Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Fintech. Show all posts

Direct Trading Technologies Exposes Data of 300K Traders in Major Security Breach

 

Direct Trading Technologies (DTT), an international fintech enterprise, has compromised the security of more than 300,000 traders by inadvertently exposing their confidential information and trading histories, potentially exposing them to the risk of unauthorized account access.

On October 27th, the research team at Cybernews identified a misconfigured web server containing backups and development code believed to be associated with Direct Trading Technologies. The company, which operates globally and specializes in providing trading platforms for various financial instruments, including stocks, forex, precious metals, energies, indices, Contracts for Difference (CFDs), and cryptocurrencies, also extends its services through white-label solutions. 

While its primary clientele is situated in Saudi Arabia, Direct Trading Technologies maintains offices in multiple countries, including the UK, Lithuania, UAE, Kuwait, Colombia, Turkey, Bahrain, Lebanon, and the Republic of Vanuatu. Within the identified directory, several database backups were found, each containing substantial amounts of sensitive information concerning the company's users and partners. The breach introduces a spectrum of potential risks, ranging from identity theft to the takeover and unauthorized withdrawal of funds from traders' accounts.

Upon discovery, Cybernews promptly notified the company of their findings. Although the identified issues were rectified, an official response from Direct Trading Technologies is still pending.

The leaked data encompasses the trading activities of more than 300,000 users spanning the last six years, including names, email addresses, correspondence sent by the company, and IP addresses. Notably, individuals using the company's email addresses, possibly employees, had their passwords exposed in plaintext. Hashed passwords for accessing user accounts on the DTT trading platform were also among the leaked information. Furthermore, certain clients had their home addresses, phone numbers, and partial credit card details exposed.

The comprehensive list of leaked data includes:
  • Trading account activity
  • Contents of emails sent by DTT
  • User IP addresses, emails, usernames, and plaintext passwords
  • Notes on outreach calls
  • Names
  • Email addresses
  • Phone numbers
  • Home addresses
  • Hashed passwords
  • Database endpoints and plaintext credentials of white-label customers (endpoints were protected by IP whitelists)
  • Locations where KYC documents are stored, filenames, types, expiration dates, and other metadata
While the KYC documents themselves were not compromised, the leaked files disclosed the locations where the documents are stored and additional metadata.

The credentials of clients utilizing the white-label service were exposed in plaintext, alongside details regarding database locations and negotiated commission percentages. The leaked information also contained internal comments from the company's outreach team, including derogatory terms used to categorize certain clients in the company's system.

Given the rapid growth of the fintech industry, this breach serves as a stark reminder of the crucial importance of robust cybersecurity measures. Fintech companies, entrusted with managing highly sensitive customer data, become prime targets for threat actors, especially considering the substantial value held in traders' accounts. 

With access to leaked data from a trading platform, attackers possess ample information to launch various malicious activities, including account takeovers, phishing, identity theft, and malware exploits based on leaked IPs. The potential threat is heightened by the fact that Direct Trading Technologies offers white-label services to numerous firms, storing credentials for clients' databases. While this could pose an additional threat, accessing these databases would require attackers to compromise a trusted network, adding an extra layer of complexity to the potential threat.

The United States is Monitoring Vulnerabilities in Bitcoin

 

The United States has shown a keen interest in the cybersecurity aspects of Bitcoin, particularly honing in on a vulnerability associated with the Ordinals Protocol in 2022. The National Vulnerability Database (NVD), overseen by the National Institute of Standards and Technology (NIST), a branch of the U.S. Department of Commerce, has brought attention to this issue for public awareness. This underscores the growing focus of government agencies on the security dimensions of cryptocurrencies.

The vulnerability at the core of this development is specific to certain versions of Bitcoin Core and Bitcoin Knots. It enables the bypassing of the datacarrier limit by disguising data as code. In practical terms, this vulnerability could result in the Bitcoin network being inundated with non-transactional data, potentially causing congestion in the blockchain and affecting performance and transaction fees. This concern is not merely theoretical, as evidenced by the exploitation of the Ordinals inscriptions in 2022 and 2023.

The Ordinals gained prominence in late 2022, involving the embedding of additional data onto a satoshi, the smallest Bitcoin unit, similar to the concept of nonfungible tokens (NFTs) on the Ethereum network. However, the increased usage of Ordinals transactions has led to heightened network congestion, resulting in elevated transaction fees and slower processing times. For blockchain enthusiasts, these issues are not just technical glitches but critical challenges that could influence the future trajectory of Bitcoin.

Luke Dashjr, a Bitcoin Core developer, has been outspoken about this vulnerability, likening it to receiving a flood of junk mail that obstructs essential communications. This metaphor aptly encapsulates the essence of the vulnerability, disrupting the otherwise streamlined process of Bitcoin transactions.

In response to these concerns, a patch has been developed in Bitcoin Knots v25.1. However, Dashjr notes that Bitcoin Core remains vulnerable in its upcoming v26 release. He expresses hope that the issue will be addressed in the v27 release next year. The implications of this vulnerability and its subsequent patching are substantial. Rectifying the bug could limit Ordinals inscriptions, although existing inscriptions would persist due to the immutable nature of the network.

This situation underscores a broader theme in the cryptocurrency world: the constant evolution and the need for vigilance in maintaining network security. The involvement of U.S. federal agencies in tracking and cataloging these vulnerabilities may signify a step toward more robust and secure blockchain technologies. While the identification of Bitcoin's vulnerability by the NVD serves as a cautionary tale, it also presents an opportunity for growth and improvement in the cryptocurrency ecosystem.

FinTech Sector Emerges as a Prominent Target for Cybercriminals


Like every other sector that has evolved, thanks to the innovative digital transformation it has adopted, cybercrime has become a significant challenge in the finances of organizations. As per research by VMware’s Modern Bank Heist, there has been an increase of a whopping 238% in cyberattacks on companies’ financial sectors since the wake of the COVID-19 pandemic. 

A series of cyberattacks witnessed recently on the DeFi platform illustrates how fintech companies have emerged as a prominent target and a big prize to cyber criminals. Particularly when it comes to fintech apps, there is often a huge possibility for profit. Attackers can also do greater damage by going after tech users, who may have adopted comparatively less stringent cybersecurity measures. One malicious software can deprive fintech consumers of their assets and ruin the reputation of the financial organization. 

Considering the seriousness of the constantly evolving threat, fintech companies are now required to reconsider their approach including their identity and access control strategies, in order to ensure sure that their platforms are equally trusted by consumers and businesses. It is crucial to implement the right controls to maintain an organization's security posture as this industry continues to transition to the cloud, but doing so presents a unique set of problems. 

Why Are FinTech Applications Hard to Secure? 

While cloud development has emerged as a breakthrough, garnering the opportunity for new apps to be made possible and existing apps to operate more smoothly than before, it has also rapidly increased the number of potential attack surfaces and created additional opportunities for configuration errors, human mistake, and identity management problems. 

Any form of change makes a company vulnerable at the cloud scale, whether it is upgrading an outdated program to a new and better cloud-based architecture or enhancing current capabilities. Due to the fact that an infrastructure's attack surface now expands and is dynamic in the cloud, this can further increase the explosion radius of a single attack. 

Fintech applications must also adhere to strict regularity standards that differ from country to country and frequently incur heavy fines for noncompliance. 

Since operating in the financial sector requires a greater standard of accountability towards clients and the entire sector, which can be a challenging task, organizations must assure visibility, dependability, and proper configuration as a result of fintech. 

Fintech companies need to maintain a tight grasp on security and privacy from the very beginning of growth, especially as third-party services continue to expand, in order to remain competitive in this extremely crowded market. 

How can FinTech Sector be Secured? 

Since fintech organizations are more dependent on vendors and other partners like manufacturers, suppliers, and subcontractors and an increasingly complex supply chain. This further could be a reason for the system being exposed to potential attackers. 

Companies frequently lack visibility into their third- and fourth-party partners, and consequently, the large amount of data that is available to them. Interoperability is crucial in today's software-centric world, but it frequently makes firms even more vulnerable to attackers. 

Fintech developers are thus advised to continuously be vigilant for potential problems with the software supply chain and the security risks that third-party services may pose to their companies. 

We are listing more measures that could be adopted by fintech organizations to safeguard themselves from potential cyber-attacks that could hinder their security: 

  • Companies must be aware of the entities that have access to their data and applications, along with their location and what they do with it. It will be crucial to integrate identity and access management (IAM) systems as dangers inside fintech continue to develop significantly.
  • An organization must have the appropriate technology and tactics in place to safeguard and comply with industry regulations as well as to consistently protect its sensitive data, especially in the cloud. IAM systems, for instance, offer businesses protection without impeding progress or burdening their teams with the extra workload. 
Unfortunately, the security risks offered by financially motivated cybercriminals will only get more advanced over time. The fintech sector must adopt a proactive security posture and a strong identity and access management strategy that can handle the complexity and scope of today's cloud security concerns in order to meet the pressure to protect sensitive client data.   

Hong Kong Will Legalize Retail Crypto Trading to Establish a Cryptocurrency Hub

 


A plan to legalize retail cryptocurrency trading has been announced by Hong Kong to create a more friendly regulatory regime for cryptocurrencies. There has been an opposite trend over the last few years in the city, with skeptical views, as well as China's ban on the practice. 

According to sources familiar with the matter, an upcoming mandatory licensing program for crypto platforms scheduled to take effect in March next year will allow retail traders access to crypto platforms. There has been a request not to name these people since they are not authorized to release this information publicly.

There have been reports that the regulators are planning to allow the listing of higher-value tokens in the coming months but will not endorse specific coins such as Bitcoin or Ether, according to the people. They noted that the details and timeframe are yet to be finalized since a public consultation is due first.

At a fintech conference that starts on Monday, the government is expected to provide more details regarding its recently announced goal of creating a top crypto hub in the region. To restore Hong Kong's reputation as a financial center after years of political turmoil and the aftermath of Covid curbs sparked a talent exodus, the marketing campaign comes amid a larger effort to put Hong Kong back on the map.

Gary Tiu, executive director at crypto firm BC Technology Group Ltd, said that, while mandatory licensing in Hong Kong is one of the most effective things regulators can do, they cannot forever satisfy the needs of retail investors who are investing in crypto assets. 

Criteria for listing 

According to people familiar with the matter, the upcoming regime for listing tokens on retail exchanges is likely to include criteria such as the token's market value, liquidity, and membership in third-party crypto indexes to determine eligibility for listing. Their approach resembles the one they used when it came to structured products such as warrants, they continued. 

Hong Kong's Securities and Futures Commission spokesperson did not respond to a request for comment regarding the details of the revised stance adopted by the agency. 

Several crypto-related Hong Kong companies that are listed on the stock exchange increased their share prices on Friday. In the same report, BC Technology climbed 4.8% to its highest in three weeks during the third quarter, whilst Huobi Technology Holdings Ltd. rose slightly. 

In a world where more and more regulators are grappling with how to manage the volatile area of digital assets. This area has gone through a $2 trillion rout, following a peak in early November 2021. The sector is finding it difficult to regain its previous strength. Firms that dealt in cryptocurrency were crushed by the crash because their leverage grew without limit and their risk management methods were exposed.

It is widely believed that Singapore has tightened up its digital-asset rules to curb retail trading in digital assets to deal with the implosion that has hit Hong Kong. 

There was a proposal earlier this week by Singapore to ban the purchase of leveraged retail tokens on the retail market. There was a ban on cryptos in China a year ago because it was largely illegal. 

Michel Lee, executive president of digital-asset specialist HashKey Group, said that Hong Kong is trying to frame a crypto regime that extends beyond the retail token trading market to incorporate all types of digital assets, including cryptocurrencies. 

Bringing the ecosystem to the next level 

Among other things, Lee believes that tokenized versions of stocks and bonds could become a much more significant segment in the future as time passes on. Lee said, "Just trading digital assets on its own is not the goal". According to Lee, digital assets are not intended to be traded on their own but the ecosystem must grow as quickly as possible.”

A big exchange such as Binance and FTX once had their base in Hong Kong. Their attraction was the reputation of a laissez-faire regime and their strong ties to China. A voluntary licensing regime, that was introduced by the city in 2018, limited crypto platforms' access to clients with portfolios exceeding HK$8 million ($1 million) to those with portfolios of less than that amount. 

It has been confirmed that only two firms have been approved to operate under the license, BC Group and HashKey. FTX successfully managed to turn away the more lucrative consumer-facing business to the Bahamas last year as a result of the signal of a tough approach. 

However, the plan to attract crypto entrepreneurs back to Hong Kong seems to be a bit short of what is needed to usher them back. Among other things, it remains to be seen if mainland Chinese investors would be able to trade in tokens through Hong Kong if that were to be permitted. 

Leonhard Weese, the co-founder of the Bitcoin Association of Hong Kong, expressed a fear that there might be a very strict licensing regime in the future. "The conversations I have had indicate that people still fear it will be very stressful," he said. The company claims that it is not competitive on the same level as overseas platforms. Therefore, it will not be as attractive to customers as it would be if it dealt directly with retail users. 

According to blockchain specialist Chainalysis Inc., the volume of digital-token transactions in Hong Kong through June declined less than 10% from a year earlier, the most modest increase in the region outside of a slump in China, in the 12 months through June. It has fallen two positions from its global ranking of 39 in 2021 to 46 in 2022 when it comes to crypto adoption throughout the city. 

The Securities and Futures Commission of Hong Kong's Fintech Department has also suggested that the city could take further steps in this area, including the establishment of a regime to authorize exchange-traded funds seeking exposure to mainstream virtual assets. 

It shows that the one country, two systems principle is being put into action in financial markets, Wong said at an event last week. He said that the fact that the city can introduce a cryptocurrency framework distinct from China's indicates how far it has come.

Ola Finance: Attackers Stole $4.7M in 'Re-Entrancy' Exploit

 

According to a post-mortem report released by the developers, the decentralised lending platform Ola Finance was exploited for approximately $4.67 million in a "re-entrancy" assault on Thursday. 

Ola runs a decentralised finance (DeFi) platform that spans multiple blockchains, and the hack on Thursday targeted the Fuse network. For financial services such as lending and borrowing, DeFi refers to the use of smart contracts rather than third parties. 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 wrapped ether, 26.25 wrapped bitcoin, and 1,240,000.00 FUSE were obtained using Ola's services on the Fuse network. 

At current pricing, all of that is worth more than $4.67 million. The attack took use of a re-entrancy flaw in the ERC677 token standard. Reentrancy is a frequent issue that allows attackers to deceive a smart contract into stealing assets by repeatedly calling a protocol. An authorization for a smart contract address to communicate with a user's wallet address is known as a call. 

The attacker used a 515 WETH flash loan from the WETH-WBTC pair on Voltage Finance to execute the initial heist transaction. The attacker avoided a flash loan in subsequent transactions by using funds that had already been stolen, according to the post-mortem study. Voltage is a decentralised trading protocol for the Fuse network that enables for automated trading of DeFi coins. 

Attackers were able to fool Voltage's smart contracts by transferring wrapped assets — which they generated using flash loans, a type of short-term uncollateralized borrowing, asking the smart contract send payments from Voltage to the hacker's addresses The attack, according to Ola Finance, could not be replicated on any of the lending networks it supports. The developers stated, “We will investigate each token’s 'transfer' logic to make sure no problematic token standards are in use.” 

 Meanwhile, Voltage stated it was in contact with third parties to track down the attacker and devise a method to compensate those who had been harmed.

Payment Fraud Attack Rate Across Fintech Increased by 70% in 2021

 

The index based on a global network of over 34,000 sites and apps and a poll of over 1,000 consumers, reveals that payment fraud attacks across fintech increased by 70% in 2021, the greatest increase of any category in the network. 

Payment fraud has increased in tandem with a whopping 121 percent year-over-year increase in fintech transaction volumes on Sift's network, making this industry a tempting target for cybercriminals. These escalating attacks, as per this data, were mostly focused on alternative payments such as digital wallets, which witnessed a 200 percent increase in payment fraud, as well as payments service providers (+169 percent) and cryptocurrency exchanges (+140 percent). 

These approaches were targeted towards buy now/pay later (BNPL) providers, which showed a 54 percent increase in fraud attack rates year over year. Sift's Trust and Safety Architects discovered a rising number of fraud schemes on Telegram in late 2021, providing unlimited access to BNPL accounts via fake credit card numbers and compromised email addresses, demonstrating the wide range of methods fraudsters use to target the whole fintech sector.

Along with a 23 percent increase in blocked payment fraud assaults in 2021, Sift noticed a network-wide rise in daily transaction volumes across all industries. Similarly, 49 percent of poll respondents indicated they've been a victim of payment abuse in the last one to three years, with 41 percent of those who have been victims in the last year alone. Financial service websites were regarded as the sites that pose the most risk by 33% of the victims, which could have a detrimental impact on the customer’s trust. 

Jane Lee, Trust and Safety Architect at Sift. stated, “Many brands fail to realize that the damage of payment fraud goes beyond the initial financial impact. The vast majority of consumers report abandoning brands after they experience fraud on a business’s website or app, diminishing customer lifetime value and driving up acquisition costs. Further, potential customers who see unauthorized charges from a particular company on their bank statements will forever associate that brand with fraud. In order to combat these attacks and grow revenue, businesses should look to adopt a Digital Trust & Safety strategy—one that focuses on preventing fraud while streamlining the experience for their customers.”