Thought leadership, threat analysis, news and alerts.
2 Canadian Banks, BMO & CIBC’s Simplii Financial, Disclose Data Breaches
Two Canadian banks, Bank of Montreal (BMO) and Canadian Imperial Bank of Commerce-owned Simplii Financial, have disclosed early this week that cyber criminals may have stolen sensitive data of their combined 90,000 customers.
BMO is Canada’s 4th largest bank, while the Canadian Imperial Bank of Commerce (CIBC) is the country’s 5th largest bank.
A spokesman for Bank of Montreal told Reuters that nearly 50,000 of the bank’s 8 million customers across Canada were hacked. CIBC’s Simplii Financial, meanwhile, disclosed that fraudsters may have stolen certain personal and account information for nearly 40,000 of its customers.
According to CBC, a group of cyber criminals who claimed to have stolen sensitive data from the 2 banks sent an email to media outlets across Canada last Monday. The attackers said that the stolen data would be sold to criminals if the banks didn’t pay a $1-million ransom in the cryptocurrency Ripple by 11:59 p.m. Monday.
The attackers claimed that they’ve harvested personally identifiable information from customers of the 2 banks, including social insurance number, date of birth, address and phone number.
To prove the veracity of the email, the sender shared the identifying information of two Canadians, one for each bank. When CBC contacted those 2 individuals, they confirmed the veracity of the identifying information.
The ransom deadline has already passed. When contacted by CBC about whether any ransom had been paid, Bank of Montreal said, "Our practice is not to make payments to fraudsters."
Simplii, for its part, said that it’s "continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests."
The attacks on BMO and Simplii are noteworthy as both were disclosed on the same day by the 2 financial institutions and both were attacked by the same cyber criminals using the same method.
The email sent out by the group who claimed to have stolen data from BMO and Simplii Financial explained in detail how the data breaches on the 2 financial organizations were carried out.
According to the email sender, accounts at BMO and Simplii Financial were breached by using the Luhn algorithm – a set of mathematical rules for calculating an answer to a problem, in this case to generate the card numbers.
Using the generated card numbers, the attackers then posed as authentic customers who had forgotten their password. The group said the generated card numbers allowed them to reset the backup security questions and answers and reset the passwords.
“They were giving too much permission to half-authenticated account which enabled us to grab all these information,” the email said.
In Simplii Financial's official statement, the organization advised customers to always “use a complex password and pin (eg. not 12345)”. This statement indicates that the bank isn’t using 2-factor authentication. BMO, meanwhile, offers 2-factor authentication.
A customer at Simplii Financial told The Globe and Mail that he was unable to log in to his account and that the safety questions to recover his password had been changed.
In a study, Newcastle University researchers found that it only takes seconds to guess a bank account number by using the first six digits (which tell you the bank and card type) and the Luhn algorithm. One of the original purposes of the Luhn algorithm is to let websites immediately identify invalid card numbers.
“As an example, suppose one's credit card number is 5377223617291234. Here, the ‘4’ is the check digit. This digit can be determined solely from the digits that precede it through what is called the Luhn Algorithm,” the Oxford Math Center explains of the Luhn algorithm. “If when entering this credit card number, one accidentally types a ‘7’ where the right-most ‘1’ should be (i.e., 5377223617297234), the check digit produced from the first 15 digits, in accordance with the Luhn Algorithm, will now disagree with ‘4’ on the end – flagging this as an invalid credit card number.”
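The check-digit calculation quoted above, as an added Python example (not code from the original article or from the Oxford Math Center). It uses the article's two card numbers, confirms that every single-digit typo is caught, and shows with a constructed number that swapping an adjacent 0 and 9 is not; the helper names are assumptions made for this example.

```python
"""Luhn check digit as an error-detection checksum (added example)."""

# Value contributed by a doubled digit: 2*d, with the two digits of the
# product added together when 2*d is above 9 (e.g. 7 -> 14 -> 1 + 4 = 5).
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_check_digit(payload: str) -> int:
    """Return the check digit for the payload (every digit except the last)."""
    if not (payload.isascii() and payload.isdigit()):
        raise ValueError("payload must contain ASCII digits only")
    total = 0
    # Walk right to left; the digit next to the check digit is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        total += DOUBLED[d] if i % 2 == 0 else d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True when the last digit matches the check digit of the rest."""
    if not (number.isascii() and number.isdigit()) or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


def undetected_single_digit_errors(number: str) -> int:
    """Count single-digit substitutions that still pass the check."""
    missed = 0
    for pos, original in enumerate(number):
        for repl in "0123456789":
            if repl == original:
                continue
            mutated = number[:pos] + repl + number[pos + 1:]
            if luhn_valid(mutated):
                missed += 1
    return missed


def swap_first(number: str, pair: str) -> str:
    """Transpose the first occurrence of a two-digit pair, e.g. '09' -> '90'."""
    i = number.index(pair)
    return number[:i] + pair[1] + pair[0] + number[i + 2:]


if __name__ == "__main__":
    card = "5377223617291234"   # number used in the article's quotation
    typo = "5377223617297234"   # the article's mistyped version

    print("check digit of first 15 digits:", luhn_check_digit(card[:-1]))
    print("original valid:", luhn_valid(card))
    print("typo valid:", luhn_valid(typo))
    print("single-digit typos that slip through:",
          undetected_single_digit_errors(card))

    # Constructed number containing '09': the checksum cannot tell it from
    # the same number with the two digits swapped.
    payload = "537722361720912"
    number = payload + str(luhn_check_digit(payload))
    print("swapped 09/90 still valid:", luhn_valid(swap_first(number, "09")))
```

Because the calculation uses no secret, a number that passes it has only been typed consistently; it says nothing about whether the person entering it holds the card.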
If you have an account at either BMO or Simplii Financial, it’s important to monitor your account for signs of unusual activity. Both banks are offering free credit monitoring and guarantee a 100% reimbursement for any unauthorized transaction.
The recent data breaches at BMO and Simplii Financial could’ve been prevented by data encryption. Organizations, especially those in the financial sector, are required to safeguard personally identifiable information of their clients.
One of the ways of safeguarding sensitive information is by encrypting the data. Encryption changes the data into something incomprehensible, rendering the data useless to the attackers without the secret code.
“The banks involved in claims of a potential data breach acted swiftly in response, launched full-scale investigations and took immediate action to enhance online security measures to protect customers," the Canadian Bankers Association told Bloomberg.
“When you’re dealing with financial information, you should have the highest level of privacy protection possible,” Dr. Ann Cavoukian, former privacy commissioner of Ontario and a distinguished expert-in-residence who leads Ryerson University’s Privacy by Design Centre, told the Financial Post. “This is a real eye-opener. The question that that begs is why weren’t you engaging in those measures all along?”
Top 10 Benefits of a Virtual CISO
No company can afford to underestimate the importance of airtight cybersecurity.
Cyber-criminals continue to develop ever more sophisticated ways to attack organizations and exploit weaknesses. Global corporations invest heavily in protecting their own and their clients’ assets, and even smaller enterprises should do the same.
Chief Information Security Officers (CISO) can make a monumental difference to an organization’s defence against risks. They are responsible for handling cybersecurity, creating strategies to reinforce systems against the most cutting-edge external threats. They need to ensure that all essential policies and procedures are in place to reduce the organization’s vulnerability.
However, bringing an in-house CISO into your office may not be viable if you lack the space and/or available funds.
Virtual CISOs are an effective, affordable alternative for businesses of all sizes, from tiny startups to international chains. Here are 10 key benefits of hiring one for your company.
1. Low-Cost Expertise
First and foremost, hiring a virtual CISO tends to be far cheaper than employing one full-time.
There are no overheads attached, no benefits to consider, no overtime or sick pay. You don’t have to pay them even when they’re sitting at their desk with nothing to do. You essentially reap all the rewards of bringing an invaluable asset into your organization without paying for anything other than their best work.
2. VCISOs Offer More Diverse Knowledge
Most virtual CISOs will possess a wealth of industry experience, having worked with numerous clients across varied sectors.
They are constantly implementing strategies to protect businesses of different sizes against changing threats, gaining valuable knowledge they can apply to your company’s security needs.
This is much more effective and reassuring than hiring a full-time, in-house CISO who may have only worked within one business environment during their career.
3. A Tighter Focus for Better Value
Your virtual CISO specializes in cybersecurity and keeping systems continually protected, developing strategies to reinforce your infrastructure. This is their core focus, their day-to-day commitment.
This is in sharp contrast to bringing an IT specialist into your company who will no doubt be expected to help other employees regain access to their computer, recover forgotten passwords, and remove low-threat malware after someone downloads something they shouldn’t.
You pay for your virtual CISO’s security expertise only, and their time is dedicated to it entirely without less-important distractions.
4. Less Disruption to Everyday Tasks
Hiring a virtual CISO will free up your employees, allowing them the time to focus on their day-to-day tasks and responsibilities without worrying about compliance or related technical issues.
This helps to ensure every department concentrates on their respective goals, free of security-related worries or tasks beyond their technical knowledge.
5. Invaluable Flexibility
Hiring a virtual CISO offers far greater flexibility than a full-time, in-house employee.
For a start, you don’t have to find a place within your company and budget for a new long-term worker. The additional costs that come with that (salary, insurance etc.) are of no concern either.
Furthermore, though, virtual CISOs will generally create tailored services for your exact needs. Perhaps you only want to hire them for a few months to see how it improves your security before committing to a multi-year arrangement. Maybe you’re planning to train your own IT specialists but need the virtual CISO to protect your company in the meantime.
Bringing a virtual CISO aboard in either of these situations is far preferable to hiring a full-time employee and letting them go once you feel they have served their purpose.
6. Bespoke Service for your Business
Virtual CISOs are familiar with adapting to suit different companies with unique needs. While a CISO with experience within one or two businesses may be stuck in their ways and expect you to work around them, virtual specialists are happy to offer more bespoke services.
They will provide the ideal solutions for your company and processes.
7. Vital Industry Contacts
Virtual CISOs are more likely to have wide-ranging industry contacts from across their career. They tend to maintain relationships with fellow cybersecurity specialists, gain exclusive information on emerging threats, and build networks of useful connections.
Such contacts mean they will be able to learn more and gain additional support if they encounter a technical issue they haven’t seen before, enabling them to get a handle on the situation with minimal delay.
This might involve making a phone call to a thought leader or a contact on the front line of cyber-crime – solutions that in-house employees with little experience may be unable to offer.
8. Independent Expertise without Bias
In-house CISOs may be susceptible to the same distractions, petty arguments, and office politics as the rest of your workforce. This can lead them to lose focus on the task at hand and potentially develop their own agendas.
Maintaining the highest levels of security could seem less important to a disgruntled employee who feels they aren’t getting the respect they deserve. Virtual CISOs, though, tend to be completely neutral, channeling all their energy into protecting your company no matter what.
9. Minimal Disruption to your Organization
Your virtual CISO can work independently and without supervision. They will no doubt need to learn about your business and your operations, but they certainly don’t require any training or input.
They will be able to work quickly and efficiently, identifying potential vulnerabilities and updating your system for the utmost protection. Your business will be able to continue as normal without any of the time-consuming training or administrative duties involved with hiring a new full-time employee.
10. Ongoing Commitment and Quality
A CISO working as part of your in-house team will end up leaving you at one time or another, whether they are headhunted by a competitor or simply want a change. This can leave you without their expertise if you wait too long to bring a new specialist aboard, and means you have to start afresh again.
You can enjoy greater continuity and seamless service with a virtual CISO. Even if the person(s) assigned to your business leaves the company you hire, there will be no disruption – you may not even realize a change has occurred at all.
Do you have questions about working with a virtual CISO? Our expert team is here to answer them!
2-Factor Authentication Weakness: It’s also Hackable
The 2-factor authentication, also known as 2FA, is one cyberdefense that gets you one step away from cyberattackers. It shouldn’t be viewed, however, as a cure-all cyberdefense as it’s also vulnerable to other hacking activities.
What is 2-Factor Authentication (2FA)?
The 2-factor authentication is an added layer of security that’s designed to block cyberintruders even if they know your password. Verification codes can be sent via SMS text, email or verification apps like Google Auth. A special USB drive can also be used for 2-factor authentication.
Early Security Vulnerability of 2FA
Before 2FA became widely available to the public, this cybersecurity defense measure was used only by high-security government and corporate entities. One of the early adopters of 2FA was Lockheed Martin, the Pentagon’s No. 1 supplier.
In 2011, hackers were able to breach Lockheed Martin’s network using compromised 2FA codes. The supplier of Lockheed Martin’s 2FA codes, the RSA Security Division of the EMC Corporation, acknowledged that it suffered a data breach that compromised one of its computer security products, the 2-factor authentication.
While it wasn’t disclosed what was breached at RSA, Whitfield Diffie, one of the pioneers of public-key cryptography, told the New York Times that a "master key" – a massive secret number used as part of RSA’s encryption algorithm – might have been stolen.
The worst-case scenario, Diffie said, would be that the cyberattacker could reproduce cards that duplicate the ones supplied by RSA to generate two-factor authentication codes, enabling the cyberattacker to gain access to corporate networks and computer systems.
Here are 3 ways by which cybercriminals can hack 2-factor authentication:
1. Man-in-the-Middle Attacks
A man-in-the-middle (MITM) attack refers to a cyberattack where the attacker positions himself in a conversation between a computer user and a software application or a website. The attacker may eavesdrop or impersonate a software application or a website, making it appear as if a normal exchange of information is ongoing.
For instance, a MITM attacker may trick you into logging into a fake banking app and ask for your 2FA code. Once you input your 2FA code, you’re doomed.
An example of a MITM attack that fools users into exposing their 2-factor authentication code is the malicious software (malware) called “Acecard”. One of the ways Acecard is able to get inside victims’ devices is by being listed as a legitimate game app in the Google Play store. Once the Acecard app is installed on the victim’s mobile device, it lies in wait until the victim launches a legitimate banking app.
Once the malware detects which banking app is used, it then overlays a fake banking app interface, fooling the user into believing that he’s inside a legitimate banking interface.
The login details entered in the fake app are then sent by the malware to the attacker, and these details are used to log in to the victim’s real banking app to withdraw money.
Acecard can convincingly impersonate a banking app by hijacking the SMS message containing the one-time password sent by the bank’s system as part of 2-factor authentication.
The SMS message containing one-time password sent by the bank’s system to the victim’s phone as part of two-factor authentication is then intercepted by the malware and sent to the attacker. The malware also intercepts and sends to the attacker the transaction confirmation.
Victims have, therefore, no knowledge about the SMS message as well as the transaction confirmation. Victims will only know about the withdrawal transaction when they check their bank account balance and transaction history.
A mobile banking malware like Acecard can hijack SMS messages by asking permission to access SMS.
According to Kaspersky, Acecard is capable of bypassing security measures of nearly 50 different online financial apps and services, including WhatsApp, Viber, Instagram, Skype, VKontakte, Odnoklassniki, Facebook, Twitter, Gmail and PayPal.
KnowBe4 Chief Hacking Officer Kevin Mitnick recently demonstrated how LinkedIn’s 2-factor authentication can be spoofed. Mitnick used the spoofing tool developed by white hat hacker Kuba Gretzky called “Evilginx”. In bypassing LinkedIn’s 2-factor authentication, Mitnick sends a user to a fake LinkedIn login page which runs Evilginx.
“I'm releasing my latest Evilginx project, which is a man-in-the-middle attack framework for remotely capturing credentials and session cookies of any web service,” Gretzky described his Evilginx project. “It uses Nginx HTTP server to proxy legitimate login page, to visitors, and captures credentials and session cookies on-the-fly. It works remotely, uses custom domain and a valid SSL certificate.”
Gretzky added that Evilginx can be adapted to work with any website.
2. Exploiting Account-Recovery Systems
Another way cyberattackers bypass 2-factor authentication is by exploiting the account-recovery systems.
Cyberattackers who have previously hacked the personally-identifiable information of their victims can easily use the account-recovery feature of many websites by inputting the current password, answering password reset questions or calling tech support to get around the 2-factor authentication.
3. Brute Force Attacks
While many websites or online services have the 2-factor authentication feature, many don’t have bad login attempt control – a feature that locks out a user after a number of failed 2-factor authentication attempts.
Failure to put in place bad login attempt control will enable attackers to conduct brute force attacks, whereby they’ll simply guess the 2-factor authentication code over and over again until they hit the correct code. High-powered computers nowadays can crack thousands of passwords or codes per second.
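One way to implement the bad login attempt control described above, as an added Python example (not from the original article). The class name, the limits and the in-memory storage are assumptions; a real service would keep this state in a shared store and deliver the code out of band.

```python
"""Attempt-limited one-time-code verification (added example)."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Challenge:
    code: str
    expires_at: float
    failures: int = 0


class OtpVerifier:
    """Hypothetical verifier: codes are single-use, short-lived and
    invalidated after a fixed number of wrong guesses."""

    def __init__(self, max_failures=5, ttl_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.ttl_seconds = ttl_seconds
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._challenges = {}    # user -> _Challenge
        self._locked_until = {}  # user -> time at which the lock ends

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._locked_until.get(user, 0.0)

    def issue(self, user: str) -> str:
        """Create a fresh 6-digit code; refused while the user is locked."""
        if self.is_locked(user):
            raise PermissionError("account temporarily locked")
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[user] = _Challenge(
            code, self._clock() + self.ttl_seconds)
        return code  # sent to the user's second factor, never to the browser

    def verify(self, user: str, submitted: str) -> str:
        """Return 'ok', 'invalid', 'locked' or 'no_active_code'."""
        if self.is_locked(user):
            return "locked"
        challenge = self._challenges.get(user)
        if challenge is None or self._clock() >= challenge.expires_at:
            self._challenges.pop(user, None)
            return "no_active_code"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(challenge.code.encode(), submitted.encode()):
            del self._challenges[user]  # a code can be used only once
            return "ok"
        challenge.failures += 1
        if challenge.failures >= self.max_failures:
            # Throw the code away and lock: further guesses, even the
            # correct one, are rejected until the lock ends.
            del self._challenges[user]
            self._locked_until[user] = self._clock() + self.lockout_seconds
            return "locked"
        return "invalid"


def demo():
    """Run a constructed sequence of guesses against a fake clock."""
    now = [0.0]
    verifier = OtpVerifier(max_failures=3, clock=lambda: now[0])
    code = verifier.issue("alice")
    wrong = "000000" if code != "000000" else "000001"
    results = [verifier.verify("alice", wrong) for _ in range(3)]
    results.append(verifier.verify("alice", code))  # correct, but too late
    now[0] = 901.0                                  # lock has ended
    results.append(verifier.verify("alice", verifier.issue("alice")))
    return results


if __name__ == "__main__":
    print(demo())
```

With a limit of 3 failures per 6-digit code, a guesser gets at most 3 chances in 1,000,000 per issued code instead of an unlimited number.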
Measures that help prevent cyberattackers from hacking your accounts via 2-factor authentication include exercising caution whenever you grant an app access to your SMS, scanning apps for malware, being vigilant when clicking links, as these might lead you to fake websites, and not making it easy for hackers to guess your password reset questions.
Two-factor authentication isn’t meant to replace other good cybersecurity practices. It’s meant only as an additional layer of security.
When you need help, our security professionals are a phone call away.
How to Avoid Being a Victim of Email-Based Ransomware
The latest version of the ransomware called “GandCrab” is an example of how cyber attackers bait their ransomware victims through email spam campaigns.
Last month, security researchers at Fortinet observed a surge in an email spam campaign delivering the latest version of GandCrab ransomware.
GandCrab ransomware is a malicious software (malware) that encrypts files on the compromised computers, locks out users and demands a payment to decrypt or unlock the files.
How Ransomware Victims Are Baited via Email Spam Campaign
The latest version of GandCrab ransomware works by employing spam emails. While these spam emails don’t target specific individuals, they do target specific countries: email addresses in the US are the primary recipients of this spam campaign, followed by those in the UK and Canada.
Receivers of these spam emails are tricked into opening these malicious emails as the attackers use these subjects commonly used by people working in an organization:
Once the malware is downloaded to a compromised computer, all the files on the computer are encrypted, preventing the user from accessing them, and a ransom note is posted on the computer screen.
This ransom note directs the user to a site using the TOR browser – a browser designed to protect privacy and anonymity. Once accessed, this site tells the victim that files on the compromised computer have been encrypted. The victim is asked to pay USD 800 within a certain period. If payment isn't done within the allowed period, the cost of decrypting the files is doubled.
GandCrab Ransomware Earlier Versions
The first version of GandCrab ransomware first appeared in the wild on January 30, 2018.
This early version of GandCrab ransomware was distributed as well via spam emails purporting to be invoices. The early version of GandCrab ransomware was also distributed via malicious advertisements (malvertisements) linked to malicious websites where the downloading of the GandCrab ransomware is then initiated.
Similar to the latest version of GandCrab, the first version spread in the wild and encrypted the files on the compromised computer. Instead of asking for a ransom payment in US dollars, the first version of GandCrab asked for a ransom payment in Dash cryptocurrency – the first time this cryptocurrency has been used in a ransomware campaign. In the past, ransomware attackers preferred the cryptocurrencies Bitcoin and Monero for ransom payment.
According to Europol, the European Union’s law enforcement agency, GandCrab ransomware is run as an affiliate program or ransomware-as-a-service. Anyone who wants to join the GandCrab affiliate program pays 30% to 40% of the ransom revenues to its creator and in return gets a full-featured web panel and technical support.
According to Check Point, as of March 13, 2018, GandCrab has infected over 50,000 computer systems and received an equivalent of USD 300,000 to USD 600,000 in ransom payments.
A tool to decrypt files encrypted by GandCrab (version 1) was developed by a combined effort of the Romanian authorities, Bitdefender and Europol and made available to the public for free.
According to Check Point, the decryptor tool wasn’t a result of a cryptographic breakthrough. It was, however, borne out of the law enforcement arm’s access to the ransomware’s master server, enabling the law enforcement arm to recover all private keys that had been used to perform the encryption made by GandCrab (version 1), evident with the decryptor tool’s dependence on an available victim ID.
Developers of GandCrab, however, regularly modify the ransomware, making the decryption tool developed by the Romanian authorities, Bitdefender and Europol useless, as it won't bring the files back.
Paying the ransom for the latest version of GandCrab is, therefore, not advisable as this doesn’t guarantee that the attackers have the capability or any intention to decrypt files.
Social Engineering Feature of GandCrab Ransomware
As can be gleaned from the different versions of GandCrab ransomware, social engineering is employed.
A social engineering cyberattack happens when an attacker uses a typical form of human interaction to obtain information about an organization or to compromise the organization’s computer systems.
Today’s human interaction involves technology. Many human interactions now happen via email exchanges – a form of online communication that has endured even with the advent of new forms of communication like instant messaging, social networking and online chat.
GandCrab isn't the only ransomware that relies on spam emails for its distribution. Other notorious ransomware like Spora and Locky are also distributed through spam emails. For instance, on August 28th last year, in just a matter of 24 hours, over 23 million spam emails were sent carrying the Locky ransomware.
It’s interesting to note that these 3 ransomware families, GandCrab, Spora and Locky, tricked their victims into opening email attachments laden with ransomware by using the subject “Invoice”.
Here are some of the best practices on how to avoid being a victim of email-based ransomware like GandCrab:
Are You Failing to Protect Yourself Against Fraud?
Online fraud is, sadly, a common danger.
More than 15 million people fell victim to it in 2016, and the risk is still very much present. Companies across all areas of industry must take steps to protect their finances, making any changes necessary to minimize threats.
Some of these may seem simple, while others appear a tad more complicated. As specialists in cybersecurity, we’re dedicated to helping businesses like yours stay safe against ever-more sophisticated tactics.
So, what changes can you make to your everyday operations to combat online fraud?
You Ignore the Warning Signs
Seeing new customers make large purchases can be an exciting time, but you need to be aware of some common warning signs.
Orders placed late at night could be a red flag, while large orders of products that can be resold easily are another fraud giveaway to watch out for.
Another red flag? Multiple attempts to buy an expensive item (or items) with the same payment method, but with minor differences in the expiration date or name.
Purchases made by buyers who have been repeat customers for a long time should be watched if they make an unusual change in their purchases, address, contact details, and order size.
Last but not least: be wary of customers buying goods with a domestic billing address but sending the purchases to international locations. This is especially true if multiple international addresses are used.
You Don’t Invest in the Best Security
In our experience, too many businesses – both big and small – invest too little in their cybersecurity. Even though businesses are expected to spend more than $100bn on online protection in 2020, it’s still not uncommon to see companies letting themselves down.
It’s easy to assume you can handle your business’s online security when you first enter the market. After all, download some anti-virus software, get yourself a firewall – job done, right?
Sadly, it’s not so simple. Finding the budget for high-quality security protocols can be difficult, but it’s vital – you’re reinforcing your company’s infrastructure, protecting your assets, and minimizing further expense.
In other words: take the danger of online fraud seriously. Your customers and your employees are depending on you to keep their details, their salaries, and safer.
You Haven’t Educated Your Team
Your workforce has to be educated on the signs of online fraud, trained in criminals’ latest tactics and the techniques available to combat them.
After all, they’re the people keeping your operations running day in, day out. They’re handling customers’ purchases, processing transactions, communicating with buyers, using your databases, downloading resources, and more.
Uninformed staff may end up making mistakes that leave your business vulnerable, facing fraudulent activity, and ultimately at risk. When they have the information and the training, they can actually be a much-needed defense against cyber criminals preying on companies like yours.
Make sure you host regular meetings to train your employees on the cyber-security threats they are likely to encounter, and the warning signs they should watch out for. This doesn’t have to be at an expert level, as you don’t want to overwhelm or confuse them, but it should be enough to give them the confidence they need to perform at their best.
Your staff should know enough to identify possible fraudulent behavior, handle customers’ personal information properly, and avoid leaving your business exposed.
You Haven’t Implemented a Reliable Password Policy
Passwords have to be strong, hard to guess, and varied. Make sure your employees and your customers have the information and advice they need to avoid weak passwords.
We all have so many passwords to remember today. Many of us run numerous different aspects of our lives online, relying on online banking, online shopping, online communications … it’s easy to be complacent.
However, complacency leads you to use the same passwords again and again. Your customers may simply create an account and make purchases with your business, but inadvertently let someone else know what their password is.
This could lead to fraudulent purchases, and the customer might blame your company for failing to offer them sufficient advice on how to best create efficient passwords.
It’s vital, then, to provide helpful information at the sign-up stage, and a dedicated page on your site. Make sure they know not to use something simple and easy to find out, such as their child’s name or their birthday. Varying letter case, adding symbols and numbers, and combining words to make longer passwords can all be a big help.
Your employees should follow the same strategy. Using the same password in their work emails or accounts as their personal ones can increase your business’s vulnerability.
You Don’t Run Background Checks on Your Employees
Hiring employees with a history of criminal activity or suspicious behavior in previous roles (leading to dismissals) can be an easy way to expose your business to fraud.
Running background checks may seem to be something of a hassle, but it’s well worth doing to protect your company. This should consist of criminal background checks, their education, and their past employment – you will have the information to identify who you have working for you.
Trust goes a long, long way in maintaining an efficient, satisfied workforce. If you know your team is unlikely to undertake fraudulent activity and put your company’s and your customers’ data at risk, you can focus on combating external dangers instead.
Employees will generally accept that these background checks are par for the course. Though it might seem intrusive, it’s for the good of your company, your clients, and your reputation.
Online fraud is an intimidating area and makes businesses of all sizes feel vulnerable. Taking the steps explored above is an effective start to a stronger infrastructure, but you should trust the professionals to reinforce (and maintain) your business’s cybersecurity program for maximum protection against threats.
Contact us today to assess your risks and protect your business.
Steve E. Driz, I.S.P., ITCP