An unsecured Amazon Web Services bucket holding personal information and scans of IDs of some 119,000 US and international citizens has been found sitting online by Kromtech security researchers earlier this month. The stored data had been stockpiled by Bongo International, a company that specialized in helping North American retailers and brands sell online to consumers in other countries. Bongo was acquired by FedEx in 2014, relaunched as FedEx Cross-Border International, and ultimately shuttered in April 2017.
The AWS bucket, access to which was not secured by a password, contained unencrypted information and ID scans of customers from many different countries around the world. ZDNet trawled through the documents and found scans of drivers’ licenses, national ID cards, work ID cards, voting cards, utility bills, vehicle registration forms, medical insurance cards, firearms licenses, US military identification cards, and credit cards that customers used to verify their identity with the FedEx division. To complete the picture about each customer there were US Postal Service forms holding information such as name, home address, phone number, zip code and handwritten signatures.
Read more about the exposed information and how it was found sitting online in an unsecured Amazon Web Services bucket on Help Net Security.
Cryptocurrency marketplaces, designed to facilitate trading on the full range of digital currencies, are experiencing a range of fraudulent activity. The world of cryptocurrency has moved from being the playground of the criminal underworld to being a prime target for attacks on legitimate transactions, according to the Q4 2017 Cybercrime Report by ThreatMetrix.
Fraudulent new accounts are created using stolen or synthesized identities to set up mule accounts to launder money. Additionally, legitimate accounts are being hacked to make fraudulent payments and transfer cryptocurrency balances out when at their highest value.
The report also revealed an increased volume of attacks originating from Russia, using both automated bots and location spoofing tools. In fact, for the very first time, Russia emerged as a top attack originator, with the majority of incidents targeting ecommerce retailers in the U.S. Key shopping days in Q4 over the holiday season saw up to 2 million bot attacks coming from Russia alone.
Read more about the findings of the Q4 2017 Cybercrime Report by ThreatMetrix on Help Net Security.
A new study by 250ok has revealed that 87.6 percent of the root domains operated by top e-retailers in the United States and European Union are putting their brands and consumers at risk for phishing attacks.
Phishing and spoofing attacks against consumers are most likely when companies don’t have a published Sender Policy Framework (SPF) or Domain-based Message Authentication, Reporting and Conformance (DMARC) policy properly in place. SPF is an email validation system that detects spoofing attempts, that is, a third party disguising itself as a given sender by using a counterfeit sender address. DMARC is considered the industry standard for email validation to prevent such attacks.
The report, which analyzed 3,300 domains of the top 1,000 US internet retailers and top 500 EU internet retailers by revenue, reveals that the majority of retailers currently use some level of email authentication on their domains. However, many are inconsistent in their approach across all the domains they control. Only 11.3 percent of top US retailer domains and 12.2 percent of top EU retailer domains meet 250ok’s recommended minimum protocol for the email channel: publishing SPF records for all domains; ensuring SPF records are valid and without errors; and publishing a DMARC policy for all domains.
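As an added illustration of that three-point minimum (this is not code from 250ok or from the report), the following Python checker applies the criteria to constructed sample DNS TXT records; a real audit would replace the SAMPLE_TXT table with live TXT lookups for each domain and its _dmarc subdomain.

```python
# Offline SPF/DMARC posture check: SPF published, SPF valid, DMARC policy published.
import re

# Constructed sample TXT records keyed by DNS name (not real retailer domains).
SAMPLE_TXT = {
    "good-shop.example":        ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"],
    "_dmarc.good-shop.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good-shop.example"],
    "no-dmarc.example":         ["v=spf1 include:_spf.example.net ~all"],
    "broken.example":           ["v=spf1 a -all", "v=spf1 mx ~all"],        # two SPF records: invalid
    "_dmarc.broken.example":    ["v=DMARC1; rua=mailto:x@broken.example"],  # missing p= tag
}

# Mechanisms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_MECHS = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)")
FINAL_ALL = re.compile(r"^[+\-~?]?all$")

def spf_records(txt):
    """All TXT strings that claim to be SPF; a domain must publish exactly one."""
    return [r for r in txt if r.lower().startswith("v=spf1")]

def spf_errors(records):
    """Return a list of validity problems; an empty list means the SPF record is usable."""
    if len(records) != 1:
        return [f"expected exactly one SPF record, found {len(records)}"]
    errors = []
    terms = records[0].split()[1:]
    if not terms or not FINAL_ALL.match(terms[-1]):
        errors.append("record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms if LOOKUP_MECHS.match(t) or t.startswith("redirect="))
    if lookups > 10:
        errors.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return errors

def dmarc_policy(txt):
    """Return the p= value of a v=DMARC1 record, or None if the record is absent or invalid."""
    for r in txt:
        tags = dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
        if tags.get("v") == "DMARC1" and tags.get("p") in ("none", "quarantine", "reject"):
            return tags["p"]
    return None

def assess(domain, txt=SAMPLE_TXT):
    """Evaluate the three minimum criteria for one domain."""
    spf = spf_records(txt.get(domain, []))
    return {
        "spf_published": bool(spf),
        "spf_valid": bool(spf) and not spf_errors(spf),
        "dmarc_policy": dmarc_policy(txt.get(f"_dmarc.{domain}", [])),
    }
```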
Online fraud attempts and general retail transaction volumes increased substantially during the 2017 holiday season, according to new benchmark data from ACI Worldwide. Fraud attempts in the period from Thanksgiving Day to December 31 increased by 22 percent, while the number of overall transactions increased by 19 percent.
Fraud attempt rates were highest on Thanksgiving Day (1.94 percent, up from 1.26 percent in 2016), Christmas Eve (1.78 percent, up from 1.48 percent) and December 21 – the cutoff date for express shipments – (1.67 percent, up from 1.49 percent). The trends driving these peak fraudulent days include shipment cut-off, consumer traffic and buy online pick-up in-store transactions.
Read more about the ACI Worldwide data indicating a significant increase in online fraud during the 2017 holiday season on Security Magazine.
Read Brad Allen’s piece on the clear divide between online adopters and skeptics, and how it raises challenges for the retail and financial services industries, on Star Tribune:
When Pat Alexander read about the Equifax data breach, the 58-year-old former computer programmer from Roseville was not surprised. She had seen enough in her 15 years of coding both mainframes and PCs to convince her that nothing online is totally secure. “Technology doesn’t confound me. It just doesn’t impress me,” she explained.
With cybercrime on the increase, payment card security is increasingly a focus for companies and consumers alike. The Payment Card Industry Data Security Standard (PCI DSS) is there to help businesses that take card payments protect their payment systems from breaches and theft of cardholder data.
Read how the findings from the Verizon 2017 Payment Security Report (2017 PSR) demonstrate a link between organisations being compliant with the standard and their ability to defend themselves against cyberattacks, on The C-Suite.
Read why Alison DeNisco says that retailers’ payment systems are still vulnerable to cyberattack on TechRepublic:
As cybercrime rates continue to rise, firms must pay attention to payment card security to avoid a potential breach and the theft of cardholder data. Enter the Payment Card Industry Data Security Standard (PCI DSS), which was created to help businesses that take card payments protect their systems from cyberattacks.
Enterprises are complying with the Payment Card Industry Data Security Standard (PCI DSS) more, but the number of organizations in compliance is still low enough to leave the door open for cyberattacks, according to Verizon.
Read about the new Verizon report, which highlights that more organizations are compliant with PCI DSS but companies still struggle with security controls, on ZDNet.
The number of UK retailers experiencing data breaches has doubled over the past year, according to new stats shared by law firm RPC. The City-based firm claimed that the number of breaches reported to data protection watchdog the Information Commissioner’s Office (ICO) increased from just 19 in 2015/16 to 38 in 2016/17.
Read about the new report by RPC which reveals that United Kingdom retail data breaches have doubled in 2017 on Infosec Magazine.