Police conducted twin raids following a complaint lodged by the legal counsel of Microsoft Corporation, who alleged that the fraudulent activity was costing the company clients and damaging its reputation. This is the first time Microsoft has approached Kolkata Police to seek action against fraud.
“Two separate complaints were received from Bhupinder Singh Bindra, attorney for Microsoft Corporation India, against illegal technical support scams run in the name of Microsoft. The first complaint was against a call centre at Topsia. The second complaint was against another call centre on Rafi Ahmed Kidwai Road,” said joint CP (crime) Murlidhar Sharma.
The post #cyberfraud | #cybercriminals | 2 fake call centres busted | Kolkata News appeared first on National Cyber Security.
Falling prey to online scammers is easier than you might think, with scams becoming increasingly more sophisticated and less blatant than the now well-known “Nigerian prince” emails that clog our spam folders.
According to the SA Banking Risk Information Centre (Sabric), reported incidents of digital banking crimes increased by 75 percent between 2017 and 2018, amounting to a total of R262.8 million lost in digital, mobile and app banking crimes last year alone.
Cybercriminals are becoming smarter in their attempts to steal and will use technology in conjunction with social engineering to try to defraud people. Here are just some of the many scams you need to be aware of, so you can start protecting yourself and your information online.
Phishing is one of the most common forms of online scam and uses email as its platform. Phishing is designed to trick you into clicking on malicious links that can result in malware being installed on your computer or device, or to manipulate you into divulging login details for email, social media and bank accounts. It often takes the form of an email that looks like a legitimate, professional communication from a trustworthy source, except for a few small and easy-to-miss details that reveal it is fake.
Vishing, or “voice phishing attacks”, occurs when fraudsters pose as bank officials or service providers in order to trick people into disclosing personal and sensitive information over the phone, giving criminals access to your bank card details, mobile banking apps and online banking profiles. Your bank will never call you and ask you to share information such as your account details, user name or passwords over the phone.
The post #cyberfraud | #cybercriminals | Banking scams becoming more sophisticated appeared first on National Cyber Security.
The fallacy of futility.
Thursday, October 17, 2019
Dave describes a ponzi scheme that bought up legitimate investment firms. Joe shares research into deep fakes. The catch of the day includes an invitation to join the illuminati. Ray [REDACTED] returns with followup from his prior visit, along with new information to share.
Ray [REDACTED]: [00:00:00] We’re so numb to these massive breaches that it feels like they’re almost inevitable.
Dave Bittner: [00:00:06] Hello, everyone, and welcome to the CyberWire’s “Hacking Humans” podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I’m Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:24] Hi, Dave.
Dave Bittner: [00:00:25] We’ve got some good stories to share this week, and later in the show, we’ve got a return visit from Ray [REDACTED]. He’s got some follow-up from his previous visit as well as some new information to share.
Dave Bittner: [00:00:34] But first, a word from our sponsors at KnowBe4. So who’s got the advantage in cybersecurity – the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we’ll have some insights from our sponsor KnowBe4 that puts it all into perspective.
Dave Bittner: [00:01:01] And we’re back. Joe, I’m going to kick things off for us this week. You’re familiar with the notion of a Ponzi scheme.
Joe Carrigan: [00:01:07] Yes, I am.
Dave Bittner: [00:01:08] Similar, I guess, to a pyramid scheme.
Joe Carrigan: [00:01:09] Similar – very similar, yes.
Dave Bittner: [00:01:11] What’s the difference?
Joe Carrigan: [00:01:12] The difference is generally that in a pyramid scheme, people kind of know that they’re in some kind of scheme where they have to go out and recruit new people. But a Ponzi scheme, people may not know that or don’t know that. They’re just seeing returns on their investments.
Dave Bittner: [00:01:25] Yeah. So the way a Ponzi scheme works is I present you with an investment opportunity.
Joe Carrigan: [00:01:30] Right.
Dave Bittner: [00:01:31] I say you’re going to get amazing returns on this investment opportunity.
Joe Carrigan: [00:01:34] That’s right.
Dave Bittner: [00:01:35] But there is no investment opportunity. What I’m really doing is I’m going and finding other people…
Joe Carrigan: [00:01:39] Right.
Dave Bittner: [00:01:40] …To also give me their money, and I’m paying you returns based on the money that they’re giving me.
Joe Carrigan: [00:01:45] Right.
Dave Bittner: [00:01:45] But then I’m promising them returns.
Joe Carrigan: [00:01:47] Yep.
Dave Bittner: [00:01:47] So then I have to go get more people to pay the returns that I owe them.
Joe Carrigan: [00:01:51] Yep.
Dave Bittner: [00:01:52] Eventually, if you imagine the shape of a pyramid…
Joe Carrigan: [00:01:54] Yep.
Dave Bittner: [00:01:54] …It gets bigger and bigger and bigger as you go down and collapses under its own weight.
Joe Carrigan: [00:01:58] That’s right. If you’re an early investor in either one of these schemes, you can actually make out.
Dave Bittner: [00:02:01] You can.
Joe Carrigan: [00:02:02] Right.
Dave Bittner: [00:02:03] But chances are…
Joe Carrigan: [00:02:04] You won’t.
Dave Bittner: [00:02:04] …You’re not going to do well. Right. Or you’re going to run afoul of the law…
Joe Carrigan: [00:02:09] Oh.
Dave Bittner: [00:02:09] …Which is what happened to…
Joe Carrigan: [00:02:10] Very quickly, you’ll run afoul of the law.
Dave Bittner: [00:02:12] …This gentleman from Rochester, N.Y., a gentleman named Perry Santillo, who was running a Ponzi scheme. He bilked people out of over $100 million.
Joe Carrigan: [00:02:23] Wow.
Dave Bittner: [00:02:23] Actually, $155 million.
Joe Carrigan: [00:02:25] This is a pretty big Ponzi scheme.
Dave Bittner: [00:02:27] Ran this Ponzi scheme starting back in 2012 and lost over $70 million of the $155 million…
Joe Carrigan: [00:02:36] How did he lose $70 million?
Dave Bittner: [00:02:37] I think he spent it…
Joe Carrigan: [00:02:38] OK.
Dave Bittner: [00:02:40] …Or paid it out as…
Joe Carrigan: [00:02:42] Yeah, paid it out as returns.
Dave Bittner: [00:02:43] …As returns, which is money that cannot be recaptured…
Joe Carrigan: [00:02:46] Right.
Dave Bittner: [00:02:47] …And bilked people out of hundreds of thousands of dollars…
Joe Carrigan: [00:02:49] Sure.
Dave Bittner: [00:02:50] …By telling them that they were going to be investing in legitimate investment strategies.
Joe Carrigan: [00:02:54] Right.
Dave Bittner: [00:02:55] Now, what I think is particularly interesting about this scheme is one of the ways that they got people to have confidence in the scheme was they would buy up legitimate investment firms where the owners were about to retire.
Joe Carrigan: [00:03:12] Really?
Dave Bittner: [00:03:12] Yeah. So let’s say I’m running, you know, the Acme Investment Firm here in Maryland.
Joe Carrigan: [00:03:17] Right.
Dave Bittner: [00:03:18] And I decide I’ve had a great career, and it’s time for me to move on. I’m going to retire down to Florida and cash out of my business.
Joe Carrigan: [00:03:25] Right.
Dave Bittner: [00:03:26] These guys would come along, make me an offer for the business, buy out the business and, as part of that buyout, they’re buying my book of business. They’re buying…
Joe Carrigan: [00:03:34] Right. They’re buying your customers.
Dave Bittner: [00:03:35] They’re buying my customers.
Joe Carrigan: [00:03:36] Right.
Dave Bittner: [00:03:36] So then they would convince the customers to convert their investments.
Joe Carrigan: [00:03:41] Oh, this is horrible.
Dave Bittner: [00:03:42] Yeah.
Joe Carrigan: [00:03:42] I don’t know if I’ve discussed this before, but I come – my family is kind of a financing family.
Dave Bittner: [00:03:47] OK.
Joe Carrigan: [00:03:47] My mom worked for one of these investors that you’re talking about…
Dave Bittner: [00:03:50] Right.
Joe Carrigan: [00:03:50] …And my dad actually managed investment funds and was a CPA. But what they’ve done here is absolutely terrible.
Dave Bittner: [00:03:57] Yeah.
Joe Carrigan: [00:03:57] What this guy has done – because he’s gone into people who have had sound investment advice, and now he’s capitalizing on that and destroying these people’s nest eggs.
Dave Bittner: [00:04:07] Right. Yeah, and that’s precisely what happened. Evidently, this guy, not surprisingly, liked to live high off the hog.
Joe Carrigan: [00:04:14] Really?
Dave Bittner: [00:04:15] He had an extravagant lifestyle with expensive suits and cars and houses and all that sort of stuff.
Joe Carrigan: [00:04:22] Yeah.
Dave Bittner: [00:04:23] But now he’s behind bars, facing fines. Of course, the FBI, who took him in – they’re trying to get back as much of the funds as they can to return to the victims. But, of course, they say they’re not going to be able to.
Joe Carrigan: [00:04:35] They’re not going to be able to recover everything, and these people are probably out – it sounds like close to 75%. Was it?
Dave Bittner: [00:04:41] It’s – they’re going to get back pennies on the dollar…
Joe Carrigan: [00:04:43] Right.
Dave Bittner: [00:04:43] …Likely. It’s good that they caught him, but I think the cautionary tale here is about those investment firms. If someone comes to you and says, hey; we want to convert your investments to something else, do your due diligence.
Joe Carrigan: [00:04:57] Right. Yeah. This is tough because generally, you think that the people who are retiring – these are people you’ve trusted all their lives, and these people have also been scammed, right?
Dave Bittner: [00:05:05] That’s true. Right. Because they have relationships with these folks…
Joe Carrigan: [00:05:08] Exactly.
Dave Bittner: [00:05:09] …That they – their customers – I know – you know, I have friends who work in investment firms, and it’s not merely transactional.
Joe Carrigan: [00:05:16] No, it’s not.
Dave Bittner: [00:05:16] They’re helping people achieve their dreams and provide security for their retirement and so on and so forth. They know these people. It would surprise me very much if they were, you know, cavalierly turning the business over to someone that they hadn’t attempted to check out themselves.
Joe Carrigan: [00:05:30] Right. And they’re going to send an email out that says, I’m retiring. I’m selling my book of business.
Dave Bittner: [00:05:34] Right.
Joe Carrigan: [00:05:35] Here’s your new investment manager. I think he’s a good guy.
Dave Bittner: [00:05:38] Exactly.
Joe Carrigan: [00:05:38] Right.
Dave Bittner: [00:05:38] Turns out…
Joe Carrigan: [00:05:39] He’s not.
Dave Bittner: [00:05:40] …Not such a good guy.
Joe Carrigan: [00:05:41] He’s now in prison…
Dave Bittner: [00:05:43] Yeah.
Joe Carrigan: [00:05:43] …Where he belongs.
Dave Bittner: [00:05:45] Yeah, so – cautionary tale, one to look out for. That wrinkle about buying out other investment companies, that’s a new one.
Joe Carrigan: [00:05:51] Yeah, that’s…
Dave Bittner: [00:05:52] I hadn’t heard about that before.
Joe Carrigan: [00:05:53] …Smart. But, I mean, this guy has hurt a lot of people.
Dave Bittner: [00:05:56] Yeah. All right, well, that’s my story this week. What do you have for us, Joe?
Joe Carrigan: [00:05:59] Well, I’m staying with the same theme of hurting a lot of people.
Dave Bittner: [00:06:04] (Laughter).
Joe Carrigan: [00:06:04] This one comes from Lisa Vaas, who writes over at the Naked Security blog, which is from Sophos. You know, we do a lot of talking about deepfakes…
Dave Bittner: [00:06:12] Yeah.
Joe Carrigan: [00:06:12] …On this show. You talk about it on the CyberWire. Do you know who gets victimized most by them? Is it politicians?
Dave Bittner: [00:06:18] No. I would say there’s a lot of fear around the possibilities of what…
Joe Carrigan: [00:06:23] Right.
Dave Bittner: [00:06:23] …Deepfakes could do with politicians.
Joe Carrigan: [00:06:25] Right.
Dave Bittner: [00:06:25] But I would say so far, no, not yet.
Joe Carrigan: [00:06:28] No, it’s not. It’s actually women that get victimized by these things…
Dave Bittner: [00:06:33] Yeah.
Joe Carrigan: [00:06:33] …The most.
Dave Bittner: [00:06:34] Not surprising, I guess.
Joe Carrigan: [00:06:35] There is a report titled “The State of Deepfakes,” which has been released by a company called Deeptrace.
Dave Bittner: [00:06:40] Oh, yes. Actually, we have – a gentleman from Deeptrace is going to be a guest on this show in a few weeks.
Joe Carrigan: [00:06:45] Oh, very good.
Dave Bittner: [00:06:46] Yeah.
Joe Carrigan: [00:06:46] They use deep learning and computer vision for detecting and monitoring deepfakes on the internet. They found that 96% of deepfakes being created in the first half of this year were porn…
Dave Bittner: [00:06:55] Oh.
Joe Carrigan: [00:06:57] …Mostly being nonconsensual.
Dave Bittner: [00:06:59] Right.
Joe Carrigan: [00:06:59] Right. A lot of them are made of celebrities without compensation or even permission from the actors. I mean, when you have a serious actor, I really don’t imagine a situation in which they would give their permission for their face to be used in a video like this. Also, the number of deepfakes has doubled in the seven months leading up to July 2019, and this growth is because of the availability of easier-to-use tools. All right, one example of this was an app that came out a couple of months ago called DeepNude.
Dave Bittner: [00:07:31] I remember.
Joe Carrigan: [00:07:32] This was an app that let you create a nude photo of anyone you took a picture of, and I think it only let you create nude photos of women.
Dave Bittner: [00:07:38] That is correct.
Joe Carrigan: [00:07:38] If you took a picture of a guy…
Dave Bittner: [00:07:40] It would turn it into a naked woman.
Joe Carrigan: [00:07:42] …It would turn it into a naked woman. Exactly.
Dave Bittner: [00:07:44] I would hazard to say they knew who their target audience was.
Joe Carrigan: [00:07:47] Exactly.
Dave Bittner: [00:07:47] Yeah.
Joe Carrigan: [00:07:48] Yeah, their target audience is a bunch of gross guys, right?
Dave Bittner: [00:07:51] Right.
Joe Carrigan: [00:07:54] That got banned quickly, right?
Dave Bittner: [00:07:56] Well, it got pulled. Yes, it got banned and pulled.
Joe Carrigan: [00:07:58] Pulled…
Dave Bittner: [00:07:59] The – I think the person who created it was perhaps naively unprepared for the avalanche of criticism that would come his way and thought…
Joe Carrigan: [00:08:07] Was he really naively unprepared for that? I don’t think…
Dave Bittner: [00:08:10] I don’t know.
Joe Carrigan: [00:08:10] …He expected his app to be as popular as it was because he put a $50 price tag on it.
Dave Bittner: [00:08:14] Yeah.
Joe Carrigan: [00:08:15] And then people bought it up, and it got pulled from the markets, right? Then there was another one, a face-swapping app called Zao in China that got pulled because people were afraid of privacy violations. But deepfakes have been banned on lots of places. Reddit was one of the first places to ban it, and that’s actually where the term deepfake comes from – is from a Reddit board. Twitter has banned it, and major porn sites have banned it, right? Now…
Dave Bittner: [00:08:36] Yeah, that’s interesting.
Joe Carrigan: [00:08:37] If a major porn site bans something – right? I think I’ve said this before, but, you know, maybe that’s something we should be looking a little bit harder at.
Dave Bittner: [00:08:48] Right.
Joe Carrigan: [00:08:48] We should be analyzing this more and doing a little more thinking about it.
Dave Bittner: [00:08:51] Someone has the moral flexibility of a major online porn site when they think, you know? That’s too much for us.
Joe Carrigan: [00:08:56] Right. Yeah, exactly.
Dave Bittner: [00:08:58] But you could see the legal hazard that they’d have there, too.
Joe Carrigan: [00:09:01] Right.
Dave Bittner: [00:09:02] That could be a big problem.
Joe Carrigan: [00:09:03] Oh, absolutely. That could be a huge problem. Most of the software that makes these deepfakes requires some kind of programming ability and a GPU. You need a good GPU or a system with a bunch of GPUs in it.
Dave Bittner: [00:09:14] Right, or a lot of patience…
Joe Carrigan: [00:09:16] Right, or a lot of patience.
Dave Bittner: [00:09:17] …A lot of free time on your hands.
Joe Carrigan: [00:09:18] Yeah, and when I say a lot of patience – I mean, these GPUs really process this deep learning data a lot faster than you could ever hope to process it on a CPU. It does require a GPU, essentially. It becomes an intractable problem without a GPU.
Dave Bittner: [00:09:32] So some sort of investment there in hardware…
Joe Carrigan: [00:09:35] Yeah, but it’s not a big investment. I mean, I think the most advanced GPU on the market right now for gaming is, like, seven or eight hundred bucks. It’s not a lot of money.
Dave Bittner: [00:09:44] And it’s only getting easier.
Joe Carrigan: [00:09:46] Yeah, exactly. That’s the thing. The technology is getting easier to use as well. There are tutorials out there on how to do this step-by-step, and also, the software is starting to implement better GUIs…
Dave Bittner: [00:09:56] Right.
Joe Carrigan: [00:09:56] …Graphical user interfaces that let people do this. Now, here’s my concern for this, and this is something that Lisa Vaas has brought up as well. Think of the reputation damage that can be done to a young woman if a deepfake were to be released of her, even just a picture that starts circulating among her social group, and for no other reason than, say, like, revenge porn. This can be devastating.
Dave Bittner: [00:10:21] Well, I’m imagining someone out there looking for a job, and the employer does a Google search on that person’s name. Up comes the deepfake.
Joe Carrigan: [00:10:31] Yeah, that could have real-world implications there.
Dave Bittner: [00:10:34] Right.
Joe Carrigan: [00:10:34] I mean, financial implications for somebody – it could be devastating. I think we need to do a lot more thinking about this problem. Google and Facebook are investing heavily in this. Google just created a dataset for use in machine learning to detect these deepfakes, and Facebook has dumped something like $10 million into it. I think these big tech companies are starting to take it seriously. I think we need to ask people in government to start taking it a little more seriously, and not for their own selfish reasons, right? Of course, people in government have a real reason because they’re the ones that stand to lose some credibility here, but I really would like to see the focus shift to the general public, the general population of the world, really.
Dave Bittner: [00:11:14] No, I would imagine we’d see legislators jump on this when it became a real problem for them. If people started to flood online forums and so forth with deepfakes of the politicians themselves, that would get their attention and make them go, wait a minute. We need – perhaps some regulation is in order here.
Joe Carrigan: [00:11:32] Yeah, but I think you’re right. I think that if this started impacting politicians more in the same way that it could impact the rest of us, then maybe, but I’m not saying that we should advocate for that. I don’t want to see that either. I would like to see a little bit of forethought from people. This is something that should and kind of does have broad bipartisan support because it is a universal problem. I think it’s something that everybody agrees on. I’d just like to see some action on it.
Dave Bittner: [00:11:54] Yeah, I guess the challenge is you don’t want to overcorrect.
Joe Carrigan: [00:11:58] No, you don’t.
Dave Bittner: [00:11:58] You don’t want to stifle legitimate free speech by going too far with it. That’s always the trick, right?
Joe Carrigan: [00:12:04] That is a delicate balance we try to achieve here in the United States.
Dave Bittner: [00:12:07] Yeah. All right, well, certainly one to watch, and like I said, we’re going to have a gentleman from Deeptrace on the show here in a couple of weeks, so we’ll look forward to that. Right now it is time to move on to our Catch of the Day.
[00:12:18] (SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:12:21] Our Catch of the Day was sent to us by a listener this week, and it goes like this. (Reading) Join the Illuminati. Greetings from the Illuminati world elite empire, bringing the poor, the needy and the talented to the limelight of fame, riches, powers and security. Get recognized in your business, political race. Rise to the top in whatever you do. Be protected spiritually and physically. All these you will achieve in a twinkle of an eye when you get initiated to the great Illuminati empire. Once you are initiated to the Illuminati empire, you will get numerous benefits and reward. Note that this email message was created solely for the purpose of our recruitment scheme, which will end next month, and this offer is for unique ones only. If you are not serious on joining the Illuminati empire, then you are advised not to contact us at all. This is because disloyalty is highly not tolerated here in our organization. Do you agree to be a member of the Illuminati new world order? If yes, then kindly reply back to us on our direct recruitment email. Please note, kindly make sure all your responses are sent directly to the email stated above for more instructions on our membership process. Note – some email providers incorrectly placed official Illuminati messages in their spam junk folder…
Joe Carrigan: [00:13:34] What?
Dave Bittner: [00:13:34] …Or promotion folder. This can divert and exclude our responses to your emails. Thank you, The Illuminati.
Joe Carrigan: [00:13:41] Dave, I have always wanted to join the Illuminati.
Dave Bittner: [00:13:44] (Laughter) I’m surprised they haven’t reached out to you before, Joe.
Joe Carrigan: [00:13:48] I know. You know, here – you know what the first red flag on this – is that they say that the Illuminati is bringing the poor, the needy and the talented to the limelight of fame, riches and power. That is not what the Illuminati does (laughter).
Dave Bittner: [00:14:01] Is that right, Joe?
Joe Carrigan: [00:14:02] Yes.
Dave Bittner: [00:14:03] How do you know that, Joe?
Joe Carrigan: [00:14:03] Well, I mean, as a guy who’s always wanted to join – I don’t know, Dave.
Dave Bittner: [00:14:08] I see. Right. You’ve done your homework.
Joe Carrigan: [00:14:09] I’ve done my homework.
Dave Bittner: [00:14:10] Yeah, all right – as an Illuminati hopeful.
Joe Carrigan: [00:14:13] As an Illuminati hopeful – right. Illuminati confirmed.
Dave Bittner: [00:14:17] All right. Well, thanks for sending that in. It’s a fun one.
Joe Carrigan: [00:14:19] That is awesome.
Dave Bittner: [00:14:20] Coming up next, we’ve got a return visit from the gentleman who goes by the name Ray [REDACTED]. He’s got some follow-up from his previous visit as well as some new information to share.
Dave Bittner: [00:14:29] But first, a message from our sponsors KnowBe4. Now let’s return to our sponsor’s question about the attacker’s advantage. Why did the experts think this is so? It’s not like a military operation where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And, as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5% failure rate. That sounds pretty good. Who wouldn’t want to bat nearly 900? But this isn’t baseball. If your technical defenses fail in one out of 10 tries, you’re out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4’s free phishing test, which you can order up at knowbe4.com/phishtest. That’s knowbe4.com/phishtest.
Dave Bittner: [00:15:34] And we’re back. Joe, I recently had a chance to speak once again with the gentleman who goes by the name Ray [REDACTED] online. He prefers to maintain a certain amount of anonymity on his Twitter account.
Joe Carrigan: [00:15:46] So his last name’s not really [REDACTED]?
Dave Bittner: [00:15:47] His last name is not really [REDACTED], no. I imagine that would cause problems when he tried to apply for actual things. But no, he’s a good guy, well-known online, well-respected. And we had him on a few weeks ago, and we got some follow-up, a couple of things that we wanted to address. So here is my conversation with Ray [REDACTED]. Ray, it’s great to have you back, and after your last appearance, we had a couple of messages come in from listeners with some follow-up. So I just wanted to go through some things one at a time with you and maybe clarify some things, maybe a correction or two. Where do you want to begin?
Ray [REDACTED]: [00:16:22] Sure. So yeah, as you mentioned, after the previous podcast about SIM hijacking, we did get quite a bit of listener mail and some messages on Twitter. It was a couple different things, and I guess the easiest place to start with is just the blatant correction that I need to make with regards to – several listeners reached out and said I’d made the statement that SIM hijacking was not very common in Europe, and apparently, that was dead wrong. It is absolutely common.
Dave Bittner: [00:16:49] OK.
Ray [REDACTED]: [00:16:49] And it’s also growing as well. So we heard from a listener named Liam (ph) that was in Ireland that said, you know, it’s definitely a problem there. So I completely missed on that one and want to make sure that I retract – not redact, retract – that statement.
Dave Bittner: [00:17:02] (Laughter) OK, fair enough.
Ray [REDACTED]: [00:17:03] Can’t re-retract it (ph).
Dave Bittner: [00:17:04] Right, fair enough. What else did we hear about?
Ray [REDACTED]: [00:17:06] So a couple people actually reached out and talked about, how do you handle this if someone cannot necessarily afford a computer or possibly even have access to other online resources, especially around the Google Authenticator kind of resets and things like that? And I just wanted to kind of point out that there’s not a real easy answer for that. A lot of the modern banking things assume, rightly or wrongly, that people do have access online. But Google does have an option where you can print out actual emergency backup codes for resets – you know, as another possible option for resetting their services. And of course, the Google Voice service that we had mentioned as a potential way to mitigate some hijacking – that’s a free service from them, as well.
Dave Bittner: [00:17:52] So we’re talking about someone who may be in a situation where they don’t have a mobile device; they don’t have a computer; maybe they’re using a system at a local library or some public-access computers – how they’re limited with their access.
Ray [REDACTED]: [00:18:06] Correct. Yes. And then the question was, was, you know, if we can’t rely on text messaging on non-smartphones – right? – so just think in terms of, like, a flip phone or something like that – you know, what other ways could they implement multifactor? And the reason that this one caused me a lot of – I struggled with it a little bit is because we don’t ever want to fall in the pitfall of telling people not to use anything at all, right? That’s sort of a kind of a dangerous spiral when people say, well, SMS is so insecure, so just don’t use multifactor at all. Well, that’s certainly not the path we want to go on. It’s always better to have multifactor of some kind, but you just need to be aware of the strengths and weaknesses of each type.
Dave Bittner: [00:18:43] So there are a couple of options out there beyond having your own device.
Ray [REDACTED]: [00:18:48] Sure. Absolutely.
Dave Bittner: [00:18:49] Yeah. What else did we hear about?
Ray [REDACTED]: [00:18:51] So one of your listeners actually reached out to me and brought my attention to the fact that PayPal now allows OTP, or the – basically, the one-time password authenticators like Google Authenticator and Authy, which I’d kind of recommended be done. Unfortunately, I dug really deep into that PayPal implementation side, and there’s some serious problems with the way that they’ve brought it about.
Dave Bittner: [00:19:19] Hmm. It’s interesting because I saw a lot of positive feedback that PayPal had at long last enabled this.
Ray [REDACTED]: [00:19:26] Yeah. So as most people know kind of in the social engineering space, there’s a type of service called knowledge-based authentication, which is kind of the crappiest authentication you could ever do. That’s where they ask you, what street did you grow up on, or what your mother’s maiden name is or maybe your birthday, right? Unfortunately, on the PayPal multifactor authentication choices, if you go to log in and you don’t have your second factor, you can immediately say, I don’t have this, or, I don’t want to use that, and it defaults to asking you some very, very simple knowledge-based authentication questions. And there’s no way to turn that off.
Ray [REDACTED]: [00:20:03] So not only can you – well, once you get it set up with your Authy or your Google Authenticator, not only can you bypass it by forcing it to SMS unless you remove your phone number, but even worse, anyone can actually go to bypass it if they know the most basic information about you. Like, we’re talking about really accessible OSINT. So if you’re doing that on PayPal, I would recommend lying to those questions (laughter) because…
Dave Bittner: [00:20:28] Oh, right.
Ray [REDACTED]: [00:20:31] And think of it just as another password because if you give them the correct answers, then that’s going to leave a pretty big, gaping hole that could potentially be abused. And most people do have PayPal linked to a bank account, so it’s not like it’s a small vulnerability that’s there.
Dave Bittner: [00:20:45] Yeah. That’s surprising to me. In enabling this stronger factor, they still sort of fall back to the weakest.
Ray [REDACTED]: [00:20:52] Yes. And I know that a lot of people on Twitter have talked about this. I’ve seen Lesley Carhart, who goes by @hacks4pancakes, talk about it. I think even Krebs had brought attention to it, as well. So it’s not like this is a secret. We’re not, like, divulging anything that’s not publicly out there. But I’ve never seen a response from PayPal. And you would think that of all of the companies in the world that would want to have airtight multifactor, they have the biggest interest in fixing this and getting away from knowledge-based authentication bypass.
Dave Bittner: [00:21:20] Yeah. One other topic I want to hit with you – and that is this notion of people becoming resigned about their private information being out there. You listened to a recent interview that Carole Theriault did on our show, and the person she was talking to mentioned this. You had some thoughts.
Ray [REDACTED]: [00:21:38] Yes. So on the episode, Carole was saying that when she kind of evangelizes to her friends about protecting their data – credit card numbers and things like that, credit information – that she commonly hears people say, oh, Carole, it’s way too late for that; my data’s already out there; there’s nothing we can do about, you know, protecting that, et cetera. And that’s actually something that we talk about a lot in cybersecurity education courses. I actually call that the fallacy of futility. And what it is, is it’s the idea that if we take the fact that online privacy doesn’t exist anymore – right? – if we say, well, there’s no such thing as online privacy – as complete, the problem is, is, that’s not a binary statement, right? It doesn’t either exist or it doesn’t. There are varying degrees of privacy.
Ray [REDACTED]: [00:22:26] So for example, I’m resigned to the fact that because I was involved in the OPM breach, there are Chinese hackers that have access to my information, period, right? But that doesn’t necessarily mean that I want the 13-year-old script kiddies that are poring through IRC to have access to it, right? It’s very important to keep in mind that just because your data has been breached before – and if we look at things like Troy Hunt’s Have I Been Pwned, et cetera, almost everybody listening to this podcast has been involved in at least one breach – that doesn’t mean that you’d necessarily want to be involved in others, right? So – and ultimately, some of that data may be different, like, especially if you’re using unique email addresses, but it is in everyone’s best interest to try to protect themselves, you know, through OPSEC and practicing good security hygiene.
Dave Bittner: [00:23:11] Where do you think this false belief comes from? Why do people head down this path?
Ray [REDACTED]: [00:23:16] Well, I think it really is driven by the fact that, just like in cybersecurity, we have something called alert fatigue, we have something called outrage fatigue, and we have something called breach fatigue – right? – which is when you see a big announcement about DoorDash and, you know, millions and millions of people’s information being leaked or even Words With Friends – right? – we’re so numb to these massive breaches that it feels like they’re almost inevitable, right? And to a certain degree, when humans feel like something is basically inevitable, there is a tendency to just assume that it’s going to happen at all times and that there’s nothing that can be done to mitigate the impact of it.
Dave Bittner: [00:23:54] That’s interesting. It makes me think about – you know, I had people who – you know, they got their car stereo stolen so many times that they just started leaving the door unlocked, so at least that way, the glass wouldn’t get broken anymore.
Ray [REDACTED]: [00:24:06] Sure, but I would actually argue that there are better things to do that could prevent your car from being stolen, necessarily, than that. That is an interesting analogy that’s there because we’re not talking necessarily about your car getting hurt when they take that data. But reusing passwords, which is by far the most common OPSEC mistake that is being made – the reuse of even strong passwords – right? – that is a glaring example of – the people that are doing that are going to be victimized by credential stuffing, and the people that have unique passwords or password managers are not.
Dave Bittner: [00:24:37] Joe, what do you think?
Joe Carrigan: [00:24:38] I appreciate Ray coming back on to answer listener questions.
Dave Bittner: [00:24:41] Yeah.
Joe Carrigan: [00:24:41] Thank you, Ray.
Dave Bittner: [00:24:42] Yeah.
Joe Carrigan: [00:24:42] Unfortunately, there is some cost to multi-factor at some level. Yeah, a cell phone is kind of expensive, and maybe you have a limited number of texts that you can receive because you’re on a prepaid plan, but you can get inexpensive cell phones and then use Google Authenticator on them. That’s free, and getting the Google Authenticator code is free. There are low-cost options for this – not free options, though.
Dave Bittner: [00:25:05] Yeah. I think it’s a good point, though, that you shouldn’t have to buy your way into this type of security, and it’s good that there are printed-out paper options.
Joe Carrigan: [00:25:14] That is available for, like, account recovery but not necessarily for two-factor authentication, I think…
Dave Bittner: [00:25:18] Yeah.
Joe Carrigan: [00:25:19] …Which is unfortunate. You know, we should be able to have this for free, but this software still needs hardware to run on. And the software is free. It’s just that the hardware that it runs on isn’t. Knowledge-based authentication is bad. It is a form of multi-factor authentication. It’s probably better than nothing, but it’s really so much less secure than even SMS.
Dave Bittner: [00:25:38] Yeah.
Joe Carrigan: [00:25:38] And the fact that PayPal just defaults to KBA is really bad, and that you can’t turn that off – that’s terrible. And I do recommend that you do exactly what Ray says here, and that is lie on those questions. You know, what’s the street you grew up on? Copper Cup. I didn’t grow up on Copper Cup Way.
Dave Bittner: [00:25:54] And then put that in your password manager.
Joe Carrigan: [00:25:56] And then put that in your password manager in the notes field. Exactly.
Dave Bittner: [00:25:59] So you don’t have to remember it.
Joe Carrigan: [00:26:01] I really, really, really appreciate Ray’s stance here on what he calls the fallacy of futility. The data about us that’s out there is a lot like the overall security picture. I say that security is a spectrum, and you want to be on the more secure end of that spectrum. So, like, when Ray talks about using SMS as opposed to using nothing – yes, that’s not the most secure solution you can use, but it is way better than not having any multi-factor authentication. That moves you in the more secure direction on the spectrum, and the same is true for your data. You want to move yourself to the more secure side of the spectrum, and you do that by protecting your information. And don’t let the amount of information fatigue lull you into some form of learned helplessness. Vigilance is key, and yeah, I know it’s exhausting. Yeah, but you have to keep it up.
Dave Bittner: [00:26:48] Right.
Joe Carrigan: [00:26:48] Every time there’s a breach, yes, you may lose another piece of your data, but don’t lose hope is what I’m saying.
Dave Bittner: [00:26:55] I find myself falling back on the analogy of public health because I think it’s useful. Just because I get a cold doesn’t mean I’m going to stop washing my hands.
Joe Carrigan: [00:27:04] Yeah.
Dave Bittner: [00:27:04] You know, oh, I got a cold. I guess all that handwashing was a waste of time.
Joe Carrigan: [00:27:07] Right. No, it wasn’t.
Dave Bittner: [00:27:09] Yeah, you got to keep up, but it – yes, it’s a little extra effort, but, you know…
Joe Carrigan: [00:27:12] I think that’s an excellent analogy actually, Dave.
Dave Bittner: [00:27:15] Yeah, well, thank you very much.
Joe Carrigan: [00:27:16] Yeah.
Dave Bittner: [00:27:17] All right, well, that is our show. We want to thank Ray [REDACTED] for joining us once again. You can find him on Twitter @RayRedacted. We want to thank all of you for listening.
Dave Bittner: [00:27:25] And of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:27:41] We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The “Hacking Humans” podcast is proudly produced in Maryland at the startup studios of DataTribe, where they’re co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I’m Dave Bittner.
Joe Carrigan: [00:28:02] And I’m Joe Carrigan.
Dave Bittner: [00:28:03] Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
The post #cyberfraud | #cybercriminals | The fallacy of futility. appeared first on National Cyber Security.
#cyberfraud | #cybercriminals | American Consumers Recognize Their Role in Preventing Cybercrime, are Bothered by Perceived Inconveniences of Advanced Security
BROOKFIELD, Wis.–(BUSINESS WIRE)–
55% of consumers understand they need to do more to protect their personal data; but 59% are bothered by temporary inconveniences of advanced security measures
Only 45% of consumers have received formal cybersecurity training from their employer
According to the 2019 Cybersecurity Awareness Insights Study released today by Fiserv, most Americans consider themselves at least somewhat informed of cybersecurity threats, yet many fall short at proactively protecting their personal data. Despite this lack of action, more than half (55%) of American consumers understand they need to do more to protect their data, presenting significant opportunity for businesses to reinforce best practices.
Conducted in the summer of 2019 and originally commissioned by First Data, now Fiserv, the study gathered insights from 1,005 Americans ages 18 to 73. The study explores how aware American consumers are of online privacy and security risks, and how they behave when it comes to protecting themselves from cyber threats.
“While cybercrime continues to grab headlines, our study shows that many Americans have not taken action to protect themselves, and the majority say they are bothered by temporary inconveniences brought about by advanced security measures,” said Jay Ablian, Head of Merchant Security and Fraud Solutions, Fiserv. “There is a clear opportunity for businesses to educate consumers and employees to help them understand both the potential impact of inaction and how security measures are designed to protect them.”
The more consumers know, the better they’re able to protect their personal information online. According to the 2019 Cybersecurity Awareness Insights Study, 75% of consumers consider themselves at least somewhat informed of cybersecurity threats. In addition, 55% of respondents understand they should do more to beef up their online security – especially when using social media, online banking, or online shopping.
Despite this, more than half of consumers can be classified as ambivalent, in denial, or oblivious to cybersecurity risks, with only 6% currently taking the steps needed to proactively protect themselves.
Consumer inaction may be driven by perceived inconveniences. To that end, 59% of consumers report they are bothered by temporary inconveniences brought about by advanced security measures that help ensure higher levels of protection.
Consumer Behavior and Data Protection
Although many consumers consider extra cybersecurity precautions a hassle, they are taking some steps to protect themselves. According to the study, dodging inbound phishing attempts is a strong suit of consumers, but additional vigilance around password security is needed:
- The top measure consumers take to protect themselves is refusing to click email links or open attachments from people they don’t know, cited by 61% of consumers
- On the other hand, changing passwords is a cybersecurity step 42% of consumers take only if they are required to
- Of consumers surveyed, 33% have a go-to password they modify slightly to meet password requirements, and 20% use names of significant people, places or pets. Neither of these methods is considered a best practice.
Cybersecurity Awareness at Work
Consumers often look to their employer to provide cybersecurity training, but aren’t always getting the support they expect. Fifty-eight percent of consumers said their employer sends regular cybersecurity updates, and 45% said their employer offers formal cybersecurity training. Of consumers who aren’t provided cybersecurity training, only 9% said their employer has a plan in place to do so.
Employers have a vested interest in cybersecurity awareness, as educated employees can secure their own information and that of the business. Best practices for employers launching their own cybersecurity training include:
- Emphasize education at work – Ongoing education about new cybersecurity threats equips employees to recognize them and understand potential implications
- Encourage lockdown at home – Employees can secure their home networks, starting with changing all default passwords – especially for internet routers. Those with families can teach children about the dangers of cybercrime
- Keep information out of the public eye – Whether on personal or business computers, covering up screens when entering passwords and credentials in public areas helps keep information safe.
Fiserv, Inc. (FISV) aspires to move money and information in a way that moves the world. As a global leader in payments and financial technology, the company helps clients achieve best-in-class results through a commitment to innovation and excellence in areas including account processing and digital banking solutions; card issuer processing and network services; payments; e-commerce; merchant acquiring and processing; and the Clover® cloud-based point-of-sale solution. Fiserv is a member of the S&P 500® Index and the FORTUNE®500 and is among the FORTUNE Magazine World’s Most Admired Companies®. Visit fiserv.com and follow on social media for more information and the latest company news.
The post #cyberfraud | #cybercriminals | American Consumers Recognize Their Role in Preventing Cybercrime, are Bothered by Perceived Inconveniences of Advanced Security appeared first on National Cyber Security.
Three common small business scams
1. Fake billing or invoice scams
The scam: According to the ACCC’s Scamwatch, there have been 8,269 cases of false billing scams resulting in over $7 million in losses in 2019 alone. These scams occur when scammers send out fake invoices to businesses asking for payment for anything from supplies to website domain renewal. They can even be sent from a legitimate supplier or business you commonly deal with if that supplier’s email address has been compromised.
How to protect your business: Both Scamwatch and NAB state that the best way for businesses to safeguard themselves against fake billing or invoice scams is through vigilance. Querying invoices or payment requests from unfamiliar sources is a must, as is contacting existing suppliers if they send through an invoice at an unusual time or with a different bank account in order to confirm whether or not it’s legitimate.
2. Tax scams
The scam: Many Aussies have likely received a dodgy call from someone pretending to be from the Australian Tax Office, and figures show just how common these can be: the ATO reported that it had received over 40,000 reports of impersonation scams in the period from January to April 2019 alone.
According to NAB, there are two common small business tax scams. The first is scammers claiming to need personal and bank details in order to send a business a tax refund. The second is scammers claiming that a tax debt is owed which needs to be paid immediately (with a credit card, money transfer or even a gift card) in order to avoid arrest.
How to protect your business: While the ATO has stated that it may contact businesses via a phone call, email or SMS, it has also released the following advice to help taxpayers remain cautious:
– The ATO will not send an email or SMS asking taxpayers to click on a link directing them to any login page
– The ATO will not threaten taxpayers with immediate arrest, jail or deportation
– The ATO will not request payment via iTunes or Google Play cards, prepaid cards, cryptocurrency or to a personal bank account
– The ATO will not request a fee in order to release a refund
3. Payment Scams
The scam: There are a number of common payment scams, including overpayment scams.
One example NAB gives is a ‘terminal takeover’ scam in which a scammer asks to take hold of a payment terminal when paying for goods or services. The scammer then cancels the original payment request (often while distracting the cashier) and enters a new payment amount far higher than the original which is then paid for with a stolen credit card. The scammer will then demand that a refund of the difference be made in cash or onto a different card.
How to protect your business: NAB recommends that in-person payments using a terminal are always conducted behind a counter so that potential scammers can’t edit a transaction themselves and that if a refund does need to be made, it should be done using the original card the customer provided.
Looking for more small business resources?
Check out the Mozo business banking hub for the latest small business news and a range of helpful guides, as well as comparison tables featuring some of the hottest business loans, business credit cards and business bank accounts around.
The post #cyberfraud | #cybercriminals | Australian small businesses targets of half of all cybercrime appeared first on National Cyber Security.
In an instance of robbers getting robbed, a large underground store for buying stolen credit card data has been hacked. Cyber-security journalist Brian Krebs has reported that data stored by BriansClub, a dubious website that shares his name, was stolen.
BriansClub hosted more than 26 million credit and debit card records pilfered from online and physical retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.
“Multiple people who reviewed the database shared by my source confirmed that the same credit card records also could be found in a more redacted form simply by searching the BriansClub Web site with a valid, properly-funded account,” wrote Krebs.
Krebs complains that the fraud website has been piggybacking on his online popularity to carry on its activities, even using his image in one of its ads.
Data accessed by Krebs shows that the black-market website added just 1.7 million card records for sale, and added 2.89 million stolen cards in 2016, 4.9 million cards in 2017 and 9.2 million in 2018. The addition between January and August 2019 was roughly 7.6 million cards.
BriansClub holds approximately £325 million worth of stolen credit cards for sale, according to an analysis by New York-based security intelligence firm Flashpoint.
“All of the card data stolen from BriansClub was shared with multiple sources who work closely with financial institutions to identify and monitor or reissue cards that show up for sale in the cybercrime underground,” Krebs wrote.
“There is no honour among thieves,” noted Sam Curry, chief security officer at Cybereason.
“The asymmetry of cyber-conflict is undeniable, and while cybercriminals and nation state attackers probe for holes at their leisure, it’s important to remember that the tables can be turned. Predator can become prey when they are successful enough,” he said.
The post #cyberfraud | #cybercriminals | Card data stolen from black-market website BriansClub appeared first on National Cyber Security.
At 10am on a late November morning in Freiburg, Germany, a bank employee noticed something was wrong with a bank ATM.
It had been hacked with a piece of malware called “Cutlet Maker” that is designed to make ATMs eject all of the money inside them, according to a law enforcement official familiar with the case.
“Ho-ho-ho! Let’s make some cutlets today!” Cutlet Maker’s control panel reads, alongside cartoon images of a chef and a cheering piece of meat. In an apparent Russian play-on-words, a cutlet not only means a cut of meat, but a bundle of cash, too.
A joint investigation between Motherboard and the German broadcaster Bayerischer Rundfunk (BR) has uncovered new details about a spate of so-called “jackpotting” attacks on ATMs in Germany in 2017 that saw thieves make off with more than a million Euros. Jackpotting is a technique where cybercriminals use malware or a piece of hardware to trick an ATM into ejecting all of its cash, no stolen credit card required. Hackers typically install the malware onto an ATM by physically opening a panel on the machine to reveal a USB port.
In some cases, we have identified the specific bank and ATM manufacturer affected. Although a European non-profit said jackpotting attacks have decreased in the region in the first half of this year, multiple sources said the number of attacks in other parts of the world has gone up. Attacked regions include the U.S., Latin America, and Southeast Asia, and the issue impacts banks and ATM manufacturers across the financial industry.
“The U.S. is quite popular,” a source familiar with ATM attacks said. Motherboard and BR granted multiple sources, including law enforcement officials, anonymity to speak more candidly about sensitive hacking incidents.
A screenshot of the Cutlet Maker control panel. Image: Twitter account of @CryptoInsane
During the annual Black Hat cybersecurity conference in 2010, late researcher Barnaby Jack demonstrated live on stage his own strain of ATM malware. The audience broke into applause as the ATM displayed the word “JACKPOT” and ejected a steady stream of bank notes.
Now, similar attacks have been deployed in the wild.
In that Freiburg instance, no cash was stolen, the law enforcement official said. But Christoph Hebbecker, a prosecuting attorney for the German state of North Rhine-Westphalia, said his office is investigating 10 incidents that took place between February and November 2017, including attacks in which thieves did make off with bundles of cash. In all, hackers stole 1.4 million Euro ($1.5 million), Hebbecker said.
Hebbecker added that because of the similar nature of the attacks, he believes they are all linked to the same criminal gang. In some cases, the prosecutors have video evidence, but they have no suspects so far, they added.
“The investigation is still ongoing,” Hebbecker said in an email in German.
Multiple sources said a number of the 2017 attacks in Germany impacted the bank Santander; two sources said they specifically involved the Wincor 2000xe model of ATM, made by the ATM manufacturer Diebold Nixdorf.
“In general, we do not comment on dedicated, single cases,” Bernd Redecker, director of corporate security and fraud management at Diebold Nixdorf, said in a phone call. “However, we are of course dealing with our customers on jackpotting, and we are aware of these cases.” Diebold Nixdorf has also sold these ATMs to the U.S. market.
An overview of the 2000xe model of ATM. Image: Wincor Nixdorf.
A Santander spokesperson said in an emailed statement, “Protecting our customers’ information and the integrity of our physical network is at the core of what we do. Our experts are involved at every stage of product development and operations to protect customers and the bank from fraud and cyber threats. This focus on protecting our data and operations prevents us from commenting on specific security issues.”
Officials in Berlin said they had faced at least 36 jackpotting cases since spring 2018, resulting in several thousand Euro being stolen. They declined to name the specific malware used.
In all, authorities have recorded 82 jackpotting attacks in Germany across different states in the past several years, according to police spokespeople. However, not all of those attacks resulted in successful cash-outs.
It’s important to remember ATM jackpotting is not limited to a single bank or ATM manufacturer, though. It is likely the other attacks impacted banks other than Santander; those are simply the attacks our investigation identified.
“You will see this across all vendors; this is not dedicated towards a specific machine, nor towards a specific brand, and definitely not a region,” Redecker said.
Part of the security issue for ATMs is that many of them are, in essence, aged Windows computers.
“These are very old, slow machines,” the source familiar with ATM attacks said.
ATM manufacturers have made security improvements to their devices, Redecker from Diebold Nixdorf stressed. But that doesn’t necessarily mean all ATMs across the industry will be up to the same standard.
And responsibility on securing access to the ATMs falls on the banks too.
“In order to execute a jackpotting attack, you have to have access to the internal components of the ATM. So, preventing that first physical attack on the ATM goes a long way toward preventing the jackpotting attack,” David N. Tente, executive director of USA, Canada & Americas at the ATM Industry Association (ATMIA), said in an email.
Redecker said he’s been seeing attacks across the globe since 2012, with Germany suffering its first jackpotting attacks in Berlin in 2014.
Around the time of the 2017 attacks, researchers at cybersecurity firm Kaspersky published research showing Cutlet Maker for sale on hacking forums since May of that year. It seemed anyone with a few thousand dollars could buy the malware, and have a go at jackpotting ATMs themselves.
“The bad guys are selling these developments [malware] to just anybody,” David Sancho, senior threat researcher at cybersecurity firm Trend Micro, and who works with Europol on jackpotting research, said. That has enabled smaller outfits or enterprising criminals to start targeting ATMs, he added.
“Potentially this can affect any country in the world,” Sancho said.
Motherboard spoke to one cybercriminal claiming to sell the Cutlet Maker malware.
“Yes I’m selling. It costs $1000,” they wrote in an email, adding that they can offer support on how to use the tool as well. The seller provided screenshots of an instruction manual in Russian and English, which steps potential users through how to empty an ATM. Sections of the manual include how to check how many banknotes are inside the ATM, and installing the malware itself.
The European Association for Secure Transactions (EAST), a non-profit that tracks financial fraud, said jackpotting attacks decreased 43 percent over the previous year, in a report published this month. But it’s worth stressing that EAST’s report only covers Europe.
“It happens in parts of the world where they don’t have to tell anybody about it,” the source familiar with ATM attacks added. “It’s increasing, but, again, the biggest problem we’ve got is that nobody wants to report this.”
That lowering of the barrier to entry for ATM malware has arguably driven some of the spike in jackpotting attacks. In January 2018, the Secret Service began warning financial institutions of the first jackpotting attacks in the U.S., although those used another piece of ATM malware called Ploutus.D.
“Globally, our 2019 survey indicates that jackpotting attacks are increasing,” Tente from ATMIA wrote in an email.
As the source familiar with ATM attacks said, “There are attacks happening, but a lot of the time it’s not publicized.”
Shipping and technology behemoth Pitney Bowes is the latest in a string of high-profile companies to be hit in a cyberattack.
TechCrunch reported that the company was hit with a ransomware attack.
“Pitney Bowes was affected by a malware attack that encrypted information on some systems and disrupted customer access to our services,” the company said on Monday (Oct. 14). “At this time, the company has seen no evidence that customer or employee data has been improperly accessed. Our technical team is working to restore the affected systems, and it is working closely with third-party consultants to address this matter. We are considering all options to expedite this process and we appreciate our customers’ patience as we work toward a resolution.”
In the past few months, Arizona Beverages, science company Eurofins, and a company that makes aluminum called Norsk Hydro, have all been targeted.
The FBI recently warned that “high impact” attacks would be hitting large companies.
“Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent,” the FBI said in the warning. “Since early 2018, the incidence of broad, [indiscriminate] ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.”
It’s not yet known exactly what type of ransomware has affected Pitney Bowes, but it said it’s working with a third-party consultant on the issue.
The company has more than 1.5 million clients across the globe, some of which are Fortune 500 companies. It helps sellers with mailing and shipping needs with a goal of improving efficiency, and sellers on marketplace platforms like Etsy and Shopify use it often.
Several users of the service complained about not being able to perform basic maintenance of their accounts, according to TechCrunch.
The post #cyberfraud | #cybercriminals | Pitney Bowes Hit In Ransomware Attack appeared first on National Cyber Security.
The event in progress in Abu Dhabi on Monday.
Business Bureau, Gulf Today
In a collective effort to promote a secure and stable financial landscape in the UAE, UAE Banks Federation (UBF), in partnership with SWIFT, the leading provider of secure financial messaging services, on Monday hosted the ‘SWIFT Customer Security Programme (CSP)’ conference. The CSP conference, which took place in Abu Dhabi, brought industry experts together to discuss how the widespread implementation of SWIFT CSP can support banks in combating all types of cyberattack threats by equipping them with the information and tools needed to mitigate electronic financial fraud.
SWIFT CSP is an initiative aimed at reinforcing the overall security of the global banking system by improving information sharing throughout the community, enhancing SWIFT-related tools for customers, sharing best practices for fraud detection and enhancing support by third party providers. Through the programme, SWIFT has also recently launched the Customer Security Control Framework (CSCF), which outlines a series of compulsory and advisory security controls for customers, which can help them strengthen and improve cyber security standards across the UAE.
Commenting on the occasion, AbdulAziz Ghurair, Chairman of UBF, said: “On the back of accelerated technological innovation, the threat of cybercrime has significantly increased over the years, and the localised instances of payment fraud have reiterated the necessity for greater and more extensive partnerships to solve these issues. In line with our commitment to foster a safer and more protected banking environment across the UAE, we are delighted to collaborate with SWIFT to encourage the industry-wide adoption of the SWIFT CSP. Cybercriminals are becoming quickly smarter, and we are developing more sophisticated technologies that are becoming fundamental for banks to implement innovative platforms that promote improved transaction processes and provide relief and security for customers.”
Onur Ozan, Head of the Middle East, North Africa & Turkey, SWIFT, said: “With the Customer Security Programme, SWIFT is reinforcing the security of the entire global banking system. Worldwide, financial institutions are adopting SWIFT’s CSP as attackers prove increasingly determined and cunning. The CSP is delivering tangible results, supporting institutions in stepping up to this growing threat.”
The conference included several discussions focusing on the SWIFT CSP and CSCF initiatives and the profound impact they could have on the finance and banking environment, emphasising the evolution of the payment landscape as a primary reason to adopt stronger security measures.
Meanwhile, a meeting between members of the CEOs Advisory Council of the UAE Banks Federation (UBF) was held in Dubai to discuss recent developments, issues and advancements in the finance and banking sector in the UAE, with a particular focus on Emiratisation.
Chaired by AbdulAziz Al Ghurair, Chairman of UBF, the meeting focused on a wide range of topics, including progress on existing UBF programmes and initiatives, advances in Emiratisation efforts, findings and results from UBF’s latest Trust Index Survey, and the upcoming Middle East Banking Forum (MEBF) in November 2019.
Speaking on the occasion, AbdulAziz Al Ghurair said: “The astounding amount of change and transformation in the UAE banking industry means it is increasingly necessary for us to regularly hold these meetings, so that we may analyse key strengths, opportunities, and challenges in the sector. For this specific meeting we identified our priorities based on the current happenings in the financial and banking industry, as well as the overall larger economy. The recent announcement of the creation of more than 20,000 jobs for Emiratis in top-tier sectors, including banking, has driven us to focus on Emiratisation efforts within banks, and evaluate ways of working together to enhance the skills and expertise of UAE nationals. Additionally, we are confident that the banking sector will continue progressing and evolving in lieu of the highly positive results from the recently announced Trust Index Survey 2018.”
Distinctively positioned at the centre of the banking industry, which underpins the economy, UBF has a responsibility to support the UAE’s progressive vision to empower society at all levels. Whether it’s addressing the ever-changing challenges in the market, or developing the skills of UAE nationals to increase their recruitment to vital positions in the industry, UBF is continuously working towards a sustainable and diversified economy.
Current plans and initiatives in the banking sector focus on innovation and digitisation, and aim to provide easy access to multiple government and non-government services. From next month, banks will start adopting UAE Pass, a new mobile app which acts as a digital identity and digital signature solution, enabling individuals to conduct financial transactions, upload documents, validate documents and share data. The Emirates Digital Wallet, a tool aimed at promoting financial inclusion and driving a cashless society, is also being developed and will be launched soon.
The post #cyberfraud | #cybercriminals | Firms to combat cyberattacks and fraud in UAE banking sector appeared first on National Cyber Security.
October is National Cyber Security Awareness Month, so it is a good time to learn about the newest technology scams, especially those that reach you at home.
A favorite tactic of scammers is to convince consumers to pay for services that would otherwise be free.
The Better Business Bureau of Greater Houston and South Texas is getting reports of a con where scam artists charge activation fees for devices that are, in fact, completely free to set up.
The scam typically follows a playbook. You purchase a new media player, virtual assistant or other tech device for your home.
It could be a Roku, Google Home, Alexa, or any other device that needs to be activated after purchase. When you are ready to use it, you search for the customer support phone number; however, instead of getting the official website, you end up on a look-alike site with phony customer support information.
You call that number, and you are told there is a new policy in place: All device users must now pay an activation fee. Reports on BBB Scam Tracker indicate that people have been charged anywhere from $80 to $100 to “activate” their new device.
Scammers may ask for unusual forms of payment, such as prepaid gift cards, or they may ask directly for your credit card number.
Once payment is made, they may claim there was a problem and a second payment is needed. In some cases, they may “help” you come up with a new username and password, thereby gaining access to your device account. In any case, scammers hope to get away with your hard-earned money along with your personal information.
The Better Business Bureau offers the following tips on how to protect yourself from tech scams:
Make sure you are visiting an official website. Scammers are skilled at creating look-alike websites whose addresses are spelled slightly differently from the official address (a swapped letter, a digit in place of a letter, or the real brand name buried inside a longer domain). Carefully double-check the URL, or go directly to the site listed in your device’s instruction booklet.
Beware of sponsored links. Fake websites sometimes appear in the sponsored-ad slots at the top of your search results, above the genuine result. Be careful what you click on.
Never make a payment with prepaid debit or gift cards. Reputable companies will never ask you to wire money or pay with prepaid cards, and money sent this way cannot be recovered.
Protect your home computer and network. Keep your operating system, browser, spam filter and anti-virus/anti-spyware software updated, and make sure the firewall on your Wi-Fi router is enabled.
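The “double-check the URL” advice above is easy to state and hard to do by eye. The following is an added example, not code from the BBB or from any device vendor: it takes a support URL, extracts the registered domain and flags the common look-alike tricks (digit-for-letter swaps such as `r0ku`, one-character typos, the brand name embedded in a longer domain, or the real domain hidden in a subdomain of an unrelated site). The `OFFICIAL_DOMAINS` allow-list and every sample URL are constructed for illustration; in practice the allow-list would be the domains printed in the device's instruction booklet.

```python
"""Flag look-alike vendor-support domains before trusting a phone number found on them.

Added example, not part of the original article. The allow-list and sample URLs
are constructed; real deployments would use the domains from the device booklet.
"""
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the genuine vendor domains a user expects.
OFFICIAL_DOMAINS = {"roku.com", "google.com", "amazon.com"}

# Substitutions that look alike in an address bar; undone before comparing.
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")]


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so 'g00gle' compares as 'google'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Hostname of a URL; tolerates a bare 'example.com/path' with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registered_domain(host: str) -> str:
    """Last two labels of the host. Assumption: two-label suffixes such as .co.uk
    are not handled; use a public-suffix library for those."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a support URL."""
    host = hostname(url)
    domain = registered_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return "official"
    norm_domain = normalize(domain)
    norm_label = norm_domain.rpartition(".")[0]
    for official in OFFICIAL_DOMAINS:
        brand = official.rpartition(".")[0]
        if (
            official in host                        # real domain hidden in a subdomain
            or norm_domain == official              # homoglyph substitution
            or brand in norm_label                  # brand embedded in a longer label
            or levenshtein(norm_label, brand) <= 1  # one-character typo
        ):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs of the kind a search for "activate my device" returns.
    for sample in [
        "https://support.roku.com/activate",
        "https://r0ku-activation.com/help",
        "http://www.roku.com.activate-device.net/",
        "https://g00gle.com",
        "amazom.com/support",
        "https://example.org/",
    ]:
        print(f"{classify(sample):10} {sample}")
```

The allow-list check runs first, so a genuine subdomain such as `support.roku.com` is accepted before any heuristic fires; everything else is compared against each official brand after homoglyph normalisation. A result of `unknown` is not an endorsement, only the absence of an obvious imitation, which is why the BBB's fallback of using the address printed in the booklet still applies.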
For more information and tips, check with the BBB at BBBHouston.org.
The Better Business Bureau is an unbiased nonprofit organization that sets and upholds high standards for fair and honest business behavior.
Visit www.bbbhouston.org or call 713-868-9500. Leah Napoliello is senior director of Investigative Services with the BBB of Greater Houston and South Texas. Send questions to Leah Napoliello, Better Business Bureau, 1333 West Loop South, Suite 1200, Houston, TX 77027, or e-mail email@example.com. Include your mailing address and phone number.