The Green Sheet

Thursday, February 7, 2019

New study spotlights rampant data abuse

The alarming acceptance of security breaches and data abuse as inevitable is the focus of the Identity Theft Resource Center's 2018 End-of-Year Data Breach Report. Published in January 2019 and sponsored by CyberScout, the report aggregates public data breach records to identify emerging threat patterns. In addition to garden-variety data breaches, researchers found widespread data abuse involving users who had opted in to data collection by data-mining entities.

"Not all data incidents are categorized as a breach – this includes incidents of misuse," researchers wrote. "We have found the need to include the existence of these incidents, but not necessarily include them in our reporting. Case in point, this year was the Facebook/Cambridge Analytica incident, which we currently categorize as data abuse and not a breach since users provided permission to the entity originally collecting the information."

ITRC researchers also suggested that data breaches and data abuses have reached an inflection point and urged payments industry stakeholders to take action and help stem the rising tide of malicious activities. "Thieves upgrade, update, communicate and leverage technology to perpetrate their schemes – why aren't we?" they wrote.

Automated attack bots

Several security analysts who reviewed the report noted that automated attack schemes are helping bad actors scale. Franklyn Jones, chief marketing officer at Cequence, described data breaches as gifts that keep on giving long after news headlines fade away.

"Millions of these stolen credentials find their way to the dark web, where they are acquired by other bad actors who then orchestrate automated bot attacks targeting other websites where those credentials might give them fraudulent access to private accounts," Jones said. "Without proper security safeguards, those automated attacks can be quite successful because people tend to use the same login credentials on multiple sites."

George Wrenn, CEO at CyberSaint Security, agreed, noting that cybercriminals have shown that they are capable of evolving at the pace of technical innovation. "Due to the complexity of our day to day lives and the technology, processes, and people involved in them, the question of a cybersecurity incident is no longer a matter of 'if,' but 'when,'" he added.

Metrics-driven approach

Wrenn recommends taking a metrics-driven approach that incorporates leading-edge cybersecurity such as the NIST Cybersecurity Framework to tangibly track and communicate program effectiveness. "The only way we can continue to keep up and, more importantly, get better at keeping up with the bad guys is if we have an efficient cycle of best practice adoption, measurement, analysis and remediation that is easily communicable and measurable, like any other business function," he said.

Rod Simmons, vice president of product strategy at STEALTHbits Technologies, said system administrators must do more to enforce strong passwords and stop users from being careless. For example, when an email address is used as a primary logon method or recovery method, attackers who have access to that email address can request password resets, he stated.

"Single sign-on using technologies like Microsoft Account, Google Account or Facebook are great for users, as it means there's one less credential to manage poorly," Simmons said. "The problem is once that credential is [stolen], not only can a bad actor assume your identity any place you have used it, they can use it in new places you are not aware of to assume your identity."

A full copy of the report is available at: www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_2018-End-of-Year-Aftermath_FINALWEB-V2-2.pdf
