Surveillance State: Biometrics Coming To A Bank Near You Very Soon

The banking password may be about to expire — forever.

Some of the nation’s largest banks, acknowledging that traditional passwords are either too cumbersome or no longer secure, are increasingly using fingerprints, facial scans and other types of biometrics to safeguard accounts.

Millions of customers at Bank of America, JPMorgan Chase and Wells Fargo routinely use fingerprints to log into their bank accounts through their mobile phones. This feature, which some of the largest banks have introduced in the last few months, is enabling a huge share of American banking customers to verify their identities with biometrics. And millions more are expected to opt in as more phones incorporate fingerprint scans.

Other uses of biometrics are also coming online. Wells Fargo lets some customers scan their eyes with their mobile phones to log into corporate accounts and wire millions of dollars. Citigroup can help verify 800,000 of its credit card customers by their voices. USAA, which provides insurance and banking services to members of the military and their families, identifies some of its customers through their facial contours.

Some of the moves reflect concern that so many hundreds of millions of email addresses, phone numbers, Social Security numbers and other personal identifiers have fallen into the hands of criminals, rendering those identifiers increasingly ineffective at protecting accounts. And while thieves could eventually find ways to steal biometric data, banks are convinced they offer more protection.

“We believe the password is dying,” said Tom Shaw, vice president for enterprise financial crimes management at USAA, which is based in San Antonio. “We realized we have to get away from personal identification information because of the growing number of data breaches.”

Long regarded as the stuff of science fiction, biometrics have been tested by big banks for decades, but have only recently become sufficiently accurate and cost effective to use in a big way. It has taken a great deal of trial and error: With many of the early prototypes, a facial scan could be foiled by bad lighting, and voice recognition could be scuttled by background noise or laryngitis.

Before smartphones became ubiquitous, there was an even bigger obstacle: To capture a finger image or scan an eyeball, a bank would have to pay to distribute the necessary technology to tens of millions of customers. A few tried, but their efforts were costly and short-lived.

Read the Remainder at NY Times

Modern Crime: Will Cyber-Assassinations Soon Be A Reality?

As we hurtle forward into the digital, connected future, ever more objects are becoming targets for hackers and malicious software.

Where once hacks only affected computers, they now bring down everything from cars to power grids and thermostats to secretive nuclear enrichment programs.

So how long until a hack doesn’t just cause a nuisance or monetary losses but actually kills someone?

One well-respected security expert thinks humanity will see its first death as a result of a hack within 10 years – and it may even have already happened.

“It could have happened already, but we don’t know. Stuxnet could already have killed people,” Mikko Hypponen, chief research officer for F-Secure, told Business Insider, referring to the sophisticated computer worm that targeted Iranian nuclear facilities that most people believe was developed by the American and Israeli intelligence services.

“We don’t know if it killed people, it’s possible because it caused centrifuges which are filled with uranium gas to break down in the middle of their spinning cycle, so if there are scientists in the room they could’ve died … I guess the Iranians would have told the world if Americans had killed people with the hack.”

“We as mankind crossed a line”

Hypponen is a highly regarded security expert who has been working in the field since the ’90s. He’s a regular public speaker on the subject, once tracked down the authors of the first ever computer virus, and has been profiled by Vanity Fair.

The security executive doesn’t think whether someone has died is what’s important. “The important part is the Americans and the Israelis must have understood what they were doing. It could kill people, and they did it anyway. And I think we crossed some line – we as mankind crossed some line – when they made that decision.”

Stuxnet isn’t the only time we’ve seen a hack with potentially fatal consequences. In December 2015, the Ukrainian power grid was taken offline by a devastating hack. Had it gone on longer, or had conditions been worse, it could have easily resulted in a death. “If the power outage had gone for longer, yeah, we would’ve had people starting to die for many different reasons. Hospitals starting to fail, or just people starting to freeze because it’s December.”

Like Stuxnet, nation-state-sponsored hackers are suspected, with investigators pointing fingers at a Russia-based team.

Read the Remainder at Business Insider

Modern Crime: Inside a Russian Hacker Ring

A man with intense eyes crouches over a laptop in a darkened room, his face and hands hidden by a black ski mask and gloves. The scene is lit only by the computer screen’s eerie glow.

Exaggerated portraits of malicious hackers just like this keep popping up in movies and TV, despite the best efforts of shows like Mr. Robot to depict hackers in a more realistic way.

Add a cacophony of news about data breaches that have shaken the U.S. government, taken entire hospital systems hostage, and defrauded the international banking system, and hackers start to sound like omnipotent super-villains.

But the reality is, as usual, less dramatic. While some of the largest cyberattacks have been the work of state-sponsored hackers – the OPM data breach that affected millions of Americans last year, for example, or the Sony hack that revealed Hollywood’s intimate secrets – the vast majority of the world’s quotidian digital malice comes from garden-variety hackers.

And for many of those cybercriminals, hacking is as unglamorous as any other business. That’s what a group of security researchers found when they infiltrated a ring of hackers based in Russia earlier this year, and monitored its dealings over the course of five months.

The researchers were with Flashpoint, an American cybersecurity company that investigates threats on the dark and deep web. Their undercover operation began when they came across a post on a Russian hacker forum on the dark web – a part of the internet that’s inaccessible to regular browsers – that read very much like a get-rich-quick ad you might find on Facebook.

Read the Remainder at Business Insider

Cyber-Crime: Why Hospitals Are The Perfect Targets For Ransomware

RANSOMWARE HAS BEEN an Internet scourge for more than a decade, but only recently has it made mainstream media headlines. That’s primarily due to a new trend in ransomware attacks: the targeting of hospitals and other healthcare facilities.

The malware works by locking your computer to prevent you from accessing data until you pay a ransom, usually demanded in Bitcoin. Hospitals are the perfect mark for this kind of extortion because they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.

“If you have patients, you are going to panic way quicker than if you are selling sheet metal,” says Stu Sjouwerman, CEO of the security firm KnowBe4. Hospitals are a good target for another reason as well: they “have not trained their employees on security awareness … and hospitals don’t focus on cybersecurity in general,” he says. Instead, their primary concern is HIPAA compliance, ensuring that employees meet the federal requirements for protecting patient privacy.

Last month, attackers took computers belonging to the Hollywood Presbyterian Medical Center in Los Angeles hostage using a piece of ransomware called Locky. Computers were offline for more than a week until officials caved to the extortionists and paid the equivalent of $17,000 in Bitcoin.

Earlier this month, Methodist Hospital in Henderson, Kentucky was struck by Locky as well, an attack that prevented healthcare providers from accessing patient files. The facility declared a “state of emergency” on a Friday but by Monday was reporting that its systems were “up and running.” Methodist officials, however, said they did not pay the ransomware; administrators in that case had simply restored the hospital’s data from backups.

Then this week, news broke that MedStar Health, which operates 10 hospitals and more than 250 out-patient clinics in the Maryland/Washington, DC area, was hit by a virus that may be ransomware. MedStar wrote in a Facebook post that its network “was affected by a virus that prevents certain users from logging-in to our system,” but a number of employees told the Washington Post that they saw a pop-up screen appear on their computers demanding payment in Bitcoin. The organization responded immediately by shutting down large portions of its network. Employees were unable to access email or a database of patient records, though clinics and other facilities remained open and operating. MedStar did not respond to a call from WIRED.

Read the Remainder at WIRED