You see phishing attacks - that's spelled with a PH - where emails are constantly being used to try to trick people into clicking on things they shouldn't click on. But the sophistication of the new email attacks is quite different and very difficult, actually, to detect and to respond to.

Welcome to FOCUS, a podcast dedicated to the business of higher education. I'm your host, Heather Richmond, and we will be exploring the challenges and opportunities facing today's higher learning institutions. In today's episode, I caught up with Tom Arnold, co-founder of payment and security experts, to discuss new trends in security threats for universities, including business email compromise, which is a tricky new method of defrauding large transactions between institutions and vendors.

Thanks for joining us today, Tom.

Thank you very much for having me. I appreciate it.

Well, I know that you've been in the security and fraud detection business for some time now. Can you tell us a little bit about your experience, and really about educating on payment security and data protection?

Certainly. My experience goes way back in the industry, to the earliest days of internet e-commerce and fraud, where the rule of thumb was "on the internet, nobody knows you're a dog," is the bottom line. So in the early days we were seeing everything from auctions where, you know, the phony baseball was being sold, to all sorts of tricks; and those have evolved over the years into rather significant issues that relate to fraud, or relate to theft of information that is then sold elsewhere. So that's a little bit of my background.

Well, I know in particular that payment technology and security have really evolved pretty rapidly over the last decade. Can you tell us how this evolution has offered more secure payment methods on one hand, but also exposed some payment methods to fraud on the other?

Yeah, that's exactly correct.
Recently, over the past few years, we've seen the inclusion of chips on credit cards, specifically what are called EMV chips. And EMV chips have greatly reduced the fraud that was caused by bad guys stealing data and creating fake cards, if you would. But that has just caused a lot of the fraud to evolve towards electronic commerce. It's caused fraud to evolve into skimming and things like automatic teller machines, where they're stealing data and trying to steal the PINs as they're entered on the ATM devices. So the creativity of the bad guys can never be underestimated, is really the bottom line, as to what they're capable of doing and how they're capable of stealing by trick or device, which is what fraud is actually defined as: the theft of property from another by trick or device. And that's what the evolution caused. So is there an end to all fraud? No, definitely not.

Yeah, that's really interesting, and I know that data breaches in general continue to make headlines, and colleges and universities have really become a target for these bad guys. What are some of the latest security trends that you're seeing?

Well, we're seeing a variety of trends related to the electronic commerce side of things, especially related to institutions. And we're seeing some very, very troubling trends out of our forensics team specifically, that are evolving and are actually noted by the FBI and the Secret Service as being some of the most intense issues, if you would, or the most troubling issues that are occurring out there. So we see, basically, cases where third-party content is added to websites and calls are being made out to third-party content providers, which means the target for a compromise a lot of times is the third-party content provider, which then injects, you know, into a consumer's browser a script that's capable of capturing the card data as it's entered. That's just one type, and the more troubling trend right now we call business email compromise.
Because email systems, to a large extent - the security standards, let me explain - the security standards focus on PII, they focus on protection of credit card data, on payment data. So everyone's real concerned about that. And a lot of times the email servers themselves don't receive the same level of scrutiny and the same level of protection, which creates the potential for a bad actor to step in between something like a transaction from a university to a vendor who's supplying them, and an invoice to that vendor specifically, or to the university, ends up getting paid out to the bad guy instead of being paid to the actual vendor, as a good example. And the email server is the primary target for that sort of action.

That's really interesting. And I'd say, generally from a PCI scope perspective, email systems really aren't normally in scope, are they?

No, they're not, and they're left very much to just having a username and password. Somebody logging in via the web to collect their email, and that's it. And you see phishing attacks - and that's spelled with a PH - where emails are constantly being used to try to trick people into clicking on things that they shouldn't click on, but the sophistication of the new email attacks is quite different and very difficult, actually, to detect and to respond to when a loss actually occurs.

Yeah, I know we were talking before; it sounds like the bad guys are really getting in the middle and spoofing both sides, as both the vendor and the payer, for instance, right?

Yes, and as a matter of fact, they go to the extent of even registering domains on the network.
As people may know, when you're sending an email to my-school-dot-com, or whatever the university might be, or university-dot-edu, they register a domain that might be close and differ by only one character - a good example is it might have an underscore character instead of a space or a dot - they'll do things like that that make it very difficult, unless somebody's very, very diligent looking at it, to understand what's happening. So let me give you an example of a case that we recently worked, where the attackers gained access to the Office 365 email server, and they sat on the server just watching email for about six months as the institution was exchanging information from, say, the accounts payable department with a vendor for services rendered. Watching, at that point, they create basically a site and a mail server that mimics the vendor, and also a site and mail server that sort of mimics the institution. And then when they actually make the attack, they begin making messages and sending messages that look like they're coming from the vendor, saying, "here, you need to pay this invoice," and they may change, basically, the mechanism of payment, specifically saying the payment should be routed somewhere else. And meanwhile, while the vendor's sitting there going, "why haven't I been paid?" and sending messages saying, "hey, you know, you usually pay your invoices in 30 days or very quickly, why haven't you paid me?", the bad guys are actually answering on behalf of the person in the accounts payable department, saying, "yes, we've got it, we're a little behind, we've had a system failure," type situation.
Their objective - the bad actor's objective - is to try to get the payment sent to an account that's under their control, instead of the vendor being in control of it, and then spend basically five to seven days, because that's what it would take for a wire transfer to be reversed if the feds got involved within the first five to seven days of the loss. Once they've passed the five to seven days, they just disappear. And the losses can be staggering. The case that we worked on was a single transaction of approximately 97 thousand dollars in one throw, basically. And if you look at the cost to the bad guys to perform the act, they probably spent 1,500 bucks for domains and other things to put themselves in the middle, basically, of the email threads themselves. Plus, since they're monitoring all the internal emails at that point, they're watching to see if they've been detected. And if they've been detected, they'll back out, is classically what they'll do. So they're monitoring what's going on at the time that they're actually committing the criminal act, basically. And that's what makes these things so difficult to respond to and so difficult to find. Oftentimes the victim may be the university, or swing it around, where the university has an invoice that it's sent to someone else; they become the victim, losing the funds. And it's very hard to detect them in that five to seven days to try to reverse the transaction. So that's basically what's going on, and that was difficult to explain. It's fairly complex, but at the bottom line it's about securing the email server, training the staff, and learning, basically, how to begin to detect any of these sorts of anomalies. And specifically, if accounts payable receives a statement that says, "hey, you need to change to do this," what out-of-band method is going to be used to approve that that change is actually legitimate, is the third thing I would say.
Wow, so that does sound like a whole different level of complexity from what was originally called the phishing scheme, right? So, any tips on what to look for? It sounds like, again, Accounts Payable are told to do something different; any other tips on what to look for, to see if the bad guys are trying to get in?

Well, the major things - there's sort of two ways to look at this. There's a question of prevention, and then there's a question of detection. So let's look at those two topics separately. On the prevention side, you have people who are accessing their email via smartphones, via, you know, tablet devices, via laptop computers, logging in from a coffee shop, or logging in from home, or desktop machines logging in from inside the network. It's extremely important that the user who is logging in to the email server actually be authenticated, and one of the only ways to really do this is using a mechanism that in the industry we refer to as multi-factor authentication. It's a little bit of a pain in the butt for the users, but when you log in you then have to provide a code from your smartphone that says, here's the six-digit code that goes along with my login. That will go a long way to protect the mail environment itself, specifically. If someone's logging in from inside the local network of the university, and you know the machine is inside the local network of the university, you can make it a little easier, but still you should monitor it. The second thing is, if they're outside, or using a smartphone, or using any sort of device like that, it's really, really important that when these people log into their systems, they actually provide something that proves the fact that they are the person logging in. That's an important feature on the prevention side of things.
The other key thing on the prevention side: if instructions are received from someone that say, "hey, we've changed our bank account, we've altered something and we want you to do this," there needs to be an out-of-band check. And when I say out-of-band, I mean a telephone call, specifically, that says, call to validate it. You're never wrong to check. If you get something and you go, "you know, did you actually send me this?" I'm going to make a phone call off to the Accounts Payable department and say, "did you actually send me this?" Or the Accounts Payable department is making a phone call to the person with the invoice, saying, "is this true? Did you send me this?" The next thing is, if you're changing a payment method and you've been paying by check or ACH - Automated Clearing House is what that stands for, but think of it as an electronic check - and you suddenly get instructions that you're now supposed to do a wire instead, then have a second validation point where that has to pause and be revalidated by yet another person within the organization. We call this dual control, in the sense that one accounts payable person acting on their own doesn't just change the system right then and there to make the change because they think it's valid. Another set of eyes looks at that change and validates that change as being okay to actually do. And that's probably one of the most important sorts of defenses that's out there. On the detection side of things, if a payment goes out and you get, basically, some sort of query or some sort of follow-up - basically from the accounts payable department, and I hate to say this because there can be a large volume of these, but for any transaction, say, that's over $10,000 as a sort of ceiling limit - basically there's a follow-up that's saying, did you receive this, and this is coming to you.
Basically, you need to expect it, but that follow-up has to go absolutely to a trusted person, and possibly should be done out of band as well. If there's a detection that you've fallen victim to one of these, or you call the vendor and the vendor says, "we never sent you instructions to change that; we're just expecting to see the check as always," is the answer you get, it is extremely important that you reach out to law enforcement as fast as you can at that point. A lot of organizations, and a lot of universities, and a lot of organizations as a whole, don't want to admit they're a victim, and don't want to make the police report right away. It is extremely important that the FBI gets notified that you've fallen victim to something, especially if it involves a wire transfer, because the clock is ticking. You have five to seven days for them to act, basically, and to stop the transaction and potentially recover the funds. That's the important piece of that, versus just being a victim and now having to file insurance claims and all that sort of thing. So that's the other piece: prevention and detection have to work together.

Yeah, that's great, because you have that really short window that you have to work within. So you have to have that awareness always happening, for sure. And it sounds like also that many of the threats are happening to the actual network infrastructure. Can you expand on how the bad guys are getting in there?

Well, that was the infrastructure side, which is still becoming a challenge, and this goes back to the prevention side of things specifically. A lot of times they're going to mix sorts of techniques. I talked about techniques where elements of a website or a web interface are modified so that they'll communicate with the bad guys specifically, and there's potentially third-party content coming into play as well.
So in these situations, a lot of times the point of infiltration, where the bad guys will actually try to achieve access to the mail server, or they'll try to achieve access to something, involves a step that is very similar to the theft that we see right now on e-commerce sites, where a malicious script is added to a system and then passwords are taken. And then you'll see login attempts, and you'll potentially even see a classic example - we refer to it in the industry as the dot-forward, but it's a forward that is added to the account. So I steal your credentials using a router, using a technique that's been altered, basically, and by stealing your credentials, I then log in and tell your mail server, "oh, by the way, duplicate every message to this account and forward it to me in Russia," as a good example. Now I just get everything you get, and I'm monitoring the server - yes, I have access to it - but I'm not actually on there reading your email at the same time, because that's slightly dangerous and might be detected. This way all the mail's coming my direction, and I can now monitor and begin the attack, is what I can actually do as the bad guy. So in those situations, again, we fall back to the prevention of using multi-factor authentication, and definitely changing the passwords on a frequent basis, and having good, complex passwords. It's not just the words "my school one," "my school two," "my school three." It's not just something like - believe it or not - the word "password" or the words "secret code." We've seen all these as passwords. We've seen passwords on mail servers that are so old, they date back years since they were last changed. So unfortunately, changing the password becomes an important piece of this if you can't use multi-factor authentication, for certain areas, especially financial and accounting areas. Passwords should be changed every 30 to 45 days, which is much tighter than what you see within the PCI standard.
The other key detection point is looking at the logs and scanning the logs for the locations that are coming in to attach to the accounts. Frequently - we are all beings of habit - we go to the same coffee shops; we're at home, we have an IP address for home. It's when you see out-of-country or out-of-area IP addresses now accessing the email server for a given account that's definitely a red flag to watch for. And especially if you see simultaneous logins to the email servers themselves. Those are important to watch for as well.

So it sounds like our IT departments have a lot on their hands to be looking at, and making sure not only of having multi-factor authentication, but really having that awareness and checking to see if anything's off. Is that something they should do, obviously, probably on a daily basis, right?

Well, that's correct. I would hope that the IT departments of most institutions would use a security monitoring tool on the network that's monitoring the logs. And this is a matter of crafting some rules that say, this is sort of the location and geography that we would expect, you know, Mary in the Accounts Payable department to be logging in from. And now let's look at what IP addresses are coming in, what failed logins are occurring through the mail server itself. Now, this assumes that you're running the mail server. When it's a cloud server like Office 365 - and I'm just using that as an example; we could use Gmail, we could use any of the Google Docs systems as well - it's much more difficult for the IT department to watch those environments. So when it comes to utilizing the cloud environments, really using multi-factor authentication is the major item to do, because you frequently don't have access to those logs to be able to feed them to your security information system to figure out, hey, what's going on here. So there's, you know, different approaches for prevention depending on the environment that you're dealing with.
Yeah, so there's so much going on, and, you know, with so much time, I have to ask: how do you pay, or do you feel comfortable paying at all?

Absolutely, it's not a problem. As a consumer, you know, I could give some tips on the consumer side of things, but absolutely, a consumer absolutely should, you know, kind of know the site you're dealing with. Use the credit card, because there are laws that protect credit cards. And debit cards are a little more difficult, but there are still laws that protect those transactions as well, as well as your online ones specifically. Unsolicited things that sound too good to be true are too good to be true. So don't fall for that. You know, don't trust anything that basically comes unsolicited; and the next major item is to make certain that your computers, your smartphones, your tablets are all kept up to date. Patching is extremely important, and that is extremely important for the IT department on the server side and on the e-commerce server side as well, to maintain that patching regime. Patching not only the servers themselves and the operating system, but patching the applications as well, is another extremely important thing. And I think educating your family members and educating your children on safe browsing and shopping, and not loaning your payment card out, even to family members, to use when they're trying to do things, whether it's a PayPal account or otherwise. You know, when it comes to somebody using one of your accounts, like if your kid's going to do it, you finish the transaction for them, basically, is, you know, what I suggest out there. But absolutely, I feel comfortable using my card, working with it, because I know at the end of the day that if somebody breaks into the site that I was at, steals the card, and starts using it fraudulently, I have the absolute right as a consumer to challenge that, to charge it back, to dispute the transactions, to notify the card issuer that I need a new card, that my card's been taken.
And I can tell you that the banks - and the banks on the merchant side, that is - along with the credit card companies, do a lot of work to watch for bad transactions as they're taking place. So as a consumer, I feel very, very comfortable.

Absolutely. So along the lines of payments, are you a mobile wallet guy?

I am, as far as, you know, I trust and use my Apple Pay all the time. Basically, I use it overseas as well, and so when it comes to transactions like that, yes. I think, more importantly, on the e-commerce front, instead of using a mobile wallet I will utilize tools that track my passwords. I will have complex passwords that are unique to each site. I will track those passwords in a password vault as I log in to the accounts themselves as I use them. And I am very religious about changing my passwords as well. The devices and tools that I use to track my passwords also contain the credit cards and payment card information, and I will use those devices to fill in the forms, basically, as well. So yes, I am what you would call a mobile wallet user, specifically.

That's great. It sounds like really the responsibility of paying attention to potential fraud and protecting against it is really on both sides - the consumer side as well as our IT departments - and a lot of times I think we try to push that off to somebody else. So what else do our listeners need to know about new trends and security threats, and how to be prepared?

Well, obviously one of the largest things to do out there, if you're considering the standards: standards are created at a specific point in time, and they may age. So the current PCI Data Security Standard right now is about two and a half, three years old, but if you look at it, you know, as it was crafted, it's over three years old; it's probably three-and-a-half years old when they were calculating the threats at that period of time.
So just as a university, if you're running the e-commerce site or you're allowing students to pay their tuition online, you have to realize that things like the Payment Card Industry standard are fairly old. So one of the biggest things to understand is how to do threat research and understand what the current threats are, specifically, that are attacking institutions. One good example of that right now would be what's referred to as Magecart; and Magecart, if you think three-and-a-half years ago, was quite different than it is today. And so to keep abreast of what's going on, to adjust your detection and your protection or prevention mechanisms, you end up having to keep current with the threats and understand what types of issues might be confronting both your students and your student population, as well as your staff at the universities themselves, and how you need to react to those specifically to defend your system better. That's probably one of the major items out there: keeping current on what the current threats are to the environment that you're dealing with. Most institutions do not spend nearly enough time understanding what the current threats are and how they have to adjust to them. Larger institutions do this, but the smaller institutions can have serious challenges.

Thanks, Tom, so much for all your insights.

You're more than welcome, and just remember: on the internet, nobody knows you're a dog.

That's great. Well, it sounds like there will always be new data security threats that colleges and universities need to be aware of to help protect their campuses. Thanks for tuning in to this episode of FOCUS. Don't forget to subscribe, so you can stay up to date on the business of higher education. For more information, check us out at touchnet.com.
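The three detection points the guest describes in the interview (a lookalike vendor domain that differs from the real one by a character or separator, a forwarding rule added to a compromised mailbox that copies mail to an outside address, and logins for one account from an unexpected country or from two countries close together in time) are concrete enough to script. Below is an added example written for this page; it is not code from the podcast, from Tom Arnold or his firm, or from TouchNet. The known-domain list, the shape of the forwarding-rule and login records, and the country attributed to each IP address are all constructed assumptions made up so the checks can run offline; a real deployment would feed in the mail platform's own audit logs and a GeoIP lookup.

```python
"""Added example, not from the podcast: three business-email-compromise signals
from the interview, run over constructed sample data.
  1. sender domain that is a one- or two-character lookalike of a known domain
  2. mailbox forward/redirect rule whose target is outside the institution
  3. login from an unexpected country, or two logins for one account from
     different countries within a short window ("simultaneous logins")
Domains, records and IP-to-country values below are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed: the institution's own domain and the vendor domains it trusts.
INTERNAL_DOMAINS: Set[str] = {"my-school.edu"}
KNOWN_DOMAINS: Set[str] = {"my-school.edu", "acme-vendor.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_domain(sender: str, known: Set[str] = KNOWN_DOMAINS) -> Optional[str]:
    """Return the known domain a sender's domain impersonates, or None.
    Exact matches are legitimate; anything within edit distance 2 of a known
    domain (an '_' for '-', one extra or changed character, 'rn' for 'm') is
    reported as a lookalike."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return None
    for legit in known:
        if edit_distance(domain, legit) <= 2:
            return legit
    return None


def external_forwarding(rules: Iterable[Dict[str, str]],
                        internal: Set[str] = INTERNAL_DOMAINS) -> List[Dict[str, str]]:
    """Return forward/redirect rules that send a mailbox's mail outside the
    institution. Rule dicts with 'mailbox', 'action', 'target' keys are an
    assumed shape; real audit logs name these fields differently."""
    hits = []
    for rule in rules:
        if rule.get("action") not in ("forward", "redirect"):
            continue
        if rule["target"].rsplit("@", 1)[-1].lower() not in internal:
            hits.append(rule)
    return hits


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    country: str  # would come from a GeoIP lookup on ip; constructed here


def anomalous_logins(logins: Iterable[Login], expected: Dict[str, Set[str]],
                     window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str]]:
    """Flag (user, reason) for a login outside the user's expected countries and
    for two logins by one user from different countries within `window`.
    A user with no expected-country entry has every login flagged."""
    findings: List[Tuple[str, str]] = []
    seen: Dict[str, List[Login]] = {}
    for login in sorted(logins, key=lambda x: x.ts):
        if login.country not in expected.get(login.user, set()):
            findings.append((login.user, f"login from {login.country} ({login.ip})"))
        for earlier in seen.get(login.user, []):
            gap = login.ts - earlier.ts
            if earlier.country != login.country and gap <= window:
                findings.append((login.user, f"{earlier.country} then {login.country} "
                                             f"within {int(gap.total_seconds() // 60)} min"))
        seen.setdefault(login.user, []).append(login)
    return findings


# Constructed sample data (not real senders, rules or log records).
SAMPLE_SENDERS = ["ap@acme-vendor.com", "billing@acme_vendor.com",
                  "ap@rny-school.edu", "news@unrelated.org"]
SAMPLE_RULES = [
    {"mailbox": "mary@my-school.edu", "action": "forward", "target": "archive@my-school.edu"},
    {"mailbox": "mary@my-school.edu", "action": "forward", "target": "collector@mail.example.ru"},
    {"mailbox": "bob@my-school.edu", "action": "move", "target": "Invoices"},
]
T0 = datetime(2024, 3, 4, 8, 0)
SAMPLE_LOGINS = [
    Login("mary", T0, "203.0.113.10", "US"),
    Login("mary", T0 + timedelta(minutes=40), "198.51.100.7", "US"),
    Login("mary", T0 + timedelta(minutes=55), "192.0.2.44", "NG"),
    Login("bob", T0 + timedelta(hours=1), "203.0.113.11", "US"),
    Login("bob", T0 + timedelta(days=1), "192.0.2.9", "CA"),
]
EXPECTED_COUNTRIES = {"mary": {"US"}, "bob": {"US"}}

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(s, "->", lookalike_domain(s))
    print(external_forwarding(SAMPLE_RULES))
    for user, reason in anomalous_logins(SAMPLE_LOGINS, EXPECTED_COUNTRIES):
        print(user, reason)
```

Run as-is it prints the findings for the constructed data: the underscore and "rn" domains are reported against the real ones, the forward to the outside address is the only rule returned, and Mary's Nigerian login is flagged both on its own and as a second country within the hour. The per-user expected-country set is the "Mary usually logs in from here" rule the guest describes; for a hosted mail service the rule and login records have to come from whatever audit export the provider offers, and the output is a review queue rather than an automatic block, since a travelling staff member trips the same check.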