Security & Fraud

NCR Blocked Mint, QuickBooks As Cyberattack Precaution

Global enterprise technology company NCR Corp. blocked Mint and QuickBooks Online as a precautionary tactic following a series of bank account cyberattacks, KrebsOnSecurity reported on Sunday (Nov. 3).

The hacker used third-party aggregation sites like Mint and QuickBooks to steal bank account passwords and siphon funds. NCR overturned the ban, which had blocked the sites from accessing its online banking platform Digital Insight, which is used by hundreds of financial institutions.

A credit union chief security officer that uses Digital Insight told KrebsOnSecurity on Oct. 29 that several bank accounts at his institution were hacked the previous week.

The cybercriminals seemingly automated unauthorized logins every five to 10 minutes in several “distinct 12-hour periods,” the source told the security news outlet.

“The weird part is sometimes the attackers are getting the multi-factor challenge, and sometimes they aren’t,” said the source. Many times, the attackers were able to get into accounts using only a username and password.

NCR notified Digital Insight customers “that the aggregation capabilities of certain third-party products were being temporarily suspended,” NCR said in a written statement to Krebs.

“The notification was sent while we investigated a report involving a single user and a third-party product that aggregates bank data. After confirming that the incident was contained, NCR restored connectivity that is used for account aggregation. As we noted, the criminals are getting aggressive and creative in accessing tools to access online information … NCR continues to evaluate and proactively defend against these activities,” the statement said.

The hacked accounts are thought to have been caused in part by the use of passwords from previously breached sites.

“If you bank online and choose weak or reused passwords, there’s a decent chance your account could be pilfered by cyberthieves – even if your bank offers multi-factor authentication as part of its login process,” the Krebs article said, citing its report The Risk of Weak Online Banking Passwords.

Passwords remain relatively primitive tools that continue to endure despite repeated data breaches. A host of companies, organizations, entrepreneurs and technology experts are working to come up with mainstream replacements for them.



B2B APIs aren’t just for large enterprises anymore — middle-market firms and SMBs now realize their potential for enabling low-cost access to real-time payments and account data. But those capabilities are only the tip of the API iceberg, says HSBC global head of liquidity and cash management Diane Reyes. In this month’s B2B API Tracker, Reyes explains how the next wave of banking APIs could fight payments fraud and proactively alert middle-market treasurers to investment opportunities.