Views




ISMG's 2018 Global Summit Series: Fraud and breach prevention






By Brandes Elitch
CrossCheck Inc.

In July, Information Security Media Group held its annual cybersecurity conference in San Francisco. I attended this event last year and was impressed with the scope and depth of the presentations, and particularly struck by how much I didn't know about this subject, which was intimidating considering how scary it is. This year, I came prepared to be amazed, because when it comes to cybersecurity versus the fraudsters, anything goes.

In 2017, ISMG held events across four continents in over 50 cities. It is the world's largest media organization devoted solely to information security and risk management, with 28 media properties focused on key verticals such as banking, healthcare and the public sector. This seminar was two days packed with 17 presentations. In this article, I will touch on some things I found to be particularly interesting.

The vast scope of fraud

To put things into perspective, a recent study by Shape Security called The Credential Spill Report found that last year there were 51 reported major breaches, which compromised 2.3 billion credentials (user names and passwords). Ninety percent of all login attempts at online retailers are done by hackers. In the airline and consumer banking space, 60 percent of login attempts are from criminals. The cost of fraud is estimated to be $6 billion a year in ecommerce, and $1.7 billion a year in consumer banking. Hotels and airlines that offer loyalty points incur losses of $700 million a year. The community bank sector sees 200 million attacks a day.

In addition, the U.S. consumer banking industry faces about $50 million a day in potential losses from "credential stuffing" attacks, and actual losses are estimated to be $5 million per day. The number of hacked U.S. credit cards whose information was offered for sale to other criminals on the Dark Web has quadrupled in the last two years, totaling more than 4,000 credit cards per bank.

In with third parties

According to security firm RiskIQ, bad actors such as the criminal group called Magecart target popular third-party software suppliers, which can enable large-scale compromises. Instead of going after large enterprises, the criminals have redirected their attention to smaller third-party suppliers that can act as gateways to more lucrative targets.

One example is the Ticketmaster compromise, in which malicious code was planted in automated customer support chatbot software from Inbenta Technologies. The code collected names, street addresses, email addresses, phone numbers, payment details, and Ticketmaster login details. RiskIQ also identified malicious code in a third-party marketing service from a company called SociaPlus; a Magecart skimmer was added to a SociaPlus script and injected into multiple Ticketmaster websites.

Here is a compelling example from the banking community. Malware from fraudsters such as TrickBot, Qbot, and Dridex includes banking trojans distributed via phishing emails, which infect the victims' computers and steal the credentials used to access their bank accounts. The attackers can redirect SMS messages from the banks, containing passwords and mobile transaction authentication numbers, and deliver them to phones controlled by the attackers. This was enabled by a vulnerability in the SS7 networking protocol used by cellphone providers, which can be used to eavesdrop on conversations, track geographic locations and intercept SMS messages.

Expanding threat landscape

The threat landscape includes identity theft, targeted malware, ransomware, cryptojacking, credential stuffing, and bring-your-own-device (BYOD) and Internet of Things attacks. Aside from web-based attacks and phishing, there are spam, denial of service, botnets and physical attacks. Criminals are also using big data, machine learning and automation.

Last year, a third of all consumers were notified of a data breach. The Equifax breach put everything over the top, because it closed the circle: fraudsters have all they need for ID fraud. Do I have your attention now?