Tag Archive for: proposed

EU’s Proposed CSAM Bill Poses Hacking Risks

Hackers Would Exploit Client-Side Scanning, LIBE Committee Hears

Members of a European Parliament committee heard Thursday an assessment warning them that a bill intended to fight child sexual abuse material would instead weaken online security.


The Child Sexual Abuse Material proposal unveiled by the European Commission in May 2022 faces a barrage of opposition from industry and civil liberty groups concerned that its mandate for digital communication services such as instant messenger apps to scan for CSAM is incompatible with end-to-end encryption.

Bart Preneel, a cryptography professor at Catholic University of Leuven in Belgium, told the Committee on Civil Liberties, Justice and Home Affairs, or LIBE, that the only way mandatory scanning could be made compatible with end-to-end encryption is by scanning for images on users' devices before they are transmitted across the web. Preneel is co-author of an assessment of the CSAM proposal commissioned by the committee.

“The only way you could actually detect CSAM would be by scanning on the device of the user. You would have to insert additional software in the user device, and such a software will create new vulnerabilities that are open to attack and abuse,” he said.

Scanning communications would violate the right to confidential communications, while client-side scanning “violates the essence of the right of protection…

Big banks’ proposed digital wallet payment system likely to fail


A group of leading banks is partnering with payment service Zelle’s parent company to create their own “digital wallet” connected to consumer credit and debit cards to enable online or retail store payments.

The new payment service, however, must compete with entrenched digital wallets such as Apple Pay and Google Pay that are embedded on mobile devices and already well established. It’s also not the first attempt for some in the consortium to create a digital wallet payment service.

The consortium includes Wells Fargo & Co., Bank of America, JPMorgan Chase, and four other financial services companies, according to The Wall Street Journal. The digital wallet, which does not yet have a name, is expected to launch in the second half of this year.

The system will be managed by Zelle’s parent company, Early Warning Services LLC (EWS). It will have about 150 million Visa and Mastercard credit and debit cards connected at launch, with plans to add other card networks later, according to an EWS blog.

“Early Warning is working closely with financial institutions to build a wallet that provides consumers a secure and easy way to pay,” James Anderson, EWS’ managing director of Wallet, said in the blog. “The wallet will also aim to deliver better business outcomes for merchants — including higher transaction approval rates and more completed sales.”

The consortium’s digital wallet will be a standalone service, not part of Zelle, according to reports. It is expected to compete with other digital wallet payment services such as Apple Pay, Google Pay, and Neo. It will also be up against other bank-run digital wallets, such as Revolut, Monzo and Curve, and payment companies such as PayPal and Venmo.

Concerns emerge over proposed SEC cyber incident disclosure changes


Gary Gensler, chair of the U.S. Securities and Exchange Commission, testifies during a Senate Banking, Housing, and Urban Affairs Committee hearing on Sept. 14, 2021, in Washington. (Photo by Bill Clark-Pool/Getty Images)

Facing increased breaches on its systems and among its members, the Securities and Exchange Commission (SEC) is considering how it will better handle cyber threats.

The SEC proposed new amendments in March to govern how investment firms and public companies under its purview should improve upon their IT security management and incident reporting.

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC Chair Gary Gensler in a March release.

“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks,” Gensler said. “A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”

SEC gets tough on identity programs and incident reporting

In July, the SEC charged JP Morgan Chase & Co, UBS and online stock-trader TradeStation with having deficient customer identity programs, each having violated the Identity Theft Red Flags Rule, or Regulation S-ID, between January 2017 and October 2019. Regulation S-ID seeks to protect investors from the risk of identity theft. All three financial institutions agreed to cease and desist from future violations, to be censured, and to pay fines of $1.2 million, $925,000, and $425,000, respectively.

Among other requirements, the SEC’s proposed amendments would require that financial institutions provide current reporting about “material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.”

In March, the SEC stated that its “proposed rule defines a cybersecurity incident as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information…

$350 Million Settlement of T-Mobile Breach Lawsuits Proposed

On Top of Settling With Victims, Telecom Carrier Would Invest More in Security

A proposed $350 million settlement to resolve a consolidated class action lawsuit against the U.S. telecom carrier T-Mobile, following a 2021 data breach that affected nearly 77 million people, covers payments to breach victims and related legal costs.

Under the settlement, T-Mobile is required to invest an additional $150 million to bolster its data security and related technology in 2022 and 2023, according to the settlement described in an SEC filing.

Terms of Settlement

The proposed agreement, which was filed in federal court in Missouri on Friday, would settle a class action lawsuit that consolidated more than 40 lawsuits filed after the data breach was revealed in August 2021 by the U.S. telecom carrier.

It awaits court approval that is “expected as early as December 2022 but could be delayed by appeals or other proceedings,” the filing says.

The telecom carrier says it denies all the allegations made in the complaints filed against it, particularly those describing T-Mobile’s failure to protect customer data, and states that the settlement is not an admission of “liability, wrongdoing or responsibility.”

“T-Mobile denies all material allegations of the Amended Complaint and specifically…