Credit Card Hacking: 10 Things You Should Know About Smart Cards

The United States likes to think of itself as a technology leader, yet it has not adopted smart cards as a replacement for magnetic stripe credit cards. Smart cards are easy to identify because of the small electronic chip found on each card. The U.S. has fallen behind in this area and is using old technology. Americans deserve better! The loss of personal information and credit card data has been too great. If this is not reason enough for the U.S. to consider upgrading its credit card infrastructure, consider the following:

  • Magnetic credit cards are an old technology – It’s not hard to find the equipment to steal the information encoded in your credit card.
  • Credit cards are easily cloned – It’s an easy process for hackers to clone most of the credit cards that are in your purse or wallet.
  • Skimmers are widely available – Anyone with basic search skills can find and buy this equipment.
  • Underground markets sell blank cards – Once a hacker has your credit card information, there are websites that sell blank or pre-embossed credit cards.
  • Many places in Europe do not accept them – Thinking about traveling to Europe? If so, you may be surprised to discover that many European retailers will not accept magnetic stripe credit cards. These retailers accept “pin and chip” only.

Smart Cards - Pin and Chip Credit Cards

Europe has fully adopted smart cards. Smart cards started to become more popular in Europe in the 1990s. The ones used in Europe follow the Europay, MasterCard, and Visa (EMV) standard. This standard is used to make sure that smart cards, point of sale (POS) terminals, and automated teller machines (ATMs) can authenticate all credit and debit card transactions made with these cards. Smart cards have been tremendously successful in preventing fraud worldwide and make it much harder for hackers to clone credit cards. EMV cards can securely store information in the chip on the card and can send and receive sensitive financial data in a secure manner. While the technology is not perfect, it is better than what we currently use in the U.S. With this in mind, why hasn’t the U.S. moved to this technology?

  • Smart cards cost more than magnetic stripe cards – Smart cards are expensive. They can cost as much as five times the cost of a traditional credit card.
  • Smart cards require new technology – Remember replacing that old TV years ago and getting your first flat screen? Much the same is required here; for smart cards to be supported, retailers will need to buy new technology. This is not the kind of stuff retailers buy every day and in today’s tight economic market, no one is in the mood to spend money on infrastructure.
  • It is not just the retailers that will need an upgrade – For smart cards to truly work, consumers will need to replace the old plastic cards with new ones. Someone will need to pay for that, too!
  • No one likes change – Sure, you left MySpace and moved on to Facebook, but smart cards are foreign to many consumers and people don’t always easily embrace change.
  • Smart cards are not the only game in town. Smart cards are competing against digital wallet technologies which many industry insiders see as the next big thing. Picking the winner is much like placing bets on VHS or Betamax.

While smart cards do address some of the problems with credit cards, they are not perfect. Point of sale payment systems are still the Achilles’ heel of all credit card technologies. Whatever your view of smart cards may be, you will be seeing more of them in the future. New credit card standards that will be introduced in 2015 will begin to reshape how most customers pay for goods and services and smart cards will start to be mandated at that point.


Research Shows Businesses are Prime Targets for Cybercrime

High profile security breaches such as Target, Snapchat, and Neiman Marcus often make headlines. However, research shows that both large and small businesses are targets of cybercrime.

Verizon published a data breach investigations report that looked at 621 confirmed incidents of cybercrime among their customers in the 2012/2013 time frame. Close to half of the cyber attacks occurred at smaller companies with the rest affecting larger firms. While larger firms have the resources to perform penetration testing, code review, and vulnerability testing, smaller firms typically just don’t have those kinds of resources.

Cybercriminals are also using small businesses as pathways to larger companies. Small businesses that are partners or suppliers of large corporations often offer an easy path into the larger company’s network. Attackers frequently design malware that uses the smaller company’s website as bait to break into their larger partner’s SQL database. One technique that is on the rise is RAM scraping. Cybercriminals also employ the tactic of “lying in wait.” While many used to attack quickly, they are now more prone to waiting until the moment is right, for example until the busiest shopping season.

However, small businesses are not always the stepping stone. They have valuable information as well. They often store customer credit card information (PCI data), intellectual property, and vital data about their own finances.

Don’t become complacent in thinking that you do not have anything a cybercriminal would want. Follow the basic principles of security including technical, physical, and administrative controls. Even basics like using good passwords and updating your anti-virus software shouldn’t be overlooked. Prevention is key. Superior Solutions has a team of professionals trained to recognize vulnerabilities. Let us evaluate your security and lower your chances of becoming a victim. Contact us about your cybersecurity strategy.


Everyone Needs to be Responsible for Cyber Security

The threat of cyberspace attacks is a significant concern for businesses and individuals. The Internet is a great resource for finding information and making purchases. However, the use of personal data online is a valid concern for cyber security initiatives. There are many risks that are present when using the Internet for business or pleasure.

One risk that is a constant presence online is phishing, SMiShing, and/or spear phishing. This risk involves the use of email or SMS messages and web pages that attempt to trick users into providing personal information. Remember that banks, credit unions, government agencies and major businesses do not send emails asking for personal information.

A second risk to online users is the installation of spyware. This can occur when a user visits a website that runs a script to install a software program. Protection from spyware is provided by antivirus and anti-spyware software. Ransomware has been one of the big attack vectors this year.

A third risk is the use of social media. Users of social media sites need to be aware of information posted online that may compromise their identity. Information can also be used by hackers to break into a computer system.

A fourth risk to business and home users is password protection. Users need to use strong passwords that others cannot easily guess. Passwords are needed for many secured sites online, such as banks and cloud computing companies. Passwords should be sufficiently long, not written down, and unique for each website or URL.

Three important aspects of security need to be remembered each time the Internet is accessed. The first is to stop before you open your web browser. The second is to think about how personal information is being provided online. The third is to connect online and be responsible with online data. If you have a small business, then proper IT security training for all staff is needed.

Finally, make sure that you have a backup of personal data and ensure that your systems are protected against a cyber security breach. If you have any questions about cyber security and how you can protect yourself or your business, then contact us for more information.


Grammar Undercuts Cyber Security When Using Long Computer Passwords

Certain long computer passwords may not provide as much cyber security as previously thought. A new study reports that passwords based on grammatical structure give away vital clues that make them more vulnerable to being cracked.

Researchers at Carnegie Mellon University developed a grammar-aware algorithm that outperformed other leading methods when tested on passwords that were grammatically structured and contained 16 or more characters. The algorithm alone was able to crack ten percent of the more than 1,000 passwords studied. The authors concluded that password strength cannot be determined by the number of words or characters present when grammar is involved.

The effects are based in part on the way grammar reduces the options for combining words or using them in sequence. Also relevant is the fact that different parts of speech exist in very different numbers, declining from nouns to adjectives to verbs to pronouns. As an example, the study discovered that the five-word phrase “Th3r3 can only b3 #1!” is easier to figure out than the three-word phrase “Hammered asinine requirements.”
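The reasoning above can be made concrete with a small strength estimator, added here as an illustration and not taken from the study or the original post. It compares a word-count estimate with one that charges each word only for the size of its part-of-speech class; the class sizes, the mini-lexicon and the mangling allowance are constructed assumptions.

```python
import math

# Constructed class sizes (assumptions for illustration, not figures from the
# study): open classes such as nouns are large, closed classes are tiny.
CLASS_SIZE = {
    "noun": 60000, "adjective": 20000, "verb": 10000, "adverb": 4000,
    "pronoun": 60, "modal": 10, "number": 100,
}

# Constructed mini-lexicon covering only the two phrases quoted above.
LEXICON = {
    "there": "pronoun", "can": "modal", "only": "adverb", "be": "verb",
    "hammered": "verb", "asinine": "adjective", "requirements": "noun",
}

LEET = str.maketrans("3014", "eoia")   # undo common digit-for-letter swaps
LEETABLE = set("aeio")                 # letters that have such a swap


def tokens(phrase):
    """Split on whitespace and drop sentence punctuation."""
    return [t.strip(".,!?") for t in phrase.split() if t.strip(".,!?")]


def tag(token):
    """Return (part_of_speech, normalised_word) for one token."""
    if not any(c.isalpha() for c in token):
        return "number", token            # e.g. "#1"
    word = token.lower().translate(LEET)
    # Unknown words are treated as nouns, the largest class (conservative).
    return LEXICON.get(word, "noun"), word


def naive_bits(phrase):
    """Word-count estimate: every word drawn from one big dictionary."""
    vocabulary = sum(CLASS_SIZE.values())
    return len(tokens(phrase)) * math.log2(vocabulary)


def structure_bits(phrase):
    """Estimate that charges each word only for its part-of-speech class."""
    bits = 0.0
    for token in tokens(phrase):
        pos, word = tag(token)
        bits += math.log2(CLASS_SIZE[pos])
        if pos != "number":
            # Mangling allowance (assumption): one bit for capitalisation,
            # one bit per letter that could have been swapped for a digit.
            bits += 1 + sum(c in LEETABLE for c in word)
    return bits


if __name__ == "__main__":
    for phrase in ("Th3r3 can only b3 #1!", "Hammered asinine requirements."):
        print(f"{phrase!r}: naive {naive_bits(phrase):.1f} bits, "
              f"structure-aware {structure_bits(phrase):.1f} bits")
```

Under these assumed sizes the word-count estimate ranks the five-word phrase higher, while the structure-aware estimate ranks the three-word phrase higher, because pronouns and modal verbs come from very small classes.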

The findings are interesting given that much of the general advice about creating strong passwords tends to place the greatest emphasis on length. While Facebook still specifies only a 6-character minimum, many security professionals now advocate for 12 or more.

Other common guidelines still hold true for creating robust passwords. Use upper and lower case letters. Combine letters with other characters such as numbers, symbols and punctuation marks. Avoid making references to your name, birthday, social security number or other personal information. Make up a different password for each website you visit. It is also important to change passwords frequently.

Superior Solutions, Inc. focuses on network security services and cyber security training. Contact us for more information on security audits, network vulnerability assessments, IT security training and other security solutions.


Did “Russian speaking operatives” create the Red October malware to invade specific organizations’ computers, networks and smartphones?

Last October, Kaspersky, a world-renowned name in IT anti-virus security and research, revealed the workings of a five-year-old malware program hitting networks throughout “diplomatic, governmental and scientific research organizations,” according to a post on SecureList.org, “The Red October Campaign…An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies.”

The spree has included siphoning data from smartphones, computers and network hardware, concentrating mainly on targets throughout Eastern Europe, but with ongoing successes, too, within North America and Western Europe.

“Rocra” (Red October) is still up and running without any proven identity that might tie it to a particular organization or government. What is known is that the “malware modules” were actually developed by “Russian-speaking operatives.”

“The information stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states. Such information could be traded in the underground and sold to the highest bidder, which can be of course, anywhere.”

Besides ‘government’ targets, the malware program remains far-reaching into research entities, commerce and trade organizations, nuclear/energy research; other infections have been found throughout oil and gas companies, aerospace and the military.

Finding its way into Microsoft Excel and Word, the malware uses three variations and uses a trojan dropped in the network to scan to see if other portals are open to the same “security flaw.”

We always follow our industry’s best practices, beginning with a professional assessment of your security needs by our team of IT experts.

Contact Superior Solutions Inc., if you want more information about our consulting and digital forensic services…or how you can implement a ‘penetration testing’ scenario to identify the vulnerabilities within your networks.


Ramping up cyber security means shutting down Botnets

It’s no wonder today’s cyber criminals can continue to gorge themselves on our vulnerable networks: It’s just plain easy, according to a post by Brian Prince, “Cybercrime Inc.: The Business of the Digital Black Market.”

For example, cyber criminals can rent a botnet program that can send out over 20,000 infected emails at a cost of $40.

In the past, we seemed to take note when an occasional ‘thief’ penetrated the gateway of a few major corporations and stole passwords or account information; worse, successful attacks encompass the stealing of much more, like hard dollars from man-on-the-street bank accounts.

Today, it’s happening so often, and with such “sophistication,” that we continue to fail on many cyber security fronts to keep the bad guys away.

Some time ago, we might’ve been concerned with the organized crime links like RBN (Russian Business Network), noted Derek Manky, a senior researcher at Fortinet’s FortiGuard labs. “Nowadays, there are more organizations, thanks to crimeware, crime services, existing source code, etc.”

How does the money move in and around this criminal network? “Money mules” are openly sought after through advertisements, and their anonymous service ensures that the bucks go from “one country or bank account to another;” the most popular route is via wire transfers like Western Union or Webmoney, to name a few.

Shutting down botnet enterprises is paramount, but going after the money is also important, Manky noted.

Let our professional team of IT experts assess and implement the best practices your organization needs to keep it safe and viable.

Contact us to learn more about our penetration testing, consulting and digital forensic analysis services.


Your Social Media Is Being Attacked! (Part 2)

In our last article, we talked about how having a social media account can leave you exposed to potential hacks from cybercriminals who are looking to take advantage of your friends and followers for scams and spam.  Now, let’s examine how the material you post online can be used against you by these same cybercriminals.

Many social media sites have a section for you to share your basic personal information. Facebook is the most guilty when it comes to this because, unless the user specifically sets their account to keep this information private, their email address is posted along with other information including home address, phone number and even birthdate. Many people make the mistake of using this information (particularly their birthday) in their passwords, which, again, gives criminals a possible inroad into your personal accounts. If your password doesn’t have this information, then your password reset security question just might. Oftentimes the question will be something like what street you grew up on or your mother’s maiden name. If your mother happens to have a Facebook account (and with almost one billion accounts odds are she does), then criminals can mine her account for information that can give them the answers to your security questions. Hackers aren’t the only ones who can put you at risk. Posting pictures of your children online may seem great as a way of sharing information with friends and family, but it also leaves things open for predators, who can learn your child’s schedule and personal information, which may make them appear to be a trusted friend and not a total stranger.

No one is saying that social media networks should be completely avoided.  Like anything on the internet, you have to use common sense and, in some cases, think like a hacker to avoid being the victim of cyber crime.  Putting a little time and effort into securing your account up front will go a long way in giving you peace of mind in the end.


Your Social Media Is Being Attacked! (Part 1)

It seems that almost everyone online today has some form of social media account, be it Facebook, Twitter, Instagram, or Google+. A lot of time and energy has been put into warning people about the dangers of posting controversial or negative things to these sites. Many employers are now surfing the web looking at employees or prospective employees to see what they are saying on the internet, and some people have actually found themselves fired because of what they have posted. But what most people don’t realize is that there is also a great danger in just being a part of these sites because of the danger of being hacked. In this first of two articles, we will take a look at how your social media can be used by hackers and why it is so vulnerable.

At one point, having your Facebook or Twitter account hacked was something that your friends did as a practical joke to try to embarrass you. But cybercriminals can hack your account just as they hack email accounts, using a “brute force tool” which cycles through common passwords to find the right one. Once they have a hit and gain access to your account, then the headaches start. A hacker can use your account to send spam to everyone on your friends list or to send emails to them in your name requesting money for an emergency. Since you are already in their network of friends and family, there is a level of trust, and some may give the money without realizing it is going to a criminal instead.

Other problems occur once the hacker has your password because, unfortunately, many people reuse the same passwords for all of their accounts including email and banking.  This is a huge mistake as it potentially allows someone who hacks your social media account to also have access to all of your online information.  In our next article, we will also see how some of the information that you innocently post openly on social media sites can put your security at risk.


What To Do When You’ve Been Hacked?

It’s a moment that can make your stomach drop faster than the word “audit”—the moment when you realize that your network system has been hacked.  Unfortunately, with the way the current world of cybercrimes is going, the odds of experiencing such a hack are becoming more likely.  With this in mind, it is imperative that you know exactly how to deal with a hack attack on your system.  Having a plan in place ahead of time will prevent fumbling and confusion in the event that a hack does take place.

  • The first major step is to bring together all of the members of the IT department to determine exactly what has happened. It may be necessary to hire an outside company to do an analysis of your network system to determine the cause of the breach. Whether you work in-house or with a cyber security expert, it is absolutely necessary to get an idea of what has happened so you can determine how to proceed.
  • Once the breach has been assessed, determine if there has been an actual loss to the company (either data or monetary losses).  If this is the case, then you need to alert the proper authorities so that the appropriate legal action can be taken.
  • Next up, you need to repair whatever hole in your security allowed the hacker to gain access to your network. If other issues are revealed as you go, fix them as well, but definitely make sure that the original point of entry is closed so that a similar hack can never happen again.
  • After you have fixed the holes in your system, take care of a few maintenance issues.  Change all of the system passwords as those will have probably been compromised.  If data has been lost or corrupted, restore these from the most recent system backup.
  • Once you have updated your passwords and data, sit down with the IT department to take stock of what has happened.  Discuss ways that this can be fixed so that it never happens again.  Also, discuss other possible areas of vulnerability in the network that may need to be addressed.  The idea here is to not lay blame on any one individual, but instead to think outside of the box and look at multiple possible solutions to ensure the safety of the network.
  • If customer data, such as individual passwords or credit card numbers, were compromised in the breach, it will also be necessary to communicate this aspect with your clients to alert them of what has been done and what they should do to prevent monetary losses or identity theft.
  • Finally, run a full scan of your network to ensure that the new security measures you have put in place are working.  Make sure that everything is going smoothly and that any problem areas can be taken care of now before another attack occurs (because again, unfortunately, the chances are high that there will be another attempt to attack your system).

Getting hacked may feel like a disaster equivalent to the end of the world, but it doesn’t have to be.  Simply follow these guidelines and you will ensure that you can take care of the damage done and prevent any future attacks from occurring.


Hackers and Tax Scams

It’s tax season again and as millions of Americans rush to their computers to get those last-minute returns in, hackers around the world are looking to cash in as well.  Those who are too hasty in trying to get those final returns in can find themselves easy prey of these cyber-criminals if they are not careful.  The key is to be diligent, observant and keep these tips in mind:

  • This first tip should be a complete given, even when it’s not tax time, but hold on to your social security number like it is your life. Do not give this information out except to a trusted source like the Internal Revenue Service, and only then when you see that the address of the website you are on begins with https instead of http. The added “s” indicates that the connection to the site is secure. Once a hacker gets hold of your social security number, you can be the victim of identity theft. Your number can be sold to dozens of other people, some of whom could try using the number to file tax returns. And if that’s the case, don’t be surprised if you hear from the IRS about an audit coming up.
  • If your information is compromised, report it immediately and then do everything necessary to make sure you are not the victim of identity theft.  Even the IRS is not infallible, as shown last year when the computers of the South Carolina branch were hacked.  The government quickly provided those affected with assistance to prevent their identities from being bought and sold on the open market.
  • Be wary of web sites that aren’t from reputable companies.  If you aren’t sure if a company is to be trusted, use a search engine to look for reviews.  If they are legitimate, you should be able to find multiple sources confirming this.  But, unfortunately, many web sites are set up promising quick returns and guarantees of big refunds when in fact they are designed by hackers to get your personal information including your bank account.
  • If it’s not a fake website, you also have to worry about fake software. Installing it may install a Trojan virus that then gives the hackers backdoor access into your computer, your bank account, and your life. That is why it is so important to keep all of your antivirus software up-to-date.
  • We’ve said it before and we have to say it again.  Don’t click on strange emails.  If that email comes in saying it is from the IRS with information about your refund, ignore it.  The IRS doesn’t work that way.  Clicking on one could wind up installing a dangerous Trojan virus such as Zeus, a nasty little program which will lie in wait until you go to your bank website to do some online banking and then hijack all of your financial information.

The bottom line is, even when it is tax season, not much changes about online security.  Computer users should simply be more diligent about how they conduct their business and be more careful about avoiding viruses and other criminal traps and tricks.  If you do receive one of these emails, the important thing to do is report it as soon as possible to the IRS so that they can shut them down.
