
Posts Tagged ‘identity theft’


A Primer on Phishing Attacks

Wednesday, December 21st, 2016


Phishing attacks are a dangerous and effective method criminals use to steal personal information and accounts, primarily by targeting the user instead of the machine. According to the APWG Phishing Activity Trends Report, the number of phishing sites observed rose 250 percent between October 2015 and March 2016, meaning both the industry and individuals should be increasingly concerned about these scams.

While security software is getting better at detecting phishing attacks, it can’t stop them all. Here’s the rundown on what you can do to protect yourself and your employees.

What Exactly Is a Phishing Attack?

The goal of a phishing scam is to trick a person into handing over private information: account credentials, credit card numbers, Social Security numbers, or anything else that can be used to take over accounts, steal data, or commit identity theft.

According to Indiana University, phishing attacks, or scams, typically present themselves as fake emails masquerading as official sources asking for personal information. Google adds that phishing attacks can also come through advertisements and fake websites.

So, phishing attacks come in several forms. One example of a phishing attack is an email arriving in an employee’s inbox asking them to reset their Gmail account information. Another is an email from “Amazon” saying the account holder’s credit card information didn’t go through for a recent order.

What’s the Best Defense Against Phishing Attacks?

The best thing a person can do to protect themselves from phishing scams is to be wary any time they receive a message asking for personal information. Businesses and organizations can protect themselves by educating their employees and members about what phishing attacks look like, and how to avoid them.

Teach your employees to look for red flags, like a sender address that doesn’t correspond to the supposed sender, generic or impersonal greetings, grammatical errors, and/or unsolicited attachments. Equally, watch out for spoofed links whose visible text shows one URL but whose actual destination (the link target revealed by hovering) is another, and keep an eye out for lookalike domains that don’t match the real site (e.g., gooogle.com instead of google.com).

Some phishing emails (so-called spear phishing) use such highly personalized information that they may appear, on the surface, to be authentic. Don’t let your guard down. Phishing attacks typically use fear and urgency to pressure a person into handing over sensitive information, with statements like “your order will be canceled” or “your account will be deactivated.” Instead of clicking the link inside the email or responding directly with personal information, go to the real website using a search engine or by typing the URL directly into your browser. If you receive a phishing email related to any of your professional account credentials, report it to IT.
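The two link-based red flags above (visible text showing one URL while the link target points elsewhere, and lookalike domains such as gooogle.com) can be checked mechanically. The script below is an added example, not code from the original post or from MPA Networks. It parses the anchors out of an HTML email body with the standard library, flags anchors whose displayed URL and actual destination resolve to different domains, and flags destination domains within a small edit distance of a trusted brand. The trusted-domain list and the sample email are constructed for the example; the registrable-domain helper is deliberately crude (it takes the last two labels, so it is wrong for suffixes like co.uk).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the organization treats as legitimate (assumption).
TRUSTED_DOMAINS = {"google.com", "amazon.com", "paypal.com"}

# Matches either a full URL or a bare hostname appearing in link text.
URL_RE = re.compile(r"https?://[^\s]+|(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable_domain(host: str) -> str:
    """Crude 'brand' domain: last two labels. Wrong for co.uk-style suffixes (caveat)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates (distance <= 2), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:  # gooogle.com -> google.com is 1 edit
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_links(html: str):
    """Return a list of (flag, href, detail) findings for suspicious anchors."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        # Red flag 1: the text shows a URL, but the link actually goes somewhere else.
        shown = URL_RE.search(text)
        if shown:
            shown_url = shown.group(0)
            if "://" not in shown_url:
                shown_url = "http://" + shown_url
            if registrable_domain(urlparse(shown_url).hostname or "") != target:
                findings.append(("display-mismatch", href, text))
        # Red flag 2: the destination imitates a trusted brand's domain.
        imitated = lookalike_of(target)
        if imitated:
            findings.append(("lookalike", href, imitated))
    return findings


# Constructed sample email body for the example (not a real message).
SAMPLE_EMAIL = """
<p>Your Amazon order could not be charged. Update your card within 24 hours.</p>
<a href="http://amaz0n-billing.example.net/verify">https://www.amazon.com/your-account</a>
<a href="https://accounts.gooogle.com/reset">Reset your Google password</a>
<a href="https://www.google.com/">Google</a>
"""

if __name__ == "__main__":
    for flag, href, detail in analyze_links(SAMPLE_EMAIL):
        print(f"{flag:17} {href}  ({detail})")
```

On the sample body the first anchor is reported as a display mismatch (it shows amazon.com but lands on example.net) and the second as a lookalike of google.com; the genuine google.com link produces nothing. The edit-distance threshold is a trade-off: a low value misses substitutions of several characters, a high value flags unrelated short domains, so tune it against your own trusted list.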

The State of Phishing Attacks

Now that web users are spread out over a variety of operating systems including Windows, Mac OS, Android, and iOS, it makes sense that attackers would divert more effort to scams that target the user instead of the operating system. Symantec reported a 55 percent increase in spear-phishing campaigns during 2015. In the first quarter of 2016, CSO reported that criminals successfully targeted 41 organizations in a phishing scam aimed at obtaining employees’ W-2 data.

If your company is looking to improve its IT security practices against threats like phishing scams, the IT consulting experts at MPA Networks are ready to help. Contact us today.

Where’s Your Company’s WISP? Why You Need One NOW

Tuesday, June 14th, 2016


A WISP is one of the most important documents for any company doing business over the Internet—which, in this day and age, is pretty much everybody. Who’s responsible for drafting and maintaining your company’s WISP? Or are you even sure what a WISP is? If not, your company is already at serious risk for additional legal action—lawsuits and punitive fines—following a data breach, whether the result of external hacking or internal human error.

WISP stands for Written Information Security Program: essentially your company’s formal road map for safeguarding the privacy of customers’ Personally Identifiable Information (PII), as well as a response plan for a data breach, including customer notification.

WISPs are already required for companies dealing in financial services (the Gramm–Leach–Bliley Act) or medical health records (HIPAA). Additionally, most states now have their own laws governing data privacy standards for businesses.

Here in California, state law (Civil Code Sections 1798.80–1798.84) requires businesses to “implement and maintain reasonable security procedures” to protect customers’ personal information: their names combined with any of the following:

  • Usernames/passwords for online accounts
  • Social Security/Driver’s License numbers
  • Credit/debit card numbers
  • Medical history/health insurance records

How Much Is “Reasonable”?

The tricky thing here is that the California law doesn’t define what “reasonable security procedures” really are. And if even one of your customers resides out of state, your company is likewise bound by the corresponding data protection laws in that state, such as Massachusetts, where a WISP is an explicit legal requirement for any business holding residents’ personal information (201 CMR 17.00). At a time when new corporate data breaches seem to grab headlines every month, a formal WISP for any company, large or small, is just good common sense.

Cover All the Bases

What are the elements of a comprehensive, iron-clad WISP? Here are the essential points to cover:

  • The designated person(s) to administrate the WISP
  • An assessment of reasonably foreseeable risks to security/confidentiality of protected PII data
  • Locations where personal information is stored (electronic or hard copies, as well as access from portable devices)
  • Specific measures to safeguard confidential data (encryption, firewalls, security patches, or more)
  • Ongoing employee data security training, with disciplinary policy for WISP violations
  • Monitoring and review of the program’s effectiveness, annually or as necessary
  • Your company’s official breach response plan

The Commonwealth of Massachusetts publishes a small-business guide and WISP template that is a good starting point.

Most importantly, if your company is partnered with a managed service provider or other third-party IT services, make sure they’re on board with your WISP program—that they’ll take time to assist in crafting your initial policy in addition to providing regular enforcement and documentation. We certainly will.

Data Breaches: Dark Times in the Golden State?

Wednesday, June 1st, 2016


Being the cyber-security geeks we are, we took great interest in combing through this year’s California Data Breach Report, released by the Attorney General’s office this past February. The report tabulates data collected from breach incidents which expose confidential information of 500 or more individuals, reported to the Attorney General as required by California law since 2012.

Over these past four years, there has been a total of 657 reported incidents, affecting over 49 million Californians—from Social Security and driver’s license numbers to financial accounts to health records, logins, and passwords.

By the Numbers: Not Much News to Us

The breakdown of California data breaches came as little surprise to us:

  • Malware and hacking accounted for over half of all breaches (54%) and were responsible for a whopping 90% of all stolen personal records.
  • While physical breaches—lost or stolen unencrypted data on computers and mobile devices—came in a distant second (22%), they were the most reported by healthcare providers and small businesses.
  • Other breaches were attributed to human error (17%) or intentional misuse or unauthorized access by company insiders (7%).

After 178 reported major breaches in 2015 alone, the report estimates almost three in five Californians were victims of loss or theft of data.

Plug the Leaks, Block the Hackers

The second half of the report offers multiple recommendations for preventing data breaches in the future. Specifically discussed is the expanded use of multi-factor authentication (as we’ve already recommended) in place of simple, easy-to-guess user passwords such as “qwerty” or “12345” (as we’ve likewise lamented in a previous post). Stronger encryption standards are needed to protect confidential data, particularly within the healthcare sector.

However, the Attorney General’s primary recommendation is that all business and government organizations adopt a risk management strategy based on the Critical Security Controls for Effective Cyber Defense, a prioritized set of 20 controls maintained by the Center for Internet Security.

While a mishmash of federal and state-by-state regulations offers varying effectiveness against data breaches, the California report identifies the 20 CIS Controls as “a minimum level of information security that all organizations that collect or maintain personal information should meet,” and states that failing to implement all of them “constitutes a lack of reasonable security.”

We agree the CIS Controls represent a solid roadmap, effectively “covering all the bases” when it comes to data protection. When you discuss security with a potential MSP partner, mention the CIS Controls as a baseline. If they downplay such a structured approach, you’re probably talking with the wrong vendor.

How well is your company meeting California’s data security guidelines? For a few tips on getting better, ask us today.

Cybercrime Begins Over the Phone, Too—Don’t Let Your Employees Forget

Tuesday, April 19th, 2016


If you’ve been a regular reader of our blog, you know we’ve spent plenty of time discussing phishing, malware, and other cybercrime. It’s all part of our modern online world, and we know it will never really go away.

We’ve talked about the tricks scammers use, from links in bogus emails to simply visiting the wrong website. But don’t forget crooks are still stalking victims via good old Ma Bell.

Chances are you’ve received a phone call pitching one of these common scams—more than once:

  • The promise of a lower credit card interest rate or a reduced electric bill… provided you give the caller your existing credit card number(s).
  • A call on behalf of one of your family members, requesting wired money to bail them out of a foreign jail. With “people search” sites all over the web, it’s disturbingly easy for a scammer to not only obtain your phone number, but also the names of your loved ones.
  • And perhaps the most devious phone scheme: the service tech from “Windows” who warns that your PC has been detected with a dangerous virus, which he can immediately remove remotely—for a nominal service fee, of course—or guide you in removing via a removal tool download (which is the actual malware)!

Hopefully, you’ve learned to recognize such obvious schemes. But businesses large and small are also targets of sophisticated electronic con artists, and it only takes one employee’s slip-up to rob a company of anything from confidential information to simple cash.

When to Hang Up the Phone

  • Suppose one of your senior executives is speaking at an out-of-town industry conference (information freely available on the conference’s website). Your receptionist receives a call from an “event manager” saying they urgently need their email password changed in order to download their PowerPoint presentation within the next half-hour. If it’s actually a cyber-crook on the other end of the line, they’ll have successfully hijacked that email account—inbox, address book, archives, everything.
  • If your accounting team gets a call from an angry “vendor” demanding payment for a mysterious invoice that’s suddenly 90 days past-due—for something as innocuous as bottled water or toner cartridges—might they be directed to a bogus payment site to collect a quick payment? Banks usually won’t forgive such voluntary gaffes, and if the culprits are outside the U.S., that money is almost surely gone.

We’ve discussed the necessity of a comprehensive employee security training program. Don’t forget to train your employees to watch for phone scams as well. Also consider a policy that no password is changed on the strength of a phone request alone: verify the caller independently (for example, by calling back a number already on file for that person) and alert the senior support staff of your managed service provider before any reset. Better still, supplement usernames and passwords (or even replace them) with two-step verification, so a password obtained over the phone is not enough on its own.

Questions? Contact us today.

The Future of Fingerprint Authentication… Is There One?

Tuesday, November 24th, 2015


Earlier this year, the U.S. government revealed a massive cyber security breach which may well bump the infamous Target and Sony attacks down to “small potatoes.” The database of the Office of Personnel Management (OPM)—essentially a central HR department for most federal agencies—was compromised multiple times over several months, exposing the personal records of 21.5 million individuals. Current and former federal employees, job applicants, and contractors who had undergone various levels of security background checks represented most of the victims. U.S. officials have attributed the attack to China, in the midst of an ongoing “cyber cold war” with America.

Most of this stolen data includes the usual personally identifiable information—addresses, birth dates, Social Security numbers, and more—routinely trafficked on the international black market, or “dark web.” But a couple months back, the OPM dropped the other shoe: Also compromised were 5.6 million digitally stored fingerprints, dating back to 2000.

Biometrics

Fingerprints are at the core of modern biometric authentication.

If you’ve bought the latest smartphone, you know it scans your thumb to unlock. At least one large health club chain has eliminated barcoded membership cards in favor of electronic fingerprint scanners. If Microsoft had its way, Windows Hello would entirely replace your computer’s passwords with biometrics—though the 3D camera hardware its face recognition needs may be slow to market.

Biometrics may still be in its infancy today, but how common will it be tomorrow? Besides logging in to your personal devices, will it become the preferred login option for secured email accounts, online banking transactions, medical records, or other sensitive data? One thing’s for certain: Legions of hackers around the world are obsessed with cracking the latest cyber security measures right now.

Sooner or later, everything becomes vulnerable.

Identity Theft

If you’ve discovered you’re the victim of identity theft, most of the damage can be fixed. A compromised password can be changed in minutes. A new credit card number is a phone call away. At worst, you can go through the painstaking process of wiping fraud from your credit reports.

But it’s biologically impossible to get new fingerprints—the fingertips you were born with are yours for life! Whether they were stolen last week or 20 years ago, once a victim’s electronic fingerprint records fall into the wrong hands, they can never really be “un-stolen.”

We can draw two takeaways from the OPM breach:

  • As we’ve discussed, America’s cyber security still lags far behind hostile threats—from hackers and cyber crooks to perhaps even adversarial governments. As in the Wild West, it’s ultimately up to you to protect yourself.
  • At first glance, biometrics offer the ultimate personal security. But a fingerprint cannot be rotated like a password, and no system is 100% hack-proof. Unless biometric templates stay on the device that matches them rather than in a central database, and unless the fingerprint serves as one factor alongside something you know or have rather than as the sole credential, biometrics may go the way of QR codes—a neat idea that just doesn’t catch on in the real world.

For more information on how you can protect yourself personally and professionally, get in touch with us today.