10 Big Ideas for Banking in 2015

From American Banker

“From the brain drain to cyber threats, the revenue squeeze to regulatory pressure, the challenges banks face are absolutely daunting. But we're here to help with some interesting ideas for thwarting hackers, winning new customers and making more money. Get ready for a busy year.”

Read more>>

Mobile Pay Security Risk is too Large to Manage Internally

From Payments Source –

“The Sony Pictures web attack may have led you to question whether your own business was secure and if the information your clients provide via different payment methods can be breached, causing mistrust between business owner and vendor.

With mobile payments becoming one of the hottest markets in tech, is this method of payment secure? In the last few months, we have seen Apple vie for this growing market with Apple Pay, as well as Snapchat’s Snapcash. There are also rumors that Facebook will soon offer a service for users to send money to each other.

How do you know if this method of payment is safe? You don’t without entrusting your business to a third-party IT professional. If it isn’t, you could compromise a client’s customer record, and you can be open to legal exposure.”

Read more>>

Nasdaq Hack Attribution Questioned

From Bank Info Security

“Two zero-day vulnerabilities were exploited by the attackers who hacked NASDAQ's systems in October 2010. A senior U.S. legislator claims the hackers had "nation-state" backing. That claim aside, however, security experts say it's still not clear who hacked NASDAQ or why, although there's still no indication that attackers accessed or altered the systems running the NASDAQ stock exchange.

Bloomberg Businessweek reports (also see our previous post) that two different zero-day vulnerabilities - previously unknown code bugs - were used to compromise NASDAQ. The in-depth report on the breach is based on interviews with more than two dozen people who have knowledge of the attack details or related digital forensic investigation. Despite their collective input, however, the only thing that remains clear about the motive or identity of the attackers is how unclear they still remain. Indeed, even the duration of the hack remains unknown, with investigators saying it began by October 2010, but may have started earlier. Likewise, it's not clear exactly what the attackers accessed or stole.”

read more>>

How Russian Hackers Stole the Nasdaq

From Bloomberg Businessweek

“In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq. It looked like malware had snuck into the company’s central servers. There were indications that the intruder was not a kid somewhere, but the intelligence agency of another country. More troubling still: When the U.S. experts got a better look at the malware, they realized it was attack code, designed to cause damage.

As much as hacking has become a daily irritant, much more of it crosses watch-center monitors out of sight from the public. The Chinese, the French, the Israelis—and many less well known or understood players—all hack in one way or another. They steal missile plans, chemical formulas, power-plant pipeline schematics, and economic data. That’s espionage; attack code is a military strike. There are only a few recorded deployments, the most famous being the Stuxnet worm. Widely believed to be a joint project of the U.S. and Israel, Stuxnet temporarily disabled Iran’s uranium-processing facility at Natanz in 2010. It switched off safety mechanisms, causing the centrifuges at the heart of a refinery to spin out of control. Two years later, Iran destroyed two-thirds of Saudi Aramco’s computer network with a relatively unsophisticated but fast-spreading “wiper” virus. One veteran U.S. official says that when it came to a digital weapon planted in a critical system inside the U.S., he’s seen it only once—in Nasdaq.”

read more>>

Bitcoin trader loses $70,000 worth of digital currency after hacker acquires passwords

From ABC News

“A Melbourne bitcoin trader says he was targeted by a hacker and tricked out of about $70,000 worth of bitcoins after the US Marshals Service accidentally leaked his email details.

The CEO of Bitcoins Reserve, Sam Lee, registered his interest to bid in an auction of 30,000 bitcoins confiscated by the US Marshals when it shut down the online marketplace Silk Road last year.

Mr Lee said his contact details were made public after the addresses of all interested investors were copied (CC) into an email, rather than blind copied (BCC).

"Unfortunately there was a stuff-up on the US Marshal Service's end where they CC'ed everyone instead of BCC'ing everyone and that meant everybody who got the email knew who all the other bidders were," Mr Lee said.”

read more>>

Text message command makes infected ATMs spew cash

From PC World

“A group of enterprising cybercriminals have figured out how to get cash from a certain type of ATM—by text message.

The latest development was spotted by security vendor Symantec, which has periodically written about a type of malicious software it calls “Ploutus” that first appeared in Mexico.

The malware is engineered to plunder a certain type of standalone ATM, which Symantec has not identified. The company obtained one of the ATMs to carry out a test of how Ploutus works, but it doesn’t show a brand name.

Ploutus isn’t the easiest piece of malware to install, as cybercriminals need to have access to the machine. That’s probably why cybercriminals are targeting standalone ATMs, as it is easy to get access to all parts of the machine.

Early versions of Ploutus allowed it to be controlled via the numerical interface on an ATM or by an attached keyboard. But the latest version shows a remarkable new development: it is now controllable remotely via text message.’

read more>>