Afternoon Blog Readers,
Once an attack occurs, bringing a business back to proper functionality is CRUCIAL. Seconds, minutes, or hours can pass in which a company loses money and valuable information and puts consumers at risk.
A couple of months ago, the CEO of Sony released statements about the steps they took following the attack on their network in 2014. A proper business continuity strategy ensures critical business functions will continue following a disaster. According to Michael, top executives communicated through a calling tree where updates were relayed from one person to another. An attack of this magnitude was not expected, nor, some experts argue, was it correctly planned for (via proper DR procedures).
The Wall Street Journal article highlights the lack of preparedness some companies face against hacks of this nature. While most would prepare for a natural disaster, a majority of companies would not have the BC plans to prepare for every computer in their organization to fall victim to an attack.
Alan Berman, CEO of Disaster Recovery Institute, said it best:
"What we're learning from Sony is what we've supposedly learned from Target and [others]," Berman says. "We really do need better security. We need better sharing of knowledge, which doesn't take place."
Read more here:
http://www.bankinfosecurity.com/sony-hack-business-continuity-lessons-a-7743/op-1
- Angie
Tuesday, March 31, 2015
Tuesday, March 24, 2015
Tips for the Online Retailers
Good Afternoon Blog Readers & Shoppers alike!
Last week I reviewed how some of these hackers are gaining access to confidential and personally identifiable information from retail locations. What happens to the credit card numbers of those affected? While most physical retail locations require some form of identification when a physical card is presented, the proliferation of online purchasing has made it increasingly difficult for merchants to identify stolen credit card information. According to the FraudLabs website, there was approximately 2.6 billion dollars in merchant cost due to online fraud in 2004. Yes, you read that right, this statistic is in the billions - and the data is 10 years old. So what's an online retailer to do?
Here are some tips for online merchants to reduce the chance of fraudulent purchases:
1. Geolocation by IP Address - this technology can locate the physical address of the computer used to purchase online goods. It can be used to examine the distance between the billing address and the computer. Legitimate customers will not be deterred by legitimate authentication measures, which also protect them from credit card fraud and keep the costs of doing business on the Internet down, especially if the customer is properly informed and advised.
2. Check whether an anonymous email address or proxy internet server was used - Anonymous proxy servers and email addresses allow Internet users to hide their actual IP address. The main purpose of using a proxy server is to remain anonymous or to avoid detection. While well-known businesses use proxies to protect internal networks, fraudsters hide themselves behind anonymous proxy servers.
3. Check if the mailbox used is a ship-forward address or PO Box - since the criminal would need a place for the inventory to be sent, a physical address or PO Box location is a must. A way to conceal the true identity of the purchaser is to use an anonymous physical address.
Of course, with all of these examples, the customer could be a legitimate customer who values privacy on the internet. So when in doubt - it is best for the online merchant to request more information from the purchaser. Calling or faxing the customer would aid in further authenticating their identification.
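The three checks above combined into one order screen, as an added example that is not from the original post or from FraudLabs. The domain list, the 500 km threshold, the field names and the sample orders are constructed assumptions; any hit leads to a request for more information rather than an automatic rejection.

```python
import math
import re

# Constructed stand-ins; a real screen would use maintained data feeds.
ANON_EMAIL_DOMAINS = {"anonmail.example", "tempinbox.example"}
PO_BOX_RE = re.compile(r"\b(p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.I)
MAX_DISTANCE_KM = 500  # assumed threshold between billing address and IP location

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def review_reasons(order):
    """Return the list of checks (tips 1-3) that this order trips."""
    reasons = []
    ip_loc = order.get("ip_location")  # None when the IP could not be geolocated
    if ip_loc is None:
        reasons.append("ip_not_geolocated")
    elif haversine_km(order["billing_location"], ip_loc) > MAX_DISTANCE_KM:
        reasons.append("ip_far_from_billing")
    if order.get("ip_is_proxy"):
        reasons.append("anonymous_proxy")
    domain = order["email"].rsplit("@", 1)[-1].lower()
    if domain in ANON_EMAIL_DOMAINS:
        reasons.append("anonymous_email")
    if PO_BOX_RE.search(order["shipping_address"]) or order.get("ship_forwarder"):
        reasons.append("po_box_or_forwarder")
    return reasons

def decide(order):
    """A hit means 'ask the customer for more', not 'reject'."""
    reasons = review_reasons(order)
    return ("request_more_info" if reasons else "accept", reasons)

# Constructed sample orders (coordinates would come from a geolocation lookup).
ORDER_OK = {"email": "pat@shop-customer.example", "billing_location": (41.88, -87.63),
            "ip_location": (42.03, -87.88), "ip_is_proxy": False,
            "shipping_address": "120 W Lake St, Chicago, IL"}
ORDER_SUSPECT = {"email": "x91@anonmail.example", "billing_location": (41.88, -87.63),
                 "ip_location": (44.43, 26.10), "ip_is_proxy": True,
                 "shipping_address": "P.O. Box 4410, Wilmington, DE"}

if __name__ == "__main__":
    for o in (ORDER_OK, ORDER_SUSPECT):
        print(o["email"], decide(o))
```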
Check out the rest of the tips for online merchants here:
https://www.fraudlabs.com/fraudlabswhitepaperpg1.htm
- Angie
Tuesday, March 17, 2015
Big and Small: Every Company At Risk
Target, Home Depot, TJ Maxx - they make the headlines. Large companies whose networks have been compromised, leaving millions of consumers vulnerable to credit card fraud. Are the cyber criminals picking out the large corporations, or are they also attacking small mom & pop shops? Similarly, are merchants required to divulge security breaches to the public?
It is true that most states have laws requiring companies to contact customers if certain personal information is compromised; usually, however, the task falls on the credit issuers. It was revealed in 2014 that some lesser-known retailers (small outlet shops) may also have been victims of the same person or persons responsible for the Target attack. In Target's case, the breach was believed to be the result of a malware program called a RAM scraper: memory-parsing software that enables criminals to obtain encrypted data as it travels through the live memory of a computer, where it appears as plain text.
It would appear some of these are well planned, comprehensive attacks. Conversely, some may be crimes of opportunity or convenience. Many retailers simply delay disclosing breach information as they feel it might hurt their business and public image.
Read more about the Target fallout from Reuters:
http://www.reuters.com/article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112
- Angie
Tuesday, March 10, 2015
The First Blog
Hi Blog Readers!
The purpose of this blog is to research and educate on the cyber security threats facing the retail industry. With the emergence of electronic payments online, and the ubiquity of credit and debit card transactions, the retail setting is a prime target for cyber criminals. This blog will hopefully shed light on the hacks from the past, and hopefully educate for the prevention of hacks in the future.
Happy Shopping! :)
Angie