“In my nine to ten years investigating cyber, the one thing I can tell you is, it’s evolved,” Ellis said. “The cyberthreat is constantly changing. Things I talk about today will be different next year. Things I talk about next year will be different the year after that.”
Cybercriminals are trying to create a full profile on you. Ellis noted that they are no longer just attempting a breach for debit and credit card fraud; they’re taking things a step further. “Bad guys are specifically targeting you; they want to pull the websites that you go to. They want to get your user ID, your password, your PIN numbers, etc. They’re also launching spearphishing attacks; directly targeting victims with emails, links, and going after professionals with access to Lexis Nexis and credit reports.”
Why go after all this data? “We found out that now the bad guys are creating workups on us,” Ellis said. “They don’t just want your name and your social security number. They want every credit card that you have. They want to know your rental history, where you moved to, whether you’re married, how many dependents do you have. Because if I know everything about you, I can practically be you.”
Prepaid card fraud is skyrocketing. While all types of card fraud are increasing, the trends show prepaid card fraud rising at an alarming rate.
Ellis said he worked a stolen identity case recently in Texas. “You had this group of individuals and they intercepted people’s information,” he said. “They took it and went around to retailers and purchased Green Dot prepaid cards. After they purchased these cards, they downloaded and issued tax returns. They would direct the tax return they filed in your name, straight to that card. They were using these prepaid cards like virtual bank accounts. They had mules that would go out to automated teller machines (ATMs) and cash out all this money.”
Ellis added that this particular group was connected to groups in Cincinnati, Atlanta and Florida. “But at the end of the day, we found out that these cyber criminals had attempted a US$100m loss. Actual losses totaled US$56m.”
To mitigate this threat, the FBI is analysing purchases to determine what the criminals are doing with these prepaid cards and what they are buying with them. The FBI is also working closely with retailers to find out whose personally identifiable information (PII) was used, in order to determine if a breach occurred. The agency is also looking at the addresses these crooks are using when they make online purchases with these cards.
Mobile malware is becoming an even bigger threat to mobile payments. The FBI has strong partnerships in the telecommunications industry, and also works with the Wireless Association and the Communications Fraud Control Association (CFCA) to analyze different types of mobile malware.
“Malware today steals contact information from your phones,” Ellis said. “It steals your call logs and your address books. It’s tracking your websites. It’s trying to pull your passwords. We use smartphones now like we use computers. We can check our bank accounts and make payments, and there’s malware that specifically goes after that. You also have malware that takes components of your mobile device and takes it over.”
The FBI provides the following tips for protecting yourself against mobile malware.
- Be careful about the links that you click on in a text or email.
- Read permissions on apps. What exactly are you allowing when you download an app?
- Update your device regularly.
- Passcode protect your devices.
Underground forums are the place to be if you’re a cybercriminal. Fully 95% of cybercriminals are active on underground forums. Ellis noted that he has been undercover on some of these boards. “You should hear the things they’re talking about,” he said. “They’re talking about ways that they can extort your data. They’re talking about who has a vulnerability. They’re talking about ways that they can take this information and use it to come after us, because we’re the victims.”
Ellis stressed that the bad guys are talking; they’re game planning. Treasury and finance professionals, then, have to do the same thing. “Gone are the days when, if something happens, you don’t talk about it with other organizations; we need to be sharing,” he said. “There could be something that you see, that someone else doesn’t. And unless we’re talking, we don’t know. So we have to use venues like this, we’ve got to have work groups and task forces, we’ve got to have public service announcements. We have to be sharing information with our communities.”