Authentication and Banking - Cyber Security Informer

Passwordless Authentication without Secrets!

Thales Cloud Protection & Licensing

OCTOBER 11, 2024

Passwordless Authentication without Secrets! This highlights an increasing demand for advanced authentication methods like passkeys and multi-factor authentication (MFA), which provide robust security for most use cases. Similarly, in retail and manufacturing, delays caused by authentication procedures reduce overall efficiency.

Authentication

Authentication Retail Healthcare Manufacturing

Crooks bank on Microsoft’s search engine to phish customers

Malwarebytes

NOVEMBER 4, 2024

We identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. In this blog post, we take a look at how criminals are abusing Bing and stay under the radar at the same time while also bypassing advanced security features such as two-factor authentication.

Engineering

Engineering Phishing Banking Authentication

Fooling a Voice Authentication System with an AI-Generated Voice

Schneier on Security

MARCH 1, 2023

A reporter used an AI synthesis of his own voice to fool the voice authentication system for Lloyd’s Bank.

Authentication

Authentication Banking Artificial Intelligence

ToxicPanda Android banking trojan targets Europe and LATAM, with a focus on Italy

Security Affairs

NOVEMBER 5, 2024

The ToxicPanda Android malware has infected over 1,500 devices, enabling attackers to perform fraudulent banking transactions. Cleafy researchers spotted a new Android banking malware, dubbed ToxicPanda, which already infected over 1,500 Android devices. ” reads the report published by Cleafy.

Banking

Banking Malware Accountability Authentication

MY TAKE: Businesses gravitate to ‘passwordless’ authentication — widespread consumer use up next

The Last Watchdog

MAY 24, 2022

Perhaps not coincidently, it comes at a time when enterprises have begun adopting passwordless authentication systems in mission-critical parts of their internal operations. Fortifications, such as multi-factor authentication (MFA) and password managers, proved to be mere speed bumps. “Our One bank in the U.S. Coming advances.

Authentication

Authentication Passwords Banking Digital transformation

The Risk of Weak Online Banking Passwords

Krebs on Security

AUGUST 5, 2019

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. Image: Hold Security.

Banking

Banking Passwords Risk Accountability

DOGE as a National Cyberattack

Schneier on Security

FEBRUARY 13, 2025

This approach, known as “separation of duties,” isn’t just bureaucratic red tape; it’s a fundamental security principle as old as banking itself. When your local bank processes a large transfer, it requires two different employees to verify the transaction.

Government

Government Artificial Intelligence Banking Software

Sperm bank breach deposits data into hands of cybercriminals

Malwarebytes

MARCH 19, 2025

California Cryobank (CCB) is a sperm donation and cryopreservation firm and one of the US top sperm banks. The information potentially involved varies by customer but includes names and one or more of the following: Drivers license numbers Bank account and routing numbers. Enable two-factor authentication (2FA).

Banking

Banking Data breaches Computers and Electronics Passwords

How to Offer Secure IVR Banking and Authenticate Callers

Tech Republic Security

AUGUST 8, 2024

Discover how to safeguard IVR banking from hackers and implement secure authentication methods for customer protection. Find out how these digital alternatives benefit both customers and agents.

Banking

Banking Authentication Software Network Security

Banks, Arbitrary Password Restrictions and Why They Don't Matter

Troy Hunt

SEPTEMBER 17, 2019

Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway. for my *online banking*. 6 characters.

Banking

Banking Passwords Accountability Authentication

When Bank Communication is Indistinguishable from Phishing Attacks

Troy Hunt

NOVEMBER 18, 2019

You know how banks really, really want to avoid their customers falling victim to phishing scams? And how banks are the shining beacons of light when it comes to demonstrating security best practices? Very convincing but banks will never send texts like these. banks will never do things that look like a phish?

Banking

Banking Phishing Scams Accountability

Experts warn of the new sophisticate Crocodilus mobile banking Trojan

Security Affairs

MARCH 29, 2025

The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey. ThreatFabric researchers discovered a new Android trojan called Crocodilus, which exploits accessibility features to steal banking and crypto credentials. ” ThreatFabric concludes.

Banking

Banking Mobile Identity Theft Malware

Threat Modeling and Logins

Adam Shostack

JANUARY 2, 2025

Authentication is more frustrating to your customers when you dont threat model. Recently, I was opening a new bank account. The bank unexpectedly sent me a temporary password to sign up, and when I did, the temporary password had expired. But then, after I went to reset the password, the bank emailed me a one time code.

Banking

Banking Passwords Password Management Authentication

PIN-Stealing Android Malware

Schneier on Security

JANUARY 9, 2024

The malware captures any PINs and passwords the victim enters to unlock their device and can later use them to unlock the device at will to perform malicious activities hidden from view.

Malware

Malware Banking Passwords Authentication

Change Healthcare Breach Hits 100M Americans

Krebs on Security

OCTOBER 30, 2024

” But in June 2024 testimony to the Senate Finance Committee, it emerged that the intruders had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account. Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.)

Healthcare

Healthcare Insurance Computers and Electronics Data breaches

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

Krebs on Security

NOVEMBER 19, 2021

One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle , a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family. “Members don’t have to request to use Zelle.

Scams

Scams Banking Passwords Authentication

GUEST ESSAY: ‘Continuous authentication’ is driving passwordless sessions into the mainstream

The Last Watchdog

DECEMBER 6, 2022

Much more effective authentication is needed to help protect our digital environment – and make user sessions smoother and much more secure. Underscoring this trend, Uber was recently hacked — through its authentication system. The best possible answer is coming from biometrics-based passwordless, continuous authentication.

Authentication

Authentication Healthcare Artificial Intelligence Passwords

The Rise of One-Time Password Interception Bots

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. OTP Agency took itself offline within hours of that story. .

Passwords

Passwords Mobile Authentication Banking

Credit Card Fraud That Bypasses 2FA

Schneier on Security

SEPTEMBER 20, 2022

And bank cards can be stopped. Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer. That verification passcode is sent by the bank to the stolen phone. Once accepted, they have control of the bank account.

Banking

Banking Accountability Passwords Authentication

Not All MFA is Equal, and the Differences Matter a Lot

Daniel Miessler

MARCH 10, 2022

People are starting to get the fact that texts (SMS) are a weak form of multi-factor authentication (MFA). It might have been a text, or it could have been something “strong”, like a mobile authenticator app like Google Authenticator or Authy. It completely changes how authentication is done.

Authentication

Authentication Phishing Passwords Accountability

Disneyland Malware Team: It’s a Puny World After All

Krebs on Security

NOVEMBER 16, 2022

A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode , an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic. Bank customers. Bank customers.

Malware

Malware Banking Phishing DDOS

Many Public Salesforce Sites are Leaking Private Data

Krebs on Security

APRIL 27, 2023

A shocking number of organizations — including banks and healthcare providers — are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. Huntington Bank has disabled the leaky TCF Bank Salesforce website. ”

Banking

Banking Government Information Security Authentication

GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator

The Last Watchdog

SEPTEMBER 24, 2024

Rather, we should treat SSN as just another piece of personally identifiable information (PII) like an email address – confidential information but not a sensitive one that unlocks your bank accounts. Governments can create a digital identity at birth to replace SSN in its current use. That identity is tied to specific vendors.

Authentication

Authentication Identity Theft Banking Data breaches

How Phished Data Turns into Apple & Google Wallets

Krebs on Security

FEBRUARY 18, 2025

“This is much bigger than the banks are prepared to say.” Thus, the authentication requirement for doing so defaulted to sending the customer a one-time code via SMS. They could also recommend that financial institutions use more secure authentication methods for mobile wallet provisioning.

Phishing

Phishing Mobile Scams Retail

Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it

Malwarebytes

MAY 16, 2024

More and more websites and services are making multi-factor-authentication (MFA) mandatory, which makes it much harder for cybercriminals to access your accounts. A type of phishing we’re calling authentication-in-the-middle is showing up in online media. That’s a great thing. Consider passkeys.

Authentication

Authentication Phishing Password Management Scams

Singapore Banks to Phase Out OTPs for Online Logins Within 3 Months

The Hacker News

JULY 15, 2024

Retail banking institutions in Singapore have three months to phase out the use of one-time passwords (OTPs) for authentication purposes when signing into online accounts to mitigate the risk of phishing attacks. Customers who have activated their digital

Banking

Banking Retail Phishing Passwords

68k Phishing Victims are Now Searchable in Have I Been Pwned, Courtesy of CERT Poland

Troy Hunt

AUGUST 30, 2023

The advice to impacted individuals is as follows: Get a digital password manager to help you make all passwords strong and unique If you've been reusing passwords, change them to strong and unique versions now, starting with the most important services you use Turn on multi-factor authentication wherever it's available, especially for important (..)

Phishing

Phishing Password Management Passwords Banking

Warning: Hackers could take over your email account by stealing cookies, even if you have MFA

Malwarebytes

NOVEMBER 5, 2024

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up. Here’s how it works. Most of us don’t think twice about checking the “Remember me” box when we log in.

Accountability

Accountability Authentication Malware Banking

Truist bank confirms data breach

Malwarebytes

JUNE 14, 2024

On Wednesday June 12, 2024, a well-known dark web data broker and cybercriminal acting under the name “Sp1d3r” offered a significant amount of data allegedly stolen from Truist Bank for sale. Truist is a US bank holding company and operates 2,781 branches in 15 states and Washington DC.

Data breaches

Data breaches Banking Passwords Phishing

Turn on MFA Before Crooks Do It For You

Krebs on Security

JUNE 19, 2020

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. When the two of them sat down to reset his password, the screen displayed a notice saying there was a new Gmail address tied to his Xbox account.

Authentication

Authentication Accountability Passwords Mobile

Would You Have Fallen for This Phone Scam?

Krebs on Security

APRIL 28, 2020

But you probably didn’t know that these fraudsters also can use caller ID spoofing to trick your bank into giving up information about recent transactions on your account — data that can then be abused to make their phone scams more believable and expose you to additional forms of identity theft.

Scams

Scams Banking Accountability Financial Services

Phishing evolves beyond email to become latest Android app threat

Malwarebytes

FEBRUARY 11, 2025

Of those malicious apps, 5,200 could subvert one of the strongest security practices available today, called multifactor authentication, by prying into basic text messages sent to a device. With multifactor authentication, a username and password are no longer enough to sign into an account.

Phishing

Phishing Passwords Mobile Authentication

BingoMod Android RAT steals money from victims’ bank accounts and wipes data

Security Affairs

JULY 31, 2024

BingoMod is a new Android malware that can wipe devices after stealing money from the victims’ bank accounts. Researchers at Cleafy discovered a new Android malware, called ‘BingoMod,’ that can wipe devices after successfully stealing money from the victims’ bank accounts.

Banking

Banking Accountability Malware Mobile

Industrial and Commercial Bank of China (ICBC) suffered a ransomware attack

Security Affairs

NOVEMBER 10, 2023

The Industrial and Commercial Bank of China (ICBC) suffered a ransomware attack that disrupted trades in the US Treasury market. The Industrial and Commercial Bank of China (ICBC) announced it has contained a ransomware attack that disrupted the U.S. ” reported the Financial Times. ” reported the Financial Times.

Banking

Banking Ransomware Marketing Financial Services

Columbus Ransomware Attack Exposes 500,000+ Residents’ Data: How to Stay Safe

eSecurity Planet

NOVEMBER 6, 2024

This data reportedly includes everything from names and addresses to Social Security numbers and bank account details. The stolen data reportedly includes highly personal information — names, dates of birth, Social Security numbers, bank account details, and even records of residents’ interactions with city services. With over 6.5

Ransomware

Ransomware Authentication Identity Theft Penetration Testing

Passkeys and The Beginning of Stronger Authentication

Thales Cloud Protection & Licensing

FEBRUARY 1, 2024

Passkeys and The Beginning of Stronger Authentication madhav Fri, 02/02/2024 - 05:23 How passkeys are rewriting the current threat landscape Lillian, an experienced CISO, surveyed the threat landscape. Lillian knew that a shift in authentication couldn't wait. FIDO is an overarching framework for secure and passwordless authentication.

Authentication

Authentication Passwords CISO Password Management

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU

Troy Hunt

APRIL 26, 2021

This strain of malware dates back as far as 2014 and it became a gateway into infected machines for other strains of malware ranging from banking trojans to credential stealers to ransomware. Turn on 2 factor authentication wherever available. Change your email account password. Keep operating systems and software patched.

Malware

Malware Passwords Banking Password Management

Anatsa Android banking Trojan expands to Slovakia, Slovenia, and Czechia

Security Affairs

FEBRUARY 19, 2024

The Android banking trojan Anatsa resurged expanding its operation to new countries, including Slovakia, Slovenia, and Czechia. In November 2023, researchers from ThreatFabric observed a resurgence of the Anatsa banking Trojan, aka TeaBot and Toddler. ” concludes the report. ” concludes the report. .

Banking

Banking Malware Mobile Authentication

Still Using Passwords? Get Started with Phishing-Resistant, Passwordless Authentication Now!

Cisco Security

NOVEMBER 2, 2022

Going beyond the hype, passwordless authentication is now a reality. Cisco Duo’s passwordless authentication is now generally available across all Duo Editions. “ Cisco Duo simplifies the passwordless journey for organizations that want to implement phishing-resistant authentication and adopt a zero trust security strategy.

Authentication

Authentication Passwords Phishing Mobile

Hackers Steal Phone, SMS Records for Nearly All AT&T Customers

Krebs on Security

JULY 12, 2024

AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed). For its part, Snowflake says it now requires all new customers to use multi-factor authentication. In a regulatory filing with the U.S.

Data breaches

Data breaches Passwords Authentication Accountability

Coyote: A multi-stage banking Trojan abusing the Squirrel installer

SecureList

FEBRUARY 8, 2024

The developers of banking Trojan malware are constantly looking for inventive ways to distribute theirs implants and infect victims. In a recent investigation, we encountered a new malware that specifically targets users of more than 60 banking institutions, mainly from Brazil.

Banking

Banking Encryption Malware Technology

Federal Reserve “breached” data may actually belong to Evolve Bank

Malwarebytes

JUNE 26, 2024

A shockwave went through the financial world when ransomware group LockBit claimed to have breached the US Federal Reserve, the central banking system of the United States. The Reserve operates twelve banking districts around the country which oversee money distribution within their respective districts. And it’s a lot of data.

Banking

Banking Data breaches Passwords Phishing

International law enforcement operation dismantled RedLine and Meta infostealers

Security Affairs

OCTOBER 29, 2024

Change passwords : After malware removal, update passwords for key accounts (email, banking, work, social media) and enable two-factor authentication. Monitor financial accounts : Check bank statements and report any suspicious transactions promptly. Report stolen data : Notify relevant parties if sensitive details (e.g.,

Identity Theft

Identity Theft Passwords Malware Banking

Warning over free online file converters that actually install malware

Malwarebytes

MARCH 17, 2025

Financial information, like your banking credentials and crypto wallets. Other passwords and session tokens that could allow the scammers to bypass multi-factor authentication (MFA). Email addresses.

Malware

Malware Adware Education Phishing

Passwordless Authentication without Secrets!

Crooks bank on Microsoft’s search engine to phish customers

Trending Sources

Fooling a Voice Authentication System with an AI-Generated Voice

ToxicPanda Android banking trojan targets Europe and LATAM, with a focus on Italy

MY TAKE: Businesses gravitate to ‘passwordless’ authentication — widespread consumer use up next

The Risk of Weak Online Banking Passwords

DOGE as a National Cyberattack

Sperm bank breach deposits data into hands of cybercriminals

How to Offer Secure IVR Banking and Authenticate Callers

Banks, Arbitrary Password Restrictions and Why They Don't Matter

When Bank Communication is Indistinguishable from Phishing Attacks

Experts warn of the new sophisticate Crocodilus mobile banking Trojan

Threat Modeling and Logins

PIN-Stealing Android Malware

Change Healthcare Breach Hits 100M Americans

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

GUEST ESSAY: ‘Continuous authentication’ is driving passwordless sessions into the mainstream

The Rise of One-Time Password Interception Bots

Credit Card Fraud That Bypasses 2FA

Not All MFA is Equal, and the Differences Matter a Lot

Disneyland Malware Team: It’s a Puny World After All

Many Public Salesforce Sites are Leaking Private Data

GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator

How Phished Data Turns into Apple & Google Wallets

Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it

Singapore Banks to Phase Out OTPs for Online Logins Within 3 Months

68k Phishing Victims are Now Searchable in Have I Been Pwned, Courtesy of CERT Poland

Warning: Hackers could take over your email account by stealing cookies, even if you have MFA

Truist bank confirms data breach

Turn on MFA Before Crooks Do It For You

Would You Have Fallen for This Phone Scam?

Phishing evolves beyond email to become latest Android app threat

BingoMod Android RAT steals money from victims’ bank accounts and wipes data

Industrial and Commercial Bank of China (ICBC) suffered a ransomware attack

Columbus Ransomware Attack Exposes 500,000+ Residents’ Data: How to Stay Safe

Passkeys and The Beginning of Stronger Authentication

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU

Anatsa Android banking Trojan expands to Slovakia, Slovenia, and Czechia

Still Using Passwords? Get Started with Phishing-Resistant, Passwordless Authentication Now!

Hackers Steal Phone, SMS Records for Nearly All AT&T Customers

Coyote: A multi-stage banking Trojan abusing the Squirrel installer

Federal Reserve “breached” data may actually belong to Evolve Bank

International law enforcement operation dismantled RedLine and Meta infostealers

Warning over free online file converters that actually install malware

Stay Connected