jm + banking   46

Cashing in on ATM Malware - A Comprehensive Look at Various Attack Types
rather unnerving report from Trend Micro / Europol.

'As things stand, it looks like different criminal groups have already graduated from physical to virtual skimming via malware, thanks to the lack of security measures implemented by commercial banks worldwide. This is common in Latin America and Eastern Europe, but these criminals are exporting the technique and have started to victimize other countries.'
atms  banking  security  trend-micro  banks  europol  exploits 
7 weeks ago by jm
Online security won’t improve until companies stop passing the buck to the customer
100% agreed!
Giving good security advice is hard because very often individuals have little or no effective control over their security. The extent to which a customer is at risk of being defrauded largely depends on how good their bank’s security is, something customers cannot know.

Similarly, identity fraud is the result of companies doing a poor job at verifying identity. If a criminal can fraudulently take out a loan using another’s name, address, and date of birth from the public record, that’s the fault of the lender – not, as Cifas, a trade organisation for lenders, claims, because customers “don’t take the same care to protect our most important asset – our identities”.
cifas  uk  passwords  security  regulation  banking  ncsc  riscs  advice 
may 2017 by jm
That thing about pwning N26
Whitehat CCC hacker thoroughly pwns N26 bank -- there's a lot of small leaks and insecurities here. Sounds like N26 are dealing with them though
ccc  hacks  exploits  n26  banks  banking  security 
march 2017 by jm
In praise of cash
'The battle to protect cash is one full of ambiguities - it feels somewhat like trying to protect good ol' normal capitalism from a Minority Report surveillance-capitalism'
cash  payment  contactless  surveillance  banking  banks  credit-cards 
march 2017 by jm
Banks biased against black fraud victims
We raised the issue of discrimination in 2011 with one of the banks and with the Commission for Racial Equality, but as no-one was keeping records, nothing could be proved, until today. How can this discrimination happen? Well, UK rules give banks a lot of discretion to decide whether to refund a victim, and the first responders often don’t know the full story. If your HSBC card was compromised by a skimmer on a Tesco ATM, there’s no guarantee that Tesco will have told anyone (unlike in America, where the law forces Tesco to tell you). And the fraud pattern might be something entirely new. So bank staff end up making judgement calls like “Is this customer telling the truth?” and “How much is their business worth to us?” This in turn sets the stage for biases and prejudices to kick in, however subconsciously. Add management pressure to cut costs, sometimes even bonuses for cutting them, and here we are.
discrimination  racism  fraud  uk  banking  skimming  security  fca 
january 2017 by jm
PayWave & PayPass deletion via RFID antenna kill
remove RFID from a payment card with a single drilled hole
rfid  banking  cards  debit-cards  credit-cards 
november 2016 by jm
Tesco Bank: 20,000 customers lose money - BBC News
"Any financial loss that results from this fraudulent activity will be borne by the bank," Mr Higgins said. "Customers are not at financial risk."


Well, that would be surprising....
tesco  banking  fraud  security  hacks  uk 
november 2016 by jm
the Wire-Wire fraud
'Researchers learn about wire-fraud scam after Nigerian scammers infect themselves with their own malware.'
The researchers observed Wire-Wire scores of $5,000 to $250,000 with the average between $30,000-$50,000 from small- and medium-sized businesses. The scammers themselves were "well-respected and admired" in their communities.


I've heard about this scam -- it's nasty, and worst of all, banks won't reimburse the losses.
scams  fraud  wire-wire  nigeria  malware  banking 
august 2016 by jm
100 thieves steal $13m in three hours from cash machines across Japan
'Police believe that as many as 100 people, none of whom have been apprehended, worked together using forged credit cards containing account details illegally obtained from a bank in South Africa. The culprits used the fake cards at 1,400 convenience store automated teller machines on the morning of 15 May, according to police. Each made a single withdrawal of 100,000 yen – the maximum allowed by the cash machines.'

1,600 forged/stolen credit card credentials from a single bank, then a synchronised attack made possible by the eventually-consistent ledger model of ATM accounting.

(via William Gibson)
atms  banking  japan  fraud  security  credit-cards 
may 2016 by jm
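The race described above, as an added illustration (not the bank's or anyone's real code): withdrawals are authorised against a ledger replica that lags the primary, so a burst arriving inside one replication interval is checked against the same stale balance and every withdrawal clears. The atomic version checks and debits the authoritative balance under one lock and adds a per-card withdrawal count per window as a second limit; the per-window cap is an assumed, typical mitigation, not something the article describes. Amounts are constructed (100,000 yen per withdrawal, as in the article), and the burst is run sequentially so the result is deterministic.

```python
"""Toy model of the ATM authorisation race: withdrawals authorised against a
lagging ledger replica versus an atomic check-and-debit on the authoritative
balance. Constructed illustration; not any bank's code."""
import threading


class StaleReadLedger:
    """Authorisation reads a replica that is refreshed asynchronously, so
    every withdrawal arriving inside one replication interval is checked
    against the same snapshot. A burst of N withdrawals clears on a balance
    that covers only one of them; the overdraft shows up after the fact."""

    def __init__(self, balance: int) -> None:
        self.primary = balance      # where debits are applied
        self.replica = balance      # what the authorisation path reads
        self.authorised = 0

    def withdraw(self, amount: int) -> bool:
        if self.replica < amount:   # check against the lagging copy
            return False
        self.primary -= amount      # debit lands on the primary only
        self.authorised += 1
        return True

    def replicate(self) -> None:
        """The replica catches up, too late for a burst that already cleared."""
        self.replica = self.primary


class AtomicLedger:
    """Check and debit happen under one lock on the authoritative balance,
    with a per-window withdrawal count (assumed mitigation) as an
    independent second limit."""

    def __init__(self, balance: int, max_per_window: int) -> None:
        self.balance = balance
        self.max_per_window = max_per_window
        self.count_in_window = 0
        self.authorised = 0
        self._lock = threading.Lock()

    def withdraw(self, amount: int) -> bool:
        with self._lock:
            if self.count_in_window >= self.max_per_window or self.balance < amount:
                return False
            self.balance -= amount
            self.count_in_window += 1
            self.authorised += 1
            return True


def burst(ledger, n: int, amount: int) -> int:
    """n withdrawals on one card from n different ATMs inside one
    replication interval; returns how many were authorised."""
    return sum(ledger.withdraw(amount) for _ in range(n))


if __name__ == "__main__":
    stale = StaleReadLedger(100_000)
    print("stale replica:", burst(stale, 100, 100_000), "authorised; primary now", stale.primary)
    atomic = AtomicLedger(100_000, max_per_window=3)
    print("atomic ledger:", burst(atomic, 100, 100_000), "authorised; balance now", atomic.balance)
```

With a 100,000 yen balance the stale-read ledger authorises all 100 withdrawals and ends 9,900,000 yen overdrawn; the atomic ledger authorises exactly one, and even a well-funded account is capped by the per-window count.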
​Why I Hate Security, Computers, and the Entire Modern Banking System | Motherboard
I am honestly amazed the US banking system still works this way, after over a decade of rampant identity theft:
I cannot count the number of times I’ve freely given out my routing and account numbers—in emails, in webforms, in paperwork. This is because it’s necessary for other people to know my routing number and account number in order for them to send me money. But apparently, with that same information, they can also snatch money straight from my account. What kind of insane system is this? There’s two factor authentication, there’s one factor authentication, and then there’s this, which I think I can call zero factor authentication.
identity-theft  phishing  banking  banks  usa  authentication  2fa  0fa  security 
may 2016 by jm
Exclusive: SWIFT bank network says aware of multiple cyber fraud incidents
"SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions' back-offices, PCs or workstations connected to their local interface to the SWIFT network," the group warned customers on Monday in a notice seen by Reuters.


Ouch. They seem to be indicating that they're all phishing/impersonation-based attacks.
phishing  swift  banking  hacks  exploits  banks  security 
april 2016 by jm
£25,000 stolen online. But even more shocking: Barclays washes its hands of it | Money | The Guardian
UK banks are getting press for evading liability and screwing the customer when scams and phishing occur
scams  phishing  uk  banking  banks  liability  terms-and-conditions  barclays 
march 2016 by jm
ECB forcing Ireland to pay the bondholders was like a hostage situation | David McWilliams
At the time, many of us citizens thought the State was being craven in the face of the EU but it is now clear that Trichet’s ECB was prepared to let the Irish banks go to the wall, prompting a new bank run in 2010. This is like a hostage situation. The ECB was saying to the Irish government: you managed in September 2008 to prevent a bank run with the guarantee (which should always have been temporary and conditional) but now we are going to threaten you with another bank run – because we are still funding your banks and you must pay all the bondholders and add the cost to the national debt of the country. So the implicit threat was: “We will close the banks, cause a bank run and you will be left to pick up the pieces politically, socially and economically.”
banking  ireland  politics  ecb  eu  bondholders  jean-claude-trichet  economics 
january 2016 by jm
NUMBER26
A German bank offering a worldwide(?) bank account, using your smartphone (with push notifications etc.) as the main UI
banking  germany  number26  banks  phones 
december 2015 by jm
How the banks ignored the lessons of the crash
First of all, banks could be chopped up into units that can safely go bust – meaning they could never blackmail us again. Banks should not have multiple activities going on under one roof with inherent conflicts of interest. Banks should not be allowed to build, sell or own overly complex financial products – clients should be able to comprehend what they buy and investors understand the balance sheet. Finally, the penalty should land on the same head as the bonus, meaning nobody should have more reason to lie awake at night worrying over the risks to the bank’s capital or reputation than the bankers themselves. You might expect all major political parties to have come out by now with their vision of a stable and productive financial sector. But this is not what has happened.
banks  banking  guardian  finance  europe  eu  crash  history 
september 2015 by jm
How your entire financial life will be stored in a new 'digital vault' - Telegraph
In a move to make it easier to open bank accounts and Isas, people will be asked to share all of their accounts, tax records and personal details with a central service.
To check someone's identity, a company would then ask potential customers a series of questions and check the answers against the information in the vault. The checks would replace the current system in which new customers must send by post copies of their passports, cross-signed by a friend, along with bank statements and utility bills.


hahahaha NO FUCKING WAY.
bills  banking  uk  tax  privacy  digital-vault  accounts  authentication  identity-theft  bad-ideas 
august 2015 by jm
WereBank | Were Bank Energy for the People
The Freeman-On-The-Land movement is starting a bank. lols guaranteed
freemen  funny  werebank  banking  money  on-my-oath  maritime-law 
july 2015 by jm
Security theatre at Allied Irish Banks
Allied Irish Banks's web and mobile banking portals are ludicrously insecure. Vast numbers of accounts have easily-guessable registration numbers and are thus 'protected' by a level of security that is twice as easy to crack as would be provided by a single password containing only two lowercase letters.
A person of malicious intent could easily gain access to hundreds, possibly thousands, of accounts as well as completely overwhelm the branch network by locking an estimated several 100,000s of people out of their online banking.
Both AIB and the Irish Financial Services Ombudsman have refused to respond meaningfully to multiple communications each in which these concerns were raised privately.
aib  banking  security  ireland  hacking  ifso  online-banking 
june 2015 by jm
Bank of the Underworld - The Atlantic
Prosecutors analyzed approximately 500 of Liberty Reserve’s biggest accounts, which constituted 44 percent of its business. The government contends that 32 of these accounts were connected to the sale of stolen credit cards and 117 were used by Ponzi-scheme operators. All of this activity flourished, prosecutors said, because Liberty Reserve made no real effort to monitor its users for criminal behavior. What’s more, records showed that one of the company’s top tech experts, Mark Marmilev, who was also arrested, appeared to have promoted Liberty Reserve in chat rooms devoted to Ponzi schemes.


(via Nelson)
scams  fraud  crime  currency  the-atlantic  liberty-reserve  ponzi-schemes  costa-rica  arthur-budovsky  banking  anonymity  cryptocurrency  money-laundering  carding 
april 2015 by jm
Exclusive: Chopra says ECB's threats to Ireland were 'outrageous' - Independent.ie
The letters urged the then-government to commit to structural reforms and restructuring of the financial sector.
"That is not their job," Mr Chopra said. "Their mandate is to meet inflation. And if you lecture the ECB as to how they might go about that, they talk about their independence.
"But when it comes to lecturing others about fiscal policy or structural policy, they're not at all hesitant. I'm not surprised that the people in Ireland were very upset about these letters from [Jean-Claude] Trichet."
trichet  banking  ireland  politics  ajai-chopra  ecb  history 
april 2015 by jm
Chip & PIN vs. Chip & Signature
Trust US banks to fuck up their attempts at security :( US "chip-and-signature" cards are still entirely forgeable because the banks fear that consumers are too stupid to use a PIN, basically.
BK: So, I guess we should all be grateful that banks and retailers in the United States are finally taking steps to move toward chip [and signature] cards, but it seems to me that as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data — even from chip cards.

Litan: Yes, that’s the key problem for the next few years. Once mag stripe goes away, chip-and-PIN will be a very strong solution. The estimates are now that by the end of 2015, 50 percent of the cards and terminals will be chip-enabled, but it’s going to be several years before we get closer to full compliance. So, we’re probably looking at about 2018 before we can start making plans to get rid of the magnetic stripe on these cards.
magstripe  banks  banking  chip-and-pin  security  brian-krebs  chip-and-signature 
october 2014 by jm
How A Spam Newsletter Caused a Bank Run in Bulgaria
According to the Bulgarian National Security Agency (see here for a report in English), an investment company that “built a network of associated companies for marketing services” that was used to diffuse panic by means of an alert, uncomfortably titled “Information Bulletin on the Risk of Deposits in Bulgarian Banks”. The “bulletin” claimed – Bloomberg reports – KTB was undergoing a liquidity shortage. The message apparently also said that the government deposit guarantee fund was under-capitalised to meet possible repayments, that banks could go bankrupt and that the peg of the currency with the euro could be broken. Allegedly, the alert was diffused by text, email and even Facebook messages, thus ensuring a very widespread outreach. In a country that in 1997 underwent a very serious banking crisis featuring all these characteristics – whose memory is still fresh – this was enough to spur panic.
spam  banking  bulgaria  banks  euro  panic  facebook  social-media 
july 2014 by jm
Ask AIB - Boards.ie
AIB now have a dedicated customer-support forum on Boards.ie. That is a *great* idea
aib  banking  support  forums  boards.ie  banks 
march 2014 by jm
Why dispute resolution is hard
Good stuff (as usual) from Ross Anderson and Stephen Murdoch.

'Today we release a paper on security protocols and evidence which analyses why dispute resolution mechanisms in electronic systems often don’t work very well. On this blog we’ve noted many many problems with EMV (Chip and PIN), as well as other systems from curfew tags to digital tachographs. Time and again we find that electronic systems are truly awful for courts to deal with. Why?
The main reason, we observed, is that their dispute resolution aspects were never properly designed, built and tested. The firms that delivered the main production systems assumed, or hoped, that because some audit data were available, lawyers would be able to use them somehow.
As you’d expect, all sorts of things go wrong. We derive some principles, and show how these are also violated by new systems ranging from phone banking through overlay payments to Bitcoin. We also propose some enhancements to the EMV protocol which would make it easier to resolve disputes over Chip and PIN transactions.'
finance  security  ross-anderson  emv  bitcoin  chip-and-pin  banking  architecture  verification  vvat  logging 
february 2014 by jm
BitCoin exchange CoinBase uses MongoDB as their 'primary datastore'
'Coinbase uses MongoDB for their primary datastore for their web app, api requests, etc.'
coinbase  mongodb  reliability  hn  via:aphyr  ops  banking  bitcoin 
december 2013 by jm
European Parliament passes a vote calling for the EU/US SWIFT agreement to be suspended
"the European Parliament has today sent a clear message that enough is enough. The revelations about NSA interception of SWIFT data make a mockery of the EU's agreement with the US, through which the bank data of European citizens is delivered to the US anti-terror system (TFTP). What is the purpose of an agreement like this, which was concluded in good faith, if the US authorities are going to circumvent its provisions?

"The EU cannot continue to remain silent in the face of these ongoing revelations: it gives the impression we are little more than a lap dog of the US. If we are to have a healthy relationship with the US, based on mutual respect and benefit, EU governments must not be afraid of defending core EU values when they are infringed. EU leaders must finally take a clear and unambiguous stance on the NSA violations at this week's summit."
swift  banking  data  eu  us  nsa  interception  surveillance  snooping  diplomacy 
october 2013 by jm
Intellectual Ventures' Evil Knows No Bounds: Buys Patent AmEx Donated For Public Good... And Starts Suing
The problem with software patents, part XVII.
So you have a situation where even when the original patent holder donated the patent for "the public good," sooner or later, an obnoxious patent troll like IV comes along and turns it into a weapon.
Again: AmEx patented those little numbers on your credit card, and then for the good of the industry and consumer protection donated the patent to a non-profit, who promised not to enforce the patent against banks... and then proceeded to sell the patent to Intellectual Ventures who is now suing banks over it.
intellectual-ventures  scams  patents  swpats  shakedown  banking  cvv  american-express  banks  amex  cmaf 
october 2013 by jm
What would you do: Part 2, the Island of Surpyc
Amazing. 'Cyprus Bailout Choose Your Own Adventure', basically
cyoa  adventure  dice  games  cyprus  politics  eu  bailouts  ecb  banking  troika 
march 2013 by jm
Chip and Skim: cloning EMV cards with the pre-play attack
Worrying stuff from the LBT team. ATM RNGs are predictable, and can be spoofed by intermediate parties:

'So far we have performed more than 1000 transactions at more than 20 ATMs and a number of POS terminals, and are collating a data set for statistical analysis. We have developed a passive transaction logger which can be integrated into the substrate of a real bank card, which records up to 100 unpredictable numbers in its EEPROM. Our analysis is ongoing but so far we have established non-uniformity of unpredictable numbers in half of the ATMs we have looked at.

First, there is an easier attack than predicting the RNG. Since the unpredictable number is generated by the terminal but the relying party is the issuing bank, any intermediate party – from POS terminal software, to payment switches, or a middleman on the phone line – can intercept and superimpose their own choice of UN. Attacks such as those of Nohl and Roth, and MWR Labs show that POS terminals can be remotely hacked simply by inserting a sabotaged smartcard into the terminal.
atm  banking  security  attack  prngs  spoofing  banks  chip-and-pin  emv  smartcards 
september 2012 by jm
an ex-RBSG engineer on the NatWest/RBS/UlsterBank IT fiasco
'Turning over your systems support staff in a wave of redundancies is not the best way to manage the transfer of knowledge. Not everyone who worked the batch at [Royal Bank of Scotland Group] even knew what it is they knew; how, then, could they explain it to people who didn’t know there was knowledge to acquire? Outsourcing the work from Edinburgh to Aberdeen and sacking the staff would have exposed them to the same risks. [...]

I Y2K tested one of the batch feeder systems at RBS from 1997 - 1998, and managed acceptance testing in payments processing systems from 1999 - 2001. I was one of the people who watched over the first batch of the millennium instead of going to a party. I was part of the project that moved the National Westminster batch onto the RBS software without a single failure. I haven’t worked for the bank for five years, and I am surprised at how personally affronted I am that they let that batch fail. But I shouldn’t be. Protectiveness of the batch was the defining characteristic of our community. We were proud of how well that complex structure of disparate components hummed along.
It was a thing of beauty, of art and craft, and they dropped it all over the floor.'
systems  ops  support  maintainance  legacy  ca-7  banking  rbs  natwest  ulster-bank  fail  outsourcing 
june 2012 by jm
UK Channel 4 News Demo – Contactless Payment Cards – viaForensics
'During an interview with the Channel 4 correspondent we were able to touch his wallet with an Android phone while he was distracted and capture his credit card details.' ... 'viaForensics found that there are many cards in circulation, including recently issued cards, which are giving up the full card number, expiry, surname and initials.' Barclays security fail hits the headlines (via Tony Finch)
via:fanf  channel-4  news  barclays-bank  uk  banking  nfc  wireless  android  via-forensics  contactless-cards 
may 2012 by jm
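What a phone-side reader gets back from such a card, as an added example (not viaForensics' demo code): a BER-TLV READ RECORD response carrying Track 2 Equivalent Data (tag 57, which holds the PAN and expiry in BCD) and Cardholder Name (tag 5F20) in the clear. The response bytes are constructed here with a well-known test PAN; nothing is read from a real card, and the Luhn check and PAN masking are added conveniences rather than anything from the article.

```python
"""BER-TLV parsing of an EMV contactless READ RECORD response, to show what
an NFC reader extracts from a card that returns Track 2 Equivalent Data and
Cardholder Name unprotected. Constructed sample; not viaForensics' code."""

# Constructed response: template 70 wrapping tag 57 (Track 2 Equivalent
# Data, BCD: PAN 'D' YYMM service-code discretionary) and tag 5F20 (name),
# followed by status word 90 00. PAN is the standard Visa test number.
TRACK2 = bytes.fromhex("4111111111111111" "D2512201" "00000000")
NAME = b"SMITH/JOHN"
RECORD = bytes([0x57, len(TRACK2)]) + TRACK2 + bytes([0x5F, 0x20, len(NAME)]) + NAME
SAMPLE_RESPONSE = bytes([0x70, len(RECORD)]) + RECORD + b"\x90\x00"


def parse_tlv(data: bytes) -> dict:
    """Flatten BER-TLV into {tag_hex: value}, descending into constructed
    templates (bit 0x20 of the first tag byte, e.g. 70/77/6F/A5)."""
    out, i = {}, 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):           # inter-object padding
            i += 1
            continue
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:        # multi-byte tag (5F20, 9F..)
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                     # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError(f"tag {tag}: length {length} runs past end of data")
        value = data[i:i + length]
        i += length
        if data[start] & 0x20:
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def decode_track2(value: bytes) -> dict:
    """Track 2 Equivalent Data: PAN, 'D' separator, expiry YYMM, service code."""
    digits = value.hex().upper().rstrip("F")  # strip nibble padding
    pan, _, rest = digits.partition("D")
    return {"pan": pan, "expiry_yymm": rest[:4], "service_code": rest[4:7]}


def luhn_ok(pan: str) -> bool:
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four; what should appear in any log of this."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_summary(response: bytes) -> dict:
    """Everything the card volunteered, from one APDU response."""
    body, sw = response[:-2], response[-2:]
    if sw != b"\x90\x00":
        raise ValueError(f"card returned status {sw.hex()}")
    tlv = parse_tlv(body)
    info = {}
    if "57" in tlv:
        info.update(decode_track2(tlv["57"]))
        info["pan_masked"] = mask_pan(info["pan"])
        info["luhn_ok"] = luhn_ok(info["pan"])
    if "5F20" in tlv:
        info["name"] = tlv["5F20"].decode("ascii").strip()
    return info


if __name__ == "__main__":
    print(card_summary(SAMPLE_RESPONSE))
```

The same parser applies to a GET PROCESSING OPTIONS or SELECT response; only the tags of interest change. A card that puts tag 57 and 5F20 in a record readable without authentication is exactly the failure the Channel 4 demo showed.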
Ireland banking crisis: is the worst really over? | Business | guardian.co.uk
still a disaster, and the new government are proving disappointing. Pimco CEO says fail: '"The creditors, most of the creditors so far have not gone through any burden sharing; it is remarkable; it is inadvisable; but it is a political decision that has been taken. It surprises me. What they are hoping for is by maintaining the credits intact, that the creditors are going to rush back in with new money. What they haven't read is the history of debt crisis, and the history of debt crises is very simple. Whenever you have a debt overhang, whenever you have this big cloud of debt, no new creditor will come in in a big way."'
bailout  banking  ireland  disaster  bank-runs  from delicious
april 2011 by jm
Eric Cantona's call for a bank run
a French campaign to "bring down the banks" by engineering a massive consumer bank run, tomorrow, Dec 7th. I can see this happening in Ireland if we don't get an election soon
ireland  france  banking  bank-runs  economy  bailout  eric-cantona  from delicious
december 2010 by jm
All About Skimmers — Krebs on Security
photos of the current state-of-the-art in ATM skimmers via Brian Krebs
brian-krebs  atm  skimmers  security  photos  banking  fraud  from delicious
october 2010 by jm
Chip and PIN is broken
Ross Anderson's lab demos an attack on TV whereby any Chip-and-PIN debit card can be used in conjunction with a MITM device, with a PIN of "0000", verified online, and producing a receipt saying "PIN Verified". thoroughly hosed
security  banking  money  chipandpin  crypto  ross-anderson  from delicious
february 2010 by jm
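An added toy model covering both the "Chip and Skim" pre-play attack above and this No-PIN attack (illustration only, not the Cambridge team's code). A card computes a cryptogram over the amount, the terminal's unpredictable number (UN), its transaction counter (ATC) and its own record of whether it verified a PIN; the issuer recomputes it. Scenario (a) shows a clone replaying cryptograms harvested earlier against UNs the attacker could predict, (b) the same clone failing against a genuinely random UN, (c) an intermediary overriding the terminal's random UN with its own choice so the terminal's RNG never matters, and (d) the No-PIN wedge, where the MAC still verifies and only an issuer-side comparison of the card's PIN flag with the terminal's "PIN verified" claim catches it. HMAC-SHA256 over a fixed field order stands in for the card's session-key MAC; the key, amount and counter-based "weak" UNs are constructed, and real EMV tag layouts are not reproduced.

```python
"""Toy EMV authorisation used to show the pre-play attack and the No-PIN
man-in-the-middle. Constructed illustration; HMAC-SHA256 stands in for the
card's 3DES/AES session-key MAC (the ARQC); EMV field layouts are not real."""
import hashlib
import hmac
import os

AMOUNT = 10_000            # constructed transaction amount, in minor units
KEY = b"\x01" * 16         # constructed card key shared with the issuer

def arqc(key: bytes, amount: int, un: bytes, atc: int, pin_ok: bool) -> bytes:
    """Cryptogram over what the card itself saw. pin_ok plays the card's CVR
    bit: whether the card processed a successful offline VERIFY command."""
    msg = amount.to_bytes(6, "big") + un + atc.to_bytes(2, "big") + bytes([pin_ok])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    def __init__(self, key: bytes) -> None:
        self.key, self.atc = key, 0

    def generate_ac(self, amount: int, un: bytes, pin_ok: bool):
        """Returns (ATC, CVR pin flag, ARQC); the flag is covered by the MAC."""
        self.atc += 1
        return self.atc, pin_ok, arqc(self.key, amount, un, self.atc, pin_ok)

class PreplayClone:
    """Card substitute that replays cryptograms harvested earlier for guessed UNs."""
    def __init__(self, harvested: dict) -> None:
        self.harvested = dict(harvested)          # un -> (atc, pin flag, arqc)

    def generate_ac(self, amount: int, un: bytes, pin_ok: bool):
        return self.harvested.pop(un, None)       # None: this UN was not foreseen

class Issuer:
    def __init__(self, key: bytes, check_cvm: bool = True) -> None:
        self.key, self.last_atc, self.check_cvm = key, 0, check_cvm

    def authorise(self, amount, un, atc, card_pin_ok, cryptogram, terminal_pin_ok) -> bool:
        if not hmac.compare_digest(arqc(self.key, amount, un, atc, card_pin_ok), cryptogram):
            return False                          # MAC does not verify
        if atc <= self.last_atc:
            return False                          # ATC went backwards: replay
        if self.check_cvm and terminal_pin_ok and not card_pin_ok:
            return False                          # terminal says PIN verified; card never saw a VERIFY
        self.last_atc = atc
        return True

def harvest(card, amount: int, uns) -> dict:
    """Skimming terminal: collect cryptograms from the real card for the UNs
    the attacker expects the target terminal to produce later."""
    return {un: card.generate_ac(amount, un, True) for un in uns}

def transaction(card, issuer, amount, un, pin_entered=True, mitm_no_pin=False, mitm_un=None) -> bool:
    """One terminal transaction. mitm_no_pin: a wedge answers VERIFY with 'OK'
    without forwarding it to the card. mitm_un: an intermediary substitutes
    its own UN for the terminal's on the way to card and issuer."""
    un_used = mitm_un if mitm_un is not None else un
    result = card.generate_ac(amount, un_used, pin_entered and not mitm_no_pin)
    if result is None:
        return False
    atc, card_pin_ok, cryptogram = result
    return issuer.authorise(amount, un_used, atc, card_pin_ok, cryptogram, pin_entered)

def weak_uns(n: int, start: int = 0x10) -> list:
    """Predictable 'unpredictable numbers' (a counter), standing in for the
    non-uniform terminal RNGs reported above."""
    return [(start + i).to_bytes(4, "big") for i in range(n)]

def scenarios() -> dict:
    out = {}
    # (a) pre-play: the attacker foresees the terminal's next UNs, so the
    # clone holds a valid cryptogram for each of them
    clone = PreplayClone(harvest(Card(KEY), AMOUNT, weak_uns(3)))
    issuer = Issuer(KEY)
    out["preplay_weak_un"] = [transaction(clone, issuer, AMOUNT, un) for un in weak_uns(3)]
    # (b) the same clone against a terminal whose UN really is random
    clone = PreplayClone(harvest(Card(KEY), AMOUNT, weak_uns(3)))
    out["preplay_strong_un"] = transaction(clone, Issuer(KEY), AMOUNT, os.urandom(4))
    # (c) random terminal UN, but an intermediary overrides it with the UN
    # the attacker harvested against, so the terminal's RNG never matters
    chosen = weak_uns(1)[0]
    clone = PreplayClone(harvest(Card(KEY), AMOUNT, [chosen]))
    out["preplay_mitm_un"] = transaction(clone, Issuer(KEY), AMOUNT, os.urandom(4), mitm_un=chosen)
    # (d) No-PIN wedge with a genuine card: the MAC verifies and the receipt
    # would say "PIN Verified"; only the issuer's CVR/CVM comparison catches it
    out["no_pin_unchecked"] = transaction(Card(KEY), Issuer(KEY, check_cvm=False), AMOUNT, os.urandom(4), mitm_no_pin=True)
    out["no_pin_checked"] = transaction(Card(KEY), Issuer(KEY), AMOUNT, os.urandom(4), mitm_no_pin=True)
    return out

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:>20}: {verdict}")
```

The ATC check catches a straight replay of one cryptogram, but not a pre-play, because each harvested cryptogram carries a fresh ATC; what defeats pre-play is a UN the attacker can neither predict nor choose. The No-PIN fix is the simplest of the lot: the issuer already receives both the card's and the terminal's view of the CVM and only has to compare them.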
Ross Anderson and Steven J Murdoch rip into Verified By VISA
'this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.'
verified-by-visa  security  phishing  web  banks  banking  money  authentication  finance  visa  3dsecure  papers  from delicious
february 2010 by jm
Malicious App In Android Market
phisher creates a banking app for Android phones which relays the authorization details to another site, possible because of insufficient app vetting (via Mulley)
apps  iphone  android  smartphones  phones  mobile  phishing  security  banking  fraud  from delicious
january 2010 by jm
Excellent animated treemap dataviz
"How the Giants of Finance Shrank, Then Grew, Under The Financial Crisis". but the data is less interesting than the excellent dataviz technique used to display it
data  dataviz  visualization  economy  animation  nyt  infographic  infographics  treemap  design  flash  banking  nytimes  bailout  from delicious
september 2009 by jm
bank-trojan fraudsters use Twitter to control botnet
next in a long line of one-to-many communication systems used by bad guys
twitter  botnet  security  upd4t3  banking  fraud 
august 2009 by jm
The Irish Economy blog
features mainly posts from NAMA-sceptic economist Karl Whelan
economy  karl-whelan  ireland  nama  politics  property  banking 
august 2009 by jm
UCD Economist Karl Whelan pours cold water on the Irish Government's NAMA plans
'What we now know is that the banks have been actively working to keep development properties off the market, so that their true values are kept out of the public domain. However, to work through our current problems, these property assets are going to have to be dealt with – either sold at a reasonable price or else demolished or returned to agricultural usage.' oh dear
nama  ireland  economy  banking  property  liam-carroll  zoe  accbank  karl-whelan 
august 2009 by jm
Security Fix - Clampi Trojan: The Rise of Matryoshka Malware
'[Joe] Stewart said the sophistication and stealth of this malware strain has become so bad that it's time for Windows users to start thinking of doing their banking and other sensitive transactions on a dedicated system that is not used for everyday Web surfing.' it's that bad
joe-stewart  secureworks  malware  reverse-engineering  clampi  trojans  banking  security  danger  risks  windows  microsoft  fraud 
august 2009 by jm