Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
October 25, 2021
Should We Throw in the Towel When It Comes to Data Breach Prevention?
Cybersecurity Awareness Month, observed in October, reminds us of a post we ran two years ago. We're rerunning it today because it is just as relevant now as it was then, and perhaps even more important. This year's Data Breach Investigations Report, for example, found that 85 percent of breaches involved a human element. As the Risk Forum has often said, the human element is the weakest link when it comes to cybersecurity. So the closing question posed by my colleague and the author of that post is as imperative today as organizations consider that human-caused breaches are inevitable: "What approach has your organization taken to adopting threat prevention and response preparedness?"
We've all heard it said—we've probably, cynically, said it ourselves: "It's not a matter of if but when your company will be hit by a data breach." Reports about cyberattacks and network breaches fill my daily newsfeed with headlines on ransomware attacks, attacks on multifactor authentication, and 5G network vulnerabilities. For each new, better, stronger, faster solution the industry comes up with, criminals find a way to circumvent it in seemingly short order. Is there anyone whose personal information hasn't been stolen once, twice, five times? I've lost count of how many times I've received six months of free credit monitoring.
In today's world, is there any way for an organization to fully protect itself against the broad spectrum of ever-evolving threats and still have time, resources, and capital left over to conduct its everyday business? Or should we assume that breaches are a foregone conclusion, throw in the towel when it comes to prevention, and turn our focus instead to incident response?
According to Verizon's 2019 Data Breach Investigations Report , small businesses were frequent targets of breaches. (The report looked at incidents occurring from November 1, 2017, to October 31, 2018.) Other findings it reported: outside actors perpetrated 69 percent of breaches, 52 percent were the result of hacking, and it took months or longer to discover 56 percent of the incidents.
Last year, I wrote about committing to muscle memory your organization's plan for the right of boom. A Google search on "data breach response" returns pages of results with guides, resources, and services, but the midst of a cyber-event is probably not the best time to come up with a plan. Turns out, there's an app for that! At a recent fintech conference, I saw a demo of a dynamic breach response solution that turns response into a routine business process. The company likens its app to "an airbag for network breaches" and claims the tool helps organizations prepare for, detect, and respond to data breaches. Another company demonstrated a white-labeled application for financial institutions that aims to reduce post-breach fraud and identity theft of consumers through algorithmic risk assessments that produce recommendations for actions to take to mitigate these risks.
October is National Cybersecurity Awareness Month. It's a good time to review your own right of boom plan or take steps to implement one. One resource: the Department of Homeland Security's Cybersecurity Resources Road Map for small and midsize businesses.
While it is not hyperbole to assert that criminals will breach your organization's network, you should not throw in the towel or lower your defenses against such threats. Rather, you should avail yourself of technological innovations to support breach prevention and response preparedness so your organization can restore normal business operations as quickly as possible. What approach has your organization taken to adopting threat prevention and response preparedness?
August 2, 2021
Ransomware: To Pay or Not to Pay?
Ransomware attacks against high-profile corporate, educational, and governmental entities continue to make the news. What the media often overlook, however, are the continuing attacks against consumers' home networks and devices. Imagine your panic when you turn on your personal computer and you get a message demanding $500 in cybercurrency or gift cards for your tax, banking, investment management, family photo, and other important files that a criminal has encrypted. Do you pay or not?
Law enforcement and cybersecurity professionals almost all say "no.” A March 2021 report from a cybersecurity firm described a study of 15,000 consumer ransomware attacks in 2020 worldwide. In more than half of these attacks (56 percent), the victims paid the ransom—but only 17 percent of those making payment regained full access to their files. Adults 55 and older were the age group least likely to pay a ransom (11 percent), while the 35–44 age group, at 65 percent, were most likely to pay.
Arguments against payment are threefold:
- It encourages further attacks because the victim has already shown willingness to pay.
- It rewards criminal behavior and provides funds for additional attacks.
- It may not result in 100 percent recovery of files.
Those consumers making a ransomware payment do it because they hope the payment will restore their files faster and they'll soon resume normal use of their computer.
As this type of cybersecurity attack against consumers and business continues to increase, education about its process and the defenses that should be undertaken are critical. What is the best way to provide that? Let us know what you think.
May 17, 2021
Common Learnings from Fishing and Phishing
As a youngster growing up in Southeast Georgia, one of my favorite summer pastimes was fishing with my older brother at the local creek using cane poles and some corn niblets or, if we really hit the bait treasure box, pieces of beef hot dog. There is a reason they call it fishing and not catching as most days we barely got a nibble. But there were those days when we would land a nice-sized bluegill.
As I grew older and my fishing opportunities expanded, I began to learn more about the science and techniques of fishing. To increase the catching, there was a level of knowledge needed as to what type of bait (artificial or live) and what fishing technique (bottom, slow, or fast retrieve) to use to target the species of fish I wanted.
I reviewed the FBI's 2020 Internet Crime Report recently and learned that there were more than 240,000 phishing/smishing/vishing/pharming incidents in 2020—an increase of 110 percent over 2019 (and these are just those that were reported). Losses from these incidents were estimated at $54 million. Reading about this made me flash back to my fishing learnings. I reflected that in phishing, as in fishing, there are those people who simply throw out a baited hook to see what bites they get. They blast out a generic email to tens of thousands of email addresses they bought or otherwise acquired illegally, promising fortunes if you only pay, in advance, a finder's fee or the taxes, with gift cards or cryptocurrency. (These messages have advanced over the years to eliminate the poor grammar and misspellings and provide a more believable scenario about the money that belongs to you.)
It has become obvious to me from my research, from seeing the attacks firsthand, and from listening to my colleagues that criminals are becoming more sophisticated in their messages. They are quick to take advantage of current health or natural disaster crises, sending links to “breaking news” that contain malware or links to false websites to capture your personal information or other credentials. They have become very skilled in identifying a target and researching that individual's hobbies or life events through social media, which allows them to craft a message that appears legitimate and appeals to the target's interest.
My colleagues and I are constantly trying to better educate the public about these threats through our posts, webinars and other publications. Just when we think we've seen it all, the criminals come up with a new twist on an old scheme, such as what we saw over the last year regarding the stimulus payments. The bad guys are always going to be out there hoping they can get a nibble from you so they can try to set the hook and reel you in. Don't let yourself be the catch of the day.
January 25, 2021
Resolve for Better Data Privacy
On the heels of a year that saw, among other things, ransomware attacks occurring about every 11 seconds and a significant supply chain breach affecting 18,000 public and private entities, better data privacy should top our collective list of New Year's resolutions. But if this wasn't among our resolutions, we still have National Privacy Day on January 28 to remind us of the need to be vigilant.
Frank Sinatra sang to us in "Love and Marriage" that you can't have one without the other. Likewise, you can't separate data privacy from data protection. Organizations that place a high value on data privacy implement strong data protection measures. Without doing so, privacy can't be assured.
The National Cyber Security Alliance, sponsor of National Data Privacy Day, has created calls to action employing a few basic privacy concepts that individuals and businesses can follow to keep data safe online.
For individuals: Own Your Privacy
- Personal info is like money: Value it. Protect it. Beyond personally identifiable information, this extends to e-commerce purchases, IP address, and location.
- Keep tabs on your apps. Don't just click "OK" on those pop-ups asking to access your location, contact lists, photos, and other personal data. Consider why it is needed and how it will be used and stored. Also, closely examine links and attachments in text messages and emails to keep malware and viruses off your mobile device.
- Manage your privacy settings. Revisit the data access permissions on your apps and web services.
For businesses: Respect Privacy
- If you collect it, protect it. Consider the data your business collects, the business purpose it serves, the way it is stored (such as data encryption), and the length of time it is stored.
- Adopt a privacy framework. Establish a privacy culture in your organization that manages risk and promotes transparency.
- Conduct an assessment of your data collection practices. Evaluate their adherence to applicable privacy regulations.
- Remember that transparency builds trust. Promote transparency with customers in the collection, use, and sharing of their personal data.
- Maintain oversight of partners and vendors. Ensure that third-party service providers share your priority for data privacy and protection.
As many of us will likely continue to work remotely well into 2021—and will likely continue our heavy use of the internet and e-commerce adopted last year—the new year provides a good opportunity to examine apps and behaviors that could put your data privacy at risk. For me, this includes reviewing locations where my payment information and other personal data are stored.
How will you resolve to better protect your data in 2021?