Phishing and GDPR compliance
By Paul Brennecker, Principal Consultant, CISM | PCI QSA | PCI PFI | PCIP
There is a saying that a chain is only as strong as its weakest link. This, unfortunately, is true. When a company manages and handles sensitive customer data it does not matter how robust the security measures if one unsuspecting employee inadvertently opens up the system to hackers. Yet the danger this presents is sometimes underestimated.
Failure to protect customer data adequately already results in serious sanctions and fines under the current Data Protection Act (DPA) legislation. In 2016 twenty-one fines were levied in the UK totalling £2.1 million. When the General Data Protection Regulation (GDPR) comes into effect next May, however, things will become even tougher. With a theoretical maximum fine of up to £500,000 or 4 per cent of global turnover, these sanctions alone have the potential to bring a company down.
A common data security breach is through what is known as phishing. Defined as an attempt to obtain sensitive information such as usernames, passwords, and credit card details for malicious reasons, by disguising as a trustworthy entity in an electronic (or telephone) communication. They mislead unsuspecting individuals into giving hackers a foothold in a corporate system.
Typically, they will appear to come from a popular, well-known or reputable-sounding company. Microsoft, LInkedin and Google Drive have been subject to their names being hijacked for fraudulent purposes. Then the cybercriminal will set out a fictitious issue with a user account, threaten that action will be taken if it is not remedied and provide a link to click. At first glance the corporate branding, email address and link will look genuine. This type of phishing email is indiscriminate in its approach and is out to catch any unwary soul who takes the bait.
A more worrying trend is the ‘Spear Phishing’ attack, where a specific individual or number of individuals is targeted within an organisation. These people are often in positions where they will have access to company sensitive information or records, such as the finance or marketing teams. With a little research, the source of the spear phishing attack can ascertain the name of a senior member of staff within the company and trick the recipients into believing it has originated from the boss. These emails will be positioned to members of the team further down the chain in order to gain further information or even to directly ask for payments to be made. Once you understand the anatomy of a spear phishing attack, you can see why having an organisational chart and email book becomes invaluable data to the attacked. This may have been gathered as part of the initial phishing attack, through the use of malware injected onto email or active directory servers.
So – If an unsolicited email of any type appears, it should not be opened. If it is, it is worth checking the spelling and grammar. Unlike professional companies who use copy editors to check their content, cybercriminals are not known for written English. Links should also be checked. By hovering a mouse over the link (while not clicking through) an entirely different web address may appear. All requests which lead to requests for sensitive account information should be treated as phishing attempts. Genuine companies never request password or bank account information online. Yet, if an employee has got to this stage it is likely that a malicious attack will already be underway.
Training staff how to recognise and deal with suspicious emails is just one element of a robust information security plan. SRM’s specialist consultants have the experience and expertise to manage all elements of information security from employee training to forensic investigations; from penetration testing to preparing for GDPR compliance. To discuss any aspect of information security please contact us.
This malware reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of websites can be done with the following processes:
2. The trigger is executed every time a new order is made.
Regular scanning of webservers for malware is one recommended mitigation measure eCommerce websites can take to identify security vulnerabilities. Another recommended best practice is to check for malicious database triggers on eCommerce websites and subsequently remove these.
If you are in doubt, contact the SRM team who can arrange to run a check for you!
Ransomware – Could it be you?….
Complacency has always been the enemy of safety; in today’s world, we are all vulnerable!
The digital (cyber) environment may sometimes be opaque and difficult to understand, but it is a contested environment. If we seek to operate within it, and exploit its advantages, we must actively engage or expect to become a victim.
As I write a number of organisations worldwide, are reeling under the hammer of what appears to be a thoroughly industrialised Cyber Attack. Many of these affected organisations have (or claim) a reputation for strong governance. There is no-one, reading this, who doesn’t have actions that they should have taken or should be taking now.
Whilst it is tempting to view this sort of event as spectators, anyone reading this is unlikely to be invulnerable, whether we are part of an organisation or an individual. There are steps we should all be taking to reduce risk to ourselves or our organisations. We ignore these responsibilities at our peril.
Those who are responsible for the safety of organisations will have already taken actions to ensure that they are as safe as possible. This is part of baseline governance needed in today’s world and no organisation can claim to be competently run if it doesn’t have an effective Information or Cyber Security Management System. If you have one – you will probably know about it!
If you haven’t – then now is a good time to start – and if necessary get in touch with someone who can help you. (if you can’t think of anyone specific or are worried, www.srm-solutions.com is a good place to start!) There are a number of excellent schemes and established practices that you can use to raise the bar for attackers. If you have done nothing else yet – at least look at the Cyber Essentials Scheme as a first step.
If you don’t know who is responsible in your company – check – it could be you!
As individuals, however, we are still potential victims of attacks like this, but if we practice basic Cyber Hygiene we dramatically reduce the risks to ourselves and those around us.
Make sure our defences are strong:
Ensure our Anti Virus (even on a mac!), firewalls and software are all up to date and switched on.
Scan our systems with Anti Virus, and do this regularly when attacks are going on.
Stay alert to any suspicious emails, messages and don’t open anything suspicious. If someone sends you something suspicious. Contact them separately to check it is legitimate.
Check that we are using difficult to guess passwords, and that we are not exposing the password protecting our “crown jewels” on untrusted internet sites or unprotected devices.
Check our bank and card statements – Regularly!
Think it through from an attacker’s perspective.
Make sure we are resilient:
Ensure our information is backed and kept somewhere where it isn’t connected to the internet or our main system (e.g. a CD or a Backpack Drive).
Ensure we keep all backup data safe – and if possible encrypted. Ideally under lock and key.
Ensure that any critical information is held safely so that it will be available in the event that our main system is unavailable.
Make sure we know what to do if we are compromised:
Write down a simple plan – stick it on the fridge or the filing cabinet – somewhere we can find it!
Don’t pay ransoms – we shouldn’t need to!
Know who we are going to contact for further advice in emergency.
Don’t Assume – Check that you are as safe as you think you are. Do this periodically and when the risk rises:
Check our Backups are being taken (and that your drive is not full). Check that we can restore them and that they are not corrupted.
Check that you can access your critical data and files if your main system is down.
If you don’t know how to do any of this – learn now – these are basic survival skills! If you have friends or family members who may not be able to do this – it may be worth contacting them to check they are not exposing themselves inadvertently.
Whether we are acting as individuals or are responsible for the safety of an organisation, this is no longer something for someone else to do – we all have a part to play, and must play it to the best of our ability.
Changes to the Issuer Identification Number (IIN) standard
The numbers on payment cards are going to become longer. This is because of changes which are being made to the international standard (ISO/IEC 7812) under which Issuer Identification Numbers (IINs) are issued. The changes have come about because of the increasingly dwindling number of IINs that remain open for registration.
IINs currently appear as the first six digits on payment cards. The leading digit is the major industry identifier (MII), followed by five digits, which together make up the IIN. But due to an increasing demand for these unique identifying numbers, the International Organization for Standardization (ISO) is expected to publish revised standards which will change IINs from six to eight digits. The overall Primary Account Number (PAN), which is generally understood to reflect the IIN plus the unique number assigned to an individual or company, may consequently increase in length to reflect this change.
Visa announced in July 2015 that it expected that they would continue to support a PAN length of 16 digits. This was after stakeholder consultation within the industry. A change that is seemingly as minor as this turns out to have some significant ramifications to any entity that accepts payment cards in that the application are generally designed to expect card numbers of certain lengths, depending on the card issuer. Changing these values would require updated software in all devices or systems that accept a payment card – no small task.
So what about the security implications of this change? If the IIN is increased to 8 digits and the PAN remains 16 digits, the unique value assigned to the card has in effect been reduced from 10 to 8 digits. Does this pose a potential security weakness to card numbers? This point has not been missed by the industry and discussions are afoot to try and counteract this change.
The draft of the revised standard has been approved by ISO members and is due to be published in early 2017. Businesses and organisations which require IINs should be aware of these imminent changes and should begin a process of planning and analysis to identify any potential system and process impacts. At the moment it is all conjecture, but it seems likely that something will have to change at a standard level before vendors start to make updates to their software and merchants start rolling these changes out.
The main points of the revised version of the ISO/IEC 7812 standard are:
- The Registration Authority (RA) will start assigning eight-digit IINs to any institution applying for a single IIN or block of IINs.
- Issuers with eight-digit IINs will be required to issue a minimum PAN length of ten digits. The maximum will continue to be 19 digits in length, (with Visa supporting the current standard of 16).
- Existing six-digit IINs will be converted into a block of a hundred eight-digit IINs. As the majority of issuers are unlikely to need all one hundred of these, they are encouraged to return any unused eight-digit IINs to the RA.
- Any ISO/IEC standards referencing ISO/IEC 7812-1 should be reviewed for potential impacts.
All users of ISO/IEC 7812-1 are strongly advised to begin planning and analysis to identify any potential system and process impacts associated with their plans to adopt the new standard.
The security implications of the extended IIN lie in the detail. Visa are currently undertaking systems analysis and development, which they expect to be complete by 2019, three years ahead of the proposed change. Currently the PCI standard is only built to accommodate the masking of the first six and last four of the sixteen digit card number. It may be that the PCI council will have to have a look at changing the standard to accommodate this new field length without altering the security posture of the masking.
FFA 2015 Annual Review Reveals UK Card fraud worth £479 million
by Brian Fenwick, Operations Director
Financial Fraud Action UK (FFA UK) has published its 2015 Annual Review. The organisation, which is ‘responsible for leading the collective fight against fraud in the UK payments industry’ and has banks, credit, debit and charge card issuers and card payment acquirers in its membership, reveals that fraud losses on UK cards reached £479 million in 2014.
This figure is up 6 per cent on 2013 (£450 million) and up 40 per cent on 2011 (£340 million). This must, however, be seen in context. According to the Dedicated Card and Payment Crime Unit (DCPCU) figures, there has been an overall fall in card fraud of 78 per cent since Chip & Pin was introduced in 2004. This equates to 7.5p for every £100 spent, compared to 12.4p in 2008.
The area that is now seen as being most at risk is those termed as “cardholder not present” transactions. These are online and telephone based transactions which, in 2014, accounted for £330.5m of UK card fraud. That is 69% of the total.
The solution is to take card data out of the IT environment by removing personal card data to a secure off-site store. Adhering to the data security standards laid down in the Data Protection Act and PCI DSS will ensure that compliance is achieved.
Taking these standards a step further by adopting the ISO 27001 framework is, however, the most effective way to ensure data security. More and more organisations are now asking for help in securing ISO 27001 certification because within its framework there is not only a comprehensive data security protocol but it also brings with it an inherently inbuilt flexibility. Used as a basis, it is possible to use its methodology to manage several compliance programmes and to build security into each layer of an online or telephone sales operation.
There are many potential pitfalls when dealing with data security compliance in general. The main one is selecting the wrong product; but others include not specifying correctly or misinterpreting the intent of the standards. Using a consultant experienced in all aspects of data protection and standards reduces these risks while improving the chances of a successful integrated and cost effective strategy.