
For consumers

 

MY TAKE: Account hijackers follow small banks, credit unions over to mobile banking apps

By Byron V. Acohido

As long as cyber attacks continue, financial institutions will remain a prime target, for obvious reasons.

Related: OneSpan’s rebranding launch

Outside of giants JP Morgan, Bank of America, Citigroup, Wells Fargo and U.S. Bancorp, the remainder of the more than 10,000 U.S. firms is made up of community banks and regional credit unions.

These smaller institutions, much like the giants, are hustling to expand mobile banking services. Yet, they are much less well equipped to detect and repel cyber attackers, who are relentlessly seeking out and exploiting the fresh attack vectors spinning out of the expansion of mobile banking.

I had the chance at RSA 2019 to discuss this war of attrition with Will LaSala, director of security services and security evangelist at OneSpan, a Chicago-based provider of anti-fraud, e-signature and digital identity solutions to 2,000 banks worldwide. The good news is that OneSpan and other security vendors are innovating to bring machine learning, data analytics and artificial intelligence to the front lines. For a drill down on our conversation, give a listen to the accompanying podcast. Key takeaways:

Shifting risks

We’ve seen a shift in bank fraud, especially for small banks and credit unions, over the past couple of years. In the not-so-distant past, banks dealt with online and account takeover fraud, where hackers stole passwords and used phishing scams to target specific individuals.

Now this fraud has moved into the mobile space because nearly every financial institution has an app, changing the fraud landscape. Organizations like OneSpan now analyze bank fraud across the mobile app landscape, looking at areas like social engineering attacks, screen captures, or changing SIM cards, LaSala told me. …more

MY TAKE: What ‘fake news’ really is: digital disinformation intended to disrupt, manipulate

By Byron V. Acohido

President Trump’s constant mislabeling of mainstream news reports he doesn’t appreciate as “fake news” has done much to muddle the accurate definition of this profound global force – and obscure the societal damage this rising phenomenon is precipitating.

Related: The scourge of ‘malvertising’

Fake news is the willful spreading of disinformation. Yes, much of political propaganda, as practiced down through the ages, fits that definition. But what’s different, as we approach the close of the second decade of the 21st century, is that it is now possible to pull the trigger on highly-targeted, globally-distributed disinformation campaigns – by leveraging behavior profiling tools and social media platforms.

Like seemingly everything else these days, this is a complex issue, and it takes effort to decipher the bottom line. Here are three things it is vital for every concerned citizen to grasp about disinformation campaigns in the digital age.

Fake news is scaling.

There are plenty of factual articles about how “fake news” influenced the 2016 U.S. presidential election. What many citizens still don’t realize is that this was just one of the major elections jarred by this potent variant of disinformation spreading. This includes England’s Brexit vote and very recent cases in Brazil and India, where disinformation campaigns fueled some tragic outcomes.

In the 2016 US elections, Russia targeted Facebook users to receive incendiary ads and bogus stories, and used botnets to facilitate intelligence gathering and distribution. And human “supersharers” – mostly Republican women older than the average Twitter user – got into the act, as well, Tweeting stories from ideological websites at a furious daily pace, according to a study by Northeastern University in Boston.

Meanwhile, in January 2016, during the heat of the presidential contest, some 39 percent of Trump’s Twitter followers were faked. A tally by Twitter Audit showed Candidate Trump with 22.7 million Twitter followers – 16.6 million real, and 6.1 million fabricated.

Fast forward to Brazil’s presidential election last October. WhatsApp was flooded with fake news about both of the leading candidates. And in India’s national elections, which are underway right now, disinformation has stoked emotions tied to India’s conflict with Pakistan over Kashmir. …more

NEW TECH: Cequence Security deploys defense against botnets’ assault on business logic

By Byron V. Acohido

One way to grasp how digital transformation directly impacts the daily operations of any organization – right at this moment — is to examine the company’s application environment.

Related: How new exposures being created by API sprawl

Pick any company in any vertical – financial services, government, defense, manufacturing, insurance, healthcare, retailing, travel and hospitality – and you’ll find employees, partners, third-party suppliers and customers all demanding remote access to an expanding menu of apps — using their smartphones and laptops.

This translates into a sprawling attack surface available to determined, well-funded threat actors. I had the chance at RSA 2019 to visit with Larry Link, CEO of Cequence Security, a Sunnyvale, CA-based startup that has secured $30 million in venture funding to help companies address this exposure.

Cequence’s technology detects and repels bot attacks designed to manipulate business logic. Such attacks can create or take over accounts, detonate reputation bombs, scrape content, deny inventory and carry out extortion variants. For a full drill down on our discussion, give a listen to the accompanying podcast. Here are the big takeaways:

Hyper-connectivity

We live, work and play in a hyper-connected environment. Because we are constantly switched on and tuned in, organizations are now being forced by their customers to provide a much broader suite of access points into their application environment. Customers are all demanding access and requiring access from all of their devices, new and old.

Take the airline industry as an example. A decade ago, purchasing an airline ticket online was straightforward. You found the flight you wanted, …more

Cloud computing 101: basic types and business advantages of cloud-delivered services

By Mike James

If you are looking for a simpler method of managing issues such as storage, software, servers and databases, cloud computing could have the answers that your business needs. The cloud is becoming increasingly popular around the world, as organisations are starting to understand the organisational and cost benefits of using it.

Related: Using a ‘zero-trust’ managed security service

In this article we will take a look at the different types of cloud computing services available to see whether this might be something suitable for your business.

Four types

Before you can establish whether or not cloud computing is right for your business, it is necessary to understand the differences between the forms of cloud computing that are available to you. Known by the …more

NEW TECH: CyberGRX seeks to streamline morass of third-party cyber risk assessments

By Byron V. Acohido

When Target fired both its CEO and CIO in 2014, it was a wake-up call for senior management.

The firings came as a result of a massive data breach which routed through an HVAC contractor’s compromised account. C-suite execs across the land suddenly realized something similar could happen to them. So they began inundating their third-party suppliers with “bespoke assessments” – customized cyber risk audits that were time consuming and redundant.

Out of that morass was born CyberGRX, a Denver, CO-based start-up that’s seeking to dramatically streamline third-party risk assessments, and actually turn them into a tool that can help mitigate cyber exposures.

I had the chance to visit with CyberGRX CEO Fred Kneip at RSA 2019 at San Francisco’s Moscone Center last week. He shared a telling anecdote about how CyberGRX got its start — essentially from backlash to the milestone Target breach.

Kneip also painted the wider context about why effective third-party cyber risk management is an essential ingredient to baking-in security at a foundational level. For a full drill down, please listen to the accompanying podcast. The key takeaways:

Rise of third parties

In 2016, Jay Leek – then CISO at the Blackstone investment firm, and now a CyberGRX board member — was collaborating with CSOs at several firms Blackstone had invested in when a common theme came up. The CSOs couldn’t scale their third-party risk assessment programs to keep up with growth. The problem had become untenable.

The Target firings lit a fire under senior management to make third-party security audits standard practice. But they did so without taking into account the hockey-stick rise in reliance on third-party suppliers. No one thought deeply enough about how they were distributing privileged access to innumerable third-party vendors.

Facilities repairmen, like the HVAC vendor, were a small part of this trend. The corporate sector’s pursuit of digital transformation had given rise to new cottage industries of third-party contractors for everything from payroll services, accounting systems and HR functions to productivity suites, customer relationship services and analytics tools.

“Think about the CEO who’s overstretched and one step removed . . . the problem of how third-parties might be exposing company data became, not so much neglected, as de-prioritized, even as companies became more and more dependent on these third party providers,” Kneip told me. …more

MY TAKE: Why the next web-delivered ad you encounter could invisibly infect your smartphone

By Byron V. Acohido

Google, Facebook and Amazon have gotten filthy rich doing one thing extremely well: fixating on every move each one of us makes when we use our Internet-connected computing devices.

Related: Protecting web gateways

The tech titans have swelled into multi-billion dollar behemoths by myopically focusing on delivering targeted online advertising, in support of online retailing. This has largely shaped the digital lives we’ve come to lead.

Turns out all of this online profiling has a dark side. Cybercriminals have begun escalating their efforts to bend the legitimate online advertising and retailing fulfillment ecosystem to their whims.

This development is unfolding largely off the radar screen of the website publishers who depend on this ecosystem, says Chris Olson, CEO of the Media Trust, a 15-year-old website security vendor based in McLean, VA, that is on the front lines of mitigating this seething threat.

Meanwhile, billions of consumers who participate in this ecosystem each minute of every day remain blissfully ignorant of how they are increasingly being placed in harm’s way, simply doing routine online activities, Olson told Last Watchdog.

Losing control of risk

Like most other pressing cybersecurity challenges today, the problem is rooted in digital transformation. Specifically, to make their digital operations ever more flexible and agile, enterprises have grown ever more reliant on third-party software developers. …more

MY TAKE: Here’s why the Internet Society’s new Privacy Code of Conduct deserves wide adoption

By Byron V. Acohido

When Facebook founder Mark Zuckerberg infamously declared that privacy “is no longer a social norm” in 2010, he was merely parroting a corporate imperative that Google had long since established. That same year, then-Google CEO Eric Schmidt publicly admitted that Google’s privacy policy was to “get right up to the creepy line and not cross it.”

Related: Mark Zuckerberg’s intolerable business model.

We now know, of course, they weren’t kidding. Facebook’s pivotal role in the Cambridge Analytica scandal and Google getting fined $57 million last week by the French for violating Europe’s privacy rules are just two of myriad examples demonstrating how the American tech titans live by those credos.

But what if companies chose to respect an individual’s right to privacy, especially when he or she goes online? What if consumers could use search engines, patronize social media, peruse news and entertainment sites and use other internet-enabled services without abdicating all of their rights? What if companies stopped treating consumers as wellsprings of behavioral data – data to be voraciously mined and then sold to the highest bidder?

With Jan. 28 earmarked as Data Privacy Day — an annual international privacy awareness campaign — these are reasonable questions to ask. These are ponderings that have been debated by captains of industry, government regulators, and consumer advocates in Europe and North America for the past decade and a half. …more