Data Breach: Two Words You Don't Want to Hear

LETTER FROM THE PRESIDENT

Data breach! Stomachs churn, blood pressures rise and knees quiver when organizations hear those two words.

On Dec. 18, 2014, Brian Krebs was the bearer of bad news when he broke the story that credit and debit card accounts stolen in a massive data breach at Target had been flooding underground black markets. The next day, Target confirmed to Krebs, the author of KrebsOnSecurity.com, that cybercriminals had stolen more than 40 million debit and credit cards from the retailer's stores throughout the U.S.

Management at Home Depot, Kmart, P.F. Chang's and many others also reached for the Pepto-Bismol when Krebs revealed that they were data breach victims, too.

Why do these huge breaches keep happening? Well, first of all, the largest ones make the splashiest news, no doubt. But any organization that's connected to the Internet is at risk. Cybercriminals can creep into companies via outside vendors (like the Target breach), email attachments, bogus websites or some adept social engineering.

"Stolen credentials and passwords, in particular, are some of the most intractable problems in cybersecurity today," Krebs, an award-winning investigative journalist, says in the cover article of the March/April issue of Fraud Magazine. "It's bad enough that many banks do not even offer their customers the ability to authenticate themselves with anything more than a user name and password which, when phished, lost or stolen, can be used to impersonate that person. However, the lack of two-factor authentication within organizations for employees with access to sensitive customer and employer data is a recipe for disaster."

Krebs says that most companies spend "ridiculous percentages" of their security budgets on hardware, software and services that alert them when suspicious activity occurs on their networks that might indicate breaches. "Unfortunately, these systems generate so much noise and false alarms that it becomes a challenge whittling down the alerts to a few that you really need to read and act on," Krebs says. "This is a constant struggle because organizations are producing lots more data each day, and more devices are being added that generate alerts."

Read Krebs' interview so you can help your organizations (plus family and friends) protect themselves against breaches and data theft. Better yet, come to the 26th Annual ACFE Global Fraud Conference, June 14-19 in Baltimore, Maryland, to hear Krebs, a keynote speaker, in person.

I'm looking forward to seeing all of you as we compare notes on the latest fraud-fighting techniques. See you in Baltimore!

Top Fraud Predictions for 2015: Technology will shape the fight

GUEST BLOGGER

Scott Patterson, CFE
ACFE Senior Media Relations Specialist

Technology will give fraudsters an edge in 2015, but it will also provide new tools for organizations and investigators. Three of our experts weighed in on digital currencies, information security and other issues that will help shape the effort to prevent and detect fraud in the new year:

  • Technology will increase the sophistication of fraud schemes. This is an existing trend that will accelerate in 2015, according to ACFE Regent Gerard Zack, CFE, Managing Director – Global Forensics for BDO Consulting. “More and more we are reacting to reports of fraud with, ‘how did they do that?’” Zack said. “It’s a reflection of schemes becoming more complex and capitalizing on technology, including some of the new technology deployed by companies in the interest of improving efficiency. While simple frauds still exist, we are seeing a distinct proliferation of more complex fraud schemes.”
  • But technology (like data analytics) will also help catch tomorrow’s frauds. Zack is quick to note that for fraudsters, technology is a double-edged sword – as it will also be leveraged by the professionals trying to catch them. “There will be more breakthroughs in the use of technology to detect fraud – particularly in the use of visual analytics and also in the use of tools to mine unstructured data.”
  • Improving information security will be a major priority. More massive data breaches, like the ones that have stricken Home Depot, Target Corp. and other large retailers over the past two years, are likely to occur in 2015, according to ACFE Vice President and Program Director Bruce Dorris, J.D., CFE. “These breaches have exposed widespread vulnerabilities among organizations that store and maintain personal information, putting millions of individuals at risk,” Dorris said. “Considering that storage of data continues to grow at an exponential pace, more trouble lies ahead – and there is an increasing need for information security and protecting against data breaches.”
  • Digital currencies will shake up fraud risks for retailers and consumers. An increased acceptance of bitcoin and other digital currencies among merchants will signal a shift in fraud risk, according to Jacob Parks, J.D., CFE, Associate General Counsel at the ACFE. “Vendors/sellers face reduced fraud risks from ‘friendly fraud,’ where customers fraudulently cancel credit card or bank payments after receiving an item,” Parks said. “Digital currency transactions are generally permanent, which makes this scheme untenable. However, consumers face an increased risk of fraud by dishonest sellers, since the transaction is often not insured or protected by an agreement with a financial institution. Additionally, consumers using digital currencies have a reduced identity theft risk because the transactional data stored by the seller cannot be used by malicious parties to charge the customer (this also means vendors have a reduced risk of data breaches involving these customers).”
  • With protections for whistleblowers increasing, more people will step forward to report fraud. Dorris said that a decade ago, few countries had whistleblower protections. However, increased awareness about the harm caused by major frauds at organizations has led to legislators looking to whistleblowers to prevent or mitigate such crimes. “France, South Africa, South Korea, Australia and other countries have all taken substantial reforms to protect whistleblowers, particularly those who identify crimes in the public sector,” Dorris said. “U.S. policy has moved beyond simply protecting whistleblowers; it now has several programs that financially incentivize whistleblowing regarding bribery, tax evasion and corporate accounting fraud. The programs are largely still in the beginning stages, but have already had major payouts.”

With a new year also come new threats. But, as many anti-fraud professionals know, just as the fraudsters think of new techniques to wreak havoc, the fraud fighters standing on the other side are armed and ready to prevent and detect it.

Want more? Visit ACFE.com to find two more fraud predictions for 2015.