Unfortunately, we have more “breaching” to report this week: As Reuters reports, “hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld.”
Of the 272.3 million stolen accounts, a majority were from users of Russia’s own Mail.ru service, their most popular one. But, “smaller fractions of Google, Yahoo, and Microsoft email users” were also hacked. Still unfolding, it’s already “one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago.”
TechRadar says that while it’s not clear “how recent the username and password combinations are… the stolen credentials could be abused multiple times by hackers. If you’re on Gmail, Yahoo or Hotmail then the best course of action is to change your password.”
The email breaches have another connection to some security writing in the news. We’ve talked about ACH here, of course. As our own tutorial has it, “basically, ACH allows a merchant to accept payments by check without having to have a paper check in hand. This means that even an online business can offer their customers the flexibility that comes with paying for products and services by check.”
We’ve also told you about the push from the government to institute “same day ACH,” so the payments would “clear” faster. As Pymnts.com is reporting “same Day ACH is slated to see its first rollouts among U.S. banks and FIs this September.”
The article talked about some of the “operational challenges” the stepped-up payments will face, working “with three windows a day now, instead of one… Fraudsters will pick up the opportunity to jump transactions right before window closure,” meaning there’ll be less time to review them.
One of the specific issues raised with this kind of fraud was… “business email compromise,” which brings us right back to our unfolding “breach” headlines. The problem, according to one security expert they talked to, is “when an employee is looking to authorize a payment under the instructions of someone posing as a CEO or CFO, that means banks have to be vigilant about blocking fraudulent transactions — even when an employee is convinced it’s legitimate.”
So the combination of stolen business “credentials” — email logins, and more — combined with the shortened window for verification presents more opportunity, in the near term, for additional fraud.
Meanwhile, there are other, ongoing, anti-fraud initiatives in the works. A new set of standards for PCI has been issued (that’s “Payment Credit Industry.”)
One of the biggest changes is that “with the PCI DSS 3.2 standard, all personnel with non-console administrative access to the cardholder data environment are required to have multifactor authentication.”
In other words, the chain of who needs to “authenticate” will grow. We’ll have more about that next week.