Payments 101: An Intro to Payment Security and Transaction Trends

By | July 10th, 2014|Uncategorized|

The security of transactions and payments is a hotly debated topic around the world. Which methods are most secure? Which should we all adopt? And why one over the other?

But before we start diving more into the debate on this topic, how about a simple introduction? Let’s define some of the major terms and security issues that you will often see discussed:

Magstripe Card:
This is a card that stores account data on a magnetic stripe; the data is read by swiping the stripe past a magnetic reading head. If you’re in the US, this is likely what you are familiar with on your credit card, debit card, public transportation card or even the ID card for your office. The data on the stripe is static, so anything that can read it (including a skimmer fitted to a terminal) can copy it and produce a working clone. Typically, you are asked for your signature at the POS when using a magstripe card.

EMV:
EMV, which takes its name from Europay, MasterCard and Visa, is a global standard for payment cards based on microprocessor chips. These are often called IC cards or “chip cards.” A computer chip embedded in the card holds a secret key and computes a unique cryptogram for each transaction, so transaction data captured at one terminal cannot simply be replayed the way copied magstripe data can. The card is usually associated with a PIN, which the owner must supply at the terminal for the transaction to proceed. Using a PIN to verify the cardholder is considered more secure than the signature used with magstripe cards.

Chip and PIN:
This is the common name for EMV cards, and the EMV standard, when the cardholder is verified with a PIN. Some issuers, notably in the US, deploy EMV chips with signature verification instead (“chip and signature”), which keeps the chip’s protection against cloning but not the PIN’s protection against use of a lost or stolen card.
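To make the replay point concrete, here is a small Python model. It is an added illustration, not code from the original post and not the EMV specification: a stripe read is static data that validates again whenever it is replayed, while a chip-style cryptogram is a MAC over the amount, a per-card transaction counter and a terminal nonce. Real EMV derives 3DES/AES session keys from an issuer master key and builds the ARQC over fields defined in the EMV books; the HMAC, the card key, the card number and the amounts below are stand-ins.

```python
"""Simplified model of magstripe replay versus a chip cryptogram.

Added illustration only: real EMV derives session keys from an issuer
master key and computes the ARQC with 3DES/AES over ISO-defined fields.
Here HMAC-SHA256 over a few fields stands in for that cryptogram, and
the key, PAN and amounts are made up."""
import hashlib
import hmac
import secrets

# Hypothetical per-card secret shared only between chip and issuer.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN, EXPIRY = "4111111111111111", "1216"   # constructed test card number


def magstripe_track(pan: str, expiry: str) -> str:
    """What a stripe read returns: static data, identical on every swipe."""
    return f"{pan}={expiry}"


def issuer_accepts_magstripe(track: str) -> bool:
    """Issuer can only check that the data is well formed and on file;
    a skimmed copy is indistinguishable from the genuine card."""
    return track == magstripe_track(PAN, EXPIRY)


def chip_cryptogram(key: bytes, pan: str, amount_cents: int,
                    atc: int, unpredictable_number: bytes) -> bytes:
    """Stand-in for an ARQC: MAC over amount, the card's Application
    Transaction Counter (ATC) and a terminal-supplied nonce."""
    msg = (pan.encode() + amount_cents.to_bytes(8, "big")
           + atc.to_bytes(2, "big") + unpredictable_number)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def issuer_accepts_chip(state: dict, pan: str, amount_cents: int, atc: int,
                        unpredictable_number: bytes, cryptogram: bytes) -> bool:
    """Issuer recomputes the cryptogram with its copy of the card key and
    requires the ATC to move forward, so a used cryptogram is dead."""
    if atc <= state.get(pan, 0):
        return False                       # replayed or rolled-back counter
    expected = chip_cryptogram(CARD_KEY, pan, amount_cents, atc, unpredictable_number)
    if not hmac.compare_digest(expected, cryptogram):
        return False                       # wrong key or altered fields
    state[pan] = atc
    return True


def demo():
    """Returns (stripe replay accepted, genuine chip txn accepted,
    replay with same nonce accepted, replay with new nonce accepted,
    forged higher counter accepted)."""
    # 1. Attacker skims the stripe once and replays it later: accepted.
    skimmed = magstripe_track(PAN, EXPIRY)
    stripe_replay = issuer_accepts_magstripe(skimmed)

    # 2. Genuine chip transaction: terminal picks a nonce, card MACs it.
    state = {}
    atc = 7
    un = secrets.token_bytes(4)
    arqc = chip_cryptogram(CARD_KEY, PAN, 1999, atc, un)
    genuine = issuer_accepts_chip(state, PAN, 1999, atc, un, arqc)

    # 3. Attacker captured (atc, un, arqc) in transit and replays it verbatim.
    replay_same_un = issuer_accepts_chip(state, PAN, 1999, atc, un, arqc)

    # 4. Same captured cryptogram presented at a terminal with a fresh nonce.
    replay_new_un = issuer_accepts_chip(state, PAN, 1999, atc,
                                        secrets.token_bytes(4), arqc)

    # 5. Attacker bumps the counter but has no card key to re-MAC the data.
    forged = issuer_accepts_chip(state, PAN, 1999, atc + 1, un, arqc)

    return stripe_replay, genuine, replay_same_un, replay_new_un, forged


if __name__ == "__main__":
    print(demo())   # (True, True, False, False, False)
```

Run it with `python3` and the tuple shows the asymmetry: the skimmed stripe is accepted on replay, while the captured chip cryptogram fails on replay and cannot be re-made for a new counter without the card key. The model deliberately omits offline data authentication and the PIN itself; it only covers the online cryptogram.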

CNP Transaction:
CNP stands for Card Not Present. This is a type of transaction in which the cardholder does not or cannot physically present the card to the merchant. For instance, CNP transactions often take place over the phone or Internet. CNP transactions can be major sources of credit card fraud, as it is difficult for the merchant to verify the cardholder’s identity. When you make a purchase in person, you may be asked to prove your identity with a photo ID, signature or PIN. In a card not present transaction, however, there isn’t an easy way to authenticate that you are who you say you are.

Contactless Payments:
Now we are seeing more instances of contactless payments, in which the user waves a card, device or fob over the POS terminal to make the transaction. This type of payment uses short-range radio. Near Field Communication (NFC), for instance, is a set of standards that lets smart devices establish radio communication when they are within a few centimeters of one another. Security risks include malware on the device and interception of the transaction over the air. On the other hand, since smart cards and devices often serve more than one purpose, the owner only has to replace the one card or device if it is lost or stolen.

Keep an eye out on our blog, cyberSAFE webinar series and social media channels for more on this topic as we begin to take part in the debate. In the meantime, what do you think about each type of card? What about each type of transaction? Join the conversation on Twitter, Facebook and LinkedIn.

News Recap: The Latest on Cyber Security Legislation

By | July 3rd, 2014|Uncategorized|

Senate Intelligence Committee Chairwoman Dianne Feinstein and Senator Saxby Chambliss recently announced a draft of a cyber security bill they co-authored that would give companies the legal protection to share cyber security threat information with other companies.

The bill addresses privacy concerns some have about sharing such sensitive information. US News’ Tom Risen reports that the bill “directs companies to keep personally identifying information from being shared, and directs the attorney general to ensure the government’s use of cybersecurity information is limited to appropriate purposes.” Despite addressing privacy concerns, Risen notes that cybersecurity legislation did not pass the Senate in 2012, foreshadowing the “uphill battle” this bill faces to get passed.

Those who are critical of the bill, InfoWorld’s Serdar Yegulalp reports, have concerns about the wording of the bill. Some view the bill as a platform “for potentially allowing companies to share any personal information they please with the government under the guise of being a security issue,” Yegulalp states.

Additionally, some believe the wording of the bill could be a way for ISPs to weaken Net neutrality. Jason Koebler at Motherboard uses Netflix as an example of this loophole:

“The cybersecurity bill making its way through the Senate right now is so broad that it could allow the ISPs to classify Netflix as a ‘cyber threat,’ which would allow them to throttle the streaming service’s delivery to customers.”

Would an information exchange about cyber security information between companies be helpful or harmful? Let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

News Recap: Facelock provides a new biometrics-based password alternative

By | June 27th, 2014|Uncategorized|

Passwords are tough to remember, which is why researchers at the Universities of York and Glasgow are testing a new alternative to passwords: Facelock. This password alternative presents a user with a grid of faces and asks them to single out one familiar face in order to log in securely to a website.

Rob Jenkins, the lead author of the report, believes this is a step in the right direction from a security standpoint.

“Pretending to know a face that you don’t know is like pretending to know a language that you don’t know — it just doesn’t work. The only system that can reliably recognize faces is a human who is familiar with the faces concerned,” Jenkins said in CBS News.

Not only does this provide a way to protect against cyber criminals and identity thieves, it also reduces how often a password is forgotten. NYMag’s Jesse Singal reports that “97.5 percent of users could get into their hypothetical account a week after selecting faces for a Facelock system, and a full year later that number had only dropped to 86 percent (think of what your success rate would be for a password you didn’t use for a year).”

Is this a system that you would implement to help reduce security vulnerabilities and resetting your forgotten password? How would businesses incorporate Facelock? Let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

News Recap: Amazon Fire Phone Privacy Concerns

By | June 19th, 2014|Uncategorized|

This week, Amazon released its first phone, which boasts a number of unique features including 3D functionality, dynamic perspective, and a number of convenient tie-ins to Amazon’s book, music and TV-streaming services. While many are simply discussing the array of new features on the device, one reporter is concerned about the phone’s uniquely powerful identification system, called Firefly, and what it could mean for consumer personal privacy.

First, let’s start with what Firefly actually does. Nick Statt of CNET explains, “With the press of a button, you can scan and tag songs—much like the popular Shazam app—and films and TV thanks to, which Amazon owns. You also can identify text and phone numbers printed on paper, like countless third-party apps in the iOS and Android stores.” The vital detail of the Firefly feature, however, is its ability to use the phone’s camera to scan barcodes, identify items online and then price check more than 70 million products for the ultimate online shopping experience.

While Amazon’s Firefly feature seems incredibly convenient, John Koetsier of Venture Beat is worried about the privacy implications of using the phone’s camera to identify items in pictures and locate them online. Koetsier states that Firefly and the camera feature of the phone are one and the same. This fact, in tandem with Amazon’s free cloud storage, means each and every photo taken on the Fire Phone and stored in Amazon’s cloud has the potential to be analyzed for its content and metadata. Koetsier remarks, “By storing all the photos you’ll ever take, along with GPS location data, ambient audio, and more metadata than you can shake a stick at in Amazon Web Services, Amazon will get unprecedented insight into who you are, what you own, where you go, what you do, who’s important in your life, what you like, and, probably, what you might be most likely to buy.”

Do you think Koetsier’s concerns are valid? Should consumers be concerned about the privacy features of this device? How should Amazon respond to make sure consumer data is protected? Let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

News Recap: FCC Wants Communication Companies to Take Security More Seriously

By | June 13th, 2014|Uncategorized|

FCC Chairman Tom Wheeler recently addressed the agency’s cyber security plans. IDG News’ Grant Gross reports that Wheeler stated the “FCC will take steps to encourage cyber security in the coming months, acting first as a promoter of company-led initiatives instead of a regulator… But if that doesn’t lead to improvements, the agency is prepared to act.”

TechCrunch’s Alex Wilhelm reports that the purpose of this new effort is to “identify what constitutes risk, create tooling to combat the highlighted risk, deploy the tools, and then keep an eye on their performance.” The cyber security efforts will begin in the coming weeks, when the agency will audit network operators to see whether they have implemented 2011 cyber security recommendations, Gross reports.

“We cannot continue on a path that lets individual networks put other networks, American businesses and consumers at risk. We need to develop market accountability that doesn’t currently exist,” Wheeler said. “Cisco forecasts that by 2020, over 50 billion inanimate devices will be interconnected. Expressed another way, that’s 50 billion new attack vectors.”

Do you think the FCC will have to step in with more regulations to better control cyber security efforts? How will communication companies respond to the FCC’s new cyber security plan? Let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

News Recap: Online Activity Declines Following Data Breaches

By | June 9th, 2014|Uncategorized|

It’s no surprise that small businesses would be impacted by recent retailer data breaches, including Target and eBay. A recent USA Today survey shows just how these breaches have affected online spending and account monitoring of individuals.

Elizabeth Weise and Jessica Guynn of USA Today shared the results of the USA Today survey, which found that nearly a quarter of Americans have altered their online purchasing habits due to security concerns brought on by recent data breaches at major retailers.

“A full 24% of those surveyed said they had stopped buying anything online in recent weeks because they were concerned about the safety of information they might put online,” Weise and Guynn state, “Most surprisingly, 56% said they had cut back on the number of Internet sites they used and were only going to large, well-known companies they were confident were safe.”

Helen Leggatt of BizReport also shared findings from the USA Today survey that examine how individuals’ online behavior has changed to protect information that is already online. Leggatt writes, “The survey found that those with lower education and incomes were among those most likely to cease making online purchases while those with higher levels of education and income were more likely to continue shopping but take more precautions.” Leggatt points out that the USA Today survey results are similar to those of a Harris Interactive survey conducted earlier this year, which also found consumers to be more cautious when shopping online.

How do data breaches – even breaches that are not directly connected to your business – impact your business’ reputation and security? What measures are you taking to ensure you don’t encounter a breach of your own? How can your company reassure consumers that might be concerned about their online security? Let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

News Recap: Senate Report Aims to Stop Malvertisements

By | May 29th, 2014|Uncategorized|

Earlier this month, the United States Senate published Online Advertising and Hidden Hazards to Consumer Security and Data Privacy, a report that analyzes and investigates the distribution of malware through online ads.

AdWeek’s Katy Bachman shared insights from the report, citing that “in some instances, clicking the play button would initiate a pre-roll ad on YouTube or Yahoo that could deliver malware to consumers’ computers… Sites that consumers would expect to be safe, including The New York Times, Major League Baseball and the San Francisco Chronicle, were found to host ads with malware, many delivered by third-party ad networks.”

The complexity of online advertising makes it difficult to identify who is responsible.

“An ordinary online advertisement typically goes through five or six intermediaries before being delivered to a user’s browser, and the ad networks themselves rarely deliver the actual advertisement from their own servers,” the Senate report states. “In most cases, the owners of the host website visited by a user do not know what advertisements will be shown on their site.”

This presents a privacy problem for users, Lucian Constantin explains in PCWorld. According to Constantin, “in most cases users can’t control what data is being collected, who collects it and how it’s used.” Constantin pulled an example from the Senate report in which a single visit to a tabloid news website sparked interactions with 352 web servers; “many of those interactions were benign; some of those third-parties, however, may have been using cookies or other technology to compile data on the consumer. The sheer volume of such activity makes it difficult for even the most vigilant consumer to control the data being collected or protect against its malicious use.”

Should websites be held responsible for the advertising content hosted on their site? How can consumers protect themselves from malvertisements? Let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

News Recap: eBay Gets Hacked and Facebook Updates Privacy Settings

By | May 23rd, 2014|Uncategorized|

This week, online security has seen both ups and downs in the headlines. Online auction website eBay sent out a news release announcing that user passwords and personal information had been compromised by a cyber attack. On the other side of the coin, Facebook announced that in its latest round of updates it has changed its default post settings to protect users from oversharing personal information.

Gordon Kelly of Forbes reports on the eBay attack saying, “the origin of the breach comes from hackers compromising a small number of employee log-in credentials, which gave access to eBay’s corporate network. eBay says it is working with law enforcement and leading security experts to aggressively investigate the matter.” eBay has asked its users to protect themselves by changing their password information.

Tony Bradley of PCWorld worries that the eBay breach will result in social engineering schemes and cautions readers to be on alert to potential danger from malicious actors attempting to take advantage of the situation through phishing schemes. Bradley comments, “The attackers can use information like your phone number, email address, and mailing address for targeted phishing campaigns… You can’t trust any emails or phone calls you receive. You can’t even trust snail mail. Any communication you receive should be treated with skepticism, and you should contact the company in question yourself to make sure it’s legitimate.”

Josh Constine of TechCrunch reports on the latest Facebook updates, saying, “After years of putting new users at risk of oversharing by defaulting the visibility of their status updates and photos to public, Facebook is switching the default to ‘friends’.” Constine comments that this change will hopefully help protect users from accidentally oversharing information that would put them at risk online.

Vindu Goel of the New York Times also explores the latest Facebook update, which includes a feature to make sure users are properly updating their privacy settings. Goel writes, “the service will walk users through the privacy settings for their status updates, remind them of the applications that have permission to use their Facebook data, and review the privacy settings for some of the most private information on their profiles, such as their hometown, employer, email address, phone number and birth date.” Goel quotes Mark Zuckerberg on the matter saying, “what we really want is to enable people to share what they want.”

Will a simple password change be enough to protect eBay users or should alternative measures be taken? Will the latest round of Facebook updates improve online security and privacy? Let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

News Recap: Retailers Will Share Data To Battle Cybercrime

By | May 16th, 2014|Uncategorized|

This week, The Retail Industry Leaders Association (RILA) announced the launch of an intelligence center where retailers can exchange information about data breaches and threats to help protect against cybercrimes.

According to the Associated Press, RILA’s president Sandy Kennedy said that retailers have a common goal: to protect their business against cyber threats.

“It’s really in everyone’s interest, every retailer’s interest, to protect information against cybercrime,” Kennedy said. “Criminals are getting more and more sophisticated. We’re looking at how we can deal with this long term.”

The New York Times and ZDNet report that participating retailers include American Eagle Outfitters, Gap, J.C. Penney, Lowe’s, Safeway, VF Corporation, Walgreens, Nike and Target, “which was hit with a large data breach at the height of last year’s holiday shopping season.”

ZDNet’s Natalie Gagliordi said the center will allow retailers to share threat information with one another, as well as “anonymized information” with the government through a cyber analyst and technician at the National Cyber Forensics and Training Alliance.

“The technicians and analysts are on the lookout for real-time cyber threats such as new strains of malware, activity on underground forums and potential software vulnerabilities, which they say can be translated into actionable insights,” Gagliordi writes.

Will this center help retailers protect against future cyber threats? What do you think about retailers banding together to fight cyber crime? Let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

News Recap: Covert Redirect Vulnerability

By | May 8th, 2014|Uncategorized|

Late last week, it was reported that a flaw in how online services handle social logins could expose social media users’ personal information to malicious actors.

Jodi Mardesich of ReadWrite comments, “It’s not the next Heartbleed, but a security flaw in social-login services gives you one more thing to watch out for in apps and on the Web.” Mardesich explains the issue by saying, “the vulnerability stems from a flaw in OAuth 2.0 and OpenID technology that lets you use your login from Facebook, Google, or Amazon (among others) to access other sites and services. Because of the flaw, an attacker can trick a user into thinking he or she is signing in via Facebook or Google and then redirect them to a malicious website. From there, depending on the level of access granted, it can expose your personal information, your contacts, your friends list, or in the case of Google Apps, stored data.” Social logins connect you to various services quickly and conveniently, but when the redirect step of that login is not locked down the convenience comes with a price.

While this vulnerability exposes the potential actions of a malicious actor, it also sheds light on security weaknesses in how applications are developed and integrated with social media sites. Mardesich expands on these weaknesses with this example: “Facebook, for instance, recommends developers use a whitelist that would effectively close the OAuth loophole by limiting redirections to safe and secure URLs. But Facebook doesn’t require a whitelist, and as a result, many developers don’t use one.” The whitelist only helps if it is matched exactly: a check that accepts any URL on a whitelisted domain is defeated by an open redirect anywhere on that domain, which is precisely the path the Covert Redirect write-ups describe.
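To show what the whitelist Mardesich mentions actually has to do, here is an added Python example. It is not code from Facebook or any other login provider; the client ID, hostnames and authorization code are made up. A provider that only checks the redirect host lets an open redirect on the client’s own site carry the authorization code to an attacker, while exact-match validation of the registered redirect URI refuses the request before any code is issued.

```python
"""Validating an OAuth 2.0 redirect_uri against a client's registered
whitelist.  Added example, not the code of any social-login provider;
client IDs, hostnames and the authorization code are made up."""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical registrations: exact redirect URIs allowed per client_id.
REGISTERED_CLIENTS = {
    "app123": {"https://app.example.com/oauth/callback"},
}


def weak_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Weak check: any URL on the client's registered host is accepted.
    An open redirect anywhere on that host then forwards the code to a
    third party, which is the Covert Redirect pattern."""
    hosts = {urlsplit(u).hostname for u in REGISTERED_CLIENTS.get(client_id, ())}
    return urlsplit(redirect_uri).hostname in hosts


def strict_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Strict check: scheme, host, port and path must equal a registered
    value exactly; query strings and fragments are rejected outright."""
    p = urlsplit(redirect_uri)
    if p.scheme != "https" or p.query or p.fragment or not p.hostname:
        return False
    try:
        port = f":{p.port}" if p.port else ""
    except ValueError:              # malformed port such as "host:abc"
        return False
    return f"https://{p.hostname}{port}{p.path}" in REGISTERED_CLIENTS.get(client_id, set())


def authorize(client_id: str, redirect_uri: str,
              check: Callable[[str, str], bool]) -> Optional[str]:
    """Authorization endpoint: after the user consents, send the browser to
    redirect_uri with an authorization code attached (code is constructed).
    Returns the Location the browser would be sent to, or None if refused."""
    if not check(client_id, redirect_uri):
        return None
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return f"{redirect_uri}{sep}code=AUTHCODE"


def open_redirect(url: str) -> str:
    """Models a /go?url=... endpoint on the legitimate client host that
    forwards the browser wherever the url parameter says, carrying along
    the code the provider just appended."""
    q = parse_qs(urlsplit(url).query)
    return f"{q['url'][0]}?code={q['code'][0]}"


def demo_covert_redirect():
    """Returns where the code ends up under the weak check, and the
    provider's response (None = refused) under the strict check."""
    attacker_uri = "https://app.example.com/go?url=https://attacker.example/steal"
    weak_location = authorize("app123", attacker_uri, weak_redirect_allowed)
    code_lands_at = open_redirect(weak_location)
    strict_location = authorize("app123", attacker_uri, strict_redirect_allowed)
    return code_lands_at, strict_location


if __name__ == "__main__":
    print(demo_covert_redirect())
```

The strict check also refuses userinfo tricks such as `https://app.example.com@attacker.example/...`, because `urlsplit` reports the real host, and it refuses `http://` outright. What it does not do is normalise the path (`/oauth/callback/../go` simply fails to match), which is the right outcome for a whitelist: anything that is not literally registered is rejected.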

What actions do social media sites need to take to improve security in development and prevent issues like this vulnerability? What precautions should individuals take to ensure the security of their information? Let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.
