Authentication, Financial Services and Passwords

The Rise of One-Time Password Interception Bots

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. An ad for the OTP interception service/bot “SMSRanger.”

Passwords

Passwords Authentication Phishing Access

NYDFS releases major update to Part 500 cybersecurity requirements for financial services companies

Data Protection Report

NOVEMBER 8, 2023

On November 1, 2023, the New York Department of Financial Services (“NYDFS”) released the finalized amendments of Part 500 of its cybersecurity regulations. c)); – monitor privileged access activity by implementing a privileged access management (“PAM”) solution, and automatically blocking commonly used passwords (500.7(c));

Financial Services

Financial Services Cybersecurity Compliance Government

Attackers Use Bots to Circumvent Some Two-Factor Authentication Systems

eSecurity Planet

SEPTEMBER 30, 2021

Underground services are cropping up that are designed to enable bad actors to intercept one-time passwords (OTPs), which are widely used in two-factor authentication programs whose purpose is to better protect customers’ online accounts. By using the services, cybercriminals can gain access to victims’ accounts to steal money.

Authentication

Authentication Phishing Financial Services Passwords

How Multi-factor Authentication Can Benefit Your Industry

Rocket Software

AUGUST 17, 2020

Financial services organizations typically experience the most data breaches and hacks, which makes security a priority. For almost every industry, multi-factor authentication can be beneficial. What is Multi-factor Authentication? It isn’t a specific means of confirmation, but it can include various password components.

Authentication

Authentication Financial Services Passwords Insurance

Recycle Your Phone, Sure, But Maybe Not Your Number

Krebs on Security

MAY 19, 2021

Many online services allow users to reset their passwords by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over one thanks to a divorce, job termination or financial crisis can be devastating.

Authentication

Authentication Passwords Financial Services Risk

U.S. and Foreign Cybersecurity and Intelligence Agencies Recommend Measures to Counteract Threat of Russian Cyberattacks

Data Matters

JANUARY 28, 2022

These recommendations are further detailed below, but two to note in particular: The Advisory recommends that organizations “require multi-factor authentication for all users, without exception.” Require multi-factor authentication (MFA) for all users.

Cybersecurity

Cybersecurity Financial Services Authentication Government

GUEST ESSAY: 7 tips for protecting investor data when it comes to alternative asset trading

The Last Watchdog

JULY 11, 2023

Enforce a culture of strong passwords, two-factor authentication and responsible data access practices to foster a security-conscious culture. He has over 25 years of global leadership experience within the financial services industry, having spearheaded development across Electronic Trading, OMS, Risk, Compliance and Data.

IT

IT Encryption Risk Financial Services

NYDFS Imposes Fine of $5 Million on Carnival for Cybersecurity Breaches

Hunton Privacy

JULY 1, 2022

On June 24, 2022, the New York State Department of Financial Services (“NYDFS” or the “Department”) announced it had entered into a $5 million settlement with Carnival Corp. Since Carnival was licensed by the Department to sell insurance in NY State, it was treated as a covered entity under the Cybersecurity Regulation.

Cybersecurity

Cybersecurity Insurance Phishing Financial Services

New York SHIELD Act $600,000 settlement

Data Protection Report

FEBRUARY 8, 2022

According to the settlement agreement, the AG concluded that EyeMed’s security practices did not meet the requirements of the SHIELD Act with respect to four requirements: authentication, password management, logging and monitoring, and data retention in the email account. SHIELD Act.

Passwords

Passwords Financial Services Authentication Insurance

UK FCA Consults on Changes to Strong Consumer Authentication, Dedicated Interfaces, and Guidance on Payment Services

Data Matters

FEBRUARY 25, 2021

This follows the FCA’s announcement in its 2020-21 business plan that payment services were one of its main supervisory priorities 1 and its temporary guidance of July 9, 2020, on prudential risk management and safeguarding in light of the COVID-19 pandemic ( Temporary COVID Guidance ). Authentication code. Transaction risk analysis.

Authentication

Authentication Paper Risk Insurance

How Can We Secure The Future of Digital Payments?

Thales Cloud Protection & Licensing

JANUARY 10, 2022

The financial services ecosystem has evolved tremendously over the past few years driven by a surge in the adoption of digital payments. Security is paramount; digital payments are not only authorized but they must be authenticated as well. How Can We Secure The Future of Digital Payments? Tue, 01/11/2022 - 06:35.

Retail

Retail Security Financial Services Authentication

NYDFS Fines EyeMed $4.5 Million for Cybersecurity Violations

Hunton Privacy

OCTOBER 24, 2022

On October 18, 2022, the New York State Department of Financial Services (“NYDFS”) announced that EyeMed Vision Care LLC (“EyeMed”) agreed to a $4.5 According to the consent order, the mailbox containing sensitive consumer information was protected by a weak password that was shared by nine employees.

Cybersecurity

Cybersecurity Financial Services Risk Phishing

Episode 247: Into the AppSec Trenches with Robinhood CSO Caleb Sima

The Security Ledger

DECEMBER 21, 2022

Paul speaks with Caleb Sima, the CSO of the online trading platform Robinhood, about his journey from teenage cybersecurity phenom and web security pioneer, to successful entrepreneur to an executive in the trenches of protecting high value financial services firms from cyberattacks. As Mobile Fraud Rises, The Password Persists.

Financial Services

Financial Services Cybersecurity Data breaches Authentication

Microsoft warns of multi-stage AiTM phishing and BEC attacks

Security Affairs

JUNE 11, 2023

Microsoft discovered multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attacks against banking and financial services organizations. The proxy server allows attackers to access the traffic and capture the target’s password and the session cookie. .”

Phishing

Phishing Financial Services Authentication Passwords

Disneyland Malware Team: It’s a Puny World After All

Krebs on Security

NOVEMBER 16, 2022

financial services firm Ameriprise uses the domain ameriprise.com; the Disneyland Team’s domain for Ameriprise customers is [link] [brackets added to defang the domain], which displays in the browser URL bar as ? For example, one domain the gang has used since March 2022 is ushank[.]com com — which was created to phish U.S.

Phishing

Phishing Authentication Financial Services Access

Avoslocker ransomware gang targets US critical infrastructure

Security Affairs

MARCH 19, 2022

. “AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors. hard drive, storage device, the cloud).

Ransomware

Ransomware Passwords Encryption Financial Services

What is credential stuffing? And how to prevent it?

Security Affairs

MARCH 29, 2022

In other words, bad actors glean lists of breached usernames and passwords and run them against desired logins until they find some that work. And, there remains general bad hygiene surrounding the creation of usernames and passwords, with many being reused over multiple websites. Good password hygiene and password managers. “If

IT

IT Passwords Authentication Data Privacy

Ragnar Locker ransomware group breached at least 52 organizations across 10 critical infrastructure sectors

Security Affairs

MARCH 8, 2022

. “As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors,” reads the FBI’s flash alert.

Ransomware

Ransomware Passwords Financial Services Manufacturing

Catches of the Month: Phishing Scams for October 2023

IT Governance

OCTOBER 13, 2023

EvilProxy phishing campaign targets Microsoft 365 accounts via indeed.com A phishing campaign identified by Menlo Security has been targeting senior executives in various industries – most notably banking and financial services, property management and real estate, and manufacturing – since July.

Phishing

Phishing Financial Services Manufacturing Personal data

Billions of FBS Records Exposed in Online Trading Broker Data Leak

Security Affairs

MARCH 24, 2021

comprised millions of confidential records including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions and more. Despite containing very sensitive financial data, the server was left open without any password protection or encryption. Plain Text (base64) Passwords.

Passwords

Passwords Phishing Authentication Access

Microsoft: Russia-linked SolarWinds hackers breached three new entities

Security Affairs

JUNE 26, 2021

Threat actors carried out brute-force and password spraying attacks in an attempt to gain access to Microsoft customer accounts. The hackers also targeted non-governmental organizations and think tanks, as well as financial services. In all, 36 countries were targeted.” ” reads the post published by Microsoft.

Financial Services

Financial Services Access Authentication Passwords

Mysterious custom malware used to steal 1.2TB of data from million PCs

Security Affairs

JUNE 11, 2021

These included logins for social media, online games, online marketplaces, job-search sites, consumer electronics, financial services, email services, and more. Most of the stolen files (50%+) were text files, some of them containing software logs, passwords, personal notes, and other sensitive information.

Computer and Electronics

Computer and Electronics Archiving Encryption Passwords

Scary Fraud Ensues When ID Theft & Usury Collide

Krebs on Security

JANUARY 25, 2022

Although he didn’t technically have an account with MSF, their authentication system is based on email addresses, so Jim requested that a password reset link be sent to his email address. ” According to the Native American Financial Services Association (NAFSA), a trade group in Washington, D.C.

Financial Services

Financial Services IT Data breaches Authentication

Credit Union Sues Fintech Giant Fiserv Over Security Claims

Krebs on Security

MAY 3, 2019

Its account and transaction processing systems power the Web sites for hundreds of financial institutions — mostly small community banks and credit unions. The authentication weakness allowed bank customers to view account data for other customers, including account number, balance, phone numbers and email addresses.

Security

Security Passwords Financial Services Sales

GUEST ESSAY: ‘Continuous authentication’ is driving passwordless sessions into the mainstream

The Last Watchdog

DECEMBER 6, 2022

Much more effective authentication is needed to help protect our digital environment – and make user sessions smoother and much more secure. Consider that some 80 percent of hacking-related breaches occur because of weak or reused passwords, and that over 90 percent of consumers continue to re-use their intrinsically weak passwords.

Authentication

Authentication Passwords Artificial Intelligence Financial Services

NYDFS Proposes Updated Second Amendment to Its Cybersecurity Regulation

Hunton Privacy

JULY 5, 2023

On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published an updated proposed Second Amendment (“Amendment”) to its Cybersecurity Regulation, 23 NYCRR Part 500. On November 9, 2022, NYDFS published a first draft of the proposed Amendment and received comments from stakeholders over a 60-day period.

Cybersecurity

Cybersecurity IT Compliance Financial Services

Multi-Factor Authentication Best Practices & Solutions

eSecurity Planet

OCTOBER 5, 2021

Passwords are the most common authentication tool used by enterprises, yet they are notoriously insecure and easily hackable. But even when passwords are secure, it’s not enough. Recently, hackers leaked 87,000 Fortinet VPN passwords , mostly from companies who hadn’t yet patched a two-year-old vulnerability.

Authentication

Authentication Passwords Access Computer and Electronics

MY TAKE: Why companies and consumers must collaborate to stop the plundering of IoT systems

The Last Watchdog

NOVEMBER 9, 2020

Hacking collectives are very proficient at “exploiting weak authentication schemes to gain persistence inside of a targeted network,” Sherman says. The infamous Mirai botnet self-replicated by seeking out hundreds of thousands of home routers with weak or non-existent passwords.

IoT

IoT Passwords Artificial Intelligence Risk

Marriott Breach: More than 500 Million Guest Affected

Adam Levin

NOVEMBER 30, 2018

If you prefer a more laid back approach, sign up for free transaction alerts from financial services institutions and credit card companies, or subscribe to a credit and identity monitoring program, 3. Minimize your exposure. Monitor your accounts. Manage the damage.

Financial Services

Financial Services Encryption Passwords Communications

50 Ways to Avoid Getting Scammed on Black Friday

Adam Levin

NOVEMBER 17, 2020

Mobile payment platforms, like Apple Pay and Google Pay, use advanced technology, like fingerprint authentication and tokenization (in which credit card account numbers are replaced by randomly generated numbers) to provide brick-and-mortar shoppers with an added layer of security. Create long and strong passwords. Lock your devices.

Retail

Retail e-Delivery Passwords Phishing

New Trickbot module implements Remote App Credential-Grabbing features

Security Affairs

FEBRUARY 18, 2019

The new variant is being spread via spam emails that pose as tax-incentive notification purporting to be from the financial services company Deloitte. Using the settings the module could retrieve an array of useful information, including host name, user name, and the private key files used for authentication.

Passwords

Passwords Financial Services Encryption Authentication

Expect More Spam Calls and SIM-Card Scams: 400 Million Phone Numbers Exposed

Adam Levin

SEPTEMBER 5, 2019

Once the number has been transferred, the criminal has control of any accounts that are identified by caller ID (including many financial institutions) as well as any accounts protected by two-factor authentication. It is believed this was the method used to recently hack Jack Dempsey’s Twitter account. . What You Can Do.

Mining

Mining Authentication Financial Services Privacy

In Case You Missed It: Money 20/20 Conference Highlights

Thales Cloud Protection & Licensing

NOVEMBER 2, 2017

The conference features a variety of topics and sessions regarding all aspects of financial services, from cryptocurrency to banking. Three topics that piqued my interest at the 2017 show included authentication, blockchain and digital payments. Authentication.

Blockchain

Blockchain IT Authentication e-Delivery

NYDFS settles with EyeMed for $4.5 million

Data Protection Report

OCTOBER 24, 2022

On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. The settlement requires EyeMed to pay $4.5 million, among other things. Background.

Cybersecurity

Cybersecurity Personal data Risk Financial Services

NYDFS Requires COVID-19 Plans by April 9

Data Protection Report

APRIL 2, 2020

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic.

Risk

Risk Communications Authentication Financial Services

What’s Good IAM? The Answer may depend on your Industry

The Security Ledger

JUNE 23, 2020

» Related Stories As Cyber Attacks Mount, Small Businesses seek Authentication Fix New LastPass report finds consumer behavior affects the workplace With Remote Work: MFA Makes Everyone Happy. The post What’s Good IAM? The Answer may depend on your Industry appeared first on The. Read the whole entry. »

Authentication

Authentication Access Security Financial Services

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

Krebs on Security

NOVEMBER 19, 2021

In reality, the fraudster initiates a transaction — such as the “forgot password” feature on the financial institution’s site — which is what generates the authentication passcode delivered to the member. To combat this scam Zelle introduced out-of-band authentication with transaction details.

IT

IT Passwords Authentication Phishing

Why CISA is Warning CISOs About a Breach at Sisense

Krebs on Security

APRIL 11, 2024

New York City based Sisense has more than 1,000 customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. ” “We are taking this matter seriously and promptly commenced an investigation,” Dash continued.

Encryption

Encryption Passwords Access Financial Services

Top 12 Cloud Security Best Practices for 2021

eSecurity Planet

SEPTEMBER 10, 2021

What authentication methods does the provider support? Additionally, multi-factor authentication (MFA) can further reduce the risk of malicious actors gaining access to sensitive information, even if they manage to steal usernames and passwords. What are the results of the provider’s most recent penetration tests?

Cloud

Cloud Security Encryption Risk

What is a Cyberattack? Types and Defenses

eSecurity Planet

JUNE 16, 2022

However, basic cybersecurity tools and practices, like patching , strong passwords , and multi-factor authentication (MFA), “can prevent 80 to 90% of cyberattacks,” said Anne Neuberger, deputy national security advisor for cyber and emerging technologies, during a White House press conference in Sept. Other methods.

Ransomware

Ransomware Cybersecurity Phishing Encryption

Popular apps left biometric data, IDs of millions of users in danger

Security Affairs

JANUARY 27, 2022

Onfido, a London-based company, offers photo-based IDV services for businesses. Financial service providers, car rentals, and many other suppliers that need to confirm customer identities employ similar third-party services. Consider using a password manager to create strong passwords and store them securely.

Personal data

Personal data Phishing Data breaches Passwords

Proposed Amendments to NY Financial Services Cybersecurity Regulations Impose New Obligations on Large Entities, Boards of Directors and CISOs

Hunton Privacy

AUGUST 15, 2022

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) posted proposed amendments (“Proposed Amendments”) to its Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulations”). As part of the “access privileges” requirements under Section 500.7

Financial Services

Financial Services Cybersecurity Risk Passwords

New York’s Breach Law Amendments and New Security Requirements

Data Protection Report

OCTOBER 1, 2019

Biometric information that is used to authenticate or ascertain the individual identity. Private information” is also separately defined to mean user name or e-mail address in combination with the password or security question and answer—without any need for “personal information.”.

Security

Security Financial Services Passwords Risk

The Hacker Mind Podcast: Going Passwordless

ForAllSecure

JANUARY 19, 2022

Passwords are everywhere, but they probably weren't intended to be used as much as they are today. Maybe you are at an organization that requires you to change your passwords every 90 days or so, and so you have password fatigue -- there are only so many variations you can do every 90 days or so. I must have the password.

Passwords

Passwords Authentication Access Data breaches

The Rise of One-Time Password Interception Bots

NYDFS releases major update to Part 500 cybersecurity requirements for financial services companies

Trending Sources

Attackers Use Bots to Circumvent Some Two-Factor Authentication Systems

How Multi-factor Authentication Can Benefit Your Industry

Recycle Your Phone, Sure, But Maybe Not Your Number

U.S. and Foreign Cybersecurity and Intelligence Agencies Recommend Measures to Counteract Threat of Russian Cyberattacks

GUEST ESSAY: 7 tips for protecting investor data when it comes to alternative asset trading

NYDFS Imposes Fine of $5 Million on Carnival for Cybersecurity Breaches

New York SHIELD Act $600,000 settlement

UK FCA Consults on Changes to Strong Consumer Authentication, Dedicated Interfaces, and Guidance on Payment Services

How Can We Secure The Future of Digital Payments?

NYDFS Fines EyeMed $4.5 Million for Cybersecurity Violations

Episode 247: Into the AppSec Trenches with Robinhood CSO Caleb Sima

Microsoft warns of multi-stage AiTM phishing and BEC attacks

Disneyland Malware Team: It’s a Puny World After All

Avoslocker ransomware gang targets US critical infrastructure

What is credential stuffing? And how to prevent it?

Ragnar Locker ransomware group breached at least 52 organizations across 10 critical infrastructure sectors

Catches of the Month: Phishing Scams for October 2023

Billions of FBS Records Exposed in Online Trading Broker Data Leak

Microsoft: Russia-linked SolarWinds hackers breached three new entities

Mysterious custom malware used to steal 1.2TB of data from million PCs

Scary Fraud Ensues When ID Theft & Usury Collide

Credit Union Sues Fintech Giant Fiserv Over Security Claims

GUEST ESSAY: ‘Continuous authentication’ is driving passwordless sessions into the mainstream

NYDFS Proposes Updated Second Amendment to Its Cybersecurity Regulation

Multi-Factor Authentication Best Practices & Solutions

MY TAKE: Why companies and consumers must collaborate to stop the plundering of IoT systems

Marriott Breach: More than 500 Million Guest Affected

50 Ways to Avoid Getting Scammed on Black Friday

New Trickbot module implements Remote App Credential-Grabbing features

Expect More Spam Calls and SIM-Card Scams: 400 Million Phone Numbers Exposed

In Case You Missed It: Money 20/20 Conference Highlights

NYDFS settles with EyeMed for $4.5 million

NYDFS Requires COVID-19 Plans by April 9

What’s Good IAM? The Answer may depend on your Industry

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

Why CISA is Warning CISOs About a Breach at Sisense

Top 12 Cloud Security Best Practices for 2021

What is a Cyberattack? Types and Defenses

Popular apps left biometric data, IDs of millions of users in danger

Proposed Amendments to NY Financial Services Cybersecurity Regulations Impose New Obligations on Large Entities, Boards of Directors and CISOs

New York’s Breach Law Amendments and New Security Requirements

The Hacker Mind Podcast: Going Passwordless

Stay Connected