The Hindu: A new bank scam using Google Maps loophole. “Scamsters seem to have stumbled upon a gold mine in the form of a loophole in the Google Maps interface. Taking advantage of the fact that on Google Maps, an establishment’s contact details can be edited by anyone, a group of Thane-based con artists have been putting up their own contact numbers and getting customers who call them into revealing sensitive account details.”
Krebs on Security: SMS Phishing + Cardless ATM = Profit. “A number of financial institutions are now offering cardless ATM transactions that allow customers to withdraw cash using nothing more than their mobile phones. But this also creates an avenue of fraud for bad guys, who can leverage phished or stolen account credentials to add a new phone number to the customer’s account and then use that added device to siphon cash from hijacked accounts at cardless ATMs.”
ZDNet: Gigantic 100,000-strong botnet used to hijack traffic meant for Brazilian banks. “Over 100,000 routers have had their DNS settings modified to redirect users to phishing pages. The redirection occurs only when users are trying to access e-banking pages for Brazilian banks. Around 88% of these routers are located in Brazil, and the campaign has been raging since at least mid-August when security firm Radware first spotted something strange.”
New York Times: Banks and Retailers Are Tracking How You Type, Swipe and Tap. “The way you press, scroll and type on a phone screen or keyboard can be as unique as your fingerprints or facial features. To fight fraud, a growing number of banks and merchants are tracking visitors’ physical movements as they use websites and apps. Some use the technology only to weed out automated attacks and suspicious transactions, but others are going significantly further, amassing tens of millions of profiles that can identify customers by how they touch, hold and tap their devices.”
Ars Technica: In-the-wild router exploit sends unwitting users to fake banking site. “Hackers have been exploiting a vulnerability in DLink modem routers to send people to a fake banking website that attempts to steal their login credentials, a security researcher said Friday. The vulnerability works against DLink DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B, and DSL-526B models that haven’t been patched in the past two years.”
Ars Technica: Facebook: We’re not asking for financial data, we’re just partnering with banks. “Facebook is pushing back against a report in Monday’s Wall Street Journal that the company is asking major banks to provide private financial data. The social media giant has reportedly had talks with JPMorgan Chase, Wells Fargo, Citigroup, and US Bancorp to discuss proposed features including fraud alerts and checking account balances via Messenger.” I had a comment here but my keyboard melted.
SecurityIntelligence: Penetration Tests Discover All Banks Are Susceptible to Web App Bugs. “A series of penetration tests found that every bank is guilty of web application vulnerabilities and insufficient network security measures. According to a recent report from Positive Technologies, Bank Attacks 2018, 100 percent of banks suffered from these vulnerabilities and inadequacies. The report also found server configuration flaws in all banks — while just over half were found to have improperly managed their user accounts and passwords.”