There’s a cyber arms race and criminals are winning

Further to my post about identity theft the other day (here), the National Crime Agency this week published its 2016 Cyber Crime Assessment, and it makes sobering reading. The NCA reports that there were 2.46 million “cyber incidents” last year, including 700,000 frauds, with the biggest threat coming from “a few hundred” criminals. Furthermore, “Data breaches are the most common cyber crimes committed against businesses and the NCA estimates that cyber crime costs the UK economy billions of pounds per year,” and “Under-reporting continues to obscure the full impact of cyber crime in the UK.” A study conducted by PwC in 2015 suggested that ‘90% of large companies and 74% of small companies had experienced some kind of breach in the previous 12 months, and most had experienced more than one – the average was four’. When you add these statistics to our own most recent consumer research – available here – which found that 97% of people alter their behaviour as a result of a data breach, and 30% of those respondents stated that they wouldn’t do business with the company again, there’s a clear message. And unfortunately that message is that businesses will be hacked, and data breaches will continue to take place – despite the best efforts of the NCA, and the UK government promising to spend £1.9bn on cyber defences over the next five years. Surely the safest path for any business – to quote Stephen Orfei of the PCI Standards Council – is to “take risk off the table”. If you’re not storing card or sensitive data then, even if your organisation is breached,...

Identity Theft on the increase

We recently attended a seminar in London that included a sobering presentation by Mike Haley, the Deputy Chief Executive of CIFAS – the Credit Industry Fraud Avoidance System. CIFAS reported that the number of victims of identity theft rose by 57% last year – from 94,500 in 2014 to 148,000 in 2015. A report out earlier this year estimated the annual cost of fraud in the UK at £193bn – equal to nearly £3,000 per head of population. The introduction of ‘Chip & PIN’ in the UK from 2003 has driven ‘Card Present’ fraud down dramatically, but has forced fraudsters to adopt ever more subtle methods of fraud. CIFAS suggests that fraudsters harvest details from social media accounts to gather enough information to create a fraudulent, duplicate identity of a real person, and then commit fraud using that identity; only a small percentage of frauds use wholly fictitious identities. CIFAS recommends that people check their social media privacy settings, and think twice before publicly posting information online that could be useful to a fraudster – names of schools, pets, and so on. There’s a link to an article on the BBC website...

God loves a tryer

My old mother had a phrase that she would use if I ever did anything particularly stupid, which was perhaps more frequently than I remember. The phrase was ‘God loves a tryer’, and while it was evident from my lack of success in many foolhardy ventures that God might indeed ‘love a tryer’, he didn’t necessarily encourage them. The phrase came to mind when I saw this picture posted on social media, and at least one ill-advised person on my media feed had fallen for it and posted the keys to their wallet on Facebook for all to read and – in theory – exploit. Much like my recent post showing somebody allegedly harvesting card data from contactless cards (here), I doubt that many people fell for this gambit, but it highlights Compliance3’s message of ‘devaluing data’ – the information that this meme was attempting to harvest was undeniably valuable data – ‘Sensitive Authentication Data’ in the words of the PCI Standards Council. There’s a world of bad people ‘out there’ and they’re trying to get card details by any means they can. We work with companies to ‘take risk off the table’. If card data doesn’t enter a business’s environment then they can’t be storing it – whether deliberately or innocently – and if they’re not storing it then it can’t be...

Co-ordinated thefts from ATMs in Japan

We’ve written in the past about data breaches where customers’ card details are stolen, and while the press tend to dwell on the ongoing risks to customers as a result of their data being compromised, it’s rare for the subsequent exploitation of data breaches to make the news. This week, however, saw news of an audacious and sophisticated attack that used stolen account data to create 1,600 fake payment cards and then steal nearly $13 million from South Africa’s Standard Bank. The thieves exploited the high maximum withdrawal amounts allowed in Japan, where the maximum amount that can be withdrawn from an ATM is ¥100,000 (about £630), and withdrew that maximum amount 14,000 times from 1,400 machines. The targeted machines were installed in 7-Eleven stores across Japan; unusually for Japan, these particular machines accept international cards. The thefts took place over a three-hour period early on the morning of Sunday May 15th, which would be late Saturday night in South Africa. While customers have not suffered any losses, Standard Bank estimates its total losses to be close to $19 million. Standard Bank described the heist as “a sophisticated, co-ordinated fraud incident” involving what it said was a “small number” of fake cards from account data belonging to...

Nulled, Expect the Unexpected

On May 6, 2016, Nulled.IO’s tag line ‘expect the unexpected’ became a reality for the hacker forum. An unknown hacker broke through the simple MD5 hashing algorithm securing the website and gained access to a 9.45GB file containing all of the website’s information. Securing a sensitive website with such a weak algorithm suggests that the forum didn’t follow its own tagline! Nulled.io is a forum for hackers where they can trade and purchase leaked information (including stolen credentials), hacking tools and cracks, as well as gain access to ‘nulled’ software. Risk Based Security discovered the hack and found the 3GB compressed file ready to download for free on the open Internet. This breach is seen as a gold mine for law enforcement. They now have access to IP addresses, email addresses and conversations for 473,000 registered users, including information from the seemingly private VIP forums. Risk Based Security noted: “If law enforcement obtains this information, (which no doubt they already have) it can be used to filter out any “suspects” under investigation for possibly conducting illegal activities via the forums. With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts.” The breach also means that VIP access to older content on the site is now effectively worthless, as it is all freely accessible within the download. This clearly impacts Nulled.IO’s business model. The site is currently listed as being under temporary unscheduled maintenance, and has been since the breach...

State of the Nation

The UK Government yesterday published some worrying new statistics about the state of cybercrime affecting British business. The headline – which the BBC reported on the breakfast news – was that “Two thirds of large UK businesses hit by cyber breach or attack in past year.” The Cyber Security Breaches Survey also reported that a quarter of large firms experienced data breaches – often involving viruses, spyware or malware – on a monthly basis, and that only half of all firms have taken any recommended actions to identify and address vulnerabilities. Scarier still, only a third of all firms had formal written cyber security policies and only a tenth had an incident management plan in place. As these are prerequisites for the PCI DSS, one hopes that the companies that have their act together are those that process card data for their customers. The survey found that almost half of the top FTSE 350 businesses regarded cyber attacks as the biggest threat to their business, up from just 29 per cent in 2014. The Government will be publishing a new national cyber security strategy later in the year, but with cyber attacks and data breaches becoming more prevalent, why wait? We work with companies to help them reduce the risk of expensive and embarrassing data breaches. If the bad guys do manage to hack your organisation and you’re not storing card data, then you’ve protected both your customers from potential fraud and your business’s reputation. We also help companies put together standards, policies and procedures to help protect data, and to develop incident and data breach response plans....

PCI DSS Version 3.2 released

The Payment Card Industry Data Security Standard – PCI DSS – is fundamental to much of the work we undertake with clients. First published in December 2004 in the wake of the Enron scandal, PCI DSS consolidated the security standards being enforced by Visa, MasterCard, American Express, JCB and Discover. It is applicable to all businesses that store, process or transmit payment card data, and compliance is enforced by the card schemes through Payment Service Providers. Failure to comply can result in the card schemes levying unfavourable or punitive transaction rates on non-compliant merchants, or ultimately the card schemes could withdraw payment capabilities. Version 3.2, published today, places increased emphasis on rules for data access, criteria for ongoing compliance programmes, and a renewed emphasis on the need to migrate to more secure web protocols. The old standard – Version 3.1 – will be retired in December 2016, and after that date all PCI DSS assessments will be made against the new standard. The major changes that the new standard brings in are:

Data Access. The new data access rules will mean that enhanced, multi-factor authentication will be required for all employees who can amend systems that contain card data – User ID and Password will no longer cut it. There’s a direction here: how long before all access to the Cardholder Data Environment will require such credentials?

Ongoing Compliance Programmes. The new standard incorporates “Designated Entities Supplemental Validation” (DESV), which Troy Leach of the PCI Security Standards Council describes as “a set of criteria that can help service providers and others address key challenges in maintaining ongoing security efforts to protect payments....

GDPR and the Brexit Campaign

The EU’s General Data Protection Regulation (GDPR) is one of the most important pieces of regulation in terms of data security. Christopher Graham, the UK Information Commissioner, stated the following at the ICO’s annual Data Protection Practitioners’ Conference in March 2016: “The EU data protection reforms promise to be the biggest shake up for consumers’ data protection rights for three decades.” The regulation is expected to harmonise data protection legislation across Europe, as well as sharply increasing the consequences of failing to comply. The GDPR will raise the level of fines for companies that have data breaches to heights of €20m or up to 4% of annual global turnover. The regulation is some way off, however: it has been released now with a two-year transition period, which means it does not become legally binding until summer 2018 at the latest. This is to allow companies to adjust and prepare before these fines could blow up businesses that fail to comply. “Now, now,” you might be saying, “What if we leave Europe?” What will they have over British companies then? Unfortunately we won’t be escaping that easily. Any company that engages with European customers will be forced to comply with European legislation. So the choice is to exclude one of the most accessible markets to us today, or to abide by these regulations. Luckily for businesses that handle card data there are some simple solutions to compliantly handling payment card and personal data. If you are worried about how these regulations will affect your company then feel free to get in touch with us at Compliance3. We are here to guide you through every step of the...

Eighty-One Million Dollar Cyber Heist

I wrote recently about the Panama Papers, probably the largest and most significant data breach of our times. While the dust has settled for now, the breach cost the Icelandic Prime Minister his job and caused severe embarrassment to the British Prime Minister. Well, how about following that with the sobering tale of the world’s largest cyber heist to date? News is only now coming to light about the heist, which took place in February. Nearly $81 million was illegally transferred using the SWIFT interbank network from the Bangladesh Central Bank’s account with the Federal Reserve Bank of New York. The funds were transferred from New York to a Chinese businessman’s account in the Philippines. They were then transferred to local Filipino casinos for laundering, and the businessman in question – whose accounts have now been frozen – claims that his signatures on the fraudulent transactions had been forged. The fraudulent transfers took place on Friday February 5th, a day when the Bangladesh bank was closed, but the fraudulent transactions were not identified until the next day due to a ‘printer problem’. The Federal Reserve Bank was then closed over the weekend, meaning that a full response was not possible until the following Monday – which was, in turn, a public holiday in the Philippines. Details of the hack were kept from the Bangladesh government for ‘several weeks’. While the governor and two deputy governors of the Bangladesh Central Bank have been replaced following the breach, and the Bangladesh banking system branded ‘incompetent’, it could have been much, much worse. The criminals requested a total of 35 transfers from...

The Panama Papers

Possibly the most significant data breach of our age. We’ve seen data breaches come and go; they make headlines for a couple of days, maybe a couple of weeks, and are largely forgotten, except by those whose data has been compromised and their subsequent victims. The ‘Panama Papers’ take data breaches to a whole new level; they’ve already cost the Icelandic Prime Minister his job, and have made life very uncomfortable for David Cameron, the British Prime Minister, even if his sins would appear to be a lack of communication rather than financial impropriety. They’re not alone, though: 12 national leaders are listed among the 143 politicians named. Mossack Fonseca – the source of the data breach – is the world’s fourth biggest provider of offshore services; it has acted for more than 300,000 companies, more than half of which are registered in the UK or British-administered tax havens. The scale of the breach in itself is mind-boggling – 2.6 terabytes of data, comprising 11.5 million documents – extracted from Mossack Fonseca’s systems. That dwarfs the 1.7 gigabyte ‘Wikileak’ in 2010 or the 3.3 gigabyte leak of files from HSBC in 2015. The most recent breach is thought to have taken place in December 2015, and the papers are currently being analysed by 370 reporters from 100 media organisations. The documents take the form of 4.8m emails, 3m databases, 2m PDFs, 1m images and 320,000 image files. And the source of the breach? Well, the smart money currently suggests that Mossack Fonseca were using WordPress and Drupal plugins that stored database credentials in clear text. The Mossack Fonseca...