Accountability, Authentication and Banking

Warning: Hackers could take over your email account by stealing cookies, even if you have MFA

Malwarebytes

NOVEMBER 5, 2024

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up. Cybercriminals could use your account to spread spam and phishing emails to your contacts.

Accountability

Accountability Authentication Malware Banking

Passwordless Authentication without Secrets!

Thales Cloud Protection & Licensing

OCTOBER 11, 2024

Passwordless Authentication without Secrets! This highlights an increasing demand for advanced authentication methods like passkeys and multi-factor authentication (MFA), which provide robust security for most use cases. Similarly, in retail and manufacturing, delays caused by authentication procedures reduce overall efficiency.

Authentication

Authentication Retail Healthcare Manufacturing

ToxicPanda Android banking trojan targets Europe and LATAM, with a focus on Italy

Security Affairs

NOVEMBER 5, 2024

The ToxicPanda Android malware has infected over 1,500 devices, enabling attackers to perform fraudulent banking transactions. Cleafy researchers spotted a new Android banking malware, dubbed ToxicPanda, which already infected over 1,500 Android devices. ” reads the report published by Cleafy.

Banking

Banking Malware Accountability Authentication

The Risk of Weak Online Banking Passwords

Krebs on Security

AUGUST 5, 2019

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. Image: Hold Security.

Banking

Banking Passwords Risk Accountability

Sendgrid Under Siege from Hacked Accounts

Krebs on Security

AUGUST 28, 2020

Email service provider Sendgrid is grappling with an unusually large number of customer accounts whose passwords have been cracked, sold to spammers, and abused for sending phishing and email malware attacks. “And I just am not seeing anything this egregious in terms of viruses and spams from the other email service providers.”

Accountability

Accountability Hacking Authentication Marketing

DOGE as a National Cyberattack

Schneier on Security

FEBRUARY 13, 2025

Meanwhile, only partially redacted names of CIA employees were sent over an unclassified email account. This approach, known as “separation of duties,” isn’t just bureaucratic red tape; it’s a fundamental security principle as old as banking itself. After that, Medicaid and Medicare records were compromised.

Government

Government Artificial Intelligence Banking Software

Change Healthcare Breach Hits 100M Americans

Krebs on Security

OCTOBER 30, 2024

” But in June 2024 testimony to the Senate Finance Committee, it emerged that the intruders had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account. Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) Mark Warner (D-Va.)

Healthcare

Healthcare Insurance Computers and Electronics Data breaches

MY TAKE: Businesses gravitate to ‘passwordless’ authentication — widespread consumer use up next

The Last Watchdog

MAY 24, 2022

Perhaps not coincidently, it comes at a time when enterprises have begun adopting passwordless authentication systems in mission-critical parts of their internal operations. Fortifications, such as multi-factor authentication (MFA) and password managers, proved to be mere speed bumps. One bank in the U.S. Adoption scenarios.

Authentication

Authentication Passwords Banking Digital transformation

FBI: Spike in Hacked Police Emails, Fake Subpoenas

Krebs on Security

NOVEMBER 9, 2024

The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based based technology companies.

Hacking

Hacking Accountability Government Social Engineering

Sperm bank breach deposits data into hands of cybercriminals

Malwarebytes

MARCH 19, 2025

California Cryobank (CCB) is a sperm donation and cryopreservation firm and one of the US top sperm banks. The information potentially involved varies by customer but includes names and one or more of the following: Drivers license numbers Bank account and routing numbers. Enable two-factor authentication (2FA).

Banking

Banking Data breaches Computers and Electronics Passwords

Banks, Arbitrary Password Restrictions and Why They Don't Matter

Troy Hunt

SEPTEMBER 17, 2019

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway. for my *online banking*. Any thoughts? 6 characters.

Banking

Banking Passwords Accountability Authentication

Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims

Krebs on Security

AUGUST 6, 2020

A group of thieves thought to be responsible for collecting millions in fraudulent small business loans and unemployment insurance benefits from COVID-19 economic relief efforts gathered personal data on people and businesses they were impersonating by leveraging several compromised accounts at a little-known U.S.

Accountability

Accountability Identity Theft Hacking Insurance

When Bank Communication is Indistinguishable from Phishing Attacks

Troy Hunt

NOVEMBER 18, 2019

You know how banks really, really want to avoid their customers falling victim to phishing scams? And how banks are the shining beacons of light when it comes to demonstrating security best practices? Very convincing but banks will never send texts like these. banks will never do things that look like a phish?

Banking

Banking Phishing Scams Accountability

Threat Modeling and Logins

Adam Shostack

JANUARY 2, 2025

Authentication is more frustrating to your customers when you dont threat model. Recently, I was opening a new bank account. The bank unexpectedly sent me a temporary password to sign up, and when I did, the temporary password had expired. But then, after I went to reset the password, the bank emailed me a one time code.

Banking

Banking Passwords Password Management Authentication

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

Krebs on Security

NOVEMBER 19, 2021

One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle , a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family.

Scams

Scams Banking Passwords Authentication

Turn on MFA Before Crooks Do It For You

Krebs on Security

JUNE 19, 2020

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. Both are avid gamers on Microsoft’s Xbox platform, and for years their father managed their accounts via his own Microsoft account.

Authentication

Authentication Accountability Passwords Mobile

Credit Card Fraud That Bypasses 2FA

Schneier on Security

SEPTEMBER 20, 2022

And bank cards can be stopped. Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer. That verification passcode is sent by the bank to the stolen phone. Once accepted, they have control of the bank account.

Banking

Banking Accountability Passwords Authentication

Experts warn of the new sophisticate Crocodilus mobile banking Trojan

Security Affairs

MARCH 29, 2025

The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey. ThreatFabric researchers discovered a new Android trojan called Crocodilus, which exploits accessibility features to steal banking and crypto credentials. ” ThreatFabric concludes.

Banking

Banking Mobile Identity Theft Malware

BingoMod Android RAT steals money from victims’ bank accounts and wipes data

Security Affairs

JULY 31, 2024

BingoMod is a new Android malware that can wipe devices after stealing money from the victims’ bank accounts. Researchers at Cleafy discovered a new Android malware, called ‘BingoMod,’ that can wipe devices after successfully stealing money from the victims’ bank accounts.

Banking

Banking Accountability Malware Mobile

How Phished Data Turns into Apple & Google Wallets

Krebs on Security

FEBRUARY 18, 2025

Merrill has been studying the evolution of several China-based smishing gangs, and found that most of them feature helpful and informative video tutorials in their sales accounts on Telegram. “This is much bigger than the banks are prepared to say.” “Who says carding is dead? .

Phishing

Phishing Mobile Scams Banking

The Rise of One-Time Password Interception Bots

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. ” .

Passwords

Passwords Mobile Authentication Banking

Would You Have Fallen for This Phone Scam?

Krebs on Security

APRIL 28, 2020

But you probably didn’t know that these fraudsters also can use caller ID spoofing to trick your bank into giving up information about recent transactions on your account — data that can then be abused to make their phone scams more believable and expose you to additional forms of identity theft.

Scams

Scams Banking Accountability Financial Services

Why we’re no longer doing April Fools’ Day

Malwarebytes

MARCH 31, 2025

Last year a burger restaurant sent customers into a spin after sending them a fake order confirmation email, which led to customers fearing that their accounts had been hacked. If your bank gives you an unexpected phone call, ring them back on a number you know is theirs. Use a different password for every account.

Scams

Scams Passwords Accountability Password Management

Phishing evolves beyond email to become latest Android app threat

Malwarebytes

FEBRUARY 11, 2025

Of those malicious apps, 5,200 could subvert one of the strongest security practices available today, called multifactor authentication, by prying into basic text messages sent to a device. With vigilance, safe behavior, and some extra support, you can avoid Android phishing apps and protect your accounts from cybercriminals.

Phishing

Phishing Passwords Mobile Authentication

Disneyland Malware Team: It’s a Puny World After All

Krebs on Security

NOVEMBER 16, 2022

A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode , an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic. Bank customers. Bank customers.

Malware

Malware Banking Phishing DDOS

Not All MFA is Equal, and the Differences Matter a Lot

Daniel Miessler

MARCH 10, 2022

People are starting to get the fact that texts (SMS) are a weak form of multi-factor authentication (MFA). It might have been a text, or it could have been something “strong”, like a mobile authenticator app like Google Authenticator or Authy. It completely changes how authentication is done.

Authentication

Authentication Phishing Passwords Accountability

68k Phishing Victims are Now Searchable in Have I Been Pwned, Courtesy of CERT Poland

Troy Hunt

AUGUST 30, 2023

The advice to impacted individuals is as follows: Get a digital password manager to help you make all passwords strong and unique If you've been reusing passwords, change them to strong and unique versions now, starting with the most important services you use Turn on multi-factor authentication wherever it's available, especially for important (..)

Phishing

Phishing Password Management Passwords Banking

International law enforcement operation dismantled RedLine and Meta infostealers

Security Affairs

OCTOBER 29, 2024

Change passwords : After malware removal, update passwords for key accounts (email, banking, work, social media) and enable two-factor authentication. Use a password manager : Simplifies managing strong, unique passwords across accounts. Report stolen data : Notify relevant parties if sensitive details (e.g.,

Identity Theft

Identity Theft Passwords Malware Banking

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU

Troy Hunt

APRIL 26, 2021

This strain of malware dates back as far as 2014 and it became a gateway into infected machines for other strains of malware ranging from banking trojans to credential stealers to ransomware. Change your email account password. Turn on 2 factor authentication wherever available. Keep operating systems and software patched.

Malware

Malware Passwords Banking Password Management

Many Public Salesforce Sites are Leaking Private Data

Krebs on Security

APRIL 27, 2023

A shocking number of organizations — including banks and healthcare providers — are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. Huntington Bank has disabled the leaky TCF Bank Salesforce website. ”

Banking

Banking Government Information Security Authentication

Why & Where You Should You Plant Your Flag

Krebs on Security

AUGUST 12, 2020

Several stories here have highlighted the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. ” In short, although you may not be required to create online accounts to manage your affairs at your ISP, the U.S. .”

Accountability

Accountability Mobile Banking Passwords

Hackers Steal Phone, SMS Records for Nearly All AT&T Customers

Krebs on Security

JULY 12, 2024

AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed). For its part, Snowflake says it now requires all new customers to use multi-factor authentication. million current AT&T account holders and roughly 65.4

Data breaches

Data breaches Passwords Authentication Accountability

Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it

Malwarebytes

MAY 16, 2024

More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. A type of phishing we’re calling authentication-in-the-middle is showing up in online media. That’s a great thing. Consider passkeys.

Authentication

Authentication Phishing Password Management Scams

Singapore Banks to Phase Out OTPs for Online Logins Within 3 Months

The Hacker News

JULY 15, 2024

Retail banking institutions in Singapore have three months to phase out the use of one-time passwords (OTPs) for authentication purposes when signing into online accounts to mitigate the risk of phishing attacks. Customers who have activated their digital

Banking

Banking Retail Phishing Passwords

FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers

Krebs on Security

APRIL 4, 2023

When Genesis customers purchase a bot, they’re purchasing the ability to have all of the victim’s authentication cookies loaded into their browser, so that online accounts belonging to that victim can be accessed without the need of a password, and in some cases without multi-factor authentication.

Marketing

Marketing Passwords Cybercrime Banking

Troy Hunt on Passwords

Schneier on Security

NOVEMBER 5, 2018

No amount of focusing on how bad passwords are or how many accounts have been breached or what it costs when people can't access their accounts is going to change that. He rightly points out that biometric authentication systems -- like Apple's Face ID and fingerprint authentication -- augment passwords rather than replace them.

Passwords

Passwords Authentication Banking Accountability

GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator

The Last Watchdog

SEPTEMBER 24, 2024

Rather, we should treat SSN as just another piece of personally identifiable information (PII) like an email address – confidential information but not a sensitive one that unlocks your bank accounts. Governments can create a digital identity at birth to replace SSN in its current use. That identity is tied to specific vendors.

Authentication

Authentication Identity Theft Banking Data breaches

Expert used ChatGPT-4o to create a replica of his passport in just 5 minutes bypassing KYC

Security Affairs

APRIL 6, 2025

Musielak warned of the rising threat of mass identity theft, fraudulent credit applications, and fake account creation, which are now more scalable with generative AI. If you’re running KYC in banking, insurance, travel, crypto, or anywhere else its time to upgrade your process. ” added the expert. “ @authologic.

Identity Theft

Identity Theft Insurance Banking Authentication

Columbus Ransomware Attack Exposes 500,000+ Residents’ Data: How to Stay Safe

eSecurity Planet

NOVEMBER 6, 2024

This data reportedly includes everything from names and addresses to Social Security numbers and bank account details. The stolen data reportedly includes highly personal information — names, dates of birth, Social Security numbers, bank account details, and even records of residents’ interactions with city services.

Ransomware

Ransomware Authentication Identity Theft Penetration Testing

How Coinbase Phishers Steal One-Time Passwords

Krebs on Security

OCTOBER 13, 2021

It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts. Rather, the bad guys understood that any attempts to sign up using an email address tied to an existing Coinbase account would fail.

Passwords

Passwords Phishing Accountability Mobile

Experian, You Have Some Explaining to Do

Krebs on Security

JULY 10, 2022

Twice in the past month KrebsOnSecurity has heard from readers who’ve had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts.

Accountability

Accountability Passwords Authentication Password Management

Cybercriminals attack banking customers in EU with V3B phishing kit – PhotoTAN and SmartID supported.

Security Affairs

JUNE 4, 2024

Resecurity uncovered a cybercriminal group that is providing a sophisticated phishing kit, named V3B, to target banking customers in the EU. “Currently, it is estimated that hundreds of cybercriminals are using this kit to commit fraud, leaving victims with empty bank accounts. .

Banking

Banking Phishing Social Engineering Engineering

Man accused of using keylogger to spy on colleagues, log in to their personal accounts and watch them at home

Malwarebytes

APRIL 9, 2025

The lawsuit claims that this gave Bathula login credentials for the victims’ personal accounts and systems, including bank accounts, emails, home surveillance systems, Dropbox accounts, Google Drives, dating applications, Google Nests, and iCloud accounts. Use multi-factor authentication.

Accountability

Accountability Spyware Passwords Password Management

Warning over free online file converters that actually install malware

Malwarebytes

MARCH 17, 2025

Financial information, like your banking credentials and crypto wallets. Other passwords and session tokens that could allow the scammers to bypass multi-factor authentication (MFA). Work with them to take the necessary steps to protect your identity and your accounts. Email addresses.

Malware

Malware Adware Education Phishing

Warning: Hackers could take over your email account by stealing cookies, even if you have MFA

Passwordless Authentication without Secrets!

Trending Sources

ToxicPanda Android banking trojan targets Europe and LATAM, with a focus on Italy

The Risk of Weak Online Banking Passwords

Sendgrid Under Siege from Hacked Accounts

DOGE as a National Cyberattack

Change Healthcare Breach Hits 100M Americans

MY TAKE: Businesses gravitate to ‘passwordless’ authentication — widespread consumer use up next

FBI: Spike in Hacked Police Emails, Fake Subpoenas

Sperm bank breach deposits data into hands of cybercriminals

Banks, Arbitrary Password Restrictions and Why They Don't Matter

Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims

When Bank Communication is Indistinguishable from Phishing Attacks

Threat Modeling and Logins

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

Turn on MFA Before Crooks Do It For You

Credit Card Fraud That Bypasses 2FA

Experts warn of the new sophisticate Crocodilus mobile banking Trojan

BingoMod Android RAT steals money from victims’ bank accounts and wipes data

How Phished Data Turns into Apple & Google Wallets

The Rise of One-Time Password Interception Bots

Would You Have Fallen for This Phone Scam?

Why we’re no longer doing April Fools’ Day

Phishing evolves beyond email to become latest Android app threat

Disneyland Malware Team: It’s a Puny World After All

Not All MFA is Equal, and the Differences Matter a Lot

68k Phishing Victims are Now Searchable in Have I Been Pwned, Courtesy of CERT Poland

International law enforcement operation dismantled RedLine and Meta infostealers

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU

Many Public Salesforce Sites are Leaking Private Data

Why & Where You Should You Plant Your Flag

Hackers Steal Phone, SMS Records for Nearly All AT&T Customers

Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it

Singapore Banks to Phase Out OTPs for Online Logins Within 3 Months

FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers

Troy Hunt on Passwords

GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator

Expert used ChatGPT-4o to create a replica of his passport in just 5 minutes bypassing KYC

Columbus Ransomware Attack Exposes 500,000+ Residents’ Data: How to Stay Safe

How Coinbase Phishers Steal One-Time Passwords

Experian, You Have Some Explaining to Do

Cybercriminals attack banking customers in EU with V3B phishing kit – PhotoTAN and SmartID supported.

Man accused of using keylogger to spy on colleagues, log in to their personal accounts and watch them at home

Warning over free online file converters that actually install malware

Stay Connected