Month: May 2019

On May 28, the European Central Bank (ECB) announced that it had begun circulation of new €100 and €200 banknotes with upgraded security features.  The ECB described these features, which “make the banknotes more resistant to counterfeiting,” as follows:

At the top of the silvery stripe a satellite hologram shows small € symbols that move around the number when the banknote is tilted and become clearer under direct light. The silvery stripe also shows a portrait of Europa, the architectural motif and a large € symbol. The new €100 and €200 banknotes also feature an enhanced emerald number. While the emerald number is present on all the other notes of the Europa series, this enhanced version also shows € symbols inside the number.

In addition, the ECB explained that the new €100 and €200 notes “are now the same height as the €50 banknote, which makes them easier to handle and process by machines,” and “will also fit better in people’s wallets and last longer, as they will be subject to less wear and tear.”

The new €100 and €200 notes are the last and highest-denomination notes in the so-called “Europa” series.  Although the first series of Euro banknotes issued in 2002 included a €500 note, the ECB stated that there will be no €500 note in the new series. The last of the 19 central banks in the Euro area ceased issuing such notes as of April 26.  The ECB emphasized, however, that all of the old series, including the €500 note, will continue to be legal tender.

Note:  Not only retail operations in European banks, but anti-money laundering teams in financial institutions that handle Euro banknotes, should take note of these changes.   According to the European Union law enforcement agency Europol, the €20 and €50 notes are, respectively, the most and second-most popular denominations for counterfeiters, accounting for 83.3 percent of counterfeit notes detected in the first half of 2015.

With the withdrawal of the €500 notes from circulation, however, the €100 and €200 notes are likely to become increasingly in demand for criminal as well as legitimate cash transactions.  The ECB reported that the demand for €100 and €200 banknotes is already increasing, at annual rates of 7.6 percent for the €100 and 8.6 percent for the €200.

For those interested in more information about the security features of the new notes, the ECB has a detailed fact sheet.

On May 10, Equifax announced its financial results for the quarter ended March 31, 2019.  In that announcement, the company reported that during that quarter, it took a $690 million pre-tax legal accrual relating to the 2017 data breach that “resulted in the exposure of the personal data of 148 million individuals in the U.S., or 56 percent of all American adults.”  Equifax explained that the $690 million reflects its “estimate of losses we expect to incur in connection with a potential global resolution of the consumer class action cases and the investigations by certain federal and state regulators [related to the breach].”

The $690 million, according to Bank Information Security, represents only a substantial portion of the $1.35 billion in costs that Equifax reported it has incurred to deal with the breach.  Moreover, as Equifax acknowledged, that $1.35 billion is not the final tally of breach-related costs:

While it is reasonably possible that losses exceeding the amount accrued will be incurred, it is not possible at this time to estimate the additional possible loss in excess of the amount already accrued that might result from adverse judgments, settlements, penalties or other resolution of the proceedings and investigations related to the 2017 cybersecurity incident based on a number of factors, such as the various stages of these proceedings and investigations, that alleged damages have not been specified or are uncertain, the uncertainty and complexity of achieving a multi-party resolution, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues.

Equifax ended this statement on a potentially ominous note: “The ultimate amount paid on these actions, claims and investigations in excess of the amount already accrued could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.”

Note: Chief Information Security Officers and Chief Compliance Officers should draw on this information in reminding senior executives in their companies and agencies about the substantial compliance, reputational, and other risks that can flow from inadequate cyber-defenses.  At the time, the Equifax breach seemed to be an object lesson for public- and private-sector entities in maintaining robust cybersecurity.  The continuing spate of reports about breaches that have resulted in losses of billions of  personal records, and cyberthefts that caused billions of dollars in losses, however, indicates that too many firms and agencies have not taken that lesson to heart.

On May 21, Irish Tech News reported that the Irish professional services firm Mazars Ireland published the results of a survey to examine occupational fraud and abuse in Ireland.  The survey, conducted in February 2019, obtained information from nearly 100 senior figures in the Irish private, nonprofit, and public sectors for insight into the level of actual occupational fraud and abuse.

Key findings from the Mazars survey included the following:

• Approximately 50 percent of respondents had suffered a loss due to occupational fraud and abuse in the past two years. The average financial loss was between €10,000 and €20,000.
• Twelve percent of respondents suffered losses greater than €500,000 in the past two years.
• The principal causes of such losses related to the theft of cash (32 percent) and of goods (19 percent), but businesses also experienced losses due to expense fraud (16 percent) as well as payroll, invoice fraud, and conflict of interest issues.
• Thirty-three percent of the frauds reportedly was detected by internal audits, and 25 percent by whistleblowing or “speak up” channels.
• Nearly two-thirds (65 percent) “had not undertaken a formal fraud risk assessment or implemented proactive data monitoring across their business operations.”
• Approximately 34 percent of respondents “did not have formal investigation procedures or anti-fraud policies in place.”
• Forty percent placed a high degree of reliance on the head of internal audit to perform Investigations.
• Eighty percent “provided a strong indication that they have whistleblowing or speak up arrangements in place.”
• Forty percent indicated that, in addition to their own organizations’ staff, customers and suppliers could also use the organizations’ whistleblowing arrangements.

The report also “pointed to a worryingly low level of awareness of anti-bribery and corruption legislation amongst Irish businesses.”  Fifty percent of respondents reportedly were unaware of the recent Criminal Justice (Corruption Offences) Act 2018, “which introduced the new corporate liability offence and allowed for a corporate body to be held liable for the corrupt actions committed for its benefit by any director, manager, secretary, employee, agent or subsidiary.”

Note: The Mazars survey provides strong indications that Irish small, medium, and large private- and public-sector concerns need to review the state of their fraud risk management programs, and be prepared to remedy any significant shortfalls in risk and compliance program implementation.  Certainly not all businesses and agencies can completely prevent fraud directed at their operations, but when nearly two-third of respondent companies have not even conducted formal risk assessments or put proactive data monitoring in place, they run the risk of substantial losses and – depending on the industry, nonprofit, or government function they perform – further adverse consequences from regulatory enforcement actions.

The survey’s finding that half of respondents are unaware of the new Irish corruption-offenses legislation, which has been in force since July 2018, also indicates that public- and private-sector entities need to undertake a new round of publicity and training about the Act’s key provisions.  In addition to the corporate-liability offense and “failure to prevent”-style liability mentioned above, businesspeople and government employees need to recognize that the Act contains a number of other new offenses that expands criminal liability to other aspects of corruption.  These include active and passive trading in influence; an Irish official doing a corrupt act in relation to his or her office;  giving a gift, consideration, or advantage, knowing that it will be used to commit a corruption offence; creating or using false documents; and intimidation where a threat of harm, rather than a bribe, is used.

Irish  companies and agencies, regardless of their size, need to incorporate that information into their internal trainings and briefings, and to expand their compliance programs appropriately, including internal controls, if they are to be able to demonstrate the effectiveness of those programs.

On May 7, the global cryptocurrency exchange Binance issued a statement that it had discovered “a large scale security breach” in which “hackers used a variety of techniques, including phishing, viruses and other attacks,” to withdraw 7000 Bitcoin in a single transaction.  That withdrawal, according to The Times, was equivalent to more than $40 million.

Binance’s Chief Executive, Changpeng Zhao, emphasized in the statement that the attack “impacted our BTC hot wallet only (which contained about 2% of our total BTC holdings). All of our other wallets are secure and  unharmed.”  He also described the general outlines of the attack:

The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that.

Zhao committed to using Binance’s Secure Asset Fund for Users (SAFU), an emergency insurance fund stored in a separate cold wallet, “to cover this incident in full. No user funds will be affected.”  While Zhao informed customers that Binance was temporarily suspending deposits and withdrawals pending a thorough security review, he promised that Binance would continue to enable trading, but added a caveat that “the hackers may still control certain user accounts and may use those to influence prices in the meantime.”  On May 15, Binance issued a supplemental statement that it had completed its system upgrade and would resume all trading activity.

Note: Although one Binance admirer tweeted that at Binance “they take security serious” [sic], this latest incident involving massive cyberthefts from cryptocurrency exchanges does nothing to enhance the financial sector’s confidence in the crypto sector’s commitment to cybersecurity.  Unlike other recent large losses by cryptocurrency companies, Binance – reportedly one of the world’s largest cryptocurrency exchanges — at least has its SAFU to provide customers with protection from individual losses.  Other cryptocurrency exchanges need to establish similar insurance funds for customers’ deposits, and to make the size and operations of such funds highly transparent, if they are to broaden their still relatively narrow base of public confidence.

On May 15, the APWG (formerly the Anti-Phishing Working Group) published its Phishing Activity Trends Report, 1^st Quarter 2019.  The Report addressed the following topics:

• Unique Phishing Websites Detected: The total number of unique phishing websites that the APWG detected in 1Q 2019 was 180,768. That represents a 30.7 percent increase from 4Q 2018 (138,328), and a 19.7 percent increase from 3Q 2018 (151,014).
• Unique Phishing Reports from Consumers to the APWG: The total number of unique phishing reports that the APWG received from consumers in 1Q 2019 was 112,393. It should be noted that although the number of phishing reports received in January and February was almost identical (34,630 and 35,364, respectively), the number of reports received in March was 42,399 – a 19.9 percent increase since February.
• Brands Targeted by Phishing Campaigns: The number of brands that phishing campaigns targeted remained fairly even during 1Q 2019 (327, 288, and 330 for January-March, respectively).
• Most Targeted Industry Sectors: For the first time in APWG quarterly reports, Software-as-a-Service (SaaS) and webmail services became the most-targeted industry sector, with 36 percent of all phishing attacks (compared to 30 percent in 4Q 2018 and 20.1 percent in 3Q 2018).  The next four most-targeted industry sectors were payment (27 percent), financial institution (16 percent), e-commerce/retail (3 percent) and telecom (3 percent).  Attacks against cloud storage and file hosting sites accounted for only 2 percent of all attacks in 1Q 2019 – a substantial decline from 11.3 percent of all phishing attacks in Q1 2018.
• Use of Encryption to Deceive Victims: In 1Q 2019, 58 percent of phishing sites used SSL certificates, indicating that they were protected by the HTTPS encryption protocol, to create a false appearance of legitimacy. That represents a 26 percent increase since 4Q 2018 (i.e., 46 percent using SSL certificates), as well as the highest percentage of phishing attacks hosted on HTTPS since Q1 2015.  According to John LaCour, Chief Technology Officer of PhishLabs, there are two reasons for phishers’ increased use of SSL certificates: more web sites in general are using SSL, because browsers are warning users when SSL is not used, “[a]nd most phishing is hosted on hacked, legitimate sites.”
• Brazil Phishing Trends: In 1Q 2019, the volume of Brazil-related phishing (i.e., e attacks against Brazilian brands or against foreign services that are available in Portuguese in Brazil) increased since 4Q 2018 to 3,220, including more than 1,200 in January alone.  Brazil-related malware cases in 1Q 2019 were 180, and malware detections in March were less than at any time since the start of  4Q 2018.  The report also states that “[e]ach kind of malware identified during this period, on average, aimed to affect up to thirteen Brazilian financial institutions and their customers. The largest number of targets found in a single malware device was nineteen.”

Note: Chief Information Security Officers and Chief Compliance Officers should share these data with their respective teams for general awareness.  As with other APWG quarterly reports, this report reflects general data on phishing trends and not the severity of any single phishing attack on a particular company or financial institution.  Companies offering SaaS and webmail services, however, should take particular note of the significant increase in phishing attacks targeting their sectors.