Tag Archives: Online Security

Advent IM welcomes James Morris MP for cyber security skills gap discussions

Midlands-based cyber and information security consultancy Advent IM and members of the Malvern Cyber Security Cluster have enjoyed some serious discussions with James Morris (the MP for Halesowen and Rowley Regis) around how to bridge the current cyber security skills gap.

Advent IM welcomed the MP to its head office and training centre on 20 February. During the visit, Morris met with members of the team in addition to the company’s directors, Julia McCarron and Mike Gillespie, who highlighted the ongoing cyber security skills gap that the UK is experiencing.

The MP acknowledged that this is a topic he is extremely keen to address with the local college, and that he also wants to be part of the solution to entry-level skills building and a career path for young people interested in joining the cyber security sector.

James Morris MP (centre) with Mike Gillespie and Julia McCarron


Last year, Mike Gillespie joined Cyber Skills Challenge UK’s CEO Stephanie Daman on BBC Radio 4 to discuss this topic, and he takes every opportunity to raise awareness of the threat posed by a continuing gulf between the UK’s security needs and the number of available professionals.

“The youngsters growing up now are using technology in an ever-increasing array of ways,” stated Gillespie. “The Internet of Things connects people with their information in an unprecedented manner. It’s vital we engage the upcoming generation such that they’re interested in cyber security, not only as a career path towards being a security professional, which is what UK plc really needs, but also because security is becoming part of all employees’ lives. Their role in organisational security is increasingly acknowledged.”

Gillespie went on to tell Risk UK: “We cannot afford to allow our approach to security to remain static. Threats and risks to business proliferate in a dynamic landscape and we need to develop our talent to deal with that landscape in the same evolved and proactive way. Bringing young people into security via apprenticeships and helping them to develop down this route is going to form a vital part of safeguarding UK plc in the years to come.”

Advent IM is keen to explore options for bridging the skills gap in the local community. To this end, the company will be supporting James Morris MP in addressing the challenge of developing education and training programmes that will enable local youngsters to actively become the cyber security experts of the future.


Filed under Risk UK News

KPMG on cyber crime in 2015: ‘This time it’s personal’

‘This time it’s personal’ will be the motto of 2015 as cyber criminals are predicted to become more selective in the way that they target victims.

According to Stephen Bonner, a partner in KPMG’s cyber security practice, the next 12 months will see criminals move away from mass spear-phishing tactics in favour of highly targeted ‘campaigns’ based on the data trail people leave in their online lives.

“Over the past year, the Internet of Things took its first tentative steps into the mainstream,” said Bonner, “but consumers’ willingness to adopt the latest trend has come at a price. Their desire to be seen has overtaken their desire to be secure, meaning that we can expect organised crime to find new ways in which to make money in our increasingly digitised society.”

Bonner continued: “It’s possible that our willingness to share and shop online will let criminals become more selective about who they target. They will not need to maintain the current ‘hit and hope’ approach of spear phishing, instead only attacking specific users and computers based on the data these give away about their owners.”

According to Bonner, the result will be a business world in which cyber protection matures and where Governments come together to improve ways in which confidential data is secured.

The next 12 months will see criminals move away from mass spear-phishing tactics in favour of highly targeted ‘campaigns’ based on the data trail people leave in their online lives

“2014 may have been a year in which hardly any time went by without news of a cyber attack,” asserted Bonner, “and the next 12 months will be no different. This time, however, third party assurance will become a burgeoning industry as firms seek to protect themselves against lawsuits for loss of data or revenue. As part of this, my hope is that EU Governments will reach agreement on data protection legislation in a post-Snowden world and implement a data breach disclosure regime.”

In conclusion, Bonner explained: “Ultimately, cyber defence will be akin to a game of whack-a-mole with more emphasis on spotting attacks, more sharing of intelligence in near real-time and enhanced efforts by companies and Governments to counter and disrupt cyber attacks as quickly as they can. However, to win the game a change in mindset is needed, with security teams necessarily having to reinvent themselves by engaging with the business to really understand its priorities and justify the budget, in turn ensuring that their efforts are focused on defending key business assets while being seen as an enabler for doing business in the digital world.”


CrowdControlHQ: “IT directors ignore social media risks at their peril”

Marc Harris (Chief Technical Officer at CrowdControlHQ) examines the issues facing IT directors from the use of social media.

Many IT directors operate their own personal Facebook and LinkedIn accounts. However, when it comes to corporate social media they pass responsibility for management of same to the Marketing Department. Are they doing so at their peril?

Let me start with the elephant in the room, namely the role of the IT director. After an extensive IT career in the media, telecommunication and technology sectors, recent experience has led me to conclude that social media needs to be firmly at the top of the priority list of every IT director.

In my current role, I see at first hand the impact of reputational damage realised by both internal and external sources through the use of social media, and find it surprising how few IT directors are willing to discuss the issues or attend conferences on the subject. Perhaps they feel an unwelcome interference or ‘elbowed out’ by this new communication channel which has evolved extensively under the umbrella of marketing?

In future, the organisations succeeding in the social media space will have Marketing and IT Departments working seamlessly together to tackle the issues. The ‘DNA’ of IT makes it the most qualified department to deal with some of the risk issues that surround social media, so why isn’t it more involved?

Today, social media is being used in every aspect of business, from the Boardroom right through to the delivery of customer service. By its very nature, social media is a collective responsibility. Not surprisingly, its reliance on ‘collaboration’ has in some instances manifested itself as ‘sharing’ responsibility for posting of content… and even the sharing of passwords!

New rules now apply

I once overheard a social media officer quite gleefully boasting of the fact that they had the Twitter login to hand for their company chairman. When challenged, the officer admitted that he was ‘The Chosen One’. If he was off sick, that was it – no tweets or updates! Worse still, if he left the organisation he had the power to bring the place down tweet by tweet.

This is the stuff that would have kept me awake at night as an IT director, yet in a world powered by social engagement new rules seem to apply.

Marc Harris: CTO at CrowdControlHQ


Recent research also reported that a scarily large number of employees still use the dreaded Post-It note to record their login usernames and passwords, stuck to walls, desks and even the computer screen. Apparently, we’re not coping well with the need to access everything online from social media to our weekly shop and fear our mobile devices could be pinched. We’re reverting to pen and paper, it seems.

This practice can only end in tears. There have now been too many examples of ‘rogue’ tweets, no audit trail of who posted them (or why) and organisations – who, frankly, should have known better – being left rosy cheeked, so why is this practice still so rife?

Why would an employee, with their job on the line, ‘fess up’ when they know that at least 15 other people had access to the account that day?

I also believe that few IT Departments have a handle on the number of users across their ‘official’ social media accounts, let alone a log of which password protocol they are using, how they are accessing the site or posting.

Need to look both ways

We cannot just blame the employees. Even organisations with the most robust and celebrated IT protocols let themselves down when it comes to simple issues such as data storage. I suspect very few IT directors are crystal clear about where their marketing communications teams are storing their social media campaigns, let alone harbour an understanding of the conversations from the past that they may need to reference in the future or where they keep their notes about their customers linked to these campaigns.

I would hazard a guess that many IT Departments are breaking their own compliance and governance issues when it comes to social media.

Today, there’s no need to share passwords. The social media ‘savvy’ have cottoned on to tiered password access, with both the IT and Marketing Departments having an ‘on/off’ switch to give them instant control in times of crisis. If IT is involved in the installation of a Social Media Management Solution (SMMS) they can see exactly who is plugged into the system, where accountability lies and who they need to train and develop to uphold the security protocols needed in order to keep an organisation’s reputation intact.

Within the scope of most IT budgets a SMMS will be a drop in the ocean but will address these major issues. Any smart IT director will already be looking at a SMMS if there isn’t already one in place. Such a system gives control back to the organisation. All passwords are held in one place such that accounts are not owned by individuals but by the company. The right system gives an organisation the ability to moderate content at a senior level. In turn, the risk of misuse or mistakes can be eradicated.

A SMMS also takes care of the practical management issues. I fear that some organisations are taking a step backwards in terms of their technological evolution, reverting to time-wasting, ineffective manual processing of social media (eg multiple logins to different social media platforms rather than using readily available tools for automation and effectiveness).

The message is clear. IT directors ignore social media at their peril. When it comes to corporate social engagement, it’s time for them to wake up, check and challenge.


Centrify survey pinpoints ID theft as key concern for digital consumers

Identity theft has ranked as the top concern among 2,000 consumers questioned about their digital lifestyles in new research commissioned by Centrify Corporation. The survey reveals that 81% of respondents stated they are concerned – or very concerned – about the prospect of having their identity stolen online.

Having credit card information stolen on the Internet is also extremely worrying for consumers, with 79% ranking it the second biggest concern above being a victim of cyber crime (73%).

Surprisingly, cyber bullying is the least concerning prospect for respondents with just 40% of consumers showing any real concern, while privacy of social networks (59%) and e-mail spam (68%) both ranked much higher.

The comprehensive survey also reveals the numbers of respondents that have a high, medium or low ‘digital footprint’ based on the amount of time they spend online in a typical week e-mailing, texting and sharing or watching digital images, songs, games, videos and apps.

62% of those very concerned about identity theft have a medium digital footprint, 46% low and 26% have a high digital footprint. Equally, only 26% of those with a high digital footprint are concerned about having credit card information stolen on an online shopping website and their e-mail accounts being spammed, showing that those who spend more time online are less concerned about their identity being stolen.

One-in-four respondents to the survey have definitely (or probably) been a victim of identity theft, with 43% of victims saying the problem took more than one month to fix and one-in-five saying it took more than ten hours of their time. 47% of interviewees admitted to having to spend their own money to resolve the issue, with 28% noting they’ve spent at least £60 (in turn highlighting the need for increased password security).

Identity theft remains a key concern for online shoppers in both America and the UK


Security of personal information at risk

“With so much of our time now spent online, be it in relation to social networking, banking or shopping, the security of our personal information and, more importantly, our identities is being put at risk on a daily basis,” explained Tom Kemp (CEO at Centrify).

“According to our survey, online purchases are the top reason why users feel they became victims of identity theft, underscoring the importance of confidence in one’s own online security. Consumers have very little faith in the absolute security of their passwords. Just 15% believe those passwords are very secure, regardless of the amount and type of characters used. Being able to manage our password security is crucial.”

Other research highlights:

• The groups that are most likely to say they’ve been victims of identity theft are those that probably best understand and notice the signs of identity theft: IT workers, online shoppers, higher salary workers, the ‘tech-savvy’ and those with a high digital footprint

• Those with the least confidence that their passwords are absolutely secure include individuals that do less online shopping (12%), those aged 50-64 (11%) and those with a medium digital footprint (11%)

• A plurality of consumers are only somewhat confident that their passwords for personal accounts could not be cracked by a computer program, but few are very confident

*The Widmeyer Survey was developed to assess people’s engagement with (and perception of) passwords in order to determine their efficacy in the workplace. The survey was completed in September 2014 with more than 1,000 participants in the UK and 1,000 in North America. Results were similar across both regions


“Organisations must act now to avoid hackers’ oldest trick in the book” urges ICO

The Information Commissioner’s Office (ICO) is warning organisations that they must make sure their websites are protected against one of the most common forms of online attack – SQL injection.

The warning comes after hotel booking website operator Worldview Limited was fined £7,500 following a serious data breach in which a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers.

The data was accessed after the attacker exploited a flaw on a page of the Worldview website to reach the company’s customer database. Although customers’ payment details had been encrypted, the means to decrypt the information – the decryption key – was stored alongside the data. This oversight allowed the attackers to recover the customers’ full card details, including the three-digit security code needed to authorise payment.

Christopher Graham: the Information Commissioner


The weakness had existed on the website since May 2010 and was only uncovered during a routine update on 28 June 2013. The attackers had access to the information for ten days. The company has now corrected the flaw and invested in improving its IT security systems.

Worldview Limited would have received a £75,000 penalty but the ICO was required to consider the impact any penalty would have on the company’s financial situation.

Attacks are preventable

Simon Rice, the ICO’s Group Manager for Technology, said: “It may come as a surprise to many in the IT security industry that this type of attack is still allowed to occur. SQL injection attacks are preventable but organisations need to spend the necessary time and effort to make sure their website isn’t vulnerable. Worldview Limited failed to do this, allowing the card details of over 3,000 customers to be compromised.”

Rice added: “Organisations must act now to avoid one of the oldest hackers’ tricks in the book. If you don’t have the expertise in-house then find someone who does, otherwise you may be the next organisation on the end of an ICO fine and the reputational damage that results from a serious data breach.”


Cyber Streetwise survey reveals 75% of Britons place online safety at risk

A new survey conducted by Cyber Streetwise has revealed that most people are not taking the necessary steps to protect their identity online, with 75% of those who took part in the study admitting they don’t follow Best Practice to create complex passwords.

The figures have been released during Cyber Security Awareness Month to mark the launch of the latest phase of the UK Government’s Cyber Streetwise campaign. In partnership with the police service and industry experts, Cyber Streetwise aims to raise awareness of wise and unwise behaviour in the online space.

Despite 95% of Britons saying it’s their own responsibility to protect themselves online, two thirds are risking their safety by not using symbols in passwords. Nearly half (47%) exhibit other unsafe password habits such as using pet names or significant dates as their password.

Modern Slavery and Organised Crime Minister Karen Bradley MP explained: “When passwords are compromised, financial and banking details can be stolen and cause problems for the person affected, for businesses and for the economy. There’s an emotional impact caused by the loss of irreplaceable photos, videos and personal e-mails, but even worse these can be seized to extort money.”

Bradley added: “We can and must play a role in reducing our risk of falling victim to cyber crime. Most attacks can be prevented by taking some basic security steps, and I encourage everyone to do so.”

Vulnerability to ID theft, fraud and extortion

This latest research shows that 82% of people manage more online accounts that require a password than they did last year, with the average Briton dealing with 19. Over a third (35%) of those questioned admit that they do not create strong passwords because they struggle to recall them. However, poor passwords leave people vulnerable to identity theft, fraud and extortion.

Cyber crime presents a serious threat to the UK and the Government is taking action to increase public awareness of the risk, dedicating £860 million to this issue over the next five years through the National Cyber Security Programme. In essence, the Government is working hard to transform the UK’s response to cyber security.

The latest survey conducted by Cyber Streetwise has revealed that the majority of people are not taking necessary steps to protect their identity online


Jamie Saunders – director of the National Crime Agency’s (NCA) National Cyber Crime Unit – commented: “The NCA is working closely with law enforcement colleagues all over the world to target and disrupt cyber criminals. We should be clear that the criminals will target weaknesses. On that basis, having weak passwords will leave people vulnerable.”

Saunders continued: “Nobody wants their personal financial details, business information or photographs to be stolen or held to ransom, so simple things like using three or more words, a mixture of numbers, letters and symbols and upper and lower case letters will make it much more difficult for hackers to access personal information.”

Creating strong and memorable passwords

Advice on creating strong and memorable passwords can be found at http://www.cyberstreetwise.com along with other easy tips for staying safe online. Tips for creating and remembering passwords include the following:

Loci method
Imagine a familiar scene and place each item that needs to be remembered in a particular location (ie a red rose on the table, a book on the chair, a poster on the wall). Imagine yourself looking around the room in a specific sequence. Re-imagine the scene and the location of each item when you need to remember

Acronyms
Use a phrase or a sentence and take the first letter from that sentence

Narrative methods
Remember a sequence of key words by creating a story and littering it with memorable details (for example, ‘The little girl wore a bright yellow hat as she walked down the narrow street…’)

Further information on Cyber Security Awareness Month is available at: http://www.staysafeonline.org/ncsam/


Employees cost UK businesses £130,000 per annum in lost productivity managing passwords

According to new research conducted by Centrify Corporation (a leader in unified identity management across data centre, cloud and mobile platforms), poor password habits are not only placing employers at risk but also losing them hundreds of thousands of pounds in lost productivity every year.

The survey of 1,000 UK workers highlights that the average employee wastes £261¹ each year in company time on trying to manage multiple passwords. For an organisation with 500 staff on the payroll, that equates to a loss of more than £130,000 every 12 months.

“In our new digital lifestyles, which see a blurring of the lines between our personal and professional lives, we’re constantly having to juggle multiple passwords for everything from e-mail and mobile apps through to online shopping and social media,” explained Barry Scott, CTO (EMEA) for Centrify.

“According to the results of our extensive survey, over a quarter of us now enter a password online more than ten times each day, which could equate to 3,500 to 4,000 times every year. This is becoming a real challenge for employers who need to manage security and privacy concerns, and also for employees who are costing their companies both time and money.”

While around half (47%) of those employees questioned use their personal mobile devices for business purposes, one-in-three (34%) admit they don’t actually use passwords on these devices even though they keep office e-mail, confidential documents, customer contact information and budget details on them.


Centrify’s Infographic on Passwords

High on many people’s list of ‘most annoying things’, it seems that passwords are becoming the cause of major headaches. Centrify’s study reveals that forgetting a password for an online account is more annoying for individuals than misplacing their keys (39% of respondents), a mobile phone battery ceasing to work (37%) or receiving spam e-mail (31%).

One-in-six (16%) of respondents would rather sit next to someone talking loudly on their mobile phone, 13% would rather spend an hour on a customer service line and 12% would prefer to sit next to a crying baby on a flight than have to manage all of their passwords.

Multiple incorrect password entries

The Centrify research also shows:
• More than one-in-three (38%) employees have accounts they cannot access any more because they cannot remember the passwords
• 28% are locked out at least once a month due to multiple incorrect password entries
• One-in-five employees change their passwords at least once a month while 8% change them every week
• Most have little faith in password security – just 15% believe their passwords are ‘very secure’

With nearly half (42%) of respondents creating at least one new account profile every week – more than 50 per annum, in fact – the problems around password management will only worsen. In fact, 14% of employees quizzed believe they will have 100-plus passwords to deal with in the next five years.

Despite this, it’s believed that many employees already seriously underestimate the number of account profiles they have online, with nearly half (47%) believing they have just five profiles – although a quarter admit they harbour 21 or more.

Andy Kellett at analyst OVUM added: “When it comes to providing safe access to what should be highly secure business systems, the password model is no longer fit for purpose. It remains the primary security tool for businesses in environments where other authentication options should be considered. We used to go to work and stay in one place. Now we are just as likely to be working from a remote office, on the train or at home and simple passwords are neither robust nor secure enough to support secure remote access.”

Kellett added: “With today’s workforce also using social media and flexible remote tools and applications, we need to empower them to do this by allowing them to have more ownership of their identities and incorporate better, more balanced security measures that also improve productivity.”

Top 5 bad password practices

When asked what they do in order to remember their passwords, survey respondents stated that they:
(1) Always use the same password whenever possible
(2) Rotate through a variety of similar passwords
(3) Keep a written password in a master book of passwords
(4) Use personal information in a password
(5) Avoid using complicated symbols or combining upper and lower case

Barry Scott: Chief Technology Officer (EMEA) at Centrify


Top 5 password tips

To help employers, Centrify has compiled a list of top tips on effective password management:

• Educate staff about using passwords – make it a key part of your corporate security policy
• Make it easier for employees to work anywhere, any time by using technology that offers single sign-on capabilities (ie one click to access all of their work accounts and applications)
• With some mobile phones now providing both identity and access management capabilities, incorporate them as part of your BYOD (Bring Your Own Device) policy
• Create one profile for any corporate log-ins and then have privileges for individual employees within the one profile. Anyone who leaves the company can be removed automatically
• Think about replacing passwords with something much more intuitive like pass phrases.

The Widmeyer survey was developed to assess people’s engagement with – and their perception of – passwords in order to determine their efficacy in the workplace. The survey was completed in September 2014 with more than 1,000 participants in the UK and 1,000 in North America. Results were similar across both regions. The final results can be found at: http://www.centrify.com/Password-Survey

Reference

¹ Figure calculated by taking an average of the hourly rate of personal income from one’s job multiplied by the amount of time spent dealing with password management


Customers urged to be vigilant as card fraudsters increase scam attacks

New figures released by Financial Fraud Action UK show that card and remote banking fraud increased during the first six months of 2014. The intelligence behind the figures reinforces recent trends, which have seen the growth of deception crimes seeking to persuade consumers to part with their personal and financial information, as well as criminals’ use of computer viruses. As a result, customers are being warned to remain vigilant and aware of the key warning signs of scams.

Fraud losses on UK cards totalled £247.6 million between January and June 2014, an increase of 15% from £216.1 million during the same period in 2013. Fraud as a proportion of card purchases has remained flat at 7.4 pence for every £100 spent, the same proportion as the industry reported at the end of 2013.

Losses on remote banking fraud rose to £35.9 million, up 59% from £22.6 million in 2013. Within this total, online banking fraud losses rose to £29.3 million, a growth of 71% from £17.1 million in 2013. Telephone banking fraud rose to £6.6 million, up 20% from £5.5 million. Intelligence suggests criminals are targeting business accounts which typically allow higher value fraudulent transactions.

Losses due to remote card purchases (those made online, over the telephone or by mail order) rose to £174.5 million in the first six months of 2014, up 23% from £142 million in the same period in 2013.

Within this total, the e-commerce fraud loss is estimated to be £110 million, up 23% from an estimated £89.5 million in the first half of 2013. While significant, this rise needs to be viewed in the context of the increase in Internet shopping by British consumers, with spending up from an estimated £40.5 billion in the first half of 2013 to an estimated £47 billion in the same period in 2014 (according to IMRG). Card payments are the main driver of online spending growth as they provide the most effective way to pay online.

Card fraud rises, but as a proportion of spending remains flat at 7.4 pence for every £100 spent during the first half of 2014


Growth of deception crimes

A key driver for the rise in fraud losses has been the growth of deception crimes aimed at individuals and businesses. A combination of Chip and PIN and advanced fraud screening detection processes used by the banks drove a long-term decline in card fraud up to 2012. This is illustrated by the 72% decline in High Street fraud losses between 2004 and 2013. In response, fraudsters are increasingly concentrating their efforts on obtaining personal and financial details from individual customers rather than attacking the security systems used by the banks.

An increasing problem has been criminals telephoning people at home while posing as the bank, police or representatives of other trusted organisations such as Government departments. These cold calls typically involve the fraudster tricking their victim into revealing personal or financial information, such as their four-digit PIN or online banking details, transferring money to another account or accepting a courier into their home to pick up their card.

Once details have been compromised, they are then used to commit fraud through both remote (telephone or online) banking channels and via shopping online.

Commonly, fraudsters target retailers who have not introduced adequate Internet shopping protections. Research conducted by ICM for Financial Fraud Action UK (FFA UK) showed that a quarter (25%) of customers do not take steps to challenge the identity of a cold caller, with this figure rising to 34% among 18-24 year-olds. To stop these scams, police and fraud experts are highlighting the key warning signs.

Your bank will never:
* Call you and ask for your four-digit PIN or your full online or telephone banking security codes over the phone
* Ask you to withdraw money to hand over to them, or to transfer money to another account (even if they say the account is in your name)
* Come to your home to collect your cash, payment card or cheque book
* Ask you to purchase goods using your card and then hand them over for safe keeping

Intelligence also shows criminals are using computer viruses to steal personal and financial information which is then used to commit fraud. FFA UK strongly endorses last month’s ‘Call to Action’ by the National Crime Agency for consumers to download and update security software. Free software is often available for customers to download from their banks’ website.

Distraction thefts: driver of fraud

Distraction thefts in shops and at ATMs have been identified as a driver of fraud on lost or stolen cards, which has increased by 3% to £29.2 million from £28.2 million in the first half of 2013.

Meanwhile, mail non-receipt fraud has increased by 10% to £5 million, up from £4.6 million, with fraudsters targeting multiple occupancy residences to intercept cards and personal details from post boxes.

Counterfeit card fraud rose by 4% in the first six months of 2014 to £24.2 million, up from £23.3 million in 2013. The key driver for this modest rise is that stolen card details in the UK are being used to create counterfeit cards for use overseas in countries which have not yet implemented Chip and PIN.

Fraud on contactless cards continues to be negligible at £51,000 over the first six months of the year, which is just 0.007% of contactless card spending. Cheque fraud losses fell by 34% to £10.5 million in the first half of 2014, from £15.8 million in January to June 2013. The continued success of improved fraudulent cheque detection methods and enhanced prevention controls is the driver for this long-term decline.

The industry is tackling fraud through enforcement, information sharing, technological advances and awareness campaigns. The industry fully sponsors a specialist police unit, the Dedicated Cheque and Plastic Crime Unit (DCPCU), which identifies and targets the organised criminal gangs responsible for payment fraud. Since its inception in 2002, the DCPCU has achieved an estimated £800,000 per week in savings from reduced fraud.

Through FFA UK, the card and retail banking industry securely shares intelligence on emerging threats and identifies patterns in fraud which protect consumers and strengthen the industry’s defences.

Banks use a range of increasingly sophisticated fraud screening detection tools to prevent fraudulent transactions. FFA UK will shortly be launching a ‘vishing’ awareness initiative aimed at increasing customer vigilance over such scams.

Detective Chief Inspector Perry Stokes, head of the DCPCU, said: “Be very suspicious of phone calls, texts or e-mails which come out of the blue asking for personal or financial details, regardless of who the person on the other end of the line claims to represent. Be aware of the warning signs. Your bank will never ask you for your four-digit PIN, to transfer or withdraw money or to give your card to a courier. We’re asking members of the public to pass this information on to any family and friends who may be unaware, and echo recent calls made by the Commissioner of the City of London Police for a national awareness-raising campaign led by Government.”

View the full 2014 half year fraud figures

Filed under Risk UK News

The Customer is King… but what do they want when it comes to online security?

The latest eCustomerServiceIndex (eCSI) Survey produced by IMRG and eDigitalResearch suggests that online shoppers are far more interested in enhanced online security than the latest deals and discounts. Mark Kedgley (CTO at New Net Technologies) has the detail.

Tesco, Target, eBay, Office – all are major retailers with a significant online presence seeking to understand what their customers want to buy, how they want to buy it and what would make them buy more. Indeed, the delivered retail experience and an intimate understanding of consumer psychology is where the retail battles are being fought in 2014.

However, the latest eCustomerServiceIndex (eCSI) Survey1 conducted by IMRG and eDigitalResearch reveals that more than half of those online shoppers surveyed didn’t ask for more loyalty cards, coupon schemes or bigger discounts. What they requested is better online security.

Of course, all of the retailers mentioned have something else in common in that they have all recently been subject to security breaches involving customer payment cards or personal information.

Mark Kedgley: CTO at New Net Technologies

Retailers must improve security measures

The main conclusion drawn by eDigitalResearch from the survey findings is as follows: “Onus is very much on retailers to invest in and improve their security measures for their online customers. Over two thirds (67%) expect organisations to contact them immediately (within six hours) by e-mail or phone if security has been breached and it leads to a potential loss of data.”

In other words, customers don’t just expect to be better protected, but are savvy enough to appreciate that breaches can still happen even with appropriate security Best Practices in place. They want to see contingency plans in place that allow them to be notified within the same business day in the event of a breach occurring.

It speaks of a very realistic view on cyber security and one that’s encompassed not only by the PCI DSS (which online retailers should be operating in order to meet agreements with their banks and the payment card brands), but all other security Best Practice frameworks.

If you consider that the breach at Target was only acted on after it had been operational for two-and-a-half weeks, but during that period over 40 million payment card details were stolen and 70 million customers had their personally identifiable information compromised, you can see why speed of detection is essential. If the six-hour detection and notification deadline expected by customers had been met in this case then the damage would have been minimal, rather than catastrophic as it has been.

Retailers would do well to listen to customers’ expectations and pay heed to the lessons learned by their peers.

The growing consumer awareness of online security will ultimately expose those organisations that fail to take online security seriously to significant repercussions of brand damage that reach far beyond the financial implications of a breach.

Reference
1. eDigitalResearch’s and IMRG’s eCustomerServiceIndex

Filed under Risk UK News

Tesco.com data breach – comment from Kaspersky Lab and SafeNet

In response to this morning’s news that Tesco.com has experienced a significant data breach, David Emm (senior security researcher at Kaspersky Lab) and Jason Hart (vice-president of cloud solutions at SafeNet) offer advice on how consumers can make sure their data isn’t compromised in this type of attack.

“This latest data breach experienced by Tesco.com serves to prove the dangers of using one password across the board,” asserted David Emm (senior security researcher at Kaspersky Lab), “as this simply means that cybercriminals can gain access to all your online assets in one fell swoop.”

Emm continued: “It’s possible to create strong, memorable passwords which don’t use personal data. We’ve all heard the advice from security professionals:

1. Make every password at least eight characters long… and 15 plus is better
2. Don’t make passwords easily guessable. There’s a good chance that personal details such as your Date of Birth, place of birth and partner’s name, etc can be found online (maybe even on your Facebook wall)
3. Don’t use real words as they’re open to ‘dictionary attacks’ (whereby someone uses a program to quickly try a huge list of possible words until they find one that matches your password)
4. Combine letters (including uppercase letters), numbers and symbols
5. Don’t ‘recycle’ passwords (eg ‘david1’, ‘david2’, ‘david3’, etc)

Tesco has suspended thousands of online accounts after cybercriminals targeted log-in credentials and Clubcard points

“We are all aware that, if we follow this advice, there are too many, and they’re too complicated to remember – especially in the case of an account we don’t use very often.

“Instead of trying to remember individual passwords, start with a fixed component and then apply a simple scrambling formula. Here’s an example… Begin with the name of the online resource. Let’s say ‘mybank’. Then apply your formula. For example…

1. Capitalise the fourth character
2. Move the second last character to the front
3. Add a chosen number after the second character
4. Add a chosen non-alphanumeric character to the end

“This would give you a password of ‘n1mybAk;’.”

There is an alternative method, too. “Instead of using the name of the online resource as the fixed component,” stated Emm, “create your own passphrase and use the first letter of each word. So, if your passphrase is ‘the quick brown fox jumps over the lazy dog’, the fixed component of each password starts out as ‘tqbfjotld’. Then apply your four-step rule.”
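As an added illustration (not code from the article or from Kaspersky Lab), the Python below applies Emm’s four-step rule to a fixed component, using the digit ‘1’ and the symbol ‘;’ from his worked example, and also builds the fixed component from a passphrase as in the alternative method. It assumes the chosen digit is placed as the second character of the rearranged string, since that is the placement which reproduces the article’s own result ‘n1mybAk;’ for ‘mybank’.

```python
"""Added example: Emm's four-step password 'scrambling formula'.

Assumptions (not stated as code in the article): the digit goes in as the
second character of the rearranged string, matching 'mybank' -> 'n1mybAk;'.
"""


def passphrase_initials(phrase: str) -> str:
    """Alternative fixed component: first letter of each passphrase word."""
    return "".join(word[0] for word in phrase.split())


def scramble(fixed: str, digit: str = "1", symbol: str = ";") -> str:
    """Apply the four steps to a fixed component such as a site name."""
    if len(fixed) < 4:
        raise ValueError("fixed component must be at least four characters")
    chars = list(fixed)
    # Step 1: capitalise the fourth character.
    chars[3] = chars[3].upper()
    # Step 2: move the second-last character to the front.
    chars.insert(0, chars.pop(-2))
    # Step 3: add the chosen number, placed as the second character
    # (the position that reproduces the article's 'n1mybAk;').
    chars.insert(1, digit)
    # Step 4: add the chosen non-alphanumeric character to the end.
    chars.append(symbol)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs taken from the article's two worked examples.
    print(scramble("mybank"))  # n1mybAk;
    fixed = passphrase_initials("the quick brown fox jumps over the lazy dog")
    print(fixed, "->", scramble(fixed))  # tqbfjotld -> l1tqbFjotd;
```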

Emm also commented: “By using either of these methods, consumers can ensure they have a unique password for each online account and therefore secure themselves against these types of breaches that make use of previously gained information.

“If you find even this too complicated, consider using a password manager – software that automatically creates complex passwords for you, keeps them secure and auto-enters them when you need to log in.”

Companies must focus on what matters most – the data

A former ethical hacker for more than 15 years, Jason Hart (vice-president, cloud solutions at SafeNet) explained: “In 2013, there were over 595 million data records lost or stolen, demonstrating that conventional breach prevention and perimeter-based security are not sufficient for protecting modern data. It’s clear that it’s not a matter of ‘If’ a data breach will occur, but ‘When’.

“On that basis, it’s vital that organisations are taking the correct precautions to ensure their most sensitive data remains protected.

“While the latest Tesco data breach was not a result of a direct attack on the Tesco.com website, it does highlight the wider implications of data breaches. Many people often use the same password across multiple sites, so the true impact of any data breach is always likely to be bigger than first anticipated.”

Hart went on to state: “This is not the first time that supermarkets have fallen foul of a cyber attack and it should serve as a reminder to all retailers of the threat posed by data breaches. Too many Security Departments hold on to the past when it comes to their security strategies, focusing on breach prevention rather than securing the data that they’re trying so hard to protect.

“Methods used by cybercriminals are becoming increasingly sophisticated and, if they want to hack the system or steal data, they will find one way or another to do so.

In conclusion, Hart stressed: “Companies need to focus on what matters most – the data. By using technologies such as encryption that render any data useless to an unauthorised party, as well as tamper-proof and robust key management controls, companies can be safe in the knowledge that their data is protected whether or not a security breach occurs.”

Filed under IFSECGlobal.com News