BayPay Forum

Report: European Banks Struck by ATM Jackpotting Attacks

Details
Category: Security News
31 December 1969

ATM Fraud, Fraud

ATMs Said to Disgorge Cash on Mobile Phone Commands

Jeremy Kirk (jeremy_kirk) • November 23, 2016

Hackers have been draining ATMs of cash across Europe after compromising the networks of banks and planting malicious software on the machines, the security company Group-IB says. But the Russian company's report is being cautiously reviewed by some in the financial services industry.

The gang, nicknamed Cobalt after a software tool it employs, uses hacking techniques that are strikingly similar to another group called Buhtrap, Group-IB claims. Some individuals allegedly affiliated with Buhtrap were arrested in May. The group is believed to have stolen more than $25 million from banks, Group-IB says.

The attacks do not involve any physical interventions with an ATM itself, but rather software modifications made after a bank's network is compromised, which Group-IB calls a "logical attack."

"To perform a logical attack, hackers access a bank's local network, which is further used to gain total control over ATMs in their system," Group-IB says. "Cash machines are then remotely triggered to dispense money, allowing criminals to steal large amounts with relative ease."

Video footage of one theft showed someone approaching an ATM with a mobile phone. The individual made a call and then prepared a bag. A few minutes later, the ATM began dispensing cash. The thief made a call before leaving the ATM, which was then rebooted, Group-IB says.

As of September, Cobalt struck banks in Russia, the U.K., the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia and Malaysia, according to Group-IB, which did not name affected banks.

Accurate Report?

Diebold Nixdorf, one of the largest manufacturers of ATMs, says that while it's aware of the type of attacks described by Group-IB's report, it was not aware of the incidents mentioned. "There are no indications to us that this group of fraudsters is active in Europe or the Americas," says Ulrich Nolte, a Diebold Nixdorf spokesman.

NCR, another large ATM manufacturer, says it's also familiar with the attack vectors and has been implementing applications and strategies to counter them. "We have been working actively with customers, including those who have been impacted, as well as developing proactive security solutions and strategies to help prevent and minimize the impact of these attacks," says spokesman Rakesh Aulaya.

The European ATM Security Team, which studies ATM crime and fraud, is looking into Group-IB's report, says Lachlan Gunn, its executive director.

EAST, along with ATM manufacturers, banks and law enforcement, published a guide last year for how the financial services industry can counter ATM malware and logical attacks. The guide is only available to those in law enforcement and the banking and payments industries.

Aging Software

Security experts have long warned that ATMs, which often are stripped-down Microsoft Windows computers, have many avenues for potential compromise. In 2010, the late researcher Barnaby Jack showed he could exploit software vulnerabilities and command the machines to spit out cash.

This year, cybercriminals have carried out some jaw-dropping attacks. In July, suspected Russian nationals withdrew a total of $2.2 million from dozens of ATMs in Taiwan belonging to First Bank. A few weeks later in Thailand, three groups of men working in six provinces commanded 21 ATMs to disgorge a total of 12 million baht ($350,000) (see 'Ripper' ATM Malware: Where Will Cybercriminals Strike Next?).

ATMs are expensive to upgrade and replace, and more than 90 percent of those deployed around the world still run Windows XP. Although Microsoft stopped supporting the consumer version of the operating system in April 2014, it continued to support the "embedded" version, which is inside ATMs, through this year.

The machines are networked with the bank's other systems, and weaknesses in those systems provide opportunities for attack. Group-IB says the point of entry into the European banks was a tried-and-true method: spear phishing.

Jackpot

Spear phishing is the practice of targeting key individuals with carefully crafted emails designed to trick people into opening malicious attachments or links.

Group-IB says emails purporting to be from ATM manufacturer Diebold Nixdorf, the European Central Bank and other local banks were sent containing malicious attachments or password-protected archives containing executable code.

Once inside the network, the attackers used tools usually reserved for penetration tests, such as Cobalt Strike and Mimikatz, to gain access to domain controllers, which manage authentication credentials and network access. Eventually, they reached the ATMs.

The cybercriminals have mastered manipulation of a set of APIs known as XFS, or Extensions for Financial Services, Group-IB says. The software acts as a middleman between an ATM's hardware, such as displays and PIN pads, and the host Windows system.

"To make ATMs give out cash, criminals launch malware using Extensions for Financial Services (XFS) standard," Group-IB says. "On command from the bank's internal network, the program starts dispensing notes until machines are empty."

After a theft is complete, the attackers cover their tracks. They use a Microsoft utility, SDelete (Secure Delete), to get rid of any trace of malware.

To make the intrusions even more difficult for investigators to detect, the cybercriminals have targeted banks' internal servers with MBRkiller. That malware wipes out a computer's master boot record, the first sector of a PC's hard drive, which the computer reads before loading the operating system.
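For defenders, the cleanup sequence described above (SDelete run on the ATM, then a reboot) is itself a detection opportunity. The following is an added example, not code from Group-IB or from the original article: it scans endpoint events for SDelete evidence, including a renamed binary, and escalates when it appears on an ATM host shortly before a restart. The event layout, the `ATM-` hostname prefix and the 10-minute window are assumptions; the sample events are constructed.

```python
from datetime import datetime, timedelta

ATM_PREFIX = "ATM-"                     # assumption: ATM endpoints share this hostname prefix
REBOOT_WINDOW = timedelta(minutes=10)   # assumption: tune to your own fleet

# Constructed sample events, loosely shaped like Sysmon process creation (1),
# Sysmon registry value set (13) and System log shutdown/restart (1074) records.
SAMPLE_EVENTS = [
    {"ts": "2016-09-14T02:11:05", "host": "ATM-0042", "id": 1,
     "image": r"C:\Windows\Temp\svc.exe", "original_name": "sdelete.exe",
     "cmdline": r"svc.exe -accepteula -p 3 C:\Windows\Temp\d.exe"},
    {"ts": "2016-09-14T02:11:06", "host": "ATM-0042", "id": 13,
     "target": r"HKU\S-1-5-18\Software\Sysinternals\SDelete\EulaAccepted"},
    {"ts": "2016-09-14T02:13:40", "host": "ATM-0042", "id": 1074},
    {"ts": "2016-09-14T09:30:00", "host": "WKS-ADMIN7", "id": 1,
     "image": r"C:\Tools\sdelete64.exe", "original_name": "sdelete.exe",
     "cmdline": r"sdelete64.exe -z D:"},
    {"ts": "2016-09-14T03:00:00", "host": "ATM-0107", "id": 1074},
]

def is_sdelete(ev):
    """True if the event is evidence of SDelete, even under another file name."""
    if ev["id"] == 1:
        # Check both the on-disk name and the name embedded in the binary's
        # version resource, so a renamed copy is still caught.
        names = (ev.get("image", "").rsplit("\\", 1)[-1].lower(),
                 ev.get("original_name", "").lower())
        return any(n in ("sdelete.exe", "sdelete64.exe") for n in names)
    if ev["id"] == 13:
        # Sysinternals tools record EULA acceptance in the registry on first run.
        return ev.get("target", "").lower().endswith(
            r"\software\sysinternals\sdelete\eulaaccepted")
    return False

def find_alerts(events):
    """Return one (host, severity, first_seen) tuple per host with SDelete evidence."""
    first_seen, reboots = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if is_sdelete(ev):
            first_seen.setdefault(ev["host"], t)
        elif ev["id"] == 1074:
            reboots.setdefault(ev["host"], []).append(t)
    alerts = []
    for host, t in sorted(first_seen.items()):
        if not host.upper().startswith(ATM_PREFIX):
            severity = "low"        # admin workstation use may be legitimate
        elif any(t <= r <= t + REBOOT_WINDOW for r in reboots.get(host, [])):
            severity = "critical"   # secure delete followed by restart on an ATM
        else:
            severity = "high"       # secure-delete tooling has no place on an ATM
        alerts.append((host, severity, t.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

A reboot with no preceding SDelete evidence, as on the constructed host ATM-0107, raises nothing, which keeps routine maintenance restarts out of the alert queue.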

Symantec to Acquire LifeLock for $2.3 Billion

Details
Category: Security News
31 December 1969

Anti-Malware, Fraud, ID Theft

Security Vendor Looks for New Areas of Growth

Jeremy Kirk (jeremy_kirk) • November 22, 2016

In a move to expand its consumer offerings, Symantec plans to acquire identity theft protection services company LifeLock for $2.3 billion.

The move will give Symantec an offering in a market area that it hasn't successfully tapped: the estimated one in four Americans that have been hit with identity theft-related fraud. Symantec, a stalwart of the security industry, for years has faced stiff competition in the consumer anti-virus market, which made growth challenging.

In a conference call with analysts, Symantec CEO Greg Clark said consumers will pay two to three times more for identity theft protection services than what they'll pay for malware endpoint protection. Symantec hopes to be able to cross-sell its identity theft protection service to Norton anti-virus customers and vice versa.

"Identity protection and really protecting people's digital lives and digital personas is something that we expect to be a long-term growth tailwind for our consumer business," Clark said.

The deal is expected to close in the first calendar quarter of 2017, pending the approval of LifeLock shareholders. The acquisition price values LifeLock shares at $24.

The services LifeLock offers are lucrative because consumers buy subscription packages, which means recurring revenue. But the company has a troubled history and has faced close scrutiny by regulators over its sales practices.

Product Plans

Tempe, Ariz.-based LifeLock will be integrated into Symantec's Norton line of products under what it calls a "digital safety platform," which includes desktop and mobile anti-virus products, parental control, internet of things, VPN and backup services.

LifeLock says it has nearly full visibility into the credit history and actions of every adult in the U.S. On the consumer side, the company uses third-party data to closely monitor actions such as when someone opens a new account or applies for credit. Notifications are sent to its members when LifeLock detects such an action. If it's unauthorized, LifeLock helps investigate what happened and with remediation. The company's enterprise business focuses on helping companies vet customers to judge whether they're a good risk.

LifeLock has 4.4 million members, with average monthly revenue of $12.25 per user. The total target market is estimated at 78 million. Symantec expects the revenue growth for LifeLock to be in the low-to-mid single digits, with an operating margin of more than 40 percent.

FTC Troubles

LifeLock has repeatedly clashed with the U.S. Federal Trade Commission over its sales practices, advertising and claims made to consumers. For starters, the FTC alleged that LifeLock convinced consumers to sign up for subscriptions by claiming it could prevent identity theft.

In a misguided marketing stunt, then-LifeLock CEO Todd Davis included his Social Security number in billboards and advertisements. He ended up experiencing identity-theft related incidents 13 times, according to an investigation by the Phoenix New Times. Davis later claimed the incidents were countered by using his own service.

LifeLock settled the case with the FTC for $12 million. But in July 2015, the FTC alleged that LifeLock had violated the 2010 agreement and contended that the company was continuing to make false claims to consumers.

The agency also charged that LifeLock failed to maintain a comprehensive information security program to protect its users' sensitive personal data, including credit card, Social Security and bank account numbers. The company settled that case in December 2015 for a whopping $100 million, the largest monetary award obtained by the FTC in an enforcement action (see LifeLock Settles FTC Case for $100 Million).

Soltra Edge Revived with New Owner

Details
Category: Security News
31 December 1969

Soltra Edge, the automated threat intelligence sharing platform that had been slated to be phased out, has been rescued by NC4, an El Segundo, Calif.-based cyber threat intelligence firm that has purchased the platform (see Plug Pulled on Soltra Edge Threat Info Sharing Platform).

In an exclusive interview with Information Security Media Group on Nov. 23, Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center, revealed the sale of the platform to NC4, an FS-ISAC business partner for the past 10 years.

FS-ISAC and The Depository Trust and Clearing Corp., which partnered to develop Soltra Edge, had announced on Nov. 17 that the platform would no longer be supported or available for renewal after March 31, 2017.

Nelson says the last-minute acquisition by NC4 ensures the continued availability and support of Soltra Edge.

"Even though we announced the wind-down of Soltra last week, there has been ongoing, really diligent efforts to find the right place for Soltra Edge technology to be maintained and supported," Nelson says. "NC4 has agreed to acquire the technology, including the source code, assets, the development staff and support agreements that our customers have signed - everything associated with Soltra Edge. And the acquisition has been completed, as of Nov. 22, and we're all working toward a smooth and rapid transition."

Neither the FS-ISAC nor NC4 has disclosed the sale price for Soltra Edge.

"If you look at FS-ISAC, we're really not a software company, and neither is DTCC. We really wanted to try to make it work, but it looked like we couldn't do it," Nelson says. "So we had been looking for a buyer for really all of this year. And when it didn't look like that was going to happen, we decided it was time to wind it down."

Two Versions Offered

Soltra Edge 2.8 will remain available for free. Next month, NC4 plans to release an advanced version of the platform known as Soltra Edge 2.9, which will be fee-based. Soltra announced plans to release Soltra Edge 2.9 in October. In addition to the financial services sector, the platform has been used in other market segments, including healthcare.

In this interview (see audio link below photo), Nelson also discusses:

  • How NC4's acquisition will help to ensure the ongoing adoption and promotion of open-source standards, such as the Structured Threat Information eXpression, STIX, and the Trusted Automated eXchange of Indicator Information, TAXII;
  • What the acquisition means for the FS-ISAC's Threat Intelligence Repository; and
  • Why the ownership transition for Soltra Edge is expected to be seamless.

Before joining the FS-ISAC, a not-for-profit association dedicated to protecting financial services firms from physical and cyberattacks, Nelson was elected vice chairman of the ISAC Council, a group dedicated to sharing critical infrastructure information. From 1988 to 2006, he served as executive vice president of NACHA - The Electronic Payments Association. While at NACHA, Nelson oversaw the development of the ACH network into one of the largest electronic payment systems in the world.

Security Analysis: Regulating IoT; Protecting Obamacare Data

Details
Category: Security News
31 December 1969

The latest ISMG Security Report leads with HealthcareInfoSecurity Editor Marianne Kolbasuk McGee discussing how to protect patient data should President-elect Donald Trump and the Republican-led Congress follow through with their pledge to dismantle Obamacare.

In the Security Report, you'll also hear (click on player beneath image to listen):

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Nov. 15 and Nov. 18 reports, which respectively analyzed how the Trump administration will address health IT security and privacy and a new way to build secure, trustworthy IT systems. The ISMG Security Report will not be posted on Friday, Nov. 25 because of the Thanksgiving holiday in the United States. The next ISMG Security Report will be posted on Tuesday, Nov. 29.

Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.

Visa Clarifies Merchants Have EMV Debit Routing Options

Details
Category: Security News
31 December 1969

Payments

What Are the Implications for Chip-and-PIN?

Tracy Kitten (FraudBlogger) • November 22, 2016

After complaints from merchants and an update from the Federal Reserve, Visa on Nov. 22 clarified and modified debit routing rules, noting that merchants can route U.S. EMV debit transactions through any of more than a dozen available networks, and not just Visa's.

Visa's action could help support merchants' push for more widespread use of chip-and-PIN, even if only for EMV debit.

Visa's announcement comes just days after retail groups criticized the card brand for taking steps to "circumvent merchants' legal right" to choose the network over which a debit transaction can be routed. 

In its statement, Visa notes that it "modified and clarified existing debit network routing rules to help merchants and acquirers better understand implementation options related to the adoption of EMV."

With Visa chip cards, debit routing and processing are enabled by two payment application identifiers (AIDs) on the chip - the U.S. Common Debit AID or the Visa Debit AID, Visa notes. "The Common Debit AID can support any of the more than one dozen domestic debit networks that issuers can choose to offer in addition to Visa Debit. This provides merchants with the ability to select the network over which a debit transaction is processed or routed. ... Merchants can continue to automatically ask, or prompt, a Visa cardholder to enter a PIN on in-person transactions, provided the cardholder can still use their card without a PIN if they prefer."

The announcement comes just days after retail groups sent a letter to Visa, criticizing the card brand for taking steps to "circumvent merchants' legal right" to choose the network over which a debit transaction can be routed.

The Merchant Advisory Group and other retailer associations claimed that Visa's policies before Nov. 22 violated the Federal Reserve's rule on how debit transactions can and should be routed. In essence, MAG contended Visa was breaking the law (see Why Merchants Object to Visa's EMV Debit Routing Rules).

On Nov. 2, the Fed clarified that no card network can inhibit merchant routing choices, even by requiring technical specifications - such as those needed for EMV deployment - that could inhibit merchant routing options.

The PIN Debate

Since the onset of EMV in the U.S., merchants have argued that requiring PIN entry for all EMV chip payments, whether credit or debit - as has long been the practice in established EMV markets such as the U.K. - is the best way to prevent fraud.

Issuers and the card brands, in an effort to deploy EMV more quickly, pushed back on that idea, claiming requiring PINs for credit payments would only confuse customers and complicate EMV rollouts.

On the debit side, the argument for signature over PIN has been more challenging to make, because U.S. cardholders are accustomed to entering PINs for debit purchases, especially when using the cash-back option.

But the EMV debit rollout in the U.S. has been much more complicated than the credit rollout because of the sheer number of debit routing options available in the U.S. - a complication that doesn't exist in other EMV markets.

To route an EMV transaction through a domestic debit network, that network has to be certified by the card brands and equipped to process EMV transactions. And because the U.S. has more than a dozen debit card networks, getting all of those networks prepped and certified has been a long, drawn-out process.

To speed EMV adoption, merchants claim Visa limited merchants' options to run debit transactions through the Common Debit AID and was challenging merchants' right to require PIN entry on debit purchases.

Visa declined to comment beyond what was included in its statement about its debit routing modifications.

In light of Visa's modifications and the Fed's recent guidance, it's clear that merchants can require PIN entry for EMV debit purchases, contends Liz Garner, vice president of the Merchant Advisory Group, which represents 108 of the largest U.S. merchants. "But I think that's going to be contentious," she adds.

That's because, while Visa points out in its modifications statement that merchants can discourage the use of signature verification for debit purchases, they cannot completely eliminate signature as an option. "Where merchants automatically prompt for PIN on card-present transactions, they must minimally ensure that a cardholder presenting a Visa Debit card for payment can originate a transaction using a signature," Visa says.

The language is still "loose," Garner points out. But in the coming days, we may receive clarification from Visa or the Fed.
