Banking Technology Connections: September 5, 2012
September 5, 2012
Hackers are always looking for new ways to exploit the exploding popularity of smartphones, but one simple flaw has persisted in the iPhone operating system since the very first release-and hackers are taking advantage of this. Every SMS text message includes both the sender's phone number and a "reply-to" phone number, which can be manipulated by the sender. iPhones only display the "reply-to" phone number and present it as the source of a text message.
This opens up yet another social engineering opportunity for hackers. Spoofing (or falsifying) the source of an SMS text message can be just as effective as spoofing an email, and the attacker won't have to contend with your email security systems. This tactic is known as "smishing." You should train your employees to be skeptical of any unusual text messages they receive, and not to trust the source.
This also applies to your customers. They can receive "smishing" texts that appear to come from your institution, so you will need to be prepared to handle these incidents. You should also consider that out-of-band authentication channels sometimes involve text messaging. These could be spoofed as well!
Most people are familiar with social engineering tactics by now, but it's important to remember that social engineers will use every available avenue of attack, and that includes text messaging.
One Tuesday each month we will feature comments from our professionals on topical issues. This month's contributor is Ryan J. Rodrigue, CISA, a Supervisor in the IT Assurance Services group. Please feel free to contact Ryan with any questions at firstname.lastname@example.org.
Interesting Articles of the Week
Hackers vow 'hellfire' in latest major data leak (CNet)
SEC gets serious about cyberattack disclosures
William Henley of FDIC discusses examiners' approach to assessing banks' conformance to Auth Guide
Banks urged to accelerate their mobile-wallet deployments
Bank vs Customer: Bank loses
Lessons from FFIEC Authentication Exam
Do you have an article that you would like to share with the group? Let us know and we will add it to the list! Did you miss a newsletter? Check out past newsletters here.
9/7/12 (Bretton Woods, NH)
NH/VT Bankers Association: Annual Conference
9/7/12 (Marlborough, MA)
MA Bankers Association: 2012 Risk Managers Forum
9/9/12 (Verona, NY)
IBANYS: Annual Convention
Goodbye Request for Proposal, Hello Smart Vendor Selection
9/12/12 (Atlantic City, NJ)
NJ Bankers Association: Senior Manager Conference
9/13/12 (East Greenwich, RI)
ISACA RI: Software (In) Security – The Problem
9/13/12 (Newport, RI)
Maine Bankers Association: Annual Conference
9/13/12 (Jersey City, NJ)
ISACA NY: Third Party Risk Management Mini Summit
9/18/12 (Wisconsin Dells, WI)
Wisconsin Bankers Association: Technology Conference
10/17/12 (Marlborough, MA)
Massachusetts Bankers Association: IT Audit Training 2012
11/2/12 (Atlantic City, NJ)
NJ Bankers Association: BankHorizons
Do you have an event that you would like to share with the group? Let us know and we will add it to the list!
Questions? Interested in learning more about Wolf's IT Assurance and Security services?
Please contact Matthew J. Putvinski, CPA, CISA, CISSP, Member of the Firm and Director of IT Assurance and Security services, at (617) 428-5479 or email@example.com.
If you would like to subscribe to this newsletter and receive it via email please contact Sam Sexer at firstname.lastname@example.org.