Japan raises security after ¥1.8bn taken from ATMs

Japan raises security after ¥1.8bn taken from ATMs » Banking Technology

Fintech in Japan is not so calm at present

Japan’s Seven Bank has improved security for ATM withdrawals following Japanese banks losing JPY 1.8 billion ($16.8 million) through fake overseas cards.

Banks across the island nation are rushing to deal with the fraud, and Seven Bank which operates ATMs in the 7-Eleven convenience store chain, has cut its withdrawal limit to JPY 50,000 ($468) from JPY 100,000 ($937) for customers using non-Japanese cards.

Seven Bank says it has “complied with EMV regulations, globally accepted security standards, and equipped a system that detects criminal transactions so as to prevent crimes committed on our ATMs”.

It is not alone. E-net, a joint-banking service which operates about 13,300 ATMs across the country, reduced its withdrawal limit to ¥40,000 ($375) from ¥200,000 ($1,874) for non-Japanese cards.

According to the Japanese media and Associated Press; the “illegal withdrawals were made using fake cards of a South African bank in just a few hours” on 15 May at more than 1,000 ATMs in 17 prefectures.

Japanese police have arrested three suspects so far, one in Tokyo and two in Aichi Prefecture.

Associated Press and Japan’s NHK say in the latest development, “police found a manual with detailed instructions on how to use fake cards to withdraw money from ATMs”.

Masatoshi Ogihara, a Seven Bank spokesman, says the bank is “strengthening monitoring and co-operation with police” but declined to give specifics for “security reasons”.

Ogihara adds that China Union Pay cardholders are now limited to JPY 50,000 ($468). Previously, it was JPY 200,000 ($1,874).

On top of all these developments, money was also taken at Japan Post Bank ATMs.

Hayato Kayanuma, a spokesman for Japan Post Bank, says it is “working on plans to deal with the fraud but has not lowered the withdrawal limit”. He adds the plans would not affect cards issued in Japan.

post

Agile Security for Agile Software Development

The presence of agile software development brought some ideals to software development methodology, maybe that’s why it did not take long before it gained wide acceptance. The manifesto of agile adapted to software development life cycle (SDLC) can as well improve the security status of applications which currently serves as the most exploited threat vector across the globe and reported by Symantec to have increased by 30 percent this year (web applications).

Agile

From experience, the “agility” of software development process increases vulnerability of software. Adapting the Agile development process manifesto to improve software security will boost applications security. Agile manifesto as found applicable to software security is described below:

Agile promises to value individuals and interactions over processes or tools. This concept is great for business relationship between software vendors and their clients. Adapting agile to software security, individuals, for instance, users and interactions with the system should be discussed as part of the security requirements and well measured to decide the risk appetite of the organization. While processes and tools are important, individuals and interactions eventually decide the efficacy of the security.

Agile promises working software over comprehensive documentation. The details of what makes how a software works is not as important as if the software works. However, the fact that software is working does not make it secure neither does it guarantee its quality. So, for agile security, we prefer working security over comprehensive documentation. Simply should be risk-based and not tick-the-box security.
7998262_orig

Agile promises customer collaboration over contract negotiation. In order to improve the security of SDLC, customers and good understanding of business objectives is imperative over negotiations and deliberations. It is in understanding of the customers and their business that facilitates business collaboration and hence collaboration for secure software.

Agile promises responding to change over following a plan. Change is constant and growth is change in itself, which is another reason why continuous monitoring is imperative in agile security. Threat analyzed through modelling and risk defined software security is a more decent approach and when a change is made agile security requires that it’s security is responsive, that is, re-calibrated to reduce the risk posture of the organization.

However, as discussed in the agile manifesto it is not a bad idea to follow plans, negotiate contract, document comprehensively or rely on process and tools. It is more expedient to follow the left-side options. While we deliver software with agile process, we can adopt agile security concept for a brilliant, better and secure application.

post

Our Achilles heels, Communication; The weakest security link

3703472

“… but the CIA followed his COURIER to a place near the Pakistan Military Academy in Bilal Town, Abbottabad”.

I am persuaded by my exposure, expertise and experience to relate to my readers the security beast in communication this month. This argument is not against the common notion that ‘Humans’ are the weakest link. Really, I think it does strengthens it.

According to Wikipedia, Communication (from Latin communicare, meaning “to share”) is the activity of conveying information. It is also the meaningful exchange of information between two or more participants (machines, organisms or their parts).

Communicating with others involves three primary steps:
Thought: First, information exists in the mind of the sender. This can be a concept, idea, information, or feeling.
Encoding: Next, a message is sent to a receiver in words or other symbols.
Decoding: Lastly, the receiver translates the words or symbols into a concept or information that a person can understand.

I really wish communication could stop at the first level. I mean, thought-to-thought communication because most times,
humans become vulnerable in the process of encoding and decoding, also transfer of their messages. Man is made to
communicate and so does all living things and that’s why it’s tougher to protect and easier to exploit. Most breaches
happened as a result of communication between either applications, systems or people. The problem is, we can not always isolate or sandbox, we will at a point need to integrate and communicate.

In Phil Zimmermann’s (author and creator of PGP) words on ‘Why I wrote PGP’, he said, “…But with the coming of the information age, starting with the invention of the telephone, all that has changed. Now most of our conversations are conducted electronically. This allows our most intimate conversations to be exposed without our knowledge.”

In the first paragraph of this post, is the line that described how almost evasive Osama bin Laden was captured and
killed according to Howard E. Wasdin and Stephen Templin in their book titled ‘SEAL TEAM SIX’. It was described in the book that Osama lived in a place protected by walls topped with barbed wire, has two security gate (physical security), has no phone or internet connection (attempted to disconnect from computers to avoid eavesdropping or tracking). Also, the people who live there burned their trash instead of setting it out for garbage collection like their neighbour( may be to also prevent dumpster diving, a kind of social engineering).

However, with all his security measure, he has one single point of failure – his COURIER (A courier is a person who delivers messages, packages and mails) and that was all that was needed. He was tracked and killed. I presume he never knew that was his Achilles’ heel. And like most of us we don’t know or we really don’t care about it.

I think as long as man exist and technology evolves, man will continue to be vulnerable with his communication. the only solution here is to be aware. And I repeat be aware so you can decide to either live or die by it!

Thank you for reading