Search This Blog

Showing posts with label customer privacy. Show all posts

Banking customers are tricked by SCA checks

Online scammers are using changes to European banking rules around customer authentication to trick consumers into handing over their sensitive financial details, according to Which?

The consumer rights group warned that attackers are spoofing the emails being sent from banks, payment firms and e-commerce providers asking for up-to-date info, as part of new Strong Customer Authentication (SCA) requirements.

Firms across the EU are gearing up for the changes, part of PSD2, which will require a form of two-factor authentication on any online transactions over €30, although some exceptions apply.

Ironically, payments providers and e-commerce firms in the UK have been given a further 18 months to comply with the new rules, originally set for a September 14 deadline.

Yet that hasn’t stopped the scammers: Which? claimed it has already spotted phishing emails imitating emails from Santander, Royal Bank of Scotland (RBS) and HSBC.

Urging the recipient to update their banking information ahead of “new procedures,” they include links designed to take the victim to a legitimate-looking page designed to harvest banking details.

Which? argued that in many cases, legitimate brands are making it harder for consumers to spot phishing emails, by including links in their own emails, and by using multiple unusual domains for various landing pages.

The group claimed that 78% of its members think banks and other financial firms should never include links in emails, to make phishing attempts easier to spot.

Tripwire VP, Tim Erlin, agreed, arguing that companies can’t simultaneously tell customers not to follow links in emails but then continue to send them emails urging them to click through.

“As long as banks send legitimate emails as a means of communicating with customers, scammers will attempt the same with fake emails,” he added.

“Email as implemented today is a terrible system for conducting business. While attempts have been made to improve the technology, none of them have taken hold.”

GDPR privacy law exploited to reveal personal data

About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.

The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancee.

In one case, the response included the results of a criminal activity check.

Other replies included credit card information, travel details, account logins and passwords, and the target's full US social security number.

University of Oxford-based researcher James Pavur has presented his findings at the Black Hat conference in Las Vegas.

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company - especially tech ones - they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

- a UK hotel chain that shared a complete record of his partner's overnight stays

- two UK rail companies that provided records of all the journeys she had taken with them over several years

- a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

Mr Pavur has, however, named some of the companies that he said had performed well.

10,000 Clients Affected in Aegon Life Insurance Data Leak


Around 10,000 customers of Aegon Life Insurance, a joint venture between the Netherlands-based Aegon and India's Times Group, fall prey to a data leak which was caused through website's support channels, which clients used to communicate with the insurer regarding their grievances.

Reportedly, the data compromised included all the details ranging from the very basic demographic ones like name, gender, age to more specific ones such as health policy problems and annual income. It occurred due to a security vulnerability in the company's website.

Renie Ravin, Indian web developer and co-founder of the independent blogging platform, 'IndiBlogger', discovered the vulnerability which led to the data leak and reported it to the company in July 2019.

However, there is no evidence of the exposed data being illegally accessed or misused.

Referencing from the statements given by the company, "Aegon Life Insurance, India announces that a vulnerability on their website exposed information of some Indian customers who had used web forms to get in touch with Aegon Life."

"Aegon Life immediately fixed the vulnerability and have since informed all customers of this exposure. Aegon Life estimates that up to 10,000 customers were possibly affected."

"We will initiate an outreach program in the coming days to offer guidance to affected customers and to let them know what information was exposed. At Aegon Life, data security and customer privacy are of utmost importance and we will continue to be transparent with customers as we investigate further," the company added.