STE WILLIAMS

What’s that? Encryption’s OK now? UK politicos Brexit from Whatsapp to Signal

It’s not just the European Union the UK’s ruling party wishes to leave. According to the Guardian, the recently victorious Conservative party is switching from WhatsApp to Signal, in order to accommodate its new influx of MPs.

Unlike WhatsApp, which has a hard limit of 256 members for a group, Signal supports an unlimited number of participants.

The switch to Signal will also allow the Conservative party to stem the flow of leaks emerging from its inner circle.

Earlier this year, Buzzfeed published internal WhatsApp conversations that showed trepidation among Tory parliamentarians that members in marginal seats may lose to the Labour party. Other leaked messages highlighted division within the party, particularly over the fundamental issue of Brexit.

For its part, Labour relied on closed WhatsApp groups to disseminate its general election messages widely, with controversial org Momentum using it to issue “WhatsApp cascades” on polling day, shared with an estimated 400,000 “young people”, amongst other allegations about secret WhatsApp groups.

Like WhatsApp, Signal has end-to-end encryption baked in, preventing a foreign power or individual from accessing sensitive conversations. It also includes a setting that, when enabled, makes messages self-destruct after a period of time.

Unfortunately, Signal doesn’t allow group moderators to block individuals from taking screenshots, which would frustrate the process of leaking a conversation to the press.

There is a tinge of irony in politicians adopting an encrypted messaging system like Signal.

British government officials have for years called upon tech firms to break encryption to give law enforcement access to conversations: most notably former Home Sec and PM Theresa May, later former Home Sec Amber Rudd, and more lately current UK Home Secretary Priti Patel.

Erstwhile Prime Minister David Cameron even proposed banning online messaging applications that support end-to-end encryption.

That notwithstanding, Signal is increasingly used in governmental spheres. In 2017, the US Senate Sergeant at Arms approved the app as a communications tool for staffers and legislators alike.

The app has also been endorsed by Edward Snowden, the fugitive former CIA employee, who disclosed the depth of US government surveillance against the general public. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/20/uk_conservatives_brexit_from_whatsapp_to_signal/

As Hackers Target Mobile Payment Apps, Here’s How to Keep Them at Bay

A little vigilance helps retailers reduce and prevent three of the most common kinds of mobile app fraud

Consumers love paying for goods and services with their smartphones. But as more retailers release their own mobile apps with in-store payment options, the threat of fraud must be carefully considered. Retailers offering in-store purchasing through a mobile app should be aware of major card-not-present fraud schemes.

Let’s imagine a fictitious retailer called Smoothie Shop; its mobile app saves customers’ credit card information to facilitate in-store purchases. And that opens the door to at least three kinds of potential fraud.

In the first scenario, the fraudster takes over an existing Smoothie Shop account. Since the account already has a credit card saved in the app, the fraudster can simply walk over to a Smoothie Shop, present the mobile app with the saved credit card information, and enjoy a refreshing smoothie that was paid for with someone else’s stored credit card.

In a second scenario, the fraudster takes over a Smoothie Shop account again, except this account lacks a saved credit card. That in turn prompts the fraudster to buy a stolen credit card off the Dark Web or some other electronic market, then add the newly obtained card to the Smoothie Shop account and app. They can then proceed to the closest shop to buy smoothies using the stolen credit card. 

Why would fraudsters go through the trouble of taking over an existing account instead of just creating a brand new account to commit fraud? It’s because savvy fraudsters know that “aged” accounts more than 3–6 months old with a good transaction history are less closely scrutinized than a brand new account with no transaction history. 

Finally, in a third and more sophisticated scheme, the fraudster uses a bot tool or a human click farm to create hundreds of fake Smoothie Shop accounts. Once the fraudster has access to multiple fake accounts, he can then add as many stolen credit cards as he pleases in order to make in-store purchases.

What, then, can retailers and consumers do to protect themselves?

Prevent account takeover (ATO)
There are many ways to prevent or at least significantly reduce the amount of ATO — eliminating credential stuffing, for instance. The goal of the organization should be to eliminate the economic advantage that fraudsters obtain from taking over an account. If the cost/effort of taking over an account outweighs the value of said account, there will be no incentive for the fraudster, and they will likely go elsewhere to commit fraud. 

Maintain control of the account creation process
Creation of accounts by bots and scripts can be limited by using a captcha, but these can be bypassed by mid-level sophistication fraudsters, and consumers generally dislike captchas. Preventing bulk creation of accounts requires collecting device-level information in order to restrict the number of new accounts that can be created by a single device. Forcing the fraudster to leverage a device farm could make their rate of return less desirable and push the fraudster elsewhere. 

Ensure customers aren’t logging in with compromised credentials 
This is part of a set of NIST recommendations concerning authentication and digital identities that make a lot of sense in today’s world of daily breaches. The customers who are logging in to your website or mobile app with compromised credentials are most likely the accounts that will be taken over and defrauded first.

Build controls around misuse of credit cards in the mobile app
Legitimate customers will likely need to add one, maybe two, unique credit cards to their account/device. Any account/device trying to add a third or more credit cards to an account should be closely inspected and possibly restricted from adding more. The stored credit card should also be tied to the device rather than to the account. That way, if an account is taken over from a new device, there will be no stored credit card information available for the fraudster to use. Both of these require a strong and unique identifier at the device level. 
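The device-level controls described above (a cap on new accounts per device, review of a third card, and stored cards bound to the device rather than the account) can be sketched as follows. This is an added example, not code from the article or from any vendor; the class, thresholds, key and device identifiers are assumptions, and the card numbers are constructed test values.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed thresholds. The article says legitimate customers need "one, maybe
# two" cards; it gives no figure for accounts per device.
MAX_CARDS = 2
MAX_ACCOUNTS_PER_DEVICE = 2

# Constructed key for this example; a real service would load it from a secret store.
FINGERPRINT_KEY = b"example-only-key"


def card_fingerprint(pan: str) -> str:
    """Keyed hash of the card number, so unique cards can be counted without storing them."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()[:16]


class DeviceControls:
    """In-memory sketch of the controls (hypothetical class, not a real API)."""

    def __init__(self):
        self.accounts_by_device = defaultdict(set)
        self.cards_by_account = defaultdict(set)
        self.cards_by_device = defaultdict(set)
        # Stored cards are keyed by (account, device), not by account alone.
        # Only fingerprints are kept here; a real app would keep a payment token.
        self.vault = defaultdict(set)

    def create_account(self, device_id, account_id):
        """Limit how many distinct accounts one device may create."""
        accounts = self.accounts_by_device[device_id]
        if account_id not in accounts and len(accounts) >= MAX_ACCOUNTS_PER_DEVICE:
            return "deny"
        accounts.add(account_id)
        return "allow"

    def add_card(self, device_id, account_id, pan):
        """Allow up to MAX_CARDS unique cards per account and per device."""
        fp = card_fingerprint(pan)
        on_account = self.cards_by_account[account_id] | {fp}
        on_device = self.cards_by_device[device_id] | {fp}
        if len(on_account) > MAX_CARDS or len(on_device) > MAX_CARDS:
            return "review"  # third unique card: hold for inspection, do not store
        self.cards_by_account[account_id] = on_account
        self.cards_by_device[device_id] = on_device
        self.vault[(account_id, device_id)].add(fp)
        return "allow"

    def cards_for_login(self, device_id, account_id):
        """Cards usable after login: only those enrolled on this same device."""
        return sorted(self.vault.get((account_id, device_id), set()))


def replay_scenarios():
    """Replay the article's three fraud scenarios against the controls."""
    c = DeviceControls()
    c.create_account("dev-A", "alice")
    c.add_card("dev-A", "alice", "4111 1111 1111 1111")
    return {
        # Scenario 1: account taken over from a new device finds no stored card.
        "takeover_sees_cards": c.cards_for_login("dev-X", "alice"),
        # Scenario 2: stolen cards added to the aged account; the third is held.
        "stolen_card_adds": [
            c.add_card("dev-X", "alice", "5555 5555 5555 4444"),
            c.add_card("dev-X", "alice", "3782 822463 10005"),
        ],
        # Scenario 3: bulk account creation from a single device.
        "bulk_creation": [c.create_account("farm-1", f"user{i}") for i in range(4)],
    }


if __name__ == "__main__":
    for name, result in replay_scenarios().items():
        print(name, result)
```

Both limits depend on the strong, unique device identifier the article calls for; with a spoofable identifier the per-device counts mean little.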

Even if apps are more convenient for customers and encourage repeat business, they’re a liability for consumers and retailers alike. It’s important retailers learn how to protect their customers and avoid the fallout from a breach by making critical changes in the development and monitoring of their apps. After all, while using apps to purchase goods is a fun novelty, it’s even better when no one has to worry whether the credit card info has been stolen.

Carlos Asuncion manages a team of Strategic Solutions Engineers at Shape Security, helping the world’s largest organizations prevent automated and human fraud. His cybersecurity experience spans 10 years across SIEM, DLP, IAM, DPI, EDR, TI, and many other obscure acronyms. …

Article source: https://www.darkreading.com/theedge/as-hackers-target-mobile-payment-apps-heres-how-to-keep-them-at-bay/b/d-id/1336625?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ambiguity Around CCPA Will Lead to a Slow Start in 2020

But longer term, compliance with California’s new privacy law represents an opportunity for companies to increase customer trust and market share.

California’s governor, Gavin Newsom, had a busy 2019 as he reviewed a total of 1,042 different bills. Newsom ended up signing 870 of those bills into law, with most going into effect on January 1, 2020. Of those 870, one of the most discussed is the California Consumer Privacy Act (CCPA), which had five amendments signed by Newsom earlier in October.

When CCPA goes into effect on January 1, California residents will have the right to know the data that organizations are collecting about them, the right to tell companies not to share or sell their personally identifiable information (PII), and the right to protection against corporations that fail to keep their PII secure. As with the European Union’s GDPR, we will eventually see major fines and lawsuits dealt to companies that fail to abide by CCPA. However, there is still an aura of ambiguity around the regulation as well as confusion among California legislators — this will ultimately cause a slow start to enforcement in early 2020.

The fact that several different associations have already suggested alterations to the original version of CCPA (which was passed in 2018) suggests that legislators may not be prepared to adequately and consistently enforce the new law. Additionally, a number of organizations will undoubtedly be confused about the specific requirements of the act, meaning that they won’t be compliant by January 1. For the most part, small and medium-sized businesses (SMBs) are going to make up the majority of noncompliant organizations. This is because they lack the resources that large corporations can use to ensure proper security and compliance.

As a result of this ambiguity, California will likely wait an extended period of time before it issues its first major fine under the regulation. Similarly, even though GDPR was enacted in May 2018, it was nearly a year after a September 2018 breach before British Airways was fined $250 million for violating the EU privacy act in July 2019. Once the lull period that will follow the initial establishment of CCPA concludes, we can expect a greater volume of penalties dealt to organizations that fail to adhere to the law’s requirements.

CCPA poses a challenge to businesses of all sizes as they seek to retain competitive edges in their respective California markets. However, the Golden State’s data privacy act also represents an opportunity for companies to obtain consumer trust and increase their market share as they adhere to the law and prioritize consumer privacy. For example, Microsoft announced last month that it will be honoring CCPA throughout the US and not just within California. By prioritizing security and customer privacy, the multinational technology company will cement customer loyalty in the Microsoft brand.

For that reason, businesses should not delay the process of transforming their security and privacy strategies to conform to CCPA. Failing to adhere to CCPA will not just result in large fines for companies, but it can also significantly damage customer trust. To adhere to (and benefit from) the enactment of CCPA, organizations should take a page out of Microsoft’s playbook and make the protection of consumer data a priority by implementing proactive cybersecurity strategies and maintaining transparency around how they handle and protect data. Bottom line: Complying with CCPA and continually reevaluating cybersecurity measures and strategies are critical steps for any organization that wants to succeed.

As Chief Technology Officer of Bitglass, Anurag Kahol expedites technology direction and architecture. Anurag was director of engineering in Juniper Networks’ Security Business Unit before co-founding Bitglass. He received a global education, earning an M.S. in computer …

Article source: https://www.darkreading.com/endpoint/ambiguity-around-ccpa-will-lead-to-a-slow-start-in-2020/a/d-id/1336627?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Someone’s Been Very Naughty …

Cybercriminals expose Santa’s naughty list — names and reasons — on the Internet. “Ho, ho, ho! God, what a mess!” exclaims a source who requested anonymity.

Source: Twist and Shout Communications Ltd.

Beyond the Edge content is curated by Dark Reading editors and created by external sources, credited for their work.

Article source: https://www.darkreading.com/edge/theedge/someones-been-very-naughty--/b/d-id/1336685?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Should I Have a Security Travel Policy to Protect Devices and Sensitive Data?

Mobile devices are lost or hacked while in transit far too frequently. Here are some steps to protect your business.

Question: Should I have a security travel policy to protect devices and sensitive data, particularly when our staff are crossing international borders?

Kurtis Minder, CEO of GroupSense: Absolutely, unless you don’t mind constantly losing those devices. According to a Ponemon Institute and Dell study, 12,000 laptops are lost each year in airports alone. Laptops, mobile phones, and other devices are also frequently left in cabs, bars, ballparks — you name it. And the passwords people use on their laptops are easily cracked because most people use the same passwords across multiple accounts, so some simple credential stuffing will give bad people access to your system. We saw this happen when Disney+ launched, and the same approach can be used to gain access to your laptop and all of the systems and accounts on it.

What should a travel policy include? First of all, rigid requirements around disk encryption, VPN use, and secure communications (encrypted messaging, calling, etc.) should be standard for international travel. Further, for some countries, policy may dictate that corporate devices or devices containing corporate or client information cannot be taken. In this case, the company may offer “burner” devices specially configured for the team member and the trip mission.

The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity.

Article source: https://www.darkreading.com/edge/theedge/should-i-have-a-security-travel-policy-to-protect-devices-and-sensitive-data/b/d-id/1336686?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

6 Traits to Develop for Cybersecurity Success

Cultivate these half-dozen qualities and watch your career soar.

From the 1950s through the 1970s, popular magazines carried an ad for the Famous Artists School that asked, “Could you be an artist?” The ad promised that if you had the basic traits for art, you could become a famous artist.

Could the same be said about a cybersecurity career? 

Hundreds of thousands of people have gone into the field, but what specific intellectual and personality traits are more useful — ones that make it a bit easier to become a success?

Recently, we looked at some nontechnical degrees that can lead to cybersecurity success. Their existence means success is not just about being good at mathematics or having the right background in computer science. Also worth noting: There are many paths to success in cybersecurity, just as there are many positions within the field. However, certain qualities bear cultivating for anyone who wants to enter — or advance — in the cybersecurity field.

(Image: Alex Po VIA Adobe Stock)

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/careers-and-people/6-traits-to-develop-for-cybersecurity-success/d/d-id/1336591?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Want to ‘live long and prosper’? Then avoid pirated, malware-laden Star Wars streams and pay to watch

Movie fans eager for an early peek at the new Star Wars installment are putting themselves at risk of malware infection.

This according to the crew from Kaspersky Lab, who warn that criminals are disguising malware as streams of The Rise of Skywalker in hopes of scoring a few easy infections on unsuspecting users.

The tactics themselves are nothing new. Malware operators have long used popular movie and film franchises as a way to convince users to open the trojans and exploit files that download malware. Such is the case here, where torrent and file-sharing sites are offering malware that presents itself as a copy of the new film.

In this case, however, the attacks are proving particularly effective – possibly due to the hype around the film. Despite criminals targeting 25 per cent fewer users and offering up 30 per cent fewer unique files than last year, Kaspersky says its detected malware attacks have risen 10 per cent, an indication that hackers are having more success.


What’s more, the team found that phishing sites are also taking advantage of the movie hype by pretending to be streaming services that show bootlegged copies of the film.

“Kaspersky researchers found over 30 fraudulent websites and social media profiles disguised as official movie accounts (the actual number of these sites may be much higher) that supposedly distribute free copies of the latest film in the franchise,” the security shop said of its findings. “These websites collect unwary users’ credit card data, under the pretense of necessary registration on the portal.”

Fortunately, avoiding these attacks is easy enough if users follow some basic best practices. Avoiding unknown sites and suspicious links, maintaining up-to-date security software and system patches, and not downloading any untrusted or suspicious files should be enough to avoid these attacks.

Or, you could always just buy a ticket to watch the movie in a theater…

Given the number of people who will be on holiday, travelling, and meeting with family this time of year, however, there will be plenty of unwary victims for the attackers. For this reason it is also worth keeping an eye on the devices of less-savvy friends and family and making sure they know to avoid shady streaming sites. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/19/kaspersky_star_wars/

Global Cyber Alliance Launches New Security Efforts for Election Officials

The Craig Newmark Trustworthy Internet and Democracy Program will develop security toolkits — and enhance existing ones — ahead of the 2020 presidential election.

The Global Cyber Alliance (GCA) has announced it will use a $750,000 gift from Craig Newmark Philanthropies to launch the Craig Newmark Trustworthy Internet and Democracy Program. The program is intended to provide election officials, government offices, community organizations, and media outlets with tools to help protect them from cyberthreats.

“To thrive, America needs a safe, trustworthy press and secure elections, yet bad actors are attacking the folks who facilitate these aspects of our democratic process,” says Craig Newmark, who is also founder of Craigslist. “Especially with the 2020 US presidential election coming up, we seriously need to shore up our defenses.”

The new program comes on the heels of earlier GCA projects to develop cybersecurity toolkits for election officials, voting rights nonprofits, and journalists. This latest effort will develop toolkits for elected officials, enhance existing toolkits for election officials, establish forums in which officials can seek guidance and assistance from the GCA, expand outreach for the program, and translate toolkits into Arabic, Chinese, French, German, Japanese, and Spanish.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/global-cyber-alliance-launches-new-security-efforts-for-election-officials/d/d-id/1336672?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Patch Management: How to Prioritize an Underserved Vulnerability

Why is one of the biggest problems in cybersecurity also one that CISOs largely ignore? Here are three reasons and a road map to a modern approach.

Optiv Security recently conducted a survey of 200 chief information security officers (CISOs) across the US and UK and, despite their geographical differences, their view of patch management is the same: It’s on the bottom of their list of priorities. This result is startling because unpatched vulnerabilities are one of the most common causes of data breaches — 57% of all breaches in fact, according to Ponemon Research.

Survey respondents were asked: “If you could stop the business for six months and have the luxury of time to execute any security priorities, which of the following areas would you choose to focus on?” CISOs cited employee education, infrastructure simplification, and the creation of DevSecOps models as their top priorities. “Catch up on basic functions like patching and vulnerability scanning” finished dead last.

These results raise this question: Why is it that one of the biggest problems in cybersecurity is also one that is least paid attention to by CISOs? There are a variety of factors at play here, but the three most commonly encountered are:

Factor 1: For CISOs, patch management is likely a long-term friction point between security and IT (and operations and engineering). Typically, security informs IT of the need to patch, and then IT implements the patch. This relationship has been in place for two decades now and is one of the oldest security workflows. A consistent attribute of that relationship is also that IT will not have the velocity that security wants when it comes to applying patches, so it ends up being a sore spot between the two groups. Compared with other security challenges and new security technologies, it can seem both mundane and a point of conflict to be avoided.

Factor 2: Since patching is an administrative function, a CISO’s responsibility is to inform that a patch is needed versus dictate how patches are applied and when. This is generally more of a political or psychological factor, as security needs cooperation with IT to be successful and respecting boundaries of either group’s responsibilities is a part of that. Although the role of security can sometimes be seen as “job done” when the owner of the asset that needs to be patched is informed, that’s not always the most effective approach.

Factor 3: The final, and perhaps toughest, factor to modify is the culture and set of policies that restrict patch and change management. Organizations that have been around for long enough to experience a bad patch rollout and deal with the consequences will have a substantial amount of rigor that security remediation activity needs to pass through. Many of these policies were drafted before automation and orchestration existed, and often, best practices for change management will reflect a cautionary approach that may not factor in capabilities enabled by current technologies. Also, security doesn’t want to be seen as the one removing current safeguards in the name of risk reduction. More often than not, the prime mover in improving speed here is going to be the business adopting a broader change.

So, what else can companies do to help prioritize patch management in this landscape? Here’s a road map that security teams can follow:

Discover and analyze the full patch management cycle. This means security should have a full understanding of exactly how every asset is being patched, down to the specific tools and revisions. The goal here is to map the steps in the process and also identify points where security can be an instrument for visibility. If it takes over a month on average to patch a vulnerability, a company should be able to see that workflow and break out where slowdowns are occurring. Does the capability exist to patch a vulnerability immediately, but it needs to wait until the next change window? Does the patch need to go through multiple levels of a change management process that takes weeks? Does the organization lack automation for patch management? Without breaking down the workflow into discrete steps, it is difficult to give a precise diagnosis.

Perform an independent tools analysis. When it comes to tooling for patch and configuration management, it is almost always going to be a decision from IT and engineering. That said, as a CISO, it is worthwhile to research and understand what capabilities exist in that market versus what the organization is currently using. The goal here isn’t to call out IT if the department is behind the times, but to be able to go to IT staff with information that will help them be more successful overall, and provide an additional voice for the resources they would need to bring those capabilities online. The older an organization is, the more value you will tend to gain from this exercise.

Attack surface reduction. Have a conversation about attack surface reduction with IT and work down two primary tracks: first, reducing the attack surface from the start of an asset’s life cycle, and second, how IT determines when an asset is retired from the network. Modern configuration management and orchestration platforms can reduce the need for repeated manual work when building hardened images but still require more up-front development than all-in-one-style builds. At the other end of the life cycle, you have assets that are still live in the environment but not in active use, and often not under active management. These forgotten systems are often standouts in vulnerability management reports because the vulnerabilities present are an attractive target for attackers.
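For the first road map item, breaking the patch cycle into discrete steps to see where the slowdowns occur, a stage-by-stage breakdown can be computed from ticket timestamps. This is an added example, not part of the original article; the stage names, ticket IDs and dates are constructed assumptions.

```python
from datetime import date
from statistics import median

# Assumed workflow stages, in order; substitute the steps your own process has.
STAGES = ["disclosed", "it_notified", "change_approved", "window_opened", "deployed"]

# Constructed sample tickets: stage -> ISO date. VULN-3 is still waiting for
# a change window, so its later stages are missing.
TICKETS = {
    "VULN-1": {"disclosed": "2019-11-01", "it_notified": "2019-11-02",
               "change_approved": "2019-11-16", "window_opened": "2019-11-30",
               "deployed": "2019-11-30"},
    "VULN-2": {"disclosed": "2019-11-04", "it_notified": "2019-11-05",
               "change_approved": "2019-11-26", "window_opened": "2019-12-07",
               "deployed": "2019-12-08"},
    "VULN-3": {"disclosed": "2019-11-10", "it_notified": "2019-11-13",
               "change_approved": "2019-12-01"},
}


def stage_durations(events):
    """Days spent between each pair of consecutive stages that both have a date."""
    out = {}
    for start, end in zip(STAGES, STAGES[1:]):
        if start in events and end in events:
            days = (date.fromisoformat(events[end]) - date.fromisoformat(events[start])).days
            if days < 0:
                raise ValueError(f"{end} is dated before {start}")
            out[f"{start}->{end}"] = days
    return out


def median_by_stage(tickets):
    """Median days per transition across all tickets that reached it."""
    samples = {}
    for events in tickets.values():
        for step, days in stage_durations(events).items():
            samples.setdefault(step, []).append(days)
    return {step: median(values) for step, values in samples.items()}


def slowest_stage(tickets):
    """The transition with the largest median, i.e. where the workflow stalls."""
    medians = median_by_stage(tickets)
    step = max(medians, key=medians.get)
    return step, medians[step]


def open_tickets(tickets):
    """Tickets that have not reached the final stage yet."""
    return sorted(t for t, events in tickets.items() if STAGES[-1] not in events)


if __name__ == "__main__":
    for step, days in median_by_stage(TICKETS).items():
        print(f"{step:35s} median {days} days")
    print("slowest:", slowest_stage(TICKETS))
    print("still open:", open_tickets(TICKETS))
```

In this constructed data the patch itself deploys within a day of the window opening; the time goes to change approval and to waiting for the window, which is the kind of diagnosis the paragraph asks for.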

While patch management isn’t the most dynamic topic on a CISO’s agenda, it is still a foundational component of a security program. Being one of the most long-lived topics also can lead to a mindset of “everything that can be done has been done,” and a challenge without room for improvement. However, given the capabilities that are now widely available, it should be worth a re-evaluation of current processes and seen as an opportunity where security can achieve its goals while still keeping up with the velocity of the business using a modern approach.

John Bock is the vice president of threat research for Optiv focused on the emergent security landscape and threats to new technologies that are security-immature. Prior to this role, John was the leader of Optiv’s application security practice, which provided application pen …

Article source: https://www.darkreading.com/operations/patch-management-how-to-prioritize-an-underserved-vulnerability/a/d-id/1336601?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

China-Based Cyber Espionage Group Targeting Orgs in 10 Countries

Dozens of organizations across multiple sectors have become victims of APT20 in the past two years.

An advanced persistent threat (APT) actor likely operating out of China has, for the past two years at least, been quietly targeting organizations in the United States and around the globe in a sweeping espionage campaign.

Among its dozens of victims are companies in the aviation, construction, energy, finance, healthcare, and transportation industries, as well as others, across 10 countries, including the US, UK, Brazil, China, France, and Germany.

The attacker, identified as “APT20” in a report this week from NCC Group’s Fox-IT, is likely geopolitically motivated and state-backed, the security vendor said.

“Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes,” the vendor said in its report.

Fox-IT’s analysis of APT20’s tactics shows that in several incidents, the attackers gained initial access to a victim network via a vulnerable Web server, typically running versions of JBoss. Often the servers through which APT20 broke into had already been compromised in an unconnected previous attack and had Web shells placed on them. APT20 used those Web shells for initial lateral movement and reconnaissance.

The group’s other approaches for gaining initial access include phishing and spear-phishing emails, supply chain compromise, and infected removable media devices.

Like many other threat actors, APT20’s strategy after gaining an initial foothold has been to try and harvest and use access credentials belonging to privileged accounts, such as those belonging to enterprise and domain administrators. The group has then brazenly used the admin accounts to access the victim network through its own corporate VPN.

Fox-IT says its investigation shows APT20 uses an assortment of custom tools and legitimate services in carrying out its attacks. Among the custom tools it uses is one for collecting information on installed software, open connections, and running processes; a file upload and command execution webshell; and a custom backdoor written in C#.

The many legitimate tools and services that APT20 leverages in its attacks include PowerShell, command-line interface, external remote services, and Windows Management Instrumentation (WMI) and Windows Admin Shares. APT20 uses legitimate tools in every aspect of the attack chain, from initial access and execution, to privilege escalation and lateral movement, to persistence, defense evasion, collection, exfiltration, and command-and-control. Attack data shows members of APT20 are likely based in China and follow a regular eight- to 10-hour workday routine, with no work during the weekends.

Economic Espionage Activity
APT20 is one of numerous threat actors believed to be engaged in economic espionage activity in support of Chinese government initiatives, such as “Made in China 2025” and “Belt and Road.” Even though President Xi Jinping of China signed an accord with the US in 2015 not to engage in cyber-enabled economic espionage, little has changed on the ground, according to security experts.

For example, China’s first domestically built commercial airliner, C919, which is due for release sometime in the next few years, is thought to be based on designs taken from other aerospace companies. In a report earlier this year, security vendor CrowdStrike described an APT group called Turbine Panda targeting aerospace companies since at least 2010 in support of the commercial plane venture.

Last year, ProtectWise released a report describing how it had linked several threat groups — operating under an umbrella group called “Winnti” — to China’s intelligence apparatus.

FireEye, which maintains a roster of APT groups, lists several with suspected links to China. The list includes APT12 targeting government and defense companies; APT10 focused on construction, telecom, engineering firms, and other sectors; APT41 targeting healthcare, high-tech, and others; and APT40 focused on engineering and defense.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/china-based-cyber-espionage-group-targeting-orgs-in-10-countries/d/d-id/1336676?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple