Friday Report: Banks in the Crosshairs, Google Knows Where You Are, Election Security Still Not a Sure Thing

By Cynthia Brumfield,

Welcome to Metacurity’s Friday Report where we boil down the big information security themes of the week into digestible condensed bites to bring you up-to-speed on the major trends.

One big theme this week is that banks everywhere are in the crosshairs of motivated hackers. First, the FBI issued a warning to banks that cybercriminals are preparing to carry out a highly choreographed global fraud scheme involving “ATM cash-outs” in which the crooks hack a bank or payment card processor and use cloned cards to fraudulently withdraw millions from ATMs around the world in a short time span.

Then, sure enough, news broke that hackers stole around $13.5 million from Pune-based Cosmos cooperative bank in India using simultaneous withdrawals across 28 countries around the world between August 11 and August 13. The week wrapped up with the news that the Necurs Botnet, one of the world’s biggest spam botnets, is now targeting banks with a new phishing campaign which started last week and has so far targeted 2,700 bank domains and employees who work for those banks.

Google’s inability to let go of users’ location data was another top topic of the week. The AP dropped a bombshell that many Google services on Android devices and iPhones store potential privacy-violating users’ location data even if users have switched off their “location” history option.

The real-world downside consequence of this furtive location tracking was demonstrated when Forbes reported that the FBI requested location data from Google covering 100 acres to find all users of its services who’d been within the vicinity of at least two of nine of robberies Portland, Maine. Google refused to hand over the data, forcing the FBI to rely on good old-fashioned police work to solve the case. After an outcry among privacy advocates, by week’s end, quietly changed its help page to clarify that turning off the location option actually does not stop the company from storing location data.

As the U.S. heads toward Labor Day and the “official” start of the midterm election campaigns, voting and election security news continued to make headlines. Last weekend, during DEF CON’s voting village hackathons, an eleven-year-old hacked a replica of the Florida secretary of state’s website within 10 minutes and changed the appearance of the results. Just today,, after the Washington Post all but accused Florida Democratic Senator Bill Nelson of making up his statement that Russian hackers have penetrated some of his state’s county voting systems, NBC News reported that sources who back who Nelson’s claims intimate that the Russian are in some Florida county voting systems owing to a 2016 hack of a Florida elections vendor, VR Systems.

On the good news front, a majority of U.S. states, 36 out of 50, has adopted so-called Albert sensors that allow the federal government to see inside state computer systems managing voter data or voting devices in order to root out hackers, according to Department of Homeland Security sources.

With that, we will leave you with one of our favorite tweets of the week that definitively settles what the shorthand prefix “crypto” really means.

Be safe and be sane out there! And for those of you reading this far, we’ve got some exciting news (for us, anyway) next week at Metacurity! Stay glued to our every word.