<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>The Last Watchdog</title>
	
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Tue, 21 May 2013 16:02:53 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/LastWatchdog" /><feedburner:info uri="lastwatchdog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>LastWatchdog</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>How a digital restaurant check can stop data theft</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/jsNdQ3d7l0M/</link>
		<comments>http://lastwatchdog.com/digital-restaurant-check-stop-data-theft/#comments</comments>
		<pubDate>Tue, 21 May 2013 16:02:53 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=13428</guid>
		<description><![CDATA[SEATTLE – A new touchscreen payment system – designed to frustrate data thieves &#8212; should start appearing in hundreds of restaurants across the nation over the next few months. The system, called RAIL, introduces a novel way for restaurant patrons to pay for a meal using a proprietary mobile device designed expressly to frustrate data [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lastwatchdog.com/digital-restaurant-check-stop-data-theft/railresize150px/" rel="attachment wp-att-13429"><img class="alignleft size-full wp-image-13429" title="RAILresize150px" src="http://lastwatchdog.com/wp/wp-content/uploads/RAILresize150px.jpg" alt="" width="150" height="130" /></a>SEATTLE – A new touchscreen payment system – designed to frustrate data thieves &#8212; should <a href="http://www.usatoday.com/story/cybertruth/2013/05/21/rail-touchscreen-payment-data-theft-prevention/2345587/">start appearing </a>in hundreds of restaurants across the nation over the next few months.</p>
<p>The system, called RAIL, introduces a novel way for restaurant patrons to pay for a meal using a proprietary mobile device designed expressly to frustrate data thieves.</p>
<p>&#8220;RAIL allows you to self-swipe your card, which is really important for security, and, just as importantly, the system encrypts each transaction so the restaurant never sees or stores your credit card number,&#8221; says Joe Snell, co-founder and CEO of Viableware, the Seattle start-up that raised $6 million in funding to develop this new technology over the past 2 years.</p>
<p>Storage of unencrypted payment card data remains a common practice. It represents a major security weakness that cyber gangs feast on. The latest high-visibility example: an alleged international gang of cyberthieves managed to steal $45 million from thousands of ATMs in multiple countries using stolen account data to create counterfeit payment cards.</p>
<p>Financial, hospitality and retail industries account for an estimated 55% of unencrypted payment card data stored by commercial businesses, according to a SecurityMetrics analysis.</p>
<p>RAIL encrypts data from each restaurant sale in real time. It is being used at two restaurants here, Bar Cotto and Rione XIII, and is undergoing trials at several large national chains, Snell says. He expects several large national chains now testing RAIL to introduce the system chain-wide over the course of this year.</p>
<p>However, improved security isn&#8217;t what will wow consumers who encounter RAIL for the first time. After self-swiping, you use a stylus to complete the transaction on a digital representation of the bill. This set-up enables you to calculate tips, split the bill and answer survey questions.</p>
<p>You may use PayPal or a digital wallet application to pay for the bill, and you can choose to have a copy of the receipt printed off at the restaurant or emailed to your personal e-mail account.</p>
<p>&#8220;RAIL is about security &#8212; and convenience,&#8221; Snell says. &#8220;You can split the bill up to nine ways, or, if you like, you can choose the items you&#8217;d like to pay for, then hand it off to the next person and they can choose their items.&#8221;</p>
<p>Seattle restaurateur Ethan Stowell ran trials in his trendy Bar Cotto and Rione XIII establishments before switching over completely to RAIL in mid-April.</p>
<p>&#8220;By incorporating the RAIL devices into our service, our wait staff can spend more time attending to guests,&#8221; says Stowell. &#8220;Additionally, our guests can have the peace of mind that their card information will never be compromised.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/digital-restaurant-check-stop-data-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://lastwatchdog.com/digital-restaurant-check-stop-data-theft/</feedburner:origLink></item>
		<item>
		<title>Security vendors get boost from rising threats</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/txE4qFO5uqk/</link>
		<comments>http://lastwatchdog.com/security-vendors-boost-rising-threats/#comments</comments>
		<pubDate>Tue, 21 May 2013 15:45:49 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=13423</guid>
		<description><![CDATA[SEATTLE – Rising cyberthreats are translating into booming business for companies supplying technologies that help secure networks and protect sensitive data. Case in point: Silicon Valley-based risk management integrator Agiliance recently announced a 65% increase in sales for the first quarter, including a 415% boost in revenue from financial services clients. LastWatchdog asked Torsten George, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://lastwatchdog.com/insider-threats-worrisome-external-atta/cybercrime3-jpg/" rel="attachment wp-att-13029"><img class="alignleft size-full wp-image-13029" title="cybercrime3.jpg" src="http://lastwatchdog.com/wp/wp-content/uploads/bandit-PCs150px.jpg" alt="" width="150" height="132" /></a>SEATTLE – Rising cyberthreats are <a href="http://www.usatoday.com/story/cybertruth/2013/05/20/cyberattacks-security-boom/2215345/">translating</a> into booming business for companies supplying technologies that help secure networks and protect sensitive data.</p>
<p>Case in point: Silicon Valley-based risk management integrator Agiliance recently announced a 65% increase in sales for the first quarter, including a 415% boost in revenue from financial services clients.</p>
<p>LastWatchdog asked Torsten George, chief product strategist for Agiliance, for his perspective on riding this wave.</p>
<div id="attachment_13426" class="wp-caption alignleft" style="width: 100px"><a href="http://lastwatchdog.com/security-vendors-boost-rising-threats/torsten-george90px/" rel="attachment wp-att-13426"><img class="size-full wp-image-13426" title="Torsten George90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Torsten-George90px.jpg" alt="" width="90" height="137" /></a><p class="wp-caption-text">George</p></div>
<p><strong>LW:</strong> So companies now suddenly get it that they&#8217;re under cyberattack?</p>
<p><strong> George:</strong> Many organizations are realizing that you can schedule an audit, but not a cyber-attack. This change in behavior is being driven by stricter enforcement of existing regulations, mounting new legislation and SEC guidance, evolving case law propagating a higher standard of care, as well as pressure from corporate board rooms where the impact of a breach on a company&#8217;s stock price is now a real concern.</p>
<p><strong>LW:</strong> What&#8217;s the corporate sector&#8217;s biggest worry with respect to potential new regulations?</p>
<p><strong> George:</strong> Opponents of legislation that would mandate information sharing about cyber-threats claim it would be too burdensome to implement and threaten civil liberties and privacy. However, it appears that many businesses would welcome information sharing, as long as it is done in a bi-directional manner and with strong liability protections for those operating within the framework.</p>
<p><strong>LW:</strong> What&#8217;s most concerning to your customers about emerging privacy regulations in Europe?</p>
<p><strong> George:</strong> While Europe operates as a common trading community, each member state has the right to interpret and apply European Directives on a national basis. As a result, global organizations most likely will face a multitude of different regulations, resulting in a variety of burdensome data breach disclosure and notification practices. Our customers are concerned about how to address the increased compliance reporting and audit workloads.</p>
<p><strong>LW:</strong> Meanwhile, aren&#8217;t the bad guys still well ahead?</p>
<p><strong> George:</strong> Yes, even though many organizations spend millions of dollars each year to maintain their IT environment and implement some of the most sophisticated computer defenses available today. It&#8217;s clear we have to find new ways to improve security.</p>
<p><strong>LW:</strong> What progress do you anticipate the good guys will make, going forward?</p>
<p><strong> George:</strong> Many organizations rely on a multitude of best-of-breed, silo-based tools. This only adds to the complexity of data feeds that must be analyzed. At the end of the day, the ultimate goal is to shorten the window attackers have to exploit a software or network configuration flaw.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/security-vendors-boost-rising-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://lastwatchdog.com/security-vendors-boost-rising-threats/</feedburner:origLink></item>
		<item>
		<title>Why mobile devices are weakest link</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/UX_CaiKaVKQ/</link>
		<comments>http://lastwatchdog.com/mobile-devices-weakest-link/#comments</comments>
		<pubDate>Tue, 21 May 2013 15:40:06 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=13418</guid>
		<description><![CDATA[(Editor&#8217;s note: Mobile devices have become a primary target for hackers and cyber criminals. In this guest essay, Rainer Enders, CTO of Americas at NCP engineering, explains why they&#8217;ve become a weak link in network defenses.) Mobile technology companies focus first and foremost on consumers rather than the corporate market. As such, most mobile [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.usatoday.com/story/cybertruth/2013/05/21/cybersecurity-mobile-devices-hacking/2345333/">(Editor&#8217;s note:</a> Mobile devices have become a primary target for hackers and cyber criminals. In this guest essay, Rainer Enders, CTO of Americas at NCP engineering, explains why they&#8217;ve become a weak link in network defenses.)</p>
<p>Mobile technology companies focus first and foremost on consumers rather than the corporate market. As such, most mobile operating systems lack many basic security features. What&#8217;s more, with so many models from myriad manufacturers running on different versions of a platform such as Android, there is a glaring lack of consistency and basic security protocols.</p>
<p>Cyber criminals are targeting mobile devices more than traditional PCs, and, astoundingly, companies continue to let these devices run rampant and unmanaged on their networks.</p>
<p>No employee wants to be the one to unlock the door and let cyber criminals in. That, however, doesn&#8217;t stop it from happening. New research also shows that an estimated one million high-risk Android applications will get introduced into corporate networks this year.</p>
<p>Another recent study analyzed 2 million currently available Android apps, from both third parties and the Google Play store, classifying 293,091 as outright malicious and an additional 150,203 as high-risk. When you factor in iOS, Windows Mobile, BlackBerry and any other mobile platforms, the IT landscape is no longer centered on securing an exclusively Windows-based ecosystem.</p>
<p>Mobile security is a systemic problem, largely due to the business world&#8217;s inability to either comprehend or acknowledge that the status quo will no longer suffice. The only way to safely approach the use of smartphones, tablets and other mobile devices in the corporate sphere is to proactively manage how they are used.</p>
<p>Enterprises also cannot afford to continue the tried-and-no-longer-true practice of operating siloed security systems that react to attacks after they have already been hit. By then, it is too late. Instead, they need to bring together and connect the best of the best from all corners.</p>
<p>IT departments need to break these siloes open, integrate critical technologies with one another and educate the workforce in order to build in-depth mobile threat defense and response protocols. It has taken people far too long to connect the dots between mobile attacks in the last two years and how companies view IT security. If we are to stem the tide of mobile attacks, we&#8217;ve got to build a better dam.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/mobile-devices-weakest-link/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://lastwatchdog.com/mobile-devices-weakest-link/</feedburner:origLink></item>
		<item>
		<title>Five steps to protect your small business</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/wcRsDgkHyHE/</link>
		<comments>http://lastwatchdog.com/steps-protect-small-business/#comments</comments>
		<pubDate>Mon, 20 May 2013 15:36:54 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=13416</guid>
		<description><![CDATA[(Editor&#8217;s note: One of many proof points that small businesses are being heavily targeted by cybercriminals comes from Verizon&#8217;s 2013 Data Breach Investigations Report, in which three-quarters of the cases investigated occurred at companies with 100 employees or less. In this guest essay, Tim Francis, Enterprise Cyber Lead for Travelers Bond &#38; Financial Products, offers [...]]]></description>
			<content:encoded><![CDATA[<p><em>(<a href="http://www.usatoday.com/story/cybertruth/2013/05/20/small-businesss-hacking-safety-tips/2209127/">Editor&#8217;s note: </a>One of many proof points that small businesses are being heavily targeted by cybercriminals comes from Verizon&#8217;s 2013 Data Breach Investigations Report, in which three-quarters of the cases investigated occurred at companies with 100 employees or less. In this guest essay, Tim Francis, Enterprise Cyber Lead for Travelers Bond &amp; Financial Products, offers small business owners a few pointers.)</em></p>
<p>By Tim Francis</p>
<p>There is little doubt that small businesses face a growing cyberthreat – and hackers are not showing any signs of letting up. Through even more sophisticated means, hackers are finding ways to attack businesses, sometimes forming syndicates of like-minded criminals to share information and new techniques.</p>
<p>Knowing the most common ways data breaches can occur and learning how to mitigate those risks can go a long way in deterring cyber criminals. Here are some general guidelines to help small businesses get ahead of cybercriminals and safeguard against cyber attacks:</p>
<p><strong> Train staff. </strong> All employees should learn the importance of protecting the information they regularly handle to help reduce exposure to the business. This includes everything from locking up customer records to keeping passwords strong and confidential. Employees should also be taught how to handle a breach if one occurs.</p>
<p><strong> Defend your network. </strong>Use appropriate firewall and antivirus technology and make sure that security software patches are updated in a timely fashion. Evaluate the security settings on software, browser and email programs, and select system options that will meet your business needs without increasing risk.</p>
<p><strong> Monitor mobile devices and Wi-Fi access. </strong> Establish usage policies for employees and be sure they are clearly communicated. For example, employees should be instructed to use public Wi-Fi only in very limited circumstances. Any data that shouldn&#8217;t be made public, such as proprietary business or customer information or credit card numbers, should not be transmitted or accessed through public Wi-Fi.</p>
<p><strong> Derive an emergency plan. </strong>If a breach occurs, there should be a clear protocol for which employee is managing the situation, and what action should be taken, such as informing the insurance provider, etc. Whether it is a large or small company, this business continuity plan can help an organization manage a breach while helping to ensure that the business is still meeting customer demands.</p>
<p><strong> Consider insurance coverage. </strong>Liability protection is available for when customers or other individuals who have been affected hold a company responsible for information stolen during data breaches or other network intrusions. A cyber policy can also include coverage for a forensic investigation, litigation and remediation expenses associated with the breach. In addition, a cyber program may include coverage for regulatory defense expenses and related fines, crisis management or public relations expenses, business interruption and cyber extortion coverage.</p>
<p>By following these guidelines, small businesses can put proper risk management steps in place early on in order to better thwart potential attacks by cyber criminals.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/steps-protect-small-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://lastwatchdog.com/steps-protect-small-business/</feedburner:origLink></item>
		<item>
		<title>3 must-do steps to recover from a phishing scam</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/CcxNlhoS18o/</link>
		<comments>http://lastwatchdog.com/13410/#comments</comments>
		<pubDate>Fri, 17 May 2013 17:35:12 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=13410</guid>
		<description><![CDATA[It&#8217;s a sinking feeling, when you realize you&#8217;ve been had by a phishing scam. In the frenetic digital world we live in, it can happen to anyone. So you&#8217;ve clicked on a link that now seems very suspicious. You&#8217;re concerned that the bad guys may be in control of your computing device. Or perhaps you&#8217;ve [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s a <a href="http://www.usatoday.com/story/cybertruth/2013/05/17/phishing-scams-steps-to-recover-privacy/2193105/">sinking feeling,</a> when you realize you&#8217;ve been had by a phishing scam. In the frenetic digital world we live in, it can happen to anyone.</p>
<p>So you&#8217;ve clicked on a link that now seems very suspicious. You&#8217;re concerned that the bad guys may be in control of your computing device. Or perhaps you&#8217;ve typed some account information into a web form, and you&#8217;re having second thoughts about the authenticity of the form.</p>
<p>Recovering will require work. Here are three things you can do if you believe you&#8217;ve fallen prey to a phishing scam delivered by e-mail, a social media posting or even a phone call, according to Adam Levin, Chairman of IDentity Theft 911.</p>
<p><strong>Update and scan:</strong> If you have clicked on or downloaded anything that might infect your system, then make sure you install or update anti-virus software and run a full scan of your system. Here is <a href="http://www.idt911.com/en/sitecore/content/GlobalElements/KnowledgeCenter/TipItems/System%20Protection%20Tips.aspx">helpful guidance</a> from ID Theft 911.</p>
<p><strong> Contact credit agencies.</strong> If you have disclosed any personal information or you&#8217;re worried your account may have been accessed, you can place an alert with any one of the three major credit bureaus, which signals to potential creditors that you could be a victim of identity theft.</p>
<p><strong> Update account logons.</strong> If you have reason to believe that any of your email or social media accounts are compromised, make sure you change the passwords immediately. See tips <a href="http://www.idt911.com/en/sitecore/content/GlobalElements/KnowledgeCenter/TipItems/Social%20Media%20Prevention%20Tips.aspx">here.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/13410/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://lastwatchdog.com/13410/</feedburner:origLink></item>
		<item>
		<title>How a best-practices registry could make cloud much safer</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/go2vMbC8EsY/</link>
		<comments>http://lastwatchdog.com/best-practices-registry-cloud-safer/#comments</comments>
		<pubDate>Fri, 17 May 2013 17:31:53 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=13408</guid>
		<description><![CDATA[(Editor&#8217;s note: Formed in 2008, the Cloud Security Alliance is a not-for-profit coalition of senior executives and cybersecurity experts formed to promote the use of best security practices for cloud computing. CSA members who contributed to this essay include: Dave Cullinane, CISO, eBay; Alan Boehme, Chief of Enterprise Architecture, Coca-Cola; Paul Kurtz, former member of [...]]]></description>
			<content:encoded><![CDATA[<p><em>(<a href="http://www.usatoday.com/story/cybertruth/2013/05/17/cloud-computing-best-practices-cybersecurity/2193071/">Editor&#8217;s note:</a> Formed in 2008, the Cloud Security Alliance is a not-for-profit coalition of senior executives and cybersecurity experts formed to promote the use of best security practices for cloud computing. CSA members who contributed to this essay include: Dave Cullinane, CISO, eBay; Alan Boehme, Chief of Enterprise Architecture, Coca-Cola; Paul Kurtz, former member of the White House Security Council; Jerry Archer, EVP and CSO for Sallie Mae; Nils Puhlmann, former CSO, Zynga. CSA executive director Jim Reavis penned this final draft of the guest essay for CyberTruth.)</em></p>
<p>By Jim Reavis</p>
<p>For several years, it has seemed as though computers have played a role in virtually every part of our lives. However, we stand upon the precipice of a truly profound explosion in the growth of computing. From iPhones to tablets to self-driving cars (!) to the electrical grid, conservative projections peg the number of Internet-connected devices to rise from 8 billion today to over 100 billion by 2020.</p>
<p>Controlling these devices and managing our information are the massive server farms at Amazon, Google, Microsoft and elsewhere, creating a global compute utility called cloud computing, or more simply, the Cloud, which is expanding at a similar pace. It is impossible to predict all of the good and bad that will result from this massive growth, but it is possible to orient ourselves around a technology-friendly, global point of view to manage the problems as they emerge.</p>
<p>Cloud Security Alliance (CSA), an international not-for-profit organization with over 44,000 members, is building an ecosystem to create trust and confidence in the cloud based upon vendor-neutral best practices research conducted by a global constituency.</p>
<p>Like a utility, the Cloud is always on and available. Also like a utility, nations around the world are scrambling to understand how to regulate the Cloud. While much of this is well meaning and some of it is quite good, it is simply impossible to adequately govern an entity that is changing itself by the nanosecond by regulations alone.</p>
<p>Cloud certainly needs to be governed by the rule of law, even though the problem of writing technology-friendly laws that do not become obsolete will become increasingly difficult. The desire to make these massive data centers that potentially store everything about us accountable to the citizens is certainly laudable. CSA believes that a major part of the solution lies in the words that US Supreme Court Justice Louis Brandeis wrote exactly 100 years ago in pursuit of greater transparency in the United States, &#8220;sunlight is said to be the best of disinfectants&#8221;.</p>
<p>One of the fascinating changes in our consumption of news is how fast events get reported in social media or Twitter. While they are often forums for incorrect information initially, the weight of the community seems to always get it right in the end. We think this dynamic and transparent force is the ideal means to help police the cloud.</p>
<p>CSA created a voluntary program for cloud providers called STAR, which stands for the Security, Trust and Assurance Registry (www.cloudsecurityalliance.org/star). All we ask is that cloud providers publish their compliance to our security best practices and publish this information in our registry for all to see. While still in its infancy, we have many of the major cloud providers already listed.</p>
<p>Many relayed to us that they sweated this process out more than a typical audit, because they knew the information would be made public. Indeed, the legal counsel at some cloud providers has prevented their appearance in this voluntary registry entirely over concerns about the liability of public disclosure. Public pressure will make that a losing proposition.</p>
<p>We think that curating social media&#8217;s response to how cloud providers use STAR to post changes in security practices, privacy policies, user terms and conditions is an ideal way to police the cloud in real time instead of waiting for the next government action. We can learn from the community and use it directly to issue new guidance that is appropriate and timely.</p>
<p>Massive cloud providers have potential for great power. To see government regulation as the only check to that power is misguided. Let&#8217;s tap into the potential of the community. Not only do we see this as effective, but it is the right thing to do. Consumers have a right to some of Justice Brandeis&#8217; &#8220;sunlight&#8221; shining on the cloud providers that hold so much of our personal information.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/best-practices-registry-cloud-safer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://lastwatchdog.com/best-practices-registry-cloud-safer/</feedburner:origLink></item>
		<item>
		<title>Why the burden remains on consumers to dodge phishing scams</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/qbBsMThkj08/</link>
		<comments>http://lastwatchdog.com/burden-remains-consumers-dodge-phishing-scams/#comments</comments>
		<pubDate>Fri, 17 May 2013 17:11:29 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=13404</guid>
		<description><![CDATA[SEATTLE – Phishing continues to plague Internet users. Walmart on Thursday issued an alert about an e-mail phishing ruse, recognizable by the misspelling in the from field &#8212; &#8220;Wallmart,&#8221; spelled with two Ls. Phishers rely on social engineering to trick Internet users into quickly clicking on a tainted attachment or infected web link. The [...]]]></description>
			<content:encoded><![CDATA[<p><object width="425" height="239"><param name="movie" value="http://www.youtube.com/v/IcIUb81O8Zg?hl=en_US&amp;version=3"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/IcIUb81O8Zg?hl=en_US&amp;version=3" type="application/x-shockwave-flash" width="425" height="239" allowscriptaccess="always" allowfullscreen="true"></embed></object><br />
<a href="http://lastwatchdog.com/call-immersive-employee-training-combat-phishing/phishing_fbiimage/" rel="attachment wp-att-12597"><img class="alignleft size-full wp-image-12597" title="Phishing_FBIimage" src="http://lastwatchdog.com/wp/wp-content/uploads/Phishing_FBIimage.jpg" alt="" width="208" height="144" /></a>SEATTLE – Phishing <a href="http://www.usatoday.com/story/cybertruth/2013/05/17/phishing-rise-cybersecurity-id-theft/2193111/">continues to plague</a> Internet users. Walmart on Thursday issued an alert about an e-mail phishing ruse, recognizable by the misspelling in the from field &#8212; &#8220;Wallmart,&#8221; spelled with two Ls.</p>
<p>Phishers rely on social engineering to trick Internet users into quickly clicking on a tainted attachment or infected web link.</p>
<p>The anonymity built into the Internet continues to be leveraged by phishers with two primary motives. You have the garden-variety Walmart scammers, out to make a quick buck, and spreading phishing lures indiscriminately. Then there are the nation state-backed spies who go to elaborate lengths to corrupt the computers of specific individuals at targeted organizations.</p>
<p>Global losses from phishing in 2012 hit a record $1.5 billion, a 22 percent increase over 2011, according to the RSA 2013 Fraud Report. The total number of phishing attacks in 2012 was 59 percent higher than in 2011, reports RSA.</p>
<p>Meanwhile, the number of phishing sites disguised as social networking sites has grown by 125 percent, reports Symantec in its 2013 Internet Security Report.</p>
<p>This week, Visa and the Consumer Federation of America (CFA) announced a new public awareness campaign, &#8220;Slam the Door on Phishing Scams,&#8221; to help plug the dike. What&#8217;s clear is that consumers continue to bear the largest burden for avoiding phishing hooks. LastWatchdog asked Jennifer Fischer, Visa&#8217;s Head of Americas Payment System Security, to explain why.</p>
<p><strong>LW:</strong> Why has phishing persisted at such a sustained high level?</p>
<p><strong> Fischer:</strong> As technology has evolved, so have criminals. Phishing scams originally perpetrated by mail or phone are moving to newer channels. Email phishing is prevalent, and increasingly scammers are also using social media and text messages to reach consumers. Scammers are also getting more sophisticated. Phishes don&#8217;t necessarily have the tell-tale misspellings or bad grammar that used to give them away, so people may fall victim to them more.</p>
<p><strong>LW:</strong> To what degree has usage of social media and mobile devices increased the burden on consumers to become more vigilant?</p>
<p><strong> Fischer:</strong> There is no doubt that advances in technology have opened opportunities for criminals to reach consumers. But the Internet can also make it easier for consumers to monitor their accounts through online statements and tools like transaction alerts, which can help consumers to quickly flag unusual financial activity.</p>
<p><strong>LW:</strong> Many phishing scams make use of the existing payment card infrastructure. What more could the payment processing industry be doing to curtail phishing scams?</p>
<p><strong>Fischer:</strong> Consumers are being targeted directly through their devices, so it is important to make them aware of the trends and the steps they can take to help keep their information secure. Industry partnership is also important. The payments industry must continue working closely with anti-phishing organizations and law enforcement to track trends and successfully shut down these types of attacks.</p>
<p><strong>LW:</strong> Anything else?</p>
<p><strong>Fischer:</strong> Posting personal information could be an invitation for scammers to target your payment accounts. One of those dangers is &#8220;spear phishing,&#8221; a tactic where scammers will try to determine which bank or credit card company you use before sending their bogus emails. This targeting—or &#8220;spearing&#8221;—increases the apparent legitimacy of the request, making the phishing harder to spot by the consumer. So before posting, pause to consider the sensitivity of the information you&#8217;re making public.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/burden-remains-consumers-dodge-phishing-scams/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://lastwatchdog.com/burden-remains-consumers-dodge-phishing-scams/</feedburner:origLink></item>
		<item>
		<title>Feds upgrade alert on destructive Shamoon virus</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/m0l-W-0rLyM/</link>
		<comments>http://lastwatchdog.com/feds-upgrade-alert-destructive-shamoon-virus/#comments</comments>
		<pubDate>Thu, 16 May 2013 16:51:53 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=13396</guid>
		<description><![CDATA[It&#8217;s been 9 months since the milestone Shamoon virus wreaked havoc at Aramco. Shamoon was not designed to steal data. Nor was it just another garden variety denial of service attack, intended to disrupt and embarrass. Shamoon&#8217;s express purpose was the crippling of the Saudi Arabian national oil and natural gas company. It accomplished its mission, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://lastwatchdog.com/feds-upgrade-alert-destructive-shamoon-virus/shutter_pearlharbor150px/" rel="attachment wp-att-13398"><img class="alignleft size-full wp-image-13398" title="Shutter_pearlharbor150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Shutter_pearlharbor150px.jpg" alt="" width="150" height="146" /></a>It&#8217;s been 9 months since <a href="http://www.usatoday.com/story/cybertruth/2013/05/16/shamoon-cyber-warfare-hackers-anti-american/2166147/">the milestone Shamoon virus</a> wreaked havoc at Aramco. Shamoon was not designed to steal data. Nor was it just another garden variety denial of service attack, intended to disrupt and embarrass. Shamoon&#8217;s express purpose was the crippling of the Saudi Arabian national oil and natural gas company. It accomplished its mission, destroying data on some 30,000 desktops and servers at the oil company.</p>
<p>The U.S. Department of Homeland Security&#8217;s National Cyber Security Division has updated its standing alert, specifically recommending that IT organizations implement ways to detect propagation of viruses like Shamoon. LastWatchdog asked Gord Boyce, ForeScout Technologies&#8217; CEO, to frame the go-forward concerns:</p>
<p><strong> CT:</strong> Why does concern remain heightened about Shamoon?</p>
<p><strong> Boyce:</strong> A decade ago, we used to see viruses that were destructive like Shamoon. But by 2004, the people who write viruses shifted their intentions from notoriety to profit. Since then, most viruses have been designed to remain undetected and unobtrusive. The viruses quietly do their work, such as using your computer to send hundreds of spam messages without your knowledge. Shamoon is a huge departure.</p>
<p><strong> LW</strong>: Is there a consensus about who likely was responsible?</p>
<p><strong> Boyce:</strong> No. Most security experts believe that the author of Shamoon was politically motivated. Strong anti-American sentiment was evident within the Shamoon code. For example, there was an image of a burning American flag. Some say that the author of the virus intended to send a message to the Saudi government for supporting controversial American foreign policy in the Middle East.</p>
<p><strong>LW:</strong> Should the public be concerned that Shamoon&#8217;s creators/controllers are likely still active?</p>
<p><strong> Boyce:</strong> Yes. After a terrorist event that makes an apparent change in the threat landscape, it is natural and prudent to have a heightened awareness and to exercise defense procedures designed to reduce the risk of a similar event. Shamoon is highly destructive and an organization infected with this type of malware could experience operational impacts including loss of intellectual property and disruption of critical systems.</p>
<p><strong>LW:</strong> What about copycats?</p>
<p><strong>Boyce:</strong> Computer forensic experts who have inspected the Shamoon code have stated that Shamoon was not an especially difficult virus to create, so copycat viruses are quite possible.</p>
<p><strong> LW:</strong> How would you summarize the go-forward concerns?</p>
<p><strong>Boyce:</strong> Organizations have to assume copycat similar attacks might take place and protect against them. The concern is that from a single computer the virus infection can spread internally from computer to computer. And perimeter defenses like firewalls and network intrusion prevention cannot prevent the spread. Organizations need to upgrade their internal network defenses to ensure even previously unknown malware cannot spread undetected.</p>
<p><strong> LW:</strong> Anything else?</p>
<p><strong> Boyce:</strong> Traditional measures such as antivirus are not enough to prevent 100 percent of fast-spreading infections. The main thrust of cyberthreats is continuously shifting inside organizational networks; IT security needs to follow suit, and deploy technologies that effectively address those threats over their internal network.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/feds-upgrade-alert-destructive-shamoon-virus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://lastwatchdog.com/feds-upgrade-alert-destructive-shamoon-virus/</feedburner:origLink></item>
		<item>
		<title>Pixeljacking is latest way to defraud advertisers</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/snt5mvtUPEQ/</link>
		<comments>http://lastwatchdog.com/pixeljacking-latest-defraud-advertisers/#comments</comments>
		<pubDate>Wed, 15 May 2013 22:29:33 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=13392</guid>
		<description><![CDATA[(Editor&#8217;s note: One lucrative cybercrime involves directing a botnet – a network of infected PCs – to click on ads, and thus generate payments from the advertiser to the controller of the botnet. In this guest essay, Gurbaksh Chahal, founder and CEO of RadiumOne, outlines a variation on this caper, known as pixeljacking.) By Gurbaksh [...]]]></description>
			<content:encoded><![CDATA[<p>(Editor&#8217;s note: One lucrative cybercrime involves directing a botnet – a network of infected PCs – to <a href="http://www.usatoday.com/story/cybertruth/2013/05/15/hackers-social-media-advertisers-breaches/2161047/">click on ads,</a> and thus generate payments from the advertiser to the controller of the botnet. In this guest essay, Gurbaksh Chahal, founder and CEO of RadiumOne, outlines a variation on this caper, known as pixeljacking.)</p>
<p>By Gurbaksh Chahal</p>
<p>The hallowed halls of social media are no longer safe. Not when the operators of botnets like Chameleon are able to systematically steal $6 million per month from advertisers in the form of payments received for clicks from infected PCs, not real consumers.</p>
<p>Similarly, highly publicized hacking hoaxes that bedeviled the Twitter accounts of Burger King and Jeep demonstrate just how vulnerable brands can be on social media.</p>
<p>And then there is pixeljacking. This refers to the introduction of malicious code that hijacks consumer web browsers so as to push fake Internet traffic through that identity.</p>
<p>This type of fraudulent traffic poses a threat to consumer privacy and wreaks havoc on advertisers and agencies that rely on accurate ad data to run their businesses.</p>
<p>At latest count, RadiumOne has verified over 1,000 distinct domains used by botnet operators involved in &#8220;pixeljacking.&#8221; We estimate the existence of over 10,000 such sites across the web. This relates to a potential fraud spend of $324 million each year, about 5.4% of all display ad spend.</p>
<p>With a virtually unlimited supply of online ads to choose from, nefarious hackers have the potential to inflict greater losses for specific brands as well as the industry as a whole, driving up the cost of display advertising. Not to mention the loss of credibility that occurs when visible security threats like Twitter hacks are targeted at specific brands.</p>
<p>The use of social media as a platform to inflict damage and emphasis on the advertising industry as a target is unique. We are living in a time where there are now dunes of important data that can easily be accessed and used against us if it falls into the wrong hands. The complexity, frequency and scope of hacking attacks have increased exponentially as both business and technology collide in the digital age.</p>
<p>The good news is, there are ways of preventing these forms of attacks. Recently, the advertising tech industry has been abuzz, searching for new ways to address this drastic rise in online security and privacy threats. One approach to solve this problem would be to introduce human challenge and response tests like Captcha in order to ensure that real people are responsible for clicking on ads and driving traffic.</p>
<p>With the alarming progression of computer hacking and virus creation, consumers and the advertising industry at large must understand the potential exposure, and arm themselves with actionable steps to combat impression fraud.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/pixeljacking-latest-defraud-advertisers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://lastwatchdog.com/pixeljacking-latest-defraud-advertisers/</feedburner:origLink></item>
		<item>
		<title>Q&amp;A: RedKit, Blackhole exploit kits expand badness</title>
		<link>http://feedproxy.google.com/~r/LastWatchdog/~3/hAE5kgVT9Jw/</link>
		<comments>http://lastwatchdog.com/qa-redkit-blackhole-exploit-kits-expand-badness/#comments</comments>
		<pubDate>Wed, 15 May 2013 18:37:07 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=13389</guid>
		<description><![CDATA[SEATTLE &#8212; AppRiver has uncovered yet more evidence that so-called drive-by downloads &#8212; infections lurking on legit websites &#8212; have become the predominant way cyber criminals are infecting PCs. The Gulf Breeze, Fla.-based messaging security firm found &#8220;RedKit&#8221; to be one of the most prevalent malicious programs circulating on websites in April. RedKit and a [...]]]></description>
			<content:encoded><![CDATA[<p>SEATTLE &#8212; AppRiver has uncovered yet <a href="http://www.usatoday.com/story/cybertruth/2013/05/15/redkit-blackhole-exploit-kits-hackers/2159657/">more evidence</a> that so-called drive-by downloads &#8212; infections lurking on legit websites &#8212; have become the predominant way cyber criminals are infecting PCs.</p>
<p>The Gulf Breeze, Fla.-based messaging security firm found &#8220;RedKit&#8221; to be one of the most prevalent malicious programs circulating on websites in April.</p>
<p>RedKit and a similar tool, the so-called &#8220;Blackhole&#8221; exploit kit, have emerged as a cybercriminal&#8217;s indispensable Swiss Army knife. CyberTruth earlier reported on analysis from firewall vendor, Palo Alto Networks, revealing that the vast majority of malware seeping into company networks arrives via drive-by download.</p>
<p>So now, we&#8217;ve asked AppRiver senior analyst Fred Touchette to drill down on how exploit kits, like RedKit and Blackhole, are helping cybercriminals circulate nasty infections all over the Internet.</p>
<p><strong>LW:</strong> What makes exploit kits so worrisome?</p>
<p><strong> Touchette:</strong> An exploit kit is essentially a software package that makes the exploitation of vulnerable websites simple for cyber criminals. They&#8217;re easy to configure, and automated. You just click a button. The user needs very little technical knowledge. And if he requires some help, some toolkit authors even offer a one-year support license included in the price of the kit.</p>
<p><strong> LW:</strong> What&#8217;s distinctive about kits such as Blackhole and RedKit?</p>
<p><strong>Touchette:</strong> The prevalence of these kits is what sets them apart from other threats. The kits remain effective over and over again. The ease of their use in addition to their effectiveness means we also end up seeing large botnets being created as a result.</p>
<p><strong>LW:</strong> What are the bad guys who use exploit kits typically after?</p>
<p><strong>Touchette:</strong> The goal of these attacks is to make or steal money. They cast a net and drag in whatever is found. They&#8217;ll take all of the identities and bank account information they can get their hands on. It&#8217;s important to realize that Web threats are real and the need to stay protected makes good sense.</p>
<p><strong>LW:</strong> What else is important about how website-borne infections are evolving?</p>
<p><strong>Touchette:</strong> The big take away is that most attacks are specific to the initial &#8220;drive-by&#8221; attack. Exploited websites redirect your browser to a second, and sometimes third, website where the initial exploit resides and attempts to take over the victim&#8217;s computer. The best way to contain these attacks is to recognize such malicious redirects and shut them down before a victim&#8217;s browser is able to make it to the point where the malware is delivered.</p>
<p><strong>LW:</strong> What should the average Internet user understand about website-borne threats?</p>
<p><strong>Touchette:</strong> It&#8217;s important to realize that most of these attacks are automated and capable of seeking out vulnerable websites, exploiting them and using them to spread malware. It&#8217;s not just the back alley websites where malware is kept anymore; it can reside on everyday, seemingly innocuous sites. In fact, even reputable sites accidentally serve up malicious software from time to time. That&#8217;s why it is important to use a layered security approach and remain vigilant while online.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/qa-redkit-blackhole-exploit-kits-expand-badness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://lastwatchdog.com/qa-redkit-blackhole-exploit-kits-expand-badness/</feedburner:origLink></item>
	</channel>
</rss>
