Financial Cyber-Threat Briefing 2014


The Briefing presented an overview of the most common and latest attack vectors affecting online banking and other financial online services; strategies and methodologies for addressing the growing risks in this domain; and demonstrations of some of the latest hard-to-trace exploits as well as the solutions that stop them.
Introduction to the Briefing and Context
Speaker: Lucas Allan, Managing Director, LiquidNexxus

Lucas Presentation

Emerging Cyber-Threats Targeting Financial Institutions
Speaker: Marco Morana, SVP Technology Risks & Controls, Citi
Video - Presentation

Marco Video

Marco Presentation

This presentation shared research carried out on the root causes of security incidents caused by emerging threats such as banking malware. The session provided practical examples of compromises caused by various threat agents and an in-depth analysis of the methods and attack vectors employed against online banking applications. The scope of this analysis was to analyse the threats, simulate the attacks and identify flaws in the application architecture that can be prioritised for remediation. To simulate the attacks, modelling techniques such as the attack kill chain and attack trees were shown. The goal of the session was to give information security officers examples of processes, methodologies and risk frameworks that can be used to identify countermeasures to mitigate emerging threats.

Overview of Online Banking Malware & Countermeasures
Speaker: Giorgio Fedon, COO, Minded Security & OWASP Lead
Video - Presentation


Giorgio Presentation

This session presented how attackers currently identify and exploit web vulnerabilities on financial institution websites to steal credentials. Giorgio also demonstrated how compromised customer PCs can be used to compromise online transaction platforms. Finally, Giorgio presented a new technology, the "AMT Banking Malware Detector", that allows banks to identify users infected with malware before they become victims of fraud.

Preventing In-Browser Malicious Code Execution
Speaker: Stefano Di Paola, CTO, Minded Security & OWASP Project Lead
Video - Presentation



DOM Based XSS (or, as it is called in some texts, "type-0 XSS") is an XSS attack in which the payload is executed as a result of modifying the DOM "environment" in the victim's browser that the original client-side script relies on, so that the client-side code runs in an "unexpected" manner. Because the attacker-controlled data flows from a client-side source (such as the URL fragment, which is never sent to the server) into a client-side sink (such as innerHTML or eval) without ever reaching the server, these vulnerabilities in JavaScript code cannot be detected by standard IDS or perimeter security measures. This leaves a large potential exposure: the vulnerable code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation demonstrated such vulnerabilities and also presented Minded Security's latest countermeasure, DOMinatorPro.
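The source-to-sink flow described above, as an added example that is not part of the original briefing and is not code from Minded Security or DOMinatorPro: a greeting widget that reads a name from `location.hash` and writes it through `innerHTML` (vulnerable), the same widget rewritten to validate the value and write it through `textContent` (hardened), and a helper showing the URL a server or perimeter device actually receives. The DOM element is a constructed stand-in so the block runs under Node.js; `nameFromHash`, `renderGreetingVulnerable`, `renderGreetingSafe` and `serverVisibleUrl` are names chosen for this illustration.

```javascript
// Added example (not from the original page or the tools it describes):
// a DOM-based XSS sink beside a hardened rewrite, plus the server-side
// view of the same URL.

// Constructed stand-in for a DOM element. A real element would parse
// innerHTML as markup and execute any event handlers it contains; this
// stub simply records the string so the flow can be observed offline.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Client-side SOURCE: extract the "name" parameter from the fragment,
// e.g. "#name=Alice" -> "Alice". Unknown or missing -> "guest".
function nameFromHash(hash) {
  const m = /[#&]name=([^&]*)/.exec(hash);
  return m ? decodeURIComponent(m[1]) : "guest";
}

// VULNERABLE: untrusted fragment data reaches the innerHTML SINK unchanged.
// A fragment like #name=<img src=x onerror=alert(1)> becomes live markup
// in the victim's browser, and nothing on the server ever saw it.
function renderGreetingVulnerable(location, el) {
  el.innerHTML = "Welcome, " + nameFromHash(location.hash);
  return el.innerHTML;
}

// HARDENED: same feature, two controls. (1) The value must match a strict
// allow-list pattern, otherwise it is replaced. (2) The result is written
// through textContent, which browsers never interpret as HTML.
function renderGreetingSafe(location, el) {
  const name = nameFromHash(location.hash);
  const safeName = /^[A-Za-z0-9 _-]{1,32}$/.test(name) ? name : "guest";
  el.textContent = "Welcome, " + safeName;
  return el.textContent;
}

// What the server, and any WAF or IDS in front of it, receives: the
// fragment is stripped by the browser before the request is sent, so the
// payload is invisible to perimeter inspection. Uses the WHATWG URL API.
function serverVisibleUrl(fullUrl) {
  const u = new URL(fullUrl);
  u.hash = "";
  return u.toString();
}

// Stand-alone demonstration with a constructed malicious fragment.
if (typeof require !== "undefined" && require.main === module) {
  const attack = {
    hash: "#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E", // constructed
  };
  console.log("vulnerable:", renderGreetingVulnerable(attack, makeElement()));
  console.log("hardened:  ", renderGreetingSafe(attack, makeElement()));
  console.log(
    "server sees:",
    serverVisibleUrl("https://bank.example/app" + attack.hash)
  );
}
```

Run it with `node` and compare the three lines: the vulnerable path hands the browser an `<img onerror=...>` element, the hardened path renders literal text, and the server-visible URL contains no trace of the payload, which is why server-side logging or perimeter filtering alone cannot catch this class of bug.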

Cyber Crime: extending an already loose perimeter
Speaker: Massimo Cotrozzi, Assistant Director - Fraud Investigation & Dispute Services Practice, Ernst & Young.


"EY's 13th Global Fraud Survey of over 2,700 executives across 59 countries highlights that while respondents believe emerging risks are not being taken seriously enough, nearly half of them consider cybercrime a low risk." With cybercrime expanding its reach and reaching new heights, companies struggle with the basics, from supporting cybercrime initiatives to failing to understand what to protect from whom. Massimo went through a brief panorama of the issues and pointed out some useful directions to follow.