Analysis

2018

 

Android malware steals money fast via PayPal

14 Dec 2018
https://www.thepaypers.com/digital-identity-security-online-fraud/android-malware-steals-money-fast-via-paypal/776413-26
 

The Role of Blockchain in Data Security

9 Nov 2018
https://www.infosecurity-magazine.com/opinions/role-blockchain-data-security/
 

Professional cybercriminals put the heat on fintech

Danger skulks everywhere in EPC's latest report on threats and fraud.

03 Dec 2018
https://www.bankingtech.com/2018/12/professional-cybercriminals-put-the-heat-on-fintech/
 

The Fed’s Fraud Study Reveals the Expected and Unexpected

11/21/2018
http://fi.deluxe.com/community-blog/payments/fed-fraud-study-cards-checks/
 

Banks Should Cash In On Cybersecurity

9th November 2018
https://www.fintechnews.org/banks-should-cash-in-on-cybersecurity/
 

Black Markets, Fraud, and Money Laundering: How Much Are Cryptocurrencies Used

31st October 2018
https://www.fintechnews.org/black-markets-fraud-and-money-laundering-how-much-are-cryptocurrencies-used-for-crime/
 

The Biggest Security Threat, Mobile Payments and Beyond, Is Internal

2018-10-5
https://paymentweek.com/2018-10-5-biggest-security-threat-mobile-payments-beyond-internal/
 

A Closer Look at Biometrics and Mobile Payment Security

2018-9-14
https://paymentweek.com/2018-9-14-closer-look-biometrics-mobile-payment-security/
 

Mobile fraud reaches 150 million global attacks in H1 2018 attack rising 24%

September 14, 2018
https://www.paymentscardsandmobile.com/mobile-fraud-reaches-150-million-global-attacks/
 

Former Anonymous Superhacker Talks Fintech Cyber Security

09/13/2018, SuperMoney
https://www.supermoney.com/2016/12/fintech-cybersecurity/
 

Cryptocurrency Exchanges Share the Mobile Payments Nightmare: Lax Security

2018-9-5
https://paymentweek.com/2018-9-5-cryptocurrency-exchanges-share-mobile-payments-nightmare-lax-security/
 

The cyberattack on banks in Mexico: The challenges posed to cybersecurity

5 Jun 2018
https://www.welivesecurity.com/2018/06/05/cyberattack-on-banks-mexico-cybersecurity/
 

Mobile Payment Security Software Primed for Hefty Growth

2018-5-30
https://paymentweek.com/2018-5-30-mobile-payment-security-software-primed-hefty-growth/
 

Cyber security development in fintech

6 January 2018 Eyad Hamouieh
https://www.moorestephens.co.uk/news-views/july-2017/cyber-security-development-in-fintech
 
 

2017

 

Top 10 Cybersecurity Trends in Financial Services and FinTech

21 December 2017 Guarav Sharma
https://www.disruptordaily.com/top-10-cybersecurity-trends-financial-services-fintech/

1. Artificial Intelligence and Machine Learning

2. Blockchain

3. Biometrics

4. Electronic identification and authentication

5. Cryptography

6. Cloud security

7. Open Banking

8. Government regulation

9. Financial/technical education

10. Cyber Threat Intelligence

 

Cyber threat corners banks

2017-12-01

Wake up or wither

Use of pirated software is quite rampant in financial institutions in Nepal. This has prevented them from installing new patches to upgrade the software, making them vulnerable to cyber attacks.

Dec 1, 2017 - On a chilly Thursday morning, Anil Shah, president of Nepal Bankers’ Association, the umbrella body of commercial banks, walked to the podium during a conference and warmed up the audience by asking a sort of “don’t-ask-don’t-tell” question. “Tell me honestly, how many of us use genuine software at our offices?” the CEO of Mega Bank asked.

The audience was made up of over 150 bankers. They were there to attend the conference on ‘Cyber Security and Swift Hacking’ organised by the National Banking Institute, a national-level banking and finance academy.

As soon as the question dropped, guilty smiles appeared on the faces of the bankers. This was an acknowledgement that many were using pirated software, including operating systems such as Microsoft Windows and applications like Microsoft Word.

This set the tone for the conference.

Use of pirated software is quite rampant in financial institutions in Nepal. This has prevented these institutions from installing new patches developed by IT companies to upgrade the software, making them vulnerable to cyber attacks.

“Banks spend quite a lot to purchase cash vaults for offices. But physical banknotes stored in these vaults account for a tiny fraction of the total cash stock. Meanwhile, a big portion of our cash can be accessed electronically. Yet we hesitate to spend money to purchase genuine software and build a robust IT infrastructure,” Shah said.

His comments come at a time when memories of the biggest cyber heist in Nepal are still vivid in the minds of many bankers.

NIC Asia Bank became the victim of the biggest-ever cyber heist in Nepal in October, with cybercriminals issuing fake instructions to steal a little over Rs460 million. A total of 31 fake instructions were issued at that time via Swift, the global interbank payment system, to steal the money.

NIC Asia was hit by cybercriminals because of severe breaches of security protocols, like use of personal e-mails on computers attached to servers meant for Swift transactions. This enabled hackers to infect the bank’s IT system with malware. A source at the bank said hackers were watching the activities of the bank for two months before launching the final attack.

It is not exactly known how the malware entered the bank’s IT system. But NIC Asia Bank had found that some of the software it had purchased from “reliable vendors” was pirated.

Although the bank did not suffer huge losses from this episode, it is yet to retrieve all the money that was stolen.

The experience of Bangladesh shows that the process of recovering money stolen by cybercriminals is not simple.

Bangladesh’s central bank came under attack by cybercriminals in February 2016. As in the case of NIC Asia Bank of Nepal, cybercriminals infected the computer of the Bangladeshi central bank prior to making illegal payments of $101 million via Swift.

“Till date, we have not been able to recover $66.4 million, although we are still trying [even after almost two years],” Debaprosad Debnath, consultant at Bangladesh Financial Intelligence Unit at Bangladesh Bank, the central bank, told the conference.

All of the money that the bank is yet to recover had disappeared after reaching the Philippines, which was one of the two countries, including Sri Lanka, used by cybercriminals to illegally transfer the funds.

Fortunately, Bangladesh and the Philippines have entered into a mutual legal assistance agreement. “Otherwise, we would have to spend quite a lot of money to hire lawyers to fight the legal battle,” Debnath said.

The biggest lesson that Bangladesh Bank has learnt from this episode is that “cost of compliance is generally high, because building a proper IT infrastructure is capital-intensive, but the cost of non-compliance is even higher.”

This should serve as a lesson to Nepali banks and financial institutions that generally hesitate to invest in IT infrastructure and in building a team of quality human resources that can thwart attempts to bring down the entire system.

It is said that around 84 percent of cybercrime, knowingly and unknowingly, occurs because of human factors. Many have the tendency to become complacent after installing anti-virus software on computers and servers. But such software may not be of much help, according to Debdulal Roy, general manager of Information System Development Department of Bangladesh Bank.

Right after Bangladesh Bank found out about the heist, the “signature” used by cybercriminals to break into the system was sent to McAfee, a US-based computer security software company. “But it took 45 days for McAfee to identify the signature as a threat,” said Roy. “So, the only way to tackle the problem is by investing in IT infrastructure and making human resources capable enough to remain vigilant about possible threats and risks.” It is high time Nepali banks buckle up because McAfee has said ransomware outbreaks of 2017 offer just a taste of what’s to come, as hackers are developing “new strategies and business models”.

The security firm has predicted that online attackers will become even more destructive in 2018, as “attackers dramatically innovate and adjust to the successful efforts of defenders”.

“Considering the latest developments, banks should start conducting cyber stress test, as IT security risk is posing as big a threat to the banking sector as credit risk,” said Laxmi Prapanna Niraula, NBI chairman and head of the Currency Management Department at the Nepal Rastra Bank, the central bank.

http://kathmandupost.ekantipur.com/news/2017-12-01/cyber-threat-corners-banks.html

 

Banks warned on cyber heists as hack sophistication grows

2017-11-29

SWIFT, the global messaging system used to move trillions of dollars each day, warned banks on Wednesday that the threat of digital heists was on the rise as hackers use increasingly sophisticated tools and techniques to launch new attacks.

Brussels-based SWIFT has been urging banks to bolster security of computers used to transfer money since Bangladesh Bank lost $81 million in a February 2016 cyber heist that targeted central bank computers used to move funds. The new warning provided detail on some new techniques being used by the hackers.

"Adversaries have advanced their knowledge," SWIFT said in a 16-page report co-written with BAE Systems Plc's cyber security division. "No system can be assumed to be totally infallible, or immune to attack."

SWIFT has declined to disclose the number of attacks, identify victims or say how much money has been stolen. Still, details on some cases have become public.

Taiwan's Central News Agency last month reported that Far Eastern International Bank lost $500,000 in a cyber heist. BAE later said that attack was launched by a North Korean hacking group known as Lazarus, which many cyber-security firms believe was behind the Bangladesh case.

Nepal's NIC Asia Bank lost $580,000 in a cyber heist, two Nepali officials told Reuters earlier this month.

The new report described an attack on an unidentified bank. Hackers spent several months inside the network of one customer, preparing for the eventual attack by stealing user credentials and monitoring the bank's operations using software that recorded computer keystrokes and screenshots, the report said.

When they launched the attack in the middle of the night, the hackers installed additional malware that let them modify messaging software so they could bypass protocols for confirming the identity of the computer's operator, according to the report.

The hackers then ordered payments sent to banks in other countries by copying pre-formatted payment requests into the messaging software, according to the report.

After the hackers ended the 3-hour operation, they sought to hide their tracks by deleting records of their activity. They also tried to distract the bank's security team by infecting dozens of other computers with ransomware that locked documents with an encryption key, the report said.

While SWIFT did not say how much money was taken, it said the bank quickly identified the fraudulent payments and arranged for the stolen funds to be frozen.

 

The Truth About The Global Hacking Industry

2017-11-27

The Internet is the global system of interconnected computer networks that use the Internet protocol suite (TCP/IP) to link devices worldwide. It is a network of networks that consists of private, public, academic, business, and government networks of local to global scope, linked by a broad array of electronic, wireless, and optical networking technologies. It is right now under a global attack.

The Internet has brought unprecedented change to societies across the world in just the last decade and it is no wonder when you consider the following statistics: Google now processes over 40,000 search queries every second, which translates to over 3.5 billion searches per day or 1.2 trillion searches per year worldwide. Facebook now has over 2 billion monthly active users, and 1.15 billion of them use it every day whilst Twitter has 328 million active users, generating over 500 million tweets every day or nearly 200 billion a year. There are 1.3 billion YouTube users watching 5 billion videos every single day and 300 hours of video are uploaded every minute of every day.

Two years ago the most traded global commodity was oil; today it is data. The oil industry has dominated the global commodity market for a hundred years one way or another. In that time it has also been the cause of considerable geopolitical conflict – hardly surprising when you consider that more than four billion metric tons of oil is shipped worldwide every year.

The world’s largest internet company by revenue is Amazon. It now has a revenue of $136 billion. Its founder, Jeff Bezos is today reportedly worth $100 billion.

In 1991 the very first website went live. In 2014, an internet milestone was achieved when one billion websites were active. Today that number is 1.3 billion and rising at the rate of nearly 275,000 a day. Demand is increasing. Today there are 3.74 billion users plugged in to the internet worldwide, roughly half of all of humanity.

Internet advertising revenue has rocketed exponentially. With a projected $205 billion Internet ad spend compared to a projected TV ad spend of $192 billion, global internet advertising spend is expected to exceed TV advertising spend in 2017 for the first time ever. In the meantime, the internet attracts over $2 trillion in online sales with no decline in sight. And don’t forget that whilst reading this particular article, it is just one of two billion published every single day.

There’s a downside though. There always is.

A report from security firm Imperva found that for the first time, bots had overtaken human driven activity on the Internet. That report from October this year stated that 52 percent of online activity is now automated. However, it also found that nearly a third of this activity was driven with nefarious intent i.e. pushing political messages, propaganda and fake news.

And if you think that is bad, what comes next is much, much worse.

An unprecedented crime wave is now striking at the internet. Actually, this would be better described as an epidemic of criminality.

IBM Corp.’s Chairman, CEO and President, Ginni Rometty, recently said that cyber crime may be the greatest threat to every company in the world.

****************************************
One example of corporate cyber-crime is the use of stolen financial information to undercut an acquisition target’s market value in order to later acquire the company at a fire-sale price.
****************************************

“If they are successful, they could drain the full value of the company — that’s easily in the millions,” said Rich Mason, president and chief security officer of cybersecurity consulting firm Critical Infrastructure.

In the past few years more and more interest has been shown towards cyber-crime. And like oil, it’s a dirty business, which is also being increasingly recognised as a tool to destabilise not just organisations, but entire countries and regions. Just three years ago the Wall Street Journal estimated that the cost of cyber crime in the U.S. alone was approximately $100 billion.

That estimate was quickly disputed as other reports came forward that thought it was many times higher.

In 2015, the British insurance company Lloyd’s estimated that cyber attacks cost businesses worldwide as much as $400 billion a year, which includes direct damage plus post-attack disruption to the normal course of business. However, that report was also criticised for being conservative.

In the years 2013 to 2015, the actual cost of cybercrime attacks to business quadrupled and, by all accounts, estimates and new trend analyses, it looks set to quadruple again by 2019.

What is statistically amazing here is that the best estimates now conclude that in just another two years the cost of data breaches will rise to $2.1 trillion globally by 2019.

An entire industry that almost matches that of global online sales will have emerged to defend it. But what is alarming is that the total amount of data that is hacked and subsequently either used directly for crime or sold to criminals is rapidly rising as well. The World Economic Forum Global Risk report of 2016 estimates that hackers will make off with $445 billion a year and if their success matches that of cyber-security, by 2020 it is reasonable to assume over $600 billion worth of data will have been stolen worldwide through hackers.

The World Economic Forum says a very significant portion of current cybercrime goes completely undetected, particularly industrial espionage where access to confidential documents and data is difficult to find. Those crimes would arguably move the needle on the cyber crime numbers much higher than thought. For instance, we now know that nearly 30,000 websites are infected with some type of malware each and every day.

On an individual basis this type of crime is thoroughly depressing. Nearly three quarters, 73 percent, of all Americans have fallen victim to some type of cyber crime, and 47% have had their personal information exposed by hackers. Over 27 million Americans have fallen victim to identity theft over the past five years and 86 percent of them had either a credit card or bank account raided with an average loss of nearly $8,000 per loss. That is $216 billion of direct losses in just one country with one type of hacker activity.

In 2014, it was estimated that over a billion personal data records were compromised worldwide by cyberattacks. Last year, there was a recorded 40 percent increase in data breaches caused by hacking. The year before, there was an increase of … 40 percent on the year before – you can see where this is going.

****************************************
The identity theft recovery process is long and arduous, and you could end up losing much more money in the process than you thought. You could lose money to: legal fees, added insurance, late payment fines, not least the distress and time to sort, which 7 percent state took more than a year.
****************************************

Looking into the future we have other extreme threats that are already with us. Apple TouchID, a biometric identification system using your fingerprint has now gone mainstream. (Even three-year-old kids’ fingerprints are being captured when they visit Disney World.) Hailed as being safer than digit-based passwords, biometric security data presents a truly explosive opportunity in hackers’ hands.

In the aftermath of the compromise of 5.6 million US government military, civilian and contractor personnel fingerprints, Eva Velasquez, CEO of the Identity Theft Resource Center, explained that stolen fingerprints may be a big problem in the future if biometric technology is used to verify bank accounts, home security systems and even travel verifications. You always have the option of changing your password, but you can’t change your fingerprints. Recovering from compromised biometric intel is very hard indeed, at best.

Roman V. Yampolskiy is a tenured associate professor in the department of computer engineering and computer science at the Speed School of Engineering, University of Louisville. He is the founding and current director of the university’s cybersecurity lab and has created a report for the Harvard Business School on the matter. He reports that in future:

****************************************
“The rise of AI-enabled cyberattacks is expected to cause an explosion of network penetrations, personal data thefts, and an epidemic-level spread of intelligent computer viruses. Ironically, our best hope to defend against AI-enabled hacking is by using AI. But this is very likely to lead to an AI arms race, the consequences of which may be very troubling in the long term, especially as big government actors join the cyber wars.”
****************************************

According to that report an AI system can potentially have any combination of intelligence and goals. Such goals can be introduced either through the initial design or through hacking, or introduced later, in case of an off-the-shelf software — “just add your own goals.” Consequently, depending on whose bidding the system is doing (governments, corporations, sociopaths, dictators, military industrial complexes, terrorists, etc.), it may attempt to inflict damage that’s unprecedented in the history of humankind — or that’s perhaps inspired by previous events.

This AI arms race has a dimension that many of us have not considered yet. The risks are clearly real, as evidenced by the fact that some of the world’s greatest minds in technology and physics, including Stephen Hawking, Bill Gates, and Elon Musk, have expressed concerns about the potential for AI to evolve to a point where humans could no longer control it. And as the Harvard report goes on to say, such an event “has the potential to damage human well-being on a global scale.”

So here is a tiny hint on protecting yourself. A 6 digit or letter password takes hacker software about 10 minutes to crack. Adding two more digits or letters is reported to take 83 days and a mix of 10 letters, numbers and characters would take decades. However, recent hacker tools that can be bought on the internet make claims to be able to crack those 8 digit passwords in just 6 hours. So be vigilant.

Passwords should be at least eight characters long, free of consecutive identical characters. Don’t use all numbers or all letters and avoid reusing or recycling old passwords.

Cryptocurrencies Are at Greater Risk of Being Hacked

2017-11-21

https://www.thestreet.com/story/14397153/1/cryptocurrencies-are-at-greater-risk-of-being-hacked.html

 
 

Survey Reveals Fraud Schemes Too Sophisticated and Evolve Too Quickly to Stop

2017-11-07

https://blog.vasco.com/application-security/faces-of-fraud-survey/

 

FinTech Security: Under the Hood with NetFoundry & Dispersive Technologies

November 1, 2017
https://netfoundry.io/fintech-security-under-the-hood-with-netfoundry-dispersive-technologies/
 

Verizon 2017 Payment Security Report Demonstrates a Link Between Payment Card Security Standard Compliance and the Ability to Defend Against Cyberattacks

31.08.2017
https://financialit.net/news/security/verizon-2017-payment-security-report-demonstrates-link-between-payment-card-security
 
 

Hacking Capitalism 301x: How to Steal from Banks, Rich People, and the Government

“Dad, Uncle Joe – you’re right. I should take my future seriously — that’s why I’m incorporating a business, selling a service/stuff, and applying for business credit and venture capital. Then, when my business declares bankruptcy in a few years, I can keep the money, declare a loss and pay less taxes — just like the President! Isn’t this great time in leadership for our country!? Want to invest in my company?” — you, at Thanksgiving with your right-wing family.

Usually I like to talk about regular small-business tactics, but here I share an especially pernicious tactic: how to straight up rip off banks and the government. No, it’s not just an anarchist life goal: it’s the way business is done. Not only is this method perfectly legal, it’s celebrated. Our current president and plenty of other business owners do it. You, if you want to pay less taxes and bird off banks in the upcoming years may do it, too. Here’s how.

VERSION 1: How to steal from the government.

Start a business. For this version, any format of business will do: a sole proprietor, a partnership, or an LLC or incorporation.

Next, actually run the business. Try to grow it. Charge people money for goods or services.

It won’t be all business lunches and golf courses – I mean make some damn money and run your business. It kind of doesn’t matter what you do, but you’ll need to generate income and track it cleanly so as not to look shady and get audited (more likely when you make over 200k annually).

In the course of doing business, you’ll need things. Things that life might have had you needing anyway: a cell phone, internet, supplies, entertainment and networking leading you to have to travel and go out. Keep all your receipts, and pay for things only using your business account.

Often, you need to buy things for your business that you also need for life–a bonus! Here’s a list of all the things the IRS is ok with you claiming are for a business: https://www.irs.gov/publications/p334/ch08.html

HACKING CAPITALISM WIN #1: When you pay for things you use for a business purpose, you don’t pay taxes on the money you used to buy them. This means you pay less tax overall on your money that comes in. If your business spends small amounts (a few grand), the savings are small. If your business is a fancy project, your spend — and your tax savings — are large.

When tax season comes, if you spend more than you make, your business has a loss. You as an owner of this business will have a loss. This goes on your taxes as a negative, thereby reducing your income more. If you lose enough money, you can spread the loss over several years of taxes. If you REALLY lose a lot of money, you could potentially pay no tax for years, all while living on money you hustled and potentially having really nice things around you.

This can save you a LOT of money. And, this can also ensure that you aren’t sharing back via taxes. Taxes fund wars. Taxes build roads and schools and fund social security. No matter what you think of any of this, if you made $100k but have an $80k deductible spend, you’re only paying taxes on $20k this year.

VERSION 2: How to steal from banks and people

Don’t start your business any old way: For graduate-level hacking, it needs to be an LLC or a C-Corp or S-Corp.

As our friends at NOLO Legal point out, “When you incorporate your business or form an LLC, it becomes a separate legal entity” (from you).

As a distasteful side note, the origin of the ability of an incorporated business to be its own entity resides in the 14th constitutional amendment. Yes, the same one that abolished slavery.

Now, your job is to get access to money that’s not yours and not in your name, but rather is in the business name:

Get investors if possible. Think of a plan to “disrupt” some existing business model with technology and go for VC. Whatever.
Get a business line of credit or credit card. This might take a few years, but you’ll want to end up with a line of credit or card that you don’t co-sign on or put collateral up to get. Essentially, you want only the business to own the debt, not you. Learn about the difference here.

Buy a lot of things that are specifically for the biz, like say fancy carpets or fixtures or electronics or consultants. Spend more than you make. Here, you can go with spending money you made otherwise from a different job or business, but ideally the investor’s money or on a business credit card is fine.

So far so good–capitalism! Don’t forget about the part where you’re spending money on your business and tracking it and getting your tax game on. Because…

ADVANCED VERSION OF HACK 1+2: Steal from fucking everyone

Now: your legitimate business you’ve run for a couple years is in the red. You can’t declare a loss for years on end, generally only up to 3. At some point, you can consider business bankruptcy. Just like for individuals, Chapter 7 clears all the debts and Chapter 11 creates a payment plan.

If you’ve set it up right: used incorporation, have borrowed money that you haven’t personally cosigned for – this is also not your bankruptcy. It’s your business’s. Paid yourself (an employee) a hefty salary last year and need to declare this year? Oh well. Taxes are very tied to a calendar cycle.

Borrowed and the business can’t repay? Doesn’t matter if you personally could: the individual entity that is the business cannot and that’s what matters. You have to do this cleanly–that’s the part of running the business like you meant to run one.

And here’s the rub: the people you borrowed from, the banks? They just put the money they don’t get back on their loss line, and it reduces their business income and therefore taxes.

It’s all a game, people.

A game some folks are really good at, right or wrong.

This tactic, friends, like all my work, is not limited to political allegiance. Anyone can take these ideas and do well for themselves with them — and, folks who strategically start businesses and then declare bankruptcy already have.

 

How Hackers Stole Up to $1 Billion from Over 100 Banks in More Than 30 Countries
