Cybersecurity Monthly Highlights
· The EMV Switch
· Savvy Cybersecurity Threat Spotlight #1: Phishing
· Emerging Threats
· Cybersecurity Shorts
· Software Updates
· New threats against “elite” credit cards
· Warnings about insecure apps in the Apple App Store
· New information about the average tax refund delays experienced by identity theft victims
The EMV Switch
A new type of payment card has been making the news—EMV cards (short for Europay, MasterCard, and Visa). These cards have been used around the world for years but are just beginning to make their debut in the United States.
By October 2015, all credit card companies, banks, and merchants must make the switch to EMV technology. Credit cards and banks must issue new cards with EMV chips to their customers and merchants must switch to payment systems that can read EMV cards.
So what exactly is EMV technology?
EMV cards contain a small computer chip that creates a new code for every transaction. Once that code is used, it cannot be used again which helps cut down on certain types of fraud. In comparison, current credit and debit cards in the U.S. produce the same code every time the card is used (stored on the magnetic strip) which allows fraudsters to easily duplicate cards.
There are two types of EMV cards—”chip and PIN” and “chip and signature.” Chip and PIN cards require you to enter your card into the chip-enabled terminal and then enter your PIN to finish the transaction. Your card would not be ejected from the terminal until the transaction is complete. Chip and signature works the same way—but rather than entering your PIN, you must sign to complete the purchase.
Chip and PIN cards are considered the more secure option, but the majority of EMV terminals in the U.S. will only be able to accommodate chip and signature transactions. This option is more secure than the magnetic strip cards, but requiring a PIN would cut down on fraud even further. Merchants and banks were concerned that requiring consumers to enter a PIN for each transaction would be too time consuming and would turn people off from using their cards.
What will they do?
EMV cards are being introduced to cut down on the growing fraud problem in the U.S. — however this switch will not stop all fraud. In fact, EMV cards are only useful in stopping in-person fraud. Due to the computer chips that create unique codes for every purchase, EMV cards cannot be successfully duplicated and used.
For example, if you used your EMV card at a store that suffered a data breach, it would be difficult for a physical, counterfeit card to be created with the information on file. The one time transaction code will be stored but that code will not work again. So while EMV cards will not stop data breaches from occurring, they will lessen the profit that thieves currently make from duplicating and selling physical cards in the underground market.
But, a thief could use your EMV card information stolen in a breach to make online purchases. The chip technology is not used during online purchases since you are not physically entering your card into a chip-enabled payment system machine. Therefore, the thief would only need your card number, security code, and expiration date.
Almost every country that has switched over to EMV technology has seen a surge in online fraud.
Savvy Cybersecurity Threat Spotlight #1: Phishing
One hundred and forty four billion phishing emails are sent daily by scammers trying to trick unsuspecting email users into clicking on a malicious link or sharing personal information. That’s six billion every hour.
In addition, 100,000 new malware strains are created every day. And our anti-virus software can’t always keep up.
Phishing is the number one cybersecurity threat we face because it requires us to constantly decide if an email or link is safe or not— and we’re not always so good at it. You can implement all of the cybersecurity actions and still fall victim to a cyber-attack from one, single click.
The good news is that there are warning signs to look for when going through your email. Remember the savvy acronym: E.M.A.I.L. It stands for: Examine Messages and Inspect Links.
Stop an attack in its tracks
The first step to unmasking a phishing attack is to keep an eye out for some common warning signs. For example, many phishers will try to get you to act quickly by saying it is urgent that you take some action. Another sign is that the email refers to you as “customer” instead of using your name. Lastly, the email asks you to add or update personal data.
Next, you need to take a closer look at the sender. In many cases, the phisher will alter the “From” line so it appears that the email is from a legitimate institution. In order to see the true sender, you need to expand the “From” field by hovering your mouse over the email address. A box will pop up with the actual sender’s email address.
Lastly, you need to inspect links closely. Like the “From” line, phishers can spoof links to look real at first glance. Again, you’ll want to hover your mouse over any link to reveal the true URL. One thing to note is that secure sites begin with HTTPS:// which is difficult for phishers to fake. Of course, if you are unsure, you should call the company directly and ask about the email.
Additionally, you should never open an attachment in an unsolicited email. A click there could put a malware, virus, or ransomware attack right on your computer. And the next thing you know, your machine is secretly recording all your keystrokes or it’s locked up in a ransomware attack.
E.M.A.I.L.
Fighting off phishing attacks requires our complete attention and can be tricky. Always remember E.M.A.I.L (Examine Messages and Inspect Links) and when in doubt, don’t click.
Emerging Threats
Be careful when connecting to hotel Wi-Fi. Researchers discovered a vulnerability in the routers used in many hotel chains around the world. The security hole would allow hackers to see the data shared across the network and even hack into the hotel’s network itself—gaining access to reservation information and keycards. The routers affected are made by ANTlabs.
New scam impersonating FTC Director hits mailboxes. The FTC warns of a letter going around appearing to be from Jessica Rich, FTC director of consumer protection. The letter tells recipients that they have won a cash prize and asks them to pay a fee in advance. The letter is a scam.
Scammers prey on recent college grads struggling with student loans. A new fraud scheme targets college graduates with the promise of helping them pay back their college debt more quickly or lessen the amount. The scammer sets the student up with a payment plan—and either steals the money or charges a very high interest rate. The BBB warns grads that a third party cannot help you consolidate or forgive your loan.
Anti-virus for your home? Protecting your computer and other digital devices with anti-virus software is one of the most important steps for protecting your digital life. And as we become more connected, we need to become more protected. As our homes become “smart” and refrigerators, TVs, home security systems, and more become interconnected and connected to the web, we need to protect those devices as well. Many anti-virus software companies such as Bitdefender and Symantec are coming out with anti-virus protection for the devices in your house. Like anti-virus for your laptop, you should research different options to see what software works best for you.
1,500 apps in the Apple App Store vulnerable to eavesdropping hack, according to SourceDNA. The vulnerability found in popular apps such as Flixster, Uber, Microsoft, and Yahoo allow hackers to intercept traffic that should be encrypted. Many affected companies have already fixed the vulnerability in their app. You can search for affected apps here.
Cybersecurity Shorts
IBM discovers “The Dyre Wolf”—a fraud scheme run by a European cyber gang which has scammed over $1 million from US companies. The scheme uses a combination of phishing attacks, malware, and scam phone calls to load malware onto different businesses’ networks. The malware, “Dyre,” remains dormant until the user tries to visit a bank website. Then, the malware creates a fake screen alerting the user that the site is not working and to call a number. When the user calls the number they speak to an operator who pretends to be from that bank. They ask for the user’s banking details and then use that information to wire the money out of their account.
Tax fraud is more successful at the state level, according to fraudsters. Security expert, Brian Krebs, discovered some tips from these tax fraudsters who reported a 50% success rate with fraudulent state tax returns compared to 15% of federal returns. Many believe a solution to the fraud problem could be eliminating the option to receive a refund on a prepaid debit card—the option most fraudsters choose.
80 seconds: The median time it takes for an employee to open a phishing email, according to the 2015 Data Breach Investigation Report by Verizon. By 82 seconds, 11% of phishing email recipients have clicked a malicious link. That doesn’t give your IT team much time to react. It’s important that all employees are educated on the signs and dangers of phishing.
Two New Jersey universities hit with cyber-attack. Rutgers University and Fairleigh Dickinson University were both hit with cyber-attacks this month which disrupted services at both schools. Rutgers’s network was shut down for part of a weekend while IT staff worked to get the network back up and running after a denial of service attack. FDU also experienced a network shut down before service was restored.
“Elite” credit cards are twice as likely to be used for fraudulent purchases compared to regular credit cards, according to a study from Forter. These credit cards, such as the American Express Centurion, often have higher credit limits, making them more attractive to fraudsters and less likely to be declined. Forter’s study also found that fraudsters used Microsoft Outlook the most for sending emails, followed by Hotmail.
British Airways, GitHub, and Slack all hit by cyber-attacks in April. The attacks are not thought to be connected. British Airway’s frequent flier accounts were affected by the attack and some users reported that their entire account was wiped. GitHub experienced a distributed denial of service (DDoS) attack which they believe to be from China. Lastly, Slack experienced an attack on their network that gave hackers access to user information such as usernames, email addresses and Skype IDs. In response, the company has implemented two-factor authentication for its users.
HSBC mortgage customers affected by data breach. HSBC Finance Corporation shared that they experienced a data breach in late 2014 and early 2015 that affected some mortgage customers. The company is notifying affected customers via letters. Names, Social Security numbers, account numbers, and phone numbers were breached and shared online.
Cyber sanctions program introduced by the White House this month. This executive order signed by President Obama aims to penalize overseas hackers who engage in malicious cyber-attacks and espionage. The sanctions would also apply to corporations. The penalties for those found guilty have not yet been announced.
Merchants request delay in EMV card switch. The merchant industry sent a letter to major credit card companies asking the October 2015 date to be pushed back until after the holiday season. Retailers, who previously pushed for the switch to EMV cards, believe the October date will cause long lines during the 2015 holiday season as consumers get used to the new card readers.
Social Security numbers to be removed from Medicare cards following bill signed by President Obama. In the past, Social Security numbers were used as an identification number for Medicare recipients and were visible on the back of Medicare cards. These cards are carried by recipients, however, leading to a greater chance of identity theft. The change will take place over the next four years.
278 days: average amount of time a tax refund is delayed due to identity theft, according to an audit done by the Treasury Inspector General for Tax Administration. TIGTA also found that 10% of identity theft cases handled by the IRS were resolved incorrectly. This delay is due to cases being reassigned frequently. This delay, however, is 34 days shorter than a previous audit done by TIGTA.
Utah attacks child identity theft with new statewide program. After experiencing a surge in child identity theft cases, Utah partnered with Transunion to help protect children’s credit and Social Security number. Since launching the free program, 13,600 children have been enrolled. The program allows parents to keep track of their child’s identity in one place.
The key to strong cybersecurity: People, not technology. Senior Vice President of Hewlett-Packard’s software enterprise security products stressed that companies should focus on training their employees rather than purchasing new cybersecurity technology. Many cybersecurity incidents occur because an employee clicks on a link or opens a phishing email. While software can be helpful, employees must also know good cybersecurity practices.
AT&T fined $25 million by F.C.C. for privacy breach in 2013-2014. Employees at call centers located in Mexico, Colombia and the Philippines stole personal information of over 250,000 AT&T users in the US and then sold that information to others. AT&T will provide free credit-monitoring services to all affected customers.
White Lodging hotels suffer data breach. The hotel franchise is investigating their second breach this year at ten of their locations. The company believes the points of sales systems at their dining establishments in the hotels were breached. White Lodging says names, credit card numbers, security codes, and card expiration dates were accessed in the breach. Impacted customers are being offered one year of credit protection services.
50% of American households with children under 18 say that their child has breached their cybersecurity. While younger children may download malicious apps or click on unsafe links on accident, some older children purposely breach the network to get around parental restrictions or to play a joke. Regardless of your children’s ages, you should be talking to your children about good cybersecurity practices and the dangers of playing with internet security.
Insurers in NY State must have a cybersecurity plan in place beginning this month. Insurers must send their plan to preventing a hack as well as who is in charge to a regulator at the state Department of Financial Services. The department will also begin scheduling cybersecurity examinations of insurers.
Software Updates
Adobe: This month, Adobe released a patch for Flash Player fixing 22 security flaws, one of which was a zero-day bug. Adobe should update automatically but you can download version 17.0.0.169 here.
Apple: If you are an Apple user, be sure to update your devices. Apple released updates this month for OS X, iOS, Apple TV, and Safari. Your devices should prompt you to update and you can learn more here.
Firefox: Mozilla released an update to Firefox this month to patch an HTTPS vulnerability. Firefox users should update to version 37.0.1. Firefox should update on its own although you may need to close your browser and re-open.
Google: An update for Chrome is available closing 45 security holes. It also introduces some new apps and browser extensions. You can update Chrome by clicking on the three bars next to your URL bar. You can learn more about the update here.
Microsoft: Microsoft released 11 security fixes this month, four of which are critical. The bundle closes holes in Windows, Office, Internet Explorer, and .Net. You can update by going to your “Start” button and then clicking “All Programs” followed by “Windows Update.”
Oracle: A patch for 15 security holes in Java was released this month. You should be running Java 8 Update 45 on your devices that require Java. You can download the update here.
It’s a Good Life!
Randall A. Luebke RMA, RFC
