Bank: Are you having dinner in London tonight?
You: No! I am in New York City having dinner!
Bank: Your credit card has been stolen.
The United States experiences 47% of credit card fraud in the world. The largest and fastest growing type of credit card fraud occurs on-line, and is also known as a “card-not-present” (CNP) transaction. Card-not-present transactions represent more than 85 percent of all transactions, and this percentage is growing as more and more commerce moves online. From our own experience, and that of the industry experts we’ve spoken with, there have been many changes in the payment card industry in the last two years, but a common theme across our conversations is a “shift of risk” to the merchants, card issuers, and banks.
When it comes to credit card fraud, more and more of the liability is being shouldered by the merchants and merchant banks. When a card is presented for a transaction, the merchant bank and card issuers are responsible for the fraudulent charges. However, when a card is not presented (such as in an online purchase), the merchant bears full responsibility, including the merchant’s loss of revenue, fines, and penalties from the banks for the cost of processing fraudulent transactions.
The Digital Black Market: Turning Sensitive Data into Money
To make money or obtain a new identity, more and more criminals turn to markets on the dark web. The Dark Web is a data and documentation resource for criminals, where they can acquire or sell credit cards, passports, drivers’ licenses, and social security cards (to name a few) in both digital and physical forms.
Regardless of the way that sensitive data was obtained (by malware, social engineering, backdoors, etc.), the goal of the information thief is the “cash out” from selling stolen data. Converting information to cash is not a simple process, but requires multiple steps, such as advertising the data, identifying a buyer, creating a secure escrow and dead drop to support the transfer, receiving bitcoin, and converting the bitcoin to the local currency or into physical goods.
There are many criminal teams involved in this process, and the process may involve many parts, or networks, on the Dark Web. The whole “cash out” process may take a while, so the sooner exfiltrated data can be identified, the easier it is to stop the thief from “cashing out” and for the merchant, bank or credit card issuer from experiencing losses.
Security experts consider credit card data to be the most commonly traded commodity in the Dark Web economy. LemonFish can find stolen credit card data, a type of Personal Credit Information, on the Dark Web using advanced data behavior analytics.
In a recent data breach case, LemonFish identified a specific source of credit card data leakage, and within a week of discovering the breach, helped to close the backdoor that was installed by a web developer. Specific details about the breach show how responsive LemonFish’s Dark Web Analytics are:
How did the Dark Web Analytics shut down a breach in less than seven days?
Using a fully automated form of Common Point of Compromise (CPC) analysis, multi-lingual chatter on Dark Web forums was analyzed to identify credit card numbers, posting dates, authors, forums, and the relational structure of this text. The relational structure of these posts was represented as a graph and temporal heat map. Using advanced graph analysis combined with temporal analysis, LemonFish identified a pattern where non-Dark Web entities were discussed in conjunction with statistically abnormal levels of credit card data. This automated analysis can also be applied to social security numbers, phone numbers, passport numbers, and any other type of Personally Identifiable Information (PII). In this specific case, the credit cards were found within two areas of the Web: (1) invitation-only Dark Web sites, and (2) open web data. LemonFish then created a Credit Card Threat Intelligence report that stopped the breach before more customer data was leaked.
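As an added illustration of the kind of analysis this paragraph describes (example code written for this page, not LemonFish's platform or any of its code): a small Python script that scans a constructed set of forum posts, keeps only Luhn-valid card-like numbers, links each number to the clearnet entities named in the same post, tallies a per-day heat map, and flags any entity whose distinct-card count stands out. The post texts, authors, forum names, the watchlist of hostnames (reserved .test domains) and the median-multiple outlier rule are all assumptions made for this example; the card numbers are the payment networks' published test PANs, not real accounts.

```python
import re
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample posts (not real forum data). Card numbers are publicly
# published payment-network test PANs; hostnames use the reserved .test TLD.
POSTS = [
    {"date": date(2016, 3, 1), "author": "seller01", "forum": "market-a",
     "text": "fresh dumps from mart-example.test: 4111111111111111 5555555555554444"},
    {"date": date(2016, 3, 1), "author": "seller01", "forum": "market-a",
     "text": "more mart-example.test 378282246310005 and 4111111111111111 again"},
    {"date": date(2016, 3, 2), "author": "buyer77", "forum": "market-b",
     "text": "mart-example.test bins 6011111111111117 4012888888881881"},
    {"date": date(2016, 3, 2), "author": "seller01", "forum": "market-a",
     "text": "one from books-example.test 5105105105105100"},
    {"date": date(2016, 3, 3), "author": "rnd", "forum": "market-b",
     "text": "books-example.test 4111111111111112 does not work"},
    {"date": date(2016, 3, 3), "author": "seller02", "forum": "market-c",
     "text": "travel-example.test 371449635398431"},
    {"date": date(2016, 3, 3), "author": "seller02", "forum": "market-c",
     "text": "games-example.test 3530111333300000"},
    {"date": date(2016, 3, 3), "author": "vendedor", "forum": "market-c",
     "text": "tarjetas de tienda-example.test: 4012888888881881"},
]

# Hypothetical watchlist of clearnet (non-Dark Web) entities to correlate.
WATCHLIST = ["mart-example.test", "books-example.test", "travel-example.test",
             "games-example.test", "tienda-example.test"]

PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_pans(text: str) -> set:
    """Return the set of Luhn-valid card-like numbers found in a post."""
    return {m for m in PAN_RE.findall(text) if luhn_ok(m)}


def build_graph(posts, watchlist):
    """Link every valid PAN to the watchlisted entities named in the same post.

    Returns (edges, entity_cards, heat):
      edges        - list of (author, forum, entity, pan, date) relations
      entity_cards - entity -> set of distinct PANs seen alongside it
      heat         - (entity, date) -> number of PAN mentions that day
    """
    edges, entity_cards, heat = [], defaultdict(set), defaultdict(int)
    for post in posts:
        pans = extract_pans(post["text"])
        if not pans:
            continue  # nothing card-like survived the Luhn filter
        lowered = post["text"].lower()
        for entity in watchlist:
            if entity in lowered:
                for pan in pans:
                    edges.append((post["author"], post["forum"], entity, pan, post["date"]))
                entity_cards[entity].update(pans)
                heat[(entity, post["date"])] += len(pans)
    return edges, dict(entity_cards), dict(heat)


def flag_abnormal(entity_cards, factor=3, min_cards=3):
    """Flag entities whose distinct-card count is far above the median.

    A median multiple is a simple robust outlier rule chosen for this example;
    it is an assumption, not a description of any vendor's statistics.
    """
    counts = {e: len(c) for e, c in entity_cards.items()}
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(e for e, n in counts.items()
                  if n >= min_cards and n > factor * baseline)


if __name__ == "__main__":
    edges, cards, heat = build_graph(POSTS, WATCHLIST)
    for entity in flag_abnormal(cards):
        days = sorted(d for (e, d) in heat if e == entity)
        print(f"ALERT {entity}: {len(cards[entity])} distinct cards, "
              f"active {days[0]} to {days[-1]}, {len(edges)} relations in graph")
```

In the constructed data only one watchlisted merchant appears with five distinct valid cards over two days while every other entity appears with one, so it is the only entity the outlier rule reports; the invalid number in the fifth post is dropped by the Luhn check and never reaches the graph.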
LemonFish Dark Web analytics is forging new territory with its data partners and its clients in discovering fraud, PCI, and data breaches using data behavior analytics. To learn more about LemonFish’s Dark Web Analytics read our solution paper at: www.Lemon.Fish
Q&A Interview: How Did You Get Hacked? Finding Better Protection by Fishing in the Dark Web - By Greg Wirth
Topics: Client Relations, Cybersecurity, Data Analytics, Efficiency, Law Firms, Legal Innovation, Q&A Interviews
As news of data breaches and hacker break-ins continues to make headlines, many companies and law firms may feel helpless as hackers grow more sophisticated and cybersecurity defenses, even the best of them, become outdated quickly. Indeed, many breach victims don’t even realize their data has been compromised until long after hackers have broken into their systems.
Legal Executive Institute recently spoke with Mary Beth Borgwing, Chief Strategy Officer of LemonFish, a data behavior analytics firm that works with companies, law firms and other entities both before and after a data breach or cyberattack.
Legal Executive Institute: When Lemonfish comes in after a data breach has happened, what can they learn and how does it help the company that’s been hacked?
Mary Beth Borgwing: Let me give you an example. In a case we recently worked on, a company had a PII [Personal Identifiable Information] breach, and they didn’t even know it until they were contacted by the FBI. The FBI came in and took the information and the server it was on, and held onto it for eight months. This company eventually got the data back, and they contacted us.
We took the 500,000 documents that were in there, indexed them, and found the PII data that had been exposed using our data detection platform. Once we found the exposed PII information, then the company could accurately report it and begin work on their insurance claims.
So, we are working with the client’s legal, insurance and management teams. We’re giving them a breach report that details what was breached, where it was found, and how the breach happened. We are going to take the data that’s been in that file, and we are going to build search queries on it with our analytic engine. Then we take it out to the Open Web and the Dark Web, and find what has been exposed. That all goes in the data breach report.
LEI: How do you search the Dark Web and find out what’s been exposed? I’m guessing there’s no equivalent of Google there.
Borgwing: Right. Almost 70% of the information out on the World Wide Web is not indexed. If you think about that much information missing from any search ability, then you see the Dark Web as basically a black market. But we are able to put a graph analysis together of that marketplace, so people can visualize what their exposure is, without compromising their data or security. We are able to see what the company looks like from a document capability perspective, how they speak and how they communicate within their company. Then if one of those documents is compromised, we can do similarity analysis and go out and do a search, and see if somebody is chatting about them, has stolen some of their documents, is selling them or thinking about selling them. We do this all through an analytic engine that we call External Data Detection, or Dark Web Analytics.
We also do a process called query salting, which is secure and safe, for us and the clients. It’s really the ability to make searches in both the Open and the Dark Web that masks the real intent of the search so that criminals or hackers don’t really know what you’re searching for. And we do seven or eight query salting exercises like that, which only make sense if seen in whole. Then we bring that information back, and we have a variable to create a relativity and frequency and relevancy about the match. We look for a 90% accuracy of the match, so that we know that your document has been taken and used or sold on the web.
LEI: How do you work with a firm that has not yet had a breach? Are there ways to keep the worst scenario from happening?
Borgwing: It’s really about knowing your data. Our mantra is: Know your data, know your risk, and reduce the impact. If you know what your risk tolerance is, and you know what is important to your company, then you can create protocols around that. And if you continuously monitor where your critical data is, you can reduce the impact of any hacker attack.
Nobody wants to air more dirty laundry than they have to. And this is something their attorneys should be telling them. If you don’t want your laundry aired, you should be looking at your exposure on an ongoing basis. The information that’s out there is not going to change. People are always going to be trying to expose your data. How can we stop the exposure?
There’s a realization in cybersecurity now that exposure isn’t going to stop, and that’s why we have to know what clients want to protect the most.
LEI: What do you think is the biggest problem that corporations and law firms have in terms of maintaining and continuously monitoring data security? Is it cost fears? Or an overwhelming sense of not understanding cybersecurity and how to address it?
Borgwing: Think about quantifying the cost of the security a company does have in place. How many more tools does the company need to buy? And what return on investment will it get by buying more tools? There are always going to be more and more security tools coming out. So what happens is the company puts together a data loss prevention system that will have a lot of gaps in it because it’s not an airtight system.
But now there’s a shift going on in the industry and people are realizing that this approach isn’t going to make it. They want to change and look at data analytics. They want to know: How can I take in more data and analyze what’s going on in my environment so I can better utilize the security that I currently have? This is where operational risk meets security.
I think security, as we think of it today, is going to go away. It’s going to become part of the enterprise. People have to be accountable at the board level on down, and to do that you have to bring security completely into the operational risk management platform.
The 2016 Insurance Perspective on Cyber
Part 1: State of the Cyber Union
Thousands of handshakes and smiles later, I am back at my workstation digesting the wealth of information shared with me at the 2016 RIMS Conference in San Diego. This event was a thought-provoking conference focusing on the various facets of global risk. Everywhere I looked, the one area in risk that is rapidly gaining traction is Cyber.
With the increase in dependency on technology comes a wide-ranging set of risks to businesses. Revenues are not the only targets for cyber criminals; threatening business reputations and disrupting services are just as enticing a way to attack a valuable business asset. Conference attendees heard that gross premiums are averaging $2.5 billion but are expected to grow to $7.5 billion by 2020. Additionally, it was estimated that a single data breach costs, on average, $3.79 million. If nothing else, it was made clear that the Cyber market is still very immature, resulting in inconsistent governance and policies. The insurance market is missing proper risk assessments and competent actuarial data to truly put a value on a client’s cyber hygiene.
With data breaches on the rise across every industry, there is a real need for sophisticated tools to help with prevention, protection and response. Brokers, carriers, and risk managers all need ways to identify and place value on potential risk pain points. Furthermore, they need to know not only if their clients have enough coverage to protect their crown jewels, but what aspects of their insurance policies provide the necessary protection should a breach occur.
In the coming weeks I will be speaking to thought leaders in the global risk and insurance industry to (hopefully) get answers to some tough questions. Given the intricacy and evolution of breaches today, we will talk about what specialized knowledge is essential before a policy can be created. We will also talk about where additional resources are needed to provide adequate cyber coverage, what areas are most at risk, and how cyber is changing the roles of carriers, brokers and insureds alike.
Jennifer Travis, Business Development Manager
The goal of cyber security is to allow for an open, secure, and reliable Internet that allows for free commerce. Traditionally, the United States has seen itself as the defender against anything that would hurt or harm the value of the internet, and the U.S. has taken different approaches to fulfill this role. During the Bush administration, the U.S. used intelligence information to combat cyber threats. In the beginning of the Obama administration, this shifted to a militarized approach whereby the Cold War doctrine of deterrence was used. But as we’ve seen, both approaches have shortcomings. The Edward Snowden leaks highlighted the vulnerabilities of the intelligence approach, and the military approach can’t deter cyber criminals. Today, U.S. Cyber Policy has not been clearly defined by the Obama administration, leading to unclear national policy messages. Where does that leave the state of the internet when it comes to cyber security?
What has developed is a private-sector approach, where companies are responsible for their own protection, and the government supports these efforts and corrects market failures, but assumes no responsibility for security. The Department of Defense cyber strategy issued in 2015 suggests that the United States faces persistent data breaches, including threats of attack designed specifically to steal U.S. intellectual property. However, it is now the responsibility of each company (private or public) to secure its own networks, and to develop strategies to conduct forensic analyses that determine how breaches happened, how to recover from them, and what needs to be done to protect itself moving forward. The Obama administration’s position is clear: the U.S. government will only enforce laws after an attack, not take over the Internet’s security. In short, anytime you interact on the internet you are solely responsible for protecting your network, and for dealing with the consequences of a breach.
A CISO’s nightmare: Your engineering manager comes to you with a source code listing one of his engineers found on Git. It’s identical to your company’s proprietary SCADA code your clients rely on to ensure infrastructure availability, but missing the copyright statements you use as company policy.
Later in the day, a technical sales lead shows you a company presentation marked ‘Proprietary & Confidential’ that he found posted on a popular file-sharing site. Finally, the HR manager is very concerned because employees have been increasingly reporting that they are receiving suspicious emails at their company address containing details that should be private. Your data is leaking, and you are only finding out about it when it’s arrived at the open Internet. Where did this stuff come from? Who is responsible for the leaks? Where has the data traveled since its departure? LemonFish Technologies has unique capabilities and expertise to answer these questions – and more often than not, they point to the mesh of anonymized networks and protocols known as the “Dark Web.”
What is the “Dark Web” actually?
As with any controversial, frequently changing and non-standardized community, it is impossible to pin a persistently accurate definition on an entity like the Dark Web. Some sufficient conditions seem to be:
These characteristics of the Dark Web make it an ideal place to initiate a data breach’s public lifecycle. There are two broad, non-mutually-exclusive motives behind most breaches: monetary gain and notoriety. Both of these require the quality of “not getting caught,” which the Dark Web enables by its very nature.
Despite these bad actors, there are many uses of the Dark Web that have no nefarious component to them – it is an important community resource for marginalized populations such as dissidents of repressive governments. It is also a valuable platform for whistle-blowers to bring illegal activities to light with less fear of reprisals. Unlike many “all-or-nothing” cyber security providers, LemonFish appreciates this distinction and incorporates ethical behavior within the Dark ecosystem into our analysis.
Data Breach on the Dark Web
So how do data thieves use these Dark technologies, and how can this knowledge be employed to reduce the time to discovery of breaches? From detecting and observing examples of data breaches across diverse industries, LemonFish has come to some conclusions:
How Would I Get to the Dark Web?
The largest Dark network in the world is based on The Onion Router (Tor) technology. This network relies on passing communications across multiple ‘hops’ between requestors, relays and providers, just like the Internet. The key difference is that each hop in the communication is cryptographically protected from all of the other hops: the path is negotiated and encrypted in layers, so that the software at each relay can decrypt and understand only enough of the message to pass it to the next point. The primary user-facing client on this network is the Tor Browser, a variant of Firefox that knows how to use this protocol and also ships with much stricter default privacy settings than vanilla Firefox.
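To make the layering concrete, here is a small Python model of onion routing, written as an added example for this page; it is not Tor's code and deliberately substitutes a toy SHA-256 keystream XOR for Tor's real AES-CTR encryption, circuit handshake and integrity checks. The relay names, keys, destination and payload are constructed for the demonstration, and the keys are assumed to have been negotiated with each relay beforehand. The point it shows is the one the paragraph makes: each relay peels exactly one layer, learns only the next hop, and never sees the payload or the full path.

```python
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; stands in for AES-CTR here.

    It has no authentication and each key is used for one message only, so it
    is suitable for this demonstration and nothing else.
    """
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) one layer with a relay's key."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def frame(next_hop: str, body: bytes) -> bytes:
    """Length-prefixed header naming the next hop, followed by the inner body."""
    hop = next_hop.encode()
    return len(hop).to_bytes(1, "big") + hop + body


def unframe(data: bytes):
    n = data[0]
    return data[1:1 + n].decode(), data[1 + n:]


def build_onion(route, destination: str, payload: bytes) -> bytes:
    """Wrap the payload in one encryption layer per relay, innermost first.

    route: list of (relay_name, relay_key) from entry to exit. Each layer holds
    only the name of the next hop plus the still-encrypted remainder.
    """
    blob, hop = payload, destination
    for name, key in reversed(route):
        blob = xor_crypt(key, frame(hop, blob))
        hop = name
    return blob  # this is what the client hands to the entry relay


def peel(key: bytes, blob: bytes):
    """A relay removes exactly one layer and learns only where to forward."""
    return unframe(xor_crypt(key, blob))


def traverse(route, onion: bytes):
    """Simulate the relays in order; returns the forwarding trail and payload."""
    trail, blob = [], onion
    for name, key in route:
        next_hop, blob = peel(key, blob)
        trail.append((name, next_hop))
    return trail, blob


# Constructed circuit: three relays with pre-negotiated (here hard-coded) keys.
ROUTE = [("entry", b"entry-key-0001"), ("middle", b"middle-key-0002"),
         ("exit", b"exit-key-0003")]
DESTINATION = "service.example"
PAYLOAD = b"GET /report HTTP/1.1"


def demo():
    onion = build_onion(ROUTE, DESTINATION, PAYLOAD)
    trail, delivered = traverse(ROUTE, onion)
    # What the entry relay holds after peeling its own layer: still ciphertext
    # under the middle and exit keys, so the payload is not visible to it.
    _, seen_by_entry = peel(ROUTE[0][1], onion)
    return trail, delivered, seen_by_entry


if __name__ == "__main__":
    trail, delivered, seen_by_entry = demo()
    for relay, next_hop in trail:
        print(f"{relay:6} -> {next_hop}")
    print("exit delivers:", delivered)
    print("entry relay could read payload:", PAYLOAD in seen_by_entry)
```

Run stand-alone, the script prints the forwarding trail entry to middle to exit to the destination, the payload as delivered by the exit relay, and confirms that the entry relay, holding only the inner blob, cannot read it. The same property is what makes Dark Web chatter hard to attribute to a network source: any single relay sees one neighbour on each side and nothing more.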
Understanding the Dark Web’s role in the lifecycle of a data breach is key to taking the correct steps in early detection of a breach. This in turn allows the affected parties to coordinate appropriate security, legal and public relations responses well before the all-too-usual “caught unawares” situation. LemonFish Technologies is uniquely positioned to address Dark Web data breach detection with a combination of advanced technologies, analytic practices and domain knowledge. Talk to us about helping you build a better defense against data breach and creating a ready response to when it happens to you.