BayPay Forum

New Law's Impact on IT Security and Privacy Protections

Category: Security News

Leading the latest edition of the ISMG Security Report: an analysis of the impact on healthcare information security and privacy of the 21st Century Cures Act, which President Obama was slated to sign into law Dec. 13.

In this episode, you'll hear:

  • HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee discuss the impact the new law will have on the Department of Health and Human Services' privacy and security projects;
  • ISMG Security and Technology Managing Editor Jeremy Kirk explain the extremely effective technical tricks used to deliver malware to computers through malvertising;
  • DataBreachToday Executive Editor Mathew Schwartz report on an internal investigation into the February theft of $81 million from the central bank of Bangladesh, which reportedly found that a handful of negligent and careless bank officials inadvertently helped facilitate the heist by outside hackers.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Dec. 6 and Dec. 9 reports, which respectively analyze observations of a member of President Obama's Commission on Enhancing Cybersecurity on its recently issued report and President-elect Donald Trump's cybersecurity acumen. The next ISMG Security Report will be posted on Friday, Dec. 16.

Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.


How New Technologies Help Hackers Wage Sophisticated Attacks

Category: Security News

Hackers are increasingly taking advantage of new technologies, including analytics and artificial intelligence, to launch more sophisticated attacks and commit cybercrimes, says Bill Fox, a former federal prosecutor.

"What is most disturbing is that whatever innovations are made in analytics and artificial intelligence, they'll be used by hackers in the same way they'll be used by cybersecurity experts," he warns in an interview with Information Security Media Group.

"Hackers will begin using AI, and once they get in, and can see email, they can begin drafting phishing emails that really sound like they're coming from people that you know and are about subjects [on which] you get email," says Fox, who now serves as a vice president at MarkLogic.

The more advanced phishing schemes often are portrayed as messages from colleagues seeking assistance - such as help building a slide deck for a conference presentation, he says. "You open it, and that's it, [the attackers] are in," he says. The methods phishing schemes are now using are "much subtler" than some of the cybercrime tactics that were common back when Fox was prosecuting these kinds of cases earlier in his career, he notes.

Identifying Anomalies

Identifying anomalous behavior plays an important role in helping detect and defend against cyberattacks, he says. "You have to assume you've already been hacked and then understand how to recognize that anomalous network activity."

Another emerging risk, Fox says, is criminals paying employees who are authorized to access certain data to exfiltrate it illegally, enabling cybercrimes such as ID theft and fraud.

"You have to be able to track [employee] network activities and be able to identify those kinds of trends," he says.

In the interview, Fox also discusses:

  • Other steps organizations can take to avoid becoming victims of cybercrime;
  • The potential data privacy and security implications for the HealthCare.gov systems and website if the incoming Trump administration fulfills a campaign promise to repeal the Affordable Care Act;
  • Why recent ransomware and other cyberattacks could be putting some healthcare organizations at greater risk of insider breaches.

Fox is vice president of healthcare and life sciences at enterprise database software vendor MarkLogic. He also serves on the board of directors of the Medical Identity Fraud Alliance. Previously, Fox was a cybersecurity consultant at Booz Allen Hamilton, and he also held healthcare leadership positions at Emdeon and LexisNexis. He also was the deputy chief of economic and cybercrime at the Philadelphia District Attorney's Office, special assistant U.S. attorney for the Eastern District of Pennsylvania and a law firm partner.


Security Scorecard: Where Are Consumers Most Engaged?

Category: Security News

How much time and effort will consumers put into protecting themselves from ID theft and financial fraud? That was the question posed by Aite Group's Julie Conroy in researching the new Global Security Engagement Scorecard. And the answer might just surprise you.

For instance, would you have guessed that out of seven countries surveyed - Australia, Brazil, Canada, India, South Africa, Spain and the United States - Indian consumers are the most concerned about identity theft and payment card fraud? And that No. 2 on the list for security engagement is South Africa? Canada claims the bottom spot, by the way, with the U.S. weighing in next-to-last.

What it comes down to, says Conroy, a research director at the consultancy, is this: there is a direct correlation between the level of security engagement and the extent to which consumers believe they have skin in the game.

"As you look at countries like India and South Africa, where the concept of zero-liability for fraud is not well established, we found dramatically more engagement and willingness to engage in fraud prevention and security," Conroy says in an interview with Information Security Media Group. "At the end of the day, the consumer has a vested interest because they have actual financial exposure in the case of fraud."

But in the U.S. and Canada, where consumers are legally protected from feeling the full burden of fraud losses, the consumer engagement is significantly lower, the study finds.

"In the U.S. market, it's a beautiful thing that we have Reg E and Reg Z that protect us [from fraud losses]," Conroy says. "But at the same time, it makes bringing a more interactive fraud prevention and security experience very challenging. We don't have a lot of consumers who would be willing to put a dongle into their computer and stick an EMV card into it to do a [card not present] transaction. There just would not be that level of tolerance because it would be a complete inconvenience."

Achieving a Balance

Organizations are going to continue to struggle with the question of balancing security versus a frictionless customer experience, Conroy says. But as both fraud and regulation evolve in different markets, she expects the Global Security Engagement Scorecard will shift, too.

In this interview about her latest research, Conroy discusses:

  • Key findings from the study;
  • The message to financial institutions and other organizations seeking to balance security and convenience;
  • How regional regulatory changes might shift the scorecard in 2017.

At Aite Group, Conroy covers fraud and data security issues. She has more than a decade of hands-on product management experience, working with financial institutions, payments processors and risk management companies, including a number of years managing the product team at Early Warning Services.


Kentucky Fried Breach

Category: Security News

Data Breach

Who Hacked the Colonel?

Mathew J. Schwartz (euroinfosec) • December 13, 2016
Image credit: Mike Mozart (Flickr/CC)

In the latest sign that when it comes to data, absolutely nothing is sacred, hackers have set their sights on fans of Kentucky Fried Chicken.


KFC, a Yum Brands chain, is warning 1.2 million members of its loyalty program in the U.K. and Ireland that their login credentials may have been compromised by attackers attempting to guess usernames and passwords. It's sent an email to all program members urging them to change their passwords.

"We've now introduced additional security measures to further safeguard our members' accounts and to stop this kind of thing from happening again." 

"We take the online security of our fans very seriously, so we've advised all Colonel's Club members to change their passwords as a precaution, despite only a small number of accounts being directly affected," Brad Scheiner, Head of IT at KFC UK & Ireland, tells Information Security Media Group. "We don't store credit card details as part of our Colonel's Club rewards scheme, so no financial data was compromised."

The loyalty program, known as the Colonel's Club, uses an Android or iOS app - or else a physical card - to award virtual "stamps" each time a customer spends a preset amount; the stamps can later be exchanged for free food.

In a frequently asked questions section on KFC's website, the chain promises: "Please don't worry, your information is safely locked away with us and will not be shared with anyone."

KFC says it has more than 20,000 outlets in 125 countries and territories around the world. But Colonel's Club only works in the United Kingdom and Ireland, meaning the breach is restricted to just those geographies.

In its email to customers, the chain says that its "monitoring systems" helped spot that "a small number of Colonel's Club accounts may have been compromised as a result of our website being targeted."

A spokesman tells me: "As a result of automated software attempting to guess Colonel's Club members' passwords, we have implemented changes to our back-end and front-end systems. One thing customers may notice is the addition of reCAPTCHA on the website which is used to distinguish between human and software login attempts."

KFC believes that only about 30 of its 1.2 million members had been targeted.
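A defender-side illustration of the kind of monitoring KFC describes (an added example, not KFC's or ISMG's code): given login events in a constructed log format, flag a source address that fails across many distinct usernames inside a short window, and list the accounts that source nonetheless logged into so they can be force-reset. The log format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, format "<iso-timestamp> <src-ip> <username> <ok|fail>" (an assumption):
# one source walks a list of usernames (credential stuffing, one guess lands), one legitimate
# user mistypes a password once and then logs in.
SAMPLE_LOG = """\
2016-12-12T10:00:01 203.0.113.7 alice fail
2016-12-12T10:00:02 203.0.113.7 bob fail
2016-12-12T10:00:02 203.0.113.7 carol fail
2016-12-12T10:00:03 203.0.113.7 dave fail
2016-12-12T10:00:03 203.0.113.7 erin ok
2016-12-12T10:00:04 203.0.113.7 frank fail
2016-12-12T10:05:00 198.51.100.4 alice fail
2016-12-12T10:05:09 198.51.100.4 alice ok
"""

def parse(log_text):
    """Turn log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events

def find_guessing_sources(events, window=timedelta(minutes=5), min_failures=4, min_users=3):
    """Map each automated-looking source IP to the usernames it logged into successfully.

    A source is flagged when, inside one sliding `window`, it fails at least `min_failures`
    times across at least `min_users` distinct usernames: a real user mistypes their own
    password, they do not walk a list of accounts. Thresholds are assumed; tune to real traffic.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            failures = [u for _, u, ok in span if not ok]
            if len(failures) >= min_failures and len(set(failures)) >= min_users:
                # Accounts this source did get into need a forced password reset.
                flagged[ip] = {u for _, u, ok in rows if ok}
                break
    return flagged
```

Running `find_guessing_sources(parse(SAMPLE_LOG))` flags only 203.0.113.7 and reports "erin" as the account to reset; the single mistyped password from 198.51.100.4 is left alone.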

Loyalty Programs Under Fire

The breach, of course, is the latest reminder to users to never reuse the same password on different sites. Instead, many security experts recommend that everyone always employ a password manager to keep track of unique passwords for every site they use. Password managers can be used as standalone apps on laptops, desktops or mobile devices, as well as via services with an online component (see Why Are We So Stupid About Passwords? Yahoo Edition).

This isn't the first time that fraudsters have targeted a chain's loyalty program (see Fraudsters Drain Starbucks Accounts).

But Colonel's Club users may be getting off easy, vis-à-vis many other types of hack attacks.

Since the Colonel's Club program doesn't give customers the ability to tie payment cards to the account or charge them up with virtual cash, the only thing at risk is that users might lose a free "Flamin Wrap" or two.


Third Alleged Hacker Arrested in Chase Breach

Category: Security News

Data Breach, Fraud

American Who Had Been Living in Russia Faces Multiple Charges

Tracy Kitten (FraudBlogger) • December 15, 2016

A third suspect alleged to be responsible for the 2014 JPMorgan Chase data breach, which resulted in the compromise of data linked to more than 83 million customers, was arrested Dec. 14 after voluntarily returning to the U.S. from Russia, according to The Associated Press and other news media reports.


Joshua Samuel Aaron, 32, who also goes by the alias "Mike Shields," was arrested at JFK International Airport after waiving extradition and asylum in Russia "to responsibly address the charges," Aaron's attorney, Benjamin Brafman, told AP.

Aaron, a U.S. citizen, had been living in Moscow, the U.S. Attorney for the Southern District of New York announced Wednesday. Now he, along with co-defendants Gery Shalon and Ziv Orenstein, who were both arrested by Israeli authorities in July 2015 and extradited to the U.S. in June 2016, faces charges that include securities fraud, wire fraud, market manipulation, identification document fraud, aggravated identity theft and money laundering (see Israel to Extradite Alleged Chase Hackers).

Aaron and Shalon also have been charged with computer hacking.

If convicted on all counts, all three men could be sentenced to more than 100 years in prison.

Waging Cyberattacks

All three were charged last November, accused of orchestrating and waging cyberattacks between 2012 and mid-2015 that compromised Chase and 11 other U.S. banks and financial services firms. The Chase breach resulted in the compromise of contact information, including names, addresses, phone numbers and email addresses, linked to 76 million households and 7 million small businesses.

"Joshua Samuel Aaron allegedly worked to hack into the networks of dozens of American companies, ultimately leading to the largest theft of personal information from U.S. financial institutions ever," says U.S. Attorney Preet Bharara. "For pursuing what we have called 'hacking as a business model,' and thanks to the efforts of the FBI and the U.S. Secret Service, Aaron will now join his co-defendants to face justice in a Manhattan federal courtroom."

Tracking Down Hackers

One cybersecurity expert says the arrest reflects law enforcement's increasing effort to track hackers and more swiftly bring them to justice.

"The investigative techniques and abilities of law enforcement to sniff out the trail of cybercriminals these days, despite obfuscation techniques, continues to get better, and it only takes one mistake to get caught," says Chris Pierson, general counsel and CISO at payments and invoicing provider Viewpost.

Still, many cybercriminals continue to elude justice, he adds. "While we see many notable arrests with larger incidents, the abilities of most cybercriminals to avoid arrest and prosecution remains the biggest hurdle for ecommerce," Pierson says. "Cybercriminals are always looking for the easy targets and exploits to penetrate a company. These opportunities that allow entry can come quickly."
