Do you know how to play chess? If not, do not worry: you can still beat a chess grandmaster. The trick is a relay attack: invite two chess GMs to play you online and copy one's moves against the other. The same relay attack is beautifully demonstrated, in the linked video, to extract details from a contactless card. There have been improvements in the control design around contactless cards, but outside secure environments (like Singapore) it should probably still be a concern.
I recollect that when I first used a contactless card to make a purchase I literally freaked out; the countermeasure offered for comfort was a restriction on the value of a single transaction, which happens to be less than $100.
A few ideas I came across at the last RSA summit concerned how to inculcate good security habits amongst our users. The solution, it seems, lies partly in human psychology. For example, users often leave their workstation unlocked and unattended. One needs to drill the user to press Ctrl+Alt+Del when they stand up to leave the workstation, so that it becomes an automatic reaction. The human brain needs hundreds of repetitions to form a habit. The military does this very well. Does this make the case for a daily morning drill for our users with enhanced privileges working in the DC? In my mind it does.
Game-based tests can be supplied to senior management to make them better judges of a phishing email. Attackers are really good at this: they devote considerable time and testing at their own end before launching a spear-phishing attack targeting the COO, CFO, etc. Therefore it is all about your own team's practice and preparedness to counter the attack.
In the same session on human behaviour there was a good suggestion: ask bilingual users to develop passwords in their first language, such as Bengali, Chinese or Korean. The user can write a password in English letters as the phrase is phonetically spoken in their own first language. Such a password is highly unlikely to be listed in the English dictionary an attacker deploys as part of an attack. However, there is still a fair bit of debate over whether an organisation should be advising users on password/passphrase writing, or whether we feel the traditional technical control, in the form of mandatory use of at least one upper-case character plus a numeral, is good enough. A popular password uncovered was: pASSWORD$999 (so lazy).
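To show why the complexity rule alone is not good enough, here is an added example (my own illustration, not from the RSA session or any product) that puts the traditional "upper-case plus numeral plus symbol" policy side by side with a dictionary-aware check. The check lower-cases the password, strips the leading and trailing digits and symbols, undoes common letter-for-symbol substitutions, and looks the remaining core token up in a wordlist. The wordlist, the substitution map and the transliterated-style passphrase are all constructed for the example; the only real password on the page is pASSWORD$999.

```python
import re

# Constructed stand-in for an attacker's English dictionary (assumption: a real one has millions of entries).
ENGLISH_WORDLIST = {"password", "welcome", "summer", "monkey", "dragon", "letmein", "football"}

# Constructed map of common symbol/digit-for-letter rewrites that cracking rules undo routinely.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def passes_complexity_policy(pw: str) -> bool:
    """The traditional control: length >= 8 with an upper-case letter, a lower-case letter, a digit and a symbol."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def base_word(pw: str) -> str:
    """Recover the core token a cracking rule would target: lower-case, strip the decorations at either end,
    then undo leet substitutions in what remains."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)  # drop leading/trailing digits and symbols
    return core.translate(LEET_MAP)


def dictionary_aware_check(pw: str, wordlist=ENGLISH_WORDLIST, min_length: int = 12) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects anything whose core token is a dictionary word,
    regardless of how it has been capitalised or decorated."""
    core = base_word(pw)
    if pw.lower() in wordlist or core in wordlist:
        return False, f"core token {core!r} is a dictionary word"
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "no dictionary core found"


def evaluate(pw: str) -> dict:
    """Run both controls so the two verdicts can be compared for one password."""
    accepted, reason = dictionary_aware_check(pw)
    return {
        "password": pw,
        "complexity_policy": passes_complexity_policy(pw),
        "dictionary_aware": accepted,
        "reason": reason,
    }


if __name__ == "__main__":
    # pASSWORD$999 is the password quoted in the post; the second string is a constructed
    # sample standing in for an English-transliterated first-language phrase.
    for candidate in ("pASSWORD$999", "P@ssw0rd1", "amarbaritomarbari"):
        print(evaluate(candidate))
```

Running it shows the gap the post is pointing at: pASSWORD$999 satisfies every complexity rule yet its core token is simply "password", while the transliterated passphrase fails the complexity policy (no upper-case, no digit) but has no dictionary core for an English wordlist to find. A policy that only counts character classes rewards the former and punishes the latter.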