Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Tuesday November 05 2019, @01:20AM   Printer-friendly
from the we-planned-it-that-way dept.

Brian Krebs has an interesting story about NCR barring both Mint and QuickBooks last month during a period of high account takeover activity.

Banking industry giant NCR Corp. [NYSE: NCR] late last month took the unusual step of temporarily blocking third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight, an online banking platform used by hundreds of financial institutions. That ban, which came in response to a series of bank account takeovers in which cybercriminals used aggregation sites to surveil and drain consumer accounts, has since been rescinded. But the incident raises fresh questions about the proper role of digital banking platforms in fighting password abuse.

[...] In a statement provided to KrebsOnSecurity, NCR said that on Friday, Oct. 25, the company notified Digital Insight customers "that the aggregation capabilities of certain third-party product were being temporarily suspended."

"The notification was sent while we investigated a report involving a single user and a third-party product that aggregates bank data," reads their statement, which was sent to customers on Oct. 29. After confirming that the incident was contained, NCR restored connectivity that is used for account aggregation. "As we noted, the criminals are getting aggressive and creative in accessing tools to access online information, NCR continues to evaluate and proactively defend against these activities.""

[...] Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. Most often, the attacker will use lists of email addresses and passwords stolen en masse from hacked sites and then try those same credentials to see if they permit online access to accounts at a range of banks.

From there, thieves can take the list of successful logins and feed them into apps that rely on application programming interfaces (API)s from one of several personal financial data aggregators, including Mint, Plaid, QuickBooks, Yodlee, and YNAB.

[...] If the thieves are able to access a bank account via an aggregator service or API, they can view the customer’s balance(s) and decide which customers are worthy of further targeting.

But beyond targeting customers for outright account takeovers, the data available via financial aggregators enables a far more insidious type of fraud: The ability to link the target’s bank account(s) to other accounts that the attackers control.

That’s because PayPal, Zelle, and a number of other pure-play online financial institutions allow customers to link accounts by verifying the value of microdeposits. For example, if you wish to be able to transfer funds between PayPal and a bank account, the company will first send a couple of tiny deposits  — a few cents, usually — to the account you wish to link. Only after verifying those exact amounts will the account-linking request be granted.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: -1, Troll) by Anonymous Coward on Tuesday November 05 2019, @02:40AM

    by Anonymous Coward on Tuesday November 05 2019, @02:40AM (#916090)

    They've declared jihad on your bank accounts.

  • (Score: 1, Offtopic) by jmichaelhudsondotnet on Tuesday November 05 2019, @11:54AM

    by jmichaelhudsondotnet (8122) on Tuesday November 05 2019, @11:54AM (#916202) Journal

    I am looking for confirmation for a rumor I heard.

    I worked for Retail Data Systems in Kansas City for 3 months and got fired I think on January 1, 2016. I spent most of my time there writing submissions for mcsweeneys and dirty cowboy music for my burlesque character. My team was just me and another 2 guys one of whom was in the hospital, I was there because they needed to rush to hire someone just in case something happened over christmas like in 2014 when there were multiple random shutdowns of the new 'chip' system, you may recall.

    I tell some of the story here, I lost the job I think primarily because I left a dirty song at the printer and a female colleague grabbed it. Really random doubleprint at a very bad time. Water under the bridge, it really sucked at the time but I am sure glad I don't have to install upgrades at price chopper win7 cash registers for the rest of my life.

    https://soundcloud.com/j-michael-hudson/3-stories [soundcloud.com]

    At this job, the guy who hired me was a diminutive whitebread dude with nearly no distinguishing characteristics besides goalie for a hockey club. We drove all over kansas city upgrading cash register computers with thumb drives for the time I was there and he was the guy who had been there the longest and had been out in the field with 2 old guys who were about ready to retire, one had cancer. So this guy was kindof trying to find a way to build a team up paying people like 30k a year and that's how I got that job.

    It's only after you get to know me that you realize you may not want a critic of capitalism managing the cash register software...fair enough...a common problem is they want a really bright person who will work for a peanuts and has no ideas whatsoever besides what they are told, and those interests are clearly at odds.

    This guy, lets call him Cody, says to me one day while we're driving around in his corolla that all of the NCR transactions are processed in Israel. Cody does not have any swastika tatoos or politics whatsoever. He is like working with a stick of butter or bar of soap. It is impossible to imagine a guy this nice getting in a fight, except maybe in hockey gear.

    This is not a guy who would make up shit about israel or say any slurs about anybody, one of the nicest most normal guys I can even imagine, Cody. Nor had I mentioned to him that I don't support the alliance with israel or any of my politics like that, this was in like month 1, an offhand remark.

    I was like, whaa? I went and looked it up, best I can tell ATT, Teradata and Retalix have operations in Israel while NCR itself on its wikipedia says all of its offices are everywhere but israel.

    So riddle me this soylent news, was Cody misinformed? Where does NCR process its transactions?

    Or better put, is there any country, location or network node where a single point of failure could shut down every NCR cash register globally?

    And is it really smart to have a centralized payment system that is OUTSIDE of your country? Is this a good or bad type of globalization?

    And yeah I know I am despise the nation of Israel for all of their usual treachery but that doesn't mean I would advise Israelis to have their payments processed outside of their country either.

    It is a basic principle, critical systems should be INSIDE the country or you are putting your balls on the cold steel table.

    So who out there can answer me this question and confirm the well-qualified rumor that I heard on the job?

    (and yes this is on topic because the question here is about NCR arbitrarily shutting down payments, which is what a foreign country could also do if they had a button for it, not to mention that I don't want Harvey Weinstein's informal spy network to have access to my life purchase history)

    When software starts to act like government, we need to start asking some real questions or the people who own the software will become more powerful than the government and some people are really into business plans that are actually war plans, and we should not let them do whatever they want, as has been the custom with the first iterations of the internet.

(1)