Expert On NCR Barred Mint, QuickBooks From Banking Platform During Account Takeover Storm

By ISBuzz Team
Writer, Information Security Buzz | Nov 05, 2019 11:56 am PST

Banking industry giant NCR Corp. [NYSE: NCR] late last month took the unusual step of temporarily blocking third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight, an online banking platform used by hundreds of financial institutions. That ban, which came in response to a series of bank account takeovers in which cybercriminals used aggregation sites to surveil and drain consumer accounts, has since been rescinded. But the incident raises fresh questions about the proper role of digital banking platforms in fighting password abuse, Brian Krebs reported.

3 Expert Comments
Jonathan Deveaux, Head of Enterprise Data Protection
InfoSec Expert
November 6, 2019 10:10 pm

Halting business transactions because of cybersecurity concerns should not be considered something new.

In this case, NCR recognized a cybersecurity situation in which a set of consumers were severely impacted, and took action to temporarily block certain companies from accessing an online banking platform.

In principle, some cybersecurity standards and regulations call for similar action. For example, with the Payment Card Industry Data Security Standard (globally recognized as PCI DSS), organizations failing to meet the 12 requirements to protect payment cardholder data may be subject to cease accepting card payments issued by one of the four major credit card brands (Visa, MasterCard, American Express, or Discover).

It would not be surprising if more companies (public or private) took the same approach in the future, as a response to cybersecurity incidents against their customers.

Elad Shapira, Head of Research
InfoSec Expert
November 6, 2019 10:58 am

NCR’s temporary blocking of third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight is noteworthy for three reasons: It illustrates what can happen if passwords are reused, it underscores the tremendous risk that third parties can potentially pose to banking customers, and it demonstrates how companies such as NCR are taking steps to mitigate that risk. Password reuse is a serious cybersecurity issue, but it can be hindered through a stringent password policy, adding two-factor authentication and requiring longer and more complex passwords. The industry is moving towards a positive trend where NCR took action in relation to third-party security. That said, the third parties themselves need to learn from this incident and recognize that their security controls will have an effect on doing business with their partners. These third parties need to be able to attest to their security controls and provide needed evidence of their cyber resilience as part of doing business.

Tim Erlin, VP of Product Management and Strategy
InfoSec Expert
November 5, 2019 8:01 pm

The complexity of the interconnected financial services industry is difficult for the average consumer to comprehend. This complexity provides avenues for attackers to exploit. A variety of services have grown organically from the more traditional banking system, and while security is often a top concern for each institution, the gaps between them can leave room for risk.

When you have an incident to deal with, you can only take action on the systems where you have control. It will be telling to see if this type of incident-driven access control is a recurring theme for the industry.
