A surge in cybercrime is forcing security vendors to release security updates every 40 minutes, according to security firm Symantec.
Senior manager for Symantec Security Response, Orla Cox, reported the development during a briefing attended by The INQUIRER.
“We’re seeing more sophisticated attacks than ever before and people want security,” she said. “Nowadays we are rolling out virus signature upgrades around every 40-50 minutes. They are rapid response upgrades that go through partial vetting. We then follow them up with three upgrades per day that are fully certified.”
Cox said Symantec began rolling out the rapid updates to help mitigate the growing number of malware variants and active cyber campaigns targeting its customers.
“It’s been about shaving off minutes for the last couple of years. If you came to us a few years ago it was one [update] and before that it would have taken hours. The rapid updates are for people that need a rapid response, like those suffering an infection.”
She said Symantec blocked 568,700 web attacks on its customers and detected a massive 1.6 million malware variants per day in 2013. But despite helping customers, Cox said the company’s rapid update cycle has increased the risk of pushing out an update with a false positive signature.
“The biggest quality issue we face is the danger of false positive definitions. There’s a risk of detecting something clean as malicious, that’s the big no no in our industry, so it’s as much about building definitions libraries about legit files as malicious,” she said.
False positives are updates from security providers that list legitimate files as malware and block them from running. In the past the faulty updates have caused damage to many companies. In 2013, Malwarebytes crippled thousands of its customers’ machines when it issued a false positive update.
Cox said the influx of new threats has also forced Symantec to expand its analysis procedures in recent years. “We’ve had to evolve how we work, it’s not just about providing protection and moving on any more. Threats and the landscape have changed and to address this we’ve begun doing intelligence work,” she said.
“We do bespoke research on occasion, with both customers and law enforcement. These situations are ones where we have the skills they don’t – that’s the benefit of us being here every day, reverse-engineering malware.
“Doing this over the years we’ve had to develop a number of systems and now we’re trying to understand the individual attacks in the context of who did them and why.”
Symantec is one of many technology firms to begin adopting an intelligence-based approach to cyber defence. Facebook unveiled a new automated ThreatData security service designed to detect and catalogue new malware families earlier in March.
Trustmark National Bank and Green Bank N.A. have filed a lawsuit against security firm Trustwave for damages suffered from the holiday season data breach at Target Corp, accusing the company of failing to identify security gaps, the American Banker reported.
The two banks are seeking damages of more than $5 million and named Trustwave Holdings and Target as defendants, the American Banker said.
The banks allege that the vulnerabilities in the Target system were either undetected or ignored by Trustwave, giving hackers access to millions of card accounts and personal records, the report said.
Some 40 million payment card records were stolen from the discount retailer, along with 70 million other records with customer information such as addresses and telephone numbers, during the 2013 holiday shopping season.
Target missed multiple opportunities to thwart the hackers responsible for the unprecedented holiday shopping season data breach, U.S. Senate staffers charged in a committee report released on Tuesday.
The report also said Target gave access to its network to a third-party vendor that did not follow accepted information security practices.
Target faces dozens of potential class-action lawsuits and action from banks that could seek reimbursement for millions of dollars in losses due to fraud and the cost of card replacements.
Target spokeswoman Molly Snyder declined to comment on the American Banker report. Trustwave was not available for comment.
Troubled UK supermarket chain Morrisons has been attacked and the personal details of thousands of Morrisons staff including salaries, bank account details and addresses have been stolen and published online.
The hack is believed to have been the result of an internal leak, with data copied onto a portable storage device and taken out of Morrisons’ Bradford headquarters. The data had details of staff from director level to the shop floor, was also sent anonymously to a local paper in Yorkshire, the Telegraph & Argus, by a “concerned Morrisons shopper.”
Morrisons announced a massive profits warning on Thursday, which sent shares diving 12 per cent and the attack came hours after the chief executive, Dalton Philips, boasted that new IT systems would help to turn around Morrisons’ performance. It said it was now “urgently reviewing our internal data security measures,” and was working with UK banks and credit check service Experian to help colleagues secure their bank accounts.
ATMs running XP Embedded are not affected because Microsoft is not cutting off its support until 2016.
The process of upgrading to an alternative such as Windows 7 is both complicated and expensive for ATM operators – with many older machines needing to be altered one by one. Most are not expected to have made the switch within the next month.
JPMorgan has bought a custom one-year tech support agreement from Microsoft and will not begin migrating its 19000 machines to Windows 7 until July, the bank has told Bloomberg. Wells Fargo and Citi say that they are working on upgrading their networks.
It’s not just ATMs that are at risk – Microsoft recently warned that the Indian banking industry’s reliance on XP could put more than 34,000 branches at risk.
In a notice on its site, the PCI SSC is urging firms to take the plunge: “Don’t make yourself an easy target, talk to your technology provider today and make sure your PC and systems are not putting your customers’ confidential payment card data and your business at risk.”
Target Corp’s decision to fast track a $100 million program to adopt the use of chip-enabled smart cards is just a drop in the bucket when it comes to what retailers need to do to defend themselves against future cyber attacks, according to security experts and IT service providers.
The pressure to boost security spending comes at a time when merchants are already spending millions to fend off online retailer Amazon.com and facing an October 2015 deadline set by payment networks Visa Inc and MasterCard Inc to accept new payment cards that store information on computer chips rather than on traditional magnetic stripes.
Target, the No. 3 U.S. retailer, said this week it hoped to finish upgrading its payment card network to the more secure “chip and PIN” standard by early 2015, some six months ahead of its previous plan.
The system, already widely used in Europe and Asia, can accommodate cards carrying tiny microprocessors, which makes it harder for cyber crooks to use stolen data.
U.S. retailers have been so focused on cutting costs and expanding their online presence in the past decade that they have not spent enough of their technology budgets on protecting customer data, security experts and IT service providers said.
While retail spending on overall technology was expected to rise 4 percent annually between 2012 and 2017, U.S. stores spend only roughly 2 percent of their tech budgets on security, with the bulk going to improving their e-commerce, technology advisory firm IDC Retail Insights said.
Unlike their peers in other industries, most retailers still focus on just meeting the basic standards set by the payment card industry rather than substantially beefing up safeguards against increasingly sophisticated attacks, security experts said.
“Retailers have to assume that they are constantly being targeted and actually constantly being penetrated,” said Eddie Schwartz, a vice president at Verizon Enterprise Solutions, who urged retailers to take a more proactive approach.
Pressure from Congress, consumer groups and the banking industry following recent theft of customer data at Target, Neiman Marcus and others may be the turning point to get theretail industry to spend more on security, experts said.
For example, Dinesh Bajaj, the vice president of retail and logistics practice in Americas for Infosys Ltd, expects retailers to spend more in coming months on encrypting credit card data while storing it in multiple systems.
IDC Retail Insights expects spending by retailers in 2014 specifically for security in the United States to be $720.3 million, an increase of 5.7 percent from last year in part because of the recent breaches. Total tech spending by retailers this year is expected to hit $36.34 billion.
“It’s clear that companies need to do a lot more, that they continue to make basic mistakes,” Federal Trade Commission Chairwoman Edith Ramirez said at a hearing on Tuesday looking into massive data breaches at Target and Neiman that affected millions of shoppers.
Launched in July 2012, FIDO, which stands for Fast IDentity Online, is hoping its specifications for security devices and browser plugins will be widely adopted across the technology industry.
Such efforts depend on voluntary adoption by many companies and organizations. So far, those participating in FIDO include heavyweights Google, MasterCard, Lenovo, Infineon, LG Electronics and a variety of smaller companies.
Authentication hardware and software widely varies, with many proprietary clients and protocols. FIDO hopes that standardizing authentication technologies will lead to better interoperability and innovations in biometrics, PINs (personal identification numbers) and secondary authentication technologies, according to its website.
Usernames and passwords underpin most online services but are easy to intercept. Computer security experts have long warned of password weaknesses, such as easy-to-guess ones and people who reuse them across multiple services.
Password replacement technology has a high bar: it needs to be both effective and simple for users.
FIDO envisions a software client that’s installed on computers that employ public key cryptography to authenticate users. All major Web browsers will be supported. The initial focus will be on securing access through Web browsers to Web applications. The group also plans authentication options for Android phones soon and eventually for Windows tablets and Apple products.
When FIDO authentication is used, a user will not need to submit their biometric or personal information to an online service.
The FIDO Alliance will eventually submit its protocol to groups dedicated to Web standards, such as the Internet Engineering Task Force or the World Wide Web Consortium.
MasterCard Inc, one of the largest payment networks, said earlier this year that it plans a new fee for digital wallet operators like PayPal starting in June.
The actual dollar amount PayPal ends up paying may not be that large, analysts say. However, they are worried that this is part of a broader move by payment networks to target PayPal, which has become more of a direct competitor recently.
“Payment networks are taking the gloves off,” Bill Carcache and Brian Nowak, analysts at Nomura Equity Research, wrote in a note to investors on Monday. “The incumbents will do everything in their power to prevent PayPal from riding on their rails without extracting a toll.”
EBay shares slid 0.5 percent to $50.18, on Monday afternoon, leaving them down about 4 percent so far this year.
Since eBay mentioned the MasterCard fee in a regulatory filing on February 1, the company has lost about 12 percent of its market value – while Amazon is down about 1 percent and the Nasdaq Composite is up 2 percent.
Analysts put that under-performance down to this new fee and concern about rising tension between PayPal and the payment networks.
“The fact that PayPal, as the largest digital wallet player, could be singled out by a network like this is clearly a negative,” said Ken Sena, an analyst at Evercore Partners.
PayPal is moving from its online roots into the physical retailer world, where the vast majority of payments still take place. It is a big opportunity for the business and that has driven eBay shares higher in the past year.
However, as a payment option in lots of physical stores, PayPal will be a much bigger threat to network operators like MasterCard, Visa Inc and American Express, analysts say.
Historically, Visa and MasterCard viewed PayPal’s success in the online world cautiously, but they were also happy because the service generated extra e-commerce transactions that ultimately got processed through their networks.
“Now that PayPal has started moving to the physical point of sale, however, competitive intensity levels are rising as PayPal encroaches deeper into what has traditionally been the incumbents’ turf,” Nomura’s Carcache and Nowak said.
At a conference last month, Chris McWilton, president of MasterCard’s U.S. Markets, complained that PayPal “rides for free” on other companies’ business models.
Groupon Inc, the world’s largest online daily deals provider, launched a payment business on Wednesday and jumped into an already crowded field where it will compete aggressively on price with eBay Inc’s PayPal and start-up Square Inc.
The service, called Groupon Payments, lets U.S. restaurants, salons and spas, retailers and other businesses that run Groupon daily deals accept credit card payments at a lower rate than other providers. In a typical local deal, a customer could pay $20 for a voucher worth $40 of goods and services.
Groupon will charge 1.8 percent for MasterCard, Visa and Discover cards, on top of a 15 cent fee per swipe. For American Express cards, it charges 3 percent plus the 15 cent fee.
Groupon’s daily deals competitors include LivingSocial, Google and Amazon.com Inc, which owns part of LivingSocial.
Groupon aims to reach a size where it will become the “operating system” for local commerce, as Chief Executive Andrew Mason put it earlier this year.
Despite skepticism on Wall Street, Groupon has rolled out a slew of new services for local merchants, including a scheduling system, a customer-loyalty program and now payments.
“They are making the right moves, but it’s a highly competitive market,” said Rick Oglesby, a payments industry expert at consulting firm Aite Group.
Groupon shares jumped 13.9 percent to close at $5.34 after the announcement. The stock has shed about three-quarters of its value since the company went public last year.
Isis is an effort by Verizon Wireless, AT&T Inc and T-Mobile USA to provide mobile wallet services that would allow consumers to get rid of plastic cards and instead make payments by simply waving their phone at a check-out terminal.
While Japan has had mobile payment services for years, U.S. development of such services has been much slower. U.S. mobile providers have long said that they are keen to support payments to help improve their customer loyalty but it has taken a long time to forge agreements with card and merchant partners.
The latest delay follows Apple Inc’s announcement of a new iPhone model on Wednesday without support for the near field communications (NFC) short range wireless technology that the Isis service will be based on.
Other phone makers including Samsung Electronics have embraced NFC but some analysts had hoped Apple would give the industry a shot in the arm by putting the technology in its hugely popular iPhone.
Verizon Wireless is owned by Verizon communications and Vodafone Group Plc. T-Mobile USA is owned by Deutsche Telekom AG.
Google announced this week that it would no longer support its branded pre-paid card in Google Wallet on Oct. 17, and asked customers to take steps to ensure they recover all their remaining funds in a timely manner.
The Google Prepaid Card is a virtual MasterCard account created for use with the company’s near-field communication Google Wallet payment app. Users that activated the “card” when it was released in 2011 received a free $10 credit for use with the system.
To prompt users to spend all the remaining money on their pre-paid accounts, Google announced that it would charge a $2 fee for 30 days of inactivity, though the company also noted that no fees would be levied on accounts that had zeroed out their balances by Oct. 17.
This is likely a move by Google to minimize the amount of manual refunds they will have to issue for anyone who still has a balance after the deadlines, as is the company’s announcement that such direct refunds could take eight weeks to process.
All other types of cards will continue to work normally with Google Wallet after the change. Google added support for Visa and Discover last month, though initial reports that American Express had also joined the program turned out to be premature.
NFC technology, once thought to be the next big thing in payment methods, has yet to break into the U.S. mainstream. Although NFC payment is accepted at some major retailers, including McDonald’s, few consumers use it on a regular basis.
EBay Inc’s PayPal online payments service has gained access to millions of stores across the United States through an agreement with Discover Financial Services, expanding its reach beyond the Web and into the brick and mortar world.
Under the deal revealed on Wednesday, PayPal will issue payment cards to its more than 50 million active users in the United States next year, which they can use to buy from merchants that already use Discover Network, which links more than 7 million U.S. retail locations.
Their tie-up is the latest alliance among technology and financial corporations intended to stake out a spot in new forms of retail payment – such as “digital wallets” proposed by the likes of Google Inc that employ smartphones.
PayPal – which accounts for almost half of eBay’s annual revenue – is expanding beyond its popular Internet payments service in search of new opportunities. In the past year, it has persuaded more than 15 retailers, including Home Depot Inc and Office Depot Inc, to accept PayPal payments in their stores.
For Discover – the fourth-largest U.S. credit card issuer after Visa Inc, MasterCard Inc and American Express Co – PayPal’s large user base could generate significant transaction volume for its payments network.
PayPal users will be able to pay at merchants on the Discover Network by swiping their new cards through existing check-out machines and entering a four-digit PIN.
Merchants will not need to buy new hardware or software to accept PayPal, according to Don Kingsborough, the PayPal executive leading the company’s offline push.
“It’s a big step for both companies,” said Ken Paterson, a director at Mercator Advisory Group, a research firm that focuses on the consumer payments industry. “This would provide a ready-made route for PayPal to get into most card-accepting retail establishments in the U.S.”
More that a dozen retailers including Best Buy, Walmart, Target and 7-Eleven have joined forces to create the Merchant Customer Exchange (MCX), a mobile-payments network that will go head-to-head with Google and Isis.
The retailers claim that they are better suited than mobile operators and OS developers to develop a successful mobile-payment system.
No launch date was given for the exchange, which was announced Wednesday, but development of MCX’s mobile application is underway. It will be available through virtually any smartphone, according to a statement from the merchants. MCX is not yet saying which payment technologies it will use, but that information will be provided in the near future, according to a spokesman.
Like their competitors, the retailers plan to combine their mobile wallet with targeted offers and promotions that will be available through smartphones.
MCX will enter an increasingly crowded U.S. market for mobile payments using Near-Field Communications (NFC) and other methods. The two main competitors for MCX are Google Wallet and Isis, which is backed by AT&T Mobility, T-Mobile USA and Verizon Wireless.
Even more contenders are expected to enter the space, including Apple, according to Windsor Holden, research director with Juniper Research.
“There is no question that Apple will come out with some form of contactless payment technology,” Holden said.
It remains to be seen whether the company will opt for NFC or something else, he said.
PayPal, the online payments division of eBay Inc, has sparked a furor in the publishing world by requesting some e-book distributors to ban books that contain “obscene” themes including rape, bestiality or incest.
PayPal sent an email on Feb 18 to Mark Coker, founder of e-book publisher and distributor Smashwords, saying it would “limit” the company’s PayPal account unless Smashwords removed from its website e-books “containing themes of rape, incest, beastiality and underage subjects.”
PayPal sent similar warnings to online publishers and booksellers including BookStrand.com and eXcessica, according to the Electronic Frontier Foundation, a non-profit that supports free speech, privacy and other individual rights in the digital world.
A PayPal spokesman confirmed that the company sent such notifications to companies but declined to identify specific recipients.
EFF and other groups including the Authors Guild, the American Booksellers Foundation for Free Expression and the Association of American Publishers are planning to send a letter to PayPal on Wednesday asking the company to reverse its policy.
PayPal “is now holding free speech hostage by clamping down on sales of certain types of erotica,” the groups said, according to a draft of the letter sent to Reuters. “We strongly object to PayPal functioning as an enforcer of public morality and inhibiting the right to buy and sell constitutionally protected material.”
PayPal said it was acting in part because banks and credit card companies it works with restrict such content, according to an email PayPal sent to Smashwords on February 24. Reuters obtained copies of the emails.
“Our banking partners and credit card associations have taken a very strict stance on this subject matter,” PayPal said in the February 24 email. “Our relationships with the banking partners are absolutely critical in order to provide the online and mobile services we (offer) … to our customers. Therefore, we have to remain in compliance with their rules, which prohibit content involving rape, bestiality or incest.”
The move has caused an uproar in the publishing world, which is concerned that banks and credit card companies may be exerting too much control over what books can be written, published and read.
A PayPal spokesman said the company allows its service to be used for the sale of “erotic” books but added that the company has to draw the line “on certain adult content that is extreme or potentially illegal.”
Boku Inc, a big online mobile payments company supported by venture capital firms including Andreessen Horowitz and Benchmark Capital, debuted a new service on Thursday that allows consumers to pay with any mobile phone anywhere credit cards are accepted.
Boku already provides carrier billing through about 230 wireless carriers, including AT&T Inc, Vodafone Group Plc and Verizon Communications Inc in more than 60 countries. This service lets people pay with their mobile number and get the transactions charged to their monthly phone bill.
Carrier billing is typically limited to smaller online purchases, either through personal computers or within mobile phone apps.
Boku’s new platform, called Boku Accounts, allows purchases in physical stores, a much bigger market. The service will be branded and offered by wireless carriers to customers, with Boku running the system in the background.
The move puts Boku in closer competition with PayPal, which is pushing its popular online payments service into physical stores. Google Inc is also trying to get its Google Wallet service into stores through a partnership with giants such as MasterCard Inc and Citigroup Inc.
PayPal’s in-store offering works with merchants’ existing point-of-sale terminals, but usually requires a software upgrade. Google Wallet works with phones that have Near-Field Communication, or NFC, chips in them and merchants need a terminal that supports this technology.
Boku’s service comes with a sticker that users can slap on the back of their mobile phones, turning any handset into an NFC-enabled device. It also comes with a payment card that can be swiped using existing retailer terminals, without a software upgrade, according to the company.
“We wanted this to be available in any store,” Ron Hirson, co-founder of Boku, said. “You don’t need a new phone or a new terminal.”
Visa comes onboard a “Google Wallet” project already supported by Citigroup, MasterCard, Sprint Nextel Corp and First Data. In May, the group announced a trial of a system that allows shoppers store funds on their phones and pay at checkout.
Rival Isis, a venture between Verizon Wireless, AT&T Inc and T-Mobile USA, has already signed partnerships with all the major card networks, including MasterCard and Visa.
But while Sprint announced the launch of the Google Wallet service on Monday, Isis has said its service will not be ready until early next year.
Google’s system competes with plans by other top U.S. banks and mobile phone companies and employs near-field communication (NFC) technology, used widely in Asia.
On Monday, Google and Visa said the Internet search leader had received a worldwide license to Visa’s “paywave” — similar to Mastercard’s PayPass — enabling its installation on Android smartphones. Customers link their credit or debit bank accounts to Android phones with the Google Wallet app installed.
They can then tap their phones — which come with an NFC chip — at specially installed terminals at checkout to effect a purchase.
“This agreement extends Google Wallet to Visa account holders worldwide,” said Stephanie Tilenius, Google’s vice president of Commerce and Payments.
“This is a crucial step toward realizing our shared vision for the future of mobile commerce.”