Feds take aim at terrorist use of cryptocurrencies, prepaid cards

By Jim Bronskill

THE CANADIAN PRESS

OTTAWA - The federal government is proposing measures that take aim at shadowy payments made by terrorists and money launderers using virtual currencies and prepaid credit cards.

The planned regulations would help close loopholes in Canada’s anti-money laundering regime and address shortcomings pointed out by an international watchdog.

Virtual currencies, such as Bitcoin, are increasingly being used to commit fraud and cybercrime and to buy illicit goods and services in the darker corners of the internet, notes a federal summary accompanying the proposed changes.

“They allow for the rapid transfer of funds within or across borders, oftentimes without any intermediary, are generally characterized by non-face-to-face customer relationships, and can circumvent the physical ‘brick and mortar’ financial system entirely.”

The measures would impose new reporting obligations on people and businesses dealing in such cryptocurrencies.

Like more traditional money service businesses, they would have to register with Fintrac, Canada’s anti-money laundering agency, as well as keep track of virtual currency transactions of $10,000 or more.

Prepaid credit cards can be abused because it is difficult to trace the origins of money loaded to them, the government says.

Under the changes, prepaid cards would be treated like bank accounts, meaning issuers would need to verify the card purchaser’s identity, keep records and report any suspicious dealings.

The measures would not apply to gift cards tied to specific retailers or shopping centres.

The planned changes represent an attempt by regulators to keep up with the dawn of new financial technologies to deliver services more conveniently.

“While providing benefits to consumers, the new business models can complicate monitoring as well as make it more difficult for authorities to follow the money trail,” the federal summary says.

The overall goal is to ensure banks, money service businesses and others who provide access to the financial system know their customers and keep good records, the summary adds.

“Such information could assist in the investigation, apprehension and prosecution of money launderers and terrorist financiers.”

The proposals come as the RCMP makes the fight against money laundering “a key strategic priority” for its federal policing branch by “elevating the priority” of the crime, according to an internal memo released under the Access to Information Act.

Other proposed changes would:

- Require foreign money service businesses to report suspicious transactions to Fintrac, ensuring a level playing field with domestic businesses;

- Force financial institutions to confirm the accuracy of any new ownership information about companies as it comes in, a measure intended to prevent firms from hiding the identities of their true proprietors;

- Impose stricter record-keeping and reporting requirements on the life insurance sector, which has begun issuing mortgages and loans against the amount of a policy.

The government is accepting public comment on the planned measures until early September.

Bank breaches highlight rise of cyber threats as new exploitation strategies emerge

Apparent attempts to extort two major Canadian banks highlight the increasing threat and variety of cyberattacks against major companies.

Attacks against BMO and CIBC-owned Simplii, which compromised the information of up to a combined 90,000 Canadians and were made public Monday, appear to be the latest in a number of high-profile ransom attacks. The attacks have the banks in damage control mode, prompting them to assuage client concern about the safety of Canadian accounts.

CBC reported that it received a letter from someone who said they demanded a $1-million ransom from the targeted banks.

The banks would not confirm the CBC report Tuesday. BMO said only that a “threat” was made, but it has a policy of not making payments to fraudsters, while Simplii was similarly cryptic, saying only that fraudsters may have electronically accessed some data, but that its practice is not to pay ransom demands.

Both banks said they took additional security measures after learning of the potential breach and would be directly contacting customers whose accounts may have been compromised. Royal Bank, Scotiabank and Toronto-Dominion Bank have said they have no indication they have been affected.

The apparent extortion attempt against BMO and CIBC’s direct-banking brand Simplii comes after a string of other high-profile pay-for-data attempts.

Recent examples include a failed attempt at Uber to pay off hackers, only for the company to later reveal that some 815,000 Canadians had their information compromised as part of a global attack, and the infamous cyberattack on cheating website Ashley Madison, which did not comply with hackers’ demands to close the website, resulting in the exposure of personal information of millions of users.

Smaller organizations are also falling victim to hacking payment scams, including the University of Calgary, which paid $20,000 to have its computer systems unlocked after a ransomware attack in 2016.

The risks are clearly on the rise, said cybersecurity expert Satyamoorthy Kabilan at the Conference Board of Canada.

“In terms of cyber incidents overall, whether it’s breaches, whether it’s these sorts of attacks, whether it’s standard ransomware, that’s skyrocketing.”

However, the incident involving BMO and Simplii varies from more standard efforts to either use the data itself to profit or to try and sell it to third parties, which makes it harder for companies to set up defensive plans, said Kabilan.

“Understanding tactics actually gives us an advantage in terms of defending ourselves, but if those are constantly varying, it starts putting up a few more challenges.”

Companies, especially banks, need to keep improving security efforts but also plan for resiliency and being able to respond in the event of an attack, he said.

“Companies have to wake up to the fact that there is no such thing as 100 per cent security in the cyber world. It’s a question of when and how bad.”

BMO and Simplii did the right thing in being quick to assure customers that their money is safe and that they’re working diligently to improve security, said Barry Waite, chair of the communications department at Centennial College.

Both banks said they’d directly reach out to affected customers and are co-ordinating with officials to respond to the incident and protect clients.

Demonstrating the safety of banking services will become increasingly important as they roll out more digital products, said Waite.

“This is important for the whole banking industry, demonstrating that as they increase technology, they’re introducing new apps, that they have the best security in place.”

The whole banking sector is looking to improve digital security in light of such threats, Scotiabank CFO Sean McGuckin said on a media conference call discussing its quarterly results.

“There’s a very open dialogue amongst financial institutions around cyber threats. So we are all quite open and learning and sharing from each other.”

BMO and CIBC’s Simplii warn fraudsters may have accessed clients’ data

Two of Canada’s biggest banks warned Monday that “fraudsters” may have accessed certain personal and financial information of up to 90,000 customers.

The Bank of Montreal said hackers contacted the bank on Sunday claiming to be in possession of the personal information of fewer than 50,000 customers and threatened to make it public.

“We became aware of unverified claims that customer personal and financial data may have been accessed by a fraudster,” said spokesman Paul Gammal in an emailed statement Monday, May 28, 2018.

“A threat was made. Our practice is not to make payments to fraudsters. We are focused on protecting and helping our customers,” he said.

The bank said it believes the attack originated outside Canada, but did not elaborate on the type of data the attackers accessed.

Gammal said the bank is conducting a thorough investigation and is working with the relevant authorities.

The disclosure followed a warning from CIBC’s direct banking brand Simplii Financial that also said “fraudsters” may have electronically accessed certain personal and account information for approximately 40,000 Simplii Financial clients.

Simplii said Monday it learned of the potential issue on Sunday and has implemented additional online security measures such as enhanced online fraud monitoring, adding it is working with the relevant authorities.

Gammal said the potential breach at BMO appears to be related to the CIBC issue. Royal Bank, Scotiabank and Toronto-Dominion Bank said they have no indication they were affected.

Both BMO and CIBC said they will be contacting clients, and recommended that customers monitor their accounts and notify their financial institution about any suspicious activity.

“We are investigating to determine the validity of the claims and the type of the information that may have been accessed,” CIBC spokesman Tom Wallis said in an emailed statement.

Minister of Finance Bill Morneau has spoken to the chief executives of the affected institutions, ministry spokeswoman Jocelyn Sweet said.

“We are monitoring the situation closely with the Office of the Superintendent of Financial Institutions,” she said in an emailed statement. “The situation is being investigated by the institutions in collaboration with law enforcement.”

The Office of the Privacy Commissioner said Monday that both financial institutions have notified it about the issue.

“We are working with the organizations to better understand what occurred and what they are doing to mitigate the situation,” said spokeswoman Valerie Lawton in an email.

“At this point in time, we are in contact with the companies; we have not opened a formal investigation.”

Simplii said Monday that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.

CIBC launched Simplii in November and absorbed the accounts of some two million President’s Choice Financial account holders. CIBC had provided the back-end banking services for PC Financial for nearly 20 years, but last August the bank struck a deal with PC’s parent company Loblaw to go their separate ways.

The potential data breaches reported by Simplii and BMO on Monday are the latest cybersecurity incidents involving Canadians.

Last fall, credit reporting service Equifax notified the public that hackers accessed or stole the personal data of 145.5 million U.S. customers and 19,000 Canadians. In January, Bell Canada warned some of its customers that their information, such as names and email addresses, had been illegally accessed in a data breach.

In November, ride-sharing company Uber said hackers stole names, email addresses and cellphone numbers of millions of riders. Uber in December said that 815,000 Canadian riders and drivers may have been affected as part of the worldwide data breach.

New federal data breach regulations which would require mandatory reporting of security breaches are set to take effect on Nov. 1.

The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible.” Previously, companies that had been hacked had been alerting the public on their own timeline.

International probe shuts down cyberattack provider

By Mike Corder

THE ASSOCIATED PRESS

THE HAGUE, Netherlands - In a major hit against cybercriminals, an international police operation has taken down what investigators called the world’s biggest provider of potentially crippling Distributed Denial of Service attacks.

Police hailed the success of the operation Wednesday, saying that a joint investigation led by Dutch and British experts and supported by European Union police agency Europol led to the arrest on Tuesday of the administrators of the website webstresser.org.

Europol said webstresser.org had more than 136,000 registered users and racked up 4 million attacks on banks, governments, police forces and the gaming industry. Distributed Denial of Service, or DDoS, attacks attempt to make online services unavailable by overwhelming them with traffic from multiple sources.

“It used to be that in order to launch a DDoS attack, one had to be pretty well versed in internet technology,” Europol said in a statement. “That is no longer the case.”

The agency said that registered users could pay a fee of as little as 15 euros ($18) per month to rent its services and launch cyberattacks.

Administrators of the service were arrested Tuesday in Britain, Croatia, Canada and Serbia, Europol said. The illegal service was shut down and computers and other infrastructure seized in the Netherlands, the United States and Germany.

Croatian police said that a 19-year-old Croat, whom they described as the owner of webstresser.org, was detained on charges of “serious criminal acts against computer systems, programs and data” that carry a possible sentence of one to eight years in prison.

Gert Ras, head of the Dutch police’s High Tech Crime unit, said the operation should send a clear warning to users of websites like webstresser.

“Don’t do it,” Ras said. “By tracking down the DDoS service you use, we strip you of your anonymity, hand you a criminal record and put your victims in a position to claim back damages from you.”

Cyber Cross-Jurisdictional Risks And The Impact Of GDPR: Europe

Article by Henning Schaloske, Kathrin Feldmann and Amrei Zürn

Companies that become a target of a cyber-attack may face global impacts. Cyber-attacks often cause cross-border and thus cross-jurisdictional data breaches as, for example, data is often stolen or illegally published from a company’s subsidiary in a different country.

An issue in such events is that each jurisdiction has different requirements regarding the notification of authorities and the subjects of the data breach. Companies have to establish in how many countries a data breach occurred and if there are special notification requirements with respect to the data subject and the national authorities. Further, targets of cyber-attacks may face difficulties estimating the amount of fines and penalties and third party claims since the relevant provisions vary from one country to another. In addition, each jurisdiction imposes different requirements on risk management.

Within the European Union, these different approaches will be harmonised on 25 May 2018 when the General Data Protection Regulation (“GDPR”) comes into effect. As a regulation, the GDPR directly applies in each member state and does not need to be transposed into national law. The GDPR contains provisions regarding data breach notifications, data protection management systems, fines and penalties as well as third party claims. Even though these provisions are partially stricter than national regulations, the GDPR’s advantage is that companies, in general, only have to consider this data protection regulation instead of, potentially, 28 individual domestic data protection laws in all member states. However, with respect to non-EU member states, companies will still face various data protection provisions.

Cyber cross-jurisdictional risks not only occur in connection with data breaches. Internationally operating companies also face different regulations when it comes to general IT risk management and the prevention of cyber-attacks. In Germany, for example, pursuant to section 8a of the Act on the Federal Office for Information Security (“BSIG”), so-called operators of critical infrastructure, such as energy, transportation or telecommunication companies as well as insurers, have to take organisational and technical measures to avoid disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components and processes which are essential for the functionality of the operated critical infrastructures. Operators of such infrastructure have to prove to the German Federal Office for Information Security (“BSI”) every two years that they are meeting these requirements.

Since 3 November 2017, financial institutions have been obliged to meet special IT risk management requirements. The German Federal Financial Supervisory Authority (“BaFin”) published the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, “BAIT”). The intention behind BAIT is to provide clarity for executive boards of banking institutions regarding the banking supervisors’ expectations with respect to a secure design of IT systems and the associated processes. These requirements form a core component of IT supervision in the banking sector in Germany. The financial institutions have to define a sustainable IT strategy outlining the institution’s objectives and the measures to achieve them. BAIT furthermore requires companies to put in place information risk management, information security management and user access management. Similar regulatory requirements for insurance companies are expected to be published at the end of 2018.

Another significant cross-jurisdictional issue is the assessment of global litigation risks. It may be easier for a company to estimate its potential liability in a country like the United States where cyber cases have already been subject of legal proceedings than in other countries such as Germany where there is hardly any case law on cyber liability. What is more, companies cannot be certain whether or not cyber claims will be covered by a cyber policy. Since 2017, the German cyber market has grown significantly. However, German courts have not yet had to deal with cyber policies and it is difficult to predict how a German court would decide in a cyber coverage dispute. Thus, for insurers and their insureds alike, it is important to continuously improve legal certainty of the policy wordings as well as to understand, manage and allocate cyber risks appropriately between different types of cover, including, e.g., crime and general liability next to the cyber policies. Last but not least, in the international cyber breach scenario, the interplay of local and master policies brings along additional challenges, in particular in relation to non-admitted countries and the setup of well-functioning international insurance programmes.


Source: Mondaq

Making a point: Aon says airlines, retailers need to criminal proof loyalty points

By David Paddon

THE CANADIAN PRESS

TORONTO - A new report on cybersecurity trends says several industries will be on the defensive as criminals increasingly target gift cards, loyalty points and other non-cash transactions.

The 2018 Aon cybersecurity report said that airline, retailer and hospitality sectors will be under pressure to adopt more innovative ways to protect themselves and customers from points theft.

The theft of loyalty points creates a dilemma because it’s not yet clear how they’re covered by business insurance policies, Aon Canada’s Brian Rosenbaum said Tuesday.

“The question is: Who are they stealing from? And what are they stealing?” Rosenbaum said.

If the theft is considered a loss of something owned by the points provider, it might be covered by a fairly standard commercial crime policy.

However, if the theft is considered the loss of confidential information entrusted to the company by customers or business partners, it might be covered by a cybersecurity policy, a newer but increasingly common form of insurance.

“And maybe it’s neither, depending on how the policies are worded,” Rosenbaum said.

The multinational advisory firm said in its 2018 cybersecurity report that many industries, including those with points programs, will be expected to prove they’ve taken every reasonable precaution to address the risk of breaches.

In Canada, that’s a very elusive standard because it’s not yet clear what needs to be done.

“Do you have to have IT continually patching your system? Do you have to have monitoring and auditing in a very significant way? … Do we need to have a bug bounty program?”

So-called bug bounties, a way to reward ethical hackers who find bugs so they can be exterminated, have been used to good effect by tech companies.

Aon’s global report predicts that airlines, retailers and hospitality companies will also add bug bounties to their arsenal of cyber defences following the lead of tech companies and financial services providers.

Rosenbaum said Canadian companies have begun making inquiries but he doesn’t think bug bounties will become common in this country yet and for good reason: “I think there’s bugs in the bug bounty program.”

One impediment, Rosenbaum said, is that many companies don’t want to publicize their vulnerabilities but one of the motivations for ethical hackers is getting recognition for their accomplishment.

“My sense of it is that there has to be a better understanding of what the individuals get and the companies have to be clear about what they’re prepared to give … in order for these to be viable working relationships.”
