Showing posts with label Bank Security. Show all posts

Tuesday, August 12, 2014

Video Footage: ATM Skimming!

Be on the lookout for these four tricks and traps

A Handy Way to Foil ATM Skimmer Scams - Thieves continue to place hidden cameras at ATMs to surreptitiously record customers entering their PINs. This previously reported way to avoid becoming a victim still works against the hidden cameras.

Monday, May 26, 2014

Pace and Volume of Regulatory Change are the Biggest Factors in Leading to Risk Evaluation Failures

Results of Bank Director’s 2014 Risk Practices Survey

The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

It’s classically challenging for many banks to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on financial performance.

Survey Findings

  • 97 percent of the respondents reported that the bank has a chief risk officer or an equivalent in place.
  • 63 percent said that a separate risk committee on the board oversaw risks.
  • 64 percent of banks that have the separate risk committee reported that the bank’s strategic plan and its risk mitigation strategies were reviewed; the other 36 percent did not do this.
  • 30 percent of the respondents believed that the bank’s risk appetite statement encompasses all potential risks.
  • Of this 30 percent, less than half actually use it to supply limits to the board and management.
  • The survey found that the risk appetite statement, risk dashboard and the enterprise risk assessment tools aren't getting fully used.
  • And only 30 percent analyze their bank’s risk appetite statement’s impact on financial execution.
  • 17 percent go over the bank’s risk profile monthly at the board and executive level, about 50 percent review it only quarterly, and 23 percent review it only once or twice per year.
  • 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
  • 53 percent want more understanding of newer risks like cyber security issues.
  • Senior execs want the board to have more training in overseeing the risk appetite and related issues.
  • 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
  • Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

Monday, September 30, 2013

Beta Bot: A New Trend in Cyber-Attacks

Beta Bot Malware Blocks Users' Anti-Virus Programs

A new warning about malware designed to target payment platforms highlights why anti-virus software is increasingly ineffective at preventing account compromises. And while this new Trojan is not yet targeting online-banking accounts, financial institutions should be aware of the threat. The malware is another example of how fraudsters are increasingly getting around standard modes of authentication, such as usernames and passwords.

The Internet Crime Complaint Center and the Federal Bureau of Investigation recently issued an advisory about Beta Bot, the new malware that targets e-commerce sites, online payment platforms and even social networking sites to compromise log-in credentials and financial information.

When Beta Bot infects a system, an illegitimate but official-looking Microsoft Windows message box named "User Account Control" pops up, asking the user to approve modifications to the computer's settings. "If the user complies with the request, the hackers are able to exfiltrate data from the computer," the advisory states. "Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites."

Beta Bot defeats malware detection programs because it blocks access to security websites and disables anti-virus programs, according to IC3. "This is a good demonstration of how fraudsters' methods are evolving constantly. They are coming up with sophisticated methods that appear so convincing, even people who typically would not fall for their schemes may do so."


Beta Bot's attacks also resemble the ransomware attacks that coupled the banking Trojan known as Citadel with the drive-by virus known as Reveton, which seized consumers' computers and demanded ransom, purporting to be from the FBI.

IC3 and the FBI warn that if consumers see what appears to be an alert from Microsoft but have not requested computer setting modifications from the company, they have likely been targeted for a Beta Bot attack. If infected, running a full system scan with up-to-date anti-virus software is recommended. And if access to security sites has been blocked, then downloading anti-virus updates or a new anti-virus program is advised.

Sunday, July 14, 2013

Five Ways To Plump Your Security Program Without Going Broke

Some are quick, cheap and often free! Others require a little more time and critical thinking

Addressing cyber-attacks is not just a technology issue. It requires a holistic view from the entire organization. Today's security threats span a broad spectrum of social engineering schemes, international hackers, and insider threats like the recent NSA breach.

It's easy to get overwhelmed by all of the potential threats and where money should be spent to keep up, let alone stay ahead of the curve. "Security functions are getting only 70 percent of the resources that they need to do an adequate job" of securing the business, including hardware, software, services and staff.

"The hard stuff is in the next 30 percent." Meanwhile, worldwide spending on security infrastructure, including software, services and network security appliances used to secure enterprises, rose to $60 billion in 2012, up 8.4 percent from $55 billion in 2011, according to Gartner Inc. That number is expected to hit $86 billion by 2016.

Security experts offer five tips for enhancing security that don't cost a lot of cash — and sometimes no money at all — so companies can spend their security dollars on the hard stuff.

1. Patch security holes and identify vulnerabilities

Three of the top 10 botnets reported in February 2013 were more than 8 years old, according to Fortiguard Labs, the threat-researching arm of network security firm Fortinet Inc. in Sunnyvale, Calif. In the most successful attacks, the majority of those threats had been identified and fixed by vendors years earlier, said Derek Manky, global security strategist.

Companies need to keep patches up to date.

2. Install your free firewall and antivirus upgrades

"A lot of people don't realize their basic support contracts with most vendors for support, firewalls and antivirus include free upgrades. If you don't have a strategy to revisit what the available technology is that you've already paid for, then you're missing out on a lot of new features and enhancements" that could prevent a security breach.

Call your vendor and revisit your firewall and antivirus solution contracts.

3. Keep up with BYOD

Personal devices in the business environment are here to stay. Yet 79 percent of businesses had a mobile security incident in the past year, ranging from malicious apps downloaded to a mobile device, to unsecured Wi-Fi connections, to a lack of security patches from service providers, according to a June mobile security report by Check Point Software Technologies.

These mobile security incidents cost companies between $100,000 and $500,000 in staff time, legal fees and resolution processes.

Organizations can improve mobile device security through BYOD agreements with users to ensure they take security precautions. The checklist should include installing available upgrades and patches; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed, according to the Computer Security Division of the National Institute of Standards and Technology.

4. Define an enterprise-wide security strategy

Nine out of 10 big companies lacked a defined security strategy and security plans, or those plans were not tied to business goals and objectives. There's no way to know if you're supporting business objectives unless you take the time to develop the security strategy and make sure you're doing the most important things for overall risk reduction.

5. Educate Employees

Successful attacks are usually ones that exploit the human mind. Humans are always the weakest link in the chain.

Education can help stop employees from falling victim to phishing attacks or pretexting schemes or careless use of login credentials, which accounted for 3 of the top 10 threat actions performed against large companies, according to Verizon's 2012 data breach investigations report.

Sunday, February 3, 2013

New PCI Guidelines for E-Commerce

A new set of card data security guidelines for merchants and payments providers aims to address increasing risks unique to e-commerce environments. On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security.

The guidelines relate to online infrastructures and how merchants work with third-party providers. Developed by the PCI E-commerce Security Special Interest Group, the 39-page resource includes recommendations about topics ranging from online risks associated with payments gateways to often-overlooked security gaps Web-hosting providers can inadvertently create.

Securing the Payments Chain

The guidance offers a checklist of security recommendations and reminders, such as:
  • Know where cardholder data is located within the merchant's infrastructure and within those of the processors and vendors to which the merchant outsources.
  • Regularly test software and applications to detect whether card data or other information is being stored unintentionally.
  • Evaluate risks associated with e-commerce technology.
  • Review the network and database risks posed by outsourcing functions, such as payments processing and Web hosting, to third parties.
  • Hire PCI-approved website scanning vendors to validate, on a regular basis, that Internet-facing environments comply with the PCI Data Security Standard.
  • Define best practices for online payment application security.
  • Implement security training for internal staff.
  • Establish best practices for consumer awareness.

Evaluating Third Parties

The guidance reviews how merchants can work with third parties to address those risks and provides a checklist for easy-to-fix vulnerabilities related to: 
  • Online injection flaws;
  • Cross-site scripting, or XSS;
  • Online cross-site request forgery, or CSRF;
  • Buffer or temporary data storage overflows, which result when programs or processes attempt to store more data than they were designed to hold;
  • Weak authentication and/or session credentials; and
  • Application and software misconfigurations.

Monday, November 12, 2012

Incident Response: Gathering the Facts

Not Knowing Numbers Behind Event Makes Risk Assessment Hard

To know how best to respond to IT and communications failures, organizations first must collect information on such incidents. 

The European Network and Information Security Agency, as reflected in its report that focused on mobile- and land-based networks, is collecting information about incidents so European member nations can improve their response to such events.

Without the data and an analysis of the information, officials in government and industry can't determine the best way to respond. The report's author states:
"We could go to any country and ask a politician if they know how many incidents there were in the banking sector and what their social impact was. They don't know the answer. And that is difficult to make policy and even to assess the risks of cybersecurity incidents without knowing the numbers behind it."
Among the major findings of the report:

  • Hardware/software failure and third-party failure were the root causes for most outages;
  • Incidents primarily caused by natural phenomena such as storms and floods lasted, on average, for 45 hours;
  • Mobile and fixed communication services depend strongly on the power supply; the battery capacity of 3G base stations is limited to a few hours, so lasting power cuts cause communication outages.
Please refer here to download the report.

Friday, November 9, 2012

What to Do About DDoS Attacks

Security Tips for the Banks

The distributed-denial-of-service attacks that have hit 10 U.S. banks in recent weeks highlight the need for new approaches to preventing and responding to online outages.

Attackers have broadened their toolkits, and DDoS is not just a blunt instrument anymore. Banking institutions should:
  • Use appropriate technology, including cloud-based Web servers, which can handle the overflow when high volumes of Web traffic strike;
  • Assess ongoing DDoS risks, such as through tests that mimic real-world attacks;
  • Implement online outage mitigation and response strategies before attacks hit;
  • Train staff to recognize the signs of a DDoS attack.
In layman's terms, during a DDoS attack a website is flooded with "junk" traffic - a saturation of requests that overwhelms the site's servers, preventing them from responding to legitimate traffic. In essence, DDoS attacks take websites down because the servers can't handle the traffic.

Most banks have failed to address this vulnerability to high volumes of traffic. Starting in mid-September, DDoS attacks have resulted in online outages at 10 major U.S. banks.

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters has taken credit for the hits, saying the attacks are motivated by outrage related to a YouTube movie trailer deemed offensive to Muslims. But security experts say DDoS attacks are often used as tools of distraction to mask fraud in the background.


To reduce their risk of DDoS takedown, banks need to address three key areas: 
  1. Layered user authentication at login, which consumes bandwidth;
  2. Reliance on Internet service providers not equipped to handle extreme bandwidth demands; and
  3. The internal management of Web servers, which limits banks' ability to hand off traffic overflow when volumes are excessive.
Fraud should always be an institution's top concern, meaning addressing DDoS threats should be a priority. "DDoS protections have quickly become a new industry best practice. But DDoS attacks pose unique challenges for banks and credit unions."

The additional layers of security institutions already implement, such as enhanced user authentication, transaction verification and device identification, demand more bandwidth. So when a bank is hit by a DDoS attack, bandwidth is strained more than it would be at a non-banking e-commerce site.

Saturday, September 22, 2012

8-Point Data Security Plan for POS Security

Basic Security Steps for Smaller Merchants

To help retailers address some common network vulnerabilities, PCATS, the Coalition of Associations for Retail Data Security (CARDS) and the National Restaurant Association are assisting smaller merchants with basic security steps - steps that address risk mitigation rather than compliance with a security standard.

They have developed a list of eight points for POS security. The 8-Point Data Security Plan, as the NRA refers to it, aims to simplify POS security. 

Liz Garner, director of commerce and entrepreneurship at the NRA, says the association is working with organizations like CARDS and PCATS to help restaurants look beyond Payment Card Industry Security standards. "We're trying to educate restaurateurs about security," Garner says. "They just need a simple guide that provides the very basics. PCI is too complex."

Download from here.

Saturday, September 8, 2012

Real video footage of what skimmers "see"

"Handy" way to foil ATM skimming

Source: KrebsOnSecurity

I recently obtained the video footage recorded by that hidden ball camera. The first segment shows the crook installing the skimmer cam at a drive-up ATM early on a Sunday morning. The first customer arrives just seconds after the fraudster drives away, entering his PIN without shielding the keypad and allowing the camera to record his code.

Dozens of customers after him would do the same. One of the customers in the video clip below voices a suspicion that something isn’t quite right about the ATM, but he proceeds to enter his PIN and withdraw cash anyhow. A few seconds later, the hidden camera records him reciting the PIN for his ATM card, and asking his passenger to verify the code.


Skimmers can be alarming, but they’re not the only thing that can go wrong at an ATM. It’s a good idea to visit only ATMs that are in well-lit and public areas, and to be aware of your surroundings as you approach the cash machine. If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM.

Monday, June 25, 2012

Recent Survey Reveals Banks Investing More in Emerging Technologies

2012's Top Anti-Fraud Tech Investments


Banks and credit unions say investments in enhanced fraud detection, monitoring systems and customer and member education top their lists for fighting fraud this year.


That's according to BankInfoSecurity's second annual Faces of Fraud survey. A full report on the survey is now available.


More than half of the more than 200 financial institutions that participated in this year's survey say they have increased funding for new fraud technology and personnel.


Top Anti-Fraud Investments


In addition to enhanced detection, monitoring and education, other top anti-fraud investments for banks and credit unions this year include:
  • Improved out-of-band verification;
  • Enhanced controls over account activities;
  • More internal and external audits;
  • Improved vendor management practices;
  • More anti-money-laundering tools;
  • Enhanced dual authorization through different access devices;
  • Improved tracking of high-risk customers and members.
Refer here to download the report.

Saturday, February 4, 2012

Criminals hit the jackpot in Victoria with $55K lottery scam

Crime syndicates are setting up fake lotteries to swindle Australians with promises of windfall jackpots.

A Victorian (Australia) man has become the latest victim, losing $55,000 in bogus administration fees when he tried to claim a supposed $4.5 million fortune. The theft is one of the biggest lottery fraud losses reported to Consumer Affairs Victoria.

The man told the watchdog and police that he transferred the cash after responding to an email sent to his wife advising of the massive win. Sources said there was little hope of retrieving the money because lottery fraudsters were normally based overseas and avoided detection through reinventing themselves.

The man, who declined to be named and has not told all of his family about the theft, was ordered to keep details of the lottery win secret. The scammers later claimed they had transferred the $4.5 million but the International Monetary Fund had stopped the payment and a 3 per cent fee was required to access it.

Con artists siphon at least $3 million a year from Australians through phony lotteries and sweepstake offers that steal cash or bank details, the Australian Competition and Consumer Commission says.

CAV director Dr Claire Noone said people should be suspicious of any texts, emails or mail claiming that they've won or could win a fortune.

"The scammer will inform consumers they've won a large amount of money or a holiday and they need to send money to claim it," Dr Noone said.

"Scammers often say this money is needed to cover the costs of taxes or administration fees. Once you send the payment overseas though, the scammer pockets the fee and the prize never arrives."

CAV received 6770 reports about various scams last financial year, up 44 per cent on the previous year.

TIPS TO AVOID GETTING RIPPED OFF

  • Never send money, credit card or bank details, or personal information to someone you don’t know.
  • Beware of claims to provide you with instant income or winnings.
  • Do not give out information over the phone unless you made the call or know the number.
  • If you fall victim to a scam email, change your email address as soon as possible to avoid further contact.
Source: Consumer Affairs Victoria

Monday, January 23, 2012

Insider Scams and Fraud a Growing Trend

Teenager Sentenced for Card Skimming

A 17-year-old was slapped with a 60-day jail sentence after he was busted for skimming credit and debit details while working the drive-thru window at a McDonald's restaurant in Olympia, Wash. This insider scam highlights a card fraud trend the industry needs to watch.

This case highlights just how easy it is for insiders to perpetrate card fraud, especially in a retail environment. Even if we protect the ATMs and POS devices, insider fraud like this will take place due to the ease with which criminals can get their hands on the appropriate devices. This is an industry that clearly needs an elegant and innovative solution (not EMV) that can at least make it an order of magnitude harder for skimmers to succeed.

Transactions Monitored

In the McDonald's incident, the teen's card-fraud scheme was foiled before exceeding $13,000 in losses after transaction monitoring traced the fraud. Detectives connected the dots and linked fraud to the Olympia McDonald's when contacted by the Washington State Employees Credit Union about fraudulent transactions hitting member accounts.

The credit union found one commonality: All of the compromised cards had been used at the same McDonald's. McDonald's management later confirmed the juvenile suspect had worked the drive-thru every time one of the compromised cards had been used.

The teenager used the stolen card numbers, which he collected with a handheld skimming device, to buy gift cards at retail stores such as Walmart and Toys R Us, according to a news report. With the fraudulently purchased gift cards, he allegedly bought about $13,000 worth of merchandise that he later sold on Craigslist and eBay for profit.

The purchases the teenager made included iPads, computers, video game systems and digital cameras, according to the Thurston County Prosecuting Attorney's Office.

The teen has been in custody since Nov. 16, after his parents refused to post bail. On Monday, he pleaded guilty to two juvenile counts of forgery and two juvenile counts of identity theft. As part of his sentence, the court has asked that he pay restitution to the victims whose cards were compromised.

The investigation is ongoing because other suspects may be involved.

Thursday, November 17, 2011

How Do Thieves Steal Your Credit Card Data?

Some tips to avoid identity theft and the theft of your credit card data.

Background

These days, thieves only need a minute, sometimes a second, to pilfer your credit card data.

This year criminals hacked, phished or skimmed their way into the systems of Sony, marketing firm Epsilon, Citibank and even security expert RSA, among others. In some cases, they only obtained names and emails. In the worst cases, they got credit card numbers.

Identity theft and cyber fraud cost Australia a whopping $8.5 billion every year. One in five Australians will be hit and it's getting worse every day.

The most common schemes are simpler than you think. Let's take a look at the most common ways thieves pilfer your credit card information.

Suspect 1: The Waitress At Your Local Cafe

Mode Of Operation:

When it's time to pay, the waitress whisks away your credit card and swipes it through the restaurant's register. Then, she pulls out a small device, about the size of an ice cube, from her apron and swipes it through that.

While you're scraping the last of the chocolate cake from your plate, your credit card information has been stored in the device, known as a skimmer. The waitress returns your card and performs the same magic trick on dozens of credit cards in a week.

Known Whereabouts:

The data-stealing waitress has been known to moonlight as a bartender, sales assistant or at any place where she can take your credit card out of sight.

Suspect 2: The Toy Store Trio

Mode Of Operation:

Sally, Simon and Greg walk into a toy store. Sally and Simon roam the aisles, while Greg waits in line to check out. When Greg is at the register, Simon comes running up to the shop assistant, screaming that his wife has fainted.

As Sally and Simon distract the shop assistant, Greg switches the credit card reader at the register with a modified one of his own.

For the next week, the shop assistant unwittingly collects credit card data on the modified reader until the trio returns, takes back the modified reader and restores the original terminal.

Known Whereabouts:

The trio will hit other retailers and restaurants, but sometimes the threesome will instead be a duo or a solo criminal.

Suspect 3: The Petrol Prowler

Mode Of Operation:

The Petrol Prowler parks her car in front of a petrol station off the highway. It's late. There's no one around except a sleepy shop assistant at the register inside. The Petrol Prowler attaches a skimmer over the credit card reader at the pump. It's a special skimmer: It emits a Bluetooth signal to a laptop close by.

The Petrol Prowler pays, heads off to the motel next door and sets up her laptop to receive the data from the compromised pump over the next several days.

Known Whereabouts:

The Petrol Prowler installs skimmers over ATMs, parking meters, vending machines and any other places with unmanned credit card readers.

Suspect 4: Harry the Hacker and Phishing Phil

Mode Of Operation:

Harry the Hacker installs malware - a type of software that damages or infiltrates a computer or network - onto a legitimate website with low security. The malware instantly downloads onto your computer when you visit the site and allows Harry to access your information. In another scenario, Harry puts malware on public computers and gathers the information you share with that computer.

Phishing Phil uses malware to go after your laptop. He sends emails with attachments that promise dancing kittens or some other bait. When the user opens the attachment, malware instantly downloads onto the computer and leaves confidential information vulnerable.

Phil also sends emails from a familiar sender with a link to a contaminated website that installs malware onto your computer. Some malware, called spyware, allows Phil to capture every keystroke including passwords to your financial accounts.

What Happens To Your Information?

Mode Of Operation:

So what happens to these pieces of data when they're in no-good hands? They get sold.

The waitress, trio or Petrol Prowler may be able to sell each swipe for $20 to $40 a pop. Harry the Hacker and Phishing Phil could get $5 to $10 a card and often sell the information online at the eBay of credit card activity.

The person who buys the information verifies it and then sells it to a person who creates fraudulent credit cards with your account information attached. The card maker then sells those cards to other criminals, who buy goods such as stereos or baby formula and sell them on to regular consumers.

Identity Theft: How To Avoid It

  1. Set up mobile alerts for your phone if your financial institution provides the feature. That way, you can be aware of unusual activity as quickly as possible.

  2. Regularly monitor your accounts online, so you can identify fraudulent transactions faster.

  3. Avoid public computers. Don't log onto your email if your bank corresponds with you there. One idea is to set up an email account just for your finances and then only check it from safe locations.

  4. Avoid doing business with unfamiliar online vendors. Stick to established merchants and websites.

  5. If your information has been compromised, notify your financial institutions immediately and also inform the police what has happened.

Friday, August 26, 2011

Mobile users are three times more vulnerable to phishing attacks

As smartphone usage grows exponentially, so does the potential for fraud

A study by Trusteer in early 2011 showed that mobile users are three times more vulnerable to phishing attacks, and a Juniper Networks study published this May shows that instances of malware on Android phones grew 400 percent between summer 2010 and spring 2011. Both banks and consumers need to understand how to detect and prevent fraud so that malware attacks don't grow at the same rate as, or faster than, mobile banking adoption.

Major banks have begun to offer new mobile services in response to this trend. For today's retail banks, mobile banking is seen as table stakes, and new functionality like remote deposit capture is continuously being integrated. There are several touchpoints where mobile banking users are potentially exposed to fraud. Malware and phishing are on the rise.

Transactions can be viewed and intercepted. Fraudulent operating systems and applications can be written for download and used by unsuspecting consumers. And good operating systems and applications can be corrupted.

In addition, wireless networks themselves can pose risks. One particular emerging fraud threat, dubbed a "sidejack" attack, occurs when fraudsters and/or thieves insert themselves into an unsecured Wi-Fi network connection and intercept messages and data that are exchanged.

Consumers also too often conduct mobile banking over insecure networks in places like airports, hotels and libraries. Successful fraud mitigation approaches need to be able to cover consumers at all of these touchpoints.

The key to identifying mobile banking fraud is understanding consumer usage patterns. In normal activity, for example, banking actions like mobile payments and fund transfers take place on demand, with patterns that appear random.

Fraudulent usage patterns for payments, on the other hand, tend to show several payments in a row, and funds transfers could take place several times after that. Fraud analytics, which can build unique, adaptive profiles based on a consumer's real-time mobile banking activity, are emerging because they can monitor transaction patterns and combine those profiles with data about the wireless access points and banking applications used, as well as the time of day and day of the week when the network was used.

Then banks can compare one user's profile to the entire user base, to evaluate and assess whether the patterns fall outside the norm. If the patterns do fall outside the norm, that could be an indicator of suspicious activity. The behavior of mobile bank customers does change over time, as new apps and features are introduced. New pattern-detection technologies are built in to identify out-of-the-ordinary activity for a particular user.

In order to prevent mobile bank fraud, those fraud analytics identify patterns in milliseconds, which is critical. Speed enables a bank to deny a transaction or ask a user for additional user verification, ensuring intentions are proper. Not only does this help a bank ensure a successful customer experience, it also helps avoid aggravating consumers by incorrectly denying a legitimate transaction.
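As an added illustration, not code from the original post or from any vendor's product, here is a small Python profiler that applies the reasoning above to constructed mobile-banking events: it builds per-user baselines, flags a run of several payments in a row and any deviation from the user's usual access point or hour of day, and compares each user's volume against the population. The record format, the access-point identifiers and the thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical record format the bank's app is assumed to report:
#   user,ISO-timestamp,action,access_point
# All lines below are constructed for this example; none are real bank data.
BASELINE_LINES = [
    "alice,2011-08-01T08:05,balance,ap-home-1",
    "alice,2011-08-01T12:20,payment,ap-home-1",
    "alice,2011-08-02T19:40,payment,ap-home-1",
    "alice,2011-08-03T08:15,balance,ap-home-1",
    "alice,2011-08-03T12:10,payment,ap-home-1",
    "bob,2011-08-01T09:00,balance,ap-home-2",
    "bob,2011-08-01T18:30,payment,ap-home-2",
    "bob,2011-08-01T18:45,transfer,ap-home-2",
    "bob,2011-08-02T09:10,payment,ap-home-2",
    "bob,2011-08-02T18:20,payment,ap-home-2",
]
STREAM_LINES = [
    "alice,2011-08-05T08:10,balance,ap-home-1",
    "alice,2011-08-05T12:30,payment,ap-home-1",
    "bob,2011-08-05T09:05,balance,ap-home-2",
    "bob,2011-08-05T02:11,payment,ap-cafe-77",   # unknown hotspot, 2 a.m.
    "bob,2011-08-05T02:13,payment,ap-cafe-77",
    "bob,2011-08-05T02:14,payment,ap-cafe-77",   # third payment in a row
    "bob,2011-08-05T02:15,transfer,ap-cafe-77",  # transfers follow the payments
    "bob,2011-08-05T02:16,transfer,ap-cafe-77",
    "mallory,2011-08-05T23:50,payment,ap-cafe-77",  # user with no history at all
]

MONEY_ACTIONS = {"payment", "transfer"}


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    action: str         # balance, payment or transfer
    access_point: str   # hypothetical Wi-Fi hotspot / cell identifier


def parse_events(lines):
    """Parse the constructed CSV lines into Events sorted by time."""
    events = []
    for line in lines:
        user, ts, action, ap = line.split(",")
        events.append(Event(user, datetime.fromisoformat(ts), action, ap))
    return sorted(events, key=lambda e: e.ts)


def build_profiles(events):
    """Per-user baseline: access points and hours seen, money actions per day."""
    profiles = {}
    for e in events:
        p = profiles.setdefault(e.user, {"aps": set(), "hours": set(),
                                         "per_day": defaultdict(int)})
        p["aps"].add(e.access_point)
        p["hours"].add(e.ts.hour)
        if e.action in MONEY_ACTIONS:
            p["per_day"][e.ts.date()] += 1
    return profiles


def score_stream(events, profiles, window=timedelta(minutes=10), burst=3):
    """Return (event, reasons) pairs in time order.

    Reasons mirror the text: "burst" when the user has `burst` or more money
    actions inside `window`, plus deviations from the user's own profile
    (unknown access point, unusual hour) and users with no baseline at all.
    """
    recent = defaultdict(deque)  # per-user timestamps of money actions in the window
    results = []
    for e in sorted(events, key=lambda x: x.ts):
        reasons = []
        prof = profiles.get(e.user)
        if prof is None:
            reasons.append("no-baseline")
        else:
            if e.access_point not in prof["aps"]:
                reasons.append("new-access-point")
            if e.ts.hour not in prof["hours"]:
                reasons.append("unusual-hour")
        if e.action in MONEY_ACTIONS:
            q = recent[e.user]
            q.append(e.ts)
            while e.ts - q[0] > window:   # drop actions that fell out of the window
                q.popleft()
            if len(q) >= burst:
                reasons.append("burst")
        results.append((e, reasons))
    return results


def above_population_norm(profiles, events, k=2.0):
    """Users whose money-action count in the stream exceeds the baseline
    population's mean daily rate by more than k standard deviations."""
    rates = [mean(p["per_day"].values()) for p in profiles.values() if p["per_day"]]
    threshold = mean(rates) + k * pstdev(rates)
    counts = defaultdict(int)
    for e in events:
        if e.action in MONEY_ACTIONS:
            counts[e.user] += 1
    return {u for u, c in counts.items() if c > threshold}


if __name__ == "__main__":
    profiles = build_profiles(parse_events(BASELINE_LINES))
    stream = parse_events(STREAM_LINES)
    for event, reasons in score_stream(stream, profiles):
        if reasons:
            print(event.user, event.ts.isoformat(), event.action, reasons)
    print("above population norm:", above_population_norm(profiles, stream))
```

In a real deployment the baseline would be rebuilt continuously so that the profile follows a customer's changing habits, as the text notes.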

Most mobile banking applications today don't include these kinds of sophisticated security capabilities, as the focus is more on functionality. As mobile banking continues to grow, security needs to become an integral component of mobile infrastructure planning.

Today's security systems reside in a bank's data center; tomorrow they need to be on mobile devices, wireless hotspots and the like. Security also should be built into mobile apps, so that the apps can monitor usage patterns and self-police a user's own mobile-banking activity.

As the use of mobile banking grows, banks and credit unions also should take steps to educate their customers and members about safe e-banking practices.

Here are some tips banks could share:
  • Always use a secured Wi-Fi connection, where you have a unique user name and password, before sending any sensitive information over your mobile phone.
  • Download your bank's mobile application from a legitimate app store associated with your phone and use it every time, so you can be sure you are visiting the real bank every time and not a copycat site.
  • Install anti-malware technology, and back up data regularly.
  • Configure your device to auto-lock after a period of time with a password of six-to-eight alphanumeric characters.
  • Keep your apps and device software up-to-date.
Mobile banking technologies will revolutionize the way we handle our money, and they give banks a wonderful way to serve their customers. But just as banks are rolling out mobile banking interfaces, they also need to develop and integrate fraud prevention. It will be much easier to do so now, when the mobile banking trend is still in its relative infancy.

Wednesday, July 27, 2011

How to combat ATM skimming fraud?

A Simple Plan to Combat ATM Fraud

The risks of electronic banking are all well known. In fact, the updated FFIEC authentication guidance specifically talks about the need to secure both online and electronic banking. It's important to remember that ATMs are also a target of fraudsters. ATM skimming rings are defrauding cardholders to the tune of tens of millions of dollars. This is a global issue affecting customers in the USA, the European Union, Asia, basically anywhere there are ATMs.

Breaking 2-Factor Authentication

In order to access your account from an ATM you are required to use your ATM card [something you have] and enter a PIN [something you know]. Generally, 2-factor authentication is considered a relatively strong security measure against financial fraud. However, crime rings are using various techniques to capture both the card and the PIN, effectively thwarting these measures.

In the 2011 updated guidance, the FFIEC stresses the importance not only of strong authentication, but also of knowing your customer. Therein lies the missing link in combating ATM fraud, and fortunately it has an elegant solution.

Similar to online banking, customers have normal patterns of ATM activity: relatively consistent patterns of dollar amounts and frequency of ATM cash withdrawals. Since financial institutions already utilize "know your customer" capabilities to combat online banking fraud, the same techniques can be used to combat ATM fraud.

Keeping It Simple

Upon detecting unusual and possibly fraudulent ATM activity, the ATM screen could present the user with an out-of-wallet challenge question. Making sure the question has a numeric answer means that the current ATM key pads used to enter the PIN would not have to be modified.

Even with limiting the out-of-wallet questions to those with numeric answers, the list of potential questions is quite long:
  • What year was your first child born?
  • What was the model year of your first car?
  • What year were you married?
Obviously not an exhaustive list, but it does illustrate the fact that there is no shortage of such questions.

It's important that the challenge questions are strictly out-of-wallet. If the fraudster did in fact steal the victim's wallet, with their driver's license, then asking the question "what year were you born" would be inappropriate. Asking what year you graduated from high school would also be a weak question.

The fraudster could simply add 17 to the birth year on the driver's license and answer that question correctly the majority of the time.

The lesson here is the importance of keeping the challenge questions out-of-wallet.

Elegant and Effective

Using out-of-wallet questions that are compatible with existing ATM hardware, you can add another layer of security to combat ATM fraud. It is a low-cost solution that could potentially save customers, and financial institutions, millions of dollars.

To complete the anti-fraud circle, banks can also consider having the ATM keep the bank card when a customer [fraudster] fails to correctly answer the out-of-wallet challenge question. You'd have the card, with fingerprints, as well as photographs of the attempted fraud.
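The whole flow above as a toy model, added here as an example and not code from the original post: a withdrawal is compared with this cardholder's usual amounts and frequency; if it is unusual, the ATM asks a numeric out-of-wallet question on the existing PIN pad, and a wrong answer retains the card. Questions whose answer sits in, or is derivable from, the wallet are never asked. The history, question list, thresholds and field names are constructed assumptions.

```python
# Added example (not the post's code): ATM withdrawal check plus out-of-wallet
# challenge. History, questions, thresholds and field names are constructed.
from statistics import mean, pstdev

# Constructed history of one cardholder: (day number, amount withdrawn)
HISTORY = [(1, 60), (4, 80), (8, 60), (12, 100), (15, 60), (19, 80), (22, 60)]

# (question, answer field, in_wallet). Birth year is printed on the licence and
# high-school graduation is roughly birth year + 17, so both are excluded.
QUESTIONS = [
    ("What year was your first child born?", "first_child_year", False),
    ("What was the model year of your first car?", "first_car_year", False),
    ("What year were you married?", "marriage_year", False),
    ("What year were you born?", "birth_year", True),
    ("What year did you graduate from high school?", "hs_grad_year", True),
]

def unusual_withdrawal(history, day, amount, z=2.5):
    """True if the amount or the gap since the last withdrawal is far from
    this customer's own pattern (z-score against their history)."""
    amounts = [a for _, a in history]
    gaps = [b[0] - a[0] for a, b in zip(history, history[1:])]
    mu_a, sd_a = mean(amounts), pstdev(amounts) or 1.0
    mu_g, sd_g = mean(gaps), pstdev(gaps) or 1.0
    gap = day - history[-1][0]
    return abs(amount - mu_a) / sd_a > z or abs(gap - mu_g) / sd_g > z

def askable(questions):
    """Only questions with a numeric answer (fits the PIN pad) that are
    strictly out-of-wallet."""
    return [(q, field) for q, field, in_wallet in questions if not in_wallet]

def atm_decision(history, day, amount, on_file, answer_given, which=0):
    """Returns 'approve', 'approve-after-challenge' or 'retain-card'."""
    if not unusual_withdrawal(history, day, amount):
        return "approve"
    _question, field = askable(QUESTIONS)[which]
    if answer_given == on_file[field]:
        return "approve-after-challenge"
    return "retain-card"   # keep the card, as the post suggests
```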

Wednesday, June 29, 2011

Will the new FFIEC guidance help to reduce the increasing security threats?

Final FFIEC Authentication Guidance Issued

The Federal Financial Institutions Examination Council has formally released the long-awaited supplement to its "Authentication in an Internet Banking Environment" guidance, which was first issued by the FFIEC in October 2005.

Formal assessments for compliance with the new guidance will begin in January 2012.

The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.

The official supplement highlights the need for:
  • Better risk assessments;
  • Effective strategies for mitigating known online risks;
  • Improved customer and employee fraud awareness.
In a news release about the official update, the FFIEC says the growing sophistication of online threats has increased risks for financial institutions and their customers. "Customers and financial institutions have experienced substantial losses from online account takeovers," the FFIEC states. "Effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions' electronic agreements and transactions."

The FFIEC says it will continue to work closely with financial institutions to promote security in electronic banking. Examiners have been directed to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012.

The FFIEC is made up of the following regulatory agencies: the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, National Credit Union Administration and Office of Thrift Supervision.

Please refer here to read the changes in the new FFIEC guidance.

Sunday, June 19, 2011

Security of Transport Contactless Smart Cards

It is possible to sniff data but what can thieves do with it?

Contactless smart cards have been touted for their speed and convenience. But does the technology make it easier for pickpockets to be contactless, too?

Experts say that although it’s possible for a fraudster to buy a card reader on eBay and use it to scan people’s pockets on a subway, there are numerous protection mechanisms in place to keep stolen data from being used as well as new, emerging encryption standards that will further limit such threats.

The pickpocket issue garnered media attention in December, when a CBS affiliate in Memphis, Tenn., followed a man who was able to swipe credit card information from unsuspecting passers-by. Using an off-the-shelf card reader that he bought online for less than $100 and a mini laptop, the man was able to obtain credit card numbers, expiration dates and some cardholder names.

But that is likely as far as a thief will get, experts say. It is possible to use a contactless reader to pick up information from a card on the subway or in an elevator, but it is unlikely that he could use the information to go on a shopping spree.

That is because the account number and other information obtained from a contactless card is not enough to complete a financial transaction. Unlike magnetic stripe cards, most contactless payment cards use a dynamic element to authenticate each transaction.

Things to look out for:
  • Transaction security: a MAC across the transaction and on the data (digitally signed)
  • Internal abuse and insider jobs/attacks
  • Mixed modes (one card used for many things: loyalty, credit card, door access, etc.)
  • Design issues, e.g. key management (not public key) and weak crypto
Encryption levels can also dictate a card’s vulnerability. If a card’s encryption uses a weak algorithm or no encryption at all, the information may be easily read.

Advanced techniques for extracting a card’s encryption key are possible, but they typically require the physical possession of the card and access to highly specialized equipment.

For unencrypted air interfaces, data can be read by off-the-shelf readers and then programmed into a different physical card. An attacker could then use the stolen card information to perform transactions identical to those performed by the legitimate card. In the case of payment cards, however, this process is complicated by additional security mechanisms such as dCVCs (dynamic card verification codes).
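A simplified issuer-side model of that "dynamic element", added here as an example; it is not code from the original post and not any card scheme's real algorithm. Each tap carries a transaction counter (ATC) and a code computed with a per-card key that the air interface never exposes, so data sniffed from one tap cannot be replayed or copied onto another card. The code construction (truncated HMAC-SHA256), the key material and the PAN are assumptions.

```python
# Added example (not the post's code, not a real scheme): issuer-side check of a
# dynamic per-transaction code. Key material and the PAN are constructed values.
import hashlib
import hmac

def dynamic_code(card_key: bytes, pan: str, atc: int, amount: int) -> str:
    """Assumed construction: truncated HMAC-SHA256 over PAN, counter, amount."""
    msg = f"{pan}|{atc}|{amount}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:6]

class Card:
    """Genuine card: holds its key and increments the counter on every tap."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def tap(self, amount: int):
        self.atc += 1           # fresh counter for every transaction
        return (self.pan, self.atc, amount,
                dynamic_code(self.key, self.pan, self.atc, amount))

class Issuer:
    """Authorisation host: knows each card's key and the last counter seen."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enrol(self, pan: str, key: bytes):
        self.keys[pan] = key
        self.last_atc[pan] = 0

    def authorise(self, pan: str, atc: int, amount: int, code: str) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "decline: unknown card"
        if atc <= self.last_atc[pan]:
            return "decline: counter replayed or stale"
        if not hmac.compare_digest(code, dynamic_code(key, pan, atc, amount)):
            return "decline: dynamic code invalid"
        self.last_atc[pan] = atc
        return "approve"

def demo():
    """A genuine tap, then what the issuer sees when the data captured from
    that tap is presented again, or reused with a new counter but no key."""
    issuer = Issuer()
    key = b"constructed-per-card-key"
    card = Card("4111111111111111", key)     # constructed test PAN
    issuer.enrol(card.pan, key)
    first = card.tap(2500)                   # amount in cents
    genuine = issuer.authorise(*first)
    replay = issuer.authorise(*first)        # same data again: rejected
    pan, atc, _, code = first
    copied = issuer.authorise(pan, atc + 1, 999, code)   # no key, code mismatch
    return genuine, replay, copied
```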

Known cases and attacks:
  • HK Octopus cards
  • NETS CashCard
Past demos:
  • Virtual pick-pocketing of contactless cards in Paris, at the Cartes exhibition in 2005
  • YouTube videos
  • ePassport attack demos
Interesting countermeasures

There is actually one way to protect against undesired interrogation of an RFID card. Cardlab has a patented RFID jam switch which distorts the RFID signal when the card is interrogated. The owner simply taps or bends the card to turn off the jammer, and the card is then able to communicate. It is effective, it's cheap, and it gives the consumer the real feeling of security he needs in order to trust the technology.

If it's a dual-interface government PIV card, the thief could obtain the cardholder's unique identifier, or CHUID, a number that uniquely identifies an individual within the PIV system, according to experts with Exponent, a Menlo Park, Calif.-based engineering and scientific consulting firm. The remaining chip information would only be accessible via the contact interface, so it is not at risk from such attacks.

Refer here or here to read relevant / further details.

Monday, June 13, 2011

New PCI standard version 2.0 has been finalized

Changes Minor, But Non-Compliant Merchants Won't Get Leniency

Merchant and service provider validation requirements are still the same. In fact, if you were compliant in the past, there is nothing terribly new. But if you had once sought shortcuts or attempted granular inferences about what was in scope, 2.0 may indeed prove discomforting.

Clarifications in 2.0

First and foremost, the new standard clearly spells out that the cardholder data environment includes "people, processes and technology" that touch the payments chain in any way. That means any entity that stores card data, processes or transmits card data, or touches authentication data must comply with the PCI-DSS.
If your organization ever sought to escape the stringency of the DSS by theorizing that it was only applicable to electronic cardholder data, the new guidance should clarify that even you must comply.

Secondly, the standard's use of "system components" was given a more inclusive definition. System components include all virtualization components, such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops and hypervisors. Virtualization was further integrated into requirement 2.2.1's limitation to one primary function per virtual server or device, though whether or not DMZ-based and internal network zone devices could be virtualized within the same physical hardware was not clarified.

Among the 314 other clarifications included in the new version and guidance, several other points are worthy of mention:
  • The standard applies to issuers and recognition was given to their need to securely store any retained sensitive authentication data.
  • Requirement 3.6 allows the use of cryptoperiods, rather than solely annual key rotation. If the impact of annual rotation has proven burdensome and the risk posed by less frequent key rotation is low, this should be a welcome change. [See NIST Special Publication 800-57 for more information about the standard cryptoperiod.]
  • Requirement 3.6.6 was clarified as requiring split knowledge and dual control for manual clear-text cryptographic key management operations only. For those using dynamic key management appliances, this should already be a native function.
  • Requirement 6.2 includes the use of risk rankings for identified vulnerabilities as a best practice until June 30, 2012, after which it becomes a requirement. NIST Special Publication 800-30 is a suggested resource for accomplishing this. Further, most organizations will likely find it easier to document all operating system related critical patches as "high" risk than to rank each individual patch.
  • Requirement 12.3.10 added the ability to copy, move or store cardholder data on local hard drives and removable electronic media for authorized individuals; presumably, however, many will be challenged by scope implications.
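
A toy of the split knowledge and dual control that the 3.6.6 clarification refers to, added here as an example and not code from the PCI DSS, the Council or the original post. Each custodian holds one XOR component; the key exists only when every component is combined, and a check value lets the team confirm the result without anyone seeing the key. The check value construction (a SHA-256 prefix) is an assumption, not the AES-based KCV HSMs use, and all values are constructed.

```python
# Added example (not from the PCI DSS or the post): split knowledge and dual
# control for a manual clear-text key ceremony. All values are constructed.
import hashlib
import secrets

def xor_all(parts):
    """XOR equal-length byte strings together."""
    out = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("components must be the same length")
        out = bytes(x ^ y for x, y in zip(out, p))
    return out

def split_key(key: bytes, custodians: int):
    """Split into n components whose XOR is the key. n-1 are random, so any
    set of fewer than n components reveals nothing about the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    parts.append(xor_all(parts + [key]))     # last component completes the key
    return parts

def check_value(key: bytes) -> str:
    """Assumed KCV: SHA-256 prefix, so custodians can confirm the reassembled
    key without seeing it (real HSMs derive the KCV differently)."""
    return hashlib.sha256(key).hexdigest()[:6]

def load_key(components, required: int, expected_kcv: str) -> bytes:
    """Dual control: proceed only when all custodians present their
    components; then verify the reassembled key against the check value."""
    if len(components) < required:
        raise PermissionError(f"dual control: {len(components)} of {required} custodians present")
    key = xor_all(components)
    if check_value(key) != expected_kcv:
        raise ValueError("check value mismatch: a component is wrong or corrupted")
    return key

def ceremony_demo():
    """Full ceremony with three custodians, then an attempt with only two."""
    key = secrets.token_bytes(16)            # constructed master key
    kcv = check_value(key)
    comps = split_key(key, 3)
    complete = load_key(comps, 3, kcv) == key
    try:
        load_key(comps[:2], 3, kcv)
        partial = "allowed"
    except PermissionError:
        partial = "refused"
    return complete, partial
```
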
It may sound counter-intuitive, but 53 testing procedures were added to simplify assessment and compliance management. Most of these are breakouts of the requirement verbiage. For instance, what had been listed as bullets under 4.1.a is now broken out into 4.1.a-4.1.e.

Redundancies also found in v1.2.1, which related to internal and Web-based application requirements 6.3 and 6.5, have been consolidated. Now, 6.5 includes the SANS CWE Top 25 and CERT Secure Coding best practice references.

Nevertheless, many hot-button items, such as tokenization, remain open to interpretation. Questions surrounding tokenization, virtualization and physical hardware remain unanswered.

For now, and potentially until 2013 when release version 3.0 is expected, we may be left to wonder. In the meantime, for those looking to adopt 2.0, take a look at the PCI Council's tips for understanding the guidance: Navigating PCI DSS: Understanding the Intent of the Requirements.

Wednesday, June 8, 2011

Hacker breaches the security of Australian Tax Office, Defence and Banks


The security of hundreds of thousands of security tokens (SecurID) used by Australian banks and their customers, the Defence Force and organisations such as the Tax Office to access computer systems is in doubt after a cyber attack.

RSA said yesterday it would reissue an unknown number of the estimated 40 million RSA SecurID fobs used worldwide. SecurID fobs are small, portable devices that generate a digital security code that changes every 60 seconds. They are most commonly used with a static PIN or password to access a computer system.

In March RSA customers were told the company had been the victim of "an extremely sophisticated cyber attack". But it was not until recently that full details were known. RSA's admission follows an attack on the defence contractor Lockheed Martin. The contractor said an attacker had tried to access its network using information about the fobs stolen from RSA in the March attack. But it had stopped the attacker stealing information.

Certain characteristics of the attack on RSA indicated the perpetrator's most likely motive was to obtain an element of security information that could be used to target defence secrets and related intellectual property.

David Kenny, the deputy secretary of the Department of Parliamentary Services, said the department had 1800 of the SecurID tokens used by staff and MPs. The department was arranging replacement.

The Department of Veterans' Affairs was considering RSA's offer to replace SecurID tokens at no cost. Westpac bank confirmed that it did not see an immediate need to replace its customer fobs as it had not been compromised. The Tax Office was arranging replacements.

The attack meant many organisations would see a need to beef up their security. To be successful an attacker would need certain information from the SecurID token, such as the username and PIN or password.

These details can often be obtained when a user hands them over in an email to a hacker pretending to be from the organisation that issued the fob. Without some of these details it would be difficult for a hacker to gain entry to a network.

Refer here for further details.