Criminals turn entire ATMs into skimmers

As if withdrawing money from an ATM wasn’t dangerous enough, researchers discovered that the Russian-speaking Skimer group forces ATMs to assist them in stealing users’ money. Instead of installing skimmer devices onto an ATM, they can turn the whole ATM into a skimmer itself.

Figure: Main window of the infected ATM

Discovered in 2009, Skimer was the first malicious program to target ATMs, and now the cybercriminals have resurfaced, reusing the malware.

Read the full article here.

Hacker finds flaws that could let anyone steal $25 Billion from a Bank

A security researcher could have stolen as much as $25 Billion from one of India’s biggest banks, thanks to the bank’s vulnerable mobile application.

Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code.

Being a white hat hacker, Prakash immediately reached out to the bank, alerted it to the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from a bank that holds about 25 Billion USD in deposits.

While analyzing the mobile banking app, Prakash discovered that the app lacks certificate pinning, allowing any man-in-the-middle attacker to downgrade the SSL connection and capture requests in plain text using fraudulently issued certificates.

Besides this, Prakash also found that the mobile banking app had an insecure login session architecture, allowing an attacker to perform critical actions on behalf of a targeted account holder without knowing the login password, such as viewing the victim’s current account balance and deposits, adding a new beneficiary and making illegal transfers.

If this wasn’t enough, Prakash discovered that the app did not check whether the given customer ID or Transaction Authorisation PIN (MTPIN), used for critical controls like transferring funds or creating a new fixed deposit, actually belonged to the sender’s account.

This blunder in the mobile banking app could have allowed anyone with the app and an account in the bank to transfer money from someone else’s account.
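
The ownership gap described in the two paragraphs above, shown as an added example (not code from the article or the bank): a mock transfer endpoint that validates the MTPIN against the customer ID named in the request but debits whatever source account the request names, beside a hardened version that binds both checks to the authenticated session. Account numbers, customer IDs, MTPINs and balances are constructed sample values.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    owner_id: str  # customer ID that owns this account
    mtpin: str     # transaction authorisation PIN; a real system stores a hash
    balance: int


class AuthorizationError(Exception):
    pass


def sample_bank():
    """Constructed sample data: two customers, one account each."""
    return {
        "ACC-100": Account(owner_id="CUST-A", mtpin="1234", balance=1000),
        "ACC-200": Account(owner_id="CUST-B", mtpin="9876", balance=5000),
    }


def _account_of(bank, customer_id):
    for acc in bank.values():
        if acc.owner_id == customer_id:
            return acc
    raise AuthorizationError("unknown customer")


def transfer_vulnerable(bank, session_customer, req):
    """Mirrors the reported flaw: the MTPIN is checked against the customer ID in
    the request, but the debited account also comes from the request and is never
    tied back to that customer or to the logged-in session (session_customer unused)."""
    if _account_of(bank, req["customer_id"]).mtpin != req["mtpin"]:
        raise AuthorizationError("bad MTPIN")
    src, dst = bank[req["from_account"]], bank[req["to_account"]]
    src.balance -= req["amount"]
    dst.balance += req["amount"]
    return src.balance


def transfer_fixed(bank, session_customer, req):
    """Hardened: the source account must be owned by the session's customer, the
    request's customer ID must match the session, and the MTPIN is verified
    against that same account only; amount is range-checked before debiting."""
    src = bank.get(req["from_account"])
    if src is None or src.owner_id != session_customer:
        raise AuthorizationError("source account not owned by caller")
    if req["customer_id"] != session_customer:
        raise AuthorizationError("customer ID does not match session")
    if not hmac.compare_digest(src.mtpin, req["mtpin"]):
        raise AuthorizationError("bad MTPIN")
    if req["amount"] <= 0 or req["amount"] > src.balance:
        raise ValueError("invalid amount")
    dst = bank[req["to_account"]]
    src.balance -= req["amount"]
    dst.balance += req["amount"]
    return src.balance
```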

Read the full article here.

Why Walmart Is Suing Visa, and What It Means for Your Credit Cards

Last year, credit card issuers finally introduced “chip” credit cards to the United States. It’s been a painless process for the most part, but now Walmart is suing Visa over the technology, claiming it’s not secure for customers.

EMV is meant to be more secure, and while it will incorporate PINs in the future, for now, chip-enabled credit and debit cards will work just fine with a signature.

Last year, Walmart tried to require debit card customers to pay the old way: with their PINs. Visa came back and demanded they allow signatures for those cards via the new chip technology. Walmart spokesperson Randy Hargrove explained the issue:

PIN is the only truly secure form of cardholder verification in the marketplace today, and it offers superior security to our customers. Visa has acknowledged in many other countries that chip-and-pin offer greater security. Visa nevertheless has demanded that we allow fraud-prone signature verification for debit transactions in our U.S. stores because Visa stands to make more money processing those transactions.

Walmart’s outrage probably has less to do with security and more to do with money, though. It’s cheaper for Walmart to verify via PIN than signature. According to the Wall Street Journal, signature verification costs about five cents more per transaction. In other words, the new technology encourages customers to use their bank cards as credit instead of debit, which is more expensive for Walmart.

It’s easy to see why Walmart is upset—this new technology is costing them money, and the credit card companies still haven’t rolled out cheaper, more secure PIN technology. Their suggestion that customer security is at risk, however, is a little misleading.

Walmart’s statement suggests Visa puts customers’ security at risk by allowing signatures instead of PINs for debit card transactions. It does kind of suck that we’re still waiting for full blown “chip and PIN” technology, which is supposed to be even more secure, but the new credit cards aren’t any riskier than your old ones.

Read the full article here.

New guide standardizes terms for ATM skimming device placement

To assist in the reporting and analysis of card data compromise devices, and to set a common standard for describing their placement, the European ATM Security Team has developed a “glossary of terms” of sorts for the industry and law enforcement.

The new document, “Standardization of Terminology for locations of Card Data Compromise devices at ATMs,” was compiled by members of the EAST Expert Group on ATM Fraud.

Read more here.

IT admin errors that lead to network downtime and data loss

Kroll Ontrack has released its most recent list of common IT administrator errors that can lead to data loss and network downtime. The findings indicate that the complexity in storage environments and sheer growth in data volume can result in serious data loss when human error strikes, leaving many organizations vulnerable to security risks and financial implications if they do not properly invest in and adhere to technology risk management policies.

Read more here.

PCI Council publishes appendix to PCI Data Security Standard

The PCI Security Standards Council has published an appendix to the PCI Data Security Standard to help organizations make payment security part of everyday business practice.

“PCI DSS Designated Entities Supplemental Validation” provides additional criteria for demonstrating how PCI DSS controls are being applied continuously to protect payment data from compromise, a press release from the organization said.

Read more here.

NIST updates ICS security guide

The National Institute of Standards and Technology (NIST) has issued the second revision to its Guide to Industrial Control Systems (ICS) Security. It includes new guidance on how to tailor traditional IT security controls to accommodate unique ICS performance, reliability and safety requirements, as well as updates to sections on threats and vulnerabilities, risk management, recommended practices, security architectures and security capabilities and tools.

The guide can be downloaded from here.

Read more here.

Visa launches new commercial standard for mobile payments

Visa said in the announcement that its new Digital Enablement Program builds on the company’s secure token technology and adds a turnkey, toll-free commercial framework accessible to more than 14,500 Visa financial institution clients and leading technology partners around the world. Google, with its Android Pay payment solution, is Visa’s first international program partner.

Read more here.