Security Expert Warns about Using App that Emails Money



A service by a company called Square Inc. will allow you to e-mail money to your friends free-of-charge.

But a nationally recognized IT security expert, Stan Stahl, Ph.D., says the concept is fraught with danger.

More on Dr. Stahl’s warning later, as he explains how easily you could lose your money.

Stan Stahl, Ph.D. — www.citadel-information.com


The app, Square Cash, is available for Android and Apple users, according to Walt Mossberg’s review in The Wall Street Journal (The Money Is in the Email).

You’ll be able to e-mail cash right from your debit card to your friend’s. You can send up to $2,500 a week in either one or multiple e-mails, and you don’t have to log in or use a password — just your e-mail on a computer, smartphone or tablet.

“There are other services that allow you to send money from one person to another digitally,” Mr. Mossberg wrote. “You can do it via PayPal, or via a newer service called Venmo, which PayPal is in the process of acquiring. But I believe Square is simpler and more private.”

He was satisfied with his test drives of the app:

“I tested Square Cash, sending and receiving money in amounts ranging from $10 to over $1,000, with eight people, and it worked rapidly and flawlessly,” he wrote. “I can recommend it for anyone who needs to pay a small debt, give a cash gift, split a bill, or send cash quickly and easily.”

Mr. Mossberg’s caveat

“If fraud is suspected, the company says it can and will reverse the fund transfer. Still, digital services do get hacked, and email can be manipulated by thieves,” Mr. Mossberg warned. “The service notifies you via email or text that it appears you have sent money, which gives you a chance to cancel a transaction that didn’t come from you or was a mistake.

“So, if you don’t trust Square to defeat such things, you shouldn’t use Square Cash.”

Security expert responds

Dr. Stahl, with a stellar record as a security expert, sees potential danger.

“This happens without exploiting any vulnerabilities in Square Cash,” he warns. “It exploits other vulnerabilities in the ‘ecosystem’.”

Dr. Stahl explains how it’s possible to steal money from a Square Cash user (based on The Wall Street Journal account):

  1. A cybercriminal installs malware on the victim’s mobile device (it’s easy on an Android, harder on an iPad; on the victim’s workstation, it’s easy to do).
  2. Malware emails a debit transfer of $1,000 to a Gmail/Yahoo/MSN email account created for the purpose, by using a money mule with a bank account as the recipient.
  3. Square Cash sends a confirmation email to the user; but the malware intercepts the confirmation email and replies positively.
  4. Square Cash moves the money to a mule’s account in accordance with instructions, which have been confirmed.
  5. The mule cashes out and sends the proceeds to the cybercriminal.

From the Coach’s Corner, here are more security tips:

Surprise — Cyber Criminals Chew up Apple Products, too — For years in terms of security, Windows has been considered inferior to Macs. But no longer thanks to malware security epidemics. 

BYOD, Mobile-Banking Warnings about Security Prove Prophetic — Not to be gauche, but in 2009 you saw the Internet security warning here first – mobile banking is so risky an IT security guru said don’t do it. The warning was prophetic. 

Tips For Internet Security to Prepare you for New Cyber Attacks — According to a Web security study in 2013, Internet attacks have been impacting businesses, with the majority of them reporting significant effects in the form of increased help desk time, reduced employee productivity and disruption of business activities. 

Tips to Prevent Hacking of Your Bluetooth — Bluetooth technology, of course, allows you freedom when talking on your cell phone. But you’ll lose other freedoms if you don’t prevent scammers from exploiting your system via a trend called “bluebugging.” 

4 Tips to Defend Against Hackers When Traveling Overseas — The finger-pointing continues over the sources of cyber attacks on the U.S., including the media sites of The New York Times and Wall Street Journal. 

“It’s always better to assume the worst.”

-Bruce Schneier


__________

Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.





How Epsilon’s Security Flaw Threatened Millions of Businesses, Consumers



Epsilon, a major email marketing company, annually forwards billions of messages. The firm purports to be the leading opt-in marketing company with more than 2,000 global customers.

Epsilon reportedly emails customers for some pretty big players, including Capital One, Citibank, Disney, Home Shopping Network, JP Morgan Chase, Kroger, and TiVo.

As expected, Epsilon has an attractive Web site, www.epsilon.com. It touts all kinds of cutting-edge services. The site creates a favorable first impression.

But in my April 4, 2011 visit to Epsilon’s home page and again two years later, an important element was also missing – an unfortunate omen, if you will. You see, appearances in business are important, especially first impressions about IT security.

However, Epsilon has failed to adequately reassure its site’s visitors that it provides cutting-edge security.

In today’s IT environment, that’s more than just a gaffe. It suggests a catastrophe of monumental proportions waiting to happen. (In 2011, its branding slogan was “Marketing as Usual. Not a Chance.” Most recently, it’s been changed to “Where Intelligence Ignites Connections.”)

Unfortunately, such a security breakdown has already occurred. Indeed, on April 1, 2011, an ominous press release appeared on the company’s Web site. Unfortunately, it was not an April Fool’s joke.

Epsilon published this terse announcement:

Epsilon Notifies Clients of Unauthorized Entry into Email System

IRVING, TEXAS – April 1, 2011 – On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

Security debacle

Epsilon’s notice didn’t please me. You see, the cybercriminals were already at work. Several days prior to the press-release posting on March 30, I became aware that something was amiss – phishing scams trying to entice businesses and consumers to take advantage of so-called offers.

Afterward, Threatpost reported that some of Epsilon’s customers in turn warned their customers — here’s the warning from Disney Destinations to its customers:

“We have been informed by one of our email service providers, Epsilon, that your email address was exposed by an unauthorized entry into that provider’s computer system. We regret that this incident has occurred and any inconvenience this incident may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information,” the statement says.

“We want to assure you that your email address was the only personal information we have regarding you that was compromised in this incident. As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information.”

Two morals

The two salient lessons from this security debacle:

  1. Epsilon and other companies that provide IT services need to make security more of a priority.
  2. Businesspeople and consumers need to stay alert to the dangers lurking on the Internet, and IT in general.

In conclusion, what are the solutions for this situation and to prevent more occurrences? My longtime go-to security expert is Dr. Stan Stahl of Citadel Information Group in Los Angeles. Here’s what he had to say in What You Really Need to Know to Stay Web Safe.

Further, noteworthy management lessons have evolved from the alleged data-management program at Epsilon. Obviously, Epsilon’s data management is an oxymoron. It is not managed properly. Here are Management Lessons from Epsilon’s Email-Breach Scandal.

From the Coach’s Corner, Dr. Stahl’s insights were also quoted in this business portal’s all-time most-read column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.

Dr. Stahl’s Web site: www.citadel-information.com. You can also find his informative blog.

“The single biggest existential threat that’s out there, I think, is cyber.”

-Michael Mullen







Photo courtesy of chanpipat at www.freedigitalphotos.net


What Your Company Can Do to Combat the Malware Epidemic



Arguably, the nation’s leading Internet security expert agrees with published reports that an epidemic of malware has been unleashed on the Web – and he provides solutions.

“There has been a sea change in cybercrime,” wrote Stan Stahl, Ph.D. “Threats are more sophisticated than ever, weaknesses and vulnerabilities abound. Defenses have not kept pace.”

Dr. Stahl is a principal in Citadel Information Group, and is president of the Los Angeles Chapter of the Information Systems Security Association.

Stan Stahl

He says every organization must look critically at its defenses – everything from policies and employee-awareness training to modern intrusion prevention systems.

“It needs to make sure it’s employing a cost-effective defense-in-depth strategy covering all three critical security management domains,” he explained.

He said the security-management domains include:

1. Corporate security management

2. Security management of the IT infrastructure

3. Point-in-time security of the IT infrastructure

“It’s also a time to talk to your attorney and your insurance broker,” he adds. “Your attorney can make sure you’re aware of your legal responsibilities and can provide counsel on sharing sensitive information with 3rd parties. Your insurance broker can help you mitigate some of your security risk through cyber-insurance policies.”

The malware epidemic has regularly prompted Microsoft to issue emergency patches, an event the company calls “Patch Tuesday.”

Dr. Stahl’s Web site: www.citadel-information.com, which has a link to his informative blog.

From the Coach’s Corner, here’s a sampling of more critical information from Dr. Stahl:

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records – Unfortunately, we’ve learned another lesson about passwords at the expense of 16,288 patients who’ve been treated at UCLA’s network of hospitals and clinics. The patients’ sensitive information is in the wrong hands following a burglary of a doctor.

Why Many Healthcare Workers Are Alarmingly Responsible for Medical ID Theft — Medical identity theft is skyrocketing. It’s the fast-growing trend in ID thievery, and the data shows it adversely impacted 1.42 million Americans in 2010. That’s according to a 2011 study by PricewaterhouseCoopers (PwC). PwC reports medical ID theft aggregately cost more than $28 billion.

Security Precautions to Take Following Citibank’s Second Reported Online Breach – Citibank’s admission that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers in 2011, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps.

Has Security Bloom Fallen off the Rose for Macs? – For years in terms of security, Windows has been considered inferior to Macs. But no longer thanks to malware security epidemics.

Tips For Internet Security to Prepare you for New Cyber Attacks – Do you need more evidence to be diligent in using best practices for security on the Internet? According to a Web security study in 2013, Internet attacks have been impacting businesses, with the majority of them reporting significant effects in the form of increased help desk time, reduced employee productivity and disruption of business activities.

“Precaution is better than cure.”
-Johann Wolfgang von Goethe 








How CEOs and Boards Can Prevent Cyber-Security Threats


Here’s a comprehensive infographic examining security threats to business plus the top-10 best practice guidelines to prevent cybercrime.



CEOs finally started to deal with cyber-security threats, but only after they learned failure to act will cost them their jobs.

The trend started after Target fired its CEO, Gregg Steinhafel, in May 2014 over a hacker attack on its millions of customers during the 2013 holiday selling season.

It’s one thing to be attacked but it’s another to act too slowly to deal with it. Shockingly, Mr. Steinhafel learned that Target’s point-of-sale terminals were vulnerable, but he apparently was nonchalant and very slow in dealing with the issue.

Target’s revenue dropped $21.5 billion or 3.8 percent in Q4 2013. That was the hammer that finally got the attention of the suits.

Now, not only are CEOs on notice, but boards of directors are, too. The National Association of Corporate Directors is now mindful of cyber issues.

It’s been too long in coming. Many CEOs had been unaware about the dangers.

Better way

Indeed, two business professors – University of Virginia’s Tim Laseter and Dartmouth’s Eric Johnson – argue there’s “A Better Way to Battle Malware.”

They argued in their lengthy July 2010 article that senior executives could implement production quality controls to conquer cyber security issues.

USA Today first reported in 2010 that many CEOs were indifferent about the dangers to their firms when it comes to Internet security.

Eighty-one percent of information-technology professionals believed that their companies’ senior managers still do not comprehend the need to take proactive steps to ward off security threats.

That’s according to a study of nearly 591 IT pros by the Ponemon Institute for NetWitness. It did not only involve opinions about CEOs; the same fears were attributed to a lack of understanding by government agencies.

In addition to the 81 percent concerning senior executives, the study reports other red flags:

— 83 percent indicated their organization has been a recent target of advanced threats

— 41 percent said they were frequently attacked

Confirmation of data

Is it really possible that senior executives didn’t fully comprehend IT security dangers?

“Our experience confirms the validity of these statistics,” agreed Stan Stahl, Ph.D. “The cybercrime problem is only going to get worse as more and more small and medium size businesses fall victim to online bank fraud.”

Dr. Stahl, who made the comments in his blog, is a widely known pioneer and consultant in security and the prevention of identity theft.

His qualifications:

— He is the expert on Federal Trade Commission rules under the Gramm Leach Bliley Act governing non-public personal information by financial institutions.

— He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information-security professionals and practitioners.

“The biggest challenge we see is helping the men and women who have to dedicate resources (people or money) understand (1) why they need to improve the security of their information systems, (2) the basic steps involved in improving systems security, and (3) the ancillary competitive benefits they can get from improved information systems security management,” he writes.

Intellectual property thefts

Indeed, the Ponemon study also indicates 44 percent of attacks result in the theft of confidential information, and 45 percent of the cyber strikes result specifically in the “theft of intellectual property.”

“It’s to meet this challenge that we in the Los Angeles Chapter of the Information Systems Security Association have embarked on an aggressive Community Outreach Program,” writes Dr. Stahl. “Our objective is nothing less than to raise information security awareness.” (The association has local chapters in multiple cities, www.issa.org.)

This portal’s Tech Category contains many Biz Coach articles on cybersecurity with solutions from Dr. Stahl.

Infographic on the importance of network security

From the Coach’s Corner, editor’s picks for related information:

Why Innovation Isn’t Working at 82% of Surveyed Companies — When you make a major investment in innovation, you want a good return on your investment, right? Well, hundreds of senior executives admit to disappointment over their innovation efforts despite making increased investments, according to an Accenture report.

How CIOs Can Get More Respect in the C-Suite — Yes, it’s disappointing to know that senior executives are still in the dark. But IT pros can solve this problem, if they learn how to get recognition for their potential to help their companies.

Thought Leadership — Why Companies Hire Management Consultants — Companies want knowledge. A good idea can be worth $1 million and more. That’s why companies hire thought leaders. It’s also why you see many consultants position themselves as thought leaders and give away free information in how-to articles or studies, which lead to books, seminars and being quoted in the media.

“Distrust and caution are the parents of security.”
-Benjamin Franklin








Seattle business consultant Terry Corbell provides high-performance management services and strategies.