10 Steps to Safer and Secure(r) ATM Transactions


The advent of Europay | Mastercard | Visa (EMV) cards in North America has caused a whole bunch of confusion regarding the security of credit and debit card transactions. The ability to further secure a transaction with encryption, PINs and other controls has reduced risk for some transactions, but done little for others.atm

And many EMV cards in the United States still have a magnetic stripe, which makes them vulnerable to the sale old-fashioned fraud and theft we’ve been dealing with for years. Much of this is made possible with skimming devices.

ATM “skimmers” have become cheap, effective and highly available. These criminal devices has created new risks for those of us who try to minimize direct, face-to-face human interaction or prefer to deal in cold, hard cash.

The reality is, you can’t always avoid using an ATM or point-of-sale device.

Most people don’t realize it, but using an ATM can still be a risky activity. And while it’s true that more banks are robbed online than in-person today, there are some simple steps you can take to make your banking transactions safer and more secure.

  1. Select an ATM at a bank, in a well-lit area. Do not use ATMs in hotels, convenience stores, malls or remote areas. Make your ATM trips during the day during high traffic periods. Use a drive-through is possible, your vehicle provides additional security and an effective escape route.
  2. If access to the ATM requires unlocking a door with a card, use a different card than what you’re about to use at the ATM. Any card with a magnetic stripe will work – use your library card or something with no value. Don’t use a card that stores your personal information in the magnetic stripe.
  3. Before swiping or inserting your card – check the ATM. Wiggle the card reader and the pin pad – they should not move at all. Look for anything else that looks out of place, like attachments, unidentified boxes or cameras or other modifications.
  4. Insert or swipe your card. Use your hand to cover the keypad when you enter your PIN. The idea is to block visibility by people behind you or cameras near the ATM.
  5. Make sure your PIN is random – not your birthday or anything else you’ve posted on social media. Change it once per year, or whenever you think it may have been compromised.
  6. Conduct your transaction. Know what you want before you get there so you don’t have to waste time at the ATM. Avoid multiple, time-consuming withdrawals that could keep you there longer than necessary.
  7. “Get off the X.” Don’t count your money at the ATM – even if there is an error you can’t do anything about it there anyway. Check your surroundings and maintain situational awareness. Move with a purpose.
  8. Report any problems to the bank that owns the ATM.
  9. Check your bank statement – it should match your receipts and ATM activity.
  10. Remember that gas pumps, car washes and other payment terminals are just as vulnerable to compromise as ATMs! Use these same steps – and some common sense to reduce your risk of problems.

If you’re curious about what’s actually stored on your credit cards, drivers licenses and other cards with magnetic stripes, check out Wikipedia for more information.

Don’t Get Sacked, Don’t Get Hacked

The NFL’s biggest game – and one of the largest sporting events on the planet – is just days away, offering millions the chance to be entertained for a few hours. Fans will be glued to their television sets to experience the drama, the competition and the footballshowmanship. Will they be thinking about cyber threats? Probably not. But, surprisingly, business owners can learn some valuable lessons about cybersecurity from the Super Bowl.

The NFL is a business. And like many businesses, it works with a massive ecosystem of outside companies to deliver its product to the people. Thousands of third-party vendors – from the rented stadium, ticket sellers and HVAC-system providers, to the retailers and halftime show techs – are required to produce the show. Unprotected third-party vendors provide a path of least resistance for cybercriminals to sneak through the digital back door, potentially compromising safety, leaving data unprotected and creating havoc for organizations.

While 71 percent of companies feel confident their security activities are effective, only 32 percent require third parties to comply with their policies, according to the most recent PwC Global State of Information Security Survey. Furthermore, the study found that third-party security incidents are on the rise. In the past two years alone, the number of companies attacked rose from 20 to 28 percent.

Having a plan to deal with vendors is important, but it’s just one of the lessons to be learned from the Super Bowl. Here are five takeaways about cybersecurity every business owner can score from the big game:

  1. Offense is easier than defense: Defense has an impossible job on the field. It can’t possibly prepare for every play the offense runs. As the old adage says, “The best defense is a good offense.” Business owners that arm their companies with a strategic offense will be less vulnerable to cyber attacks than those who are constantly trying to play defense against a multitude of threats. Remember: the bad guys only have to be right once to take down their targets.
  2. It’s a people game: Technology takes center stage in the big game. Massive video walls, anti-concussion helmets and interactive capabilities allowing fans to order a hot dog from their seats are all part of the experience. But the reality is, the game is won or lost by people. Companies that become distracted by cyber defense technologies may erroneously believe they are safe from an attack. As long as the human element is involved, risk exists.
  3. Winning takes continuous effort: Like football, cybersecurity requires work. While the Super Bowl is the punctuation mark on the season, both teams traveled a long, tough road to reach the championship. You have to play well for all four quarters. In business, it’s tempting to believe that purchasing a firewall on any given Sunday and throwing it in a rack provides adequate protection. The fact is, cybersecurity and the management of cyber risks is never done.
  4. Protect your assets: In a football game, there are only two things worth protecting: the quarterback and the football. The team that does the best job safeguarding these two assets wins. Likewise, in the business world, companies must identify their “quarterbacks and footballs.” Bank accounts, credit cards, identities, intellectual property and reputation are the five critical assets that need protection, and should be where all the energy is focused.
  5. Teamwork: Businesses typically focus on their core competencies and outsource functions like payroll, banking, logistics and other specialized skills. As mentioned earlier, these third-party relationships can unwittingly pose a cyber threat by leaving the digital backdoor wide open. Organizations working with third-party vendors should clearly spell out their position on cybersecurity in all contracts and require regular audits for compliance.

Unfortunately, cyber attacks are not a matter of “if,” but “when.” Like quarterbacks, all companies will eventually get hit. The key to survival is being able to mitigate the damage and recover. Technology alone, like helmets and padding for players, is not enough to protect you on game day.

Now about those $12 hot dogs.

Check out the original article I wrote for Security magazine here: http://www.securitymagazine.com/articles/87777-cybersecurity-lessons-learned-from-the-super-bowl

Wireless Reindeer and the Miracle of Connected Eggnog

CyberMonday: the term is synonymous with Amazon deals, record-breaking technology sales and Christmas wish list fulfillment. While it may be a contemporary “holiday,” many consumers don’t remember a time without it. But in this world of identity theft and credit card fraud, security warnings are as commonplace as the annual cyber holiday itself. But what if I told you hackers aren’t in it for your credit card info?

Enter the “Internet of Things”.

From Fitbits and smart thermostats, to connected children’s toys and baby monitors, consumers are actively looking for the latest and greatest technology. Each of these devices are connected via the “Internet of Things,” allowing people to track everything from stairs climbed to monitoring their children in the other room via a smart phone. And Cyber Monday is often where they are finally able to get their hands on this new technology.

The “IoT” business is growing rapidly and we are estimated to have over 34 billion connected devices by 2020. Cyber Monday purchases are only helping to fuel this growth.
But what does this have to do with security?

As connectivity grows, so do our risks. Just last year, Cyber Monday brought us the VTech hack where cybercriminals gained access to the customer database, rife with personal information such as addresses, birth dates and passwords. Not only can such information be a physical threat (think children’s addresses), children are at risk of having their identities stolen without it being discovered for upwards of a decade while they’re still living at home.

On the wearables front, Garmin just recently introduced an activity wearable just for kids that parents can monitor from their smart phones – and connected toys are notorious for lax security.

So what’s the solution?

This holiday season, I challenge you to take a closer look at what is in your shopping cart and remember: any connected device, including wearables, can be hacked and exposed long before the user or manufacturer becomes aware of it.

There is no such thing as a hack-proof device. Anywhere. Ever.

Find out how to protect yourself in my recent Forbes article. http://bit.ly/2fkubPq

Why I Hate Flying


If you’re like me, you hate flying.

It’s not the baggage fees, overpriced ham sandwiches or smelly feet that bother me. IMG_2744Now that I’m a parent I don’t even mind three hours of screaming babies. No, I hate flying because the system doesn’t consider Return on Investment (ROI).

And it’s getting worse. Out of my last 20 flights I can’t think of more than 2 that went off without any problems. Any other business that served up that kind of abuse and disservice would never survive.

Unless you’re the TSA.

Try to imagine for a minute that the TSA was actually effective in preventing contraband and malfeasants from getting on planes. Perhaps then we could excuse the acne-faced, socially awkward teenage screeners, the constant re-scanning of a backpack just because it’s camo and the Disney-esque lines (minus the magical scenery).

The airport in Albany, NY, where I’m from, is now considering taking this to another level. The Sheriff and legislators in my town now want to make it illegal for any would-be passenger to exit the security line before screening.

Forgot your phone in the car? Have to use the restroom? Want that irresistible onesie in the Hudson News down the hall? Better take care of that stuff before you get in the security line or you could be arrested. I’m not making this up.

REFERENCE: Times Union

The intent, of course is to help reduce or deter terrorists and other criminals from probing our defensive measures, a tactic that Homeland Security believes has helped adversaries plan previous attacks. Proponents suggest that this would be mitigating one more airport vulnerability, particularly in the wake of several high profile attacks.

You don’t have to spend much time in a TSA line to know that this won’t work. Like software piracy protections and gun control, these measures will only impact law-abiding participants. We call criminals criminals because they commit crimes. They don’t honor our laws. Not to mention how many TSA agents and tax dollars it would take to monitor these lines for “criminal exits”.

At the root of this issue is ROI, which is missing from most security conversations. No one is asking the right question about this, mainly, is it worth it?

Most organizations get their security priorities from TV. We’re all human beings which means ugly headlines are more motivating than heuristics and actuarial data. Emotions drive decision-making, for good or bad. This issue is highly present in corporate America, where there are countless places to spend your security dollars, only a few of which make sense.

There are only three elements in this decision-making process. Similar to other business justifications where your options are fast, good and cheap – you can only pick 2. In security it’s convenience, freedom and security – pick any 2.

So the next time you’re faced with an important security decision, think about the tradeoffs. Ask yourself it the changes will be worth it. Think about security ROI.

Some free peanuts would be nice, too.

The Future of Ransomware

The current state of ransomware is more proof that our adversaries keep getting smarter. It may not be the case for long, but right now ransomware is like baby Einstein. Not because it’s overly sophisticated or stealthy, but because it’s simple and clever. And it’s got lots of room to grow.

Consider this; no longer must a criminal navigate your corporate plumbing, popping boxes, injecting code and passing hashes. All the work these bad actors used to waste time on, you now do for them. Why spend hours (OK minutes) forcing your way into an investment or payroll account when you can have your victim wire the funds for you?

The payoff for these types of attacks is unknown, despite the daily headlines outing compromised hospitals, colleges and restaurants. This is mostly true because it’s so pervasive (we’re working 7 cases from Boston to Dallas as I write this).

This trend has been particularly alarming because for the first time in corporate America, malware has become life or death. At best it’s disruptive, but at it’s worst it has directly affected a victim organization’s ability to conduct business. Including patient care.

Ransomware has also opened up a whole host of new opportunities for cybercriminals. No matter what you do – a dollar is always worth a dollar, assuming the same currency. With ransomware, a dollar can be worth a lot more.

What I mean by this is – if I steal your dollar, it’s pretty much only worth a dollar. No matter how good my negotiating skills, it ain’t never going to be worth more than one dollar.

Now, if on the other hand I steal your priceless Picasso, it’s worth is priceless. The value of that asset is incalculable, or can be better defined as “whatever I can negotiate for it”. Forget about the emotional value, which will generally only increase the multiplier. All this despite the fact that the acrylic paint and wood that the painting is on is worth a couple of bucks.

Compound this with the reality that with ransomware, criminals do less work for the same dollar. This further increases the ROI.

Even more exciting is where this is all going. One of the greatest new opportunities is in confidentiality’s ugly little sister – integrity.

Confidentiality is basically the cybersecurity prom queen – popular, well-known and attractive to the masses. Integrity on the other hand, is less understood even by the most serious of security pros.

As it turns out, integrity may grow up to be the rich sister.

Imagine coming in to work on a Monday morning, grabbing a protein bar and a steaming cup of your favorite joe and heading to your desk. You check the logs from the weekend, scan the monitoring dashboard and the SecureWorks alerts – nothing. A quick check of an IDS report and uptime status and you conclude that it’s been an uneventful weekend. Fantastic, now you can finally get to those Board reports you’ve been putting off.

Here’s what you missed: your data is there, it’s just all wrong. That’s right – all of your data has been changed. In subtle, random ways. No patterns. No canaries. No nothing. All of it.

If you think losing good data is bad – try keeping bad data.

Your doctors amputate the wrong leg. Professors hand out the wrong grades. Exchanges trade stocks at the wrong rate. Airplanes fly the wrong routes. You get the picture.

Now – what’s it worth to get it fixed?

I can’t answer that question, but I can tell you from a response perspective it’s a nightmare. We’re experts at telling when data has been encrypted or exfiltrated, we’re not so good at knowing when it’s off by a tenth of a percent.

The good news is that the intrusion (today at least) would look basically the same. One of the rare cases where prevention might be easier than response.

In my next update I’ll talk more about what you should be doing to fight it.

And About This Apple Thing

It’s been 3 years since I wrote.

Not for lack of trying, I assure you, but it’s literally been 3 years since I blogged. Time is fleeting, so they say. I do hope those of you that used to follow here missed the occasional rant, I hope to get back to this regularly starting now.

This Apple thing has dragged many of us Monday Morning Quarterbacks out of our comfortable shells, partially because it’s fascinating and partially because the downstream effects of this issue impact us all.

Here are the parts of the story that haven’t gotten the publicity that they should:

  1. We all remember the utter shock we felt back when Snowden first exposed the government’s surveillance program. We can’t overstate the sheer horror and humiliation of it, and the helplessness of seeing all of the major tech giants who were [forced to be] in on it. Fast forward a few years – if you think the FBI doesn’t already have people on the inside at Apple that can crack this thing open, you haven’t been paying attention.
  2. Apple has gotten great publicity out of this, but let’s not forget that Apple does not give a crap about our privacy. They use our data with and without our consent in ways that we don’t approve. They are one of the biggest privacy violators on the planet. To suggest that they are in this for the good of their customers is a farce. This is the same Apple that stuffed our iPhones full of U2 MP3s without our knowledge or consent.
  3. Time will tell if Cellebrite has figured out how to compromise the iPhone just as the FBI wanted. I have no doubt, however that this is a diversionary tactic, and that the FBI has had access to this device for some time now. They carried this out “by the book” to get attention, either because they wanted to earn some good will or they were doing something even more nefarious behind our backs while we were distracted with this story.
  4. This is a legal issue as much as it is a technical issue. Who does Apple think they are to refuse a Federal warrant? How is Tim Cook not in jail? The law is the law and $34B in cash shouldn’t change that.
  5. The problem with #4 is that the law is vague, obtuse and outdated. Legislation does not keep pace with cybersecurity or technology. The law basically says that if you have desirable assets, and the Feds present you with a warrant, you have to hand them over. The catch is – Apple doesn’t really “have” the data without creating a new product, which the Government cannot force you to build. Sticky.
  6. The “back door” that Apple claims they’d have to build is already available – just not from Apple. If Apple really wanted to protect our privacy and security they would make a more secure device and stop “acquiring” our personal information.

All this said – if there’s anyone I trust less than Apple, it’s the Feds. With the NSA and other blanket surveillance programs that were (and probably still are) in place, they probably already have all of this terrorist’s data – they just don’t know where to look for it. And even if Apple handed over the data on this device, the Feds probably wouldn’t prevent much crime with it anyway. Let’s not forget – the NSA had wholesale, blanket surveillance in place for years – of the 255 (now 256) domestic terrorism cases since 9/11 it has prevented exactly 1.

If Apple were smart they would tell the Feds that they would get the data off the phone (and any other phone for that matter), but it will cost $10M per phone to do it.

After all, who couldn’t use another billion.

Learning From Boston

The bombs that killed three people and wounded nearly 200 yesterday are a stark reminder that the odds are stacked against us when it comes to fighting crime.

While it appears that the response of the FBI, DHS, Boston Police Department, EMS and others was reasonably coordinated and effective, these situations inevitably raise recurring questions.

  • Were we prepared?
  • Who did this?
  • Why did this happen?
  • Could this have been prevented?

As the world puts its cities on high alert, many people revisit other dramatic and horrific crises, BostonMarathonBombreminded that it wasn’t long ago that we were in a situation just like this.

Governments, embassies, corporations and other entities have spent much time, money and energy in the hours since the Boston bombings reviewing (maybe panicking) and fortifying their protections.

And while this latest horror has caused all of us to ask these questions of ourselves, there is truly only one question that matters.

  • Is what we’re doing to protect ourselves really worth it?

At a time like this, when lives have been lost, Presidents are holding press conferences and emotions are high, this question seems callous.

This is not to suggest that we shouldn’t be putting protections in place – far from it. In fact, I’d argue that all too often we as human beings would rather “take our chances” than protect ourselves proactively. It’s exactly why we see businesses getting owned by hackers every day.

But oftentimes we see the knee-jerk reactions caused by these events distracting us from the real objective. If we had just stayed the course and done a decent job of understanding our risks all along we may not have been so vulnerable in the first place.

So we mourn our losses. These tragedies seem unavoidable, and perhaps they are.

But if we don’t learn from our mistakes it is all for nothing.

The Secret to Great Passwords

Another day, another breach.

We haven’t received details yet, but we’re sure to hear that poor passwords were at least partly to blame in this week’s massive Evernote breach. And Bank of America’s. And [insert company name here]’s.

It seems that we may never get passwords right.

There are many reasons for this.

First, passwords may be the most targeted of all security controls. They are, after all the keys to the kingdom. If you hit something hard enough, long enough, it’s going to break. Even the toughest passwords can be cracked.Password

Second, passwords may be the most numerous of all security controls. I have 200 times as many passwords as I do firewalls, access control procedures or data classification policies. A typical organization may have 10,000 passwords for every other security control they possess.

Third, passwords may be one of, if not the most dynamic of security controls. Think about how often you create new passwords or change existing passwords. You don’t see this level of volatility in other areas of security.

Last, passwords are often designed, implemented and administered by the unwashed masses. Unlike other controls, they may not be reviewed by a committee, subject to monitoring or in the worst case – even required.

So what’s the secret to solving this problem?

Lowering our expectations.

Lowering our expectations? That’s the secret? Yes, don’t be alarmed. Because as sad is that sounds, expecting less of passwords (and the people who create and enforce them) should give us pause about the controls that compensate for these historically weak protections.

Remember that the goal of your security program is not to create one impenetrable wall, but rather to create a system of defenses that together are strong enough to withstand the threats that you are likely to encounter. Your passwords are just one piece of the puzzle.

Spending too much time on developing the ultimate password scheme, training your workforce on developing perfect passwords and monitoring for 100% password compliance may potentially distract you from the job at hand – protecting the crown jewels.

Good generals know it’s not about winning every battle, but winning the war.

Many organizations recognize this and are moving towards requiring or recommending multi-factor or other out-of-band authentication mechanisms to support passwords. Certificates, biometrics and other controls are becoming more popular for this reason, as well.

Take a look at what you’re doing with passwords and decide how practical and effective your efforts are. Don’t make excuses – you can’t lower your expectations so far that passwords offer no protection.

But lowering your expectations may just increase your defenses.

You’re the Next President

Sounds awesome, doesn’t it?

Unfortunately, I’m not talking about getting you elected to the highest, most powerful office in the world.

No, sadly I’m talking about the likelihood that your e-mail will get hacked and pictures of you in the shower will show up on the Interwebz.

Ask yourself when was the last time you sent an e-mail that you didn’t want anyone else to see? It may have been complaints about your boss, or sweet nothings to your girlfriend. It could have been tax or financial information, or perhaps something about a medical issue.Bush

And you probably keep e-mail around forever, right?

I’ve seen people with thousands of e-mails still in their Inbox. They didn’t think to move them to another folder or delete them after they read them.

Receipts from online purchases. New account registrations and password changes. They just sit there like little gold nuggets, waiting for a miner.

The reality is, we all do it. Just like Ashton Kutcher, Sarah Palin and Lindsay Lohan, we normal people use e-mail for just about everything. And few truly think about or understand just how sensitive, or critical e-mail has become.

Until their undergiblets show up in a Google images search.

So take a moment today to manage that risk down a little. If your e-mail is compromised it probably exposes a whole pile of other things.

Make sure you have a good password. If your e-mail service offers multi-factor authentication (SMS, token, etc.), consider it. Delete e-mail that you don’t need anymore. Think about the things that you send through e-mail before you send them – if they ended up in the wrong hands would you be OK with it?

Because it may sound awesome, but you don’t want to be the next President.

Rethinking Security – Part 1

Two weeks ago travelers in the Austin, TX Amtrak station got a big surprise – a squad of anti-terrorism forces armed with assault rifles and specialized inspection equipment. It was just one of hundreds of [probably not so] random appearances being made by the Transportation Security Administration’s (TSA) VIPR Team all across America.

The VIPR (Visible Intermodal Prevention and Response) team is not new, in fact it was launched in 2005 after the train bombings in Madrid. Its tactics, however have been changing over time. Random appearances are part of their “new strategy”.

Since September 11, law enforcement and counter-terrorism agencies have been focusing on the areas that, at the time, appeared to have the greatest exposure. Airlines, densely populated urban areas and critical infrastructure all made the list.

Unfortunately our enemies are smart enough to strike where we our defenses are least fortified.

Enter the VIPR Team.

TSA VIPR Team Inspects Amtrak Station

TSA VIPR Team Inspects Amtrak Station

The bombing in Madrid ushered in a new phase of terrorism, and subsequently a new phase of security. Our enemies began attacking softer targets, becoming more unpredictable. It was the definition of terror. We could take a few lessons from this new thinking.

During a half-day conference in Albany, NY recently we had the opportunity to speak to over one-hundred security professionals about the current state of information security. We discussed current trends, new threats and some recently targeted organizations. When it was over, we passed around a pocketknife and about a hundred audience members joined our wolfpack.

Perhaps most important of all the topics we discussed was the failure of the things we trust most in information security today. Cornerstones like defense in-depth, antivirus and least privilege. They all sound great, but the problem is, they’re not working.

Maybe it’s because we don’t have the resources. Maybe it’s because security still isn’t a priority for many organizations. Maybe it’s because we’re not measuring performance.

Or maybe, just maybe, these things are so predictable that our enemies know exactly how to get around them.

If I were an Internet criminal operating out of unsaid country in Eastern Europe, I would have a pretty good idea of where to start. I’d know which rootkits and payloads I’d need to deliver, and how to get them to their intended targets.

I’d know pretty much what to expect once my backdoor was operational, and I’d have a pretty good idea of how to pivot around my subject’s network. I’d know how to exfiltrate my objective and which tracks to cover.

And this goes for any organization.

How could this be? It’s not because I’m that smart or have intel on every company out there. It’s because most organizations [don’t] defend themselves in the same way.

So here’s an idea; the next time an uninvited intruder shows up on your network, surprise them. Utilize a control in a different way or implement it somewhere it normally isn’t found. Take a look at all of the things you’re doing, turn them 90 degrees, spin them once and give them a kick and see where they land. If they could be effective there in a different way, consider making the change.

Predictability is a vulnerability in itself. The VIPR Team has figured this out and so can we.

%d bloggers like this: