Kaspersky Lab performed a forensic investigation into cybercriminal attacks targeting multiple ATMs around the world. During the course of this investigation, researchers discovered the Tyupkin malware used to infect ATMs and allow attackers to remove money via direct manipulation, stealing millions of dollars.

Infected ATMs gave away millions of dollars
http://blog.kaspersky.com/tyupkin-atm-malware/

What do you need in order to withdraw cash from an ATM? First, you need to have a debit or credit card, which acts as a key to your bank account. Second, you must know the PIN code associated with the card; otherwise, the bank wouldn’t approve the transaction. Finally, you need to have some money in your account that you can withdraw. However, hackers do things differently: they don’t need cards, PIN codes or bank accounts to get money. In reality, all they need is an ATM with some cash in it and a special piece of software.

Infected ATMs give away millions of dollars without credit cards
http://www.net-security.org/malware_news.php?id=2880
Posted on 07.10.2014
Kaspersky Lab performed a forensic investigation into cybercriminal attacks targeting multiple ATMs around the world. During the course of this investigation, researchers discovered the Tyupkin malware used to infect ATMs and allow attackers to remove money via direct manipulation, stealing millions of dollars.

“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software. Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct APT-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure,”

The predictions were made financial tech expert Gi Fernando
He claimed that credit scores could soon be based on Facebook friends
Banks could also move into coffee shops and supermarkets
Payment technology will become wireless and be based on biometric data
And Mr Fernando claims this could happen within the next decade

After Breach, JPMorgan Still Seeks to Determine Extent of Attack
http://www.nytimes.com/2014/09/13/technology/after-breach-jpmorgan-still-seeks-to-determine-extent-of-attack.html

The headache caused by the attack on JPMorgan Chase’s computer network this summer may not go away anytime soon.

Over two months, hackers gained entry to dozens of the bank’s servers, said three people with knowledge of the bank’s investigation into the episode who spoke on the condition of anonymity. This, they said, potentially gave the hackers a window into how the bank’s individual computers work.

They said it might be difficult for the bank to find every last vulnerability and be sure that its systems were thoroughly secured against future attack.

The hackers were able to review information about a million customer accounts and gain access to a list of the software applications installed on the bank’s computers. One person briefed said more than 90 of the bank’s servers were affected, effectively giving the hackers high-level administrative privileges in the systems.

Hackers can potentially crosscheck JPMorgan programs and applications with known security weaknesses, looking for one that has not yet been patched so they can regain access.

BARCLAYS BANK AND HITACHI have unveiled a biometric security device that scans the unique vein patterns in fingers to prevent fraud.

The Barclays Biometric Reader consists of a SIM card that holds the unique vein structure information of a single user and a small infra-red scanner. Using Hitachi’s VeinID technology, the reader captures the image of the vein pattern in a user’s finger, which, like a fingerprint, is unique to each individual.

Unlike fingerprints, the internal structures of veins are very difficult to reproduce artificially and the scanner only operates if there is a constant blood flow to the finger, meaning the severed finger of a finance officer could not be used to bypass the device’s authentication.

In 2015, the reader will be offered to corporate banking clients who will be able to access their bank accounts and authorise payments without the need for PINs, passwords or other authentication.

Both companies believe there is a wider potential to use the biometrics scanner in the consumer sector and integrate it with mobile devices.

The group, known as the Financial Services Information Sharing and Analysis Center, or FS-ISAC, includes all major U.S. banks and dozens of smaller ones along with some large European financial institutions.

“There are no credible threats posed to the financial services sector at this time,” the group said in an email to its members.

“Banks are getting attacked every single day. These comments from FS-ISAC and its members indicate that this is not a major new offensive,” said Dave Kennedy, chief executive officer of TrustedSEC LLC, whose clients include several large U.S. banks.

“While we should remain diligent and active in monitoring, it doesn’t appear there is a major offensive,” said Kennedy.

Computer hackers targeted JPMorgan Chase & Co. (JPM) and at least four other banks in a coordinated attack on major financial institutions this month, according to a U.S. official.

The attack led to the theft of customer data that could be used to drain accounts, according to another person briefed by U.S. law enforcement.

The whopping 70 per cent of retail and 69 perc ent of financial services apps are vulnerable to data breaches.

That’s according to an analysis of 705 million lines of code as used by 1,316 enterprise applications carried out by software analysis and measurement firm CAST. The firm reckons a growing number of data breaches and security incidents can be directly linked to poor code quality, which can be attributed to tightening project deadlines and other factors.

He added: “Businesses handling customer financial information have a responsibility to improve software quality and reduce the operational risk of their applications – not only to protect their businesses, but ultimately their customers.”

Input validation errors gave rise to the infamous Heartbleed bug and are among the most common class of coding error more generally.

The research also revealed that the financial services industry has the highest number of input validation violations per application