The Corliss Group Tech Review: Bank hackers steal millions worldwide

The banking sector has become a frequent target for hackers. As much as US$1 billion was stolen from banks and other financial companies worldwide in about two years, in what is considered one of the biggest banking breaches known, by a multinational gang of cybercriminals dubbed the “Carbanak gang”, originating from Russia, Ukraine and other parts of Europe, as well as from China.

The gang targeted banks, electronic payment systems and other financial institutions worldwide, with the majority of the targets in Russia, the USA, Germany, China and Ukraine. They have already infiltrated more than 100 banks in 30 countries, stealing as much as $10 million in each raid.

Kaspersky Lab and authorities from different countries combined efforts to uncover how the criminals operate. On average, each bank cyber robbery took between two and four months, from infecting the first computer in the bank’s corporate network to cashing the money out.

The cybercriminals used Carbanak malware to infect the bank’s network, giving them access to the employees’ computers and letting them see and record everything that happened on the screens of staff who service the cash transfer systems. This way the fraudsters got to know every last detail of the bankers’ work, which showed them how to mimic the staff in order to transfer the money and cash out.

When the time came to cash in on their activities, the fraudsters used online banking or international e-payment systems to transfer money to their accounts. In the second case, the stolen money was transferred to banks in China and the US.

In other cases, cybercriminals penetrated right into the very center of the accounting systems, inflating account balances before getting the extra money through a counterfeit transaction. For instance, if an account holds $1,000, the criminals can change its value to $10,000 and then transfer $9,000 to themselves. The account holder doesn’t suspect a problem because the original $1,000 is still there.
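
A reconciliation check for the balance-inflation scheme described above, as an added example that is not from the original article or from Kaspersky. It assumes a hypothetical ledger made of opening balances, a posted journal and stored balances, with no overdraft facility on the accounts; every account number, entry id and amount is constructed.

```python
from decimal import Decimal

# Constructed sample data, not taken from any real bank or from the report.
# Opening balances at the start of the period:
OPENING = {"ACC-1001": Decimal("1000"), "ACC-2002": Decimal("500")}

# Posted journal: (entry id, account, signed amount). Debits are negative.
JOURNAL = [
    ("J-1", "ACC-2002", Decimal("-120")),   # ordinary card payment
    ("J-2", "ACC-2002", Decimal("300")),    # salary credit
    ("J-3", "ACC-1001", Decimal("-9000")),  # transfer out of the inflated account
]

# Balances as currently stored. ACC-1001 was edited from 1,000 to 10,000
# directly in the balance table (no journal entry), then J-3 was posted,
# so the holder still sees 1,000.
STORED = {"ACC-1001": Decimal("1000"), "ACC-2002": Decimal("680")}


def replay(opening, journal):
    """Rebuild balances from the journal alone and list unfunded debits."""
    balances = dict(opening)
    unfunded = []
    for entry_id, account, amount in journal:
        balances[account] = balances.get(account, Decimal("0")) + amount
        # Assumption: no overdrafts, so a debit that drives the replayed
        # balance below zero was paid out of money the journal never credited.
        if amount < 0 and balances[account] < 0:
            unfunded.append(entry_id)
    return balances, unfunded


def reconcile(opening, journal, stored):
    """Compare journal-derived balances with the stored ones.

    Returns (findings, unfunded): accounts whose stored balance cannot be
    explained by the journal, and the ids of debits that were not covered.
    """
    expected, unfunded = replay(opening, journal)
    findings = []
    for account in sorted(set(expected) | set(stored)):
        want = expected.get(account, Decimal("0"))
        have = stored.get(account, Decimal("0"))
        if want != have:
            findings.append({
                "account": account,
                "expected": want,
                "stored": have,
                "unexplained": have - want,
            })
    return findings, unfunded


if __name__ == "__main__":
    findings, unfunded = reconcile(OPENING, JOURNAL, STORED)
    for f in findings:
        print(f"{f['account']}: stored {f['stored']}, journal says "
              f"{f['expected']}, unexplained {f['unexplained']}")
    print("debits not covered by journal-derived funds:", unfunded)
```

The stored balance of the tampered account looks normal, which is why the holder notices nothing; the discrepancy only appears when the balance is rebuilt from the journal.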

In addition, the cybercriminals could also take control of banks’ ATMs and order them to dispense cash at a specific time. When the payment was due, one of the gang’s underlings was waiting next to the machine to collect the ‘voluntary’ payment.

Kaspersky did not identify the banks affected by the attacks because of a confidentiality agreement. They are still working with law-enforcement organizations to investigate the attacks.

Research says that the first malicious samples were compiled in August 2013, when the cybercriminals began to test the Carbanak malware, and the first infections were detected in December 2013. The gang is believed to have successfully stolen from its first victims between February and April 2014. The peak of infections was recorded in June 2014.

However, the campaign is still active. Kaspersky urges all financial organizations to carefully scan their networks for the presence of Carbanak malware and, if it is detected, to report the intrusion to law enforcement.

The Corliss Group Latest Tech Review: How secure are payment technologies?

New payment technologies have the potential to make shopping online and in store more secure, but banks, tech companies and shops must first move to upgrade their systems efficiently and correctly, say cyber safety experts.

The payments industry is working to make it faster and more convenient to move money around. Yet, if implemented wrongly, this can make life easier for hackers too, the security experts say.

“Many of these evolutionary or revolutionary changes have been driven by convenience and ease of use, and often accepting a certain amount of risk,” says Amit Mital, chief technology officer of security firm Symantec.

Making the purchase of goods more secure is a priority for retailers, banks and payment companies. In the US, where payment card technology is less sophisticated than in Europe, retailers have recently been hit by massive data breaches, in which hackers have been able to steal tens of millions of customers’ card and personal data.

The highest-profile technology to hit the market is Apple Pay, which works with the iPhone 6s. It lets shoppers store their credit card information on their iPhone and pay for goods by tapping the phone on an in-store receiver. Because of a technology called “tokenisation”, experts say it is more secure than current card systems.

With tokenisation, merchants receive data that obscures the shopper’s actual credit card number, reducing the chance that hackers can steal usable data from merchants’ internal systems. Because iPhones use fingerprint recognition to verify shoppers’ identity, it is also nearly impossible for a thief to steal an iPhone and make a purchase.

“We do not see any concern on our side in terms of security,” says Thierry Denis, president in North America for Ingenico, a manufacturer of credit card readers.

But there is a catch. In the first few months after Apple Pay’s launch last year, thieves have been able to take stolen credit cards, load them on to iPhones, and go shopping. They have not compromised the technology, but have got through the banks’ processes for checking — during the Apple Pay set-up — that the customer adding the card to his or her phone is the card’s real owner.

That fraud started showing up within a month of Apple Pay’s launch last year, with the level of fraud seen through the set-up far higher than that typically seen in credit cards, according to Cherian Abraham, a payments analyst who wrote one of the first blog posts to call attention to the issue. Given Apple’s sophisticated technology, the fraud was a “surprise to all”, he wrote.

Mr Mital of Symantec said the recent incidents of fraud on Apple Pay were “more of a failure in process than in technology”.

Joe Majka, chief security officer of Verifone, a manufacturer of point of sale terminals where shoppers swipe their cards, says that better encryption on such devices could be a security “game changer”, if widely adopted.

Like tokenisation, encryption means that hackers cannot make as much use of data they might steal if they are able to get into a retailer’s network.

Retailers have been slow to adopt such encrypted systems for various reasons. Regulations in the US are changing later this year and retailers will soon be responsible for the cost of fraud if they do not accept chip-and-pin cards, which make transactions more secure than when users just swipe their card.

But small retailers do not often see fraudulent purchases and so may be reluctant to spend on upgrading, without realising that their older systems mean they could be giving hackers a way to steal their customers’ data, says Mr Majka.

For larger retailers, making the shift takes work.

“When you talk to merchants and [payment] processors,” says Mr Majka, “there are so many changes in their systems, in their coding, that have to be made to accommodate an encrypted transaction.”

Other innovations featuring purely digital mobile payments via apps also face risks.

Cash-transfer app Venmo, which is owned by PayPal, recently faced media reports highlighting how hackers could access the app to transfer money to themselves.

Venmo has since added better email notifications and is adding multi-factor authentication to make logging in more secure. But the fact that this was already standard on services such as Gmail underlines how companies do not always use the most secure solutions available on the market.

Similarly, while US banks have been rolling out the more secure chip-and-pin cards for many months in anticipation of the regulatory changes this year, they are not yet available to all consumers.

Mr Majka of Verifone replaced his card recently and wanted a chip card. His bank, however, said he would have to wait. “It’s a little disappointing,” he says.

The Corliss Group Latest Tech Review – Protect Your Assets By Practicing Common-Sense Cybersecurity

Let’s get the scary stuff out of the way upfront: Cybercrime costs the global economy $575 billion annually, according to reports. The United States takes a $100 billion hit, the largest of any country, according to Politico. A report from former U.S. intelligence officials counted 40 million people whose personal information was stolen within the past year.

Online theft is huge, and it only seems to be getting worse. Hardly a week goes by without some story about hackers penetrating a computer system somewhere. Corporations, individuals, even White House servers were hacked last week. I sometimes wonder just how difficult it is for a determined bad guy to access grandma’s checking account or your neighbor’s IRA and grab those assets.

I am not the only one thinking about this. The New York State Department of Financial Services issued a report on cybersecurity in the banking sector, where more than 150 organizations rely on third-party service providers for critical banking functions. The regulators want the banks to tighten security.

So should you.

We spend most of our time in financial markets looking at ways to deploy our capital: What assets to buy or sell, how much we should save for retirement, whether we should own more of these stocks and less of those bonds.

We don’t spend so much time thinking about the ways we can lose that money — to fraud and to common theft. We should be more vigilant, especially as we move our lives online, with digital access to our checking and savings accounts, our online portfolios, even our taxes.

It is impossible to make yourself hack-proof, but you can make yourself less vulnerable.

It all starts with some common-sense security steps. Three ways you probably can improve your existing practices: Develop better e-mail habits, beef up password security and (as always) remember that your behavior is the root of most of your problems.

Get your e-mail act together

Every day, your inbox fills with all manner of junk. Some of it is merely time-wasting nonsense, but let’s not forget about the really dangerous stuff: phishing schemes, malicious viruses and malware. It seems the only reprieve we get are those rare occasions when the main servers in Russia — a.k.a. Spambot Central — get temporarily knocked off-line.

It’s more than a huge productivity killer, it’s a financial hazard. That $100 billion a year we mentioned above comes out of everyone’s pockets. Even if you have not been hacked, you are paying for it in some way. Banking costs are higher as financial firms spend hundreds of millions of dollars a year on security.

People have tried a variety of ways to tackle this: Filters, whitelists, e-mail verifiers and trusted ID services; disposable e-mail addresses from sites such as Mailinator; “junk” e-mail addresses from Hotmail, Yahoo or Google. And still the danger keeps coming.

I have a few tricks I use to keep the really nasty stuff under control, such as:

  • View e-mail as plain text.

All of the bad links, embedded viruses and other malware go away when you select “view as plain text.” Sure, you lose all of the graphics and links, but you lose the threats as well.

  • Create a primary e-mail address.

This is your main address — for colleagues, clients and peers. Never share this e-mail address. Don’t subscribe to anything using this address — no Internet mailing lists, no subscriptions, nada. Use this address alone for your finance- and business-related e-mails. Anything unrelated is junk; treat it that way. Block the domains of senders. Mark junk mail as junk.

  • Use an e-mail forwarder.

I have been a big fan of Leemail.me. Instead of giving out my e-mail address, I use Leemail to auto-generate an address whenever I want to share my e-mail with an unfamiliar company. It forwards my e-mail from the company to me. When I want to shut that sender off, I flick a button.

Tracking the companies that share or sell your e-mail address is invaluable. The basic version of Leemail is, astonishingly, free, and the upgrade is only a few bucks a year.

  • Don’t hit “unsubscribe”; get blacklisted instead.

There are a number of companies that provide e-mail services to third parties, shops such as Constant Contact, Vertical Response and iContact. They are the middlemen between businesses and consumers. And while they claim to be “opt-in only” and not spammers, in truth, they are subject to whatever bad behaviors their clients engage in. They all have become legal quasi-spammers.

On every e-mail these companies send, there is an unsubscribe button. NEVER CLICK THAT. When you do, you are not unsubscribing. Rather, you are verifying that your e-mail address is legitimate.

Instead, go to the company Web site and track down the customer service number. Call customer service and insist on having your e-mail or domain “blacklisted.” That’s the only way to ensure you will truly be unsubscribed. If the company refuses, file a Federal Trade Commission complaint.

Password security

If you were like I was five years ago, you had one simple password that you used for everything — Amazon, Facebook, Wall Street Journal — everywhere. This could’ve been disastrous. Now all passwords are different. Avoid the common errors, such as using birthdays or your kids’ names. Never use sequential numbers. And for goodness sake, don’t use “password” as your actual password.

Put all of your passwords on a document named something other than “My passwords.” I find burying passwords somewhere in a spreadsheet to be useful. Print out a copy and place it in your safety deposit box with other important papers.

Your biggest risk? You.

I have said all too often that when it comes to investing, people are their own worst enemy. Behavioral problems are rife in security as well. Get into the practice of thinking about security, and soon it becomes second nature.

The Securities and Exchange Commission has gotten much more serious about personal financial data security. They have informed advisers and brokers that there is a duty to protect client data. When we set up our wealth-management practice, we put into place specific policies and procedures to protect clients:

  • All sensitive information is sent by secure e-mail using a third party for encryption.

  • We never e-mail Social Security numbers or account numbers or other private data via regular e-mail.

  • We went totally paperless. Our file cabinets are empty; everything is cloud-based.

  • Any documents that arrive are shredded, so even our outgoing garbage is secure with nothing usable to a thief.

Most of this is common sense. However, many people are still vulnerable. With smarts and a bit of awareness, you can make your financial assets much more secure.

The Corliss Group: White House Cybersecurity Event to Draw Top Tech, Wall Street Execs

Government to Call on Companies to Help Improve Information Sharing as Breaches Get More Sophisticated

President Barack Obama will convene top executives from Silicon Valley, Wall Street, and a number of other industries on Friday in a first-of-its-kind cybersecurity “summit” taking place as the government and corporate executives each struggle to adjust to persistent and sophisticated breaches.

Mr. Obama will be joined at the Stanford University event by top officials at the Department of Homeland Security, U.S. Secret Service, and Federal Bureau of Investigation. The officials will call on companies to share more information with the government in an effort to combat future cyberattacks, a plea officials have made for months with limited success.

Mr. Obama’s presence at the event has drawn what has emerged as a Who’s Who of corporate leaders, reflecting a growing acknowledgment that many companies need to rethink their cyberdefenses.

Apple Inc. Chief Executive Tim Cook will deliver remarks about his company’s push toward a more secure payment system, a theme the White House is expected to try to reinforce for other companies throughout the event.

An Apple spokeswoman confirmed that Mr. Cook will be speaking at the summit. He is expected to focus on Apple’s experience with mobile payments. Apple introduced Apple Pay in October, touting a security feature aimed at reducing the chances of credit-card theft.

Mr. Cook will be joined at Stanford on Friday by the CEOs of Bank of America Corp., U.S. Bancorp, American Express, Kaiser Permanente, Visa Inc., MasterCard Inc., and PayPal, who also will speak on panels at the daylong event, along with representatives from Facebook Inc., Google, Intel Corp., and numerous other companies.

Input from these executives is notable, as they collectively hold health, financial, search-engine, and social-media records on tens of millions of Americans. A number of the firms, particularly the technology companies, have sparred with the federal government over privacy concerns in recent years.

To acknowledge those concerns, the White House is expected to make privacy a central theme at the summit, in addition to consumer protection and cybersecurity techniques.

In addition to remarks from Messrs. Obama and Cook, the seven-hour event will include multiple panel sessions, including separate discussions of public-private collaboration, consumer protection, and payment technologies.

The entire event will be live-streamed on the White House’s website.

Senior administration officials see the event as a continuation of two years’ worth of cybersecurity initiatives, but the issue has taken on more urgency in recent months as the number of cyberattacks has increased dramatically. And recent large-scale breaches at Sony Pictures Entertainment Inc. and Anthem Inc. have led to an internal debate among government officials over whether the government should heighten its response to cyberattacks carried out by foreign countries.

Also notably, the White House’s list of panelists and speakers at the summit doesn’t include representatives from many of the large companies that have suffered major breaches in recent years, such as Home Depot Inc., J.P. Morgan Chase & Co., Target Corp., Sony, or Anthem. A senior administration official said these companies weren’t excluded from panels at the event.

Also missing from the list of panelists and speakers are officials from the U.S. intelligence community, such as the National Security Agency and Central Intelligence Agency. Intelligence officials often collect information about cyberthreats, and the White House on Tuesday announced a new office that is meant to collect and analyze their data.

But many technology companies remain skeptical about the operations of these agencies, particularly the NSA. A senior administration official said officials from the intelligence agencies would be at the event, but officials from agencies like the FBI and DHS were tapped to speak because they interact directly with the public to discuss cyber issues.

The Corliss Group Latest Tech Review: Security Experts Offer Online Shopping Tips

As Americans spend billions on holiday shopping this month, online security experts say a little caution can go a long way when it comes to avoiding identity theft.

“In general online shopping is good. It’s safe for the most part, but it’s the safest when you initiate the contact, when you log onto a known website,” said Rick Avery, president of Boston-based Securitas Security Systems.

Directly visiting trusted, reputable online retailers is just one way to attempt to avoid the cyber criminals who try to steal sensitive information from vulnerable computers and unsuspecting consumers.

“There is a risk in commerce …” said Sam Ransbotham, an information systems professor at Boston College. “There is also a risk from walking around with a wad of cash. We’ve got years and years of experience walking around with wads of cash that we just don’t have with these newer mechanisms.”

Purchases at brick-and-mortar stores aren’t immune to data breaches either. Last year, hackers stole data from 40 million credit cards from Target, while cyber thieves got information from 56 million credit cards from Home Depot earlier this year.

To reduce the chances of fraud, Avery advises that shoppers be wary of offers sent via email. Criminals, he said, may send legitimate-looking emails that appear to be from online merchants or banks. Rather than clicking on a link in an email, he recommends directly typing the website address into your browser.

“One of the most dangerous ways people get involved with credit card fraud or theft on the Internet is they get emailed a link offering 50 percent off, or saying it’s from the bank, and it’s actually a false website made to look like the authentic website,” he said.

Cyber criminals can use fraudulent websites to gather financial information from a person or install malware on their computers.

“If you’re shopping around and find an extra, extra really good deal, that might be the online equivalent to buying cheap speakers out of the back of a truck,” Ransbotham said. “If it’s too good to be true, it is.”

Avery also recommends using credit cards or one-time use credit cards instead of debit cards.

“Some banks have protections on a debit card, but not all do at the point of an ATM,” Avery said. “Usually, your debit card is tied to your other banking accounts, and it’s a lot more difficult to get your money back. It may be weeks before you get your money back.”

In some cases, a victim might never get that money back.

The Corliss Group Latest Tech Review: Top tips to stay safe while shopping online on what promises to be one of retail’s biggest days of the year

Cyber Monday is set to be among the biggest shopping days of the year – but how can you avoid becoming the victim of online shopping fraud on Monday?

Experian found that last year saw a huge lift in Black Friday’s significance, with a 19 per cent increase in visits to retail websites (29 Nov) compared to 2012. Cyber Monday is also growing, with a 9 per cent increase last year on 2012’s figures.

Meanwhile, the rise of ‘click & collect’ services, and a greater trust in retailers being able to deliver well in time for Christmas, has resulted in a trend for people being more comfortable leaving their Christmas shopping until a Monday later: Manic Monday, you might call it.

A few things to remember if you are doing the bulk of your Christmas shopping online, according to Experian:

  1. It’s best to use websites that you know and trust. Always look for a security padlock icon in the top left-hand corner of a page before you register financial or personal information on a website. And if an online deal you find, or have been emailed, sounds too good to be true, it quite probably is.
  2. Use strong passwords, especially if you have stored payment details, and it’s a good idea to change them every now and then. If possible, install the latest anti-virus and firewall software. If you’re out and about, make sure you can’t be overlooked when you make a mobile payment – be especially careful around wi-fi, even at home.
  3. Keep an eye on your bank and credit card account balances. Your credit report can also show you if there are any irregularities, such as suspect applications for credit and rises in card balances. As a CreditExpert member you can get unlimited views of your Experian Credit Report and alerts to credit activity in your name so you can spot potentially fraudulent activity.
  4. Buying on credit can give you protection. If you buy goods or services on your credit card, you have extra protection if things go wrong (clothes don’t fit, unwanted gifts etc.) compared with paying by cash or even debit card, under section 75 of the Consumer Credit Act.

Corliss Tech Review Group: Google Glass barely alive

Two years ago, Google hyped its Glass device as the greatest thing since sliced bread — and for a moment, many of us believed it.

At its launch, there was much enthusiasm among consumers and developers, but now people seem to be losing interest. (Whether that’s because of the $1,500 price tag or the fact that you can’t really find a place to buy it from remains unknown.)

While it may still sound supercool to geeks, Glass might not even reach the hands of the general public, as developers are jumping off the bandwagon. Some of them have felt a lack of support from Google, especially since an official public launch date is yet to be set. When Glass became available for developers in 2012, 10,000 units were reportedly sold. Then last year, it became available to tech lovers and media people, but as of now there’s no news on when it will become commercially available.

“It’s not a big enough platform to play on seriously,” said Matthew Milan, the founder of Normative Design, who discontinued a Glass app meant to target fitness buffs.

According to Corliss Tech Review Group, out of more than a dozen Glass app developers, 9 have already put their efforts on hold owing to the limitations of the gadget and a perceived lack of customers. Meanwhile, 3 of them have instead switched their focus to developing software for businesses.

“If there was 200 million Google Glasses sold, it would be a different perspective. There’s no market at this point,” said Tom Frencel, CEO of a game developer firm that held back its efforts to make a Glass game.

What’s more, in the past 6 months, a number of Google employees responsible for Glass development have reportedly left. Also, the Glass Collective, a funding consortium by Google Ventures, has invested in only 3 startups this year and has taken down its website without notice. A spokesperson from Google Ventures said that the reason for the website closure is for entrepreneurs to come to them directly.

Google insists it’s still committed to developing Glass. Chris O’Neill, its head of business ops, said, “We are completely energized as ever about the opportunity that wearable and Glass in particular represent. We are as committed as ever to a consumer launch. That is going to take time and we are not going to launch this product until it’s absolutely ready.”

The formerly proud “Explorers” who went around the streets touting their Glass devices are now getting flak for being “Glassholes”. After all, no one really wants such an evident threat to privacy hanging around in obvious, or obscure, places. In fact, someone from Google himself admitted that Glass is a perfect example of the privacy issues concerning wearable devices.

Experts from Corliss Tech Review Group have already predicted that it’s a tall order for Glass to be a mass-market gadget. It’s more likely to go down the road of the Segway: a supposedly cool invention that ended up being used only in professional and industrial settings.