
GUEST ESSAY: U.S. ‘chip’ adoption reduces card scams — but drives up new account fraud

By Robert Capps

Identity theft and fraud hit an all-time high in 2017, according to the 2018 Identity Fraud Study released last week by Javelin Strategy & Research.

Among Javelin’s key findings: fraudsters claimed 1.3 million more victims in 2017, with $16.8 billion stolen. That’s a record high since 2003, when the firm first began tracking identity theft and fraud.

Related article: How a 19-year-old ran a bogus credit card empire

The retail and financial services industries have put great effort and resources into stopping identity theft crimes. However, the complexity of fraud continues to rise, and there has been a shift towards other prevalent types of identity fraud taking place online, such as identity theft and new account fraud.

Javelin’s findings tell us that with the adoption of embedded chip cards now widespread in the U.S., criminals have begun to shift their fraud operations away from physical stores, favoring online transactions, new account fraud, and identity theft. While credit card information remained the most targeted for new account fraud, there has been significant growth in the opening of new intermediary accounts. Payment services are increasingly being targeted by fraudsters.


For the first time ever, Social Security numbers (35%) were compromised more often in breaches than credit card numbers (30%). These trends demonstrate that personal information is under siege, and protecting sensitive data with legacy methods is futile in the age of mega breaches. …more

MY TAKE: Turning a blind eye: 73% of companies are ill-prepared to defend cyber attacks

By Byron V. Acohido

Have we truly reached the point where a multiple-year run of nightmarish cyber attacks has become mere white noise to the business community?

I cannot think of any other way to explain the findings of a new report starkly showing that fully 73% of companies in five Western nations miserably failed a cyber security readiness test.

Related article: 3-day cloud outage wreaks $15 bil damages

New York City-based specialist insurance company Hiscox commissioned a survey of more than 4,100 organizations and found that fully seven of 10 reported being ill-equipped to face a cyber attack, despite roughly the same number acknowledging that they considered cyber attacks to be a top business risk.

This pervasive apathy about effectively defending business networks persists even though ransomware …more

MY TAKE: Here’s how the U.S. economy would lose $15 billion from a 3-day cloud outage

By Byron V. Acohido

Cyber attack scenarios have become fairly common. It doesn’t take too much imagination to conjure plausible assumptions and project Armageddon-scale damages attributable to crippling cyber attacks.

One prime example is the Herjavec Group’s 2017 cybercrime report, which suggests damage caused by cyber criminals is climbing towards a whopping $6 trillion in annual global economic damage by 2021.

Related article: Why Amazon, Microsoft, Google need to lock down cloud services

By comparison, the more narrowly defined estimates put out last week by insurance underwriting giant Lloyd’s of London and risk modeling consultancy Air Worldwide are on the conservative side. The two put out a new report, Cloud Down – The impacts on the US economy, which analyzes the financial impact of the failure of a leading cloud provider in the US.

One can actually visualize how the level of damage projected by the Lloyd’s/Air Worldwide report could play out – and how it could actually happen in the very near term. The study concludes that any failure of a top cloud services provider that extends for at least three days would cost the U.S. economy $15 billion.

Small- and mid-sized businesses that have come to rely so heavily on cloud services would be hit more heavily than Fortune 1000 companies; SMBs would sustain some two-thirds of the economic losses, the report says.

Rattling the economy

I can easily wrap my mind around how a three-day outage of Amazon Web Services, Microsoft Azure or Google Cloud could rattle the U.S. economy at that scale. These projections are sobering because they are based on tangible historical data.


“If anyone is in a solid position to estimate these losses it’s AIR Worldwide and Lloyds,” observes Inga Goddijn, executive vice president at Risk Based Security Inc., a Richmond, Virginia-based supplier of risk management services.

Goddijn points out that Lloyd’s has been responding to business interruption claims, related to all manner of physical events, for decades. That puts Lloyd’s in possession of actual downtime cost data that is typically kept confidential. …more

NEWS WRAP-UP: Meltdown, Spectre discovered in the wild – live hardware attacks one step closer

By Byron V. Acohido

Week ending Feb. 9, 2018. We’re now one step closer to witnessing cyber criminals exploiting a new class of vulnerability that exists in the hardware level of virtually every computing device in active use.

Nearly 140 samples of malware that exploit the Meltdown and Spectre vulnerabilities have been discovered by AV-TEST. Most of these are based on existing proof-of-concept code, which probably originated with white hat researchers.

Related article: Why ‘Meltdown’ and ‘Spectre’ signal a banner year for hackers

Chip makers, led by Intel, have said they’ve seen no evidence the Meltdown and Spectre vulnerabilities have been exploited to steal customer data. AV-TEST’s latest findings show the number of unique samples has risen sharply in recent weeks. Andreas Marx, CEO of AV-TEST, told SearchSecurity he believes malware authors are still in the “research phase” of developing attacks based on Meltdown and Spectre.

Let’s not sugar-coat what this means going forward. Malware writers aren’t doing this research for nothing. Chip-based attacks are coming.

Most breaches ever

Hard metrics that 2017 was a very, very bad year, indeed, for cyber attacks came this week from consultancy Risk Based Security, which released its 2017 Data Breach QuickView Report.

The 5,207 breaches recorded last year surpassed 2015’s previous high mark by nearly 20%. The number of records compromised also surpassed all other years, with over 7.8 billion records exposed, a 24.2% increase over 2016’s previous high of 6.3 billion. …more

MY TAKE: Epiphany strikes Amazon, Google, Microsoft about who bears burden for cloud security

By Byron V. Acohido

Amazon and Google last week very quietly made some moves that signal they’ve been hit by the identical epiphany: they each need to do a helluva lot more to secure cloud computing.

Microsoft was hit by this lightning bolt about a year ago. The Redmond giant all through 2017 took pronounced steps to relieve users of their cloud services of at least some of the responsibility to repel malicious attacks.

Related podcast: Is ‘homomorphic encryption’ the Holy Grail of cloud security?

Current versions of Office 365 and Windows Defender Advanced Threat Protection have been equipped with new threat intelligence and malware hunting tools, and the security features of Azure Security Center have been similarly beefed up.

Me-too bandwagon

Last week both Amazon and Google climbed on the we-need-to-bake-in-cloud-security-band-wagon. Amazon did so, fittingly, by going shopping. Its Amazon Web Services division acquired Sqrrl, a Cambridge, Mass.-based threat detection technology start-up, with an NSA pedigree. That acquisition pairs nicely with AWS’s earlier buyout of Harvest.ai, a security startup that uses machine learning to ferret out anomalous behavior in cloud storage databases.

Meanwhile, it was easy to miss Google’s me-too move last week. That’s because it was made by the search giant’s freshly-minted parent company, Alphabet, which very quietly launched an independent business, dubbed Chronicle. According to Chronicle CEO Stephen Gillett, the service will feature a new cybersecurity intelligence and analytics platform intended to “help enterprises better manage and understand their own security-related data.” Chronicle also leverages VirusTotal, the malware intelligence service Google acquired in 2012.


“The announcements today by Amazon Web Services and Alphabet/Google are encouraging and demonstrate that more and more, cyber security is at the forefront of corporate agendas,” observes Terry Ray, CTO at Imperva. “Both of these technologies will likely serve as analytic platforms for threat detection, which isn’t necessarily a new idea, though I’m sure they’ll have their differentiators.” …more

NEWS WRAP-UP: Dutch spies corroborate Russia’s meddling in U.S. election — and 19 EU nations

By Byron V. Acohido

Week ending Feb. 2, 2018. Even more substantive corroborating evidence of Russia’s proactive interference in the 2016 U.S. presidential election comes from the Netherlands. European news reports detail how a Dutch intelligence agency secretly hacked into the Kremlin’s most notorious hacking group, Cozy Bear, and tracked Cozy Bear’s election tampering activities.

Dutch spies passed all of this information along to the CIA and NSA, including details of Russia hacking into the Democratic National Committee and other evidence that presumably is contributing to the ongoing FBI investigation, led by Special Counsel Robert Mueller.

What’s more, the Dutch agency passed along evidence of Russian attacks targeting elections in at least 19 European nations. Perhaps Mueller will draw a line in the sand that puts a stop to Russian hackers operating with impunity in the U.S., and elsewhere.

Disastrous cloud hack scenarios

Lloyd’s of London has put out some research that demonstrates just how vulnerable cloud computing really is. The insurance underwriting behemoth has constructed what it’s calling a “plausible scenario” of how a cyber attack could cause a catastrophic three-day cloud outage. …more

GUEST ESSAY: How children using illegal streaming devices get targeted by malicious actors

By Tom Galvin

It is good to see pressure from advertisers prompting a tech titan to clean up its digital neighborhood.

I refer to steps being taken recently by Alphabet, the parent conglomerate of Google and YouTube. Alphabet announced a new plan to keep ads from premium brands off YouTube pages with videos pushing dangerous, illegal, and/or illicit behavior.

Related article: Lawsuits allege ‘kid spying’

It remains to be seen how effective these measures will prove to be. Threat actors are not easily discouraged. In fact, they will certainly look for other money-making ventures in the digital space. These criminals will likely target poorly policed, yet highly popular, devices offering content that is easy to compromise.

Entertainment bait

There is no bait quite like content – movies, music, and games – to lure consumers into digital traps. Increasingly, people are buying devices just for the purpose of getting the programming they need to watch and play what they want.

At the Digital Citizens Alliance, our research team has worked with top researchers at cybersecurity companies and advertising watchdogs to find how cybercriminals make millions by pushing both advertising and malware through illegal and illicit movie sites.

Make no mistake, pirated movies are big business – an attractive opportunity for criminals looking for easy money, vulnerable targets (often teens and children), and little threat of police action. …more