Credit cards for sale, cybersecurity trends and the wrong way to alert customers
Welcome to Cyber Security Today. It’s Friday July 26th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanda.com.
With data breaches reported regularly, ever wonder how many stolen credit and debit card numbers are available for sale? Over 23 million, according to a security company called Sixgill. And of those well over half — 15 million — were issued in the United States. The second-highest number of stolen numbers sold online come from the United Kingdom. Many of these are stolen when criminal install software on e-commerce sites that copy credit and debit card numbers as customers enter them. Or they get numbers from data breaches or compromise point of sale machines in stores, restaurants, gas stations and hotels. To protect yourself make sure your bank or card issuer will send you an alert if it sees suspicious activity. Watch your monthly card statement for suspicious purchases. Be careful when using your card on the phone to make a purchase — is the company legitimate? And don’t give out your card number to someone who phones you and says they’re from the bank and want to check to see if your card has been stolen. Banks don’t do that.
There’s no shortage of cyber attacks and data breaches, which makes you wonder if there are any trends. Yes, says security company Check Point Software. It looked at the data it got for the first half of the year from its products on customer computers, and from that perspective here’s what it saw: There was a sharp increase in what are called supply chain attacks. For example, someone hacked the Asus computer manufacturer and infected the automatic update software it puts on millions of machines. That makes it easier for the attacker to get into them instead of hacking machines one at a time. Another example is the hacking of a small company that sells services to a bigger company to get into the bigger firm’s computers. A third example is hacking commonly-shared pieces of code that developers use to create mobile apps. Then thousands of apps are doorways to victims. The report also notes that email scams, always popular, are shifting. Increasingly common is sextortion, with the attacker claiming to have sexually-related material on the victim, and the business email compromise, where the attacker asks victims to do things like change the bank account regular company payments go to. The report also notes a big leap in mobile banking malware, which either fools you into thinking the new app on your smartphone is the real app to link to your bank, or its secretly stealing your bank password.
What can you do? Make sure software on all your devices are up to date, be careful where you download apps from, use two-factor authentication to protect your passwords and logins.
Finally, in Wednesday’s podcast I gave a reminder not to click on links in email messages that are supposed to take you to a web site for resetting your password. Crooks do that to trick victims into giving away their passwords. That’s why smart companies know when sending out warnings about hacks they advise users to go to their login website the usual way — by typing the address in a browser bar or using a bookmarked link. British Internet provider Sky apparently didn’t understand that. Earlier this week it emailed customers about the need to reset their passwords, and what did the company do? It included a link to the login page in the message. Not only that, the email was addressed to ‘Dear Customer.’ As security reporter Graham Cluley noted, a lot of suspicious people thought it might be a phishing trick and checked with the company. Good for them. The lesson here for businesses is there’s a right way to send out warnings.
By the way, Sky didn’t include the reason for the password reset in its message: Its email system had been hacked. That’s another lesson. You need to be honest with customers
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.