NAB Says Up To 60,000 Migrant Bank Customer Details Emailed In Error

In a statement, NAB Executive General Manager International Branches Peter Coad advises that NAB has written to customers who migrated to Australia regarding accounts they established through the bank’s migrant banking team while they resided overseas.

In this letter, NAB notified these customers that an email confirming their account had been established was also sent in error to an incorrect email address.

This error does not impact customers who set up an account in Australia.

Our number one priority was to notify our customers.

The email included customer information such as a name, address, email address, BSB and account number and in some cases NAB identification number – but it did not include any passwords.

We take the privacy and the protection of our customers’ personal information extremely seriously.

We also take full responsibility and we sincerely apologise to our customers for this mistake.

The error was caused by human error and identified following our own internal checks and as soon as we realised what had happened we took action.

We have reviewed these customers’ accounts, over and above our rigorous normal checks, and have not identified any unusual activity. We will continue to monitor 24/7 to protect our customers’ accounts.

We are reaching out to approximately 60,000 migrant banking customers to notify them about this error.

Approximately 40 per cent of these customers have either closed or have not used their account this year.

Furthermore, 19,000 of these accounts have a balance of less than $2.

We have also notified and are working with industry regulators, including the Office of the Australian Information Commissioner and ASIC.

We do not consider that customers need to take any action with their account.

More On Tesco Bank’s Cyber Attack

The Financial Times says Tesco Bank ignored warnings about its cyber weakness, which led to around 9,000 customers losing £2.5m from their accounts.

The bank said on Monday:

Customer Apology and Update

Normal service resumed at Tesco Bank on Wednesday 9 November 2016 following the temporary suspension of online debit transactions from current accounts on Monday 7 November 2016.

We have refunded all customer accounts which were affected by the fraud on 5/6 November and are taking every step to compensate anyone who has been out of pocket as a result of the incident.

We are limited by what we can say publicly about how the attack took place, as this is still a criminal investigation, but we want you to know that the security and protection of your money and information remains our number one priority.

Thank you for your ongoing patience, and again, let me apologise for the inconvenience caused. We will do everything it takes to ensure you can have confidence in Tesco Bank.

In addition, the FT says the bank was also the subject of an earlier attack orchestrated by a criminal gang who purchased low-priced goods using contactless mobile phone payments at retailers in Brazil and the USA.

Cybersecurity company Cyberint said it had discovered posts on a variety of dark web forums whose members had described the lender as being a “cash milking cow” and “easy to cash out”.

It is not clear, however, whether there is any link between these claims and the money stolen just over a week ago.

Fiserv, which was mentioned in the earlier post on the latest attack, told me:

We can confirm that Tesco Bank is a client. We have been made aware of the incident mentioned in your blog. Neither Fiserv software nor our services were involved in the incident that Tesco Bank experienced over the weekend of 5 November. Nonetheless, we are offering our support in whatever manner will be helpful to Tesco Bank.

SMEs At Risk From An “ATO” Scam – Fake Emails Again

From ITWire.

Cyber criminals always search for the motherlode – phishing emails that get through. This time they have targeted small to medium businesses that lodge Business Activity Statements (BAS) online.

The Australian Internet Security Initiative (AISI) part of the Australian Communications and Media Authority (ACMA) has issued a warning over what is one of the most sophisticated spear phishing campaigns yet.

The emails come from BASnotification@atogovau.org and state that your next activity statement is now due. The real email address for the ATO is BASnotification@ato.gov.au. It is very well done – all links go back to the ATO website except for “Click here to download your statement.”

That link takes you to a fake ATO website that can download malware designed to steal your online banking and other credentials and can potentially open a ‘back door’ that enables installation of malware, such as ransomware.

The cybercriminals have also managed to add atogovau.org to the global list of “approved” domains and have published a Sender Policy Framework (SPF) record for it, which reduces the likelihood of receiving email servers rejecting the messages as spam.

Protection

  • It comes down to common sense – hover your mouse over all links before clicking. You need to know that atogovau.org is a fake.
  • If the link asks you to install any application, say no.
  • Use paid anti-malware on all critical systems.
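The two checks the AISI advice relies on, reading the real sender domain and hovering over every link, can be automated for a mailbox or gateway. The script below is an added example for this post, not code from ITWire, AISI or the ATO: it parses a constructed sample message in the shape described above, flags a sender or link domain as a lookalike when its punctuation-stripped form begins with a legitimate domain (so atogovau.org, www.atogovau.org and ato.gov.au.evil.org are all caught), and records the SPF result separately so that a pass for the lookalike domain is not mistaken for proof of legitimacy. The allowlist of legitimate domains is an assumption made for the demonstration.

```python
"""Lookalike-domain and link checks for a suspected BAS phishing email.

Added example for this post; not code from ITWire, AISI or the ATO.
The sample message below is constructed, and the allowlist of legitimate
domains is an assumption made for the demonstration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only domain a genuine BAS notification should use.
LEGITIMATE_DOMAINS = {"ato.gov.au"}


def _squash(domain: str) -> str:
    """Remove dots and hyphens so 'atogovau.org' and 'ato.gov.au' share a prefix."""
    return domain.lower().rstrip(".").replace(".", "").replace("-", "")


def classify_domain(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'other' for a host name.

    A host is legitimate when it is, or sits under, an allowlisted domain.
    It is a lookalike when some label-suffix of it, with punctuation removed,
    begins with the squashed form of an allowlisted domain; this catches
    'atogovau.org', 'www.atogovau.org' and 'ato.gov.au.evil.org' alike.
    """
    host = host.lower().rstrip(".")
    for legit in LEGITIMATE_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return "legitimate"
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = _squash(".".join(labels[i:]))
        if any(suffix.startswith(_squash(legit)) for legit in LEGITIMATE_DOMAINS):
            return "lookalike"
    return "other"


class _LinkCollector(HTMLParser):
    """Collect every href in an HTML body: the targets 'hovering' would reveal."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html: str) -> list[str]:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def analyse_message(raw: str) -> dict:
    """Classify the sender domain and every link target in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg["From"]))
    sender_domain = sender.rpartition("@")[2]
    # SPF only says the sending host is authorised for the domain it used;
    # a pass for a lookalike domain says nothing about the real ATO.
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"spf=(\w+)", auth)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    links = [(url, classify_domain(urlparse(url).hostname or "")) for url in extract_links(html)]
    suspicious = classify_domain(sender_domain) == "lookalike" or any(
        cls == "lookalike" for _, cls in links
    )
    return {
        "sender_domain": sender_domain,
        "sender_class": classify_domain(sender_domain),
        "spf": spf.group(1) if spf else None,
        "links": links,
        "suspicious": suspicious,
    }


# Constructed sample in the shape the article describes: one genuine ATO link
# and one "download your statement" link pointing at the lookalike domain.
SAMPLE_EMAIL = """\
From: ATO <BASnotification@atogovau.org>
To: owner@example-smb.com.au
Subject: Your activity statement is now due
Authentication-Results: mx.example-smb.com.au; spf=pass smtp.mailfrom=atogovau.org
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your next activity statement is now due.</p>
<p><a href="https://www.ato.gov.au/business/">ATO business portal</a></p>
<p><a href="https://www.atogovau.org/statement/download">Click here to download your statement</a></p>
</body></html>
"""

if __name__ == "__main__":
    for key, value in analyse_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The prefix test is deliberately narrow: a domain such as tomato.gov.au is not a lookalike of ato.gov.au because no label-suffix of it starts with "atogovau" once the dots are removed. In a gateway you would extend LEGITIMATE_DOMAINS to every domain your organisation expects BAS correspondence from and quarantine rather than merely report.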

Comment

I added the “paid” word to the AISI advice because the majority of these paid protection programs use machine learning to identify scams. For example – and it is only one provider – Symantec has created the world’s largest Global Intelligence Network (GIN) and according to the company it only takes a handful of instances to be identified before it blocks it for everyone.

Also, it has developed phishing website detection that analyses the known websites (ATO.gov.au) and can tell if another is a phishing site (atogovau.org).

It never ceases to surprise me that SMB skimps on security, many still using free or consumer-grade, anti-virus solutions when enterprise-grade will protect from these scams.

Tesco Bank breach causes 20,000 customers to lose money

Tesco Bank, the U.K. finance subsidiary of Tesco supermarkets, suffered a horrendous cyber-attack last week, with some 20,000 customers losing money from their bank accounts thanks to a widespread attack. Some speculate this was an “inside job”.

Cyber security is a critical issue for the safety of banks and their customers. Whilst individual customers may sometimes be attacked, this was a breach on a whole different scale. Take note!

This from Network World:

The fine details are still murky, but news surfaced in the last day or two that Tesco Bank, a U.K.-based bank owned by the Tesco supermarket chain, suffered some sort of widespread fraud.

The bank’s CEO, Benny Higgins, told Radio 4 that around 40,000 of the bank’s 7 million accounts had seen “some sort of suspicious transactions.” Of those, around 20,000 customers have actually lost money from their bank accounts. In the interview, the CEO told the BBC he was “very hopeful” that customers would be refunded the lost funds. What he didn’t say is that I am sure he is also “very hopeful” that once this all washes up he and his IT team will still have jobs.

Customers have, at this stage, been blocked from making online transactions, suggesting that the fraud is related to online functionality. Transfers between and to other account holders are still being actioned, however. Banking security experts seem to be unanimous that both in terms of the scale of the breach, and the depth of it, this is an unprecedented event.

Customers who have been impacted by the losses received text notifications and, as would be expected, the U.K. media is full of emotional stories of customers unable to pay for their groceries, gasoline or heating fuel. But while the human aspect is important and very troubling, there is, of course, an IT aspect to this that is particularly interesting.

Bank was running a system from a newer banking technology vendor

Interestingly Tesco Bank reinvented its core banking technology a few years ago, moving away from a big legacy solution and instead investing in a core banking system from FiServ, a newer banking technology vendor. I’ve long been a critic of banks that stick to big old (often mainframe-based) solutions and have pointed out that these systems severely limit banks’ ability to innovate and gain agility.

I’ve been a proponent of “decoupling” systems and discussed the topic at length with Dawie Oliver, CIO of Westpac Bank. Of course, we don’t yet know for sure that the issue lies with FiServ or any parts of Tesco Bank’s core systems, but the sheer scale of this breach would suggest that it does. We also, it must be said, can’t rule out nefarious insider activity, although in fairness, fraud detection systems should be able to identify both inside and external attack vectors.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, commented: “The situation is not clear yet, and it’s too early to make any conclusions about the origins and the source of the breach. In the past, similar incidents involved many different approaches: from e-banking system compromise to targeted spear-phishing and social engineering campaigns aimed at infecting bank clients’ machines or mobile devices with sophisticated malware, stealing money from their accounts. A massive skimming campaign cannot be excluded either.”

Kolochenko adds some color, saying:

“It is important to highlight that such a large-scale attack with important financial losses would hardly be possible without some insider help to the attackers. Banking system, compliance processes and fraud-prevention systems are usually bank-specific, and in order to bypass them (we can speak about successful bypass, as so many people have already lost their money) we need to have some insider knowledge. Nevertheless, we need to wait for the official investigation results before making any conclusions.”

I’ll continue to watch this developing story. Meanwhile, at least Tesco Bank’s ownership status means that its IT team have a good source of over-the-counter pain medication. Something tells me they’ll need it.

Lack of cyber security knowledge leads to lazy decisions from executives

From The Conversation.

The numbers and size of cyber security attacks are increasing and Australia is one of the world’s largest targets. The Federal government noted the current impact of cyber attacks on the Australian economy is A$17 billion annually.

The reasons are many and include a lack of direction and commitment to understanding information security at the strategic level. Research from the Australian National University shows executive/board knowledge of cyber risks among medium sized businesses is inadequate and board-level governance of cyber security risks varies wildly between organisations. This is troubling given the ultimate accountability of board directors.

The report found that only 58% of cyber security professionals thought their board had a sufficient understanding of cyber risks. Less than half (46%) said their board discusses cyber security rarely or never. Almost a third (30%) even said their board does not receive reports of cyber threats to the company.

Research from Cambridge University and retail bank Lloyds, also shows this level of uncertainty is causing boards to realise they have no idea what they are dealing with and giving up. Boards are doing this by simply outsourcing the risk of a cyber attack through the purchase of cyber insurance. The report comments:

“The amount of cyber insurance being purchased in Australia [has] increased 168-fold (16,828%) in the last two years, as more and more businesses seek to protect their balance sheets from this emerging threat.”

The problem with this approach to cyber risk is that too little effort is being made to understand the value, control and cost of the information that an organisation holds.

Cyber insurance is a product that covers businesses for the risk of data breaches, employee errors in mishandling data and computer hacking attacks. It covers liabilities and the expense involved in responding to a cyber attack. For example, Sony estimated that it spent US$171 million in cleaning up after its PlayStation Network was famously hacked in 2011.

Simply outsourcing the risk of an attack by purchasing cyber insurance fails to protect an organisation’s reputation from repeated and sustained cyber attacks. Another problem is that the erosion of an organisation’s competitive advantage through the loss of trade secrets through cyber attacks, is difficult to measure and insure.

My research shows executives should be identifying the value and sensitivity of the information in their organisations. Only then can they make sensible decisions about what IT infrastructure should be used and whether to seek expert help by outsourcing.

However identifying all the information that an organisation holds is not as easy as it first sounds. For example, some business conversations take place on social media platforms such as LinkedIn. Businesses need to consider whether those conversations are within the realms of responsibility for employers and therefore if employees should be admonished or supported for holding these electronic conversations.

Organisations can sometimes hold vast pools of information that are secret. However holding sensitive, secret information that is non-strategic is costly and may be pointless. Consider for example a retail organisation that has an online ordering website. This sort of organisation shouldn’t be recording and holding the credit card details of customers, if it can be helped.

Outsourcing the payment for goods or services to finance service intermediaries makes good business sense. By not holding credit card details and effectively outsourcing that function, an organisation has made itself safer because it simply can’t end up on the front page of a newspaper for leaking credit card details.

Sometimes sensitive information is necessary for conducting business operations. If this is unavoidable, then organisations might need to ask whether the security controls they have in place to protect their sensitive information are enough. This might also extend to information being used by suppliers or customers.

If the assessment reveals that security controls are not enough, then a business case needs to be made for increased budget to the board. This may be costly, but if sensitive information is necessary for conducting business operations, then it must be protected and the security budget should be approved.

Retailer Target was affected by a point of sale cyber attack in 2013. Paul Miller/AAP

Organisations routinely fail to fully assess and protect against the risks introduced by storing or sharing information with other organisations. Examples include sharing with suppliers, customers, regulators and contract staff.

High profile cyber bungles from supplier-side attacks include the Target attack in December 2013, where the point-of-sale machines, supplied and operated by a third-party supplier, were infected with a virus that siphoned off all the credit card details of customers.

Board directors not taking the time to understand information security strategy can lead to a blanket approach of mitigating all risk of a cyber security attack by simply purchasing cyber insurance. This clumsy approach is not sustainable and consumers should be demanding more from our business leaders.

Author: Craig Horne, PhD candidate, Chairman of the Australian Computer Society in Victoria, University of Melbourne

Data surveillance is all around us, and it’s going to change our behaviour

From The Conversation.

Enabled by exponential technological advancements in data storage, transmission and analysis, the drive to “datify” our lives is creating an ultra-transparent world where we are never free from being under surveillance.

Increasing aspects of our lives are now recorded as digital data that are systematically stored, aggregated, analysed, and sold. Despite the promise of big data to improve our lives, all encompassing data surveillance constitutes a new form of power that poses a risk not only to our privacy, but to our free will.

Data surveillance started out with online behaviour tracking designed to help marketers customise their messages and offerings. Driven by companies aiming to provide personalised product, service and content recommendations, data were utilised to generate value for customers.

But data surveillance has become increasingly invasive and its scope has broadened with the proliferation of the internet-of-things and embedded computing. The former expands surveillance to our homes, cars, and daily activities by harvesting data from smart and mobile devices. The latter extends surveillance and places it inside our bodies where biometric data can be collected.

Two characteristics of data surveillance enable its expansion.

It’s multifaceted

Data are used to track and circumscribe people’s behaviour across space and time dimensions. An example of space-based tracking is geo-marketing. With access to real-time physical location data, marketers can send tailored ads to consumers’ mobile devices to prompt them to visit stores in their vicinity. To maximise their effectiveness, marketers can tailor the content and timing of ads based on consumers’ past and current location behaviours, sometimes without consumers’ consent.

Location data from GPS or street maps can only approximate a person’s location. But with recent technology, marketers can accurately determine whether a consumer has been inside a store or merely passed by it. This way they can check whether serving ads has resulted in a store visit, and refine subsequent ads.

Health applications track and structure people’s time. They allow users to plan daily activities, schedule workouts, and monitor their progress. Some applications enable users to plan their caloric intake over time. Other applications let users track their sleep pattern.

While users can set their initial health goals, many applications rely on the initial information to structure a progress plan that includes recommended rest times, workout load, caloric intake, and sleep. Applications can send users notifications to ensure compliance with the plan: a reminder that a workout is overdue; a warning that a caloric limit is reached; or a positive reinforcement when a goal has been reached. Despite the sensitive nature of these data, it is not uncommon that they are sold to third parties.

It’s opaque and distributed

Our digital traces are collected by multiple governmental and business entities which engage in data exchange through markets whose structure is mostly hidden from people.

Data are typically classified into three categories: first-party, which companies gather directly from their customers through their website, app, or customer-relationship-management system; second-party, which is another company’s first-party data and is acquired directly from it, and; third-party, which is collected, aggregated, and sold by specialised data vendors.

Despite the size of this market, how data are exchanged through it remains unknown to most people (how many of us know who can see our Facebook likes, Google searches, or Uber rides, and what they use these data for?).

Some data surveillance applications go beyond recording to predicting behavioural trends.

Predictive analytics are used in healthcare, public policy, and management to render organisations and people more productive. Growing in popularity, these practices have raised serious ethical concerns around social inequality, social discrimination, and privacy. They have also sparked a debate about what predictive big data can be used for.

It’s nudging us

A more worrying trend is the use of big data to manipulate human behaviour at scale by incentivising “appropriate” activities, and penalising “inappropriate” activities. In recent years, governments in the UK, US, and Australia have been experimenting with attempts to “correct” the behaviour of their citizens through “nudge units”.

With the application of big data, the scope of such efforts can be greatly extended. For instance, based on data acquired (directly or indirectly) from your favourite health app, your insurance company could raise your rates if it determined your lifestyle to be unhealthy. Based on the same data, your bank could classify you as a “high-risk customer” and charge you a higher interest on your loan.

Using data from your smart car, your car insurance company could decrease your premium if it deemed your driving to be safe.

By signalling “appropriate behaviours” companies and governments aim to shape our behaviour. As the scope of data surveillance increases, more of our behaviours will be evaluated and “corrected” and this disciplinary drive will become increasingly inescapable.

With this disciplinary drive becoming routine, there is a danger we will start to accept it as the norm, and pattern our own behaviour to comply with external expectations, to the detriment of our free will.

The “datafication” of our lives is an undeniable trend which is impacting all of us. However, its societal consequences are not predetermined. We need to have an open discussion about its nature and implications, and about the kind of society we want to live in.

Author: Uri Gal, Associate Professor in Business Information Systems, University of Sydney

APRA Highlights Cyber Security

APRA has released the results from their 2016 Cyber Security Survey which ran from October 2015 to March 2016 to gather information on cyber security incidents and their management within APRA-regulated sectors. Respondents to the survey included 37 regulated entities and four significant service providers, covering all APRA-regulated industries, with the exception of private health insurance.

Just over half of all survey respondents – 20 regulated entities and one service provider – experienced at least one cyber security incident in the 12 months leading up to the survey that was sufficiently material to warrant executive management involvement.

Superannuation industry respondents reported a higher occurrence of incidents that warranted reporting to executive management as compared to other industries. While the underlying cause of this was not apparent in the survey results, possible explanations are that the superannuation industry is a more attractive target to perpetrators due to the relatively high customer account balances, and/or variances in reporting thresholds between the industries.

Incidents reported by survey respondents included:

  • potentially high impact incidents such as advanced persistent threats (APTs), distributed denial of service (DDoS) attacks and compromises of highly privileged access. These were experienced by a number of respondents (21 per cent) and reinforce the value of preparedness (prevention, detection and response controls) in the face of sophisticated attacks which cannot always be prevented;
  • ransomware attacks, which represent an increasing threat. The reported incidence of these attacks (14 per cent of respondents) reinforces the importance of frequent system and data back-ups as a last resort mitigation;
  • potentially reputation damaging incidents such as website defacement and social media account misuse, which were experienced by approximately 1 in 8 entities (12 per cent of respondents). Whilst these incidents have had a low impact and frequency to date, the potential reputational impact necessitates continued vigilance with respect to the management of public facing channels and services; and
  • other incidents with low impact such as compromise of client accounts, internet banking fraud, phishing and malware attacks. These were experienced by almost 1 in 4 respondents (24 per cent).

They conclude:

To date, no APRA regulated entity has suffered material losses from a cyber incident, and security controls have held up against past attacks. However, this should not provide grounds for complacency. As a result of the expanding sophistication, frequency and impact of cyber attacks, APRA-regulated entities should expect to experience significant cyber security incidents and be prepared for an evolving range of threats. APRA intends to lift the supervisory and regulatory expectations for regulated entities to not only secure themselves against cyber attacks, but to implement improved mechanisms to quickly identify and remediate successful attacks when they occur.

They rightly highlight the cultural dimensions to effective Cyber Security as we discussed recently.