- Survey features US and UK employees' online holiday shopping plans
- Additional results available at www.isaca.org/online-shopping-risks
Employees plan to spend less time shopping online from a work-supplied computer this holiday season than they did a year ago, but more of them are engaging in risky behavior, according to ISACA’s annual “Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey”, which includes responses from 365 workers in the UK and 638 workers in the US.
Employees expect to spend an average of 6 hours shopping from a work computer or mobile device, with a quarter planning to spend 9 hours or more (20% USA and 33% UK). But there is an increase this year in the number of employees who take risky actions online, such as clicking on an e-mail link or providing their work e-mail address when shopping online, and 45% report accessing social network sites from their work-supplied computer or mobile device (42% USA and 49% UK).
“Employees who shop online not only reduce productivity—especially in late November to mid December, when 71% in the US and 65% in the UK make their purchases—but also open the door to social engineering and phishing attacks, malware, and information breaches that can cost companies thousands per employee to correct, millions in compromised corporate data, and severe damage to their reputation,” said John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, advisor with ISACA and president of IP Architects, LLC.
Shopping on Company-issued Mobile Devices
This year’s survey also found that almost half (47% in the US and 49% in the UK) of those who will be shopping online with company devices will do so using an employer-issued portable device, such as a notebook computer, tablet or smart phone. This increases a company’s security risk because these devices are often used on wireless networks outside of a protected corporate network. They also are more easily lost or stolen, and contain corporate data that are typically not encrypted.
“The number of portable computers and mobile devices in the workplace is only going to increase, so companies need to create a realistic security policy that lets employees stay mobile without compromising the company’s intellectual property. The IT mantra should be ‘embrace and educate’ to balance productivity and security,” said Mark Lobel, CISA, CISM, CISSP, mobile security project leader with ISACA and a principal at PricewaterhouseCoopers.
Security Not a Major Concern, Especially Among Digital Natives
Employees say the top three reasons for shopping at work are that it is a convenient use of lunch/break time (38% in the US and 25% in the UK), they are working long hours and don’t have time to shop from home (17% in the US and 26% in the UK) and they are bored at work (11% in the US and 5% in the UK). Security is not a major worry for survey participants, with only 3% in both the US and UK citing “better security” on their work computer as a reason for shopping online using a work computer, and just under two-thirds reporting that they do not use secure browsing technology on work-supplied devices. Forty-one percent in the US and 50% in the UK assume that their IT department keeps them up to date on security patches.
This attitude is especially common among digital natives, the generation that has grown up with the Internet. Young adults (ages 18-34) in the survey are less likely to use secure browsing technology. They also are the most likely to shop online at work and have the highest laptop use among all age groups.
“Digital natives are comfortable with blurring the lines between work and play, which poses new and interesting management challenges for their employers,” noted Robert Stroud, CGEIT, international vice president of ISACA and service management and governance evangelist at CA Technologies. “This generation is happy to use their own tablet computer at work or a work-supplied smart phone for shopping or updating Facebook, so they need a new kind of IT security policy—one that balances access and control.”
Shopping on the Job Costs UK Companies £3,000 or More per Employee
A separate global survey of 834 business and information technology (IT) professionals who are members of ISACA, conducted during the same time period, shows that a third of European respondents believe their organization loses £3,000 or more per employee as a result of an employee shopping online during work hours in November and December.
For mobile devices, an overwhelming majority (68%) ranked the risk of using a mobile shopping application on a work-supplied device as high or moderate. Despite that, 51% allow employees to use work-supplied mobile devices for personal use and 37% let employees use their own mobile devices for work.
- Real-time man-in-the-middle phishing attacks:
Trusteer’s research group has found that 30% of attacks against websites that use two-factor authentication now use real-time man-in-the-middle techniques to bypass this trusted security mechanism. These findings are based on monitoring of thousands of phishing attacks.
According to Mickey Boodaei, Trusteer's CEO, in a real-time phishing attack the user enters details into a phishing website, which captures the banking credentials and authentication information; the stolen credentials are then immediately used to open a session on the real bank website to commit fraud. The authentication information typically captured and used by criminals in real-time phishing includes one-time passwords (OTPs), tokens, SMS authentication and card-and-reader devices, rendering all of them ineffective against this type of attack.
Most phishing attacks to date have been completely static. In a traditional phishing attack the victim reaches a phishing website and submits login credentials, which are stored for later use by e-criminals. The introduction of strong two-factor authentication, especially one-time passwords, rendered these attacks useless, because fraudsters could not use static stolen credentials to commit fraud. With strong two-factor authentication the user is required to provide an OTP as part of the login process. There are many OTP approaches: some are based on token devices that users carry with them, others are sent to the user's phone as an SMS text or voice call each time the user tries to log on. OTPs are time-limited: even if fraudsters manage to capture OTP data, there is only a short period in which it can be used. For some time, websites that used strong two-factor authentication reported a significant drop in phishing attacks. The e-criminals, however, have not given up.
Man-in-the-Middle Phishing
“Recently Trusteer have noticed an increase, on 3 different continents, of a type of attack called man-in-the-middle phishing or real-time phishing. This tactic allows fraudsters to completely bypass two-factor authentication. The concept is not a new one and is well known in the security world; however, up until now, we haven't seen too many attacks like this. The recent escalation of websites now experiencing this type of attack is a cause for immediate concern,” said Boodaei.
In a man-in-the-middle attack the phishing website is connected, in real time, to the bank website. The credentials that the user submits to the phishing site, including OTPs, are stolen and used immediately by the fraudsters to initiate a fraudulent session with the bank website. It doesn't matter whether the website is using a dedicated OTP token, SMS authentication, a card-and-reader device, or any other type of two-factor authentication.
At first glance, real-time phishing seems just like any other phishing attack. On closer examination of the malicious website, however, one can determine that it is, in fact, connected in real-time to the bank. This enables any information submitted to the fake web page to be immediately posted to the bank website.
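The time-limit property described above is what makes stored credentials useless yet leaves an immediately relayed code valid. The following added example (not Trusteer's code; it uses a constructed secret and a fixed clock) implements standard RFC 4226/6238 HOTP/TOTP with the usual server-side acceptance window, then checks the same code once after a ten-minute delay and once after a five-second delay.

```python
import hmac
import hashlib
import struct

TIME_STEP = 30       # seconds per OTP period (RFC 6238 default)
ACCEPT_WINDOW = 1    # servers commonly accept one step either side for clock drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(now // TIME_STEP))


def verify_totp(secret: bytes, code: str, now: float, window: int = ACCEPT_WINDOW) -> bool:
    """Server-side check: the code must match the current step or one within the window."""
    step = int(now // TIME_STEP)
    return any(
        hmac.compare_digest(hotp(secret, step + d), code)
        for d in range(-window, window + 1)
    )


# Constructed demo values: not real account data, fixed clock for reproducibility
SECRET = b"constructed-demo-secret-12345"
T0 = 1_700_000_000.0


def static_capture_replayed_later(delay_s: float = 600) -> bool:
    """Traditional phishing: the captured code is stored and tried later. Expired -> rejected."""
    code = totp(SECRET, T0)
    return verify_totp(SECRET, code, T0 + delay_s)


def realtime_relay(delay_s: float = 5) -> bool:
    """Real-time phishing: the same code is forwarded within seconds -> still accepted."""
    code = totp(SECRET, T0)
    return verify_totp(SECRET, code, T0 + delay_s)


if __name__ == "__main__":
    print("stored code used 10 min later accepted:", static_capture_replayed_later())
    print("same code relayed 5 s later accepted:  ", realtime_relay())
```

The window check is the part a defender controls, and shortening it does not help here: the relayed code arrives within the same step as the legitimate one, which is why the page argues that layers beyond the OTP itself are needed.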
Many organizations that used strong two-factor authentication were dismissive of phishing attacks, assuming that such attacks were incapable of bypassing their security controls. This is no longer the case. Using phishing kits with real-time capabilities, fraudsters have improved their operations to conduct fraud in real time.
“With real-time phishing, OTPs are becoming useless. There is no update or improvement to OTP that can defeat real time phishing. The best form of defence is to implement dynamic layers of security, including browsing security, that can adapt to and block new threats,” said Boodaei.