Fraud Landscape Shifts as EMV Adoption Becomes More Widespread

It’s been just over two years since the liability shift around EMV pushed retailers and financial institutions towards adopting chip-enabled cards and terminals, and the fraud landscape for cybercriminals has shifted along with that adoption.

In June, Visa reported that it had issued nearly 450 million chip cards and that 50% of U.S. storefronts now accept the more secure payment cards. Visa also said that merchants who have upgraded their systems saw their counterfeit fraud dollars drop substantially from the previous year.

However, fraud is not disappearing, it’s just shifting, said Monica Eaton-Cardone, the co-founder and COO of Chargebacks911, on SurfWatch Labs recent Cyber Chat podcast.

“We have enough adoption — enough people, enough merchants are making that transition — that it’s already scared a lot of the criminals who were preying on these card-present ways of stealing cards, and they’ve already started leaving that market,” Eaton-Cardone said. “Unfortunately, what has happened is that all of that criminal activity has just migrated to the online environment.”

Squeeze one area of fraud, and malicious actors will simply rush to exploit other areas — a “fraud balloon,” as SurfWatch Labs Adam Meyer describes it. For example, in recent months SurfWatch Labs has observed an increase in both cryptocurrency attacks and attacks against consumer accounts tied to payment card information, and gift card fraud is expected to surge in the coming months as well.

Although the fraud landscape is shifting, ample opportunity still remains for fraudsters to exploit the old payment cards. The EMV liability shift for gas station pumps, which holds merchants using outdated technology responsible for fraudulent transactions on EMV cards, was originally set to go into affect last month — but that has since been pushed back until October 2020. Visa said the delay was due, in part, to gas stations needing more time to upgrade because of issues with a sufficient supply of regulatory-compliant EMV hardware and software.

Merchants have traditionally been focused on removing friction from purchases and making the process as fast as possible, Eaton-Cardone said. As a case in point, Chipotle announced a point-of-sale breach earlier this year after reportedly stating prior to the 2015 EMV deadline that it did not plan on upgrading its point-of-sale systems due to concerns such as increased transaction times.

“When you’re focused on speed, you’re probably not as focused on security, so maintaining that balance really can be a lifesaving item when it comes to protecting your business from liability,” Eaton-Cardone said.

That security should start with the basics, she said, such as:

  • continually keeping software up to date in order to avoid known exploits,
  • having a layered approach to fraud that includes both technology and human review so there is more than one line of defense,
  • and putting a key focus on protecting data by following the Payment Card Industry Data Security Standard (PCI-DSS) and other well-established best practices.

Fraud is a dynamic issue, not a static one, and organizations need to adapt as the landscape changes — and that shift is increasingly towards the theft of data, Eaton-Cardone said.

“The world is transforming into a digital environment. It’s no longer cash is king. It’s really data is king.”

Listen to the podcast for more from Monica Eaton-Cardone on EMV technology, how organizations can defend against fraud, and what the fraud landscape will look like in the future.

How to Organize and Classify Different Aspects of Cyber Threat Intelligence

Over the past few years, cyber threat intelligence has matured to cover many different aspects of business. What threat intelligence is and how people view and define it can vary quite a bit depending on the vendor providing the intelligence, the business unit consuming that intelligence, the deliverables expected of the intelligence, and the ultimate cyber risk management goals of the organization.

The evolution of threat intelligence has generally been a good thing for organizations, but it has also made it more difficult to wrap one’s head around the concept — particularly for those new to the subject. SurfWatch Labs chief security strategist Adam Meyer recently created a threat intelligence mind map to help show the different areas of threat intelligence and how they all tie together for organizations.

“It’s meant to give the individual looking at it kind of an overview of what cyber threat intelligence is,” said Meyer, who came on the latest Cyber Chat podcast to discuss the mind map and associated whitepaper. “If I was to start a cyber threat intelligence program, these are the components of what that program would be — at the high level.”

2017-09-20_MindMapFinal.png
Adam Meyer’s threat intelligence mind map.

Meyer said he was looking to standardize some of the resources that have already been published in the intelligence community and other thought leadership, as well as bring together some important parts of threat intelligence that weren’t always discussed, such as the people and process behind intelligence.

For example, early adopters of threat intelligence often begin with the mindset of collect, collect, collect, Meyer said, but all that raw data doesn’t necessarily translate into better security.

“Their eyes glaze over and they start realizing, ‘While how am I supposed to process all this information now, and not only process it in general, but how do I process it in a timely fashion; how do I put context around it’ — all those people-and-process-centric type of things,” Meyer said.

As SurfWatch Labs noted in its recent whitepaper on the mind map, the starting point for most organizations should be strategic threat intelligence.

Download the free whitepaper, “How Cyber Threat Intelligence Fits Into Your Security Program”

“Strategic cyber threat intelligence can help to answer many of the big-picture cyber risk questions facing organizations,” the paper noted. “Those answers can help to inform every other aspect of an organization’s threat intelligence operation and help ensure that cybersecurity efforts and investments and aligning with business priorities.”

Meyer echoed that sentiment.

“Basically, it’s looking at who is the decision maker and why do they care,” Meyer said. “Your intelligence should be driving the answer to that question.”

With those high-level questions answered, organizations can dive more deeply into other interconnected areas of the mind map, and those risk areas — whether it’s technology or fraud or supply chains or other risk concerns — will likely continue to blend together in the future, Meyer said.

“There seems to be an increase in awareness of needing to bring things together, which is what drove me to create the mind map.”

For more on the using the Threat Intelligence Mind Map, download the whitepaper or listen to our Cyber Chat Podcast with Adam Meyer below:

Talking the Preparedness Cycle and Reducing Cyber Risk with Andy Jabbour

Many organizations are struggling with how to best manage and mitigate the array of cyber risks they are facing. Those growing number of risks — from deliberate threats such as ransomware, data theft and social media hacking to non-deliberate risks such as poorly trained employees or issues that spread through the supply chain — can be challenging to quantify, prioritize and prepare against.

But don’t despair, said Andy Jabbour, the co-founder and managing director of Gate 15, there is hope. Andy recently wrote a series of blogs outlining how the Preparedness Cycle, which is often used to prepare for traditional threats, can also be implemented to help organizations prepare for cyber threats.

“The preparedness cycle has been around for quite a long time now and it has been used by the Department of Homeland Security, FEMA, and other federal, state, and local government agencies as part of managing the preparedness process,” Jabbour said during a recent Cyber Chat Podcast about his blog series. “The idea of applying it towards cyber risk is maybe something people don’t necessarily think about right away, but it certainly applies very well.”

As Jabbour noted in his eight-part blog series (linked below), a key part of successfully overcoming the impacts of incidents, including cyber incidents, is taking the time to properly prepare. Building a flexible, multi-year plan that addresses all stages of the Preparedness Cycle can help to provide the focus, thought and structure needed to begin tackling cyber risks in a more thoughtful and organized way, Jabbour said.

The Preparedness Cycle includes five general steps for organizations to work through when it comes to addressing their cyber risks (for an overview of the process, start with Jabbour’s Introduction to the Preparedness Cycle):

2017-09-05_PreparednessCycle
Source: FEMA
  1. Preparedness and Operational Planning
  2. Organize and Equip
  3. Awareness and Operational Training
  4. Exercises
    1. Intro to Exercises
    2. Discussion-Based Exercises
    3. Operations-Based Exercises
  5. Evaluate and Improve

“No one has time to tackle every threat or to build a plan for every potential situation that may arise, so you need to build adaptable plans that work on addressing the most important risks,” Jabbour said. “We can’t do all of it, but we can do some, and if we’re smart we can try to put some things together to get the most bang for our buck — in both our training and our exercises.”

For more on the using the Preparedness Cycle to help manage your organization’s cyber risk, read the blog series above or listen to our Cyber Chat podcast.

 

Monitoring Your Digital Risk Footprint: Q&A with a Former CISO

The digital footprints of many organizations are expanding, and with that expansion comes more avenues of attack for cybercriminals to exploit. The past few years have seen organizations having to manage more devices, more social media channels, and more customer service features — in addition to the increased interconnection and sharing of data with partners, vendors, and various as-a-service tools.

That expanding level of presence is increasing the cyber risk facing organizations, said SurfWatch Labs chief security strategist Adam Meyer. Data breaches and service interruptions now often originate outside of an organization’s walls; nevertheless, it’s the connected organizations that tend to pay the biggest price.

“At the end of the day, if a third-party is supporting a major customer-centric business process, and they have a breach and your customers need to be notified — nine times out of ten it’s not that provider’s brand that’s going to get hammered,” Meyer said on the latest Cyber Chat Podcast. “It’s going to be your brand that has to deliver the bad news.”

That’s why organizations need to ensure that proper due diligence is in place around their whole digital risk footprint, Meyer said. In today’s environment that means having intelligence around events that may occur one or several steps down the digital supply chain — as well having a plan of action in place to respond to those threats as they arise.

On the Cyber Chat Podcast, Meyer discusses a variety of topics related to digital risk management, including:

  • How the digital footprints of organizations have changed over the past couple years.
  • Why IoT devices often bypass proper security management and what actions organizations should take in regards to those devices.
  • The problem of growing supply chains and how one breach can quickly spread to impact dozens of connected organizations.
  • How organizations should respond to the shifting landscape so that they can better manage their cyber risk.

Listen to the full Cyber Chat podcast below:

Talking Strategic, Operational and Tactical Threat Intelligence

Cyber threat intelligence has become increasingly popular over the past few years. With that rise comes a variety of questions around the different types of intelligence that is available and how that intelligence can be best implemented by organizations looking to mitigate their cyber risk.

According to SurfWatch Labs chief security strategist Adam Meyer, there are three main types of threat intelligence — tactical, operational, and strategic — however, a focus has recently emerged on strategic threat intelligence.

“Strategic is where a lot of the business alignment can happen,” Meyer said this week on the Cyber Chat podcast. “You’re translating the capabilities out there, intentions out there, of adversaries — how they’re targeting things — and comparing it against you as an organization.”

That type of intelligence has proven to be a good starting point to answering a key question that organizational leaders may have: “Are we well-positioned for cyber risk or are we not? And if not, why not?”

On the Cyber Chat podcast, Meyer discusses a variety of topics related to cyber threat intelligence, including:

  • the difference between tactical, operational, and strategic threat intelligence,
  • how that intelligence can help manage an organization’s cyber risk,
  • what organizations should look for when evaluating threat intelligence,
  • and how threat intelligence will likely evolve in the coming years.

“The intent is to deliver finished and evaluated intelligence and put it on the desk of the decision maker. That helps them make better decisions,” Meyer said. “If you’re not doing that, you’re not technically in my book doing intelligence.”

Listen to the full Cyber Chat podcast below:

Banner Health Data Breach Leads to Series of Class Action Lawsuits

Earlier this month, Banner Health announced a data breach affecting approximately 3.7 million people. Since then, a series of class action lawsuits have been filed against the healthcare provider.

The breach involved two separate attacks, Banner Health said. The first targeted payment cards used at food and beverage outlets across some Banner Health locations. The second targeted patient, insurance, and provider information.

The sensitive healthcare information that was stolen is what sets this case apart from other recent data breach lawsuits, said Michella Kras, of counsel, Hagens Berman Sobol Shapiro. Kras is one of the attorneys working on the Banner data breach case filed by the firm, which she discussed on this week’s Cyber Chat podcast.

Hagens Berman Sobol Shapiro filed the class action lawsuit on behalf of Howard Chen, an Arizona doctor whose information was stolen in the breach.

“Dr. Chen’s personal information was compromised in three different ways: as an employee, insurance customer, and health provider,” the lawsuit states. “Dr. Chen is concerned that as a result of Banner’s conduct, his personal information, provider information, and health information is vulnerable to use by third parties.”

Banner Health has offered one-year of free credit monitoring to those affected by the breach, but that’s not enough, said Kras, who estimated Banner Health may pay $6 per person for the service.

“That’s not much of an incentive for them to change their practices because that’s such a small amount to a company that big,” Kras said. “It needs to be something greater than that to spur them to make changes.”

Listen to the podcast for more on Banner Health, class action lawsuits in general, and what companies can do to limit their liability.

 

Podcast: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 77: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money:

The fallout from the breach at the Democratic National Committee continued as WikiLeaks published more information and Julian Assange vowed that there was more to come. UK Telecom O2 became the latest company to be victimized by batches of previously exposed credentials. Shapeways, Kimpton Hotels, and Korean online store Interpark all made headlines for data breaches. Cybercrime advisories included researcher Tavis Ormandy warning of flaws in password manager LastPass, NIST advising organizations to move beyond SMS-based two-factor authentication, a flaw in Amazon’s Silk web browser, the KeySniffer flaw affecting wireless keyboards, and news of the Chthonic banking Trojan. On the legal front a Miami judge ruled that bitcoin is not real money, Target shareholders’ derivative lawsuit was dismissed, the University of Mississippi Medical Center was hit with a $2.7 million HIPAA settlement, a breach led to a Minnesota county paying a $1 million settlement, and a former Citibank employee was sentenced to prison. Finally, one internet star asked his followers to hand over their passwords, and they did.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Podcast: Pokemon Go Tops Cybercrime Targets, GOP Unveils Cyber Platform and Other Risk Trends

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 76: Pokemon Go Tops Cybercrime Targets, GOP Unveils Cyber Platform and Other Risk Trends:

The popular Pokemon Go was this week’s top trending cybercrime target following several incidents including DDoS attacks that disrupted service. DDoS attacks against the U.S. Congress, Philippines Government and WikiLeaks also made news. Data breach announcements include more than 130 stores being impacted by Cici’s Pizza’s point-of-sale breach, Asiana Airlines having 47,000 documents containing customer information stolen, and 2 million users being impacted by a hack at Ubuntu Forums. On the advisory front, SurfWatch Labs released its Mid-Year 2016 Cyber Trends report, Adobe Flash is back in the news, a Stagefright-like vulnerability is affecting Apple devices, and legitimate remote administration software is being used to spread banking malware. The GOP led the way on the legal side of cybercrime as the party unveiled its official platform, including cyber. Oregon Health & Science University was fined $2.7 million. The Department of Commerce will soon being accepting self-certifications for the EU-U.S. Privacy Shield. The St. Louis Cardinals hacking case wrapped up with a 46-month prison sentence. The alleged operator of Kickass Torrents was also arrested this week. Lastly, Pokemon Go is leading many people to get hurt in strange ways.

Download the Mid-Year 2016 Cyber Trends report from SurfWatch Labs: info.surfwatchlabs.com/cyber-threat-…eport-1h-2016

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

More Financial Institutions Fall Victim to SWIFT Attacks

In late June, reports surfaced of an unnamed Ukrainian bank having $10 million stolen, adding to the growing list of cyber-attacks leveraging SWIFT, the messaging system used by financial institutions around the world.

“At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars,” said the Information Systems Audit and Control Association (ISACA).

These SWIFT-related attacks often require significant time investment from cybercrimnals, but the payouts can be substantial —  including an $81 million theft from Bangladesh’s central bank in February.

According to the Kyiv Post:

[ISACA] said that such hacks usually take months to complete. After breaking into a financial institution’s internal networks, hackers will take time to study the bank’s internal processes and controls. Then, using the knowledge and access they have gathered, the hackers will begin to submit fraudulent money orders to webs of offshore companies, allowing them to siphon off millions of dollars.

“The SWIFT case — it’s actually more in line with what’s happening right now, which we call multi-dimensional attacks because it involves many areas,” said ThetaRay CEO Mark Gazit, who was a guest on this week’s Cyber Chat podcast.

The attacks shed light on the trend of some cybercriminal groups moving beyond personal information and credit card theft. Instead, they are focusing on the institutions themselves and the potentially massive payouts that come along with a successful attack.

These groups are becoming smarter and often know the inner working of banks, Gazit said.

“If you go to the dark web you can find the set of rules for banks in the United States, and some of the banks will have more than 10,000 rules. They’re all published.”

Growing Problem for Financial Organizations

Customers have an expectation of certain convenience features, and banks have to keep pace with those expectations in order to not lose business. The growing digital footprint makes those financial institutions much more susceptible to cybercrime, which is increasingly automated, Gazit said.

This means that cyber-attacks have more impact throughout organizations.

“It becomes a board issue, a CEO issue, a risk issue. Suddenly, it’s not just an issue that IT guys should deal with somewhere in back office rooms. It’s actually becoming something that relates the very core part of the business.”

On Monday, SWIFT announced that they were engaging with several security companies to assist the community by providing forensic investigations related to SWIFT products as well as providing anonymized intelligence data to help prevent future fraud.

Part of the problem around cybersecurity is that teams may be hampered by their past successes and failures, Gazit said.

“Existing organizations such as financial institutions, utility companies, they still have very good people that have extensive knowledge that is derived from the past, and sometimes past knowledge can be a curse when you try to prepare yourself against new attacks.”

He added, “I think that we’ll see more surprises, more attacks that nobody expected, more crime that people will be very much surprised how it happened or how it could happen.”

For more, listen to the full conversation with ThetaRay’s Mark Gazit about how financial sector attacks are evolving and what needs to be done to stay ahead of cybercriminals.

 

Podcast: Healthcare Leaks, POS Breaches, and Latest Malware and Legal News

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 75: Healthcare Leaks, POS Breaches, and Latest Malware and Legal News:

Several large healthcare databases have been put up for sale on the dark web, and the actor behind the leaks is promising more. Point-of-sale breaches made headlines this week at Hard Rock Hotel & Casino Las Vegas and Noodles & Company. More SWIFT attacks are impacting “dozens of banks.” Sports and cybercrime intersected as ransomware hit NASCAR and the SEC was the victim of a Twitter hack. Advisories this week include vulnerabilities in Symantec products that Google’s Project Zero called “as bad as it gets,” Bart and Cerber ransomware warnings, Marcher and Retefe banking Trojan developments, and a botnet utilizing CCTVs. The legal side saw congressmen urging HHS to examine ransomware, the FTC clarifying what they’re looking for during investigations, privacy lawsuits affecting both researchers and the FBI, and new and potential cybersecurity laws in Rhode Island and China. Lastly, a man is using technology to fight parking tickets.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.