These Financial IT Security links are part of a weekly series, Ethical Hacker Roundup, featuring recent information security and cyber security related articles that we’ve read over and thought worth sharing.
These articles were emailed to us, shared on Twitter @pivotpointsec and our Google+ page, and read in RSS subscriptions this week.
80% of Mobile Banking Apps Could Have Security Flaws
According to Neal O’Farrell, Executive Director of the nonprofit Identity Theft Council, “There were more data breaches than US residents last year and more cases of identity theft than just about all other crimes combined.”
O’Farrell further indicated that “Eight out of ten mobile banking apps have security flaws” – implying that a large segment of businesses and consumers are at risk. Users are advised to encrypt their devices, lest their personally identifiable information (PII) be readily pilfered.
Even Mac users can have their PII stolen, especially if their mobile phone, iPad or laptop falls into the wrong hands. Identity theft via online banking services likewise is clearly on the rise, but almost none of the crimes are actually investigated by police.
Banks will lose customers very quickly if they are unable to keep hackers from compromising their mobile and online banking services. Meeting the escalating threat of financial identity theft while meeting consumer demand for convenience and accessibility is vital to competitive success.
BEWARE! Fake Google Chrome Installer Will Pilfer Your Banking PII
Looking to install the Google Chrome browser? Beware of the file “ChromeSteup.exe” that’s out there to be downloaded on any number of websites. Posing as legitimately hosted on Google, MSN and Facebook domains, this executable won’t install Google Chrome – instead, it unleashes a Trojan sneak-thief called “Banker” (TSPY_BANKER.EUIQ).
Once the malware is running, it sends your IP address and operating system version to either of two “command-and-control” servers, from which it downloads a configuration file. Next time your infected PC visits any of a number of banking websites (mostly in Brazil and Peru to date), Banker intercepts the HTTP request, redirects you to a bogus banking page and directs you to install new security software. Instead, it uninstalls plugins designed to protect customers performing online banking transactions, and scoops personally identifiable information via the malware site. Though believed to be still “under development,” improved versions could be launched in the future.
While consumers need to beware of any software they download from the web, banks and other financial services organizations need to ensure that their online and mobile banking systems are secure and customers are advised of the latest threats.
Banking Malware Hijacks Webcams to Defraud Consumers Using Online Banking
A new version of the Trojan Horse malware SpyEye allows cyberthugs to observe potential victims of online bank fraud by using Flash Player to take control of their webcams and microphones.
The malware injects the malicious Flash content into targeted online banking websites when these sites are opened in a browser on the infected computers. The pirated cameras and microphones can then be used to view keystrokes, scoop secret codes sent by banks to mobile phones, or overhear legitimate conversations initiated by banks to confirm transactions. Intruders can then call the bank pretending to be the client whose sensitive data has been eavesdropped. Once phone and/or login data is updated by the criminals, they have full control of the victim’s account.
Consumers are advised to thwart infection by following security best practices for their PCs, such as keeping their antivirus program up-to-date, checking out links before clicking on them, and avoiding installing software from questionable sources. Banks likewise need to keep up-to-date on the threat posed by organized crime and its use of malicious software.
Financial IT Security
Arguably, beyond the government itself, no industry has a greater impact on the health of our economy than financial services. And nothing has a greater impact on a financial entity than to lose the confidence and trust of its customers. Your Financial IT Security concerns can and should be addressed by an independent and objective Information Assurance firm. Pivot Point Security can help your Financial Organization to know you’re secure and prove you’re compliant. See how we can help.
MAY
A Best-Practices Guide to Information Security Attestation
Risky Business Blog
Techno Blog
In The News
RSS Feed
About the Author:
John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.