Hackers use browsers to get credit card info

Does filling in web forms sap all your browsing energy? Do you find it especially taxing to shop or register online using a mobile device? Google’s Chrome alleviated this dilemma when it introduced the Autofill feature in 2011, which made filling in forms much faster and making credit card purchases online more convenient. Unfortunately, it didn’t take that long for cyberthieves to find a way to take advantage.

How do they do it?

By concealing other fields in a sign-up form, users are tricked into thinking they only have to fill out a few fields. The trickery at work is that upon auto-sign up, other fields, which could include your billing address, phone number, credit card number, cvv (the 3-digit code used to validate credit card transactions), and other sensitive information, are auto-filled with the user none the wiser.

This sinister trick is nothing new, but since there hasn’t been any countermeasure since it was first discovered, the threat it poses is worth emphasizing. Finnish whitehat hacker Viljami Kuosmanen recently brought to light how users of Chrome and Safari are particularly vulnerable, and he even came up with a demonstration of how this phishing technique is perpetrated. The technique is so sneaky, it’s enough to make one give up online shopping forever.

Using plugins and programs such as password managers is also fraught with the security risk, as having access to such a utility empowers cyberthieves to do more than just obtain your credit card info; it opens them up to a great amount of personal details.

Preventing an autofill-related theft

So what can you do to avoid falling prey?

Using Mozilla Firefox is one of the easiest available solutions. As of today, Mozilla hasn’t devised a mechanism that affords its users the same convenience that Chrome and Safari users enjoy with autofill. When filling web forms on Firefox, users still have to manually pre-fill each data field due to a lack of a multi-box autofill functionality – a blessing in disguise, given the potential for victimization in autofill-enabled browsers.

Another quick fix is disabling the autofill feature on your Chrome, Safari and Opera (for Apple mobile devices) browsers. This would mean that when filling out web forms, you’d have to manually type responses for every field again, but at least you’d be more secure.

It’s not exactly the most sophisticated form of online data and identity theft, but complacency can result in being victimized by cyber swindlers. Take the first step in ensuring your systems’ safety by getting in touch with our security experts today.

Published with permission from TechAdvisory.org. Source.

New year, new cyber-threats

Have you had to deal with security issues in the past year? Brace yourself, as there are more to come. For this reason, security experts have become indispensable members of society, who guard tech-dependent individuals and businesses against malicious attacks that pose threats to their privacy and livelihood. As you ring in the new year, make sure you’re well armed against the following predicted cyber-crimes.

Increased threats on cloud technology

Cloud service has numerous benefits to businesses. They make data storage, collaboration, and processing more efficient; they enable employees to work faster; and they help operations flow smoother. Cloud technology’s popularity is expected to rise well into the next few years, but as demand increases, so does the dangers presented by cyber attackers.

Ransomware will be more complex

Ransomware incapacitates computer systems by locking down files and preventing access for ransom. In its 2016 Threat Predictions report, security software company McAfee predicts a peak in ransomware attacks next year. Although they also predict it to recede by mid-year, damages to vulnerable cloud-dependent infrastructures can be great and costly. Most alarming in the prediction, however, is that in the coming year ransomware attacks will be more complex due to new elements.

Ransomworms, which use advanced victimization techniques to mine further data within an already compromised network, are expected to put an even crueler spin to an already formidable malware. Doxing, on the other hand, affects avenues such as social media and any place where sensitive, easily identifiable information can be extracted to serve the ultimate purpose of extorting money. Yet another wicked ransomware to watch out for is Backup Deletion, which destroys the very mechanism that can otherwise help you recover from a compromised system or files: your backup data.

More threats to IoT (Internet of Things)-enabled devices

It is also predicted that 2017 will see attacks made on IoT-powered devices, which will make life harder for those who depend on technology that makes life easier. It targets medical devices and Electronic Medical Records, “connected cars”, basic domestic tools, and tech-driven wearables, such as smartwatches and fitness trackers. The danger posed by this intrusion is fully capable of corrupting information stored in your devices.

Advanced cyber espionage

Cyber espionage is by no means a novelty. In 2017, it’s expected to hold sway in cyber-threat prevention measures as it becomes even more complex. It encompasses all sectors of society, including individuals, private organizations, government institutions, and entire countries. Perpetrators will have the means to bypass networks by attacking firewalls and wreak havoc in their victims’ network. Fret not, for there will be measures in place to detect this threat also in the coming year.

Hackers are one of the most cunning criminals to have ever existed. While the cyber-police and the defenses they put up are no slouches, threats to security systems can still make technology-dependent individuals and businesses quiver. Although damaged networks can be repaired, compromised privacy restored, and stolen data returned, the amount of damage that hackers can cause might be irreparable and/or result in a significant dent in your IT infrastructure and budget. The value of a network security system makes itself known when you least expect it, which is why security should be a top priority.

Are your systems protected from these predicted remarkable feats of hacking? Call us if you want to discuss security services that are best for you.

Published with permission from TechAdvisory.org. Source.

Is two-step authentication the only way?

With all the recent hacking scares all over the world, you know and understand that your cyber security and your business’s cyber security are extremely important. However, when it comes to authentication processes, you may not be sure what the real deal is. There are two seemingly similar types of authentication that are often confused. Those are, of course, two-step and two-factor authentication. Find out more about the differences between the two here to ensure your cyber security will always be top of the line.

If you are seeking out a way to improve your business’s cyber security, both for your business itself as well as for your customers, you are likely looking at your authentication process. Two-step and two-factor authentication are two of the most commonly used options in cyber security. And in current cyber security, many businesses use the terms two-step and two-factor authentication interchangeably.

There are, however, subtle differences between the two. A two-step authentication process requires a single-factor login (such as a memorized password or biometric reading) as well as another of the same type of login that is essentially sent to the user. For example, you may have a memorized password for your first step and then receive a one-time-use code on your cell phone as the second step.

Two-step authentication does function to add an extra step in the authentication process, making it more secure than a single-step authentication (i.e. just the password). However, if a person or business is hacked, it will do only a little to stop hackers from getting a hold of whatever they are looking for.

On the other hand, there is two-factor authentication (sometimes referred to as multi-factor authentication), which is significantly more secure. This type of authentication requires two different types of information to authenticate. For example, it could be a combination of a fingerprint or retinal scan as well as a password or passcode. Because the types of information are different, it would require a hacker a great deal more effort to obtain both forms of authentication.

In essence, every two-factor authentication is a two-step authentication process, but the opposite is not true. With this information in mind, you can be certain that you are using the right type of authentication in your business to keep your business and customer information as secure as possible.

Your network needs the best security technology has to offer. What type of authentication that results in is just one of hundreds of choices that must be made to achieve that end. To take the stress out of securing and protecting your network, call us today for all the help you could ever ask for.

Published with permission from TechAdvisory.org. Source.

Cyber-crime and social engineering

For as long as there have been cybercriminals, there have been social engineers, or people who use tricks and scams to force other people to volunteer sensitive information. There are several ways to use social engineering to acquire valuable information like account passwords and bank accounts, but avoiding these scams comes down to one thing: training. Let’s take a look at some of the easiest ways for your employees to avoid one of these scams.

As more and more of our information moves into the digital realm, criminals are turning to social engineering to trick people into trusting them with their delicate information. People often trust others too easily and make themselves the targets of easy attacks from criminals. These attacks may come in the form of messages, baiting scenarios, fake company responses, and many others.

Most often, messages are sent to users in the form of an email that might contain a link or something to download. Although they may look legitimate, these emails often contain viruses; once the link is opened or you attempt to download it, a virus latches onto your computer, giving its creator free access to your email account and personal information.

Emails such as these can also come with a compelling story about needing help, winning the lottery, or even paying taxes to the government. Under the veil of legitimacy, criminals will ask you to trust them with your account details so they can either reward you or help you avoid fines and punishments. What you actually get is a bad case of identity theft.

In another scenario, criminals will bait their targets with “confidential information regarding their account.” This may come in the form of fake company messages that appear to be responses to your claims, which are followed up by a request for login details. While victims believe they are slamming the door on a crime by providing their information, they’ve actually provided their attackers with the keys.

There are several ways people can avoid becoming victims of social engineering. First, always ensure that you delete all spam from your email, and thoroughly research sources before responding to claims from a company — even if it seems like the one you normally use.

The same applies for links. Confirm the destination of any link before clicking on it. Sites like bit.ly are often used to shorten long and cumbersome links, but because users have grown accusomted to them they are often used to hide malacious misdirections.

Never give out sensitive information that includes your password, bank information, social security, or any other private details. No respectable financial institution will request this type of information through email or a site other than their own. If you’re unsure, navigate away from the page you’ve been sent to and visit the page you believe to be making the request. If the address doesn’t have the letter ‘s’ after ‘http,’ it’s likely a scam.

Last but not least, check that all your devices are protected by the most recent antivirus software. While the strength of social engineering lies in the fact that it’s people-driven rather than technology-driven, antivirus software can help detect and prevent requests from known cybercriminals.

Cyber security is essential to the success of any modern business. Don’t let yourself become victim to criminals who have mastered the art of social engineering. While we’re proud of our extensive experience as technology professionals, we also have more than enough expertise to keep your business safe from those who are using people-based exploits. Get in touch with us today for all your security concerns.

Published with permission from TechAdvisory.org. Source.

9 cybersecurity terms everyone must know

Everyone, from doctors to lawyers, needs to continue learning to stay ahead of the times. Business owners might have it worst of all, oftentimes needing to stay on top of several industries to keep their company running. Keep reading for a refresher on all the latest trends and buzzwords used in the cybersecurity sector.

Malware

For a long time, the phrase ‘computer virus’ was misappropriated as a term to define every type of attack that intended to harm or hurt your computers and networks. A virus is actually a specific type of attack, or malware. Whereas a virus is designed to replicate itself, any software created for the purpose of destroying or unfairly accessing networks and data should be referred to as a type of malware.

Ransomware

Don’t let all the other words ending in ‘ware’ confuse you; they are all just subcategories of malware. Currently, one of the most popular of these is ‘ransomware,’ which encrypts valuable data until a ransom is paid for its return.

Intrusion Protection System

There are several ways to safeguard your network from malware, but intrusion protection systems (IPSs) are quickly becoming one of the non-negotiables. IPSs sit inside of your company’s firewall and look for suspicious and malicious activity that can be halted before it can deploy an exploit or take advantage of a known vulnerability.

Social Engineering

Not all types of malware rely solely on fancy computer programming. While the exact statistics are quite difficult to pin down, experts agree that the majority of attacks require some form of what is called ‘social engineering’ to be successful. Social engineering is the act of tricking people, rather than computers, into revealing sensitive or guarded information. Complicated software is totally unnecessary if you can just convince potential victims that you’re a security professional who needs their password to secure their account.

Phishing

Despite often relying on face-to-face interactions, social engineering does occasionally employ more technical methods. Phishing is the act of creating an application or website that impersonates a trustworthy, and often well-known business in an attempt to elicit confidential information. Just because you received an email that says it’s from the IRS doesn’t mean it should be taken at face value — always verify the source of any service requesting your sensitive data.

Anti-virus

Anti-virus software is often misunderstood as a way to comprehensively secure your computers and workstations. These applications are just one piece of the cybersecurity puzzle and can only scan the drives on which they are installed for signs of well known malware variants.

Zero-day attacks

Malware is most dangerous when it has been released but not yet discovered by cybersecurity experts. When a vulnerability is found within a piece of software, vendors will release an update to amend the gap in security. However, if cyber attackers release a piece of malware that has never been seen before, and if that malware exploits one of these holes before the vulnerability is addressed, it is called a zero-day attack.

Patch

When software developers discover a security vulnerability in their programming, they usually release a small file to update and ‘patch’ this gap. Patches are essential to keeping your network secure from the vultures lurking on the internet. By checking for and installing patches as often as possible, you keep your software protected from the latest advances in malware.

Redundant data

When anti-virus software, patches, and intrusion detection fail to keep your information secure, there’s only one thing that will: quarantined off-site storage. Duplicating your data offline and storing it somewhere other than your business’s workspace ensures that if there is a malware infection, you’re equipped with backups.

We aren’t just creating a glossary of cyber security terms; every day, we’re writing a new chapter to the history of this ever-evolving industry. And no matter what you might think, we are available to impart that knowledge on anyone who comes knocking. Get in touch with us today and find out for yourself.

Published with permission from TechAdvisory.org. Source.