NCR Banned Mint, QuickBooks Online Over Alleged Account Hacks
The incident reflects a growing problem with safeguarding online bank accounts.
Global retail and banking service giant NCR Corp. took the step of temporarily blocking Intuit products Mint and QuickBooks from accessing its online banking platform Digital Insight, according to a November 3 report from KrebsOnSecurity. The ban was a response to a number of bank account takeovers that allegedly used the Intuit platform to circumvent security measures.
Finder has not been able to independently confirm this report. However, if true, this incident highlights the escalating dangers of password abuse with online banking.
A credit union officer who uses Digital Insight told KrebsOnSecurity that his institution was hacked. During the week of October 20, several dozen of his bank’s accounts were compromised. The attack took place over the week in 12-hour periods, targeting accounts every 5 to 10 minutes. The aggregator service used to access the accounts failed to consistently deliver prompts for multifactor authentication, meaning the hacker needed only to submit the username and password to gain access.
NCR, in a statement sent to KrebsOnSecurity, confirmed that the company temporarily suspended aggregation capability for some of its customers on October 25. “The notification was sent while we investigated a report involving a single user and a third-party product that aggregates bank data,” reads the statement, which was also sent to NCR customers on October 29.
Connectivity was restored once the situation was resolved. “As we noted, the criminals are getting aggressive and creative in accessing tools to access online information, NCR continues to evaluate and proactively defend against these activities.”
Banks and Security
This situation reveals an unsettling truth about banks. According to a report from cybersecurity company FireEye, fewer than half of all organizations feel they are ready for a data breach or cyberattack. Almost 29% of organizations that have created cyberattack response plans have not tested or updated them in the last 12 months.
While the U.S. has taken the lead in data protection, per the report, the amount of fraud detected — particularly to nonbank fintech platforms — is on the rise. According to Kenneth Blanco, director of the US Treasury's Financial Crimes Enforcement Network (FinCEN), about 5,000 account takeovers involving about $350 million are reported to FinCEN monthly, though actual losses can be greater.
“With billions of compromised credentials exposed online, there is a high likelihood that most users of the U.S. financial system have had some information about themselves, whether PII or login information, compromised at some point,” Blanco said at the Federal Identity Forum and Exposition in September.
Usernames and passwords are readily available on the darknet. These username and password lists are typically either phished — stolen by sending a user a link to a false login, which logs the authentication data — or “brute forced” using specialized software. Brute forcing works by using known passwords and word lists to guess valid usernames and passwords.
These lists are sold on the darknet to “verifiers,” who use them to coordinate an automated attack to verify the combinations. The “verified” combinations are sold to aggregators, who use software interfaces from platforms like QuickBooks to regularly check the logins and confirm they stay valid. Finally, a human logs in to one of the accounts, links a transfer account like PayPal to it, goes through any confirmation steps and then makes withdrawals from the account. Because the bank doesn’t necessarily know that anything is amiss until the human interaction, it is possible for this kind of attack to go unnoticed for weeks or even months.
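A bank-side check for the pattern reported above (many different accounts reached through one aggregation client, without an MFA prompt, at a steady pace within a 12-hour period) could look like the following. This is an added example, not code from NCR, Intuit or KrebsOnSecurity; the event fields, client names, alert threshold and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(hours=12)   # the reported attack ran in 12-hour periods
MIN_ACCOUNTS = 12              # assumed alert threshold, tune per institution
CADENCE_S = (5 * 60, 10 * 60)  # one account every 5 to 10 minutes


def sample_events():
    """Constructed events: (time, client, account, mfa_prompted, success)."""
    t0 = datetime(2000, 1, 1, 8, 0)  # arbitrary constructed start time
    events = [(t0 + timedelta(minutes=7 * i), "agg-client-17", f"acct-{i:03d}", False, True)
              for i in range(30)]
    # An aggregator client re-syncing its own single account every hour.
    events += [(t0 + timedelta(hours=i), "agg-client-02", "acct-900", False, True)
               for i in range(10)]
    # Interactive web logins that did receive an MFA prompt.
    events += [(t0 + timedelta(minutes=6 * i), "web", f"acct-{500 + i}", True, True)
               for i in range(20)]
    return events


def flag_clients(events):
    """Return clients that reached many distinct accounts without MFA at a steady pace."""
    hits = defaultdict(list)
    for ts, client, account, mfa_prompted, success in events:
        if success and not mfa_prompted:
            hits[client].append((ts, account))
    findings = {}
    for client, rows in hits.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > WINDOW:  # slide the 12-hour window
                lo += 1
            window = rows[lo:hi + 1]
            accounts = {acct for _, acct in window}
            if len(accounts) < MIN_ACCOUNTS:
                continue
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(window, window[1:])]
            if CADENCE_S[0] <= median(gaps) <= CADENCE_S[1]:
                findings[client] = {"accounts": len(accounts), "median_gap_s": median(gaps),
                                    "first": window[0][0], "last": window[-1][0]}
    return findings


if __name__ == "__main__":
    for client, info in flag_clients(sample_events()).items():
        print(client, info)
```

Only the client that walks through 30 different accounts is flagged; the client that keeps re-syncing one account and the MFA-prompted web logins are not.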
As such, proper financial hygiene is essential. Because it is easier to “brute force” a simple or recycled password, change your passwords at regular intervals. Confirm links before clicking on them, and check your balance and account history often, reporting any irregularities immediately.
Most importantly, keep an eye on your personal and financial security. As technology continues to evolve, so does the ability of criminals to defraud you. “The question that we have to think about is what is available to be hacked and how can it be used?” Blanco added.
“These days social media has combined with DNA to discover family members — a remarkable achievement. But if the past is any indication of the future, we have to consider how this data could be compromised and used for inheritance fraud, to steal intellectual property, or fraudulently plant genetic evidence at the scene of crimes.”