The Bankwatch

Tracking the consumer evolution of financial services

Archive for the ‘Security’ Category

The laws of unintended consequences | AML data mining

While the data collected by governments was intended to catch money laundering and terrorist financing, it is producing many other results, including the recent debacle involving Eliot Spitzer. Source article: Anti-laundering software casts wide net to catch big fish

The software looks for subtle patterns that indicate odd activity, and when a transaction is flagged, a human evaluates the findings. More often than not, the anomaly is explained and dismissed. For example, someone whose banking consists of bi-weekly deposits may suddenly show an influx of $15,000 that turns out to be profit from the sale of a car.

But when investigators do find something — like chunks of money transferred from the account of a state governor into the account of a shell corporation — they flag the information and forward it to the authorities. In the United States, the U.S. Treasury’s Financial Crimes Enforcement Network looks at almost five million suspicious activity reports a year. In this country, The Financial Transactions and Reports Analysis Centre of Canada in 2007 investigated 193 cases involving close to $10-billion in financial transactions.
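To make the "flag, then a human evaluates" loop concrete, here is an added example (not code from the article or from any bank's monitoring system) of the two kinds of pattern the quoted piece describes: a credit far outside a customer's own baseline, and a large credit that leaves the account again within days. The transaction history, the ratio and the pass-through window are all constructed for illustration; real monitoring rules are far richer and are tuned per institution.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

# Constructed sample data and thresholds for illustration only; not any bank's real rules.


@dataclass
class Txn:
    when: date
    amount: float   # positive = credit to the account, negative = debit
    memo: str


@dataclass
class Alert:
    txn: Txn
    reason: str
    disposition: str = "open"   # open -> dismissed | escalated, set by human review
    note: str = ""


def credit_baseline(history, window=8):
    """Median of the customer's last `window` credits; None if there is too little history."""
    credits = [t.amount for t in history if t.amount > 0][-window:]
    return median(credits) if len(credits) >= 3 else None


def screen(history, ratio=5.0, passthrough_days=3, passthrough_share=0.9):
    """Return alerts for credits far above the customer's own baseline, and for
    large credits where most of the money leaves again within a few days."""
    alerts = []
    txns = sorted(history, key=lambda t: t.when)
    for i, t in enumerate(txns):
        if t.amount <= 0:
            continue
        base = credit_baseline(txns[:i])          # baseline from what came before
        if base is None or t.amount < ratio * base:
            continue
        alerts.append(Alert(t, f"credit {t.amount:.2f} is {t.amount / base:.1f}x baseline {base:.2f}"))
        # Pass-through check: debits inside the window that move most of the credit out again.
        window_end = t.when + timedelta(days=passthrough_days)
        out = -sum(u.amount for u in txns[i + 1:] if u.amount < 0 and u.when <= window_end)
        if out >= passthrough_share * t.amount:
            alerts.append(Alert(t, f"{out:.2f} of {t.amount:.2f} left the account within {passthrough_days} days"))
    return alerts


def review(alert, dismiss, note):
    """The human step: an analyst either dismisses the alert with an explanation or escalates it."""
    alert.disposition = "dismissed" if dismiss else "escalated"
    alert.note = note
    return alert


def sample_history():
    """Constructed history: eight bi-weekly payroll credits, a one-off car-sale cheque,
    then a large inbound wire that is forwarded almost in full the next day."""
    start = date(2008, 1, 4)
    hist = [Txn(start + timedelta(days=14 * k), 1850.0, "payroll") for k in range(8)]
    hist.append(Txn(date(2008, 4, 21), 15000.0, "cheque deposit"))
    hist.append(Txn(date(2008, 5, 2), 1850.0, "payroll"))
    hist.append(Txn(date(2008, 5, 5), 40000.0, "wire in"))
    hist.append(Txn(date(2008, 5, 6), -39500.0, "wire out - XYZ Holdings Ltd (constructed)"))
    return hist


if __name__ == "__main__":
    alerts = screen(sample_history())
    review(alerts[0], dismiss=True, note="customer documented sale of a car")
    for a in alerts:
        print(a.txn.when, a.reason, "->", a.disposition)
```

Run as a script it produces three alerts: the $15,000 cheque (dismissed after review, matching the car-sale case in the quote), and two alerts on the $40,000 wire, one for its size relative to baseline and one for the near-total pass-through to another account. The baseline is computed only from transactions that precede the one under test, so an earlier legitimate outlier does not silently raise the bar for later ones.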

Written by Colin Henderson

April 17, 2008 at 14:33

Posted in Security

Customers don’t want authentication devices | Abbey

Finally someone has stated the blindingly obvious point that people do NOT want to carry separate devices. Banks need to provide the required security in other ways. I blogged about these devices last year, and have been amazed by the extent of deployment by European Banks, which could turn out to be wasted investment.

See here for my thoughts last year, and how two factor authentication is not well understood.

Finextra: Customers don’t want authentication devices, says Abbey

Despite continuing security concerns, two thirds of customers do not want their bank to provide chip and PIN-style authentication devices, according to UK high street bank Abbey.

The bank says a survey of 1000 of its own customers found that just one-in-three people (32%) want to be supplied with a security device to further secure online transactions.

Written by Colin Henderson

March 25, 2008 at 23:37

Posted in Security

Thanks for multi-factor authentication | Bankwide

Good article on security here at Bankwide. It appears to be a new site, with coverage on compliance, security, and the impact on trust in Banks.

A Letter From Hackers: Thanks for Multifactor Authentication | Security | Articles

“Attackers aren’t getting in by guessing, they’re getting in by stealing the credentials or tricking the end-user into giving away the credentials.” So adding more credentials won’t make sites more secure.

Written by Colin Henderson

December 22, 2007 at 16:44

US Department of Defense sponsors Open Source conference

Note for all Bank CTOs – the US DoD is looking carefully at Open Source, with suggestions that it is already using it. Matt’s comments are illuminating for Banks.

U.S. Department of Defense announces open-source conference | The Open Road – The Business and Politics of Open Source by Matt Asay – CNET Blogs

It should be fascinating to see how much open source is being used in the world’s most finicky IT buyer. If open source can meet the performance and security demands of the U.S. Department of Defense, surely it can enable more pedestrian uses of technology…like selling widgets or managing CRM systems.


Written by Colin Henderson

November 13, 2007 at 15:13

Posted in Security

China’s ambitions extend to crippling an enemy’s financial, military and communications capabilities

Military intelligence is not normally a topic for this blog, but there is an undercurrent in this new military front that is directly aimed at Banks and financial services. No doubt our side is developing those same capabilities, but the prospect of being pawns, and the prospect of customer disruption, is real. All the more reason for Banks to develop multiple channels and to have a mobile strategy, which might be their main customer contact point in a crisis.

“China’s ambitions extend to crippling an enemy’s financial, military and communications capabilities early in a conflict”

The extent of the work in this area is astonishing, and this article provides the background.

China’s cyber army is preparing to march on America, says Pentagon – Times Online

The blueprint for such an assault, drawn up by two hackers working for the People’s Liberation Army (PLA), is part of an aggressive push by Beijing to achieve “electronic dominance” over each of its global rivals by 2050, particularly the US, Britain, Russia and South Korea.

The impact is real, as Estonia found out earlier this year.

In February a massive cyber attack on Estonia by Russian hackers demonstrated how potentially catastrophic a preemptive strike could be on a developed nation. Pro-Russian hackers attacked numerous sites to protest against the controversial removal in Estonia of a Russian memorial to victims of the Second World War. The attacks brought down government websites, a major bank and telephone networks.


Written by Colin Henderson

September 8, 2007 at 11:31

HSBC investigates ‘out of band’ authentication for Web users

I applaud HSBC and Abbey National for not being lemmings on the European push to chip and pin for online banking. It’s actually not just Europe; some Canadian examples I am familiar with are thinking the same way.

Finextra: HSBC investigates ‘out of band’ authentication for Web users

HSBC and Abbey have so far opted-out of the national banking industry push to supply online account holders with Chip and PIN-style home banking technology. Such systems are considered vulnerable to man-in-middle attacks and require the consumer to carry a personal card reader at all times.

Written by Colin Henderson

September 7, 2007 at 20:35

Unparalleled onslaught against online banking taking place

In what is described as an unparalleled onslaught against online banking, criminals are attacking Italian web sites, in an effort to steal online banking identities.

Trojan attacks are not new, but experts say the scale of the latest onslaught is unparalleled, as is its focus on established websites to steal banking identities.

“This is a paradigm shift. We can expect to see this kind of thing being replicated now for the next five or six months,” said David Perry, a director of another west coast web security firm, Trend Micro.

Source: Guardian

The attacks involve downloading a keylogger onto customers’ computers.

Using an attack tool kit available for £350 on the internet from Russia, the attackers implanted codes that download a “keylogger” onto the computer of anyone opening up those sites. The keylogger allows the hackers to monitor any activity on the infected machine


Written by Colin Henderson

July 1, 2007 at 08:01

Posted in Security

Lloyds breaks one of the taboos of Banking

Lloyds admits one of the secrets no one wants to talk about: most fraud and theft originates with employees and internal sources.

The bank has bought a new generation of super-smart computer software that will enable it to keep better tabs on its 67,000 staff. The computer program will monitor 75 million transactions a day by branch and call-centre staff in an attempt to identify suspicious patterns and nail the culprits.

Source: The Times

In particular, the matter of criminal gangs integrating into call centres is a fact of today, and Lloyds are choosing to go public with their efforts to combat those gangs.

In banks, insiders are responsible for 50-70 per cent of all fraud, according to research by Celent. Identity theft in particular is a growing menace.


Written by Colin Henderson

June 9, 2007 at 17:02

Posted in Security

Cyber war – Estonia shut down, including focus on Banks

Estonia is a highly evolved internet marketplace including Government services, tax filing and various forms of ecommerce.

A political situation involving the removal of a Soviet statue has resulted in mammoth cyber attacks, which sound like denial of service attacks against the Estonian internet infrastructure. The source is allegedly inside Russia, which has denied involvement, but the attacks involved computers from around the world.

The Russian government has denied any involvement in the attacks, which came close to shutting down the country’s digital infrastructure, clogging the Web sites of the president, the prime minister, Parliament and other government agencies, staggering Estonia’s biggest bank and overwhelming the sites of several daily newspapers.

Source: NY Times

This situation has gathered interest from others as a potential window into future warfare and terrorism in this space.

Computer security experts from NATO, the European Union, the United States and Israel have since converged on Tallinn to offer help and to learn what they can about cyberwar in the digital age.

“This may well turn out to be a watershed in terms of widespread awareness of the vulnerability of modern society,” said Linton Wells II, the principal deputy assistant secretary of defense for networks and information integration at the Pentagon. “It has gotten the attention of a lot of people.”

Some information is available on the nature of the attacks.

The bulk of the cyberassaults used a technique known as a distributed denial-of-service attack. By bombarding the country’s Web sites with data, attackers can clog not only the country’s servers, but also its routers and switches, the specialized devices that direct traffic on the network.

To magnify the assault, the hackers infiltrated computers around the world with software known as bots, and banded them together in networks to perform these incursions. The computers become unwitting foot soldiers, or “zombies,” in a cyberattack.

The attackers used a giant network of bots — perhaps as many as one million computers in places as far away as the United States and Vietnam — to amplify the impact of their assault. In a sign of their financial resources, there is evidence that they rented time on other so-called botnets.

The Banks featured prominently in the defence effort.

The attacks on Estonia’s systems are not over, but they have dropped in volume and intensity, and are aimed mainly at banks.

Mr. Aarelaid huddled with security chiefs at the banks, urging them to keep their services running. He was also under orders to protect an important government briefing site. Other sites, like that of the Estonian president, were sacrificed as low priorities.
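The quoted description gives two signatures a defender can look for in web-server logs: a single source sending far more requests than any real client would, and the distributed form, where the aggregate volume in a short window is far above normal even though no individual source stands out. The following is an added example, not code from the article or from anyone involved in the Estonian response; it parses constructed Apache-style combined log lines, buckets them into fixed ten-second windows, and labels each anomalous window as single-source or distributed. The limits and the traffic are invented for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed example; thresholds are illustrative, not tuned for any real site.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def analyse(lines, window_s=10, per_ip_limit=20, total_limit=200):
    """Bucket requests into fixed windows and report windows where one source
    exceeds per_ip_limit (single-source flood) or the total exceeds total_limit
    with no single noisy source (distributed flood)."""
    buckets = defaultdict(Counter)            # window start (epoch seconds) -> Counter(ip)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        epoch = int(rec["ts"].timestamp())
        buckets[epoch - epoch % window_s][rec["ip"]] += 1

    findings = []
    for start in sorted(buckets):
        counts = buckets[start]
        total = sum(counts.values())
        noisy = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
        if not noisy and total <= total_limit:
            continue                          # ordinary traffic
        findings.append({
            "window_start": start,
            "requests": total,
            "sources": len(counts),
            "noisy": noisy,
            "kind": "single-source" if noisy else "distributed",
        })
    return findings


def constructed_log():
    """Three ten-second windows of invented traffic: normal, one chatty client, then a flood
    from 300 distinct addresses. All addresses are from documentation/private ranges."""
    def line(ip, second, path="/"):
        return f'{ip} - - [29/Apr/2007:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for k in range(5):                        # 10:00:00-09: five clients, three requests each
        for s in range(3):
            lines.append(line(f"10.0.0.{k + 1}", s, "/login"))
    for s in range(50):                       # 10:00:10-19: one client, 50 requests
        lines.append(line("198.51.100.7", 10 + s % 10))
    for k in range(300):                      # 10:00:20-29: 300 sources, one request each
        lines.append(line(f"100.64.{k // 200}.{k % 200 + 1}", 20 + k % 10))
    return lines


if __name__ == "__main__":
    for f in analyse(constructed_log()):
        print(f)
```

The first window is left alone, the second is reported as single-source with `198.51.100.7` as the noisy address, and the third as distributed: 300 requests from 300 sources with nobody over the per-address limit. That last case is why per-IP rate limiting alone does not help against a botnet, and why the quote notes that routers and switches, not just servers, get saturated.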

Written by Colin Henderson

May 29, 2007 at 07:06

Posted in Security

A frightening new account attack

This attack method is frighteningly simple. The bad guys ping account numbers until they succeed in making contact with a legitimate account. Upon successful identification of an account, the bad guys can debit it. This highlights an apparent flaw in the US ACH system.

the scammers appeared to be taking advantage of validation weaknesses among businesses using the automated clearinghouse (ACH) system, a private electronic payment network that links banks with one another via the Federal Reserve.

The network is used by banks to process large volumes of payroll, credit and debit card transactions, but it also facilitates direct payment of consumer bills such as mortgages, loans and utility bills, as well as business-to-business and federal, state and local tax payments.

Source: Washington Post

This came to light when a member of the American Air Force noticed his account balance was less than it should be.

More specifically, the account balance was $124.90 less than it should have been. A business named “Equity First” had made the debit. The toll-free number listed on the transaction led to dead ends — none of the options would allow Airman A to speak with a human. So he went online.

Source: Air Force Link

Read through the two links above; this is a new one to me, and although I am appalled at the implications here, when I put my mind into that of the criminal, I can see how easy it is. This could equally easily happen with the Canadian EFT (Electronic Funds Transfer) system. All that is required is to open a business account and purchase EFT access. I assume the US circumstance is similar.

Written by Colin Henderson

May 19, 2007 at 21:49

Posted in Security
