FINANCIAL INFOSECURITY NEWSLETTER

January 2017

‘Alice’ Malware Loots ATMs

Jai Vijayan, Darkreading.com, December 21, 2016

Malware samples these days often pack a bewildering array of functions and have an almost Swiss army knife-like quality about them. One exception is Alice, a new ATM malware family that security vendor Trend Micro discovered recently.

Mobile Banking Trojans Adopt Ransomware Features

Lucian Constantin, Networkworld.com, December 19, 2016

Cybercriminals are adding file-encrypting features to traditional mobile banking trojans, creating hybrid threats that can steal sensitive information and lock user files at the same time.

New York’s Cybersecurity Regulations May Seem Burdensome, but They’re Necessary

Christopher Ensey, Thehill.com, December 16, 2016

In recent years, more and more companies across a range of industries have fallen victim to cyber attacks, including Sony Pictures, Yahoo!, and LinkedIn; however, we have yet to see a successful large scale breach of a major U.S. financial institution.

Financial Data Worth Millions Unwittingly Exposed In Ameriprise Accounts

Darkreading.com, December 19, 2016

The numbers are in, and they don’t look too good.
Confidential financial data worth tens of millions, belonging to about 350 Ameriprise clients, was exposed unwittingly by one of its financial advisors while making a backup to an Internet-connected drive at home, reports ZDNet. The discovery, made by security researcher Chris Vickery of MacKeeper during a random scan with the Shodan search engine, has raised questions about the security practices followed by the company’s franchise operators across the US.
That translates to 4-5 new malware samples every second of every day.

EBA’s Proposed Guidelines Call for 2-Hour Notice of Data Breach

Paybefore.com, December 13, 2016

The European Banking Authority (EBA) working with the European Central Bank (ECB) recently released a consultation paper on guidelines for payment service providers (PSPs) to follow in the event of security breaches. Among the suggested mandates is notifying authorities of an incident within two hours from the moment the breach is detected—that’s significantly faster than the breach notification requirements set to go into force next year under the General Data Protection Regulation (GDPR), which requires notice within 72 hours of breach detection. The GDPR also applies to U.S. companies that process information and intend to offer products or services to people in the EU, or monitor people in the EU, according to legal experts at Bryan Cave.

Attackers Use Hacked Home Routers to Hit 5 Russian Banks

Lucian Constantin, Computerworld.com, December 9, 2016

Botnets made up of hacked home routers were used to launch distributed denial-of-service attacks against the five largest financial organizations in Russia.

Dyn DDoS Attack: Lessons Learned for the Financial Services Industry

Rich Bolstridge, Blogs.akamai.com, December 12, 2016

In the first of this two-part blog, I reported the impact that the Dyn DDoS attack had on the financial services industry. Banks, insurers, credit cards, and others had two waves of impacts on Oct. 21, with many websites clocking in with 60-second page response times, and others with outright failures, not able to service their customers.
In Part 2, we’ll dig into some details to better understand the technology risks of financial services websites, and extract some lessons learned for the industry.

‘Frighteningly Easy’ Hack Guesses Full Credit Card Details In 6 Seconds

Jai Vijayan, Darkreading.com, December 5, 2016

Researchers at the UK’s Newcastle University have developed what they say is an almost absurdly easy way to get the card number, security code, and expiration date of any Visa credit or debit card using nothing but guesswork — six seconds flat.

Reports: Hackers Steal $31 Million from Russia’s Central Bank

Jeremy Kirk, Bankinfosecurity.com, December 5, 2016

Hackers apparently stole 2 billion rubles (US $31 million) from accounts that banks keep at Russia’s central bank in a series of cyberattacks this year, according to several news reports. The news comes as the country’s security service also claims to have fought off broader attacks against the financial services industry.