More stories

  • in

    How can I keep my credit card details from being stolen online? [Ask ZDNet]

    As you’ve discovered, the inconvenience associated with being the victim of credit card fraud is significant. Thankfully, for cardholders in the United States, protections in the Fair Credit Billing Act mean your actual losses are limited to $50, provided you notify the card issuer as soon as you become aware of any theft or unauthorized use. Most card issuers have fraud detection capabilities that will alert you immediately in the event of a suspicious transaction and protect you from any loss. One important caveat here: These fraud protections do not apply to debit cards, even if the card has the logo of a major credit card issuer. The Electronic Fund Transfer Act offers similar protections if you report an unauthorized transaction within 48 hours, but after that you’re on the hook for $500 in losses, and the limit vanishes completely if a fraud goes unreported for 60 days. (For details, see this FTC page: “Lost or Stolen Credit, ATM, and Debit Cards.” Even with those protections, there’s always a risk with any online transaction. How do you minimize your risk? Be vigilant about sites where you use your card. Make sure the page is secure and that the merchant is trustworthy. If you don’t recognize the merchant or the site seems suspicious, think twice before entering your card details. Avoid storing your card details unnecessarily. You can probably waive this precaution for top-tier merchants like Amazon and Apple, but it’s really not that inconvenient to re-enter a card number for smaller merchants that you do business with occasionally. (Obviously, you can’t avoid this for recurring payments.) Use Apple Pay, Google Pay, Samsung Pay, or other digital wallets whenever possible. Those systems use virtual account numbers tied to your device, which means in the event of compromise, your actual card number is not revealed. (For details on virtual card numbers, see these support documents from Google and Apple.) Create your own masked card. The free Privacy.com service, for example, lets you create virtual credit cards for specific merchants. You can assign per-transaction limits or set an overall maximum charge for one of these cards, making it impossible for an unscrupulous merchant to turn a small charge into a larger one without your consent. We’ve used this service and can recommend it enthusiastically.  More

  • in

    What is an ethical hacker? Why one of the most intriguing jobs in cybersecurity could be a good bet

    Image: Getty While more companies are investing in beefing up their IT security, most cybersecurity practices are still reactive in their nature, relying on software tools to identify when a breach has happened – or been attempted – and then responding accordingly. But as cyberattacks continue to increase in frequency and sophistication, it is clear […] More

  • in

    This tiny botnet is launching the most powerful DDoS attacks yet

    Image: Getty Images/Jetta Productions Inc Content distribution network (CDN) firm Cloudflare says the botnet behind the biggest distributed denial of service (DDoS) attacks it has recorded has targeted nearly 1,000 of its customers in the past few weeks.  The botnet – which Cloudflare calls Mantis and which is named after the small, razor-legged prawn – […] More

  • in

    The industrial internet of things is still a big mess when it comes to security

    Engineer wearing a white helmet while standing in a heavy industrial factory. Getty Images/iStockphoto Critical infrastructure is increasingly targeted by cyber criminals – and while those responsible for running industrial networks know that securing operational technology (OT) and the Industrial Internet of Things (IIoT) is vital, they’re struggling, resulting in networks being left vulnerable to […] More

  • in

    Singapore talks up OT security, looks to add medical devices to labelling scheme

    Singapore is looking to expand its cybersecurity labelling programme to include medical devices, specifically, those that handle sensitive data and can communicate with other systems. It also reiterates the need to safeguard operational technology (OT) systems and build up the necessary skillsets to do so. OT systems traditionally were designed as standalone infrastructures and not connected to external networks or the internet. The need for better efficiencies and functionalities, however, had driven the convergence of IT and OT systems. Remote monitoring and data sharing for insights, for instance, brought about more efficiencies, but these also came at a cost as they widened the attack surface, said David Koh, Singapore’s cybersecurity commissioner and chief executive of Cyber Security Agency (CSA).  Once in a safe air-gapped operating environment, OT systems now were open to potential cyber attacks and breaches could have real-world impact, noted Koh, who was speaking at ISC2’s Secure Singapore conference held Wednesday. To mitigate such threats, he underscored the need to build up the necessary skilsets to manage the convergence of IT and OT systems. With both sides traditionally run and managed separately, these teams now would need to understand how IT systems were deployed to support essential services, such as water and power plants. Such skillsets also should encompass knowledge of business processes and interdependencies that went beyond the technical aspects, he said. Zachary Tudor, associate laboratory director of Idaho National Laboratory’s National and Homeland Security, concurred, pointing to the need for managers who understood the security risks from the convergence of IT and OT. C-suite executives also needed to be educated about the business risks and consequences of the interdependencies between the two realms, said Tudor, who also is ISC2’s board chairperson. Koh said Singapore tweaked its cybersecurity strategy in recognition of the convergence, embedding an OT security masterplan that focused on bolstering processes, infrastructures, and talent to address potential risks. Its OT Cybersecurity Competency Framework provided guidelines of cybersecurity skills and technical competencies required for OT industry sectors, which included those in critical information infrastructure (CII) markets such as water, healthcare, maritime, and energy.CSA earlier this week unveiled a scholarship programme for up to 80 qualified candidates enrolled in the Singapore University of Technology and Design’s Master of Science in Security by Design. The initiative was part of the government’s efforts to drive OT cybersecurity skills development. Plans to expand labelling scheme to healthcareKoh also pointed to the need to help the general public make more informed choices with regards to security, in particular, in purchasing Internet of Things (IoT) devices. He noted that consumers would buy such products without much awareness because the device’s security posture typically was opaque, with little information provided, and the spotlight placed instead on its features and price. CSA launched a Cybersecurity Labelling Scheme (CLS) to address this and adoption had been better than expected, with a range of manufacturers expressing interest in participating in the voluntary programme, he said. First introduced for home routers, the initiative later was expanded to include all consumer IoT devices, such as smart lights and door locks. Koh revealed that plans now were underway to further expand the CLS to medical and healthcare devices. Security was critical here as such devices could affect one’s health and potentially result in personal injury, he said. According to a CSA document detailing the pilot CLS for medical devices, such devices would fall under the scheme if they handled sensitive data such as personal identifiable information and had the ability to “collect, store, process, or transfer data”. They also would be connected to other systems and services, with the ability to communicate using wired or wireless networks either autonomously or manually. Singapore in May announced plans to set up a SG$19.5 million ($13.99 million) centre to facilitate vulnerability assessment of software and hardware products, physical hardware attacks, and security measures. The centre would work with CSA and Singapore Accreditation Council to develop relevant accreditation programmes, including IT testing programmes that facilitated initiatives such as CLS.According to CSA, as of end-April, more than 200 products had been submitted for labelling under the programme. Koh added that countries such as Germany, Australia, the US, and the UK had approached Singapore to establish mutual recognition of similar labelling and certification schemes in the respective global markets. Such bilateral recognition would reduce the need for duplicated testing, he said.Singapore and Finland last October inked an agreement to do so for each country’s IoT cybersecurity labels.RELATED COVERAGE More