Call to Confession: Companies Who Have Been Hacked, But Aren’t Telling

Data breaches are happening every day. Companies worldwide are losing large amounts of sensitive data to hackers, who can turn a pretty penny selling credit card numbers and healthcare information on the black market.

The problem here is, many of these companies are trying to keep their hacks out of the evening news, and this comes with major negative consequences for consumers.

When a company reports on a hack, the gears of remediation begin to turn. Associating banks will reissue credit cards to all those affected, and breach victims will be sent letters warning them to watch for any unusual activity on their accounts.

By not reporting on hacks, companies are basically denying their customers the right to defend themselves from credit card fraud.

Many companies are afraid to report on hacks, because they believe that what comes next is a drop in reputation, and potentially spending millions of dollars on remediation.

On the other hand, though, if they get caught not reporting a breach, it spells even more trouble. The media will drag their names through the mud and shame them publicly. And on top of the usual remediation costs, those companies will have to fork out even more moolah to cover the inevitable onslaught of lawsuits and fines.

Now, you might be thinking that you simply have to avoid getting caught, but staying off the radar isn’t as easy as you might think. Once the banks are able to determine your company was a common denominator for hack victims, a thorough investigation will be conducted, and your mismanagement will be brought to light.

"And I would have gotten away with it too, if it hadn't been for all those meddling banks and individuals noticing unusual activity on credit card spends!

Simply put: the best solution for everyone involved is for you to notify the authorities as soon as you discover a breach.

Somehow, unfortunately, all of this is not enough to convince many organisations to come clean once they’re hacked, which has led the US to introduce strict data breach notification laws, stricter than anywhere else in the world.

The US accounts for the most reported data breaches in the entire world.

Coincidence? I think not.

While many countries like Australia and Singapore have guidelines for data breach notifications, they don’t have any concrete laws making it compulsory to do so.

This makes it hard to get a read on just how bad the state of cybersecurity is in those countries. The situation might seem good on the surface, but for all we know, data breaches may be a rampant problem that needs to be addressed urgently.

Don’t Wait, Call Now

One way to think about the whole issue is that getting hacked is just one half of a problem. Many cybersecurity experts believe that all companies are at risk of getting breached, and it’s just a matter of time till yours is too.

The second half of the problem starts when you don’t report on a breach. You’re basically aiding the hackers in selling the data they steal, which will be used by other criminals to commit easy credit card fraud.

Don’t be the person who fails to report a breach. On top of the multitude of business-related reasons listed to report a breach, you owe it to your customers that they be given a head start in securing their sensitive data, before the threat of fraud comes around.


Gamers, It’s Time To Get A 1-UP On Hackers

Watch Dogs, a video game which puts you in the shoes of a hacker.

Last week, I received this email from Twitch.tv, a popular livestreaming service for gamers.

The first thought that popped into my head was “I’m not even mad, just disappointed”.

(The second thought was that I am slowly sounding more and more like my Dad, but that’s irrelevant.)

Data breaches are a definite scourge of the gaming world, and unless you learn to level up your defense against hackers, you’re liable to lose a lot more than just the game.

What Does Hacking Mean To Gamers?

Hacking and video games have gone hand-in-hand for as long as anyone can remember, and to gamers, it is not always seen as a bad thing.

Many games can be hacked to give players unfair advantages. Even Pokemon can be hacked, and officials have to put strict checks in place to make sure that hacked Pokemon, which are typically stronger than regular Pokemon, are not used in official tournaments.

Hackers have also been providing free versions of games online that could otherwise have cost $60-70, distributing them on sites like The Pirate Bay.

Hacking and scamming are also very common in video games, with many users trying to gain access to the accounts of powerful players, with the intent of stealing their rare items or precious loot.

It’s a large problem which many gaming companies spend large amounts of money to prevent, as well as remediate.

Rated E For Everyone

To understand hacking behavior, it’s important that we analyze the average gamer caught in the crosshairs.

Over 59% of Americans (150 million people) play games, and over 48% of them are female. The average age of the gamer is 31, and 29% of gamers are under 18.

What this all basically means is that gaming is no longer an exclusive club for nerdy teenage boys. Anyone can be, or probably already is, a gamer.

This is in part due to how accessible games are. Just 10 years ago, you would need a high-end computer or a special console just to play video games.

Now, there are thousands of games available on your smartphone, on Facebook, and pretty much everywhere else. There’s even an adorably stupid video game you can play on Google Chrome when your internet is down.

Hack ‘N’ Slash

And if there’s an online community with millions of users, you can bet that hackers will want a piece of it.

If there’s an online gaming platform, you can bet that it’s come under fire at some point.

Both Microsoft’s Xbox Live and Sony’s Playstation Network, the two largest console gaming platforms, were hacked last year by the infamous Lizard Squad group. The platforms were taken offline by the hackers, and millions of gamers were unable to log in and get their daily doses of virtual jollies.

While not being able to play video games online for a couple of days sounds relatively harmless, it can get much worse.

In 2011, the Playstation Network was hacked for 77 million credit card details. The platform (and Sony in general) has been hit by hackers so many times (more than 10) that at this point, it looks like little more than a sandbag to digital thieves.

And even on trusted platforms like Steam, a digital software distribution platform with over 125 million active users, phishing attacks and password scams are rampant.

Let’s not forget the more “casual” gamers playing seemingly harmless 16-bit graphic games on their smartphones during their morning commute. Flappy Bird, a sleeper hit which famously earned its creator $50,000 a day, spawned countless clones, of which 80% contained malware.

And with news of Twitch being the latest casualty, we are reminded that there is no safe haven for gamers from hackers.

You don’t even have to be playing games to get hacked – now you’re equally at risk just watching people play.

League Of Legends, one of the most popular games to watch on the Twitch livestreaming site.

Why Us Gamers?

Hackers are not proud creatures: they are like lions on the savannah, going after the weakest gazelles. Phishing scams are designed to target greedy players looking for a quick score, or to exploit players afraid of losing their accounts.

Many hackers are gamers themselves, so they are often familiar with game infrastructures, and they understand the mentality of the average gamer.

In addition, as The Lizard Squad has demonstrated multiple times by going after large gaming networks, it’s a quick way to gain infamy. If you take down a major gaming network, you can bet the entire internet will be abuzz with angry gamers.

Tutorial: Don’t Get Hacked

So how’s an average gamer supposed to defend himself? It’s actually really simple: trust no one.

If you get an email/private message from an “admin” asking you to tell him your password, report him.

If someone offers to sell you in-game items for real money, take every necessary precaution to make sure he doesn’t leave you high and dry.

Before downloading a game (or any application, for that matter) on the App Store, make sure it is a trusted application from a reputable company.

Still, getting hacked is a rite of passage for many gamers, and in a way, it prepares us for the liars and dirty, dirty cheats of the real world.

Gaming platforms and networks can only do so much to keep us safe.

Just like with data security in any other sector, it’s up to every individual to stay vigilant, and take data security seriously.


4 Types of Hacking Attacks you May have Never Heard Of

In this previous blog post, we went over how various consumer technologies have been developed to reduce the risk of having your personal information stolen by hackers.

However, just as the peppered moth evolved to adapt and avoid extinction, hackers are constantly hatching new devious schemes to take what they want.

In this post, we’re going to cover 4 types of hacking attacks that you may not have heard of. It’s better to arm yourself with information so you know what to look for and avoid being caught off-guard.

1. Bottom-feeding Phishing

Remoras, AKA sharksuckers, are an interesting breed of fish. Instead of foraging for food themselves, they simply follow larger sea creatures around, and scavenge for stray scraps of food.

Some hackers seem to have taken a page out of the Remora’s book, and have started leeching off the success of other hacking groups.

Just moments after the American health insurance provider Anthem announced publicly that they had been attacked by hackers, a large number of phishing emails and phone scam calls were sent out, in an attempt to lead unsuspecting folks into exposing more of their personal information.

So even if you’re just a small-time hacker, you can still steal personal information by leeching off the success of professional state-sponsored hackers.

Avoiding being a phishing victim is as simple as not taking the bait – be careful of suspicious looking emails and links, and look out for that little lock icon in your address bar stating if a website is secure.

2. Smishing

While it sounds like an old fishing technique where you smash fish with rocks, smishing is actually “SMS phishing”, where victims are baited with SMS text messages.

Phishing is generally done by embedding a URL which leads to a website designed to make you give away your personal information, or load your computer with malware.

While some smishing messages operate in the same way as traditional phishing, it has become commonplace to instead include a telephone number leading to an automated voice response system.

Upon calling the listed number, you will be prompted to key in your personal information, the same way you would when calling a bank.

What makes smishing so effective is that many tech-savvy people tend to be more suspicious of emails, where URLs are clearly visible and the HTML layout can be scrutinized.

On the whole, smartphones can pose a huge threat to your personal data security. For example, the Google Play store is swarming with malware-ridden apps, and many users are not using any form of anti-malware solution on their mobiles.

Because smishing is very similar in nature to phishing, the same defenses apply: keep your guard up, and trust no one, not even your closest friends (more on that below).

3. Zero-Day Exploits

For some hackers, news of a new software patch being released is like Christmas coming early.

If they look hard enough, vulnerabilities can sometimes be found in new software patches: vulnerabilities that they can exploit before the software vendor discovers and patches them.

Zero-day exploits are a lot more common than you might think. Last year alone, 3 big zero-day exploits named Heartbleed, Shellshock and POODLE were discovered, along with numerous other vulnerabilities in common software like Internet Explorer.

Most recently, hackers found a zero-day exploit in Adobe’s Flash Player, another common software found on many computers worldwide.

Keeping your system safe from the looming threat of zero-day exploits is not easy; it requires you to constantly be in the know about new exploits, and quick action to fix those exploits.

Of course, sometimes the threat of vulnerabilities could come built into the very computer that you purchased, in which case, you’re more vulnerable.

4. Roleplay

Getting someone to tell you their innermost secrets requires trust, which is built slowly over time. Or, you could just impersonate someone who has already gained your victim’s trust and exploit that for your own ends, which is what a lot of hackers are doing.

In a threat report published by FireEye, it was discovered that hackers impersonating IT staff is a popular tactic in data breaches. 44% of observed phishing emails were designed to impersonate the targeted company’s IT department.

On a more personal level, just a few months back a gift card scam was circulating on the popular messaging app LINE, where hackers broke into LINE user accounts and convinced their contacts to buy iTunes gift cards on their behalf.

I received a few of those phony requests myself, and while I found myself wondering “Who would fall for this”, I did hear first-hand accounts of a friend who got scammed out of $100 through this method.

Again, to avoid falling prey to these scams, practice simple caution when dealing with anyone over the internet.

Knowledge Of These Hacking Attacks Can Help You Stay Protected

Many of these lesser-known attack types are so effective because they are just that: lesser known.

Many Generation X and a shamefully large portion of Generation Y tech users are simply not aware of the possible threats that come with staying connected, which is why they don’t stop to consider the risks before giving hackers what they want.

Sometimes, staying safe is as simple as staying educated. You and your company would greatly benefit from investing time and resources into education on security issues. Even giving someone the responsibility to stay abreast on this subject, and sharing information across your company, can go a long way.


Get Thee Behind Me, Hackers: 6 Consumer Technologies to Keep You Hack Free

It’s no secret that paying with a credit card now comes with the risk of having your card details compromised, but the good ol’ piece of plastic is still a key piece of technology that makes paying for things and collecting revenue safe and easy. It’s not something we can expect to ever disappear. If there were an easier way to send our cold hard cash through the internet to pay for online transactions, we would all already be doing so.

So how is an honest every day person supposed to avoid losing their personal information? A large number of consumer technologies have been developed to help you keep your credit card’s magic sixteen digits a secret. How safe are they, though? And are they more trouble than they are worth?

Chip and Pin (EMV)

If you’re doing a “Card Present” transaction, which usually means shopping in a retail store, always make sure the transaction is performed using the chip on your card (and if your card doesn’t have a chip, call your bank and demand one!). Chip transactions are secured at the source before any transmission occurs, so even if hackers have broken into the retailer’s computer network and are listening to every byte of network traffic within the retailer’s network, your card details will remain safe, as only the bank can decrypt the details of the transaction and process it. Never let the retailer swipe your magnetic stripe. This can quickly lead to your details being stored somewhere that’s easy for hackers to steal, as proven countless times by the large number of US retailer hacks that have occurred over the last several years.

Apple Pay (and Other NFC Payment Methods)

NFC (near-field communication) is not a very new technology, but Apple is investing serious effort into trying to make it mainstream. Paying with NFC is as simple as placing an NFC-enabled device near a terminal to make a purchase, and it’s supposedly more secure than paying with a credit card.

After tapping your device on the credit card terminal, you will have to scan your finger or enter a passcode to approve the transaction. NFC payments are designed to be tamper-proof and protected by a unique digital signature.

So how secure is NFC payment? One mobile payment system known as CurrentC, which is backed by a large number of retailers like K-mart, Walmart and Target, was hacked while still in the beta testing phase. While Apple Pay and Google Wallet haven’t had any vulnerability issues to date, they’re not exactly seeing frequent use. But if history has taught us anything, hackers see terms like “tamper-proof” as more of a challenge than a restriction, and they aren’t the type to give up easily.

UPDATE: Fraud is already rampant on Apple Pay, although it’s technically not Apple’s fault. Still: not foolproof.

eWallets

What of online payments? How are we to stay breach-free when purchasing pants two sizes too small on the internet?

Just like how the only way to bend a spoon in the Matrix is to realize that there is no spoon, perhaps the only way to avoid your credit card being hacked is to have no credit card.

One solution is eWallets like Ecopayz and Matchmove, which allow you to purchase prepaid pseudo-credit cards you can use to buy stuff online. All you have to do is sign up for a virtual card, top it up via online banking or at an ATM, and you’re good to go.

The downsides are that you don’t earn any perks or reward points for using these cards, and that they are pretty much limited to making purchases online. While you only stand to lose the amount you have topped up inside your prepaid card, we figure that these cards are more likely to be used by youths without credit cards looking to make online purchases than paranoid adults in tinfoil hats trying to stave off getting hacked.

Wallets with Data Safe Lining

As mentioned in this previous blog post, a very specific scenario was published where hackers could trick your chip-n-PIN card into approving transactions amounting to a million dollars, and the best part is your card never has to leave your wallet. Now, cards with RFID (Radio Frequency IDentification) can be scanned by hackers in a similar manner, where they can procure your personal information.

To combat this threat, wallets with Data Safe lining have been developed, one example being this stylish Dolcevita classic wallet. The lining blocks radio waves, much like how Magneto’s helmet protects him from all forms of psychic attacks.

Another alternative is using an Altoids mints tin, which accomplishes the same thing but at a fraction of the price. The downside is, well, you’re using a mints tin as a wallet: all the obvious drawbacks apply, like the sound of metal jingling with every step you take, or looking like you might be homeless.

Virtual Credit Card Numbers

Some banks, including CitiBank and the Bank of America, are offering virtual credit card number services for their customers. How this works is that you generate a new virtual credit card number which is tied to your actual credit card account, which you may use to shop online as per normal. You can even set a spending limit on the dummy card, which means that even if hackers manage to get your details they won’t be able to make any purchases that go beyond your spending limit.

However, this technology has not caught on. While it does sound like an ideal solution, there are some drawbacks. The biggest one is that you can’t use your virtual card for purchases like hotel room bookings or rental cars, because those companies will request to see your credit card upon arrival, and if the virtual number you used doesn’t match your real credit card number, it’s not going to end well for you.

Another problem with virtual card numbers is that using them makes returning purchases difficult, and when you top that off with the hassle of having to generate a new number every time you buy something online, it’s easy to see why many consider using this service a royal pain in the behind.

Pre-paid cards

Pre-paid cards are built along a similar concept to virtual credit cards and eWallet solutions. You may set up a rechargeable pre-paid card and charge it up periodically with just enough of a limit to cover your regular online spending activities. In a worst case scenario, you’ll be losing only a limited amount of capital. No need to worry about the adverse effects of having a large credit card limit.

The same limitations and hassles apply: no points/rewards system, and the frequent need to continuously top up your card.

Many newfangled security methods seem to be catered for the data security equivalent of hypochondriacs. Research has shown that consumers are becoming increasingly jaded regarding data breaches (as shown in this blog post), leading us to believe that the average person probably isn’t all too worried about being the victim of a hack. Since your associated bank will (hopefully) pay you back for whatever you lose in a data breach, it almost seems like more hassle to stay secure than it is to simply lose your personal information and deal with the aftermath as it comes. In short, in this case, cure seems to be easier than prevention. Although, why not both?

Good consumer data security habits will never let you down. Keeping a vigilant eye on your credit card statements is something everyone should be doing, regardless of whether your wallet blocks radio waves or not.

Consumers aren’t the only ones with brand new tools to play with: keep an eye out for a follow-up blog post, coming soon, on what new toys hackers are playing with.


3 New Year Resolutions for Security You Can Actually Keep

New Year’s resolutions are infamous for being hard to stick to, but that’s because people usually pick things that require changes that are way too drastic. Here are 3 New Year’s resolutions for data security that you can easily follow (and more importantly, stick to) that will immediately put you in a stronger posture to defend against a wide range of attack methods.

1. Let’s fix passwords once and for all.

It’s an old movie and yet so easy to fix. Stop making excuses and download a password manager immediately.

Your master password doesn’t h@v3 t0 b3 s0 d1Ff1cU1t that you need to write it down. Simply take 4 random words you can remember and put them in sequence, e.g. “cupboard beagle pathway painting”. Why? Let this simple comic explain:
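To make the “four random words” advice concrete, here is an added example (not from the original post) that generates such a passphrase with a cryptographic random source and estimates its strength against a mangled-word password. The 32-word sample list, the attacker model for mangled words and the guessing rate are assumptions.

```python
import math
import secrets
from typing import Sequence

# Constructed sample wordlist (assumption): 32 words is enough to show the
# method, not to protect anything. A real generator should draw from a
# published list such as the EFF long wordlist (7776 words).
SAMPLE_WORDLIST = [
    "cupboard", "beagle", "pathway", "painting", "harbor", "lantern", "meadow",
    "copper", "velvet", "orbit", "saddle", "pumpkin", "granite", "whistle",
    "ladder", "compass", "thistle", "marble", "anchor", "tunnel", "falcon",
    "ribbon", "cactus", "walrus", "mirror", "pepper", "island", "barrel",
    "rocket", "candle", "puzzle", "glacier",
]


def generate_passphrase(wordlist: Sequence[str], n_words: int = 4,
                        sep: str = " ") -> str:
    """Pick n_words uniformly at random, e.g. 'cupboard beagle pathway painting'.

    secrets.choice uses the operating system's CSPRNG; random.choice would be
    predictable to anyone who can guess the seed.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n_words independent picks from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def mangled_word_entropy_bits(dictionary_size: int, substitutable_letters: int,
                              appended_symbols: int = 1,
                              symbol_alphabet: int = 10) -> float:
    """Rough entropy of a 'h@v3'-style password under an assumed attacker model.

    Assumed model: the attacker tries every dictionary word, with each
    substitutable letter either mangled or left alone (1 bit each), the first
    letter capitalised or not (1 bit), plus appended_symbols characters drawn
    from an alphabet of symbol_alphabet (e.g. a trailing digit). Leet-speak
    substitutions are well known, so they add only that one bit per letter.
    """
    return (math.log2(dictionary_size) + substitutable_letters + 1
            + appended_symbols * math.log2(symbol_alphabet))


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret when half the keyspace must be searched."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDLIST))
    rate = 1e10  # assumed offline guessing rate against a fast hash
    for label, bits in [
        ("4 words from the 32-word sample list", passphrase_entropy_bits(32, 4)),
        ("4 words from a 7776-word list", passphrase_entropy_bits(7776, 4)),
        ("mangled word, 50,000-word dictionary, 3 letters, 1 digit",
         mangled_word_entropy_bits(50_000, 3)),
    ]:
        days = crack_time_seconds(bits, rate) / 86_400
        print(f"{label}: {bits:.1f} bits, ~{days:.2g} days at {rate:.0e} guesses/s")
```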

2. Let’s actually install those software patches!

Zero-day threats are real, but they aren’t the main reason why data breaches happen. Often it’s much older vulnerabilities going unpatched for months (or longer!) that contribute to a breach occurring.

Malware is one of the most common methods used right now to steal data. Malware preys on unpatched software. Yet, many of us continue to use software that’s several patches behind. No wonder malware is so effective.

So, when you’re asked to install a security update from a reputable vendor, do it straight away.

And if you run a larger environment, set up a central notification mailbox for all vendor security alerts (or purchase a specialised platform to filter what’s relevant to your business) and assign responsibility to review vendor notifications every day, with deployment follow-through and sign-off. The key is for a skilled team member to take responsibility for each escalation to ensure it gets done right.

3. Let’s finally understand our data.

Most hackers don’t care who you are or what you do. What they’re interested in is what you’re storing and how they can profit from it.

It’s a quote we hear at every data security conference we attend, whether it’s Visa, Mastercard or the PCI Council’s own events: find out what you have that could pose a risk, where it all is, and who wants it.

A list of American credit card details up for sale on the black market

Are you inadvertently storing your customer’s credit card information? Is one of your employees storing unencrypted company passwords in a plain text file on his/her computer? Or maybe you have emails going back and forth with sensitive information that hackers might be interested in acquiring.

A simple risk assessment is not as difficult as you might imagine. Only once you’ve found the problem can you actually decide what action to take (delete it, encrypt it or redact it) and start minimizing your risk.

While of course the deluxe suite of security requires a lot more effort and resources to ensure you’re as safe as you possibly can get, laying down the basic groundwork with these 3 steps should provide you with a good foundation on which to remove your organisation from the top 50% of likely victims.

As far as New Year’s resolutions go, these are well within reach, and well worth the effort. In fact, why don’t you start right now?

This is by no means a definitive guide to data security – for clearer guidance on securing sensitive data, read the PCI DSS 3.0 and treat it as the minimum baseline.

What can we Learn from Sony’s Repeated Data Breaches?

By now, anyone with an internet connection or access to a newspaper knows that hackers are bringing the rain down on Sony. Multiple hacker groups are making wild threats to Sony’s management, and they have the bargaining chips to back up their demands.

The details aren’t important here: there are a million other articles out there which give very detailed play-by-plays of this data breach. What we are going to cover in this post is ways you can ensure that your company doesn’t have to suffer the way Sony is now.

One common saying in regard to data security is that getting hacked is inevitable: it’s going to happen to every organisation eventually, it’s simply a matter of when. What you do have control over is whether you fix the vulnerabilities you had to prevent future hacks, and how much data you lose in the breach. Sony has suffered on both counts, and has found itself falling victim to hacking multiple times.

A big IT security budget isn’t the solution.

Executives apologising publicly for the data breaches

Gizmodo reports that Sony was hacked repeatedly with the exact same attack methods in different divisions and network sectors. Hackers love going for easy targets, and as demonstrated multiple times, if the same organisation has multiple entry points, hackers will gladly take a second and third bite of the apple if there is more to gain. However, the alarming issue to consider here is this: if Sony, a large global company with over 60 billion USD in annual revenue, 40,000 employees and a sizable IT security budget, still suffered a breach, what does that mean for the rest of us?

The common theme we’re seeing across all breaches, whether publicly reported or known only within closed forensics industry circles, is that spending large sums on the latest and greatest technologies doesn’t prevent a data breach. Far more can be gained by getting the basics right first.

It’s a case of understanding where to focus your efforts, and where you’re simply wasting your time and your (often limited) budget.

Reducing Data Loss

nothing to steal

Breaking into a system is only half of a hacker’s job: they still need to be able to find the data they are looking to steal, assuming there is any. In the Sony breach it was reportedly incredibly easy for the hackers to find the sensitive data they were looking for; apparently thousands of passwords were kept in a folder named “password”.

So what can we all learn from this? Well for starters, having an inventory of all the data you have that hackers might want to get their hands on is a big step in the right direction. This includes employee data, credit card numbers, and any other kind of sensitive data. After which, take measures to ensure that unnecessary data is properly disposed of, and sensitive data is encrypted. It sounds very troublesome, but we can assure you that it’s a lot less troublesome than dealing with a large-scale cleanup in the event you suffer a data breach.
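Both the risk-assessment step in the New Year resolutions post above and the data inventory recommended here come down to finding card numbers stored where they should not be. The following added example (not Ground Labs’ code and not part of the original post) shows the core of such a check in Python: candidate digit runs are filtered through the Luhn check and reported masked by file and line. The sample “files” are constructed and use published test card numbers.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# A card number is 13-19 digits, often written in groups separated by a
# single space or dash. The lookbehind/lookahead stop us matching a slice of
# a longer digit run (e.g. a 20-digit serial number).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: real card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first 6 and last 4 digits so the report itself is not sensitive data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str
    line_no: int
    masked: str


def scan_text(source: str, text: str) -> List[Finding]:
    """Report every Luhn-valid card-like number in text, by line, masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of source name -> contents (files already read into memory)."""
    findings: List[Finding] = []
    for name, text in sources.items():
        findings.extend(scan_text(name, text))
    return findings


def scan_files(paths: Iterable[str]) -> List[Finding]:
    """Read each path as text (undecodable bytes ignored) and scan it."""
    sources = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            sources[path] = fh.read()
    return scan_sources(sources)


# Constructed sample inputs standing in for files on a share. The card
# numbers are the widely published Visa/MasterCard test numbers, not real cards.
SAMPLE_SOURCES = {
    "exports/orders_2014.csv": (
        "order_id,customer,card\n"
        "9876543210123,alice,4111-1111-1111-1111\n"
        "9876543210124,bob,5500 0000 0000 0004\n"
    ),
    "notes/support.txt": (
        # A 12-digit phone number and a 13-digit invoice id that fails Luhn:
        # neither should be reported.
        "Call support on +1 555 0100 1234, quote invoice 9876543210123.\n"
        "Staging used 4111111111111112, which is not Luhn-valid either.\n"
    ),
}


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f.source}:{f.line_no}: possible card number {f.masked}")
```

A production scanner would also look inside archives, databases and mailboxes, but the Luhn filter is what keeps the false-positive rate on plain text manageable.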

It’s a hard knock life- Sony Pictures movies like Annie were leaked by hackers after yet another data breach

In this regard, Ground Labs’ Data Discovery Tools offer an easy and rapid way of reducing the likelihood of a data breach should intruders breach your defenses. For larger environments, Enterprise Recon helps prevent data loss by searching across your entire network for stored sensitive data including emails, databases and many more locations.

The entire process is quick, thorough, and not labor-intensive, leaving you time to run the many other important facets of your business.

Don’t just take our word for it: try out Enterprise Recon for free, and see for yourself how easy it can be to find and safeguard sensitive data on your own network.

Password Managers Now Hackable: Is Anything Sacred?

Passwords: what a hassle.

All the things that make a great password also make them a chore to type in: lots of characters, a mix of upper and lower case, strange symbols, and barely legible codes that are impossible to remember. Plus I’m not supposed to use the same password across multiple sites? What?

Of course, just like how cup holders in cars were invented to meet a very real first world problem of drivers having nowhere to place their coffee or sodas while driving, password managers were created to take all of the fuss out of entering your password. But do they take all the safety out of it, too?

According to IBM Trusteer Researchers, a new configuration of the classic Citadel malware allows hackers to bypass your password manager’s defenses using a targeted approach.

When the malware detects that the system is running password manager programs, it immediately begins keylogging. It does this in order to acquire the master passwords which are required to view all the passwords stored in the programs. And the rest, including you, is history.

The new malware strain is designed to target password managers like Keepass.

As we like to say, safety and convenience are on entirely different poles. Easy (yet the most commonly used) passwords like abc123 are the least safe, and storing important files on the cloud is convenient but risky. Similarly, there’s no way that hackers wouldn’t notice that users are putting all their passwords in a single location, ripe for the picking.

This poses a huge security risk for organizations. Hackers could potentially send phishing emails to company employees, and by infecting their systems with the malware, acquire passwords used to access all kinds of databases, including the cloud, where companies are storing 33% of their data.

This really highlights the potent threat spear phishing continues to pose to organizations around the world. It doesn’t matter how many millions of dollars you spend on building a strong defense: spear phishing slips hackers right past those defenses. And it’s not even difficult to do so; on average, only 20-30 malware-infected emails have to be sent to achieve a successful phish.

It’s easy to get caught up in trying to stay breach-free, what with the constant flow of news about the latest data security threats, and the frequent reminder that suffering a data breach is inevitable. However, it’s important to remember that you have other business priorities, and that there is a very basic step that you can take to defend against these threats: understanding your risk.

It’s about knowing what you have that hackers want, where it is, and who wants it. It sounds simple enough, but it really isn’t - shadow IT is becoming a large problem in many organizations, where employees are handling data in the most unsafe of ways.

The staff of a modern office in 2014 need data security awareness, and we’re not just talking about ground-level staff, either - board members should be part of this too. 75% of companies surveyed had not trained their board members, which is a big problem. Now more than ever, board members must have a strong understanding of the importance of data security in order to be capable of asking C-level executives the tough questions about their corporate security initiatives.

Another effective measure recommended in the Verizon Data Breach Report 2014 is the implementation of two-factor authentication. 2FA stops this type of attack dead in its tracks, because a password without the accompanying one-time password (OTP) isn’t much good. A password attached to an account with 2FA is also worth nothing on the black market.

As for knowing what you have that hackers want and where to find it, that’s where Ground Labs fits into the picture. Our data discovery tools are designed to find the same things hackers want, with a fraction of the effort required.

Data Recon can find over 95 types of sensitive data, including credit card numbers, health care records and personal information. It searches for all of that in a wide range of storage spaces, so you can efficiently cover all bases and know exactly what you have that hackers want, and where it all is.
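As an added illustration of the "know what you have and where it is" step (example code written for this post, not Ground Labs' Data Recon or any of its internals), here is a minimal scanner that finds Luhn-valid card numbers in a set of constructed files and reports each hit masked, by file and line. The file contents and paths are made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to neighbouring digits (so "1234" inside a longer number is not a hit).
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment cards; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits so a report never re-spreads the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked, Luhn-valid card numbers found in a block of text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan {path: content} and report (path, line number, masked PAN) for every hit."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for masked in find_pans(line):
                findings.append((path, lineno, masked))
    return findings


# Constructed sample "files": two hits (well-known Visa and Mastercard test numbers)
# and one Luhn-invalid run of digits in a log line that must be ignored.
SAMPLE_FILES = {
    "exports/orders_2014.csv": "id,card,amount\n1,4111 1111 1111 1111,19.99\n2,5500-0000-0000-0004,42.00\n",
    "logs/app.log": "order 1234567890123456 processed\n",
}

if __name__ == "__main__":
    for path, lineno, masked in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {masked}")
```

The regex only nominates candidates; the Luhn check is what keeps order IDs and timestamps out of the report, and the masking keeps the report itself from becoming another copy of the cardholder data.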

Don’t just take our word for it: take Data Recon for a free trial and start understanding your risk.

Can You Make a Million Dollars a Second? Hackers Can, Thanks to a New Chip-n-PIN Flaw

Halloween has just come and gone, but news of a flaw recently found in Chip-n-PIN credit cards is enough to turn anyone pale as a ghost.

Imagine this: a hacker, armed with nothing more than a mobile phone, can steal up to a million dollars from you, simply by bumping into you for less than a second.

Unfortunately, this flaw is all too real. Researchers at Newcastle University in the UK have discovered that chip-n-PIN cards can be tricked into approving transactions made in foreign currencies, with a max limit of 999,999.99.

Worse yet, these cards allow for contactless transactions, and mobile phones turned into makeshift POS systems can scan and approve transactions just by being near a victim. Your credit card could be in your wallet which is tucked away in your back pocket, but a hacker would only have to bump into you lightly to get the transaction approved.

Researchers found that a contact time of less than a second is enough for hackers to siphon your simoleons, so they won’t even have to resort to strange means of maintaining a long contact time, such as pretending to give out free hugs.

For a long time, the US has been racing to implement chip-n-PIN technology in its own credit card systems. Data breaches are taking place left and right because outdated magnetic-stripe credit cards are still widely used across the US, and consumer data is much easier to steal off a magnetic-stripe card than a chip-n-PIN one (for more information, check out this earlier blog post). It’s somewhat ironic that the very technology thought to save the US from data breaches is now proving perhaps even more vulnerable. It’s like finding an oasis in a desert and getting closer only to find that it was a mirage all along.

New exploits and flaws are always being discovered, and hackers are always ready to take advantage of them. For example, a new piece of criminal software, “Voxis Platform”, allows criminals to launder money and bypass the fraud detection systems of popular payment providers like PayPal, WorldPay and Stripe. And recently Lucas Zaichkowsky at Black Hat 2014 stated “People think that if we switch to EMV, these breaches will go away, but that’s not true”, highlighting the hidden truths behind EMV technology in a presentation on POS system architecture and security.

Even two-factor authentication, which is so widely regarded as being a much needed layer of security over passwords, is not foolproof. A teenage whitehat hacker managed to bypass PayPal’s two-factor authentication system “easily”, by simply spoofing a browser cookie set when users link their eBay and PayPal accounts.

The point is this: data security is like a sandcastle built on the seaside. “Secure” is but a temporary state; technology is always changing, and hackers are always looking for new ways to get into secure systems to cash in big.

While technology is constantly changing, the fundamentals of data security have not. The conventional wisdom still largely applies, whether you’re out to protect yourself or an entire organisation: stay informed, patch everything, monitor your data, don’t store anything you don’t need, and encrypt what you have a business-justified reason to store.

For the people tasked with protecting sensitive data like credit card or social security numbers, one extra level of security Ground Labs offers is finding sensitive data across your data systems and securing or removing it. By taking the very data that hackers are trying to steal out of the equation, even if you do suffer a breach you’ll be much better off than if you were storing countless records of sensitive data.

Free trial licenses for Card Recon, Data Recon and Enterprise Recon are available on the Ground Labs website, and if you’re looking for that something extra to make yourself that much more secure, give our products a shot.