US carrier Verizon has now produced its Data Breach Investigations Report for seven years, and in 2014, it had over 50 contributors.
The report, which is a compilation of over 10 years’ worth of security data, gives carriers and companies in the market the chance to share information on cybersecurity threats and establish trends together.
Araceli Gomes, manager of cybersecurity solutions, engineering, at Verizon, says that such industry reports and member organisations are becoming commonplace in the market because “the security industry is learning the hard way”.
She tells Capacity: “This is a cyberbattle of good and evil and the bad guys are winning. They are collaborating and innovating, and are sharing tools and techniques and goals that they have in common. The call to action for the security community is for the good guys to gang up too and to share information and ensure that the main priority is to defeat these adversaries.”
Verizon security researchers claim that 92% of the 100,000 security incidents analysed over the past 10 years can be traced to nine basic attack patterns that vary from industry to industry.
The nine patterns are point-of-sale intrusion, web application threats, insider and privilege misuse, physical theft and loss, miscellaneous errors, crimeware, payment card skimmers, cyberespionage and DDoS attacks.
Gomes tells Capacity that Verizon compiled data to indicate that there were 63,437 reported incidents since the last report, of which 1,357 were confirmed data breaches.
This is more than double last year’s figure (627), and it led the company to structure the report differently from previous editions.
The fact that the number of contributors rose to 50 – from 18 in 2013, and just five in 2012 – was also a key factor in the amount of information that went into the report.
“We decided that because we had more information to work with, and with over 10 years of data, we had determined trends to make this report more meaningful,” says Gomes. “This led to analysing internet data trends, and all incidents have theories of non-specific attributes that can be used to shape responses, shore up defences and teach the security industry how to better respond to these attacks.”
Among the key findings, Verizon and its 50-strong group of contributors found that cyberespionage was up threefold from 2013, with 511 incidents reported, and that these incidents were the most complex and diverse of all nine categories.
China still leads the way for the most cyberespionage activity, but eastern Europe was also well represented, with more than 20% of attacks. DDoS attacks also became more prevalent in the financial services, retail, professional, information and public sector industries, while stolen or misused credentials (usernames and passwords) continue to be the number one way to gain access to information.
“There are four basic components within the Verizon framework, and it breaks incidents and breaches into four basic components,” says Gomes.
“There is an actor, an attribute, an action and an asset involved. We then look at them in terms of patterns and tune it in that way to provide a more useful look into the number of breaches, the number of incidents, which are all related to patterns and then make some collective determinations into how best to mitigate and better manage the threat per industry.”
As a national Tier-1 telecoms carrier, Verizon has always invested in critical network infrastructure, and the issue of cyberespionage has always been its most dominant threat.
“Telecoms falls into a hybrid and some of the categories are the most prevalent,” says Gomes. “Hackers have found ways of disrupting consumer reach, but critical infrastructure breaches have always been the biggest issues.”
The report has now developed as the data breaches become more intelligent, and contributing organisations include emergency response teams, law enforcement teams and foreign government agencies. “This report, among its key goals, is the facilitation of information sharing through a rich and comprehensive data set,” adds Gomes.
Key contributors: Verizon, McAfee, Australian Federal Police (AFP), Deloitte
The Telecommunications UK Fraud Forum (TUFF) promotes itself as “the forum of trust”, and true to its word, the organisation is very reluctant to divulge any information on the projects it is presently working on.
“There are people out there that will use public data to defeat us,” says TUFF CEO Ian Smith. “We have to exercise caution in divulging information on what the organisation is tackling at the moment.”
TUFF operates as an industry member body that is predominately committed to fighting mobile security crime.
It is a non-profit organisation, and serves as a forum to exchange information and promote a united effort against telecoms fraud through collaboration. It is UK based, and has a membership portfolio that includes some of the world’s largest operators.
Smith says one of the key aims of the association is to promote an open and co-operative environment. It also strives to establish working relationships with other similar fraud forums in the UK and overseas.
“Our overall mission is to form strategic alliances with consumer bodies and intermediate service providers, to identify fraud risks and to identify and define fraud methods,” says Smith.
TUFF claims to take a methodical approach in tackling the escalating issues of fraud by generating appropriate documentation to raise awareness of tools and tangible methods to manage fraud more effectively. It has also published two open presentations on countering fraud through data analytics and a guide on protecting ID.
While the organisation tackles telecoms fraud, Smith says that TUFF “is aware of the frequent overlaps of fraud into other sectors”.
When asked about the benefits of joining an organisation like TUFF, Smith drew on a recent example from one of its members. “As effectively demonstrated, the ability to share information leads to organisational learning and shaping of responses,” he says.
“One group of members benefitted from this approach when dealing with a prolific fraudster, with the result that there is a wider and deeper body of knowledge about this particular case, which is shared for the benefit of all.”
Smith does not reveal the specific types of fraud that TUFF is tackling, but the association has a presence in numerous events and training days, including the Pricing Mobile Data Next Generation conference, and the Enterprise Mobility World event later this year.
Key members: Three, BSkyB, British Telecom, Everything Everywhere, Fujitsu
David Huras, the Communications Fraud Control Association’s president, says there are two types of customers operating in the telecoms market.
“There are those customers that have been hit by fraud and those that will be,” he claims.
Now approaching its 30th anniversary, the CFCA was initially formed after AT&T decided to take action against the burgeoning fraud problems affecting the market in 1984.
Back then, telecoms carriers had to deal with basic hacking and subscription issues, which saw fraudsters attempting to gain access to fixed-line networks without paying the relevant charges to make overseas calls.
AT&T worked to recruit a range of other carriers in the US, including MCI, Network One and Sprint, to lay the groundwork for the CFCA. As Capacity went to press, the association had 85 members, including 60 carriers and 25 vendors.
“Telecoms fraud actually began in the late 1960s, but started to get a lot more complex in the 1980s, when AT&T formed what blossomed into the Communications Fraud Control Association,” says Huras, who is also manager of toll fraud and voice operations at MTS Allstream.
“When it started, there were not too many cell phones, so it was more focussed on fixed-line hacking. Now it has morphed into an organisation that covers pretty much all branches of telephony fraud, and not just on the technical side.”
Roberta Aronoff, the CFCA’s executive director, describes it as an education organisation with a primary mission to work towards countering fraud in the industry. “We work on educating carriers and the vendor community constituency about what is going on today in terms of fraudulent activity,” she says.
The CFCA conducts three educational events per year in the US, in addition to two fraud loss survey events every two years, with the next one due to be completed in 2015. It also works with larger organisations like the GSMA, and has representation at external events to share information and utilise member data to publish reports on fraudulent activity.
Aronoff says that with three events per year, one of the biggest advantages for a carrier to join the CFCA is the ability to network amongst its peers and allow for discussions, in addition to sharing information on the latest breaches and issues.
Huras says that, in its 30 years, the association has seen the same principles of fraud taking place, but it’s become a lot more complex to deal with. “We went from old technology to new SIM cards and now to network development, meaning we have to deal with fields like International Revenue Share Fraud (IRSF). They are still doing things like hacking and subscription fraud, but it has moved on with IP technology.”
Key members: AT&T, Comcast, Cable & Wireless, Level 3 Communications, MTS Allstream
At ITW 2014 in Chicago, Capacity exclusively revealed that three of the world’s largest carriers had signed an agreement to promote collaboration on voice and data networks across the world’s largest regions.
European carrier Orange, Middle Eastern operator Ooredoo and India’s Bharti Airtel formed an association as three founding carriers to implement a set of industry principles across a range of services.
The companies pledged to also tailor the collaboration towards combatting fraud by sharing best-practice tools available between them. The agreement will see the three carriers work together on numerous platforms, including improved technical reach interoperability in roaming signalling, transport, SMS and IPX.
With carriers now at the mercy of fraudsters – particularly on services that are based primarily on the internet – the operators said it had become essential to implement a set of initiatives designed to tackle data breaches.
“The three telcos involved have highly complementary coverage in a range of areas and we will deliver reliable and seamless services across this combined footprint while avoiding intermediate carriers,” says Yousuf Abdulla Al Kubaisi, CEO at Ooredoo Global Services. “Over the long term, we will work to find additional synergies that will be beneficial for all parties.”
The companies pledged to collaborate in other areas of the industry, including international voice. And as it gains more members, the Chicago Agreement aims to send all of its traffic through direct routes to optimise network use and fight against growing fraud threats across infrastructure.
The pioneering agreement is open to carriers around the world. The only requirement for other operators is to indicate similar ambitions towards collaboration.
Although there have been no further announcements on the partnership since May, the Chicago Agreement is expected to gain traction and grow its membership base. Airtel, Orange and Ooredoo are intent on sharing knowledge towards fighting fraud across a number of continents, while enhancing voice and data solutions for customers.
Alexandre Pébereau, EVP international carriers at Orange, claims that such an association is the industry’s necessary response to an increasingly complex ecosystem that is being driven by IP convergence.
“As international carriers, our contribution resides in the interconnection and interoperability we deliver for our customers,” he says. “We decided to strengthen it together, to optimise network reach and QoS, fight fraud and eventually enhance the experience of end-users. We welcome all carriers who share the same ambition to join us in this initiative.”
Founding members: Orange, Bharti Airtel, Ooredoo
Fast Identity Online (FIDO) is another non-profit organisation, which was formed in 2012 by six founding members and launched officially in 2013.
It is mainly designed to address the lack of interoperability between strong authentication devices. Market research data indicates that authentication of networks and devices, together with the difficulty of remembering multiple usernames and passwords, is one of the biggest problems facing the anti-fraud industry today. The FIDO Alliance pledges to change the nature of authentication by developing specifications, and to promote open and scalable solutions that reduce the industry’s reliance on passwords to authenticate online users.
Unlike other fraud industry organisations, the FIDO Alliance focusses on one particular type of threat and looks to create new standards for security devices and browser plug-ins. This is then intended to allow website and cloud applications to interface with a variety of devices.
PayPal – the online payment system that is used by eBay customers – first launched its innovative Security Key in 2007, a standardised one-time password (OTP) token that generates a password valid for only one login session or transaction. The company quickly found that there was user friction with the initiative, and it resulted in low adoption rates. Take-up of the payment service came mainly from those that were already victims of fraud and from more security-conscious customers.
Its initial impact was limited, but FIDO claims that end-user reluctance towards OTP illustrates one of the major value propositions of the alliance. The industry is keen to develop stronger authentication, but fails to take into account that stronger authentication means it is more difficult for the end user. FIDO was formed to develop an ecosystem that enables “better authentication”, that is simultaneously stronger and easier to use.
After securing high-profile members in the financial services and technology space – including BlackBerry, Bank of America and Microsoft – the alliance was handed a major boost after Google joined in 2013 and pledged to support authentication through its technology.
“Joining the FIDO Alliance is a great way to increase industry momentum around open standards for strong authentication,” says Sam Srinivas, product management director for information security at Google and a member of the FIDO Alliance board. “We look forward to continuing our current development work on strong, universal second-factor tokens as part of a new FIDO Alliance working group.”
FIDO conducts a testing programme that provides companies with a confidential environment to test their implementations against the alliance’s standards and specifications.
The overall strategic goal is to give participants in the ecosystem the assurance that products have completed the certification programme before being implemented in the market.
Key members: Google, MasterCard, Microsoft, BlackBerry