Business Expert: Is e-commerce now big business for the cybercriminal?
5th February 2019
E-commerce sales in 2018 reached $653 billion with Black Friday alone generating billions in online sales. However, what is good for online retailers is also good for cyber criminals.
Last year witnessed massive cyber-attacks against e-commerce websites: the so-called Magecart attacks exploited vulnerabilities in one of the largest e-commerce payment platforms to breach numerous retailers' e-commerce sites. Magecart specialises in skimming credit card details from unsecured payment forms on websites.
The Payment Card Industry (PCI) standard has been in place since 2004 and provides security controls and objectives designed to protect cardholder data. But compromises of cardholder data resulting from poor security controls can lead to the payment brands fining retailers and merchant banks.
Outsourcing e-commerce is more often than not a necessity for a small business seeking more flexibility in its business transactions, but it is important to realise that under PCI the merchant must ensure its service provider is also PCI compliant.
These attacks will continue into 2019 with organised crime increasingly targeting poorly configured and secured web sites to collect customer credentials and payment card details. PCI will continue to evolve and offer more security guidance on the protection against online attacks, but it is important that small businesses that use e-commerce are investing in secure and reputable platforms for their online business transactions.
Online e-commerce platforms are not our only worry as the mobile phone will play an even greater role in our lives as a key authenticator and payment mechanism. Hence, we can expect organised crime to show a growing interest in compromising and intercepting such traffic, racing with the telecommunication companies to block such attacks.
Good security controls, underpinned by a good security culture across your people, processes and technology, will go a long way in defeating the cybercriminal and keeping your business safe.
Business expert: Ssshhhush! Don't mention GDPR, it might just all go away
22nd January 2019
The General Data Protection Regulation (GDPR) arrived at our doors last year.
It triggered a rush of activity in most organisations, first to understand the regulation and then to frantically obtain consent from all their customers to continue sending them marketing emails in order to be compliant.
However, the process resulted in many firms realising that they may have more fundamental issues over the security of their legacy IT systems, the amount of personal data they hold, and the cost and time needed to resolve all the problems.
After the first few months of GDPR, has it really had the impact we thought it might? If you keep quiet, will it just be seen as another fad? And of course, with Brexit, it might just go away completely.
More realistically for 2019, organisations will be on the lookout for the first tranche of GDPR fines and sanctions. They will then ask themselves just how severe a data breach would need to be to justify the 4% of global turnover maximum fine.
Many believe the Information Commissioner's Office is simply not resourced to cope with the potential surge of data breaches that could be reported, but this is no excuse to ignore the importance of data security.
But is this such a major change? Data protection has been in place since 1998, and the new Data Protection Act 2018 (DPA 18) brings everything in line with the array of technological advances and the amount of data now processed online.
DPA 18 and the GDPR already place more emphasis on good cyber and data security, so it is important not to get worried about compliance and see both initiatives as good information security practice. We don't want to ignore these practices - they are here to stay.
Finally, we can expect to see more transparency around cyber security and data security incidents as the obligation to report them will provide more visibility of the threat. But with this comes more class action litigation and political demands for action by firms to improve their security.
But remember that improvements in security are not just about technology and must also come from your organisation's people and process initiatives.
Business expert: 'If it's too good to be true - then it probably is'
15th January 2019
We have all received the leaflets through the post-box, promising free gifts and entries into a lottery with a guaranteed winning gift.
But we don't fall for these and simply throw away the leaflets - so why don't we do the same when we receive these same promises by email?
The terms email phishing and spam are not new, but they continue to be used because they remain a successful way of tricking us into some form of interaction.
Anyone with an email address is a target, with the attacker trying to convince you to interact with the email they have sent. Opening the email is not enough for the attacker to get what he wants, but clicking on a link, opening a document or going to a website are all ways in which the attacker could make a connection from his computer to your computer or device.
Once the attacker has made a connection, he can then download malicious software, also known as malware, to infect your computer or device. Once this has happened the attacker could stop you gaining access to your computer and demand a ransom to allow you back in (ransomware), or secretly gather all your personal information, including passwords, to steal your identity or gain access to your bank accounts.
Sometimes the attacker does not even have to infect your computer, he could simply take you to a fake bank account page and ask you to put in your bank details - which he then has because you have simply given them to him.
Recently Action Fraud reported that they had received 5,000 complaints in just 3 months from victims receiving fake TV Licensing emails regarding payment issues. The emails claim that TV Licensing has been trying to contact customers regarding the payment of a bill or a change to their personal information.
When a victim clicks on a link, they are led to a convincing-looking TV Licensing website. The website is designed to harvest as much personal and financial information as possible from the victim. Although the emails differ in style, they all lead to the same website, which is being hosted on different domains.
Cyber Security Associates recommends that we treat all emails with caution and remember that promises of a free gift or a large lottery win are likely to be malicious rather than legitimate. If in doubt, go to the website directly rather than clicking the link in the email.
If you are worried that a phishing campaign could affect your business, then contact Cyber Security Associates directly for our eLearning packages. Email firstname.lastname@example.org or call 01452 886982 for more information.
If you are a victim of a phishing campaign then report it to Action Fraud.
Business expert: Password spraying attacks - more common than you think
8th January 2019
Keeping passwords safe, secure and changed regularly are 'cyber tips' most people hear on a frequent basis.
But despite this many users, both at work and home, continue to use basic and simple passwords for multiple accounts.
The National Cyber Security Centre (NCSC) recently reported that one common way that online accounts are breached is through password spraying. This is simply where a small number of common passwords are used to brute force large numbers of accounts. These attacks can be very successful because for any given large set of users there will likely be some who are using very common passwords.
The NCSC reported that:
• 75% of the participants' organisations had accounts with passwords that featured in the top 1,000 passwords
• 87% had accounts with passwords that featured in the top 10,000
This data suggests that password spraying attacks are likely to have some success against these organisations, and many other organisations across the UK. Whilst account lockout policies may limit attackers to trying (for example) 10 passwords against a single account per day, the account lockout counters usually reset over time. This allows persistent attackers to try more passwords, and they can (and do) end up trying hundreds or even thousands of common passwords.
Password complexity doesn't guarantee that passwords will be more difficult for attackers to break, but it usually does make them harder for users to remember - which can lead to weaker passwords and more password reuse overall.
So instead, organisations should drop complexity requirements and encourage users to adopt other strategies such as 'three random words'. However, this means that the onus is now even more on users to pick 'good' passwords (that is, passwords that cannot easily be guessed).
Fortunately, there are actually a variety of approaches organisations can take to mitigate these attacks, and the number of available options is growing regularly.
As a starting point, Cyber Security Associates recommends making sure that you do some of the following:
• One of the most effective approaches to stopping these attacks is to prevent users from using common passwords in the first place.
• Consider using outsourced protective monitoring over externally-reachable authentication endpoints to look for password spraying attacks.
• Enforce multi-factor authentication on your externally-reachable authentication endpoints.
• Provide pragmatic advice and training to users on how to choose 'good' passwords.
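The shape described above (a few guesses per account, fanned out across many accounts so that no single account reaches its lockout threshold) is what protective monitoring of an authentication endpoint is looking for. As an added example that is not part of the original column, the following Python classifies constructed authentication log lines by source address and separates a spray from a single-account brute force; the log format, the addresses and the thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed authentication log lines (not real data). 203.0.113.5 sprays two
# guesses across five accounts, staying far below a 10-attempt lockout;
# 198.51.100.9 hammers one account; 192.0.2.77 is a user mistyping once.
USERS = ["alice", "bob", "carol", "dave", "erin"]
SAMPLE_LOG = "\n".join(
    ["2019-01-08T09:00:%02dZ src=203.0.113.5 user=%s result=FAIL" % (i, u)
     for i, u in enumerate(USERS)]
    + ["2019-01-08T09:00:06Z src=203.0.113.5 user=frank result=SUCCESS"]
    + ["2019-01-08T09:01:%02dZ src=203.0.113.5 user=%s result=FAIL" % (i, u)
       for i, u in enumerate(USERS)]
    + ["2019-01-08T09:05:%02dZ src=198.51.100.9 user=alice result=FAIL" % i
       for i in range(12)]
    + ["2019-01-08T09:10:00Z src=192.0.2.77 user=gina result=FAIL",
       "2019-01-08T09:10:30Z src=192.0.2.77 user=gina result=SUCCESS"])

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>\S+)$")

def detect_spraying(log_text, min_accounts=5, lockout_cap=10):
    """Classify each source by the shape of its failures: a spray fans out over
    at least min_accounts accounts with every account below lockout_cap (so
    lockout never fires); brute force puts lockout_cap+ failures on one account."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    succeeded = defaultdict(set)                    # src -> users that logged in OK
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth record
        if m["result"] == "FAIL":
            fails[m["src"]][m["user"]] += 1
        elif m["result"] == "SUCCESS":
            succeeded[m["src"]].add(m["user"])
    findings = {}
    for src, per_user in fails.items():
        accounts, worst = len(per_user), max(per_user.values())
        if worst >= lockout_cap:
            pattern = "brute_force"
        elif accounts >= min_accounts:
            pattern = "spray"
        else:
            continue  # ordinary failed logins, nothing to raise
        findings[src] = {"pattern": pattern, "accounts": accounts,
                         "max_per_account": worst,
                         "succeeded": sorted(succeeded[src])}
    return findings
```

Because the per-account count never trips lockout, the signal is the fan-out across accounts, not the volume against any one of them; real sprays also rotate source addresses, so the same grouping is worth repeating per time window or per client fingerprint rather than per address alone.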
Copyright 2020 Moose Partnership Ltd. All rights reserved. Reproduction of any content is strictly forbidden without prior permission.