The draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators (PSOs) propose a governance mechanism for the identification, analysis, monitoring and management of cybersecurity risks.
Under the draft, the norms would take effect on April 1, 2024 for large non-bank PSOs, on April 1, 2026 for medium-sized non-bank PSOs and on April 1, 2028 for small ones.
Oversight of the framework would rest with a sub-committee of the board that must meet at least once every quarter.
"The PSO shall formulate a board-approved Information Security (IS) policy to manage potential information security risks covering all applications and products concerning payment systems as well as management of risks that have materialised," the draft note said.
“The directions will also cover baseline security measures for ensuring system resiliency as well as safe and secure digital payment transactions[…]However, they shall endeavour to migrate to the latest security standards. The existing instructions on security and risk mitigation measures for payments done using cards, Prepaid Payment Instruments (PPIs) and mobile banking continue to be applicable as hitherto,” the RBI noted.
Under the proposed norms, a PSO must define key risk indicators (KRIs) to identify possible risk events and key performance indicators (KPIs) to evaluate how well its security controls are working.
The RBI also requires a PSO to carry out a cyber-risk assessment before launching new products, services or technologies and before making significant changes to the infrastructure or processes behind existing ones. The central bank is seeking feedback on the draft norms by June 30.
The same board-approved Information Security (IS) policy must cover the management of potential information security risks across all applications and products related to payment systems.
The PSO would also have to maintain a business continuity plan (BCP) built around a range of cyber-threat scenarios, including unlikely but plausible events. The BCP must set out response, resumption and recovery procedures for cyber security events and incidents, and must be tested at least once a year.
A senior executive such as the chief information security officer (CISO) would be responsible for implementing the IS policy and the cyber resilience framework and for continuously reviewing the PSO's overall IS posture. The draft also requires safeguards to protect the PSO's network and systems from external attacks.
The PSO must also implement a thorough data leak prevention policy to ensure the confidentiality, integrity, availability, and protection of business and customer information (both in transit and at rest), in accordance with the importance and sensitivity of the information held or transmitted.
Cybersecurity researchers noticed sellers on Telegram channels advertising "full access" to Netflix for just 190 Indian rupees (about $2.30 or €2.15). The offers were too good to be true.
Check Point researchers found cases where buyers either never got access or had it revoked after a short time. The sellers were reselling hijacked accounts, leaving the buyers out of pocket and potentially exposed to further attacks.
Taking advantage of the confusion and vulnerability among Netflix users, cybercriminals launched social engineering attacks. Phishing emails with deceptive subjects such as "Your suspension notification" or "Update required — Netflix account on hold" flooded inboxes, originating from email addresses impersonating Netflix.
Omer Dembinsky, data group manager at Check Point Software, warned that users lured by these scams might unwittingly divulge their credentials on fraudulent websites, subsequently enabling attackers to resell their compromised accounts on the Dark Web.
Check Point's researchers noted, somewhat ironically, that following Netflix's new rules would help curb the trade in second-hand accounts: users should do exactly what Netflix is now enforcing and restrict who can access their accounts.
While it remains uncertain whether Netflix's ban on password sharing will ultimately enhance or hinder security in the long run, this episode highlights the unintended consequences that businesses may face when implementing policy changes affecting their users.
Netflix's crackdown on password sharing has thus, inadvertently, created an opening for criminals and dented user trust: disenchanted users drifting to Dark Web offers, and a wave of phishing that exploits the confusion, are the unintended consequences of a policy change. It is a reminder that changes to user-facing policy can have unforeseen cybersecurity implications.
In the National Privacy Test run by the VPN provider NordVPN, Vatican City (the Holy See) came top, and eight of the remaining top-ten countries were European. The UK ranked 35th worldwide.
NordVPN says the test is "designed to evaluate aspects of an individual's online life, including their understanding of cybersecurity in theory and their ability to recognize online threats and react accordingly."
Vatican City respondents scored 72 points, the highest of any country, according to data gathered since 2020 from nearly 140,000 respondents in 192 countries, each answering 20 questions.
Residents "demonstrated an excellent awareness of digital risks and how to avoid them," NordVPN notes, but the firm also faulted their digital habits, saying they need to make better use of privacy tools and secure online services.
Finland took second place, followed by the Czech Republic; both scored lower than Vatican City in each of the test's areas: digital habits, digital privacy awareness and digital risk.
Singapore was the only non-European country in the top ten, ranking seventh with 69 points. The next-highest Asian entrants were Malaysia and the UAE, both with 67 points. The US ranked 21st globally with 67 points, ahead of Canada in every test category.
New Zealand led the Oceania region with 68 points, ahead of Australia on 63, and outperformed the other nations in the region in every category. Brazil led Latin America with 67 points, two ahead of its closest competitors, Argentina and Colombia; Colombia beat Argentina on digital risks (84 to 80) and habits (49 to 47).
Moreover, the global average score turned out to be 65, with respondents performing their best when identifying and avoiding digital dangers, scoring an average of 82 points. The average score for knowing how to avoid malware was 69 points, while only 47 points were awarded for knowing how to properly secure data utilizing privacy tools and internet services.
Anonymous Sudan, a hacktivist group with suspected Russian links, has been targeting SAS Airlines for several months. Its latest campaign is a series of DDoS attacks that have caused significant disruption to SAS's website and mobile app. The group initially demanded a ransom of $3,500 and has since raised the demand to $3 million. Its stated motive is to call out the airline's poor customer service.
As a result of the ongoing cyber attacks, SAS customers have experienced difficulties accessing the airline's online services. Frustrated travelers have turned to social media platforms to express their dissatisfaction. Many have complained about the unavailability of the website and app, which has impacted their ability to check flight status, manage baggage claims, and obtain boarding passes. Customers are demanding answers from the airline, questioning the security of their personal information, and expressing their disappointment with the lack of transparency regarding the situation.
Despite the name "Anonymous Sudan," it is unclear whether the hacktivist group actually originates from Sudan or has any direct affiliation with the country. Speculation suggests possible connections to Russia. Surprisingly, Anonymous Sudan has not cited any political motivations for their attacks on SAS. Instead, they claim to be targeting the airline due to its inadequate customer service. The group has expressed a willingness to intensify their attacks until their demands are met, as evidenced by their significant increase in ransom amount.
SAS Airlines, one of Scandinavia's leading carriers, has suffered significant disruptions as a result of the ongoing cyber attacks. With its website and mobile app intermittently going offline, the airline has apologized for technical difficulties but has not provided specific details about the cause. Anonymous Sudan's relentless campaign has further exacerbated the situation, leading to frustrated customers and a growing negative sentiment surrounding SAS's ability to deliver satisfactory customer service.
Scandinavian Airlines' ongoing battle with Anonymous Sudan highlights the increasing threat of cyber-attacks faced by companies in the aviation industry. The hacker group's demand for a $3 million ransom serves as a reminder of the potential financial and reputational damage that cybercriminals can inflict. SAS Airlines must prioritize the security of its online infrastructure and customer data to mitigate future risks. Additionally, enhanced customer service measures are necessary to restore trust and ensure a seamless experience for travelers.
Passkeys have become a popular method for authentication, offering an alternative to traditional passwords. However, despite their advantages, there are several key issues that need to be addressed. This article explores the problems associated with passkeys and the need for further improvements in authentication methods.
Passkeys, often described as passwordless authentication, aim to provide a more convenient and more secure way to sign in. A passkey is a FIDO2/WebAuthn public-key credential: the private key is generated on and protected by the user's device (or a hardware security key) and unlocked with the device's biometric or PIN, while the site stores only the public key. Unlike a password, there is nothing to forget, guess or phish out of the user.
One of the main concerns with passkeys is their dependence on a particular platform's credential manager. A synced passkey lives in, for example, iCloud Keychain or Google Password Manager, so a passkey created on an Android device is not automatically available on an iPhone or a different operating system. Signing in from another device via QR code works but is less convenient, and users may end up registering separate passkeys for each ecosystem they use.
Passkeys are also not immune to compromise. The private key never leaves the authenticator and the signature is bound to the site's origin, which defeats phishing, but anyone who can unlock the device, or who takes over the platform account that syncs the passkey, can use it. A synced passkey is only as safe as that platform account, and an account protected by a weak password or recoverable through a lax process undermines the security the passkey was meant to provide.
Another challenge is the adoption and support of passkeys across various platforms and services. Although major tech companies like Google have introduced passkey support, it requires widespread adoption from service providers and developers to offer a seamless experience for users. If passkey support remains limited, users may still need to rely on traditional password-based authentication methods.
Addressing these issues needs further work on both the technology and its deployment. The authentication protocol itself, WebAuthn, is already standardized; what is missing is an agreed way to move passkeys between credential managers, which would require tech companies and service providers to cooperate on portability so that passkeys are not tied to one ecosystem.
Strengthening the security around passkeys matters as well. A passkey with user verification already combines possession of the device with a biometric or PIN, so it is two factors in one; relying parties can add device attestation at registration to accept only authenticators they trust, and risk-based signals such as behavioral analysis to catch use of a stolen or cloned credential.
Finally, users need to understand where the residual risk lies: in the device lock and in the account that syncs the passkey. They should be encouraged to keep passkeys on a hardware authenticator or in a reputable credential manager, and to protect the associated platform account at least as well as the accounts the passkey unlocks.
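Added example (Go; not code from the original article or from any vendor): it shows in working code why a passkey is bound to the site rather than to a device type, and what "compromise" does and does not mean. Sign plays the authenticator and Verify plays the site (the relying party), following the checks of the WebAuthn assertion ceremony: the browser records the origin it actually loaded in clientDataJSON, the site rejects any origin other than its own, a one-time challenge blocks replay, and a signature counter that fails to advance flags a cloned credential. The names rpID, rpOrigin, NewPasskey, Sign and Verify and the challenge strings are assumptions made for this example; the key pair is generated inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying party: the RP ID is its domain and rpOrigin is the only origin a browser may report for it.
const (
	rpID     = "example.com"
	rpOrigin = "https://example.com"
)

// clientData mirrors the WebAuthn CollectedClientData fields that matter for this check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back from navigator.credentials.get().
type Assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte
}

// NewPasskey generates the credential's P-256 key pair; the private half stays on the device.
func NewPasskey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// authenticatorData builds SHA-256(rpID) (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian).
func authenticatorData(rpid string, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpid))
	out := append(h[:], 0x05, 0, 0, 0, 0) // flags: user present (bit 0) | user verified (bit 2), then the counter
	binary.BigEndian.PutUint32(out[33:], signCount)
	return out
}

// signedMessage is the ES256 input: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign plays the authenticator. seenOrigin is whatever origin the browser records; a phishing page cannot fake it.
func Sign(priv *ecdsa.PrivateKey, seenOrigin, challenge string, signCount uint32) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: seenOrigin})
	if err != nil {
		return Assertion{}, err
	}
	ad := authenticatorData(rpID, signCount)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cd))
	return Assertion{AuthenticatorData: ad, ClientDataJSON: cd, Signature: sig}, err
}

// Verify runs the relying-party side of the assertion ceremony and returns the counter value to store.
func Verify(pub *ecdsa.PublicKey, a Assertion, expectedChallenge string, storedCount uint32) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return 0, errors.New("wrong ceremony or stale challenge: replayed assertion")
	}
	if cd.Origin != rpOrigin { // origin binding is what makes passkeys phishing-resistant
		return 0, fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, rpOrigin)
	}
	if len(a.AuthenticatorData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	if want := sha256.Sum256([]byte(rpID)); string(a.AuthenticatorData[:32]) != string(want[:]) {
		return 0, errors.New("rpIdHash mismatch")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if (count != 0 || storedCount != 0) && count <= storedCount {
		return 0, errors.New("signature counter did not increase: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return 0, errors.New("invalid signature")
	}
	return count, nil
}

func main() {
	priv, _ := NewPasskey()
	genuine, _ := Sign(priv, rpOrigin, "challenge-1", 1)
	_, err := Verify(&priv.PublicKey, genuine, "challenge-1", 0)
	fmt.Println("genuine site:", err)
	phished, _ := Sign(priv, "https://examp1e.com", "challenge-2", 2)
	_, err = Verify(&priv.PublicKey, phished, "challenge-2", 1)
	fmt.Println("phishing site:", err)
}
```

Run it with go run: the genuine assertion verifies, while the one produced for the look-alike examp1e.com is rejected even though it was signed with the real key, which is the property a password can never have. The example deliberately stops at the assertion ceremony; registration (attestation) and credential syncing are where the platform-account risk described above lives, and are not modelled here.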
According to the report, around 65% of the enterprises surveyed experienced a cyberattack in the previous 12 months, close to the 68% reported by organizations of all sizes. The most common incidents include phishing, ransomware and account compromise.
Larger firms are, however, more often hit by ransomware or other malware: 48% of enterprises reported such an incident on premises, compared with 37% of all organizations. In the cloud, malware attacks are less frequent, with only 21% of enterprise respondents reporting one in the previous year.
In regards to this, Dmitry Sotnikov, Vice-President of Product Management at Netwrix says “It is no surprise that the enterprise sector suffers malware attacks at a higher rate than smaller organizations. After all, ransomware operators want to maximize their profits, so they consider which organizations are most able to pay a ransom to reduce business downtime — and the larger an organization is, the costlier an operational disruption will be[…]On the other hand, larger organizations have more tools to spot the attack that might stay unnoticed for SMBs. In addition, enterprises have bigger infrastructure with more endpoints that statistically increases the chance of the security incident.”
Enterprises also reported higher costs from cyberattacks than their smaller peers: 28% said a cyberthreat had cost them $50,000 or more in lost revenue, against 16% of all organizations.
Dirk Schrader, Vice-President of Security Research at Netwrix says, "Smaller companies often underestimate their risk of attack, reasoning that cybercriminals tend to target enterprises because they store more intellectual property (IP) and other sensitive data. But our survey shows that organizations suffer cyberattacks with a similar frequency regardless of their size[…]Every organization has valuable data, such as customer and employee information, and is therefore a target for attackers. What's more, SMBs are not only a target on their own but as a way into the larger enterprises that consume their services."
According to reports, around 236.1 million ransomware attacks were detected globally in 2022 alone. Criminals combine malware, encryption and network intrusion to deny companies access to their own data, forcing them either to strengthen their security and backup procedures or to pay for the release of their systems and backups.
With the right backups and disaster-recovery procedures, systems hit by ransomware can be restored quickly and the attackers get nothing, since a target that can restore from backup has no reason to pay. Attackers know this, and now lock and encrypt production files while simultaneously deleting or destroying the backups.
The 3-2-1 backup rule has been around for many years and is regarded as the gold standard for keeping backups safe: three copies of the data, on two different types of storage media, with at least one copy offsite. Ideally the backup is also immutable, meaning it cannot be deleted, altered or encrypted for a specified retention period.
For the past 20 years or so, "two different media" typically meant one copy on hard disk and another on tape. Immutability was usually achieved physically, by storing the tape in a box offsite or by breaking the write-protect tab on the cartridge so it could not be overwritten, while the offsite copy was most often made by replicating backup files between two company data centers.
Cloud storage has become a popular place to keep backups in recent years, and most businesses have rethought the conventional 3-2-1 policy as a result, generally settling on a hybrid approach. Backups go first to a local storage appliance, which is faster than sending them directly to the cloud over limited WAN bandwidth, and restores work the same way: restoring from the local copy is always quicker. But if the attackers have deleted the local backup, the copy in the cloud is what remains.
Most cloud storage providers now offer immutable storage that cannot be changed or deleted for its retention period, and that immutability is what stops intruders from wiping your backups; check that the lock cannot be lifted by the same credentials that can delete data, or it adds little. The cloud is also always offsite, so it satisfies that part of the 3-2-1 rule: the cloud backup survives a fire, flood or other event that destroys the local copy. Many organizations therefore no longer see a need for two different kinds of media, or even for a third copy.
The most common practice today is to replicate the cloud copy to a second cloud site, preferably at least 500 kilometers away. Both cloud copies should be immutable.
Cloud storage providers typically offer far higher data durability than on-premises systems; Amazon, Google, Microsoft and Wasabi all advertise the gold standard of 11 nines (99.999999999%). That is an annual per-object loss probability of about 10^-11, so by straightforward arithmetic a customer storing one million objects would lose one object roughly every 100,000 years; the figure commonly quoted alongside this standard is one object every 659,000 years. Either way, this is why you rarely hear of a cloud storage provider losing customer data.
With two copies in two separate cloud data centers, the chance of losing data to equipment failure is negligible, and at that level of durability the old "two different media" requirement no longer buys anything.
The second cloud copy also markedly improves availability. A storage system may be rated at 11 nines of durability, but network problems occasionally take a whole data center offline, and a data center's availability is typically closer to four nines. If one cloud data center goes offline, the backups are still reachable at the second, provided the two copies are genuinely independent of each other.
During a ransomware attack one should expect the local copy to be lost and plan on restoring from the cloud. If the cloud copy is then unreachable for any reason, the company may as well shut down until it is, which makes two cloud copies a sound investment.
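Added example (Go; not from the original article and not tied to any provider): a small model of a backup set that checks the 3-2-1 rule stated above, works out which copies survive two different failures (an intruder holding the backup credentials deleting everything deletable, and the loss of one site), and combines the per-copy durability figures into the probability that every copy is lost within a year. The BackupCopy type, the function names and the three sample copies are constructed for this example; the durability values are the 11-nines figure discussed above and an assumed 99.99% for a local disk appliance.

```go
package main

import (
	"fmt"
	"time"
)

// BackupCopy is one copy of a backup set. The type and the sample data below are constructed for this example.
type BackupCopy struct {
	Name           string
	Media          string    // "disk", "tape" or "object-storage"
	Site           string    // where the copy physically lives
	ImmutableUntil time.Time // zero value: the copy can be deleted or overwritten at any time
	Durability     float64   // provider's annual per-object durability, e.g. 0.99999999999 for 11 nines
}

// ThreeTwoOne checks the rule as stated in the text: at least three copies,
// on at least two kinds of media, with at least one copy away from the primary site.
func ThreeTwoOne(copies []BackupCopy, primarySite string) (bool, []string) {
	media := map[string]bool{}
	offsite := 0
	for _, c := range copies {
		media[c.Media] = true
		if c.Site != primarySite {
			offsite++
		}
	}
	var gaps []string
	if len(copies) < 3 {
		gaps = append(gaps, fmt.Sprintf("only %d copies", len(copies)))
	}
	if len(media) < 2 {
		gaps = append(gaps, "all copies on one kind of media")
	}
	if offsite == 0 {
		gaps = append(gaps, "no offsite copy")
	}
	return len(gaps) == 0, gaps
}

// SurvivesRansomware returns the copies an intruder holding the backup system's credentials
// cannot delete at time now: only those whose immutability retention is still in force.
// A lock that has already expired protects nothing, which is the edge case to watch.
func SurvivesRansomware(copies []BackupCopy, now time.Time) []BackupCopy {
	var out []BackupCopy
	for _, c := range copies {
		if c.ImmutableUntil.After(now) {
			out = append(out, c)
		}
	}
	return out
}

// SurvivesSiteLoss returns the copies left after a fire, flood or outage takes one site down.
func SurvivesSiteLoss(copies []BackupCopy, lostSite string) []BackupCopy {
	var out []BackupCopy
	for _, c := range copies {
		if c.Site != lostSite {
			out = append(out, c)
		}
	}
	return out
}

// AnnualLossProbability is the chance that every copy is lost within a year,
// treating the copies as independent (reasonable only if they sit at different sites).
func AnnualLossProbability(copies []BackupCopy) float64 {
	p := 1.0
	for _, c := range copies {
		p *= 1 - c.Durability
	}
	return p
}

// names lists copy names, for readable output.
func names(copies []BackupCopy) []string {
	var out []string
	for _, c := range copies {
		out = append(out, c.Name)
	}
	return out
}

func main() {
	now := time.Date(2023, 6, 15, 0, 0, 0, 0, time.UTC)
	set := []BackupCopy{
		{"local-appliance", "disk", "hq", time.Time{}, 0.9999},                           // fast restores, but deletable
		{"cloud-a", "object-storage", "eu-west", now.AddDate(0, 0, 30), 0.99999999999},    // locked for another 30 days
		{"cloud-b", "object-storage", "eu-central", now.AddDate(0, 0, -1), 0.99999999999}, // lock expired yesterday
	}
	ok, gaps := ThreeTwoOne(set, "hq")
	fmt.Println("3-2-1 satisfied:", ok, gaps)
	fmt.Println("after ransomware with stolen credentials:", names(SurvivesRansomware(set, now)))
	fmt.Println("after loss of hq:", names(SurvivesSiteLoss(set, "hq")))
	fmt.Printf("P(both cloud copies lost in a year) = %.1e\n", AnnualLossProbability(set[1:]))
}
```

The sample set passes 3-2-1, yet only cloud-a survives the credential-theft scenario, because cloud-b's retention lock expired the day before: an immutable copy protects you only while the lock is in force, so retention periods need to outlast the time an intruder may sit in the network before detonating. Durability is multiplied only across the two cloud copies; the local appliance sits in the same building as production and is not independent of it.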