Krebs on Security


Apple Pay: Bridging Online and Big Box Fraud

Wednesday, March 11, 2015 at 19:46

Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.

To understand what’s going on here, a quick primer on card fraud is probably in order. If you’re a fraudster and you wish to walk into a Best Buy store and walk out with a big screen TV or Xbox console on someone else’s dime, you’re going to buy “dumps,” which are data stolen straight off the magnetic stripe on the backs of cards.

Typically, dumps are stolen via malware planted on point-of-sale devices, as in the breaches at brick-and-mortar stores like Target, Home Depot and countless others over the past year. Dumps buyers encode the data onto new plastic, which they then use “in-store” at retailers and walk out with armloads full of high-priced goods that can be easily resold for cash. The average price of a single dump is between $10-$30, but the payoff in stolen merchandise per card is often many times that amount.

When fraudsters want to order something online using stolen credit cards, they go buy what the crooks call “CVVs” — i.e., card data stolen from hacked online stores. CVV stands for “card verification code,” and refers to the three-digit code on the back of cards that’s required for most online transactions. Fraudsters buying CVVs get the credit card number, the expiration date, the card verification code, as well as the cardholder’s name, address and phone number. Because they’re less versatile than dumps, CVVs cost quite a bit less — typically around $1-$5 per stolen account.

So in summary, dumps are stolen from main-street merchants, and are sought after by crooks mainly for use at main street merchants. CVVs, on the other hand, are stolen from online stores, and are useful only for fraud against online stores.

Enter Apple Pay, which potentially erases that limitation of CVVs because it allows users to sign up online for an in-store payment method using little more than a hacked iTunes account and CVVs. That’s because most banks that are enabling Apple Pay for their customers do little, if anything, to require that customers prove they have the physical card in their possession.

Avivah Litan, a fraud analyst with Gartner Inc., explained in a blog post published earlier this month that Apple provides banks with a fair amount of data to aid banks in their efforts at “identity proofing” the customer, such as device name, its current geographic location, and whether or not the customer has a long history of transactions with iTunes.

All useful data points, of course, unless the iTunes account that all of this information is based on is hijacked by fraudsters. And as we know from previous stories on this blog, there is a robust trade in the cybercrime underground for hijacked iTunes accounts, which retail for about $8 per account.

Litan’s column continues:

Interestingly, neither Apple nor the banks get any useful identity information out of the mobile carriers – at least that I know or heard of. And mobile carrier data could be particularly helpful with identity proofing. For example the banks could compare the mobile service’s billing address with the card account holder’s billing address.

For years, we have been briefed by vendors offering a plethora of innovative and strong user authentication solutions for mobile payments and commerce. And for years, we have been asking the vendors touting them how they know their mobile app is being provisioned to a legitimate user rather than a fraudster. That always appeared to me to be the weakest link in mobile commerce –making sure you provide the app to the right person instead of a crook.

Identity proofing in a non-face-to-face environment is anything but easy but there are some decent solutions around that can be stitched together to significantly narrow down the population of fraudulent transactions and identities. The key is reducing reliance on static data – much of which is PII data that has been compromised by the crooks – and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements.

This problem is only going to get worse as Samsung/LoopPay and the MCX/CurrentC (supported by Walmart, BestBuy and many other major retailers) release their mobile payment systems, without the customer data advantages Apple has in their relatively closed environment.

Sure, the banks could pressure Apple Pay to make their users take a picture of their credit cards with the iPhone and upload that data before signing up. That might work for a short while to deter fraud, at least until the people at underground document forgery sites like Scanlab see a new market for their services.

But in the end, most banks coming online with Apple Pay are still using customer call centers to validate new users, leveraging data that can be purchased very cheaply from underground identity theft sites. If any of you doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee.

The irony here is that while Apple Pay has been touted as a more secure alternative to paying with a credit card, the way Apple and the banks have implemented it actually makes card fraud cheaper and easier for fraudsters.

Even more deliciously ironic, as noted in Cherian Abraham’s insightful column at Droplabs, is how much of the fraud stemming from crooks signing up stolen credit cards with Apple Pay was tied to purchases of high-dollar Apple products at Apple’s own brick-and-mortar stores! That banks end up eating the fraud costs from this activity is just the cherry on top.

Abraham said the banks are in this mess because they didn’t demand more transparency and traceability from Apple before rushing to sign customers up (or “provision” them, in banker-speak) for Apple Pay.

“One of the biggest gripes I have heard from issuers is the lack of transparency from Apple (what did they expect?) and the makeshift reporting provided to issuers that is proving to be woefully inadequate,” Abraham wrote. “As long as issuers fall back on measures easily circumvented by freely available PII – this problem will continue to leech trust and large sums of cash. And alongside of the latter, there is much blame to go around as well.”

Both Abraham and Gartner’s Litan say banks need to take a step back and take the time to develop more robust, thoughtful and scalable solutions to identity proofing customers, particularly as other mobile providers begin rolling out their mobile payment systems without the customer data advantages that Apple has in their relatively closed environment.

“The vendors in the mobile user authentication space have consistently answered that they are leaving account provisioning policies to the banks or other consumer service providers provisioning the apps,” Litan wrote. “Well maybe it’s time for them to reconsider and start helping their client banks and service providers by supporting identity proofing solutions built into their apps. Whoever does this well is surely going to win lots of customer support… and revenue.”

Microsoft Fixes Stuxnet Bug, Again

Tuesday, March 10, 2015 at 21:10

Microsoft today shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010 — the very same vulnerability that led to the discovery of the infamous cyberweapon known as Stuxnet. Turns out, the patch that Microsoft shipped to fix that flaw in 2010 didn’t quite do the trick, leaving Windows users dangerously exposed all this time.

On this, the third Patch Tuesday of 2015, Microsoft pushed 14 update bundles to address at least 43 separate vulnerabilities in Internet Explorer, Exchange, Office and a host of other components.

Five of the patches released today fix flaws that Microsoft has assigned its most serious “critical” label, meaning the vulnerabilities these patches fix can be exploited to compromise vulnerable systems through little or no action on the part of the user — save for perhaps opening a booby-trapped file or visiting a hacked/malicious Web site.

One of the more curious critical fixes is MS15-020, which according to HP’s Zero Day Initiative researchers addresses the same vulnerability that Microsoft patched in August 2010. That vulnerability — first revealed in a post on this blog July 15, 2010 — was later discovered to have been one of four zero-day flaws used in Stuxnet, a weapon of unprecedented sophistication that is now widely considered to have been a joint U.S. and Israeli project aimed at delaying Iran’s nuclear ambitions. The folks at HP TippingPoint have published a blog post on their work in uncovering the failed fix, and how the original 2010 patch missed the mark. For more on Stuxnet, check out Kim Zetter’s excellent new book, Countdown To Zero Day.

Two other patches address security issues that have received a great deal of media attention of late: The Superfish malware and the FREAK SSL vulnerability. Freak is a flaw that allows an attacker who controls the local network to downgrade your computer’s encrypted communications to a much weaker (and crackable) level of security — potentially allowing attackers to eavesdrop on your browsing and modify or redirect your communications.

As security expert and cryptologist Matthew Green noted, the FREAK vulnerability is thought to stem from efforts by the National Security Agency to weaken encryption technology allowed to be shipped overseas. Ironically, several researchers have shown how the NSA’s own Web site was made vulnerable by this flaw; check out SmackTLS.com for more on that.

Microsoft also blogged that on Feb. 19 it released an update to its Malicious Software Removal Tool which searches for and removes Superfish, an adware program that was recently discovered to have factory-shipped with many consumer PCs made by Lenovo. Superfish also has been shown to undermine the SSL encryption on systems with the invasive program installed, as demonstrated by researcher Robert Graham in this post. Lenovo has said it is no longer shipping Superfish with PCs, and has released a tool to help remove the program.

For the first time in a while, there are no fixes from Adobe on Patch Tuesday, although one of the critical patches Microsoft released today addresses a dangerous bug in the Adobe Font Driver on most versions of Windows. For more on today’s Microsoft updates, check out the roundups published by Qualys and Shavlik. Links to the individual bulletins released today are here.

The Rise in State Tax Refund Fraud

Tuesday, February 17, 2015 at 21:37

Intuit: Anti-fraud Improvements by IRS Fuel Up To 3700 Percent Rise in Phony State Filings

Scam artists stole billions of dollars last year from the U.S. Treasury by filing phony federal tax refund requests on millions of Americans. But as Uncle Sam has made this type of fraud harder for thieves to profit from, the crooks have massively shifted their focus to conducting refund fraud at the state level. Or at least according to Intuit Inc., the makers of TurboTax: The company says it believes that shift is responsible for a whopping 3700 percent increase in fraudulent state tax refund filings this year in some states.

File 'em Before the Bad Guys Can

Earlier this month, TurboTax was forced to briefly suspend state tax refund filings while it investigated the source of the unprecedented fraud spike. To learn more about the run-up to this extraordinary step and other tax fraud trends this year, I talked with Indu Kodukula, chief information security officer at Intuit.

Kodukula explained that in years past the dominant form of tax return scams the company has dealt with stemmed from phony federal tax refund requests. But this tax season, things changed dramatically.

“The IRS has gotten much better than a few years ago from the perspective of fighting fraud,” Kodukula said. “We think what’s happening is that as a result the fraudsters are starting to target the states.”

The data released by the Treasury Inspector General for Tax Administration (TIGTA), which oversees the work of the IRS, suggests the IRS does indeed appear to have improved at flagging and ultimately denying fraudulent federal tax returns. In an interim report on the 2014 tax filing season, TIGTA said the IRS identified and confirmed 28,076 fraudulent tax returns involving identity theft. That was down significantly from a year earlier (PDF), when the IRS identified and confirmed 85,385 fraudulent tax returns involving identity theft.

THE ROLE OF UNLINKED RETURNS

Kodukula said tax fraudsters have evolved in response to increased information sharing by the IRS with state revenue departments about phony tax returns received at the federal level. He described a process that began about three years ago, when Intuit and TurboTax received express permission from the IRS to share information about suspected bogus tax refund requests.

“It has been our understanding that this information is in turn being shared with [state treasury departments],” Kodukula said. “But there are 46 states in the Union where taxpayers can file what’s called an ‘unlinked return,’ meaning they can file a state return without having to file a federal return at the same time. So when the [tax fraudsters] file an unlinked return, it leaves the state at its own disposal to fight this fraud, and we think that’s what has taken the states by surprise this year.”

States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.

Unlinked returns typically have made up a very small chunk of Intuit’s overall returns, Kodukula said. However, so far in this year’s tax filing season, Intuit has seen between three and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax.

“It’s very hard to imagine a fundamental demographic shift that could cause that kind of pattern,” Kodukula said. “Our thought is that the vast majority of this is clearly not legitimate activity.”

ACCOUNT TAKEOVERS FUELED BY PASSWORD RE-USE

Not only have the fraudsters shifted from attacking the IRS to robbing state coffers, but the methods they use to steal taxpayer data also are evolving. Kodukula explained that traditionally most of the bogus refund requests were the result of what the company calls “stolen identity refund fraud” or SIRF. In SIRF scams, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.

But Kodukula said that over the past 18 months, Intuit has watched fraudsters shift from SIRF to account takeovers, wherein scammers compromise TurboTax credentials by exploiting human nature: the tendency for a fair percentage of people to re-use passwords across multiple sites. When a breach at one site exposes the email addresses and passwords of its users, fraudsters will invariably try the stolen account credentials at other sites, knowing that a small percentage of them will work.

“Over the past one-and-a-half years, we started to see much more of this type of account takeover attack, where a customer’s TurboTax credentials were compromised at another site,” Kodukula said, describing wave after wave of attempts by fraudsters to log in at TurboTax using huge lists of credentials leaked in the wake of breaches at other companies.

Currently, about 60 percent of the returns flagged as likely fraudulent by Intuit appear to come from SIRF, while the other 40 percent are the result of account takeovers, Kodukula said. But the account takeover attacks are definitely growing in frequency and intensity, he said.

“From the list validation attacks we’ve seen, we know the credentials came from somewhere else,” he added. “When you look at credentials that have never been used in our system [trying to log in] it’s a pretty good indicator that those are credentials not from our space.”

Security experts (including this author) have long called on TurboTax to implement two-step authentication for customers to help address account takeovers driven by consumers’ re-use of passwords. Earlier this month, Intuit announced it would be implementing this very feature, although the company’s choice of approaches may fall short of what many security experts think of when they talk about real two-step or two-factor authentication.

Kodukula said TurboTax began rolling that out on Feb. 13, and that the company is currently evaluating customer logins — requiring additional authentication for returning customers who log in from a computer or device the company has never seen previously associated with that customer’s account. Those users will be forced to re-login using one of three additional authentication methods of the customer’s choosing: Email verification; enter a special code sent via text message; or a series of knowledge-based authentication (KBA) questions from big-three credit bureau Experian.

“We’re currently challenging about 20 percent of returning users [from the previous tax season] who are logging in, which is fairly standard,” Kodukula said. “Our current MFA approach is to provide a challenge to devices we don’t recognize and we have a 15-month history of devices. Our intent is to clear that backlog over the coming weeks so that we essentially clean out our entire portfolio of devices over the next few weeks.”
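As an added illustration (example code, not Intuit’s and not part of the original post), the two signals Kodukula describes can be turned into a small login decision engine: flag a source that tries many credentials which never existed in the system (list validation), and step up authentication for a returning account logging in from a device not seen within a 15-month history. Every account, device id and IP address below is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed data: the accounts that exist in "our system".
KNOWN_ACCOUNTS = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed device history per account: device id -> last successful login.
NOW = datetime(2015, 2, 20, 12, 0, 0)
ACCOUNT_DEVICES = {
    "bob@example.com": {
        "dev-bob-laptop": NOW - timedelta(days=3),            # seen recently
        "dev-bob-old-phone": NOW - timedelta(days=16 * 30),   # older than the window
    },
    "alice@example.com": {"dev-alice-laptop": NOW - timedelta(days=30)},
}

# Constructed login events: (source_ip, username, device_id).
# 203.0.113.7 replays a leaked list: many usernames, most of which do not exist here.
# 198.51.100.4 is Bob: one login from a recognised device, one from a new one.
LOGIN_EVENTS = [
    ("203.0.113.7", "jdoe@example.org", "dev-x1"),
    ("203.0.113.7", "mary.k@example.org", "dev-x1"),
    ("203.0.113.7", "alice@example.com", "dev-x1"),
    ("203.0.113.7", "tsmith@example.org", "dev-x1"),
    ("203.0.113.7", "pat99@example.org", "dev-x1"),
    ("203.0.113.7", "sam.l@example.org", "dev-x1"),
    ("198.51.100.4", "bob@example.com", "dev-bob-laptop"),
    ("198.51.100.4", "bob@example.com", "dev-bob-tablet"),
]

DEVICE_WINDOW = timedelta(days=15 * 30)  # roughly the 15-month device history cited


@dataclass
class SourceStats:
    attempts: int = 0
    unknown_user_attempts: int = 0
    usernames: set = field(default_factory=set)


def detect_list_validation(events, known_accounts, min_attempts=5, unknown_ratio=0.5):
    """Return {source_ip: ratio} for sources whose logins look like credential-list replay.

    Signal from the interview: credentials that never existed in our system are
    being tried, across many distinct usernames, from a single source.
    """
    stats = defaultdict(SourceStats)
    for ip, username, _device in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(username)
        if username not in known_accounts:
            s.unknown_user_attempts += 1
    flagged = {}
    for ip, s in stats.items():
        # A single user retrying their own password is not list validation.
        if s.attempts < min_attempts or len(s.usernames) < min_attempts:
            continue
        ratio = s.unknown_user_attempts / s.attempts
        if ratio >= unknown_ratio:
            flagged[ip] = round(ratio, 2)
    return flagged


def needs_step_up(account_devices, username, device_id, now=NOW, window=DEVICE_WINDOW):
    """Challenge when the device was never seen on the account, or not within the window."""
    last_seen = account_devices.get(username, {}).get(device_id)
    if last_seen is None:
        return True
    return now - last_seen > window


def evaluate_logins(events=LOGIN_EVENTS, known_accounts=KNOWN_ACCOUNTS,
                    account_devices=ACCOUNT_DEVICES):
    """Map each event to (ip, username, decision): block, reject, challenge or allow."""
    flagged = detect_list_validation(events, known_accounts)
    decisions = []
    for ip, username, device_id in events:
        if ip in flagged:
            decisions.append((ip, username, "block"))        # source is replaying a list
        elif username not in known_accounts:
            decisions.append((ip, username, "reject"))       # no such account
        elif needs_step_up(account_devices, username, device_id):
            decisions.append((ip, username, "challenge"))    # unrecognised device
        else:
            decisions.append((ip, username, "allow"))
    return decisions


if __name__ == "__main__":
    for ip, username, decision in evaluate_logins():
        print(f"{ip:15} {username:22} -> {decision}")
```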

WHAT TO DO IF YOU’RE A VICTIM

If you file your state taxes this year and discover that your state return has already been filed, you should report the matter to your state revenue agency. For a list of state agencies, their hotlines and Web sites, see the second half of this page.

Intuit is encouraging all previous and current TurboTax customers to log into their accounts to see if there has been a return fraudulently filed. The company also is encouraging users to verify their bank account information and be sure that hasn’t been changed, as well as any other contact information associated with the account. Customers who detect errant changes can call TurboTax customer service at 800-944-8596. The company says it’s also offering free credit monitoring service for customers that have had account compromises.

If you become the victim of identity theft outside of the tax system or believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.

That process is likely to involve the use of taxpayer-specific PINs for people that have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such as a driver’s license or passport.

Also, consider placing a fraud alert or freeze on your file at the major credit bureaus. If crooks have enough of your personal information to file a fraudulent tax return in your name, those same lowlifes can use that data to commit other crimes. Placing a fraud alert on your credit file every 90 days is the cheapest (as in free) way to block creditors from granting new lines of credit in your name, and from unnecessarily dinging your credit score.

You are entitled to a free copy of your credit report from each of the three major credit bureaus annually. The only site you need to obtain this free copy is annualcreditreport.com, or by phone via 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring.

If you have been the victim of identity theft, or if you don’t anticipate needing to take out a loan or apply for new lines of credit anytime soon and you’d rather not deal with fraud alerts, placing a freeze on your credit file may be the smarter option.

A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. As Consumers Union writes, “when a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file. When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed.”

Forty-nine states and the District of Columbia now have laws on the books allowing consumers to freeze their credit (Michigan is the holdout). Many of these laws allow the placement of a freeze for free if the consumer has a police report documenting an identity theft episode; for those without an ID theft scare notched on their belt, most states allow for the placement of a freeze for a $10 fee. See this site for more details on the various state freeze laws and instructions on how to obtain them.

Consumers also can reduce their exposure to identity theft by opting out of unsolicited credit card or insurance offers. Doing this, via www.optoutprescreen.com, or 888-5OPT-OUT, should block most unsolicited applications and reduce the incidence of identity theft. Doing so removes your name, address and personal identifiers from lists supplied by the Equifax, Experian, TransUnion and Innovis credit reporting agencies that are used for preapproved and pre-screened offers of credit or insurance.

Many consumers turn to credit monitoring services to protect them and their loved ones from identity thieves. Before you shell out good money for such a service, check out the primer I wrote about the uses and limitations of credit monitoring services.

Also, check to see if an organization that stores your information may have exposed it in a recent data breach. Chances are they are already offering credit monitoring to you for free. For example, some 80 million+ Americans are likely to get this offer from Anthem, the health insurance giant that recently announced that it would be notifying affected members by snail mail about credit monitoring offers. Some 56 million Home Depot shoppers also are eligible thanks to their data breach in Sept. 2014.

Virtually any company listed in the past year in my Data Breaches category is offering it, but my site is hardly an exhaustive list. California’s Office of the Attorney General has a searchable list of companies that have recently reported data breaches, and nearly all of those firms are offering free monitoring services for affected consumers.

‘Spam Nation’ Wins PROSE Award

Tuesday, February 17, 2015 at 18:48

I am pleased to announce that my new book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door, has been honored with a 2015 PROSE Award in the Media & Cultural Studies category.

The PROSE Awards are given by the Professional and Scholarly Publishing Division of the Association of American Publishers.

From the AAP’s site: “The awards annually recognize the very best in professional and scholarly publishing by bringing attention to distinguished books, journals, and electronic content in over 40 categories. Judged by peer publishers, librarians, and medical professionals since 1976, the PROSE Awards are extraordinary for their breadth and depth.”

I am grateful to the AAP for this honor. According to the AAP, the 2015 PROSE Awards received a record-breaking 540 entries this year – more than ever before in their 39-year history – from more than 70 publishers around the world. Other 2015 PROSE Awards winners are listed at this page.

The Great Bank Heist, or Death by 1,000 Cuts?

Monday, February 16, 2015 at 15:29

I received a number of media requests and emails from readers over the weekend to comment on a front-page New York Times story about an organized gang of cybercriminals pulling off “one of the largest bank heists ever.” Turns out, I reported on this gang’s activities in December 2014, although my story ran minus many of the superlatives in the Times piece.

The Times’ story, “Bank Hackers Steal Millions Via Malware,” looks at the activities of an Eastern European cybercrime group that Russian security firm Kaspersky Lab calls the “Carbanak” gang. According to Kaspersky, this group deployed malware via phishing scams to get inside of computers at more than 100 banks and steal upwards of USD $300 million — possibly as high as USD $1 billion.

Image: Kaspersky

Such jaw-dropping numbers were missing from a story I wrote in December 2014 about this same outfit, Gang Hacked ATMs From Inside Banks. That piece was based on similar research published (PDF) jointly by Dutch security firm Fox-IT and by Group-IB, a Russian computer forensics company. Fox-IT and Group-IB called the crime group “Anunak,” and described how the crooks sent malware laced Microsoft Office attachments in spear phishing attacks to compromise specific users inside targeted banks.

“Most cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards,” my December 2014 story observed. “But this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.”

I also noted that a source told me this group of hackers is thought to be the same criminal gang responsible for several credit and debit card breaches at major retailers across the United States, including women’s clothier Bebe Stores Inc., western wear store Sheplers, and office supply store Staples Inc.

Andy Chandler, Fox-IT’s general manager and senior vice president, said the group profiled in its December report and in the Kaspersky study are the same.

“Anunak or Carbanak are the same,” Chandler said. “We continue to track this organization but there are no major revelations since December. So far in 2015, the financial industry have been kept busy by other more creative criminal groups,” such as those responsible for spreading the Dyre and Dridex banking malware, he said.

ANALYSIS

Certainly, learning that this group stole possibly close to USD $1 billion advances the story, even if the Kaspersky report is a couple of months late, or generous to the attackers by a few hundred million bucks. The Kaspersky report also references (but doesn’t name) victim banks in the United States, although the New York Times story notes that the majority of the targeted financial institutions were in Russia. The Group-IB/Fox-IT report did not mention US banks as victims.

Two readers at different financial institutions asked whether The Times was accurate in stating that employees at victim banks had their computers infected merely after opening booby-trapped emails. “The cybercriminals sent their victims infected emails — a news clip or message that appeared to come from a colleague — as bait,” The Times’ story reads. “When the bank employees clicked on the email, they inadvertently downloaded malicious code.”

As the Kaspersky report (and my earlier reporting) notes, the attackers leveraged vulnerabilities in Microsoft Office products for which Microsoft had already produced patches many months prior — targeting organizations that had fallen behind on patching. Victims had to open booby trapped attachments within spear phishing emails.

“Despite increased awareness of cybercrime within the financial services sector, it appears that spear phishing attacks and old exploits (for which patches have been disseminated) remain effective against larger companies,” Kaspersky’s report concludes. “Attackers always use this minimal effort approach in order to bypass a victim’s defenses.”

Minimal effort. That’s an interesting choice of words to describe the activities of crime groups like this one. The Kaspersky report is titled “The Great Bank Robbery,” but the work of this gang could probably be more accurately described as “Death by 1,000 cuts.”

Why should crime groups like this one expend more than minimal effort? After all, there are thousands of financial institutions here in the United States alone, and it’s a fair bet that on any given day a decent number of those banks are months behind on installing security updates. They’re mostly running IT infrastructure entirely based on Microsoft Windows, and probably letting employees browse the Web with older versions of Internet Explorer from the same computers used to initiate wire transfers (I witnessed this firsthand just last week at the local branch of a major U.S. bank). It’s worth noting that most of the crime gang’s infrastructure appears to be Linux-based.

This isn’t intended as a dig at Microsoft, but to illustrate a point: Most organizations — even many financial institutions — aren’t set up to defeat skilled attackers; their network security is built around ease-of-use, compliance, and/or defeating auditors and regulators. Organizations architected around security (particularly banks) are expecting these sorts of attacks, assuming that attackers are going to get in, and focusing their non-compliance efforts on breach response. This “security maturity” graphic nicely illustrates the gap between these two types of organizations.

As I wrote in my December story, the attacks from the Anunak/Carbanak gang showcase once again how important it is for organizations to refocus more resources away from preventing intrusions toward detecting intrusions as quickly as possible and stopping the bleeding. According to the Fox-IT/Group-IB report, the average time from the moment this group breaks into bank internal networks and the successful theft of cash is a whopping 42 days.

Kaspersky’s report notes a similar time range: “There is evidence indicating that in most cases the network was compromised for between two to four months, and that many hundreds of computers within a single victim organization may have been infected.” Both the Kaspersky and Group-IB/Fox-IT reports contain pages and pages of threat indicators, including digital signatures and network infrastructure used by this group.

So those are some takeaways for financial institutions, but what about banking customers? Sadly, these developments should serve as yet another wake-up call for small to mid-sized businesses based in the U.S. and banking online. While consumers in the United States are shielded by law against unauthorized online banking transactions, businesses have no such protection.

Russian hacking gangs like this one have stolen hundreds of millions of dollars from small- to mid-sized businesses in the U.S. and Europe over the past five years (for dozens of examples, see my series, Target: Small Businesses). In the vast majority of those cyberheists, the malware that thieves used to empty business accounts was on the victim organization’s computers — not the bank’s.

Now, add to that risk the threat of the business’s bank getting compromised from within and the inability of the institution to detect the breach for months on end.

“Advanced control and fraud detection systems have been used for years by the financial services industry,” the Kaspersky report observed. “However, these focus on fraudulent transactions within customer accounts. The Carbanak attackers bypassed these protections, by for example, using the industry-wide funds transfer (the SWIFT network), updating balances of account holders and using disbursement mechanisms (the ATM network). In neither of these cases did the attackers exploit a vulnerability within the service. Instead, they studied the victim’s internal procedures and pinpointed who they should impersonate locally in order to process fraudulent transactions through the aforementioned services. It is clear that the attackers were very familiar with financial services software and networks.”

Do you run your own business and bank online but are unwilling to place all of your trust in your bank’s security? Consider adopting some of the advice I laid out in Online Banking Best Practices for Businesses and Banking on a Live CD.

Update, 3:45 p.m. ET: A copy of the Kaspersky report on the Carbanak gang is here (PDF). Also, Fox-IT has released a Q&A on the differences and commonalities between their December report and Kaspersky’s this week.