Now more than ever, banks and financial institutions face unprecedented challenges in combating the growing onslaught of cybercrime. As the digital landscape continues to evolve, hackers are becoming more sophisticated, and even geopolitical, in their tactics as they relentlessly target the systems, websites and applications within the financial ecosystem. Despite hefty regulations, the industry continues to be categorized as a high-risk target, largely because of ever-increasing digital dependence and the wealth of stored private data that can be available at a hacker’s fingertips. The opportunities for financial gain from a breach are significant for a cybercriminal, making the sector a tantalizing victim for repeated attacks. A successful phishing scam or breach can not only damage the trust and reputation of an institution, it can also expose customers to identity theft, fraud and other forms of exploitation.

The High Stakes of Digital Dependence

Because the financial sector is a globally interconnected system with a heavy reliance on digital access, a single breach can cause far-reaching chaos involving banking partners, customers, shareholders and the economy as a whole. With society continuing to lean toward a cashless approach to everyday transactions and becoming more reliant upon online transactions, banks have no choice but to increase their pace of innovation. The rapid digitalization of banking services has not only expanded the attack surface for security threats, but it has also increased the need to prioritize physical and cybersecurity solutions.

Unfortunately, because of manual processes, difficulty in retaining top talent, and the complexity of tools, many organizations find themselves unable to properly mitigate and respond to incidents. This lack of readiness can leave the entire financial ecosystem vulnerable to threats, especially as security challenges become more nuanced and elaborate in nature. As Q2 arrives, adopting a more holistic approach to security over traditional methods is crucial to protecting not only assets but valuable customer relationships.

Compliance Is More Than a Box Check

Placing cybersecurity at the core of a financial institution’s risk management framework involves identifying and assessing cybersecurity risks, implementing mitigation controls, and continuously monitoring and updating these controls as the threat landscape evolves. It also includes maintaining a variety of regulatory standards and guidelines aimed at safeguarding customer data and ensuring the overall integrity of financial systems. But while compliance requirements such as PCI DSS, SEC, and OCC guidelines provide a foundation for cybersecurity within the financial industry, relying solely on these mandates can create a false sense of security.

Customers expect and rely on their financial institutions to prioritize the security and protection of their sensitive information with effective security measures. With the notable increase in attacks targeting the financial sector, it is no longer a matter of “if” banks or credit unions will be attacked, but “when” this will occur. Because of this, assessing response times and testing through routine simulation how the organization will respond to a breach is important in preventing human errors during a real attack. A fast response to a detected threat is key to mitigating the damage it can cause to the business. An effective incident response plan that maps out the organization’s responses, and lets it practice them before being placed under the pressure of an active compromise, is imperative to finding gaps in cybersecurity defenses.

Live Patching Is at the Core of a Secure Framework

One of the bigger challenges that financial institutions face when trying to establish stronger security measures is the lack of adequate IT staff, not to mention maintaining ongoing, effective training. For example, meeting PCI DSS requirements means adhering to specific patching timelines or risking hefty financial penalties. But traditional methods of patch management can be highly disruptive to a business, requiring extensive downtime for online systems and hours of work for busy IT teams. This not only jeopardizes customer satisfaction and daily operations, it also causes delays in productivity for security teams. As a result, the patching process gets pushed to the back burner more often than not. Instead of immediately applying a security patch to an open vulnerability, security personnel may delay it by weeks or even months until it better fits into the maintenance schedule.

Delaying the process of patch management only makes vulnerabilities more accessible to cybercriminals and can cause notable damage to internal systems. Live patching offers a solution to this problem by directly applying security patches as they become available without any reboots or scheduled downtime needed. By automating the process, code can be updated in memory without causing any disruptions to operations around them and patches can be applied quickly and efficiently. When vulnerabilities are closed as soon as they are discovered, not only does risk become greatly reduced, but it also helps firms meet the tight patching deadlines set forth by compliance mandates. 

Given these challenges, the financial sector’s future security posture hinges on its ability to embrace innovative security measures that go beyond basic traditional defenses. The complete integration of technology like live patching can be one of the most versatile and useful tools in the security toolbox of an organization. By choosing to invest in robust security measures and demonstrating a commitment to safeguarding sensitive information, institutions can not only mitigate the risks associated with cyber attacks but also strengthen their reputation and competitiveness in the marketplace for years to come.

Joao Correia serves as Technical Evangelist at TuxCare (www.tuxcare.com), a global innovator in enterprise-grade cybersecurity for Linux.

The post Enhancing Cyber Resilience in Banking: Leveraging Live Patching to Combat Rising Threats appeared first on Cybersecurity Insiders.

In October, the Consumer Financial Protection Bureau (CFPB) proposed a set of rules that if implemented would transform how financial institutions handle personal data about their customers. The rules put control of that data back in the hands of ordinary Americans, while at the same time undermining the data broker economy and increasing customer choice and competition. Beyond these economic effects, the rules have important data security benefits.

The CFPB’s rules align with a key security idea: the decoupling principle. By separating which companies see what parts of our data, and in what contexts, we can gain control over data about ourselves (improving privacy) and harden cloud infrastructure against hacks (improving security). Officials at the CFPB have described the new rules as an attempt to accelerate a shift toward “open banking,” and after an initial comment period on the new rules closed late last year, Rohit Chopra, the CFPB’s director, has said he would like to see the rule finalized by this fall.

Right now, uncountably many data brokers keep tabs on your buying habits. When you purchase something with a credit card, that transaction is shared with unknown third parties. When you get a car loan or a house mortgage, that information, along with your Social Security number and other sensitive data, is also shared with unknown third parties. You have no choice in the matter. The companies will freely tell you this in their disclaimers about personal information sharing: that you cannot opt-out of data sharing with “affiliate” companies. Since most of us can’t reasonably avoid getting a loan or using a credit card, we’re forced to share our data. Worse still, you don’t have a right to even see your data or vet it for accuracy, let alone limit its spread.

The CFPB’s simple and practical rules would fix this. The rules would ensure people can obtain their own financial data at no cost, control who it’s shared with and choose who they do business with in the financial industry. This would change the economics of consumer finance and the illicit data economy that exists today.

The best way for financial services firms to meet the CFPB’s rules would be to apply the decoupling principle broadly. Data is a toxic asset, and in the long run they’ll find that it’s better to not be sitting on a mountain of poorly secured financial data. Deleting the data is better for their users and reduces the chance they’ll incur expenses from a ransomware attack or breach settlement. As it stands, the collection and sale of consumer data is too lucrative for companies to say no to participating in the data broker economy, and the CFPB’s rules may help eliminate the incentive for companies to buy and sell these toxic assets. Moreover, in a free market for financial services, users will have the option to choose more responsible companies that also may be less expensive, thanks to savings from improved security.

Credit agencies and data brokers currently make money both from lenders requesting reports and from consumers requesting their data and seeking services that protect against data misuse. The CFPB’s new rules—and the technical changes necessary to comply with them—would eliminate many of those income streams. These companies have many roles, some of which we want and some we don’t, but as consumers we don’t have any choice in whether we participate in the buying and selling of our data. Giving people rights to their financial information would reduce the job of credit agencies to their core function: assessing risk of borrowers.

A free and properly regulated market for financial services also means choice and competition, something the industry is sorely in need of. Equifax, TransUnion and Experian make up a longstanding oligopoly for credit reporting. Despite being responsible for one of the biggest data breaches of all time in 2017, the credit bureau Equifax is still around—illustrating that the oligopolistic nature of this market means that companies face few consequences for misbehavior.

On the banking side, the steady consolidation of the banking sector has resulted in a small number of very large banks holding most deposits and thus most financial data. Behind the scenes, a variety of financial data clearinghouses—companies most of us have never heard of—get breached all the time, losing our personal data to scammers, identity thieves and foreign governments.

The CFPB’s new rules would require institutions that deal with financial data to provide simple but essential functions to consumers that stand to deliver security benefits. This would include the use of application programming interfaces (APIs) for software, eliminating the barrier to interoperability presented by today’s baroque, non-standard and non-programmatic interfaces to access data. Each such interface would allow for interoperability and potential competition. The CFPB notes that some companies have tried to claim that their current systems provide security by being difficult to use. As security experts, we disagree: Such aging financial systems are notoriously insecure and simply rely upon security through obscurity.

Furthermore, greater standardization and openness in financial data with mechanisms for consumer privacy and control means fewer gatekeepers. The CFPB notes that a small number of data aggregators have emerged by virtue of the complexity and opaqueness of today’s systems. These aggregators provide little economic value to the country as a whole; they extract value from us all while hindering competition and dynamism. The few new entrants in this space have realized how valuable it is for them to present standard APIs for these systems while managing the ugly plumbing behind the scenes.

In addition, by eliminating the opacity of the current financial data ecosystem, the CFPB is able to add a new requirement of data traceability and certification: Companies can only use consumers’ data when absolutely necessary for providing a service the consumer wants. This would be another big win for consumer financial data privacy.

It might seem surprising that a set of rules designed to improve competition also improves security and privacy, but it shouldn’t. When companies can make business decisions without worrying about losing customers, security and privacy always suffer. Centralization of data also means centralization of control and economic power and a decline of competition.

If this rule is implemented it will represent an important, overdue step to improve competition, privacy and security. But there’s more that can and needs to be done. In time, we hope to see more regulatory frameworks that give consumers greater control of their data and increased adoption of the technology and architecture of decoupling to secure all of our personal data, wherever it may be.

This essay was written with Barath Raghavan, and was originally published in Cyberscoop.

This is an old piece of malware—the Chameleon Android banking Trojan—that now disables biometric authentication in order to steal the PIN:

The second notable new feature is the ability to interrupt biometric operations on the device, like fingerprint and face unlock, by using the Accessibility service to force a fallback to PIN or password authentication.

The malware captures any PINs and passwords the victim enters to unlock their device and can later use them to unlock the device at will to perform malicious activities hidden from view.

In today’s digital age, online banking and services have become invaluable tools, especially for disabled and senior citizens who can now access essential services from the comfort of their homes. However, as the world becomes increasingly digital, cybercriminals view these individuals as potential targets vulnerable to sophisticated cyber-attacks, such as phishing. To ensure the safety and security of disabled and senior citizens online, here are some important tips:

1.) Stay Informed: It’s advisable for individuals in this group to stay informed about the current cyber landscape. They can achieve this by reading newspapers and other relevant materials. Additionally, they can subscribe to Google newsletters or other print media sources. This not only helps them stay updated with societal developments but also educates them about what precautions to take when faced with cyber threats.

2.) Protect Your Information: Never disclose sensitive information such as CVV numbers, OTPs, bank account details, or passwords to online banking services. Hackers can exploit this information to gain unauthorized access to your bank account and cause financial harm.

3.) Beware of Suspicious Links: Avoid clicking on links in emails or messages from unknown senders. These links may contain malware that can compromise your online activities and privacy. Always exercise caution when interacting with unfamiliar online content.

4.) Seek Trusted Financial Advice: Encourage seniors and disabled individuals to discuss their financial plans and goals with trusted sources. This helps them gain a better understanding of the offerings from different financial institutions and how they can cater to their specific needs.

5.) Install Anti-Malware Solutions: Protect your PCs and mobile devices by installing anti-malware solutions. These tools are crucial in safeguarding against cyber-attacks and keeping your online experience secure.

6.) Prepare for Potential Fraud: Seniors and disabled individuals should pre-plan their response to potential fraud. This includes keeping contact numbers for law enforcement, as well as instructions on how to report fraudulent activities to their banks or the ombudsman. Such preparations can prevent financial losses and help educate others about fraud prevention.

7.) Beware of Tempting Offers: Stay cautious of online traps such as enticing gifts and rewards that seem too good to be true. These may be attempts to obtain sensitive information. Additionally, never trust unsolicited calls claiming that your bills are overdue or account details need to be updated. Instead, contact your financial institution or customer service to verify any such claims.

8.) Use Two-Factor Authentication: Enhance your online security by enabling two-factor authentication when conducting transactions through online banking services. This extra layer of protection helps safeguard your financial activities.

9.) Keep Software Up to Date: Regularly update your phone and PC operating systems to benefit from security patches and enhancements. Always use devices with genuine operating systems like Windows, Android, or iOS.

10.) Monitor Bank Statements: Continuously monitor your bank statements and report any discrepancies or suspicious activities to your financial institution promptly.

By following these safety measures, disabled and senior citizens can enjoy the benefits of online banking and services while protecting themselves from potential cyber threats.

The post Ten 10 ways Senior Citizens and Disabled can stay cyber safe and secure online appeared first on Cybersecurity Insiders.

Another example of a large and influential state doing things the federal government won’t:

Boards of directors, or other senior committees, are charged with overseeing cybersecurity risk management, and must retain an appropriate level of expertise to understand cyber issues, the rules say. Directors must sign off on cybersecurity programs, and ensure that any security program has “sufficient resources” to function.

In a new addition, companies now face significant requirements related to ransom payments. Regulated firms must now report any payment made to hackers within 24 hours of that payment.

Who has been warning Italian criminals that their phones are wiretapped? Can you trust your voice to protect your bank account? And why is TikTok being singled out by investigators? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dinah Davis.