The Battle Over Digital Payments at the Cash Register

Apple Pay vs. CurrentC

Apple has launched their their new digital wallet service, but not all North American retailers are on board with the new service. Retailers that are members of the Merchant Customer Exchange (MCX) organization are developing an alternative based around an app that uses visual QR codes. The app is called CurrentC, and is currently in a pilot program scheduled to last through the end of 2014.

MCX members include Walmart, 7-11, Best Buy, Rite Aid, CVS and Target. Merchants that sign up for CurrentC cannot use other digital wallet services. Members that previously had the near-field communication (NFC) hardware used by Apple Pay and Google Wallet have removed it from their stores, a move that has upset some Apple and Android users.

Why Do Some Retailers Want CurrentC Over Apple Pay?

There are three major reasons. The first is Apple Pay still uses credit cards, meaning retailers must pay up to 3% percent of the charged amount to the credit card issuer. CurrentC access the user’s bank account directly, meaning the retailer can keep more of the money.

Apple Pay NFC

The second is due to the importance retailers place on customer data and demographics information. CurrentC collects and shares more data about the people who use it than Apple Pay and other digital wallet services. Customers can set their privacy levels in the app, but most will probably just leave it at the default settings. The MCX has claimed CurrentC has better security than its competitors, but whenever there’s valuable information there are people looking to steal it.

The third reason relates to hardware costs. Retailers that want to use services like Apple Pay must install expensive NFC readers at each register. In contrast, CurrentC is software-based and uses the same technology as the familiar UPC barcode. When retailers start changing over to more secure credit cards next year, those that have not signed up with a digital wallet service may opt to go with NFC when they upgrade.

CurrentC Hacked

On October 29th, the MCX announced CurrentC unknown hackers had broken into the service and gained access to user email information. The MCX PR agent claimed many of the email addresses were dummy accounts used for testing, and no other customer data was stolen. They also stated neither the CurrentC app or user devices were affected.

Stealing email addresses isn’t a serious breach in itself, but it is an embarrassment to the fledgling organization. Especially given Walmart specifically stated they went with CurrentC over Apple Pay due to better security. It could also show the MCX needs to focus on securing the information they are storing.

If you choose to use CurrentC on your device, make sure you browse through the security dashboard and disable the settings you don’t want to share.

Subscribe to our 2 Minute CyberSecurity Briefing channel on Youtube or our video Podcast on iTunes for coverage on this story and the latest cyber security news events.

Visit www.CyberSecurityDictionary.com for linked terms in this blog and many more definitions.

Apple Pay or CurrentC?
What payment platform would you prefer and why?

Is Chinese Government Behind Apple iCloud Attacks?

China_MITM_iCloud_Attack

The October 17th launch of the iPhone 6 in China was overshadowed by a hack attack aimed at stealing Chinese users’ iCloud login information. Less than 24 hours after the release of the highly-anticipated smartphone, anti-censorship advocates in China tweeted about the attack. On the 20th they posted more information on a blog at greatfire.org accusing the Chinese government of being behind the attack.

How did the attack take place?

The hackers used a black hat technique known as a man-in-the-middle (MITM) attack. When a computer or device accesses a secured web page through the browser, the remote server provides a security certificate verifying it is the correct site. MITM attacks reroute the Internet traffic through another server that uses a fake certificate to fool the device into thinking it is communicating directly with the original site. When a user puts in their login name and password, the middleman can intercept the information.

Similar MITM attacks have occurred recently against Chinese users of Google, Github, Microsoft and Yahoo. The Apple MITM was the most serious, as it was nationwide in scope and occurred while many users were setting up their new devices. The hack only affected a single iCloud server IP address, and Apple was able to block the attack by directing Internet traffic to a different IP address.

Why do security experts believe the Chinese government is involved?

Like other aspects of the media, the Internet is heavily censored in China. The Chinese government regularly spies on private citizens looking for signs of political dissent. Apple stores iCloud information outside of China, out of the direct control of the Chinese government.

Since the Chinese government owns and operates the country’s telecommunications and wireless services, the attack may be an attempt to get around officials not being able to access iCloud information directly. It could also be in response to the iPhone 6’s increased security safeguards and the recent anti-government political demonstrations in Hong Kong.

How can you protect yourself against MITM attacks?

iCloud Safari verified

Unlike browsers commonly used in China, Safari uses an encrypted connection to iCloud

MITM attacks are difficult to orchestrate on such a large scale without deep access to public telecommunications networks. The latest hack may have been limited to Apple users in China, but smaller-scale MITM can happen anywhere. Here are some easy ways you can protect your information.

  • Use two-factor authentication when possible. Without the second piece of information, attackers won’t be able to access your account even if they have your username and password.
  • Watch for browser pop-ups alerting you to an expired or invalid certificate when you visit a secure site. If you receive a notification, view the certificate and verify the information is correct.
  • Do not access sensitive sites over open WiFi networks without using a virtual private network (VPN). MITM attacks are much easier to pull off over open wireless networks, and some criminals even set up their own WiFi hotspots just to steal data. A VPN prevents these attacks by setting up an encrypted connection between your device and the VPN server.

Subscribe to our 2 Minute CyberSecurity Briefing channel on Youtube for coverage on this story and the latest cyber security news events.

Visit www.CyberSecurityDictionary.com for linked terms in this blog and many more definitions.

Has Apple Pay Put An End To Credit Card Security Issues?

Apple Pay

All across America today, retailers have begun to accept Apple Pay purchases using secure encryption, Touch ID and Apple iPhones. So is cash still king or have we crowned a new form of payment winner?

Apple’s new smartphones and iPads use an NFC wireless module to communicate to a merchant’s payment terminal. Once connected, a tokenized transfer occurs, whereby shoppers only transfer a special, single-use digital token that the Point-of-Sale system will decode using a shared secret. At no time does a user’s credit card information ever actually leave the secure enclave contained on their device. This patent pending method also requires Apple’s Touch ID biometric fingerprint verification in order to verify the shopper is who they say they are. Since the Touch ID data is stored in a secured enclave and is also a hash, or a numeric value that represents the data, it’s almost like having 2-factor authentication built in without the hassle of pass codes for the user to enter.

Here is another way to look at it. Your phone and your merchant’s terminal agree upon a secret passphrase, and when that’s successful, they pass the info onto the payment provider or bank which then authorizes payment. Only you and the payment card provider ever know the credit card number used but the merchant’s terminal only ever knows the passphrase, which is unique and automatically generated for one-time use.

Apple does this so that even if the NFC communication is hacked and intercepted by a 3rd party, the data stolen is completely worthless. It’s a measure designed to alleviate the fear that transferring any kind of payment information wirelessly sets a user up for attack, which is likely one of the factors involved in slow adoption of NFC payment methods thus far. Google Wallet and many Android smartphones have been supporting NFC for a few years now but consumer fear and most U.S. merchant’s unwillingness to upgrade to NFC terminals has stalled mass adoption. This is all poised to change now that Apple has addressed some ease of use issues for consumers as well as secured partnerships with over 500 banks and 220,000 stores including Target, Bloomingdales, Duane Reade and of course Apple own retail stores.

Credit card and debit card fraud resulted in losses amounting to $11.27 billion during 2012. And that doesn’t even factor in identity theft and the hassle and cost of issuing new cards for every fraud report. Credit and debit cards trade security for convenience due largely to the fact that most cards are still using 40 year old technology. Is Apple Pay the major overhaul needed to secure an aging retail transaction system? Only time will tell.

Cybersecurity Insurance & What You Need To Know

insured

Every company that uses computers or the Internet needs to protect their assets, but how can companies prepare for threats that are so new they’re not even recognized? New technology can open security holes that aren’t detected until after cyber criminals have already broken in. Hackers develop new viruses and other malware every day, faster than security tools can keep up. With the ever-increasing number of cybersecurity threats, some companies are turning to cybersecurity insurance designed to protect them.

What is Cybersecurity Insurance?

The Department of Homeland Security defines cybersecurity insurance as “insurance designed to mitigate losses from a variety of cyber incidents.” It is meant to cover the company’s financial losses in the event of a data breach, not to take the place of robust digital security. A data breach can have long-lasting effects on the business that no insurance policy can cover. For example, the costs of intellectual property loss and damage to the company’s public image can be difficult to estimate.

Types of Cybersecurity Insurance

Because there are so many possible threats, ways your network can be breached and related costs few companies can afford to cover everything. There is no universal standard for coverage, but cybersecurity insurance falls into two categories.

First-party insurance covers direct losses such as network infrastructure damage, business interruption and sometimes damage to the business’s reputation. Third-party insurance covers liability and secondary costs such as customer notification and compensation, forensic investigation, legal defense, lawsuits and regulatory fines.

Insurance companies offer both first and third-party cybersecurity insurance. In the United States, data-breach notification laws make third-party insurance more popular, while businesses in Europe favor first-party. That may change as the European Union begins requiring businesses to notify customers in the event of a data breach.

What to Consider Before Buying Cybersecurity Insurance

Cybersecurity policies can be complex, and it’s important not to rush into the decision. Making the wrong decision can leave your business paying for coverage you don’t need or worse, finding the policy didn’t cover what you thought it did when you need it.

Before considering a cybersecurity insurance policy to protect your network and data, review your existing insurance. Determine what is already covered by your existing policies, where the gaps are and which uncovered assets need the most protection.

Work with an insurance broker and don’t be afraid to ask questions. Because cybersecurity insurance is relatively new compared to other types of insurance it is subject to frequent changes. Policies are in flux due to changes in laws, regulations and best practice recommendations. A savvy broker who is familiar with cybersecurity insurance can help you avoid pitfalls and provide the necessary clarity to make the right decision.

J.P. Morgan Chase Breach Affecting Up To 83 Million Accounts

JP Morgan

It seems every few weeks, another organization announces a big data breach putting their customers at risk. This time it’s the largest bank in the United States. J.P. Morgan Chase announced a breach on August 27th, but initially believed the number of compromised accounts was much smaller. It wasn’t until October 2nd that they revealed 76 million households and 7 million small business accounts were compromised.

The breach lasted from mid-June through mid-August and compromised more than 90 servers. It affected bank customers who accessed chase.com and JPMorganOnline on their computer or mobile device. While the breach itself lasted two months, it’s not clear how far back the records went, so customers who accessed the site before but not during the breach may also be at risk.

What are the risks for customers?

J.P. Morgan Chase has stated the hackers did not get any information that would allow them to access customer accounts, but they did get names, contact information and email accounts. At this point the most likely threat customers will face is phishing attempts where scammers send emails with links to fraudulent web pages designed to install malware or capture their banking login information.

Identity theft is a possibility, but because the hackers did not get customer birthdates or Social Security numbers they would not have all of the information they need. However, if a hacker has a customer’s email address and contact info they could attempt to break into the email account. As I mentioned in a previous post (Gmail Account Hack Shows Why Strong Passwords Are A Must), breaking into the customer’s primary email account can give cyber criminals access to a lot of sensitive information.

How did the hackers get access?

J.P. Morgan Chase, the Federal Bureau of Investigation and the Secret Service are investigating the attack. According to anonymous sources familiar with the matter, the hackers used a compromised employee account to break into a web-development server. From there they were able to worm their way into other servers and access the sensitive data.

What can companies do to combat hackers?

Switch to two-factor authentication. Two-factor authentication requires a password and an additional step such as a code texted to the user’s phone. According to the sources close to the investigation, the vulnerable server only required users to supply a login ID and password. It is possible using two-factor authentication would have prevented the breach altogether.

Be more open about sharing best security practices. During my Bloomberg TV appearance last week, I discussed how cyber criminals collaborate and share information. Companies that are targets for hackers should share more data about their best practices and how they are stopping these attacks. It’s not a matter of helping competitors, because when major data breaches come out they can make customers more hesitant to trust their information with your company as well.

Printers Are the Invisible Security Risk on Your Network

squirrel

The days of printers as simple unsophisticated devices are long gone. Today’s printers are specialized computers that have their own processors, RAM and storage. They also have easy setups and internal web pages for adjusting settings and updating firmware. The printer manufacture’s goal is to make their devices faster, more versatile and more user-friendly to set up and use.

Unfortunately, printer security has not kept up with these advances. When printers were dumb devices, the worst that could happen was an unauthorized person seeing a print job sent to the wrong printer. Now a printer can leak confidential information and provide hackers with a route into your network.

Printers Can Allow Data Out

The security risks printers pose don’t end when you get rid of them. Many printers have internal hard drives or flash memory that can store recently printed documents. Some store the information in unencrypted formats that are easy to retrieve. When a company or consumer sells, retires or recycles a printer they often neglect to clear out this storage area.

printer_input_output

Printers can allow data out as well as in

This is not a hypothetical risk. In 2010 CBS News purchased four used photocopy machines at random and used freely-available recovery software on their hard drives. A printer security expert uncovered everything from copied checks and patient medical records to design plans for a building near the World Trade Center.

Printers Can Allow Hackers In

Printers can also be a vulnerable point on your network. A white hat hacker named Michael Jordan demonstrated security vulnerabilities on a Canon Pixma MG6450 by getting it to run the 90s computer game Doom on its LCD screen. He showed off the hack at security conference 44Con in London earlier this month.

The Pixma is a line of all-in-one printer/scanner/fax machines popular with home users and small businesses. He used the Pixma’s unsecured web interface and lax encryption to install hacked firmware and control the printer over the Internet.

Getting a printer to run an old video game might seem like a curiosity, but the stunt was just to put a humorous spin on a very real problem. Jordan stated after uploading the hacked firmware, he could have used the printer as a gateway to attack other devices on the network instead. Since the Pixma also has an integrated scanner, a savvy hacker could have used the flaw to have it send them a copy of any image scanned without the user knowing.

Canon has released a firmware update for the Pixma line aimed at closing the security loophole, but other printers also have web interfaces and may be vulnerable to similar tactics.

Few people think of a printer as a security risk, but you should treat your printers with the same care as any other network-connected device.

Printers Are the Invisible Security Risk on Your Network
How worried are you about your printer's security?

Sources:

http://www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets/

http://www.theguardian.com/technology/2014/sep/15/hackers-doom-printer-canon-security

Gmail Account Hack Shows Why Strong Passwords Are a Must

Gmail

On September 9th a hacker published a list of 5 million Gmail accounts with associated passwords. The passwords may not have been the password for the account in question, and there’s no telling how old the passwords are or where they originally came from. For example, if the account came from the LinkedIn hack from a couple of years ago the data might be the Gmail address on the user’s account and the LinkedIn password.

When the breach was announced, Google tested the Gmail/password combination and found only 1-2% were still valid. Even though the passwords may not be useful for Gmail, there’s still a risk. People frequently reuse passwords on different sites across the web. According to Symantec, a typical user has 26 password-protected accounts, but only 5 passwords.

Have a unique password for all of your important sites. If one site gets hacked, the hacker may test your login information on other sites. For example, if you use a password on a forum, don’t reuse that same password for your primary email address.

Create strong passwords. A good password should contain at least 12 characters and have a mix of numbers, symbols and uppercase and lowercase letters.

Do not select passwords or security questions that someone might be able to guess by following your social media accounts such as your mother’s maiden name, your pet’s or children’s names or your school.

Don’t substitute symbols or numbers for word. P@$$w0rd is an example of a weak password that might appear strong at first glance. Acronyms or word combinations make good passwords that are easy to remember.

Change your sensitive passwords regularly. Most people don’t change their passwords often enough. Change passwords on sites storing sensitive information at least once every 3-6 months.

Think you’ll have trouble remembering all these new passwords? Download a password management utility that stores your passwords in an encrypted file. There are password managers for every platform of PC, tablet and smartphone.

Enable two-factor authentication for sites and services that store sensitive information such as your bank, your cloud storage, your email and online retailers that keep your credit or debit card on file. Two-factor authentication requires you enter your password and another verification step such as a PIN texted to your cell phone.

Limit the number of password login attempts. Some sites allow you to set a maximum number of tries before your account is locked. Enable this feature if the site offers it.

Unfortunately there are no foolproof solution to password security. If someone who has the skills wants to get in, they will. Just like in the real world, security is about making your car or password as difficult to steal as possible to break into so a thief moves on to an easier target.

Home Depot Admits to Potentially Massive Data Breach

home_depot

It wasn’t that long ago consumers were apprehensive about the risks of buying online. With the recent rash of retailers falling victim to point-of-sale malware, the tables may have turned. Last week Home Depot confirmed a potentially massive data breach and officially joined the ranks of Target, Neiman Marcus, P.F. Chang’s, Goodwill and other retailers that have been hit.

Signs indicate the hackers responsible for the attack belong to the same group that hit Target last year. Even the malware they used is a variant of the virus used against Target.

The Home Depot hack could go back as far as April, when security experts and financial institutions first linked stolen credit card data to compromised accounts of users who had made purchases from the chain.

This breach has the potential to touch even more consumers than the attack on Target. The Target breach affected 40 million cards. The number of cards affected by the Home Depot breach is unknown, but the home improvement giant is larger than Target and has more locations. Home Depot operates 2,266 stores and their systems could have been compromised for up to four months during the busiest season for the home improvement market. In comparison, Target has 1,795 stores and their breach lasted just 21 days

Home Depot is facing additional criticism because it appears they either ignored or were oblivious to the problem. The story was broken not by the company itself, but by security blogger Brian Krebs. Home Depot is already facing lawsuits from customers and financial institutions. The government has also gotten in on the action, with two Senators asking the Federal Trade Commission to probe the retailer’s systems and five states starting their own investigations.

Credit cards have not changed much in 50 years

Credit cards have not changed much in 50 years

The major challenge facing retailers is existing payment card technology itself. Credit cards have not changed much since they were introduced in the 1960s. They still use a magnetic strip that stores data in unencrypted format. There are more secure technologies available, but the retail and payment card industry have been dragging their feet due to costs. The newer cards contain an imbedded microchip so they’re more expensive to manufacture, and retailers must make expensive upgrades to their hardware.

Another issue for large is the sheer size of their networks. There are many vulnerability points, from unsuspecting employees who fall for a phishing attempt to logins used by vendors and suppliers. Once a hacker finds their way in, they can use lax permissions to move through the network, infecting vulnerable machines and gaining access to other stores. The Target breach was traced back to a single location.

While the exact details in the Home Depot breach are not yet clear, it’s unlikely the company will be the last victim. Hackers are undoubtedly working on the next generation of point-of-sale malware.

Learn more about the biggest retail hacking scandals in cyber security expert, Scott Schober’s Retail Sector Security Report. Download the PDF HERE.

Leaked Nude Photos Expose Cloud Security Risks

BVS CEO & Cyber Security Expert, Scott Schober provides security details on Inside Edition

Last week’s leak of confidential celebrity photos has focused renewed public attention on the security risks of storing data in the cloud. The photos were originally posted on a seedy Internet site by an anonymous user, then reposted to other disreputable sites. Some of the victimized celebrities released said the images were authentic but deleted a long time ago, others stated theirs were faked.

The original poster claimed the photos were taken from hacked iCloud accounts. A few simple account changes could have kept the victims’ accounts safe. Today we’ll look at what users can do to protect their cloud data.

Limit Login Attempts

It’s common for banks and other high-security web sites to lock user accounts after a few tries. If someone fails to enter the correct password, after 5 to 10 attempts the account locks and the user must call to have the account reset or wait a specific period of time before they can try again. Some sites make you turn on the feature and control the maximum number of attempts. Check the settings on your account and contact support if you have concerns.

exceeded_attempts

In this case, iCloud did not have a limit on the number of attempts. Hackers could use readily-available software to try an unlimited number of passwords. Since the nude photo story broke, Apple has patched this vulnerability, but hackers can still use this vulnerability at many sites holding confidential information.

Enable Two-Factor Authentication

Many hacks occur when the victim’s email account is compromised. The hacker can find sites where the victim might be a member by reading old messages, then go to the site and request a password reset. If a site uses single-factor authentication by email, the hacker can then reset the victim’s passwords and access their accounts on those sites.

Two-Factor-Authentication

Many cloud-based services and secure sites offer two-factor authentication. For example, when a user requests a password change, the service may send an authentication email to their address and text a security code to their cell phone. Two-factor authentication is more secure, because a hacker would need access to both the victim’s email and their cell phone.

Two-factor authentication adds an extra step to the process, so some sites offer it as an option. Users must enable it manually. iCloud had it as an option, but at the time the pictures were released it was not enabled by default.

Select Secure Security Questions

When a user sets up their account, the site may ask them to pick a security question in case they forget their password. Common questions include “What high school did you attend?” or “What was the name of your first pet?” If everyone in the user’s social network knows they went to Riverdale High and their first pet was Fluffy, the user should select a different question. Better yet, create unique passwords or gibberish answers to the questions. This will ensure no one but you will ever be able to get past this security checkpoint. Just be sure to remember or note your answers somewhere for future reference.

Deleted Doesn’t Mean Gone

Just like deleting a file from a computer doesn’t remove it from the hard drive, deleting a picture from a phone doesn’t necessarily mean it’s gone forever. With many cloud services, the device will automatically upload pictures and deleting them off the device may not delete them from the cloud. Another potential source of concern is the server backups. Some companies store backups for years, and hackers could access those backups if they’re not adequately protected.

Ultimately, keeping sensitive data and photos private is up to both the user and the company running the service. For the moment, it’s best to remember online security is not absolute. If you want to keep data private, keep it offline.

Cloud Privacy
How concerned are you about your private photos and data getting out there?

‘Backoff’ Retail Malware Threat Even Worse than Expected

Backoff Malware

Just a few weeks ago the Department of Homeland Security issued a warning to retailers about Backoff, the point-of-sale malware responsible for the massive payment card security breach at Target during last year’s holiday season. The initial report indicated up to 600 retailers were affected, but on August 22nd the DHS issued another advisory that stated the scale is much larger. The Secret Service estimated over 1,000 businesses of all sizes have been victimized by variants of Backoff.

Backoff Basics

The days of the simple mechanical cash register are long gone for all but the smallest retailers. The registers most retailers use are actually Windows computers running point-of-sale (POS) software. They are networked and connected to the Internet so they can verify payment cards and checks. Like any computer, they are vulnerable to attack by malicious software and hackers.

The Backoff malware takes advantage of a vulnerability in the process used to read and validate payment cards. The customer’s information is stored in unencrypted format on a magnetic strip on the back of the card. When a customer swipes their card at checkout, the card reader transmits the data to the computer. The POS software will then encrypt the information and send it to the payment card processing company for verification.

Backoff can read the POS computer’s physical memory and record the payment card data before it is encrypted. It uses its own encryption on the data and sends it to servers the hackers can access. The hackers either sell the data to other criminals through black market channels or use it to make purchases themselves.

Moving Payment Cards Forward

There is little consumers can do to protect themselves at the moment except pay with cash or checks. These payment methods are more costly for retailers to handle and come with their own complications.

The only solution is to move away from magnetic strip cards and toward other methods of payment. Companies are experimenting with digital wallets and other smartphone-based payment systems, but they have yet to see widespread acceptance.

EMV

Europay-Mastercard-Visa system, or EMV payment data is encrypted and stored on a microchip.

The system that’s most like the payment cards consumers are already familiar with is the Europay-Mastercard-Visa system, or EMV. It uses the same plastic cards, except the payment data is encrypted and stored on a microchip. The credit card industry has set a deadline for retailers to move to EMV cards by the end of 2015, but the equipment required is expensive. A retailer could pay up to $1,000 per register, leading many to drag their feet due to the cost.

The cost of a security breach is much higher. Target estimated costs associated with the breach had reached $148 million in the second quarter of 2014. The cost of the damage to the company’s reputation, brand and corporate image is harder to calculate. Unless more retailers want to follow in Target’s footsteps, they must leave magnetic payment cards behind.

Follow every major phase of the Target retail security breach along with my insights. Download my RETAIL SECTOR PDF for all the major retail security stories in 2013 and 2014.

'Backoff' Retail Malware Threat
How worried are you about the 'Backoff' malware threat?