Posts by Joe Welker, CISA:
Dear Drebit: Does a company that doesn’t physically swipe credit cards have to worry about increased liability when the new EMV rules are implemented in October? Sincerely, Online Payments Only
Dear Online Payments: As you may already know, I recently wrote an article to inform merchants about the Oct. 1 deadline to implement Credit Card EMV (EuroPay, MasterCard and Visa) technology. When this change takes effect, the liability for fraudulent transactions will no longer be assumed by the credit card issuing institution. Instead, if you continue to use the credit card’s magnetic stripe to process payments, your business will assume liability for any resulting fraud. For most businesses – especially smaller businesses – a single instance of fraud could be crippling.
EMV technology essentially swaps out the magnetic stripe used on credit cards today for an embedded chip. The chip scrambles sensitive cardholder data at the point of sale, which makes it increasingly difficult to fraudulently access and replicate consumer data.
But what changes lie ahead for businesses that utilize online payment methods and don’t require customers to physically swipe their credit card to pay for a product or service? Do they need to be concerned about this liability switch on Oct. 1 too?
EMV Concerns For Online Merchants
Your third-party processor (such as PayPal), is responsible for ensuring that the payment is authentic. These companies validate payments using a variety of methods.
Natalie Gagliordi, a blogger with Small Business Matters, writes that “for most online merchants, whatever payment processing technology they are using will likely contain out-of-the-box security and authentication protocols.” PayPal, for example, “has developed complex end-to-end encryption to help protect consumers and merchants with their payment information.”
But just because your business doesn’t bear sole responsibility for keeping your customers’ credit card data safe doesn’t mean you have nothing to worry about – quite the contrary. Some experts expect credit card fraudsters to shift their attention to hacking online consumer data. This means that, for your customers’ sake, you must stay informed about online security best practices: you should know not only what your third-party payment processor is doing to keep credit card data safe, but also what it requires of you to maintain your compliance. This could include maintaining current antivirus protection, a secure firewall and other online safety protocols.
The EMV Migration Forum’s Card-Not-Present Working Committee recently published an informative whitepaper to address the growing threat of Card-Not-Present Fraud. This resource will give online merchants a little more insight into the numerous options currently available to help authenticate online payments.
In the meantime, if you have additional questions or concerns, contact your third-party payment processor immediately. Requirement 12.9 of the Payment Card Industry Data Security Standard v3.0 states that they must provide you with – in writing – the details of their role in providing PCI compliance, as well as any requirements of your organization. Click here to learn more.
How Can Drebit Help You?
Readers, do you have questions about data security, fraud, accounting, succession planning and other general business topics, but don’t really know who to ask? Let Drebit help find the answer! Simply fill out the brief form at the top, right side of this page. You can also click here to reach out to one of our fraud experts directly. If you like the advice we offer, why not click here to subscribe to Dear Drebit and get notified of new articles and updates the minute they are posted?
Would You Pay A Hacker’s Ransom If Your Phone’s Data Was At Risk?
Researchers and IT security experts from ESET, a global IT security company, recently announced that they had discovered a malware application designed to encrypt files and change PINs on Android devices in the United States. In return, victims are told to pay up to $500. Only then will the hackers provide users with the recovery key.
If it continues to spread, this form of malware could result in a staggering number of victims. Once again we are reminded of how important it is to vigilantly protect ourselves against fraudsters who will continue to exploit such weaknesses in our technological infrastructure.
According to the digital media analytics company comScore, between the months of December and March 2015, more than 187.5 million people in the U.S. owned smartphones. During that time, Google Android led the pack as the number one smartphone platform with 52.4 percent platform market share.
Malware Goes Mobile
The malware, called LockerPIN, spreads via third-party applications that the user downloads to their Android device. Similar to the CryptoLocker and CryptoWall malware that has inundated users over the past several years, LockerPIN extends ransomware’s reach to the mobile user.
Originally discovered in Ukraine in 2014, the malware has been modified to the point that it is just now making its North American debut. Disguised as a system update, the application changes the user’s PIN to a random setting without their knowledge. The worst part? The only known recovery solution is to perform a complete factory reset, which will result in the loss of all your data.
It’s only a matter of time before this malware progresses to the point of being able to infect all phones. In the meantime, there are actions you can take to protect yourself.
1) Never download apps outside of certified app stores.
2) Back up your mobile devices to your computer or to the cloud regularly.
3) Do not grant administrator privileges to apps unless you truly trust them.
4) Stay away from suspicious apps and sites.
Want to learn more ways to protect yourself and your business from IT threats? Check out these articles.
PCI to EMV – Protecting Credit Card Data
Your customers want their payment experience to be as easy and painless as possible, which is why you have come to depend on the ability to process credit card payments – especially if your average transaction is more than $20. But providing your consumers with the ability to pay with plastic has also been helpful to fraudsters looking to steal the information hidden within their card’s magnetic stripe. In an effort to crack down on fraudulent transactions, protect consumers and transfer liability from the credit card company to your business, the United States will begin to implement Credit Card EMV (EuroPay, MasterCard and Visa) technology.
Change Is Necessary
Due to the increasing number of credit card breaches where millions of credit card numbers and associated data have been stolen, the industry has forced retailers and merchants to adhere to PCI (Payment Card Industry) Security Requirements. Supported by the PCI Security Council, the ultimate goal of EMV is to stop and prevent further fraudulent activity. Success has already been noted in countries outside the U.S. “Currently, almost half of the world’s credit card fraud happens in the U.S. where magnetic stripe technology is the standard,” state David Navetta and Susan Ross in a blog on Data Protection Report. “Outside the U.S., an estimated 40 percent of the world’s cards and 70 percent of the terminals already use the EMV technology. These countries are reporting significantly lower counterfeit fraud levels with EMV cards than with the magnetic stripe cards.”
Understanding EMV Technology
Credit Card EMV technology, which has been used in Europe since the early 1990s, replaces the magnetic stripe we have grown accustomed to with an embedded chip that scrambles sensitive cardholder data at the point of sale terminal. This technology ultimately makes it more difficult to access and replicate consumer data in an attempt to commit fraud.
Businesses Can’t Afford Not To Comply
Why should you be concerned about the credit card industry’s switch-over to EMV technology? As of Oct. 1, 2015, the liability for fraudulent transactions will no longer be assumed by the credit card issuing institution. Instead, if you (the merchant) fail to adopt EMV technology, your business will be responsible for any loss that results from a fraudulent transaction. If your business currently accepts credit cards as a form of payment (and you would like to continue this practice), unless you want to be hit with potentially devastating losses, you must make sure to install and activate the new technology before the Oct. 1 deadline. That being said, some types of businesses will have a little more time to comply. If you aren’t quite sure whether or not your business is exempt, visit the website of each payment brand you accept to learn more.
- If you have not investigated or planned for EMV Technology, contact your card processor immediately to determine your business’s specific needs.
- Implementing EMV technology can be a cumbersome and time consuming project, but the best way to protect yourself from fraud and liability is to implement the new technology as soon as possible.
- If EMV technology has been implemented, be sure to confirm that the chip reading capability has been enabled. In addition, confirm with issuers that cryptographic values are being associated with the card number to ensure that the EMV technology has been set up and configured properly. Verifying that cryptographic values are being assigned will eliminate the chance of misconfiguration and possible fraudulent activity.
- Train your staff on the new procedures. When a customer tries to pay for a product or service using their card, they will notice some changes, such as their credit card being held in the EMV reading slot throughout the entire transaction process. This is normal; however, your staff should be prepared to answer the questions that will certainly arise.
Want to learn more ways you can protect your business and your customers from a fraudster? Check out these articles:
Red Flags To Be Aware Of When Opening Your Email
We hear it a lot and often – be careful when clicking on the links in your email (especially if you do not know the sender.) But what if the email is from someone you know, like your boss? And what if the email appears to come from their work account?
E-mail Account Compromise (EAC) is a sophisticated scam that uses legitimate email accounts that have been compromised to target unsuspecting victims, oftentimes tricking even the most tech-savvy individuals.
So that email your “boss” sent asking you to click on a link and wire them money because they lost everything while on vacation in France may look authentic, but in reality it’s a scam that could have a devastating impact on your business’s network.
How can you tell the difference?
“Just 1 percent of employees are responsible for 75 percent of cloud-related enterprise security risks, and companies can dramatically reduce their exposure at very little additional cost by paying extra attention to these users.”
Recently, the FBI reported a 270 percent spike in victims and cash losses due to these scams. The numbers are scary, but educating yourself on what to be on the lookout for can help eliminate the scams.
Want to learn more about the recent EAC scam? Click here to read a recent public service announcement from the FBI or contact Rea & Associates to learn more ways to protect your business from unseen threats.
Looking for more information about securing the safety of your business? Check out these articles:
As if you didn’t have enough keeping you up at night, the topic of data security continues to send collective shivers up the spines of business owners worldwide. Unfortunately, the Aug. 24, ruling by the United States Court of Appeals for the Third Circuit didn’t make matters any better (or less expensive) for businesses guilty of failing to protect their customers’ data. In fact, companies that utilize poor security practices that ultimately lead to a breach of consumer data are at risk of facing further disciplinary action and penalties.
What does the FTC’s Courtroom Win Mean To Business Owners?
If you haven’t taken data security seriously in the past, it’s time to get real serious about it real quick.
Prior to the ruling, companies at the center of a data breach had to battle with lawsuits while working to rebuild their reputations. Now, in addition to litigation and negative headlines, your organization must also risk being fined by the Federal Trade Commission (FTC). Businesses can no longer operate with a subpar data security infrastructure. Those that do are at risk of losing everything.
The court upheld the FTC’s 2012 lawsuit against Wyndham Worldwide, a company known for operating hotels and time-shares. Records show that the FTC filed complaints against Wyndham for three data breaches occurring in 2008 and 2009, which resulted in more than $10.6 million in fraudulent charges. In its decision, the appeals court reaffirmed previous rulings that found Wyndham to be responsible for implementing better security practices, which would have helped prevent such breaches from occurring in the first place.
According to the FTC’s argument, software used at Wyndham-owned hotels stored credit card information as readable text, hotel computers lacked a system for monitoring malware, there was no requirement for user identification or for passwords that would be difficult for hackers to guess, the company failed to use firewalls and, ultimately, it failed to employ reasonable measures to detect and prevent unauthorized access to the computer network or to conduct security investigations.
“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said FTC Chairwoman Edith Ramirez. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
Next Steps For Businesses
With regard to the case between the FTC and Wyndham, the next chapter of the story is uncertain. While the win in the courtroom has helped put some wind in the FTC’s sails, the commission has yet to levy any penalties or assertions against the defendant. What is clear, however, is that a data security breach is a very real threat – one that is felt by nearly every business in the world. Furthermore, as technology continues to advance and hackers adapt, the security procedures businesses deploy must be top-notch to avoid further complications and costs associated with a sloppy security infrastructure.
Will you be ready when disaster strikes? Email Rea & Associates today to learn what you can do to protect your business from unforeseen threats.
Want to learn more about how to protect your business from a data security crisis? Check out these articles:
The malware known as CryptoLocker or CryptoWall continues to be a major concern for individuals and companies alike. So much so, that the FBI saw fit to issue a warning just last month and help raise further awareness about the threat.
According to the FBI, this ransomware continues to evolve, which helps it evade users’ virus detection software – even if it is current. Since April 2014, the FBI reported, there have been 992 reported incidents of CryptoLocker. These occurrences have resulted in losses of around $18 million.
Read Also: How Much Is Your Data Worth To Criminals?
The Threat Is Real
Ransomware is a computer infection that’s been programmed to encrypt all files of known file types on your local computer and your server’s shared drives. Once it takes hold, it’s all but impossible for you to regain access to the data that’s been infected. Once this happens, you have one of two choices. You can:
- Restore your machine by using backup media, or
- Accommodate the hacker’s demands and pay up.
As a direct result of my experience as an IT audit manager, I have been made aware of several situations in which businesses were left with no choice but to succumb to the demands of malicious cybercriminals carrying out Ransomware attacks. And while the companies I have worked with were finally able to obtain their assailant’s encryption key code to unencrypt and regain access to their data after the ransom was paid, others are not as lucky – after all, the FBI has reported $18 million worth of losses in just over a year. Furthermore, there are no guarantees that you won’t be targeted again in the future.
Preempt A Crisis
While there is no surefire way to prevent a Ransomware attack on your data, it’s wise to implement the following best practices to reduce the possibility of infection or reinfection.
- Implement mandatory computer safety training for all employees, and put an IT Disaster Recovery Plan in place and test it.
- Always use reputable antivirus software and a firewall and be sure to keep both up to date.
- Put your popup blockers to good use. Doing so will help remove the temptation to click on an ad that could infect your computer.
- Limit access to the company’s data by ensuring that only a few employees have access to certain folders and data. You can facilitate this by conducting annual reviews of your company’s employee access rights.
- Backup all company-owned content. Then if you do become infected, instead of paying the ransom, you can simply have the Ransomware wiped from your system and then reinstall your files once it’s safe again to do so.
- Never click on suspicious emails or attachments, especially if they come from an email address you don’t recognize. And actively avoid websites that raise suspicion.
Shut Down The Attack
If you are surfing the Web and a popup ad or message appears to alert you that a Ransomware attack is in progress, disconnect from the Internet immediately. Breaking the connection between the hacker and your data could help stop the spread of additional infections or data losses. In addition to informing your company’s IT department about the threat or occurrence, be sure to file a complaint with your local law enforcement agency. The IC3, formerly known as the Internet Fraud Complaint Center, also encourages you to file a report at www.IC3.gov.
Email Rea & Associates to learn more about the importance of your company’s online security.
By Joe Welker, CISA (New Philadelphia office)
You probably don’t have a lot of spare time on your hands. Between managing your business and employees and ensuring your clients’ needs are being met, the last thing you might be concerned about is adhering to Payment Card Industry (PCI) Data Security compliance standards. But hold up. If your business (or any of your vendors) deals with client cardholder data or stores this information anywhere in your business’s IT systems, PCI standards are not something to ignore. It could be the difference between your business surviving and thriving or going down the drain.
PCI Data Security Best Practices
In November 2013, the Payment Card Industry (PCI) Data Security Standard version 3 was released. There were five requirements defined as “best practices.” And as of June 30, 2015, these requirements are mandatory and may affect your organization.
The Payment Card Industry (PCI) Data Security Standard v3.0 data sheet describes the need for compliance as: “All applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, including applications that have been validated to PA-DSS.”
The two requirements that could most affect your organization are Requirements 12.9 and 9.9.
- Requirement 12.9 – Additional requirements for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
- Requirement: 9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
So what exactly do these requirements mean for you (and your vendor)? In essence, Requirement 12.9 requires third parties to provide in writing the details of their role in providing PCI compliance, as well as any requirements of your organization. Requirement 12.9 is relevant to Requirement 9.9 as it relates to devices used to scan or input credit card information. The vendor’s compliance requirements could require the entity to adhere to Requirement 9.9 by protecting and monitoring devices used by the entity to scan or input credit card information. And because it’s ultimately the responsibility of your organization to protect client credit card information, it is important that your business obtain the PCI requirements of any vendors you work with and adhere to the requirements of their PCI compliance standards. It is always best practice to document in detail when testing for PCI or communicating with your vendor.
Remaining Three Best Practice PCI Compliance Requirements
The other three PCI compliance “best practice” requirements are listed below. These may or may not be items to be addressed by your organization depending on your current PCI classification. It’s best to review and determine if your entity needs to add to your current PCI testing procedures.
- Requirement: 6.5.10 – Broken authentication and session management. Secure authentication and session management prevents unauthorized individuals from compromising legitimate account credentials, keys, or session tokens that would otherwise enable the intruder to assume the identity of an authorized user.
- Requirement: 8.5.1 – Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
- Requirement: 11.3 – Implement a methodology for penetration testing. See p. 93 of the Payment Card Industry (PCI) Data Security Standard v3.0 data sheet for details (Requirement 6.5, p. 55, is related).
The End of Outdated Secure Sockets Layer Encryption Protocol
Finally, in April 2015 the PCI Security Standards Council published a new version of the Payment Card Data Security Standard that calls for ending the use of the outdated Secure Sockets Layer (SSL) encryption protocol. The new standard requires that the use of SSL be discontinued and replaced by the use of the more secure Transport Layer Security (TLS) protocol. The deadline for this change has been set at June 2016.
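The following is an added example, not code from the original post or from the PCI Security Standards Council, showing what the SSL-to-TLS change looks like in practice from the merchant side: a client configuration that cannot negotiate SSL 2.0/3.0, and a probe you can run against a payment endpoint you operate to see which protocol versions it still accepts. It assumes TLS 1.2 as the minimum acceptable version, which is stricter than the SSL-only wording above; the host and port passed to the probe are yours to supply.

```python
"""Added example (not from the original post): a TLS client policy that refuses
the retired SSL protocol, plus a per-version probe for servers you operate.

Assumption (not stated on the page): TLS 1.2 is the floor. The page only says
SSL must go; early TLS versions are treated as unacceptable here by choice.
"""
import socket
import ssl

# Protocol names as reported by SSLSocket.version(). SSLv2/SSLv3 are the
# versions the PCI text above retires; TLSv1/TLSv1.1 are added by assumption.
RETIRED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def hardened_client_context() -> ssl.SSLContext:
    """Return an SSLContext that verifies certificates and hostnames and
    will not negotiate anything older than TLS 1.2 (so never SSL 2.0/3.0)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_acceptable(version: str) -> bool:
    """True if a negotiated protocol name is outside the retired set."""
    return version not in RETIRED


def probe_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt one handshake per TLS version and record which the server accepts.

    Returns {version_name: bool}. Certificate verification is switched off
    only because this probe reports protocol support, not trust; use
    hardened_client_context() for real traffic.
    """
    candidates = (("TLSv1", ssl.TLSVersion.TLSv1),
                  ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                  ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
                  ("TLSv1.3", ssl.TLSVersion.TLSv1_3))
    results = {}
    for name, ver in candidates:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = ver          # pin both ends to one version
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError, ValueError):
            # Handshake refused, connection failed, or the local OpenSSL
            # build does not support that version at all: count as "no".
            results[name] = False
    return results


def report(host: str, port: int = 443) -> list:
    """Names of retired versions the server still negotiates (empty is good)."""
    accepted = probe_versions(host, port)
    return [v for v, ok in accepted.items() if ok and not is_acceptable(v)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("retired versions still accepted:", report(target))
```

Run it against your own checkout or gateway host; an empty list means nothing in the retired set was negotiated. Note that a modern OpenSSL build may not support the old versions locally, in which case the probe reports them as refused because it could not even attempt them.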
Remember, although you may employ a vendor to process credit card payments, it is still your client’s data and the ultimate need to protect that data is assumed by you.
We hear of new breaches daily, so it’s in the best interest of your organization to know the responsibilities of your organization for PCI Compliancy. Don’t assume that all the responsibility is on a third party vendor because it is all of our responsibility to maintain security and keep the integrity of our data secure.
By Joe Welker, CISA (New Philadelphia office)
How much would you pay to regain access to your company’s network if it was compromised and held for ransom? Are you willing to shell out hundreds of dollars to take your information back from a cybercriminal, or are you willing (and able) to just walk away and start anew? I wish I were asking hypothetical questions but, unfortunately, the increased popularity of ransomware has made the risk of such an attack a very, very real possibility.
Sandra Ponczkowski, a manager at the IT security company KnowBe4, recently shared Your Money or Your Life Files, a whitepaper that details the history and real threat of ransomware, a computer infection that encrypts all files of known file types on your local computer and server shared drives. Once infected, it becomes impossible for you to access your documents or the applications that use these encrypted files. The only way to recover from such an infection is either to restore your machine by using backup media, or to accommodate the hacker’s demands and pay their ransom.
Unfortunately, I know of several situations where the businesses involved in a ransomware attack had no choice but to pay the ransom demanded by the cybercriminal. The silver lining for these companies was that, upon paying the ransom, they were able to obtain the assailant’s encryption key code, which allowed them to decrypt their data and regain access to it.
Long-term protection, however, cannot be guaranteed and there is a chance that your data can be held for ransom again.
The literature provided by KnowBe4 details the fluency with which the popular Ransomware infection CryptoLocker changes and adapts once a solution to unencrypt infected data files becomes available. When this happens, the CryptoLocker infection will evolve into a new strain, thus making the previous solution unusable.
While there is no way to completely protect yourself and your network, there are ways to preempt an attack against you and your business. I recommend the following best practices.
- Train yourself and your employees about computer safety practices.
- Complete a yearly review of your employees’ access rights to company-owned computers, server folders and backup media. For example, only a few strategic employees should have access to the company’s folders and data. As a general rule, employee access should be restricted to only the programs and software required for them to do their jobs. This also applies to work-from-home employees, who typically attach a USB drive to their machines for backup protection.
- If you don’t already have one, put a disaster recovery plan in place and test it every year to ensure accuracy and completeness.
Following these practices should make your business’s ransomware prevention and recovery much easier. Email Rea & Associates to find out more about the importance of protecting your company’s online security.
By Joe Welker, CISA (New Philadelphia office)
If you purchased a Lenovo desktop or laptop between September 2014 and January 2015 you could be susceptible to “SuperFish” – adware that can be found lurking in the depths of your device.
Capable of hijacking Internet traffic data typically used for securing Internet transactions, SuperFish was installed on Lenovo devices by the manufacturer per an agreement with Superfish Advertising, a third-party software developer based out of Palo Alto, Calif.
“In our effort to enhance our user experience, we pre-installed a piece of third-party software … on some of our consumer notebooks. The goal was to improve the shopping experience using their virtual discovery techniques,” said the company in a prepared statement. “In reality, we had customer complaints about the software. … We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January), and we are providing online resources to help users remove this software.”
Until you are certain that your Lenovo system is free of the adware, refrain from online banking, making online purchases or engaging in any other online activity where security is critical.
To determine if SuperFish is present on your device and how to remove it, Lenovo released step-by-step SuperFish Uninstall Instructions on its website. You can also visit this secure site, which will run a basic scan on your device to determine if SuperFish is intercepting your connections.
Unfortunately, in his article about the Lenovo crisis, Zack Whittaker cites ZDNet’s Chris Duckett as saying that “the only confirmed way of completely removing SuperFish appears to be reinstalling Windows … or moving to another operating system entirely,” because simply uninstalling the adware may not remove the root certificate authority it installed.
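Because the lingering risk described above is the trusted root certificate rather than the adware program itself, the practical check is to look inside the machine's root store. The following is an added example, not code from the original post, from Lenovo or from the scan site mentioned above: it enumerates trusted root certificates (the Windows ROOT store via Python's `ssl.enum_certificates`, or any PEM bundle on other systems) and reports any whose embedded name strings contain an indicator such as "Superfish". Matching on the text of the subject and issuer names is an assumption about how such a certificate is labelled; it is a triage check, not a cryptographic identification. The sample DER inputs at the bottom are constructed for the demonstration and are not real certificates.

```python
"""Added example (not from the original post or Lenovo): find root certificates
whose name strings mention an indicator, e.g. "Superfish".

Assumption: the unwanted CA can be recognised by the text in its subject or
issuer name. The sample blobs below are constructed, not real certificates.
"""
import base64
import re
import ssl

# ASN.1 universal tags for the string types X.509 names are built from:
# UTF8String, PrintableString, T61String, IA5String, BMPString.
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16, 0x1E}


def walk_der_strings(data: bytes):
    """Yield every string-typed primitive value found anywhere in a DER blob.

    A minimal TLV walker: constructed elements are descended into, string
    primitives are yielded, everything else (integers, OIDs, bit strings) is
    skipped. This is enough to pull subject and issuer text out of a
    certificate without a full X.509 parser.
    """
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            break
        length = data[i]
        i += 1
        if length & 0x80:                       # long form: low 7 bits = byte count
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if tag & 0x20:                          # constructed (SEQUENCE, SET, ...)
            yield from walk_der_strings(value)
        elif tag in STRING_TAGS:
            enc = "utf-16-be" if tag == 0x1E else "utf-8"
            yield value.decode(enc, errors="replace")


def find_indicator_certs(der_certs, indicator: str) -> list:
    """Indices of DER certificates whose embedded strings mention `indicator`
    (case-insensitive)."""
    needle = indicator.lower()
    return [idx for idx, der in enumerate(der_certs)
            if any(needle in s.lower() for s in walk_der_strings(der))]


def load_pem_bundle(text: str) -> list:
    """Split a PEM bundle (e.g. a system ca-certificates file) into DER blobs."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def windows_root_store() -> list:
    """DER blobs from the Windows machine ROOT store (Windows only;
    ssl.enum_certificates does not exist on other platforms)."""
    return [cert for cert, _encoding, _trust in ssl.enum_certificates("ROOT")]


# --- constructed sample input: name-shaped DER SEQUENCEs, not real certificates ---
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128                     # short-form length suffices here
    return bytes([tag, len(value)]) + value


SAMPLE_CLEAN = _tlv(0x30, _tlv(0x13, b"Example Root CA"))
SAMPLE_SUSPECT = _tlv(0x30, _tlv(0x30, _tlv(0x0C, b"Superfish, Inc."))
                      + _tlv(0x13, b"US"))

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(find_indicator_certs([SAMPLE_CLEAN, SAMPLE_SUSPECT], "superfish"))
    # On a Windows machine you would pass windows_root_store() instead.
```

On a Windows machine, pass `windows_root_store()` to `find_indicator_certs`; on Linux or macOS, read your CA bundle file and pass `load_pem_bundle(text)`. A non-empty result after the adware has been uninstalled is exactly the situation the quoted advice warns about, and the certificate should be removed from the store (or the system reinstalled) before the machine is used for anything sensitive.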
According to reports from IDC Worldwide Quarterly PC Tracker and Gartner, Lenovo shipped more than 16 million desktops and notebooks worldwide during the fourth quarter of 2014. Lenovo’s statement indicates that the following models may have been affected:
- G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45, G40-80
- U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
- Y Series: Y430P, Y40-70, Y50-70, Y40-80, Y70-70
- Z Series: Z40-75, Z50-75, Z40-70, Z50-70, Z70-80
- S Series: S310, S410, S40-70, S415, S415Touch, S435, S20-30, S20-30Touch
- Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 Pro, Flex 10
- MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11, MIIX 3 1030
- YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11, YOGA3 Pro
- E Series: E10-30
Email Rea & Associates to learn more about the importance of protecting your virtual assets against cyber threats.
By Joe Welker, CISA (New Philadelphia office)
Late last week, the Federal Bureau of Investigation (FBI) issued a wire transfer scam alert for all small businesses in the United States. According to the FBI alert, between October 2013 and December 2014 a total of 1,198 complaints dealing with wire transfer scams were received from U.S.-based companies. Losses from these incidents totaled more than $179 million. The FBI also reports that the scams can follow a ransomware incident, and may involve a fraudster contacting a vendor and requesting a change of payment to an alternate, fraudster-controlled bank account.
How To Mitigate This Type of Scam
If you’re a small business owner, you may be at risk for this kind of scam. The FBI recommends the following mitigation steps for these types of scams:
- Keep all of your anti-virus software up-to-date.
- Educate your workforce about security best practices.
- Be sure that any changes to payments via electronic transfer are verified with an employee of the bank and at a phone number that you utilize for assistance.
- Don’t use alternate phone numbers provided via email or by a bank representative contacting you.
- Always call the institution back and verify that you are communicating with your bank.
- Monitor all of your business’s financial transactions on a daily basis. Suspected electronic fraud must be reported within a single business day.
- Use two-party authorization access to complete all wire transfer transactions.
- Utilize biometric authentication to verify the identity of authorized users.
- Use online bank portals that require strong fraud controls to complete all wire transfer transactions.
You can find more information about the FBI’s scam alert here. This site also provides detailed samples of how the scams will be run against unsuspecting businesses.
If you have any specific questions about how this scam might impact you, or if you would like more information on IT security best practices, email Rea & Associates.
By Joe Welker, CISA (New Philadelphia office)