Gone Phishing – Malware Wants your PII Part 2


Part 2 of 2

In our last blog installment, we discussed the rash of data breaches that is hitting all industries, aimed at stealing very valuable Personally Identifiable Information (PII). The current generation of malware attacks faster and is nearly undetectable, deploys more insidious ransomware, and contains far more malicious code than previous versions. Malware can remain undetected in networks for years, waiting for an unpatched computer to exploit. It takes just one employee clicking on the wrong link or app to bring these viruses to life. How do you protect your organization and not end up on the front page of Forbes magazine explaining how your organization exposed the PII of your valuable customers? What is the best way to secure your data environment?

Ironically, when I began writing this blog I did not know the foreshadowing that the Forbes comment would have. Forbes recently exposed customer data because they forced their web readership to turn off their ad blockers to access content, resulting in hijacked pop-under ads infecting the site visitors with malware. Don’t get me wrong, the infection was not intentional by Forbes, which relies on its ad network to keep “malvertising” out of its site. But ad blockers are the first line of defense when they are enabled. Forbes is not alone in these attacks, as every industry is now on alert for infected ads.

Malware is not restricted to traditional infection zones either; it is now infecting mobile apps. The latest malware culprit, called Slembunk, targets Android’s mobile banking apps. Once installed, it runs in the background and mimics specific banking apps while harvesting authentication credentials along with valuable PII.

Malware Continues to Evolve to Avoid Detection

Unpatched vulnerabilities are a massive failure of IT security. Keeping up to date on operating system and browser-related patches is critical to keeping systems secure. Malware authors know this, using known vulnerabilities to create hundreds of millions of malware infections last year alone. Patching is an endless task in a heterogeneous computing environment and it’s easy to leave a server, a whole department, or even just one computer with vulnerabilities. For malware hackers, that’s the target they will eventually find and exploit.

To make matters worse, malware is rigorously designed and tested to avoid detection. One new technique is for the malware to detect whether its code is running inside a virtual machine before it executes. Malware authors have developed virtual machine-aware code to avoid activation in a virtual sandbox environment, which security researchers use to observe and detect malware. As a result, the virtual testing and entrapment environments in use at many sophisticated organizations provide little security against these forms of malware. So what can you do to actually defend against a malware infection?

Get Rid of PII, PCI, PHI with Tokenization

In reality, for internet-enabled businesses that need to interact with customers, suppliers, and partners, an impenetrable defense is next to impossible. The number one reason for all data breaches is the availability of sensitive data sets—such as PII, PCI, and PHI—that are housed in IT business environments. So if data breaches are inevitable, it makes sense not to leave any type of sensitive data in systems where it can be exposed, putting organizations at serious risk of legal, financial, and public relations ramifications. If you get rid of the sensitive data, you remove the reason for malware attacks and eliminate the risk.

Cloud tokenization removes sensitive data and replaces it with a value that cannot be reverse engineered to obtain the original value, leaving the cyber criminals with meaningless data. The sensitive data is safely stored in secure cloud data vaults, so your environment houses only the corresponding tokens, not the data itself. The result is you don’t expose your customers or your organization to the very ugly side of data breaches. Fines, angry customers, lost revenue, and public relations embarrassment are a few of the byproducts of a data breach. With tokenization, hackers can’t steal what’s not there.
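To make the vault model above concrete, here is an added sketch (not TokenEx code or its API) of a tokenizer that swaps a PAN for random digits and keeps the mapping only inside the vault. The class and function names, the choice to keep the last four digits, and the rule that tokens must fail the Luhn check are all assumptions of this example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the remote vault; the merchant never holds this state."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._by_token = {}                        # token -> PAN
        self._by_index = {}                        # HMAC(PAN) -> token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if idx in self._by_index:                  # same PAN always maps to same token
            return self._by_index[idx]
        while True:
            # Random digits, not derived from the PAN, so there is nothing to reverse.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]                # last four kept for receipts (assumption)
            # Reject Luhn-valid values so a token can never pass as a card number.
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]               # possible only inside the vault


def merchant_record(vault: TokenVault, customer: str, pan: str) -> dict:
    """What the merchant database stores: the token, never the PAN."""
    return {"customer": customer, "card_token": vault.tokenize(pan)}
```

A stolen copy of the merchant's records yields only values like the `card_token` field, which are useless without access to the vault's mapping.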

Detect and Prevent Fraud with Layered Security

Malware is going to exist and evolve for the foreseeable future. As long as organizations continue to store valuable PCI, PII, and PHI in their vulnerable business systems, malware will be able to invade and steal it. Organizations that implement a cloud tokenization platform know that their data is safely stored out of their systems so that even a successful malware attack will not result in lost data. However, other less protected organizations will have their data stolen and sold on the dark web. Now the challenge is to prevent the fraudulent re-use of the stolen PCI and the resulting financial losses for a tokenized organization.

Cobbling together multiple security and fraud technologies may provide limited relief from ad hoc fraud attempts using stolen PCI. To provide more comprehensive and automated protection, all the detection points need to be united under one system that combines artificial intelligence with human reasoning for accurate and lightning-fast decisions that simplify fraud detection and dramatically improve bottom-line profitability.

TokenEx Removes Toxic Data

With TokenEx as the integrator between your business systems and payment service providers, you never have to receive, store, or transmit sensitive data in order to use services such as fraud detection, account refresh, and marketing analytics. TokenEx takes care of passing the values — such as a specifically formatted hash value to represent a PAN — to the other services. For your systems, it’s business as usual, processing tokens instead of sensitive information.

TokenEx is an industry-leading cloud tokenization platform that removes PII without hindering your business processes, significantly lowering your risk of losing data and reducing PCI compliance burdens. Follow us on Twitter and LinkedIn to keep up with the latest news on how tokenization can solve your data security challenges.




Topic(s): data security, PII, tokenization
