Cyber SecurityVideo

The Risk of Weak Online Banking Passwords

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. This story is about how crooks increasingly are abusing third-party financial aggregation services like Mint, PlaidYodlee, YNAB and others to surveil and drain consumer accounts online.

Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. Most often, the attacker will use lists of email addresses and passwords stolen en masse from hacked sites and then try those same credentials to see if they permit online access to accounts at a range of banks.

A screenshot of a password-checking tool being used to target Chase Bank customers who re-use passwords from other sites. Image: Hold Security.

From there, thieves can take the list of successful logins and feed them into apps that rely on application programming interfaces (API)s from one of several personal financial data aggregators which help users track their balances, budgets and spending across multiple banks.

A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor. That’s according to Brian Costello, vice president of data strategy at Yodlee, one of the largest financial aggregator platforms.

Costello said while some banks have implemented processes which pass through multi-factor authentication (MFA) prompts when consumers wish to link aggregation services, many have not.

“Because we have become something of a known quantity with the banks, we’ve set up turning off MFA with many of them,” Costello said.  “Many of them are substituting coming from a Yodlee IP or agent as a factor because banks have historically been relying on our security posture to help them out.”

Such reconnaissance helps lay the groundwork for further attacks: If the thieves are able to access a bank account via an aggregator service or API, they can view the customer’s balance(s) and decide which customers are worthy of further targeting.

This targeting can occur in at least one of two ways. The first involves spear phishing attacks to gain access to that second authentication factor, which can be made much more convincing once the attackers have access to specific details about the customer’s account — such as recent transactions or account numbers (even partial account numbers).

The second is through an unauthorized SIM swap, a form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

But beyond targeting customers for outright account takeovers, the data available via financial aggregators enables a far more insidious type of fraud: The ability to link the target’s bank account(s) to other accounts that the attackers control.

That’s because PayPal, Zelle, and a number of other pure-play online financial institutions allow customers to link accounts by verifying the value of microdeposits. For example, if you wish to be able to transfer funds between PayPal and a bank account, the company will first send a couple of tiny deposits  — a few cents, usually — to the account you wish to link. Only after verifying those exact amounts will the account-linking request be granted.

Alex Holden is founder and chief technology officer of Hold Security, a Milwaukee-based security consultancy. Holden and his team closely monitor the cybercrime forums, and he said the company has seen a number of cybercriminals discussing how the financial aggregators are useful for targeting potential victims.

Holden said it’s not uncommon for thieves in these communities to resell access to bank account balance and transaction information to other crooks who specialize in cashing out such information.

“The price for these details is often very cheap, just a fraction of the monetary value in the account, because they’re not selling ‘final’ access to the account,” Holden said. “If the account is active, hackers then can go to the next stage for 2FA phishing or social engineering, or linking the accounts with another.”

Currently, the major aggregators and/or applications that use those platforms store bank logins and interactively log in to consumer accounts to periodically sync transaction data. But most of the financial aggregator platforms are slowly shifting toward using the OAuth standard for logins, which can give banks a greater ability to enforce their own fraud detection and transaction scoring systems when aggregator systems and apps are initially linked to a bank account.

That’s according to Don Cardinal, managing director of the Financial Data Exchange (FDX), which is seeking to unite the financial industry around a common, interoperable, and royalty-free standard for secure consumer and business access to their financial data.

“This is where we’re going,” Cardinal said. “The way it works today, you the aggregator or app stores the credentials encrypted and presents them to the bank. What we’re moving to is [an account linking process] that interactively loads the bank’s Web site, you login there, and the site gives the aggregator an OAuth token. In that token granting process, all the bank’s fraud controls are then direct to the consumer.”

Alissa Knight, a senior analyst with the Aite Group, a financial and technology analyst firm, said such attacks highlight the need to get rid of passwords altogether. But until such time, she said, more consumers should take full advantage of the strongest multi-factor authentication option offered by their bank(s), and consider using a password manager, which helps users pick and remember strong and unique passwords for each Web site.

“This is just more empirical data around the fact that passwords just need to go away,” Knight said. “For now, all the standard precautions we’ve been giving consumers for years still stand: Pick strong passwords, avoid re-using passwords, and get a password manager.”

Some of the most popular password managers include 1Password, Dashlane, LastPass and Keepass. Wired.com recently published a worthwhile writeup which breaks down each of these based on price, features and usability.


Tags: , , , , , , , , , , , ,

You can skip to the end and leave a comment. Pinging is currently not allowed.

One thought on “The Risk of Weak Online Banking Passwords

  • That’s an excellent feature to have on a dating site! AmourMeet is a preferred dating platform for international men seeking Asian females. AmazingAsianz – an excellent selection for those looking for intimate interaction with an Asian female target market. Why we chose AsianDating: AsianDating common data sources with over 30 Asian dating sites like JapanCupid, ThaiLoveLinks, and VietnamCupid, so you can access much more relationship opportunities with a solitary account. If you swipe left on somebody’s account, it’s respectful to define why you’re not interested. The GPS tracking slipped us out whenever we left your home if we’re being honest. Upgrade or set up to the most up to date variant to evaluate it out! You’ll need to update if you desire no limitations on your swiping sessions. Nonetheless you’ll get a different collection of profiles the following time around if you don’t discover your crush the extremely initial time you can constantly play once again. By adhering to these easy actions one can optimize their possibilities at success while using Thai dating applications – have delightful swiping away! To conclude, Thai dating applications utilize a efficient and convenient approach to please possible partners.

    So if you desire premium quality matches when you’re thailand dating application asiame scam in China, stay with these 8 Chinese thailand dating application sites and apps that truly function! Second, make the most of all the tools easily available on these apps such as filters and search features which enable users to limit their options based on certain standards like age array or area – this makes searching for appropriate companions much less complex! For this video game, the application reveals four account images, and you have to select the one you think sent you a like. The app operates the exact same way for exceptional and free of charge clients. Numerous men feel the very same. The reason they are not uncovering each various other is quite simple, too many older men want to have a twenty years of age bride-to-be. When they do not prefer to be tracked (complimentary and paid), participants can go undetected. That helps with protection, however it’s honestly way also challenging to locate somebody you want to meet. Once, at a bar, somebody said to him, “I do not such as Asians,” as delicately as one states, “I do not like pickles,” or “Spinning is simply not my point.” I’m not right into you either, I need to have claimed.

    Besides, it’s a simple account eastmeeteast understand what sort of an individual your possible suit is the app you definitely like. Viki Tv is an American app that was developed to aid advertise social exchange between Eastern and western countries. This website utilizes a fantastic range of solutions and attributes to aid you discover the woman of your desires from Ukraine or various other Slavic nations. You are accountable for: (i) securing any type of passwords used to access your account and our solutions, and (ii) all use of our solutions under your account. You can utilize your existing ThaiRomances account or join absolutely free. Naturally, they’re on other websites as well, yet preparedness to experience the lengthy signup, give individual details, and confirm the account filters those without significant intents. Yes. Asian Friend Finder, Asian Fun, Asian Single Connection, and Heart of Asia are all such sites. The research study found Hong Kong had one of the most solitary girls (62 percent) who were prepared to day males that made less than they did, while Indonesia had the smallest portion of ladies (regarding 40 per cent) who were open to dating guys with a lower revenue. You could get a deal for a cost-free costs subscription or some various other special perk in exchange for ending up a study that includes similar concerns to those made use of for banking.

    An unique dating application, Happn has a great deal of features that you have actually probably never ever seen prior to. Sure, Happn does not provide other customers your exact area, but we still located ourselves looking over our shoulders, asking yourself if somebody had seen us on Happn. Don’t tension, nonetheless, because we’re mosting likely to give you all the details around of our testimonial of Happn. We’re lukewarm on this attribute. Happn released the Similarities feature in 2021, and you do not have to do anything to activate it. Instead, have a look at the 14 best dating apps in 2023. You’ll discover options that are much extra safe and secure and extra reliable than Happn on the checklist. Today, the electronic world has really ushered in a brand-new age of love, with dating applications at the leading edge of this change. It’s not surprise consequently that Thai women are a magnet for Western gents, thousands who fly center(a) around the modern world every twelve months to obtain charming partnerships. This takes a few of the clumsiness out of moving things into the genuine globe. It’s not of actual relevance if we do have a great deal of usual interests or otherwise.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *