Thursday, December 10, 2009

Duh! Chip and PIN Doesn't Prevent Card Not Present Fraud!

What an enlightenment!  Chip and PIN doesn't prevent CNP Fraud.  Gee...I wonder why?  I'll tell you.  Read on... (or look at the graphic on the left)



I blogged earlier in the day about the rampant growth of Card Not Present (CNP) Fraud.  Well, Chip and PIN is "Card Present" (CP).  CNP fraud is the result of ramping up security on CP.  Hackers, like water, find the path of least resistance.



When you think about it, it makes absolutely NO SENSE to ramp up security in the brick and mortar world (with Chip and PIN) when the bad guys can simply go online with stolen credit and debit card numbers and make fraudulent purchases. Especially when you consider that the vast majority of these stolen debit and credit card numbers are obtained because we continue to foolishly "type" (enter) our card numbers into boxes located in browsers on merchant check out sites.



It's nuts. It's like watching someone dive into a section of the Amazon River and, in seconds, be torn to shreds by a school of piranhas...and then diving in yourself seconds later.



No...better yet, it's like reading in the paper that over the last year, 285 million people have had their butts chewed off by these terrible phish and then thinking, hey I'm up for a swim!  I can't help but think that if a "school" of piranha can't teach people to stay out of the water, then it's time to put on the dunce cap the next time you "type your card numbers" (yes entering them is the same thing) into a box in a browser. 



Here's more on the rampant rise of "Card Not Present" Fraud.  




Chip and PIN doesn't prevent card fraud. Fraudsters find joy in card-not-present transactions instead.



Editor's Note:  Wow!  Think about that headline for a second.  Chip and PIN doesn't prevent fraud?  Yes it does...studies have empirically proven Chip and PIN reduces fraud.   It simply doesn't prevent "Card Not Present" Fraud because people can't insert their card into a card reader and enter their PIN on the Internet. (yet) 





Card-not-present (CNP) fraud, which involves online shopping, increased by 25 percent in the 12 months to June 2009, according to new data from the Australian Payments Clearing Association. 



CNP fraud has been shown to grow exponentially in international markets where banks and other card issuers have rolled out chip cards to replace their less secure magnetic stripe equivalents. It has also occurred to some that fraudsters are still able to commit fraud on magnetic stripe cards at ATMs.



I don't mean to sound like a totally sarcastic smart ass, but...here goes!



Gee...I wonder if it has "occurred" to anybody that unless we transform the web into a "card present" environment, fraudsters are still going to be able to commit "card not present" fraud? 



Even if we were able to wave a magic wand and instantaneously eliminate every magnetic stripe card from existence, then provide EVERY consumer with a Smart Card...and EVERY Retailer with a Chip and PIN reader worldwide, "Card Not Present" fraud would continue to rise because...?




We are STILL TYPING our card numbers into boxes in browsers! 



C'mon people...it's not that hard to figure out...is it?  If you want to eliminate Card Not Present Fraud we have to eliminate the "Card Not Present" environment...BY INSERTING OUR CARD INTO A READER! 



If the card wasn't "present" we wouldn't be able to insert it, would we?  (If it was a "cloned card" the fraudster would still need to know the PIN.)  If they knew the PIN, it would be because the card owner fell victim to an ATM skimming/hidden camera hack, which would still vastly reduce the existing rate of "Card Not Present" Fraud. 






The article continues...A report by APCA released this week showed that fraud has grown by more than 200 percent in the last three years.







Payments fraud on credit and debit cards in Australia continues to experience double digit growth, despite ongoing moves by the financial services industry to enhance security, such as the introduction of chip cards. (Again...DUH!) That's because although CNP transactions are only about 10% of the world's transactions, they constitute about 50 percent of all card fraud!





Investment in chip-based cards has often been touted as the solution to skimming fraud, but skimming still grew by 5.1 percent last financial year. "Chip transactions at the point of sale are already commonplace, but we estimate it will take another three years before the rollout is complete," said Chris Hamilton, chief executive officer of APCA.



Editor's Note:  And then what?  Internet Card Not Present Fraud will magically start decreasing?  The ONLY way to ELIMINATE CNP fraud is to eliminate the CNP environment.  And yes...HomeATM has a Smart Card Reader version of our PCI 2.x certified PIN Entry Device (our next gen version can be seen in the video below)













Consumers WILL Sacrifice Convenience to Increase Security





Consumers Are Ready to Protect Their Accounts, But Will Bankers Let Them?



By James Van Dyke, Javelin Strategy & Research




A popular misconception about consumers’ willingness to be involved in fraud protection is holding back retail bankers’ profitability. New Javelin factual research debunks the mistaken belief that consumers won’t sacrifice convenience in order to increase security.




By analyzing rigorous data comparing latest behaviors and preferences toward banking security, Javelin identifies steps bankers can take to not only lower their fraud mitigation costs but to launch marketing efforts to strengthen customer relationships. On top of decreased losses, the customer value proposition of security partnering can be translated into profitable opportunities such as: increased online shopping, retaining customer revenue, gaining new customers, creating a top-of-wallet card, and garnering income from identity protection offerings. Read More







Editor's Note:  I don't know how "inconvenient" it is to Swipe a Card and Enter a PIN, people do it all day long at ATMs and Checkout Counters, but it's good to see that this "convenience" myth has been exposed. 



It's more "inconvenient" to spend 40 plus hours (the average time it takes to deal with debit or credit card fraud) combating identity theft than spending a few extra seconds securing the online banking session. 



When it comes to eCommerce, I would argue that Swiping your card and Entering your PIN is immensely more "convenient" than typing in a 14-18 digit card number into a box on a website, typing in your expiration date and then typing in your CVV on the back of the card.  It's definitely faster to swipe and I guarantee you it's 100 times more secure. 



Ask any keystroke logger!







73% Say Shopping Online is Riskier than Offline, Survey Says



73% of consumers say shopping is riskier online than offline, survey says



Shoppers’ fears of identity theft are heightened during the holiday shopping season, with 54% of consumers in a recent survey from ProtectMyID.com, a vendor of identity theft identification, protection and fraud resolution, saying they are more concerned about identity theft at this time than during the rest of the year.





In addition, 73% of those surveyed say that shopping online poses a greater risk of identity theft than shopping in a store.





“This heightened fear combined with the busiest shopping period of the year underscores the need for education and awareness surrounding identity theft,” ProtectMyID.com says.





Plans to shop in-store versus online were split 50/50 overall, though a much larger percentage of those aged 18–20, 74%, said they would do more shopping in stores than online, the study found.  (that's interesting...)





The survey of 1,035 consumers who use debit or credit cards, conducted for the vendor by Impulse Research, found that 44% of those surveyed claim to know someone who has been a victim of identity theft, and 18% have personally experienced identity theft.





ProtectMyID.com is operated by ConsumerInfo.com Inc, an Experian company.

'Square' Peg, Round Hole: Jack Dorsey's Solution for Payment Processing



The introduction of the device that plugs into an ear-Jack (Dorsey) got a lot of hype.  I immediately noted that nothing was said about the security of the device, i.e. what type of encryption and when, and whether it is PCI "Compliant" (let alone "Certified").  Now that the dust has settled a bit, people are starting to see that this particular empire wears no clothes...



'Square' Peg, Round Hole: Jack Dorsey's solution for payment processing


Summary



Lots of folks have great ideas that don't necessarily translate into viable products and services. Some serial entrepreneurs are off to the next thing before fully-baking their current batch of cookies and I think this is the case with Dorsey's payment processing concept. If I were Dorsey, I'd be cooking up a solution for generating some cash for Twitter (revenue).



Analysis



I do not find anything particularly innovative about what Dorsey is proposing. In fact, the technology to do it has been around for a long time. I often spoke about mobile payments as I helped to launch the GSM network at AT&T Wireless. After all, while we were launching the first GSM net here in the U.S., Europeans and others were already using Smartcards/SIMs for mobile banking and payments.



While I do expect mobile payment processing to grow in years to come, I don't think our financial organizations are yet ready to embrace it. While the app might be free to the consumer, it will require the financial community to embrace it and there will be costs to do that.



Dorsey's argument for this is that while nearly all of us have credit cards, they are still difficult for sellers to accept. I don't buy that at all. Particularly when you have services like Paypal - anyone can accept a credit card payment. If I were selling $2,000 glass sinks, I'd already be equipped to ring up any customers order anytime, anywhere.



If I were Dorsey, I'd be keenly focused on shaking some bucks out of the Twitter tree. ###



Editor's Note: Here's an interesting comment from a PYMNTS reader on the Square...



Industry Reaction the New iPhone Payments Device, Square



Each week PYMNTS.com posts new discussions in our LinkedIn group where we encourage members to weigh in, share their thoughts or propose their own topics.



These discussions are often the product of breaking news or noteworthy events. This week the big story was the buzz around Twitter co-founder Jack Dorsey's hush-hush startup, aka Squirrel, which has a new name and a potential game-changing product -- Square. The company has launched a Web site for its iPhone payment system, which appears to still be in private beta testing.



Q: What do you think about the release of the new mobile payments device, Square?



A: Great HYPE!!! Where's the substance? It's a mag stripe reader attached to a phone? There's a bunch of those already, been around for years, look at Infinite Peripherals. I do not understand why you see this as game changing, can you elaborate? Also we have these regulatory requirements and certifications, simple little things around payment security and device acceptance. One look at this and it screams "SKIMMING DEVICE" to me. This is perfect for those in the hospitality industry (where most of the skimming happens) to take a credit card, swipe it, and then save the data for later personal use or heck just sell it to Poland (sorry Poland but we all know it's true). You see if I buy this device for $60 and skim one card and sell it then I've paid for the device. That's a great business plan.



If Square is fronting the merchant account and taking the risk, that now becomes a better business model for the fraudsters. Without the controls in place for rating and qualifying a business (even small mobile merchants) you're opening doors for creative fraud. Within 10 seconds I can accept credit cards? WOW let's see if I open 1 Square merchant account every minute for one hour that's 60 merchant accounts. I can swipe a couple hundred cards in that same hour and perhaps some people will catch the charge before I get my money but surely some will not. As long as I keep the charges small (under $40) I could make 4k per merchant account. That's 100k I could charge in 1 hour and let's say I get 1/3 of that. Wow I could make $30k for one hour's work and guess what, in 1 month's time when the consumers catch on I'll be gone and Square will be left with the bill.



P.S. Not sure this truly qualifies as a card present transaction, needs to be a certified device for that? That's really all the Square thingy could do. There's lots of other apps on the iPhone for taking credit cards already.



As for the business model, well that is a game changer, for the fraudsters!



— Steve McRae, President | Growth + Profit, Inc.


Internet Pushes Card Fraud Higher



THE rate of fraud in credit cards and other payments systems rose by almost 30 per cent in the year to June, driven by an increase in fraudulent use of credit cards on the internet.





Figures from The Australian Payments Clearing Association (APCA) showed fraud on cheques, credit and debit cards rose from 7c in every $1000 of payments to 9c, an increase of almost 30 per cent.



The biggest contributor was an increase in fraud where the card was not present, mostly transactions over the internet, The Australian reported.



The amount of transactions on Australian cards in this category of fraud increased from $65.5 million to $82.1m in the 12 months to June.



APCA chief executive Chris Hamilton said card-not-present (CNP) fraud was growing and it was important to tackle it early because of the expected rapid growth in use of the internet with the arrival of high-speed broadband. "The National Broadband Network is going to lead to more of a problem unless we have this under control," Mr Hamilton said. An online fraud typically started when a person's credit card number was stored online to make regular transactions easier and was then stolen by a hacker. Or a virus on an individual's computer could record their keystrokes as they entered their card number.



Here's my favorite part of the story:  Mr Hamilton said the payments industry's two main lines of attack were having the cardholder's financial institution track their spending for unusual payments (nah...there's a better way) or a new internet-only PIN.





We don't need an Internet "ONLY" PIN, just another thing to remember...instead, our PCI Certified PIN Entry Device uses existing PINs.  But let's say there was an "internet only" PIN.  Our device could do that too.  And since we are the manufacturers of the ONLY PCI 2.x certified PED in the world, I really like the APCA chief executive's suggestion to combat CNP fraud.  Like I've been saying, "It's Only a Matter of Time" before everyone realizes that in order to conduct secure transactions on the web, it has to be done outside the browser.  HomeATM literally eliminates "card not present" fraud by changing the whole environment into a "Card Present" one.  Can anything be simpler than that?




INTERAC(R) Offers Tips to Ensure a Smooth Online Shopping Experience this Holiday Season





Here's an interesting press release in today's 285 million stolen financial information records world...I break it down, albeit, I suspect not as quickly as a hacker could.  What do you think?  Would you trust this "Type" of payment mechanism in a web browser? 





TORONTO, Dec. 10 /CNW/ - Just in time for the holiday season, Chapters.Indigo.ca, and Roots.com are some of the latest online retailers to begin offering INTERAC Online, a payment service that allows Internet shoppers to pay for goods or services directly from their bank accounts.



From books and music, to games and electronics, to clothing and accessories, and even groceries and charitable donations, INTERAC Online is available at a wider variety of retailers than ever before this holiday season. INTERAC Online allows consumers to do their holiday shopping online from the comfort of their own home or office while paying directly from their bank account.



"Canadians are increasingly turning to the Internet for their purchases and as high users of debit, many will also be turning to INTERAC Online for secure and reliable payments," said Caroline Hubberstey, Director, Public and Government Affairs, Acxsys Corporation, whose shareholders are the architects of the INTERAC network.



For those who prefer to hit the Internet instead of the malls to do their holiday shopping this season, INTERAC offers a few tips to ensure an enjoyable online shopping experience. (Editor's Note:  I only share the first tip, because if they tell you to Shop Securely in one breath and then use this system in the next, well...let's just say I felt the tips were full of hot air...)



1. Shop Securely  (Editor's Note:  I checked the year of this press release just to be sure I wasn't making a mistake, because if you start making payments using your online banking username and password, you are opening up a huge door for hackers.  I suppose they can't get your card number but they CAN get your online banking credentials.  This type of payment mechanism assumes your online banking session is secure, but with critical SSL flaws, online banking Trojans, phishing and a multi-step process which includes selecting your financial institution, being redirected to it, typing your username and password, then being redirected back to the merchant site, there are too many holes for hackers to get in.  For instance, they could hi-jack the redirect and take you to a cloned website of your financial institution.  Again, as Avivah Litan says and most everyone with (at least) half a brain agrees...Nothing in a browser is safe.) 



Keep your card data secure. With INTERAC Online, your personal financial information remains secure because the payment service is integrated with online banking.  (OUCH!) When you're ready to checkout, you are re-directed (hopefully) to your financial institution's trusted (who trusts it?) online banking website to make the payment from your existing bank account (that sounds scary).



How INTERAC(R) Online Works



The INTERAC Online service is secure, convenient (those two words don't usually mix well) and easy-to-use (when you combine convenient with "easy to use" you can pretty much bet that it has the potential to become a hackers paradise)  because it works with the consumer's existing web banking service. (in a browser?)  Consumers who are registered for web banking services with a participating financial institution can use the INTERAC Online service in just a few easy steps:  (but it will be difficult for hackers?)



  • When checking out on a merchant's e-commerce website, select the INTERAC Online payment option;

  • Select your financial institution; (translation: Identify your FI to the possible eavesdropping hacker)

  • Log onto your trusted web banking site using existing login ID and password; (translation: Type (provide the hacker with) your login ID and password)

  • Select your account to process payment; (translation: identify and provide the bad guy with YOUR account)

  • Confirm the payment (you are logged out of online banking and automatically redirected back to merchant's website); (translation: redirects are bad)

  • Print confirmation page for future reference and proof of purchase.
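The editor's objection to this flow is the pair of redirects: the merchant sends the shopper to a financial institution and later accepts a redirect back. The following is an added example, not code from the press release, from INTERAC, Acxsys or from this blog, showing the two merchant-side checks a defender would want on such a flow: the outbound redirect is only ever built from a fixed allowlist of participating-FI hosts (the hostnames below are constructed placeholders, not the real INTERAC Online endpoints), and the return redirect must carry a per-session state value and an HMAC signature that the merchant generated. The function names and the merchant secret are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed allowlist: placeholder hostnames standing in for the participating
# financial institutions' web banking sites (not the real INTERAC Online hosts).
PARTICIPATING_FI_HOSTS = {
    "bmo": "banking.bmo-placeholder.example",
    "rbc": "banking.rbc-placeholder.example",
    "scotia": "banking.scotia-placeholder.example",
    "td": "banking.td-placeholder.example",
}

# Constructed merchant-side secret used to sign the state that round-trips
# through the FI; a real deployment would keep this in a secrets store.
MERCHANT_SECRET = b"constructed-merchant-secret-do-not-reuse"


def _sign(order_id: str, state: str) -> str:
    """HMAC over the order id and session state so the merchant can recognise
    its own round-trip values when the shopper is redirected back."""
    msg = f"{order_id}:{state}".encode()
    return hmac.new(MERCHANT_SECRET, msg, hashlib.sha256).hexdigest()


def build_fi_redirect(fi_code: str, order_id: str):
    """Step 2 of the flow: build the redirect to the shopper's chosen FI.
    Only an allowlisted host can ever be the target. Returns (url, state);
    the merchant stores `state` in the shopper's session before redirecting."""
    host = PARTICIPATING_FI_HOSTS.get(fi_code)
    if host is None:
        raise ValueError(f"unknown financial institution: {fi_code!r}")
    state = secrets.token_urlsafe(16)
    query = urlencode({"order": order_id, "state": state, "sig": _sign(order_id, state)})
    return f"https://{host}/interac/pay?{query}", state


def is_allowed_fi_url(url: str) -> bool:
    """Defensive check before issuing any redirect: HTTPS only, the host must be
    exactly one of the allowlisted FI hosts (so a longer lookalike domain or a
    URL with embedded user info is rejected)."""
    p = urlparse(url)
    return (
        p.scheme == "https"
        and p.hostname is not None
        and p.hostname in PARTICIPATING_FI_HOSTS.values()
        and p.username is None
        and p.password is None
    )


def verify_return(return_url: str, session_state: str) -> bool:
    """Step 5 of the flow: when the shopper is redirected back to the merchant,
    require the state stored in this shopper's session and a valid signature.
    Both comparisons are constant-time."""
    qs = parse_qs(urlparse(return_url).query)
    order = qs.get("order", [""])[0]
    state = qs.get("state", [""])[0]
    sig = qs.get("sig", [""])[0]
    if not hmac.compare_digest(state.encode(), session_state.encode()):
        return False
    return hmac.compare_digest(sig.encode(), _sign(order, state).encode())


if __name__ == "__main__":
    url, state = build_fi_redirect("bmo", "order-1001")
    print("redirect allowed:", is_allowed_fi_url(url))
    print("return accepted:", verify_return("https://merchant.example/return?" + url.split("?", 1)[1], state))
```

The allowlist keeps the "select your financial institution" step from becoming an open redirect, and the signed state means a redirect back that was not started from this shopper's session is refused rather than treated as a paid order.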

INTERAC Online is currently available to customers of BMO Bank of Montreal, RBC Royal Bank, Scotiabank, and TD Canada Trust. More information about INTERAC Online and a complete list of merchants can be found at www.interaconline.ca.



About Acxsys Corporation



Acxsys Corporation, comprised of eight large financial institutions as shareholders, is headquartered in Toronto, Ontario. Acxsys specializes in the development and operation of new payment service opportunities as well as consulting and management services in the field of electronic payments. The Corporation's shareholders are the architects of Canada's national network for shared electronic financial services: INTERAC Direct Payment, Canada's national debit card service and INTERAC Shared Cash Dispensing Service for cash withdrawals at Automated Banking Machines. For more information, please visit www.interac.ca.



(R) Trade-marks of INTERAC Inc. Used under licence.

For further information: Tina Romano, Acxsys Corporation/Interac Association, (416) 869-5062 or tromano@interac.ca

International Payments Appoints Ron Carter as President to Oversee its $150 Million Acquisition Strategy





SAN JOSE, Calif.--(BUSINESS WIRE)--International Payments Corporation (IPC), a privately held merchant services company, today announced it has appointed industry veteran, Ron Carter as President. Mr. Carter’s extensive experience in both operations and acquisitions will accelerate IPC’s recently announced $150 million strategic plan to acquire Independent Sales Organizations (ISOs) and merchant credit card portfolios.



“IPC is in a unique position to grow in today’s challenging market due to its favorable cash position and the exceptional scalability of its account management and sales operations,” says Carter. “The company is able to quickly integrate newly acquired business units and strengthen these acquisitions by implementing proprietary technologies and sales techniques that it has developed.”



“Mr. Carter brings a very powerful combination of hands-on operations knowledge and acquisition experience to our company,” says David McMackin, the former President of IPC who will remain as Chief Executive Officer and Chairman of the Board. “He has led some of our industry’s most successful companies, where he has performed numerous acquisitions, significantly streamlined operations, and increased the bottom-line.”



Mr. Carter served as President and COO of Verus Financial Management, where under his leadership the company’s revenues grew from zero to approximately $30 million in EBITDA before it was sold in a $325 million transaction to Sage Payment Solutions. At Vital Processing Services, then a partnership between TSYS (NYSE: TSS) and Visa (NYSE:V), Mr. Carter served as Executive Vice President. Carter served as President of Network Systems at Alliance Data (NYSE:ADS), where he led the acquisition and integration of Sears Payment Systems (SPS) and Harmonic Systems. These acquisitions and others were part of strategy implemented just prior to the IPO of Alliance Data. Prior to ADS, Mr. Carter was the President of Buypass Corporation, now a wholly-owned subsidiary of First Data Corporation (FDC). (Editor's Note:  He also ran the Merchant Services division of Pay By Touch)



International Payments Corporation (IPC) is a national merchant services company that delivers secure, scalable and reliable payment processing solutions to small- and middle-market businesses, large corporations, governments, financial institutions, and independent sales organizations. IPC processes electronic payments between buyers and sellers, utilizing virtually any payment device or form of electronic payment, including credit and debit cards, checks, and gift cards. For more information, visit www.intlpay.com.

VirtualBank Strengthens Online Banking Security With PhoneFactor



SOURCE: PhoneFactor
Dec 10, 2009 09:05 ET


VirtualBank Adds Out-of-Band Two-Factor Authentication to High-Risk Account Logins



OVERLAND PARK, KS--(Marketwire - December 10, 2009) - PhoneFactor, a leading global provider of two-factor security services, announced today that VirtualBank will be deploying PhoneFactor's phone-based two-factor authentication to enhance security for their online banking customers after the first of the year.



In addition to existing security measures, VirtualBank customers will now also authenticate with PhoneFactor when additional verification is needed, such as logging in from an unknown computer or other scenarios. When this occurs, the customer will receive an automated phone call after entering their user name and password. They will simply answer the phone and enter a passcode to complete the login. By adding PhoneFactor authentication to high-risk logins, VirtualBank can add additional security when needed without impacting customers' day-to-day online banking experience.



"Real two-factor authentication is critical to secure online banking sessions, particularly those that are deemed high-risk. Historically, banks have deployed methods like security questions or secret phrases to authenticate users," said Steve Dispensa, CTO, PhoneFactor. "With today's threat landscape -- especially with man-in-the-middle attacks on the rise -- going outside the online channel for authentication truly helps keep customers secure."



VirtualBank has branded the process they have built around the PhoneFactor service "PhoneGuardian," and will make it available to all of its customers free of charge. PhoneFactor will be used to authenticate logins that are considered high risk based on a custom algorithm that examines numerous parameters at the time of login. If a user gets an authentication call when they are not logging in, a fraud alert can immediately be sent to VirtualBank to instantly lock the account and protect the client.
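The two paragraphs above describe a risk-based step-up: a password login from a high-risk context triggers a phone call, the customer keys in a passcode, and a call that arrives when the customer is not logging in becomes a fraud alert that locks the account. The following is an added example and is not PhoneFactor's or VirtualBank's code; it models that sequence in plain Python so the state transitions can be checked. The risk rule (an unknown device is high risk), the account and device names, and the `place_phone_call` stub are all assumptions standing in for the bank's unstated custom algorithm and the real telephony provider.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample data: devices the bank has previously seen for each customer.
KNOWN_DEVICES: Dict[str, Set[str]] = {"alice": {"device-abc123"}}


@dataclass
class Account:
    username: str
    locked: bool = False
    pending_passcode: Optional[str] = None  # one-time passcode delivered by phone, if any


def is_high_risk(username: str, device_id: str) -> bool:
    """Hypothetical risk rule standing in for the bank's custom algorithm:
    a login from a device never seen for this customer is high risk."""
    return device_id not in KNOWN_DEVICES.get(username, set())


def place_phone_call(username: str, passcode: str) -> None:
    """Stand-in for the telephony provider; nothing is really dialled here."""
    pass


def start_login(account: Account, password_ok: bool, device_id: str) -> str:
    """First factor (user name and password). Returns 'denied', 'ok' for a
    low-risk login, or 'call' when an out-of-band phone call has been placed."""
    if account.locked or not password_ok:
        return "denied"
    if not is_high_risk(account.username, device_id):
        return "ok"
    # Step-up: a fresh one-time passcode is delivered outside the browser channel.
    account.pending_passcode = f"{secrets.randbelow(10 ** 6):06d}"
    place_phone_call(account.username, account.pending_passcode)
    return "call"


def complete_login(account: Account, entered: str) -> str:
    """Second factor: the passcode the customer keys in on the phone.
    The passcode is single-use whether or not the attempt succeeds."""
    expected = account.pending_passcode
    account.pending_passcode = None
    if expected is None or account.locked:
        return "denied"
    if hmac.compare_digest(expected.encode(), entered.encode()):
        return "ok"
    return "denied"


def report_fraud(account: Account) -> str:
    """The customer received a call while not logging in: someone else holds
    the password, so the pending passcode is discarded and the account locked."""
    account.pending_passcode = None
    account.locked = True
    return "locked"


if __name__ == "__main__":
    acct = Account("alice")
    print(start_login(acct, True, "device-abc123"))   # ok: known device, no call
    print(start_login(acct, True, "device-new"))      # call: unknown device
    print(complete_login(acct, acct.pending_passcode))  # ok: correct passcode
```

The point the quoted CTO makes about man-in-the-middle attacks shows up in the code as the separation of channels: the passcode never passes through the browser session, and a wrong or reused passcode denies the login instead of being retried silently.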



"Security comes first for us at VirtualBank and we are constantly working to make it better," comments Frank Barbato, Virtual Bank Chief Information Officer. "We feel equally as strong about our clients' on-line experience and the impact that all the security protections have on them. After all, our clients just want to access their accounts and get on with their lives rather than answering questions about their pet's name. PhoneFactor's flexibility in their platform enables us to both meet today's security needs while offering a superior user experience."



About PhoneFactor



PhoneFactor is an award-winning two-factor authentication service that uses any phone as a second form of authentication. Its out-of-band architecture and real-time fraud alerts provide strong security for enterprise and consumer applications. PhoneFactor is easy and cost effective to set up and deploy to large numbers of geographically diverse users. PhoneFactor was recently named to the Bank Technology News FutureNow list of the top 10 technology innovators securing the banking industry today, and as a 2010 SC Magazine Readers Trust Award Finalist. Learn more at www.phonefactor.com.



About VirtualBank

VirtualBank was founded in 2000 and is a federally chartered, FDIC-insured on-line bank based in Palm Beach County, Florida. Learn more at www.virtualbank.com.






Online Banking Trojan Video







Live Demo: Banking Trojan from Panda Security on Vimeo.

So why don't banks use the world's only PCI Certified PIN Entry Device to authenticate online banking?



Especially if Secure Socket Layer (SSL) has a critical flaw as outlined in the video above?



Two words. They will.

Six more. It's only a matter of time.



Because what they are doing now simply ain't working...and with two newly discovered next generation online banking Trojans having cropped up since October 4th of this year, it's probably going to be sooner rather than later...








Keystroke Logging Video

Here's an example of why we should Swipe vs. Type:







Next up...Video showing how an Online Banking Trojan works...should have it for you within 30 minutes or so...



But be warned...you'll probably never bank online again!!



At least not until banks start issuing you your own personal HomeATM Online Banking Authentication device which allows you to authenticate yourself the same way you do at an ATM.



Instead of foolishly typing in your username and password (and falling victim to a keystroke logging attack as outlined in the video above), you can Swipe your Card and Enter your PIN.



The card data is instantaneously 3DES DUKPT encrypted outperforming even stringent PCI Guidelines because we 3DES DUKPT the Track 2 data as well...



That means NOTHING travels via the browser and you never touch your keyboard.  Can you imagine if ATMs required you to type in a username and password?  There's a reason they require you to Swipe your Bank Issued card and Enter your Bank Issued PIN.



What's the reason for not requiring the same thing to authenticate an online banking session?  Here's some suggestions...Do you think it might be any of these?



  • Because Keystroke Logging doesn't exist?

  • Because typing your username and  password into a box is safe? 

  • Because nobody falls victim to phishing attacks? 

  • Because there's no such thing as a cloned bank website?

  • Because SSL or EV-SSL doesn't have a critical flaw?

  • Because millions of people won't bank online for fear of falling victim to card fraud?

  • Because 49% of online banking customers would switch banks if they (or someone they knew) fell victim to card fraud?

  • Because the problem is getting better not worse?

  • Because online banking trojans don't exist?

  • Because Next Generation online banking Trojans beat even the most sophisticated software authentication programs?

  • Because banks don't want to gain a competitive advantage over their peers?

  • Because our device costs less than most of the useless promotions banks currently run?



Guess you'll have to ask your bank...because it certainly cannot be any of the aforementioned reasons.  See what they tell you.  Then come on back and share what they said with me! 













315,000 UK Shoppers Likely Victims of Credit/Debit Fraud this X-mas

Tis the season...For hackers, "It's the most wonderful time of the year!"



315,000 shoppers at risk of credit and debit card fraud on the high street


More than 315,000 high-street shoppers are likely to be the victim of credit and debit card fraud this Christmas, with each losing over £600 on average to fraudsters targeting shoppers.

Thousands are expected to fall victim to credit and debit card thieves this Christmas



Rather than online, retail fraud is being fuelled by shoppers returning to the high street, as experts warn people are more susceptible to losing track of what they spend. Brits are rejecting online shopping over concerns about postal delays, and 65 per cent say they will buy at least half their gifts in person.



Research carried out by Opinion Matters amongst more than 1500 adults on behalf of international marketing group CPP warns that the number of lost and stolen cards will peak on December 18 as stressed last-minute shoppers become less careful with their cards.




285 Million Records Compromised in 2008 - New Verizon Business Report





According to a new report released yesterday from Verizon Business, keystroke loggers and spyware are the most commonly occurring attacks in companies that suffer major data breaches.



The report, "2009 Supplemental Data Breach Investigations Report: An Anatomy of a Data Breach," looks at the 15 most common security attacks (listed below)



1. Keylogging and spyware: Malware specifically designed to covertly collect, monitor, and log the actions of a system user.



2. Backdoor or command/control: Tools that provide remote access to or control of infected systems, or both, and are designed to run covertly.



3. SQL injection: An attack technique used to exploit how Web pages communicate with back-end databases.



4. Abuse of system access/privileges: Deliberate and malicious abuse of resources, access, or privileges granted to an individual by an organization.





5. Unauthorized access via default credentials: Instances in which an attacker gains access to a system or device protected by standard preset (widely known) usernames and passwords.



6. Violation of acceptable use and other policies: Accidental or purposeful disregard of acceptable use policies.



7. Unauthorized access via weak or misconfigured access control lists (ACLs): When ACLs are weak or misconfigured, attackers can access resources and perform actions not intended by the victim.



8. Packet sniffer: Monitors and captures data traversing a network.



9. Unauthorized access via stolen credentials: Instances in which an attacker gains access to a protected system or device using valid but stolen credentials.



10. Pretexting or social engineering: A social engineering technique in which the attacker invents a scenario to persuade, manipulate, or trick the target into performing an action or divulging information.



11. Authentication bypass: Circumvention of normal authentication mechanisms to gain unauthorized access to a system.



12. Physical theft of asset: Physically stealing an asset.



13. Brute-force attack: An automated process of iterating through possible username/password combinations until one is successful.



14. RAM scraper: A fairly new form of malware designed to capture data from volatile memory (RAM) within a system.



15. Phishing (and endless "ishing" variations): A social engineering technique in which an attacker uses fraudulent electronic communications (usually email) to lure the recipient into divulging information.





