Financial Security Guides

For Consumers

2018

All You Need to Know About Securing Your Cryptocurrencies

Securing real-time payments with tokenization

2017

Bank Accounts In UK and Ireland Vulnerable To Hacking

2017-12-15

– Bank accounts at majority of banks in Britain and Ireland are vulnerable to hacking says Financial Times

– Two-step authentication process used by most banks is inadequate

– Vulnerabilities identified similar to those that were used by hackers to steal up to $1 billion across Eastern Europe

– UK regulator says bank customers must be reimbursed, banks are responsible for security

– Highlights risks to deposits and systemic risk should such vulnerabilities be exploited in cyber-warfare or indeed for monetary gain

The vulnerability of banks and the global banking system – reliant as it has become on computer systems, information technology and the internet – was highlighted yet again in an important article in the Financial Times on Tuesday which was largely ignored elsewhere.

The FT reports that it has come into possession of documents and correspondence between the Financial Conduct Authority (FCA) and a cyber security firm, Bronzeye that identify “serious security issues” at British high street banks.

“Britain’s markets watchdog, the Financial Conduct Authority, was warned last July about a loophole in the cyber security of one of Britain’s biggest banks that could give hackers unfettered access to customer accounts,” reports the FT.

Bronzeye identified a weakness in the two-step authentication process used by most banks and reported it to the FCA in July of last year. It is apparently similar to the flaw that allowed hackers to raid up to $1 billion from around 100 banks, predominantly in Eastern Europe.

Bronzeye identified one “large British bank”, the name of which was redacted in the documents, that had “22 critical vulnerabilities”. One of these flaws could “stop the bank in it’s tracks”, according to the firm.

Oddly, the bank refused to work with Bronzeye to fix the problem.

On the surface it would appear that banks customers need not concern themselves with these developments. The FCA has made it clear that banks must absorb the costs of raids on customers accounts by hackers.

“We are focused on ensuring the right outcomes based on our three operational objectives. We expect firms to provide redress for consumers impacted by cyber crime, consumers should not lose out as a result of cyber crime. Management and oversight of the systemic cyber risks lie with the Bank of England and Prudential Regulation Authority supervision,” they said.

While this is encouraging we believe that this story again exposes systemic risks to the banking system. If the accounts of a number of banks were targeted en masse in a coordinated act of cyber-warfare or cyber-terrorism it could severely impact and even disable individual banks and their deposit accounts and indeed the entire western banking system through contagion.

We have covered previously how governments across the world have been infecting the systems of their rivals with malware. Although generally they have not exploited the breaches to date.

It is likely that groups and governments hostile to the West have also identified such simple vulnerabilities in the western banking system but decided it was not in their interest to exploit them … yet.

Recently we pointed out how an international hacking group stole $300 million from bank accounts and how the global digital banking system is not secure . We also pointed out how cyber war poses risk of bail-ins to banks and deposits.

We are not suggesting that readers should dash out and empty their bank accounts. We are simply identifying risks to the system of which people should be aware and that they take reasonable precautions including diversification of deposits and diversification from deposits.

Having all your eggs in a deposit account is no longer prudent.

Academic and independent research and indeed the modern and historical record shows how physical gold is the safest asset-class in the world. An allocation of some of one’s portfolio to physical gold is insurance against technological and systemic risks posed to all virtual wealth today – whether that be digital bitcoin or electronic currencies in deposit accounts.

These risks have never been seen before and yet are largely unappreciated and ignored by brokers, financial advisors and bankers.

Warning! You could now be robbed without knowing it

2017-11-24

What’s the saddest moment you’ve experienced? For me, it was seeing my friend in anguish when she found out that most of her life savings had been stolen from her hacked bank account. It had been several days before she found out about it.

My dear readers, you, too, are susceptible to being robbed by computer experts operating in the unknown shadowy world of hacking, with just a few keystrokes.

In fact, even the reserves of some of the most well established corporations are exposed to financial crimes. This was proven when a group of daring anonymous thieves stole US$81 million from one central bank while using the Philippines as its cashing site. Investigators believe that the cyber thieves were able to install a form of spyware called RAT (Remote Access Trojan), which allowed them to steal the bank’s credentials without the bank even knowing it. They then bypassed controls by using the bank’s credentials to gain unauthorized access to the US$81 million SWIFT network and by setting up four fraudulent bank accounts in a Philippine bank to which they could transfer the stolen money. By the time the Philippine bank read the message from the central bank about the fraudulent transfer, the money had already been withdrawn and eventually laundered through Philippine casinos.

The numerous testimonies I’ve come across with on financial crime motivate me to mitigate these occurrences. Using my combined experience as a former banker and current consultant specializing in financial crime mitigation, I would like to issue this warning that you and your company can be robbed without you ever knowing it. Where I come in is to offer the proper advice and mitigation processes to ensure your financial security and that of your company.

You can protect your money by practicing the four key principles, which can be abbreviated as SAFE: S – Safe-keep your private information, A – Assign strong passwords and routinely change them, F – Find time to check all your financial accounts as frequently as possible, and E – Establish an alert and limit system.

Safekeeping your money starts with safekeeping your information. Take extra precaution in giving away your personal data. The simplest rule of thumb is not to give your personal information, especially your password.

Speaking of passwords, the next important principle involves assigning a strong password. It should not contain obvious information or personal data such as your address or birthday. Be creative and strengthen it by using as many random combinations of letters, numbers and symbols that are not obvious and have no connections to you or your family. You must then routinely check and change your password, which could be every 90 days or less, or whenever you feel your password could have been compromised.

The third principle is to carefully review your bank and credit card statements as frequently as possible. Make sure you check if the total transaction and remaining balances are correct and if any transactions stand out as being questionable or suspect. If so, contact your bank or credit card companies immediately and ask them to initiate the proper safety protocols. You should also establish a real-time notification and limit system with them that would allow them to contact you in the event of a transaction or purchase that is outside your limits. You can instruct them to set limits on amount per transaction or on the location of the transactions, and notify you through text, email, or phone call to validate any transaction that goes beyond your limits.

When I discussed SAFE with my friend, she realized that she failed to safe-keep her private information when she entered her username and password in a fake banking website developed by the cyber thief. I encourage you to apply the SAFE principles.

Furthermore, as company owners or employees, you can protect your company’s money by applying five principles, which are easier to remember using the abbreviation MONEY: M – Maintain an advanced and secured IT system, O – Operationalize a robust ERM (Enterprise-wide Risk Management) program, N – Need to hire the right ethical professionals, E – Establish the proper KYC (Know Your Customer) and AML (Anti-Money Laundering) policies and systems and Y – Yearn to share and learn from others.

Studies estimate that there is a hacker’s attack every 39 seconds. Given that hackers normally attack a company’s IT system, maintaining an advanced and secured IT system becomes the first paramount safeguard against them. Companies can do this by first investigating their current environment, conducting holistic financial crime risk assessments, buying the right secured IT systems, updating these IT systems accordingly, and independently testing these IT systems.

With financial criminals constantly improving their skills, companies can no longer rely upon secured IT systems alone. Companies should operationalize a robust ERM program that integrates cyber, fraud, and insider threat management systems and processes into a centralized enterprise-wide management program. Running that program requires hiring the right ethical professionals, which can be done in two simple steps. First, assign experts to find several professionals with the right skill set and cleared by the National Bureau of Investigation (NBI). Second, assign a different set of experts to conduct comprehensive background checks on these professionals.

Once hired, the right ethical professionals must be able to follow the “need to have” and “whistleblowing” policies.

The “need to have” policy limits the number of people with access to critical systems (such as SWIFT system for banks) to the minimum necessary by evaluating each user’s need and business justification against the guidelines set in the said policy. The “whistleblowing” policy, on the other hand, educates all personnel to detect suspicious behavior of their peers and to anonymously escalate these suspicious behaviors to the right senior management.

With the right ethical professionals, the company can now establish the proper KYC and AML policies and systems, which require multi-layer and complicated client identification, verification checks, and continuous screening systems and processes to be combined with AML management systems and processes. Even though a robust KYC and AML system will result in an additional administrative burden, the Philippines is requiring that almost all companies, including casinos, to implement robust AML systems to further prevent these crimes. If the company or casino does not have the right capabilities now, they can explore the option of hiring an external company that can do all the KYC and AML processes faster and cheaper. For example, PwC’s Center of Excellence can perform the AML process required by Philippine laws and global standards 30 to 50 percent faster and 20 to 40 percent cheaper compared with some companies doing it on their own.

Finally, studies have shown that international cooperation is one of the most effective global policies to limit cybertheft, prevent cyberattacks, constrict money laundering, and thwart financial crime. During the recently concluded Asean Summit, the government has already moved forward with international cooperation by joining the Asean in agreements and declarations that include prevention and combating of cybercrime and laws in AML and Countering the Financing of Terrorism (CFT). The government will just have to take a step further by establishing additional mechanisms that will encourage all companies to share their experiences and learn from each other.

Warning! You and your companies may unknowingly be robbed if you don’t do anything. My dear readers, before it’s too late, share and implement the MONEY principles to your companies. And for yourselves, start applying the SAFE MONEY principles.

This is how your phone’s e-wallet can be hacked

2017-11-23

http://www.channelnewsasia.com/news/cnainsider/how-phone-e-wallet-can-be-hacked-security-9422814

As digital payments grow in popularity, which is more secure – cash or cashless transactions? Talking Point investigates.

SINGAPORE: Some might expect a computer-savvy millennial like Mr Winston Ho, 23, to be an early adopter of electronic payment services on his smartphone.

But the president of the Singapore Management University’s Whitehat Society, a group of ethical hackers, is paranoid about downloading e-wallet apps or any app linked to credit card or bank accounts. He prefers to stick to cash transactions mostly.

His concern, which he and fellow committee member Wan Ding Yao shared with current affairs programme Talking Point, is that untrusted apps and phishing SMSes are giving hackers easier access to phones as e-payments grow in popularity. (Watch the episode here.)

Said Mr Wan:

We were experimenting with some of the e-wallet apps from some of our local banks, and we found out that some of the security measures put in place were not foolproof.

While many people believe that passwords, two-step verification and fingerprint recognition on some e-wallet apps may be enough to stop cybercriminals, the duo are not convinced.
Advertisement

BEWARE FREE CREDITS, MONEY

The problem is that a hacker can fool a user into downloading a modified or disguised version of the e-wallet app – by promising free credits and money – which could be hiding hard-to-detect computer viruses like a Trojan, said Mr Wan.

“Who doesn’t want free money, right?” he added. “If you choose to install the programme and grant it all the permissions that you wouldn’t normally grant it, you’re letting a hacker gain access to your phone.”

The hacker could then retrieve data stored on the phone. And with such computer viruses, security measures such as passwords and thumbprints may be of little use, as hackers would still be able to intercept one’s SMSes, cautioned Mr Wan.

If you receive a one-time password, (the hacker) would be able to go into your phone - maybe at night when you’re sleeping so as not to raise any suspicions - and retrieve the OTP to authenticate (himself).

Installing an app from an untrusted source would usually prompt a warning to pop up on one’s phone – a warning one should heed, he advised, to reduce the risk of such attacks.

(Read: Your phone number is all a hacker needs to track you, steal your info)

CASHLESS VERSUS CASH

Mobile-payments company Liquid Group, however, argues that e-wallets are more secure than credit cards or cash, as they are equipped with features such as a password or a personal identification number.

The company’s chief executive officer Jeremy Tan said: “When you lose your card or cash, it’s essentially gone. Whereas your phone, the first order or the first assumption is that the app in your phone has a certain degree of security.”

He highlighted that consumers can track their transactions, and in the event of a fraud, the mobile payment company can trace the hacking.

Every single transfer is… trackable. So we tend to feel it’s very silly if (someone) tries to hack into a digital wallet and move things around or pay (money into) different accounts.

"For us to find you is, I’d say, instant,” he said.

DBS Bank, which launched e-wallet PayLah! in 2014 and allowed mobile QR code transactions this year, said that to protect its customers’ money, it has introduced biometric verification, the first in Singapore with a Touch ID login that uses a fingerprint to access the e-wallet.

DBS head of cards and unsecured loans Anthony Seow also explained that customers can set a limit to how much money they want their e-wallet to hold.

“Let’s say you set it at $100. Then technically, (if) anybody has sent you, say, $300, only $100 would stay in there. The other $200 would go into your bank account,” he said.

‘FIRE DRILLS’ ON YOUR PHONE

Singapore has a mobile phone penetration rate of 150 per cent, the highest in Southeast Asia. But it seems that users are not doing enough to protect their phones from cyber threats.

According to a Cyber Security Agency of Singapore (CSA) survey, one in three Singaporeans do not have anti-virus software on their phones.

Crammed with personal and financial information, phones today have become a treasure trove of passwords, personal notes as well as credit card and log-on details. And the security stakes are growing.

Cybercrimes here nearly doubled between 2014 and last year, rising from 7.9 to 13.7 per cent of all crimes, according to the inaugural Singapore Cyber Landscape report this year.

The CSA reported that 83 per cent of cybercrimes involved online cheating. Websites for banking and financial services were the most commonly spoofed, forming 31 per cent of phishing websites found last year. E-payment platform PayPal was also a popular target.

Mr Manjunath Bhat, a research director in Gartner’s mobile and client computing group, noted that few people even know what is inside their phones.

He suggests that consumers conduct “fire drills” on their phones so that they know what to do if they lose their device. To prepare for such a situation, one only has to let a partner hold on to the “lost” phone.

“What you do is find out how much of the information that you have on your phone is now accessible to somebody else,” he said.

“Think of it as: Can you cut off access to all the debit cards and credit cards as part of your digital wallet?”

He advises those who do lose their phone to put it in Lost Mode, which effectively disables the payment mechanisms. Alternatively, they could remotely reset the phone in this mode and wipe out the information inside.

DOES THE FACTORY RESET WORK?

But in a world of growing high-level fraud, does this delete all the data on the phone? And is a factory reset to purge a phone’s memory sufficient, given how frequently people sell or trade their unwanted devices?

In an experiment for Talking Point, mobile forensic expert Ali Fazeli took some phones that had gone through a factory reset and managed to extract some information from them, including an SMS, some photos and older apps.

His company Infinity Forensics helps organisations and individuals recover deleted data and conduct tests against cyberattacks.

Yet despite his forensic skills, he could not retrieve any genuinely sensitive material on the used phones, which means that a reset phone may not leave a digital imprint after all.

Still, for consumers, the key to keeping their phones safe is to be smart and vigilant as they move towards a cashless future.

15 Steps to Maximize your Financial Data Protection

Protecting yourself from fraud