Security News

OAuth is an especially appealing target for criminals in cases where compromised accounts don't have strong authentication in place, and user permissions allow them to create or modify OAuth applications. Microsoft, in a threat intel report, details one cyber crime crew it tracks as Storm-1283 that used a compromised account to create an OAuth application and deploy VMs for crypto mining, while also racking up between $10,000 and $1.5 million in Azure compute fees.

Toyota Financial Services is warning customers it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack. Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity with a presence in 90% of the markets where Toyota sells its cars, providing auto financing to its customers.

Nearly 72% of applications in the financial services sector contain security flaws, according to Veracode. Despite the alarming figure, this rate of software vulnerability was the lowest of all industries analyzed and has improved since last year.

Fortune 500 insurance biz Fidelity National Financial has confirmed that it has fallen victim to a "Cybersecurity incident." FNF recorded more than $11 billion in total revenue in 2022 and is one of the largest underwriters of title insurance and providers of transaction services to the real estate and mortgage industries in the US. Although investigations remain ongoing and the company has not yet disclosed the incident's material impact on trade, it did say an intruder "Accessed certain FNF systems and acquired certain credentials."

Phishing, infostealer malware, ransomware, supply chain attacks, data breaches and crypto-related attacks are among the top evolving threats in the financial sector, says Sekoia. A new report from French-based cybersecurity company Sekoia describes evolutions in the financial sector threat landscape.

The world's largest cryptocurrency exchange just got a little smaller, with the US Department of Justice announcing Binance and its CEO Changpeng Zhao have both pleaded guilty to a multitude of financial crimes. According to a criminal case [PDF] unsealed Tuesday, Binance failed to register as a money services business in the United States, broke the Bank Secrecy Act by failing to implement and maintain an anti-money laundering program, and violated the International Emergency Economic Powers Act by allowing US users to transact with individuals in sanctioned countries.

Boards of directors, or other senior committees, are charged with overseeing cybersecurity risk management, and must retain an appropriate level of expertise to understand cyber issues, the rules say. Directors must sign off on cybersecurity programs, and ensure that any security program has "Sufficient resources" to function.

The security performance of financial applications generally outperforms other industries, with automation, targeted security training, and scanning via Application Programming Interface contributing to a year-over-year reduction in the percentage of applications containing flaws, according to Veracode. While nearly 72% of applications in the financial services sector contain security flaws, this is the lowest of all industries analyzed and an improvement since last year.

A threat actor affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been observed waging a sophisticated cyber espionage campaign targeting financial, government, military, and...

The U.S. Federal Trade Commission has amended the Safeguards Rules, mandating that all non-banking financial institutions report data breach incidents within 30 days. "The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers' data."