• Online Security Made Easy with StrikeForce

    by Rogier van Vlissingen | Sep 17, 2011

    Symantec put it all in perspective recently - cyber crime is now surpassing the drugs trade. So it's time to get serious, for the criminals who are after your data have better financing than you do. Unlimited, in fact, for it's so easy to raise more.

    We are doing our part by offering a new webinar with StrikeForce CEO Mark Kay on 10/5/2011 at 2 PM EST on Data Theft, ACH Fraud, and Key Logging - what it is, what it means to you, and how to prevent it.

    You can register here: Webinar Registration 10/5/2011 2 PM EST

    Meanwhile... it helps to realize that "security," even in the narrow sense of "IT security," is not about your computers, but about your data, your business information, and your money. Simple as that.

    It is therefore a problem of Internal Control in businesses, and not a technology problem that is sort of relegated to the optional extras in the budget cycle.

    Recent developments in the financial industry mean that the lack of preventive security solutions will quickly become a fireable offense in companies whose bank accounts are plundered due to stolen credentials. Simply put, key logging is the number one preventable cause of stolen banking credentials, and of data theft in general. Somehow it is too technical and abstract if we talk about "ID Theft" or "Data Theft," and the banking industry proudly reports that they are now quicker to stop ACH fraud if multiple fraudulent transfers are done. But it still often means that businesses are out the money. To them you're a statistic, to you it's your money.

    As has been argued on this site, prevention of key logging must primarily happen on the customer side. We are all vulnerable, and to a degree banks are right if they reject claims based on account access with valid credentials. If the credentials are stolen from the customer it is essentially the same case as failing to lock your house and having a burglary. Your insurance company won't think so, arguing you left the door open. If the door was open, it's not a burglary.

    Accordingly, if your banking credentials are ever compromised, but you were deploying GuardedID® at the time, you have dramatically reduced the chance that the credentials were stolen from you, and therefore you have now shifted most of the burden of proof to the bank.

    In security, few things are black and white, but this one is. Either you locked the door or you didn't; either you prevented key logging or you didn't.

    Footnote: article in The Register of September 7th on the Symantec report that cyber crime is now surpassing the drugs trade: cyber crime is now bigger than the drugs trade.


  • Security not a technology issue but a control issue

    by Rogier van Vlissingen | Sep 11, 2011

    Amidst the ongoing reports over data breaches, data theft, account takeovers, and ACH fraud, there are several interesting stories that have some educational value, for example the recent appointment of a new CISO at Sony which highlighted the issue that security is not an IT issue.

    At first apparently this gent was to report to the head of IT at Sony, but this was changed, and he reports straight to the top. From a standpoint of corporate control, this is the only way to address the issue, because the assumption that security is limited to IT security is deadly, and even within IT security, security would be seriously compromised if it had to compete with any number of other issues that affect the popularity of IT in an organization far more than security. Security is not a popularity contest. IT needs to be told what it should do in security.

    Among the other interesting observations of Mr. Reitlinger is the idea that online security basically isn't. The fact is that technology has moved and continues to move faster than anybody can keep up with and the greatest threat to security at all levels is to assume that it is somebody else's problem. IT in turn can be part of the solution, but they should be given direction in the context of overall internal controls, and the implementation of security policy. From a liability standpoint every organization needs a security policy, as well as uncompromising enforcement. Directors of public companies will see their liability insurance go through the roof if this is not done.

  • The Meaning of Best Practices

    by Rogier van Vlissingen | Aug 31, 2011

    A careful reading of various lawsuits and settlements between banks and their customers in account takeover cases, and other security-related problems, makes it very clear that the courts are starting to realize that good enough is no longer good enough, and that in security the minimal 'compliance' with regulatory requirements may in fact be unsatisfactory and inadequate.

    Businesses are also finding out that they are responsible for knowing what they are doing. Some banks promote zero risk for their debit cards, but not infrequently the large print giveth and the small print taketh away. Too often the zero liability does NOT apply to PIN transactions. Be that as it may, as a business it is important to know that you are expected to know what you are doing, and the banks tend to treat businesses differently than consumers. So best practices apply to the business customers of a bank even more than they do to consumers. Ignorance is not a defense against irresponsible practices and inadequate security.

    As I have argued elsewhere, see: Why this time is different -- in security very few things are black and white, but one is, and it makes a perfect example of the meaning of best practices. GuardedID® has been on the market for 5 years, and even if we allow that nothing is 100%, it is in essence a completely on/off, black and white situation. Either you are blocking key logging or you are not. Since it is well documented that key logging is a very prevalent threat, and figures in most of the major security breaches that you read about (and in most of the breaches you don't hear about), there is every reason to stop it outright. So why didn't you?

    This is black and white. Something like backing up your data - either you did, or you did not, and if that's your job and you didn't, we should get someone else to do your job. Key logging is the same: ever since it became prominent in 2004 or so, no one in the industry can claim ignorance, it is now an everyday occurrence, and the logic is powerful. The amateur malware of yesteryear was mostly an annoyance, a business disruption perhaps, but not much more. The well-targeted attacks of today are designed to be smooth. They do not want your computer; in fact, they don't want to cause you any inconvenience, as long as they can get your data. Any data will do, login credentials for financial accounts preferred.

    So now back to best practices. Granted that there are other ways to steal your data aside from key logging, the comparison now is that some anti-virus software claims to defend against key loggers. To the extent that it is signature based, that means elimination of a good percentage of known threats and zero against unknown threats (zero-day risk); it generally protects your computer, keeps it operational, and keeps it safe from disruption by malware, but... it only detects key loggers some small percentage of the time. Usually 20% or less, according to some reports. But data theft is the objective, not computer disruption. So, once you realize that your DATA is the asset that is targeted, should you focus first on protecting your computer from disruption, or on protecting your data from theft? And if you know (and if you didn't, you know now) that there is a choice between 20% protection and complete blockage of key logging, the largest single methodology used for data theft - would you take the 20% or the 100%?

    It is these kinds of considerations that are coming to the surface in these court cases - having installed some protection that nominally meets requirements, in the face of a far superior and well known alternative is not a defense. Just like ignorance of the law is no defense. The security game is changing.

  • A Spear Phishing cum Key Logging Story

    by Rogier van Vlissingen | Aug 22, 2011

    A friend in the professional services industry landed himself in a classic spear phishing attack, and it took him half a day to realize his error, particularly because his bank contacted him to ask why he wanted to know his balance. Thank God for small favors, as the saying goes - it appears no real damage occurred, so far.

    Although some of the technology used is pretty sophisticated, it is most amazing how simple and effective most of these schemes are. Equally amazing is how primitive security technology is, everything from firewalls, to anti-virus, to IDSs, and so on provide only relative assurance. One good thing about GuardedID® is that it simply disables a certain class of activity, in this case the copying of keystrokes. So it is a very black and white sort of protection compared to most security solutions.

  • Research Report on Strikeforce Published

    by Rogier van Vlissingen | Aug 16, 2011

    Personally I have known Strikeforce since shortly after it started, and have always known they were on the right track... and of course recently they are getting a lot more attention, because suddenly they have the right products at the right time, solving authentication issues and key logging, two very central issues in the crisis of online business that is currently going on.

    As much as some people may say the media exaggerates the crisis, I think it remains under-reported, and widely underestimated. Computer crime has become so easy and so lucrative, and as a society we are still so complacent, that people are still slow to take action. However, among professionals in the financial services sector awareness of the seriousness of the problem is certainly growing. We are well past the stage where we can pretend it is just "isolated cases."

    And in the middle of all of that, with regular media reports on the latest security breach, Strikeforce recently entered into an agreement with an IR firm to raise awareness of their shares, because they've been public for years now, and harvest time is finally here.

    Today a research report was published, which is excellent. It provides both good market analysis for those who are so inclined, but it also provides very good basic explanations of the technology. You can find it here: http://www.research2zero.com/sample-research.html

    As if on cue an accountant friend of mine had his email account hacked, and now he is suddenly buying GuardedID® - previously his eyes glazed over at the mere mention of it. Par for the course, unfortunately in the majority of cases, people still close the gate after the horse has left the barn.

  • Key Logging in Action

    by Rogier van Vlissingen | Aug 13, 2011

    While there are of course forms of key logging that are arguably beneficial and desirable, such as a KVM switch to be able to work on multiple machines from the same keyboard and monitor, we are here concerned with the malicious kind. And if you do have the need for that type of configuration, realize that you're dealing with a security weakness, and at the very least don't do your banking from the same machine. Alternatively, disable GuardedID® before you use the KVM, and enable it before you do banking or access any other confidential data.

    And there is a constant stream of stories of the experiences that people have in this area. During one installation of GuardedID® we found out that the person had been involved in a court case testifying against Western Union, based on an incident that most likely started with key logging.

    One day his username and password to his yahoo account were hacked, and all his friends received messages that he was stuck overseas and needed money. Some people sent money, not being aware that he was safe at home in New York. The remittances were picked up in his name, and evidently no one ever bothered to check ID on the person picking up the money.

    Chances are high that the way the username and password were ripped off was through key logging. A very large number of cases start that way. These are the types of scams that are going on all the time, and they are entirely preventable with the simple program called GuardedID®.

  • Key logging - as seen on TV

    by Rogier van Vlissingen | Aug 09, 2011

    Thanks to some feedback from a colleague at work, I learned that recently keyloggers played a starring role in a TV drama, where a law firm lost a case because their information was siphoned off with the help of a keylogger. Not too far-fetched, and it does not only happen on TV.

    Going by the reports from the FBI etc., businesses have lost serious money due to these programs, which can sneak up on you because they are hard to detect. We and/or our clients and associates have experienced these painful situations, and the banks generally do not honor any claims if your account was accessed with valid credentials.

    Or if you want it from the horse's mouth:

    Card issuer liability - sample of non-liability of issuer. Comments on liability under one bank's prepaid MasterCard program - major US bank "Capital One Bank":
    http://www.capitalone.com/prepaid-cards/?linkid=WWW_1010_CARD_TGUNS12_CCMAIN_L1_09_T_PRECAR
    Note the zero liability benefit to card holders does NOT apply to PIN-based transactions…
    "Zero Liability does not apply to PIN-based transactions"
    Accepted everywhere Debit MasterCards are accepted
    ² Terms and conditions may apply. In the event of unauthorized use of your Capital One® issued Prepaid Card you will get the benefit of Zero Liability if the following apply: you have exercised reasonable care in safeguarding your card and you have not reported two or more events of unauthorized use in the past 12 months. However, Zero Liability does not apply to PIN-based transactions. Unauthorized use means that you did not provide, directly, by implication or otherwise, the right to use your card and you received no benefit from the "unauthorized" purchase.

    To the banks, you're a statistic. To you, it's your money.

    The fact of the industry remains that oftentimes security is ignored until it's too late. This is one area where you do not want to wait until it's too late.

    Prevention is the key, and that means out and out stopping the possibility of keylogging:

    One of our vendors, Strikeforce Technologies, has developed the perfect, and perfectly simple, defense against keyloggers, called GuardedID®. The company currently has an infomercial running, starting Saturday August 13 on Fox NY at 1:30 PM, and at various times and on different channels after that.

    This is the simplest security measure you really don't want to do after the fact. Individual licenses are available at our site www.guardyourdatanow.com
