After the recent incidents it seems that SMS is not a very secure second factor for authentication.
Australian Telcos Declare SMS Unsafe For Bank Transactions. The article Telcos declare SMS ‘unsafe’ for bank transactions reports that the lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction.
SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication. Security experts have warned about the inherent lack of security posed by SMS technology for several years. SMS was not designed to act as a second authentication factor. There are numerous reports of Australians being defrauded via a phone porting scam: With only a few phone calls to a victim’s workplace or home address, a fraudster can gain enough information (date of birth and mobile phone number) to port a victim’s mobile phone number to a new SIM device and intercept one-time passwords sent via SMS for online banking sessions. Banks have said that SMS should be considered part of a “layered” security solution.
Many European banks leverage a two-factor authentication approach for logging into their online portals. In addition to a standard password, an SMS message is typically sent to the user, providing the required second factor for authentication. The SMS text message has turned 20 years old, and the world around it has changed. Earlier, SMS messages were received on mobile phones whose software was stable and did not change for no reason. Now, in the smartphone age, different applications and malware can affect how the smartphone handles your SMS messages (they can easily do something to them without you knowing about it). SMS is not designed to be a secure communications channel, and it is not a very secure channel. Security experts have warned about the inherent lack of security posed by SMS technology for several years. SMS was not designed to act as a second authentication factor, but it is used as such.
Last week Check Point revealed how a sophisticated malware attack was used to steal an estimated €36 million ($47 million) from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over the summer this year. The theft used malware to target the PCs and mobile devices of banking customers. The attack also took advantage of SMS messages used by banks as part of customers’ secure login and authentication process.
The Eurograbber Trojan employs a feature designed to help users feel more secure about their online banking to rip them off: when the user is on the banking web site, the Trojan requests that the user provide their mobile phone number in order to complete a required upgrade. A user who falls for the ruse and provides the mobile phone number will then receive an SMS on their phone, purportedly from their bank. That SMS directs the user to click a link which downloads a Zeus mobile Trojan. At that point the user is basically owned, and the next time they access their bank account the attack initiates a transaction to transfer money out of the account to the attacker’s account.
For more details on how Eurograbber worked, read How the Eurograbber attack stole 36 million euros. For even more detailed information, read the report published by security vendors Versafe and Check Point Software Technologies: A Case Study of Eurograbber: How 36 Million Euros was Stolen via Malware.
Article links on Eurograbber:
- How the Eurograbber attack stole 36 million euros.
- Zeus Botnet Eurograbber Steals $47 Million
- Inside Eurograbber: How SMS Was Used to Pilfer Millions
- Million-euro theft in Europe: Virus took the money from accounts (in Finnish)
- Hackers grabbed 36 million from online banks (in Finnish)
- Virus took 36 million euros from online bank accounts (in Finnish)
The Eurograbber attack is a dangerous one, but it can be prevented if users take the right steps: make sure they keep everything on their phones and desktops up to date (that includes both the operating system and software plugins such as Java and Flash).
Just using normal virus protection does not block sophisticated attacks. Users can nowadays also get infected from well-known web sites.
Security is all about layers. You can’t ever block everything in one place, so you need layers of security to protect yourself. An enterprise can put in lots of devices and layers to protect itself and its customers, because you can’t be 100 percent protected against everything with only one solution.
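One way a bank could treat the SMS code as a single layer rather than the whole decision, given the phone porting scam described above. This is an added example, not code from the article or from any bank; the telco port-date lookup, the thresholds, the field names and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy values, chosen for illustration only.
PORT_COOLDOWN = timedelta(days=7)      # distrust SMS this long after a number port
NEW_PAYEE_LIMIT_EUR = 500.0            # larger transfers to unseen payees need more proof


@dataclass(frozen=True)
class TransferRequest:
    requested_at: datetime
    amount_eur: float
    payee_iban: str
    known_payees: frozenset
    sms_otp_matches: bool
    # When the mobile number last moved to a new SIM or operator, as reported
    # by a hypothetical telco lookup. None means no port on record.
    number_last_ported: Optional[datetime]


def decide(req: TransferRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "deny", reasons).

    A correct SMS code is necessary but never sufficient: "step_up" means the
    bank asks for a factor that does not travel over SMS before releasing funds.
    """
    if not req.sms_otp_matches:
        return "deny", ["sms_otp_mismatch"]

    reasons: List[str] = []

    # Layer 1: a freshly ported number may be in a fraudster's hands, so the
    # code proves nothing about who typed it. A port date slightly in the
    # future (clock skew) also counts as recent.
    if (req.number_last_ported is not None
            and req.requested_at - req.number_last_ported < PORT_COOLDOWN):
        reasons.append("number_recently_ported")

    # Layer 2: money leaving to a payee this customer has never paid before.
    if (req.payee_iban not in req.known_payees
            and req.amount_eur > NEW_PAYEE_LIMIT_EUR):
        reasons.append("large_transfer_to_new_payee")

    return ("step_up" if reasons else "allow"), reasons


def demo() -> List[Tuple[str, List[str]]]:
    """Run the policy over constructed requests (no real accounts or IBANs)."""
    now = datetime(2012, 12, 10, 12, 0)
    payees = frozenset({"CONSTRUCTED-IBAN-0001"})
    samples = [
        # Routine payment, number never ported.
        TransferRequest(now, 50.0, "CONSTRUCTED-IBAN-0001", payees, True, None),
        # Correct code, but the number moved to a new SIM two days ago.
        TransferRequest(now, 50.0, "CONSTRUCTED-IBAN-0001", payees, True,
                        now - timedelta(days=2)),
        # Correct code, old port, large transfer to an unseen payee.
        TransferRequest(now, 9000.0, "CONSTRUCTED-IBAN-9999", payees, True,
                        now - timedelta(days=30)),
        # Both warning signs at once.
        TransferRequest(now, 9000.0, "CONSTRUCTED-IBAN-9999", payees, True,
                        now - timedelta(hours=3)),
        # Wrong code: nothing else matters.
        TransferRequest(now, 50.0, "CONSTRUCTED-IBAN-0001", payees, False, None),
    ]
    return [decide(s) for s in samples]


if __name__ == "__main__":
    for decision, why in demo():
        print(decision, why)
```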
64 Comments
Tomi Engdahl says:
Massive bank cyberattack planned
http://money.cnn.com/2012/12/13/technology/security/bank-cyberattack-blitzkrieg/
Security firm McAfee on Thursday released a report warning that a massive cyberattack on 30 U.S. banks has been planned, with the goal of stealing millions of dollars from consumers’ bank accounts.
RSA startled the security world with its announcement that a gang of cybercriminals had developed a sophisticated Trojan aimed at funneling money out of bank accounts from Chase (JPM, Fortune 500), Citibank (C, Fortune 500), Wells Fargo (WFC, Fortune 500), eBay (EBAY, Fortune 500) subsidiary PayPal and dozens of other large banks. Known as “Project Blitzkrieg,” the plan has been successfully tested on at least 300 guinea pig bank accounts in the United States, and the crime ring had plans to launch its attack in full force in the spring of 2013, according to McAfee, a unit of Intel.
Project Blitzkrieg began with a massive cybercriminal recruiting campaign, promising each recruit a share of the stolen funds in exchange for their hacking ability and busywork.
The financial industry is accustomed to fending off skilled cyberthieves. It gets hit every day by thousands of attacks on its infrastructure and networks, according to Bill Wansley, a senior vice president at Booz Allen Hamilton who specializes in cybersecurity issues.
Those are just the attacks that get discovered. Not a single financial industry network that Booz Allen examined has been malware-free, he noted.
“If you catch something early on, you can minimize the threat,” Wansley said. “It’s definitely worthwhile to get a heads up.”
The Cyber Fighters are at it again, declaring that they will be launching attacks on banks’ websites this week as part of “Operation Ababil.” The banks are preparing.
“Security is core to our mission and safeguarding our customers’ information is at the foundation of all we do,” said Wells Fargo spokeswoman Sara Hawkins. “We constantly monitor the environment, assess potential threats, and take action as warranted.”
In June, McAfee uncovered “Operation High Roller” — a cyberattack that could have stolen as much as $80 million from more than 60 banks.
Tomi Engdahl says:
Is Everything We Know About Password Stealing Wrong?
http://research.microsoft.com/pubs/161829/EverythingWeKnow.pdf
Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen. The implications lead us to several interesting conclusions.
First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated.
Since password-enabled transfers can always be repudiated this explains the importance of mules, who accept bad transfers and initiate good ones.
This suggests that it is the mule accounts rather than those of victims that are pillaged.
We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cyber-crime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.
Tomi Engdahl says:
US Web payment enabler Stripe finally comes to Europe, launches beta service in the UK
http://thenextweb.com/uk/2013/03/01/stripe-uk-europe-launch/
Stripe, the fast-growing Web payment enabler from the US, has finally launched its service in Europe, starting with the UK today.
The company allows website owners and developers to begin accepting payments online with little more than the addition of a few lines of code.
Developers simply sign up for a free account and input the code displayed on its website. Stripe handles the full stack of payments — from storing cards, to subscriptions, and direct payouts — and it charges a flat 2.9 percent rate and $0.30 on each transaction.
Tomi Engdahl says:
Mobile Malcoders Pay to (Google) Play
http://krebsonsecurity.com/2013/03/mobile-malcoders-pay-to-google-play/
An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits, as well as a brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale.
I recently encountered an Android malware developer on a semi-private Underweb forum who was actively buying up verified developer accounts at Google Play for $100 apiece.
Unsurprisingly, this particular entrepreneur also sells an Android SMS malware package that targets customers of Citibank, HSBC and ING, as well as 66 other financial institutions in Australia, France, India, Italy, Germany, New Zealand, Singapore, Spain, Switzerland and Turkey.
The targeted banks offer text messages as a form of multi-factor authentication, and this bot is designed to intercept all incoming SMS messages on infected Android phones.
This bot kit — dubbed “Perkele” by a malcoder who goes by the same nickname (‘perkele’ is a Finnish curse word for “devil” or “damn”) — does not appear to be terribly diabolical or sophisticated as modern mobile malware goes. Still, judging from the number and reputation of forum buyers who endorsed Perkele’s malware, it appears quite popular and to perform as advertised.
Perkele is designed to work in tandem with PC malware “Web injects,” malcode components that can modify bank Web sites as displayed in the victim’s browser. When the victim goes to log in to their bank account at their PC, the malware Web inject informs the victim that in order to complete the second, mobile authentication portion of the login process, the user will need to install a special security certificate on their phone. The victim is then prompted to enter their mobile number, and is sent an SMS or HTTP link to download the mobile malware.
Of course, there are far more sophisticated mobile malware threats in circulation than anything Perkele could help dream up.
Tomi Engdahl says:
ATM hackers steal $45m from banks across the world in a matter of hours
Lack of chip and pin in the US was to blame, says Kaspersky
http://www.theinquirer.net/inquirer/news/2267430/atm-hackers-steal-usd45m-from-banks-across-the-world-in-a-matter-of-hours
A GLOBAL MOB of hackers stole $45 million from thousands of ATMs in a matter of hours in the second cyber heist of its kind, authorities in New York have said.
“These defendants allegedly formed the New York-based cell of an international cybercrime organisation that used sophisticated intrusion techniques to hack into the systems of global financial institutions, steal prepaid debit card data, and eliminate withdrawal limits,” the US Attorney’s office said.
“The eight indicted defendants and their co-conspirators targeted New York City and withdrew approximately $2.8 million in a matter of hours.”
Kaspersky Lab’s director of global research and analysis Costin Raiu explained that the cybercriminals were able to commit the “biggest and quickest thefts we have seen” by replicating real cards with blank cards through programming the magnetic stripe.
Raiu said this is a major problem in the US at the moment because the insecure magnetic stripe is still used when making payments and bank withdrawals with cards, whereas this has been mostly abandoned everywhere in Europe and replaced by the more secure chip and pin security.
Tomi Engdahl says:
Cyber caper: behind the scenes of the $45 million global ATM heist
http://www.theverge.com/2013/5/13/4326336/cyber-caper-behind-the-scenes-of-the-45-million-atm-heist
Hackers coordinated with cells on the ground to carry out a precise, sophisticated attack
The man in the black beanie was part of a sophisticated “Unlimited Operation,” according to prosecutors in New York. Hackers allegedly broke into the computer systems of at least two credit card processing companies, stole prepaid debit card account numbers and programmed them with astronomical balances. Normally, prepaid debit cards are capped according to how much the customer paid for the card; the hackers essentially created infinite cards.
Map of Reyes’ alleged route withdrawing money from ATMs on February 19th. The numbers indicate the ATM cameras that allegedly captured him, in order. Source: US Attorney, Eastern District of New York
The account numbers were then emailed or texted to accomplices on the ground, who used a device called a “skimmer” to encode the account numbers onto the magnetic stripes of dummy cards. The groundlings then went on a withdrawal spree, hitting as many ATMs as they could in a matter of hours, while the hackers watched the transactions from behind remote screens, in real time. Between two tightly-coordinated heists, the shadowy criminal ring netted nearly $45 million in cash.
“The cyberattacks employed by the defendants and their co-conspirators in this case are known in the cyber underworld as ‘Unlimited Operations,’”
“They became a virtual criminal flash mob, going from machine to machine, drawing as much money as they could, before these accounts were shut down,” US attorney Loretta Lynch said at a press conference.
The hackers targeted specific financial service providers, according to the indictment, suggesting that they were aware of some security vulnerability.
This isn’t the first time hackers have ripped off ATMs for millions of dollars. Cyberattacks have resulted in hackers taking $2 million from European ATMs in 46 cities and tens of millions of dollars were stolen from 12 European banks just in the last year, according to research by Symantec.
The vulnerability that led to the hacks appears to have something to do with the complicated, fragmented system that relies on many providers to get customers cash on demand.
“There’s an increasing sophistication,”
Tomi Engdahl says:
Nordea IT systems hacked – the bank did not report to the police
Nordea’s information systems were broken into last year. The burglar had several months of access to the bank’s payment systems and customer accounts.
The intruder could gain access to the accounts of the underlying assets, as well as a large amount of information about the bank’s customers.
The case emerges from the Swedish police’s pre-trial materials relating to the trial starting next week. The matter is reported by Tietoviikko’s Swedish sister publication Computer Sweden.
In the trial, PirateBay founder Gottfried Svartholm Warg and other persons are accused of a data breach related to Nordea, fraud, and fraud in the company. They are additionally accused of hacking IT services provider Logica.
Warg allegedly had access to Nordea’s central computers from the end of April last year until August. Nordea discovered the unauthorized transfers itself, but decided not to notify the police.
The Swedish police received a tip about the Nordea data breach only when the researchers began to examine the log files found on Warg’s laptop computer. The tracks led to Nordea.
The laptop was seized from Warg last fall in connection with his apprehension in Cambodia.
The intruder gained access to a large amount of information about Nordea’s customers. According to the bank’s own analysis, the suspects were able to download the databases containing the information on the bank’s customers, as well as user names and passwords.
The databases were in encrypted form, but according to Nordea’s own analysis, the cipher was weak.
Swedish researchers found over 400 files and folders on the laptop computer the police seized from Warg, which were consistent with the information in Nordea’s systems.
Source: http://www.tietoviikko.fi/kaikki_uutiset/nordean+itjarjestelmiin+murtauduttiin++pankki+ei+ilmoittanut+poliisille/a901973?s=r&wtm=tietoviikko/-16052013&
Tomi Engdahl says:
Nordea is a serious security breach – that the attackers likely to
Nordea’s key information systems were infiltrated last year. The attacker had access to the system from the end of April until August.
Tietoviikko’s Swedish sister publication Computer Sweden reports that the attack took place in the same central engine which operates online banking. It is also possible to connect to it from a PC with the telnet protocol, in a terminal window.
The attackers tried to cover their tracks by using two hijacked computers for the penetrations. One of them belonged to Iran, a company in Malmö and one high school.
The Swedish prosecutor does not have specific information on how the intruder initially obtained access to Nordea’s computers. The central equipment is provided by IBM.
Security experts interviewed by Computer Sweden estimate that the infiltration used information obtained from the Logica data breach.
The suspects are Logica upon penetration had access, and broken through the large number of passwords in the database, which is managed by the central machinery of use.
Another possibility is that the attack was carried out through a vulnerability in IBM’s web server: it has been possible to execute code on the computers without logging in.
IBM fixed two security holes fitting this description during the time when the Nordea and Logica data breaches occurred.
The attackers were able to access Nordea’s customer data, as well as to make payments on accounts. Nordea itself discovered the data breach, but decided not to inform the police.
The Nordea hacking emerged from the Swedish police’s pre-trial materials relating to the court case, which begins next week. In it, PirateBay founder Gottfried Svartholm Warg and other persons are accused of a data breach related to Nordea, fraud, and fraud in the company. They are additionally accused of hacking IT services provider Logica.
Source: http://www.tietoviikko.fi/kaikki_uutiset/nordeassa+vakava+tietomurto++nain+hyokkajat+todennakoisesti+toimivat/a902138?s=r&wtm=tietoviikko/-17052013&
Tomi Engdahl says:
Information security now!
Information security review of the financial sector
https://www.viestintavirasto.fi/attachments/esitykset/Jari_Pirhonen_Vivi-finanssi.pdf
Tomi Engdahl says:
Dutch citizens keep extra cash at hand following DDoS attacks
http://www.virusbtn.com/blog/2013/05_22.xml
Month-long attacks had significant impact.
25% of Dutch citizens have followed advice to keep extra cash at home, following a recent spate of DDoS attacks on Dutch banks.
At the beginning of April, customers of Dutch bank ING reported that the balance of their online bank account wasn’t what they expected it to be, with the difference in some cases running to hundreds of euros. Some customers even reported that they were unable to pay using chip-and-pin as a consequence. Initially, the bank blamed the issue on a technical error, and reassured its customers that no money had disappeared.
While the bank appears to have been right on the latter account, it later changed its statement and revealed that the issues had been caused by a DDoS attack. And that was just the beginning: the attacks spread to other banks, taking down their websites and online payment systems. They also took down iDEAL, a widely used online payments system.
Over the next few weeks, as many other organisations were targeted by similar attacks, DDoS became a prime item on the news – making knowledge of DDoS attacks among the Dutch population more widespread than in any other country (with the possible exception of Estonia).
Although no new attacks have been reported since 8th May, the impact of the attacks on the country – where Internet penetration is extremely high – has been significant. It has led many people to wonder whether they have become too dependent on online services.
Although in the past DDoS attacks have been used to hide theft or to extort money from the targeted sites, the scale, variation and longevity of these attacks make these unlikely reasons.
There have been suggestions that the attacks are a retaliation against the arrest in Spain and subsequent extradition to the Netherlands of Sven Olaf Kamphuis, himself accused of orchestrating DDoS attacks against Spamhaus.
Tomi Engdahl says:
Acting Assistant Attorney General Mythili Raman Speaks at the Liberty Reserve Press Conference
http://www.justice.gov/criminal/pr/speeches/2013/crm-speech-130528.html
Today, we strike a severe blow against a professional money laundering enterprise charged with laundering over $6 billion in criminal proceeds. As charged in the indictment unsealed today, Liberty Reserve was a financial hub for cybercriminals, Ponzi schemers, child pornographers, identity thieves, and other criminals seeking to hide, launder, and use ill-gotten funds.
As charged: Liberty Reserve operated, on an enormous scale, a digital currency system designed to provide cyber and other criminals with a way to launder their profits without leaving a trace. Liberty Reserve was a massive criminal enterprise servicing more than one million users globally – including 200,000 in the United States alone. The company’s very purpose was to launder its users’ criminal proceeds through the U.S. and global financial system.
Tomi Engdahl says:
Forget ‘Information Wants to Be Free’ — So Does Money
http://www.wired.com/business/2013/06/money-wants-to-be-free/
The internet has always conjured utopian fantasies of interconnectedness—a more perfect way for minds to come together freed of the baggage of the physical body.
The capitalist corollary is the internet-enabled dream of the perfectly efficient markets, where supply and demand converge in eternal harmony.
The latest iteration of that ideal is the so-called “share economy,” in which waste—an empty room, a parked car, an idle worker—is eradicated by the ubiquitous interconnectivity made possible by mobile devices.
But to reach its full potential, this economy needs another kind of connectedness that Stripe co-founder John Collison says the internet still struggles to afford.
“I find it so crazy how the internet came along and it was very easy for people to communicate. It was very easy for people to talk to each other,” Collison says. “But it’s still very hard for people to transact.”
In Collison’s version of ideal interconnectedness, money moves across the internet as easily as text.
Collison believes that eliminating barriers to the flow of funds through shared-resource marketplaces frees up these fast-growing startups to focus on building a better product.
Tomi Engdahl says:
Now you can use your phone instead of your wallet at the ATM, too
Blimey, these little paper towels out of the vending machine are really expensive
http://www.theregister.co.uk/2013/06/10/next_years_cashpoint_is_iphone_inspired/
Diebold has been demonstrating its vision for the future of hole-in-the-wall cash machines, and it’s one which replaces the plastic card with a cloudy alternative.
Diebold claims to have “re-imagined the automated teller machine experience for the millennial generation”, but between the buzzwords are a couple of interesting features and a business model migrating from sale and service to cloud rental.
The concept cashpoint was demonstrated recently at tradeshow European ATMs 2013 in London, and boasts an interface clearly inspired by the iPhone and its ilk. Gone are physical buttons, replaced by one of those touch screens which are so popular with the kids these days, but a good deal of the interaction can take place on the user’s phone instead.
A smartphone-wielding user scans a QR Code, or NFC tag, to throw the ATM interface onto their handset – via the cloud naturally. The withdrawal amount is selected using the phone, which acts as an identifying token to replace the plastic card. The PIN is entered in the usual way, completing the transaction.
Equally interesting is the use of a mobile app to send cash to a person, who just receives an SMS bearing a six-digit code which can be entered in any compliant cashpoint to dispense the scratch-window cash.
Tomi says:
A Call to Arms for Banks
Regulators Intensify Push for Firms to Better Protect Against Cyberattacks
http://online.wsj.com/article_email/SB10001424127887324049504578545701557015878-lMyQjAxMTAzMDEwNDExNDQyWj.html
U.S. regulators are stepping up calls for banks to better-arm themselves against the growing online threat hackers and criminal organizations pose to individual institutions and the financial system as a whole
The push comes as government officials grow increasingly concerned about the ability of a cyber attack to cause significant disruptions to the financial system. Banks such as J.P. Morgan Chase & Co., Bank of America Corp. and Capital One Financial Corp. have been targeted by cyber assaults in recent years, including potent “denial-of-service” strikes that took down some bank websites off-and-on for days, frustrating customers. Banks have spent millions of dollars responding to or protecting against such attacks.
A banking industry official said the onus can’t just be on banks to combat cyber attacks. “It needs to be collaborative; the industry can’t take on foreign countries alone,” the official said.
The U.S. has increasingly adopted a hard line toward firms whose systems are violated, holding companies more accountable for protecting themselves.
Regulators and the banking industry are coordinating efforts to respond to the growing threat, including a major cyber “war game” exercise slated for later this month
Officials from the Treasury Department and other financial regulators have been conducting regular classified and non-classified briefings with bank officers about the increased likelihood banks of all sizes could come under attack.
The Financial Stability Oversight Council, which Mr. Lew leads, cited cyber security as one of its key “emerging threats” this year.
While no specific incident is behind the focus on cyber security, regulators are concerned that the number of cyber attacks spawned by increasingly sophisticated hackers, criminal organizations, hactivist groups and nation-states is going to rise. The OCC said in its presentation to bankers that cyber attacks overall, including on banks, increased 42% in 2012, ranging from malicious software or phishing attacks, to well-publicized denial-of-service attacks.
Tomi Engdahl says:
Finance CIOs sweat as regulators prepare to probe aging mainframes
Outages compound interest in creaking IT
http://www.theregister.co.uk/2013/06/25/banking_mainframe_legacy_policy/
Could the watchful eyes of regulators soon come to rest on the old and often creaking IT systems that run the back offices of the UK’s leading banks?
Among CIOs in the sector, there’s a palpable concern that they will. It’s no secret, after all, that most retail banks rely on decades-old technology for their core banking systems to manage deposits, loans, credit and customer records.
Last summer’s three-day outage at the Royal Bank of Scotland may have been traced back to human error, but many believe the incident has led to serious questions being asked about the resilience that older core banking systems offer.
“There’s absolutely no doubt in my mind that the RBS incident has raised levels of concern around infrastructure and, in particular, back-office resilience,”
It’s not just a UK issue. Last year, David Pegrem, head of IT risk at the Australian Prudential Regulation Authority (APRA), warned banks in that country that there will be “no tolerance” for service outages at banks and building societies that can be traced back to neglected legacy systems.
“There [will be] no tolerance for known single points of failure, for poorly mapped business processes, for lost or poor knowledge retention, for fixing [with] Band-Aids rather than root-cause solutions,” he said.
Meanwhile, in the US, some 330 banks and credit unions will replace their core banking systems during 2013, according to research from research company the Aite Group. Vendors serving this market include FIS, Fiserv, Temenos, SAP, Oracle and Misys.
But replacement is a “high-risk, high-cost endeavour”, warns Aite Group analyst Christine Barry: “The financial crisis delayed many of these replacement projects and, as a direct result, there’s a much higher level of urgency now – but still a large degree of caution, because core system replacement is probably the largest and riskiest IT investment any bank could make.”
That’s why it’s been so easy for banks to postpone such projects.
“The truth is that retail banking institutions with highly defined business units that budget according to their own profit and loss [P&L] accounts find it very difficult to recognise the need for, and justify, expenditure in maintenance and upgrade of legacy systems. They just do.”
One of the big challenges is getting the skills needed to manage decades-old legacy systems, often written in languages such as PL/1 and Cobol.
“When you’re making changes to these systems, rather than replacing them, you’re dealing with massive size and complexity, as well as criticality,” says former banking systems administrator Frances Coppola
“Very often, the system has no documentation or very poor documentation, too, so the risks you run of making some subtle but disastrous change in function and thus triggering some sort of systems failure are actually pretty high,”
This, incidentally, is exactly the scenario that unfolded at RBS last summer, when an IT administrator attempting to run a routine end-of-day overnight batch cycle managed to erase the entire scheduling queue, as Ovum’s Daniel Mayo points out.
Tomi Engdahl says:
REVEALED: Cyberthug tool that BREAKS HSBC’s anti-Trojan tech
Browser lockdown method also used by PayPal
http://www.theregister.co.uk/2013/08/06/trusteer_pushes_updates_after_cybercrook_brew_up_browser_lockdown_exploit/
Cybercrooks on an underground forum have developed a technique to bypass anti-Trojan technology from Trusteer used by financial institutions worldwide – including HSBC and Paypal – to protect depositors from cybersnoopers.
Trusteer has downplayed the vulnerability and said it’s in the process of rolling out beefed-up protection anyway. However, independent security researchers who first spotted the exploit warn that bank customers remain at risk.
Trusteer’s Rapport browser lock-down technology is offered as a voluntary download by 50 banks worldwide, including NatWest and HSBC in the UK. US customers include ING Direct USA; eBay and PayPal also offer it to their customers as protection against banking Trojans.
An exploit on private cybercrime forums, spotted by digital forensics firm Group-IB, offers a means to bypass the browser lock-down technology.
In a statement, Amit Klein, CTO at Trusteer, downplayed the seriousness of the flaw. Klein said the bug only affected one of the protection layers offered to customers by the software.
The patch for this vulnerability is available and is being rolled out automatically to the entire Trusteer Rapport customer base. No action is required from Rapport users.
Tomi Engdahl says:
Goldman puts four on leave after fallout from trading glitch: report
http://www.reuters.com/article/2013/08/26/us-goldman-options-leave-idUSBRE97P01620130826
Goldman Sachs Group Inc (GS.N) put four senior technology specialists on administrative leave after a trading glitch that led to a flood of erroneous options trades, the Financial Times reported
The Financial Times said about 80 percent of the mistaken contracts sent to the New York Stock Exchange were cancelled, limiting losses for Goldman. But the glitch “provoked a strong reaction” within the bank, which takes pride in a reputation for risk management, the paper said.
The system, called a “trading axis”, monitors the Wall Street bank’s inventory to determine whether it should be a more aggressive buyer or seller in the market.
Tomi Engdahl says:
Ex-Googler Gives the World a Better Bitcoin
http://www.wired.com/wiredenterprise/2013/08/litecoin/?mbid=social11374364
Charles Lee was a software engineer at Google, spending his days hacking networking code for the search giant’s new-age operating system, ChromeOS. But in his spare time, he rewrote Bitcoin, the world’s most popular digital currency.
Early one October morning two years ago, Lee unleashed his project, Litecoin,
Government regulation may put the squeeze on Bitcoin — and perhaps Litecoin too. But digital currency will continue to evolve and grow. It’s what so much of the world wants.
Although it’s dwarfed by Bitcoin’s popularity, people seem to like Litecoin because it’s a more credible alternative to the growing list of Bitcoin imitators, which Lee saw as either technologically challenged or straight up pump-and-dump scams.
He took the basic ideas behind Bitcoin — a currency created by a pseudonymous character who goes by the name Satoshi Nakamoto — and refined them. Litecoin was designed to pump out four times as many coins as Bitcoin, in an effort to keep the digital currency from becoming scarce and too expensive. It processes transactions more quickly, and discourages the kind of high-volume but very small transactions that have become a nuisance on the Bitcoin network. And it lets regular folks more easily “mine” coins — i.e. provide the online currency system with the computing power it needs, in exchange for digital money.
The result wasn’t a Bitcoin killer. But it was something that gave digital currency yet another stamp of approval.
Tomi Engdahl says:
Citadel botnet resurges to storm Japanese PCs
Banking Trojan infects 20,000 IP addresses
http://www.theregister.co.uk/2013/09/04/citadel_wreaks_havoc_in_japan/
Citadel, the aggressive botnet at the heart of a widely criticised takedown by Microsoft back in June, is back and stealing banking credentials from Japanese users, according to Trend Micro.
The security vendor claimed to have found “at least 9 IP addresses”, mostly located in Europe and the US, functioning as the botnet’s command and control servers.
As well as Japanese financial and banking organisations, the botnet has been targeting popular webmail services such as Gmail, Hotmail and Yahoo Mail, Trend Micro said.
Citadel was the subject of Operation b54, what Microsoft described back in June as its “most aggressive botnet operation to date”. Working with the FBI, financial institutions and other technology firms, Redmond said it disrupted some 1,400 botnets associated with the Trojan, which had nabbed more than $500m from bank accounts around the world.
However, the initiative was slammed by the security community after Microsoft allegedly seized hundreds of domains as part of its swoop which were already being sinkholed by researchers to find out more about the botnet.
Tomi Engdahl says:
Chief information officer of bank hit by bug changes
Investment bank Goldman Sachs, which suffered from a bug a month ago, is changing its CIO.
The company was cast in an embarrassing light in August, when its stock market software made misjudgments and caused disturbance in the stock market.
Initially, the computer failure was suspected to have caused up to hundreds of millions of dollars in losses. Current estimates of the harm are in the order of tens of millions.
Source: http://www.tietoviikko.fi/cio/bugista+karsineen+jattipankin+tietohallintojohtaja+vaihtuu/a932457
Tomi Engdahl says:
Service went wrong: Nordea’s payment cards and online banking were shutting down
Nordea network and cards ceased operations on Sunday as a planned maintenance break stretched.
The service outage that began at 5 in the early hours was due to end at 9 for cards and at 13 for online banking. It turned out otherwise.
Nordea's payment cards did not function before noon. The online banking outage lasted into the evening, until 20.
Nordea Communications explains to Information Week that it was a planned service interruption. The bank generally seeks to schedule maintenance downtime in such a way that it harms customers as little as possible.
So far, Nordea has not been able to specify what caused the service interruption to stretch.
Source: http://www.tietoviikko.fi/kaikki_uutiset/huolto+meni+pieleen+nordean+maksukortit+ja+verkkopankki+hyytyivat/a932344
Terrance says:
Always I used to read smaller posts which as well clear their motive, and that is also happening with this piece of writing which I am reading at this time.
Tomi Engdahl says:
Bitcoin’s role in the future of micropayments
http://www.coindesk.com/bitcoins-role-future-micropayments/
Different payment processors have different opinions on the definition of a microtransaction, commonly known as a minuscule payment for a good or service.
Small businesses in the US like to require that customers make at least a $10 transaction on a credit or debit card. That’s because some processors charge more for smaller transactions in order to make money on every purchase.
PayPal, for example, sets its fees higher when payments are below $12, which it considers a microtransaction. PayPal’s normal rate is 2.9% + $0.30, while there is a higher 5% + $0.05 micropayments rate.
Can it really be considered that something below twelve dollars is a microtransaction?
Perhaps that rate is an example of how far there is to go in the payments industry for processing small amounts of money, although it is fair to point out that processors need to generate revenue from each payment made.
Yet something needs to happen, however, because these activities should at some point require some degree of change to reflect new concepts like digital media.
Publishers, for example, would do well to accept small payments for reading content.
Bloomberg BusinessWeek has to cannibalize its own print business by charging only $2.49 a month for the digital edition of its magazine, available on tablets. That’s because it has to, as most people move from printed content to online consumption.
But what if publishers made a decision to put up microtransaction-based digital currency paywalls for pennies on the dollar to read individual articles?
Conclusion
Small transactions are a wave of the future, but it is going to ultimately require the cooperation of payment processors in order for it to gain traction.
Tomi Engdahl says:
Danske Bank bade farewell to Java
All Danske Bank’s online services for private customers are available without Java, says the company in a statement.
“Danske Bank’s online security solution was previously based on Java software, which allowed flexible and efficient defence against network threats. The new security solutions now introduced to the online services will continue to provide strong protection for online transactions, but do not require customers to update any software on their own computer,” writes Danske Bank in a statement.
The company also says it has renewed its online banking, and that the reforms also make online shopping and authentication possible on mobile devices.
Source: http://www.itviikko.fi/tietoturva/2013/10/08/danske-bank-heitti-hyvastit-javalle–yhta-paikkaa-lukuun-ottamatta/201313954/7?rss=8
Tomi Engdahl says:
COFFEE AND DANISH HELL: National ID system cockup forces insecure Java on Danes
Enjoy your gaping holes if you wanna bank, email, etc
http://www.theregister.co.uk/2013/10/17/java_causes_problems_denmark/
A bungled IT upgrade has downed Denmark’s universal NemID login system, forcing people to stay on an insecure version of Java if they want to carry out online banking, check their insurance, or retrieve tax return information.
Problems with NemID were first reported on Tuesday, and on Thursday the NATS IT consultancy behind the system said Danes wouldn’t be able to use both the latest patched version of Java and NemID until Friday.
Java Update 45 was released on Tuesday, bringing with it a whopping 51 security bug fixes for the still widely used platform.
A dozen of these vulnerabilities merited the most severe CVSSv2 score of 10, meaning they could be used “to take full control over the attacked machine over the network without requiring authentication.”
So, the Danes are faced with a conundrum: upgrade and lose access to critical public and private online services, or don’t upgrade and keep their computers open to some potentially very serious security flaws.
Tomi Engdahl says:
Smartphone cameras can give away PIN codes, researchers warn
http://gigaom.com/2013/11/08/smartphone-users-eyes-can-give-away-their-pin-codes-researchers-warn/
Summary:
Researchers at the University of Cambridge have demonstrated an attack that can reveal the PIN codes for sensitive apps, such as those for banking, by tapping into the device’s microphone and camera.
This should be of concern to the developers of banking apps and the like, although there’s not a lot they can do about it. The Cambridge researchers suggested that OS designers implement a whitelist for sensors rather than leaving them all active all the time – this would mitigate the risk by denying access to all shared hardware resources “except those explicitly allowed,” though I’d imagine it would conflict with recent features introduced to smartphones, such as always-on microphones.
Another option, of course, is to stop using PIN codes. Identity could instead be confirmed through the use of biometrics (although that introduces different risks), and the researchers also note that secondary devices such as smart watches could act as secure ID when brought together with the handset.
Tomi Engdahl says:
Microsoft fears XP could cause Indian BANKOCALYPSE
Up to 70 per cent of public banks could still be using ancient OS
http://www.theregister.co.uk/2013/11/13/india_banks_microsoft_xp_migration_miss/
The Indian banking industry could be facing a partial meltdown after Microsoft revealed new research claiming over 34,000 publicly-funded bank branches are still reliant on Windows XP.
The report from Ascentius Consulting revealed that XP penetration in the banking sector is at 40-70 per cent. Some 34,115 branches were singled out as at risk, with just under 100 working days left until the migration deadline.
Ascentius estimated that it will take banks between four and six months to move onto a newer version of Windows, meaning time is getting a bit tight before – the hard deadline being April 8 2014.
Microsoft warned that large numbers of branches could find themselves unable to serve their customers, especially in rural and semi-rural areas.
A few months ago HP reckoned that around 40 per cent of UK businesses were still using XP.
Banking is Broken? Start-ups try to fix it. « Tomi Engdahl’s ePanorama blog says:
[...] is Broken? Start-ups try to fix it. I have written earlier about problems in banking security and credit card security issues. But what about some other banking [...]
Tomi Engdahl says:
How UK banks contain threats from cybercriminals
http://www.bbc.co.uk/news/technology-24568134
The UK’s banks are regularly being caught out by cybercriminals, BBC research suggests.
Data from three sources indicates that spam, viruses and other malicious messages regularly emerge from machines sitting on banks’ corporate networks.
It is likely that the computers were compromised when bank staff and contractors were caught out by booby-trapped email attachments.
They may also have visited sites seeded with code that infected their PCs.
Some of those infected machines are also likely to have been enrolled in a botnet – a large network of hijacked computers that are used by cybercriminals to distribute spam and viruses, attack other websites or as a source of saleable personal data.
But, say experts, banks are doing a better job than most at protecting their machines from malware.
The BBC found that in 2013 there were more than 20 incidents involving UK bank networks indicative of malicious activity. Similar, though lower, numbers were seen in 2012 and 2011.
In addition, sources inside UK banks told the BBC that they deal with up to a dozen incidents a month of employees’ machines getting infected with malware.
James Lyne, global head of security research at security firm Sophos, said evidence of a botnet on a bank network would be “exceptionally concerning”.
“It would give attackers a foothold that they can exploit,” he said.
“There should be no spam coming out of these networks,”
“If they are vulnerable to that you have to wonder what else they are vulnerable to,” said Prof van Eeten.
“The criminal use of cyber-techniques is an integral part of financial crime offending,” he said.
“The challenge in this area is that as banks develop their controls in line with new criminal methodologies, new techniques will emerge,” he said.
Statistics gathered by security firm OpenDNS suggest that up to 900 botnets are active in late 2013. These crime networks typically involve many tens of thousands of machines. The biggest count millions of PCs as victims.
Botnets have become the standard tool of the cybercrime underground, said Mr Lyne from Sophos.
Mr Lyne added that it was not surprising that banks were regularly having to find and flush out infected machines as they typically ran systems serving tens of thousands of users and a similar number of computers. Defending all those people and PCs against the 250,000 novel malware variants produced every day was a herculean task, he said.
“Complexity is the enemy of security,” he said.
“Retail ISPs have infection rates that are several orders of magnitude higher,” he said. “This is peanuts compared to that.”
Tomi Engdahl says:
Android nasty sends your texts to CHINA
Best hope you weren’t messaging your bank manager
http://www.theregister.co.uk/2013/12/17/android_botnet/
Security researchers have discovered an Android botnet that masquerades as a benign settings app for carrying out administrative tasks on mobile devices.
Once authorised by the user, the malicious app surreptitiously steals SMS messages from the infected device and emails them to a command-and-control (C&C) infrastructure hosted in China, operated by unknown cybercrooks.
The so-called MisoSMS has cropped up in 64 spyware campaigns, according to security researchers at net security firm FireEye. Each of the campaigns uses webmail as its primary C&C infrastructure.
MisoSMS’s overall aim is to “intercept online banking or e-commerce details” before using this information in various criminal scams, a FireEye spokeswoman explained.
FireEye reckons the majority of infected devices are in South Korea.
Tomi Engdahl says:
Oi, bank manager. Only you’ve got my email address – where’re these TROJANS coming from?
Santander scratches head over mystery malware barrage
http://www.theregister.co.uk/2013/12/19/trojans_spam_unique_email_address/
Santander customers are continuing to complain about receiving trojans and other junk to email addresses exclusively used with the bank. The reports began last month, prompting promises of an investigation by Santander. It’s still unclear whether email addresses leaked from the bank or one of its affiliates.
Independent experts said that fingering the source of this type of leak can be hard to determine.
Tomi Engdahl says:
Banks’ risk management is in a bad way – the cause is found in IT
Banks are not able to sufficiently assess financial risks because of their ageing information technology, warns the Basel Committee on Banking Supervision, which supervises the field.
In January the Committee released international guidelines, which were supposed to push banks to bring their IT systems up to date. The Committee believes that, after the global economic crisis, banks are not able to identify threats sufficiently, as their information systems are not up to it.
Banks’ systems are believed to be the level required by the Committee until 2016.
“Many banks have difficulties in data management, architecture, and processes,”
The Committee expressed the hope that the banks concentrate their data to control the current. Also, the risk analysis should be used to improve data sources and reporting to improve.
Source: http://www.tietoviikko.fi/kaikki_uutiset/pankkien+riskienhallinta+on+retuperalla++syy+loytyy+tietotekniikasta/a955745
Tomi Engdahl says:
Experts: No need to stress about mobile payment
A smartphone banking application is safer to use than online banking on a laptop PC – at least for now, say experts.
The reason is that mobile phone applications are separated from each other, especially on the iPhone and Windows operating systems.
“Applications do not necessarily communicate with each other. Another application cannot connect to the mobile banking application,” says F-Secure security expert Sean Sullivan.
Mobile banking on a smartphone is used through a separate application, which each bank designs itself.
On laptops, in turn, online banking is used through the browser. You may have other activities and sites in use at the same time.
Browser on the server side of the program is easier to sneak in e-banking context.
“The good thing about mobile banking is the fact that it is more difficult for the attacker to make a hostile application,” senior security consultant Pekka Sillanpää from Nixu says.
Sillanpää points out that in the world of mobile applications the security situation can be even worse, especially if, for example, key number lists are not used. Namely, mobile applications themselves cause new types of threats if they are not taken into account in the right way.
Android is more vulnerable to attack, as the app stores used do not test all of the applications that can be downloaded to Android phones, as opposed to the iPhone and Windows Phone. Android is an open operating system, unlike its competitors.
According to experts, cyber criminals are not currently interested in smartphones, because the use of banking services is low.
Sillanpää admits that there is also a risk that some banks, in their haste, do not have time to thoroughly test these new applications, in which case security vulnerabilities may remain in them.
“No bank will willfully neglect security.”
Source: Kauppalehti
http://www.kauppalehti.fi/etusivu/asiantuntijat+turha+stressata+kannykkamaksamisesta/201401597531
Tomi Engdahl says:
Mobile Banking Apps For iOS Woefully Insecure
http://it.slashdot.org/story/14/01/10/224239/mobile-banking-apps-for-ios-woefully-insecure
“Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings”
Personal banking apps leak info through phone
http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
Tomi Engdahl says:
ATMs Face Deadline to Upgrade From Windows XP
http://www.businessweek.com/articles/2014-01-16/atms-face-deadline-to-upgrade-from-windows-xp
When ATMs were introduced more than 40 years ago, they were considered advanced technology. Today, not so much. There are 420,000 ATMs in the U.S., and on April 8, a deadline looms for nearly all of them that underscores how sluggishly the nation’s cash delivery system moves forward. That’s the day Microsoft (MSFT) cuts off tech support for Windows XP, meaning that ATMs running the software will no longer receive regular security patches and won’t be in compliance with industry standards.
Most machines that get upgraded will shift to Windows 7, an operating system that became available in October 2009. (Some companies get a bit of a reprieve: For ATMs using a stripped-down version of XP known as Windows XP Embedded, which is less susceptible to viruses, Microsoft support lasts until early 2016.)
Microsoft’s 12-year-old Windows XP dominates the ATM market, powering more than 95 percent of the world’s machines and a similar percentage in the U.S.
More advanced ATM fleets can do the update over their networks. Older ATMs must be upgraded one by one or even replaced entirely if they don’t have enough computing power to run the newer, more demanding software.
“A lot of ATMs will have to either have their components upgraded or be discarded altogether and sold into the aftermarket—or just junked.”
Microsoft is selling custom tech support agreements that extend the life of Windows XP, although the cost can soar quickly—multiplying by a factor of five in the second year, says Korala.
The cost to upgrade a single ATM to Windows 7 can range from a few hundred dollars if its hardware is adequate, says Stewart, to thousands of dollars if new components are required.
ATMs whose operators ignore the deadline will continue to function, says Dean Stewart, an executive at Diebold (DBD), which makes ATMs. They’ll just become more vulnerable to malware and other attacks against weaknesses discovered over time in Windows XP.
Tomi Engdahl says:
95% of ATMs Worldwide Are Still Using Windows XP
http://news.slashdot.org/story/14/01/16/2323209/95-of-atms-worldwide-are-still-using-windows-xp
“95% of the world’s ATM machines are still running Windows XP and banks are already purchasing extended support agreements from Microsoft. (some of the affected ATMs are running XP Embedded, which has a support lifecycle until January, 2016)”
Tomi Engdahl says:
PoS Malware Targeted Target
http://www.seculert.com/blog/2014/01/pos-malware-targeted-target.html
Dexter was a doozy, but recent Seculert research reveals that it wasn’t the source of the point-of-sale (PoS) attack on Target.
Seculert’s Research Lab ran the sample of the malware and discovered that unlike Dexter, this attack had 2 stages, which is a well known attribute of an advanced threat. First, the malware that infected Target’s checkout counters (PoS) extracted credit numbers and sensitive personal details. Then, after staying undetected for 6 days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network.
On December 2, the malware began transmitting payloads of stolen data to a FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a 2 week period.
Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP.
They continued to download the data over 2 weeks for a total of 11 GB of stolen sensitive customer information.
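The pattern described in this comment (data collected on PoS terminals, then uploaded several times a day over FTP from another internal machine) can be hunted for in network flow logs. The detection logic below is an added example, not part of the original comment or of Seculert's tooling; the flow records, addresses, internal range, internal port and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed internal address space and FTP ports; adjust to the monitored network.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
FTP_PORTS = {20, 21}

# Constructed flow records: timestamp, source, destination, dest port, bytes sent.
SAMPLE_FLOWS = """\
2013-12-01T23:10:00 10.1.1.11 10.1.4.20 445 900000
2013-12-01T23:12:00 10.1.1.12 10.1.4.20 445 750000
2013-12-02T10:05:00 10.1.4.20 203.0.113.50 21 4000000
2013-12-02T15:40:00 10.1.4.20 203.0.113.50 21 3500000
2013-12-03T09:55:00 10.1.4.20 203.0.113.50 21 4200000
2013-12-03T16:20:00 10.1.4.20 203.0.113.50 21 3900000
2013-12-04T10:15:00 10.1.4.20 203.0.113.50 21 4100000
2013-12-04T17:30:00 10.1.4.20 203.0.113.50 21 3800000
2013-12-03T11:00:00 10.2.0.5 198.51.100.7 21 120000
2013-12-03T12:00:00 10.1.4.20 10.9.9.9 21 50000
"""


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Turn whitespace-separated flow lines into typed tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, sent = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(sent)))
    return flows


def find_staged_ftp_exfil(flows, min_days=3, min_sessions_per_day=2):
    """Flag internal hosts that upload over FTP to one external address
    several times a day on several days, and list the internal machines
    that sent data to that host (possible collection points)."""
    uploads = defaultdict(lambda: defaultdict(list))  # (src, dst) -> day -> [bytes]
    feeders = defaultdict(set)                        # internal dst -> internal sources
    for ts, src, dst, port, sent in flows:
        if not is_internal(src):
            continue
        if is_internal(dst):
            feeders[dst].add(src)
        elif port in FTP_PORTS:
            uploads[(src, dst)][ts.date()].append(sent)

    findings = []
    for (src, dst), by_day in sorted(uploads.items()):
        busy_days = sorted(d for d, s in by_day.items()
                           if len(s) >= min_sessions_per_day)
        if len(busy_days) < min_days:
            continue  # a one-off upload is not the recurring pattern
        findings.append({
            "staging_host": src,
            "external_ftp": dst,
            "days": len(busy_days),
            "first_seen": busy_days[0].isoformat(),
            "bytes_out": sum(sum(s) for s in by_day.values()),
            "internal_feeders": sorted(feeders[src]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_staged_ftp_exfil(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

The single vendor-style upload from 10.2.0.5 and the internal FTP transfer are not flagged; only the host with repeated daily uploads to the same external server is.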
Tomi Engdahl says:
Thought mobe banking apps were safe from nasties? THINK AGAIN
Fake SSL certs let cybercrooks hoover up login creds and redirect transactions
http://www.theregister.co.uk/2014/02/14/fake_ssl_cert_peril/
Fake SSL certificates in the wild for Facebook, Google and Apple’s iTunes store create a grave risk of fraud for people who bank online using their smartphones.
Analysis outfit Netcraft said it has found “dozens” of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. The counterfeit credentials create a ready means for attackers to run man-in-the-middle attacks against the customers of affected companies.
Tomi Engdahl says:
As Mt.Gox Implodes, Rival Bitcoin Exchanges Remain Surprisingly Stable
http://techcrunch.com/2014/02/16/as-mt-gox-implodes-rival-bitcoin-exchanges-remain-surprisingly-stable/
Watching the gyrations in the price of Bitcoin has been spectator sport the past several days. However, unlike with prior busts and races, the price of Bitcoin has diverged heavily across its several exchanges. This has led to the Bitcoin market itself becoming siloed.
cancan says:
We stumbled over here coming from a different page and thought I should check things out. I like what I see so I am just following you. Look forward to checking out your web page again.
Tomi Engdahl says:
IE Vulnerability Exposing Banking Logins, Spreading Rapidly
http://tech.slashdot.org/story/14/02/26/1447222/ie-vulnerability-exposing-banking-logins-spreading-rapidly
“A vulnerability in Internet Explorer 9 and 10 that allows attackers to target banking login info, first reported on February 13, is being exploited in the wild, and attacks are spreading rapidly.”
Tomi Engdahl says:
UK regulators: We will be CHECKING UP on banks’ IT systems
‘Major outages… completely unacceptable’ – FCA
http://www.theregister.co.uk/2014/04/02/bank_it_systems_review_regulators/
“The aim is to assess how well firms manage their own exposure to risks, to what extent IT risks are discussed at board level, and whether boards have the skills and expertise to challenge executive decisions,” the FCA said.
Woods said that major IT outages are “completely unacceptable” and that they present a “threat to financial stability”.
Tomi Engdahl says:
Finns switch to using banking applications more slowly than the rest of the world
Banking matters will soon be handled primarily on mobile devices. In Ireland, for example, this has already happened.
According to a survey by Danske Bank, Finns have embarked on the change more slowly than the other Nordic countries. Bank of Finland forecasts mobile banking to be the most important way from the end of 2015 onwards.
The slower transition is partly historical: the Finns have been using online banking for a long time and are used to handling their affairs through the browser. Ireland and Estonia skipped this step and went directly to mobile app online banking.
In the rest of the Nordic countries, mobile application signups are about half compared to browser-based online banking. In Finland, the use of mobile applications in January was 28.5 per cent of online banking usage volumes.
Source: Tietoviikko
http://www.tietoviikko.fi/kaikki_uutiset/suomalaiset+vaihtavat+pankkisovellusten+kayttajiksi+hitaammin+kuin+muualla/a979704
Tomi Engdahl says:
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
http://www.theregister.co.uk/2014/04/15/co_op_bank_programming_error_fine/
A programming blunder appears to have landed the cash-strapped Co-op Bank an unexpected bill for £110m.
In its financial report for 2013, which last week revealed a £1.3bn loss, the bank said it had to stump up nine-figure “costs relating to breaches of the Consumer Credit Act”.
loan statements to a group of customers were sent out late –
That gaffe meant the bank had to pay back all the interest on that batch of loans as a result of not following the letter of the law.
Tomi Engdahl says:
Financial services firms are investing more in cyber security protection than last year, predicts consulting firm PwC.
According to PwC, many financial players are now more aware of the risks involved.
Information attacks have caused extensive damage and risks to banks and other financial firms in recent years.
Of investment companies, 76 per cent said in the PwC survey that they would increase their security budget.
“Cyber crimes are the biggest threat to Britain’s financial services,”
At the same time, however, the banks reacted coolly to security investments (only 8% planned to increase).
Source: Tietoviikko
http://www.tietoviikko.fi/kaikki_uutiset/finanssiyritykset+akkasivat+tietoturvaan+on+laitettava+enemman+rahaa/a982631
Tomi Engdahl says:
Bank of England seeks ‘HACKERS’ to defend vaults against e-thieves
Report: 20 major cash-holders to be probed by white hats
http://www.theregister.co.uk/2014/04/24/ethical_hackers_drafted_to_probe_banks/
The Bank of England is planning to hire ethical hackers to conduct penetration tests on 20 “major” banks and other financial institutions, it has been reported.
The move appears to be a response to lessons learned during the Waking Shark II security response exercise last November.
“It’s encouraging to see the Bank of England taking a lead on protecting the UK’s critical national infrastructure by overseeing ethical hacking programmes,”
“Looking at the bigger security picture, the majority of serious data breaches use stolen or misused legitimate access privileges. Banks need strong, reliable systems in place to quickly identify any security vulnerabilities and take appropriate actions to prevent a breach and avoid financial and reputational damage,”
Tomi Engdahl says:
Barclays bank heist ringleader jailed for five-and-a-half years
http://nakedsecurity.sophos.com/2014/04/27/barclays-bank-heist-ringleader-jailed-for-five-and-a-half-years/
The man at the head of a gang responsible for a string of thefts and frauds from UK banks, including one haul of at least £1.25 million in a single day, has been sentenced to five years and six months in prison.
multiple fraud and theft operations.
These included accessing bank computers by attaching KVM (keyboard-video-mouse) kit, allowing the fraudsters remote access to the systems.
In one incident at a branch of Barclays this method was used to siphon £1.25 million into accounts set up by the gang. More than half of the haul has yet to be recovered.
device attached to the branch manager’s PC
Tomi Engdahl says:
Kyberturvallisuuskeskus faces new scam pages every day that try to phish Finnish bank accounts. A campaign that started a month ago masquerades as a recovery service, and builds on the previous Customs and Itella scams.
New phishing pages crop up every day as soon as the previous ones have been switched off. Criminals have adopted text messaging, encrypted network connections and a portal resembling a collection service. In addition, they continue to make use of fake e-mails and false online banking log-in pages.
In practice, the user is first sent an e-mail, which directs the user to the phishing site. The phishing page asks the customer for the account name, password and phone number. With the username and password phished from the customer, the criminals log on to the online bank from their own computers. When the online bank asks for the changing password, they ask the customer for it by text message, exploiting the customer’s phone number.
The novelty of the campaign is the individual text messages, which aim to obtain the changing password requested by the online bank.
When you doubt the authenticity of a web site that uses an encrypted connection, you should check the following:
The domain name in the browser’s address bar matches the organization (for example, the name of the bank) that you are dealing with.
The information in the site’s certificate matches the domain in the address bar.
Both of the above conditions must be met in order to be able to know that you are dealing with the right organization.
The third new feature is a web portal resembling a collection service, with bank ID links that appear to be quite real. Some of them may be, but others may direct the clicker to phishing sites.
Sources:
http://www.digitoday.fi/tietoturva/2014/05/14/suomi-kalastelun-uudet-kujeet-tekstiviesteja-ja-perintaportaali/20146820/66?rss=6
https://www.cert.fi/tietoturvanyt/2014/05/ttn201405131125.html
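The two checks listed in the comment above, written out as code. This is an added example, not from the original comment or from CERT-FI; the host names, the `bank.example` domain and the certificate dictionaries are constructed, in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and validation of the certificate chain is assumed to be done by the TLS library.

```python
from urllib.parse import urlsplit


def host_in_org_domain(host, org_domain):
    """Check 1: the address-bar host is the organisation's domain or a
    subdomain of it. A name that merely contains the domain fails."""
    host = host.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def name_matches(pattern, host):
    """Match one certificate DNS name against the host. A wildcard is
    honoured only as the whole left-most label and covers one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers_host(cert, host):
    """Check 2: one of the certificate's DNS subjectAltNames matches the host."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(name, host) for name in names)


def check_site(url, org_domain, cert):
    """Apply both checks to the URL shown in the address bar."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # ignores any user@ prefix in the URL
    result = {
        "https": parts.scheme == "https",
        "address_matches_org": host_in_org_domain(host, org_domain),
        "cert_matches_address": cert_covers_host(cert, host),
    }
    result["ok"] = all(result.values())
    return result


# Constructed certificates (only the field used here is filled in).
BANK_CERT = {"subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example"))}
LOOKALIKE_CERT = {"subjectAltName": (("DNS", "bank.example.secure-login.test"),)}

if __name__ == "__main__":
    cases = [
        ("https://online.bank.example/login", BANK_CERT),
        ("https://bank.example.secure-login.test/login", LOOKALIKE_CERT),
        ("https://online.bank.example@login.test/", BANK_CERT),
        ("https://a.b.bank.example/", BANK_CERT),
    ]
    for url, cert in cases:
        print(url, check_site(url, "bank.example", cert))
```

The second case shows why both conditions are required: the lookalike site has an encrypted connection and a certificate that matches its own address, yet the address is not the bank's domain.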