Financial Services Cybersecurity Weekly Briefing 8-04-2017

Weekly FS Cybersecurity Blast

The Finance Sector – Rhythm Section for the Drumbeat of Regulation

The finance sector has remained largely untouched by direct DHS intervention (as opposed to chemical manufacturing, for example), and there are two reasons for that. First, the Finance Sector took it upon itself to create an information sharing and analysis center (ISAC) that set the standard for all others. […] The second reason is well-known to the financial sector: the number of audits, examinations, and assessments is a never-ending train of requests for documented controls. Along with shareholder pressure (for publicly-traded institutions) and customer expectations, banks have multiple sets of similar requirements that are routinely audited by third parties.

Bank Heists Possible Due to Flawed Code

Most online banking applications (71%) contained flaws in their implementation of two-factor authentication. 33% of online banking applications had vulnerabilities that made it possible to steal money, and in 27% of applications an attacker could access sensitive client information. Mobile banking applications have problems too: in one in three apps an attacker could intercept or brute-force user credentials. Banking apps on iOS remain more secure than their Android equivalents. The real problems in protection lurk on the server side: Positive Technologies’ researchers found dangerous server-side vulnerabilities in every application tested.

Cyber-crime ‘Undermining’ Financial System Warns Black Economy Boss

Banks and the private sector must unite with federal and state agencies to develop an incorruptible, biometric barrier – using retina scans, facial recognition and electronic fingerprint recognition – against sophisticated cyber-crooks exploiting gaping holes in the nation’s financial, welfare and security systems, the powerful taskforce is expected to tell the federal government. Michael Andrew, former global chairman and chief executive of professional services giant KPMG, said: “The controls and practices that we have are being subverted by systemic, illicit, unlawful behaviour being operated locally and from overseas.

Bank Cybersecurity May Need a New Mindset

“Our chief information security officer is ultimately responsible for the security of the bank’s information and our customers’ information, [but] he works in partnership with our IT staff, lines of business, vendors, and customers to make sure that we mitigate risks efficiently and effectively,” Selnick said. “It is essential to design security in from the start of every project, even before implementation starts — security needs to be a partner from the moment the business starts to define its needs for any new system or process.”

Report: 71% of SMBs Are Not Prepared for Cybersecurity Risks

With the threat landscape growing, 94% of IT decision makers said they plan to increase their annual IT security budget in 2017 compared to 2016. “Small- to medium-sized businesses face just as many threats as larger ones, but are often at a disadvantage because of their lack of resources,” said Charlie Tomeo, vice president of worldwide business sales at Webroot. “Given the recent spate of ransomware attacks, it is crucial for these companies to shore up their security.”

Invisible Man Malware Targets Banking Services On Android Devices

The malware dubbed Invisible Man is a keylogger that lurks in the Google Play Store as a bogus update for Adobe’s Flash Player. Once installed, Invisible Man abuses the accessibility-service permission it requests to take control of functions such as drawing invisible overlays on top of banking apps and setting itself up as the default messaging app. With that access the malware can harvest usernames and passwords by intercepting keystrokes, and because it handles SMS it can also read one-time codes sent by text. Invisible Man also pops up an overlay on the Play Store to trick users into entering their credit card details, which it then snatches.

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.