(+603) 2180 5202 azaliah@utm.my

What You Need to Know About E-Skimming

While ransomware and leaky or completely unprotected databases dominated headlines in 2019, e-skimmers quietly made a killing. A major e-skimming compromise was discovered on Macy’s website at the start of the holiday season in which hackers captured the payment information of several online shoppers. The retailer wasn’t alone. American Outdoor Brands, Puma, Ticketmaster UK, British Airways, Vision Direct, Newegg, and many, many others were also infected by e-skimmers.

The best way to avoid getting skinned by e-skimming is standard issue: We all need to monitor our accounts, avoid using debit cards (because they are a direct money funnel), keep our password games strong, and generally practise good cyber hygiene. On the business side of things, it’s crucial that software patches are applied as soon as they’re released, and that employees are trained to recognize the signs of compromise.

As with many cyber threats, the best solutions are cultural. We need to get in the habit of putting security–which includes constant vigilance–first, second, and third in our online activities.

But while this is all perfectly sound advice, it’s not going to solve the e-skimming problem, which is that e-commerce sites are increasingly complex and because of that more difficult to defend. They have an ever-expanding attackable surface in an environment where reducing that surface is the watchword.

E-Skimming 101: Cyber Pilot Fish

E-skimming is a hack. A small piece of code is added to an e-commerce website that intercepts payment information. The code can be added by compromising a website’s server, through a phishing attack, by exploiting a known software vulnerability, or by luring a developer into using what seems like a legitimate plug-in or module for a website but actually includes the malicious code.

It doesn’t matter whether the site uses encryption or you see the green padlock beside the URL: e-skimming doesn’t intercept information in transit. It lives on the targeted website itself and records payment information and other sensitive identifying information as the consumer enters it during the checkout process.

Typically, the e-skimming software just sits there accumulating payment information and transmitting it to the hacker who put it there until it is discovered–something that often takes months. From there, the hacker can sell the stolen information in bulk or cherry-pick a few payment cards to turn a profit.

In the high-turn world of online shopping, e-skimmers are like pilot fish getting a good meal by hitching a ride on super-predators at the top of the retail food chain.

Too Many Coders in the Kitchen

E-commerce websites are composed of huge shoals of code written and developed by hundreds, if not thousands, of people.

The Magento open-source shopping cart served as the namesake for the e-skimming group (or groups) known as MageCart. It has more than 4.5 million lines of code with edits and additions made by more than 500 developers. WooCommerce, another open-source solution, has a less unwieldy 175,000 lines of code, but still plenty for a hacker who wants to hide something.

That is just the dorsal fin. The core code of these platforms, while sprawling, is at least maintained by companies constantly searching for new vulnerabilities and patching them. The bigger problem is that e-commerce sites often implement a wide variety of plug-ins, extensions, widgets, and added bits of software, all of it introducing more code and expanding the site’s attackable surface.

A single line of code added to a Magento extension infected at least 200 online e-commerce sites with e-skimming software last year. The inconspicuous change was pushed via an account on a Microsoft-owned code repository. A quick search shows sites are still running the compromised version of the extension months after it was identified.
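Because an e-skimmer runs inside the shop’s own checkout page, whether injected directly or smuggled in through an extension, the basic defensive check is an inventory of every script that page loads, compared against what the retailer knowingly approved. The following is an added example, not code from the article or from any e-commerce platform; the allow-list and the checkout HTML are constructed for the demo, and a real audit would fetch the live page.

```python
"""List the scripts a checkout page loads and flag the ones a defender should question.

Added example, not code from the original article. An e-skimmer is code that
runs inside the shop's own checkout page, so a script inventory checked
against an allow-list is the defender's basic control. The allow-list and the
page HTML below are constructed for the demo; a real audit fetches the live page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: hosts this shop knowingly loads scripts from.
TRUSTED_HOSTS = {"shop.example", "cdn.shop.example", "js.payment-psp.example"}

class ScriptCollector(HTMLParser):
    """Record every <script> tag: its src (None if inline) and whether it carries SRI."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), "integrity" in a))

def audit_checkout_html(html, page_host, trusted=TRUSTED_HOSTS):
    """Return (finding, detail) pairs in page order; an empty list means nothing to review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, has_sri in collector.scripts:
        if src is None:
            findings.append(("inline-script", "inline code on a payment page"))
            continue
        host = (urlparse(src).hostname or page_host).lower()   # relative src => first-party
        if host not in trusted:
            findings.append(("untrusted-host", src))           # nobody approved this source
        elif host != page_host and not has_sri:
            findings.append(("no-sri", src))                   # third party could change silently
    return findings

# Constructed checkout page: two clean scripts, one without SRI, one stranger, one inline.
SAMPLE_CHECKOUT = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/cart.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://js.payment-psp.example/v1.js"></script>
<script src="https://cdn-stats.example/analytics.js"></script>
<script>/* inline template code */</script>
</head><body><form id="checkout"></form></body></html>"""

if __name__ == "__main__":
    for finding, detail in audit_checkout_html(SAMPLE_CHECKOUT, "shop.example"):
        print(f"{finding:15} {detail}")
```

Run the same audit on a schedule and diff the output against the last known-good inventory; a skimmer that appears months after deployment shows up as a new line.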

The issue isn’t unique to Magento or WooCommerce. Other e-commerce platforms, including OpenCart, OsCommerce, and Shopify, have been targeted and compromised by similar attacks. While poor data hygiene is the cause of some attacks, many are detected by accident, or because a hacker gets greedy and a credit card company zeroes in on an affected site.

The solution is to be had not in a lab or working group. It is cultural. E-skimming is a double threat: to consumers and businesses, and they are both parts of the solution. A vigilant retail environment reduces everyone’s attackable surface.

Tips for writing abstract

Here are my simple tips for writing the abstract. Just follow this table, and voilà, your abstract is completed.

It is the simplest way so far and yet very structured (in my opinion).

Motivation  
Problem  
Objective  
Method  
Result  
Significance  

example:

Motivation Recent studies show that tax compliance is closely related to the tax return process. If the electronic tax system can provide an efficient and fast tax return process, the tax compliance rate will be significantly improved.
Problem However, the existing tax systems were designed solely around tax functional requirements and lack tax strategy and business considerations. Hence they become passive transactional systems that serve only as the end-point for taxpayer data, which finally leads to taxpayer non-compliance.
Objective Therefore, this paper shall investigate how an EA approach can be a potential solution for managing the income tax compliance rate issues in Malaysia.
Method This study proposes to create a hybrid EA framework influenced by TOGAF, the Ishikawa Diagram and MyGovEA.
Result As a result, a ‘To-Be’ Architecture of the Malaysian Tax Return Process is proposed based on five considerations obtained from the earlier ‘As-Is’ analysis.
Significance This paper concludes that the tax compliance rate can potentially be improved if the tax agency is able to align the strategy, business process and tax systems together.

Why You’ll Build a Better Company Using Data Instead of Instincts

One of the most daunting but critical tasks for business owners is to balance the many sources of data that can help guide decision-making. Irrespective of the size of a company, understanding what matters to your long-term success, and what’s dragging down your growth, is essential.

For early-stage businesses, data may be scarce and expensive to attain, but businesses must still make informed decisions. No one likes leaving money on the table, but worse is not knowing that you need to change anything.

Balancing Costs With Returns
Simple mistakes happen to every business owner. Because we’re constantly saturated with data, it’s hard to know what to pay attention to, or how to measure tradeoffs like payment-processing costs and cardholder behaviour.

For instance, I’m an American Express cardholder, and business owners tell me all the time, “We don’t take AmEx; the processing fees are higher.” That seems like a straightforward cost-saving measure, except for the potential AmEx customers you’re turning off or turning away. Any form of payment you don’t accept could be money walking out the door. The question is, how much?

Even if they buy from you anyway, AmEx cardholders spend statistically more when they use their preferred card. They’re more likely to pay a convenience premium, more likely to buy higher-margin “unlimited” plans and monthly subscriptions. With your attention focused on saving in processing costs, you might be sacrificing some of your most lucrative potential customers.

Know What to Measure, and Then Measure It
For a brief period, Kabbage paid for more seat licenses for our CRM than we had employees who talked to customers. The company was scaling so fast that different teams bought separate licenses or bought more for new hires, and no one had noticed. No one was able to check the vendor costs against what we were using. Only once we hired someone to go through the mountains of vendor data did we see how much we’d been overpaying. Consolidating just that set of CRM licenses saved us more than that individual’s salary.

There were other things we could have learned and money we could have saved if we had been regularly reviewing the data. We launched several time-consuming, tech-intensive partnerships that didn’t pay off for us, but at the time no one was analyzing the return on investment. We were too busy to sift through it with any precision. We have since moved on to some even more meaningful opportunities, but those earlier projects improved how we measure initiatives today.

I see young salon owners and restaurateurs who are determined to have a sparkling social media presence. They hire professional photographers, invest in splashy ads, spend hours replying to every review and comment with diligent cheer. They don’t have a clear idea of whether that platform is reliably bringing in new and repeat business. Knocking yourself out on something that doesn’t improve measurable outcomes is worse than useless: It’s wasteful.

If you could ask that earnest, socially focused entrepreneur whether their efforts are paying off, you can ask the right questions about every part of your business. What data could tell you if the investment is paying off? Do you have it? Can you get it? Is someone reviewing it? Once you know, are you acting on it?

Too Much Input? Focus on Outcomes
You might not be ready to hire a data guy–at least not yet–and information is coming at you fast. So stick to your core concerns. Your high-level task is to monitor outcomes: the real-time health of your business.

Compare the distribution of your costs (where you’re spending time and money) over the distribution of your revenue (money coming in). Is it worth it to stay open on Saturdays? The data will tell you. Are a few clients always demanding your time but not building your bottom line? They’re not worth it. Let them go.

Every business is different and you know yours best. But when the data shows you distractions and diversions–big costs that aren’t improving outcomes–it’s time to invest in change.

Accepting the extra point on AmEx processing fees, reviewing vendor license contracts for savings, scaling back on social: These small choices might not seem like they would impact the long-term outcomes of your business, but they do. When you’re deluged with data stories and feedback, you must compare new information against your core goals, and then be willing to follow those findings to improve your business’s health. Data-driven insights can tell you what’s working toward your goals and what’s holding you back.

4 Tips for Avoiding Even the Most Devious Phishing Scams

Phishing scams that infect a computer and potentially allow hackers to invade bank and other accounts are highly preventable — but it takes eternal vigilance on the part of computer users.

Even small business owners or employees who think they’re careful about clicking on links and attachments in emails — the tools phishing scammers use — can be tricked and find their computers have been invaded. They may also have given cyber thieves access to bank and other accounts. Cybercriminals have become increasingly crafty and sophisticated with emails that look realistic.

Owners need to educate and keep reminding staffers about the dangers of clicking on the wrong things.

Some tips to avoid getting caught in a phishing scam:

Be wary of any link or attachment.
Unless it’s clear from the context of an email that the link or attachment is OK — for example, your attorney has sent you the sales contract you expected as a Microsoft Word document, or a staffer writes, “here’s the link to the website we discussed at our meeting this morning” — assume that clicking could get you in trouble. Be particularly suspicious of emails about package shipments or invoices, or that ask for personal information, logins and passwords. An unexpected email from the IRS is a scam; the agency does not initiate contact with a taxpayer via email, phone calls, texts or social media.

Check the email address.
Even if the email comes from someone you know, double-check the address it’s from. Cybercriminals can take an email address and make subtle changes — for example, replacing an “m” with an “r” followed by an “n” — that you might not notice unless you look closely.

Confirm with the sender that they sent you a legitimate email.
If you get an unexpected email with a document or a link, check with the sender. But don’t click on “reply” or copy the email address — call or send a separate email, using an address you know is correct.

Consider restricting staffers’ use of personal webmail on work PCs.
A staffer who clicks on a link or attachment in a personal email can infect the company machine or system. If staffers can’t read personal email on work machines, the company’s exposure is reduced.

Phishing Is Getting More Sophisticated. Here’s What to Look Out For

Many CEOs live in fear that their companies will suffer a data breach. That’s for good reason: In 2019 the average breach of U.S. companies cost $73,000. And the cost of the attendant reputational damage with vendors and customers can be far greater.

It’s probably no surprise, then, that in a recent Inc. survey, senior executives said their two greatest worries on a wide-ranging list of technology-related developments were having sensitive data stolen and being the victim of a ransomware attack. Some respondents know the pain firsthand–8 per cent said their company has experienced a breach within the past two years, while 12 per cent say they’ve experienced one in the past five years. With that in mind, Inc. spoke with cybersecurity experts to find out the latest when it comes to company breaches.

The first thing they made clear is that the 12 per cent figure is probably low since there is likely an increasing number of breaches that companies aren’t aware of and don’t report. Something that might play into that: hackers’ new methods of choice.

More than half of all breaches last year were not performed using malware, according to a January report from cybersecurity firm CrowdStrike. That’s important because malware often is easily detectable. Increasingly, hackers are finding ways to access your company’s network using its existing systems, like logging on with an employee’s stolen credentials, says Shawn Henry, CrowdStrike chief security officer.

“More time undetected means more success for them,” Henry says, noting that the average adversary spent 95 days in an organization’s network before being detected, up from 85 days a year ago. “It’s similar to why you go for a colonoscopy, or you go to the dermatologist to be checked for unusual marks. It’s preventive maintenance. If something is there for months or years undetected, you’re in trouble.”

Gone phishing
Hackers can find their way into your system in several ways, with phishing scams being one of the most prevalent. These attacks are becoming more sophisticated, according to Joseph Steinberg, author of Cybersecurity for Dummies and a former Inc. columnist.

In some cases, a hacker might spoof the email address of an executive, send a note telling employees they’ve been laid off, and instruct them to log onto the network as soon as possible to fill out a form to receive their severance. The employees then click a link to their company’s network and, not realizing it’s a fake, enter their usernames and passwords. Suddenly, the hackers have a working set of login credentials–or many of them.

What’s more, now hackers are more often studying a company’s personnel and learning their manner of speaking by email before spoofing them, Steinberg says. They’ll glean personal information through the social media accounts of executives or their family members to find out, say, that they’re about to head off on vacation.

“Then they send a message to the CFO that sounds real and say, ‘I’m getting on my flight to Disneyland, so don’t bother calling me. Just take action.’ ” Suddenly, an employee is sending sensitive information–or even a wire payment–to a bad actor.

“Phishing 10 or 15 years ago was a shotgun,” Steinberg says. “I’m going to fire out hundreds of shells and hopefully some of them hit the target, whereas this is much more like a rifle. I’m trying to get this one person, but I’m hitting with a much more accurate and stronger attack.”

Shifting your mindset
Though it’s detectable once it’s in your system, malware is infiltrating more discreetly than ever before. Last year saw a trend away from the use of malware in email attachments–which many employees have learned to recognize as a red flag–and toward links instead, according to cybersecurity firm Proofpoint. “The increasing prevalence of cloud applications and storage means that we are all conditioned to click through links to view, share, and interact with a variety of content,” the company wrote in a December report.

Adversaries increasingly are using URL shorteners to make links in emails appear legitimate, the firm says. Hackers sometimes use URLs that are just one character different from the real thing, like a letter with a line under it, which is tough to spot in the hyperlinked text, according to Steinberg.
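Both the “rn” swapped for an “m” in a sender address (from the tips above) and the link host that differs from the real domain by one underlined or substituted letter are lookalikes that a mail gateway or link checker can catch mechanically. The following is an added example, not code from either article or from any vendor named in them; the allow-list of company domains is hypothetical, and the sender addresses and URLs are constructed samples.

```python
"""Flag sender addresses and link hosts that merely look like a trusted domain.

Added example, not from the original articles. It folds the confusable forms
those articles mention (the "rn" that reads as "m", a letter with a line under
it, a one-character swap) into a canonical spelling and compares that against
a hypothetical allow-list of domains the company really uses.
"""
import unicodedata
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "bank-example.com"}   # hypothetical allow-list

# Single characters that pass for ASCII letters: digits, dotless i, Cyrillic letters.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "\u0131": "i", "\u0430": "a",
                                  "\u043e": "o", "\u0435": "e", "\u0440": "p", "\u0441": "c"})
# Letter pairs that render almost like one letter in proportional fonts.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

def canonical(domain):
    """Reduce a domain to the spelling a human eye would most likely read."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop underlines, accents
    d = d.translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        d = d.replace(pair, single)
    return d

def domain_of(value):
    """Return the host from 'Name <user@host>', 'user@host', or a URL."""
    value = value.strip()
    if "@" in value:
        return value.rsplit("@", 1)[1].rstrip(">").lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def classify(value, trusted=TRUSTED_DOMAINS):
    """Return ('trusted'|'lookalike'|'unknown', matched trusted domain or None)."""
    host = domain_of(value)
    if host in trusted:
        return ("trusted", host)
    by_canonical = {canonical(t): t for t in trusted}
    match = by_canonical.get(canonical(host))
    return ("lookalike", match) if match else ("unknown", None)

if __name__ == "__main__":
    # Constructed samples: one genuine sender, three lookalikes, one stranger.
    for sample in ["alerts@example.com", "Alerts <alerts@exarnple.com>",
                   "https://exa\u0331mple.com/login", "https://examp1e.com/",
                   "support@other-store.example"]:
        print(f"{sample!r:42} -> {classify(sample)}")
```

A shortened URL cannot be judged this way until it is expanded, so treat an “unknown” verdict on a shortener host as a reason to resolve the link in a sandbox, not as a pass.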

The best ways to combat hackers
So how do you prevent all this? While companies need to make sure they invest in cybersecurity measures, of course, the experts offer additional tips.

1. Make sure all employees are properly trained and educated.
Have procedures in place for everything, Steinberg says. “And those procedures don’t go away just because the CEO is getting on a flight to Miami,” he says.

2. Get help from your rivals.
Share information about attacks to competitors in your industry with the hopes that they’ll do the same, Henry advises. “It’s understanding that if they targeted my transportation company this week, they’re going to target your transportation company next week,” he says. “Let’s share this intelligence with you so that you can better protect yourselves.”

3. Never think you’re immune.
Perhaps most important is understanding that your company can become a target, no matter how small or how secure, Steinberg says. “When that mindset changes from, ‘Nobody would be interested in hacking me’ to ‘I’m sceptical about everything that comes to me because I know criminals are targeting me,’ it changes the way you react,” he says. “It changes the way you do lots of things so that these types of attacks become a lot less likely to succeed.”