Ransomware: Cyber Security Expert’s Next Big Threat

Ransomware: A Vital Course on the Next Big Cyber Threat

Ransomware is pretty much exactly what it sounds like: it holds your computer or mobile phone hostage and blackmails you into paying a ransom. It is a type of malware that prevents or limits users from accessing their system and forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems or to get their data back.

It’s been around since about 2005, but earlier this year, the FBI issued an alert warning that all types of ransomware are on the rise. Individuals, businesses, government agencies, academic institutions, and even law enforcement agents have all been victims.

Crowti (also known as Cryptowall), and FakeBsod are currently the two most prevalent ransomware families. These two families were detected on more than 850,000 PCs running Microsoft security software between June and November 2015. Another to take note of is known as Fessleak, which attacks Adobe Flash flaws. It is a “malvertising” trend that pushes fileless exploit into memory and uses local system files to extract and write malware to disk from memory.

How Ransomware Paralyzes Your Computing

There are different types of ransomware. However, all of them will prevent you from using your computer normally, and they will all ask you to do something (pay a ransom) before you gain access to your data. Ransomware will:

  • Lock your desktop or smartphone and change the password or PIN code
  • Encrypt important files so you can’t use them (photos, taxes, financials, My Documents, etc.)
  • Restrict your access to management or system tools (that would allow you to clean the computer)
  • Disable input devices like your mouse and keyboard
  • Stop certain apps from running (like your anti-virus software)
  • Use your webcam to take a picture of you and display it on screen or on a social network
  • Display offensive or embarrassing images
  • Play an audio file to scare you (i.e. “The FBI has blocked your computer for a violation of Federal law.”)

Common Ransomware Demands

  • Generally they demand money in order to unlock your system. Usually, they demand payment through an anonymous payment system like Bitcoin or Green Dot cards, and promise to give you the key if you pay the ransom in time (for example, $17,000 to be paid within 72 hours was the demand given to the Hollywood Presbyterian Hospital, which had all of it’s life-critical medical records frozen)
  • Sometimes the ransomware shows a “warning from the software company” telling you that you need to buy a new license to unlock your system. Other times, ransomware will claim you have done something illegal with your computer, and that you are being fined by a police force or government agency. These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your computer and files.

How to Prevent Ransomware Blackmail

The best way to avoid downloading malware is to practice good computer security habits:

  • Create an offsite backup of your files. Seriously, right now. And make it automatic, so that it happens at least once a day. An external hard drive is one option, but be sure to disconnect it from the computer when you are not actively backing up files. If your back-up device is connected to your computer when ransomware strikes, the program will try to encrypt those files, too. If you have a secure cloud back service that encrypts your files before sending, consider using that as an offsite backup.
  • Don’t click on links or open attachments in an email unless you know who sent it and what it is. Instead type the URL of the site you want directly into your browser. Then log in to your account, or navigate to the information you need.
  • Make sure your software is up-to-date.
  • Don’t download software from untrusted sources.
  • Minimize “drive-by” downloads by making sure your browser’s security setting is high enough to detect unauthorized downloads. For example, use at least the “medium” setting in Internet Explorer.
  • Don’t open “double extension” files. Sometimes hackers try to make files look harmless by using .pdf or .jpeg in the file name. It might look like this: not_malware.pdf.exe. This file is NOT a PDF file. It’s an EXE file, and the double extension means it’s probably a virus.
  • Install and use an up-to-date antivirus solution.
  • Ensure you have smart screen (in Internet Explorer) turned on.
  • Have a pop-up blocker running in your web browser.

If you Become a Victim of Ransomware

  • Stop work! TURN OFF YOUR COMPUTER! Shut down your entire network, if possible until help arrives. You can do this by turning off your switches or routers inside of your premises. Ask your IT professional before taking this step if you think that you might be interrupting service.
  • Contact an IT Security firm that can visit your office (or home) in person. Handling this type of problem over the internet is not advised, as it could exacerbate your problem.
  • If you have an offsite backup of your data, have the IT Security firm reinstall your backup and clean it of any ransomware before putting the data and computers back on the network.
  • Alert other people on your network, as any work completed after infection will be overwritten when the backup is restored.

There is conflicting advice regarding paying ransom. Truly, there is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again. Paying the ransom could also make you a target for more malware. On the other hand, if you have not backed up your files, you may have little choice. Almost 90% of the companies that we have studied as victims of ransomware end up paying the ransom to have their systems unlocked – but only about 50% of them ever receive the unlocking code promised. It’s a gamble, but if you don’t have an off-site backup, it’s probably one you are going to need to take.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Don’t Get Hooked With Phishing Scams

Common Phishing Scenarios:

“Your account has been suspended” or “We suspect fraudulent activity on your account” or “You’ve won a contest” or “We owe you a refund”

If you’ve ever received an email, voicemail or text with a message like one of the above, you know how visceral your reaction can be. And chances are very high that the message is a fake.

Just as fishing is one of the oldest occupations around, phishing is one of the oldest scams around. Ever since email was invented, thieves have been phishing to get your information by cleverly impersonating a business or an acquaintance. They hope to trick you into giving out your personal information or opening a link or an attachment that downloads malware onto your computer so that they can gain access all of your data.

Even though it’s been around for a while, it still works with alarming regularity. Almost 90% of all corporate data breach is the result of a phishing attack.  The ten companies that are targeted most often by phishers are attacked constantly, sometimes more than 1,000 times per month.  It’s always good to have a refresher of how to prevent getting hooked!

What to look for:

  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but may contain a mismatched URL (may vary in spelling like Annazon.com) or the URL contains a misleading domain name. (.com vs. .net). Use the hover technique to verify legitimacy.
  • Beware if you receive unsolicited (or out of character) phone calls, visits, or email messages often with an urgent request or threatening punitive action if you don’t respond.
  • Think twice if a company that seems legitimate asks you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Remember–legitimate companies don’t ask you to send sensitive information through insecure channels.

How to prevent/avoid phishing (It’s a lot, but every single tip matters!)

  • Never open email from an untrusted source and don’t open unexpected email attachments or instant message download links.
  • Don’t trust links in an email. Right click on the link to make sure it’s valid. Better yet, type in the real website address into a web browser.
  • Never give out personal or financial information upon email request.
  • Look carefully at the web address.
  • Be suspicious of unsolicited phone calls, visits, or email messages.
  • Don’t call company phone numbers in emails or instant messages. Check a reliable source such as a phone book or credit card statement.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • Only provide personal or financial information through an organization’s website if you typed in the web address yourself and you see signals that the site is secure, like a URL that begins https (the “s” stands for secure). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
  • Report phishing email to reportphishing@antiphishing.org

There is also SMiShing (fraud through SMS on your phone), Vishing (fraudulent voice calls) and Spear Phishing (customized email that appears to be from an individual or business that you know). As soon as a new method of communication is invented, I guarantee the fraudsters will be using it, so there will be a new term for that, too!

One of the most profitable steps you can take inside of your organization is training your people to detect phishing scams. They are a hacker’s first and favorite tool to separate you and your data.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Is CHIP & PIN Credit Card Security Worth $100M? (Are You Serious?)

I’ve had dozens of media requests for interviews and countless more email inquiries from people concerned about the Target data breach.  At first, everyone just wanted to know details of how it happened, how big the breach was, and what they should do about it if their credit cards were at risk.  Now that the initial shock of it is over, we are on to a bigger question:

How do we keep breach from negatively affecting so many Americans? 

Breach will always happen. If it’s digital, it’s hackable. It’s coming to light that the Target breach may have been due to the computer access an HVAC WORKER (no, not an entire company, an individual WORKER) had to Target’s systems. While there is no guaranteed way of preventing fraud, there is a pretty reliable answer out there, and it’s been around for decades.  That answer is for the US to finally catch up to more than 80 countries around the world and start using chip and PIN enabled credit cards, also known as EMV, smart cards, or microchip cards.

By placing microchips in credit cards, it makes it much harder for criminals to clone the cards than the relatively easy-to-crack magnetic stripes.  Chip cards take the cardholder information and turn it into a unique code for each transaction. They also often require additional authentication, such a personal identification number, or PIN. So in the case of the Target breach, the stolen data couldn’t be used to easily create duplicate credit cards, drastically reducing the value of the stolen data. The possibility for online abuse of the numbers (known as Card Not Present transactions) would remain a threat from the breach, but it would be a fraction of the problem (and solvable in other ways).

France has been using this technology since 1982, the UK since 2001, and Canada since 2007. In the first five years after the UK started using chip & PIN, fraud went down 70%.  In that same time period, the cost for fraud in the US had DOUBLED. It’s not that the technology is perfect, it’s that the increased security convinces criminals to target those who don’t use the technology (which to this point has only been, well, the United States). 

If there is such a great guarantee on fraud reduction by switching to chip and PIN cards, why is the US resisting it?  The answer:  MONEY.  Banks, credit card companies, and retailers have been caught in a battle of wills for many years now, with retailers not wanting to spend money on installing new chip-friendly card readers unless banks are committed to spending money on issuing new cards.

The cost of implementing the card system can be staggering. Target is expected to spend around $100 million to install new chip card readers in an effort to protect against cyber theft.

So is it worth $100 million to implement chip and PIN technology?

Without question. And even Target thinks so, or at least it did ten years ago when it was at the forefront of implementing chip & PIN technology.  From 2001-2004 they spent $40 million to adopt chip-based credit-card technology and installed 37,000 new point-of-sale terminals to handle chip cards across its U.S. stores.

Ultimately they backed out because their marketing strategy at the time just didn’t catch on with consumers and because it was taking “A FEW SECONDS” longer per customer to get through the line.  I don’t know about you, but I’d wait an extra two seconds in order to know my data is secure.  And I bet Target victims would take back the time it is taking them to change their credit card information with every online site or monthly automatic payment company their now-compromised card was used for.

To put the cost in perspective, $100 million is about $1.00 per Target breach customer. I bet the average credit card holder would be willing to foot the $1 bill to dramatically reduce their risk (even if it’s not a perfect solution). In fact, the cost of fraud gets passed on to customers anyway (higher credit card rates, higher retail prices), so why not spend that same money (or far less, in fact) on securing the transactions in the first place? 

  • A survey of 936 credit unions indicates the Target breach has cost credit unions an average of about $5.10 per card affected by the security lapse.  The Credit Union National Association said these costs most likely do not include any fraud losses, which are likely to occur later.
  • In 2012, the Ponemon Institute’s annual study showed the average cost of a data breach in the US is $188 per person notified.
  • For credit issuers, the average cost per record breached is set at $280.
  • Aite Group reports that card fraud in the U.S. already costs the card payment industry (primarily issuers) $8.6 billion a year.

 You tell me if it’s worth it! (Seriously, I want your thoughts and comments below)

How do we get there?

It seems crystal clear to me that fraudsters have gotten so sophisticated that we either need to join together (retailers, banks, and credit card companies) or we will fail to stop this trend of Mega-Breaches.  Pardon the pun, but clearly we have put the “target” on our own backs; criminals have increasingly focused on the US because we are so far behind.

James Dimon, CEO of J.P. Morgan Chase sees this as an opportunity for real change.  He said,  “All of us have a common interest in being protected, so this might be a chance for retailers and banks to for once work together, as opposed to sue each other like we’ve been doing the last decade.”

I see 4 overarching steps that need to be taken:

  1. Retailers, credit card processors, banks, VISA, MasterCard and American Express need to stop focusing on their own self-interest (profit) and start to work together for the common good. Of course, they won’t do this without incentive, so…
  2. Congress should create  a U.S. equivalent of the U.K. Card Association that sets policy and has the authority to fine those stakeholders who fail to act.
  3. In other words, we will need legislation to ensure that the “liability shift” dates projected for 2015 are met.  This means that if credit card companies have issued chip and PIN cards, but retailers have not installed machines to read them, the merchants would be held accountable for any losses due to fraud.
  4. Everyone needs to understand that there will be costs associated with the change, just like there are costs when you install a security system, a lock on a door or a vault in a bank.

Will chip and PIN cost retailers? Yes. Will chip and PIN cost banks? Yes. Will it cost consumers? Yes. Will it cost (in total) as much as the fraud resulting from even a single major breach like Target. NO. It’s time to start thinking about security from a long-term perspective, and long-term profitability will follow.

John Sileo is an author and highly engaging speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on Rachael Ray, 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.

Benefits and Risks of Wearable Technology

Over the next ten years, wearable technology could change the way you live even more than smartphones have. Wearable technology combines all of the tracking, collecting and communicating power of current mobile devices with an intimate level of personal information captured in real-time. Common wearables include: Fitness Bands, GPS-enabled Cameras, Digital Glasses, Medical Devices and Smart Watches. Wearable technology can be a force for good, but you need to consider the privacy and security implications of the devices as well.

For the moment, wearable technology is more like a trendy hobby for early adopters than it is a means of recording highly accurate & useful information. In the future, businesses will likely utilize wearables to monitor everything from hours spent working to employee whereabouts throughout the day. It is this enterprise usage that will ultimately fuel the adoption of wearable technology in the consumer market. For now, your smart watch is a fun and shiny object with a few killer apps much like the computer back when email was introduced. Ten years from now, you might wonder how you lived without the increased convenience and connectivity.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Chip and PIN Credit Cards Finally Explained

Chip and Pin Credit Cards Lower Fraud by 700%

It will take at least 5 years for Chip and PIN (or EMV) transactions to make up the majority of retail card processing in the U.S.

  • Most large retailers are likely to implement Chip and PIN technology over the next two years
  • Other technologies, like mobile or electronic wallets (e.g. Apple Pay), could become the preferred payment method over Chip and PIN card technology due to their ease and advanced security.
  • Although Phase 1 (Chip and Signature) will prevent credit card fraud by making credit cards harder to clone, it WILL NOT make them harder to use if they get into the wrong hands. Therefore, continuing to closely monitor our accounts and personal information will help you avoid becoming a victim of fraud.
  • Phase 2 (Chip and PIN) WILL make credit cards harder for thieves to use, which is even more reason to support the transition to the new technology.

 

John Sileo is an an award-winning author and keynote speaker on keeping your organization from becoming the next data breach headline. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Beware Cyber Security Grinches & Holiday Scams

[youtube https://www.youtube.com/watch?v=gERBwp1o-yE&rel=0]

‘Tis the season to receive holiday scams in your email, on your Facebook page and via text. But you won’t be singing tra la la la la if you click on links that install malware on your computer! More and more of us seem to be conducting our holiday shopping online, and the cyber security Grinches are taking advantage of this new-found holiday convenience. There are several varieties of holiday scams that seem to come around each year.

The first red flag might be the Subject line of the email: “Order Confirmation”, “Acknowledgement of Order”, “Order Status”, “Thanks for Your Order”, “Problem With Your Order”, “Delivery Failure”, “Canceling Your Scheduled Delivery”, etc. It may tell you that an order is ready for you and you just need to click on the link to get the information about how to redeem it. Or, it may play on your fear of not getting a package out before Christmas and say you haven’t provided a correct address – this is a fear-based holiday scam.

Holiday scams usually appear to come from well-known companies, are VERY realistic looking and even use actual logos.

Once you click on the link, however, malware is installed on your computer that may gather email credentials, credit card data, logins and passwords in addition to making your computer a magnet for junk mail. It can also deploy a scanning technology that uses your computer to scan websites for vulnerabilities and then hack them!

Cyber Grinch or Real Deal? How to Tell the Difference…

If you do receive an email, scammy or otherwise, even if you did indeed order from that store, follow these steps:

  1. DO NOT CLICK ON ANY LINKS IN THE EMAIL!
  2. Instead, open your web browser and type in the merchant site and log in to your account (which you had to establish to order from them).
  3. If it the email you received was about a legitimate order, they will provide you with an order or reference number which you can type into their website to verify activity.

In other words, verify that the email is legitimate by going directly to the site; don’t depend on the email. If for some reason you did click on a link that brought you to a website, make sure that you don’t click any more times on that site, and don’t fill out any information that they might be requesting.

(For more solutions to common scams related to the holidays, or really, all year long, check out our entire 12 Days to a Safe Christmas blog series.)

When not protecting readers around the holidays, John Sileo is an an award-winning author and keynote speaker on identity theft, cyber security, internet privacy & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.
[youtube https://www.youtube.com/watch?v=B1st4gzcdLs&rel=0]

GameOver Zeus Virus Test

The original notice on GameOver Zeus appeared on the US-CERT site. If you’d like to go directly to the tests for the GameOver Zeus virus, scroll down.

Overview of GameOver Zeus

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, [1] uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.

Systems Affected by GameOver Zeus Virus

  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

Impact of GameOver Zeus

A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users’ credentials for online services, including banking services.

Solutions to GameOver Zeus

Users are recommended to take the following actions to remediate GOZ infections:

  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date.
  • Change your passwords – Your original passwords may have been compromised during the infection, so you should change them
  • Keep your operating system and application software up-to-date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it
  • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of GOZ from your system.

F-Secure      

https://www.f-secure.com/en/web/home_global/online-scanner(link is external) (Windows Vista, 7 and 8)

https://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142(link is external) (Windows XP)

Heimdal

https://goz.heimdalsecurity.com/(link is external) (Microsoft Windows XP, Vista, 7, 8 and 8.1)   

McAfee

www.mcafee.com/stinger(link is external) (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)

Microsoft

https://www.microsoft.com/security/scanner/en-us/default.aspx(link is external) (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)

Sophos

https://www.sophos.com/VirusRemoval(link is external) (Windows XP (SP2) and above) 

Symantec

https://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network(link is external) (Windows XP, Windows Vista and Windows 7)

Trend Micro

https://www.trendmicro.com/threatdetector(link is external) (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)

FireEye and Fox-IT

www.decryptcryptolocker.com(link is external) FireEye and Fox-IT have created a web portal claiming to restore/decrypt files of CryptoLocker victims. US-CERT has performed no evaluation of this claim, but is providing a link to enable individuals to make their own determination of suitability for their needs. At present, US-CERT is not aware of any other product that claims similar functionality.

The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.

References

Revisions

  • Initial Publication – June 2, 2014
  • Added McAfee – June 6, 2014
  • Added FireEye and Fox-IT web portal to Solutions section – August 15, 2014

 

John Sileo is an an award-winning author and keynote speaker on cyber security and data breach. He specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Apple Pay Makes Mobile Payments Sexy; But Secure?

Apple has us ooing and ahhing about the iPhone 6, it’s big brother the 6+ and finally the Apple Watch. But the biggest announcement of all didn’t even have to do with gadgets. The most significant announcement was about a new service that will be built into those devices…

It is Apple Pay, Apple’s own version of a “mobile wallet” that will allow Apple users to pay for items with just a tap or wave of their device. That is if those items happen to be in stores that have agreed to install the technology necessary to allow near-field communication (NFC – no not the football conference, the radio-wave technology) to work. Of course, Apple has done the background work to ensure a lot of big names (MC, Visa, AMEX and retailers such as Target, Macy’s and McDonald’s to name a few) are already on board, which is a significant mark in their favor.  And with the upcoming mandatory implementation of EMV technology, Apple may have just timed this perfectly.

I’ve always been a bit freaked about digital wallets because the Internet giants offering them (Google, Amazon) are the same companies that collect reams of personal data, from search behaviors to my product preferences, and I don’t want any one company having all of that.

Many companies have tried to get mobile payments off the ground in the past without much success. So why might Apple be different (security implications in red)?

  1. Apple is a master at integrating hardware and software. This doesn’t just mean that their payment system will be more user friendly than previous offerings (which it will), it also means that Apple has more control over the security and the privacy of each transaction. For example…
  2. No cardholder data will be stored on the iPhone itself, OR on Apple’s servers. This is a significant divergence from previous offerings (Google Wallet) and is an extremely smart play on Apple’s part. Why? Because…
  3. Apple has basically chosen to stay out of the information collection business to focus on  what they do best, which is produce innovative digital devices and the corresponding behind-the-scenes software that make their devices so practical and useful. Consequently, they will continue to be a more trusted brand than their direct competitors. Unlike Microsoft, Facebook, and Google, Apple doesn’t appear to want to become a data-mining company. Apple executives have stated that they have no desire to collect or share user data. This could change when Apple realizes the profit they are passing up for the sake of privacy, but  in the meantime…
  4. The same companies that have always collected your purchasing data (Visa, MC, Amex and the retailers you buy from) will be responsible for the same sensitive cardholder information they’ve always had access to, and Apple will simply be passing the transaction through, using a unique series of numbers that will reveal nothing of value should the phone be hacked.
  5. Finally, like it or not, Apple will make mobile payments sexy (did I just say that – I think maybe I’ve drunk too much of the Apple CoolAid). That sounds shallow, but their similar effort (iTunes + iPods, iPhone + App Store) revolutionized the music and smartphone industries. Apple has had a knack for getting consumers to warm up to ideas that have been tried before but never really took off (think iTunes, music players, smart phones, and tablets)  Also, they have done what others who have tried mobile wallet concepts in the past have not: they’ve made it sexy.
  6. Instead of a credit card that reveals all of its secrets on a magnetic stripe (no security there), Apple Pay will require a thumbprint scan (which never leaves the device) in order to make a charge. In other words, it utilizes CHIP & PIN technology, which every retailer is required to implement before 2015 ends anyway. Apple’s timing is impeccable – let’s just hope the technology is up to the task.

I’m not in any way saying that Apple doesn’t face huge challenges in terms of security, privacy and adoption of Apple Pay. Of course they do. I’m simply saying that they have the best shot yet at bringing together the hardware, software, industry connections and marketing chops to finally make mobile secure payments, well… pay.

John Sileo is an an award-winning author and keynote speaker who specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes frequent media appearances on shows like 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

iCloud Hacked for Nude Jennifer Lawrence Photos? How to Keep from Being Next

Unless you’ve been living under a rock (or haven’t been on the internet in the past 24 hours), you most likely know that intimate photos of celebrities like Jennifer Lawrence and Kate Upton have been exposed (pardon the pun) to the public.

While it is not yet verified, Apple has said it is “actively investigating” the possibility that iCloud accounts have been hacked.  The photos surfaced immediately after an Apple “Find My iPhone” exploit was revealed, so Apple’s own security is being questioned. As of now, Apple is saying that iCloud has not been systematically hacked, but that the breach of celebrity photos was a limited, targeted attack. Whether or not iCloud was exploited in any way for these pointed attacks hasn’t been determined.

The sad truth is that this most likely boils down to user error (weak passwords by celebrities) rather than a sophisticated hacking attempt.  A brand new exploit, called “iBrute”, allows hackers to try one common password after another until they find one that works and then they can access the iCloud account if they know the email address for the Apple ID (which is probably your regular address).

This is but the tip of the iceberg of cloud-based security hacks.  So, to keep yourself safe on iCloud, change your password and turn on 2-step verification:

  • Login to My Apple ID.
  • Click “Manage your Apple ID” and sign in
  • Select “Password and Security” and answer your security questions (if requested)
  • For starters, reset your Apple ID password and make it a long, strong, alpha-numeric phrase like Th3 h!ll$ @r3 @l!v3 (The hills are alive)
  • Under “Two-Step Verification,” click “Get Started,” and follow the instructions. Two-step verification does take an extra step to login to your account, but it also gives you a layer of security that makes it exceptionally difficult to hack.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Biometrics are Like Passwords You Leave EVERYWHERE

Biometrics are like passwords, but worse.

Biometrics are like passwords that you leave everywhere (fingerprints, facial recognition, voice patterns), except that unlike passwords, you can’t change them when they’re lost or stolen. It’s easy to change your password, a bit harder to get a new retina. Like passwords, risk goes up as they are stored globally (in the cloud) versus locally (on a physical device).

In addition to the biometrics mentioned above that most of us have come to accept as commonplace, there are many other methods in use or under exploration:

  • hand geometry
  • vascular pattern recognition (analyzing vein patterns)
  • iris scans
  • DNA
  • signature geometry (not just the look of the signature, but the pen pressure, signature speed, etc.)
  • gait analysis
  • heartbeat signatures

At the 2014 Annual International Consumer Electronics Show, inventors displayed dozens of devices using biometrics, some of which will become just as commonplace as fingerprints in the near future, some of which will not catch on and be replaced by something even more amazing.  Some of the hot biometrics items this year:

  • Tablets that measure pupil ­dilation to determine whether you’re in the mood to watch a horror movie or a comedy.
  • Headbands, socks and bras that analyze brain waves, heart rates and sweat levels to help detect early signs of disease or gauge a wearer’s level of concentration.
  • Cars that recognize their owner’s voice to start engines and direct turns and stops, all hands-free.

(Do a search for “current biometric uses” if you want to be entertained for a while!)

Some less outlandish examples that are currently in place:

  • Barclays Bank in Britain utilizes a voice recognition system when customers call in.
  • Some A.T.M.s in Japan scan the vein pattern in a person’s palm before issuing money
  • World Disney World in Orlando, Fla., uses biometric identification technology to prevent ticket fraud or illegitimate resale as well as to avoid the time-consuming process of photo ID check.
  • Biometric passports contain a microchip with all the biometric information of holders as well as a digital photograph
  • Law enforcement agencies, from local police departments, to national agencies (e.g., the FBI) and international organizations (including Europol and Interpol) use biometrics for the identification of suspects. Evidence on crime scenes, such as fingerprints or closed-circuit camera footage, are compared against the organization’s database in search of a match.
  • Child care centers are increasingly requiring parents to use biometric identification when entering the facility to pick up their child.
  • And, of course, the most popular example has to be the use of fingerprint sensors on the iPhone to unlock the devices.  It will also increasingly be linked to mobile payment services.

So, the million-dollar question is: Are Biometrics a Better Way to Protect Your Personal Identification?

The answer is yes…and no.

  • Biometrics are hard to forge: it’s hard to put a false fingerprint on your finger, or make your iris look like someone else’s.

BUT…

some biometrics are easy to steal.  Biometrics are unique identifiers, but they are not secrets. You leave your fingerprints on everything you touch, and your iris patterns can be observed anywhere you look.  If a biometric identifier is stolen, it can be very difficult to restore.  It’s not as if someone can issue you a new thumbprint as easily as resetting a new password or replacing a passport. Remember, even the most complex biometric is still stored as ones and zeros in a database (and is therefore imminently hackable). 

  • A biometric identifier creates an extra level of security above and beyond a password

BUT…

if they are used across many different systems (medical records, starting your car, getting into your child’s day care center), it actually decreases your level of security.

  • Biometrics are unique to you

BUT…

they are not fool-proof.  Imagine the frustration of being barred by a fingerprint mismatch from access to your smartphone or bank account.  Anil K. Jain, a professor and expert in biometrics at Michigan State University  says (emphasis mine), “Consumers shouldn’t expect that biometric technologies will work flawlessly… There could and will be situations where a person may be rejected or confused with someone else and there may be occasions when the device doesn’t recognize people and won’t let them in.”

The scariest part of the biometrics trend is how and where the data is stored.  If it is device specific (i.e. your fingerprint data is only on your iPhone), it’s not so bad.  But if the information is stored on a central server and unauthorized parties gain access to it, that’s where the risk increases.  A 2010 report from the National Research Council concluded that such systems are “inherently fallible” because they identify people within certain degrees of certainty and because biological markers are relatively easy to copy.

I also feel compelled to mention the inherently intrusive nature of biometrics.  While it’s true that using facial-recognition software can help law enforcement agencies spot and track dangerous criminals, we must remember that the same technology can just as easily be misused to target those who protest against the government or participate in controversial groups.  Facebook already uses facial recognition software to determine whether photos that users upload to the site contain the images of their friends.  Retailers could use such systems to snoop on their customers’ shopping behavior (much like they do when we shop online already) so that they could later target specific ads and offers to those customers.

How long before we have truly entered into Tom Cruises’s Minority Report world where we are recognized everywhere we go?   “Hello Mr. Yakamoto and welcome back to the GAP…”

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.