Scam Of The Week: Payment By Facebook Friend
As of last Tuesday, Facebook has switched on person-to-person (P2P) payments for users in the US to "instant-message" money to their friends, using the debit cards connected to their bank accounts. Fantastic idea. What could go wrong? It's time for a Scam Of The Week post.
Essentially, how it works is pretty simple.
- Start a message with a friend
- Tap the dollar icon and enter the amount you want to send
- Tap 'Pay' on the top right and add your debit card to send money
To receive money, open the conversation with your friend, tap "Add Card" in the message and add your debit card; you only have to do this the first time. Once a debit card is attached to your Messenger account, you can also set a PIN that is required the next time you send money. Transfers take one to three business days to arrive.
Facebook says it accepts only debit cards, not credit cards, to keep fraud and fees down. It also promises that the whole system is wrapped in encrypted connections between users and itself, plus "layers of software and hardware protection that meet the highest industry standards."
"Trust us!" Facebook says. HAH.
Looks like they overlooked a simple thing like social engineering. I predict that the press will be flooded with fraud stories very soon. Apple Pay was exploited by fraudsters within a few months of its release, and the same thing is going to happen here.
The number one problem will be phishing attacks that claim the victim has received money from a Facebook friend... just click here to open Facebook Messenger and get your cash. Yeah sure. I would send the following or something like it to your employees, friends and family. Edit if you want, copy and paste:
"Facebook just announced a new feature that allows you to send money to a friend using your own debit card and your friend's debit card, which of course are linked to both of your bank accounts. You need to attach your debit card to your Facebook messenger to send and receive money. Facebook claims this is all technically secure.
Well, Apple thought Apple Pay was secure too, but fraudsters started making cash right away by gaming the system. This new Facebook payment option could allow several kinds of scams. To start with, you have to be alert when you get emails that claim a Facebook friend has sent you money. Also, if a friend's account has been hacked, a message that looks like it comes from your friend may really come from a criminal impersonating them. So, anything to do with Facebook Payments: Think Before You Click!"
For KnowBe4 customers, we have a new pre-made security awareness training phishing template for you in the Social Media Templates section. I strongly suggest you send this to your users sooner rather than later!
If you are not a KnowBe4 customer yet, new-school security awareness training, which combines web-based on-demand training by a social engineering expert with frequent simulated phishing attacks, is a must these days to protect your organization against these kinds of attacks. Find out how affordable this is today: http://info.knowbe4.com/kmsat_get_a_quote_now
Confidence In Antivirus Falls To All-time Low
Bromium is an IT Security company with a new malware mousetrap, so it will try to make old mousetraps look, well... old.
They are repositioning antivirus as "detection" tools and present themselves as "prevention", which in itself is a bit of a cheesy marketing tactic. However, they do point out correctly that traditional antivirus is starting to get smelly.
Their recent survey showed confidence is waning in traditional detection-based security solutions, such as antivirus and firewalls, and interest is shifting toward prevention-based solutions such as endpoint threat isolation. The respondents' number one worry, however, had nothing to do with technology.
Users are the Greatest Risk To The Organization
When asked, “Which do you feel are the greatest areas of risk to your organization?” the overwhelming response was the user, which makes sense considering that untrained users click on anything, open anything and circumvent security controls that they find restricting.
Less confidence in legacy detection solutions - An overwhelming majority of respondents (92 percent) said they have lost confidence in the ability of traditional endpoint protection solutions, such as antivirus and whitelisting, to detect unknown threats like zero-day attacks. Additionally, 78 percent believe antivirus is not effective against general cyber attacks.
Endpoint threat isolation is most effective - When asked to select from a list of security solutions, information security professionals said they consider endpoint threat isolation the most effective solution at preventing cyber threats (58 percent). Nearly one-third said network-based solutions are effective; 28 percent have faith in intrusion detection/intrusion prevention (IDS/IPS); and 27 percent think network sandboxes are effective.
Prevention is the foundation of security - A majority of respondents (58 percent) believe that prevention, such as hardening and isolating systems, is the most foundational aspect of security architecture, compared to 23 percent who cited detection, 16 percent who cited response (investigation/remediation), and 34 percent who said predictive analytics.
The IT pros surveyed correctly observed that prevention is the most important. Remember the old expression about an "ounce of prevention". It's obvious that effective security awareness training should be a key part of your IT security puzzle. Done right, it's highly cost effective.
Warm Regards, Stu Sjouwerman
"Tell me and I forget. Teach me and I remember. Involve me and I learn." - Benjamin Franklin
"Experience is a good teacher, but she sends in terrific bills." - Minna Antrim
Thanks for reading CyberheistNews!
This Week's Five Most Popular HackBusters Posts
OPM Phishing Attack: "Your Data Was Hacked, How To Protect Yourself"
And yes, as we predicted, there are now phishing attacks that mimic Office of Personnel Management (OPM) data breach notifications. The breach has expanded to millions more records. It now looks like 14 million -- and who knows how many more -- have been exfiltrated to China. Anyone who works for the government or has worked for it in the past must now worry about scammers trying to capitalize on the data that was stolen.
We are talking about current and former federal employees, people that recently applied for federal jobs, several types of industry contractors and -- because of the highly detailed Standard Form 86 used for security clearances -- a wide swath of applicants' family members, friends and acquaintances.
Just think of the spear-phishing opportunities when you'd have all this data. These hackers have hit the motherlode.
A June 30 alert from the U.S. Computer Emergency Readiness Team stated: "US-CERT is aware of suspicious domain names that may be used in phishing campaigns masquerading as official communication from the Office of Personnel Management (OPM) or the identity protection firm CSID. US-CERT recommends that users visit the OPM website for more information. Users are also encouraged to read US-CERT's guidance on avoiding social engineering and phishing attacks and report suspicious emails."
I'd send an email out to all employees and give them a heads-up about this threat they need to watch out for. As part of your security awareness training program, here is a link to a free job aid that you (or they) can download, print and pin on the wall of their cubicle. It shows the 22 Social Engineering Red Flags to watch out for in emails. Let's stay safe out there: http://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/SocialEngineeringRedFlags.pdf?
Criminal Hackers Steal Your Database? See You In Court
Jim Flynn wrote: "Helping to demonstrate that every cloud has a silver lining if you look hard enough, hacking has proven to be of great benefit to the legal profession. That's because every major hacking event has resulted in a flurry of litigation.
For example:
- Sony Pictures Entertainment is being sued in a class-action lawsuit initiated by nine former employees who claim the company failed to take adequate safeguards to protect personal information.
- Shortly after the Anthem data breach this year, the company was sued in several lawsuits alleging the company did not take adequate measures to secure its data.
- Target, in the aftermath of the massive breach it suffered in late 2013, has agreed to pay $10 million in damages to settle a class-action lawsuit brought on behalf of individuals whose personal information was compromised.
But that's not all. There is also a widespread finger-pointing exercise going on involving merchants who accept credit card payments, banks where merchants deposit their credit card payments, banks that issue credit cards, and credit card payment system companies such as MasterCard and Visa.
The reason is, when a data breach involving credit card information occurs, federal law protects card holders from liability for unauthorized transactions. Losses, therefore, initially fall on credit card issuers, which are, for the most part, banks.
There are then complex contractual arrangements that give credit card issuers the right to go back against banks where merchants deposit their credit card payments - and give those banks the right to go back against the merchants. Under these contracts, however, merchants are supposed to be protected against losses from unauthorized transactions as long as they follow customer verification procedures imposed on them by the contracts and otherwise adhere to something called "payment card industry data security standards."
As an example of how this finger-pointing plays out in the legal arena, MasterCard and Target reached an agreement in March whereby Target would pay $19 million to MasterCard to settle contractual claims arising out of the Target hack. However, three of the largest banks that issue credit cards - Citigroup, Capital One Financial and JPMorgan Chase - vetoed the settlement, saying $19 million wasn't nearly enough to compensate them for the hit they took in the aftermath of the Target data breach.
In another credit card industry-related lawsuit, Genesco - a large shoe, hat and sports apparel retailer - has sued Visa, claiming the contractual arrangements by which credit card-issuing banks can take money out of bank accounts where merchants deposit their credit card payments is illegal.
In Genesco's case, it saw $13.3 million suddenly disappear from its accounts at Wells Fargo and Fifth Third Financial for what Visa called a "fine" before any determination was made of Genesco's rights and obligations under the contracts governing its participation in the Visa system.
If all of that isn't enough, the Federal Trade Commission has declared itself to be the chief regulator of cybersecurity in this country. Relying on vague language in the Federal Trade Commission Act (which goes back to a time when people still used smoke signals to communicate), the FTC has, over the past 13 years, brought administrative enforcement actions against more than 50 companies, alleging their lack of adequate data security systems constitutes an unfair or deceptive trade practice. These actions are intended to send a message to all other data collecting companies that they'd better clean up their act - or see you in court."
Lawyers at this moment are suing for a variety of issues caused by hackers. Not to say all of the cases will be successful in court, either through settlements or outright wins, but "plaintiff's attorneys are remaining steadfast in their attempt to establish working theories of liability and carve out new ground for legal standing."
What that means for your organization is that complying with regulations like PCI DSS is becoming a very high priority. Here is a whitepaper, written by a lawyer who also holds the CISA, CISSP, CIPP, ISSMP and CRISC certifications, that explains why an effective security awareness program can save a significant amount in legal fees: http://info.knowbe4.com/whitepaper-overly-kb4-13-08-20
SANS Announced July Issue Of OUCH!
They said: "We are excited to announce the July issue of OUCH! This month, led by Guest Editor Tanya Baccam, we focus on social media -- specifically, the risks of social media and how you can continue to use it, but more securely and safely.
As always, we encourage you to share OUCH! with family, friends or as part of your security awareness program. All we request is you do not modify or sell the newsletters. English Version (PDF) http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201507_en.pdf
Woman Conned Out Of £50,000 In Shrewd Spearphishing Scam
In a variation of CEO Fraud, spearphishing is getting more up close and personal. Read this story and apply the lesson in your own life before you lose your life savings.
Vivian Gabb, 59, of London, was in the middle of buying a house. Her email account had been hacked, and the criminals monitored it for a considerable time before striking.
From her mailbox they learned the closing details by reading an email from her lawyer. They then emailed her from a lookalike address imitating the lawyer's, instructing her to wire the money to an account they controlled instead of the lawyer's bank, and emptied that account the moment the money arrived.
Only after the money was gone did she go back to the email and notice that the scammer's address was missing an "s" in "partners." She lost almost £50,000, her life savings. She tells her alarming story in this short BBC video. Watch it and send it to your friends:
http://www.bbc.com/news/uk-33257129
Lesson learned, and this is true for individuals as well as larger organizations: when you are dealing with large amounts of money, ALWAYS get on the phone with the person on the receiving end, dialing a number you already know to be correct for that organization (never one taken from the email itself, since a phone number in a fraudulent email is answered by the fraudster), and confirm the transaction. ALWAYS have two people sign off on checks or transfers of large amounts. NEVER act on an email alone when it contains instructions for a money transfer, and treat a last-minute change of bank details as a red flag in its own right.
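The US-CERT warning above about domains masquerading as OPM or CSID and the missing "s" in this story come down to the same question: is the sender's domain really the one you expect, or a near miss built to be read as one? Below is an added example, written for this issue and not code from KnowBe4, US-CERT or the BBC report, that triages From: header values against a short list of trusted domains. The trusted list, the lookalike domains and the sample headers are all constructed for the demo; the newsletter does not name the lawyer's real domain, and opm.gov appears only as the agency's public website domain.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the counterparties you actually expect money
# instructions or breach notices from. The law firm's domain is hypothetical;
# the newsletter never names the real domain involved.
TRUSTED_DOMAINS = ["example-partners.com", "opm.gov"]


def levenshtein(a, b):
    """Edit distance: single-character inserts, deletes and substitutions
    needed to turn a into b. Dropping one 's' is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def split_from_header(header):
    """Return (display name, address domain), both lowercased; the domain is
    '' when the header carries no parseable address."""
    name, addr = parseaddr(header)
    if "@" not in addr:
        return name.lower(), ""
    return name.lower(), addr.rsplit("@", 1)[1].lower().rstrip(".")


def _collapse(domain):
    """Drop dots and hyphens so opm.gov, opm-gov.com and opmgov.com share a core."""
    return domain.replace(".", "").replace("-", "")


def classify_sender(header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify a From: header value against the trusted list.

    Returns (verdict, trusted_domain). 'trusted' is an exact match or a real
    subdomain of a trusted domain; 'lookalike' is a near miss a human reader is
    likely to confuse with one; 'unknown' is everything else.
    """
    name, domain = split_from_header(header)
    if not domain:
        return "unknown", None
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    name_words = set(re.findall(r"[a-z0-9]+", name))
    for t in trusted:
        # 1. Typo distance: a missing, extra or swapped character or two.
        if levenshtein(domain, t) <= max_distance:
            return "lookalike", t
        # 2. Trusted name reused inside another domain: opm.gov.evil.com, opm-gov.com.
        if _collapse(t) in _collapse(domain):
            return "lookalike", t
        # 3. Display name borrows the organisation's name while the address lives elsewhere.
        org_words = set(re.findall(r"[a-z0-9]+", t.split(".")[0]))
        if org_words and org_words <= name_words:
            return "lookalike", t
    return "unknown", None


# Constructed sample headers for the demo; none is a real message.
SAMPLES = [
    "Jane Doe <jane@example-partners.com>",   # genuine counterparty
    "Jane Doe <jane@example-partner.com>",    # the dropped-'s' trick
    "Accounts <pay@mail.opm.gov>",            # real subdomain of a trusted domain
    "OPM Notice <alerts@opm-gov.com>",        # hyphen standing in for the dot
    "OPM Support <help@freemail.test>",       # borrowed name, unrelated address
    "Bob <bob@gmail.com>",                    # nothing to do with the list
]


def triage(headers):
    """Classify each header; returns [(header, verdict, trusted_domain), ...]."""
    return [(h,) + classify_sender(h) for h in headers]


if __name__ == "__main__":
    for header, verdict, ref in triage(SAMPLES):
        print(f"{verdict:9} {header}" + (f"   (cf. {ref})" if ref else ""))
```

The three checks catch three distinct tricks: an edit-distance near miss (the dropped "s"), the trusted name embedded in some other registrable domain (opm.gov.evil.com, opm-gov.com), and a display name that borrows the organisation's name while the address is somewhere else entirely. Genuine subdomains of a trusted domain are accepted. Lower max_distance for very short trusted domains, where distance 2 starts matching unrelated names. None of this replaces the phone call in the lesson above: a genuine but compromised mailbox passes every check here.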
This Week's Links We Like. Tips, Hints And Fun Stuff.