Category Archives: Appification

Various mobile banking apps vulnerable: Study

May 3, 2014. At a time when lenders have been encouraging consumers to go for mobile banking, a survey by Japanese security firm Trend Micro reveals that 15 bank related mobile apps and 39 online payment gateways, among several others, stand the risk of being exposed to cyber criminals. According to the study, social networking sites, shopping and health care apps used by Indian users are vulnerable.

Apart from mobile apps, 611 websites with the .in domain in the country were also found to be vulnerable, the Trend Micro survey reveals.

The report comes days after the Heartbleed bug put the online world on its guard. It has now been found that not only websites but also mobile apps are exposed to this bug and similar ones, because mobile apps connect to vulnerable servers and services to complete various functions and so inherit the risk of those back ends.

Dhanya Thakkar, managing director, Trend Micro (India & SEA), the security firm that carried out the survey, explained how bank details stand the risk of being decoded by cyber criminals. “Suppose you’re about to pay for an in-app purchase, and to do so you need to input your credit card details. You do so, and the mobile app finishes the transaction for you. While you’re getting on with your game, your credit card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time. As such, cyber criminals can take advantage of the Heartbleed bug (or something similar) to target that server and milk it of information (like your credit card number).”

In order to protect the consumers from online frauds, the Reserve Bank of India had mandated banks to have a two-factor authentication process to strengthen the online payment system.

The discovery of the Heartbleed bug (CVE-2014-0160), a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension rather than a flaw in the encryption itself, caused havoc in the online community because it showed that servers previously thought to be very secure could be made to hand back up to 64 KB of their process memory per request, without leaving a trace in their logs.
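The mechanism behind that leak is small enough to show in a few lines. The following is an added example, not code from the article, Trend Micro or OpenSSL: it models a TLS heartbeat message (type, 16-bit payload length, payload, 16 bytes of padding) and puts the pre-fix handler, which trusts the peer's length field, beside the handler with the 1.0.1g check, which discards any message whose claimed length does not fit in the record actually received. The "heap", the "abc" payload and the secret string are constructed so the over-read can be observed inside one array; real OpenSSL had no such bound and leaked up to 64 KB per request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory": the received heartbeat record sits at the
 * start, followed by unrelated data the peer should never see. */
static unsigned char heap[1024];
static const char secret[] = "cardnumber=4111111111111111;cvv=123";

/* Lays out a heartbeat request in heap[] whose real payload is "abc" (3
 * bytes) but whose length field claims claimed_len. Returns the true
 * record length (what the TLS record layer actually received). */
static size_t build_record(uint16_t claimed_len) {
    size_t off = 0;
    memset(heap, 0, sizeof heap);
    heap[off++] = HB_REQUEST;
    heap[off++] = (unsigned char)(claimed_len >> 8);
    heap[off++] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + off, "abc", 3);
    off += 3 + HB_PADDING;                      /* payload + zero padding */
    memcpy(heap + off, secret, sizeof secret);  /* adjacent memory */
    return off;
}

/* Pre-1.0.1g behaviour: the length field is trusted and rec_len ignored,
 * so memcpy reads payload_len bytes past the end of the real record. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out) {
    (void)rec_len;                                  /* the bug: never checked */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);          /* over-read */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* The 1.0.1g fix: discard the message if type + length + payload + padding
 * do not fit inside the record actually received (RFC 6520 section 4). */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return -1;                                  /* silently discard */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Runs one handler on a record with the given claimed length and reports
 * whether the response carries the adjacent secret. Returns 1 if leaked,
 * 0 if not, -1 if the claimed length would leave this model's own array
 * (an artefact of the model, not of OpenSSL). */
static int leaks_secret(uint16_t claimed_len, int use_fixed) {
    static unsigned char out[3 + 65535 + HB_PADDING];
    if ((size_t)claimed_len + 3 > sizeof heap)
        return -1;
    size_t rec_len = build_record(claimed_len);
    int n = use_fixed ? heartbeat_fixed(heap, rec_len, out)
                      : heartbeat_vulnerable(heap, rec_len, out);
    if (n < 0)
        return 0;
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, secret, slen) == 0)
            return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, honest length 3  : leak=%d\n", leaks_secret(3, 0));
    printf("vulnerable, claimed length 60: leak=%d\n", leaks_secret(60, 0));
    printf("fixed,      claimed length 60: leak=%d\n", leaks_secret(60, 1));
    printf("fixed,      honest length 3  : leak=%d\n", leaks_secret(3, 1));
    return 0;
}
```

The honest request (claimed length 3) behaves identically under both handlers; only the over-long claim differs, which is why the bug went unnoticed for so long and why the server-side fix is a single comparison against the record length rather than any change to the cryptography.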

Prashanth Susarla, VP — Engineering and Products at PayU, a payment gateway based in India, said several websites and companies which have their own apps have issued clarifications that their system is secure and has not been affected by the bug. “In case you have not received any such notification from your bank or any other app that you transact through, it is best you clarify or stay away or be on your guard by checking the transaction history of your credit/debit card.”

Experts add that, as a practice, consumers should change their passwords at least once a month to reduce the possibility of their data being stolen. Users should also take the time to read the security safeguards of the company they choose to transact through, and check that its TLS certificate is valid and issued by a trusted certificate authority.

Web apps and point-of-sale were leading hacker targets in 2013, says Verizon

The telco’s annual data breach report incorporates data from more sources than ever before
By Lucian Constantin
April 22, 2014 12:06 AM ET

IDG News Service – Web application attacks, cyber-espionage and point-of-sale intrusions were among the top IT security threats in 2013, according to Verizon’s annual report on data breach investigations.

The leakiest industry by far, in terms of confirmed incidents where data was exposed, was finance with 465 breaches. But the public sector suffered 175 such incidents, retail had 148 and accommodation dealt with 137 breaches.

The vast majority of breaches were driven by financial motivations, even though they represent a smaller portion of the total caseload compared to previous years. Meanwhile, the number of breaches attributed to cyber-espionage has been on the rise over the past few years, the report shows.

Hacking, malware and social engineering remained the top threats associated with data breach incidents. The use of stolen credentials, which Verizon classifies as hacking, was the leading threat action in 2013 and contributed to 422 breaches. It was followed by malware-based data exfiltration, phishing, the use of RAM scrapers and use of backdoors.

The company’s 2014 Data Breach Investigations Report covers 1,367 confirmed data breaches, as well as 63,437 security incidents that put the integrity, confidentiality or availability of information assets at risk. Fifty organizations from around the world including law enforcement agencies, computer emergency response teams (CERTs), industry groups and private information security companies contributed to the total caseload, which covers victims from 95 countries.

The data shows that while organizations have only slightly improved the speed at which they are able to detect breaches, attackers are getting better and faster at compromising their targets.

“A lot of attackers simply look for vulnerable victims on the Internet and deploy automated attacks,” said Paul Pratley, an investigations manager with the RISK Team at Verizon. Often it will take seconds to minutes before a network is compromised, but it can take a really long time for an organization to discover it — weeks to months or even a year, he said. “That’s something we’d really like to see change.”

On a positive note, data breaches discovered by organizations themselves outnumbered those discovered by external fraud detection systems for the first time in the history of the DBIR. The data also shows that law enforcement agencies and other third-party organizations like computer security incident response teams (CSIRTs) are playing an increasingly important role in discovering breaches and notifying victims.

Web application attacks were the leading cause of security incidents with confirmed data disclosure last year — 35 percent of breaches — and were primarily driven by either ideological or financial motives.

Ideological attackers acting for political or social reasons or hackers acting for fun are more interested in compromising the whole platform and using it for their own purposes, rather than digging for the most sensitive data. They usually target websites built with content management systems like Joomla, WordPress and Drupal, and exploit vulnerabilities in those platforms or their

Meanwhile, financially motivated attackers go after online banking accounts using phishing and other credential theft methods, or they exploit vulnerabilities like SQL injection and remote file inclusion in retailers’ websites in order to steal payment card information.

Breaches that result from Web application attacks are usually discovered by external parties, the report data shows. In the case of financially motivated Web application breaches it’s usually the customers who notice the problem first; only 9 percent of victim organizations discovered such incidents internally. In the case of ideological attacks, the situation is even worse, with 99 percent of notifications coming from external parties who notice compromised hosts belonging to the victims being used in other attacks.

Cyber-espionage was the second-most-common cause of confirmed data breaches last year, accounting for 22 percent of all such incidents covered by the report. New information sources added to the report this year might have increased the number of cyber-espionage-related breaches in the data set. But organizations have also become more aware of this type of attack and there’s undoubtedly more cyber-espionage activity happening, which is reflected in Verizon’s own caseload, Pratley said.

The majority of cyber-espionage attacks — 87 percent — were attributed to state-affiliated actors, but organized crime played a role too, accounting for 11 percent of incidents. The most common attack vectors for this type of breach were malicious email attachments and Web-based drive-by downloads launched from compromised legitimate websites visited by the intended targets.

The largest number of cyber-espionage-related breaches were in the public, manufacturing, professional and technical sectors since the attackers responsible were primarily interested in stealing internal corporate data, trade secrets and classified information.

Eighty-five percent of breaches that resulted from cyber-espionage attacks were discovered by external parties, not the victim organizations, and in 62 percent of cases the breach discovery took place months after the compromise.

Point-of-sale (POS) intrusions were also a significant threat and resulted in 14 percent of all breaches. However, their number has actually declined compared to previous years, in particular 2010 and 2011.

While large, well-publicized payment card data breaches involving compromised POS systems were reported over the past five months at Target and other retailers, such incidents have affected small and medium-sized businesses for years.

POS attacks are driven by financial motives and most of them can be attributed to organized criminal groups operating out of Eastern Europe, Verizon said in the report. “Such groups are very efficient at what they do; they eat POSs like yours for breakfast, then wash ’em down with a shot of vodka.”

Brute forcing remote access connections and using stolen credentials remained the primary vectors for POS intrusions in 2013 according to the report, but an interesting development last year was the resurgence of RAM-scraping malware.

RAM scrapers were the fifth-most-common threat action in 2009, but then fell to the bottom of the top 20 list until last year, when they rose to the number four position.

Once installed on a POS terminal, RAM-scraping malware monitors the system's memory for card data in clear text, typically the Track 1 and Track 2 magnetic-stripe data, which sits unencrypted in the payment application's memory between the moment the card is read and the moment the data is encrypted for transmission to the processor.
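What the scraper is actually looking for is shown below as an added example, not code from the report or from any malware family. Track 2 data has the shape `;<PAN>=<YYMM expiry><service code><discretionary data>?`, and a PAN must pass the Luhn checksum, so a scan that checks both the framing and the checksum finds card data in a memory image with far fewer false positives than a bare digit regex. The same logic serves a defender checking whether a payment application leaves clear-text track data in memory. A real scraper obtains the bytes from other processes' memory; here the image is a constructed array containing two public test PANs (4111111111111111 and 5500000000000004, not real cards), one deliberately corrupted PAN and some binary noise.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory image: two valid Track 2 records among binary noise,
 * plus one record whose PAN fails Luhn (a false positive a naive digit
 * regex would report). Adjacent literals keep hex escapes unambiguous. */
static const unsigned char sample_mem[] =
    "\x00\x01\x7f\x00\x00" "customer=ACME\x00\x00"
    ";4111111111111111=25121011234567890?\x00\x00"
    "\xde\xad\xbe\xef" ";4111111111111112=2512101?"
    "\x00" ";5500000000000004=2601201000000000?\x00";

/* Luhn (ISO/IEC 7812) check over an ASCII digit string of PAN length. */
static int luhn_ok(const char *digits, size_t n) {
    int sum = 0, dbl = 0;
    for (size_t i = n; i-- > 0; ) {           /* walk from the rightmost digit */
        int d = digits[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return n >= 13 && n <= 19 && sum % 10 == 0;
}

/* Counts Track 2 records ";PAN=expiry...?" in mem whose PAN passes Luhn.
 * If first_pan is non-NULL, the first hit's PAN is copied into it with all
 * but the last four digits masked, so the finding can be logged safely. */
static int scan_track2(const unsigned char *mem, size_t len,
                       char *first_pan, size_t cap) {
    int hits = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (mem[i] != ';')
            continue;
        size_t j = i + 1, n = 0;
        while (j < len && isdigit(mem[j]) && n < 19) { j++; n++; }
        if (n < 13 || j >= len || mem[j] != '=')
            continue;
        /* YYMM expiry + 3-digit service code, then discretionary data to '?' */
        size_t k = j + 1;
        while (k < len && isdigit(mem[k])) k++;
        if (k >= len || mem[k] != '?' || k - (j + 1) < 7)
            continue;
        if (!luhn_ok((const char *)mem + i + 1, n))
            continue;                          /* digits, but not a card */
        if (hits == 0 && first_pan && cap > n) {
            memcpy(first_pan, mem + i + 1, n);
            first_pan[n] = '\0';
            for (size_t m = 0; m + 4 < n; m++)
                first_pan[m] = '*';
        }
        hits++;
        i = k;
    }
    return hits;
}

int main(void) {
    char pan[32];
    int hits = scan_track2(sample_mem, sizeof sample_mem, pan, sizeof pan);
    printf("Track 2 records with a valid PAN: %d\n", hits);
    if (hits)
        printf("first PAN (masked): %s\n", pan);
    return 0;
}
```

The point for defenders is the converse of the scraper's: if this scan finds anything in a dump of the payment process, clear-text card data is resident in memory and the controls the report recommends (restricting remote access, keeping browsers and email off the terminal, monitoring traffic) are what stands between that memory and an attacker.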

In almost all cases of POS-related data breaches in 2013 the intrusion was reported to the victim organizations by third parties, with notifications by law enforcement and external fraud detection systems being the leading causes of discovery. This means organizations typically learn about POS breaches after attackers begin exploiting the stolen data for financial gain.

Compared to previous years, the new edition of Verizon’s Data Breach Investigations Report is more actionable. The company has included recommended security controls for each of the nine major incident patterns it has identified: POS intrusions, Web application attacks, insider misuse, physical theft and loss, miscellaneous errors, crimeware, card skimmers, denial-of-service attacks and cyber-espionage. This could help organizations in different industry sectors prioritize certain defenses depending on the attacks they’re more likely to face.

For example, companies from the accommodation and retail sectors will learn from the report that they’re likely to be the target of POS intrusion attempts and could focus on the recommended controls for that threat. Those include restricting remote access to POS systems and enforcing strong password policies; prohibiting Web browsing, email and social media use on POS terminals; installing antivirus programs on POS systems; monitoring network traffic to and from POS terminals, and using two-factor authentication for authenticating third-party and internal users to such systems.

International Cyberlaw 2013: Some Highlights

Pavan Duggal
Thursday December 26, 2013, 12:56 PM

The year 2013 at the global level has been a remarkable year as far as growth of Cyberlaw jurisprudence is concerned. The year was dominated by certain developments which fuelled other distinct events.

One of the most profound events of 2013 having an impact upon the evolution of Cyberlaw jurisprudence relates to the revelations by Snowden. The said revelations demonstrate not only how the online sovereignty of countries has been prejudicially impacted, but also how data resident on computers and computer systems, as well as data pertaining to individuals, was being taken away with ease.

The year 2013 once again reconfirmed, at a global level, how governments of the world are increasingly concerned about you, your own data and your own digital existence. From the perspective of governance and governments, individuals are no longer subjects; they are mere data entities who generate, produce and transmit data, and state actors are increasingly interested in the kind of data such entities produce.

As per Google's latest Transparency Report, the U.S. made a total of 10,918 user data requests to Google during January-June 2013, followed by India's 2,691, Germany's 2,311, France's 2,011 and the UK's 1,274, making up the group of five nations that each made over 1,000 user data requests.

However, with increased governmental interest in personal data as well as in the data generated by its data subjects, the protection and preservation of privacy will become an increasingly important challenge for global Cyberlaw.

The Snowden revelations have woken up a large number of nations out of their slumber to the new dangers of an online connected world, a world which has not only made geography history but a world where certain activities, as the ones revealed, can have a detrimental impact upon the sovereignty of other nations.

The NSA revelations have initiated a process of fragmentation of the Internet. Different countries of the world are working towards setting up their own secure networks which can be relatively insulated from such unauthorized access to data. How and in what particular manner such fragmentation will work is a question that is too early to answer. However, the coming of national secure networks is going to lead to further significant legal, policy and regulatory challenges.

One of the most significant challenges that 2013 Cyberlaw jurisprudence has faced is that the world is going to be a very complicated place to live in if each and every country starts asserting its national sovereignty over data or information flowing through computer systems and networks physically located within its boundaries. This would not only make Internet corporations liable for compliance in each country, but could more significantly give rise to an amorphous legal situation. The Snowden revelations have demonstrated in crystal clear terms that more work is needed on international common agreements on how to deal with the complicated challenges of cyber jurisdiction and Internet jurisdiction.

The year 2013 was also a year in which cybercrime reached new levels, its continued occurrence becoming a rapidly spreading phenomenon. There was an increase in cybercrime both in the actual number of instances reported and in the costs.

Estimates of that cost vary widely between studies: one puts cybercrime and cyberspying at $100bn a year for the US economy and perhaps $300bn annually for the global economy, while another puts the global cost of cybercrime at US$113 billion, or just under US$300 per victim.

The increased adoption of mobile phones across the world has accelerated the growth of Mobile Law. Mobile-cellular penetration rates stand at 96% globally; 128% in developed countries; and 89% in developing countries. In 2013, there are almost as many mobile-cellular subscriptions as people in the world, with more than half in the Asia-Pacific region (3.5 billion out of 6.8 billion total subscriptions).

2013 saw the emergence of a variety of mobile apps. As more and more mobile apps engaged in collecting personal information pertaining to their users, there were growing concerns about the protection of privacy, given the blatant use and misuse of such information by certain apps.

Appification of society today is growing at a very rapid pace. “Appification” is the process of providing apps to do the things that would otherwise be done manually. The emergence of appification of society has brought forward the need to address various legal issues and aspects brought forward by such a phenomenon.

Another important Cyberlaw challenge of 2013 relates to the growing popularity of Bitcoin, a virtual currency, its use in the black market, and the numerous attacks by cybercriminals on Bitcoin exchanges. There has emerged a need for an effective enabling legal regime that promotes the adoption of, and prevents the misuse of, such virtual currencies.

The year 2013 also saw 'hacktivism' as a form of political or social protest, where stealing money or private documents was not the motive and attacks were launched instead to undermine the reputation of the targeted company, as seen in the activities of the hacking group Anonymous and the Syrian Electronic Army.

The aforesaid are some of the significant Cyberlaw events that emerged across the world in the year 2013. The list is by no means exhaustive; it is merely illustrative.

The year 2013 has made a definitive impact on the growth of cyberlaw jurisprudence across the world. Henceforth, cyber legal jurisprudence will be viewed as belonging to two different eras, the pre-Snowden and the post-Snowden. The cyberlaw events of 2013 are going to provide fertile ground for the further growth of cyberlaw jurisprudence in the succeeding year.

The author Pavan Duggal is Asia’s leading Cyberlaw expert and authority. He can be contacted at his email addresses pavan@pavanduggal.net, pduggal@vsnl.com and pduggal@gmail.com.