Ransomware: Now Aiming At Banking Apps

Ransomware: The very word is unpleasant, turning up the seamy underbelly to hardware and software. But it is a real thing, and it’s gotten immensely popular. And now, it’s crashing our party.

Of course, ransomware is still basically malware in that it restricts access to the system it infects. However, it goes further than rival strains by specifically demanding a ransom in order to go away. Like other viruses, its specific origins are dubious, but there’s no question that this bit of capitalist skullduggery initially gained traction in Russia. True to form, it didn’t stay there long—according to anti-virus vendor McAfee, it doubled in scope in one year to 250,000 unique samples in the first quarter of 2013.

Those with memories of Soviet-era paranoia and Cold War hysteria might remember that there were constant fears of Russian spies sabotaging the U.S. infrastructure. One supposed threat was that those sneaky Russkies would infiltrate the banking system and undermine it, bringing the economy to a screeching halt. Well, it’s a few decades later, and the latest ransomware may not be quite such a problem, but there’s a whiff of those old fears anyway.

So, meet Svpeng. Kaspersky Labs first shed light on this nasty piece of work last year, when it was still in mother Russia. But in June, a particular breed arrived here in search of Android devices. More specifically, it takes direct aim at mobile banking apps running on those devices and uses them to lock the phone or tablet. The ransomware then emerges to ask for money to unlock it.

All this is bad enough, but there’s another milestone of sorts here. By some accounts, this is the first major virus to systematically target mobile banking apps. And given that there are more than 100 million mobile banking users in the country, that’s potentially very bad news.

While these are early days and there will surely be other variants, here’s how the scenario currently plays out. Svpeng gets into the device through a coordinated social media campaign, then seeks out apps from a list of blue-chip vendors, such as American Express, Citigroup, Bank of America, Wells Fargo and JPMorgan Chase. And once it’s in there it’s almost impossible to scrub.

The ransomware takes the form of a fake FBI letter that asks for $200 to be paid through Green Dot MoneyPak cards. (It helpfully suggests outlets where those cards can be bought.) So far the malware doesn’t seem to be stealing bank credentials, but that’s what it did in Russia, so it will likely happen here soon enough.

The fact that malware has become so targeted and proficient is not a surprise, but it’s unfortunate nonetheless. The bigger worry may be that the financial services providers developing and distributing those apps for the public to use can’t really do much about it—they can perhaps exert some control over customers’ interactions with those apps, and that’s about it.

We’ve known all along that the unbelievable growth of mobile banking would give rise to a new generation of cyber criminals, and it’s happening now. There will be more such attacks, not fewer, and we can’t put the genie back in the bottle, any more than we can take control of our customers’ phones.

There’s no magic bullet here. What we can do, over and over again, is urge our customers to practice greater caution in downloads and communication with strangers. Most consumers still fail to exercise basic security procedures, and a little goes a long way. Otherwise, we’ll all end up paying the ransom.

This Week’s Reads: Security, Mobile Banking Malware, ATMs

Below are interesting stories the Banking.com staff has been reading over the past week. What have you been reading? Let us know in the comments section below or Tweet @bankingdotcom.

Are You Protecting Your Bank and Your Customers?

For the average banking customer, little attention is paid to the security aspect of public wireless networks at banks. Today’s users are so accustomed to attaching to free, public Wi-Fi services that they inherently trust that financial institutions are protecting their data and confidential information.

Contributor, James W. Gabberty


However, that is not always true. Oftentimes, financial institutions do not regularly monitor and update their routers, which puts their wireless networks at risk. As routers are the devices that handle network connectivity, they are susceptible to many of the same anomalies as tablets and personal computers, such as performing sluggishly, occasionally locking up, and, much worse, becoming infected with malware. Just like their computer counterparts, routers are usually shipped with an operating system installed by the manufacturer which needs to be occasionally refreshed with an updated version, begging the question: “how often do banks actually perform this upgrade?” The answer, simply put, is that while some do, others don’t. Why is this so?

One of the primary reasons that financial institutions are loath to update their routers’ operating systems has to do with the sheer number of routers deployed by mid- and large-sized banks and the common-sense notion that when one router is updated, all the rest must likewise be updated, which requires substantial planning and attention to detail (not to mention significant time and money). While upgrading routers periodically is certainly a nuisance, not performing upgrades en masse would be akin to individual users running disparate versions of the Microsoft operating system and office suites within a company – a seriously problematic proposition, since the number of security vulnerabilities would skyrocket.

Many banks also simply don’t have an accurate, updated list of all the routers in their organization, not to mention each router’s individual IOS level and, almost certainly, its configuration. Asset management has long been a problem for all companies, and banks are no exception. Corporate policy is frequently bypassed, and end-users often connect their own devices (USB drives, smartphones, and even routers) to the corporate backbone. While there are security awareness techniques designed to stem the rush of employees connecting non-corporate devices to the company’s IT infrastructure, insider activity is still the number one vector of information security breaches within all corporations. Moreover, since keeping track of all infrastructure equipment is a monumental task – especially since proper change management policies are often bypassed – many firms don’t perform as good a measure of due diligence in patching routers as they should.

Still another reason why router upgrades are problematic for financial institutions is tied to the specific configuration to which many routers have been tuned. Internet-facing ports are a time-tested invitation for exploitation from outside the firm, and significant time and effort must be expended to ensure that these ports are all closed while simultaneously enabling only those ports that are critical for the firm to operate. Each time a router is updated, the configuration is lost and must be set again to match corporate policy guidelines; failure to reset the proper configuration causes vulnerabilities inside the firm to reappear.

Understanding some of the reasons why financial institutions do not invest the time needed for router software updates, here are some simple questions for IT security management to simplify the process and ensure protection for wireless networks:

  • Do you have a list of all routers in your organization, their IOS level and their configuration?
  • Have you validated the authenticity of the vendor you purchased your routers from?
  • When was the last time you checked your routers’ configuration, and does it match policy?
  • Have you checked, on a daily or weekly basis, that it hasn’t been modified?
  • Are you logging improper events and staying vigilant?
  • Are you continuously making sure that there are no open ports facing the internet?
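As an added example (not part of the original post, and not any bank’s or vendor’s tooling), the following Python script shows how several of those questions can be answered mechanically rather than by memory: it keeps a baseline inventory of router configurations, fingerprints each one, and reports devices missing from the inventory, configurations that have changed since the baseline, software versions off the approved level, and internet-facing ports that policy does not permit. The configuration syntax, hostnames, version numbers and policy values are all constructed for the illustration and are not real device output.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample configurations in a simplified, made-up syntax
# (not real router output). Each interface names the zone it faces and
# the ports allowed inbound on it.
BASELINE_CONFIGS = {
    "rtr-branch-01": (
        "hostname rtr-branch-01\n"
        "version 15.2\n"
        "interface wan0\n zone internet\n allow tcp 443\n"
        "interface lan0\n zone internal\n allow tcp 22\n allow tcp 443\n"
    ),
    "rtr-branch-02": (
        "hostname rtr-branch-02\n"
        "version 15.2\n"
        "interface wan0\n zone internet\n allow tcp 443\n"
        "interface lan0\n zone internal\n allow tcp 22\n"
    ),
}

# The "live" collection (also constructed): branch-01 has had telnet opened
# on its WAN interface, branch-02 is unchanged, and branch-03 was never
# inventoried and runs an old software version.
CURRENT_CONFIGS = {
    "rtr-branch-01": (
        "hostname rtr-branch-01\n"
        "version 15.2\n"
        "interface wan0\n zone internet\n allow tcp 443\n allow tcp 23\n"
        "interface lan0\n zone internal\n allow tcp 22\n allow tcp 443\n"
    ),
    "rtr-branch-02": BASELINE_CONFIGS["rtr-branch-02"],
    "rtr-branch-03": (
        "hostname rtr-branch-03\n"
        "version 12.4\n"
        "interface wan0\n zone internet\n allow tcp 443\n allow tcp 80\n"
    ),
}

# Hypothetical corporate policy: what may be exposed to the internet,
# and the approved software level.
POLICY = {"internet_ports": {("tcp", 443)}, "version": "15.2"}


@dataclass
class RouterState:
    hostname: str = ""
    version: str = ""
    ports: dict = field(default_factory=dict)  # zone -> set of (proto, port)


def parse_config(text):
    """Parse the simplified config syntax into a RouterState.

    A 'zone' line is expected before the 'allow' lines of its interface."""
    state = RouterState()
    zone = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "hostname":
            state.hostname = parts[1]
        elif parts[0] == "version":
            state.version = parts[1]
        elif parts[0] == "interface":
            zone = None  # new interface: forget the previous zone
        elif parts[0] == "zone":
            zone = parts[1]
            state.ports.setdefault(zone, set())
        elif parts[0] == "allow" and zone is not None:
            state.ports[zone].add((parts[1], int(parts[2])))
    return state


def fingerprint(text):
    """Stable hash of a config so unexpected edits show up without a full diff."""
    return hashlib.sha256(text.encode()).hexdigest()


def find_drift(baseline, current, policy):
    """Return {hostname: [finding, ...]} covering inventory, change,
    version and internet-exposure checks. An empty list means compliant."""
    findings = {}
    for host, text in current.items():
        issues = []
        state = parse_config(text)
        if host not in baseline:
            issues.append("not in inventory baseline")
        elif fingerprint(text) != fingerprint(baseline[host]):
            issues.append("config changed since baseline")
        if state.version != policy["version"]:
            issues.append(f"version {state.version} != approved {policy['version']}")
        for proto, port in sorted(state.ports.get("internet", set())):
            if (proto, port) not in policy["internet_ports"]:
                issues.append(f"internet-facing {proto}/{port} not permitted by policy")
        findings[host] = issues
    for host in baseline:
        if host not in current:
            findings[host] = ["in baseline but not collected this run"]
    return findings


if __name__ == "__main__":
    for host, issues in find_drift(BASELINE_CONFIGS, CURRENT_CONFIGS, POLICY).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

Run on a schedule against configs pulled from each device, the report gives a daily answer to the inventory, "does it match policy", "has it been modified" and "open ports facing the internet" questions; re-baselining a host after an approved change is simply replacing its entry in the baseline.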

Due diligence in maintaining your bank’s many routers can go a long way in ensuring that your customers – and their trust – remain loyal.

Gabberty is a professor of information systems at Pace University in New York City. An alumnus of the Massachusetts Institute of Technology and New York University Polytechnic Institute, he has served as an expert witness in telecommunication and information security at the federal and state levels and holds numerous certifications from SANS & ISACA.

Security and Compliance in the Interconnected Age – Webinar

*Disclosure: Banking.com is powered by Digital Insight


The Internet of Everything (IoE) is here, and with it your users will be connecting within a new online ecosystem of devices, networks and services. But with the new interconnected age of IoE comes new risks for cyber attacks and other fraudulent activity. How are you protecting your customers?

On Tuesday, June 24th, Digital Insight will host a free webinar, “Security and Compliance in the Interconnected Age,” as part of their 2014 Momentum Webinar Series.

The webinar will include insights on optimizing the benefit of your mobile channel and help you:

  • Learn about best practices for maintaining security and privacy across the interconnected ecosystem.
  • Rethink how you maintain compliance with FFIEC layered-security requirements.
  • Understand the types of tools you need to avoid a cyber attack and mitigate fraudulent activity.

Do you know what you need to keep your end users protected? Join Digital Insight for the second segment in our 2014 Momentum Webinar Series as we take a dive into security and compliance in this new era of banking. We’ll be attending, following along and sharing insights via Twitter with the hashtag #DICompliance.

You can register for the webinar by clicking the image below. See you there!


Preventing Banking Errors: Q&A with Charley Rich of Nastel

As anyone in banking knows, the slightest error can result in catastrophe. Recently, Banking.com spoke with Charles Rich, vice president of product management and marketing at Nastel, an application performance monitoring company, about how the company works to help mitigate issues for financial institutions and where the biggest challenges lie.

Charley Rich, Nastel


Banking.com: What do you see as the biggest issue for financial institutions’ data transfers?

Charles Rich: The biggest issue for data transfers is to ensure that they arrive on time and accurately. Often, there is a bottleneck in performance that prevents on-time delivery. The challenge is building a performance monitoring culture that finds these problems before the issue impacts the transfer.

Banking.com: How does Nastel work?

CR: Nastel provides real-time monitoring and analysis of messages and transactions. Nastel’s product, AutoPilot, is built on an analytical engine using Complex Event Processing. This analytical engine enables AutoPilot to utilize pattern matching of events from multiple sources along with algorithms to detect anomalies. AutoPilot is very effective at reducing the frequency and duration of incidents and at reducing false alarms.

Banking.com: What is the most common error that Nastel works to correct?

CR: Delivering visibility to IT where they were previously unable to detect problems before impact or unable to determine root-cause.

Banking.com: Is there any advice outside of adopting the Nastel technology you have for financial institutions?

CR: It is important to have requirements for applications that include performance expectations. These should be appropriately tested in QA. It is surprising how many times testing only looks at individual functions and does not adequately test performance. It can be challenging to improve performance late in the application’s lifecycle. It is better to design it in and test it before provisioning into production.

Banking.com: Which industries are the most successful or innovative right now in their data management?

CR: Healthcare is moving into the forefront as they begin to handle the loads of data from both claims and electronic health records.

How are you mitigating risk with data transfers?


From Heartbleed to Heartburn


Information security is a constant game of catch-up. We get new technology capabilities, the bad guys find new vulnerabilities. They devise new forms of malicious assault, we come up with new defensive strategies. And so it goes. We know it, they know it, everyone knows it.

Why, then, is the bug known as Heartbleed getting so much attention?

Sure, no one disputes that it’s at least potentially a very big deal. But one week into the discovery, Google turns up more than 530 million hits on the subject. The Electronic Frontier Foundation, among others, has labeled it “catastrophic,” and some have gone so far as to describe it as the worst vulnerability to be identified since commercial traffic began on the Internet. Is it really that bad?

Hype aside, here’s what we do know. Over the years, the open source community—basically, thousands of developers not beholden to any corporation in particular—have worked together to create much of the software many of us use today. One such program that most people with a life actually know nothing about is OpenSSL, which is very important, since it provides a means for security on web servers all over the world. With this technology, sites can offer encrypted information to visitors, ensuring that the data can’t be seen by anyone else when it travels between the user’s device and a particular site.

Heartbleed, the big bad bug in the room, takes advantage of a feature within OpenSSL known as heartbeat, and essentially steals the security certificates that verify a site’s and/or user’s authenticity. The bug has been present but quiet for the past two years, during which time it has potentially undermined security measures for password encryption in a range of environments, from search engine and social networking services to Android devices.

After that the details get more technical and, sadly, far more murky. On the one hand, we’re being told that despite considerable scrambling on the part of security specialists at companies everywhere, the potential for major damage is very real. It potentially affects hundreds of thousands of Web sites, from Google and Yahoo to Twitter and Dropbox, along with hundreds of millions of users. By that measure, the level of effort needed to truly fix the problem is nothing short of monumental. On the other hand, it’s far from clear just how many sites or users have actually been affected. Challenges issued by security companies to steal information using the vulnerability—basically crowdsourcing digital theft—have so far come up mercifully short, indicating that the concerns, while valid, could be overblown. On the third hand, of course, we just don’t know.

One thing is certain: The old adage about regularly changing passwords, and not using the same one for multiple functions and services, applies now more than ever. The buzz over this recent episode has apparently prompted many users to rapidly change their passwords for all the online services and devices they use, and that’s good. But it would be even better if that became a habit rather than a reaction to much-publicized fears.

There’s a larger question here as well. The ubiquity of technology in every aspect of daily life, from social media to mobile banking apps, has perhaps seduced consumer sensitivity to the issue of information security. And that’s definitely not good.

Making technology capabilities ever more user-friendly carries with it a potentially steep price tag; the easier a service is for everyone to use, the easier it might be for the bad guys to hack. On a related note, many of the more common services, from email to mobile apps, are free. That carries with it fewer guarantees of rock-solid security.

Many financial technology vendors are already stepping into the breach to implement fixes for the Heartbleed bug. For their part, numerous commercial banks and other financial services institutions are raising awareness of the threat and running tests to ensure that their communities are not left unprotected.

But somewhere in this environment, consumers have a critical role to play too. Regularly changing passwords is a good start. As digital currency in all forms becomes more embedded in the mainstream, it would be wise to be more aware of security threats and more proactive in taking security precautions.

Bribery, Corruption, Money Laundering: Banks in the Crosshairs, Part 2

This is Part 2 of a two-part series from FTI Consulting. Read the first part here.

Governments and regulatory bodies increasingly expect financial institutions to man the front lines in the war against international corruption and bribery, levying significant fines against banks that have been used by criminals or have conducted business with sanctioned regimes. To survive in this environment, firms must up their game by implementing risk-based controls to account for both front-end client acquisition and back-end transaction risks.

This effort must be led from the top. Senior management must set the tone and be fully engaged in building the internal controls that can make their organizations less vulnerable both to missteps and the depredations of criminals.

However, given the complexities of global finance, and the cunning of criminals, these defenses need to be risk-based, with the institution’s finite resources devoted appropriately to businesses and jurisdictions with inherently higher risk profiles or weaker control environments.

Mitigating client risk
Client-onboarding rules and processes must be made rigorous before accounts are activated. This requires assessments that can identify:

  • Politically exposed persons.
  • People with criminal backgrounds or connections.
  • People conducting business in sketchy jurisdictions and geographies.
  • Individuals acting as proxies for hidden players.

Criminals are continually changing their strategies, using opaque structures to hide the true sources and destinations of funds. It is therefore critical to employ experienced investigators to establish the identities of high-risk individuals and entities, especially when they come from countries where this data is difficult to verify.

Mitigating transaction risk
Banks should deploy technologies to filter suspicious transactions. There is a vast array of commercially available tools that can flag unacceptable transactions (such as identifying sanctioned country codes on transfer receipts). They can trigger alerts and automate watch lists for suspicious persons and transactions, and can also produce reports that are critical when an institution finds itself in the regulator’s crosshairs. But all these tools are only as good as the people who use them. Firms must acquire skilled staff to fine-tune the systems as well as to assess and act upon the alerts and reports they produce.

Taking these actions is a statement of good faith. Using up-to-date processes and tools, and staffing the risk-management function as diligently as possible will make regulators less inclined to punish firms that make the occasional, unavoidable mistake.

It’s Never That Simple
Because it’s nearly impossible to define the scope of the problem – that is, how much money is being laundered or moved around the globe by criminals and terrorists – it is hard for institutions to measure the effectiveness of their programs or assign an ROI to their investments. Consequently, they should be measured by what doesn’t happen – fines, reputational damage, remediation costs, and lost business – not what does.

Ultimately, it is unrealistic to think that the financial industry can take on the bad guys by itself. One hopes that the future will bring greater levels of cooperation between governments and the financial sector. That is the only way to de-fund criminal interests, terrorists, and others who would seek to sabotage the world’s financial system and use it to further their own anti-social ends.


Peter Brooke and Christine Moran are Managing Directors in the Governance, Risk and Regulation team at FTI Consulting, based in London.

Peter Brooke is an experienced Risk and Regulation Consultant at FTI Consulting, based in London. With a unique blend of in-house and consulting experience, Mr Brooke has worked in financial services for more than 24 years.

As a highly experienced Group Head of Compliance, Christine Moran is an energetic consultant at FTI Consulting. Based in London, Ms. Moran has a highly collaborative, grounded and commercial approach. She has a proven track record of building enhanced and effective compliance and regulatory risk arrangements in both retail and institutional businesses.

What We’re Reading: Retail Banking Myths, Security, ChaseNet

Below are interesting stories the Banking.com staff has been reading over the past week. What have you been reading? Let us know in the comments section below or Tweet @bankingdotcom.

  • 43 retail banking myths—busted!

ABA Banking Journal

With the financial services industry changing so quickly, it should come as no surprise that many assumptions banks and credit unions believed to be true for years could actually be rendered obsolete.  Myth 1. Banks must embrace big data to be successful. Reality: Most banks and credit unions have not fully leveraged insight that is currently available within their firewalls. Account ownership, demographics, product use, and other behavior data should be used for offers and communication before adding unstructured data from outside the organization.

Read more

  • Holidays Drove High Use of Mobile Banking Apps

American Banker

December was a busy month for mobile banking, as on-the-go holiday shoppers actively logged into their accounts to check balances or see if purchases went through. In American Banker’s monthly survey of mobile banking activity, more than 65% of respondents said that volume was up in December from a month earlier, while just 2% said activity declined. The rest reported that activity was roughly the same month to month. Several respondents attributed higher activity to the fact that their mobile banking app is relatively new.

Read more 

  • Mobile Banking: Making Security and Convenience a Package Deal

Bank Systems & Technology

The key to mobile security success is a multi-layered approach that enables companies to verify who their customers are and what they are authorized to do. The clash between convenience and security has been in motion as the world has shifted to mobile devices, but this is only the beginning. While highly-connected companies have been managing these challenges for years, the speed, scale, and scope of the ongoing business transformation are enormous.

Read more

  • Chase’s Quick Checkout: Leveraging the Power of ChaseNet

Celent Banking Blog

A digital wallet, which stores customers’ payment credentials and shipping details, and pre-fills them at checkout. Like other digital wallets, Quick Checkout is “open” – i.e. customers can register their non-Chase cards. However, their Chase cards will be automatically available and kept up-to-date in the wallet when they get replaced in case they expire or get lost or stolen.

Read more 

  • Capital One Ups the Punching Power of ClearXchange

Javelin Strategy & Research Blog

Person to person (P2P) payments are quickly becoming a regular feature of today’s banking industry. ClearXchange, the P2P payment platform that developed as a partnership between Bank of America, Chase, and Wells Fargo, has announced that it has added Capital One to its list of owners. Capital One is the second FI to join clearXchange (the first institution was the regional FI FirstBank) and is scheduled to go live with the service later in 2014. According to Javelin data, the addition of Capital One now gives clearXchange the capacity to reach 40% of all U.S. banking adults and 53% of all adult credit cardholders.

Read more

  • It’s Time to Uncork Commercial Relationship Revenue

Gonzo Banker

There is a brutal feeding frenzy occurring in the banking industry today: the complete commoditization of mainstream commercial and commercial real estate lending. Like a pack of vultures picking at the flesh of a potential new mini-perm deal or term loan, liquidity-rich banks are feverishly bidding down pricing into the zone of shareholder destruction. We see fixed-rate deals for 7 to 15 year terms that carry coupons lower than many banks’ net interest margins. Despite calls for sanity from every senior loan committee across the country, the brinksmanship continues. Business customers have grown savvy, and even the most loyal now send their credit needs out onto the street for competitive RFP bids. Loyalty these days seems to buy about 10 basis points for the banker.

Read more  

  • Banking Trojans emerge as dominant mobile malware threat

ZDNet

Kaspersky Lab’s latest mobile threat landscape report portends more ominous news for mobile device users as the number of new malicious programs tailored for smartphones and tablets more than doubled to nearly 100,000 malicious modifications in 2013. The vast majority of the most damaging mobile malware targeted users’ money and bank cards, according to the security software firm’s latest data, and more than 2,500 attempted infections by banking Trojans were blocked last year alone.

Read more 

Bribery, Corruption, Money Laundering: Banks in the Crosshairs, Part 1

Contributor Christine Moran


This is Part 1 of a two-part series from FTI Consulting. Read the first part here.

The volume and pace of transactions in global financial markets – magnified and accelerated by new technologies – is mind-boggling. It has been estimated, for example, that every day there is $2.9 trillion worth of stocks, bonds and derivatives traded in U.S. financial markets. It’s easy to see how this makes monitoring both client onboarding and financial transactions monumentally difficult.

For instance, in recent months an internal Vatican Bank investigation found that it had not been adequately vetting account holders, allowing criminals to launder money and transfer large sums via proxies. Last summer, German regulatory agency BaFin found Deutsche Bank, with over €2 trillion in assets, laggard in reporting suspicious transactions to police due to inadequate internal controls.

Governments and regulatory bodies are well aware of the difficulty of policing transactional activity, as well as violations of international sanctions against countries with ties to terrorism, or with poor human rights records. Understaffed and underfunded, these bodies would like to shift their burden to the financial institutions, seeing that as the only way to keep ill-gotten money out of the financial system and to de-fund criminals and terrorists. And they are driving this agenda with a flurry of fines.

Contributor Peter Brooke


U.S. enforcement authorities, flexing their regulatory muscles, recently have imposed fines for sanctions breaches on Lloyds Banking Group ($350 million), Barclays ($298 million), and Standard Chartered ($327 million). In the UK, the Financial Services Authority imposed a fine of £5.6 million on RBS for similar transgressions.

The U.S. Department of Justice and the Securities and Exchange Commission are using the Bank Secrecy and Foreign Corrupt Practices acts to demand greater due diligence from all parties involved in transactions, holding them responsible for both sins of commission (such as facilitating money laundering or committing sanctions breaches) and omission (failing to implement sufficiently strong internal controls against either or both). In short, governments are making it clear that they will not tolerate what they deem to be reckless conduct on the part of financial institutions, or what they see as a weak commitment to abiding by international rules regarding sanctions and money laundering.

Financial institutions argue that the expectation that they can act as a branch of law enforcement is unreasonable. They cannot, they say, monitor every transaction or client with 100 percent certainty or make their businesses risk-free. They say the investment they must make in people, processes and technology to attempt to comply with regulations and avoid being implicated in financial crime places a massive strain on their resources. And, they point out, there is a limited pool of experienced people they can draw upon to lead, manage and run anti-money laundering and sanctions compliance programs.

In this debate, financial institutions are bound to lose. They have no choice but to get smarter about both client and transactional risk, and do more about them.

This will require top-level leadership, and a risk-based approach to mitigating financial and transactional risk. In part two of this article, we will discuss how financial institutions can do this.


Peter Brooke and Christine Moran are Managing Directors in the Governance, Risk and Regulation team at FTI Consulting, based in London.

Peter Brooke is an experienced Risk and Regulation Consultant at FTI Consulting, based in London. With a unique blend of in-house and consulting experience, Mr Brooke has worked in financial services for more than 24 years.

As a highly experienced Group Head of Compliance, Christine Moran is an energetic consultant at FTI Consulting. Based in London, Ms. Moran has a highly collaborative, grounded and commercial approach. She has a proven track record of building enhanced and effective compliance and regulatory risk arrangements in both retail and institutional businesses.

Are You Creating a Safer Internet for Your Members and Customers?

As more banking customers interact with their financial information online, it becomes ever more important that they know how to conduct themselves responsibly online.

Tomorrow, on Safer Internet Day, February 11th, ConnectSafely.org is asking Americans to spread an epidemic of kindness and share the #OneGoodThing they’ve done, or seen somebody else do, to make the Internet a better place. Safer Internet Day (SID) is a global campaign to promote safe, effective use of the Internet and mobile technology. Hosted in the United States by ConnectSafely.org, Safer Internet Day is commemorated each year on the second Tuesday of February.

SID is a great opportunity to take the time and think about how you’re educating customers and members to be safe online, and reflect on the positive ways technology impacts the way we bank and interact with our finances.

Share your #OneGoodThing on Twitter, Facebook or submit here to spread kindness and celebrate the ways that the online world helps us every day so we can create a better internet together.
