Ecommerce Fraud To Surge, Says Radial Data: Fraudsters have migrated away from card-present fraud, because it became hard, and are now focusing on card-not-present fraud. While card-present fraud may have decreased over the past year, Radial’s data clearly shows that card-not-present fraud in the online arena is skyrocketing. It is on the rise in the eCommerce arena, according to data released by the eCommerce Fraud Technology Lab of Radial, an omnichannel commerce technology and operations company. Radial’s data also showed that overall fraud is up 30 percent year over year. Credit card testing means that stolen credit card numbers are tested with small purchases to ensure the account is valid before larger purchases are made. As much as automation is a key principle in business, fraudsters have adopted this idea as well and are using automation in all phases of the fraud lifecycle. This is driving the increase in card testing and the overall increase in fraud. As a result, retailers have either applied tools that over-reject orders, which decreases customer transaction approvals, or built an in-house fraud team. Radial’s Risk Analytics Manager, Michael Graff, shared with PYMNTS how best to avert future card testing fraud: “There are two key components to a Card Testing Prevention strategy: detection and response.” Graff also commented on what retailers can do to help further prevention moving forward, in addition to detection and response: “I strongly urge retailers to strengthen their protections when it comes to fraud.”
We knew the U.S. and Russia were hacking powers, but Ethiopia and Pakistan?: Russian state hackers get the headlines, but nations across the globe are pouring money into cyber espionage units, a development that, security experts say, is allowing smaller nations to close the espionage gap without the satellites or tech muscle of big nations. If a hacking unit in a less developed country can penetrate and crack open the emails of key politicians or military officers in another country of interest, it may be able to harvest thousands upon thousands of documents. “It’s very efficient,” said John Hultquist, a cyber espionage analyst who has studied the growth of hacking among smaller nations. “We’re going to see a massive investment across the board in offensive cyberattack tools,” said Eric O’Neill, a former FBI counterintelligence operative who is now a national security strategist. Other countries, ranging from small Macedonia to Ethiopia and Malaysia, are among the nations with cyber units targeting regional rivals or dissident citizens abroad. Cybersecurity firms increasingly are drawing attention to the rise of hacking by previously unseen nations. “It used to be that if we, the security vendors, found a new unknown nation-state cyber espionage group from China, that would be front-page news,” said a researcher who is part of a unit studying cyber espionage at Symantec, the giant security software and storage company in Mountain View, California. Strategists say the militaries of nations large and small view cyber activity today as necessary to secure their own safety and prepare for conflict tomorrow. An incredible explosion of criminal hacks worldwide has provided a fog of sorts for nations to probe each other with cyber espionage.
Hackers are using ‘bots’ to steal unused gift card balances from under your nose: Cybercriminals operating on the dark web have reportedly developed a fresh way of conducting gift card fraud, using automated bots to scour the web and locate legitimately issued cards that remain unused, security researchers have found. This works because most gift card balance-checking websites require users to enter full gift card numbers before providing results. Flashpoint researchers said they have witnessed a spike in dark web chatter using the terms “cracking” and “gift cards” since 2015, when businesses around the world started to disrupt cybercrime enterprises by bulking up the security around “carded” plastic. In most cases, once an actor identifies a gift card with a balance, they will sell the card’s information on the dark web as an “eGift card”, Flashpoint said. According to fresh analysis from Flashpoint, a cybersecurity firm, the latest methods are driving the costs of stolen card data down to as little as 5% of their proper worth as dark web vendors struggle to sell them. “Cybercriminals’ continued interest in gift card fraud aligns with a common practice among many gift card issuers: the prioritisation of user experience and profits over security,” wrote Olivia Rowley, intelligence analyst at Flashpoint. “Unlike bank-issued credit and debit cards, gift cards are not held to strict anti-fraud standards, which means that many gift cards may lack common-yet-effective security features aimed to help combat fraud,” Rowley said. “Consumers of gift cards should recognise that inconsistent security measures among many gift card issuers have made instances of gift card fraud increasingly common.” She continued: “It is also crucial to recognise that many gift card balances remain unclaimed long after being purchased — a fact that further incentivises businesses to continue to market and sell less-secure gift cards despite their rising susceptibility to fraud.”
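Both items above describe the same defender-visible signature: one source hitting an authorization or balance-check endpoint with many distinct card numbers in a short window, either with small amounts (card testing) or with no purchase at all (gift card balance enumeration). The detection logic below is an added example, not Radial’s or Flashpoint’s code; the log format, the thresholds and the sample log lines are constructed for illustration and do not come from either vendor.

```python
"""Velocity detection for card testing and gift card balance enumeration.

Added example (constructed; not code from Radial, Flashpoint or any vendor).
Log format assumed here: timestamp,source_ip,endpoint,card_token,amount_cents,result
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: one card-testing burst (203.0.113.7), one balance
# enumeration run (192.0.2.44), and two ordinary customers.
SAMPLE_LOG = """\
1000,203.0.113.7,authorize,tok_a1,99,declined
1003,203.0.113.7,authorize,tok_a2,99,declined
1006,203.0.113.7,authorize,tok_a3,99,approved
1009,203.0.113.7,authorize,tok_a4,99,declined
1012,203.0.113.7,authorize,tok_a5,99,declined
1015,203.0.113.7,authorize,tok_a6,99,approved
1020,198.51.100.9,authorize,tok_b1,4999,approved
1400,198.51.100.9,authorize,tok_b1,1299,approved
1500,192.0.2.44,balance,gc_0001,0,unknown
1501,192.0.2.44,balance,gc_0002,0,unknown
1502,192.0.2.44,balance,gc_0003,0,unknown
1503,192.0.2.44,balance,gc_0004,0,valid
1504,192.0.2.44,balance,gc_0005,0,unknown
1505,192.0.2.44,balance,gc_0006,0,unknown
1506,192.0.2.44,balance,gc_0007,0,unknown
1507,192.0.2.44,balance,gc_0008,0,unknown
1600,192.0.2.10,balance,gc_4242,0,valid
"""


@dataclass
class Event:
    ts: int
    source: str
    endpoint: str
    card: str
    amount: int
    result: str


@dataclass
class Rule:
    window_s: int            # sliding window length in seconds
    min_distinct_cards: int  # distinct cards inside one window that trigger a finding
    max_amount_cents: Optional[int] = None  # authorize only: every amount in the window must be small


# Assumed thresholds; a real deployment tunes these against its own traffic.
RULES = {
    "authorize": Rule(window_s=60, min_distinct_cards=5, max_amount_cents=500),
    "balance": Rule(window_s=60, min_distinct_cards=5),
}


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, src, ep, card, amt, res = line.split(",")
        events.append(Event(int(ts), src, ep, card, int(amt), res))
    return events


def _has_burst(evs, rule):
    """True if any sliding window of the source's events matches the rule."""
    start = 0
    for end, e in enumerate(evs):
        while e.ts - evs[start].ts > rule.window_s:
            start += 1
        window = evs[start:end + 1]
        if rule.max_amount_cents is not None and any(
            w.amount > rule.max_amount_cents for w in window
        ):
            continue  # a real purchase in the window: not a pure testing burst
        if len({w.card for w in window}) >= rule.min_distinct_cards:
            return True
    return False


def detect(events, rules=RULES):
    """Group events by (source, endpoint) and report sources that burst.

    Each finding carries the cards the attacker confirmed as live, which is the
    'response' half of the strategy: those are the cards to hold for review.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[(e.source, e.endpoint)].append(e)
    findings = []
    for (src, ep), evs in by_key.items():
        rule = rules.get(ep)
        if rule is None or not _has_burst(evs, rule):
            continue
        confirmed = sorted({e.card for e in evs if e.result in ("approved", "valid")})
        findings.append({
            "source": src,
            "endpoint": ep,
            "distinct_cards": len({e.card for e in evs}),
            "confirmed_cards": confirmed,
            "action": "block source; hold confirmed cards for manual review",
        })
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f)
```

The two ordinary customers (one repeat purchase, one single balance check) stay below the distinct-card threshold, so they are not reported; only the two bursting sources are, each with the list of cards the burst confirmed as live.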
Cloud Providers Serving Government Must Store Data in India: According to the new MeitY guidelines, cloud service agreements will now need to specify that the provider’s facilities and services are certified as compliant with the following standards: ISO 27001 (the data center and cloud services should be certified for the latest version of the standard); ISO/IEC 27017:2015 (Information technology – Code of practice for information security controls based on ISO/IEC 27002 for cloud services); ISO 27018 (Code of practice for protection of personally identifiable information in public clouds); ISO 20000-9 (Guidance on the application of ISO/IEC 20000-1 to cloud services); and PCI DSS (the standard for storing, processing and transmitting credit card information). The guidelines require that cloud service providers’ contracts with the government clearly state that all services and data will be guaranteed to reside in India. Although most cloud service providers have hosted websites and servers outside India due to perceived cost advantages as well as business continuity and legal concerns, it is now critical to locate the data within India so that appropriate security and legal measures can be taken in case of cyberattacks, some cybersecurity experts say (see: Parliament: Store Critical Data in India). “The new guidelines will have a positive impact on the cloud service providers, who can now take advantage of data localization and seek the government’s support on any legal implications they might face,” says Prashant Mali, a Mumbai-based attorney who is an international cybersecurity expert. Focusing on more than cost: in taking steps to ensure data security, the government must look beyond entering contracts with the lowest-cost cloud services provider, experts say. While the government has issued security guidelines for cloud service partners, it has to do away with the concept of L1 (lowest-bidder) bidding.
More than half of people are happy to share their passwords with others, McAfee study finds: According to a recent McAfee study surveying 3,000 people across the US, UK, France, Germany and Australia, a shocking 59% of respondents said they were comfortable with sharing their passwords with others. McAfee said many people still resort to using embarrassingly weak passwords, such as their dog’s name, to access their online accounts. “With so much to remember, it is no surprise that the password ‘password’ remains one of the most popular security measures people use,” he said. While 44% of respondents claimed security strength is their main concern when creating passwords, 34% said they were more concerned about the ease of remembering their passwords. More than 34% of US respondents said they regularly reuse passwords across multiple accounts, a seemingly routine but dangerous practice. While 10% of UK respondents admitted they forget their passwords all the time, 46% said they forget them occasionally. About 69% resort to going through the “Forgot password” sequence when they do forget their password, with 14% repeatedly trying various passwords until they are eventually locked out. Not surprisingly, around 75% choose to abandon whatever they were trying to do online simply because they forgot their password. People use various other “easy” measures to keep track of their passwords, such as emailing them to themselves (9%), storing them in a notes app on their smartphone (8%), using a spreadsheet or other document on their computer (7%), or hiding the passwords in fake contacts on their phone (6%). Around 13% of UK respondents said they write down their passwords and keep them near their computer.
Unsuspecting Canadians are live online thanks to surveillance cam security flaws: A website registered in Russia, called Insecam, is reportedly live streaming from security cameras all around Canada. Motherboard reports that security cameras at various places in Canada, including kindergartens, day-care centres, churches and even living rooms, have been tapped into to procure these feeds. The matter came to light when CBC reported that the Russian website had been broadcasting feeds of hundreds of school students from a Cape Breton school in Nova Scotia, Canada. One of the malls whose webcam was tapped into confirmed using the cameras for surveillance but said it was not aware the feed was viewable outside of its internally accessible site. There may be other sites streaming such videos too, the report claims. Webcam and surveillance camera security flaws are not new, but alarm bells go off when scores of unsuspecting people are streamed live online. Unlike other digital devices, most security cameras are not password protected and can be spied on. Earlier this year it was reported that unknown hackers accessed 70% of Washington DC’s surveillance cameras, preventing footage from being recorded for three days; that incident took place just eight days before President Donald Trump’s inauguration ceremony. Last year, a former NSA employee detailed how the webcam and microphone of an Apple MacBook could be hacked.
Over 200 Android apps are silently spying every day on users with ultrasonic beacons: Hundreds of Android apps are surreptitiously spying on users every day using ultrasonic beacons, according to a new study. Researchers from the Brunswick Technical University in Germany, in a research paper titled “Privacy Threats through Ultrasonic Side Channels on Mobile Devices”, said that various firms have begun exploring new tech options to track user habits and activities. The researchers say that ultrasonic beacons embedded into apps can track users via a mobile’s microphone without users’ knowledge, and that they found 234 Android apps currently using ultrasonic beacons to track users. “Ultrasonic side channels on mobile devices can be a threat to the privacy of a user, as they enable unnoticeably tracking locations, behavior and devices.” For instance, users’ TV habits can be spied on; ultrasonic beacons can also be used to determine what other devices belong to the user and potentially link a user’s personal and business devices, “providing a potential infection vector for targeted attacks.” The researchers also said that ultrasonic beacons can help in tracking users’ indoor movements without the need for GPS. “In the end, an adversary is able to obtain a detailed, comprehensive user profile with a regular mobile application and the device’s microphone solely,” the researchers said. The ultrasonic tracking system can also be used to de-anonymize Tor users, potentially providing an avenue for “a side channel attack to Bitcoin or Tor users.” The researchers also noted that 4 of 35 stores in two countries in Europe use ultrasonic beacons for location tracking.
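The item above rests on one physical fact: an ordinary microphone sampled at 44.1 kHz captures up to 22.05 kHz, so near-ultrasonic tones (roughly 18 to 20 kHz) that people cannot hear are still present in recorded audio. An analyst auditing a venue or an app can therefore check captured audio for narrow-band energy in that range. The code below is an added example, not the researchers’ tooling: it uses the Goertzel algorithm to measure power at individual frequencies and flags a recording whose ultrasonic band carries a tone. The test signals, the band edges and the power threshold are constructed assumptions.

```python
"""Detect near-ultrasonic tones in audio samples with the Goertzel algorithm.

Added example (constructed; not code from the cited paper). Input is a list of
float samples in [-1, 1]; in practice these would come from a WAV recording.
"""
import math

SAMPLE_RATE = 44100  # Hz; Nyquist limit 22050 Hz, so an 18-20 kHz beacon is captured


def synth(tones, seconds=0.05, rate=SAMPLE_RATE):
    """Constructed test signal: a sum of sine tones given as (freq_hz, amplitude)."""
    n = int(rate * seconds)
    return [
        sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in tones)
        for i in range(n)
    ]


def goertzel_power(samples, target_hz, rate=SAMPLE_RATE):
    """Power at one frequency bin, normalized so a pure sine of amplitude A
    that sits exactly on the bin yields about A**2 / 4."""
    n = len(samples)
    k = round(n * target_hz / rate)          # nearest DFT bin index
    w = 2 * math.pi * k / n
    coeff = 2 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2  # |X[k]|^2
    return power / (n * n)


def ultrasonic_peak(samples, rate=SAMPLE_RATE, band=(18000, 20000), step_hz=100):
    """Scan the near-ultrasonic band and return (frequency, power) of the strongest bin."""
    best_hz, best_power = band[0], -1.0
    for f in range(band[0], band[1] + 1, step_hz):
        p = goertzel_power(samples, f, rate)
        if p > best_power:
            best_hz, best_power = f, p
    return best_hz, best_power


def has_ultrasonic_beacon(samples, rate=SAMPLE_RATE, min_power=1e-4):
    """Return (flagged, peak_hz, peak_power). min_power ~ a 0.02-amplitude tone."""
    hz, power = ultrasonic_peak(samples, rate)
    return power >= min_power, hz, power


# Constructed inputs: audible content only, and the same content plus a quiet 19 kHz tone.
SPEECH_ONLY = synth([(300, 0.5), (1000, 0.3)])
WITH_BEACON = synth([(300, 0.5), (1000, 0.3), (19000, 0.05)])

if __name__ == "__main__":
    print("speech only :", has_ultrasonic_beacon(SPEECH_ONLY))
    print("with beacon :", has_ultrasonic_beacon(WITH_BEACON))
```

The 19 kHz tone is 20 dB below the audible content and inaudible to most adults, yet it stands out clearly in the scan because Goertzel measures one narrow bin at a time. On real recordings, frame the audio into short windows and require the peak to persist across several frames before flagging, so a single click or transient does not trigger it.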
Google was warned of Google Docs phishing technique 6 years ago: According to email security provider Agari, over 3,000 organisations were affected by the attack. “Based on information from the Agari Trust Network, we saw more than 3,016 organizations were compromised during the attack that sent 23,838 emails to Agari protected organizations,” Agari told IBTimes UK. Google boasts of over 1 billion users, indicating that nearly 1 million users may have been affected by the attack. Perhaps most shocking is that Google was warned of the possibility of such an attack six years ago but, despite rewarding the security researcher who flagged the vulnerability, did not do enough to address it. Google knew about the attack vector: Motherboard also said that, in 2012, security researcher Andre DeMarre had warned Google about the phishing technique, suggesting that the company address the issue by checking whether the name of any given app matched the URL of the firm behind it. In another interesting development, a random Twitter user claimed responsibility for the mass phishing attack. On 3 May, shortly after news of the phishing attack began spreading, a Twitter user, using an email address with the name Eugene Pupov (a name which also happened to match the sender of the mass phishing scam), claimed responsibility for the attack. The Twitter user claimed that he was a student at Coventry University and that the phishing emails were a “test” for his university research project and not part of a scam campaign. The Twitter account in question has since been deleted, indicating that the individual who claimed the attack may have done it for a lark.
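DeMarre’s 2012 suggestion, as the item describes it, is a registration-time control: when a third-party OAuth app asks to be displayed under a name that looks like a well-known product, the identity provider should check that the app’s redirect and homepage URLs actually belong to that product’s owner. The code below is an added example of that check, written as a defender’s vetting routine; it is not Google’s control and makes no claim about how Google implemented its fix. The brand allow-list, the leetspeak map and the sample registrations are constructed assumptions.

```python
"""Vet OAuth app registrations whose display name claims a known brand.

Added example (constructed; not Google's code). An app that calls itself
"Google Docs" but redirects to an unrelated domain is held for review.
"""
from urllib.parse import urlparse

# Constructed allow-list: brand term -> domains the brand owner controls.
BRAND_DOMAINS = {
    "google docs": {"google.com"},
    "google drive": {"google.com"},
    "dropbox": {"dropbox.com"},
}

# Common digit/symbol substitutions attackers use to slip past exact-match filters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a"})


def normalize(name):
    """Lowercase, undo simple leetspeak and collapse whitespace."""
    return " ".join(name.lower().translate(LEET).split())


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def under_domain(host, allowed):
    """True if host equals one of the allowed domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def vet_app(app):
    """Return the reasons a registration should be held; empty list means it passes.

    app is a dict with 'display_name', 'redirect_uris' (list) and optional 'homepage'.
    """
    name = normalize(app["display_name"])
    urls = list(app.get("redirect_uris", []))
    if app.get("homepage"):
        urls.append(app["homepage"])
    reasons = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in name:
            continue
        for url in urls:
            host = hostname(url)
            if not under_domain(host, domains):
                reasons.append(
                    f"display name claims '{brand}' but {url} is outside {sorted(domains)}"
                )
    return reasons


# Constructed registrations (domains use reserved .invalid / .example names).
IMPERSONATOR = {
    "display_name": "Google Docs",
    "redirect_uris": ["https://docs-share.invalid/oauth/callback"],
    "homepage": "https://docs-share.invalid",
}
LEET_IMPERSONATOR = {
    "display_name": "G00gle D0cs",
    "redirect_uris": ["https://shared-doc.invalid/cb"],
}
LEGIT_BRAND_OWNER = {
    "display_name": "Dropbox",
    "redirect_uris": ["https://www.dropbox.com/oauth2/cb"],
    "homepage": "https://dropbox.com",
}
UNRELATED = {
    "display_name": "Quarterly Report Helper",
    "redirect_uris": ["https://reports.example/callback"],
}

if __name__ == "__main__":
    for app in (IMPERSONATOR, LEET_IMPERSONATOR, LEGIT_BRAND_OWNER, UNRELATED):
        print(app["display_name"], "->", vet_app(app) or "ok")
```

The check is deliberately conservative: an unrelated name passes untouched, a brand owner whose URLs sit on its own domain passes, and only a brand-claiming name paired with foreign URLs is held. Since the attack in the item succeeded because the consent screen showed a trusted name, running this vetting before a name ever reaches a consent screen is where it pays off.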
Game of Thrones season 7: Leak fears prompt HBO to dictate two-factor authentication for emails: As the makers prepare for the release of the show’s seventh season, leaks surrounding its plot have started to surface, but HBO and the showrunners are not taking any chances this time. Many sub-Reddits have claimed they have exact details of the plot, just like last year, when most of the leaks were found to match the actual show’s plot. This has led HBO and the show’s producers to take extra precautions to protect the plot’s secrecy. Scripts this time are being sent digitally only, and no on-set notes are allowed to be taken off the sets. Not only has the number of people receiving scripts for the season been drastically cut down, stars of the show have also been asked to adopt two-factor authentication for their email so hackers cannot get into their inboxes and steal the scripts. For the first time, an entire season will be based on an original script different from what George R R Martin’s books have so far depicted. In a recent interview, Nikolaj Coster-Waldau, who plays Jaime Lannister on the show, said almost every major plot point of season 7 has been spoiled online somewhere or other, “but there’s 10,000 other spoilers out there, they’re not real.” The unavoidable obsessive fan interest has also led HBO to refrain from making the show available to the press before release. A few episodes had even leaked online on torrent sites hours before their actual telecast on HBO.
Leaked document shows gory details about UK plans to break encryption and snoop in bulk: The UK government’s spying law, the Investigatory Powers Bill (IPBill), faced renewed criticism this week (5 May) after key portions of its demands on UK telecommunications providers were leaked, shining a spotlight on demands for “real-time” snooping and the shattering of encryption. This never-before-seen consultation provides unprecedented insight into what exactly the UK government is asking of tech companies such as WhatsApp, Apple and Google. It requires all UK telecommunications operators to “provide and maintain the capability to ensure the interception, in their entirety, of all communications.” Limiting encryption: the nine-page leaked document indicates UK companies providing end-to-end encryption will be forced to “modify” their products to allow access to the government upon demand. On the topic of encryption, it asks companies to “disclose, where practicable, the content of communications.” Jim Killock, executive director of the Open Rights Group, said: “Selective, secret consultations have no place in open government.” “These powers could be directed at companies like WhatsApp to limit their encryption,” he continued, adding: “The regulations would make the demands that Amber Rudd made to attack end-to-end encryption a reality.” “The Secretary of State is in fact not under any obligation to consult the public, but instead must consult only a small selection of organisations,” it added. and how companies can challenge the demands. According to the Home Office, no obligations will be imposed on telecommunications firms which solely provide service to banking, insurance, investment or other financial services.