Wednesday, March 5, 2014

Citi Faces SEC and Mexican Probes Over $235m Banamex Fraud 

Rising online fraud pushes banks to seek insurance cover - - 4 March 2014

MUMBAI: Indian banks are increasingly seeking insurance cover against fraudulent online transactions, including those involving credit cards, as a rising use of plastic money and the ease of Internet business potentially increase lenders' exposure to cases of data breach.

Data from insurance companies show that large banks are opting for policies worth Rs 500 crore to shield against fraud, including online, while mid-sized banks are going for policies in the range of Rs250-300 crore. "Demand for insurance policy against phishing, skimming and Internet hacking has gone up in the last one year," said TR Ramalingam, head of underwriting at Bajaj Allianz General Insurance. "Enquiries have gone up and we are working on how to price the product and working on the wording."
 Earlier, insurance policies did not include computer-related frauds, but now insurers expect it to be big in coming days. The premium, which depends on several factors, ranges between 1% and 2% of liability the bank is looking to insure. 

In 2012-13, domestic banks lost Rs17,284 crore on account of fraud, according to information obtained through the Right to Information Act. During the period, 62 banks filed a total of 26,598 cases related to online frauds. The situation has compounded the woes of the bank sector where lenders are facing huge non-performing assets. "The policy covers cyber extortion and breach of data privacy," said M Ravichandran, president, Tata AIG General Insurance. 

"There is a lot of talk around cyber insurance and people are actively looking to secure these exposures."
While companies like Tata AIG have underwriting capabilities for these policies, for others, it is reinsurance driven. Cyber extortion policy pays a ransom to a person who has hacked into the bank's website with a threat to divulge, destroy or steal confidential information. Last year, ATM cards of a leading private sector bank's customers were skimmed and about Rs15.48 lakh stolen from accounts. 

By Shilpy Sinha

Tuesday, March 4, 2014

The 'biggest ever' cyber attack uncovered; 360 mn accounts, 1.25 bn email addresses hacked - -

Boston: A cybersecurity firm said that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.

The discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.

Alex Holden, chief information security officer of Hold Security LLC, said in an interview that his firm obtained the data over the past three weeks, meaning an unprecedented amount of stolen credentials is available for sale underground.

"The sheer volume is overwhelming," said Holden, whose firm last year helped uncover a major data breach at Adobe Systems Inc in which tens of millions of records were stolen.

Holden said he believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breaches known to date.
He said he believes the credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may remain unaware until they are notified by third parties who find evidence of the hacking, he said.

"We have staff working around the clock to identify the victims," he said.
He has not provided any information about the attacks to other cybersecurity firms or authorities but intends to alert the companies involved if his staff can identify them.

The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text. Holden said that in contrast, the Adobe breach, which he uncovered in October 2013, yielded tens of millions of records that had encrypted passwords, which made it more difficult for hackers to use them.

The email addresses are from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations. Holden said he alerted one major email provider that is a client, but he declined to identify the company, citing a nondisclosure agreement.

Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum LLP, said she had no information about the information that Hold Security uncovered but that it was plausible for hackers to obtain such a large amount of data because these breaches are on the rise.

She said hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.

"They can get access to your actual bank account. That is huge," Bearfield said. "That is not necessarily recoverable funds."

After recent payment-card data breaches, including one at US retailer Target, credit card companies stressed that consumers bear little risk because they are refunded rapidly for fraud losses.

Wade Baker, a data breach investigator with Verizon Communications Inc, said that the number of attacks targeting payment cards through point-of-sales systems peaked in 2011. That was partly because banks and retailers have gotten better at identifying that type of breach and quickly moving to prevent crooks from making fraudulent transactions, he said.

In addition to the 360 million credentials, the criminals are selling some 1.25 billion email addresses, which would be of interest to spammers, Hold Security said in a statement on its website.

By Ananthkumar For Bengaluru 

Thursday, June 6, 2013

$200 Million Cybercrime Forum Disabled - $200 Million Cybercrime Forum Disabled - 05 June 2013

Eleven people connected with the forum have been arrested in Vietnam and the UK.

The UK's Serious Organized Crime Agency (SOCA) recently announced that, a leading cybercrime forum has been disabled by an operation led by the Vietnamese High-Tech Crime Unit (HTCU), the Criminal Investigation Dvision (CID) of the Ministry of Public Security of Vietnam (MPSVN), SOCA, the UK's Metropolitan Police Central e-Crime Unit (PCeU), and the FBI.

According to SOCA, CID and HTCU officers have also arrested eight members of the group behind the site in Vietnam, and three forum users were arrested in the UK.

SOCA reports that the site, which had about 16,000 members, had facilitated more than $200 million worth of credit card fraud worldwide through the hacking of commercial entities and the harvesting and sale of more than 1.1 million credit card numbers.

"One of the world's major facilitation networks for online card fraud has been dismantled by this operation, and those engaged in this type of crime should know that that they are neither anonymous, nor beyond the reach of law enforcement agencies," Andy Archibald, interim deputy director of SOCA's National Cyber Crime Unit, said in a statement. "We and our partners, in the UK and abroad, continue to protect the public and legitimate businesses by targeting websites trading in stolen card data, and relentlessly pursuing those who operate and frequent them."

By Jeff Goldman