Category Archives: Uncategorized

Some secrets are more valuable than others; Ashley Madison and the new 'data kidnapping'

Ashley Madison website. Turns out “shhhh” isn’t effective security.

Bob Sullivan

Some secrets are more valuable than others. And some secrets are more valuable TO others. In perhaps the most predictable extortion hack ever, cheating website Ashley Madison has confirmed to Brian Krebs that some of its data has been stolen. It now appears that tens of millions of people are at risk of being exposed. As you’ve already deduced, Ashley Madison users are not really all that worried about having their credit card numbers stolen and used for fraud.

According to Krebs, the hackers — who go by the name The Impact Team — say they will slowly dribble out data from the site until its owners take the cheating site, and companion site “Established Men,” offline.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails,” Krebs quotes the hackers from a post they left behind.

This is hacking 2.0. It’s not about the data, it’s about the context. Using stolen data, like credit cards, to get money is hard work. Extorting someone who has more to lose than money is a lot more profitable.

When Sony was hit by a combination hack / extortion plot in December, I described this new era of hacking. Sony corporate emails were stolen by hackers, who then embarrassed the heck out of the firm. Execs said inappropriate, even racist, things. Actresses were insulted and underpaid. It all reminded me of a smaller, but no less scary, incident several years ago involving a government contractor named HBGary, which Anonymous similarly terrorized.

Criminals don’t have to steal financial information to make money hacking. They just have to steal any data that’s valuable to anyone.

Making matters worse for corporate security teams is this reality: In recent years, they’ve all invested heavily in protecting financial data, spending money fortifying the most valuable data. Credit cards, yes. Email servers, maybe not. Slowly, this will change. But right now, every executive at every firm in the country should be hard at work doing an honest assessment of what their valuable data really is. Then, they need to invest wisely in protecting data that might seem inconsequential if stolen in one context, but a disaster if stolen in another. Because every company will have to plan for ransom and extortion requests now.

It’s hard to understand why Ashley Madison’s owners didn’t see this coming, particularly when AdultFriendFinder.com was hacked two months ago. But that is how these things go.

The next question in this incident is: How will Avid Life Media get out of this mess? One possibility is paying a ransom. A few months ago, I started researching ransom and what I’ll call “data kidnapping” after I’d gotten a whiff this was going on. The raging success of malware called CryptoLocker, which forced victims to pay a few hundred dollars’ ransom to unscramble their data, certainly proved extortion demands can work. CryptoLocker made $27 million just in its first two months, from both home users and small organizations.

When I talked to Lisa Sotto, a cyberlaw expert at Hunton & Williams, about this recently, she said she believed things were only going to get worse.

“That’s exactly how I see it going. Companies and individuals paying, because they potentially have no choice,” Sotto said to me. In fact, ransoms are already common, she said. “I do not believe there is a heck of a lot of negotiation involved…They are not asking for exorbitant amounts, so for the most part, what I hear is people are paying.”

In February, a blog post by Christopher Arehart made me even more convinced that ransom and extortion are hacking 2.0. Arehart is the global product manager for crime, kidnap/ransom and extortion, and workplace violence expense insurance for the Chubb Group of Insurance Companies. In his post, he warned companies that cyber-insurance policies often don’t cover extortion situations.

“Cyber liability insurance policies may help companies deal with first-party cleanup costs, the cost of privacy notifications and lawsuit expenses, but these policies may only provide limited assistance with extortion threats. Extortion threats should be investigated and handled by professionals, and small businesses need to know where to turn for assistance,” he wrote.

He then wrote that many businesses should consider adding the same kind of insurance that multinational companies purchase when they must send employees into dangerous parts of the world.

“A kidnap and ransom policy — technically a kidnap, ransom and extortion (KRE) policy — responds when an extortion threat has been made against a company, before there has been any data breach,” he wrote.

I tried to ask Arehart and Chubb about incidents involving extortion or “data kidnapping,” but the firm just pointed me back to his blog.

“Although some criminals eventually back down and do not follow through with their extortion threats, some threats do get carried out and these incidents can often be expensive. The tools available to criminals are vast and they have the power of the Internet behind them. Businesses, especially small businesses, need access to security consultants to help them manage these threats. A KRE policy would provide small businesses with access to those professionals.”

In other words, kidnapping and ransom policies aren’t just for dealing with employees who might run into the Mexican drug cartel any more.

They are for anyone who has data that might be valuable to someone, in some future context. Secrets are almost always valuable to someone.

Who owns the security budget? It’s not the CISO

Larry Ponemon

Security risks are pervasive and becoming more difficult to prevent or minimize. Without the support of senior management, much needed investments in people, processes and technologies are not made. The findings of the research reveal the difficulty IT security practitioners face in achieving a stronger security posture because of inadequate budgets and the lack of C-level and boards of directors’ involvement in decisions related to IT security investments. This suggests the importance of IT security practitioners becoming more integral to their companies’ IT spending and investment process.

Ponemon Institute is pleased to present the 2015 Global Study on IT Security Spending & Investments. The purpose of this study is to understand how companies are investing in technologies, qualified personnel and governance practices to strengthen their security posture within the limitations of their budget.

We surveyed 1,825 IT management and IT security practitioners in the following global regions: North America; Europe, Middle East and Africa (EMEA); Asia Pacific and Japan (APJ); and Latin America (LATAM), in a total of 42 countries. All respondents are involved to some degree in securing or overseeing the security of their organizations’ information systems or IT infrastructure.

They are also familiar with their organization’s budget process and/or spending on IT security activities. According to participants in this research, boards of directors and C-level executives are not often briefed and often not given necessary information to help them make informed budgeting decisions. As shown in Figure 1, 51 percent of respondents do not agree (34 percent) or are unsure (17 percent) that C-level executives are briefed on security priorities and what investments in technology and personnel need to be made.

Fully 64 percent of respondents do not agree (41 percent) or are unsure (23 percent) their boards of directors are made fully aware of security priorities and required investments. The study reveals the following problems with today’s approach to security spending and investments:

• The CEO and boards of directors are rarely believed to be most responsible for ensuring IT security objectives are achieved. Very few participants say their CEO or boards of directors are held most responsible for ensuring IT security objectives are met (6 percent and 3 percent of respondents, respectively). As a consequence of this lack of accountability, only 24 percent of respondents strongly agree that their organization sees security as one of the top two strategic priorities across the enterprise.

• Who owns the IT security budget? It is not the CISO. Only 19 percent of respondents say the IT security leader has control over how resources are allocated. Instead it is the CIO/CTO and business leaders who own the budget. This suggests the importance of security leaders learning how to influence these individuals if they are going to change how budgets are allocated.

• Security spending is not on the board’s agenda. Despite the increase in well-publicized security breaches, IT security investments are not getting the board’s attention and support. Without support from C-level executives and boards it is understandable that 50 percent of respondents say budgets will be flat or decreasing in the next two years.

• The budgeting process is too complex. The majority of respondents say the annual budget process is too complex (53 percent of respondents). This might lead to poor investment decisions such as purchasing technologies that do not lead to a stronger security posture or delayed investment in much needed resources.

• Many organizations are stuck in a middle stage of maturity. Necessary funding and proper planning are critical to move to a more mature security posture. Only 43 percent of respondents say their organizations’ IT security budgets are adequate and most security programs are only partially deployed.

• Companies are disappointed in technology purchases. According to the research, a lack of qualified personnel is undermining the effectiveness of technology solutions and the overall security posture of organizations. This is mainly because they don’t have the necessary in-house expertise and vendor support. Such buyer’s remorse may discourage companies from considering state-of-the-art technologies.

• Compliance with regulations is difficult without adequate resources. The majority of respondents (58 percent of respondents) do not have sufficient resources to achieve compliance with security standards and laws. Non-compliance puts organizations at risk for legal action and fines.

Want to read the rest of this report? Download it from Dell here.

Cost of a data breach keeps rising; in 2015 study, now $154 per lost or stolen record

Larry Ponemon

IBM and Ponemon Institute are pleased to release the 2015 Cost of Data Breach Study: Global Analysis. According to our research, the average total cost of a data breach for the 350 companies participating in this research increased from $3.52 million to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.

In the past, senior executives and boards of directors may have been complacent about the risks posed by data breaches and cyber attacks. However, there is a growing concern about the potential damage to reputation, class action lawsuits and costly downtime that is motivating executives to pay greater attention to the security practices of their organizations.

In a recent Ponemon Institute study, 79 percent of C-level US and UK executives surveyed say executive level involvement is necessary to achieving an effective incident response to a data breach and 70 percent believe board level oversight is critical. As evidence, CEO Jamie Dimon personally informed shareholders following the JPMorgan Chase data breach that by the end of 2014 the bank will invest $250 million and have a staff of 1,000 committed to IT security.

For the second year, our study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. Based on the experiences of companies participating in our research, we believe we can predict the probability of a data breach based on two factors: how many records were lost or stolen and the company’s industry. According to the findings, organizations in Brazil and France are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Canada are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.

In this year’s study, 350 companies representing the following 11 countries participated: United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the Arabian region (United Arab Emirates and Saudi Arabia) and, for the first time, Canada. All participating organizations experienced a data breach ranging from a low of approximately 2,200 to slightly more than 101,000 compromised records. We define a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.

In this report, for the first time, we will examine two factors that affected the financial consequences of a data breach. The first is executive involvement in their organization’s IT security strategy and response to data breaches. The second is the purchase of cyber insurance to mitigate the cost of a data breach. With the increasing cost and volume of data breaches, IT security is quickly moving from being considered by business leaders as a purely technology issue to a larger business risk. This shift has spurred increased interest in cyber insurance.

The three major reasons contributing to a higher cost of data breach in 2015:

Cyber attacks have increased in frequency and in the cost to remediate the consequences. The cost of data breaches due to malicious or criminal attacks increased from an average of $159 in last year’s study to $170 per record. Last year, these attacks represented 42 percent of root causes of a data breach and this increased to 47 percent of root causes in this year’s study.

The consequences of lost business are having a greater impact on the cost of data breach. Lost business has potentially the most severe financial consequences for an organization. The cost increased from a total average cost of $1.33 million last year to $1.57 million in 2015. This cost component includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. The growing awareness of identity theft and consumers’ concerns about the security of their personal data following a breach has contributed to the increase in lost business.

Data breach costs associated with detection and escalation increased. These costs typically include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and the board of directors. This total average cost increased from $0.76 million last year to $0.99 million in this year’s report.

More companies are integrating forensic tools into their incident response procedures. In the long-term, deployment of these solutions will prove beneficial to companies because they will provide a clearer picture of the root causes of their data breaches. However, in many cases, these tools enable companies to discover the full extent of the breach. This may result in the reporting of higher data breach costs than in previous years.

NOTE: You may have heard about a Verizon report about data breach costs that came to a different conclusion than our report. We discuss the differences in methodology at this blog post. And we have a few additional observations about Verizon’s report at this post.

KEY FINDINGS

  • Data breaches cost the most in the US and Germany and the lowest in Brazil and India. The average per capita cost of data breach is $217 in the US and $211 in Germany. The lowest cost is in Brazil ($78) and India ($56). The average total organizational cost in the US is $6.5 million and in Germany $4.9 million. The lowest organizational cost is in Brazil ($1.8 million) and India ($1.5 million).
  • The cost of data breach varies by industry. The average global cost of data breach per lost or stolen record is $154. However, if a healthcare organization has a breach the average cost could be as high as $363 and in education the average cost could be as high as $300. The lowest cost per lost or stolen record is in transportation ($121) and public sector ($68). The retail industry’s average cost increased dramatically from $105 last year to $165 in this year’s study.
  • Hackers and criminal insiders cause the most data breaches. Forty-seven percent of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack is $170. In contrast, system glitches cost $142 per record and human error or negligence is $134 per record. The US and Germany spend the most to resolve a malicious or criminal attack ($230 and $224 per record, respectively).
  • Malicious or criminal attacks vary significantly by country. Fifty-seven percent of all breaches in the Arabian Cluster and in France 55 percent of all breaches are due to hackers and criminal insiders. Only 32 percent of all data breaches occurring in India are due to malicious attacks and in Brazil it is 30 percent. However, India and Brazil have the most data breaches due to system glitches. Breaches due to human error are highest in Canada.
  • Board involvement and the purchase of insurance can reduce the cost of a data breach. For the first time, we looked at the positive consequences that can result when boards of directors take a more active role when an organization had a data breach. Board involvement reduces the cost by $5.5 per record. Insurance protection reduces the cost by $4.4 per record.
  • The loss of customers increases the cost of data breach. Certain countries have more problems retaining customers following a data breach and, therefore, can have higher costs. These are France, Italy, UK and Japan. Countries with the lowest churn rate are Canada, India and Brazil. Industries with the highest churn are health, pharmaceuticals and financial services.
  • Notification costs remain low, but costs associated with lost business steadily increase. Lost business costs are abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished good will. The average cost has increased from $1.45 million in 2014 to $1.57 million in 2015. Notification costs have declined from $0.19 million in 2014 to $0.17 million in this year’s study.
  • Certain countries are more likely to have a data breach. Last year’s study introduced a new analysis on the likelihood of one or more data breach occurrences. It is interesting that the likelihood of a data breach varies considerably across countries. Brazil and France are most likely to have a data breach involving a minimum of 10,000 records. Canada and Germany are least likely to have a data breach.
  • Time to identify and contain a data breach affects the cost. For the first time, our study shows the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences. Malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify. As discussed earlier, malicious or criminal attacks are the most costly data breaches.
  • Business continuity management plays an important role in reducing the cost of data breach. The research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $7.1 per compromised record.

To read the entire report, visit IBM’s Cost of a Data Breach website.

A lesson from that Cardinals-Astros hack: Don’t use old passwords at your new company

I discuss the alleged Cardinals hack with NBC’s Kevin Tibbles. Click to watch.

First of all, if you haven’t read it, you must: The FBI is investigating baseball’s St. Louis Cardinals for hacking the Houston Astros, according to the New York Times. Someone from the Cardinals allegedly stole data offering insight into the Astros player evaluation files, details on possible trades, and so on. This kind of corporate espionage goes on all the time, and if you didn’t believe that, well, there you are.

Here’s what’s interesting for you. The story-in-the-story here is that the Astros hired a hot-shot Cardinals employee named Jeff Luhnow and made him general manager. He took some Cardinals employees with him. That created bad blood. Apparently, it also created a beachhead for the hacker. The Times reported today that someone from the Cardinals used old passwords from those former employees when breaking into the Astros’ computers.

“Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said,” the Times says.

In other words, the former Cardinals employees, now working for the Astros, re-used passwords they had used back when they worked for the Cardinals.  Let that be a lesson to you: When you switch jobs, switch whatever password creation trick you have been using.

Still, the situation is a bit unusual.  Properly built systems store passwords as one-way hashes, not in a form that can be retrieved, even by system administrators. Even firms that store previous passwords to prevent re-use scramble them so they can’t be accessed, according to security expert Harri Hursti. At least, that’s “best practice.”

On the other hand, “there are a lot of crazy organizations out there that store passwords in clear text,” Hursti said.
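
Here is what the “best practice” Hursti describes looks like in code, as an added example that is not part of the original post and not anything the Cardinals or Astros are known to have run. It stores only salted PBKDF2 hashes, keeps a short history of hashes to block re-use, and shows what a “master list” dumped from such a system actually contains. The user name, iteration count and history size are assumptions for the example.

```python
import hashlib
import hmac
import os

# Cost parameters are assumptions for this example; tune ITERATIONS to your hardware.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password, salt=None):
    """Return (salt, digest) for a password.

    Every password gets its own random salt, so two people who pick the same
    password (or one person who reuses an old one) never produce the same
    stored value, and the digest cannot be turned back into the password.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordStore:
    """Keeps only salted hashes, plus the last `history_size` hashes per user
    so that an old password cannot be set again. Nothing stored here can be
    read back as a password, which is why a retrievable "master list" of
    former employees' passwords should not exist in the first place."""

    def __init__(self, history_size=5):
        self.history_size = history_size
        self._current = {}  # user -> (salt, digest)
        self._history = {}  # user -> [(salt, digest), ...], newest first

    def _all_hashes(self, user):
        if user in self._current:
            yield self._current[user]
        yield from self._history.get(user, [])

    def set_password(self, user, password):
        """Set a new password; refuse it if it matches the current one or any
        password still inside the history window. Returns True on success."""
        for salt, digest in self._all_hashes(user):
            if verify_password(password, salt, digest):
                return False
        if user in self._current:
            history = self._history.setdefault(user, [])
            history.insert(0, self._current[user])
            del history[self.history_size:]
        self._current[user] = hash_password(password)
        return True

    def check_login(self, user, password):
        """Authenticate against the current hash only."""
        if user not in self._current:
            return False
        salt, digest = self._current[user]
        return verify_password(password, salt, digest)

    def dump(self, user):
        """What an administrator, or an attacker who copies the database, sees:
        hex salts and digests, not passwords."""
        return [(salt.hex(), digest.hex()) for salt, digest in self._all_hashes(user)]
```

The history check never needs the old passwords in the clear: each candidate is re-hashed under each stored salt and compared. That is the difference between a password-reuse policy and a password list that can be read, years later, by someone with a grudge.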

There are other possibilities, of course.  The details in the New York Times story could be wrong.  A former Cardinals employee could have shared his or her password with others in the team’s front office; that’s not unusual. Maybe a post-it note was left behind on a computer monitor.  Maybe the password was “password.”

But here’s your nearly daily reminder that you might be hacked, and the hacker might be a surprise — it might be a former friend or colleague.  So be vigilant about your passwords.  And when you change companies, change your password habits.


Starbucks: Blaming passwords, victims is bad security practice

Bob Sullivan

Since I broke news of the Starbucks mobile pay / gift card /credit card attack, there has been some confusion about what the real risk is, who is to blame, and how to fix the problem. This is not unusual when a security issue arises with a large company that’s not offering a lot of detail about what’s going on.  I’ve been talking to victims of the Starbucks fraud all week, and I’ll have a lot more detail on what’s really happening soon, but for now, I want to clarify a few important issues that keep cropping up: Bad passwords, what “hacked” means, what does mobile have to do with it, and why victims are “sharing” accounts with criminals.

Starbucks told media outlets around the world all last week that it hadn’t been hacked and blamed the situation on consumers with bad passwords. The firm also repeated many times that the attack has nothing to do with its mobile app. In its first response to my initial inquiries, Starbucks told me the attack is “not connected to mobile payment.” Later, when the firm issued a statement, the first paragraph of that statement read, “News reports that the Starbucks mobile app has been hacked are false.” (Note, I never wrote that the Starbucks mobile app had been hacked, though as you’ll see in a moment, I’m not a fan of the semantics being deployed here.)

Taken collectively, these positions are meant to create the impression that there’s nothing wrong with the way Starbucks is processing payments, and in fact, some journalists declared that to be the case. Fortune magazine wrote “Starbucks says its popular mobile app has not been hacked, contradicting multiple media reports that intruders have hijacked the accounts of hundreds of the coffee chain’s customers…” Starbucks actually never denied that intruders had hijacked consumers’ accounts, and anyone can find victims complaining about just that with a few moments’ work, but some journalists seemed eager to clear Starbucks of any culpability in the issue. That’s unfortunate, because my email this week makes it clear that plenty of Starbucks customers are pretty angry at the way this issue has been handled, and many of them don’t appreciate being blamed for having their money stolen after they placed their trust in Starbucks.

So let me try to clarify a few of these issues.

Blaming the victim (passwords)

It’s true that the attack begins with criminals managing to hijack consumers’ Starbucks accounts by somehow obtaining their username/password combination.  As every firm that uses this most rudimentary authentication tool knows, a large percentage of those accounts will always be pretty hackable.  People re-use passwords and they use common passwords.  They even respond to phishing attacks and divulge their login information.   But many years ago, financial institutions stopped blaming customers for this, since that doesn’t solve the problem.  

Also, federal law prevents it. The Federal Reserve has ruled that even if customers give a hacker their online banking passwords, financial institutions can’t hold them liable. Here’s the relevant opinion: “Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E,” a decade-old Fed opinion concludes. “Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers.”

Blaming the victim is bad form, anyway.

What do banks do instead of blame the victim? They take matters out of consumers’ hands and use back-end software to spot fraudulent transactions and stop them.  That’s why, even if you are tricked by a hacker into coughing up your Big Giant Bank login credentials, it’s unlikely that a $2,000 wire transfer to Romania will be approved.

Certainly, Starbucks has some back-end tools in place — I don’t know, because the firm isn’t answering questions about its security. But so many victims have come forward to show me repeated debits with obvious criminal patterns — changed login information followed by rapid-fire withdrawals — it’s obvious Starbucks isn’t doing a great job of spotting suspicious transactions and stopping them in progress.  Why would that be?  One obvious guess: Dialing up the fraud-spotting software would also lead to false positives, which would inconvenience some consumers as they tried to add value to their Starbucks cards. It’s a tough balancing act, but consumers who see their credit or debit cards hacked via their Starbucks account don’t want to hear about balancing acts.
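
The kind of back-end pattern spotting described above is not magic. As an added example, not Starbucks’ code and not based on any knowledge of its systems, here is a small detector run over a constructed event log. It flags an account when a change of login information is followed, within a short window, by several rapid money movements. The log format, account names, amounts and thresholds are all assumptions; the second call in the usage note shows how loosening the thresholds catches more but also sweeps in an innocent customer, which is the balancing act the post describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for the example, not real customer data.
# Columns: ISO timestamp, account id, event type, amount (0 when no money moved).
SAMPLE_LOG = """\
2015-05-12T06:02:10 acct-1001 login 0
2015-05-12T06:02:45 acct-1001 email_change 0
2015-05-12T06:03:20 acct-1001 auto_reload 50.00
2015-05-12T06:03:40 acct-1001 transfer_out 50.00
2015-05-12T06:04:05 acct-1001 auto_reload 50.00
2015-05-12T06:04:30 acct-1001 transfer_out 50.00
2015-05-12T08:15:00 acct-2002 login 0
2015-05-12T08:16:00 acct-2002 password_change 0
2015-05-12T12:40:00 acct-2002 auto_reload 25.00
2015-05-12T09:00:00 acct-3003 auto_reload 25.00
2015-05-12T09:30:00 acct-3003 auto_reload 25.00
"""

CREDENTIAL_EVENTS = {"email_change", "password_change"}
MONEY_EVENTS = {"auto_reload", "transfer_out"}


def parse_log(text):
    """Parse the whitespace-separated log into (timestamp, account, kind, amount)
    tuples, sorted by time so later logic can rely on ordering."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, kind, amount = line.split()
        events.append((datetime.fromisoformat(ts), acct, kind, float(amount)))
    events.sort()
    return events


def flag_accounts(events, window=timedelta(minutes=15), min_moves=2, min_amount=75.0):
    """Return {account: reason} for every account where a credential change is
    followed within `window` by at least `min_moves` money movements adding up
    to at least `min_amount`. The thresholds are assumptions: tightening them
    reduces false positives, loosening them catches more fraud but also
    inconveniences legitimate customers who changed a password and then
    topped up their card."""
    by_acct = defaultdict(list)
    for ev in events:
        by_acct[ev[1]].append(ev)

    flagged = {}
    for acct, evs in by_acct.items():
        for i, (ts, _, kind, _) in enumerate(evs):
            if kind not in CREDENTIAL_EVENTS:
                continue
            moves = [e for e in evs[i + 1:] if e[2] in MONEY_EVENTS and e[0] - ts <= window]
            total = sum(e[3] for e in moves)
            if len(moves) >= min_moves and total >= min_amount:
                flagged[acct] = (
                    f"{kind} followed by {len(moves)} money movements "
                    f"(${total:.2f}) within {window}"
                )
                break
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for acct, reason in flag_accounts(events).items():
        print(acct, "->", reason)
    # Loosened thresholds: catches acct-2002 too, a customer who changed a
    # password in the morning and reloaded $25 at lunch. That is the trade-off.
    print(sorted(flag_accounts(events, window=timedelta(hours=5), min_moves=1, min_amount=0)))
```

A real system would hold the suspect transactions for review or step-up authentication rather than just printing them, but the rule itself, a credential change closely followed by money leaving the account, is the pattern victims have been describing.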

There’s also this troubling element: I’ve spoken to consumers who swear they didn’t reuse their Starbucks login information, and that their Starbucks passwords were complex, and they’ve been hacked, too. Of course, consumers often “misremember” such things, and are notoriously unreliable when making claims about their security choices. But then, so are corporations under scrutiny.

Maria Nistri and several other consumers I’ve spoken with haven’t been happy that A) Starbucks hasn’t been able to stop fraudulent transactions even when they are reported within a few minutes and B) Starbucks’ toll-free fraud hotline doesn’t open for business until 8 a.m. east coast time.  It seems unfair to blame consumers for bad passwords and then not answer the phone when they call to report fraud.

Has Starbucks been hacked? Wrong question

The word “hack” is always problematic in any news report involving a computer crime.  Security folks hate its use, because to them, hacking merely means tinkering. Using a computer as an aid when stealing money is another thing entirely. Unfortunately, hacking is a really convenient shorthand term that readers have come to understand, and it’s fallen into common use.

So we arrive at the confusion over Starbucks’ statement that its mobile app has not been hacked, which is not inaccurate.  To be precise: As far as I know, the crime I have described here doesn’t involve a criminal using some kind of advanced technique to intercept data from the Starbucks mobile app, or any similar hacking technique that compromises the integrity of the Starbucks app itself (other researchers have discovered flaws in the app, but this is not that).   Instead, criminals have figured out a rather old-fashioned way to drain value off of Starbucks gift cards, loaded onto the Starbucks app or not, and onto cards they control. This gives them the ability to steal from consumers’ debit and credit cards using a Starbucks account as a relay of sorts.  Consumers are very likely to experience this as their Starbucks app being “hacked.”  I used the word “attack” instead. But really, does it matter? Starbucks consumers are being hacked, after all, and that’s what matters.

Mobile pay vs. gift card

Starbucks’ rather ingenious and simple app is really just an electronic representation of its gift cards, and this simplicity is part of the reason the coffee giant now operates the most popular mobile wallet payment system in the U.S., dwarfing Apple Pay. That makes Starbucks mobile pay incredibly important to the firm.  Perhaps that’s why the main point Starbucks made to me in its initial statement was “what you’re describing is not connected to mobile payment – linking the two is inaccurate.”  You could argue that this attack really targets Starbucks gift cards and not the app, but I disagree.  The line between the Starbucks app and Starbucks gift cards is entirely blurry; they are basically one and the same.

Starbucks gift cards, and in particular the auto-reload function that is the source of some of this trouble, are so popular because the app is so popular.  It’s also important to note that Starbucks has gone to immense trouble to push gift card users onto the mobile app, offering all manner of loyalty incentives and so on.  I would argue that “de-linking” the two for the purposes of describing this attack would be inaccurate.

Hackers and consumers “sharing” accounts

Finally, one element of this story has confused me since I first spoke to Maria Nistri, and it’s been confirmed by many victims I’ve spoken to. Even after a criminal hijacked her Starbucks.com account and changed its login information, Nistri was still able to use her account on her smartphone. That means Starbucks is permitting simultaneous sessions on the same account under different credentials: the criminal is logged in using their new email address, while the victim remains logged in with the old credentials, presumably because the app holds a long-lived session that is never logged off. This turns out to be a good thing in some cases, because it has allowed many victims to hurriedly de-link their credit cards from the app in the middle of a fraud. But it’s also atypical security behavior. Why would old credentials ever keep someone logged in to an account? Clearly because changing the account’s email address or password doesn’t invalidate sessions issued before the change; the app only rechecks its credentials now and then. More than one consumer has rightly asked me: Once their account is restored, can the criminal still log in?  Here’s what one consumer told me a Starbucks representative told her:

“I mentioned that when the hacker changed the login info, I was still logged in from my phone – so couldn’t the thief still have access to the account, too? The CSR said it should kick them off eventually’ because their login credentials will not be able to refresh. I asked for a specific timeframe and he had no idea. He said it should be a few hours…probably.”
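
The usual fix for the “it should kick them off eventually” problem is to tie every session to the version of the credentials it was issued under, so a change of email or password cuts off all earlier sessions on their very next request. The following is an added example of that pattern; it is not Starbucks’ code and says nothing about how its app actually works. The signing key, account identifiers and token layout are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumption for the example: in production this would be a managed secret,
# not generated at import time.
SERVER_KEY = os.urandom(32)


class AccountSessions:
    """Sessions carry the credential version they were issued under. Changing
    the e-mail address or password bumps the account's version, so every
    session issued before the change fails validation immediately, rather
    than "eventually" when a cached credential happens to refresh."""

    def __init__(self):
        self._accounts = {}  # user id -> {"email": str, "version": int}

    def register(self, user, email):
        # Assumption: user ids contain no ':' since it is the token separator.
        self._accounts[user] = {"email": email, "version": 1}

    def issue_session(self, user):
        """Mint a signed session token: user:version:nonce:signature."""
        acct = self._accounts[user]
        payload = f"{user}:{acct['version']}:{secrets.token_hex(8)}"
        sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"

    def validate(self, token):
        """Return the user id for a valid, current session, else None."""
        parts = token.split(":")
        if len(parts) != 4:
            return None
        user, version, nonce, sig = parts
        payload = f"{user}:{version}:{nonce}"
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered token
        acct = self._accounts.get(user)
        if acct is None or not version.isdigit() or int(version) != acct["version"]:
            return None  # issued under older credentials: revoked
        return user

    def change_email(self, user, new_email):
        """A credential change. The version bump revokes every outstanding
        session, including the one that made the change, so whoever changed
        it must log in again with the new credentials. A password change
        would bump the version the same way."""
        acct = self._accounts[user]
        acct["email"] = new_email
        acct["version"] += 1
        return acct["version"]
```

Note the trade-off the post points out: with this design the victim’s phone session dies the moment the thief changes the email, so the victim loses the chance to de-link a card from the app mid-fraud. That is normally handled by notifying the old email address of the change and giving the customer a way to reclaim the account, not by leaving the old session alive.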
Data Security in the Evolving Payments Ecosystem

Larry Ponemon

Highly publicized payment card breaches affected millions of consumers in 2014. In the wake of these breaches, retailers, financial institutions, payment processors and credit card brands responsible for delivering these systems in the United States are facing more scrutiny than ever before and are meeting at a crossroads in the security conversation.

The discussion will only get more intense with continued innovation in the field. The payments industry is undergoing a revolution led by emerging technologies including mobile payments and wallet technologies, virtual currencies and the deployment of chip and PIN technology. The potential benefit of these new technologies is significant, but it remains to be seen if security risks will prove to be a major barrier to adoption.

Ponemon Institute and Experian® Data Breach Resolution are pleased to present the findings of Data Security in the Evolving Payments Ecosystem. The study explores the impact of mega payments breaches on security and response, as well as the current levels of confidence in the security of emerging payments technologies. Organizations in this study had an average of three data breaches in the past 24 months involving an average of 8,000 customer records.

You can access the entire study on Experian’s website.

As Figure 1 shows, 68 percent of survey respondents say pressure to migrate to new payment systems puts customer data at risk. Respondents are most positive about EMV chip and PIN cards. Fifty-nine percent of respondents cite it as an important part of their organization’s payment strategy and 53 percent of respondents believe chip and PIN cards will decrease or significantly decrease the risk of a data breach.

new payment

While some respondents doubt the ability of “chip and PIN” to address the current security issues with card payments, they also believe their companies face new threats posed by continued innovation in payment technologies. In fact, 59 percent of respondents expect data breach risk to increase through the use of mobile payments at point of sale in stores, and 54 percent believe near field communications technology will increase the risk of suffering a breach.

While risk and security concerns loom large, new technologies are being deployed because they offer vastly improved customer convenience. Throughout our study, we found a large percentage of companies are likely to keep moving forward with deployment of new technologies despite concerns about security. More than half of respondents say customer convenience was a higher priority to their organization than security.

In addition to concerns over the ability to secure the next generation of payments technologies, there is also uncertainty about the ability of breached companies to properly manage a security response.

Throughout the industry, organizations continue to be deficient in governance and security practices that could strengthen their data breach preparedness. Only 16 percent of respondents feel companies are very effective in breach response, which suggests much room for improvement in responding to the aftermath of a major incident. Left facing all these questions and the uncertainty of new technologies, the industry can agree on one thing: the need for action.

While unprecedented threats and new security challenges may seem daunting, the payments industry is taking steps to respond and focus more on security. Companies are prioritizing customer needs in their security planning and investing time and resources in improving security.

Sixty-nine percent of companies say media coverage of breaches, including those in the payments industry, over the past year caused their organizations to re-evaluate and prioritize security.

It’s receiving much more attention at the highest levels of organizations, with 67 percent of respondents noting their C-level executives are more supportive of enhanced security measures to protect payments information. Forty-five percent of respondents said they were increasing their budget and 54 percent are investing in new technologies.

Along with improving security, companies also recognize their responsibility and the importance of protecting their customers after an incident occurs and improving incident response planning. A majority of companies (61 percent) provide identity theft protection and fraud resolution services as a best practice, and 56 percent are re-evaluating and improving incident response planning for a breach, leading to greater communication and guidance to affected customers.

Methodology

The study surveyed 748 US-based individuals in IT and IT security, risk management, product development and others involved in the payments systems within their organizations. For purposes of this research, payments ecosystem refers to the collection of retailers, financial institutions, payment processors, credit card brands, regulators, consumers and other stakeholders who ensure the smooth flow of payments and other transactional information.

Read the rest of the study on Experian’s website.

New chip credit cards called 'a joke' — lessons from Europe offer the punchline

Bob Sullivan

The way Americans spend money is on the verge of its biggest change in decades, but the drumbeat of doubters continues to get louder.  New chip-enabled credit cards are slowly getting into consumers’ hands in advance of a looming deadline later this year. But a Walmart executive recently told CNN that U.S. chip cards are a “joke,” and a new report examining other countries’ changeovers suggests criminals around the globe merely switched tactics and kept right on stealing from consumers’ accounts.

The switch to chip cards goes by the shorthand EMV, which stands for Europay, Mastercard and Visa.  In Europe, when banks implemented the change, government rules forced consumers to start using credit cards like debit cards, requiring that a PIN code be entered each time a card is used. That combination is two-factor security: to complete a transaction, buyers must have in their hands a chip card, which is very hard to counterfeit, and they must know something, a PIN, that is not printed on the card.

The U.S. is poised to implement only half this system.  Chip cards must be accepted by merchants by the fall deadline, but not PINs.  The so-called “chip & signature” system is a half-measure, according to  Mike Cook, Wal-Mart’s assistant treasurer and a senior vice president.

“The fact that we didn’t go to PIN is such a joke,” Cook told CNNMoney.com.

For example, a criminal who physically steals a chip & signature credit card will have no trouble using it to commit fraud in a store by faking the consumer’s signature.

Meanwhile, a report issued recently by analyst firm Mercator raises even more concerns that the switch to chip cards might not reduce fraud, but simply nudge criminals towards different fraud.

“Unless the payment industry tackles other growing concerns like lost and stolen card fraud, overall fraud losses will continue to spiral up toward pre-EMV levels,” the report says.

Why?  So-called “card-not-present” fraud is on the rise in places that adopted EMV long ago, according to Mercator’s Tristan Hugo-Webb, who is Associate Director of the Global Payments Advisory Service.

For example, the United Kingdom was one of the first countries in the E.U. to complete the switchover to EMV back in 2006.  While counterfeit card fraud has shrunk, from 27 percent of all fraud in 2003 to 13 percent in 2013, other kinds of fraud have soared.  Card-not-present fraud, which includes online and telephone sales, has climbed from 29 percent of fraud in 2003 to 67 percent in 2013.  Chip cards have no impact on online or telephone fraud because the chip is never presented in a remote transaction, so it cannot be used to authenticate the card.

So as e-commerce has risen, online fraud has risen right along with it. In the U.K., there has been a sharp increase since 2011, Hugo-Webb says.

New technologies that would add a layer of authentication to online purchases, such as electronic tokens that help verify consumers remotely, have been invented but have not been implemented.

“The hope is that with the creation of new security technologies like tokenization, the industry can begin to play offense rather than always having to play defense against payment fraud attacks,” Hugo-Webb says.

The trickiest part of the migration is that the U.S. is so far behind, at least a decade behind the U.K., for example, that new payment forms, such as mobile payments, may have overtaken old-fashioned plastic cards by the time the EMV adoption is complete.  To some observers that lessens the urgency of the changeover.

But Hugo-Webb says the U.S. must still migrate, even if the step doesn’t reduce fraud. It’s more a matter of holding serve, he said.

“If the U.S. decided to skip EMV….it would be more of a target than it is today,” he said.  “There is still value in migrating….it’s going to take a lot longer than people expect for mobile payments to really become commonplace. ”

Because of the decade-long delay, however, the value of the upgraded security will be less in the U.S. than it was in Europe, where banks enjoyed at least a few years of reduced fraud before criminals caught up.   Here in the U.S., criminals already have quite a head start on their EMV workarounds.

That fact should help inform banks and merchants as they consider how much to invest in new forms of security for the coming generation of payment systems.

Sign up for Bob Sullivan’s free email newsletter.