
Retail cybersecurity must step up for Black Friday and Cyber Monday

Coronavirus has canceled many things, but Black Friday and Cyber Monday may be as big as ever in 2020. Only this year, it will be different.

Some stores promise to end the famous Black Friday sea of bodies clambering over each other for heavily discounted items by offering, for example, no shipping fees for online purchases. And consumer choices on how they shop look set to shift sharply. Google’s US shopper survey found 75 percent plan to buy online more than they did last year. UK retailers point to a surge in online shopping since COVID-19 lockdowns hit and urge customers to shop early for Christmas, which will drive more customers to online Black Friday sales.

Black Friday and Cyber Monday are big retail events at the best of times. In the US alone, 2019 online sales on the two days were worth nearly 17 billion US dollars.

It’s not just retailers and consumers gearing up to benefit. Black Friday and Cyber Monday present lucrative opportunities for hackers and social engineering scammers.

To reduce risks and reap gifts this season, retailers need to improve their defenses against cybercrime.

Retail is an attractive target for cybercriminals

Verizon’s 2020 data breach investigations report found financial motivations lay behind 86 percent of attacks. The holiday season excitement is distracting, but businesses can’t afford to let their guard down.

Cyberattacks damage retailers in many ways: lost sales, loss of reputation and legal sanctions if they’ve not met regulations such as the European Union’s General Data Protection Regulation (GDPR). The stakes are high on Black Friday and Cyber Monday – in 2019, Kaspersky research identified a range of cleverly designed phishing scams masquerading as seasonal discounts from big brands, almost indistinguishable from the real thing.

It’s not just phishing emails – smart scammers also launch malicious websites for the occasion to further build a sense that they’re credible.

Scammers know legitimate businesses use the season to create a sense of urgency, with time-limited offers and low prices that are hard to turn down. They use these exact tactics to dupe victims into taking the desired action.

Cybercriminals’ tactics against retail

Cybersecurity advice around the November-December shopping extravaganza is mostly aimed at consumers, but there are two sides to every transaction. Retailers have a duty to protect their customers from scams.

Social engineering attacks depend on scammers being able to convince would-be victims they’re authentic. If an attacker masquerades as your brand, it reflects poorly on you, even if you’re not to blame.

In the holiday season, there’s also a greater likelihood of direct attacks on retailers. You may be too distracted to notice attacks in progress. Hackers can target your website, leading online shoppers to malicious clones to steal their personal or payment information.

Attackers may plant malicious links and code where consumers click, such as in branded websites and mobile apps. Others might set up fake websites and social media profiles from scratch. Social media and business email are popular ways to attack. By compromising employee accounts, cybercriminals can greatly increase their impact.

Lockdowns and travel restrictions this year will drive more people to buy gifts online and have them delivered directly to the recipient. Mismatched billing and shipping addresses challenge retailers because they may indicate fraud, requiring sophisticated systems or time-consuming manual checks. Often, it will be someone with no recorded purchase history who may have device characteristics not typical of their usual consumer.

How retailers should respond to threats

Be proactive in letting everyone know you’re a step ahead of the threats. See your cyberawareness as a value proposition that drives business growth, rather than just a necessity to be taken care of. For example, if scammers masquerading as your company target your customers, inform them and ask them to verify that any link claiming to lead to your website is legitimate.

Don’t wait for customers to tell you about the scams – look for them. Find and isolate scams posing as your brand and lock down any compromised online accounts before they cause irreparable damage. Look beyond conventional perimeter security (thorough checks on all attempts to connect to corporate resources from outside the infrastructure) and lock down social media and other online endpoints as well.

National- or multinational-scale retail businesses should monitor the web around the clock to increase the chances of finding fake websites or other assets disguised as their brand. Threat intelligence feeds and a Security Operations Center are two ways to do it. Monitoring the dark web is also crucial because it’s where criminals sell stolen information and assets.

In the lead up to Black Friday, warn customers you face threats beyond your direct control. Educate them on how to spot social engineering scams, like poor spelling and grammar, and asking for confidential information over email. Remind them of your security and privacy procedures. Tell customers what you’re doing to combat threats and what they can do to be safer when shopping online. Your transparency will build trust in your brand.

Another often-overlooked holiday season threat is the distributed denial of service (DDoS) attack, in which attackers bombard servers with requests until they slow to a crawl or crash. For bigger businesses, ruthless competitors, state-sponsored hackers or political activists may use this tactic, hoping to damage your finances and reputation. To protect your online store from being taken offline on a landmark retail day, have DDoS protection in place.

Black Friday and Cyber Monday security challenges are undeniable. Overcoming them will make the holiday season more profitable for your business and safer for your customers. Be honest, transparent and proactive in how you communicate with your customers. Get the right security in place against the kinds of threats your retail business faces, then sit back and enjoy watching the sales roll in.

Author: Claire Hatcher

One in five adults experiences cyberfraud each year

One-in-five adults who use the internet said they had experienced cyber fraud or computer misuse, according to a new report.

The latest Scottish Crime and Justice Survey said most victims reported no impact on them but they changed their online behaviours as a result.

The most common problem encountered was having a device infected by a virus.

Other common types of cyber fraud were having someone access online accounts for fraudulent purposes.

Having card or bank account details stolen online was also among the most common computer misuse.

About 4.5% of internet users said they had been a victim of a scam email.

Not reported

The SCJS for the year 2018-19 found that the majority of victims did not report the incident to the police.

This was particularly true in the case of scam phone calls and viruses.

The only type of cyber fraud which was reported by most victims was the online theft of a bank card or bank account details.

This is the first time the annual Scottish Crime and Justice Survey into public experiences and attitudes to crime has asked about cyber crime and online fraud.

The SCJS is a large-scale social survey which asks more than 5,500 adults about their experiences and perceptions of crime.

It is important because it provides a picture of crime in Scotland, including crimes that have not been reported to, or recorded by, the police and captured in police recorded crime statistics.

‘Safer place’

The latest report, for 2018-19, shows large falls in crime over the past decade, meaning people are less likely to be victims and feel much safer.

It found that the total number of crimes had fallen by two-fifths since 2008-09.

The proportion of adults experiencing crime fell from one in five to one in eight over the decade.

Other key findings were:

  • The volume of crime in Scotland, including incidents not reported to the police, has fallen by 45% over the last decade or so – from an estimated 1,045,000 incidents in 2008/09 to 573,000 in 2018/19.
  • The SCJS estimates that the police became aware of 36% of crime in 2018/19, a similar proportion to previous years.
  • Most adults (87.6%) were not victims of any crime in 2018/19.
  • The proportion of adults experiencing crime decreased from one-in-five (20.4%) to one-in-eight (12.4%) between 2008/09 and the latest year.
  • The likelihood of experiencing any crime was higher among those living in the 15% most deprived areas.

The SCJS said the overall crime victimisation rate enabled a “broad comparison” with the equivalent rate in England and Wales.

The report said adults in Scotland were less likely to have experienced crime than those in England and Wales during 2018/19, with victimisation rates of 12.4% and 14.9% respectively.

Scotland’s Justice Secretary Humza Yousaf said: “While it is encouraging that Scotland remains a safer place than a decade ago, with fewer victims of crime, there is no room for complacency.”

He said the Scottish government would continue to focus on early intervention and prevention.

Source: https://www.bbc.com/news/uk-scotland-53063418?intlink_from_url=https://www.bbc.com/news/topics/c1xp19421ezt/cyber-crime&link_location=live-reporting-story

How to mitigate the impact of deepfakes

Deepfakes are just one unfortunate product of recent developments in the field of artificial intelligence. Fake media generated by machine-learning algorithms have gained a lot of traction in recent years. Alyssa Miller’s talk at RSA Conference 2020, titled Losing our reality, provides some insights on why it’s time to consider deepfakes a threat — election year aside — and what your business can actually do to mitigate the impact if it’s attacked in such a way.

How deepfakes are made

The most common approach to creating a deepfake is using a system called GAN, or generative adversarial network. GANs consist of two deep neural networks competing against each other. To prepare, both networks are trained on real images. Then, the adversarial part begins, with one network generating images (hence the name generative) and the other one trying to determine whether the image is genuine or fake (the latter network is called discriminative).

After that, the generative network learns, and learns from the result. At the same time, the discriminative network learns how to improve its performance. With each cycle, both networks get better.

Fast forward, say, a million training cycles: The generative neural network has learned how to generate fake images that an equally advanced neural network cannot distinguish from real ones.

This method is actually useful in many applications; depending on the preparatory data, the generative network learns to generate certain kinds of images.

Of course, for deepfakes, the algorithm is trained on real photos of certain people, resulting in a network that can generate an infinite number of convincing (but fake) photos of the person ready to be integrated into a video. Similar methods could generate fake audio, and scammers are probably using deepfake audio already.

How convincing deepfakes have become

Early deepfake videos looked ridiculous, but the technology has evolved enough at this point for such media to become frighteningly convincing. One of the most notable examples of frighteningly convincing deepfakes from 2018 was fake Barack Obama talking about, well, deepfakes (plus the occasional insult aimed at the current US president). In the middle of 2019, we saw a short video of fake Mark Zuckerberg being curiously honest about the current state of privacy.

To understand how good the technology has become, simply watch the video below. Impressionist Jim Meskimen created it in collaboration with deepfake artist Sham00k. The former was responsible for the voices, and the latter applied the faces of some 20 celebrities to the video using deepfake software. The result is truly fascinating.

As Sham00k says in the description of his behind-the-scenes video, “the full video took just over 250 hours of work, 1,200 hours of footage, 300,000 images and close to 1 terabyte of data to create.” That said, making such a video is no small feat. But such convincing disinformation can potentially have massive effects on markets — or, say, elections — which makes the process seem frighteningly easy and inexpensive.

For that reason, almost at the same time that the abovementioned video was published, California outlawed political deepfake videos during election season. However, problems remain. For starters, deepfake videos in general are a form of expression — like political satire. California’s ban doesn’t exactly protect freedom of speech.

The second problem is both technical and practical: How exactly are you supposed to tell a deepfake video from a real one?

How to detect deepfakes

Machine learning is all the rage among scientists all over the world, and the deepfake problem looks interesting and challenging enough to tempt many of them to jump in. For this reason quite a few research projects have focused on how to use image analysis to detect deepfakes.

For example, a paper published in June 2018 describes how analyzing eye blinks can aid in the detection of deepfake videos. The idea is that typically not enough photos of a given person blinking are available, so the neural network has too little blinking to train on. In fact, people in deepfakes at the time the paper was published were blinking far too rarely to be believable, and though human viewers found the discrepancy hard to detect, computer analysis helped.
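As an added illustration of the blink-rate idea (not code from the cited paper or from Miller’s talk), the following assumes a face-landmark pipeline has already produced one eye-aspect-ratio (EAR) value per video frame; EAR drops sharply while the eye is closed. The closed-eye threshold, minimum blink length and expected human blink rate below are assumed values chosen for illustration, and the input clips are constructed.

```python
"""Blink-rate heuristic for flagging a talking-head clip that rarely blinks.

Added example, not the detection method of the 2018 paper itself. It assumes
a per-frame eye-aspect-ratio (EAR) series from a landmark detector. The
constants are assumptions for illustration, not values from the page.
"""
from dataclasses import dataclass
from typing import List, Sequence

EAR_CLOSED = 0.21      # assumption: EAR below this means the eye is closed
MIN_CLOSED_FRAMES = 2  # assumption: a real blink spans at least 2 frames
HUMAN_BPM_LOW = 8.0    # assumption: fewer blinks/minute than this is suspicious


@dataclass
class BlinkReport:
    blinks: int
    seconds: float
    blinks_per_minute: float
    suspicious: bool


def count_blinks(ear: Sequence[float], min_frames: int = MIN_CLOSED_FRAMES,
                 threshold: float = EAR_CLOSED) -> int:
    """Count closed-eye runs of at least `min_frames` consecutive frames.

    A single-frame dip is ignored as landmark jitter. Each run counts once,
    when the eye reopens or when the clip ends while still closed.
    """
    blinks = 0
    run = 0
    for value in ear:
        if value < threshold:
            run += 1
        else:
            if run >= min_frames:
                blinks += 1
            run = 0
    if run >= min_frames:
        blinks += 1
    return blinks


def blink_report(ear: Sequence[float], fps: float) -> BlinkReport:
    """Turn a per-frame EAR series into a blink rate and a verdict."""
    if fps <= 0 or not ear:
        raise ValueError("need a positive fps and at least one frame")
    seconds = len(ear) / fps
    blinks = count_blinks(ear)
    bpm = blinks * 60.0 / seconds
    return BlinkReport(blinks, seconds, bpm, bpm < HUMAN_BPM_LOW)


def synthetic_ear(fps: int, seconds: int, blink_every_s: float,
                  open_ear: float = 0.30, closed_ear: float = 0.12) -> List[float]:
    """Constructed test signal: eyes open, closing for 3 frames every period.

    blink_every_s <= 0 produces a clip that never blinks (the deepfake-like case).
    """
    total = fps * seconds
    series = [open_ear] * total
    if blink_every_s > 0:
        period = int(fps * blink_every_s)
        for start in range(period, total, period):
            for i in range(start, min(start + 3, total)):
                series[i] = closed_ear
    return series


if __name__ == "__main__":
    # Constructed clips: one blinking every 4 s, one that never blinks.
    natural = blink_report(synthetic_ear(fps=30, seconds=60, blink_every_s=4), fps=30)
    never = blink_report(synthetic_ear(fps=30, seconds=60, blink_every_s=0), fps=30)
    print(f"natural clip:      {natural}")
    print(f"never-blinks clip: {never}")
```

As the article notes just below, a heuristic like this is only a snapshot: once generators are trained with blinking in mind, the rate alone stops being a useful signal.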

Two papers submitted in November 2018 suggested looking for face-warping artifacts and inconsistent head poses. Another one, from 2019, described a sophisticated technique that analyzes the facial expressions and movements that are typical for an individual’s speaking pattern.

However, as Miller points out, those methods are unlikely to succeed in the long run. What such research really does is provide feedback to deepfake creators, helping them improve their discriminative neural networks, in turn leading to better training of generative networks and further improving deepfakes.

Using corporate communications to mitigate deepfake threats

Given the abovementioned issues, no purely technological solution to the deepfake problem is going to be very effective at this point. But other options exist. Specifically, you can mitigate the threat with effective communications. You’ll need to monitor information related to your company and be ready to control the narrative should you face a disinformation outbreak.

The following points summarize Alyssa Miller’s suggestions for preparing your company to face the deepfake threat — by the way, the same methods can be useful for dealing with other types of PR mishaps as well:

  • Minimize channels for company communications;
  • Drive consistent information distribution;
  • Develop a disinformation response plan (treat these as security incidents);
  • Organize a centralized monitoring and reporting function;
  • Encourage responsible legislation and private sector fact verification;
  • Monitor development of detection and prevention countermeasures.

Source: https://www.kaspersky.com/blog/rsa2020-deepfakes-mitigation/34006/

Protecting your Steam account from scammers and trolls

If you are reading this post, it’s safe to assume that you have a Steam account. Unfortunately, in addition to Steam’s millions of bona fide gamers, the platform includes scammers looking to profit at others’ expense. We tell you the security and privacy settings you can use to guard against them.

How to protect your Steam account

To keep your account from being hijacked, you need to protect it. This is where the security settings come in. To open them, in the app on your computer:

  • Click your name in the upper right corner.
  • Select Account Details.

Another way to reach the very same settings in the desktop Steam app:

  • Click Steam in the upper left corner.
  • Select Settings.

Your Steam password must be strong

Is your Steam password short and guessable like 123456 or the name of a pet? Or do you use the same one as for your Facebook and/or Gmail accounts? Then we recommend changing it right away.

We have a separate post about how to come up with (and not forget) a virtually unbreakable password. And here’s why you should never reuse passwords.

To change your Steam password:

  • Open the Steam settings.
  • Select Change Password….

How to configure Steam Guard — two-factor authentication on Steam

Even the most reliable password will not help if it gets stolen — no one is insured against that, unfortunately. So be sure to enable two-factor authentication (2FA), which Valve calls Steam Guard. With 2FA, when you or anyone else tries to log into your account from an unknown device, Steam asks not only for your password, but for an additional code that is sent to your e-mail or generated in the mobile app.

These codes are updated automatically every 30 seconds, so it is almost impossible to guess them. What’s more, each code works only once, so once you have logged in with it, no one else can.

By default, Steam sends those codes by e-mail. Here’s what to do if for some reason you disabled it or want to receive codes in the Steam mobile app (which we’ll cover in the next section):

  • Open the settings.
  • Click Manage Steam Guard Account Security… or Manage Steam Guard.
  • Choose how you want to receive access codes: by e-mail or in the mobile app.

How to set up Steam Guard Mobile Authenticator

Receiving one-time codes by e-mail is rather slow and not very reliable because e-mail accounts often get hijacked. There is a better way: Steam lets you generate one-time codes in the mobile app. First, it’s safer. Second, the code is always generated instantly. Here’s how to set up Steam Guard on your phone:

  • Install the Steam app on your smartphone (iOS or Android), and log in to your account.
  • Tap the three bars in the upper left corner.
  • Select Steam Guard.
  • Tap Add Authenticator.
  • Enter your phone number, if it’s requested.
  • Open the e-mail from Steam and confirm that you want to link the number to your account.
  • In the app on your phone, tap Next and enter the code from the text message.
  • Make a note of the recovery code the app displays and keep it in a safe place — you will need it if you ever lose your phone.
  • Tap Done and you’re all set. From now on, the app will display your 2FA codes in the Steam Guard section.

How to ensure that only you are logged in to your account

If you forget to log out on someone else’s computer, or suspect that you’ve been hacked, you can force a logout on all devices save for the one that you are using. To do so, in the app on your computer:

  • Open the settings.
  • Select Manage Steam Guard Account Security… or Manage Steam Guard.
  • Click Deauthorize all other devices.

Now the only person logged in to your account is you. Now is also the ideal time to change your password and enable Steam Guard to keep outsiders out of your account.

How to guard against phishing links on Steam

Cyberpoachers in search of accounts full of games and items are constantly creating fake sites to steal Steam logins and passwords. To lure users in, they post links in the comments section or elsewhere, promising things like game keys, free items, or huge discounts. If you swallow the bait, your credentials go straight to the scammers.

To protect you against this fatal mistake, Steam warns about links that lead to third-party sites. This option is available and active by default in the mobile app, but if for some reason you disabled it:

  • Open the mobile app.
  • Tap the three bars in the upper left corner of the screen.
  • Select Settings.
  • Open Application Preferences.
  • Select Alert for non-Steam Links.

Configuring Steam privacy

Having an excessively public profile can cause problems. For example, if scammers see that you have expensive games or items in your collection, they are more likely to take an unwanted interest in your Steam account. And if you allow just anyone to leave comments on your page, don’t be surprised if you get flooded with spam and insults. Therefore, we recommend spending some time configuring restrictions on third-party access to the information in your profile.

Here’s where the settings are in the desktop version of Steam:

  • Click your name in the upper right corner of the screen.
  • Select View my profile.
  • Click Edit Profile.
  • Select My Privacy Settings.

In the Steam mobile app, you can find them here:

  • Tap the three bars in the upper left corner of the screen.
  • Select Settings.
  • Open Application Preferences.
  • Click Steam Preferences.
  • Open the Privacy Settings tab.

How to hide your Steam profile from outsiders

If you don’t want strangers to see your profile at all, make it fully private. To do so:

  • Open the privacy settings.
  • Tap the link next to My profile.
  • Select Friends Only or Private.

Now only your name and avatar are visible to outsiders. These elements cannot be hidden, but on Steam there is nothing to stop you from using a fictitious name and a favorite anime character as your profile picture.

How to hide information about your games, items, and friends

If you want to hide only some information (such as lists of games, or collections of skins) from outside eyes, use Steam’s privacy settings to tailor its visibility.

  • Open the privacy settings.
  • Click the link next to Game details, Friends List, or Inventory.
  • Select Friends Only or Private.

How to hide screenshots and illustrations on Steam

Screenshots and illustrations also do not have to be shown to everyone. You can limit their visibility at any time. The settings for each picture are individual; that is, you can choose for each image whether you want it to be visible to everyone, or shown only to friends, or maybe just for you.

To hide a new screenshot or illustration, select Private or Friends only under Visibility in the upload window.

To hide an already uploaded screenshot or illustration:

  • Open your screenshots or illustrations.
  • Click Manage Screenshots or Manage.
  • Select the images that you want to hide.
  • Click Make Friends Only or Make Private.

Sometimes it is more convenient not to hide a picture, but to make it viewable by link only. That way, it will not appear in search results or the Steam community feed, allowing you to choose who to share it with. If the picture is new, select Private under Visibility in the upload window. If you want to restrict access to an already uploaded screenshot or illustration:

  • Open your screenshots or illustrations.
  • Click Manage Screenshots or Manage.
  • Select the images that you want to hide.
  • Click Make Unlisted.

On the relevant pages of your profile, you can limit the visibility of videos, mods, and items created in the Steam Workshop as well.

How to avoid spammers and trolls on Steam

Already hidden your most personal stuff? Now let’s deal with spam and trolling. To prevent strangers from posting comments or dropping questionable links in your profile, you can restrict access to comments. To do so:

  • Open the privacy settings.
  • Click the link under Can post comments on my profile.
  • Select Friends Only or Private.

How to avoid leaking data, money, and items on Steam

Your profile is now configured, thank Gaben. Now your gaming life is much better protected than before. However, cybercriminals can still try to scam you — for example, by selling an already used game key or asking to borrow an expensive item. Be careful and don’t trust just anyone.

  • Don’t follow links in messages from “support service” or other users. Scams can be based on carrots (such as fake lotteries with juicy prizes) or sticks (threats to block user accounts and the like). Check all information in official sources.
  • Don’t rely on good faith and scout’s honor. And be wary of any freebie. Remember that if something is too cheap, it’s probably a trap.
  • Don’t install game-enhancing extensions or third-party programs. Using cheat software could result in a VAC ban, and in most cases it will simply infect your computer instead of giving you a leg up on the competition.
  • Use a reliable security solution that identifies malware and phishing links. If you have our antivirus installed, find out how to hook it up with Steam (spoiler: It’s easy).

Are scammers tired of bitcoin?

Scammers pretending to have hacked and shot video of people watching porn is not exactly news. However, from time to time the scheme gets a new twist. Last time, it was alleged CIA involvement to heighten the threat — the supposedly watched adult video was of an illegal sort. The purpose of these tales is to panic the user so they’ll send money without thinking too hard about the false claims.

Most often, cybercriminals demand a ransom in cryptocurrency; such transactions are anonymous and extremely hard to trace. The wallet address for transferring the money is usually specified in the text of the e-mail. Lately, however, we’ve been seeing sextortion messages with no such address. The scammers ask to be contacted in a more traditional way — by e-mail — and demand a different sort of ransom.

Prepaid ransom cards

Having delivered the bad news to the victim, the scammers ask them to go to a store from a list (in this case, Walmart, Lojas Americanas, Extra, Pão de Açúcar, or Casas Bahia) and purchase some prepaid debit cards there. These cards need to be topped up to a certain amount and photographed on both sides, and the pictures sent to the specified e-mail address.

Generally speaking, the main difference between prepaid debit cards and the usual kind is that there is no need to go to a bank to get them — you can buy and top them up right in the store. At the same time, such cards are connected to the major global payment systems, such as Visa and Mastercard, and are accepted anywhere those systems operate.

The debit cards in this particular sextortion scheme — Acesso cards — are sold in Brazil and work with the Mastercard system. One of the features of these cards is that they are usable not only in Brazil, but internationally as well. Perhaps that’s the feature that the cybercriminals in question are particularly interested in. Acesso cards are sold in supermarkets and hypermarkets of the abovementioned chains for some 15 reals (a bit more than $3.50) and can be topped up with any amount of money right there and then.

So, having been fed the prepaid card details (hence the requirement to photograph both sides), the scammers can immediately use it to withdraw money.

Brazilian-style sextortion

A particular e-mail that caught our eye targeted users in Brazil. Brazilian extorters had previously demanded prepaid cards from victims, but only the telephone variety. In some ways the demand for prepaid debit cards could actually be described as innovative.

Note that although the message text in the example is indeed in Portuguese, it’s simply the output from an online translator. By all appearances, the scammers are not local. That said, they seem well-versed in the day-to-day realities of the target country. For example, they know that such cards can be bought in Brazil, and where.

E-mails like this one are typically crafted using more or less the same templates, automatically translated into different languages (for the target audience), and dispatched to millions of e-mail addresses from spam databases.

Goodbye to bitcoin?

It is still too early to say if prepaid debit cards will supplant bitcoin as the new ransom currency of choice, or whether such messages are the exception rather than the rule.

In any event, it is worth remembering that such e-mails are not the work of genius hackers, but a social engineering shot in the dark. Such messages are not targeted; they’re sent in bulk using spam databases. The scammer did not hack anyone and has no compromising information on you at all. Their only goal is to scare the victim into obeying the instructions as quickly as possible.

To rest easy about such threats, use a reliable security solution with up-to-date databases that will block fake messages before they wind up in your mailbox.

Resource: https://www.kaspersky.com/blog/prepaid-card-sextortion/31790/?es_p=10757088

Russian speaking hacking group is attacking banks in Sub-Saharan Africa, according to Kaspersky

Kaspersky security researchers have reported on thousands of notifications of attacks on major banks located in the Sub-Saharan Africa (SSA) region.

The malware used in the attacks indicates that the threat actors are most likely the infamous Silence hacking group, previously known to be responsible for the theft of millions of dollars from banks across the world.

The Silence group is one of the most active Advanced Persistent Threat (APT) actors, which has carried out a number of successful campaigns targeting banks and financial organisations around the globe.

The typical scenario of the attack begins with a social engineering scheme, as attackers send a phishing e-mail that contains malware to a bank employee. From there, the malware gets inside the banks’ security perimeter and lays low for a while, gathering information on the victim organisation by capturing screenshots and making video recordings of the day to day activity on the infected device, learning how things work in the targeted banks.

Once attackers are ready to take action, they activate all capabilities of the malware and cash out using, for example, ATMs. The score sometimes reaches millions of dollars.

The attacks detected began in the first week of January and indicated that the threat actors are about to begin the final stage of their operation and cash out the funds. To date, the attacks are ongoing and persist in targeting large banks in several SSA countries.

Kaspersky researchers attribute the attacks to the Russian speaking Silence group based on the malware used in the attacks, which was previously used solely in the group’s operations.

In addition, the language of the malware is Russian – threat actors attempted to slightly cover this fact by typing Russian words using the English keyboard layout.

“Silence group has been quite productive in the past years, as they live up to their name; their operations require an extensive period of silent monitoring, with rapid and coordinated thefts,” said Sergey Golovanov, security researcher at Kaspersky.

“We noticed a growing interest of this actor group in banking organisations in 2017 and since that time the group would constantly develop, expanding to new regions and updating their social engineering scheme. We urge all banks to stay vigilant, as apart from the large sums Silence group also steal sensitive information while monitoring the banks’ activity as they video record screen activity. This is a serious privacy abuse that might cost more than money can buy.”

Kaspersky detects the malware used in the operation as HEUR:Trojan.Win32.Generic, PDM:Exploit.Win32.Generic.

To protect from this and similar attacks, we advise financial organisations to apply the following measures:

  • Introduce basic security awareness training for all employees so that they can better distinguish phishing attempts
  • Monitor activity in enterprise information systems through an information security operations centre
  • Use security solutions with dedicated functionality aimed at detecting and blocking phishing attempts. Businesses can protect their on-premise email systems with targeted applications inside the Kaspersky Endpoint Detection and Response or use the Kaspersky Anti Targeted Attack platform.
  • Provide security teams with access to up-to-date threat intelligence data, to keep pace with the latest tactics and tools used by cybercriminals
  • Prepare an incident response plan to be ready for potential incidents in the network environment

Resource: https://www.intelligentcio.com/africa/2020/01/13/russian-speaking-hacking-group-is-attacking-banks-in-sub-saharan-africa-according-to-kaspersky/

Can dark web monitoring move you one step ahead of cybercriminals?

Imagine if it didn’t take an average of 190 days to identify a data breach and then a further 57 days to contain it. Imagine if instead you could cut down those times to just a few days or even a few hours, mitigating the effects of a data breach and minimizing long-term damage to your organization.

It all starts with understanding how cybercriminals work and knowing what they do with stolen data. The dark web plays an important role, since that’s where most hackers and scammers go to trade their ill-gotten gains. This mysterious counterpart of the public internet is home to stolen information and wanton criminality. But what does that mean for protecting your business, and is there really any value in using dark web monitoring services?

What exactly is the dark web?

By now, most of us have heard of the hidden version of the public internet known as the dark web, but few other than cybercriminals and the law enforcement agencies tasked with tracking them down really know much about it.

Firstly, it’s important to explain what the dark web isn’t. It exists separately from the public internet for a start, and neither is it the same thing as the deep web. The deep web is the part of the web we spend a lot of our time on already, since it includes everything that’s hidden behind a login page, such as our email, intranet and bank accounts. It’s everything online that isn’t indexed by search engine crawlers, and remains inaccessible to those without the right account credentials.

Although the two are commonly confused, the dark web is an entirely different beast. While it uses the same infrastructure as the public internet, the dark web is an overlay network that requires specialized software to access it, such as the popular Tor browser. Servers connected to the dark web hide behind multiple layers of security and anonymity. This makes it notoriously difficult for law enforcement agencies to track down their location and the people who maintain them. Also, criminals invariably use cryptocurrencies like Bitcoin to hide their transactions, which is why ransomware payments are never demanded in US dollars or other mainstream currencies.

Another common misconception about the dark web is its legality. Although a lot of content on the dark web is illegal, the network itself isn’t. In fact, it does have its legitimate uses, at least in theory. For example, journalists may use it to allow their sources to remain anonymous, and citizens of oppressive regimes may turn to it as a platform for free speech. As far as companies are concerned though, it’s primarily a hotbed of criminality.

Why is the dark web so dangerous?

Naturally, the fact that people think they get away with just about anything on the dark web, whether that’s hiring an assassin or selling ransomware as a service, has made it the medium of choice for all manner of criminals. Perhaps the most poignant example of all was the Silk Road marketplace, a darknet market that mostly sold drugs. Despite being the first and biggest illegal darknet marketplace, it took the FBI in the US three years to track down its founder Ross Ulbricht, who is now facing life imprisonment without the possibility of parole. The site, along with its successors, has now been closed down.

While you might think that the Silk Road’s takedown would set an example, it hasn’t had much of an impact on darknet criminality. Despite the past couple of years seeing a significant uptick in dark web law-enforcement, thanks to Operation Onymous by Europol and the multinational Operation Bayonet, many illegal marketplaces are alive and well – and growing fast. Most transactions now take place over darknet forums and smaller marketplaces, since many of the big names like AlphaBay, Wall Street and Dream Market have been taken down. But that hasn’t made the dark web any less of a threat to businesses.

Cybercriminals most often carry out their attacks for financial gain. That means they need a place to sell their ill-gotten gains, and the dark web presents the perfect marketplace. In other cases, victims may be held to ransom, with attackers claiming they’ll publicly disseminate their stolen data, which might include anything from explicit photos to bank account details, if they don’t pay up. A lot of stolen data, however, ends up on the dark web. For example, ‘fullz’ is dark-web lingo for full packages of identifying information, which is sold to identity thieves for use in credit card fraud. If these records are stolen in a data breach that targets your business, then that’s likely where they’ll end up.

Help or hype – are dark web monitoring services worth the money?

Dark web monitoring services have received a lot of hype in the last two years, following the catastrophic data breach that befell the Equifax consumer credit reporting agency, which exposed private information belonging to 147 million people. Rival agency Experian saw this as a market opportunity, so it quickly launched its dark web monitoring service in the US. It touts it as an identity theft protection product, although it does also let you freeze your assets to stop unauthorized individuals opening new lines of credit in your name.

Many companies are now offering dark web monitoring services, but there’s still a widespread misunderstanding about how they work, or even if they work at all. For a start, they don’t scan the entirety of the dark web, since doing so would be practically impossible. And neither can they initiate takedown proceedings against stolen records or intellectual property. The reality is that, once something ends up on an underground marketplace, there’s often nothing you can do to prevent it from being sold or misused.

Dark web monitoring services can only detect information that’s publicly available. Just like the search engine crawlers can’t see anything that’s hidden behind a login or paywall, dark web scanners can’t access anything that’s being shielded from scraping software. Instead, they’re looking out for big data dumps containing leaked personal information like passwords and payment card details. If your business suffers a data breach, and the stolen records have ended up on the dark web, then a dark web monitoring service will inform you, but only provided they could get their hands on it in the first place. Fortunately, there are many more effective ways to protect your business from the dangers of the dark web, such as by staying away from it, ensuring all data is encrypted and educating your employees about the dangers.

But if you’ve had a breach, it’s time to face facts – your data has already been stolen. If a massive data dump containing sensitive information pertaining to your business, employees or customers ends up on the dark web, then having the means to monitor it may allow you to identify the breach and act faster to alert anyone whose information has been stolen and lock down any compromised accounts. But it’s not a fool-proof solution, and neither will it protect you from the worst effects of identity theft.

However, in addition to helping you react quicker, dark web monitoring does offer some proactive value by helping keep business decision makers informed about trends and developments in these underground communities that might compromise their security. For example, if there’s chatter about targeting a particular company in dark web forums, a monitoring service could reveal it, giving you a chance to brace for an attack.

How else can you find out if you’ve been hacked?

As dark web monitoring isn’t a fool-proof option, many business leaders are looking for other, more reliable, ways to tell if they’ve been hacked. Some methods don’t even require you to invest a monthly fee. For example, individuals and businesses can quickly find out if their email addresses or any accounts associated with them have been compromised on Have I Been Pwned.

In the end, the only truly reliable way to find out if you’ve been hacked is to keep full audit trails of all activity across your network and every device connected to it. Today’s security solutions go far beyond the limited capabilities of conventional antivirus software and firewalls to search for suspicious activities rather than just detect known threats. These might include unusual computing activities, strange network connections or unwanted software installations.

Remember that no information security infrastructure is 100 percent effective. But if your organization does fall victim to a data breach, then the sooner you learn about it, the more time you’ll have to prevent unacceptable losses. That’s why a multi-layered, proactive approach to cybersecurity that provides full, real-time visibility into all your digital assets is the only proven solution for keeping your business and your customers safe.

Resource: https://www.kaspersky.com/blog/secure-futures-magazine/dark-web-monitoring/29084/

The new era of machine learning–aided scams

New technologies are clearly changing the world, but not the human psyche. As a result, evil geniuses are devising new technological innovations to target vulnerabilities in the human brain. One vivid example is the story of how scammers mimicked the voice of an international CEO to trick the head of a subsidiary into transferring money to shady accounts.

What happened?
The details of the attack are unknown, but the Wall Street Journal, citing insurance firm Euler Hermes Group SA, describes the incident as follows:

  • Answering a phone call, the CEO of a U.K.-based energy firm thought he was speaking with his boss, the chief executive of the firm’s German parent company, who asked him to send €220,000 to a (fictitious, as it later turned out) Hungarian supplier within an hour.
  • The British executive transferred the requested amount.
  • The attackers called again to say the parent company had transferred money to reimburse the U.K. firm.
  • They then made a third call later that day, again impersonating the CEO, and asked for a second payment.
  • Because the transfer reimbursing the funds hadn’t yet arrived and the third call was from an Austrian phone number, not a German one, the executive became suspicious. He didn’t make the second payment.

How was it done?
Insurers are considering two possibilities. Either the attackers sifted through a vast number of recordings of the CEO and manually pieced together the voice messages, or (more likely) they unleashed a machine-learning algorithm on the recordings. The first method is very time-consuming and unreliable — it is extremely difficult to assemble a cohesive sentence from separate words without jarring the ear. And according to the British victim, the speech was absolutely normal, with a clearly recognizable timbre and a slight German accent. So, the main suspect is AI. But the attack’s success had less to do with the use of new technologies than with cognitive distortion, in this case submission to authority.

Psychological postmortem
Social psychologists have conducted many experiments showing that even intelligent, experienced people are prone to obeying authority unquestioningly, even if doing so runs counter to personal convictions, common sense, or security considerations.

In his book The Lucifer Effect: Understanding How Good People Turn Evil, Philip Zimbardo describes this type of experiment, in which nurses got a phone call from a doctor asking them to inject a patient with a dose of medicine twice the maximum allowable amount. Out of 22 nurses, 21 filled the syringe as instructed. In fact, almost half of nurses surveyed had followed a doctor’s instructions that, in their opinions, could harm a patient. The obedient nurses believed they had less responsibility for the orders than a doctor with the legal authority to prescribe treatment to a patient.

Psychologist Stanley Milgram likewise explained the unquestioning obedience to authority using the theory of subjectivity, the essence of which is that if people perceive themselves as tools for fulfilling the wills of others, they do not feel responsible for their actions.

What to do?
You simply cannot know with 100% certainty who you are talking to on the phone — especially if it’s a public figure and recordings of their voice (interviews, speeches) are publicly available. Today it’s rare, but as technology advances, such incidents will become more frequent.

By unquestioningly following instructions, you might be doing the bidding of cybercriminals. It’s normal to obey the boss, of course, but it’s also critical to question strange or illogical managerial decisions.

We can only advise discouraging employees from following instructions blindly. Try not to give orders without explaining the reason. That way, an employee is more likely to query an unusual order if there’s no apparent justification.

From a technical point of view, we recommend:
  • Prescribe a clear procedure for transferring funds so that even high-ranking employees cannot move money outside of the company unsupervised. Transfers of large sums must be authorized by several managers.
  • Train employees in the basics of cybersecurity, and teach them to view incoming orders with a healthy dollop of skepticism. Our threat awareness programs will help with this.
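As an added example (not code from the Kaspersky post), here is the kind of separation-of-duties check that the transfer procedure above implies: a request at or above an assumed threshold needs several distinct approvers, and the requester can never count as one of them. The threshold, the number of required approvals and the sample request are constructed assumptions.

```python
"""Threshold-based multi-approver control for outbound transfers.
Added example; the policy values below are assumptions, not the post's."""
from dataclasses import dataclass, field
from typing import List, Tuple

LARGE_SUM = 100_000.0      # assumed: transfers from here up need several managers
APPROVALS_REQUIRED = 2     # assumed: distinct approvers for a large transfer


@dataclass
class TransferRequest:
    requester: str                 # who asked for the money to move
    amount: float
    beneficiary: str
    approvals: List[str] = field(default_factory=list)   # approver user ids


def approvals_needed(amount: float) -> int:
    """Small transfers need one approver other than the requester; large ones need several."""
    return APPROVALS_REQUIRED if amount >= LARGE_SUM else 1


def review(req: TransferRequest) -> Tuple[bool, str]:
    """Return (allowed, reason).

    The requester may never approve their own request, and each approver is
    counted once, so a single pressured or impersonated executive cannot move
    a large sum alone, however convincing the phone call was."""
    if req.requester in req.approvals:
        return False, "requester attempted to approve their own transfer"
    distinct = {a for a in req.approvals if a != req.requester}
    need = approvals_needed(req.amount)
    if len(distinct) < need:
        return False, f"{len(distinct)} of {need} required approvals present"
    return True, "approved"


if __name__ == "__main__":
    # Constructed sample modelled on the incident: a large payment requested
    # by one executive on the strength of a phone call.
    req = TransferRequest(requester="uk_ceo", amount=220_000, beneficiary="supplier-HU")
    print(review(req))                       # (False, '0 of 2 required approvals present')
    req.approvals = ["cfo", "board_member"]
    print(review(req))                       # (True, 'approved')
```

The point of the control is that the approval step moves the decision to people who did not take the call, so the social pressure of a convincing voice acts on one person but cannot, by itself, release the funds.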

Resource: https://www.kaspersky.co.in/blog/machine-learning-fake-voice/16753/

What you need to know about cyber fraud in car sharing services – a study of 13 car sharing apps

Cyber fraud in car sharing services has been booming in the digital era. The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. The statistics appear to back up this claim: for example, in 2017 Moscow saw the car sharing fleet, the number of active users and the number of trips they made almost double. This is great news, but information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

Why is car sharing of interest to criminals?

The simple answer would be because they want to drive a nice car at somebody else’s expense. However, doing so more than once is likely to be problematic – once the account’s owner finds out they have been charged for a car they never rented, they’ll most likely contact the service’s support line, the service provider will check the trip details, and may eventually end up reporting the matter to the police. It means anyone trying it a second time will be tracked and caught red-handed. This is obvious and makes this particular scenario the least likely reason for hijacking somebody’s account.

The selling of hijacked accounts appears to be a more viable reason. There is bound to be demand from those who don’t have a driving license or those who were refused registration by the car sharing service’s security team. Indeed, offers of this nature already exist on the market.

How do fraudsters advertise stolen accounts on the Dark Web?

First of all, a stolen account is advertised as placing less responsibility on the driver. If the buyer crashes the car or hits a pedestrian, the cybercriminals promise that they won’t suffer the legal consequences of the offense, because the person whose account credentials were stolen will be held accountable instead.

Secondly, the cyber criminals promise more “anonymity” that helps the end buyer not disclose their personal information, such as phone number, photocopies of their passport and drivers’ license and other credentials.

Thirdly, one of the fraudsters’ main target audiences is people who have not yet reached the legal age of 21 or the driving experience (usually 2-3 years) required by car sharing services; the sellers claim their service helps such people avoid paying fees for road accidents, drive under the influence and escape being held responsible in any way.

The alleged anonymity, however, is dangerous for everyone involved: the car sharing service providers, who end up losing up to $400.000 because of car theft; users, whose information might be compromised; and pedestrians and other drivers, who risk their lives sharing the road with a reckless driver using a stolen car sharing account.

In addition, someone who knows the details of a user’s car sharing account can track all their trips and steal things that are left behind in the car. And, of course, a car that is fraudulently rented in somebody else’s name can always be driven to some remote place and cannibalized for spare parts.

Application security

So, we know there is potential interest among criminal elements; now let’s see if the developers of car sharing apps have reacted to it. Have they thought about user security and protected their software from unauthorized access? We tested 13 mobile apps and (spoiler alert!) the results were not very encouraging.

We started by checking the apps’ ability to prevent launches on Android devices with root privileges, and assessed how well the apps’ code is obfuscated. This was done for two reasons:

  • the vast majority of Android applications can be decompiled, their code modified (e.g. so that user credentials are sent to a C&C), then re-assembled, signed with a new certificate and uploaded again to an app store;
  • an attacker on a rooted device can infiltrate the process of the necessary application and gain access to authentication data.

Another important security element is the ability to choose a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as users often forget to hide it on social media, while car sharing users can be identified on social media by their hashtags and photos.

Password strength

Half the applications we tested do not allow the user to create their own credentials; instead they force the user to use their phone number and a PIN code sent in a text message. On the one hand, this means the user can’t set a weak password like ‘1234’; on the other hand, it presents an opportunity for an attacker to obtain the password (by intercepting it using the SS7 vulnerability, or by getting the phone’s SIM card reissued). We decided to use our own accounts to see how easy it is to find out the ‘password’.

If an attacker finds a person’s phone number on social media and tries to use it to log in to the app, the owner will receive an SMS with a validation code. The validation code is just four digits long, which means it only takes 10,000 attempts to guess it – not such a large number. Ideally, such codes should be at least six digits long and contain upper and lower case characters as well as numbers.

Another car sharing service sends stronger passwords to users; however, there is a drawback to that as well. Its codes follow a single template: a digit in the first and last positions with four lower-case Latin characters in between.

That gives 45 million possible combinations to search through; if the positions of the digits were not restricted, the number would rise to two billion. Of course, 45,000,000 is also a large amount, but the app imposes no timeout before the next attempt, so there is nothing to prevent brute forcing.
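The combination counts quoted above, and what a request rate or an attempt limit does to them, worked through as an added example (this is not tooling from the Securelist study). The positional pattern notation, the request rates and the attempt cap are my own assumptions; the 4-digit PIN, the digit-letters-digit template and the six-character alternatives are the formats the text describes.

```python
"""Keyspace arithmetic for one-time codes and template passwords.
Added example; pattern letters and rates below are assumptions."""

# Character-class sizes for the constructed pattern notation:
#   d = decimal digit, l = lower-case Latin letter,
#   a = lower-case letter or digit, A = letter of either case or digit
CLASS_SIZES = {"d": 10, "l": 26, "a": 36, "A": 62}


def keyspace(pattern: str) -> int:
    """Number of distinct codes matching a positional template such as 'dlllld'."""
    total = 1
    for cls in pattern:
        total *= CLASS_SIZES[cls]
    return total


def seconds_to_exhaust(space: int, requests_per_second: float) -> float:
    """Worst-case time to try every code at a steady rate with no lockout."""
    return space / requests_per_second


def rate_to_exhaust(space: int, lifetime_s: float) -> float:
    """Request rate needed to cover the whole space before the code expires."""
    return space / lifetime_s


def success_probability(space: int, allowed_attempts: int) -> float:
    """Chance of guessing a uniformly random code when the server accepts only
    `allowed_attempts` guesses before invalidating it, whatever the request rate."""
    return min(allowed_attempts, space) / space


if __name__ == "__main__":
    for name, pat in [("4-digit SMS PIN", "dddd"),
                      ("digit + 4 lower-case + digit", "dlllld"),
                      ("6 chars, unrestricted letters/digits", "aaaaaa"),
                      ("6 chars, mixed case + digits", "AAAAAA")]:
        print(f"{name:40s} {keyspace(pat):>15,d}")
    # A 4-digit code that lives about 120 s is exhausted at roughly 83 req/s;
    # the 45-million template takes about 5.3 days at an assumed 100 req/s
    # with no timeout, while a 5-attempt cap leaves the 4-digit code with a
    # 0.0005 success probability regardless of speed.
    print(f"{rate_to_exhaust(keyspace('dddd'), 120):.1f} req/s to exhaust the PIN in time")
    print(f"{seconds_to_exhaust(keyspace('dlllld'), 100) / 86400:.1f} days for the template")
    print(success_probability(keyspace("dddd"), 5))
```

The last function is the one that matters for the recommendations later on the page: lengthening the code raises the exhaustion time, but only an attempt cap (or a lockout) makes the attacker's request rate irrelevant.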

Now, let’s return to the PIN codes of the first application. The app gives users a minute to enter the PIN; if that isn’t enough time, users have to request a new code. It turned out that the combination lifetime is a little over two minutes. We wrote a small brute force utility, reproduced part of the app/server communication protocol and started the brute force. We have to admit that we were unable to brute force the code, and there are two possible reasons for that: either our internet line was inadequate, or the car sharing operator set an appropriate two-minute timeout for the PIN code, so that it couldn’t be brute forced within two minutes even with an excellent internet connection. We decided not to continue, confirming only that the service remained responsive and an attack could be continued after several attempts at sending 10,000 requests at a time.

While doing so, we deliberately started the brute force in a single thread from a single IP address, thereby giving the service a chance to detect and block the attack, contact the potential victim and, as a last resort, deactivate the account. But none of these things happened. We decided to leave it at that and moved on to testing the next application.
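Server-side, the missing controls the paragraph above lists (detect the guessing, block it, tell the account owner) come down to a code verifier that enforces a lifetime, caps attempts per issued code and locks the account with an alert when the cap is hit. The following is an added example of such a verifier, not code from any of the services studied; the two-minute lifetime matches the text, while the five-attempt cap, the lockout duration and the six-digit length are assumptions.

```python
"""One-time-code verifier with expiry, attempt cap and lockout alerts.
Added example; the policy constants are assumptions."""
import hmac
import secrets
import time
from typing import Dict, List, Tuple

CODE_LIFETIME_S = 120     # the page reports a lifetime of a little over two minutes
MAX_ATTEMPTS = 5          # assumed: wrong guesses accepted per issued code
LOCKOUT_S = 900           # assumed: cool-down after the cap is reached
CODE_DIGITS = 6           # assumed: longer than the 4-digit code criticised above


class OtpVerifier:
    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._pending: Dict[str, list] = {}   # account -> [code, issued_at, attempts]
        self._locked_until: Dict[str, float] = {}
        self.alerts: List[str] = []           # what would go to the owner and the SOC

    def _is_locked(self, account: str) -> bool:
        return self._locked_until.get(account, 0.0) > self._now()

    def issue(self, account: str) -> str:
        """Generate a fresh code; refuse while the account is locked."""
        if self._is_locked(account):
            raise PermissionError("account temporarily locked")
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = [code, self._now(), 0]
        return code

    def verify(self, account: str, guess: str) -> Tuple[bool, str]:
        """Check a guess. Every wrong guess counts; the cap, not the request
        rate, bounds the attacker's chances, and hitting it raises an alert."""
        if self._is_locked(account):
            return False, "locked"
        entry = self._pending.get(account)
        if entry is None:
            return False, "no code pending"
        code, issued_at, _ = entry
        if self._now() - issued_at > CODE_LIFETIME_S:
            del self._pending[account]
            return False, "expired"
        entry[2] += 1
        # Constant-time comparison; non-ASCII input can never match a digit string.
        if guess.isascii() and hmac.compare_digest(code, guess):
            del self._pending[account]
            return True, "ok"
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[account]
            self._locked_until[account] = self._now() + LOCKOUT_S
            self.alerts.append(
                f"{account}: {MAX_ATTEMPTS} failed code entries, locked for {LOCKOUT_S}s")
            return False, "locked"
        return False, "wrong code"


if __name__ == "__main__":
    v = OtpVerifier()
    code = v.issue("demo-user")
    print(v.verify("demo-user", "000000" if code != "000000" else "111111"))  # wrong code
    print(v.verify("demo-user", code))                                         # (True, 'ok')
```

Two design notes. The attempt counter is tied to the issued code, so requesting a new code does not reset an attacker's budget without also invalidating the code they were guessing. The lockout also blocks issuing new codes, which an attacker could use to lock a legitimate user out; that is a deliberate trade-off here, and the alert is what turns it from a silent failure into the owner contact the paragraph above says never happened.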

We tried all the above procedures on the second app, the sole difference being that we did not achieve a successful brute force of the password. We decided that if the server allows 1,000 combinations to be checked, it would probably also allow 45 million combinations to be checked, so it is just a matter of time.

This is a long process with a predictable result. This application also stores the username and password locally in an encrypted format, but if the cybercriminal knows their format, brute forcing will only take a couple of minutes – most of this time will be spent on generating the password/MD5 hash pair (the password is hashed with MD5 and written in a file on the device).

Protection from overlaying

Of course, it’s much faster and more effective (from the attacker’s point of view) if an Android device can be infected, i.e., the authorization SMS can be intercepted, so the attacker can instantly log in on another device. If there’s a complex password, then the attacker can hijack the app’s launch by showing a fake window with entry fields for login details that covers the genuine app’s interface. None of the applications we analyzed could counter this sort of activity. If the operating system version is old enough, privileges can be escalated and, in some cases, the required data can be extracted.

Outcome

The situation is very similar to what the Kaspersky team found surrounding Connected Car applications. It appears that app developers don’t fully understand the current threats to mobile platforms – that goes for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying users of suspicious activities – only one service currently sends notifications to users about attempts to log in to their account from a different device. The majority of the applications we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code.

Russian car sharing operators could learn a thing or two from their colleagues in other countries. For example, a major player in the market of short-term car rental only allows clients to access a car with a special card – this may make the service less convenient, but dramatically improves security.

Recommendations to car sharing services

  • Use commercially available packers and obfuscators to complicate reverse engineering. Pay special attention to integrity control, so the app can’t be modified.
  • Use mechanisms to detect operations on rooted devices.
  • Allow the user to create their own credentials; ensure all passwords are strong.
  • Notify users about successful logons from other devices.
  • Switch to PUSH notifications: it’s still rare for malware to monitor the Notification bar in Android.
  • Protect your application interface from being overlaid by another app.
  • Add a server certificate check.
  • Consider investing in a fool-proof anti-fraud solution for your business that will help prevent fraud and cut the cost of inefficient second-factor authentication.

Resource: https://securelist.com/a-study-of-car-sharing-apps/86948/

Fraud in retail & e-commerce – who is in the bonus really?

There’s no doubt that loyalty schemes are a winning way to keep your customers loyal and grateful for your service and products. However, have you ever wondered who’s being lured into these e-commerce sales tricks even more so than your devoted customers? We suggest it’s fraudsters, and according to our latest research the schemes they employ to complete fraud are at the very least impressive. So how does a fraudster get to take advantage of an e-commerce/retail vendor’s offerings?

One way cybercriminals exploit loyalty programs is by acquiring as many bonus points as they can by creating multiple fake accounts. They then offer the additional discounts online, granting the buyer some bonus points, but on the condition that they make the purchase themselves (with the buyer’s money) and receive the additional benefits that come with the purchase (e.g. gift scratch cards). This way the criminals can turn their accumulated points into cashback.

A fraudster can accumulate enough bonus points using this scheme to cover the full cost of a product. This allows the criminal to make a purchase, either for himself or to resell afterwards.

What do the numbers show?

The Kaspersky Fraud Prevention team recently discovered over 3,000 fake accounts in the loyalty program of just one major retailer. The accounts were used to acquire welcome bonuses for newly registered users, and were then sold on the dark web at a reduced fee.

Statistics show that a physical bank robbery may result in average gains of around $5,000-$7,000, while selling 100-150 gift cards at $50 each brings the same rewards but a much reduced risk of being caught.

In the past year, almost 7% of digital service users were subject to various kinds of identity fraud, while account takeover losses tripled and reached more than $5 billion globally.

Contact us to get the full report!

Why is fighting fraud necessary?

At this point it is quite clear that monitoring user activity and detecting correlations between devices and customers is essential for preventing fraudulent activity and making sure bonus points and loyalty programs are safe. But just how important is it for fraud prevention to take action? Let’s analyze two examples:

In this instance the client is actually combating fraud, so the fraudsters delete all their cookies and use new devices for new sessions to ensure they are under the radar. View the illustration below to see what happens when they don’t remove cookies:

Now let’s look at how global reputation operates when it comes to detecting fraudsters’ circles on an example of a major e-commerce vendor:

The fraud network above was formed in 2018 and was subject to massive expansion that culminated in thousands of synthetic accounts:

Moving to the digital world means elevating cybersecurity for e-commerce and retail enterprises. It is essential to provide security for consumers during the entire session, including registration, login and transactions, but not just limited to this.

Creation of synthetic accounts to obtain promotional codes for a loyalty program

At the end of 2017, a group of almost 3,000 synthetic accounts was discovered among the accounts of a loyalty program. They were used to receive ‘welcome’ bonuses for registering new accounts, with a view to reselling them on related internet sites. A distinctive feature of this group was the use of a single email box to manage the entire group. This was made possible due to a feature of the Gmail service that does not take into account the dot symbol in an alias, allowing all accounts in the incident to become modified versions of the main primary address with the addition of a dot. After Kaspersky Fraud Prevention was connected to another major marketplace bonus program it was found that the same scammer had begun creating synthetic accounts to receive welcome bonuses for this service as well, using the same devices and the same trick with the email addresses on Gmail. The attacker managed to create a total of 542 synthetic accounts in the bonus program.
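The detection side of the incident above is straightforward once the addresses are normalised: for Gmail, dots in the local part and anything after a plus sign do not change the mailbox, and googlemail.com delivers to the same service, so accounts can be grouped by the mailbox that really controls them. The following is an added example of that grouping, not Kaspersky Fraud Prevention's own logic; the sample accounts and the cluster threshold are constructed.

```python
"""Group loyalty-program accounts by the mailbox that actually controls them,
collapsing Gmail dot and plus-tag aliases.  Added example; sample data constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Domains where dots in the local part are ignored and "+tag" is a free alias.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the address that identifies the real mailbox.

    For Gmail: lower-case, strip the '+tag', remove all dots in the local part,
    and map googlemail.com to gmail.com.  Other domains are only lower-cased,
    because for them the dots are significant."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def mailbox_clusters(accounts: Iterable[Tuple[int, str]]) -> Dict[str, List[int]]:
    """Map each canonical mailbox to the account ids registered under it."""
    clusters: Dict[str, List[int]] = defaultdict(list)
    for account_id, email in accounts:
        clusters[canonical_email(email)].append(account_id)
    return dict(clusters)


def suspicious_clusters(accounts: Iterable[Tuple[int, str]], threshold: int = 3) -> Dict[str, List[int]]:
    """Mailboxes controlling at least `threshold` accounts.  One mailbox behind
    many 'new' accounts is the welcome-bonus pattern described in the incident;
    the threshold is an assumed tuning value."""
    return {mailbox: ids for mailbox, ids in mailbox_clusters(accounts).items()
            if len(ids) >= threshold}


# Constructed sample registrations: four aliases of one Gmail mailbox plus two
# genuinely different addresses on a domain where dots matter.
SAMPLE_ACCOUNTS = [
    (1, "john.doe@gmail.com"),
    (2, "jo.hn.doe@gmail.com"),
    (3, "j.o.h.n.doe@googlemail.com"),
    (4, "johndoe+promo@gmail.com"),
    (5, "alice@example.org"),
    (6, "a.lice@example.org"),
]

if __name__ == "__main__":
    for mailbox, ids in suspicious_clusters(SAMPLE_ACCOUNTS).items():
        print(f"{mailbox}: {len(ids)} accounts -> {ids}")   # johndoe@gmail.com: 4 accounts
```

In practice this grouping is one feature among several: the incident text also correlates the devices used, and an address cluster on its own is only a signal to review, not proof of fraud.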

Below is an illustration of the compromised account links for two different loyalty programs via the fraudster’s devices:

Timing is a major factor for retailers when interacting with their customers via digital channels. It is no surprise that buyers expect the service to be instant: fast payment for a fast order that will be delivered fast. This leaves the merchant no room for error. Fraud rates are soaring and it is impossible for any fraud specialist to keep up with all the threats.

Criminals are exploiting these vulnerabilities: they are aware that no human analyst is capable of tracking ever emerging attacks at the pace required to keep customers satisfied and secure.

Making sure that an organization does not suffer financial and reputational consequences requires strong yet seamless authentication and analysis of both identities and session data. Striking a balance between protecting customers from new account fraud and account takeover and ensuring the user experience is seamless and smooth remains a difficult task.

Data gathered by Kaspersky Fraud Prevention presents the big picture when it comes to a correlation between suspicious user activity and actual fraud taking place within the network of a retail or e-commerce provider. Taking into account the possible negative outcomes and damage that they might bring, the decision to protect your business with the help of a proven cybersecurity provider should be seriously considered.

Kaspersky Lab rolls out services to protect blockchain and crypto businesses from cyberattacks and fraud

Cybersecurity giant Kaspersky Lab has launched new service packages for crypto and blockchain businesses to protect them from cyberattacks and fraud.

With the proliferation of blockchain and crypto-focused businesses, cybersecurity risks are also on the rise. In the past two years, Kaspersky Lab said that its experts have identified a number of such risks and threats such as phishing copies of a popular ICO website, targeted attacks on crypto exchanges, and adware intended to steal cryptocurrency, among others.

To help blockchain and crypto businesses overcome these challenges, Kaspersky Lab has launched new service packages. The services specially targeted at token offering projects include:

  • Smart Contract Code Review, which identifies flaws and undeclared features, and finds discrepancies between what is stated in the supporting documentation and the smart contract’s business logic.
  • Application Security Assessment, which helps a startup team analyze the state of security of applications developed by a startup.

Kaspersky Lab is also offering a tailored service pack to provide a high level of protection for crypto exchanges, which includes:

  • Application Security Assessment to help owners of crypto exchanges detect critical bugs and address them before they cause damage.
  • Penetration Testing to help crypto exchanges identify weak spots in their systems and to ensure that hackers won’t penetrate them easily.
  • User Account Takeover Prevention to detect attempts from criminals to get access to user wallets.

Kaspersky Lab Blockchain Security services also include ‘Phishing Protection’ which will provide alerts when fake copies of crypto exchanges and ICOs are generated, ‘Incident Response’ service and ‘Cybersecurity Awareness’ training to improve the overall level of cybersecurity hygiene, helping the companies protect themselves against social engineering attacks.

For crypto exchanges with basic cybersecurity measures, Kaspersky Lab provides additional enhancements – identifying potentially fraudulent blockchain transactions to prevent money laundering, and automatically identifying and responding to targeted attacks. For crypto exchanges that have an internal Security Operation Center, it offers Threat Data Feeds and information security training and awareness programs for security operation teams to enhance their forensic and detection capabilities.

“We see a growing demand for cybersecurity from blockchain startups that are looking for both protection from cyberthreats and additional evidence that they can be trusted by investors. That’s what we’re helping them to achieve with our new offering,” Vitaly Mzokov, Head of Verification, at Kaspersky Lab, said.

Resource: https://www.tokenpost.com/Kaspersky-Lab-rolls-out-services-to-protect-blockchain-and-crypto-businesses-from-cyberattacks-and-fraud-1774

South Africans most susceptible to online banking attacks

By Robin-Leigh Chetty

AfricaCom 2018 is taking place this week which means some of the top organisations on the continent will be descending on Cape Town to discuss the current technology landscape and look to how things can be improved.

One organisation with a focus on cybersecurity is Kaspersky Lab, and they will be showcasing some of their fraud prevention solutions at the week-long conference.

In order to highlight the need for more robust cybersecurity solutions, Kaspersky recently conducted a survey that focused on the Middle East, Turkey and Africa (META) region, and the insights for South Africa in particular make for interesting reading.

More specifically, the report found that 86 percent of South Africans make regular use of online banking services and platforms, which is higher than the figures for the Middle East and Turkey.

While this points to a strong local uptake of such technologies, the report also adds that South Africans are still quite skeptical of online banking.

“South African online bankers were the highest targeted in hacking attempts in the region, at 18%. Banking is just one of the sectors that are challenged by cybercrimes as consumers become more connected and service provider networks grow,” says Tim Ayling, global head of fraud prevention solutions at Kaspersky Lab.

“Fraud losses are now in the tens of billions of dollars globally, where it has been reported that South African credit card fraud alone increased to R436 million in 2017. Though some can argue that technology changes are partially to blame for this, consumers also seem very happy to share personal information online, without any thought on how this can be used for bad,” adds Ayling.

A possible solution to combat this growing issue could lie with machine learning, which Kaspersky Lab has recently put to use in its latest fraud prevention offerings. In particular, Kaspersky Lab is using machine learning in four specific ways when tackling fraud.

The first is client-less malware protection, which checks if a customer’s machine or device is infected with malware. Next is assisting in determining the legitimacy of sessions with the help of behavioural biometrics to see how users interact with mobile devices. Then there’s behavioural analysis, which looks at what the user clicks when creating a “normal behaviour” profile. Lastly, device and environment analysis examines areas which may be known for being “involved in fraud” like global device and location reputation.

“As African economies continue to emerge and grow, there have to be lessons that must be applied. Firstly, to succeed, information is treasure that businesses cannot do without, so be aware of the risks this information faces. Be ready to protect and nurture that data – the future depends on it,” concludes Ayling.

All of these new technologies will be on show in Cape Town for AfricaCom 2018 this week, where Kaspersky Lab aims to educate those in the industry about the threat that fraud poses.

Source: https://www.htxt.co.za/2018/11/12/kaspersky-lab-report-says-south-africans-most-susceptible-to-online-banking-attacks/

Using our bodies as secure ID – when do we worry?

By Marco Preuss

You are uniquely you

From your walk to your heartbeat, your body is unique – and the ID industry wants to use that. This isn’t because they’re creepy, it’s because over the last few years the world has discovered that traditional approaches to confirming identities, particularly online, don’t work anymore.

A determined attacker with sophisticated tools, or even an opportunistic, low-skilled one who’s bought some malware on the dark web, can find it worryingly easy to hack into people’s online accounts and fill a cart with credit card details and more. Especially if the victim’s password is ‘password’ or the name of their pet goldfish and they’ve used it 20 times or so in the last year alone. Connected businesses have had enough, and so have consumers. Having to create and remember ever more convoluted passwords is not the answer. It’s rather like following a nutritious but complicated diet. You know it’s good for you, but 20 minutes a day spent cleaning the juicer will eventually diminish the appeal of glowing skin and boundless energy. Strong security requires convenience and simplicity, at least for the user.

So the ID industry and the organisations that rely on accurate authentication and identification, including banks, healthcare, technology companies and government agencies such as border control, have started to explore other options – many centred in, on or around our bodies.

Bodies and technology: inside or out?

There are, broadly speaking, two kinds of approaches: in the first, the technology sits outside the body and uses aspects of it that are totally unique to each individual; and in the second the technology sits on the inside: tiny microprocessors implanted under the skin.

Here we look at the first approach.

The bits of you that can confirm you are most definitely you, particularly in the digital world, include: your face, your fingerprints, your eyes, your ear, your vein pattern, your heartbeat, your gait, how you type and your voice. Technology translates this into binary data and uses that to authorise access to your online accounts, digital devices and more – or for identification, such as passports. Effortless for the user, secure and unambiguous for the organisation. No more pesky passwords. Job done.

Only, it’s not quite that simple.

The top biological identifiers

Eyes – The scanning of the iris has now largely taken over from retina scanning (using the pattern of veins in the back of the eye). Like most other biometric identifiers, the iris is unique to each individual and doesn’t change over time. However, the cost and equipment required to implement this biometric mean that it has, to date, been used mainly by business, and for access to physical premises in particular. CERN – where the Large Hadron Collider is located – uses iris scanning to control access, for example. Having said that, the technology is now appearing on smartphones. Samsung’s Galaxy Note7, a few Lumia Windows and Fujitsu phones, as well as some iOS devices are now able to incorporate scanning. However, in 2015, a researcher known as Starbug claimed to have successfully spoofed iris recognition technology by extracting the iris data from an online picture of the German Chancellor, Angela Merkel.

Fingerprints – Probably the most well-known and widely used biometric, fingerprint recognition became popular after it was introduced into mobile phones by Apple in 2013. Within a day of the launch, Starbug announced he had successfully compromised the feature, making a dummy ‘finger’ from fingerprints found on the phone.

Hands – This can include the three-dimensional geometry of a finger or hand, as well as the pattern of veins in a hand or finger. Barclays Bank has introduced finger vein recognition for its corporate clients, and more than 80,000 biometric ATMs across Japan now identify accountholders via palm or finger vein scanning. It has also been introduced elsewhere in the Far East and in Europe. Other parts of the face that can be used as biometric markers include the shape of the ear or a broader analysis of facial features or patterns. These are currently used by, among others, Microsoft’s Xbox ONE and Playstation 4. And while there is no indication that these markers have been compromised successfully, there is evidence that they are starting to attract the attention of cybercriminals.

Recent Kaspersky Lab research into the criminal underground uncovered at least twelve sellers offering card-skimmers capable of stealing victims’ fingerprints. And at least three are researching devices that could illegally obtain data from palm vein and iris recognition systems. The researchers also found online community discussions regarding the development of a mobile application for ‘fake face masks’.  Such an app would allow an attacker to take someone’s picture from the internet and use it to fool a facial recognition system.

Heartbeat – This is a very new area. There are a number of products under development, one of which is Nymi, a wristband that can confirm your identity through the unique electrical impulses generated by your heartbeat.  In August 2015, Nymi and Mastercard announced they had undertaken the first, real-life, heartbeat-authenticated mobile payment.  It is too soon to assess the security vulnerability of this approach.

Voice – Voice recognition is already widely used in financial services, mainly alongside other methods of authentication.  It is a sophisticated, complex process that involves analysing many parameters and patterns, including intonations, natural speech defects, word order and more, and then comparing them with each other.

The depth of analysis and the vast volume of data that needs to be processed mean that the risk of voice ID being compromised by attackers is currently fairly low. But Kaspersky Lab experts believe this could change. In late 2016, Adobe announced a new voice editing technology, Voco, that would allow users to create and alter voice recordings using just 20 minutes’ worth of conversation. Similar solutions already exist, but they don’t make the process quite so easy. If you add to this trend the ever-growing database of voice recordings collected by new home connection devices, such as the Echo Dot, the threat of an attacker collecting enough data to recreate someone’s voice in a way that convinces authentication systems suddenly becomes a lot more realistic.

Gait, typing style and other ‘behavioural biometrics’ – These are often used in conjunction with other metrics, providing a clever additional layer of security.  Gait measures posture, speed, stride length, and the movement of feet, legs and arms in motion, among other things – but currently most interest is focused on using people’s unique way of interacting with their computing devices, such as typing style and mouse movement.  Kaspersky Lab is one of a number of organisations implementing such technologies.

Kaspersky Lab’s new cloud-based fraud prevention solution, for example, integrates mouse tracking and navigation to help spot fraudulent activity in online banking. Everyone has a unique way of moving the mouse across the screen. If you’re an incurable mouse-jiggler, or the kind to cut straight to the chase, the system will come to know it’s you.  Should anything change, it will get worried and trigger an alert. Not just because it could be someone else using your account, but because it could be something else, such as malware. For example, if the system detects the mouse moving across the page at a constant speed, or no mouse movement at all – this is a strong indicator of automated software, such as malware, or someone using a remote administration tool (known as a RAT).

Online navigation is similarly revealing. Account holders tend to head first for the transaction pages to deal with bills and things.  Malware and fraudulent users, on the other hand, are not interested in paying your electricity bill, but do want to know what your credit limits and personal details are.  So that’s where they go first, tripping an alert in their rush to get there.

Canny malware authors who’ve worked this out and amble nonchalantly past your credentials after kicking their heels in the payment templates for a bit, will still be caught out as the security solution never stops monitoring.
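The two session signals described above (a cursor that moves at a constant speed or not at all, and navigation that heads straight for credit limits and personal details) can be checked with a few lines of code. The example below is added here and is not Kaspersky Lab's implementation; the sessions, page names and the coefficient-of-variation threshold are constructed for illustration.

```python
from dataclasses import dataclass
from math import hypot
from statistics import mean, pstdev

# Constructed labels for the pages the article says fraud tooling heads
# for first (credit limits, personal details) rather than payments.
SENSITIVE_PAGES = {"credit-limit", "personal-details", "cards"}


@dataclass
class Session:
    """One online-banking session: mouse samples and page visits (constructed)."""
    mouse: list   # (t_seconds, x, y) samples in time order
    pages: list   # page names in the order they were opened


def mouse_speeds(samples):
    """Speed in px/s between consecutive samples; zero-time gaps are skipped."""
    speeds = []
    for (t0, x0, y0), (t1, x1, y1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt > 0:
            speeds.append(hypot(x1 - x0, y1 - y0) / dt)
    return speeds


def mouse_flags(samples, cv_threshold=0.05):
    """Flag absent movement, or movement whose speed barely varies.

    A person's cursor speed changes a lot from sample to sample; a RAT or
    scripted cursor tends to glide at a constant rate. The coefficient of
    variation (stdev / mean) of the non-zero speeds captures that difference.
    """
    moving = [s for s in mouse_speeds(samples) if s > 0]
    if not moving:
        return {"no_mouse_movement"}
    cv = pstdev(moving) / mean(moving)
    return {"constant_speed"} if cv < cv_threshold else set()


def navigation_flags(pages):
    """Flag a session that opens a sensitive page before anything else."""
    return {"sensitive_page_first"} if pages and pages[0] in SENSITIVE_PAGES else set()


def score_session(session):
    """Union of anomaly flags; an empty set means the session looks like the account holder.

    Mouse flags are computed over the whole session, so lingering on the
    payments page first does not hide a constant-speed cursor.
    """
    return mouse_flags(session.mouse) | navigation_flags(session.pages)


# Constructed sessions (not real telemetry).
HUMAN = Session(
    mouse=[(0.0, 100, 200), (0.1, 112, 205), (0.2, 130, 220), (0.3, 133, 222),
           (0.4, 160, 240), (0.5, 161, 241), (0.6, 190, 270)],
    pages=["payments", "bills"],
)
# Cursor moves exactly 10 px every 100 ms in a straight line, straight to the limits page.
SCRIPTED = Session(
    mouse=[(i * 0.1, i * 10, 300) for i in range(8)],
    pages=["credit-limit", "personal-details"],
)
# No cursor movement at all during the session.
FROZEN = Session(
    mouse=[(i * 0.1, 50, 50) for i in range(5)],
    pages=["payments"],
)

if __name__ == "__main__":
    for name, s in (("human", HUMAN), ("scripted", SCRIPTED), ("frozen", FROZEN)):
        print(f"{name:9s} {sorted(score_session(s)) or 'no anomalies'}")
```

A production system would feed these flags into a risk score alongside device reputation and other signals rather than treating any one of them as proof of fraud.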

The use of keystroke patterns as identifiers is becoming less relevant as so many online services are now accessed using mobile devices, and keypad activity is often kept to a minimum.

Then, last but not least, there are those who want to identify you using just about everything.  Google’s new Abacus Project will authenticate people using a cumulative ‘trust score’, where your phone continuously monitors and recognises your location patterns, how you walk and type, as well as your facial features, and more.  Our own experience suggests that multiple biometric markers will always be more secure than a single one, but this needs to be weighed against the potential loss of personal privacy.

Addressing the security risks

Biometric markers are ideal for use as identifiers because they are unique and unchanging over time. That also makes them very vulnerable. If these identifiers are compromised, the potential consequences for victims in terms of loss of privacy and security are severe.

Biometric identifiers are, by their very nature, often public – anyone could be taking a picture of your ear or eye right now.  And if they are the gateway to some of your most personal information, it follows that you could be revealing everything about yourself without even knowing.  A nightmare scenario of a total loss of privacy.

Further, despite the fact that biometric data is already widely used for authentication and identification, the use of data about your body parts is largely unregulated.  We must address all these vulnerabilities before the attackers figure out how to exploit them.

Two years ago, we, and others like us, started to worry about such things. In addition to the new Kaspersky fraud prevention technologies, Kaspersky Lab also holds a patent for multi-factor biometric and contextual authentication, and we will be exploring this area further from a security technology perspective. All this builds on the theory, increasingly recognised across business and the security industry, that one metric on its own is too vulnerable. The most effective protection will combine at least two of the following: something you are (your body), something you know (your personal info) and something you have (a passcode, or similar).

Conclusion

Collaboration will be key: between the developers of biometric authentication and identification technologies, the security industry and the organisations who will be implementing the final products. Between us we have a responsibility to develop solutions that make life easier and safer for the innocent, and harder if not impossible for the guilty.

We can’t afford to fail. Each of us comes with just the one body. It’s possible to replace a stolen credit card or bank account number, not to mention set a new password, but how do you replace compromised retinas, ears, even fingerprints? You can’t just tick a box and, in return, receive an email with a link to create a new heartbeat.

Source: http://www.itp.net/617626-using-our-bodies-as-secure-id-%E2%80%93-when-do-we-worry

Kaspersky debuts Fraud Prevention solutions

By Staff Writer, ITWeb

Securing digital growth

The company says the rapid growth of digital channels has seen online fraud become a problem for a wide range of businesses beyond the finance sector, including loyalty programme providers and eCommerce entities.

These businesses need to improve the security of online transactions and lower the risk of fraud, without negatively affecting user experience.

Kaspersky’s Advanced Authentication solution employs a set of technologies that identify any anomalous or possible fraudulent activity at both the login and session stages, and flag it to the company for additional checks and confirmation with the user.

The solution analyses behavioural and biometric data, device reputation and other non-personalised metadata, while machine learning and complex algorithms ensure high detection rates and lower anomaly detection time.

The authentication process requires no intervention from the user, allowing organisations to prioritise high user retention and growth of their digital channels.

Fraud, money laundering

According to Kaspersky, financial crimes, including fraud and money laundering, are a serious concern for today’s economy, and are seeing regulating bodies continually introduce legislation to prevent them.

“This puts a responsibility on financial organisations who must achieve complete transparency in their operations, not only for the sake of their businesses, but also to maintain compliance with evolving regulations,” says Kaspersky.

The company’s Automated Fraud Analytics helps organisations lower fraud-related costs and reduce the risk of fines for non-compliance from regulatory bodies.

“It adds an extra level of knowledge of industry-specific fraud and money-laundering scenarios, through access to fraud intelligence, and combines this knowledge with advanced technologies that automatically detect serious incidents while still in the early stages.”

The solution gathers and analyses hundreds of depersonalised indicators, such as the user’s device and its environment, behavioural and biometric patterns of a user, remote access tool and bot usage, mobile malware and Web injects.

Machine learning algorithms help the solution correlate these findings with the patterns of account takeover, new account fraud and money laundering, via Kaspersky Fraud Prevention Cloud and global fraud intelligence based on big data.

Due to its linking and mapping functionality, the solution automatically identifies cross-organisational money laundering schemes by looking for correlations between typical profiles, devices used, behavioural patterns and other details of the sessions that are known to be involved in similar operations.

Alessio Aceti, VP, New Business, at Kaspersky Lab, says while online fraud remains a disturbing reality, primarily for financial organisations, more and more industries are at risk, as they invest money and resources in developing the digital part of their businesses.

“That is why we have revised our offering to include more diversified, tailored solutions for specific scenarios and business requirements: whether it’s a secure authentication of users without extra layers, or more in-depth fraud analysis and intelligence,” he concludes.

Source: https://www.itweb.co.za/content/VgZeyvJAZpWqdjX9

Data breaches: should companies be doing more to protect our personal information?

There’s a lot of pressure on people to keep themselves and their data safe. We have to create long, strong, complex passwords with capitals, symbols and numbers, but never use that password for more than one website.

We have to stay alert to the many potential risks of fraud online and in person, and behave cautiously when contacted by anyone pretending to be from a financial provider.

We even have to exercise incredible caution when making large payments to our lawyers or other service providers in case their email system has been compromised and we’re inadvertently transferring our life savings to a criminal.

Yet despite the extensive, elaborate caution that we are responsible for taking, we are still reliant on businesses and companies keeping our sensitive data safe.

And they fail. New research from Which? has shown that almost one in 10 people who have shared their data online believe they have been subject to a data breach in the last year and three-quarters are concerned they are at risk of a leak.

This should not be happening

There have been some absolutely major data leak stories just recently; the news broke in September that credit report giant Equifax had data on up to 143 million customers stolen by hackers.

And the major Yahoo! data breach revealed earlier this year meant that all three billion of its user accounts were affected, although the stolen data didn’t include passwords or payment details.

But those are the massive disaster movie stories. At the other, less-reported end there’s a constant flood of firms admitting they failed to keep their customers safe.

For example, Pizza Hut revealed last month that its website and app had been hacked, potentially compromising data including delivery addresses and card numbers.

And Wonga revealed in the spring that a data breach may have compromised the financial information of up to 245,000 UK customers.

Frankly, you should be able to use your email, order a pizza and manage your money without the risk of a data leak.

Corporate responsibility

As customers, we need to demand that firms keep our data safe but also that they innovate to make it easier for us to protect ourselves.

They are the businesses with the innovation and research budgets, after all; they need to make us a priority.

Emma Mohan-Satta, fraud prevention consultant at Kaspersky Lab, told me: “Financial providers need to continue investing and researching to ensure they are using fraud prevention solutions that are keeping up and keeping their customers protected.

“As new technology emerges it’s important that financial providers also think about options for making the digital experience easy for customers while still protecting them from fraud; for example behavioural biometrics can be a great ‘invisible’ indicator of whether the genuine customer is accessing the account but doesn’t require any additional action from the customer themselves.

“Financial providers should also educate customers on the latest attacks and offer advice on how to safely use online and mobile services so that consumers can be better informed and help in keeping themselves protected.”

Too right. More responsibility for them and more information and education for us. It is the only way we will keep safe from fraudsters.

What’s more, that education needs to include the major changes coming next year. Research from Exonar shows that 70% of British people don’t know that from May 2018 new EU privacy laws mean that we all have more control over what data is held.

We will have greater rights over how much data is held by firms and even have the right to be forgotten. Firms need to ensure their customers understand their new rights before they come into force.

That’s especially true given that:

It’s just getting worse

You might like to think that there’s steady, ongoing improvement in the fight against data criminals. After all, surely firms are getting better at securing sensitive information and customers are increasingly good at staying clear of compromising situations.

However, according to the US-based Breach Level Index, a global assessment of compromised data records, there were more data breaches in the first six months of 2017 than in the whole of 2016.

In fact, in the first half of this year there were 1.9 billion data records compromised worldwide.

The data provided by the index is staggering. Less than 1% of the stolen, compromised or lost records were encrypted. Encryption would mean the thieves would be unable to use the data.

In the half-year report, created by the company behind the index, Gemalto, the message was clear – poor internal security is helping fuel the rise in data theft.

Let’s be frank, it doesn’t matter how great our passwords are if the businesses we share our data with don’t do enough to protect our data at their end.

So what could be done?

We have to hit firms in the pocket; it’s the only place that hurts them.

In the last few days, Which? has called for the current Data Protection Bill going through parliament to be amended to allow independent organisations to assist customers in gaining collective redress.

Which? spokesperson Alex Neill said: “Data breaches are now more commonplace and yet many people have no idea what to do or who to turn to when their personal data is compromised.

“The Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of consumers when a company has failed to take sufficient action following a data breach.”

Doing so would certainly be a good start.

And finally

One last thought. It may seem as if everything is done electronically and online now. However, we are still at the beginning of our connected, digital era.

In the future, cars will be connected to one another, medical records will be connected via the web, even our smart houses and appliances will have an online presence.

Without far more serious action on the part of companies to keep our data safe and make that a priority, we face a future with even more fraud and all the resulting frustration, wasted time and lost money.

Source: https://www.lovemoney.com/news/68957/personal-data-breach-hack-companies-password-online