Fraud Landscape Shifts as EMV Adoption Becomes More Widespread

It’s been just over two years since the liability shift around EMV pushed retailers and financial institutions towards adopting chip-enabled cards and terminals, and the fraud landscape for cybercriminals has shifted along with that adoption.

In June, Visa reported that it had issued nearly 450 million chip cards and that 50% of U.S. storefronts now accept the more secure payment cards. Visa also said that merchants who have upgraded their systems saw their counterfeit fraud dollars drop substantially from the previous year.

However, fraud is not disappearing, it’s just shifting, said Monica Eaton-Cardone, the co-founder and COO of Chargebacks911, on SurfWatch Labs recent Cyber Chat podcast.

“We have enough adoption — enough people, enough merchants are making that transition — that it’s already scared a lot of the criminals who were preying on these card-present ways of stealing cards, and they’ve already started leaving that market,” Eaton-Cardone said. “Unfortunately, what has happened is that all of that criminal activity has just migrated to the online environment.”

Squeeze one area of fraud, and malicious actors will simply rush to exploit other areas — a “fraud balloon,” as SurfWatch Labs Adam Meyer describes it. For example, in recent months SurfWatch Labs has observed an increase in both cryptocurrency attacks and attacks against consumer accounts tied to payment card information, and gift card fraud is expected to surge in the coming months as well.

Although the fraud landscape is shifting, ample opportunity still remains for fraudsters to exploit the old payment cards. The EMV liability shift for gas station pumps, which holds merchants using outdated technology responsible for fraudulent transactions on EMV cards, was originally set to go into affect last month — but that has since been pushed back until October 2020. Visa said the delay was due, in part, to gas stations needing more time to upgrade because of issues with a sufficient supply of regulatory-compliant EMV hardware and software.

Merchants have traditionally been focused on removing friction from purchases and making the process as fast as possible, Eaton-Cardone said. As a case in point, Chipotle announced a point-of-sale breach earlier this year after reportedly stating prior to the 2015 EMV deadline that it did not plan on upgrading its point-of-sale systems due to concerns such as increased transaction times.

“When you’re focused on speed, you’re probably not as focused on security, so maintaining that balance really can be a lifesaving item when it comes to protecting your business from liability,” Eaton-Cardone said.

That security should start with the basics, she said, such as:

  • continually keeping software up to date in order to avoid known exploits,
  • having a layered approach to fraud that includes both technology and human review so there is more than one line of defense,
  • and putting a key focus on protecting data by following the Payment Card Industry Data Security Standard (PCI-DSS) and other well-established best practices.

Fraud is a dynamic issue, not a static one, and organizations need to adapt as the landscape changes — and that shift is increasingly towards the theft of data, Eaton-Cardone said.

“The world is transforming into a digital environment. It’s no longer cash is king. It’s really data is king.”

Listen to the podcast for more from Monica Eaton-Cardone on EMV technology, how organizations can defend against fraud, and what the fraud landscape will look like in the future.

How to Organize and Classify Different Aspects of Cyber Threat Intelligence

Over the past few years, cyber threat intelligence has matured to cover many different aspects of business. What threat intelligence is and how people view and define it can vary quite a bit depending on the vendor providing the intelligence, the business unit consuming that intelligence, the deliverables expected of the intelligence, and the ultimate cyber risk management goals of the organization.

The evolution of threat intelligence has generally been a good thing for organizations, but it has also made it more difficult to wrap one’s head around the concept — particularly for those new to the subject. SurfWatch Labs chief security strategist Adam Meyer recently created a threat intelligence mind map to help show the different areas of threat intelligence and how they all tie together for organizations.

“It’s meant to give the individual looking at it kind of an overview of what cyber threat intelligence is,” said Meyer, who came on the latest Cyber Chat podcast to discuss the mind map and associated whitepaper. “If I was to start a cyber threat intelligence program, these are the components of what that program would be — at the high level.”

2017-09-20_MindMapFinal.png
Adam Meyer’s threat intelligence mind map.

Meyer said he was looking to standardize some of the resources that have already been published in the intelligence community and other thought leadership, as well as bring together some important parts of threat intelligence that weren’t always discussed, such as the people and process behind intelligence.

For example, early adopters of threat intelligence often begin with the mindset of collect, collect, collect, Meyer said, but all that raw data doesn’t necessarily translate into better security.

“Their eyes glaze over and they start realizing, ‘While how am I supposed to process all this information now, and not only process it in general, but how do I process it in a timely fashion; how do I put context around it’ — all those people-and-process-centric type of things,” Meyer said.

As SurfWatch Labs noted in its recent whitepaper on the mind map, the starting point for most organizations should be strategic threat intelligence.

Download the free whitepaper, “How Cyber Threat Intelligence Fits Into Your Security Program”

“Strategic cyber threat intelligence can help to answer many of the big-picture cyber risk questions facing organizations,” the paper noted. “Those answers can help to inform every other aspect of an organization’s threat intelligence operation and help ensure that cybersecurity efforts and investments and aligning with business priorities.”

Meyer echoed that sentiment.

“Basically, it’s looking at who is the decision maker and why do they care,” Meyer said. “Your intelligence should be driving the answer to that question.”

With those high-level questions answered, organizations can dive more deeply into other interconnected areas of the mind map, and those risk areas — whether it’s technology or fraud or supply chains or other risk concerns — will likely continue to blend together in the future, Meyer said.

“There seems to be an increase in awareness of needing to bring things together, which is what drove me to create the mind map.”

For more on the using the Threat Intelligence Mind Map, download the whitepaper or listen to our Cyber Chat Podcast with Adam Meyer below:

Talking the Preparedness Cycle and Reducing Cyber Risk with Andy Jabbour

Many organizations are struggling with how to best manage and mitigate the array of cyber risks they are facing. Those growing number of risks — from deliberate threats such as ransomware, data theft and social media hacking to non-deliberate risks such as poorly trained employees or issues that spread through the supply chain — can be challenging to quantify, prioritize and prepare against.

But don’t despair, said Andy Jabbour, the co-founder and managing director of Gate 15, there is hope. Andy recently wrote a series of blogs outlining how the Preparedness Cycle, which is often used to prepare for traditional threats, can also be implemented to help organizations prepare for cyber threats.

“The preparedness cycle has been around for quite a long time now and it has been used by the Department of Homeland Security, FEMA, and other federal, state, and local government agencies as part of managing the preparedness process,” Jabbour said during a recent Cyber Chat Podcast about his blog series. “The idea of applying it towards cyber risk is maybe something people don’t necessarily think about right away, but it certainly applies very well.”

As Jabbour noted in his eight-part blog series (linked below), a key part of successfully overcoming the impacts of incidents, including cyber incidents, is taking the time to properly prepare. Building a flexible, multi-year plan that addresses all stages of the Preparedness Cycle can help to provide the focus, thought and structure needed to begin tackling cyber risks in a more thoughtful and organized way, Jabbour said.

The Preparedness Cycle includes five general steps for organizations to work through when it comes to addressing their cyber risks (for an overview of the process, start with Jabbour’s Introduction to the Preparedness Cycle):

2017-09-05_PreparednessCycle
Source: FEMA
  1. Preparedness and Operational Planning
  2. Organize and Equip
  3. Awareness and Operational Training
  4. Exercises
    1. Intro to Exercises
    2. Discussion-Based Exercises
    3. Operations-Based Exercises
  5. Evaluate and Improve

“No one has time to tackle every threat or to build a plan for every potential situation that may arise, so you need to build adaptable plans that work on addressing the most important risks,” Jabbour said. “We can’t do all of it, but we can do some, and if we’re smart we can try to put some things together to get the most bang for our buck — in both our training and our exercises.”

For more on the using the Preparedness Cycle to help manage your organization’s cyber risk, read the blog series above or listen to our Cyber Chat podcast.

 

Monitoring Your Digital Risk Footprint: Q&A with a Former CISO

The digital footprints of many organizations are expanding, and with that expansion comes more avenues of attack for cybercriminals to exploit. The past few years have seen organizations having to manage more devices, more social media channels, and more customer service features — in addition to the increased interconnection and sharing of data with partners, vendors, and various as-a-service tools.

That expanding level of presence is increasing the cyber risk facing organizations, said SurfWatch Labs chief security strategist Adam Meyer. Data breaches and service interruptions now often originate outside of an organization’s walls; nevertheless, it’s the connected organizations that tend to pay the biggest price.

“At the end of the day, if a third-party is supporting a major customer-centric business process, and they have a breach and your customers need to be notified — nine times out of ten it’s not that provider’s brand that’s going to get hammered,” Meyer said on the latest Cyber Chat Podcast. “It’s going to be your brand that has to deliver the bad news.”

That’s why organizations need to ensure that proper due diligence is in place around their whole digital risk footprint, Meyer said. In today’s environment that means having intelligence around events that may occur one or several steps down the digital supply chain — as well having a plan of action in place to respond to those threats as they arise.

On the Cyber Chat Podcast, Meyer discusses a variety of topics related to digital risk management, including:

  • How the digital footprints of organizations have changed over the past couple years.
  • Why IoT devices often bypass proper security management and what actions organizations should take in regards to those devices.
  • The problem of growing supply chains and how one breach can quickly spread to impact dozens of connected organizations.
  • How organizations should respond to the shifting landscape so that they can better manage their cyber risk.

Listen to the full Cyber Chat podcast below:

Talking Strategic, Operational and Tactical Threat Intelligence

Cyber threat intelligence has become increasingly popular over the past few years. With that rise comes a variety of questions around the different types of intelligence that is available and how that intelligence can be best implemented by organizations looking to mitigate their cyber risk.

According to SurfWatch Labs chief security strategist Adam Meyer, there are three main types of threat intelligence — tactical, operational, and strategic — however, a focus has recently emerged on strategic threat intelligence.

“Strategic is where a lot of the business alignment can happen,” Meyer said this week on the Cyber Chat podcast. “You’re translating the capabilities out there, intentions out there, of adversaries — how they’re targeting things — and comparing it against you as an organization.”

That type of intelligence has proven to be a good starting point to answering a key question that organizational leaders may have: “Are we well-positioned for cyber risk or are we not? And if not, why not?”

On the Cyber Chat podcast, Meyer discusses a variety of topics related to cyber threat intelligence, including:

  • the difference between tactical, operational, and strategic threat intelligence,
  • how that intelligence can help manage an organization’s cyber risk,
  • what organizations should look for when evaluating threat intelligence,
  • and how threat intelligence will likely evolve in the coming years.

“The intent is to deliver finished and evaluated intelligence and put it on the desk of the decision maker. That helps them make better decisions,” Meyer said. “If you’re not doing that, you’re not technically in my book doing intelligence.”

Listen to the full Cyber Chat podcast below:

Banner Health Data Breach Leads to Series of Class Action Lawsuits

Earlier this month, Banner Health announced a data breach affecting approximately 3.7 million people. Since then, a series of class action lawsuits have been filed against the healthcare provider.

The breach involved two separate attacks, Banner Health said. The first targeted payment cards used at food and beverage outlets across some Banner Health locations. The second targeted patient, insurance, and provider information.

The sensitive healthcare information that was stolen is what sets this case apart from other recent data breach lawsuits, said Michella Kras, of counsel, Hagens Berman Sobol Shapiro. Kras is one of the attorneys working on the Banner data breach case filed by the firm, which she discussed on this week’s Cyber Chat podcast.

Hagens Berman Sobol Shapiro filed the class action lawsuit on behalf of Howard Chen, an Arizona doctor whose information was stolen in the breach.

“Dr. Chen’s personal information was compromised in three different ways: as an employee, insurance customer, and health provider,” the lawsuit states. “Dr. Chen is concerned that as a result of Banner’s conduct, his personal information, provider information, and health information is vulnerable to use by third parties.”

Banner Health has offered one-year of free credit monitoring to those affected by the breach, but that’s not enough, said Kras, who estimated Banner Health may pay $6 per person for the service.

“That’s not much of an incentive for them to change their practices because that’s such a small amount to a company that big,” Kras said. “It needs to be something greater than that to spur them to make changes.”

Listen to the podcast for more on Banner Health, class action lawsuits in general, and what companies can do to limit their liability.

 

Podcast: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 77: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money:

The fallout from the breach at the Democratic National Committee continued as WikiLeaks published more information and Julian Assange vowed that there was more to come. UK Telecom O2 became the latest company to be victimized by batches of previously exposed credentials. Shapeways, Kimpton Hotels, and Korean online store Interpark all made headlines for data breaches. Cybercrime advisories included researcher Tavis Ormandy warning of flaws in password manager LastPass, NIST advising organizations to move beyond SMS-based two-factor authentication, a flaw in Amazon’s Silk web browser, the KeySniffer flaw affecting wireless keyboards, and news of the Chthonic banking Trojan. On the legal front a Miami judge ruled that bitcoin is not real money, Target shareholders’ derivative lawsuit was dismissed, the University of Mississippi Medical Center was hit with a $2.7 million HIPAA settlement, a breach led to a Minnesota county paying a $1 million settlement, and a former Citibank employee was sentenced to prison. Finally, one internet star asked his followers to hand over their passwords, and they did.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.