
#cybersecurity | #hackerspace | In-store Payments via Mobile Apps Can Lead to Increase in Card Not Present (CNP) Fraud

Source: National Cyber Security – Produced By Gregory Evans

Consumers love the convenience of paying for goods and services in store by using their NFC enabled smartphones and stored credit cards. This is demonstrated by the fact that you can download retailer specific apps for your smartphone to pay for everything from coffee, to movie tickets, to poutine using a retailer specific mobile app.

As more and more retailers embrace this technology and release their own mobile apps with in-store payment options, the threat of fraudsters looking to benefit from flaws in the implementation, or by exploiting the human component must be carefully considered. The following are a few example Card Not Present (CNP) fraud schemes that retailers who offer in-store purchasing using a store branded mobile app should be aware of.

In these scenarios, we will use the imaginary retailer Smoothie Shop. Smoothie Shop has a mobile app that allows customers to save their credit card in the app in order to facilitate easy in-store purchases. Consumers log into their Smoothie Shop account using an email address and password. Smoothie Shop has recently seen an increase in CNP fraud and chargebacks, but is unable to pinpoint the root cause.

(Smoothie Shop mobile app login)

CNP Fraud Scheme #1 – Fraudster takes over a Smoothie Shop account that has a Credit Card saved in the app

In this scenario, the fraudster has to take over an existing Smoothie Shop account. This is known in the industry as Account Takeover (ATO) which is explained here.

In this scenario the fraudster has lucked out! Since the account that was taken over by the fraudster already has a credit card saved in the app, the fraudster can simply walk over to a Smoothie Shop, present the mobile app with the saved credit card information and enjoy a refreshing smoothie that was paid for via some other Smoothie Shop customer’s stored credit card.

CNP Fraud Scheme #2 – Fraudster takes over a Smoothie Shop account that does not have a Credit Card saved in the app

Again this scenario requires the fraudster to take over an existing Smoothie Shop account; however, it requires a little more legwork and is less profitable than Fraud Scheme #1 above. Since the Smoothie Shop account that was taken over does not have a credit card saved in the app, the fraudster will instead need to buy a stolen credit card off the Dark Web or some other electronic market*, and then add the freshly purchased credit card to the Smoothie Shop account and app. Once this is done, the fraudster proceeds in-store to obtain smoothies using the stolen credit card.

Why would the fraudster go through the trouble of taking over an existing Smoothie Shop account you ask? Good question! Fraudsters are aware that aged accounts (e.g. accounts more than 3-6 months old) with a good transaction history are usually given more leeway and transactions from these accounts are less closely scrutinized when compared to a brand new account with no transaction history.

*Stolen credit cards can be acquired for as little as $3 or as much as several hundred dollars depending on the credit limit, zip/postal code, issuing bank, etc.


(screenshot from Dark Web Credit Card market)

CNP Fraud Scheme #3 – Fraudster creates a brand new Smoothie Shop account

This scheme doesn’t require taking over an existing account, but instead requires the fraudster to use a bot tool or a human clickfarm to create hundreds of “fake” Smoothie Shop accounts. Once the fraudster has access to multiple Smoothie Shop fake accounts, he can then add in as many stolen credit cards as he pleases in order to make in-store purchases at Smoothie Shop, each one being a unique incident of CNP fraud.


(In-store payment via Smoothie Shop mobile app and stored credit card)

What can Retailers and Consumers do to protect themselves?

Prevention Methods for Retailers

1) Prevent Account Takeover. This is easier said than done. There are many ways to prevent or at least significantly reduce the amount of ATO, such as by eliminating Credential Stuffing. The goal of the organization should be to eliminate the economic advantage that fraudsters obtain from taking over an account. If the cost/effort of taking over an account outweighs the value of said account, there will be no incentive for the fraudster and he/she will likely go elsewhere to commit fraud.

2) Maintain control of the account creation process. Creation of accounts by bots and scripts can be limited by using a CAPTCHA; however, CAPTCHAs can be bypassed by fraudsters of mid-level sophistication, and consumers generally dislike them. Preventing bulk creation of accounts requires collecting device-level information in order to restrict the number of new accounts that can be created by a single device. There are device farms available for rent, but forcing the fraudster to leverage a device farm could make their rate of return less desirable and push the fraudster elsewhere.

3) Ensure your customers are not logging into your site/mobile app with credentials that have been compromised in third-party data breaches. This is a NIST recommendation that makes a lot of sense in today’s world of daily breaches. The customers that are logging in to your website or mobile app with compromised credentials are most likely the accounts that will be taken over and defrauded first.

4) Build controls around misuse of credit cards in the mobile app. Legitimate customers will likely need to add 1, maybe 2 unique credit cards to their account/device. Any account/device trying to add 3, 4, 5, or more credit cards to an account should be closely inspected and possibly restricted from adding any more. The stored credit card should also be tied to the device, rather than the account. That way, if an account is taken over from a new device, there will be no stored credit card information available for the fraudster to use. Both of these require a strong and unique identifier on the device level.
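As an added illustration (not Smoothie Shop's, Shape Security's or the author's code), the following Python models the two controls in item 4: a velocity limit on distinct cards added per account and per device, and binding each stored card to the device that added it so a login from a new device finds no card. The device identifier and the `tok_*` card tokens are assumed placeholders for whatever the app and its payment processor issue.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Legitimate customers add 1, maybe 2 unique cards; more is a review trigger.
MAX_CARDS_PER_ACCOUNT = 2
MAX_CARDS_PER_DEVICE = 2


@dataclass
class CardStore:
    """Stored-card records keyed by (account, device_id).

    device_id is assumed to be a strong, unique device-level identifier
    issued by the app (hypothetical; the post does not specify one).
    Card values are tokens from the payment processor, never raw PANs.
    """
    cards: dict = field(default_factory=lambda: defaultdict(set))
    flagged_accounts: set = field(default_factory=set)
    flagged_devices: set = field(default_factory=set)

    def _cards_for_account(self, account):
        return set().union(*(c for (a, _), c in self.cards.items() if a == account))

    def _cards_for_device(self, device_id):
        return set().union(*(c for (_, d), c in self.cards.items() if d == device_id))

    def add_card(self, account, device_id, card_token):
        """Velocity control: returns 'ok', 'blocked_account' or 'blocked_device'.

        Re-adding a card already on the account/device is always allowed;
        only new, distinct cards count against the limits.
        """
        acct_cards = self._cards_for_account(account)
        dev_cards = self._cards_for_device(device_id)
        if card_token not in acct_cards and len(acct_cards) >= MAX_CARDS_PER_ACCOUNT:
            self.flagged_accounts.add(account)    # scheme 2 pattern: many cards, one account
            return "blocked_account"
        if card_token not in dev_cards and len(dev_cards) >= MAX_CARDS_PER_DEVICE:
            self.flagged_devices.add(device_id)   # scheme 3 pattern: many accounts, one device
            return "blocked_device"
        self.cards[(account, device_id)].add(card_token)
        return "ok"

    def usable_cards(self, account, device_id):
        """Device binding: checkout only offers cards added from this device, so
        a taken-over account opened from a new device (scheme 1) finds nothing."""
        return sorted(self.cards.get((account, device_id), set()))


def demo():
    """Constructed scenarios mirroring the schemes above; returns the outcomes."""
    store = CardStore()
    store.add_card("alice@example.com", "dev-A1", "tok_alice_visa")
    # Scheme 1: account taken over, but the fraudster is on a different device.
    ato_view = store.usable_cards("alice@example.com", "dev-X9")
    # Scheme 3: bulk fake accounts from one device, each adding a different stolen card.
    bulk = [store.add_card(f"fake{i}@example.com", "dev-Z7", f"tok_stolen_{i}")
            for i in range(4)]
    return {"ato_sees": ato_view, "bulk_results": bulk,
            "flagged_devices": sorted(store.flagged_devices)}


if __name__ == "__main__":
    print(demo())
```

Note that device binding does not stop scheme 2 on its own: a fraudster who adds a fresh stolen card from their own device still gets a usable card, which is why the velocity limit and the compromised-credential check in item 3 are needed alongside it.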

Prevention Methods for Consumers

1) Don’t reuse passwords across multiple sites! – This is the single most important piece of advice consumers should follow. If you reuse the same password across multiple sites, it is no longer a question of if, but rather when you will become a victim of Account Takeover and fraud. Using a Password Manager to create strong and unique passwords will greatly improve your personal security posture.

2) Be mindful of the sites and apps that you enter your username and password in to. Many fraudsters are now relying on phishing scam sites that look eerily similar to the real retailer/airline/bank site but are in fact under the control of the fraudster and are meant to harvest credentials in order to commit fraud.

3) Make sure you have a reputable antivirus on your Smartphone and uninstall any apps that are flagged as suspicious or malicious.

4) Use a virtual credit card. Virtual credit cards are now available from a number of organizations. These are beneficial as you can create a single use virtual credit card with a credit limit for a specific retailer. That way if the retailer suffers a data breach, or your account is taken over, your fraud exposure is contained and your real credit card is still secure.

5) Ask the retailer about their security controls and practices, and how they prevent Account Takeover. If they give you a sub-par canned answer, maybe you should think twice before saving your credit card information in their app.

*** This is a Security Bloggers Network syndicated blog from Shape Security Blog authored by Carlos Asuncion. Read the original post at: https://blog.shapesecurity.com/2020/02/13/in-store-payments-via-mobile-apps-can-lead-to-increase-in-card-not-present-cnp-fraud/

The post #cybersecurity | #hackerspace | In-store Payments via Mobile Apps Can Lead to Increase in Card Not Present (CNP) Fraud appeared first on National Cyber Security.

Can Cybersecurity Overconfidence Lead To Extinction For Businesses?


In the first half of 2017 we have seen plenty of cybersecurity headlines, from the recent WannaCry attack to hacks on Gmail and Chipotle, as well as hundreds of Twitter accounts such as CNN’s, and it seems that cyberattacks are increasingly becoming the “norm.” These cybersecurity breaches aren’t to be taken lightly either. Companies can suffer huge financial losses and, just as importantly, reputational damage that has lasting negative effects on businesses.

Despite high-profile hacks and attacks happening on a more frequent basis, enterprises and small to medium-sized businesses (SMBs) are surprisingly confident in their cybersecurity preparedness. Companies are maintaining that their cybersecurity defence is continually being ramped up, and more investment is being made each year to maintain that level of confidence. There also seems to be a common belief that “it won’t happen to us.” Unfortunately, this belief simply doesn’t hold true.

The Stark Reality

According to research conducted on 400 SMBs and enterprises in the UK and US, almost all businesses – 87 percent – have complete trust in their security techniques and technology. More than half even believe they are less vulnerable than they were 12 months ago. And given that 61 percent said they were about to receive a substantial boost to their cybersecurity budgets, it’s easy to see why businesses are confident in their preparedness.

It’s not just high-level assurance either. When asked, businesses were confident in their ability to tackle very specific threats. For instance, half were certain that if a mobile device was stolen, they would know exactly what data was on that device and the level of risk to the business. Fifty-seven percent were also sure of the measures they have in place to protect clients’ and employees’ personally identifiable information (PII).

For all the self-assuredness, 71 percent still admitted they had been breached in the last year. And with only 29 percent reporting a breach in 2016, businesses’ overconfidence in cybersecurity is somewhat alarming. It’s even more alarming when you consider that 77 percent reported a tangible loss, such as the loss of a customer or partner, monetary loss, or operational impact such as downtime.

The Cost Of Cyber Attacks

In hard commercial terms, what does a cyber-attack cost a typical SMB or enterprise? Beyond the readily identifiable impacts of a lost customer or downtime leading to lost opportunity, what are the wider implications?

When taking into consideration the average number of records held for SMBs (5,000) and enterprises (6,000), along with the standard cost of a stolen record calculated by IBM and Ponemon as £122/$157 (which factors direct and indirect costs, as well as brand damage, and the impact on future customer acquisition), the typical cost of a breach to an SMB is £59,000/$76,000. For a larger enterprise, the average cost is £724,000/$939,000.

No company can afford this degree of liability. So why does the vulnerability exist? And what can businesses do to prevent such attacks taking place?

The Seven Pitfalls Of Cybersecurity

It seems there are seven pitfalls that are opening UK and US businesses to cyberattacks and huge financial liabilities.

The first is inconsistency in enforcing security policies. A security policy is only helpful to businesses if it is enforced and its suitability is regularly checked, but businesses aren’t enforcing their security policies. Only a third can claim their security policies are reliably applied and regularly audited. The rest either only enforce them occasionally, fail to audit them, or have no policies in place at all!

The second pitfall is negligence in the approach to user security awareness training. Training plays a huge role in cybersecurity preparedness, but only 16 percent consider it a priority. A massive 71 percent pay lip service to security awareness as a one-off event at employee on-boarding, or at best are only reinforcing it once a year.

The third is that businesses also appear to be short-sighted when it comes to the application of cybersecurity technologies. Six of the nine top cybersecurity technologies were deployed by fewer than a third of businesses. Web protection, email scanning and anti-malware had each been rolled out by only 50-61 percent of businesses, while the remaining six (including firewall rules and patch management) had been deployed by at most 33 percent (SIEM) and as few as 25 percent (intrusion systems).

The fourth is complacency when it comes to vulnerability reporting. Fewer than a third (29 percent) say their reporting is robust. Surprisingly, 19 percent have no reporting, and a further 11 percent have no plans to investigate the usefulness of vulnerability reporting.

But it’s not just a lack of reporting on vulnerabilities—the fifth pitfall is inflexibility when it comes to adapting processes and technologies after experiencing a breach. After a breach, only 44 percent implemented new technology, and only 41 percent changed their processes.

The sixth is that businesses are stagnant when it comes to applying key prevention techniques, with the majority of businesses failing to adopt the leading prevention techniques. While the most prevalent technique was full disk encryption on mobile and portable endpoints, this was only performed by 43 percent of businesses.

The seventh and final cybersecurity pitfall is lethargy around detection and response. In fact, detection, response, and resolution times have all increased compared to 2016.

Business Best Practice

While it is overwhelmingly clear that SMBs and enterprises are overconfident in their cybersecurity preparedness, this confidence does create an opportunity for managed service providers (MSPs). First, MSPs can offer cybersecurity training to customers. Training can make a huge difference in your clients’ security. Whether it’s offered as a service to build revenue, or it’s given for free to provide retention, training can cut down on the number of security incidents. That translates to fewer emergency calls and, ultimately, happier clients.

MSPs can also prepare their customers with disaster drills—just like marketing teams practice their responses to PR crises, financial services organisations stress test their portfolios, and logistics teams plan for transportation hubs closing down unexpectedly. MSPs can practice disaster events with clients, both in terms of technology and processes, to discover weak points and make improvements. Are the lines of communication and equipment sufficiently robust? Are expectations and metrics reasonable? MSPs are also likely to find a few upsell opportunities while doing so.

But the onus isn’t just on the customer. MSPs also need to make sure that their own security practices are up to scratch. MSPs should review practices and their security technology stack not only for current best practices, but with an eye to the future too. Does security meet the current and future needs of the typical SMB or enterprise? Does it work well across on-premises, cloud, and hybrid environments? Can clients in highly-regulated verticals be served?

Finally, MSPs should determine the partnerships or skills they will need to deal with cyber-attacks. Many security incidents require specialists to handle—so whether it’s warding off DDoS attacks, protecting IoT at an architectural level, or implementing digital forensics incident response, MSPs need to either hire expertise in-house, or partner with someone that can handle these. You never want to have to build new skills in the middle of a crisis.

Preparing For The Worst

Businesses need a stark reality check. While they are confident in the processes they have in place, the truth of the matter is that businesses are failing to implement the technology and techniques that could save them hundreds of thousands of pounds. And businesses are naïve to think that cybercriminals won’t capitalise on this overconfidence. But all is not lost. With the right approach, relationships and tools, businesses can help to ensure that they don’t fall victim, and aren’t yet another headline.

The post Can Cybersecurity Overconfidence Lead To Extinction For Businesses? appeared first on National Cyber Security Ventures.

Lead Security Engineer

Worldpay – Atlanta, GA Why is our Technology Team the next step for you? Payment technology is changing faster than ever and we are at the heart of that change. Our teams work together to solve everyday problems for our customers, vendors and internal business partners. We are creating the…

The post Lead Security Engineer appeared first on National Cyber Security Ventures.

Team Lead – Security SOC and Incident Response

Description   Community Health Systems, Inc. is one of the nation’s leading operators of general acute care hospitals. The organization’s affiliates own, operate or lease 158 hospitals in 22 states with approximately 26,000 licensed beds. Affiliated hospitals are dedicated to providing quality healthcare for local residents and contribute to the…

The post Team Lead – Security SOC and Incident Response appeared first on National Cyber Security Ventures.

Cyber Forensic Specialist Team Lead

Description   Do you desire a patriotic role and the chance to defend our nation’s cyber infrastructure? Do you enjoy learning about new technologies and how they can be used to provide cutting edge services to our customers? If so, then look to join the Catapult Consultants team. The selected…

The post Cyber Forensic Specialist Team Lead appeared first on National Cyber Security Ventures.

Lead Cyber Security Engineer

Location: Reston, VA. Position Id: EB-2857561303. Job Description: TITLE: Lead Cyber Security Engineer. CLEARANCE REQUIREMENTS: Qualified candidates must have a current and active TS/SCI with polygraph clearance to be considered for this position. LOCATION: Washington Metropolitan Area. LIFE AT …

The post Lead Cyber Security Engineer appeared first on AmIHackerProof.com.

Student tips lead to sex trafficking arrest

It all started with a presentation on human trafficking at Shadow Hills High School in Indio. It was followed by a tip from not one, but two female students who said the same woman on Facebook, identified as Marlissa Garcia, had attempted to recruit them for prostitution.

Recently-released court records showed that those actions then sparked an investigation into what eventually revealed more than 69 potential victims over the course of nearly one year. Riverside County District Attorney Michael Hestrin is going after the perpetrator in court. The trial began earlier this week.

According to court documents, the Facebook account in question, led investigators back to an IP address on a computer located inside the home of 46-year-old Eliberto Cruz Jacobo, of Hemet.

The post Student tips lead to sex trafficking arrest appeared first on Parent Security Online.

Lead Network Information Security Specialist


As a Security Consultant within Verizon’s Investigative Response Team, the candidate will be expected to serve as a tactical arm of the team, conducting computer forensic analysis, data recovery, eDiscovery, and other IT investigative work. Due to the inherent

The post Lead Network Information Security Specialist appeared first on National Cyber Security Ventures.

Feds Award Flint Schools $480K Grant for Lead Crisis Support – District Dossier – Education Week

The money is meant to be used to hire attendance specialists, counselors, and psychologists to help deal with problems that may occur because students were exposed to lead-contaminated tap water.

The post Feds Award Flint Schools $480K Grant for Lead Crisis Support – District Dossier – Education Week appeared first on Parent Security Online.

Missouri school districts prepare to test water for lead – Education Week

The post Missouri school districts prepare to test water for lead – Education Week appeared first on Parent Security Online.