KYD Mean Know Your Data

http://datamigrationresources.com/
Data Migration from Data Migration Resources

Knowing your data is very important and I find that many bankers think they know data. I’m not exactly sure what they are envisioning, but if they are envisioning pivot tables and vlookups, then they know about as much as a freshman MIS student after week of classes. (MIS means management information systems.) All systems can be configured to generate data.

This subject is just too big to even do an overview, which would take a semester worth of  classroom work. The best thing for any organization is to make sure to hire a team of technical experts in both computer sciences and statistics to manage and analyze data to get a good understanding about what the data is saying. For now, I will just briefly mention the two sides of KYD – data management and data analysis. Knowing one does not make one remotely close to knowing the other.

Data Management is the work of software and hardware professionals who keep data like inventory. They are often under-appreciated. For the data layman, data management looks like a bunch of overpaid people who move around bits of information from one server to the next. Data Analysts, however, know how crucial these people are. In order to do data analysis, understanding of all of the issues to maintain data analyzable is incredible difficult, especially as the organization gets larger. Size of data sets present technical problems that most people do not encounter, but data analysts do. Software often cannot handle computing data set size beyond a certain point. Data managers are the people who solve these issues, making it technically possible for data analysts to do their work. Also, data managers can keep data safe from corruption or breaches in security or controls.

Data analysts have received lots of attention over the past decade. Almost all consuming facing internet now is feeding data centers so that analysis about potential customers can be mined. But newspaper reporters are often poor interpreters of data. So, reading their work might lead one to have false sense of confidence about this topic. The only place I can think of right now that a data layman can go for news and data analysis is Nate Silver‘s Five Thirty Eight, the blog that first used to do data analysis of baseball stats and then turned to using the same type of analysis to predict presidential campaign results for every county in the United States. In 2012, he correctly predicted the presidential election results for each state and 31 of the 33 senate elections as well. This type of work cannot be done through mere argument. One cannot convince someone else of the correctness of a prediction. One must simply wait for the results. And then one must analyze whether the predictions were correct due to luck or predicted causes.

Opinion

In order for banks to be able to better protect their businesses from cybercrime and enhance business opportunities, they will need to hire data managers and data scientists in every area of the bank. Currently, most of these people are in operations. But this simply isn’t going to be enough. A large portion of the world, even a large portion of Americans, are not in the traditional banking system and now they are being provided options without having to join the banking system. This is good for an economy up to a certain point. And then it will hinder economic growth. Why? Because banking is the industry that finds excess money and invest into areas of the economy that needs money. Providing transaction services might facilitate transactions that could not be done before but as long as those funds never enter the banking system, governments will be required to borrow more money to fund their private sector growth, rather than private sector figuring it out for itself.

Advertisements

Obama to Create New Central Cybersecurity Agency

The private sector plays a more central role in spotting and responding to cyber incidents than they do in the counterterrorism realm, where the government largely takes the lead. – Lisa O. Monaco, President’s Homeland Security and Counterterrorism Advisor

http://www.darkgovernment.com/news/wp-content/uploads/2008/11/director_of_national_intelligence.png
Seal of the Office of the Director of National Intelligence

Lisa Monaco announced the launch of Cyber Threat Intelligence Integration Center (CTIIC), which will provide analysis to policymakers and intelligence operatives using private sector data.

CTIIC will report to the Director of National Intelligence.

This was also written about in a previous post.

 

 

 


About the Author: Marcus Maltempo is a compliance professional with more than a decade of experience helping banks, law firms and clients manage investigations and regulatory responses.


Carbanak Robs Banks And Bank Clients of $1 Billions

The greatest heist of the century: hackers stole $1 bln.

Carbanak is a an APT-style campaign targeting (but not limited to) financial institutions that was claimed to have been discovered in 2015 by the Russian/UK Cyber Crime company Kaspersky Lab who said that it had been used to steal money from banks. The malware was said to have been introduced to its targets via phishing emails. The hacker group was said to have stolen over 500 million dollars, or 1BN dollars in other reports, not only from the banks but from more than a thousand private customers. – Kaspersky Labs

To date, the main targets have been in the United States and Russia followed by Germany, Ukraine and China. Not only is the amount stolen large and the number of institution breached many, but the amount of time this has been going on has been long, years, in fact. The official Kaspersky Labs report claims to have evidence of this beginning in 2013. The way the hackers extracted money were varied. Sometimes it was relatively simple: the virus would attack an ATM and would just spit out loads of cash at a scheduled time, allowing a member of the hacking team to go and pickup the cash. Other times it used sophisticated methods: attacking the accounting system, incorrectly placing the decimal point of an account so the account balance was ten times more than it should be and then it would correct it by transferring the extra amount into accounts it had setup in other banks, laundering the funds and making it legit. Essentially, it was creating money. And the correction would go unnoticed because all of this would take place before the banks would have run a account balance check, which banks do with every account, though it’s been found out that many banks only do this about once every ten hours.

While I am able to explain it to you, my reader, in just one long sentence about one of its sophisticated methods, you must understand that there are multiple systems checking for correct coding of every transaction and every account. In order to go undetected, the virus must be able to do two things very well: it must understand the various languages used by various systems and the algorithms being used by these systems for both routine and special operations as well as mimic human interaction with these systems. The first part might sound like a defined problem that can be solved but it isn’t. The algorithms are built to change as it learns more. Carbanak was designed to learn and wait long before executing its financial transactions, if one can call it that.

Kaspersky Labs is the name of a cyber security firm based out of Russia named after its founder, Eugene Kaspersky. Kaspersky was trained in mathematical engineering at Moscow Institute of Physics and Technology, which was established and run by the Russian Defense Ministry and the KGB, Russian intelligence. Because of this background, the Lab hasn’t received as much business as it could have. However, over the years, with Kaspersky writing and opining about cyber crime and cyber security in reputable media outlets and with the Lab’s success in forensic research, like this one, Kaspersky Lab has been garnering more and more corporate clients. Kaspersky Lab also has retail security products.

Below, I have provided the report and various inforgraphics that Kaspersky Labs has created to educate the world on Carbanak. Also, I have provided a list of links that will help you quickly understand the issues surrounding the initiation, operation and discovery of the virus.

Carbanak APT Rpt Img
Carbanak APT: The Great Bank Robbery v2.0 by Kaspersky Lab

 

http://en.wikipedia.org/wiki/Stuxnet
http://en.wikipedia.org/wiki/Programmable_logic_controller
https://twitter.com/e_kaspersky/status/532595984111382529
http://blog.kaspersky.com/billion-dollar-apt-carbanak/
http://en.wikipedia.org/wiki/Eugene_Kaspersky
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf

 

 

Carbanak_2_en map_Carbanak inf_Carbanak_x12802Carbanak_2_en

 


About the Author: Marcus Maltempo is a compliance professional with more than a decade of experience helping banks, law firms and clients manage investigations and regulatory responses.


How super cookies threaten bank security

Super cookies threaten bank security by exposing both customer data in ways that are more discreet than ever before.

zombie_cookies

What are super cookies?

Super cookie are sometimes called zombie cookies. The most typical type of super cookie is called flash cookie because it is a cookie from Adobe Flash plug-in. Cookies are little bits of code websites leave on your browsers cookie folder so that it can remember your preferences and, should you choose to do so, account information and password. Basically, when you turn on your browser and you can get to your email or Facebook without having you login, the website has a cookie in your browser cookie folder. It is pretty convenient.

The usual threat

If this bit of code contains personal information, then of course your identity is threatened by anything that is going to try to retrieve it when it is not supposed to. The codes need to be deciphered, usually. There are lots of websites and phone applications known to have very security on their cookies, making it very simple to decipher. On a consumer level, this is dangerous because most consumers are not all that creative with their passwords, using the same one for all of their accounts.

The banking relevance

For banks, the threat is more real than ever. Transactions are usually legitimized in multiple ways: correctly identifying the transaction parties, correctly using the transaction accounts, correctly using passwords, matching payment sender and receiver, matching banking institutions and on and on. Most of these matches have been nearly eliminated because the banking system has taken care of most of them, having the consumer contact points reduced to the point of sale.

The primary banking threat

Now that the whole purchasing process can take place online, a digital path can be created for transactions. Here’s how it works: Jaco wants to purchase a bass guitar. He goes to SuperBassGuitarGlobalMarket.com and looks around. Jaco looks are strings and pick-ups and amplifiers along with bass guitars. He purchases a rare Flea Bass and nothing else. SBGGM keeps a cookie on his computer so that when he returns the website can present him with suggestions based on his purchase and his surfing history. If Jaco deletes the SBGGM cookie, then his return visit will not have any suggestions based on his surfing history. If SBGGM uses Adobe Flash on its website and creates a cookie in Adobe Flash, it keeps the cookie in an Adobe folder rather than a browser folder. Jaco’s return visit, will show him suggestions based on his previous visits even if he deleted SBGGM’s browser cookie. A cyber criminal can hack into Jaco’s computer, get onto SBGGM’s website, get on Jaco’s account, make purchases from the website suggestions, have them shipped to another address. From there, bought items could be sold for money. To add an additional layer of stealth, the cyber criminal can make purchases that are small every month to go undetected, especially if Jaco tends to just pay for all of the credit card balance at the end of each month. As long as the consumer does not pay attention to every transaction, consumer is paying for these transactions. Banks have been flooded with small fraudulent transactions. These transactions make banking more expensive for everyone.

Because super cookies circumvent a consumer’s deliberate attempt to erase information trails, it poses a super threat.


About the Author: Marcus Maltempo is a compliance professional with more than a decade of experience helping banks, law firms and clients manage investigations and regulatory responses.


How Net Neutrality Threatens Banks

Tom Wheeler is being credited for being the twenty first century’s Senator Joseph Kennedy.Tom_Wheeler_FCC

Last week, Tom Wheeler, Chairman of the Federal Communications Commission (FCC), publicly announced his support for Net Neutrality.

Background

1219px-FCC_New_Logo.svgNet Neutrality is the name of the principle that all internet service providers (ISPs) should provide equal access to the their content providers. Proponents of Net Neutrality claim that it is this principle that has enabled many small content providers, social networks and economic platforms to flourish. Without continuing a policy that implements this principle, the next developing the next big thing will be so expensive that it won’t happen, at worst, or will happen in other economies, at best. Also, proponents are argue that a tiered service would amount to content discrimination. Proponents include Yahoo!, eBay, Amazon, Microsoft, Lawrence Lessig, Steve Wozniak and, even, President Barack Obama.

Those against Net Neutrality argue that the current system hinders financing the development of better telecom infrastructure, customers, especially lower income customers, are subsidizing large bandwidth heavy content providers and effectively lowering the service quality they receive. Those against Net Neutrality include major telecommunications providers, internet service providers and free market types. (Sadly, the names against Net Neutrality just aren’t as well known as the proponents, thereby making it unnecessary to enumerate.)

Both sides are correct.

Net Neutrality logoCurrently, Net Neutrality is in place. This means that when most people go online to do bandwidth heavy activities, such as listening music on Spotify or Pandora, or watching videos on Youtube or Netflix, no additional charges are incurred. If Net Neutrality was done away with, either the customers or the music and video providers or a combination of the two will have to pay for the heavy bandwidth. Seems more expensive?

Well, imagine if you are one of those creative types who are trying to develop something that will compete with YouTube, one of the groups of people proponents would like to protect. Because your competitor is providing their service for free, no one wants to go to your site. You are ten years behind and whatever great idea you have is very unlikely to get the notice to effectively compete with the established players. Customers are getting a great experience with existing industry players but they are missing out on potentially others.

There are more ways to think about what the alternative universe would look like in a world without Net Neutrality. One can even look at other developed economies to see how their industries have fared without Net Neutrality. Most common example is the United Kingdom.

How Net Neutrality Threatens Banks

Banking on both retail and investment side are being done more and more on the internet. Banking was one of the first industries to adopt internet technology. this makes sense since banking is a transaction system. Anything that helps to reduce the cost, increase the speed and better secure transactions would make an industry player more competitive.

Banking industry has experienced two major transitions in the last century. First was the transition from currencies backed by precious metals to fiat currencies. Second was from fiat currencies to digital currencies. Today, nearly all of the $2 Trillion in currency transactions per day are done digitally between computers. Despite the fact that the US Dollar and other currencies are government backed, in nature they aren’t much different from cyber-currencies like BitCoin. (There are some significant differences but those primarily have to do with the capabilities of the currency types, which, at this point, are not relevant for this discussion.)

Cyber-crime is performed in two primary ways. The “old school” method is to email or otherwise contact a person, deceive them in some way, and steal valuable information, which then can be used to “legitimately” tap into customer accounts. The more sophisticated method is to write codes that would do steal information or take over the processing capabilities to tap into customer accounts. These codes are, in many sense, the same as content. in order for Youtube to provide you with free videos, YouTube must develop code to do so. So, effectively, everyone is subsidizing the dissemination of cyber-crime.

Banks have been working very hard to secure themselves from both types of threats. Protection from phishing, the “old school” cyber-crime, banks require registering computers (via IP addresses) before entry into bank accounts. For institutional clients, this might be much more sophisticated than for retail customers but it is essentially the same.

To protect customers from code attacks, which are generally attacks directly on bank infrastructure, banks have hired technologists to develop hardware and software that protect servers.

Net Neutrality is a subject most people do not understand the nuances of, and, usually, favor without understanding the ramifications of its perpetuity. I am not taking a stance on either side of the discussion, but I think knowledge would do it great service.


About the Author: Marcus Maltempo is a compliance professional with more than a decade of experience helping banks, law firms and clients manage investigations and regulatory responses.