Saturday, May 21, 2022

The 5 New Ways In Which Your Android & iOS Devices Are Being Targeted

Well, happy weekend everybody!!!  It’s hard to believe that in another week it will be Memorial Day Weekend, and soon, half the year will be over.  Honestly, this year has gone by faster than any I can remember.

But speaking of the halfway mark, in June I will be releasing my midyear Cyber Report. Just to pique your curiosity somewhat, the topic will be about the true cost of Security Breaches that have occurred here in the United States.

Everybody talks about it; nobody has really put a firm dollar value to it.  This is where I am hoping this report will help.  One of the other objectives of it is to hopefully raise some alarm bells as well.  I could have written about other topics, but last year I covered Ransomware, and at the beginning of this year, I covered Phishing.

Anyways, as we hit June, there is yet another form of threat vector out there that has not received the attention it should be getting.  We are all so obsessed with the Cyber impacts from Russia invading Ukraine that this one has totally faded out.

What am I talking about?  It is attacks on our mobile devices, whether they are notebooks, tablets, laptops, smartphones, etc.

Luckily, I came across an article which covered some of the major avenues in which your device can be attacked.  Some of them I never even thought of before.  So, here we go:

1)     Conducting Fraud:

When one thinks of an attack on a smartphone, the immediate thoughts that come to mind are those of the Cyberattacker taking 100% control of the device, or implanting some kind of Malware on it in order to gain access to the information that is stored on it.  But now, hackers can use your smartphone as a way to conduct fraud-based activities.  This is technically known as “On Device Fraud”, or “ODF” for short.  This kind of attack first hit the mobile apps that were created for the customers of the major banks, but now it is being used anywhere fraud can be carried out. Two of the most notorious threat variants are Octo and Teabot.  They both allow for the hijacking of video conferencing and screen sharing on your Android device.  More information about these two can be seen at these links:

https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html

(FOR OCTO)

https://www.zdnet.com/article/teabot-android-banking-trojan-continues-its-global-conquest-with-new-upgrades/

(FOR TEABOT)

2)     Redirecting phone calls:

Think Smishing attacks and Robocalls are annoying enough?  Well, here is something that is even scarier.  You place a call from your smartphone to a legitimate phone number, the Cyberattacker intercepts it, and instead reroutes your call to another receiver.  In this entire process, you do not even know what is happening until the person picks up on the other side.  This trend started with a rogue mobile app Trojan Horse known as “Fakecalls”.  During the installation process of this app, the Cyberattacker overwrites all of the permissions on your smartphone.

More information about this nasty Trojan Horse can be seen at this link:

https://usa.kaspersky.com/blog/fakecalls-banking-trojan/26354/

3)     Taking over push-notifications:

This is when you receive a direct notification, such as a One Time Password (OTP), which you have to respond to.  For example, many financial institutions now require some sort of 2FA, and using an OTP fits this bill perfectly.  But now, there is a new piece of Malware called “FluBot” that directly targets the push notification functionality of Android based devices.  This Malware will reply automatically to any sort of push notification that you may receive, even without you knowing about it.  Even worse, it can hijack the address book in your Android device, and spread itself like a worm to the wireless devices of your contacts.  This kind of attack is known technically as “Push Message Phishing”.  There is another variant of this which is known as “Sharkbot”, and information about both can be seen at these links:

https://www.darkreading.com/threat-intelligence/flubot-malware-s-rapid-spread-may-soon-hit-us-phones

(FOR THE FLUBOT)

https://www.darkreading.com/endpoint/google-removes-dangerous-banking-malware-from-play-store

(FOR THE SHARKBOT)

4)     The creation of new domain names:

A new trend that started to occur when COVID-19 hit was the registration of many domain names by the Cyberattacker.  While one intent of this was to create phony and fictitious websites, the other has been to create multiple command and control centers hosted on VMs.  For example, when a Cyberattacker launches an attack, he or she may not directly target the victim. Rather, they will issue remote commands through one of these servers to target the victim, in an effort to disguise themselves.  But keep in mind that tracking these kinds of ill-used domains has been a focus of law enforcement, such as the FBI.  So to avoid further detection, the Cyberattacker will shut down the VM on which a domain has been used, and create a new one to host a new domain to be used for these malicious purposes.  The Sharkbot variant has been used for this very purpose, in an effort to stay covertly inside your wireless device for extended periods of time.  In a way, this can also be compared to an Advanced Persistent Threat.

5)     Getting through Google and Apple:

Apple has some of the most stringent requirements when it comes to uploading new apps to iTunes, and Google not so much. But even despite these tight requirements, Cyberattackers have found ways to bypass all of this and deploy rogue mobile apps.  These kinds of apps are technically known as “Droppers”.

My Thoughts On This:

There are numerous ways in which to lessen the odds of becoming a victim of a smartphone attack:

1)     Limit mobile app usage.  I know life is a lot easier with a mobile app for everything, but the more you put on, the more you are increasing your attack surface.  Try restricting the mobile apps you install to those that are really necessary.  As for myself, I hardly ever use mobile apps.  I only have two of them.

2)     Always read the reviews of a mobile app you want to use.  If they are any good, then it just gives that mobile app more credibility. But take this with a grain of salt.  Even a Cyberattacker can put up fake reviews.

3)     Always confirm the authenticity of the mobile app. By this, I mean actually try to call the creator of it.  Any legitimate mobile app designed by a real company should have a distinct website, with real contact information.

4)     Always keep your wireless device updated with the latest versions and software patches/upgrades.

In the end, for the sheer lack of a better term, you have to CYA.  In other words, trust your gut.  If it doesn’t feel right, then don’t download it.

Sunday, May 15, 2022

Wanna Be An Awesome CISO? Follow These 4 Cardinal Rules

I have a new book that is coming out in the early part of August.  The thrust of the book is how to actually create and launch a new Cyber business.  But it is not from the standpoint of the recent college graduate or a seasoned IT professional, but rather it is from the viewpoint of the burnt-out or even terminated CISO who is looking for greener pastures.

One way that this goal could be accomplished is to start a consulting gig, focusing around offering vCISO services, which is a hot ticket item right now.

But unfortunately, in the end, whether it is right or wrong or fair, it is the CISO that usually takes the fall for everything.   After all, they are the easiest person to blame and put in the firing line.  The CISO has a lot to deal with, ranging from how well the lines of defense are beefed up to dealing with the Board of Directors.

But one area that they are often faulted for is the lack of communication from them to others in the company, or, if they do communicate at all, the communication is sparse and confusing at best.  So, what is a CISO to do in this regard?  Here are some tips to help with that communication breakdown:

1)     Understand thy audience:

As a CISO, you will be asked to talk to different people that are a part of your organization.  These include both internal and external stakeholders.  Not everybody is going to understand Cybersecurity the way you do, so you need to angle the content to the specific group you are talking to.  Take these cases:

*For the Board of Directors:  Keep things in dollars and cents.

*For employees in your company:  Keep things simple to understand, avoid any and all kinds of techno jargon.

*For the IT Department and your team:  You can get as geeky as you want.

*For shareholders:  Keep the topic centered around how all Cyber efforts are going to impact the Earnings Per Share (EPS).

Get the idea?

2)     Start with the business objectives first:

In any form of presentation that you may give, it is always key that you never start by talking about metrics and KPIs.  Why so?  Well, first, your audience will probably have no idea what you are talking about, and second, you need to provide some kind of reference point for the metrics that you eventually want to point out.  One of the best ways is to first talk about your business objectives from the standpoint of Cyber, focusing on what has been accomplished so far and what hasn’t.  It is equally important to provide a roadmap as to how you plan to finish those objectives whose goals have not been met yet.  Then once you have laid all of this out, you can get into some of these metrics and KPIs.  Nobody likes quotas and such, but you and your IT Security team need to be judged against something that is quantitative and measurable.  Sure, you can even throw in some qualitative aspects as well.  For example, one of the key metrics that you can talk about is the mean time to detection.  This describes how long it takes a company to detect a security threat that resides in their organization.  So far, the average is a long period of time, so point out how you plan to shorten that time frame for your organization.    Another key point to remember in these types of presentations is that you should keep them only 30 – 40 minutes in length, tops.  Beyond that, you will probably start to have people nodding off in the audience.

3)     It takes everybody:

Traditionally, IT Security teams have taken an isolationist role in what they do, because everybody else in the company thinks that if anything breaks down, these are the guys that should fix it.  While this might be true in a theoretical sense, they can only do so much. They should not be finger-pointed at or isolated by any means.  What I am trying to get at is that security involves everybody in the company, all the way from the Board of Directors down to the overnight cleaning crew.  The CISO can foster this kind of thinking by visiting each department on a personal level, and telling them directly that they are a part of the security chain as well, and that their input is highly valued.  But the CISO first needs to take this mentality with their own IT Security team.  There are still many complaints that CISOs often ignore their own employees, and don’t even make the time to listen to them.  Then, the gap in effectively communicating with other members of the C-Suite, and especially the Board of Directors, needs to close as well.  The view that the other members of the C-Suite take is that Cyber is a CISO-only effort, and that they take no part in it.  But guess what?  With the data privacy laws that are out there today, even the C-Suite and the Board of Directors can be held both personally and financially liable if there ever is a security breach.

4)     Establish the layers of accountability:

Once you have demonstrated that everybody has some sort of “teeth” in the defense game for their company, the next step is to establish some sort of accountability.  In other words, if other employees have agreed that what you have said is correct, then they need to be held accountable for their own roles and actions to help protect the digital assets.  For example, employees should be held accountable if they click on a Phishing email.  Another area where accountability is going to be of grave importance is in the creation and implementation of the Incident Response/Disaster Recovery/Business Continuity plans.  This really cannot be outsourced to an outside third party; the employees in your organization have to be responsible for this.  In other words, as these plans are being crafted, you need to take certain employees that you think you can trust, make them part of the process, and give them assignments in these plans.  Then you should rehearse these plans on a regular basis in order to make sure that all employees know their assignments and are ready to act very quickly should a security breach actually happen.

My Thoughts On This:

Improving the lines of communication in any organization is not an easy task, and in many instances, it can take a long time to fully accomplish.  Although timing is critical given the way the Cyber threat landscape is unfolding in front of us, take the needed time as well to make sure that whatever you are trying to communicate is being heard and understood.

Always ask for feedback.  After trying to change your ways for some period of time, always ask a sampling of employees to see how you are doing.  This is the only way that you will know what is working and what is not in terms of communications improvement.  Remember, this should be a very honest and transparent process.

Saturday, May 14, 2022

To The eCommerce Merchant: 3 Proven Tactics To Combat Fraud as a Service

As we keep paying attention to those threat variants that are making the news headlines, it is also very important to note that there are other attack vectors out there that are just as damaging, if not even more so.

One such thing that you need to be aware of is Fraud.  While there is nothing new about this, the way it has evolved has been mind-blowing.  It’s not just a matter of having your wallet or purse stolen; now it is your Digital Identity that is at stake.

With everybody working at home and even fewer people visiting the traditional brick and mortar stores, most of the American population is now shopping online.  Heck, depending upon where you live, you can even have your groceries delivered to you.  But making sure that you remain safe in the digital world, especially as it relates to eCommerce, is a difficult thing to do.

But to make things even more complicated, the Cyberattacker of today is now resorting to a new thing called “Fraud as a Service”.  I think in the past I wrote something about “Ransomware as a Service”, and this is where the Cyberattacker can essentially hire a professional from the Dark Web and have them deploy the malicious payload for pennies on the dollar.  Now it is the same with Fraud.

In this regard, the Cyberattacker can make use of two attack vectors:  Bots and Brand Impersonation.  With the former, the hijacking of One Time Passwords (OTPs) is now the norm.  In this scenario, the hacker already knows your login credentials, but they need that OTP to complete the authentication process.

With the latter, you are redirected to a phony eCommerce site which looks like the real thing.  This is often done through Phishing attacks or Domain Name Heisting (this is where the actual domain of a legitimate business is hijacked, or an almost identical one is registered by the Cyberattacker – for example, target.com could become targett.com).

But combatting Digital Fraud is a two-pronged effort.  What do I mean by this?  It takes both the online vendor (the one that is hosting the eCommerce store), and YOU, the customer.  In today’s blog, we will focus upon the former.  A future blog will deal with how you can better protect yourself.  So, what can the online vendor actually do?  Here are some key steps that can be followed relatively quickly:

1)     Keep track of how many purchases are being made:

I am actually an online vendor myself to a certain degree, and of course we all want tons of sales and transactions coming through our retail sites.  But guess what . . . it can also be a bad sign as well.  How so?  Well, this is where the bots come into play.  They can load up shopping carts and literally make hundreds of purchases in just a matter of a few minutes.  Heck, they will even use brute force methods in order to detect the proper login credentials of the unsuspecting victim.  So on a daily basis, take a look at your transaction history and see if there is any unusual ordering.  If there is, then this could be a telltale indicator that you have bots, and not real customers, hitting your online store.  To mitigate this, perhaps you should put restraints on how many times customers can purchase items from your store in a pre-established time period.  While this could upset some customers, tell them that it is for their own online safety.  Being open and upfront in this regard will always win in the end.

2)     You may have to screen every order:

This is where keeping track of malicious behavior (as alluded to in the last section) will come into play.  It may come to the point where each and every transaction will have to be screened to make sure that there are no bots entering into your system.  For example, you may have a customer that just purchased an item from their iPhone, from a certain location.  Then they drove a few miles away to visit a friend, and made yet another purchase at your online store, but this time from a Samsung, and a different location.  Would this be considered fraud?  To you, the business owner, it could look that way, when in reality it was never the case.  Therefore, with the help of automated tools such as AI and ML, you can easily build up profiles on your customers in just a matter of minutes and set up various baselines.  Those that fall outside of this threshold should be flagged for possible malicious intent.  And remember, you do not have to do this manually. The AI and ML tools that are available today can very easily do this for you, and present everything in one dashboard.  You should even consider running various types of batch analyses against other customer profiles, to make sure that the same credit card number is not being used over and over again.  But keep in mind that once you start using AI and ML tools for these purposes, it will be your job to make sure that they are fed with the most recent data on a real time basis.  This is the only way that the algorithms will continue to learn about your customers, in an effort to also stop any false positives from filtering in (this is where a legitimate customer is flagged for malicious behavior).

3)     Try to avoid automatic declines:

Credit card companies are pretty good today at detecting fraudulent purchases, and even if just one or two are made, the card will be automatically declined.  In this case, they will call the customer, confirm the orders, or in a worst-case scenario, issue a new card to the victim.  But this is not the cut-and-dried scenario with an online merchant. As the old saying goes, it can take years to get a new customer, but only seconds to lose one, so automatic declines may not be best suited here. Therefore, you may want to let purchases go through, but only stop them if any unusual activity has been detected.  This is where keeping your AI and ML tools up to date with the latest data and having them run on a real time basis becomes absolutely critical.  Then at the end of the day, after you scour through the files that have been outputted, you can always reach out to that particular customer to confirm their order in case they have purchased an extraordinary amount which falls outside of their baseline.  In fact, taking this approach will show the customer that you are proactive about keeping their data safe, and in turn, this could bring in more repeat business.  In fact, according to a recent study, 40% of online customers will not return to the same vendor if their purchase has been declined.

(SOURCE:  https://www2.clear.sale/consumer-behavior-intro-unlocked)
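The three tactics above (purchase velocity limits, screening for the same card across accounts and for orders outside a customer's baseline, and flagging for a confirmation call rather than auto-declining) can be implemented as plain rules over a transaction log. The following is an added example written for this post, not code from the author or any vendor; the transaction records, thresholds and the `card_fingerprint` field are constructed for illustration.

```python
"""Transaction screening rules for an online store (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transaction:
    customer_id: str
    card_fingerprint: str   # assumed: a keyed hash of the card number, never the raw PAN
    amount: float
    ts: datetime
    device: str
    location: str


# Constructed thresholds; a real store tunes these from its own history.
MAX_ORDERS_PER_WINDOW = 3          # tactic 1: orders allowed per customer per window
WINDOW = timedelta(minutes=10)
MAX_ACCOUNTS_PER_CARD = 2          # tactic 2: one card spread over many accounts
BASELINE_FACTOR = 5.0              # tactic 2/3: order > 5x a customer's average
MIN_HISTORY = 3                    # skip baseline check for new customers (false positives)


def velocity_flags(txns):
    """Customers whose order count inside any WINDOW exceeds the limit -> {customer_id: count}."""
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t.customer_id].append(t.ts)
    flagged = {}
    for cid, times in by_customer.items():
        times.sort()
        start = 0
        for end in range(len(times)):                 # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count > MAX_ORDERS_PER_WINDOW:
                flagged[cid] = max(flagged.get(cid, 0), count)
    return flagged


def shared_card_flags(txns):
    """Cards used by more distinct customer accounts than allowed -> {card: [accounts]}."""
    accounts = defaultdict(set)
    for t in txns:
        accounts[t.card_fingerprint].add(t.customer_id)
    return {card: sorted(ids) for card, ids in accounts.items()
            if len(ids) > MAX_ACCOUNTS_PER_CARD}


def baseline_flags(txns):
    """Latest order far above a customer's own spending history -> {customer_id: (amount, mean)}."""
    by_customer = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_customer[t.customer_id].append(t.amount)
    flagged = {}
    for cid, amounts in by_customer.items():
        if len(amounts) <= MIN_HISTORY:              # not enough history to call it unusual
            continue
        history, latest = amounts[:-1], amounts[-1]
        mean = sum(history) / len(history)
        if latest > BASELINE_FACTOR * mean:
            flagged[cid] = (latest, mean)
    return flagged


def screen(txns):
    """Combine the checks. Hits go to a review queue for a confirmation call, never an auto-decline.
    Note that a change of device or location alone (iPhone -> Samsung) triggers nothing."""
    review = defaultdict(list)
    for cid, n in velocity_flags(txns).items():
        review[cid].append(f"velocity: {n} orders within {WINDOW}")
    for card, ids in shared_card_flags(txns).items():
        for cid in ids:
            review[cid].append(f"card {card} shared across {len(ids)} accounts")
    for cid, (amount, mean) in baseline_flags(txns).items():
        review[cid].append(f"amount {amount:.2f} vs baseline mean {mean:.2f}")
    return {cid: {"action": "review", "reasons": reasons} for cid, reasons in review.items()}


# Constructed sample log: a real customer (alice), a bot, and one card spread over three accounts.
T0 = datetime(2022, 5, 14, 9, 0, 0)
SAMPLE_TXNS = [
    Transaction("alice", "card_A", 40.0, T0, "iPhone", "Chicago"),
    Transaction("alice", "card_A", 55.0, T0 + timedelta(days=1), "iPhone", "Chicago"),
    Transaction("alice", "card_A", 48.0, T0 + timedelta(days=2), "Samsung", "Evanston"),
    Transaction("alice", "card_A", 900.0, T0 + timedelta(days=3), "iPhone", "Chicago"),
    Transaction("u1", "card_C", 30.0, T0 + timedelta(hours=1), "Chrome", "Dallas"),
    Transaction("u2", "card_C", 30.0, T0 + timedelta(hours=2), "Chrome", "Dallas"),
    Transaction("u3", "card_C", 30.0, T0 + timedelta(hours=3), "Chrome", "Dallas"),
] + [
    Transaction("bot-1", "card_B", 20.0, T0 + timedelta(seconds=30 * i), "headless", "unknown")
    for i in range(5)                                 # five orders inside two minutes
]

if __name__ == "__main__":
    for cid, verdict in screen(SAMPLE_TXNS).items():
        print(cid, verdict)
```

Running it queues `bot-1` (velocity), `u1`/`u2`/`u3` (shared card) and `alice` (the 900.00 order against a ~47.67 average) for a confirmation call, while alice's earlier device and location change passes untouched.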

My Thoughts On This:

Notice that this blog put a heavy emphasis on using AI and ML tools.  This may sound frightening at first, but it should not be.  In this regard, your best bet is probably to hire an MSSP to install these tools for you.  That way, they can also do a Dark Web scan to make sure that none of your customers’ PII datasets are down there, and that nobody has heisted your domain name in an effort to create a phony website.

In other words, apart from keeping your customers protected from Fraud as a Service, you also need to make sure that your IP is equally protected.

Wednesday, May 11, 2022

Who Is Managing Your Business Operation Ecosystem Cyber Risk?

One of the big buzzwords that we hear of today is “Cyber Risk”.  But unfortunately, there is no clear-cut definition of this, and a lot depends upon a number of key variables that are unique to your own environment.  For example, risk may mean the financial loss that your company goes through after suffering a cyber breach, or it may be the damage that could potentially be done to key digital assets, as identified after you have conducted an assessment.

But generally put, risk can be thought of as the amount of “pain” your business can bear in terms of downtime without incurring damaging costs.  For example, suppose you are hit with a Ransomware attack.  How much downtime can you take until the permanent financial losses start to mount?

There are numerous ways to calculate risk, but there is no established standard for this.  Because of this, it is highly recommended that you seek the help of a cyber vendor that specializes in it.  One such company is Opora, based out of Israel, with an office in NYC as well. In this podcast, we have the honor and privilege of interviewing Joel Blaiberg, the Director of Sales Engineering.  Find out how they calculate risk, and how you can benefit from it.

You can download the podcast at this link:

https://astcybersecurity.podbean.com/e/who-is-managing-your-business-operation-ecosystem-cyber-risk/

Sunday, May 8, 2022

Should You Outsource Your Mobile App Development?

In a previous blog, we mentioned that there could be times when you may want to actually outsource your mobile app development.  Of course, the conditions under which you do that will vary, but there are pros and cons to doing this.  We review these in more detail here.

The Pros Of Outsourcing

1)     It is budget-friendly:

If you want to develop an app, controlling costs and preserving the cash flow of your business is probably at the top of your mind.  When you develop a mobile app in-house, you will need to have a team that is dedicated to this task.  When this approach is taken, you will have to pay for salaries, benefits, time off, bonuses and more. But by outsourcing to a third-party agency, the costs are obviously much lower.

2)     You get access to a broader range of talent:

When you hire an exclusive mobile app development agency, that is all they do day in and day out.  This means that you will have a wide breadth of experience that you can utilize to build your project according to the needs of the client.  Also, this will save you time in trying to find and recruit the talent that you would need if you were to do this in house.

3)     You will have a team that is available on call whenever you need it:

If you outsource your work to an agency located in a different part of the world, you will be able to access them reasonably quickly after business hours.  For example, if you do have a team of mobile app developers here in the United States, you can augment them by hiring an agency, say in India, that can work well after business hours locally until the next day.  That way, you have a staff that is working on an almost 24 X 5 X 365 basis to get your project done on time for your client. 

4)     Your in-house team can be focused on accomplishing different tasks:

If you have a lot of projects coming down the pipeline, you will want to keep your existing team focused on whatever they are working on at the present time, and whatever workflows you may have planned for them in the future.  By hiring a mobile app development agency, you can pass work on to them so that none of your existing processes will need to be altered or affected in any way.

The Cons of Outsourcing

Of course, with the pros, come the cons, which are as follows:

1)     The risk of data privacy and loss:

Whenever you outsource any type of project to a different entity, there is always a much greater chance that the confidential information/data that you share with them could be leaked out to others, either intentionally or unintentionally.  Here in the United States, as well as the European Union, both data loss and data privacy are being taken extremely seriously these days, backed up by the compliance powers of the CCPA and the GDPR, respectively.  If anything like this ever does happen, you will be held primarily responsible for any security breaches, not the agency that you hire.  This means that you could face some severe financial penalties.  Also, the testing of the source code is on your shoulders, not the agency’s.  This means that you will have to do some sort of penetration testing or threat hunting to make sure that the code is secure and that any unknown vulnerabilities have been fully discovered and repaired.

2)     You will have less control over the development process:

If you have an in-house team create the mobile app, you can always ask for updates whenever you want to, or feel it is necessary, and get a response almost immediately.  But if you outsource, you will have less oversight in this regard, which could result in considerable lag time in getting a needed response.  Also, the agency will not want to divulge all of their “secret sauces” as to what goes on in the way they develop mobile apps so that it will not get leaked out to competitors.

3)     Changes can be expensive:

Mobile app development is always a continuous proposition; it never ends, especially when it comes to updating the source code and making any changes the client requests.  Obviously, your in-house team can do these quickly, without any extra charges incurred.  But if you outsourced your project, and there are changes to be made after the fact, you will be charged extra for it by your agency, and it will not be cheap by any means.

4)     Stark cultural differences:

Depending upon the country in which you hire the agency, there could be significant differences in terms of communication, work style, and even language barriers.  In the end, this could prove to be very frustrating for you, especially if you are spending more time explaining what needs to get done versus getting the tasks accomplished.

One More Key Benefit

Overall, the decision whether you want to outsource your mobile app development project is a choice that you will have to make based on your needs.  This is going to be driven primarily by the budget you have and the time constraints that you are under to deliver the app to the client.  But when outsourcing, there are fewer administrative headaches involved, which is illustrated in the diagram below:

(SOURCE: 1).

Sources

https://www.hyperlinkinfosystem.com/blog/8-pros-and-cons-of-opting-for-a-mobile-app-development-company

Saturday, May 7, 2022

Another Reason Why Not To Pay That Cyber Ransom: There Is No ROI

I don’t know if I have been naïve lately or not, but I have been finding that the news headlines regarding Russia and Ukraine are starting to dissipate somewhat.  Heck, even the Cyber headlines have slowed down about being aware of Cyberattacks coming in from Russia. Or perhaps inflation and the raising of interest rates have taken over the headlines?

Well, whatever is happening out there, let’s have some good news next; we could all use some for sure.  But when it comes to the Cyber world, not too much has changed there either, which I guess could be a positive.

The only thing I really keep seeing anything about is the number of Ransomware attacks that are happening, but by now, in a sad way, we all are getting used to it.

But I did come across a news headline late last week saying that although the total number of attacks is still climbing, the number of companies with the capability to recover their data is actually declining.

This could be for a number of reasons, such as the Cyberattacker is not making good on its promise to send over the decryption keys, or that the encryption algorithms that were used to scramble the data in the first place are so powerful that they cannot be broken.

Sophos, a leading Cybersecurity company, just came out with its recent report about the state of Ransomware attacks.  The report is entitled the “State of Ransomware 2022”.  The report can be downloaded at this link:

https://www.sophos.com/en-us/whitepaper/state-of-ransomware

One of the key findings is that the total number of Ransomware attacks increased by at least 43% in 2021, which is not surprising.  IMHO, that was probably the year in which Ransomware groups truly made their mark. 

But on the downside, the report also found that the impacted companies simply could not recover the data that they lost.  Another reason for this that needs to be included is that many companies in Corporate America, even despite the lessons that have been learned from COVID-19, simply do not have the right data backup strategies and policies in place yet.

Here are some other noteworthy findings from the report:

*The total number of Ransomware as a Service incidents is growing at a very rapid pace. These are groups that are formed by professional Cyberattacking groups, and have some of the stealthiest and most covert techniques on hand in order to launch devastating Ransomware attacks.

*The average cost of a ransom payment is now pegged at $812,000.00.

*So far, it has been the energy and manufacturing industries that have been among the hardest hit by Ransomware attacks.  This is illustrated in the diagram below:

(SOURCE: https://www.darkreading.com/attacks-breaches/ransomware-crisis-deepens-data-recovery-stalls)

*On average, it took a business one month or even greater to recover from a Ransomware attack, at a cost of over $1.4 million.

Now comes the question: is it really even worth it to pay the ransom?  The reason I say this is that victims are now facing much higher costs for recovery, including paying the ransom.  If you factor all of this in, based upon the numbers I have presented in this blog, the total cost could be well over $2.2 million.  Consider these statistics also from the Sophos Report:

*While 99% of the victims could recover some of their data, only 61% of them could recover those datasets that were encrypted.

*46% of the total respondents actually paid a ransom, and out of that, only 4% were able to make a full data recovery.

Possibly another reason why companies in Corporate America still don’t have the right backup strategies in place could be that they have become lazy about it all, because they have a comprehensive Cyber Insurance Policy.  But even here, things are starting to get tight.  Getting a Cyber Insurance Policy is not the same as getting car insurance.  Consider these stats:

*94% of the respondents have found that it is much more difficult to get a comprehensive plan;

*97% have had to increase the total amount of their security controls just so that they qualify as an applicant;

*Only 40% of the total number of Cyber policies actually paid for the ransom payment.

My Thoughts On This:

In the end, no matter how much we do to protect our businesses and the valuable data that resides in them, we are all prone to becoming a victim of Ransomware.  So, the key here is how to lower the odds of that happening to you.

I have to be honest here, and I think that the best solution now is to simply move whatever you have On Prem to a Cloud based solution.

I am sure that there will be a lot of resistance to this at first, because it can seem very daunting and nebulous.  But remember, you are not alone in this process.  There are a ton of Cloud Service Providers (CSPs) that you can hire to take care of the entire migration process for you.

Not only that, but you can also work with them in the long term in order to make sure that all is up to speed with your Cloud deployment.

Also, go with a very reputable Cloud provider, such as that of Microsoft Azure.  They have all the tools you need to protect your datasets.  Another reason why I say to use something like this is that redundancy is a quick and easy process here.  For example, you can easily replicate your Cloud deployment across multiple data centers literally around the globe. 

So in case you are hit, your failover will be very quick, without any disruptions experienced.  Also, by using the Cloud, any VMs that have been hit by a Ransomware attack can quite honestly be deleted and rebuilt again in just a matter of five minutes or so.

So really, there is no reason anymore not to have a good data backup plan in place, when a business owner now has all of the tools and technologies available to them to make it happen.

Sunday, May 1, 2022

An Astonishing View Of How Visa Is Fighting Credit Card Fraud

As I mentioned in yesterday’s blog, AI and ML are some of the terms in Cybersecurity that have been thrown about carelessly in the last couple of years.  My fingers point especially to the vendors out there that claim their products and solutions contain AI and ML, and are at the forefront for any customer when it comes to beefing up the lines of defense.

While it may be true that some basic algorithms have been incorporated into the product, it is hardly rocket science that the vendor has invented.

They are simply overextending their definition of AI and ML (I would actually like to use the word “lie”, but that might be going a little too far with it), in order to woo customers to purchase whatever they have to offer.  And of course, customers will fall for it hook, line, and sinker, and buy it, because they think they are getting the “best in breed” solutions.

Heck, even I have used the terms AI and ML many times before, but I try to be careful about the context in which they are used, and I am also conscious of what they can and cannot do.  In other words, I try my best not to overstate anything.

In this regard, I have only given very generic examples of where they could best be used.  One area that could be best suited for AI and ML in Cyber is task automation and threat modeling.

But as I think about it further, I don’t think I have ever seen any concrete case studies where AI and ML have really been used, with hard numbers to actually prove the results.  In fact, as much as I read the news headlines every day, I don’t ever remember a vendor even talking about a case study.

Well, that is until today, when I finally found an article which gives a glimpse as to how one company is using AI and ML, and some of the benefits that they have derived from it.

Remember, the one thing that Cyberattackers are primarily after is money.  They will get it in whatever way they can, whether it is draining your bank account with compromised credentials, or launching ID Theft attacks, etc.

Because of this, the major credit card companies now have their guards up to the highest levels possible, in order to not only protect their customers, but to minimize credit card fraud as much as possible.  With the sheer volume of electronic transactions that occur on a daily basis around the world, there is no way that human beings would be able to comb through all of that data to find any evidence of fraud or malicious behavior.

Therefore a leading credit card company, VISA, has embarked upon a massive program to incorporate AI and ML into their IT and Network infrastructures for these very purposes.  They have finally released some of their numbers, and frankly, they will quite astonish you:

*They have invested over $9 billion in AI and ML technologies;

*They have over 60 Petabytes of information and data that reside in their databases;

*AI and ML have been deployed in over 60 different technological components of VISA;

*One of their in-house tools, which is known as the “Visa Advanced Authorization” (aka “VAA”), can determine if a credit card transaction is fraudulent or not in just 300 milliseconds.  Because of its quickness, over $26 Billion of credit card fraud attempts were blocked in 2022;

*Visa has also developed a new tool called the “Visa Behavioral Analytics” to examine the qualitative aspects of credit card fraud.  In this regard, over 400 million authentication requests were compared against 12 million unique devices over a two-year time span.  Because of this, Visa was able to block over $2.2 Billion in credit card fraud.

While these numbers are truly astounding, there is always a flip side as well.  For example, technology can make mistakes too, especially when it comes to flagging a transaction as fraudulent when it was actually a legitimate one.  These are technically called “False Declines”, and a credit card company could lose business very quickly if this happens too often.

In fact, studies have even shown that after one False Decline, a customer will leave and get a new credit card, and this happens about 89% of the time.  To avoid this, and to keep their existing base, Visa has also invested heavily in Deep Learning technology to further understand the purchasing behaviors of their customers.  So far, this effort has proven to be successful, with the total number of False Declines dropping by as much as 30%.

But Visa has not forgotten about using the traditional tools of Penetration Testing and Vulnerability Scanning, and according to them, doing these tests has prevented over $31 Million in fraud attempts from taking place.

My Thoughts On This:

Well, there you have it, a solid case study which points out the good that AI and ML can do.  But keep in mind also that the human side of all this is equally important.  While it would be nice to have all of this automated, we are still not yet at that point.  Visa is fully cognizant of this, and because of that, they have launched various “Cyber Fusion Centers”, which are much like SOCs.

In fact, they have even acknowledged that AI and ML work best when used in conjunction with the tools and technologies that have been designed to detect fraudulent activity.  Honestly, it is quite refreshing to see that they take this stance.  Not many companies that I have written about have taken this viewpoint; for them it is either an all-or-none proposition.

If you want a deeper dive into using AI and ML to prevent financial crimes, you should download this eBook here:

https://www.pymnts.com/tracker/preventing-financial-crimes-playbook-august-2020/

Banks are also getting into the AI and ML game, and those with over $100 Billion in assets are going to be key players here as well.  To get more insight into this, check out this article here:

https://www.businessinsider.com/ai-in-banking-report

Finally, the source of this posting and the numbers presented come from:

https://www.darkreading.com/edge-articles/a-peek-into-visa-s-ai-tools-against-fraud
