On Monday, the US-CERT (United States Computer Emergency Readiness Team) issued an updated advisory, warning that the ‘Backoff’ Point-of-Sale malware continues to evolve. And just today, UPS confirmed that it is the newest likely victim of Backoff. US-CERT has now seen five variants of ‘Backoff’, each with notable modifications, and the malware has been found in at least three separate forensic investigations. They note that the variants are largely undetected by AV vendors, and recommend that in lieu of such protection, organizations should monitor for ‘indicators of compromise’ (IOCs) to determine if they have been infected.
Over the last two years, we have seen a tremendous increase in mobile malware, which grew 167 percent in the past year, according to the June 2014 McAfee Labs Threat Report.
Here are two major reasons why mobile malware is increasingly the preferred method of attack for fraudsters:
1. As EMV technology is deployed in the US, the amount of fraud attributed to counterfeit cards will decrease.
2. Telecommunications providers will no longer allow premium text message services to bill customers, lowering the volume of fraud via premium SMS messages.
Mobile banking offers considerable promise for true interaction with customers, as well as key differentiators to attract Gen Y consumers. Simple and stronger authentication is key to managing risk and ensuring continued success in the mobile market.
The first generation of strong authentication for mobile typically utilized the same authentication factors as the online banking channel. This approach was mostly driven by the need to go to market quickly and by cost considerations. The most common method at that time was to use traditional static challenge questions.
A year after the Twitter-AP event, new security vulnerabilities and breaches (Heartbleed, Target, to name a few) continue to be in the weekly headlines. Organizations affected by those events have taken some measures to prevent them from happening again, and the largest financial services companies are investing heavily in cyber security. JPMorgan Chase, the nation’s largest financial institution, recently announced they are investing in additional layers of security, to the tune of $250 million annually and 1,000 people dedicated to the effort. Other organizations with high-value data and assets should follow that trend, and make a real assessment of their current solutions to see if they really help them combat cyber attacks and fraud in an effective way.
In the wake of the most recent FFIEC guidance published in 2011, many financial institutions and service providers have undertaken very expensive and time-consuming projects to replace the traditional challenge questions and answers that they previously used as a security measure. One of the more popular solutions suggested as an alternative was to provide out-of-band authentication via a second independent device. Mobile phones were the natural fit as that independent device, since the typical consumer’s high usage of SMS texting would make it easy to incorporate into their banking routine.
Mobile banking presents an attractive way for banks to improve their relationships with their customers, serving them wherever they go. But with major security breaches and fraud incidents making headlines, financial institutions are taking steps to address the growing problems of advanced persistent threats and fraud in online and mobile banking channels.