Banking security incidents and a mobile phone scam warning
Welcome to Cyber Security Today. It’s Wednesday November 6th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Two incidents in the past few days have me wondering why banks, credit unions and the new breed of financial services providers don’t force customers to use multi-factor authentication to protect their accounts.
First, LendingCrowd, an online platform for lending money to businesses in the United Kingdom, discovered a hacker had accessed the personal information of some investors. This company offers a form of crowdsourcing with investors putting in money for loans. The investor accounts were not accessed. LendingCrowd offers multi-factor authentication to users as an option, but doesn’t make it mandatory.
Second, users of two financial services companies — Mint and QuickBooks Online — were temporarily blocked last week from accessing an online platform used by banks and credit unions around the world. Mint and QuickBooks allow users to show all their financial accounts on one screen, even if they’re from different banks or brokers. But criminals have been breaking into bank accounts and stealing money through these services. The suspicion is they are hacking Mint and QuickBooks Online accounts using stolen passwords, in the hope that someone is using the same password for more than one service. Security reporter Brian Krebs broke the story. He quoted an unnamed source in the financial sector saying some victims had multi-factor authentication set up with a bank for extra login protection. When they log in through Mint or QuickBooks, the bank’s prompt for the extra login code should be passed through to the customer. Apparently in some cases it wasn’t. As a result, it seems, the company that makes the banking platform canceled the two providers’ access until they cleaned something up.
But it raises the question of why any company that offers financial services, be it an aggregator like Mint or QuickBooks, or a bank or credit union, doesn’t force all customers to use the extra step of multi-factor authentication for logins. You need the extra step because so many usernames and passwords get stolen in data breaches, and a stolen password alone should not be enough to get into an account. However, many financial services only offer this as an option.
As for consumers, Tim Erlin, a vice-president at security vendor Tripwire, offers two lessons: If any financial service you use offers two-factor or multifactor authentication, subscribe to it. And please, never use the same password for more than one site.
The Canadian Anti-Fraud Centre has issued an alert to smartphone users to protect their personal information because criminals are stealing phone numbers. The scam is called SIM swapping, and works like this: The criminal calls a cellphone company and impersonates a victim, saying their old phone has either died or been stolen, so they need to switch the SIM card to a new phone. Once they have the number switched to the new phone they change the password so the victim can’t tell the carrier to turn off service. Then they may be able to access the victim’s bank account or cryptocurrency account, if the victim does mobile banking, or access the employer’s email or network. This warning is similar to an alert sent out in March by the FBI.
So, listeners, don’t do foolish things with your personal information like putting your birthday or social insurance number online. That’s right, no one on social media needs to know your birthday. That’s one of the things a carrier may ask for to prove you are who you say you are. Don’t answer emails or text messages asking you to confirm your password or update account information. If you don’t already have one, get a PIN from your carrier. Only a person with your PIN should be able to make account changes. One of your challenge questions should NOT be your mother’s maiden name. Consider asking your mobile carrier if there are extra conditions that can be put on your account before changes can be made. Meanwhile, carriers need to make sure their authentication systems are tough and that customer service people can’t easily be persuaded to make account changes.
I asked Canadian carriers Rogers and Bell Canada for comment. Bell Canada said it uses advanced security measures and strict account verification policies to protect our customers from fraud and other cybercrimes.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.