Tuesday, December 30, 2014


Hass & Associates Online Reviews - Security in 2015: Will you care about the next big breach?

From Target to Home Depot to JPMorgan, this year was a bad one for massive security breaches. Expect more of the same next year.

Let's face it, 2014 was a terrible year for computer security, leaving everyone feeling a little more vulnerable.

Hackers stole 56 million credit card numbers and 53 million email addresses from Home Depot between April and September. They took contact information for 76 million households and 7 million small businesses from JPMorgan's vaults. And Target started the year on the wrong foot, coughing up 40 million credit and debit cards, and personal information on 110 million people.

"It'd be hard to find anybody in the US who hasn't had a credit card affected," said H.D. Moore, chief research officer at security firm Rapid7. "People are just numb to the fact."

Will 2015 be the year we learn to care about who to trust with our personal data? Experts have some dour thoughts on what's coming, even as US stores begin to support credit cards with more secure computer chips. There are going to be heightened risks from old threats like email phishing attacks, and new threats posed by the Internet of Things, the idea of having appliances, objects, and electronic devices all connected to each other and the Internet. Here's what to expect next year.

Smarter credit cards

Credit cards containing a computer chip and requiring a separate personal identification number are commonplace in many other developed countries, but have been held back in the US in large part because of the costs. Financial institutions have to pay more to make the new cards, and it's expensive for retailers to upgrade their payment terminals to accept chipped cards. But they are expected to decrease some types of credit card fraud, a problem with current swipe-and-signature cards, because the chips are harder to counterfeit, according to a report from the financial research firm Aite Group. The equipment required to clone a chipped card the way counterfeiters currently fake magnetic stripe cards can cost around $1 million, according to mobile payment company Square.

It's this level of protection that prompted Apple to move forward with its mobile-payments service, Apple Pay, which runs on the same security model as a chip-and-PIN credit card. Next year, retailers will have to accept chipped cards or bear the legal burden of future credit card breaches. The retailers, however, don't have any legal obligation to accept Apple Pay, even as Apple has lined up an impressive group of partners.

The shift in credit card fraud responsibility and tougher security measures will force criminals to refocus their attacks on smaller companies as bigger companies invest their capital in preventing embarrassing, costly breaches, said Andy Daudelin, the vice president of security solutions at AT&T. "Small and medium businesses are going to need to step up in their [physical] place of business and online to protect consumers, and to protect themselves from lawsuits," he said.

Phishing goes mobile

Another risk that could get worse next year is phishing attacks, or malicious emails that try to trick you into clicking on a link, according to Steve Durbin, managing director of the Information Security Forum. "I had a number of [faked] emails allegedly from Amazon on Black Friday and Cyber Monday that said that I had a problem with my Prime account," he said.

Had he clicked on the links in the email, Durbin could have been hit by automatically downloaded malware, or conned into turning over account credentials. It's not hard to get from there to financial fraud. Emails are a valuable resource for cybercriminals because they're an easy gateway to far greater access. While avoiding emails from strangers may seem like common sense, some phishing sites are effective as often as 45 percent of the time, according to a recent Google study.

Moore also cautioned against trusting anything with an Internet connection, a challenge as connectivity explodes across every kind of device from door locks to thermostats. 2015 will see a rise in connected appliances such as refrigerators, and a broader push for smart home products.

"If you can't update it, it's not going to be secure," Moore said. Free-to-use, free-to-modify software was found this year to suffer from catastrophic flaws like Heartbleed and Shellshock, which could lead to malicious device takeovers -- not something you want in a security camera. They'd be unfixable without a way to update the software.

As an example, he pointed to the 2013 FTC investigation of TrendNet's hacked cameras as a good sign, but said people must research connected devices they want to buy on their own to ensure they're safe. Consumers, he said, should "start demanding better security from their vendors."

That could be said for all areas of tech.


Sunday, November 2, 2014


Hass and Associates Cyber Security: How to Avoid Phishing Scams

Phishing scams have been around for quite some time now. But not many people are aware of what they are and what they can do to them. A phishing scam is simply a ploy used by fraudsters to lead you to divulge personal information by pretending to be a legitimate online business. In fact, they trick you into believing they are popular companies, such as Facebook, in order to get your trust.

Beware! Once they have your information, they will then collect information or money from you through your computer or online bank accounts. Here are some tips on how to recognize phishing emails and also how you can protect yourself:

• Poor grammar and spelling. Often, fraudsters, unlike legitimate companies, are not (or do not employ) copy editors and send emails that are not well written. So, chances are, if you read an email with grammatical errors, it could be a scam.

• Avoid clicking links in emails. Links included in dubious email messages could be traps. Simply move your cursor (without clicking) over the link and check if the address is the same as the one in the message. Sometimes, the real web address (that pops up when you move the cursor) is not the same as the company’s supposed web address.

Links could also bring you to .exe files which could infect your PC with malicious software.

• Scammers often use threats. Fraudsters, and swindlers in general, are good at causing their victims to feel guilty or fearful. They will threaten to close your account or say that your security has been compromised in order to cause people to act according to their wishes. Such tactics are not used by professional companies. Get more information on how you can protect yourself from such ploys.

• Copying popular companies or sites. Cybercriminals employ logos, pop-up windows and other graphics that appear to link you to legitimate websites but in reality lead you to fake scam sites. One of the most-often spoofed companies is Microsoft. Protect yourself by getting more information on how scammers do it.

Here are some other tips to protect you from scammers:

• Only make use of dependable security software and set it to stay updated automatically. Moreover, learn standard security practices available on this link: computer security practices.

• Never give out personal or financial information by email. Email is not a protected means of sending confidential information.

• Post personal or bank information only through a company’s website if you yourself typed in the web address and have checked that the site is secure. A URL that is secure will start with https (the “s” means secure). This is not totally reliable though, as scam artists have also found a way around it.

• Inspect credit card and bank account statements right after you receive them to see if there are any unauthorized transactions. If your statement arrives a few days late, call to verify the billing address used and check out your account balances.

• Be careful when clicking on attachments or downloading files from emails, regardless of who sent them. These files may contain viruses or other malware that can compromise your PC’s security.

The world has suddenly become not just convenient but also complicated. Yes, we can do banking and shopping online; but the burglars have also followed us on the virtual highway and found ways to steal our personal information and our money as well. We can protect ourselves from these criminals by knowing where they come from and how they operate.


Tuesday, September 23, 2014


World first cyber security training centre opens in Bristol: Hass & Associates Online Reviews

From left, Brian Lord OBE, managing director for cyber at PGI, Karen Bradley, Minister for Modern Slavery and Organised Crime, and Vice Admiral Sir Tim McClement, chairman of PGI, during the live hacking demonstration at the PGI launch of the Bristol training centre

A world-first cyber crime fighting training centre has opened in Bristol, aiming to help businesses, government agencies and even police forces keep ahead of this growing threat.

The centre, run by Protection Group International, was opened by Organised Crime Minister Karen Bradley, who said it was a “major step forward” in the ongoing fight against cyber crime.

She said: “To stay one step ahead of the cyber criminals, we need to ensure enough people in all sectors of the economy have the right skills to understand and take action against the threat they pose.

“PGI’s innovative training facility is an excellent example of how British know-how and capability can help governments and businesses around the world protect themselves in cyberspace.”

The £5-million centre in Aztec West is the first of its kind and already employs 50 people recruited from specialist fields.

Chief executive Barry Roche told the Post that Bristol was the perfect site for its new facility.

“Bristol rose to the top of the shortlist very quickly because of the talent pool in the South West,” he said. “Bristol has a long technology heritage as well as fantastic transport links. It is the right place.”

Customers range from large corporate firms to public sector organisations such as councils and police forces and foreign governments.

The 4,000 square metre facility includes three classrooms and a dedicated network, giving people the chance to work in a so-called sandbox – a safe environment where they can play around without fear of damaging their own network.

Barry said training courses for IT and cyber security professionals are “very technical”. But there are also courses for chief executives and board members, with facilities to host board meetings on site at the same time.

He said it was often at the highest level of an organisation that awareness and understanding of cyber crime was lowest.

“The need for organisations to protect themselves against cyber crime has never been greater,” he said. “Regulators, customers and employees all expect their data to be kept secure and the burden of accountability rests squarely with those responsible for maintaining that security.

“Whether you’re a board member, IT manager or IT professional, ensuring that you’re not the weak link when it comes to cyber security is a business-critical issue.”

Barry is a former Royal Marine while managing director Brian Lord is the former deputy director of Government listening base GCHQ in Cheltenham, where he ran the intelligence and cyber crime operations.

Brian said the threat was as much the people as the technology.

“Attackers exploit human vulnerabilities and the weaknesses inherent in IT systems and infrastructure due to human errors in coding, design, maintenance or procurement,” he said. “Consequently, a strong cyber security programme should also consider human factors from the vulnerability of the systems’ users to the motivations guiding attackers.”


Thursday, September 18, 2014


Hass & Associates Online Reviews: The Naked Truth About Internet Security

At ProgrammableWeb's API conference next week in London (Sept 24-26), my keynote session will identify patterns in some of the recent cybersecurity transgressions, what could have been done to stop them, and why Internet security is currently a trainwreck.

It Will Fappen To You. It's Only a Matter of Time.

It was apparently a wake-up call for the general public when, in what is now being called the "Fappening," headlines revealed that hackers were able to publish nude photos belonging to celebrities like Jennifer Lawrence that were thought to be both private and secure in Apple's iCloud. Though Lawrence very bravely acknowledged that the photos were indeed of her and not Photoshopped fabrications, make no mistake about it; for her and the other impacted celebrities, it was the ultimate digital violation of their privacy.

For Apple, which was on the verge of announcing Apple Pay -- a means by which iPhone 6 users would be able to make NFC-based contactless payments at supporting merchants -- the timing could not have been worse. When it comes to handling personal payments, nothing matters more than trust. Just ask Home Depot and Goodwill; two big national brands suffering an erosion of trust after hackers gained access to the credit card data of hundreds of thousands of their customers.

Likewise, thanks to the revelation that the so-called hackers gained unauthorized access to celebrity iCloud accounts, Apple's trust took a hit. But, in the scheme of things for Apple, it's really more like a flesh wound. Compared to other vendors of personal technology, Apple has enjoyed a relatively stellar track record when it comes to security. Meanwhile, fearful that it could happen to them, iCloud users everywhere scrambled to change their passwords, remove any sensitive content from their iCloud accounts, and reconfigure their iOS devices so as not to automatically upload newly taken photographs and video to Apple's iCloud.

But for many of us who are closer to the nuances of Internet and digital security, this was not a wake-up call. This was just another successful hack in a long line of transgressions that collectively point to (1) the lengths to which hackers with nefarious intent will go to achieve their objectives, (2) the fundamental problems with the way the Internet is secured, and (3) how APIs are increasing the Internet's vulnerable surface area and what API providers must do about it. After all, while Apple will very likely regain the trust of most of its customers, a transgression of this nature could mean death for a smaller brand. The stakes are not to be underestimated.

While Apple has, in its press release regarding the incident, admitted that celebrity iCloud accounts were victimized by a targeted attack, it has also said that the attack was not a result of a breach in the security of its systems and infrastructure. While the meaning of "breach" is like "beauty" (it's in the eyes of the beholder), Apple, for its part, has not disclosed the exact details of the transgression (transparency is still a major problem in our industry) and so much of what is public at this point still falls into the journalistic bucket of speculation. Nevertheless, if true, the currently prevailing non-Apple account of the celebrity iCloud incident offers some very visceral clues as to the lengths that hackers will go to achieve their objectives.

Not So Fast Sonny!

Allegedly, at the heart of the incident was a missing safeguard (called a rate limiter) that would have prevented the hackers from employing a "brute force attack" whereby an infinite number of passwords are tried for a given iCloud account until one finally works. By now, most Internet users have bumped into a rate limiter. After several incorrect user ID and password attempts, a Web site starts to treat you with suspicion. Some sites like Google's Gmail will start by using technologies like captcha to prove that you're human and that you're not a computer that's automating repeated attempts in rapid succession. Other sites will disable your account for some period of time like 10 minutes or an hour after which you can come back for another limited round of attempts. Still, other sites, particularly financial institutions, will lock the account until a human makes personal contact with a customer service representative.

In Apple's case, part of the issue has to do with how users typically only have one user ID (an "Apple ID") and password -- called a single sign-on (SSO) -- for accessing the entire constellation of Apple's online services. From iTunes to iCloud, the keys to the kingdom involve one set of credentials. As far as we know, wherever these credentials can be supplied, Apple had rate limiting in place. Well, all except for at least one (allegedly); where the credentials must be supplied in order to interface with the API for Apple's Find My iPhone service. Going back to Apple's press release and depending on your interpretation of the word "breach," exploiting such a vulnerability may not technically constitute a breach. If, for example, the lack of rate limiting through the Find My iPhone API was a deliberate choice by Apple's engineers, then the hackers simply took advantage of Apple's design decision.

With no rate limiting on that one entry point into the kingdom, the hackers only needed to create a bit of software with no other purpose than to try a nearly infinite number of Apple ID/password possibilities through that entry point. Not only did they create that software. They called it iBrute and made the source code for it public on the site Github.com so that other hackers could try it out or even worse, improve it. With no safeguard in place, it was only a matter of time before several keys to the kingdom -- each for a different Apple account (one of which was Jennifer Lawrence's) -- would be discovered.
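The safeguard the article says was missing, as an added example written for this page (not Apple's code and not from the original post): a per-account and per-source failure counter with a sliding window and a temporary lockout, placed in front of the password check so a locked key is rejected before any credential is evaluated. The wordlist, account store and addresses are constructed for the demonstration; a real deployment would also hash passwords with a slow salted algorithm rather than the plain SHA-256 used here to keep the block short.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed wordlist for the simulation: the kind of entries a frequency
# list built from a leaked password dump would put near the top.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123",
                    "monkey", "letmein", "dragon", "111111", "baseball"]


def pw_hash(password):
    """Unsalted SHA-256 keeps the example short; use scrypt/bcrypt/argon2 in practice."""
    return hashlib.sha256(password.encode()).hexdigest()


class LoginRateLimiter:
    """Sliding-window failure counter with a lockout, tracked per key.

    Callers pass two keys per attempt (account and client address) so that one
    source cannot hammer one account and one account cannot be sprayed from many
    sources without tripping the account-side counter.
    """

    def __init__(self, max_failures=5, window_seconds=600.0, lockout_seconds=900.0):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lockout expires

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def is_locked(self, key, now):
        return now < self._locked_until.get(key, 0.0)

    def record_failure(self, key, now):
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, key):
        self._failures[key].clear()


def authenticate(limiter, store, account, password, source, now):
    """Return 'locked', 'ok' or 'bad'.

    The lock check runs before the password is compared, so a guess against a
    locked key is never evaluated and reveals nothing about the stored secret.
    """
    keys = (f"acct:{account}", f"src:{source}")
    if any(limiter.is_locked(k, now) for k in keys):
        return "locked"
    # Unknown accounts still go through the hash and compare, so timing does
    # not distinguish "no such user" from "wrong password".
    if hmac.compare_digest(store.get(account, ""), pw_hash(password)):
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k, now)
    return "bad"


def simulate_guessing(limiter, store, account, source="203.0.113.7", interval=0.05):
    """Replay the wordlist against one account from one (constructed) address and
    report how many guesses were actually evaluated and whether one succeeded."""
    now = 1_000_000.0
    evaluated = 0
    found = None
    for guess in COMMON_PASSWORDS:
        result = authenticate(limiter, store, account, guess, source, now)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            found = guess
            break
        now += interval
    return {"evaluated": evaluated, "found": found}


if __name__ == "__main__":
    accounts = {"victim@example.com": pw_hash("monkey")}   # constructed weak account
    print("no limiter:", simulate_guessing(LoginRateLimiter(max_failures=10**9), accounts, "victim@example.com"))
    print("limiter:   ", simulate_guessing(LoginRateLimiter(max_failures=5), accounts, "victim@example.com"))
```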

Once hackers discover a vulnerability like this one, it's a race against the clock. Sooner or later, if a company like Apple has its security act together, it will discover such vulnerabilities on its own and close them off. So, with the clock ticking, what's a hacker to do? What else but try the most commonly used passwords? For this, the hackers allegedly turned to what's commonly referred to as the RockYou database. It's a publicly available database containing the passwords for over 14 million user accounts of the RockYou social gaming service that were revealed when that service was hacked back in 2009.

If there was ever a time to say "we're only human," this is it. One of the not so dirty little secrets of digital security is how "Password" and "123456" are the two most common passwords. In fact, there's even a list of the top 25 passwords. But with a list of the passwords to over 14 million accounts (a very projectable sample of humans), coming up with a relatively accurate list of the top 500 or 1000 passwords that people use isn't too difficult either. The hackers apparently did this too. By now, if you've read this far, you're asking "What about the celebrities' email addresses (which is what Apple uses for Apple IDs)? How were they discovered?"  My answer, even if for only a moment in time, this information is relatively discoverable, especially for celebrities.

There's no telling how long the hackers used iBrute to dig for the passwords for targeted Apple IDs. But once they had them, it would have been a mountain of work to log in to the celebrities' iCloud accounts and pore through all of their photos looking for anything sensitive. With the clock still ticking, they would need something that off-loaded the photos to local storage before any of those IDs and passwords changed. For that, the hackers allegedly turned to the same software that law enforcement agencies use to download photos in bulk; a product called Elcomsoft Phone Password Breaker (EPPB) that Wired referred to as the Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud. According to Wired, "EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com." Once the hackers had all of the images on their own hard drives, there was nothing standing between them and a very embarrassing event for both the celebrities and Apple.

Circumstantial Evidence

Again, it's important to note that Apple has not confirmed the majority of these details nor has it disclosed a technical account of the matter that refutes them. Since the attack, Apple has apparently applied rate limiting to the Find My iPhone API entry point. In an article published on Sept 1, 2014, TheNextWeb.com reported how various developers, using their own Apple accounts, confirmed iBrute's ability to exercise a brute force attack through the Find My iPhone API. According to the report, Apple introduced rate limiting at 3:20am PT that day, effectively neutralizing iBrute's method of attack. In an interview with the Wall Street Journal, the company's CEO Tim Cook suggested that "celebrities' iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords."  The WSJ article went on to say that "Apple will broaden its use of an enhanced security system known as two-factor authentication" and also said that Cook claimed that "none of the Apple IDs and passwords leaked from the company's servers."

In its press release, Apple implored users to activate an optional version of the two-factor authentication that it offers to account holders. More specifically, the release said "To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification." As explained in this how-to, Apple's two-step verification (a consumer-friendly name for "two-factor authentication" or "2FA") prevents everyone but the person in possession of a pre-specified trusted device (the so-called second factor; a phone, an iPad, etc.) from logging into a 2FA-secured account.

But Apple's 2FA advice is problematic for two reasons. First, since API-based interactions are automated interactions that often involve two machines talking to one another, API-based authentications are rarely secured with a second factor. If any forward-looking good comes of the so-called Fappening, perhaps it will be a conversation among API economy stakeholders as to how exactly and when to secure API-based interactions with two-factor authentications.

Second, as noted in an article published by TechCrunch about the Fappening (see Apple’s Two Factor Authentication Doesn’t Protect iCloud Backups Or Photo Streams), several security researchers have long noted how Apple's 2FA scheme doesn't cover all entry points into the Apple kingdom.

In May 2013, Ars Technica published an article (see iCloud users take note: Apple two-step protection won’t protect your data) referring to research done by the developers of EPPB that said "In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device...In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify; simply log in to your iCloud account, and you’ll have full information to everything stored there without being requested any additional logon information."

Circling back to Apple CEO Cook's references to phishing attacks, the company has yet to offer evidence that such attacks took place in advance of the Fappening nor has evidence of such an attack gone viral on any of the social networks (which most likely would have happened). Phishing is a technique whereby hackers with nefarious intent use email to lure unsuspecting users to enter their user IDs and passwords into Web pages that look official, but that are actually impostors. These emails are a form of social engineering that often preys on current events. After news of the celebrity photos struck fear into millions of Apple's customers, it didn't take long for phishers to strike. The email pictured below, received by my wife on Sept 2, 2014, states that "your Apple/iCloud Account has been momentarily restricted until you can validate your Apple and iCloud information." However, when I moused-over the links in the email and inspected the sender's address, my browser revealed that they pointed to a domain other than Apple's; a domain where my wife's Apple credentials would most certainly have ended up in the wrong hands, had she entered them.
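The mouse-over check described here, and in the "Avoid clicking links in emails" tip earlier on this page, done programmatically: an added example written for this page (not from the original article) that pulls every anchor out of an HTML email body and flags links whose real host is outside the claimed brand's domains, links whose visible text shows a different address than the href, executable downloads, and a sender domain that does not belong to the brand. The email body, sender and the TRUSTED_DOMAINS map are constructed for the demonstration, and the two-label domain heuristic stands in for a proper public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allow-list: which registrable domains a brand legitimately uses.
TRUSTED_DOMAINS = {"apple": {"apple.com", "icloud.com"}}

# Constructed phishing email of the kind the article describes (not a real message).
SAMPLE_SENDER = "Apple Support <noreply@appleid-verify.example>"
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Your Apple/iCloud Account has been momentarily restricted until you can
validate your Apple and iCloud information.</p>
<p><a href="http://apple.com.account-validate.example/login">https://www.apple.com/</a></p>
<p>Questions? Visit <a href="https://www.icloud.com/">iCloud</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host name. Real code uses the public suffix list so
    that e.g. 'example.co.uk' is handled; the heuristic is enough here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_links(html_body, claimed_brand, sender):
    """Return a list of (finding, value) pairs; an empty list means nothing looked off."""
    trusted = TRUSTED_DOMAINS[claimed_brand]
    findings = []

    m = re.search(r"@([A-Za-z0-9.-]+)", sender)
    sender_domain = m.group(1).lower() if m else ""
    if registrable(sender_domain) not in trusted:
        findings.append(("sender-domain", sender_domain))

    collector = _LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https"):      # javascript:, data:, etc.
            findings.append(("odd-scheme", href))
            continue
        if registrable(host) not in trusted:             # real destination is elsewhere
            findings.append(("link-domain", href))
        shown = re.search(r"https?://([A-Za-z0-9.-]+)", text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(("display-mismatch", href))   # text says one site, href another
        if parts.path.lower().endswith((".exe", ".scr", ".zip")):
            findings.append(("executable", href))
    return findings


if __name__ == "__main__":
    for finding, value in audit_links(SAMPLE_EMAIL, "apple", SAMPLE_SENDER):
        print(f"{finding:17} {value}")
```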


Tuesday, September 9, 2014


Fighting Words: Criticism Of Video Games And Gamers Hass & Associates Online Reviews

The video game industry is still talking about the violent threats made against Anita Sarkeesian, a video game critic, who alerted the police last week and went into hiding, according to her Twitter posts.

In a column, I wrote about the questions Sarkeesian raises in her critiques such as how do video game makers treat female characters at a time when women are playing games more than ever.

Some may be puzzled why Sarkeesian’s critique caused such a stir, as she refers to in her tweet Monday (above) when talking with the police. Sarkeesian received vitriol, and not just from the person who threatened her, for pointing out the obvious, The New Statesman writes.

I’m not a gamer, but I have kids who play. There seems to be an insider culture of mostly young male players who want to keep their game world safe from both female players and any criticism that might diminish their enjoyment.

In reporting the column, I was surprised by accounts of women who feel they have to hide their gender while playing social games or face abuse. Or, if they play as female, they are called on to prove their abilities, something male players do not face.

Sarkeesian connects the content of video games to the behavior of video gamers:

So what will it take to change the video game industry, the games and the gamers? After all, the gaming audience is broadening and becoming more diverse, with women in particular gravitating to mobile games. Shouldn’t video game companies want to appeal to this audience?

James McQuivey, an industry analyst at Forrester, told me that it may take a while for the gaming industry to change:

The best way to break this habit is to promote alternative ecosystems of game development, which is exactly what mobile gaming is and we do see more diversity in mobile gaming. But so far the industries haven’t collided sufficiently that the more expansive culture of mobile gaming has helped the console gaming business rethink itself.


Monday, September 8, 2014


Hass & Associates Online Reviews: Tips for Safe Online Shopping

BILLINGS - From major companies like Home Depot, Target and Albertsons -- to everyday people -- data breaches are becoming more and more common. If you are shopping or banking online, experts have a few tips to keep your data safe.

If you're using a phone, start by assigning a passcode, and turn off your Bluetooth and Wi-Fi when you're not at home. Using different passwords for every account is also a good idea, according to CNN Money. Before entering your card details online, make sure there is a lock symbol in the task bar, which ensures the connection is secure.

Stockman Bank Vice President of Operations Rhonda Moore says if fraud is involved in online purchases, with a debit card, the money in your account becomes unsafe, but with a credit card, the money belongs to the credit card company.

"If you're going to be shopping online with your debit card, you should also have online access to your bank account, so you can make sure the charges are all valid and they're all yours," she said.

Staysafeonline.org suggests the following tips:

"Keep a clean machine: Having the latest security software, web browser and operating system are the best defenses against viruses, malware and other online threats.

Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.

Unique account, unique password: Separate passwords for every account helps thwart cybercriminals.

When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it's best to delete or, if appropriate, mark as junk email.

Get savvy about Wi-Fi hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your machine."

If you notice something suspicious on your statement, immediately call your bank or credit card company, Moore said.

Next, delete emails and personal messages with any banking information, and change all of your passwords.


Friday, September 5, 2014


Hass & Associates Online Reviews: Expert Reaction, Business Implications Of The Icloud Hack


What ramifications will businesses and Apple itself face following the celebrity leaks.

The dust has barely begun to settle following the massive celebrity 'nude photo' leak over the weekend, yet allegations and claims are flying here, there, and everywhere.

Fingers are being pointed at suspect iCloud security despite no concrete evidence of exactly how the images became public in the first place (that is, apart from the original 'leakers' confession of obtaining the images from iCloud).

Firstly, it has to be unlikely that iCloud itself sustained a large attack, especially as the service is 128-bit encrypted both ways of delivery.

What is much more likely is that this was a social engineering attack, an exploitation which works by manually deciphering information about the target, i.e. email addresses, date of birth, secret question answers, to try to gain spoofed access to an account.

Of course this does raise issues about the surrounding security of iCloud against social engineered attacks, but businesses should have a much higher level of security than your regular Hollywood celebrity.

Steve Jones, head of R&D at UK penetration tester RandomStorm, said: "Although Apple's encryption of the data itself is considered robust, Apple could apply AES 256 bit encryption to the images. This would put the majority of hackers off, or really slow them down.

"However, access to the celebrities' images could have been gained through more indirect means, such as guessing the celebrities' passwords, or by finding their email address and then correctly answering traditional security questions.

"Apple could improve the security of iCloud by enforcing the use of much stronger, unique passwords and by introducing two factor authentication to iCloud accounts, to ensure that access is from the correct device and/or account owner."

Weak passwords could be what is at the heart of this leak, and if your business is not operating at a level where it is creating stronger passwords than a layman then things need to change.

Paco Hope, Principal Consultant at software security company, Cigital, also argues that iCloud is not in itself risky for businesses if used correctly. "Businesses build security in by using secure software to access their data. The choice of cloud provider is just part of that overall picture. This hack means nothing with respect to the security of iOS: iOS devices were merely the cameras in this situation. No one should change their position on iOS versus Android versus Windows based on this incident."

Furthermore, large firms such as Apple obviously have trained and dedicated in-house security teams which are constantly patching and working around flaws in the armour. Rik Ferguson, VP of security research at Trend Micro, said: "A wide scale 'hack' of Apple's iCloud is unlikely. Even the original poster is not claiming that."

Steve Jones further argues that the security responsibility does not solely lie with the cloud storage provider. He said: "Businesses observing this hack should already understand that any digital asset that is valuable, whether it be employee login details, customer data, patient records, financial details, or intellectual property, is a target for cyber thieves and needs to be protected appropriately.

"This also means that businesses cannot delegate information security to their cloud service provider. If your business is faced with a determined assailant you need to put in place your cyber fire drill: change the rules on your firewall to shut the ports until further notice, move the assets, hide the assets and block access until you have had time to assess which vulnerability was exploited."

Mike Ellis, CEO at ForgeRock, also argues that it is indeed businesses that need to be more aware of cloud security. He said: "Big businesses as well as large, trusted government organisations need to manage vast and growing numbers of employee and customer digital identities.

"Global brands and large organisations that fail to take the right steps to address the growing complexity of identity relationship management risk not just a big dent in their reputation and trust, as iCloud is surely likely to face, but serious commercial or social consequences too as customers switch to more trusted brands or switch off entirely altogether. This example is just the tip of the iceberg and must be addressed sooner than later."

But Egemen Tas, VP of Engineering at Comodo Group, highlights some of the ramifications he thinks businesses with lapsed cloud security face. He said: "Cloud service providers should realise that they are expected to be as liable as a bank would be when it comes to catching fraudulent activities or having security and compliance procedures in place.

"Banks have legal compliancy requirements and regulations hence they have ways to combat similar threats to the cloud. Why shouldn't cloud storage providers have similar legal regulations and liabilities? Just like we are more than one password away from our personal online banking accounts, we should be more than one password away from our cloud storage accounts. Having one password on our cloud accounts is not enough to combat attacks of this nature."

This breach, no matter who is to blame, ultimately still alerts businesses to the risk of cloud storage, but this unfortunate opportunity should be used to highlight areas where improvements can be made and cloud security awareness can be heightened. Alex Raistrick, from Palo Alto Networks, comments: "The recent scandal involving leaked photos of celebrities stolen from Apple's iCloud storage facility serves to highlight that security is still one of the greatest barriers preventing cloud computing from reaching its full potential. However, amid the negativity there are now more opportunities than ever for channel partners who specialise in cloud security to move in and toughen up security, particularly on previously 'trusted' platforms."


Thursday, September 4, 2014


Hass & Associates Online Reviews: FBI Investigates Possible Breach of JPMorgan

Cnet.com reported on 27th August, 2014 that the FBI (Federal Bureau of Investigation) is investigating a data breach at JPMorgan and possibly at several other banks. According to Forbes, a renowned American financial magazine, JPMorgan is the largest bank in the US and the sixth largest in the world.

Sources said that the investigators probing the matter believe the hackers may have gained access with the help of malware, although details of the reach and timing of the hack are scant; two to five US banks might have been affected.

Cybercriminals seeking customers' financial data have long targeted banks. Cnet.com published news on 27th August, 2014 quoting Trish Wexler, spokeswoman for JPMorgan, as saying "Financial Services Company Fights Hackers Continuously."

Bloomberg.com published news on 28th August, 2014 quoting Wexler as saying "It is unfortunate that companies of our size get cyber-attacks almost every day and so we have many layers of defense to thwart any threats and continuously monitor fraud levels."

In the meantime, security researchers scanning JPMorgan's network found malicious software on computers in India and Hong Kong that is capable of stealing sensitive banking data. This finding was separate from the attacks being investigated by the FBI.

Bloomberg.com published news on 28th August, 2014 quoting one of the researchers as saying "they found an office of JPMorgan in Hong Kong infected in July 2014 with Zeus Trojan horse malware, which can steal banking credentials. Also, an office in India was found infected in the last week (fourth week of August) with Sality malware, which can compromise Web servers and steal data."

According to media in the US, Russian hackers are believed to be behind the attacks. Online news website Bloomberg quoted two persons probing the matter as saying "the FBI believes that the attacks were in retaliation for sanctions by the US against Moscow over its support of secessionist rebels in Ukraine."

Moreover, many US banks were attacked online early this year, including J.P. Morgan Chase, Wells Fargo, Bank of America, HSBC (Hong Kong and Shanghai Banking Corporation) and Citigroup, and government officials believe that these attacks originated from Iran.


Wednesday, August 20, 2014


Hass & Associates Online Reviews: Banks Often Neglect to Investigate Fraud Claims


With information theft on the rise, it turns out that banks and lenders almost always compensate their customers for fraudulent charges. However, a full half (52%) of financial institutions do so without conducting any kind of investigation into the issue. In Western Europe, the rate is 54%.

Kaspersky Lab, in collaboration with B2B International, recently conducted a global study which shows that nearly a third of institutions consider implementing security systems to be more expensive than simply repaying their customers for the damage caused by internet fraud.

It’s a theme that also pervades many organizations that manage online payments: 28% of representatives of financial institutions and 32% of employees of online shops who were questioned are convinced that the total damage caused by cybercrime, including the repayment of the stolen money, would not exceed the cost of implementing appropriate security solutions.

Only 19% of financial institutions and 7% of online firms cite the cost of compensating customer losses in the top three most serious consequences of cyber-fraud.

But the issue is escalating. According to the Kaspersky Security Network, almost four million users of Kaspersky Lab products encountered financial malware designed to steal their money in 2013 (an increase of 18.6% compared to 2012). In December 2013, several US banks lost more than $200 million due to the loss of their clients' personal information or credit card data. The total damage is probably much higher, the firm noted, adding that it is clear that the continued growth of cybercrime will inevitably lead to a situation where the refunds that institutions pay will cost more than protecting financial transactions, and will exceed their compensation budgets.

"Financial institutions should not only accrue large sums of money in their budgets to repay the stolen money to their customers, but also to cover the cost of claims filed by their customers. Most importantly, even when the victims are repaid quickly, customers may think twice before using the services of a bank that fails to ensure that their online accounts are safe. It is therefore better to prevent damage and loss rather than compensate," said Martijn van Lom, CEO of Kaspersky Lab Benelux and Nordic, in a statement. "Customized solutions designed to protect online transactions can reduce the risk of Internet fraud to a minimum. This means that resources earmarked for compensation would be released and could be used in the development of the company."

Another argument for the use of specialized security solutions is the negligence of clients. An earlier Kaspersky Lab survey shows that 57% of users take (almost) no account of the security of their online payments, because they think that their bank will do what it takes. This, in turn, increases the risk of becoming the target of cybercriminals.


Sunday, August 17, 2014


Hass & Associates Online Reviews: Protect Your Identity at All Costs

Durban - Identity theft is rising in South Africa with thieves costing the economy more than R1 billion every year - and KwaZulu-Natal is providing rich pickings for them.

According to a recent study by credit bureau Compuscan, 1 370 cases of identity fraud had been reported to the Southern African Fraud Prevention Service (SAFPS) by the end of April, with 17 percent of incidents occurring in KZN.

Gauteng, South Africa’s economic hub, has the highest share of identity theft (48 percent), followed by KZN and the Western Cape (10 percent).

And, according to Compuscan, this hike is likely to continue, with the number expected to rise above 4 000 by the end of the year.

Compuscan director, Frank Lenisa, said the trend was worrying.

“What worries us more is that consumers are often unaware that they have fallen victim to such a crime and this could have a negative knock-on effect in their ability to obtain credit in future,” he said.

According to the National Credit Regulator’s latest quarterly publication, Credit Bureau Monitor, there were 20.64 million credit-active consumers in South Africa as at the end of last year.

“Each one of these is urged to pay close attention to the threat of fraudulent activity that could affect their credit records,” Lenisa said.

Consumers usually only find out they have become victims of identity theft when checking their credit report while applying for a home loan or car finance, he said.

Carol McLoughlin, executive director at SAFPS, a non-profit fraud prevention company, said it worked with its members - comprising all the large banks, retail groups and insurance companies - to track fraud trends with the hope of preventing them.

Her organisation also offers free protection to members of the public who have become victims of identity fraud, as their ID numbers are filed on the SAFPS database under the category “Victims of Impersonation” to give them protection against further attempts at fraud.

“A copy of the innocent victim’s ID is scanned in and attached to the record, so that member companies can compare the true victim’s ID against the ID of any future applicants (impersonators/fraudsters) who attempt to use this same ID to open accounts and submit claims,” she said.

In some instances, the details of the actual impersonator can also be uploaded on to the database.

“For example the fraudster might use his or her own cellphone number and ID photo when applying for a loan or opening an account using an innocent victim’s name, ID number and address. These records are filed under the ‘Impersonator’ category on the database.”

McLoughlin could not say why KZN was experiencing the second-highest incidence of identity fraud in the country, but explained that incidents often took place in a different province to where the victim resided.

“Every day we hear about a new type of scam or method being used by fraudsters to gain access to personal information.

“At the end of the day, consumers need to be far more vigilant when giving out their personal information online and must avoid being hoodwinked into clicking on to web links that they receive via SMS and e-mail,” she said.

“They must shred unnecessary documents containing personal information and always make sure that they authenticate websites before they fill in online applications and forms.”

Compuscan urged people to check their credit report regularly, saying that every South African was entitled to one free credit report annually, according to the National Credit Act.

Despite the number of credit-active consumers in the country, only about 14 000 request a report from Compuscan each year.

Compuscan has launched a personal online credit report portal called My Credit Check (www.mycreditcheck.co.za) that allows users with valid ID numbers to monitor their complete financial history.


Tuesday, August 12, 2014


Hass & Associates Online Reviews: Despite Privacy Concerns, It's Time to Kill the Password


I know it is easy to be skeptical of government initiatives, but a burgeoning federal initiative to help us better manage our online identities deserves our attention—and trust.

The White House cybersecurity czar Michael Daniel said in June that he’s on a mission to “kill the password dead.” It’s a laudable goal. The problem with passwords is the false sense of security they provide. In fact, they’re easy to crack—and getting easier every day.

A typical eight-character password has 6.1 quadrillion possible combinations. In 2011, it would have taken a year for a fast desktop computer to crack an eight-character password. Today, thanks to new crowd-hacking technologies, it takes an average of 5.5 hours.

Or less. Any hacker with a decent smartphone can take a seat next to you at the coffee shop and use his phone’s camera to record your keystrokes as you type away on your laptop, capturing all your sensitive usernames and passwords.

That’s why we need to get rid of passwords. And that’s why the White House is implementing an ambitious plan called the National Strategy for Trusted Identities in Cyberspace (NSTIC), which promises to stamp out fraud at government sites by giving users a better way to prove they are who they say they are. The initiative is focused on moving all government sites, and potentially all public-sector sites too, away from usernames and passwords and toward stronger identity management.

As a first step, NSTIC will connect different government agencies with third-party credential providers that will verify certain personal information about their online users and issue secure credentials for them to use in transactions at government sites.

For instance, the system could allow the same person to use a single credential to apply for a driver’s license, fill out a student aid form and file taxes online, all without ever entering a password. The idea is that this secure ID—what some are calling a personal driver’s license for the internet—can eventually be used at other sites around the web not related to government. Because if people have a simple, secure way to prove who they are online, without using passwords, it will be easier and safer for everyone to do business on the internet.

I believe consumers will welcome this proposal, which offers more secure access to important personal websites like banking sites. Passwords are just not good enough. People need stronger proof of identity, like the one envisioned by NSTIC, to better trust authentication—and better trust the internet.

Inevitably, some privacy advocates are crying foul over NSTIC. They fear that if the U.S. government has your ID, it will end up mining that information for its own nefarious purposes. In the wake of the NSA surveillance revelations, critics are concerned that a push toward a single-ID system will enable the government to more closely track citizens online.

That possibility can’t be ruled out, I suppose. But people should realize that the far more immediate threat to their personal information is posed by hackers who crack their passwords—and NSTIC promises to stop them. It’s designed to protect internet users by providing authentication far stronger than can be accomplished by passwords alone.

In fact, those who are most concerned about privacy are the ones who should embrace NSTIC identities, which, like a driver’s license, will come with a reliable vetting process. What’s more, they’ll be based on a cryptographic signature generated by a trusted authority, which for the most part will be third-party certificate authorities.

NSTIC’s goal is not evil. It simply aims to create an “identity ecosystem,” built and maintained by the private sector, in which government agencies can accept log-on credentials issued by nongovernment third-party providers. And in which members of the ecosystem can prove their identity to others who are also in the ecosystem. In this way, NSTIC authentication doesn’t expose your identity, it helps protect it. And you can still choose when and where to use your stronger NSTIC identity—or not.

Furthermore, under the NSTIC guidelines, the service must preserve anonymity around the public data it collects. For instance, personal identifiers like age, gender and address cannot be linked back to their owners. The guidelines also stipulate that activity on government websites cannot be linked to third-party identity providers and vice versa.

Even the Electronic Frontier Foundation, a leading digital rights group, is optimistic about the future of NSTIC. “The NSTIC system is voluntary, run by private companies rather than the government itself and, most importantly, it is decentralized, so that individuals will be able to choose between different providers,” said Lee Tien, a senior staff lawyer at the Electronic Frontier Foundation, in a recent interview.

If we want to achieve a higher level of security for internet users, there is no better place to start than the elimination of passwords. And NSTIC is a significant step in that direction.


Sunday, August 10, 2014


Hass & Associates Online Reviews: Advertisers Join Forces to Fight Online Ad Fraud

As marketers grow increasingly concerned about the integrity of the online advertising inventory they are buying, a trade group and 30 well-known marketers are forming a coalition to address the problem.

The group, which is being led by the Association of National Advertisers, has hired ad fraud-detection firm WhiteOps to study and help stamp out so-called “bot fraud.”

Bots are computers hijacked by viruses that are programmed to visit sites and mimic human behavior, creating the illusion of authentic web traffic in order to lure in advertisers. Bot traffic costs advertisers because marketers typically pay for ads whenever they are loaded in response to users visiting Web pages — regardless of whether the users are actual people.

The ANA said that some marketers estimate that about half the money they spend on digital advertising is wasted because of “bot fraud.” With digital ad spending around the globe expected to grow 17% this year to $140 billion, according to eMarketer, the stakes are high.

Ad executives blame the rise of fraudulent traffic on advertisers’ increased use of automated software to purchase ads via exchanges, ad networks and other middlemen. Such arrangements, they say, are far less transparent than buying ad space the traditional way, through human sales forces.

The ANA declined to reveal the names of the 30 advertisers participating in the anti-fraud group, but the trade organization’s members include blue-chip marketers such as Procter & Gamble, Johnson & Johnson and General Motors.

Starting next month, WhiteOps will track campaigns of the 30 companies for one month and report back the level of bot fraud occurring across the digital advertising industry, including display, video, mobile and social ads. The ad fraud-detection firm will also give advertisers lists of the sites and exchanges that have fraudulent traffic.

Other marketers will be able to use the study as a benchmark to compare their own data on ad fraud with the industry as a whole.

Fears are mounting that marketers will pull back on some online ad spending because of rampant fraud. In response, some publishers and ad companies are trying to address the problem themselves.

Google, for example, acquired Spider.io, a London-based company that specializes in identifying and blocking online-traffic fraud, in February. Meanwhile, ad-buying giant GroupM said recently that it would stop buying online ads from “open” ad exchanges entirely by the end of the year, because it is concerned about the quality of ad inventory that’s available in these marketplaces and their lack of transparency.

Open exchanges are automated marketplaces through which advertisers buy and sell ads from across the web. Private exchanges, on the other hand, allow marketers to link directly to publishers and media companies.

But advertisers “cannot delegate this to be solved by agencies and publishers, they need to be involved,” said Bill Duggan, an executive vice president at the ANA. “Advertisers have the most to lose with bot fraud.”



Thursday, August 7, 2014


Hass & Associates Online Reviews: Trends in online-to-offline commerce suggest increased need for mobile fraud prevention


“Online to Offline (O2O) Commerce Signals Demand for Increase in Mobile Payment Security,” says mobile payments expert Omlis

Digital payments are forecast to almost double in the next 5 years, increasing from £2.5 to £4.7 trillion between 2014 and 2019, according to a recent report from Juniper Research. Businesses worldwide are answering this demand by implementing new business models. Traditional “brick and mortar” businesses are offering product delivery options, giving rise to “bricks and clicks” companies.

Transactions processed via mobile payments for traditional retailers are expected to grow by 600 percent by the end of 2017, according to Chinese research firm iResearch. These economic forecasts signal the growing global shift toward online-to-offline (O2O) commerce, which integrates mobile phone technology and E-commerce with traditional business models. This highlights a growing need for innovative mobile payment technology and enhanced fraud prevention techniques, according to Omlis, a leading Global Mobile Payment Solutions Provider.

Online to Offline (O2O) business models reflect the movement of E-Commerce and M-Commerce activity toward integration with physical, offline processes. This is largely due to the growing worldwide adoption of mobile phones and the incorporation of digital payment procedures. In commerce, O2O pushes for user interaction through a website, app, or mobile phone, allowing customers to virtually reach the physical storefront or services provided by an organization. Through the constant launch of new apps, the internet has become an innovative way to complete tasks, such as monitoring and controlling home appliances. Innovation leader Apple recently released HomeKit, which allows users to control lighting, thermostats, and even home security via a mobile device.

Consumers in O2O environments gain more efficient services, improved access to goods, and enhanced online shopping experiences, as well as innovative opportunities to get customizable goods, personalized services, and 24/7 service from industries that traditionally relied on physical interaction. This model could prove profitable for businesses that aim to increase their consumer base with more efficient systems and a much larger geographical reach.

The push back toward offline relationships has been initiated by the private sector due to growing consumer reliance on online shopping. However, Omlis believes it may also be due to social and cultural implications of widespread internet use. This trend originated in the Asia Pacific, a technologically advanced market that adopted mobile payments early, and now boasts 32 percent of sales attributed to mobile devices, according to a recent report from mobile advertising service provider Buzzcity. Omlis believes that this foretells similar trends across the globe, with the UK following closely behind with twice as many mobile payments as the global average in Q2 of 2014. A recent report from Accenture showed that although UK customers are banking via mobile, visits to bank branches have increased since last year by almost 10%. This could be due to increased O2O business models, or may possibly be attributed to a lack of customer service over online portals.

A major concern facing online to offline business models is fraud, due to heightened reliance on mobile payments and an increase in personal data stored on phones, combined with active hackers and no standard security protocol for mobile commerce. The most significant example of fraud activity on mobile devices is credit card fraud, according to a report by Iovation, which looked at mobile fraud cases on both Android and iPhone platforms. This fraud occurs most frequently via the mobile web, which still accounts for 60% of global transactions.

“The mobile payments market has key hurdles to clear in fraud prevention, and businesses adopting new models incorporating digital and mobile payments must consider best practices to guarantee consumer confidence, consistency, and convenience,” said Omlis CEO Markus Milsted. “Online to offline models call for improved security for mobile payments and uncompromised technology which can function effectively on mobile phones.”

Omlis believes businesses must work to ensure consistency within an O2O experience, including a differentiated focus on customer satisfaction and implementation of new techniques for effective and secure customer service.

“It is necessary to anticipate imminent issues that will arise as mobile devices are incorporated further into daily life, and ensure consumer confidence through use of secure systems,” said Milsted.

The integration of offline and online will continue to change and grow as consumers and businesses find an ideal balance, and security will surely play a large part. Omlis technology offers a powerful and innovative secure payments technology designed to proactively address issues faced by the mobile payments industry.

About Omlis – Omlis is a global mobile payment solutions provider bringing market-proven, highly powerful, differentiated and effective solutions to mobile commerce security. It provides completely secure, unique and uncompromised technology with 100% fault-tolerant tracking of all payments in real time for full transaction accountability.

Summary - Online-to-offline commerce, which utilizes mobile phones as an intermediary between businesses and consumers, is a worldwide trend that faces new challenges. Online shopping and innovative apps have created a new consumer environment that encourages new ways of shopping and conducting daily life. Mobile payments are becoming the norm, but must become more secure due to a currently insecure mobile payments market. This article examines current trends in online-to-offline business models, and anticipates the imminent issues in mobile fraud, calling for more secure mobile payment techniques.