No matter the outcome, financial institutions and their clients both lose when cybercrime cases go to court.
How much time, effort, and money is spent pursuing a lawsuit against a financial institution in the aftermath of a cybercrime? In the last several weeks, U.S. courts resolved several lawsuits filed by cybercrime victims against their financial institutions. Each took nearly three years to process, and the outcomes differed. One institution successfully defended itself; another financial institution chose to settle, repaying the client’s losses rather than taking the lawsuit to trial.
I learned news of yet another “attack” on one-time password (OTP) authentication. By design, all OTP authentication schemes (including RSA SecurID, VeriSign VIP, Vasco tokens, OATH tokens, and most SMS implementations) need to protect against a man-in-the-middle (MITM) attack. The Emmental attack leverages a MITM attack by redirecting the DNS records of at least 34 financial institutions to the hacker’s server. The twist is that it also redirects an SMS message on the end user’s mobile device, the second authentication factor in the two-factor scheme.
2014 might just be remembered as the year of high-profile data breaches. Companies and institutions such as eBay, P.F. Chang's, and the University of Maryland have already been targeted, and new attacks are being uncovered almost daily. Consumers are beginning to shrug off the news as a normal cost of paperless e-commerce. This is truly unfortunate, because the average consumer will end up footing a portion of the bill for a data breach, whether or not their personal information was compromised in it.