achieves penetration rates of 12% to 15%, while promotional opt-out services perform even better, with penetration rates of 40% to 60%.
Conversely, while mobile operators have historically spent millions of dollars marketing legacy device-based security apps, they are failing to engage consumers, with typical penetration rates of just 3% to 5%.
“Our data distinctly substantiates that network-based security services are a clear winner for CSPs who opt to offer them,” said Ronen Priel, vice president of product management at Allot. “Already, Allot customers enjoy high penetration rates and significant improvement in Net Promoter Score (NPS), as well as increased revenues and brand differentiation, by delivering security-as-a-service to subscribers.”
The government has warned providers of “essential services” that they face fines of up to £17m if they fail to put in place robust cybersecurity to comply with the EU’s NIS Directive by May 10.
The Security of Network and Information Systems Directive, to give it its full name, is an attempt by the European Commission to improve baseline security across the region for critical infrastructure (CNI) providers. As with the GDPR, the UK government will adopt the law post-Brexit.
After a consultation period, the government has clarified certain elements of the new directive, which will apply to operators in electricity, water, energy, transport, health and digital infrastructure — with regulators to be appointed to oversee each sector.
They will be able to levy fines and force companies to improve security.
The directive covers all kinds of cyber-incident, including ones targeting data theft or seeking to cause service outages, as per the ransomware campaigns WannaCry and NotPetya last year.
Also covered will be other IT threats such as power outages, hardware failures and environmental hazards, the government claimed.
The National Cyber Security Centre (NCSC) has released detailed guidance for such operators designed to help them comply with the new law.
It is split into four objectives: managing security risk; protecting against attacks; detecting security “events”; and minimizing the impact of incidents.
Key recommendations cover areas such as: access controls, data security, vulnerability management, network segregation and resilience, staff training, incident response, and supply chain security.
“We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services,” said digital minister, Margot James.
“I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cybersecurity.”
Talal Rajab, head of programme, Cyber and National Security, at techUK, welcomed the new directive but warned that much work still needs to be done before the May deadline.
“However, we are particularly pleased to see that detailed guidance has already been published by the NCSC on the security measures that organizations need to adopt in order to comply,” he added.
“Operators of essential services must act now and take heed of this guidance, ensuring that the essential services that we rely on are cyber-resilient and secure.”
Rob Norris, head of enterprise and cybersecurity EMEIA at Fujitsu, argued that CNI organizations need to combine improved employee training with investments in security controls.
“In doing so, organizations can be on the front foot for proactively identifying and managing threats instead of waiting for breaches to happen,” he said.
“Even the best-run company could suffer from a hack or data breach. The ripple effects of an attack no longer stay within the four walls of an organization, and businesses of all sizes must rethink their approach and stop defying cybersecurity practices.”
Hacked Japanese crypto-currency exchange Coincheck has promised affected customers that it will return around 90% of the NEM tokens stolen in a cyber-attack last week.
That amounts to 523m XEM, or $425m, to be redistributed to the 260,000 or so users impacted by the attack. The money will be repaid from “company funds” in Japanese yen via users’ Coincheck Wallet, the firm explained in a blog post.
“We realize that this illicit transfer of funds from our platform and the resulting suspension in services has caused immense distress to our customers, other exchanges, and people throughout the cryptocurrency industry, and we would like to offer our deepest and humblest apologies to all of those involved,” Coincheck continued.
“In moving towards reopening our services, we are putting all of our efforts towards discovering the cause of the illicit transfer and overhauling and strengthening our security measures while simultaneously continuing in our efforts to register with the Financial Services Agency as a Virtual Currency Exchange Service Provider.”
Coincheck was forced to suspend activity on the platform on Friday following the attack. Reports suggest the stolen crypto-currency was stored in an internet-connected “hot wallet” rather than a more secure “cold wallet.”
The news comes just days after a new report warned that cyber-criminals are increasingly targeting initial coin offerings (ICOs).
It claimed crypto-currency exchanges are particularly popular targets, with $2bn having been stolen already from such companies.
North Korean hackers have been highlighted as one group ramping up operations against exchanges, often via spear-phishing emails aimed at harvesting the log-ins of employees working there.
This increase in cyber-activity has coincided with tough new sanctions on the Kim Jong-Un regime, hinting that it could be a government-sanctioned effort to get money into the country.
Microsoft has been forced to issue an out-of-band patch to fix problems caused by a buggy Intel update for one of the Spectre vulnerabilities disclosed earlier this month.
The Redmond fix (KB4078130) was issued over the weekend and disables the mitigation for the branch target injection vulnerability CVE-2017-5715.
The fix covers Windows 7 (SP1), Windows 8.1 and all versions of Windows 10, for client and server.
Intel first reported “reboot issues” for Broadwell and Haswell platforms on January 11.
Last week it claimed to be making good progress on fixing the problem, and recommended that in the meantime “OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.”
The chip giant then claimed during its fourth quarter financials that the ‘fix’ may also lead to “data loss or corruption.”
Microsoft agreed, but said its new out-of-band update reverses the problem. It can be applied by downloading from the Microsoft Update Catalog website or – for advanced users – via registry setting changes.
“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE-2017-5715) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.”
This is the second unscheduled fix Redmond has been forced to issue since the Spectre and Meltdown flaws were made public at the start of the year.
The previous one was issued in the first week of January to address the Meltdown vulnerability, but itself ended up causing problems for customers because of compatibility issues with some AV tools. These caused blue screen (BSOD) errors for some customers.
The London Football Exchange (LFE) is set to launch its own cryptocurrency.
The idea is to let football (a.k.a., soccer in the US) fanatics take part in various club and fan experiences at a reduced cost, including match-day tickets, tours and player meet-and-greets, along with specific merchandise and third-party partner offers – while clubs can benefit from financing opportunities. It will be enabled by LFE Points, a blockchain-based loyalty, rewards and offers platform.
“Our vision is to allow football clubs to take advantage of the token funding economy for their financing needs by providing them with a tokenized financing infrastructure, which involves token design and issuance services,” said Charles Pittar, corporate CEO of LFE.
Discussions are already under way with over 50 clubs, including Premier League Clubs in the UK and prominent teams throughout Europe, the US and Australia, LFE said.
“The LFE aims to become a one-stop shop for clubs of all sizes to raise capital via equity sales and also offer LFE contributors a wealth of fan experiences and social interaction,” said Scott Smith, football CEO of LFE. “Clubs will be encouraged to offer some equity through the LFE and required to offer a minimum number of unique experiences or special offers so that the real fans can take part in their favorite clubs.”
LFE is being advised on the launch by leading law firm CMS. Sam Robinson, a partner at CMS, added, “It is very exciting to advise LFE on establishing a business that is aiming to have an impact on the entire football industry using blockchain technology. As a firm, CMS has a particular focus on fintech, and we are delighted to be able to support businesses like LFE that are at the cutting edge of regulation and technology.”
For the clubs, the LFE tokens aim to also help them eliminate the antiquated ticketing technology from legacy operators, which means they pay fees ranging from 5% to 8% in commission based on the notional value of tickets sold.
As part of its initial token offering, LFE will generate a total of 4 billion tokens, with 2.4 billion tokens made available for general sale. The tokens will be priced at 20 cents, which equates to a fundraising goal of approximately $350 million. The pre-sales run from now to February 11, with the public sale taking place directly afterwards, from February 12 to May 20.
The LFE platform will use the Ripple and Stellar networks to support token issuance, trades, and transfers, with Bitcoin, Ethereum and Ripple all accepted as part of the token sale. Bank transfers of British pounds, euros, US dollars, Australian dollars and Swiss francs will also be accepted.
Six out of every 10 businesses are experiencing the same or more fraudulent losses online compared with a year ago.
Experian's Global Fraud and Identity Report shows that fraud trends and patterns continue to grow around the globe. The research found that most businesses – 72% – cite fraud as a growing concern.
The research also shows that businesses need to better identify their customers to help combat online fraud. Currently, most businesses tend to demonstrate suspicion when it comes to preventing fraud, following a route of detection rather than one of permission or trust: 71% know that they deny more transactions than they should. This doesn't just lead to a loss of sales; it's also likely to damage the lifetime value of that customer.
Business leaders agree that if they were more precise in identifying customers and avoiding denial of real transactions, they would see an increase in revenue. In fact, 84% of businesses say the need for fraud risk mitigation could be reduced if they were certain about customers' identity.
As businesses undergo digital transformation, they also recognize the importance of trust and the need for technology to deliver it.
"Whether it's in our favorite coffee shop or shopping online, being recognized by the people we do business with goes a long way," said Kathleen Peters, Experian senior vice president of global fraud and identity. "Recognition helps to stimulate trust, and trust is what makes all of us feel safe and protected. Trust is the currency of digital commerce. Technology is the enabler that underpins it."
Findings from the study, which is based on interviews of more than 5,500 consumers and 500 business executives in 11 markets around the world, show that while consumers want to be recognized, they also expect online banks and retailers to do everything they can to protect their information and secure their transactions. Nearly 7 out of every 10 consumers like security protocols when they transact online, because it makes them feel protected. But that doesn't mean they like too many hurdles and inconveniences. The most effective fraud prevention and identity strategies keep people safe without disrupting their experience.
"Fraud is always evolving, and fraudsters are becoming more resourceful. Good fraud detection requires multiple strategies, including better customer recognition," added Peters. "Simply put, the better you recognize your customer, the better you can recognize fraud."
On the customer recognition front, Lisa Baergen, marketing director at NuData Security, told us via email that in this age of data breaches, password reuse and password-guessing technology, a simple username and password method of authentication is simply not enough. But there are technologies that can help.
“The ability for organizations to limit fraudulent activity is at present marred by their inability to accurately identify customers,” she said. “The use of two-factor authentication, or, even better, passive biometrics, which is capable of identifying users based on passive biological factors impossible to mimic, could help to bridge the identification gap for companies and put 84% of fraudsters out of business. Behavioral and passive biometrics, in a layered approach, help to identify the identity of the real consumer without applying additional friction or inconveniencing the transaction. Simply analyzing how a consumer holds or enters keystrokes on their device or hundreds of other behavioral data points can verify that there is a human behind the transaction and that it is the right human. At the end of the day, trusting the online environment is what matters.”
The number of cyberattacks doubled in 2017, with ransomware leading the way.
That’s according to the Online Trust Alliance (OTA), which has named 2017 “the worst year ever in data breaches and cyber-incidents around the world.”
OTA’s Cyber Incident & Breach Trends Report found that skyrocketing ransomware usage resulted in 160,000 cyberattacks. That’s nearly double the 82,000 recorded in 2016. And since the majority of cyber-incidents are never reported, the actual number in 2017 could easily exceed 350,000, the firm estimated.
Of those, there were 134,000 ransomware attacks on businesses, nearly doubling that of 2016. In mid-2017 another type of ransomware attack emerged—the ransom denial-of-service (RDoS) attack. In this attack, criminals send an email to domain owners threatening a distributed denial-of-service (DDoS) attack that will make a website inoperable unless a ransom (usually via Bitcoin) is paid.
“Surprising no one, 2017 marked another ‘worst year ever’ in data breaches and cyber-incidents around the world,” said Jeff Wilbur, director of the OTA initiative at the Internet Society. “This year’s big increase in cyberattacks can be attributed to the skyrocketing instances of ransomware and the bold new methods of criminals using this attack.”
In the report, OTA analyzes data breaches, ransomware targeting businesses, business email compromise (BEC), DDoS attacks, and takeover of critical infrastructure and physical systems over the course of a year, using data from its members.
It also concluded that 93% of breaches could have been avoided had simple steps been taken, such as regularly updating software, blocking fake email messages by using email authentication, and training people to recognize phishing attacks.
Of the reported breaches in 2017, OTA found that 52% were the result of actual hacks, 15% were due to lack of proper security software, 11% were due to physical skimming of credit cards, 11% were due to a lack of internal controls preventing employees’ negligent or malicious actions and 8% were due to phishing attacks.
“Regular patching has always been a best practice, and neglecting it is a known cause of many breaches, but this received special attention in 2017 in light of the Equifax breach,” said Wilbur. “In 2018 we expect patches to play an even more integral role due to the recently discovered Spectre and Meltdown vulnerabilities, where nearly every computer chip manufactured in the last 20 years was found to contain fundamental security flaws.”
The HMRC is claiming victory against the scammers in the busy run-up to the UK Self Assessment tax deadline, saying it stops 90% of the most convincing “smishing” texts reaching their intended recipients.
Although the tax office did not clarify what qualified as the “most convincing” texts, it claimed that it has saved thousands of taxpayers from potential phishing scams sent via mobile channels. Reports of scam HMRC texts have dropped from over 5000 in March 2017 to fewer than 1000 in December, it said.
These fake texts, spoofed to appear as if sent by HMRC, often claim the recipient is due a rebate and need only click on the link to recover it.
However, that link could lead to a phishing site designed to harvest personal information, or even begin a malware download.
HMRC claimed individuals are nine times more likely to fall for a so-called smishing scam than a phishing email because they can appear more convincing, with the sender displaying only as “HMRC” rather than an actual number.
The revenue collection agency claimed the tech it now uses identifies fraudulent texts with “tags” and stops them from being delivered.
This comes in addition to its implementation of DMARC, which HMRC said has already blocked over 300 million phishing emails spoofed in its name, plus moves to remove 16,000 phishing websites.
The outreach comes as part of Take Five To Stop Fraud Week which aims to raise public awareness of digital scams.
Also this week, security awareness platform provider KnowBe4 revealed research into six million employees across 11,000 US organizations in multiple sectors.
It found that insurance company employees were the most likely to fall for phishing emails (33%) followed by those in the manufacturing industry (31%).
Large business services organizations apparently had the lowest “phish-prone benchmark” at 19%.
The value of fines issued by the Information Commissioner’s Office (ICO) over the past year has soared by 69% to reach nearly £5m, with higher penalties potentially to come when new EU regulations land, according to new data.
The increase in financial penalties issued by the privacy watchdog brought the total for 2017 to £4.9m, rising from £2.9m the year before, according to data compiled by API developer The SMS Works.
That’s a substantial chunk of the £8.8m in fines issued since August 2015.
Data breaches accounted for over a third (39%) of all fines, with companies including TalkTalk and Dixons Carphone Warehouse on the receiving end of a near-maximum penalty from the ICO for systemic failings that led to customer data theft.
That doesn’t bode well for organizations after May 25, when the GDPR finally comes into force.
It will bring with it new maximum financial penalties of 4% of global annual turnover, or £17m, whichever is higher. The ICO has moved to dampen speculation it will be looking to issue crippling charges from day one.
“It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm,” wrote information commissioner Elizabeth Denham.
However, those organizations that fail to show they have their customers’ and employees’ best interests at heart when it comes to data protection may be in for a shock.
“The fines data should act as a wake-up call to all companies and organizations that process and handle consumer data,” The SMS Works founder, Henry Cazalet, told Infosecurity.
“The clock is ticking, and companies that haven't done so already need to urgently address data security before the deadline.”
Financial services firms have been hit most frequently by the ICO, 24 times since 2015, with the charity sector in second place.
Another area punished more frequently by the ICO is nuisance calls, accounting for 46% of all fines issued by the ICO (£4m). In fact, nuisance call offenders have on average been fined to the tune of £91,000, versus £73,500 for data breach offenders and £40,000 for email spammers.
Interestingly, the highest average fine per incident type is reserved for SMS spammers: £108,000.
Cybercrime against consumers appears to be falling in the UK, but is soaring when specific offenses against organizations are tallied, according to the latest official statistics.
The Office of National Statistics’ (ONS) latest bulletin on Crime in England and Wales shows a mixed picture for the year ending September 2017.
The bulletin stated:
“Offences involving computer misuse showed a 24% decrease from the survey year ending September 2016 (down to 1.5 million offences), largely owing to a fall in ‘computer viruses’ (down 26% to 1.0 million offences).”
In addition, cases of reported fraud dropped 10%, from 3.6 million to 3.2 million incidents, driven mainly by a drop in “consumer and retail fraud” – i.e. “online shopping or fraudulent computer service calls” which fell 20% from 0.9 million to 0.7 million offenses, ONS said.
Cyber-related incidents accounted for the majority (56%) of fraud cases: 1.8 million incidents.
However, when taken alone, computer misuse crimes reported to the National Fraud Intelligence Bureau (NFIB) by Action Fraud increased 63%, driven by a rise in “computer viruses” of 145%.
The ONS added:
“More specifically, this is thought to be due to a rise in levels of malware (mainly ransomware and Trojans), including several high-profile attacks and security breaches on national institutions (for example, the WannaCry virus linked to the NHS cyber-attack in May 2017), which would not have been captured by the CSEW as the primary victims were organizations rather than individuals.”
RSA Security director of fraud and risk intelligence, Tim Ayling, claimed that despite the headline drop in cybercrime figures, online fraudsters are having a “feeding frenzy.”
“In the near future, as more automated services such as virtual assistants and driverless cars have access to this data and make our purchases for us, cyber-fraudsters will even start to target our non-human counterparts,” he added.
“Before this becomes a reality, it’s vital users get a handle on who has their information, and how they are protecting it now as we move into uncharted territory of ‘human-not-present’ fraud.”
Sundeep Tengur, banking fraud solutions manager at SAS UK & Ireland, pointed out that despite the drop in the volume of fraud, the value of scamming activity has hit a 15-year high of £2.1bn over recent years.
“Financial organizations have seemingly improved their game but let’s not forget that fraudsters are constantly gaining in sophistication, often at a faster pace. Even a single missed fraud attempt can result in a very costly hit,” he warned.
“The true challenge in the fight against fraud now lies in bolstering the ability to proactively detect and prevent fraud, ideally in real time. With new payment schemes such as SEPA instant credit transfer, and the disintermediation of the banking sector with PSD2, speed of execution is now more important than ever for an effective anti-fraud system.”
Mastercard is implementing biometrics for card payments, with plans to go live by April 2019.
The financial giant said that all consumers will be able to identify themselves with biometrics such as fingerprints or facial recognition whenever they pay in stores with Mastercard. Biometric options will also be implemented for all contactless transactions made at terminals with a mobile device.
In practice, that means that banks issuing Mastercard-branded cards will have to be able to offer biometric authentication for remote transactions, alongside existing PIN and password verification.
The increased availability of biometric capabilities on tablets and smartphones – like Apple’s FaceID – and the EU’s new regulatory requirements for strong authentication are driving Mastercard’s move, the company said.
“Biometric technologies perfectly meet the public’s expectation for state-of-the-art security when making a payment,” said Mark Barnett, president, Mastercard UK & Ireland. “This will be of great benefit to everyone: consumers, retailers and banks. It will make the purchase much smoother, and instead of having to remember passwords to authenticate, shoppers will have the chance to use a fingerprint or a picture of themselves.”
The vast majority of consumers – 93% – prefer biometrics over passwords for validating payments, according to a research paper conducted by Oxford University in collaboration with Mastercard. It also found that 92% of banking professionals want to adopt biometric solutions.
Banks also report that when such biometric authentication is used, customers are much more inclined to go through with their purchase. The abandonment rates can drop by up to 70% compared to other methods, like two-factor authentication with codes sent via SMS.
Existing methods to prove an identity online can also drive shoppers away from a retailer’s website if they’re too time-consuming or complex. One way to solve that is moving from a reliance on what the consumer knows (e.g., passwords) and what they have (card or smart device) to what they have (e.g., mobile phone) and who they are (their biometrics).
Mastercard is not new to the biometrics game. Mastercard Identity Check, now available in 37 countries around the world, is an authentication solution that enables individuals to use biometric identifiers, such as fingerprint, iris and facial recognition, to verify their identity using a mobile device during online shopping and banking activities. Better known as "pay-by-selfie" across Europe, its goal is improved friction-free authentication for users.
When it comes to malware, 2017 saw a significant shift in attack methodology, a distinct evolution in the predominant attack tools and a distinct divergence in the types of attacks against businesses from attacks against consumers, according to research from Malwarebytes.
Malwarebytes' Cybercrime Tactics and Techniques: 2017 State of Malware report shows sharp increases in malware-based cybercrime, including ransomware, banking Trojans, spyware, adware, cryptocurrency miners and others. Ransomware was the tool of choice, though, spiking more than 93% against consumers and 90% against businesses.
"Between July 2017 and September 2017, there was a 700% increase in ransomware, with just two families making up most of that statistic," states the report, which is based on the company’s internal data from its systems and customers. The first, GlobeImposter, increased 341% from July to August 2017, while the second, WannaCry, increased 375% from August to September 2017.
In all, the monthly rate of ransomware attacks increased up to 10 times the rate of 2016, with September 2017 having the largest volume of attacks against businesses ever documented.
It wasn’t all ransomware though: 2017 also saw a massive increase in the malicious use of cryptominers.
“Alongside a sudden cryptocurrency craze, bad actors have started utilizing cryptomining tools for their own profit, using victims’ personal computers in the process,” the firm said in the report. “This includes a significant increase of miners through compromised websites..., malicious spam and exploit kit drops, and adware bundlers.”
Malwarebytes blocked an average of 8 million drive-by mining attempts per day in September 2017.
Meanwhile, cybercriminals continued utilizing banking Trojans and hijackers to steal data from businesses, with the second half of the year marking an average increase of 102% in banking Trojan detections. Hijackers rose nearly 40% year-over-year, making them the most common threat detected against businesses in 2017.
On the consumer front, the overall threat volume against consumers rose 12% last year, with worms and ransomware moving into Malwarebytes’ top 10 types of threats for this segment. The volume of adware increased 132% year-over-year, making up 40% of consumer threat detections (up from less than 20% in 2016). That makes it Malwarebytes’ second-most detected threat, despite fewer adware families in the mix. Most of the work is being done by a handful of active adware developers for Windows, macOS and Android, the firm added.
“Ransomware continued to dominate in 2017, with this tool of choice for hackers increasing 90% from the previous year,” said Marcin Kleczynski, Malwarebytes CEO. “What cybercriminals could not hold for ransom, they stole from businesses. For example, spyware is up 30% and hijackers are up 40%. Each year, we spend countless hours providing analysis on the methodologies, tactics and tools being used by cybercriminals to help our customers and partners protect against the most rampant and prolific threats affecting businesses and consumers worldwide.”
He added, “The last year has certainly thrown us a few curve balls, with massive ransomware attacks, changes in malware distribution and the significant increase in cryptocurrency miners. With 2018 just getting started, these findings can help pave the way for increased awareness, C-level participation and enhanced technologies to better protect both consumers and businesses.”