BreachExchange mailing list archives

Big fraud: Companies struggle to combat cyber-enemies


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 24 Feb 2014 19:09:28 -0700

http://www.cbsnews.com/news/big-fraud-companies-struggle-to-combat-cyber-enemies/

For most people, securing their homes from intruders involves locking
doors, latching windows and perhaps switching on an alarm. But what if
thieves could breach these defenses through doors and windows that connect
your home with the next-door neighbor's house, or the neighbor's neighbor
or, for that matter, the neighbor's neighbor's accountant, who happens to
live on the other side of the world? And what if you didn't know that some
of these routes leading into your house even existed?

Welcome to the business world circa this minute, an age of deepening
technological insecurity in which the dark side of interconnectedness is
emerging in a wave of fraud, hacking and many other kinds of cybercrime.

As the recent attacks on Target (TGT), Neiman Marcus and other retailers
make clear, the risks for companies include financial losses, reputational
damage and lengthy investigations. Credit and debit card issuers, along
with merchants, lost $11.2 billion in 2012 because of fraud, up nearly 15
percent from the previous year, according to The Nilson Report, a payment
industry publication.

The financial impact of individual attacks is also mounting, with the
number of incidents causing losses of at least $1 million reaching record
highs.

Dangerous world

To be sure, computer crime is practically as old as the computer. But a
host of factors are combining to raise the risks -- and the stakes -- for
consumers and businesses alike.

What's changed? First, and most obviously, the virtual world continues to
expand across the physical world, with the advent of social media, mobile
technology, cloud computing and "Big Data" creating new vulnerabilities for
covert government agencies, criminal bands and hackers to exploit.

Second, the bad guys, often operating as part of international crime rings,
are smarter, better organized and willing to compare notes. The tools of
the trade have also become highly sophisticated and easier than ever to
procure, allowing fraudsters to execute their schemes from virtually
anywhere in the world.

Cybercriminals are increasingly working together, U.S. Secret Service agent
William Noonan told lawmakers earlier this month in a hearing convened to
discuss the recent attacks on Target. Fraudsters patronize illicit digital
bazaars to sell and trade malicious software (or "malware"), payment card
data, bank and brokerage account information, counterfeit identity
documents and hacking services.


"The Secret Service has observed a marked increase in the quality, quantity
and complexity of cybercrimes targeting private industry and critical
infrastructure," he said. "These crimes include network intrusions, hacking
attacks, malicious software and account takeovers leading to significant
data breaches affecting every sector of the world economy."

Third, even as hackers are sharpening their skills, many companies remain
largely ignorant of the emerging threats. Although criminals typically know
exactly what information they're after, companies are often unsure even of
what systems they have to protect.

Fourth, companies have a hard time deterring an attack even when they do
have a game plan for fighting fraud.

In part, that reflects a limitation in the approach that security companies
have taken in the past in battling cyber-criminals, which is to identify
known viruses, malware and other suspicious online activity. But criminal
elements also have become more adept at hiding their tracks, disguising and
customizing attacks in ways that make them difficult to anticipate, let
alone stop once they are unleashed.

Caught napping

One thing is apparent from some of the recent incidents: no one is safe.
The range of wrongdoing spans from run-of-the-mill data theft targeting
isolated individuals to massive break-ins of the kind that hit Target.

Just last week, for instance, PayPal President David Marcus said on Twitter
that someone had stolen his credit card information -- perhaps from a hotel
or business he had visited during a recent trip to the U.K. -- and gone on
a shopping spree, an incident he used to tout PayPal's services.

According to the Privacy Rights Clearinghouse, a nonprofit advocacy group,
since 2005 some 663 million records have been exposed in a total of more
than 4,100 separate incidents. Other companies that suffered major database
breaches last year include software maker Adobe, which in October saw 2.9
million customer accounts compromised, and social media company
LivingSocial, where 50 million records were exposed.

A more sinister invasion took place in 2010, when hackers exploited a
simple design flaw in a type of video camera consumers use to monitor their
homes remotely, and posted live feeds from inside people's homes on the Web.

"The feeds displayed babies asleep in their cribs, young children playing
and adults going about their daily lives," the Federal Trade Commission
said in cracking down on the camera vendor, called TRENDnet, in September.

Widening "attack surface"

The spate of attacks in recent years reveals something else: Most companies
aren't ready for them. A 2013 survey of 500 corporate executives, security
experts, government staff and others by management consulting firm PwC
(conducted with CSO Magazine, Carnegie Mellon University and the U.S.
Secret Service) found that many business leaders lack even basic knowledge
about who oversees information security for their companies.

Asked if they had methods in place to evaluate the efficacy of their
security programs, a whopping 60 percent said "no" or weren't sure.

It is the nature of business that companies struggle to keep up with
changes in technology, along with the inevitable security issues that are
the byproduct of innovation. And computer fraud is nothing new. In 1970,
just to cite one early scam, a teller at the Manhattan branch of the Union
Dime Savings Bank over three years managed to steal $1.5 million from
hundreds of customer accounts by fooling the company's computer system.

What's different today is the unprecedented level of interconnection
between consumers, businesses, suppliers and contractors. For companies,
those myriad touchpoints -- from social media accounts, to HR databases,
third-party payment-processing and customer-management systems -- represent
an expanding "attack surface" for fraudsters, said Dave Burg, global and
U.S. cybersecurity leader for PwC.

Clearly, the days when businesses could focus only on securing their own
fortress are long gone. Today, even the humblest startup is likely to
exchange sensitive information with a range of customers, business
partners, suppliers and government agencies. For global corporations, the
challenge is staggering given the many opportunities for such entities to
mishandle confidential data or to fail to protect their own systems.

"The reality today is that many companies rely on third parties to deliver
services," Burg said. "They might rely on contractors to deliver pieces of
a business process, or they could have joint-venture partners. We have a
highly interconnected ecosystem where no business operates on its own."

The Christmas attack on Target, which is thought to have affected as many as
110 million current and former customers, is a case in point. Security
expert Brian Krebs reports that the scheme may have started when hackers
infiltrated a heating and refrigeration company that did business with the
retailer. Although an investigation into the breach continues, he believes
that malware-infected email was sent to employees of the HVAC company,
allowing criminals to gain access to Target's information systems.

The retail industry should expect such attacks to proliferate in the coming
years. In a confidential report shared with some 20 retailers following the
Target breach, the FBI said it expects point-of-sale malware crime "will
continue to grow over the near term, despite law enforcement and security
firms' actions to mitigate it," according to Reuters.

Aite Group, a research and advisory firm, estimates that in early 2013 more
than 150,000 new strains of malware were introduced -- every day. These
include so-called keylogging attacks, such as the ZeuS Trojan malware used
to steal more than $1 million from U.K. businesses and consumers in 2010,
and malware that targets merchants at the point of sale.

"The technology and techniques utilized to undertake all manner of attacks
are increasingly becoming commoditized," Burg said. "The barriers to entry
to carry out an attack are getting lower and lower because of the
commoditization of many of these kinds of tools, which are now sold on the
open market."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
