Posts

Sad Scary State of Bank Security

Who needs guns or threatening notes to rob a bank when you can do it with just your fingertips from inside your home?

A hacking ring in the eastern portion of Europe may be the most successful team of bank robbers to date, having purportedly robbed $1 billion from multiple banks. This can only be done by infecting computers with malicious software (malware) and sucking out all the money.

Obviously, these hackers aren’t dumb criminals, but they also play on poor security measures of the banks. Apparently, the success of the hackers’ attack was contingent upon an employee clicking on a malicious link in an e-mail or opening a malment in the e-mail (“malment” = malicious attachment).

And that’s exactly what happened; someone fell for the oldest cyber trick in the book. This could have been prevented by not only having Microsoft updates done on a regular basis and having updated antivirus, but educating employees.

The next step in the chain reaction was the triggering of Carbanak, a virus that installs software that logs keystrokes…figuring out passwords this way. But Carbanak also captured screenshots.

How could banks let something like this happen?

Let’s Dissect this Robbery

The thieves sent out phishing e-mails—those containing malicious links or attachments—that are designed to trick people into clicking on them because the messages look legitimate. The crime ring just sat back and waited, knowing it was only a matter of time before someone clicked on one of their malments.

The keylogging gave the thieves all the information they needed to drain the banks. Boy, they sure broke in easily! All because the banks didn’t keep their devices’ security updated, leaving an unpatched opening—and perhaps the employee(s) who fell for the ruse were doing banking business on the same device they use for personal activities—a big, huge mistake.

And whose fault is that? The bank’s; we can’t expect the run-of-the-mill employee to have built-in knowledge about how hacking rings work and that it’s a gateway to cyber theft if one mixes business activities and personal activities on the same computer. Learn from their mistakes. Update your devices and don’t click links in emails.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. Disclosures.

What happens when a Bank Account is hacked?

Who’d ever think that your money was safer in your bank account 50 years ago than it is today, in this “modern” age of remote theft? Whether you bank with a large or small bank, your account may be at risk from hacking rings.

However, most of the time, but not always, if your account is drained by a cyber thief, the bank will cover it for you.

The latest information is that a big attack is planned in the spring, but it’s the “It’s easier to get one dollar from a million people than it is to get a million bucks from one person” type of attack plan. The apparent hacking plan involves stinging mass numbers of banking customers via the customers’ computers.

Because banks are a favorite target for cyber thieves, financial institutions are always improving their cyber security. However, criminals get into bank accounts by suckering customers into revealing personal information; we’re talking thieves who don’t directly hack the bank, but hack YOU.

  • Never click links inside e-mails—including those that SEEM to be coming from PayPal, Chase or whatever institution you use.
  • Typically, these scam messages are constructed by thieves posing as your bank. They tell you your account is about to be compromised, or there are suspicious withdrawals or something else to grab your attention, and that to correct the problem, you must visit their site and enter some information. This is a scam to get your login information! The phony site that the link goes to is constructed to look exactly like the authentic bank sites.
  • If you’re not convinced these scammy e-mails you got have gone to a million other people, then phone your bank and inquire about the message.
  • Never use the “remember your computer” option that banks offer. Forget the convenience; just deal with the login hassle every time for better security.
  • Don’t hide your savings in your house because you figure they’re safer there. If you follow the aforementioned rules, your money will be far safer in your bank than hidden inside your toddler’s teddy bear.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

Hackers and Banks win, Clients lose

Don’t blame the hackers; don’t blame the bank; apparently it’s the victim’s fault that a Missouri escrow firm was robbed of $440,000 in a cybercrime, says a report on computerworld.com.

The attack occurred in 2010, but the appeals court’s March 2013 ruling declared that the firm, Choice Escrow and Title LLC, can’t hold its bank accountable. The victimized firm might even have to pay the bank’s attorney fees. The court says that the firm failed to abide by the bank’s recommended security procedures.

BancorpSouth Bank was sued by Choice Escrow following a cyber assault in which the password and username to the firm’s online bank account were stolen.

The victim asserted that the bank failed to implement sufficient security measures, allowing the attack to take place. The firm also insisted that the bank should have detected that the wire transfer of the money to Cyprus was fraudulent because it was initiated outside the U.S.—an unprecedented type of transaction.

BancorpSouth’s defense was that Choice Escrow failed to put in place the security precautions for wire transfers that the bank recommended.

At first it seems like the bank here is bucking culpability, but according to the bank:

  • It had controls in place for Choice Escrow to use.
  • The bank requested that the firm use a dual-control process for wire transfer requests that would require two people to sign.
  • The bank asked the firm to enforce an upper limit on wire transfers.
  • Choice failed to follow these two recommendations.

The bank also points out that the wire transfer was started by someone who used the firm’s legitimate banking credentials, along with a computer that seemed to belong to the company. Had the company followed the bank’s recommendations, the crime may not have occurred.

Stealing legitimate banking credentials and using them to initiate criminal wire transfers to overseas accounts is nothing new to cyber criminals. This crime causes disputes between banks and their customers and heightens awareness over how much responsibility each entity should carry.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

Bankers on the Front lines of Cyber Defense

There was once a time when the only threat to a bank’s security was when that innocent-looking man hands a note to the bank teller that makes her face go ashen. And the only security, save for video surveillance, was the armed guards and the silent alarm that the teller triggers.

Nowadays, terms like firewalls, encryption, anti-virus and cloud providers are just as important to a bank’s security as are the armed guards, huge windows, security cameras and steel vaults. No longer is the masked robber who says “Hand over the money” a bank’s biggest threat. ATM skimming, where nobody is ever shot at, is at the top of the list.

The Three Directions of Banking Security

  • Analyzing big data and assessing potential threats
  • Banks joining forces by sharing information relevant to protection against cybercrime
  • Focusing more on fast recovery and less on prevention of crime

That last point is because breaches are always going to occur no matter how thick the security is, and there’s a lot of room to improve in terms of recovery speed. So it makes sense that this shift in attention is developing at an increasing rate.

A New Breed of Locks

Banks require many layers of protection, and this includes keycards, which allow select employees through specific doors at specific times. Just stick the card in a slot and the door opens (a common device also used in hotels).

Keycards are also used by extraneous service people. A lost card can be immediately turned off, and cheaply replaced, whereas traditional locks would cost a bundle.

Customized badges are another way that financial institutions have improved security measures, replacing keys and keycards. Employees can be “added onto” a badge, and a lost and found badge can be deactivated and activated, respectively.

Anti-Skimming Devices

Anti-skimming devices can significantly reduce this crime, in which a thief puts a phony reader over an ATM device to capture a customer’s card data. The volume of skimming crimes is enormous, yet many ATMs still have no anti-skimming protection.

Cloud Storage for Data

More and more financial organizations are relying upon cloud computing, though this technology also brings with it some concerns, since the cloud involves a third-party provider—which can turn bank data over to the government without the bank’s permission.

A way around this is for the bank to encrypt data prior to placing it in a cloud, and to keep encrypting it even when at rest, and retain the encryption keys.

Biometrics

Fingerprint swiping to withdraw money is one of the latest security tactics: multispectral imaging (MSI). Who can possibly “skim” that? This is biometric technology and is already in thousands of ATMs. This “inner fingerprint” is immune to breakdown from grime, wear or moisture, making it very tamper resistant.

Look for even more progress in the multilayered security of financial institutions in the years to come—technologies that right now we can’t even comprehend.

For more information about this shifting industry, visit:

securitymagazine.com/articles/print/85356-banking-battlegrounds-cyber-and-physical-security-risks-today

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

10 Simple Tips to Bank Safely Online

One of the issues I’m passionate about, as an online-security analyst, is that of banking safely online; so I recommend the following simple tips to help ensure your security in cyberspace.

  1. Wired ethernet link. This offers more security than does a powerline or Wi-Fi network. In fact, the powerline carries your data via electrical wires—not secure at all. Data from wires can leak into adjacent homes, and Wi-Fi signals are out in the open, literally. An ethernet attack, however, may require a home break-in by the crook, and then he has to set up his device.
  2. Nevertheless, powerline and Wi-Fi do come with encryption capabilities; encryption scrambles data for safer online banking. Any attacker would need your password to infiltrate. But remember this: Wi-Fi’s WEP, which is obsolete, can be hacked into, even though it’s still offered as an option for router setup.
  3. Do not leave a router on its default password. Otherwise, crooks can get in and redirect your traffic to who knows where.
  4. Never trust third-party Wi-Fi hotspots.
  5. Make sure that the financial site you visit has a padlock icon and “https” before the URL address; this means it’s secure and legitimate. “Http” (no “s”) is not secure.
  6. Keep up to date on security updates for your browser and operating system. This will protect against a crook who uses a keylogger to track your keystrokes. With a keylogger, a hacker can get your keystroke pattern and will figure out your passwords.
  7. Never click on links in e-mails. Even if it’s supposedly from your bank. Never.
  8. To really beef up online banking security, use a separate computer just for online banking.
  9. Enable your financial institution’s two-step verification. This is typing in a password that’s one-time, that gets texted to you. Unfortunately, many banks don’t have this tactic. But if you’re concerned with banking safely on the Internet, see if your institution does. If you can’t find this information on their web site, call them.
  10. One more simple tip about safe online banking: Hotspot Shield VPN service guards your entire online experience when you’re using unprotected networks, such as at coffee houses, hotels, airports, etc., be they wired or wireless.

You can have peace of mind that your web sessions (downloads, filling out forms, shopping, banking) are safe and secure with the https-protected tool. With Hotspot Shield, all mobile data is encrypted. Hotspot Shield also has a mobile version, and it compresses bandwidth so that you can download nearly double the content at the same cost. This VPN service has saved 102.9 million megabytes.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Banks and Retailers fight it out over Who’s at fault

The duking out between banks and retailers was launched this past December when a credit card data breach hit an estimated 110 million customers of a big retail store.

Is the retailer responsible? Should the credit card issuers or banks take the brunt of preventive action? What about the consumer? Lawmakers are trying to figure out what can be done to keep the consumer’s data safe from hackers.

The 110 million breach aside, the generality is that the big tripod (banks, retailers, credit card issuers) doesn’t seem to grasp the concept of shared responsibility when it comes to protecting consumers’ data.

James Reuter of the American Bankers Association points out that banks tend to take the brunt of the responsibility with data breaches, way more than what banks are even accountable for. Banks “are making customers whole,” he says.

Meanwhile, retailers are all banding together saying that the customers have zero liability. Retailers know that the banks will swoop in and bear much more financial burden than they’re actually responsible for.

Reuter believes whichever entity—be it a retailer, card company or even bank—is responsible for hacking due to lame protection strategies, should take full responsibility.

Banks really want retailers to step up to the plate too. Forty-six states already have standards for businesses to inform customers of data breaches. However, banks would like a federal standard. Senators Tom Carper and Roy Blunt have introduced such a bill.

After a breach may be too late:

The customers of the breached retailer in December didn’t just have their credit card numbers taken, but other data such as e-mail addresses and phone numbers. Once hackers have these, they have more tools with which to drum up identity theft schemes—something they can’t do with just a credit card number.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Banking and Brokerage Accounts vulnerable to “Account Takeover”

It wasn’t pretty: those fairly recent credit card breaches at a few big-name retailers. As newsworthy as these were, they’re actually not the greatest risk for wealthy folks; a bigger foe is a money management firm lacking sufficient checks and balances.

Attack schemes:

Another type of attack can hit an organization hard: some cyber punk getting into your client’s e-mail account, then using their stolen information to rob money from the client’s financial accounts. E-mail related fraud is booming.

Perhaps the biggest scheme is when an employee gets an e-mail in which someone is requesting money—and urgently. Often, the employee is lured into clicking on a link inside the e-mail, and the end result is that the employee ultimately reveals personal data, allowing the system to get hacked.

Another common realm of infiltration is via unsecured public wireless networks, such as at an airport or hotel. Fraudsters will set up hot spots—fake, of course—that yield Internet access but will ensnare employee data.

Employees can also expose their accounts to hacking by using their e-mail address to log into their own financial accounts. This makes the job easier for cybercriminals.

Protect Your Business

Here are some ways to add protection:

Revamp how employees wire money for clients (one way to do this is to require that the recipient’s authenticity be verified with a phone call).

Clients should verify any and all wire transfers from their accounts.

If a client’s computer is not recognized or has an unfamiliar IP address, the client should be called with a code that completes the transaction.

Incorporate multifactor authentication in the login process and when transfers of any substantial amount are made.
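The controls listed above, together with the dual-control and upper-limit recommendations from the Choice Escrow case earlier on this page, can be expressed as a release check on each wire request. This is an added example, not code from any bank or from the original post; the limits, device names, user names and field names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy values; the page gives no real limits or device names.
WIRE_LIMIT = 100_000              # upper limit per wire, in dollars
MFA_THRESHOLD = 10_000            # "substantial amount" that needs MFA
KNOWN_DEVICES = {"office-pc-1"}   # hypothetical device identifiers


@dataclass
class WireRequest:
    initiator: str
    amount: int
    device_id: str
    approvers: set = field(default_factory=set)  # users who signed the request
    recipient_called: bool = False   # recipient verified by phone call
    client_code_ok: bool = False     # code given to the client by phone
    mfa_passed: bool = False


def evaluate(req: WireRequest):
    """Return (decision, reasons); decision is 'reject', 'hold' or 'release'."""
    if req.amount > WIRE_LIMIT:
        # A hard cap needs no judgement call and cannot be approved around.
        return "reject", ["amount exceeds the wire limit"]
    reasons = []
    # Dual control: the initiator's own signature never counts as the second.
    if not (req.approvers - {req.initiator}):
        reasons.append("needs a second approver")
    if not req.recipient_called:
        reasons.append("recipient not verified by phone")
    if req.device_id not in KNOWN_DEVICES and not req.client_code_ok:
        reasons.append("unrecognized device, call client with a code")
    if req.amount >= MFA_THRESHOLD and not req.mfa_passed:
        reasons.append("MFA required for this amount")
    return ("hold" if reasons else "release"), reasons


def demo():
    # Constructed requests. The first mirrors the Choice Escrow pattern:
    # valid credentials, a device that looks like the firm's, $440,000.
    stolen = WireRequest("alice", 440_000, "office-pc-1", {"alice"},
                         mfa_passed=True)
    small = WireRequest("alice", 40_000, "office-pc-1", {"alice"},
                        mfa_passed=True)
    good = WireRequest("alice", 40_000, "office-pc-1", {"alice", "bob"},
                       recipient_called=True, mfa_passed=True)
    return [evaluate(r)[0] for r in (stolen, small, good)]


if __name__ == "__main__":
    print(demo())
```

The first two requests pass every credential and device check, which is why the amount cap and the second signer are the controls that stop them.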

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Consumer Banking Security Products & Services

Today’s banks aren’t your dad’s bank. Having been around for hundreds of years, banks are a significant part of our everyday lives. Traditionally, banks haven’t been known for their “thought leadership” in technology, but today’s banks have to be cutting edge to compete and stay secure.

All the conveniences of digital banking come with their own set of risks, which require upgrades in card technologies and authentication. In response, banks have provided numerous methods for protecting your personal information and for making your banking experience more secure, domestically and internationally.

Multifactor authentication: This is generally something the user knows, like a password, plus something the user has, like a smart card, and/or something the user is, like a fingerprint. In its simplest form, it is when a website asks for a four-digit credit card security code from a credit card, or when our bank requires us to add a second password for our account.

Key chain fobs: Some institutions offer or require a key fob that provides a changing second password (one-time password) in order to access accounts, or reply to a text message to approve a transaction.

Travel credit cards: Americans who travel abroad are finding that many smaller merchants and most unattended kiosks overseas won’t take their American-based credit cards, leaving them high and dry and making cash a necessity and credit cards useless in these situations. Travelers can use their old magnetic stripe cards, but will often find resistance or outright refusal of acceptance.

In response, big banks are issuing new EMV cards, also known as “Chip and Pin” or smartcards.

SMS Banking: Banks know you are going mobile and have built secure infrastructure to accommodate banking on the go. One option might include receiving notifications of various banking transactions for security purposes. SMS banking is also handy when the consumer wants to check an account balance before heading to an ATM.

Ask your bank what they offer to keep you safe and secure. You’d probably be surprised at how much they have evolved with technology.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures