Search This Blog

Showing posts with label Data Safety. Show all posts

Dark Data: A Crucial Concern for Security Experts

 

BigID recently released a research paper that examines the current problems that businesses face in safeguarding their most critical information. A number of important findings emerged from the research:
  • Dark data is extremely concerning to 84 per cent of businesses. This is data that businesses aren't aware of, but which accounts for more than half of all data in existence and can be extremely sensitive or vital. 
  • Unstructured data is the most difficult to manage and safeguard for eight out of ten businesses. Unstructured data generally comprises a variety of sensitive information and is challenging to scan and identify due to its inherent complexity. 
  • More than 90% of businesses have trouble implementing security standards involving sensitive or important data. Data policy reach and enforcement are crucial for proper data asset management, remediation, and security. 
Data is an organization's most valuable asset, relying on it every day to make critical strategic and operational choices. Unfortunately, most of this data is highly sensitive or critical, and it can be exposed accidentally or maliciously in some instances. 

Dimitri Sirota, CEO of BigID stated, “Data is the fuel that drives a company forward. However, a lot of this data is personal and as it accumulates, so does cyber risk. You owe it to your customers, partners, and employees to keep this data safe, let alone to keep your business running. This report reinforces the fact that most continue to struggle to confidently protect their most valuable data.” 

Sensitive or essential data is being spread throughout the environment at unprecedented rates, thanks to the rapid rise of public, private, hybrid, and multi-cloud models. As the scope of this type of data grows, so does the risk to the organisation. 

The research looks into the most significant security issues, the core causes of these problems, and practical ways to improve data security so that teams can protect their most valuable data assets.

Payment Fraud Attack Rate Across Fintech Increased by 70% in 2021

 

The index based on a global network of over 34,000 sites and apps and a poll of over 1,000 consumers, reveals that payment fraud attacks across fintech increased by 70% in 2021, the greatest increase of any category in the network. 

Payment fraud has increased in tandem with a whopping 121 percent year-over-year increase in fintech transaction volumes on Sift's network, making this industry a tempting target for cybercriminals. These escalating attacks, as per this data, were mostly focused on alternative payments such as digital wallets, which witnessed a 200 percent increase in payment fraud, as well as payments service providers (+169 percent) and cryptocurrency exchanges (+140 percent). 

These approaches were targeted towards buy now/pay later (BNPL) providers, which showed a 54 percent increase in fraud attack rates year over year. Sift's Trust and Safety Architects discovered a rising number of fraud schemes on Telegram in late 2021, providing unlimited access to BNPL accounts via fake credit card numbers and compromised email addresses, demonstrating the wide range of methods fraudsters use to target the whole fintech sector.

Along with a 23 percent increase in blocked payment fraud assaults in 2021, Sift noticed a network-wide rise in daily transaction volumes across all industries. Similarly, 49 percent of poll respondents indicated they've been a victim of payment abuse in the last one to three years, with 41 percent of those who have been victims in the last year alone. Financial service websites were regarded as the sites that pose the most risk by 33% of the victims, which could have a detrimental impact on the customer’s trust. 

Jane Lee, Trust and Safety Architect at Sift. stated, “Many brands fail to realize that the damage of payment fraud goes beyond the initial financial impact. The vast majority of consumers report abandoning brands after they experience fraud on a business’s website or app, diminishing customer lifetime value and driving up acquisition costs. Further, potential customers who see unauthorized charges from a particular company on their bank statements will forever associate that brand with fraud. In order to combat these attacks and grow revenue, businesses should look to adopt a Digital Trust & Safety strategy—one that focuses on preventing fraud while streamlining the experience for their customers.”

Facebook has Exposed a 'God Mode' Token that Might be Used to Harvest Data

 

Brave stated that it is prohibiting the installation of the popular Chrome extension L.O.C. because it exposes users' Facebook data to potential theft. "If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user's Facebook data," explained Francois Marier, a security engineer at Brave, in a post. "The API used by the extension does not cause Facebook to show a permission prompt to the user before the application's access token is issued." 

Loc Mai, the extension's developer, stated in an email that the Graph API on Facebook requires a user's access token to function. The extension sends a GET request to Creator Studio for Facebook to receive the token, which allows users of the extension to automate the processing of their own Facebook data, such as downloading messages. The request returns an access token to the extension for the logged-in Facebook user, allowing additional programmatic interactions with Facebook data. 

Zach Edwards, a security researcher, said, "Facebook faced nearly an identical scandal in 2018 when 50 million Facebook accounts were scrapped due to a token exposure." Nonetheless, Facebook appears to regard this data dispensing token as a feature rather than a bug. 

According to Mai, his extension does not harvest information, as stated in the extension's privacy policy. Currently, the extension has over 700,000 users. "The extension does not collect the user's data unless the user becomes a Premium user, and the only thing it collects is UID – which is unique to each person," explained Mai. 

As per Mai, the extension saves the token locally under localStorage.touch. This is a security concern but is not evidence of wrongdoing. L.O.C. is still available on the Chrome Web Store. A malicious developer, on the other hand, might harvest Facebook data using the same access technique, because Facebook is releasing a plain-text token that grants "god mode," as Edwards describes it. 

According to Edwards, Facebook's Terms of Service fall short in this regard because, while the company requires individuals to utilize its app platform, it does not prohibit people from utilizing browser extensions. 

This loophole, which exposes user data, is exacerbated by the way Chrome extensions now work. According to Edwards, Chrome extensions can seek authorization on one domain you control and another you don't, and then open a browser tab upon installation to scrape API tokens and session IDs for various types of apps.

Swiss Army Bans WhatsApp at Work

 

A spokesman for the Swiss army announced Thursday that the use of WhatsApp while on duty has been prohibited, in favour of a Swiss messaging service regarded more safe in terms of data security. 

Using other messaging applications like Signal and Telegram on soldiers' personal phones during service activities is likewise barred. 

Commanders and chiefs of staff got an email from headquarters at the end of December advising that their troops switch to the Swiss-based Threema. According to army spokesman Daniel Reist, the recommendation applies "to everyone," including conscripts serving in the military and those returning for refresher courses. 

Switzerland is known for its neutrality. However, the landlocked European country's long-standing position is one of armed neutrality and has mandatory conscription for men.

During operations to assist hospitals and the vaccination campaign in Switzerland's efforts to prevent the Covid-19 pandemic, the concern of using messaging apps on duty came up, as per Reist. The Swiss army will bear the cost of downloading Threema, which is already used by other Swiss public agencies, for four Swiss francs ($4.35, 3.85 euros). 

Other messaging services, such as WhatsApp, are governed by the US Cloud Act, which permits US authorities to access data held by US operators, even if it is stored on servers located outside of the nation. Threema, which claims to have ten million users, describes itself as an instant messenger that collects as little data as possible. It is not supported by advertisements. 

The company states on its website, "All communication is end-to-end encrypted, and the app is open source." 

According to an army spokesman mentioned in a Tamedia daily report, data security is one of the reasons for the policy change. As per local surveys, WhatsApp is the most popular messenger app among 16- to 64-year-olds in Switzerland.