Monthly Archives: October 2015

Cisco Beefs Up Security with $453M Lancope Acquisition

Looking to give its systems a security boost, Cisco said it’s acquiring network behavior analytics and security intelligence company Lancope Inc. for $452.5 million. The deal is part of Cisco’s “Security Everywhere” strategy to develop a more tightly integrated network security infrastructure that extends through every device on a network.

“As enterprises digitize, security challenges rapidly evolve. Real time visibility and understanding of the behavior of every machine or device on the network becomes critical in adapting the ability of enterprises to identify and respond to the next wave of cyber threats,” said Rob Salvagno, vice president, Cisco Corporate Development, in a statement. “Our combined solutions can help turn a customer’s entire network into a security sensor.”

More Connections, More Problems

Cisco said that the acquisition of the privately held, Alpharetta, Georgia-based company will augment its ability to provide advanced threat protection before, during and after an attack by offering additional network behavior analytics. Lancope’s StealthWatch system identifies suspicious traffic patterns inside the network to detect a wide range of attacks, allowing enterprises to respond to security threats more quickly.

Cisco cited the rapid growth in the number of connected devices as a reason for the acquisition. “The more things become connected, the more opportunities exist for malicious actors as well,” Scott Harrell, vice president of product management for Cisco’s Security Business Group, said in a blog post. “We are now dealing with a new world where more and more devices are creating a broader and more diverse attack surface that can be exploited.”

As more devices are connected to the Internet, cybercriminals have access to a wider variety of attack vectors when targeting a network. According to Salvagno, the deal complements Cisco’s other recent acquisitions of security companies such as OpenDNS, Portcullis, and Neohapsis and will be added to its portfolio of security solutions.

Embedded Security Everywhere

The company is making its push for better network security at an opportune time. According to its 2015 Annual Security Report, there has been a 66 percent compound annual growth rate in detected security incidents since 2009, with the malware behind the attacks becoming increasingly sophisticated and elusive.

Cisco’s strategy is to embed security technology into intelligent network infrastructure and across the extended network from the service provider to the enterprise network infrastructure, data center, IoT, cloud and endpoint, according to Harrell. “This is essential to protect today’s wide array of attack vectors while positioning security to act as a growth engine to enable companies to seize new business opportunities,” he said.

That involves essentially turning entire networks into security sensors. Lancope’s network traffic monitoring technology will help Cisco’s clients keep an eye on their networks on a near-constant basis, the company said. The deal is expected to close in the second quarter of 2016, at which time the Lancope team will join the Cisco Security Business Group.

Via: enterprise-security-today

New Copyright Exemptions Mean You Can Hack Your Own Car And Jailbreak Your Tablets

U.S. regulators today announced new exemptions to a provision of the Digital Millennium Copyright Act (DMCA) that will make it possible for nerds to tinker with cars and gadgets without breaking copyright laws.

The ruling reined in the controversial 1201 provision of the DMCA, which prohibits the circumvention of Digital Rights Management technologies — no matter what your intention for circumventing the barrier is. This particular provision made it illegal to share your HBO GO password or unlock your smartphone from its carrier.

The exemptions will take effect next year.

Last year, Congress passed legislation making it legal to unlock your phone from your service provider. Today’s ruling is the first time that same right has been extended to tablets and other third-party portable devices. It also made it legal to rip content from DVDs and Blu-rays for the purpose of fair use remixes and to preserve video games after publishers have abandoned them. The Library of Congress also made it legal for you to circumvent access restrictions in cars in order to make repairs and do security research.

The Electronic Frontier Foundation called the move a big victory for fair use.

“We hope each of these exemptions enable more exciting fair uses that educate, entertain, improve the underlying technology, and keep us safer,” the EFF wrote in a blog post. “A better long-term solution, though, is to eliminate the need for this onerous rulemaking process.”

Though many in the digital community applaud the exemptions, they’re using today’s announcement to spotlight efforts to reform copyright laws that they believe are either outdated or have been fundamentally flawed since they were passed more than a decade ago. These exemptions also are not permanent and must be renewed every three years.

One bill the EFF supports in this arena is the Unlocking Technology Act, which would limit companies from using the DMCA to go after individuals circumventing Digital Rights Management to repair their devices or use copyrighted material for fair use. Instead companies would only be allowed to prosecute those who circumvent DRM to infringe on copyrighted material.

Via: techcrunch

12 New Malware Types Discovered Every 60 Seconds

How rapidly is malware spreading? Researchers at German security firm G Data said that the first half of this year saw 12 new malware families a minute. Yes, that’s every 60 seconds.

That means 3,045,722 new strains of malware were identified in the first half of 2015, slightly lower than the second half of 2014 but 64.8 percent higher than the first six months of last year, according to the researchers.

“We expect that the number of new malware strains will be well above the level of 2014,” G Data said in its report. “The total of all malware strains since 2006 is now 22,393,098.”

Over 43 percent of all “evil” Web sites are located on servers in the U.S., about the same level as in the previous six months, according to the report. But China has become more attractive as a host country and is now in second place, with 9.5 percent, while France (8.2 percent) has dropped to third place.

Banking Trojans Rising

More health care Web sites (26.6 percent) contained malware than any other in the first half of 2015. Meanwhile, the “personal advertising and dating” category is new to G Data’s top 10. Malicious Web sites in this category offer to install paid premium services or launch expensive phone calls.

The number of attacks carried out by banking Trojans is expected to rise in 2015 for the first time since 2012, according to the report. Repelled attacks by the Swatbanker family reached an all-time high in March 2015 in the wake of successful e-mail campaigns. Its main targets were bank customers from Germany, Austria, and Poland.

“Previously, waves of attacks by e-mail had not been unusual for this Trojan, but this wave was so successful that in March 2015 the highest number of repelled banking Trojan attacks since records began was measured,” G Data said. “Also unusual was the fact that the wave did not stop within a few weeks as usual, but carried on until mid-June. Also, shortly before the wave of attacks ended, there was another unusual occurrence: the attackers apparently were targeting computers in the German Parliament’s intranet.”

What’s More Concerning?

We caught up with Tim Erlin, director of IT security and risk strategy at advanced threat protection firm Tripwire, to get his take on the report. He told us the increase in banking Trojans is more concerning than the specific number of malware strains discovered.

“There’s a big difference between an unwanted, but harmless, application and one designed to steal money from your bank account,” Erlin said. “The increase in malware is an indicator of the growing cybercrime industry.”

As the potential for profit increases, there’s a corresponding investment in tools, which is often malware — and malware use increases because it’s successful, Erlin noted.

“Relying only on antivirus or a network-based tool to detect malware simply isn’t enough,” Erlin said. “Organizations have to take a more complete and more sophisticated approach to protecting their endpoints.”

Via: enterprise-security-today

Facebook Begins Rolling Out Revamped Notifications Tab On Mobile

So Facebook did something new with notifications. That little tab plagued by a tireless numeric red badge that led to an endless feed of social happenings is getting a much-needed upgrade that really heightens its utility.

The notifications tab is now more of a you-centric newsfeed than ever, sucking in some of the best widgets from the Facebook sidebar on desktop and giving notifications on mobile a much more structured appearance. In look and feel Facebook’s notifications tab now feels a lot more like a Google Now competitor.

The groupings of notifications, similarly called cards, give the feed some much-needed content and UI/UX upgrades. You can enable cards for items like Events or Birthdays, as well as new widgets like sports scores or tonight’s TV programming.

If you have Location History enabled in the app, you’ll be able to get the most out of the tab and add a lot of interesting cards that are hyper-localized.

The blog post detailed a few of the location-aware cards that will be available to users:

  • Things happening around your community, like local events and news that is popular in the city you live in
  • Weather updates, like current conditions and severe weather alerts
  • Movies playing in theaters near you
  • A list of nearby places to eat, with links to the places’ Facebook Pages and reviews

Also notable is that Facebook’s Trending news topics now has a much better place to live on mobile. Rather than being hidden in Search, trending news stories now have their own card in notifications.

Thankfully, users won’t be receiving any more “red badge” notifications than usual within the app unless they specify to do so. Each card will include its own notifications settings.

A customizable notifications feed is an interesting step for Facebook. Previously customization in the FB app, whether in regards to notifications or privacy, has focused more on checkboxes of what is and what is not included. Here Facebook is actually allowing users to arrange cards in a hierarchical way based on their preferences.

These changes will be gradually rolling out to iOS and Android users.

Via: techcrunch

Why IoT Security Is So Critical

Twenty years ago, if you told me my phone could be used to steal the password to my email account or to take a copy of my fingerprint data, I would’ve laughed at you and said you watch too much James Bond. But today, if you tell me that hackers with malicious intents can use my toaster to break into my Facebook account, I will panic and quickly pull the plug from the evil appliance.

Welcome to the era of the Internet of Things (IoT), where digitally connected devices are encroaching on every aspect of our lives, including our homes, offices, cars and even our bodies. With the advent of IPv6 and the wide deployment of Wi-Fi networks, IoT is growing at a dangerously fast pace, and researchers estimate that by 2020, the number of active wireless connected devices will exceed 40 billion.

The upside is that we are able to do things we never before imagined. But as with every good thing, there’s a downside to IoT: It is becoming an increasingly attractive target for cybercriminals. More connected devices mean more attack vectors and more possibilities for hackers to target us; unless we move fast to address this rising security concern, we’ll soon be facing an inevitable disaster.

IoT Vulnerabilities Open Up New Possibilities To Hackers

Some of the more frightening vulnerabilities found on IoT devices have brought IoT security further up the stack of issues that need to be addressed quickly.

Earlier this month, researchers found critical vulnerabilities in a wide range of IoT baby monitors, which could be leveraged by hackers to carry out a number of nefarious activities, including monitoring live feeds, changing camera settings and authorizing other users to remotely view and control the monitor.

In another development, it was proven that Internet-connected cars can be compromised, as well, and hackers can carry out any number of malicious activities, including taking control of the entertainment system, unlocking the doors or even shutting down the car in motion.

Wearables also can become a source of threat to your privacy, as hackers can use the motion sensors embedded in smartwatches to steal information you’re typing, or they can gather health data from smartwatch apps or health tracker devices you might be using.

Some of the most worrisome cases of IoT hacks involve medical devices and can have detrimental — perhaps fatal — consequences on patients’ health.

What Is Being Done To Secure The IoT?

The silver lining is that IoT security, previously ignored, has now become an issue of high concern, even at the federal government level. Several measures are already being taken to plug holes and prevent security breaches at the device level, and efforts are being led to tackle major disasters before they come to pass.

After the Jeep Cherokee hack, automaker Fiat scrambled to have the problem fixed and quickly issued a safety recall for 1.4 million U.S. cars and trucks to install a security update patch. The whole episode also served as a wakeup call for the entire IoT industry.

Now security firms and manufacturers are joining ranks to help secure the IoT world before it spins out of control. Digital security company Gemalto is planning to use its experience in mobile payments to help secure IoT devices. Gemalto will be offering its Secure Element (SE) technology to automotive and utility companies. SE is a tamper-resistant component that gets embedded into devices to enable advanced digital security and life-cycle management by encrypting sensitive data and restricting access to it.

Microsoft also is entering the fray, and has promised to add BitLocker encryption and Secure Boot technology to Windows 10 IoT, the software giant’s operating system for IoT devices and platforms such as the Raspberry Pi. BitLocker is an encryption technology that can encrypt entire disk volumes, and it has been featured in Windows operating systems since the Vista edition. This can be crucial to securing on-device data. Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer. Its implementation can prevent device hijacking.

The IoT security issue has also given rise to new alliances. A conglomeration of leading tech firms, including Vodafone, founded the Internet of Things Security Foundation, a non-profit body that will be responsible for vetting Internet-connected devices for vulnerabilities and flaws and will offer security assistance to tech providers, system adopters and end users. IoTSF hopes to raise awareness through cross-company collaboration and encourage manufacturers to consider security of connected devices at the hardware level.

“The opportunity for IoT is staggering,” said John Moor, a spokesperson for IoTSF. “However, there are ever-real security challenges that accompany those opportunities.” Moor stressed the importance of addressing security from the start. “By creating a dedicated focus on security,” he promised, “our intention is simple — drive excellence in IoT security. IoTSF aims to be the home for providers, adopters and beneficiaries of IoT products and services.”

Other companies are working on setting up platforms that will enable large networks of IoT devices to identify and authenticate each other in order to provide higher security and prevent data breaches.

There also is research being conducted to enhance IoT security through device and smartphone linking. The effort is being led by experts at the University of Southampton, who believe smartphones can help overcome IoT devices’ limits in user interfaces and complexities in networking.

What More Needs To Be Done?

While the effort to tackle security issues regarding IoT devices is laudable, it isn’t enough to ensure that we can leverage the full power of this new technology in a secure environment.

For one thing, the gateways that connect IoT devices to company and manufacturer networks need to be secured as well as the devices themselves. IoT devices are always connected and always on. In contrast to human-controlled devices, they go through a one-time authentication process, which can make them perfect sources of infiltration into company networks. Therefore, more security needs to be implemented on these gateways to improve the overall security of the system.

Also of concern are huge repositories where IoT data is being stored, which can become attractive targets for corporate hackers and industrial spies who rely on big data to make profits. In the wake of massive data breaches and data theft cases we’ve seen in recent years, more effort needs to be made to secure IoT-related data to ensure the privacy of consumers and the functionality of businesses and corporations.

There also must be a sound plan for installing security updates on IoT devices. Each consumer will likely soon own scores — if not hundreds — of connected devices. The idea of manually installing updates on so many devices is definitely out of the question, but having them automatically pushed by manufacturers also can be a risky business. Proper safeguards must be put in place to prevent updating interfaces from becoming security holes themselves.

What is evident is that the IoT will become an important part of our lives very soon, and its security is one of the major issues that must be addressed via active participation by the entire global tech community. Will we be able to harness this most-hyped, emerging technology that will undoubtedly revolutionize the world, or will we end up opening a Pandora’s Box that will spiral the world into a new age of mayhem and chaos? Let’s hope for the former.

Via: techcrunch

Mozilla Adds Instant Messaging to Firefox Hello

Mozilla has given users another reason to consider its Firefox Web browser — the latest update, announced yesterday, adds instant text messaging capabilities to Firefox Hello, the desktop VoIP client it introduced last fall.

In October, Mozilla partnered with Telefónica to launch the Hello voice-calling and video-calling service to Firefox beta users. At the time, Mozilla touted the system as a way for users to communicate online in real time without having to hand over their personal information to a third-party service provider. This week’s addition of instant messaging could also boost Hello’s appeal as a Skype alternative, especially in light of the global service problems Skype suffered on Monday.

The new update to Firefox 41.0 enables people using Hello for video calls to also send and receive instant messages during those calls. The service is available in the desktop browser for Windows, Mac and Linux.

Other Updates Just Minor Tweaks

Most of the other changes rolled out with the latest Firefox update are minor tweaks in the browser’s personalization capabilities. For example, users can now set profile photos for either their desktops or Android Firefox accounts, and can use SVG images as favicons.

Another change means that Firefox’s WebRTC (for “real-time communication”) feature now requires perfect forward secrecy. Perfect forward secrecy is a cryptographic feature designed to prevent a compromise in one WebRTC session from leading to additional compromises.

The Firefox Hello service works with any browser that is WebRTC-enabled, which means that Chrome and Opera also support the voice and video feature. Users can start conversations with a few clicks, generating unique URLs that they can send to anyone with a WebRTC-enabled browser. Once the recipient clicks that link, that person will hear an audio alert, see the Hello icon turn blue and be taken to a live, online video chat with the sender.

Skype Outage Prompts Searches for Alternatives

Telefónica used WebRTC technology from its 2012 acquisition of TokBox to develop Hello in partnership with Mozilla. “The use of TokBox’s technology is a part of our strategy to partner, disrupt and innovate to offer digital services that are truly reflective of a modern digital telco,” the Spain-based telecommunications firm said when it announced the service last fall.

Based on search terms used on Google earlier this week, interest in Skype alternatives peaked dramatically during the day on Monday after a reported network problem left many users of the Microsoft-owned service unable to log in or update their statuses. Complaints were heaviest across Europe and the eastern half of the U.S., according to the Web site Outage.Report.

Google Trends’ “interest over time” charts show that both the search terms “Skype” and “Skype alternatives” spiked during the middle of the day Monday, and continued to see higher-than-usual interest for several hours afterward.

Via: enterprise-security-today

Companies Lack Security Controls for Accessing Enterprise Applications

Despite Breaches, Alarming Number of Companies Lack Security Controls for Accessing Enterprise Applications, According to Latest Research — Independent Study Respondents Recognize Need for More Stringent Access Controls, Yet 60 Percent of Organizations Do Not Require Multifactor Authentication for Non-Employees Accessing Enterprise Applications

Vidder Inc., the inventor of precision application access, announced the results of the Enterprise Application Security Market Research Report, an independent study conducted by King Research to understand the current state of controls for enterprise application access; which stringent access controls are deemed useful; and to what extent these access controls are being implemented. The survey of more than 400 InfoSec professionals reveals that despite widespread and highly publicized security breaches, most companies still fail to require necessary security controls for accessing enterprise applications, including those applications behind the corporate firewall.

Survey respondents also ranked as “highly useful” those solutions that enforce multifactor authentication (MFA) across all users at all times; hide app servers from all devices and unauthenticated users; ensure end-to-end encryption and integrity; and give complete control of who can connect to what, independent of app location, device type and user affiliation. These solution descriptions are all characteristics of the Software Defined Perimeter (SDP) model for secure connectivity. The highest ranked solution is one that does all of the above, according to respondents.

While MFA was indicated as a “highly useful” solution, those surveyed said 60 percent of their organizations do not require MFA for non-employees to access enterprise applications. In addition, while 57 percent of respondents’ organizations allow Bring Your Own Device (BYOD) for access to enterprise applications, 42 percent do not require non-employees to adhere to the corporate BYOD policies.

“This survey is unique in gathering information around enterprise application access, stringent controls, and the usefulness of solutions InfoSec professionals believe would best protect their organizations from becoming tomorrow’s headline,” said Ross King, Principal Analyst of King Research. “For example, we found that more than half of respondents (57 percent) said they have long-term contractors who need access to company information, and these contractors may or may not reside on-premise. But when asked which authentication type is typically used when providing non-employees access to enterprise applications, nearly half (42 percent) responded that simple passwords are used.”

For a copy of the study, see:

Other key findings of the research include:

• Sixty-three percent of respondents said that 10 percent or more of their enterprise applications are behind the corporate firewall and are accessed by non-employees.
• When asked to score criteria importance for selecting enterprise security products and services on a scale of 1 to 10, respondents scored “Compliance” the highest with a near 7.6 score. The second most important criterion was “Security Advantage by Using Superior Technology,” with a score of 7.5.
• One-third of the respondents said they have heard of the new Software Defined Perimeter (SDP) model.
• The respondents also said their top security concerns, on a scale of 1 to 10, are server vulnerabilities (7.6), phishing (7.3), server misconfigurations (7.3), and denial of service attacks (6.9).

“Executed properly, multifactor authentication is very secure,” said Anna Luo, Senior Director of Marketing at Vidder. “But highly stringent controls have proven to be too complex for users to adopt. This complexity is likely the reason why so many organizations do not have the controls needed in place, and why the research findings reveal that characteristics of software defined perimeter are seen as ‘highly useful’ in these areas. SDP’s built-in transparent multifactor authentication executes for every user, every connection, every time. It has no impact on user experience. The attackers have no ability to simultaneously compromise both the device and user, and it is extremely effective to counter the threats of credential theft.”

This independent research project was underwritten by Vidder, Inc., and the research was wholly and independently conducted by King Research. Administered from June through August, the research consisted of an online survey, with a total of 408 people responding. More than 16 percent of respondents identified themselves as working in the technology industry, followed by financial services at more than 10 percent, and government at more than 8 percent.

Via: enterprise-security-today

Could Fitbit Tracker Be Vulnerable to Quick Hack?

The fitness bracelet on your wrist might be doing more than just counting calories. At least if it’s a Fitbit model, according to new findings by researchers at security firm Fortinet. A vulnerability in the device’s Bluetooth radio could allow a hacker to both manipulate code on the tracker itself, and theoretically deliver code to a computer.

Speaking at the Hack.Lu conference in Luxembourg, Fortinet security researcher Axelle Apvrille said she had developed a proof of concept attack that would allow a hacker to penetrate the device from anywhere within its Bluetooth radio range. Even worse, the hack only takes 10 seconds to execute.

Spying Through a Bracelet

Apvrille disclosed the proof of concept during her “Geek usages for your Fitbit Flex tracker” talk. In her presentation, she discussed how hackers could use the devices to gather private information on the users through the tracker. For example, by hacking the accelerometer’s data, hackers could gather information on a user’s sexual activities.

But even in the case of less prurient data, the Fitbit vulnerability could be profitable for thieves. Since Fitbit incentivizes users to exercise more by offering rewards through partner organizations, hackers could exploit the vulnerability to create fake exercise data, generating as many rewards as they wanted.

Spying on users and manipulating exercise data might be the least of the problems the vulnerability presents, though. Apvrille reported that she had also been able to deliver code. In fact, she said she was able to successfully deliver commands to both the tracker and the dongle that connected to a user’s computer.

Beyond merely executing code on the tracker, Apvrille said she was able to use the tracker as a stepping-stone to infecting other machines. An attacker could, in principle, propagate an attack by initially injecting malicious code into the device. Then, when the tracker connected to a computer to synchronize its data, it could install a Trojan or set up a backdoor on the victim’s system.

Not So Bad?

Before throwing your Fitbit in the trash, there are some important caveats to the announcement. Apvrille emphasized that the vulnerability she discovered represented only a proof of concept. At the moment, no exploit using the vulnerability has been discovered active in the wild, and no malicious code has been written yet.

Furthermore, the bug only allows attackers to deliver a limited amount of code, up to 17 bytes. That’s not enough to allow a hacker to hijack the Fitbit for an advanced botnet, although it may be large enough to deliver other kinds of viruses. Apvrille said she alerted Fitbit to the exploit in March.

Fitbit Responds

In a statement, a Fitbit spokesperson told us, “On Wednesday, October 21, 2015, reports began circulating in the media based on claims from security vendor Fortinet that Fitbit devices could be used to distribute malware. These reports are false.”

In fact, the Fortinet researcher, Axelle Apvrille, who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible, the spokesperson said. “Fitbit trackers cannot be used to infect users’ devices with malware. We want to reassure our users that it remains safe to use their Fitbit devices and no action is required,” she added.

The spokesperson said Fortinet first contacted Fitbit in March to report a low-severity issue unrelated to malicious software. “Since that time we’ve maintained an open channel of communication with Fortinet,” the spokesperson said. “We have not seen any data to indicate that it is possible to use a tracker to distribute malware.”

According to the spokesperson, Fitbit has a history of working closely with the security research community and always welcomes thoughts and feedback from researchers. “The trust of our customers is paramount,” the spokesperson said. “We carefully design security measures for new products, monitor for new threats, and rapidly respond to identified issues. We encourage individuals to report any security concerns with Fitbit’s products or online services to”

Via: enterprise-security-today

Scottrade Data Breach Hits 4.6M Customers, Contact Info Targeted

October is National Cyber Security Awareness Month and it kicked off with the wrong kind of bang as Scottrade announced a security breach. The investment accounts and brokerage services firm published a report about a hack that exposed 4.6 million clients to cybercriminals.

A federal investigation revealed that illegal activity involving its network occurred between late 2013 and early 2014, and targeted client names and street addresses, according to a Scottrade statement. Social Security numbers, e-mail addresses and other sensitive data were stored in the breached system, but it appears that the contact information was the hacker’s main focus.

“We have no reason to believe that Scottrade’s trading platforms or any client funds were compromised. Client passwords remained fully encrypted at all times and we have not seen any indication of fraudulent activity as a result of this incident,” the company said in the statement. “We have secured the known intrusion point and conducted an internal data forensics investigation on this incident with assistance from a leading computer security firm. We have taken appropriate steps to further strengthen our network defenses.”

This Is Mindboggling

We turned to Mark Bower, global director of product management, enterprise data security for HP Data Security, to get his reaction to the data breach. He told us it’s almost mindboggling that yet another major data breach has been revealed in less than a week. He was referring to news of last week’s Experian data breach that exposed 15 million T-Mobile customers to hackers.

“In this case, while the passwords may remain safe, one has to ask if the customers’ personal data was protected in the same manner,” Bower said. “With the available technologies today to protect sensitive data very easily and quickly, it’s a simple matter to cover all sensitive databases to protect consumer trust and satisfaction.”

Bower said it’s important that businesses follow best practices of encrypting all sensitive and regulated data as it enters their ecosystems, and have the protection follow the data at rest, in use and in motion. He said this is especially urgent in the financial services industry and with data processors.

New Table Stakes ‘Take’

Casey Ellis, CEO of Bugcrowd, a firm that helps organizations like Pinterest, Tesla and Western Union run crowdsourced security programs, told us he’s watching one thing closely: a trend away from credit card data — or the table stakes “take” of the cybercriminal — toward personal data.

“There has been a shift in targeting, which to me signals a shift in the way criminals are calculating their return on investment in these hacks,” Ellis said. “It also indicates that criminals are becoming more efficient in capitalizing personal data, which is interesting, too. Extracting a gain from personal information at scale is far more cumbersome than pulling money from a stolen credit card.”

Via: enterprise-security-today

Apple Pay To Begin Rolling Out to Starbucks, KFC, Chili’s Soon

Nearly one year after its debut, Apple Pay could see a boost in usership with the addition of Starbucks to the roster of retailers that support Apple’s contactless payment system. Apple Pay is also expected to roll out to two other chains — KFC and Chili’s — starting next year.

Apple executive Jennifer Bailey, the company’s vice president of Internet services, Apple Pay, announced the program’s expansion yesterday at re/Code’s Code/Mobile conference in California.

Launched in the U.S. last October, Apple Pay uses near field communication (NFC) to handle transactions at a number of brick-and-mortar and online retailers. The payment system — which also became available in the U.K. this summer — is supported on Apple’s latest devices, including the iPhone 6 family, the Apple Watch and recent models of the iPad.

New Support for Loyalty Programs

Beginning later this year, an unspecified number of Starbucks stores across the U.S. will begin a pilot program to accept payments via Apple Pay, Bailey said at the Code/Mobile conference. The retailer has committed to bringing the system to all 7,500 of its corporate-owned stores in 2016, she added.

A representative of Apple told us today that Apple Pay would also be coming to KFC and Chili’s outlets across the U.S. next year. In the case of Chili’s, the rollout is expected to start in the spring and eventually extend to all 1,000 or so corporate-owned stores.

Bailey noted that the recent iOS 9 mobile operating system update will now enable Apple Pay users to also add their loyalty cards for participating retailers. That “super-simple” capability will ensure that users can get loyalty-program credit for their purchases, she said.

Once loyalty program data is saved on an Apple device, that information will be automatically presented during a transaction. “It can be a single-tap experience,” Bailey said.

The ‘Magic’ Needed: Repeat Use

The expansion of Apple Pay to a retailer with the popularity of Starbucks could give the payment system a much-needed shot in the arm, Greg Weed, director of card research at market research firm Phoenix Marketing International, told us.

Phoenix has been studying adoption rates of Apple Pay since the system was launched last year, and its most recent research indicates that uptake has slowed, Weed said. In February, the percentage of all U.S. payment-card users who had linked a card to Apple Pay stood at 11 percent and rose to 13 percent in July, he said. That percentage is now at 14 percent, according to the latest data.

“[T]he rate of growth is decreasing, statistically,” he said. “The magic of Starbucks is the repeat use.” If Apple can integrate its payment system with Starbucks’ loyal customers — and with the chain’s loyalty program — that could speed up Apple Pay’s slowing adoption rates, he added.

Another challenge will be ironing out the many problems with “friction” that Apple Pay users have reported at checkout, Weed said. Even at retail outlets listed as accepting Apple Pay, customers often report problems with payment due to equipment difficulties, employees unfamiliar with the system or other issues.

If Apple can overcome those issues and make it easy for Apple Pay customers to pay as well as earn loyalty points, the program’s expansion could be “a very good move in terms of solving one of the key problems with repeat use,” he said.

Apple Pay is currently accepted at more than one million locations, according to the most recent information from Apple. The company said it is on track to reach 1.5 million locations by the end of the year.

Via: enterprise-security-today