Posts Tagged ‘Banking Information Security’

Network-Based IDS/IPS and Their Value and Challenges in the Current Market

Thursday, June 3rd, 2010

I was recently asked to answer some questions for a magazine article about network-based IDS/IPS and their value and challenges in the current market and environment.  These were some of my responses:

What are the greatest challenges now?

  • Attacks have become sophisticated enough that attackers have developed methods to bypass or subvert traditional IDS/IPS.
  • Additionally, more and more attackers use malware to do their dirty work for them rather than the traditional inbound attacks where IDS/IPS are most effective.  If the attacker can get malware onto an internal system, the network IDS/IPS is largely taken out of play.  This is why methods to install and spread malware have absolutely exploded, especially malicious websites (although this is just one of several methods).  Once malware is installed on the local system, the bad guys can open encrypted tunnels back to their command-and-control network.  An IDS/IPS cannot read the encrypted payload, so essentially all of this happens “under the radar” of traditional security solutions; what remains visible is only the connection metadata (who talks to whom, how often, and how much).

Which industries are most/least vulnerable?

  • Any industry that houses valuable data is always a greater target.  This includes anything that can assist the attackers in identity theft or fraud.  Usually this means companies that house financial data or personally identifying data.  So banks and healthcare providers are at the top of the list.

What are myths and realities about some of the current strategies and solutions?

  • Unfortunately, people still think that edge-based security solutions are enough to keep the bad guys out.  A firewall, network-based IDS/IPS and other technologies that are in the network or “cloud” are still necessary but are far from enough to keep the hackers at bay.


What are the key points you want to make in this interview?

  • See the answer above on myths and realities again…then…the only effective way to secure sensitive data and mission-critical systems is through a next-generation HOST-BASED intrusion prevention system.  Rather than a network-based system that can be bypassed or subverted, HIPS is installed directly on the system you are trying to protect and can protect it at a much higher level than a traditional network-based solution.  It combines signature matching with behavioral techniques.  When combined with 24×7 management and monitoring, it offers the greatest protection for these targeted industries.  And, don’t feel like you have to install HIPS everywhere…you only need it on those “mission-critical” systems whose compromise or unavailability for a period of time would be a problem for your organization.
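The interview answers above make two points worth seeing in code: an encrypted tunnel to a command-and-control server hides its payload from any signature engine, but the timing of the connections is still visible, and that is exactly the kind of behavioral signal the answer about HIPS is reaching for. The following is an added example, not code from the original post or from any product it mentions. It runs a simple periodicity check over a constructed flow log (timestamps, addresses and thresholds are all assumptions): a host that calls the same external endpoint at a fixed interval is flagged without ever looking inside the packets.

```python
"""Added example: spotting scheduled C2 callbacks from connection metadata.

Constructed flow records only; timestamps, addresses and thresholds are
assumptions for illustration, not data from the original post.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
# 10.0.0.5 calls 203.0.113.7:443 roughly every 300 s with a tiny payload
# (a timer-driven beacon); 10.0.0.9 is an ordinary user browsing.
FLOWS = [
    *[(1000 + 300 * i + (i % 3), "10.0.0.5", "203.0.113.7", 443, 412) for i in range(12)],
    (1020, "10.0.0.9", "198.51.100.20", 443, 9120),
    (1075, "10.0.0.9", "198.51.100.21", 443, 3300),
    (1530, "10.0.0.9", "198.51.100.20", 443, 15001),
    (1531, "10.0.0.9", "198.51.100.22", 80, 700),
    (2890, "10.0.0.9", "198.51.100.20", 443, 8700),
    (3000, "10.0.0.9", "198.51.100.23", 443, 2100),
]


def find_beacons(flows, min_events=8, max_cv=0.1):
    """Return (src, dst, port, mean_gap_s, cv) for (src, dst, port) pairs whose
    inter-arrival gaps are regular enough to look like a scheduled callback.

    cv is the coefficient of variation (stddev / mean) of the gaps: a fixed
    timer gives ~0, human browsing gives a large value. Nothing here reads the
    payload, so an encrypted tunnel is as visible as a cleartext one.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _bytes in flows:
        by_pair[(src, dst, port)].append(ts)

    suspects = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few observations to call it periodic
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspects.append((src, dst, port, round(avg, 1), round(cv, 3)))
    return suspects


if __name__ == "__main__":
    for src, dst, port, avg, cv in find_beacons(FLOWS):
        print(f"beacon? {src} -> {dst}:{port} every ~{avg}s (cv={cv})")
```

The check deliberately uses nothing but source, destination, port and time, which is what a flow collector or a HIPS watching its own socket table can see regardless of encryption. Real implants add jitter, so in practice `max_cv` is tuned per environment and combined with other features (constant byte counts, rare destinations, off-hours activity) rather than used alone.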


Thieves Flood Victim’s Phone with Calls to Loot Bank Accounts

Wednesday, May 19th, 2010

We often talk about the multipronged attacks that hackers use.  There is a new one that I saw recently that I thought was kind of interesting.  Criminals are flooding the victim’s telephone lines with calls at the time they are attempting to initiate fraudulent transactions.  Combining a denial of service (DoS) attack on the phone with the transaction offers the cyber thieves some advantages.  For transactions that would normally trigger a call to the customer for verification, that outbound call from the bank cannot get through, so the transfer goes unverified.  Additionally, the fraudsters can call the bank and complain that they have been having telephone problems, which may lead an employee not to follow strict policies and procedures.  If nothing else, this is something financial institutions should be aware of.


Phishing Attacks via Social Networking Sites Reach All-Time High

Tuesday, April 6th, 2010

MarkMonitor put out a new report that shows that phishing attacks are at an all time high, up 62 percent from 2008. It was also interesting to see that only 33 percent of victims of phishing attacks had never been phished before. So it would seem that the phishers are going after the tried and true targets.

One of the biggest increases noted in the report is the use of social networking for phishing attacks which rose 376 percent from 2008 to 2009. Keep in mind that this still only constitutes about 2 percent of all phishing attacks. However, those that get phishing attacks from a social networking site are about 10 times more likely to fall prey to it.

Attackers are still primarily going after financial institutions and financial services companies.


Business Beware: Banks Not Responsible for Some Cyber Theft

Monday, March 22nd, 2010

Dave Nelson, an FDIC examiner, reported on March 5 that malware on customer computers cost banks more than $40 million each month during the last full quarter (July – September 2009). In these cases the hackers trick people into opening “weaponized” emails or into visiting malicious or compromised websites where their systems can be infected.

I thought this was interesting because this is the first time I have heard the regulators say that business accounts do not receive the reimbursement protection that consumer accounts have. That means the business is left holding the bag…which in these cases they should. The bank shouldn’t be held liable for a business customer allowing malware to get installed on one of their systems, hackers capturing login credentials from a business customer employee, and then using it to steal money. The incident had nothing to do with the bank or their security policies or processes. But there is still this prevailing notion that the bank should be responsible for everything.

I think that financial institutions should invest heavily in a marketing campaign to their business customers letting them know this is the policy and that they should take appropriate precautions to protect their systems.


Massive Mariposa Botnet Shut Down with Arrest of Administrators

Wednesday, March 17th, 2010

A very large botnet named “Mariposa” was recently shut down with the arrest of 3 of the main administrators. More arrests are expected in other countries.

Mariposa is said to have had as many as 12.7 million compromised computers (zombies) worldwide. The software acted as a Trojan horse and captured login credentials for online bank accounts. Following the arrests, police recovered personal information of more than 800,000 people. Zombies were found in many of the Fortune 1000 companies as well as in 40 major banks. The Mariposa Working Group, a coalition of security experts, academics and law enforcement, is the group that got it shut down.


Texas Bank Sues Own Customer after Cyber Theft

Thursday, February 4th, 2010

Yesterday I posted a blog about a potential tipping point in consumer liability for fraud where RBS was holding consumers liable for some cases of fraud. Well, there appears to be more evidence that this is a growing movement. PlainsCapital Bank in Texas is suing one of its corporate customers, Hillary Machinery Inc., after cyber thieves tried to steal $800,000 from Hillary Machinery’s account. The bank was able to recover $600,000 of the stolen funds. Hillary Machinery was suing the bank for lack of adequate security measures for the remaining $200,000. The bank in turn is suing the company, seeking a ruling that proper security measures were in place.

In my opinion, this is where companies are getting greedy. They expect the bank to hold all the liability, but that simply isn’t realistic. If someone breaks into your company based on your lack of security, captures account credentials, and then uses those valid account credentials to steal your money, then you should be held liable. Mark my words, it will be cases like this that begin swinging liability back to the customer/consumer and it will ruin them.


Consumers Held to Higher Level of Liability for Online Purchases

Wednesday, February 3rd, 2010

“Verified by Visa” and “MasterCard SecureCode” are programs designed to give merchants fewer chargebacks through greater security when individuals make purchases online. What I found interesting is that some banks, such as the Royal Bank of Scotland, are now holding consumers to a higher level of liability as a result. Liability for fraud and consumer credit issues had been moving further and further away from consumers until this. Security will take a dramatically different approach when individuals are held responsible.


Experts Warn SMBs: Use a Dedicated PC for Online Banking

Tuesday, January 12th, 2010

After a year or so of ACH (Automated Clearing House) hacking, the ABA (American Bankers Association) has issued guidance telling businesses that they should use a dedicated PC for their online banking transactions. Malware (software that infects a system and allows a hacker to control it remotely) is so prevalent that it is often used to hijack online banking accounts and withdraw money. The ABA says the dedicated computer should not be used to browse other websites or for things like email, where malware often comes from.



Lack of ATM Regulation in U.S. Means Nearly Anyone Can Buy Them

Monday, December 7th, 2009

The US has no restrictions on who may own or operate ATMs. ATMs can be purchased through eBay and Craigslist any day of the week. There are known incidents where a hacker has taken a machine, set it up at a public location, and simply collected the card numbers and PINs. There was even one of these types of systems at the Defcon security conference last year in Vegas. I know guys that won’t wear a watch to Defcon because they fear it will get hacked.


SMB’s Targeted in Online Banking Fraud Scheme

Tuesday, November 17th, 2009

The FBI has sent a warning regarding a fraud scheme that utilizes the ACH (Automated Clearing House) system. The fraudsters have stolen more than $100 million from small and medium-sized businesses, municipal governments and school districts. The fraudsters commonly use social engineering techniques to trick users into installing malware on their computers, which then monitors and captures financial transactions. The criminals then gain access to the financial accounts and transfer money out to what are known as “money mules” (people who agree to forward the money to overseas accounts for a small fee). These transfers are kept under $10,000 to avoid triggering red flags.



Sophisticated Trojan Horse Malware Extracting Money from Bank Accounts

Thursday, November 5th, 2009

Some new malware is making it more difficult to detect when fraudulent online transactions are taking place. The URLZone Trojan horse program communicates with a command and control server to find out exactly how much money it can extract from an account without being detected. In other words, if the threshold for a particular bank system is $50, it will extract $49.99 so the fraudulent transaction doesn’t trip an alert. It also hides the transaction from the victim by forging the online bank statement shown in the browser. The Trojan targets Firefox, Opera, and IE 6, 7 and 8.
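Both this post and the ACH warning above describe the same evasion: the thief learns a limit and then stays a hair under it, whether that is a per-transaction alert threshold probed by the Trojan or the $10,000 figure mule transfers are kept beneath. The flip side is that a run of transfers clustered just below a known limit is itself a signal. The following is an added example, not code from either post or from any bank system; it runs over the institution’s own ledger (server side, since a man-in-the-browser Trojan can forge what the customer sees), and the ledger rows, thresholds and window are constructed assumptions.

```python
"""Added example: flagging transfers that cluster just under an alerting limit.

Runs over the institution's own ledger (server side), since a man-in-the-browser
Trojan can forge what the customer sees. Thresholds, window and ledger rows are
constructed assumptions, not figures from the original posts.
"""
from collections import defaultdict

# Constructed ledger: (account, sequence, amount, destination).
LEDGER = [
    ("A-100", 1, 49.99, "mule-1"),
    ("A-100", 2, 120.00, "utility-co"),
    ("A-100", 3, 49.99, "mule-2"),
    ("A-100", 4, 49.50, "mule-3"),
    ("B-200", 1, 9_900.00, "mule-7"),
    ("B-200", 2, 9_850.00, "mule-8"),
    ("B-200", 3, 9_975.00, "mule-9"),
    ("C-300", 1, 12_000.00, "vendor-llc"),
    ("C-300", 2, 31.00, "coffee-shop"),
]


def near_threshold(entries, threshold, window=0.05):
    """Entries whose amount lies in [threshold*(1-window), threshold).

    An attacker who knows the limit shaves just enough off to stay under it, so
    the interesting band is the narrow one directly below the limit, not the
    whole range beneath it.
    """
    low = threshold * (1 - window)
    return [e for e in entries if low <= e[2] < threshold]


def structuring_accounts(entries, threshold, window=0.05, min_hits=3):
    """Map account -> (hit_count, total_amount) for accounts with at least
    `min_hits` near-threshold transfers. One sub-limit payment is routine;
    several in a row to fresh payees is the pattern worth a phone call."""
    hits = defaultdict(list)
    for acct, _seq, amount, dest in near_threshold(entries, threshold, window):
        hits[acct].append((amount, dest))
    return {
        acct: (len(rows), round(sum(a for a, _ in rows), 2))
        for acct, rows in hits.items()
        if len(rows) >= min_hits
    }


if __name__ == "__main__":
    # Two limits of the kind the posts describe: a per-transaction alert
    # threshold that a Trojan probes, and the $10,000 figure mules stay under.
    for limit in (50, 10_000):
        print(limit, structuring_accounts(LEDGER, limit))
```

The per-transaction rule the Trojan is evading is exactly the rule that should not be the only one: the second function aggregates across transactions, which is what defeats the $49.99 trick. In a real deployment the threshold would come from the institution’s alerting configuration and the output would feed a verification step that does not rely on the customer’s browser session.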


Bank Files Restraining Order on Google to Avoid Data Breach

Thursday, October 29th, 2009

So here is something that interested me. A Rocky Mountain Bank employee inadvertently sent an email with sensitive data to a Google email account. In an attempt to get it back, the bank obtained a temporary restraining order (TRO) that demanded that Google deactivate the unknown user’s account, delete the message, etc. Google determined the email had not been opened or read and did delete it.

The reason I think this is interesting is because this bank realizes just how big of a deal a data breach can be. A single email, even with a single customer’s account information, would constitute a data breach. In an effort to keep from having to disclose it, they went directly after Google. They were smart. Because they were able to get Google to delete it, they don’t have to go through the pains and often times class action lawsuits that often accompany data breaches. Financial institutions are starting to take this data breach stuff very seriously…especially now that laws require the disclosure in nearly every state.


Bank Sued by Couple for Failing to Secure Account Information

Tuesday, October 6th, 2009

An Illinois couple is being allowed to sue their bank on the grounds that it failed to sufficiently secure their account. A criminal was able to obtain a $26,500 loan using their account credentials and information. The claim states that the bank failed to provide “state-of-the-art” security measures to protect their account. The court is allowing this novel case to continue through the system.

It sure seems like financial institutions are losing the game of “who is left holding the check.” Regulators are coming down on them harder and more often than ever. Consumers rightfully expect their personal information to be protected, but are usually unwilling to pay any more for these measures. Criminals are getting better and better at compromising systems in more diverse, complex, and innovative ways. FIs’ vendors and partners are often the source of issues and breaches, and yet the FI still has to pay the bill and do the clean-up…not to mention the reputational impact. It is tough to be an FI these days.


Social Engineering Attack Actually an Authorized Engagement

Monday, September 28th, 2009

You may have read in the news or on my blog about a report issued by the NCUA regarding a social engineering attack seen by a credit union where CDs were mailed to them in hopes that someone would launch them and get malware installed. As it turns out, this was a social engineering engagement the CU had authorized. While I am not sure of the breakdown in communication that allowed it to be reported to the NCUA, they are pretty PO’d. They are citing unauthorized use of their logo, which was on the packaging of the CDs. This makes me think of a few things. First, if you are going to do penetration testing with a vendor, you need to be sure someone at the top is the right stop gap if your people discover the attempt and begin an escalation and reporting procedure (by the way, good job to the employees of the CU). Second, fraudsters would use the NCUA logo as well, so we just need to be prepared for that. The NCUA reacted properly, but I wouldn’t doubt if this leads to specific types of authorization or conformance when penetration testing occurs.  While this turned out to just be a test, I think it is good to make CUs aware that they shouldn’t just plug in CDs that are sent to them…no matter what logo is on them. Good still came from this.


Video: Thief Installing an ATM Skimmer at Bank

Monday, September 14th, 2009

The Consumerist posted a video today of a man in Brazil installing a skimmer on an ATM in a bank.  Of course, the man had to return to the ATM to retrieve his device, where he was greeted by the authorities.  At the end of the video you see real footage (not surveillance video) of the authorities removing the skimming device.  This device seemed to be cleverly fashioned specifically for this ATM.  Even when installed, the ATM still resembled the ATMs on either side of it.

Remember, try to avoid any suspicious-looking ATMs. If an ATM in a bank looks suspicious, alert an employee of the bank. If you must use it, push and pull on various areas of the ATM, like the card reader or any items that look like they don’t belong. Thieves are getting better and better at making it difficult to distinguish the real from the fake.


Bank Failures Continue to Rise in US

Friday, September 4th, 2009

We are now well over 70 bank failures in the U.S. this year alone. That is more than the previous decade combined! They are still estimating that we will top 100 before the end of the year.


NCUA Reporting Possible Scam Utilizing Malware Infected CDs

Monday, August 31st, 2009

Here is a recent scam reported by the NCUA and others.  CDs are shipped to financial institutions with instructions to load them. The CDs and letter are supposedly from the NCUA, but are not.

————————-

Malware-Infected CD Mailing was Part of Pen Test

The malware-infected CDs that were mailed to some credit unions may have been part of a penetration test designed to gauge whether an employee would run the software. The SANS Internet Storm Center says it was notified by a representative from Microsolved that the mailing was part of an authorized pen test.

The alleged scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. Of course, the CDs are loaded with malware rather than training programs.

Read more here at Threatpost.com >>>


Bank Closings and Cyber Criminal Activity

Friday, July 17th, 2009

Banks are closing at a very fast pace.  Still a lot of fall-out to come.  Cyber criminals are taking advantage of this in a variety of ways.  Creating phishing emails and pharming redirections are just the beginning.  It isn’t difficult to create targeted attacks towards the customers of a bank that has recently gone under.  These lures can be very effective in routing these unsuspecting end users to false websites where their information can be captured.

http://www.fdic.gov/BANK/HISTORICAL/BANK/index.html

To put it into perspective, here is what the history of bank closings has been:

2009 – 43 closed banks
2008 – 24 closed banks
2007 – 3 closed banks
2006 – 0 closed banks
2005 – 0 closed banks
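The lures described above (phishing mail and pharming redirects that route a failed bank’s customers to a false website) almost always ride on a domain name that imitates the real one. The following is an added example, not code from the original post or from any bank or vendor: a small screen that an institution could run over newly registered domains or over URLs pulled from reported phishing mail, flagging homoglyph swaps, single-keystroke typosquats and brand-embedded names. The brand list, candidate domains and substitution table are constructed assumptions.

```python
"""Added example: screening domain names that imitate a monitored bank.

The brand list, candidate domains and substitution table are constructed
assumptions for illustration, not data from the original post.
"""

# Characters attackers swap for look-alikes; both sides are normalized so a
# legitimate brand containing 'rn' is not mis-scored.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def normalize(label):
    label = label.lower().translate(HOMOGLYPHS)
    for seq, rep in MULTI_CHAR:
        label = label.replace(seq, rep)
    return label


def sld(domain):
    """Second-level label ('examplebank' for 'login.examplebank.com').
    Assumes a one-part suffix; production code should use a public-suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Edit distance, for single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legit_domains, max_distance=1):
    """Return (matched_legit_domain, reason) if `candidate` imitates one of
    `legit_domains`, else None. The bank's own hosts are exempted first."""
    cand_full = candidate.lower().strip(".")
    for legit in legit_domains:
        if cand_full == legit or cand_full.endswith("." + legit):
            return None
    cand = sld(cand_full)
    norm = normalize(cand)
    for legit in legit_domains:
        brand = sld(legit)
        if cand != brand and norm == normalize(brand):
            return (legit, "homoglyph")
        if levenshtein(cand, brand) <= max_distance:
            return (legit, "typosquat")
        if brand in cand:
            return (legit, "brand-embedded")
    return None


def scan(candidates, legit_domains):
    """Apply classify() to a batch, e.g. newly registered domains or URLs from
    reported phishing mail, returning only the hits."""
    out = []
    for c in candidates:
        hit = classify(c, legit_domains)
        if hit:
            out.append((c, *hit))
    return out


LEGIT = ["examplebank.com"]
CANDIDATES = [  # constructed
    "online.examplebank.com", "examp1ebank.com", "exarnplebank.net",
    "exampleban.com", "examplebank-login.com", "unrelated.org",
]

if __name__ == "__main__":
    for cand, legit, why in scan(CANDIDATES, LEGIT):
        print(f"{cand:28} looks like {legit} ({why})")
```

A candidate with the bank’s exact name under a different TLD scores as a typosquat at distance 0, which is usually what you want for a brand you do not own elsewhere. The heuristics are deliberately simple; a real monitoring feed would add IDN/Unicode confusables, a public-suffix list so that names like `co.uk` are split correctly, and a review queue rather than automatic takedown.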


Financial Data Breach Sources

Tuesday, April 21st, 2009

In the study we just released on financial institution data breaches between 200 and 2008 we analyze the breach sources.

Hacking accounts for 42 percent of incidents but 55 percent of records compromised.  This is the largest percent of incidents and records which is why financial institutions have and continue to work hard to mitigate their exposure to hackers.

Theft constitutes 30 percent of incidents but only 3 percent of records compromised.  The lesson to be learned here is that you will still have to disclose a breach even if few records are compromised.  This is where encryption products are valuable. If the data is encrypted and gets stolen, data breach notification laws usually do not require disclosure (only 4 of 45 states require it).  To see the individual states that have these laws and which ones require disclosure even when the data is encrypted, see the list in the study.

Malicious Insiders accounted for 15 percent of incidents but 24 percent of records compromised.  This could be a bit misleading as well because often in the cases of theft, it could be a malicious insider and not known.  So in reality this number could be higher, but is already quite staggering.  Malicious insiders come in many varieties, however IT Admins are one of the leading causes.

3rd parties accounted for 8 percent of incidents and 11 percent of records lost.  This (in my opinion) is a very high number.  This can include malicious individuals employed by the 3rd party.  It can be data disclosure by untrained or careless partner employees.  It can also be hackers or other outsiders that compromise the 3rd party network and then gain access or compromise company systems through the access granted to a 3rd party.  This is why 3rd party due diligence is so important right now and has been harped on by the regulators for the last couple of years.

Careless and untrained insiders account for a very small percentage of incidents and records compromised.  Keep in mind that all these statistics are based on KNOWN data breaches (which some estimate at 11% of the total) and we only learn the number of records compromised in about two thirds of incidents.  The number of incidents involving careless and untrained insiders is quite small (in my opinion) for a couple of reasons.  First, financial institutions have some of the best policies, procedures, guidelines, and training of any vertical tracked.  Second, they have been regulated, and actively audited, for many years (unlike healthcare under HIPAA, which has a higher percentage of these types of breaches). Third, companies are still sweeping incidents under the carpet…especially when there was a breakdown in internal processes.  So we aren’t seeing the whole story here.  As a result, they have fewer of these types of incidents than any other vertical.


Compromises of Financial Services Companies

Monday, April 20th, 2009

On page 15 of the financial data breach study we released recently, you can see the incidents by breach category.  This is where you get to learn the breakdown of what caused the data breach incidents.  We learn that half of financial services breaches are caused by hackers, malicious insiders, social engineering attacks and theft.  Truthfully, these are more difficult to stop than other types of attacks.

Stolen laptops accounted for 21 percent of breaches.  While it is hard to stop the theft of these devices, you can encrypt the sensitive data on them, which reduces the chances that you have to disclose it.  Only 4 of the 45 or so states that have data breach disclosure laws require you to publicly announce a data breach if the data was encrypted.  So that 21 percent is within our control to reduce.

15 percent were due to “data exposure” which can also be reduced.  This is usually where an employee makes a mistake and inadvertently discloses, sends, or makes available sensitive information.  This is also easier to control (through policies, procedures, training, etc.) than a hacker breach.

Media loss (which accounts for 11 percent) can also be significantly reduced.  Using encryption (as I mentioned above with laptops) is one way.  Additionally, when the media is backup tapes, which it often is, using a remote backup and recovery service (rather than magnetic media and backup drives) takes the tape out of the picture and with it the risk of one going missing.

So to sum up, there are always things to reduce your risk of a data breach.  Threats from hackers, malicious insiders and the like are certainly more difficult than other types to avoid.  But the approximately 50 percent of breaches that aren’t caused by malicious activity but rather careless and untrained insiders can be significantly reduced through the adoption of some simple technologies and training.

What we have to remember is that we have been talking about incidents, not records.  Breaches by hackers and malicious insiders may account for 50 percent of incidents, but 83 percent of records compromised.  This is a double-edged sword, because most organizations have to report a breach whether 100 records or a million records were compromised.  So to protect your company’s good name, reduce liability, etc., you may implement one type of solution.  To better protect your customers’, members’, and employees’ information, you may implement different strategies.  Obviously the best thing is to do both, but when budgets are tight and you have to choose, which will you pick?