Fighting Phishing Email Scams: What You Should Know


Phishing email scams are more effective than you may think. 

Read our infographic Don’t Let Phishing Emails Hook Your Employees.

By: Brand Barney
When you think of social engineering, you may think of someone walking into your business and stealing data from servers, computers, etc. But companies aren’t just getting socially engineered in person; it’s happening online too. Many employees fall victim to phishing email scams, which can lead to potential data breaches and loss of important information.

What is a phishing scam?

Phishing is a type of Internet-based social engineering. Cybercriminals use legitimate businesses and situations to email and convince their victims to give them their personal information such as social security numbers.

Some phishing emails will have the victim click on a link, which introduces malware to the user’s device. The malware can then grant access to the attacker, leaving them free to steal sensitive data. Other emails will state that an item you purchased online can’t be shipped because the credit card number wasn’t correct, or the billing address was wrong, etc. They then have you click on a link to a spoofed website and ask for updated payment/shipping information.

SEE ALSO: Top 10 Types of Phishing Emails

Why do phishing email scams work?

With all the online scams that are happening, you’d think we’d be more wary of phishing email scams. Yet, these types of scams are responsible for a lot of lost data in companies.
Here are some reasons why phishing scams still work:
We’re trusting
We’d like to believe the people emailing us are genuine. It’s human nature to want to trust others, especially those that reach out to us. Unfortunately, social engineers take advantage of that and use it to steal from companies.

Good phishing emails look official
Some emails can recreate a company logo and make the email look convincing. Just like a social engineer in person looks like they belong in your company, phishing emails look like they are part of the company contacting you.
They prey on our fear
When we’re scared, we tend to not act logically. Some phishing emails take advantage of that, using scare tactics to cause us to make an impulsive decision. For example, you may receive an email stating that you have had a breach of your personal banking information, and you need to click on a link to log in and change your online banking password. The attacker is banking (pun intended) that you will want to quickly protect yourself or check your online balance to ensure you still have money after the “breach.”

SEE ALSO: 7 Ways to Recognize a Phishing Email

How do you combat phishing email scams?

  • Be skeptical: Always verify everything with the company you are working with, especially if it involves sensitive information. If a banking institution emails you, asking for credit card information, call them from their business phone to verify. Avoid giving important data over email when possible.
  • Train employees: Make sure your employees are aware of phishing emails and what to do if they suspect they’re receiving one. Hold quarterly training meetings, if not monthly.
  • Have policies: Establish procedures employees should follow should they receive a phishing email or anything that seems suspicious. This could include how to verify if an email is legitimate, who to notify, and how to deal with such an email.
Let us help you train your employees against phishing!

Phishing is easier than you think

Phishing email scams are more of a danger than many companies realize. And it doesn’t take a particularly skilled attacker to create a successful phishing campaign.

Similar to social engineering, phishing targets the company’s weakest link in security: the employees. An untrained employee can inadvertently cause a lot of damage to their company if they fall victim to a phishing campaign.

Remember, when it comes to emails, be smart and be careful with sharing your data.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

Want to learn more about spotting phishers? Check out the infographic below!

How Much Credit Card Data do You Store? (It’s More Than You Think.)

See the latest unencrypted storage results from SecurityMetrics’ PANscan 

Check out the infographic, What’s Causing You to Store Unencrypted Payment Cards?

Did you know you could be storing unencrypted payment card data? According to SecurityMetrics’ latest PANscan reports, 61% of merchants store unencrypted card data, and 10% store magnetic stripe data. Because of this lack of security, many merchants can be held liable in a data breach. The more unsecured data you store, the more people you have to pay after a data breach.

What kind of data are you storing?

You’d be surprised how much data you store from a credit card. There are two main types of data hackers go after on a credit card:
  • Primary Account Numbers (PAN): These are the account numbers on the credit card itself.
  • Magnetic stripe data: This can include PIN numbers, CVV codes, service code, expiration dates, and cardholder names.
All of this data is sensitive information and valuable to customers. If you’re not securely storing this kind of data, it’s free game for data thieves.

SEE ALSO: A Hacking Scenario: How Hackers Choose Their Victims

Why is storing this data bad? 

Keeping unsecured credit card data makes you more liable in a data breach. An attacker can get access to your servers and steal any unencrypted data. If that data is a bunch of credit card numbers, you’re facing a huge data breach, which is costly to your business and your customers.

SEE ALSO: Unencrypted Data: A Security Plague

Another issue is storing unencrypted credit card data is a violation of PCI DSS requirement 3, which requires companies to protect stored cardholder data. This includes keeping cardholder data storage to a minimum and properly securing any cardholder data you do store.
If you want to become PCI compliant, you need to stop storing unencrypted credit card data.

How do you find and secure card data?

Many merchants don’t even realize they’re storing this kind of data. The key to addressing the problem is properly tracking and securing credit card data your business handles. Here are some tips to find and secure payment card data:
  • Interview employees: Find out how your departments deal with card data: where do they store data, how do they process it? 
  • Make a card flow diagram: You can’t secure your data if you don’t know where it is. Make a diagram to see how credit card data is entered, stored, and transmitted in your company.  
  • Consider data storage: How much do you need to store card data? If it’s not crucial to your business, don’t store it. 
  • Limit access: Only authorized personnel should have access to systems that store sensitive data. 
  • Use tokenization: Tokenization can help you get rid of storing credit card data altogether by using tokens instead of Primary Account Numbers.  
  • Use P2PE validation: Encrypting your data will keep it safe from attackers. Implement a P2PE process. 
  • Have network segmentation: Keep systems that store, process, and transmit credit card data separate from other systems.  
SEE ALSO: Do You Know Where You Store Card Data?
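The "find and secure" steps above as an added example that is not SecurityMetrics' PANscan or any code from the post: a small Python scanner that finds Luhn-valid PANs and raw track-2 (magnetic stripe) data in text, reports them masked, and hands them to a stand-in token vault so the file no longer holds card data. The sample records, the vault and the token format are constructed for this example.

```python
# Added example (not SecurityMetrics' PANscan): find unencrypted PANs and track-2
# data in text, Luhn-validate them, report them masked, and swap them for tokens.
import re
import secrets
import string

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 as read from a magnetic stripe: ;PAN=YYMM<service code>...?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")

# Constructed records; the card numbers are public test numbers, not real accounts.
SAMPLE = ("order=1234567890123456 customer=Jane phone=801-555-0100\n"   # order id fails Luhn
          "card=4111 1111 1111 1111 exp=12/25\n"                          # PAN typed with spaces
          "swipe=;5555555555554444=2512101?\n")                           # raw track-2 data


def luhn_ok(digits):
    """Luhn mod-10 check: drops phone numbers, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """PCI DSS 3.3 display form: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _hits(text):
    """Yield (kind, start, end, pan) for every Luhn-valid hit, track-2 records first
    so the PAN embedded in a swipe is not counted twice."""
    taken = []
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            taken.append(m.span())
            yield "track2", m.start(), m.end(), m.group(1)
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and not any(s <= m.start() < e for s, e in taken):
            yield "pan", m.start(), m.end(), digits


def find_card_data(text):
    """Scanner report: masked PANs only, so the report itself is not card data."""
    return [{"kind": k, "pan": mask(p), "offset": s}
            for k, s, _, p in sorted(_hits(text), key=lambda h: h[1])]


class TokenVault:
    """Stand-in for a tokenization service: the only place PANs live (in practice a
    separate, PCI-scoped system); the merchant's own systems keep just the tokens."""
    def __init__(self):
        self._by_pan, self._by_token = {}, {}

    def tokenize(self, pan):
        if pan not in self._by_pan:          # the same PAN always maps to the same token
            token = "tok_" + "".join(secrets.choice(string.ascii_uppercase) for _ in range(16))
            self._by_pan[pan], self._by_token[token] = token, pan
        return self._by_pan[pan]

    def detokenize(self, token):
        return self._by_token.get(token)


def tokenize_text(text, vault):
    """Replace each PAN, and each whole track-2 record (stripe data must never be
    kept, even tokenized), with the vault's token for that card."""
    out, last = [], 0
    for _, start, end, pan in sorted(_hits(text), key=lambda h: h[1]):
        out += [text[last:start], vault.tokenize(pan)]
        last = end
    out.append(text[last:])
    return "".join(out)
```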

Are we improving? 

Merchants are slowly getting better at securing credit card data. (The number of merchants storing unencrypted card data has gone from 63% in 2013 to 61% in 2015.)

However, compared to the growth of cybercrime, we’re not improving fast enough. If merchants want to be secure and PCI compliant, finding and securing unencrypted credit card data is crucial.

Today, hackers are getting smarter and quicker. You can no longer afford not to know where your business is storing credit card data.

Want to see more data from SecurityMetrics’ PANscan? Check out the infographic below!

Configuring Your Remote Desktop Connection: What You’re Doing Wrong


Learn what you need to know about securing remote access

Read the white paper Securing Your Remote Desktop Connection. 

Did you know remote access applications are one of the top avenues attackers use to gain access into merchant systems? In 2014, SecurityMetrics PCI forensic investigations found 80% of investigated merchants were attacked through insecure remote access.

So, why all the focus on remote access?  It’s the easiest avenue for hackers to find and steal data. By using stolen remote access credentials, hackers can bypass difficult firewalls and more easily gain access to sensitive data.

SEE ALSO: Infographic: Cybercriminals Love When You Use Remote Access

Configuration is the culprit

It’s not necessarily the remote access application itself, but the way it’s configured that creates vulnerabilities.
What are we doing wrong with remote access?
Here are a few ways configuring your remote desktop connection incorrectly can make it vulnerable to cyber attacks:

Using default passwords
When a remote desktop connection is installed, it uses default passwords. Often these passwords will continue to be used even after installation because it’s easier for future maintenance and use. It’s definitely more convenient for users and vendors to not have to remember a new password, and it makes the work go faster.

Unfortunately, these passwords aren’t secure and can easily be used by attackers, making your whole software and data vulnerable.  Most default passwords and settings are well known by hackers and are easily found via an Internet search. So having a password will do you no good if it’s not a secure one.

Having default usernames
Hackers want to find the easiest way to steal data. For them, an easy way is gaining credentials of remote access. By gaining the credentials, hackers can bypass firewalls. Which is easier, going up against a heavy duty firewall, or finding the password to slip by it?

Similar to the password dilemma, by not changing default usernames with security in mind, you’re leaving your remote access vulnerable to attacks.

Relying on third party providers
Many companies will often assume the third party provider of their remote access will configure the application properly. They may also feel the third party provider will be at fault should a breach happen. Not so.

Even if your third-party provider fails to configure the application properly and a data breach happens, the merchant is at fault. Making sure the remote desktop connection has secure passwords and usernames is the merchant’s responsibility.

SEE ALSO: Remote Access Attacks: How to Protect Against Malware

Keep your remote access secure! 

While remote access is one of the top avenues for hackers to steal data, there are ways to secure it. Here are some tips to make sure your remote desktop connection is secured properly:
  • Use two-factor authentication: This is a PCI requirement. Authentication must combine two of these three things: something you know, something you have, or something you are.
  • Keep firewalls updated: this helps ensure adequate internal and external protection. 
  • Store and monitor logs: monitoring log activity can help find suspicious activity, like someone logging in at 3 am over 100 times. 
  • Run vulnerability scans: these scans can help you find and fix internal and external vulnerabilities.
  • Don’t allow guest accounts: guest accounts allow anonymous computer and system access. 
  • Limit login attempts: set the application to lock out the user after a number of failed attempts to log in.
  • Use limited access: only provide remote access to those who need it. It keeps credentials from falling in the wrong hands. 
  • Train employees: make sure everyone knows the procedures with remote access so employees aren’t accidentally giving credentials to unauthorized users. 
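Two of the tips above (store and monitor logs, limit login attempts) as an added example, not code from the post: it replays constructed remote-access login records under an account-lockout policy and raises the alerts a log monitor would, including the "3 am, over 100 times" pattern. The log format, hosts, users and thresholds are assumptions made for this example.

```python
# Added example (not from the SecurityMetrics post): the "store and monitor logs"
# and "limit login attempts" tips as checks over remote-access login events.
import re
from collections import deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)")


def sample_log():
    """Constructed log: 120 guesses against the default admin account at 3 am from one
    address, then a hit; a normal daytime login; and a guest login in the evening."""
    t0 = datetime(2015, 4, 2, 3, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=6 * i)).isoformat()} user=Administrator "
             f"src=198.51.100.23 result={'OK' if i == 120 else 'FAIL'}" for i in range(121)]
    lines.append("2015-04-02T09:15:02 user=jsmith src=192.0.2.10 result=OK")
    lines.append("2015-04-02T21:40:00 user=guest src=203.0.113.5 result=OK")
    return "\n".join(lines)


def parse_log(text):
    """One dict per well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "src": m["src"], "ok": m["result"] == "OK"})
    return events


def lockout_replay(events, max_failures=5, lock_minutes=30):
    """Replay events under an account-lockout policy: after max_failures consecutive
    failures the account is locked for lock_minutes and every attempt in that time,
    including a correct guess, is refused.  Returns the refused attempts."""
    fails, locked_until, refused = {}, {}, []
    for e in events:
        u = e["user"]
        if e["ts"] < locked_until.get(u, e["ts"]):
            refused.append(e)
            continue
        fails[u] = 0 if e["ok"] else fails.get(u, 0) + 1
        if fails[u] >= max_failures:
            locked_until[u] = e["ts"] + timedelta(minutes=lock_minutes)
            fails[u] = 0
    return refused


def detect(events, burst=20, window_minutes=10, work_hours=(7, 19), forbidden=("guest",)):
    """Alerts a log monitor should raise: a burst of failures from one source, a success
    from a source that was bursting, off-hours logins, and use of guest accounts."""
    alerts, recent, bursting = [], {}, set()
    for e in events:
        q = recent.setdefault(e["src"], deque())
        if not e["ok"]:
            q.append(e["ts"])
            while e["ts"] - q[0] > timedelta(minutes=window_minutes):
                q.popleft()
            if len(q) >= burst and e["src"] not in bursting:   # one alert per burst
                bursting.add(e["src"])
                alerts.append(("failure-burst", e["src"], e["ts"]))
            continue
        if e["src"] in bursting:
            alerts.append(("success-after-burst", e["src"], e["ts"]))
        if not work_hours[0] <= e["ts"].hour < work_hours[1]:
            alerts.append(("off-hours-login", e["user"], e["ts"]))
        if e["user"].lower() in forbidden:
            alerts.append(("guest-account-login", e["user"], e["ts"]))
    return alerts
```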
Remember, your remote desktop connection is only as secure as you configure it. If you don’t secure it properly, your company is at risk for data theft.

Insecure remote access is a simple problem to fix, and yet many companies fail to do it. Don’t fall into that trap. Secure your remote desktop connection and protect your data!

Want to learn more about making your remote access secure? Check out our white paper, Securing Your Remote Desktop Connection.

Integrate 2fa Tech To Correctly Comply with PCI Req. 8.3


2 factor authentication: It’s easier to incorporate than you think.

By: Gary Glover
We have reached a point where passwords are pretty much pointless. According to a LaunchKey survey, 84% of people support the idea of getting rid of passwords altogether. Indeed, weak passwords are to blame for nearly every recent hacking incident. That’s probably why they’ll start to become obsolete in the coming years.

2 factor authentication (also known as 2fa) is the answer to the authentication issues that plague the security industry. In addition to adding an extra layer of security during the user confirmation process, 2fa is a key compliance necessity in the Payment Card Industry Data Security Standards (PCI DSS). It’s outlined specifically in requirement 8.3:

“Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).”
There's really no better security control for remote access than 2 factor authentication.
Because 2fa makes it very difficult for attackers to infiltrate and escalate to admin privileges, it’s also an extremely powerful tool for privileged internal accounts as well.

A lot of system admins have trouble knowing exactly how to comply with requirement 8.3, and aren’t sure which technologies qualify, or how to implement them. Many already think they’ve complied with 8.3 but haven’t implemented the principles correctly.

Here are some 2fa options for complying with PCI requirement 8.3.

First, understand the 2 factor authentication requirement

Before we can talk about the technology behind 2fa, I must clear something up. It doesn’t matter who I’m talking to, or how long they’ve been an IT admin, some people simply don’t understand the principles behind 2fa.

Unlike many believe, having two passwords is not the same as two-factor authentication, and doesn’t count towards PCI compliance. Two independent methods of authentication are required to access an application, network, or computer. The key word here is independent.

To qualify for PCI 8.3 compliance, two-factor authentication must contain two of the following factors:
  1. Something you know
  2. Something you are
  3. Something you have
Read more about it in this two factor authentication summary.

Now that we’ve got that out of the way…

Which 2fa technology should you use and how will it integrate within your environment?

Luckily, the PCI Council clarifies which 2fa processes are acceptable in PCI DSS version 3.1:

“Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.”

If you’re not familiar with RADIUS, it’s an open-source client/server Authentication, Authorization, and Accounting (AAA) protocol that allows an organization to manage a master database of user profiles, enabling servers to authenticate remote users.

TACACS+ (the upgraded version of TACACS) is similar, with a few key differences. TACACS+ is proprietary and owned by Cisco, which means some 2 factor systems do not support it. TACACS+ uses TCP instead of UDP, and fully encrypts the entire packet including the username (something RADIUS does not do).

Nick Owen, President of WiKID, an on-premises solution that supports RADIUS and provides 2 factor authentication, recommends RADIUS for most enterprise deployments because it’s well supported and simple.

Says Owen, “If the system you’re thinking of securing via 2fa doesn't have RADIUS, it’s ok! Just put the system behind something that does! For example, if you have a web app that needs 2 factor authentication, put it behind Apache and use mod-auth-RADIUS. For RDP, you need RDP Gateway, which also supports RADIUS.”

When discussing the actual implementation of 2fa, there are a few different ways. Owen says, “You can use a cloud-based SaaS system or an on-premises system like WiKID.  Many people choose on-premises solutions like WiKID for additional control and the inclusion of additional features, such as TACACS, Radius attributes and native AD two-factor.”

This is how the technology works: your networking and critical infrastructure talk to a RADIUS server such as a Cisco ACS or Microsoft NPS. The RADIUS server performs authorization in the directory based on the username. If the user has permission, the server passes the credentials to the authentication server. If the authentication server accepts the credentials, the user is granted access.

Most enterprise-class remote access solutions support RADIUS for authentication, so integration should be pretty easy. Check out the WiKID how-to guide for a more in-depth guide on how to add 2 factor authentication in your corporate network.
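The RADIUS-with-tokens flow described above, as an added example that is neither WiKID's nor SecurityMetrics' code: a client builds an RFC 2865 Access-Request whose User-Password carries a password followed by a 6-digit HOTP token code, and the server checks the "know" and "have" factors independently before answering Accept or Reject (two passwords and no token are rejected). The shared secret, salt and user record are constructed; the token seed is the RFC 4226 test vector.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # RFC 2865 attribute types
OTP_DIGITS = 6

def _password_xor(data, secret, request_auth, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block); the
    Request Authenticator plays the role of the block before the first one."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ k for a, k in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out

def hide_password(password, secret, request_auth):
    return _password_xor(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)

def reveal_password(hidden, secret, request_auth):
    return _password_xor(hidden, secret, request_auth, False).rstrip(b"\x00")

def build_access_request(ident, secret, username, password):
    """Client side (RDP Gateway, VPN, Apache mod_auth_radius...): 20-byte header with a
    random Request Authenticator, then User-Name and the hidden User-Password as TLVs."""
    request_auth = os.urandom(16)
    attrs = b""
    for kind, value in ((USER_NAME, username.encode()),
                        (USER_PASSWORD, hide_password(password, secret, request_auth))):
        attrs += struct.pack("!BB", kind, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + length]
        pos += max(length, 2)                # never spin on a malformed zero-length attribute
    return attrs

def hotp(seed, counter):
    """RFC 4226 event-based code: what the user's hardware or software token displays."""
    mac = hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** OTP_DIGITS
    return f"{code:0{OTP_DIGITS}d}".encode()

# Constructed directory entry: salted PBKDF2 password hash plus an enrolled token seed.
SALT = b"constructed-salt"
USERS = {"alice": {"pw": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
                   "seed": b"12345678901234567890", "counter": 0}}

def radius_server(packet, secret):
    """Server side: reveal the password, split off the trailing token code, check
    'something you know' and 'something you have' independently, reply Accept/Reject."""
    attrs = parse_attrs(packet)
    user = USERS.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    revealed = reveal_password(attrs.get(USER_PASSWORD, b""), secret, packet[4:20])
    password, otp = revealed[:-OTP_DIGITS], revealed[-OTP_DIGITS:]
    code = ACCESS_REJECT
    if user is not None and len(revealed) > OTP_DIGITS:
        know_ok = hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password, SALT, 100_000), user["pw"])
        # look-ahead window of 3 codes for a token pressed without logging in
        hits = [i for i in range(3) if hmac.compare_digest(otp, hotp(user["seed"], user["counter"] + i))]
        if know_ok and hits:
            user["counter"] += hits[0] + 1   # the code is spent: replaying this packet fails
            code = ACCESS_ACCEPT
    header = struct.pack("!BBH", code, packet[1], 20)
    return header + hashlib.md5(header + packet[4:20] + secret).digest()   # Response Authenticator

def verify_response(response, request, secret):
    """Client side: the Response Authenticator ties the reply to this request and to the
    shared secret (RFC 2865 section 3), so a forged Accept from elsewhere is rejected."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```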

2fa: the future of data security

Technically, to comply with the PCI DSS, an organization must implement 2fa for remote access technologies. That’s it. However, for those looking toward the future of data security, I recommend replacing all authentications with 2 factor throughout your entire environment.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.

Biometrics: The Future of Payment Data Security?


Will recent data breaches spur new forms of authentication?

By: David Ellis
The payments industry is always on the lookout for new options to secure payments, both electronically and in person. Proven by recent credential-stealing attackers, passwords aren’t durable, and even though EMV is a great step, it’s no long-term solution.

The use of biometrics, although seemingly futuristic, is an avenue the industry appears to be actively pursuing. A biometric is any way to identify a person via their unique and individual body characteristics, and then compare that data to a pre-established data set in order to prove or disprove an identity match. The use of biometrics (vs. knowledge-based identifiers like passwords) provides a powerful and distinct link between a user and their identity.

Simply put, when compared to today’s authentication methods, biometrics more accurately associates a specific individual to a device or system, and may be considered more secure.

Biometric variants

There are many ways biometrics are implemented in security settings, although some may be more realistic or practical than others. Examples include:
  • Fingerprint scanning: This is the most common biometric option in use today. But fingerprint scanning has some weaknesses.  If a smartphone is successfully hacked, the hacker could obtain the owner’s fingerprint when they log in, using the fingerprint scanner. (Gummy Bears have even reportedly been used to fool a fingerprint scanner.)
  • Iris/retina scanning: Iris scanners examine eye features such as color, patterns, and how they’re shaped around the pupil. Retinal scanning looks at the pattern of blood vessels in a retina.
  • Facial imaging: Scanning technology takes a picture and analyzes the distinctive peaks and valleys on an individual’s face. (Facial recognition technology is how Facebook can correctly guess the people in your uploaded pictures.)
  • Vein patterns: Humans have unique blood vessel configurations, and by scanning the back of a hand, often by using infrared light, the unique vascular pattern becomes visible for comparison.
  • Finger/hand geometry: This type of scan analyzes human finger length, and how digits are positioned on the hand.
  • Implants: An RFID implant under the skin, or a swallowed RFID-enabled decomposable pill could act as a temporary biometric identifier.
  • Voice recognition: This method digitalizes the voiceprint of a person, and then compares the user’s voice to that voiceprint.
  • DNA matching: DNA sampling is pretty intrusive (requiring a blood sample, cheek swab, or skin scraping), but it’s one of the oldest methods of biometric identification.
  • Ear recognition: This method measures the tubular structures of the ear canal.
  • Gait recognition: The way you walk can be used to identify you, but it’s one of the least accurate biometric measures. Your gait is affected by your clothes, the walking surface  and your emotional state.
  • Odor recognition: Chemical patterns in your unique body odor can identify you 85% of the time, and are apparently unaffected by daily activities. (Let’s hope the body odor capture and analysis is an automated process.  Volunteers might be few.)  
Obviously, some of these options, such as odor recognition and implants, will probably never be used for payments identification, but it's interesting just knowing they exist.

Biometrics security issues

As James Bond-y as it sounds, biometric identification isn’t without its flaws.
Here are a few reasons why using biometric identification in the payments industry should be approached with caution.
Technology isn’t foolproof
Researchers discovered iPhone’s first fingerprint readers could be fooled by using a fake finger. That issue has since been resolved, but the underlying problem remains. Biometric technology isn’t a silver bullet. The increased use of biometrics also means more sophisticated attacks against biometric technology, courtesy of the hacker underworld.

Digital copy security
In order to function, biometrics technology must have a pre-recorded digital template of an individual’s specific biometric. My question is, where is this template stored and how is it secured? If the digital version of this biometric identifier isn’t protected, attackers could hack into the digital version and use it as hackers currently use stolen (conventional) administrative credentials. They could also add their own biometric template features to the master list of approved persons.

To be fair, cracking biometric technology isn’t an attack against the low-hanging fruit. It requires a heightened level of sophistication that puts it out of reach for most cybercriminals, but it’s not impossible. The most likely scenario where hackers could successfully attack biometric security would be stealing stored credentials.

Biometrics Are Permanent
Similar to Social Security Numbers, once a fingerprint has been supplied as an identifying factor, it can’t merely be reissued (like a compromised credit card) in the event it is compromised or misused.

I like what Ryan Wilk, anti-fraud expert at NuData Security, says about this topic.

“You only have 10 [biometric] passwords - if you're lucky to have all of your fingers - and you only have 20 passwords, if you count all of your toes. It's one of the risks of using active biometrics: you run out of options if they start to get breached."

Today’s realistic biometric payments solutions

Applied Digital Solutions tried to get Americans to embrace chip implants in 2003. A bit ahead of their time, but it’s obvious the biometric trend will continue on into the future. What other futuristic biometrics uses does the future hold for the payments industry?
  • PayTango: Identifies payees by their index and middle finger. No credit card required.
  • Zwipe: Plastic credit card embedded with a fingerprint reader for NFC authentication.
  • Paypal: Plans for heartbeat recognition, wearable tattoos, and glucose level detectors as unique identifiers.
  • Samsung Iris on the Move: Iris recognition technology exclusively for the Samsung Galaxy.
  • Biyo: Combines palm vein data with data from three fingerprints.
  • Quixter: Reads palm vein patterns and finalizes authentication with the last four digits of a phone number.
  • Alipay Smile Pay: Analyzes selfies through facial recognition technology.

How to effectively use biometrics

Most security professionals agree the authentication technology currently used to identify individuals must undergo an overhaul to keep up with cybercriminals. Knowledge-based authentication, such as passwords, passphrases, and the like, are subject to sophisticated password cracking utilities that are adept at breaking even reasonably complex passwords.  Additionally, passwords and passphrases as security measures are only as reliable as the technology that protects them. The use of biometrics could add an effective layer of security to outdated knowledge authenticators.

As Alan Woodward, cybersecurity advisor to Europol, said,

“Just having the biometric per se is not good enough. They have to show that they're actively attached to a human being who's alive."

I agree with Alan. Biometrics shouldn’t be used in place of passwords, but as an additional layer of a multi-factor authentication-based security strategy.

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.