IS YOUR ORGANIZATION UP TO DATE ON DIGITAL ADA COMPLIANCE?

Businesses interested in growth don’t generally turn away customers and set out to incur government fines. But non-compliance with the Americans with Disabilities Act (ADA) can lead to exactly that. Since ADA was enacted in 1990, it has grown to embrace our changing national landscape, and that covers the Internet and digital access.[1] If your institution hasn’t made accommodations across its digital offerings, awareness of the penalties should incentivize you to take steps now.

Department of Justice (DOJ) civil penalties have jumped to a maximum of $75,000 for a first violation, with additional accrued expenses in damages and legal fees ranging in the thousands to hundreds of thousands.[2] This is clearly trouble best avoided. Beyond that, think of the clients you are bypassing by not providing a means through which to work with you. You and your board of directors wouldn’t think of denying movement-disabled patrons access to your facility via a wheelchair ramp. Shouldn’t all disabled patrons be welcomed with accommodating digital offerings?

While the DOJ’s binding rules for ADA-compliant websites are expected in 2018, the Web Content Accessibility Guidelines (WCAG 2.0) include a broad range of recommendations for accessibility relating to visual, auditory, speech, cognitive and movement limitations, photosensitivity, and learning disabilities, as well as combinations of these.

Taking steps to comply with the ADA will empower your clients and your institution. As one senior citizen commented, “As people age, they lose patience. So the easier any financial transaction is, such as paying a credit card bill, the faster it is, the more seniors will use that company or service.”

Here are some ways that specific disabilities may easily be accommodated within your company’s website and mobile app.

  • For individuals with hearing loss, audio content may not be perceived. Therefore captioning and transcripts are essential. Your public webinars can embrace more users when the transcript is posted along with a captioned video or audio cut.
  • Screen readers and/or voice dictation software may be the needed bridge for individuals with cognitive impairments, such as dyslexia or ADHD. Challenges with understanding instructions or distractions can be assuaged with these tools. Screen readers are also valuable for blind and low-vision patients, as are Braille displays and screen magnification software.
  • Those who are mobility impaired may have difficulty entering information. Pinching or zooming on mobile devices, along with using a computer mouse, may also be beyond their reach. Eye tracking or voice dictation software may be their key to accessing your website.

Best practices as related to the above include:

Visual & Audio Accommodation:

  • Include descriptive captions to identify an image, or alt text within the code. Without the added text, a blind person’s screen reader would not know if the image is a logo, link to another page, or a stock photo.
  • Don’t rely on color as your site’s navigational tool; colorblind users and screen readers will not be able to differentiate based on color alone.
  • Ditch the PDFs. Image-based formats cannot be read by screen readers or text enlargement programs.
  • Avoid including content that flashes more than three times, including flashes within videos, as this may cause seizures for the photosensitive.
  • Where there are sound prompts, include a visual message.
  • Allow font size and color adjustments throughout the site and app. High contrast color settings or very large fonts may be necessary for the visually impaired.
  • Don’t set videos to play automatically; include text captions for the deaf, as well as narration and transcripts for the blind.

Mobility:

  • Provide keyboard shortcuts for all website functions.
  • Design tabbing order to be smooth and logical.
  • Make sure that pages relying on plugins return to the parent page or offer exit instructions.
  • Present content in multiple ways.

Online Forms – Be sure code is executed thoughtfully:

  • Make instructions easy to find.
  • Clearly label fields, and indicate required fields.
  • Provide visual and audio error messaging that explains which fields need to be fixed and why.
  • Extend session timeouts.

As you steer your company toward full digital compliance, it is wise to identify individuals who will be tasked with overseeing and ensuring web accessibility, and to include training for web and content development staff.

Want to know if your site is ADA compliant? Click here for a free assessment.

LET YOUR EMPLOYEES BE YOUR FIREWALL AGAINST CYBER ATTACKS

It’s happening: unskilled hackers are accessing sophisticated systems easily, and more often. And antivirus software can’t keep pace with advanced phishing attacks. Unintentional clicks from a single workstation can usher in ransomware, bring on a data breach or even a cyber heist. What would happen if your site went down for several days? Or if your company were fined by the government for non-compliance? Or, even more seriously, what would happen if you lost the trust of your clients?

It’s likely that your business has suffered a data breach in the past twelve months. If your clients’ personal information, including social security and credit card numbers, was not stolen, call it luck. But if easy-to-use programs are taking down Twitter, Spotify, Netflix, and so on, imagine the catastrophe when hackers turn their sights on your financial institution. Is there anything you can do about it? You bet there is.

It starts with education. Your employees are your most vulnerable entry point, but also your first line of defense – and your star foot soldiers. Keep them aware, compliant, and always up to speed. Send the message that you depend on them to defend the system, and they’ll become your human firewall. What’s the best tactic for delivering this information? Professional, comprehensive awareness training. Live demonstrations of actual attacks are the fastest way to familiarize employees with the latest social engineering hacker tricks, and how to respond to them.

It can be applied in day-to-day situations. You already have quality products in place: filters, firewalls and antivirus software. But you need a strategic tool that works in an in-depth capacity when attacks make it past those first-level defense mechanisms. Spam, phishing, spear-phishing, malware, ransomware, and social engineering are all now in use by hackers, but they can be conquered. With effective training, your employees will be aware of the most important current attack vectors, and will know how to defend your system while they’re doing their job.

It’s easy to get started, and affordable for businesses of all sizes. Our cloud-based service makes scheduling automated training campaigns and simulated phishing attacks quick, and the free engineering tools we give you keep your employees’ skills sets sharp. Ready to learn more? Click on:  https://www.spccompanies.com/free-technology-consultation

And remember:

It only takes one infected computer on your system to spread malware to all of your other connections, without your even knowing it’s happening.

WHAT’S YOUR COMPANY DOING TO SECURE ITSELF AGAINST A CYBER ATTACK?

Your business isn’t huge, but is chugging along nicely. And as it matures, so is the ransomware designed to attack it. That means the odds are getting stronger that your company is going to get hit. Symantec’s 2016 Internet Security Threat Report states that phishing campaigns alone target small businesses 43% of the time.[1]

  • 50% of SMBs have been breached in the past 12 months.[2]
  • Of the SMBs who claim to have suffered a breach, 60% of employees use the exact same password for everything they access, while 63% of confirmed data breaches leverage a weak, default or stolen password.[3]
  • 60% of small companies that suffer a cyber attack go out of business within six months.[4]

JP Morgan Chase made news with their $500M budget for cybersecurity in 2016, in step with Bank of America’s Davos announcement that cybersecurity spending would not be constrained.[5] And your smaller organization has about $680,000 – $1M[6] set aside to make it through a cyber attack, right? Oh, no – are you shaking your head? It’s time to enact a strong plan for cyber preparedness. Here’s what you can do:

  • Stay up to date! This means everything – your security software (antivirus and antispyware), web browser, operating system, email accounts and the many, many passwords scattered across your business’ cyber doorways. If an employee moves on, immediately cancel their log-in status; this includes external accounts where they had access, like your company’s LinkedIn, Facebook, or project management accounts. (This may seem obvious, but is so easy to slip through if departments haven’t informed IT of the existence of these accounts.)
  • Lock ‘em up! Every device, company-wide, should have a strong, one-of-a-kind private password assigned to it. Find tips on strong passwords here. Mobile devices and computer screens should automatically revert to passcode access when not in use. Electronic devices that have Internet connections should have their factory-generated passwords replaced. One overlooked port of access to your system could be your company’s printer. Make sure it isn’t the weak point in your otherwise secure network.
  • Encrypt it! More companies are migrating from physical to virtual servers for data storage. But do they encrypt it first? The cloud gives the illusion of total security, but to truly take advantage of that, encryption before storage is the way to go. Back on the planet you need to continue using a firewall and encrypt your information.
  • Cultivate the culture! It’s all about awareness. Even if you don’t have a CSO on your team, everyone at your business should be aware that security is a top priority. Provide employees with comprehensive training on how overall security, and specifically the handling of sensitive information, is part of their job.[7]
  • Plan ahead! Create a business continuity and incident response plan.[8] If a breach happens, your team can leap into action. First, acknowledge that an attack to your business is likely. Next, set up the right team to deal with an attack, and be sure everyone is aware of their responsibility in such an event. Third, and this is essential, keep your plan up to date! Be sure that key players are updated as people exit your company; run readiness drills to catch technology issues and human errors ahead of time.[9]
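The offboarding point in the “Stay up to date!” item above (accounts that departments opened without telling IT) can be checked mechanically. The script below is an added example written for this page, not SPC’s or any vendor’s tool: it reconciles an HR export against the account lists exported from external systems such as a LinkedIn page’s admin list or a project-management tool. The file layouts, column names and every e-mail address are constructed for the example; a real audit would read the real exports.

```python
"""Offboarding reconciliation: find accounts on external systems that still
belong to departed staff, or to nobody on the HR roster. Added example with
constructed data; not the article's or any vendor's code."""
import csv
import io
from datetime import date

# Constructed HR export: one row per person, blank last_day for current staff.
HR_EXPORT = """email,status,last_day
alice@example.com,active,
bob@example.com,terminated,2017-01-13
carol@example.com,terminated,2016-11-30
"""

# Constructed exports from the admin consoles of systems IT may not own
# (the article's LinkedIn / project-management examples).
SYSTEM_EXPORTS = {
    "linkedin-page-admins": """email,role,last_login
alice@example.com,admin,2017-02-01
bob@example.com,admin,2017-01-20
""",
    "project-tracker": """email,role,last_login
carol@example.com,member,2016-12-05
dave@contractor.example,member,2017-01-30
""",
}


def parse_csv(text):
    """Return the rows of a small CSV export as a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def hr_roster(hr_csv):
    """Map lower-cased email -> (status, last_day or None)."""
    roster = {}
    for row in parse_csv(hr_csv):
        last_day = date.fromisoformat(row["last_day"]) if row["last_day"] else None
        roster[row["email"].strip().lower()] = (row["status"], last_day)
    return roster


def audit_accounts(hr_csv, exports):
    """Cross-check every account in every system export against HR.

    Findings are dicts with keys system, email, finding. Two kinds are raised:
      - departed-still-active: HR says terminated but the account still exists;
        the finding notes when the account was used after the last day.
      - no-hr-record: the account's owner is not on the roster at all
        (contractors, shared accounts, typos), so ownership must be established.
    """
    roster = hr_roster(hr_csv)
    findings = []
    for system, text in exports.items():
        for row in parse_csv(text):
            email = row["email"].strip().lower()
            if email not in roster:
                findings.append({"system": system, "email": email,
                                 "finding": "no-hr-record"})
                continue
            status, last_day = roster[email]
            if status != "terminated":
                continue
            note = "departed-still-active"
            last_login = date.fromisoformat(row["last_login"]) if row["last_login"] else None
            if last_day and last_login and last_login > last_day:
                note += f"; used after last day ({last_login.isoformat()})"
            findings.append({"system": system, "email": email, "finding": note})
    return sorted(findings, key=lambda f: (f["system"], f["email"]))


if __name__ == "__main__":
    for f in audit_accounts(HR_EXPORT, SYSTEM_EXPORTS):
        print(f"{f['system']:22} {f['email']:28} {f['finding']}")
```

Run it on a schedule and whenever HR records a departure: the first finding kind is the account to disable today, and the second is the account whose owner nobody can name, which is exactly how departmental sign-ups slip past IT.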

Even if you have enough cash to pay a ransom fee and clean up the mess, will you be able to recover your company’s reputation, and your clients’ trust? Rather than waste time worrying about what hasn’t happened, make the move now to ensure it never does.

PROTECT YOUR COMPANY’S DATA: BUILD A BETTER INFRASTRUCTURE

The words “spend wisely” hover above any well-thought budget. And no budget is ever enough. IT division needs rise while the line numbers stay flat, meaning most CISOs are expected to deliver more from less. Zeroing in on infrastructure best practices that boost value will improve data protection without breaking the bank.

Consider these six steps to building a more secure infrastructure and ensuring its longstanding success.

GET THE MACRO VIEW.

Provide the security team with a normalized, comprehensive view of the network, including: routing rules, access rules, NAT, VPN, etc.; hosts, including all products (and versions), services, vulnerabilities, and patches; as well as assets, including asset groupings and classifications. With this comprehensive network view, security teams can view hosts in the network, as well as configurations, classifications and other pertinent information. This serves both as a useful visualization tool and a diagnostic tool, providing analysis that is only possible when considered from the macro perspective. An example of how this would work: security and compliance teams can use this overall view to see how data would move between points on the network. It also highlights information that is missing, such as hosts, access control list (ACL) data, etc., and quickly and accurately conducts sophisticated analytics without disruption of the live network. Access path analysis helps to validate changes, and can troubleshoot outages or connectivity issues, enhancing visibility and improving security processes.

TAKE THE MICRO VIEW ON DAILY DEVICE MANAGEMENT.

Although a macro view is needed to see how all the pieces of the network fit together, network administrators must be able to drill down into the details for a particular device, easily accessing information on rules, access policies, and configuration compliance. This information must be considered within the framework of the broader network, including context such as segments or zones, routing, routers, switches, intrusion prevention systems (IPS), and firewalls. The network components that impact the device will undoubtedly come from various vendors, creating data in different vendor languages that must be deciphered, correlated, and optimized to allow administrators to streamline rule sets. For example, administrators need to be able to block or limit access by application and view violations of these access policies. Daily or weekly reviews of all devices on the network are unattainable with a manual process, and reviewing device configurations less frequently puts network security and compliance at risk. Automating policy compliance helps ensure compliance and consistency, and preserves IT resources.
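The macro and micro views above can be demonstrated on a small rule base. The Python below is an added example written for this article, not a product feature or the article’s own code; the two-firewall topology, the CIDR ranges and the rule names are constructed, and it assumes the usual first-match, implicit-deny semantics. access_path() answers the macro question (can this flow get from here to there, and which rule decided at each hop), compliance_findings() performs the per-device review (any/any allows and rules shadowed by an earlier rule), and the last call validates a change before it is pushed to the live device.

```python
"""Access-path analysis and rule-base compliance checks over a constructed,
two-firewall topology. Added example; not a vendor's or the article's code.
Rule semantics assumed: first match wins, implicit deny at the end."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    ports: tuple     # (low, high) destination port range; (0, 65535) = any


ANY = "0.0.0.0/0"
ANY_PORT = (0, 65535)

# Constructed rule bases. EDGE sits at the perimeter, CORE in front of the
# database zone 10.2.0.0/24; the DMZ is 10.1.0.0/24, management is 10.3.0.0/24.
EDGE_RULES = [
    Rule("edge-web", "allow", ANY, "10.1.0.0/24", (443, 443)),
    Rule("edge-block-db", "deny", ANY, "10.2.0.0/24", ANY_PORT),
]
CORE_RULES = [
    Rule("core-dmz-to-db", "allow", "10.1.0.0/24", "10.2.0.0/24", (5432, 5432)),
    Rule("core-temp-any", "allow", ANY, ANY, ANY_PORT),      # left over from troubleshooting
    Rule("core-mgmt-ssh", "allow", "10.3.0.0/24", "10.2.0.0/24", (22, 22)),
]


def matches(rule, src_ip, dst_ip, port):
    return (ip_address(src_ip) in ip_network(rule.src)
            and ip_address(dst_ip) in ip_network(rule.dst)
            and rule.ports[0] <= port <= rule.ports[1])


def first_match(rules, src_ip, dst_ip, port):
    return next((r for r in rules if matches(r, src_ip, dst_ip, port)), None)


def route(src_ip, dst_ip, edge=EDGE_RULES, core=CORE_RULES):
    """Toy topology: traffic from outside 10.0.0.0/8 enters through EDGE, and
    anything bound for the database zone also crosses CORE."""
    hops = []
    if ip_address(src_ip) not in ip_network("10.0.0.0/8"):
        hops.append(("EDGE", edge))
    if ip_address(dst_ip) in ip_network("10.2.0.0/24"):
        hops.append(("CORE", core))
    return hops


def access_path(src_ip, dst_ip, port, **topology):
    """Macro view: is the flow permitted end to end, and which rule decided at
    each hop? Returns (permitted, trace) with one (device, rule, verdict) per hop."""
    trace = []
    for device, rules in route(src_ip, dst_ip, **topology):
        hit = first_match(rules, src_ip, dst_ip, port)
        verdict = hit.action if hit else "deny"
        trace.append((device, hit.name if hit else "<implicit>", verdict))
        if verdict != "allow":
            return False, trace
    return True, trace


def covers(outer, inner):
    """True when rule `outer` matches every packet rule `inner` would match."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])


def compliance_findings(rules):
    """Micro view on one device: flag any/any allows and rules shadowed by an
    earlier rule (they can never fire, so the intent behind them is not enforced)."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == ANY and rule.dst == ANY and rule.ports == ANY_PORT:
            findings.append(f"{rule.name}: allows any source to any destination on any port")
        shadow = next((e for e in rules[:i] if covers(e, rule)), None)
        if shadow:
            findings.append(f"{rule.name}: shadowed by {shadow.name}")
    return findings


if __name__ == "__main__":
    print(access_path("203.0.113.5", "10.1.0.10", 443))   # permitted at EDGE
    print(access_path("203.0.113.5", "10.2.0.10", 5432))  # denied at EDGE
    print(access_path("10.1.0.10", "10.2.0.10", 22))      # allowed only by core-temp-any
    for line in compliance_findings(CORE_RULES):
        print("finding:", line)
    fixed = [r for r in CORE_RULES if r.name != "core-temp-any"]
    print(access_path("10.1.0.10", "10.2.0.10", 22, core=fixed))  # what-if: now denied
```

The trace is what makes the macro view useful for troubleshooting: a denied flow names the device and rule that dropped it, and the what-if run with the leftover any/any rule removed shows the SSH flow from the DMZ becoming an implicit deny before anyone touches the production device.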

OPTIMIZE YOUR NETWORK SECURITY AWARENESS AND CONTROL THROUGH INTEGRATION OF MANAGEMENT FUNCTIONS.

Coordinate workflows across functional categories to improve accuracy and efficiency, including configuration management, fault/availability monitoring, performance monitoring, and troubleshooting. From a management tools perspective, this either requires close integration and sharing of data between tools to ensure seamless and accurate handoffs from one to another, or a unified management system that supports multiple functions on a single core database and/or management data model.

IMPLEMENT HYPER-CONVERGENCE FOR AN INTERNAL, CLOUD-LIKE EXPERIENCE.

The convergence of virtualized servers, storage, and networking using software can significantly simplify data center provisioning and maintenance tasks, and reduce long-term costs. “Hyper-convergence changes all your internal processes because most of them were originally built around the separation of the network, storage, and compute layers. Hyper-convergence allows you to operate all three under a single stack.”

PLAN A RISK MANAGEMENT APPROACH THAT INCLUDES SIMULATED ATTACKS FOR CONTEXTUAL ASSESSMENT.

Include the ability to identify near-, mid-, and long-term risks and their likelihood, through “what-if” scenario planning. Today’s attacks often incorporate multiple steps that cross several different network zones, and an isolated view of any of these steps could appear innocuous. Attack simulation technology automatically looks at the holistic network – business assets, known threats, and vulnerabilities – and identifies what would happen if the conditions were combined. Attack simulation can also evaluate potential options to block an attack, providing intelligence for decision support. Understanding the likelihood of an attack and its potential impact against valuable targets is the key to assessing which vulnerabilities and threats pose the most risk.
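A minimal attack simulation of the kind described here, as an added example written for this page (not a vendor’s engine or the article’s own code): assets carry a business value and a per-hop compromise likelihood, both invented for illustration, and the permitted flows between them are given as a constructed edge set of the sort access-path analysis would report. The code enumerates multi-step paths from the Internet to each asset, scores risk as likelihood times value, and evaluates each “what-if” of blocking a single flow by how much total risk it removes.

```python
"""Attack simulation for risk ranking and "what-if" decision support over a
constructed asset/flow model. Added example; not a product's or the article's
code. Likelihoods and asset values are invented for illustration."""

# Assets: zone, business value (impact on a 1-10 scale), and the likelihood
# that an attacker who already controls a neighbour compromises this asset
# (a stand-in for the "known threats and vulnerabilities" on the host).
ASSETS = {
    "web01":  {"zone": "dmz",  "value": 3,  "p_compromise": 0.6},
    "app01":  {"zone": "app",  "value": 5,  "p_compromise": 0.4},
    "db01":   {"zone": "data", "value": 10, "p_compromise": 0.5},
    "jump01": {"zone": "mgmt", "value": 2,  "p_compromise": 0.3},
}

# Permitted flows between assets (constructed; what access-path analysis reports).
FLOWS = {
    ("internet", "web01"), ("web01", "app01"), ("app01", "db01"),
    ("internet", "jump01"), ("jump01", "db01"),
}


def simple_paths(flows, start, goal):
    """All loop-free paths start -> goal over the permitted flows (DFS)."""
    adjacent = {}
    for src, dst in flows:
        adjacent.setdefault(src, []).append(dst)
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            paths.append(path)
            continue
        for nxt in sorted(adjacent.get(node, [])):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def path_likelihood(path):
    """Multi-step attack: every hop after the entry point must succeed."""
    likelihood = 1.0
    for node in path[1:]:
        likelihood *= ASSETS[node]["p_compromise"]
    return likelihood


def asset_risk(flows, asset, start="internet"):
    """Most likely path to the asset and the resulting risk (likelihood x value)."""
    best_path, best = [], 0.0
    for path in simple_paths(flows, start, asset):
        p = path_likelihood(path)
        if p > best:
            best_path, best = path, p
    return {"likelihood": round(best, 6),
            "risk": round(best * ASSETS[asset]["value"], 6),
            "path": best_path}


def total_risk(flows):
    return round(sum(asset_risk(flows, a)["risk"] for a in ASSETS), 6)


def blocking_options(flows):
    """What-if: for each flow, how much total risk disappears if it is blocked.
    Sorted best option first, so the top entry is the control worth deploying."""
    baseline = total_risk(flows)
    options = [(round(baseline - total_risk(flows - {flow}), 6), flow)
               for flow in sorted(flows)]
    return sorted(options, reverse=True)


if __name__ == "__main__":
    for asset in ASSETS:
        print(asset, asset_risk(FLOWS, asset))
    print("total risk:", total_risk(FLOWS))
    for reduction, flow in blocking_options(FLOWS):
        print(f"block {flow[0]} -> {flow[1]}: risk -{reduction}")
```

On this constructed data the ranking names the Internet-to-web01 flow as the control with the greatest effect, while blocking app01-to-db01 removes nothing, because the management path already reaches the database with a higher likelihood. That is the holistic conclusion an isolated view of any single hop cannot give.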

IMPLEMENT A NEXT-GENERATION FIREWALL (NGFW) AT YOUR ORGANIZATION’S PERIMETER AND KEY INTERNAL CHOKEPOINTS.

The ability to quickly detect and implement automated security response mechanisms is a valuable asset. The tight interaction between traditional firewall rules, Intrusion Prevention System (IPS) signatures, deep packet inspection, application awareness, and global threat intelligence creates a far more secure network edge compared to traditional security architectures. Do also keep in mind: the more deep-inspection or rules the perimeter firewall is expected to process and enforce, the more horsepower and resources required. In other words, choose requirements wisely to reduce the risk of traffic slowdowns.

“A security-centric, programmable infrastructure that detects and responds to emerging threat vectors is essential for organizations to thrive in our hyper-connected era.”

Darlings of the Dark Web: Who is Selling Your Data?

“I am Oz, the great and powerful” – the ominous words of a weak wizard foretold our future. And who was Oz? A regular guy posing as the leader of a land that does not exist. But the Emerald City was no Dark Web. And even though it exists in technological space alone, the Dark Web is real, with people using code names wielding their power within it. What people, you ask? All types of people.

But back up a bit. What is the Dark Web? And how does it differ from the Deep Web?  This is easy. It goes like this…

When you step onto the web in your daily life, you’re most likely going right to the Surface Web, also known as the Visible Web or Indexed Web. This is the web that is available to the general public.[1] Here you find all of your Google searches and the portals to your varied accounts. Now log on to your email. BAM! You’re in the Deep Web, also called the Invisible Web. It’s where the privacy curtain falls, which is a good thing. The Deep Web contains the coded content not indexed by search engines.[2] It is password-protected for members – you wouldn’t want everyone reading your email, right? – or subscribers, like anything behind a paywall – let’s keep that Amazon or Netflix account locked. Even a web page that requires typing a query within a search box, such as one for court records, is Deep Web travel.[3]

Okay, you’ve got that, right? Right. Moving on.

When you’re talking about the Darknet, you’re talking about the Dark Web. Your standard browser (Chrome, Safari, Firefox…) won’t take you there. The most likely portal is via Tor software, from the Tor Project[4] – a government-funded nonprofit created in the mid-1990s by the U.S. Naval Research Laboratory, and publicly launched in 2003.[5] Once you’re on the Tor network, information is encrypted, so your browsing remains anonymous. Created for anonymity, Tor offers many positive uses (like free speech without government firewalls – i.e. China; even Facebook provides Tor access for safety and security[6]), and most Tor browsing is entirely legal and legitimate. “Visits to those dark web sites account for only 1.5 percent of all Tor traffic, according to the software’s creators at the non-profit Tor Project.”[7]

Tor’s “hidden services” – special websites that may only be accessed through Tor – are the most popular darknet sites. Cloaked in Tor’s anonymity, it is difficult to track who visits them.[8] This is where the trouble begins. Information you thought was secure, your personal or your company’s information, is being traded down there. Dark sites sell stolen credit cards, social security numbers, lists of user information collected off of Yahoo, LinkedIn, Twitter, Tumblr, MySpace[9] and so on, forged documents, counterfeit currency, and much more.

But who’s behind this? Where are they coming from?

The highest-profile takedown of dark web activity happened in 2013 with the FBI arrest of Ross Ulbricht, founder of the notorious criminal-traffic Silk Road site.[10] When Ulbricht’s uneventful background[11] is considered, it’s clear that almost anyone can don the cloak of criminality, and perhaps convince themselves that they are doing it for the greater good. Ulbricht was an American, hailing from Texas, with Libertarian leanings. Other recent arrests have involved entire rings, like the FBI’s Operation Shrouded Horizon, which charged, arrested or searched 70 hackers globally on the Darkode site in 2015. They were hit with wire fraud, money laundering and conspiring to commit computer fraud. Their trail of crimes included compromising Microsoft and Sony, as well as swiping data from more than 20 million victims.[12]

Then there were those who brought down Dyn with distributed denial-of-service (DDoS) attacks in October 2016. The networks of zombie computers that hurled data at the Dyn-managed servers at rates measured in terabits per second, ultimately disrupting Twitter, Spotify, Netflix and Airbnb, were controlled by a collective called the New World Hackers. Members identifying themselves as “Prophet” and “Zain” claimed on Twitter that more than 10 members participated in that attack. They also mentioned that about 30 people have access to their Twitter, with 20 members in Russia, 10 in China, and “Prophet” identifying as being in India. One additional New World Hackers member, “Ownz”, came forward, claiming to be in London, and 19 years old.[13]

Russia and China are repeatedly identified as ultimate sources of major attacks. Security technologist Bruce Schneier (called a “security guru” by The Economist) noted the two nations in a September 2016 article.[14] It’s the nature of the attacks that has him wondering. Probing attacks in addition to DDoS-style ones are “testing the core defensive capabilities of the companies that provide critical Internet services,” he claims. Schneier goes on to state: “It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that. Furthermore, the size and scale of these probes—and especially their persistence—points to state actors. It feels like a nation’s military cyber command trying to calibrate its weaponry in the case of cyberwar.”[15] It’s either that or one of these scenarios: a request for money is denied, so the extortionist unleashes extreme force, or hacktivists decide to exhibit the bite behind their bark.[16] No one knows just yet.

There is one consistent factor that calls to be addressed: age and knowledge. We have seen that these powerful perpetrators are seasoned cyber players by puberty. James Kosta was convicted for hacking banks, military computers and more at 14; Jonathan James was the first juvenile in the US jailed for hacking; he was 15.[17] Ownz, of New World Hackers, is presumably 19. Another notorious name to have arrived on the dark web in 2016 is Tessa88, a Russian woman who also appears to be young.[18] Should this surprise anyone? Not at all. The kids are in the game now, with elementary school the jumping-in point. In 2014 MIT released a free iPad app that teaches children from 5-8 to code.[19] And “code literacy” is a new way of looking at advancements in learning.[20] Soon growing up coding will be as much a component of understanding the world as the transition from analog to digital clocks. It’s where we are as a society. The most important thing we can do is teach them responsibility, that they’re part of the greater picture, even if that picture seems distant through a screen.

TOP CYBERSECURITY THREATS FOR 2017 & TIPS TO AVOID THEM

Like Dracula’s ship full of rats heading for the English coast, 2017’s cyber threats are on their way. Recent menaces will increase in scale, older tactics will return in revised, more robust versions, and medium and smaller businesses will be targeted more often. Some threats appear on every expert’s list, while others are making their way out of the shadows. Awareness of all is essential when planning an agile strategy for defense.

Not going away:

  • IoT (Internet of Things) – businesses will have an increasing problem with IoT security, as all devices from thermostats to security cameras are integrated into a company’s internal network. One of the challenges with IoT devices is that, by default, they are open and available to the Internet, and come protected with default passwords, making it easy for hackers to integrate malware into networks.[1]

The number of these attacks will rise because most users don’t know how, or even that they need, to change the security controls on their devices.[2]

“IoT is the weakest link into the home, and thousands of consumers are going to find their accounts compromised and their bank accounts pilfered just because they thought it would be fun to automatically dim the lights in their bedroom,” states Phil Dunkelberger, CEO of Nok Nok Labs.[3]

The good news is that ongoing IoT threats will force manufacturers to tighten security layers, including patchable firmware/software, secured authentication, and controlled privilege access. Regulations will be pushed forward for vendor responsibility around IoT device software updates.[4]

  • Ransomware is predicted to grow by 25% in 2017, and looks likely to spread into IoT devices, PoS systems, and ATMs. If you want your files back after a successful ransomware attack, you’re probably going to have to pay the ransom, which is what the FBI actually suggests you do.[5]

But there are less expensive options than paying a ransom. The ransomware must be installed before it can do its work encrypting your files. Simple, precautionary steps can drastically reduce the risks:

    • Install reputable anti-virus and anti-malware software
    • Don’t open an email attachment without knowing what it is
    • Don’t follow links in emails; close the email and use your browser to go directly to the website
    • Use strong passwords and never reuse them
    • Check that all of your system software and browsers are patched automatically with security updates
    • Apply all of these rules to all devices: smartphones, tablets and Macs are not immune!
    • Have solid back-ups for all of your data.[6]

  • Spear phishing continues, with hackers duping the recipients into believing they’re receiving a personalized message. The cyber criminal will research their target before crafting the message, then possibly even masquerade as a friend or colleague to get the victim to either give up sensitive information, or click on a link containing malware.

Though more advanced technology solutions will help to keep the hackers out, it’s important to consider the human element in regard to phishing scams. Mistakes may be avoided if employees are taught to recognize these potential hazards. A good start is with training sessions designed to ensure workers know how to avoid dangerous situations.[7]

Back for more:

According to Stephen Gates, chief research intelligence analyst at NSFOCUS, self-propagating worms of the past, such as Conficker, Nimda, and Code Red, will return to prominence—but this time they will carry ransomware payloads capable of infecting hundreds of machines in an incredibly short timespan.

As more devices become internet-enabled and accessible and the security measures in place continue to lag behind, the associated risks will rise. Aside from the obvious risks for attacks on consumer IoT devices, there is a growing threat against industrial and municipal IoT as well. This can lead to theft of intellectual property, collecting competitive intelligence, and even the disruption or destruction of critical infrastructure.[8]

What medium and smaller businesses need to know:

Although the larger enterprises may be targeted first, where there is money, the criminals will appear. Smaller businesses and startups are easier to penetrate because they don’t typically have cybersecurity budgets on the scale that big corporations do. “Even if your ‘IT infrastructure’ only consists of a couple of laptops, cybersecurity should be a top priority.” Adopting these strong security habits will ensure that you’re running a tight ship…

Nothing unwanted gets in if you:

  • Maintain firewalls on all machines. Make sure everything is up to date.
  • Regularly update your company’s operating system – keep on top of new security patches and check to make sure that machines are automatically updated.
  • Secure all mobile devices connected with your company. Do not store important passwords on any mobile device. Learn how to enable “remote wipe” capability on phones and tablets, and how to activate a “kill switch” that allows only the device owner to reboot.
  • Use a virtual private network (VPN) to encrypt your web connection and ensure data shared online is not viewable to third parties. Secured data connections are available between remote workers and your network, which is especially valuable when workers are in the field.
  • Keep virus protection current on all devices. Update whenever a new patch is released.
  • Adopt a strong password policy for all company employees.
  • Make a cross-company rule for no unknown downloads. If the recipient doesn’t know the sender, the download should not be executed.
  • Educate your employees against cyber threats. Even when you stay up to speed on all counts, you can still be at high risk if your employees aren’t in the know. Make training them an integral element of your company’s cybersecurity strategy.[9]

Steps taken now to protect your business and personal accounts from potential cyber threats will give you peace of mind in the year ahead, and stave off the potential danger sailing toward you. Don’t wait to take action; take it step by step.

5 WAYS TO BE SURE YOUR GIFT CARD ISN’T HACKED

Whether you are holiday shopping or shopping for any gift during the year, finding the perfect gift can be elating. As delightful as it sounds to find and give the perfect gift, the National Retail Federation reports that more than 60% of consumers would rather you gave them a gift card.[1] And nowadays you can find racks and racks in retailers ranging from megastores to minimarkets, as well as online sites catering specifically to this style of streamlined gift-giving. It’s all so easy, right?

Most of the time, everything runs smoothly, but exceptions are edging into public awareness. Retailers from Starbucks[2] to Nordstrom[3] have had their cards hacked, with fraudsters exploiting any weak link in the chain of purchase. The end result is awkwardness at checkout when the pre-scammed recipient innocently attempts to pay with the card, the possibility that the hack could drain funds beyond the reach of the amount placed on the card, and a potentially drawn-out shuffle in acceptance of retail responsibility. But all of it is avoidable. There are ways to prevent the potential of fraud before a penny is placed on the plastic.

Current scam tactics range from those used by skilled criminals, to simple tricks at the point of sale. But a little knowledge is insurance against risky purchases.

  1. Skimming

A fraudster takes a gift card off the rack and uses an electronic reader (aka skimmer) to read all the data, goes home and makes a counterfeit card. The perpetrator then waits for that particular card to be loaded in the store, then uses the fake card to make purchases. It’s estimated that 13% of gift card fraud is due to counterfeit or skimmed cards.[4] Alternatively, they could steal cards, do the reading at home, and then return the stack of cards as if they were as fresh as the day they were delivered, or simply write down serial numbers while hanging out in the aisles.

How does the scammer then know which gift cards have been charged up? Every few days he simply calls the gift card phone number and enters the card’s unique numbers to find out if money has been added, and the remaining balances.[5] What makes it easy is that most of these systems do not have second-level security – in other words, no password is required.

How to avoid it:

Purchase cards kept in locked cases without access to the public. Purchase in the retail store or on the secure website of the retailer that issues the gift card.

  2. Stickers

Most gift cards that are displayed on sales racks are just blank cards. A dollar value is added to the card upon card activation during purchase. In this scheme, a thief steals an inactive gift card and duplicates its barcode on a sticker. He then applies the sticker over the genuine barcode of another gift card in the store and waits for an unsuspecting customer to buy the altered card. When the sticker containing the barcode of the stolen gift card is scanned, it activates the previously stolen card instead of the gift card that the customer is buying.[6]

How to avoid it:

Carefully examine the gift card before purchasing. Check that the sticker looks the same as those you are accustomed to seeing on credit and other account cards. If there is a PIN, make sure that it is not visible. Don’t purchase any card that appears to have been tampered with.

  3. Switched at Checkout

This gift card scam only works when a store employee is part of the plan. As the customer hands a gift card to the cashier for activation, the cashier activates a different card and hands the original back to the customer. (Or the opposite is true. The cashier activates the first card, but hands an inactive card to the customer.) In either case, the cashier racks up activated gift cards while handing out blanks.7

How to avoid it:

Keep your eye on the gift card at all times and ask to have it handed back to you as soon as the card is activated. Check the gift card number listed on the activation receipt to ensure it matches the number on the card you just received. If the employee acts distracted or tries to distract you during gift card activation, it could be a scam.8

  4. Shutdown of Register

An employee rings up a gift card and activates it at the point of purchase. Before tendering the transaction, they unplug or conduct a hard shutdown of the register. In this instance the gift card most likely did not activate, and the transaction may not even have been recorded.9

How to avoid it:

Stay alert to the steps the cashier is taking while ringing up the card. If you notice the register being shut down, request your method of payment be handed back to you, and that any sale be immediately canceled.

  5. Sketchy Auction Sites

Cheap/discounted gift cards available from online auction sites may be stolen, counterfeit, or credit from returns for stolen merchandise.10 While all gift cards on these sites will be offered at some discount, with 10% less than the value of the card being common,11 be wary of deeper deductions on these e-gift cards and physical gift cards.

How to avoid it:

If you are purchasing online, be sure the site is secure and look out for discounts too good to be believed, or buy directly from the retailer issuing the card.

In addition to the pointers above, it is important to realize how thieves can easily convert the value of a gift card into money or merchandise. If an account is hacked and the card’s auto-load feature is turned on, the fraudsters can quickly drain the attached bank account.12

Additional steps to take whenever you invest in a gift card:

  • Ask the cashier to scan the gift card in front of you. This will guarantee that your card is valid when you buy it, and that it reflects the balance you just charged it with.
  • Keep your receipt as proof of purchase as long as there is money stored on the gift card. Many retailers can track where the gift card was purchased, activated and used. If the card is stolen, some retailers will replace the card so long as you present a receipt.
  • Register the gift card on the store’s website. Although not all stores offer this option, if it is available, you will be able to uncover any misuse of your gift card sooner and quickly report it.
  • Never give your personal information, such as Social Security number, date of birth, or any other unneeded private information, when purchasing a gift card. No reputable company will ask for this.13

By all means, don’t give up on gift cards. By taking these precautions, you’ll be able to sidestep the scams, and give or receive a gift without concern.

KEEP CALM AND MIND THE GAPS – HOW FINANCIAL INSTITUTIONS CAN STOP CYBER BREACHES

Mind the gap. If you’ve ever been to London, you probably know the gap you’re supposed to mind: it’s old school – you can drop right into it. If you’re a bank or credit union, the gaps you need to be minding aren’t as easily spotted. Searching for them is a bit like the quest for Pokemon – they exist where you didn’t think to look. Though unlike the essentially meaningless pursuit of Pokemon, the gaps in your financial institution’s security could cost its competitiveness if not tracked down.

Banks and credit unions are on high alert for signs of suspicious behavior on their networks; we know that. But the hackers know it too, and that isn’t going to stop them. To get to the money, cyber criminals are taking advantage of the areas where financial firms lack the insight to anticipate a vulnerability, with small and mid-sized firms at the greatest risk.1 Even the heavy-duty defense systems brought in by the big banks do not preclude them from security fissures. “Many financial institutions have not yet implemented proactive customer protection that focuses on root-cause prevention,” says Ross Hogan, global head of Kaspersky Lab’s fraud prevention division.2

For an institution to enjoy thriving longevity, cyber security must be at the core of its plan for sustained resilience. Beyond the hardened devices, encryption and protection surrounding systems, “an intelligence-focused approach will be required to create a comprehensive strategy. You cannot defend against what you do not know. True cyber security…is not simply purchasing the latest cyber security product. It requires a new mindset, as well as a new skill set.”3

Speaking at the Boston Fed’s 2016 Cybersecurity Conference in April, Anjan Mukherjee, Counselor to the Secretary and Deputy Assistant Secretary for Financial Institutions at the U.S. Treasury, stated that banks and other financial institutions should adopt best practices “to reduce the probability of an event happening, and if it does, minimize the cost,”4 and counseled taking these steps:

  • Use the NIST (National Institute of Standards and Technology) framework. “It is not a technical document,” he said. “It is a powerful tool that provides a common lexicon to facilitate communication within organizations and with outside third parties.”
  • Know and catalog all vendors that have access to your systems and data.
  • Make sure those third parties have appropriate cyber security practices, and conduct ongoing monitoring of them to remain sure.
  • Join FS-ISAC (Financial Services Information Sharing and Analysis Center). “Be mindful of privacy, but this is a group with 7,000 members, and it leverages knowledge of threat indicators.”
  • Practice response and recovery, to contain and mitigate. “Have an internal team and coordinate with external teams. Have a playbook and exercise it regularly.”
  • Have backup plans and work-arounds to make critical payments and deliveries manually if necessary.5

At this same 2016 Cybersecurity Conference, Peter Kruger, a partner at high-tech venture capital firm In-Q-Tel, warned that “the human element remains the weakest link in the security chain,” stating: “77% of intrusions are through email. That’s the attack surface.” He also described situations like an employee being offered $20,000 to place a malicious USB thumb drive into a system.6

Bolstering the philosophy that all assets must be accounted for, and everyone must become alert and engaged, securityintelligence.com recently advised all organizations to “take and maintain inventories of all their assets on the network and…assess the risks that different classes of assets face. They should also ensure employees are adequately trained in security awareness since they are on the front line and can be helpful in spotting potential vulnerabilities before they become a major problem.”7

With digitalization racing to meet the ever-growing demand for constant, simplified access, a matching shift in focus toward locked-down security is essential to combating future vulnerabilities. Closing up the gaps is not a task of Herculean proportions. It will indeed take longer than the time between tube stations, but it ensures that your financial institution won’t find itself at the end of its line.