ABA Banking Journal: Financial Regulators Acted Outside Legal Bounds in Proposing Financial Data Standards
September 4, 2024
A proposed rule to establish uniform financial data standards across regulatory agencies is flawed because it failed to consider using CUSIP and ISIN as common identifiers for financial instruments despite their widespread use in the financial system, and because the agencies acted outside their statutory authority in setting a new standard, the American Bankers Association said this week in a letter to the agencies. ABA is the owner of CUSIP, which was created in the late 1960s to promote open, transparent and efficient markets.
The Securities and Exchange Commission, Federal Reserve, FDIC and six other agencies in August proposed common data standards that would form the basis of data collections by financial regulators. As the identifier for financial instruments, they chose Bloomberg's Financial Instrument Global Identifier (FIGI) rather than the Committee on Uniform Security Identification Procedures (CUSIP) identifier or the closely related International Securities Identification Number (ISIN).
ABA noted that for nearly 60 years, CUSIP has worked closely with market participants to cover a wide range of global financial instruments, including extensive equity issues, fixed income, derivatives and U.S./Canadian-listed equity options and single stock futures, as well as loans. “Importantly, CUSIPs are the required means of identifying financial instruments for nearly every financial reporting form collected by the agencies, as well as the underlying identifier for a myriad of agency operations including Treasury issuances,” the association said.
ABA also said that by designating FIGI as the sole identifier, the agencies operated outside the statutory boundaries set by the Financial Data Transparency Act and the Administrative Procedure Act, which sets the legal process for agency rulemaking. The agencies overlooked the essential services that CUSIP provides to the financial system, ignored the negative effects that designating FIGI would have on the connectivity and stability of global financial markets, and failed to engage in any cost-benefit analysis, the association said.
ABA added that if the agencies push forward with the rulemaking, they should extend the comment period by 60 days to provide the public with a reasonable and meaningful opportunity to comment on the proposal.
Full Article.
CISA News: New Password Hacking Warning For Gmail, Facebook and Amazon Users
August 29, 2024
Update, Aug. 29, 2024: This story, originally published Aug. 27, includes new details of a phishing campaign that’s using particularly hard-to-detect attack methodologies.
New threat analysis from researchers at Kaspersky has revealed a dramatic rise in the number of password-stealing attacks targeting Amazon, Facebook and, most of all, Google users. Here’s what you need to know.
Amazon, Facebook And Gmail Are A Magnet For Password Hackers
It should come as no surprise that the likes of Gmail, Facebook and Amazon account credentials are so sought after by malicious hackers. After all, such accounts can be used to complete the cybercrime triumvirate of data theft, malware distribution and credit card fraud, respectively. Google accounts, in particular, are something of a skeleton key that can unlock a treasure trove of other account credentials and personal information to commit fraud. Just think about the information that is contained in your Gmail inbox, and the chances are high that you have one given how popular the web-based free email service is. And that’s before you consider how many organizations still send password change requests and second-factor authentication links to your email account.
Kaspersky analyzed a total of 25 of the biggest and most popular global brands in order to determine which of them are targeted most by cybercriminals in phishing attacks. The researchers found that there were around 26 million attempts to access malicious sites masquerading as one of these brands in the first half of 2024 alone, Kaspersky said. That represents an increase of approximately 40% over the same period in 2023.
Phishing Attacks Against Google Increased By 243%
Sitting at the top of the phishing target pile, for all the reasons already mentioned, was Google. When it comes to attempting to steal credentials such as passwords, Google remains a firm favorite on the cybercriminal attack radar. Kaspersky said it had seen a 243% increase in attack attempts for the first six months of 2024, with some 4 million such attempts blocked by Kaspersky security solutions during this period.
“This year has seen a significant increase in phishing attempts targeting Google,” said Olga Svistunova, a security expert at Kaspersky, confirming that a criminal who gains access to a Gmail account “can potentially access multiple services, making it a prime target.”
Facebook users saw 3.7 million phishing attempts, according to the Kaspersky research, which has yet to be published publicly online, while Amazon was on 3 million. Microsoft, DHL, PayPal, Mastercard, Apple, Netflix and Instagram completed the top 10 most targeted brands list. Although they didn’t make the top 10, Kaspersky said that other brands seeing a dramatic increase in targeting during the first six months of the year included HSBC, eBay, Airbnb, American Express and LinkedIn.
It’s important to note, however, that Kaspersky security researchers have put this rise down to an increase in fraudulent activity and not any decline in vigilance on the part of the targeted users.
Attackers Are Using Direct Calls And Text Messages In New Campaign
A new and worrying ongoing phishing campaign targeting more than 130 U.S. organizations has been identified, according to researchers Rui Ataide and Hermes Bojaxhi from the GuidePoint Research and Intelligence Team. The term “highly sophisticated threat actor” has been misused so much that it is now almost worthless, but the tactics and intrusion capabilities used by this as-yet unnamed attacker have prompted the GRIT researchers to attach the epithet to this campaign.
As is often the case in so-called spear-phishing campaigns, the starting point for this attack is to target individuals within organizations rather than taking a scattergun approach to the entire business address book. The researchers said that, since June this year, the threat actors have registered at least eight domain names created to resemble those of legitimate virtual private network technologies used by the targeted organizations themselves. This is further proof that the attacker is highly motivated and has done its homework on specific users at particular enterprises. “This attack starts with the targeting of individual users within an organization to harvest credentials as well as one-time passcodes via social engineering methods,” the researchers said.
Although they are not new in and of themselves, social engineering techniques that fall outside the focus of most traditional security tools, such as calls and messages to users’ smartphones, further obscure the phishing activity. As the researchers pointed out, unless users actually report receiving the calls or messages, security teams will be none the wiser. A single one-off attempt that the recipient recognizes for what it is would not be overly concerning, but it becomes important when, as the report noted, multiple individuals are targeted until a successful result is achieved. Patterns are important when it comes to cybersecurity defense. The calls are made to appear as if they originate from IT staff within the target business and concern a VPN login fault. The threat actor then sends a successfully convinced user a text message containing a link to a malicious site on the relevant custom VPN domain, with an interface where the credentials are entered.
The GRIT researchers suggest that, in order to mitigate this campaign, security teams should check logs for specific suspicious activity “from VPN assigned IP addresses from the past 30 days from the day of this notification.” If there are any signs of compromise, this might mean there is an immediate threat of a ransomware attack. “You should immediately declare an incident and perform a thorough investigation,” they said. Education is also important, so making users aware of social engineering and phishing in general is a given, but this awareness needs to be kept up to date. “Inform your users of this type of social engineering method for awareness, and to immediately report calls from unknown numbers claiming to be part of the IT or help desk staff,” the researchers concluded.
Microsoft Targeted By New Upswing In QR Code Phishing
Microsoft might have only come fourth in the Kaspersky list of attacks targeting brands, but one phishing technique has seen the Redmond, Washington giant rocket in recent months. According to a new report by Jan Michael Alcantara, a threat research engineer at Netskope, “a 2,000-fold increase in traffic to phishing pages delivered through Microsoft Sway” was tracked across July 2024 alone.
Microsoft Sway is freely available to users of Microsoft 365 as a cloud-based application for creating visually rich documentation, newsletters and presentations. Alcantara notes that when opening a Sway page, a potential victim is already logged in to their Microsoft 365 account, which adds an air of legitimacy to the phishing attempts, ones that, as tracked by Netskope at least, target Microsoft Office credentials by the use of QR codes. The target is advised to scan a QR code with their smartphone for ease of use, but the main reason is to bypass the stricter security measures found on corporate laptops. This particular campaign used some interesting techniques to avoid arousing suspicion, such as a CAPTCHA test to protect against static URL scanners and an attacker-in-the-middle technique in which phishing URLs are substituted for the real login URLs to collect the credentials, allowing the threat actor to log in as the victim.
Full Article.
Order Your 2025 Scenes of South Dakota Calendars!
The SDBA has opened up orders for the 2025 Scenes of South Dakota Calendar! This calendar features photos of South Dakota submitted by South Dakota bankers, their family members and customers.
These calendars are a great opportunity to thank your customers for their business and promote your bank or business. Your bank, branch or business' logo and name can be printed on each calendar to display in homes and businesses all year long. The SDBA logo is also included to emphasize the strength and security of South Dakota’s banking industry. The Scenes of South Dakota Calendar is exclusive to SDBA member banks and associate members.
Place your order here for the 2025 Scenes of South Dakota Calendar!
ORDERS ARE DUE BY SEPTEMBER 18.
If you have any questions, email Laura Norton or call the SDBA Office at 605.224.1653.
2024 SBA Minnesota Small Business Lenders Conference
Thursday, September 12, 2024 | 8:30 a.m. - 4:15 p.m. CDT | Bloomington, MN
The SBA Minnesota Lenders Conference is now the Minnesota Small Business Lenders Conference! The SBA loan programs should be a key part of every lender’s strategy. They are a proven tool for attracting new customers with competitive loans for business expansion and working capital needs. Don’t miss this full day of premier education sessions designed specifically to help you optimize your organization’s participation in SBA’s lending programs and build your network of SBA program and industry experts.
Book your room by September 13.
Information & Registration
2024 IRA School
September 17-19, 2024 | Ramkota Hotel, Sioux Falls
IRAs are one of the most complicated areas of bank personnel responsibility. Working with them is a process and must begin with a strong foundation. This IRA school can provide such a foundation through an extensive curriculum, covering both new and current IRA material, along with previous topics covered at the school that will be expanded on. This program is the quickest, easiest, and most comprehensive coverage of IRAs and HSAs.
Information and Registration
Question of the Week
Q: What is the scope of the new Reconsideration of Value (ROV) Final Rule? When must banks comply with its updates?
A: While the Interagency Guidance is considered to be effective upon publishing, it is important to note that the language of the guidance indicates that “the final guidance does not have the force and effect of law or regulation and does not impose any new requirements on supervised institutions,” reflected here:
“The agencies reiterate that the final guidance does not have the force and effect of law or regulation and does not impose any new requirements on supervised institutions.
The examples of policies and procedures in the final guidance are illustrative and not requirements. The final guidance clarifies that these examples may not be applicable or material to each institution or their ROV processes. Risk-based ROV-related policies, procedures, control systems, and complaint processes may vary according to the size and complexity of the financial institution. Smaller financial institutions that choose to implement the guidance may have policies and procedures that differ from those at larger and midsize institutions. Under this guidance, institutions have flexibility in their approach to their internal ROV processes and deciding the relevance of the considerations discussed in the final guidance.” (Interagency Guidance on Reconsiderations of Value of Residential Real Estate Valuations)
It is also important to note, however, that for certain loans under programs such as HUD, Freddie Mac and Fannie Mae, lenders are required to have policies and procedures in place addressing requests for ROVs.
Learn how to put compliance management solutions from Compliance Alliance to work for your bank, by contacting (888) 353-3933 or [email protected] and ask for our Membership Team.
For timely compliance updates, subscribe to Bankers Alliance’s email newsletters.
Questions/Comments Contact the SDBA at 605.224.1653 or via email