Card fraud basically involves theft of identity or information on your cards.

The stealing can take place in one of the following ways:

1. Skimming

“This involves attaching a data skimming device in the card reader slot to copy information from the magnetic strip when one swipes the card,” says Mohan Jayaraman, MD, Experian India.

“They also set up cameras near the machine to get the PIN,” he adds.

2. Card trapping

Here, a barb retains the card when you insert it in the machine, and the card is retrieved later.

3. Shoulder surfing

If you find friendly bystanders in the room or outside who try to help you if your card gets stuck or peer over your shoulder, beware.

They are there to get you to reveal your PIN.

4. Leaving card PIN

If you write your PIN on the card and forget it in the ATM kiosk, it’s a virtual invite to be scammed.

5. Online transactions

The ease of e-shopping or online bill payment is matched by the facility with which identity theft can be carried out on a computer or smartphone.

Mumbai-based Girish Peswani knows it well. “I was in my office when I got alerts about online transactions abroad made using my credit card,” he says. There are various ways this card information could have been stolen.

6. Pharming

In this technique, fraudsters reroute you to a fake website that seems similar to the original.

So even as you conduct transactions and make payment via credit or debit card, the card details can be stolen.

7. Keystroke logging

Here, you unintentionally download software that allows the fraudster to trace your keystrokes and steal passwords or credit card and Net banking details.

8. Public Wi-Fi

If you are used to carrying out transactions on your smartphone, public Wi-Fi makes for a good hacking opportunity for thieves to steal your card details.

9. Malware

This is malicious software that can damage computer systems at ATMs or bank servers and allows fraudsters to access confidential card data.

10. Merchant or point-of-sale theft

This is perhaps the most effective form of stealth, wherein your card is taken by the salesperson for swiping and the information from the magnetic strip is copied to be illegally used later.

11. Phishing & vishing

While phishing involves identity theft through spam mails which seem to be from a genuine source, vishing is essentially the same through a mobile phone using messages or SMS. These trick you into revealing your password, PIN or account number.

12. SIM swipe fraud

Here the fraudster contacts your mobile operator with fake identity proof and gets a duplicate SIM card.

The operator deactivates your original SIM and the thief generates a one-time password (OTP) on the phone to conduct online transactions.

13. Unsafe apps

Mobile apps other than those from established stores can gain access to information on your phone and use it for unauthorised transactions.

14. Lost or stolen cards, interception

Transactions are carried out using stolen cards, those intercepted from mail before they reach the owner from the issuer, or by fishing out information like PINs and passwords from trash bins.

15. Cards using other documents

New cards are made by fraudsters using personal information stolen from application forms, lost or discarded documents.

Source: http://www.gadgetsnow.com/slideshows/15-ways-criminals-steal-money-from-your-debit/credit-card/Malware/photolist/55414130.cms


The chip card (EMV) era has arrived with the promise that data in retail environments will be better protected. Cardholders will have much greater security at the point of sale with their own card data. But, while it will be much more difficult for thieves to steal card data at the point of swipe, the hackers are still hacking and data is still being lost – almost daily.

Fast-food chain Wendy’s is facing a class-action lawsuit over a recent breach of its existing point-of-sale (POS) system. The Wendy’s breach comes on the heels of numerous other POS attacks at major retailers in recent years, including breaches at Michaels, eBay, Neiman Marcus, Target, and the largest of them all, Home Depot (56 million cards). Retailers have been shaken by these events; a recent study found that 100% of retailers cite cybersecurity as one of their top business concerns, up from only 55% in 2011, according to BDO, a business advisor to consumer business companies for over 100 years.

Retail customer data breaches can result in a company losing millions of dollars to class action lawsuits, possibly facing penalties for Payment Card Industry Data Security Standard (PCI DSS) violations, and irreparably harming its reputation. However, PCI compliance is not a guarantee that a retailer’s infrastructure is immune to breaches. It merely means minimum standards have been achieved.

Following are five steps merchants in any industry can take to prevent their POS systems from being compromised:

1. Have Store Personnel Monitor Self-Checkout Terminals/Kiosks

There are two methods by which POS data is stolen: by compromising the POS system itself using stolen credentials or by physically installing “card skimmers,” usually on self-checkout terminals that are not monitored. These devices, which take only seconds to install, steal payment card data and PIN information directly off the card’s magnetic stripe.

While the introduction of new chip cards will eliminate the threat of card skimmers, 42% of retailers have yet to update their payment terminals to accept chip cards – and even some retailers who have EMV-enabled terminals cannot accept chip cards because the POS software cannot yet handle them. It is imperative that such terminals not be left completely unattended. Every store should have on-site personnel who are trained to spot card skimmers and assigned to monitor self-checkout terminals for their presence.

2. Ensure that Both POS and OS Software Is Up-to-Date

Because cybersecurity is a constant “Spy vs. Spy” battle where experts find ways to patch vulnerabilities while hackers find new ways to access systems, POS software systems release frequent updates to address the most recent security threats. For maximum protection, these updates must be downloaded and installed as soon as they are released, not on a monthly or quarterly schedule. The same concept applies to operating system software; retailers and restaurants that are running Microsoft Windows should ensure that patches are installed as soon as they are available.

3. Always Change Default Manufacturers’ Passwords

Retailers and restaurants should always change the default password provided by the manufacturer as soon as a new piece of hardware is hooked up to their POS system. Default passwords are publicly available, and thus widely known to hackers; in fact, the first thing an attacker will attempt to do is access the device using the default password.

Changing default passwords is required as part of an organization’s compliance with PCI DSS. Likewise, software system passwords should also be changed upon installation, and then on a regular basis afterwards.

4. Isolate the POS System from Other Networks

Many retailers, restaurants, and hotels offer free Wi-Fi to their customers. The POS system should never be hooked up to this network, as a hacker can use it to access the system. Likewise, if an organization’s POS system is not separated from its corporate network, a hacker who compromises the organization’s main network will be able to access its POS system. There are two ways to achieve this isolation: by actually segmenting the two networks or by using multifactor authentication for communication between the organization’s main network and its POS system.

The correct solution for a particular organization depends on its size and resources, so it’s best for organizations to consult a managed security services provider (MSSP) to determine which solution would best fit their needs.
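
A segmentation audit for the isolation step above, as an added example that is not part of the original article: it walks a first-match firewall rule list and reports every allow rule that lets the guest Wi-Fi or corporate network reach the POS subnet without being blocked by an earlier deny. The zone names, subnets, rules and the approved exception are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # None means any port

# Constructed sample data: zone names, subnets and rules are hypothetical.
ZONES = {"guest_wifi": "10.20.0.0/24", "corporate": "10.10.0.0/16", "pos": "10.30.0.0/24"}
RULES = [
    Rule("allow", "10.10.5.0/24", "10.30.0.0/24", 443),   # approved back-office flow
    Rule("deny",  "10.20.0.0/24", "10.30.0.0/24", None),  # guest Wi-Fi -> POS blocked
    Rule("allow", "10.20.0.0/24", "0.0.0.0/0", None),     # guest Wi-Fi -> internet
    Rule("allow", "10.10.0.0/16", "10.30.0.0/24", 3389),  # whole corporate LAN -> POS
    Rule("deny",  "0.0.0.0/0", "0.0.0.0/0", None),        # default deny
]
APPROVED = {RULES[0]}  # flows signed off as necessary (assumed to be MFA-protected)

def _net(cidr):
    return ipaddress.ip_network(cidr)

def _common(a, b):
    # CIDR blocks are either nested or disjoint, so an overlap is the smaller block.
    return a if a.subnet_of(b) else b

def segmentation_findings(rules, zones, pos_zone="pos", approved=frozenset()):
    """Return (zone, rule_index) for each unapproved allow rule that lets a non-POS
    zone reach the POS subnet and is not fully shadowed by an earlier deny."""
    pos, findings = _net(zones[pos_zone]), []
    for zone, cidr in zones.items():
        if zone == pos_zone:
            continue
        zone_net = _net(cidr)
        for i, r in enumerate(rules):
            src, dst = _net(r.src), _net(r.dst)
            if (r.action != "allow" or r in approved
                    or not (src.overlaps(zone_net) and dst.overlaps(pos))):
                continue
            s, d = _common(src, zone_net), _common(dst, pos)
            # First-match evaluation assumed: only earlier deny rules can block r.
            shadowed = any(e.action == "deny" and e.port in (None, r.port)
                           and s.subnet_of(_net(e.src)) and d.subnet_of(_net(e.dst))
                           for e in rules[:i])
            if not shadowed:
                findings.append((zone, i))
    return findings
```

On the sample rules the only finding is the broad corporate-to-POS rule at index 3; moving the guest Wi-Fi deny below the guest internet rule adds a second finding, which shows why rule order matters as much as rule content.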

5. Always Purchase POS Systems from Reputable Dealers

Retailers and restaurants have extremely thin profit margins, and the individually franchised restaurants that are popular in the fast-food industry tend to operate on particularly tight budgets. As the industry automates for the first time, it may be tempting for these small operators to seek out the best “deal” on self-checkout systems – but a POS system purchased from a manufacturer who turns out to be fraudulent is no “deal” at all, and it could result in financial ruin for that location. POS systems should be purchased only from known, reputable dealers, and if a “deal” on a system seems too good to be true, it probably is.

POS system security requires expertise in both information security and PCI DSS compliance, the latter of which is mandatory for any organization that processes, stores, or transmits cardholder data. Retailers and restaurants that do not have sufficient in-house IT staff to handle data security and PCI DSS compliance should partner with an MSSP to ensure that their POS systems are both safe and compliant. MSSPs are flexible and can tailor their solutions to fit each company’s needs, from remote monitoring to on-site security staff, either in conjunction with existing staff or on their own.

Automation has lowered labor costs and improved efficiency and the customer experience in the retail industry – and will do so in the restaurant industry – but the security of POS technology should not be disregarded. As POS data breaches continue to multiply, and especially as large fast-food chains plan to install brand-new ordering kiosks at a rapid pace, retailers and restaurants need to take proactive steps to protect their customers’ card data – and themselves from lawsuits, government penalties, and reputation damage.

Source: http://www.chainstoreage.com/article/five-ways-prevent-data-hacks-point-sale


It’s not only large companies that face cyberattacks – there are affordable steps small companies can take to protect their business data and IT systems.

You can’t assume that your small business is not a target for hackers. As many as three-quarters of smaller businesses are at risk, according to the latest Government Security Breaches Survey, with the worst breaches costing up to £300,000.

Small companies face attack from multiple angles. “Like [larger] enterprises, they face targeted attackers who are interested in intellectual property and other confidential data, as well as using smaller organisations as a way into larger ones,” says David Emm, principal security researcher at Kaspersky Lab. “And like consumers, they face random, speculative attacks that make up the bulk of the threat landscape and are distributed indiscriminately by cybercriminals.”

That’s problematic for SMEs, which are less likely to have a dedicated IT department staffed with security professionals. “SMEs typically don’t allocate resources to cyber security, and they allocate very few resources to IT,” says Andy Patel, senior manager for technology outreach at F-Secure. “This leaves them open to attack in a variety of ways. A cyber security incident is likely to cost an SME proportionally more to recover from than a well-prepared company.”

Improving the security situation at your small business doesn’t need to be expensive, and it could well save you money in the long run. We asked experts across the security industry for their tips on how small businesses can stay secure without breaking the bank.

Adopt two-factor authentication

Take security into your own hands and enable two-factor authentication on any service or device used by the company for email accounts, social media feeds or more sensitive systems. Anyone using these accounts will need an extra credential to gain access from a new device, or to change profile settings, which stops hackers from breaking in even if passwords are leaked.

“Multi-factor authentication reduces the risk of a compromise, since a password alone is not enough to gain access to an online account,” says Mr Emm. “At the very least, multi-factor authentication should be mandatory for changes to account settings.” He adds that it’s essential for companies to shut down accounts, or change login credentials, when someone leaves employment.

Two-factor authentication does add steps to employees’ login procedures, so avoid frustrating them by taking it one step at a time. “Start with the critical accounts and scale up from there as it becomes a habit,” advises F-Secure security advisor Sean Sullivan.

Get smart with email

Email is a weak point for smaller enterprises, with criminals targeting companies with malware via phishing attacks. This is where an email is crafted to look like it’s coming from a trusted source, such as a supplier or bank, but is loaded with dodgy attachments or links to malicious pages, says Trustwave’s threat intelligence manager, Karl Sigler. “Our research has found that the vast majority of companies have been targeted with a phishing attack at least once over the past year, and the number is set to increase over the next 18 to 24 months.”

Phishing messages can be sent to any email address at random, but clever hackers can also use information gleaned online – from social networks, data breaches, or even your company website – to make attacks more effective (a trick called spear phishing).

To avoid becoming a victim, Mr Patel says staff should be trained to pay attention when reading an unexpected email. “Check the sender address carefully. Don’t open attachments you weren’t expecting. If you’re unsure, ask the sender. Be suspicious of certain file types – most people don’t use zip files nowadays. If you are asked to ‘enable content’ on an office document, don’t.”

Mr Sullivan takes a different approach. “Almost everybody can spot phishing during training,” he says. “Phishing works when people are distracted – and people are distracted by tools they don’t use well. Pay for productivity training and you will end up with better email hygiene.”

Avoid ransomware threats – and don’t pay up

Ransomware is where hackers gain control of your data, encrypt it and demand a payment to hand over the key. Research by Kaspersky Lab found that 49pc of SMEs believed such “crypto-malware” was one of the most serious threats they faced, with two-thirds of SMEs reporting complete or partial data loss from such attacks.

To mitigate the threat, follow the email security tips above, as malicious messages are a common delivery method for crypto-malware, says Mr Emm. And ensure your company has up-to-date, secure backups, so you aren’t forced to pay criminals to get your data back.

Beyond these steps, restrict access to files to those who need them, to help limit the spread of malware, and ensure staff don’t have administrator rights, as those rights make it easier for malware to spread more widely across your network.

If you don’t have a backup, should you pay the demand? Mr Sigler says: “We would advise against paying the ransom as there’s no reason for the attacker to keep their promise and restore the system. Communicating with cyber criminals also provides them with more information, such as IP or email addresses, which can be used in future attacks – very likely if a company is willing to pay up.”

Undertake regular assessments

It’s an industry cliché, but the weakest link in any network is the people – and this applies to company leaders, as well as the IT department. “Security assessments should not be treated as a one-time event. It’s vital to perform regular testing to keep track of the fast-moving security landscape, especially if the business expands or implements new technology,” notes Mr Sigler, adding that Trustwave research revealed that one in five companies hadn’t done any testing in the past six months, “leaving them blind to new vulnerabilities and threats”.

So, what new threats are looming on the horizon? Kaspersky’s Mr Emm warns SMEs to keep an eye on the Internet of Things (IoT), which includes everything from smart CCTV cameras to connected children’s toys. “The IoT is bringing not only risks to privacy, but also the danger that connected devices will be used as a weak link to gain access to other systems,” he warns. Perhaps think twice before buying that web-connected coffee machine for the office kitchen.

Source: http://www.telegraph.co.uk/connect/small-business/business-solutions/how-to-improve-your-cybersecurity/