Krebs on Security: SMS Phishing + Cardless ATM = Profit. “A number of financial institutions are now offering cardless ATM transactions that allow customers to withdraw cash using nothing more than their mobile phones. But this also creates an avenue of fraud for bad guys, who can leverage phished or stolen account credentials to add a new phone number to the customer’s account and then use that added device to siphon cash from hijacked accounts at cardless ATMs.”
ZDNet: Gigantic 100,000-strong botnet used to hijack traffic meant for Brazilian banks. “Over 100,000 routers have had their DNS settings modified to redirect users to phishing pages. The redirection occurs only when users are trying to access e-banking pages for Brazilian banks. Around 88% of these routers are located in Brazil, and the campaign has been raging since at least mid-August when security firm Radware first spotted something strange.”
New York Times: Banks and Retailers Are Tracking How You Type, Swipe and Tap. “The way you press, scroll and type on a phone screen or keyboard can be as unique as your fingerprints or facial features. To fight fraud, a growing number of banks and merchants are tracking visitors’ physical movements as they use websites and apps. Some use the technology only to weed out automated attacks and suspicious transactions, but others are going significantly further, amassing tens of millions of profiles that can identify customers by how they touch, hold and tap their devices.”
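A toy illustration of the technique the NYT piece describes, added here and not code from the article or from any bank's or vendor's system: a keystroke-dynamics profile built from hold ("dwell") and gap ("flight") timings of a few enrollment sessions, then a z-score comparison of a new session against it. All key events, the spread floor and the threshold are constructed assumptions for the demo, not real telemetry or tuned values.

```python
import statistics

# Constructed sample key events: (key, key_down_ms, key_up_ms) for the same
# six-character string typed several times. Not real telemetry.
def session(downs, dwells):
    return [(k, d, d + w) for k, d, w in zip("passwd", downs, dwells)]

ENROLLMENT = [
    session([0, 180, 350, 540, 700, 880], [90, 85, 95, 88, 92, 90]),
    session([0, 175, 360, 530, 710, 870], [88, 90, 92, 85, 95, 91]),
    session([0, 185, 345, 545, 695, 890], [92, 87, 93, 90, 89, 88]),
]
GENUINE = session([0, 182, 352, 538, 705, 878], [90, 88, 94, 87, 91, 90])
# A different typist: slower, with a very different rhythm.
IMPOSTOR = session([0, 400, 650, 1100, 1300, 1700], [150, 60, 200, 70, 180, 65])

SPREAD_FLOOR_MS = 5.0   # assumed: keeps tiny enrollment sets from over-fitting
THRESHOLD = 3.0         # assumed: mean |z| above this rejects the session


def features(events):
    """Dwell time per key plus flight time between consecutive keys."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def build_profile(sessions):
    """Per-feature (mean, std dev) over the enrollment sessions."""
    vectors = [features(s) for s in sessions]
    profile = []
    for column in zip(*vectors):
        mean = statistics.fmean(column)
        sd = max(statistics.pstdev(column), SPREAD_FLOOR_MS)
        profile.append((mean, sd))
    return profile


def score(profile, events):
    """Mean absolute z-score of the session against the profile (lower = closer)."""
    vec = features(events)
    return statistics.fmean(abs(v - m) / sd for v, (m, sd) in zip(vec, profile))


def matches(profile, events, threshold=THRESHOLD):
    return score(profile, events) < threshold


if __name__ == "__main__":
    prof = build_profile(ENROLLMENT)
    for name, s in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(f"{name}: score={score(prof, s):.2f} match={matches(prof, s)}")
```

Real deployments use far richer features (pressure, swipe curvature, device orientation) and a model trained on large populations; the point here is only that the raw timings alone already separate two typists, which is what makes the profiles described above sensitive data.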
Ars Technica: In-the-wild router exploit sends unwitting users to fake banking site. “Hackers have been exploiting a vulnerability in DLink modem routers to send people to a fake banking website that attempts to steal their login credentials, a security researcher said Friday. The vulnerability works against DLink DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B, and DSL-526B models that haven’t been patched in the past two years.”
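The two router stories above (the Brazilian DNS-rewriting campaign and the D-Link redirect) rely on the same mechanism: the router's upstream DNS setting is changed so that only the targeted bank domains resolve to the attacker's server, while everything else keeps working. An added example, not code from either article, Radware, or the researcher quoted, of a check a practitioner can run against that pattern: resolve a mix of bank and control domains through the router and through an independent resolver, flag disagreements and answers outside the bank's known netblocks, and compare the router's configured upstream servers to the ISP's. Every domain, address and netblock below is constructed sample data from documentation ranges, not a real bank's records.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed: netblocks assumed to belong to each bank (hypothetical).
EXPECTED_PREFIXES = {
    "banco-exemplo.com.br": ["203.0.113.0/24"],
    "outro-banco.com.br": ["198.51.100.0/24"],
}
# Domains a selective-redirect campaign leaves untouched.
CONTROL_DOMAINS = ["example.com", "example.org"]
# Constructed: the ISP resolvers the router is supposed to use.
ISP_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Constructed answers from the router's resolver: one bank has been redirected.
ROUTER_ANSWERS = {
    "banco-exemplo.com.br": "192.0.2.45",
    "outro-banco.com.br": "198.51.100.10",
    "example.com": "192.0.2.10",
    "example.org": "192.0.2.11",
}
# Constructed answers from an independent resolver queried directly,
# bypassing the router.
REFERENCE_ANSWERS = {
    "banco-exemplo.com.br": "203.0.113.7",
    "outro-banco.com.br": "198.51.100.10",
    "example.com": "192.0.2.10",
    "example.org": "192.0.2.11",
}


@dataclass
class Finding:
    domain: str
    router_answer: str
    reference_answer: str
    reasons: list = field(default_factory=list)


def analyze(router_answers, reference_answers, expected_prefixes=EXPECTED_PREFIXES):
    """One Finding per domain whose router answer looks tampered with."""
    findings = []
    for domain, router_ip in router_answers.items():
        reference_ip = reference_answers.get(domain)
        reasons = []
        if reference_ip is not None and router_ip != reference_ip:
            reasons.append("router resolver disagrees with reference resolver")
        prefixes = expected_prefixes.get(domain)
        if prefixes:
            addr = ipaddress.ip_address(router_ip)
            if not any(addr in ipaddress.ip_network(p) for p in prefixes):
                reasons.append("answer outside the domain's expected netblocks")
        if reasons:
            findings.append(Finding(domain, router_ip, reference_ip, reasons))
    return findings


def is_selective_redirect(findings, control_domains=CONTROL_DOMAINS):
    """True when targeted domains are tampered with but control domains are not,
    the signature of the bank-only campaigns described above."""
    flagged = {f.domain for f in findings}
    return bool(flagged) and flagged.isdisjoint(control_domains)


def rogue_resolvers(configured, allowed=ISP_RESOLVERS):
    """Configured upstream DNS servers that are not on the expected list."""
    return [ip for ip in configured if ip not in allowed]


if __name__ == "__main__":
    found = analyze(ROUTER_ANSWERS, REFERENCE_ANSWERS)
    for f in found:
        print(f"{f.domain}: {f.router_answer} vs {f.reference_answer}; "
              + "; ".join(f.reasons))
    print("selective redirect:", is_selective_redirect(found))
    print("rogue resolvers:", rogue_resolvers(["192.0.2.53", "203.0.113.53"]))
```

The reference answers should come from a resolver reached without going through the router (for example over a mobile connection or a DNS-over-HTTPS client), otherwise both sides of the comparison are under the attacker's control; the netblock check catches the case where the reference resolver is unavailable.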
Ars Technica: Facebook: We’re not asking for financial data, we’re just partnering with banks. “Facebook is pushing back against a report in Monday’s Wall Street Journal that the company is asking major banks to provide private financial data. The social media giant has reportedly had talks with JPMorgan Chase, Wells Fargo, Citigroup, and US Bancorp to discuss proposed features including fraud alerts and checking account balances via Messenger.” I had a comment here but my keyboard melted.
SecurityIntelligence: Penetration Tests Discover All Banks Are Susceptible to Web App Bugs. “A series of penetration tests found that every bank is guilty of web application vulnerabilities and insufficient network security measures. According to a recent report from Positive Technologies, Bank Attacks 2018, 100 percent of banks suffered from these vulnerabilities and inadequacies. The report also found server configuration flaws in all banks — while just over half were found to have improperly managed their user accounts and passwords.”
BuzzFeed: Australia’s Largest Bank Lost The Personal Financial Histories Of 12 Million Customers. “The Commonwealth Bank lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia. BuzzFeed News can reveal that the nation’s largest bank lost the banking statements for customers from 2004 to 2014 after a subcontractor lost several tape drives containing the financial information in 2016.”