Archive
New European rules for mobile banking apps coming to a device near you…
The world is clearly a better place now that we carry computers in our back pockets, but we need stronger security measures for payment transactions, and that means more regulation, such as the European Commission's PSD2.
The Payment Services Directive mandates compliance by September 2019 and aims to regulate banks, payment service providers and electronic payments to include security features to protect consumers across digital channels. The PSD2 legislation will require financial services in the European Union (EU) to contribute to a more integrated, secure, and efficient payments ecosystem.
The PSD2 directive requires financial institutions to:
- Provide or implement a monitoring mechanism in their apps to detect and report signs of malware.
- Provide security measures in their apps to mitigate risk on the user's device.
- Ensure consumers have a secure environment in which to execute their financial transactions.
In Article 2 and Article 9 of the directive, PSD2 highlights Strong Customer Authentication (SCA) and Safe Execution Environment (SEE), which require de-risking across the various threat vectors that affect mobile apps.
These include detecting compromised devices (e.g. jailbroken or rooted), unsafe environments (such as a fake or malicious Wi-Fi network), as well as malware and vulnerabilities within the application execution environment. PSD2 also includes the RTS (Regulatory Technical Standards), regulatory requirements set by the European Banking Authority (EBA) to ensure that payments across the EU are secure, fair and efficient.
To meet these requirements, financial institutions should add strong security capabilities like binary protections to their mobile apps. These controls are designed to protect against known and unknown threats on users’ devices.
Mobile banking apps should also be able to detect when they are installed on risky devices and consider restricting access to high value banking services until those risks have been remediated.
Honest, it was like that when I drove up?
It can be comforting to know that McD's is still running Windows XP for their drive-up kiosks, and is still having logic-based software problems like the rest of big enterprise, isn't it?
WebInspect has 3 great new features – Micro Focus Community – 1796294
Malicious Python libraries targeting Linux servers removed from PyPI | ZDNet
3 malicious libraries used in many open source packages. https://www.zdnet.com/google-amp/article/malicious-python-libraries-targeting-linux-servers-removed-from-pypi/
How to Gain Access to Domain Credentials Without Being on a Target’s Network
A two-part series on password spraying that helps illustrate the dangers of web-based authentication sites.
This is a good read for those in development who are not familiar with how attackers are gaining access.
TD customers question how Visa Debit chequing accounts were compromised | CBC News
https://www.cbc.ca/news/canada/nova-scotia/spotify-charges-td-accounts-virtual-debit-cards-1.5213569
Slack resets thousands of user passwords four years after hack – The Verge
Google joins Microsoft and deprecates XSS Auditor for Chrome
In an effort to remove overhead and avoid the backlash, Chromium developers have decided to remove XSS filtering from future versions of Chrome.
https://portswigger.net/daily-swig/google-deprecates-xss-auditor-for-chrome
Let’s make Security everyone’s concern
In what I consider to be a concise delivery of how Cybersecurity can affect all of us, this guy has gone in front of the Committee on Public Safety and National Security to tell our politicians why Security is important and what is at stake!
I have known Thomas Davies for several years and consider him well versed in Cybersecurity. He understands how the bad guys continue to penetrate our computers despite the best methods of network defence and has taken the time to share his perspective with our government.
I included this session from April 1 of this year and have snipped a few minutes of what was an hour and a half where many of our Canadian brethren helped hit home the message that ‘Cybersecurity cannot do it alone’. Gone are the days where the masked man on the white horse can swoop in and save the day because there aren’t enough masked men (and women) in our industry, anywhere.
We built a network of interconnected endpoints using a communication method that just wasn’t designed to be secure. We then built applications on top of those networks that were also not designed to be secure. Netscape came along and created a way to provide some security and here we are several decades later. (Not blaming anyone here but this is what we did and now we have to live with the consequences) 😎
My hope is that our government, and other countries like ours, will come to understand that without the resources required to 'try and keep the ship from taking on water', our electronic commerce will be in jeopardy. It is only a matter of time before a major outage occurs as a result of a major cyber incident.
I am not sure any type of legislation can help us solve this problem in the near future but it might be time for our government to get involved before it’s too late.
Kudos to you, Thomas Davies, for being part of the solution. I am proud to call you a friend! (We are still friends, right?)