March 12, 2010
Update covering Mar 5 - 11, 2010
Welcome to Tech Talk! In this edition, Tech Talk Editors Andy Zavoina and John Burnett write about online fraud losses, more Heartland fallout, good and bad security practices, and more.
Our selections from this week's tech news:
- Online fraud losses hit $120M
- Heartland keeps on taking
- Good advice for banks and customers
- Poor bank practices expose data
- A sucker born every minute
- Twisted passwords, anyone?
- Are patch requirements unreasonable?
- U.S. extradites alleged Malaysian hacker
- Keep Adobe Reader outdated?
- Cell phone espionage
- Attacks via IE6 and IE7
- Breaking bad habits
- Set those clocks ahead!
- One bad bunny
Get the details below.
Join Paul Carrubba and Dan Fisher in a 2-hour LIVE Webinar on Wednesday, March 24th: Corporate Account Take-Over and Securing your Internet Banking Site!
Account takeovers can mean significant losses for your customer or your bank. You need to know how to best protect the bank from liability when a customer's account is compromised. Get information you can use to minimize your bank's exposure to account takeover losses in this important presentation.
Can't attend? Order the CD ROM of the program now.
 Payment Card Industry Data Security Policy Template
On the lighter side ...
We can't think of a more appropriate time than this weekend for viewing this short comedy sketch on Daylight Saving Time, on YouTube.
FDIC - online fraud losses $120M
At the recent RSA Conference in San Francisco, the FDIC reported that computer scams targeting small businesses succeeded in stealing $25 million in the third quarter of last year, and that online banking fraud totaled $120 million in that period. Read more details in CIO.
Banks offering Internet banking, especially to commercial customers, need to start training staff on how to respond when customers raise these questions. How does a new accounts rep respond when a customer asks whether they are covered for e-thefts from their account? Do you distinguish between consumer and commercial accounts? How will you respond to your deposit customer who has read this article in Computerworld?
Interested in more details on the FDIC's RSA presentation, including a breakdown of thefts from banks? Check out this article at KrebsOnSecurity.
Heartland: the gift that keeps on taking
The Heartland data breach may well be over a year old, but that doesn't mean the threat is gone. The First National Bank of Durango, CO has confirmed that lesson. Last week some of their customers began seeing fraudulent charges on their debit cards. There are almost 20 claims now and it turns out 5,000 cards are at risk. Read more at The Durango Herald.
Good advice for banks and customers
If you're a regular Tech Talk reader, you know there have been recurring warnings about compromises of online business account customers' computers and fraudulent wire or ACH transfers. We've repeatedly suggested that banks alert their online customers of the threat, and offered some suggested countermeasures. For an article with recommendations both for your customers and for your bank, read Computerworld.
Poor practices expose data at FIs
The Ponemon Institute surveyed security officials at 80 financial institutions and found some disturbing practices. 83 percent use valid data such as real account numbers when testing applications. 88 percent still use Social Security numbers as the primary identifier. More on this story can be found at eSecurity Planet.
A sucker born every minute
Mad Security principals Mike Bailey and Mike Murray are good guys, thankfully. They recently discussed penetration testing at the BSides security conference in San Francisco. They point out that the human element can't be patched and that even with training, people are often the weakest link. Suppose that your employee receives an email that reads "Our bank is testing the strength of passwords and each employee is asked to follow this link to the test site and enter their logon credentials." Hey, it works. Read The Register.
Twisted password tracker
Germany's Fraunhofer Institute for Secure Information Technology is offering a password protector unlike others. This one, MobileSitter, installs on a cell phone and holds the user's passwords, PINs, etc. Common? Yes. Risky? Maybe, but this app has a twist. If a hacker enters the wrong master password, the app still displays a set of passwords, PINs and the like, but bogus ones derived from the erroneous password. With no warning that the master password was incorrect, the hacker has no way of knowing whether they cracked it or not. CIO has more details.
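To illustrate the idea behind that twist, here is an added example (our own, not MobileSitter's code or Fraunhofer's published design). Every stored secret is declared over an alphabet (digits for a PIN, lowercase letters and digits for a password), and each character is shifted by a keystream derived from the master password, so that decrypting with any password at all yields a syntactically valid secret. Only the right password yields the real one; a wrong password yields a decoy that is stable for that wrong password, so an attacker gets no "incorrect password" signal to guide guessing. The salt, labels and secrets below are constructed sample values.

```python
import hashlib
import hmac

DIGITS = "0123456789"
ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"


def _derive_key(master_password, salt):
    # Slow KDF so that guessing master passwords offline is expensive.
    # Iteration count is chosen for this illustration only.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)


def _keystream(key, label, alphabet, length):
    """Deterministic stream of indices into `alphabet` for one vault entry.

    HMAC-SHA256 over label||counter produces bytes; rejection sampling keeps
    every symbol of the alphabet equally likely, so decoys look uniform.
    """
    n = len(alphabet)
    limit = 256 - (256 % n)  # largest multiple of n that fits in one byte
    out, counter = [], 0
    while len(out) < length:
        block = hmac.new(key, f"{label}:{counter}".encode(), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:
                out.append(b % n)
                if len(out) == length:
                    break
    return out


def seal(master_password, salt, entries):
    """entries: {label: (secret, alphabet)} -> sealed vault (safe to store)."""
    key = _derive_key(master_password, salt)
    sealed = {}
    for label, (secret, alphabet) in entries.items():
        if any(ch not in alphabet for ch in secret):
            raise ValueError(f"{label}: secret contains characters outside its alphabet")
        ks = _keystream(key, label, alphabet, len(secret))
        n = len(alphabet)
        cipher = [(alphabet.index(ch) + k) % n for ch, k in zip(secret, ks)]
        # Alphabet and length are stored in the clear: the scheme hides the
        # value, not the format, so decoys come out in the right shape.
        sealed[label] = {"alphabet": alphabet, "cipher": cipher}
    return sealed


def reveal(master_password, salt, sealed):
    """Decrypt with whatever password is offered; never raises on a wrong one."""
    key = _derive_key(master_password, salt)
    revealed = {}
    for label, entry in sealed.items():
        alphabet, cipher = entry["alphabet"], entry["cipher"]
        n = len(alphabet)
        ks = _keystream(key, label, alphabet, len(cipher))
        revealed[label] = "".join(alphabet[(c - k) % n] for c, k in zip(cipher, ks))
    return revealed


# Constructed sample vault: a card PIN and a web login password.
SALT = b"constructed-demo-salt"
REAL_ENTRIES = {"card pin": ("4821", DIGITS), "web login": ("r4bb1t", ALNUM)}
SEALED = seal("correct horse", SALT, REAL_ENTRIES)


if __name__ == "__main__":
    print("right password :", reveal("correct horse", SALT, SEALED))
    print("wrong password :", reveal("wrong guess", SALT, SEALED))
    print("same wrong pw  :", reveal("wrong guess", SALT, SEALED))
```

Two caveats a practitioner should keep in mind: the vault leaks each secret's length and character class by design, and because there is no authentication tag, the user cannot be told they mistyped the master password either. The decoys only fool an attacker who has no other way to verify a guess; if the stolen PIN can be checked against a live account, the account's own lockout policy becomes the real defence.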
Are patch requirements unreasonable?
Secunia, a security and vulnerability research company, studied the average home PC user. They found that Windows users have 66 or more programs, from 22 or more vendors. These programs require a patch to be applied once every five days and Secunia believes it is unreasonable to expect this to be done properly. Would a better program assist your banking customers to keep their machines safer? What can be done to make patch management easier for the average user? Read more at NetworkWorld.
U.S. extradites alleged Malaysian hacker
Thai authorities have approved the extradition to the U.S. of alleged Malaysian hacker Gooi Kokseng, a suspected member of a crime ring that caused more than $150 million in losses in the U.S. and Southeast Asia. It's another case in which international cooperation has aided in the apprehension and prosecution of major cyber criminals. For further information, see the short article in CIO.
Keep Adobe Reader outdated???
Fiserv is telling its banking customers NOT to update older versions of Adobe Reader, according to Brian Krebs. Fiserv believes that newer versions of Reader may not be compatible with some of their products. The advisory was not public, but a copy of it and more details are at KrebsOnSecurity, where you'll see why this sort of advice might be a problem.
"Cellspionage"
Corporate espionage via a cell phone is easier than you think. This printed and video report is on the personal dangers of having your cell phone "bugged," but the target could just as easily be a bank-owned phone sitting on the table during a loan or board meeting. ABC News has the story.
IE 6 & 7 being exploited
Tuesday Microsoft announced that there was a vulnerability in Internet Explorer versions 6 and 7 that was already being exploited. The bug allows an attacker to run malicious code on the computer. You'll find more on this vulnerability, and which browser versions are not susceptible, at NetworkWorld. Knowing about the problem means you should look at fixing it if you are susceptible; knowing the exploit code has been published means you should do so soon! CIO has this story.
You can also read about the patches released this week by Microsoft. There were fewer than in February, but the March updates are still important. Eight vulnerabilities in the Windows operating systems and Microsoft Office were plugged. NetworkWorld has this as well.
Breaking bad habits
This article is a bit of a refresher, although even seasoned PC users may learn something here. Breaking Seven Bad Habits may be used to remind your employees and customers to work smarter when it comes to backing up data, shutting down properly, storing passwords and, a new one on us, opening programs with Windows+1, 2, 3, etc. Find out more on these topics plus others at PCWorld.
Time to Spring Forward
If you're working the midnight shift Saturday, work fast. You'll have an hour less on the clock. March 14th is the date to set your clocks ahead an hour, with the beginning of Daylight Saving Time. Don't forget desktops, laptops, PDAs, cell phones, cameras, security VCRs and most other devices with a clock that don't automatically adjust for the new DST dates. Don't forget the vault timers! Set them to open one hour earlier. This is also a good time to change smoke detector batteries.
Need to remind someone of the time change? Send a BOL e-Card.
One bad bunny
The Energizer DUO is a USB-powered battery charger. You wouldn't think it could be much of a threat with that cute bunny that keeps going and going as a symbol. But the software that ships with this device includes a trojan. It is capable of executing programs, sending files from that computer and editing the Windows registry. US-CERT is urging users to uninstall the software. Read more on the trojan and the problems in Computerworld.