Expert On NCR Barred Mint, QuickBooks From Banking Platform During Account Takeover Storm

Banking industry giant NCR Corp. [NYSE: NCR] late last month took the unusual step of temporarily blocking third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight, an online banking platform used by hundreds of financial institutions. That ban, which came in response to a series of bank account takeovers in which cybercriminals used aggregation sites to surveil and drain consumer accounts, has since been rescinded. But the incident raises fresh questions about the proper role of digital banking platforms in fighting password abuse, Brian Krebs reported.


EXPERTS COMMENTS
Tim Erlin, VP of Product Management and Strategy, Tripwire
November 05, 2019
The complexity of the interconnected financial services industry is difficult for the average consumer to comprehend. This complexity provides avenues for attackers to exploit. A variety of services have grown organically from the more traditional banking system, and while security is often a top concern for each institution, the gaps between them can leave room for risk. When you have an incident to deal with, you can only take action on the systems where you have control. It will be telling to see if this type of incident-driven access control is a recurring theme for the industry.
Elad Shapira, Head of Research, Panorays
November 06, 2019
NCR’s temporary blocking of third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight is noteworthy for three reasons: It illustrates what can happen if passwords are reused, it underscores the tremendous risk that third parties can potentially pose to banking customers, and it demonstrates how companies such as NCR are taking steps to mitigate that risk. Password reuse is a serious cybersecurity issue, but it can be hindered through a stringent password policy, adding two-factor authentication and requiring longer and more complex passwords. The industry is moving towards a positive trend where NCR took action in relation to third-party security. That said, the third parties themselves need to learn from this incident and recognize that their security controls will have an effect on doing business with their partners. These third parties need to be able to attest to their security controls and provide needed evidence of their cyber resilience as part of doing business.
Jonathan Deveaux, Head of Enterprise Data Protection, comforte AG
November 06, 2019
Halting business transactions because of cybersecurity concerns should not be considered something new. In this case, NCR recognized a cybersecurity situation in which a set of consumers were severely impacted, and took action to temporarily block certain companies from accessing an online banking platform. In principle, some cybersecurity standards and regulations call for similar action. For example, with the Payment Card Industry Data Security Standard (globally recognized as PCI DSS), organizations failing to meet the 12 requirements to protect payment cardholder data may be subject to cease accepting card payments issued by one of the four major credit card brands (Visa, MasterCard, American Express, or Discover). It would not be surprising if more companies (public or private) took the same approach in the future, as a response to cybersecurity incidents against their customers.
