By Brandes Elitch
In July, Information Security Media Group held its annual cybersecurity conference in San Francisco. I attended this event last year and was impressed with the scope and depth of the presentations, and particularly struck by how much I didn't know about this subject, which was intimidating considering how scary it is. This year, I came prepared to be amazed, because when it comes to cybersecurity versus the fraudsters, anything goes.
In 2017, ISMG held events across four continents in over 50 cities. It is the world's largest media organization devoted solely to information security and risk management, with 28 media properties focused on key verticals such as banking, healthcare and the public sector. This seminar was two days packed with 17 presentations. In this article, I will touch on some things I found to be particularly interesting.
To put things into perspective, a recent study by Shape Security called The Credential Spill Report found that last year there were 51 reported major breaches, which compromised 2.3 billion credentials (user names and passwords). Ninety percent of all login attempts at online retailers are done by hackers. In the airline and consumer banking space, 60 percent of login attempts are from criminals. The cost of fraud is estimated to be $6 billion a year in ecommerce, and $1.7 billion a year in consumer banking. Hotels and airlines that offer loyalty points incur losses of $700 million a year. The community bank sector sees 200 million attacks a day.
In addition, the U.S. consumer banking industry faces about $50 million a day in potential losses from "credential stuffing" attacks, and actual losses are estimated to be $5 million per day. The number of hacked U.S. credit cards whose information was offered for sale to other criminals on the Dark Web has quadrupled in the last two years, totaling more than 4,000 credit cards per bank.
According to security firm RiskIQ, bad actors such as the criminal group called Magecart, target popular third-party software suppliers, which can enable large-scale compromises. Instead of going after large enterprises, the criminals have redirected their attention to smaller third-party suppliers that can act as gateways to more lucrative targets.
One example is the Ticketmaster compromise involving a malicious code was planted in automated customer support chatbot software from Inbenta Technologies. The code collected names, street addresses, email addresses, phone numbers, payment details, and Ticketmaster login details. RiskIQ identified malicious code in a third-party marketing service from a company called SociaPlus; a Magecart skimmer was added to a SociaPlus script and injected into multiple Ticketmaster websites.
Here is a compelling example from the banking community. Malware from fraudsters such as TrickBot, Qbot,and Dridex includes banking trojans distributed via phishing emails, which infect the victims' computer and steal credentials used to access the bank accounts. The attackers can redirect SMS messages from the banks, containing passwords and mobile transaction authentication numbers, and deliver them to phones controlled by the attackers. This was enabled by a vulnerability in the SS7 networking protocol used by cellphone providers, which can be used to eavesdrop on conversations, track geographic locations and intercept SMS messages.
The threat landscape includes identity theft, targeted malware, ransomware, cryptojacking, credential stuffing, and bring-your-own-device (BYOD) and Internet of Things attacks. Aside from web-based attacks and phishing, there are spam, denial of service, botnets and physical attacks. Criminals are also using big data, machine learning and automation.
Last year, a third of all consumers were notified of a data breach. The Equifax breach put everything over the top, because it closed the circle: fraudsters have all they need for ID fraud. Do I have your attention now?
The conference's keynote speaker was Brett Johnson, the original Internet Godfather, and the most compelling speaker I have heard in a long time (see www.anglerphish.com to learn more about him). As he explained, crime begins with ID theft. About 92 percent of every breach starts with a phishing attack.
Criminals are focused on ID theft, account takeover, friendly fraud and synthetic fraud. They are looking for a failure of multiple systems chained together, not just one system. Criminals are good at one or two things, not three things, and they are going for the easy target, so they can gather data, commit a crime and cash out, typically using bitcoin.
Brett had some important suggestions, including the following:
Another presentation was by Sam Elliott director of security product management at Bomgar. He said a breach is a matter of when, not if, and all you can do is to try to contain breaches to an acceptable level. You should automate privileged ID and access management to mitigate the threat of hacking, because 81 percent of this involves stolen or weak credentials. Remote access is the number one method of compromise, because everything is connected these days.
You can protect yourself by rotating and randomizing credentials, protecting Internet service accounts and middleware, and securing insider and vendor access. Do not connect a virtual private network to a vendor with remote desktop protocol access. Use an HTML 5 interface.
Focus on two key areas. First is identity management: authenticate customers using two-factor authorization, and eliminate passwords in favor of hardware-based tokens. The second is data integrity maintenance: the supply chain is soft and unprotected, and hardware can come with malware installed.
Over time, we will transition from a "root of trust" concept to a "web of trust" to ensure integrity and validation at every level of the supply chain. One speaker predicted that in five years, we will have standards-based compliance, cyber insurance for real risk transfer, and blockchain implementation, which will create a change in business models. In 10 years, it will be "all cloud all the time," and large enterprises will have gotten out of the data center business.
Purpose-built devices such as Chromebook and iOS devices will dominate; we will move away from the thick-client laptop model and the network-centric approach. We will pivot away from passwords to presence-based authentication, which will include a physical (biometric) property and a token.
A presentation from Javelin Strategy & Research indicated there has been an evolution in fraudster sophistication, and now it's hard to distinguish between a true consumer and a villain. Fraudsters are using data differently. They have honed the capability to validate credentials. With account takeover, the criminal can change a password or contact information, and separate your financial institution from you.
With this information, the criminal can apply for a credit card and a line of credit, change your phone number and address, open a new account, and move money. Banks need to tie authorization more closely to the customer's device, and transition from ID verification to ID proofing.
To detect threats, you need some form of network traffic analysis that detects such things as host, traffic and protocol anomalies, and automates data collection and analysis to detect and categorize complex threat behavior.
One presentation focused on the healthcare space, which has its own set of problems, including fraudsters altering or deleting information in the accounting system, changing electronic documents, and creating fraudulent electronic files.
This was the first presentation to discuss the applicability of blockchain, which can provide immutable traceability in a shared decentralized ledger, where invalid changes get rejected upfront. Blockchain would provide a highly trusted, permissioned and validated access control on an organizational level, with secure data sharing to facilitate smart contracts. Another topic was insider threats, one of the most pernicious and hard to detect. About 28 percent of breaches originate here. Insiders can delete information, bring down systems, deface websites, steal intellectual property, hijack confidential data and modify critical data. Fraudsters can be disgruntled former employees or employees on the verge of leaving. Typically, they have been in the job at least five years and, amazingly, it takes over a year to discover the damage they have done after their departure.
Another concern is the shortage of trained, experienced cybersecurity professionals. The Equifax CISO and Security Chief was a music major. There are 1.4 million unfilled security jobs, per LinkedIn. Meanwhile, fraudsters are attracting employees by offering benefit plans, insurance, paid holidays, etc. But the good guys are fighting back: last year venture capital placed $7.6 billion in information security companies.
Both the FBI and the Department of Homeland Security gave presentations. The FBI stated that we face a global criminal enterprise ecosystem in the Dark Web that interacts with digital currency and operates with 100 percent anonymity. Half of the threats come from outside of the United States. It is a global problem without borders. Attackers want credentials to get into your environment; 75 percent of the vulnerability comes from social engineering, spearfishing and poor patch management.
The four types of criminals are nation-states (Russia, China, Iran, etc.), hacktivists (they want to disrupt and typically have some kind of socially motivated agenda), insiders, and financially motivated individuals, who are experts in this and are focused on ROI. The DHS offers resources and publications at www.us-cert.gov and www.ics-cert.gov and www.ics-cert.gov.
While every enterprise is affected by activities on the Dark Web, those of us in the payments industry are particularly sensitive. Criminals are primarily motivated by the prospect of financial gain from getting access to credit card and demand deposit account data. They need access to payment information to monetize data and extract funds via bitcoin. Acquirers and payment processors are sitting on a mountain of personally identifiable information and payment data, including the automated clearing house addresses of their clients. Attending this conference is one way to get up to date on developments here, and to make useful contacts going forward. The 2018 schedule of events is at: http://events.ismgcorp.com/.
Brandes Elitch, Director of Partner Acquisition for CrossCheck Inc., has been a cash management practitioner for several Fortune 500 companies, sold cash management services for major banks and served as a consultant to bankcard acquirers. A Certified Cash Manager and Accredited ACH Professional, Brandes has a Master's in Business Administration from New York University and a Juris Doctor from Santa Clara University. He can be reached at firstname.lastname@example.org.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next