An annual survey on cyber-crime tendencies found that computer hackers dedicated to accessing computers, stealing information and causing problems are more technologically advanced than those in charge of stopping them. The survey was sponsored by the consultancy firm PwC of San Jose California, the Secret Service, Carnegie Mellon University’s Program Engineering Institute and the specialized magazine CSO.
The survey of 500 business executives, police forces and US government agencies revealed that 75% of respondents had detected a security breach during the previous year, and each organization suffered an average of 135 intrusions. “Despite significant investments in cyber-safety technologies, cyber-criminals keep finding ways to bypass these technologies to obtain profit-generating susceptible information,” said Ed Lowery, chief of the Secret Services’ criminal investigation division.
Lowery said companies and the government should adopt “a radically different approach on cyber-safety,” one that transcends antivirus programs, employee training, close collaboration with contractors and the installation of more strict processes.
The five most frequent attack methods, according to the survey, are “phishing,” or mass email with fake senders to steal information and passwords, malware, network interruption, espionage software and service denial attacks. 28% of respondents said hackers were members of the organization, whether contractors, providers, employees or former employees.
When it comes to banking, technology has been used several ways, especially with transactions, transfers or opening accounts. Things are easier now.
The comfort of being able to check or transfer funds from your home or office using a Tablet, a smartphone or a computer has been very useful for many people, but has also brought new risks of identity theft and high-scale robberies.
There’s a large variety of “channels” to become victims of this kind of robbery, with two of the most frequent being “social engineering” (being deceived by people devoted to extracting information from someone in particular), and “employee fraud,” where employees take clients’ information and use for their own benefit.
For Helcio Beninatto, expert in the subject, the two most widely used examples of “electronic robbery” are:
Man in the middle: “The attacker uses a program to “trick” the server pretending to be the client, and tricks the client as well by simulating to be the server. This type of program can be used to obtain a client’s access credentials or to allow the attacker to modify the message before sending it, allowing him/her to steal funds.”
Man in the browser. “A variation of the man in the middle in which malware intervenes between the user and the browser to modify the transaction information”.
Ways to prevent electronic robbery
One of the best ways to prevent this type of event is by getting effectively informed on how not to risk your bank account information, contact numbers, funds or transactions.
Another way is to avoid overexposing your account passwords; attackers often pose as your bank. In these cases it’s best to call your bank to verify the call you just received.
As the owner or manager of a company working with clients required to provide banking information, you should establish strict policies with your employees, trying as much as possible to keep them from having contact with the customers’ database.
A group of cybercriminals developed a system to rob ATMs by sending them an SMS that activates a malware inside them so they spit bills out, reported the firm Symantec.
The attack is based on the malware Ploutus, which was detected in ATMs in Mexico. This malware takes advantage of a vulnerability of Windows XP, which is in 95% of ATMs in the world.
To load Ploutus in an ATM they need to access the CD-ROM unit or a USB port, something attackers have previously done by breaking the locks or simply drilling holes in the box to get to the computer and then covering them.
In this modified version, it is necessary to connect a mobile telephone to the ATM using tethering USB, which allows the machine to share internet with the mobile device, and also keeps it charged. Then, the criminals send commands via SMS to the phone connected to the ATM, activating the malware Ploutus. With this activation, the ATM instantly spits out the amount of money previously setup in the virus.
Criminals operate this way with several people that go withdraw the money they ordered via SMS, with no need to learn numerical codes or anything special. This type of robbery does not involve card cloning or accessing people’s accounts, but it will affect the banks0 funds.
Symantec has indicated several measures to stop this type of attack, although the most efficient one would be to update the operating system.
Kaspersky Lab, the largest endpoint protection firm, recently presented its latest platform Kaspersky Fraud Prevention during the Mobile World Congress 2014 in Barcelona, Spain. Designed to protect electronic payments made from computers and mobile devices, the solution is targeted at financial institution and e-commerce companies.
According to a study carried out by B2B International and Kaspersky Lab, 98% of consumers use online banking or online shopping services, and 38% do it on their mobile devices. The global penetration of electronic payments has made electronic money robbery a profitable business for criminals. The same study revealed that over the last 12 months of 2013, 62% of users had found cyber-threats that had targeted their accounts.
Current techniques (temporary passwords, SMS confirmations, tokens, single-use password generators) used by Banks and e-payment systems to protect their clients become obsolete quite rapidly. This is the reason why the market needs innovating solutions to ensure safe transactions.
The new platform Kaspersky Fraud Prevention incorporates tools capable of protecting online transactions in several devices, server solutions for the detection of fraud operations during the e-payment process, and a set of additional services.
Kaspersky Fraud Prevention’s client applications work on devices running on Microsoft Windows and Apple OS X, as well as Google Android and mobile devices based on Apple’s iOS. These applications, encompassed under the global name Kaspersky Fraud Prevention for Endpoints, are designed to protect users’ devices from financial cyber-threats aimed at specific operating systems.
ESET Research Lab in Latin America has warned that the known virus Zeus, one of the most dangerous trojans out there, has changed strategies and now instead of using Facebook to infect its victims’ devices, it’s been using the popular application Whatsapp to fulfill its goals.
Users are now getting an email, apparently from Whatsapp, with a compressed folder called “missed-message.zip”. The text assures the document is a voice message sent by a contact to the instant messaging application. Opening this file will result in the virus infecting our computer and compiling all of our banking services’ access information and passwords.
If you receive this or any similar email with Whatsapp as the sender, you should delete it even before opening it. The texting app does not send reminding emails, messages or other notifications, so you should always distrust them.
To stop getting these emails, experts recommend users to get in touch with their operators or use applications or features built into some devices to block communications from this sender.
The Spanish International Police, in collaboration with the US National Security Agency (NSA) has dismantled a group of hackers specialized in robbing ATMs worldwide. The group is responsible for extracting over 60 million USD in a simultaneous ATM attack to 23 countries back in February of 2013.
The network was dismantled as they prepared for a similar attack in Japan. Six members of Romanian citizenship and two Moroccan have been arrested in Spain. The IT expert and group leader was arrested in Germany.
The criminals were still following their leader’s orders, capable of violating bank databases to disable their security measures. They managed to get USD 400,000 in a single night, by targeting 446 ATMs in Madrid.
In the police raid in Spain’s capital, Madrid, the agents intercepted € 25,000 in cash, two credit card reader/recorders, over one thousand virgin cards with a magnetic band, IT materials and a large number of jewels.
A recent study conducted in Venezuela about the tendencies regarding credit and debit cards fraud after the inclusion of electronic chips, showed a 60.53% decrease of such crimes for credit cards, while for debit cards it showed was a decrease of 61.30%.
Said study conducted to 1,547 Venezuelan users of both credit and debit cards, determined that in the year 2009, 36% of users had cards that were cloned, while in 2010 said percentage decreased to 22.3%; in the year 2012 it decreased to 7.40%.
Even though this type of fraud has decreased, there have been reports regarding such crimes due to the lack of caution or care from users. It is important to be cautious and to bring attention to the security in order to prevent becoming a victim of criminals. Applying any of the preventive measures expressed below, can save your finances from being taken away by delinquents. Many of those measures are more related to common sense, others are warnings to be considered when making a transaction, whether at ATMs, restaurants or commercial shops.
Some the foregoing measures are as follows:
Be careful with your pin code
Cover the keyboard when typing the numbers.
Never let anyone know your pin code.
Do not write or record your pin code in your cell phone or in pieces of paper thrown inside your bag.
Change your pin code periodically.
Any time you get a new card, sign it at the moment of reception, check frequently that the card actually belongs to you (sometimes cards are switched in some stores).
Never use the same pin code for different products like savings and checking accounts, credit cards, or means of transaction such as audio, Internet, and ATMs.
Never loose sight of your credit card
Never give your card to strangers.
Never allow your card to be slid through devices different than the ones set for such purpose like ATMs and points of sales.
Always check that your card is slid in front of you and only one time (do not loose sight of it, especially in bars and restaurants).
Always cancel your card in case of theft, loss or if it has been retained by an ATM.
Use a safe network for Internet transactions
Do not use your card’s data through public networks (Internet cafes).
Always type your bank’s web site address.
Always search for the safe log out in the official web sites of your bank.
At the ATMs
Use ATMs that you are familiar with or use ATMs located under very good lighting and safe places.
Take a good look of the surroundings of the ATM and do not use it if you notice people that might look suspicious.
Do not open your wallet or purse while waiting on the ATM’s queue.
Be ready with your card at hand when approaching the ATM.
Check if there are any strange objects in the openings or keyboard of the ATM.
Avoid being helped by strangers.
Do not follow the instructions located next to the ATM that order you to type your card’s pin code more than once.
Follow only the instructions that appear on the ATM’s screen.
Do not type your pin code until requested by the ATM.
If you think the ATM does not work, press the ‘Cancel’ key, take your card, and find another one.
Never force your card in the card slot of the ATM.
If your card gets stuck, is retained, gets lost or someone cuts you out at the ATM, report it immediately to your bank or to the police.
Always make sure that you have completed the transactions by pressing the CANCEL key before leaving the ATM.
Do not rush while doing the transactions and put your card and cash carefully inside your wallet or purse before leaving the ATM.
Always wait until the ATM indicates that the transaction has been completed.
Check your account balance, as well as statements often, and report any discrepancies immediately to the bank.
At the bank office
Identify all the workers of the bank.
Deliver you money only at the cashier’s window.
If you notice anything irregular inside the bank, let one of the workers duly identified know immediately.
If you withdraw cash, avoid counting it in front of other people and put it on a safe place.
After leaving the bank or ATM
Avoid walking long distances by foot or window shopping for a long time or speak in the street.
If you have to make transactions with large sums of money, ask someone you trust to go with you. However, always use the electronic banking platforms.
Make your personal transactions using personal equipment. Do not use Internet cafes, system halls or public sites.
Always type the name of your banking institution directly on your browser (www.nameofthebank’swebpage.com).
Never log in through a link written on an email, even though the email comes from someone you know. Do not believe any messages that suggests you to log into your account or to give card information. This is known as ‘phishing’, an illegal and fraudulent practice in which the delinquents design web pages similar to the ones of the banking institutions in order to steal your pin codes and then steal the money in the account.
Any time that you access a web page to make a transaction regarding your account, check that the web address shown on the upper side of the page starts with “https://” instead of “http://”, and that the browser shows the symbol of a locked lock on the lower side of the page.
Avoid using templates included in emails requesting your financial information.
Prevent theft or identity theft
Always check the state of your accounts to identify any potential balance in red.
Report the loss or theft of your identification documents to the police.
Do not deliver personal or commercial information through phone surveys or other means.