While attending the Payments 2011 (NACHA for the nostalgic) conference earlier this week, news broke on the details of what some folks, including Mike Lennon from Security Week, tag as a massive breach at Epsilon. As we were swamped with conference activities, I didn't have time to dig into any details, but in the evening I hopped onto my personal email account and my eye was immediately drawn to a new email, "Important Notice from <a leading hospitality company>". Well, I'm no rocket scientist, but I've seen my share of phishing emails in my day; in this case I recalled the Epsilon headlines and figured the email might be related. Sure enough, the email provided an apology and high-level details on the breach, and went on to say that "in all likelihood this will not impact me". Hmm, I'm not so sure. As I scanned the rest of the email I was blown away to see that, in a closing sentence, they indicated that if I wanted more details I should click on the following link to "learn more". PAUSE. How can I be sure this email didn't come from the criminals who just stole the email list from Epsilon, and that the included link won't take me to a webpage that contains malware or proceed to sucker me into revealing additional personal information? I really can't be sure, and that, I believe, is what makes this breach quite serious indeed.
With the information the criminals have obtained, namely the company name and the customer email address, they can now execute highly targeted spear-phishing attacks. Spear-phishing attacks are more likely to succeed than generic attacks, as phishing expert Jason Hong, a computer scientist at Carnegie Mellon, details in a recent Fast Company article covering the story. He agrees with Lennon and rightly calls this "the most worrisome" possible outcome. Spear phishing targets specific users and relies on a very convincing premise to lure in the victim. Think about it: millions of apology emails will be going out over the next few days and weeks from some of the largest companies in the US, and the recipients of those emails will (a) be expecting those emails and (b) believe they are coming from a valid organization with whom they do business. Luckily, some of those organizations, such as Citi, have taken proactive measures to help protect their online consumers with email authentication features that help assure the sender's identity.
You know, there has been a lot of chatter about the upcoming FFIEC guidelines and a supposed backlash from some organizations that the FFIEC is becoming too prescriptive. I am not convinced; the frequency and sophistication of fraud attacks continue to grow exponentially, and at the end of the day it's online customers like you and me who will bear the pain of these breaches and the resulting fraud attacks.