53% would switch banks if their institution had a data breach: Cyber Security Today for Thursday, October 17, 2024


Hi, given the long weekend in Canada we moved to a Tuesday, Thursday and Saturday weekend show. With some travel I have to do to appear at SecTor in Toronto and some other potential appearances, we’re going to stick with the Tuesday, Thursday, Saturday format for next week as well. We’ll keep you up to date.

BTW, Saturday’s show is going to be a deep-dive look at phishing and how sophisticated it has become. It’s part of some changes we are making to the weekend shows to include interviews and deeper dives into research, and we’ll still have a month in review for those who are fans of our panel shows. Check it out and let us know what you think. And now – here’s the show.

A new study reveals that 53%, over half of the participants, would likely switch banks if their current institution suffered a data breach; Apple’s proposal to shorten SSL/TLS certificate lifespans sparks sysadmin outrage; and the FIDO Alliance proposes a new protocol to enhance passkey portability across platforms.

This is Cyber Security Today. I’m your host, Jim Love.


A national survey conducted by Angus Reid on behalf of the firm ISA Cybersecurity reveals that 53%, over half of the participants, would likely switch banks if their current institution suffered a data breach, and almost three quarters (73%) consider a bank’s cybersecurity measures when choosing to stay with or switch institutions.

The survey, which included responses from 1,519 Canadians, was carried out in late September and early October through the Angus Reid Forum. Kevin Dawson, President & CEO of ISA Cybersecurity, noted that the survey results underscore an urgent need for banks to enhance their cybersecurity measures.

“The 54 percent of respondents who would switch financial institutions after a data breach highlights a significant risk of customer turnover, emphasizing the need for banks to enhance their cybersecurity and effectively communicate these efforts to maintain trust and loyalty. Many of our financial sector clients are leveraging us for cutting-edge technology and AI-enhanced detection and monitoring to protect themselves from evolving cyber threats in real time.”

The study revealed that there is indeed a high level of concern amongst Canadian banking customers. Over three quarters (78%) of Canadians are increasingly worried about cyber crimes related to online banking. This concern comes as financial institutions grapple with more sophisticated cyberattacks facilitated by advances in artificial intelligence and other digital technologies. Moreover, 76% of those surveyed fear a potential data breach at their bank, with 22% being extremely concerned.

The concerns are real. A report from the Office of the Superintendent of Financial Institutions (OSFI), indicated a nearly threefold increase in “high impact” cyber attacks on banks over the past year.

Other significant findings from the survey include a notable gap between intent and practice: despite a willingness among 95% of Canadians to adopt additional security measures like multi-factor authentication, only 54% currently use biometrics for accessing their financial accounts.

Indeed, the survey also highlighted a communication gap, with 62% of respondents noting that they rarely or never receive information about cybersecurity practices from their banks. We asked Dawson what accounted for this gap:

“We work with financial institutions of all sizes across Canada, and we know they are making significant investments in cybersecurity measures, and using companies like ISA Cybersecurity to train their own employees to watch out for red flags.

The problem is, they may not be effectively conveying these efforts and sharing this information with their customers, because they don’t realize how concerned customers are. This survey should help change that.”

Indeed this presents a critical opportunity for financial institutions to engage more actively in educating their customers on cybersecurity.

And while the costs in terms of customer churn are potentially large, direct losses to financial services firms in Canada are also costly.

Another recent study from IBM, in partnership with ISA Cybersecurity, revealed that financial services in Canada face some of the most expensive data breaches, costing an average of CDN$9.28 million each.

Experts look to the adoption of AI and automation to significantly reduce both the cost and the lifecycle of breaches.

But while Dawson emphasized the importance of advanced cybersecurity measures, he notes there is a role for customers to play in protecting themselves. He recommends that consumers use strong, unique passwords for each account, stay informed about the latest scams, and keep their devices updated and secured against potential threats.

Source: Study findings from ISA Cybersecurity

Apple’s Proposal to Shorten SSL/TLS Certificate Lifespan Sparks Sysadmin Outrage

Apple has proposed a dramatic reduction in the lifespan of SSL/TLS security certificates, causing widespread consternation among system administrators. Currently set at 398 days, the lifespan could be reduced to just 45 days by 2027, according to a draft ballot measure discussed at the Certification Authority Browser Forum (CA/B Forum) this fall.

The proposal outlines a phased reduction: certificates would have a maximum validity of 200 days starting September 2025, then 100 days from September 2026, and finally down to 45 days after April 2027. Additionally, the measure would reduce the domain control validation (DCV) period to just 10 days by September 2027.

This move is part of a broader trend toward shorter certificate lifespans in the tech industry, aimed at enhancing internet security. Proponents argue that shorter lifespans prevent criminals from exploiting compromised certificates for extended periods. However, this comes at the cost of increased administrative burden for those managing these certificates.

Sysadmins, already tasked with maintaining secure and functional internet infrastructures, have taken to platforms like Reddit to express their frustration and concern over the heightened workload the proposal would entail. Many fear that the frequent renewal process will not only be cumbersome but also prone to errors and security risks due to the constant need for updates and verifications.

Google has previously advocated for shorter certificate lifespans, suggesting a reduction to 90 days for TLS server authentication subscriber certificates. The push for tighter security measures reflects growing concerns over cybersecurity threats but also highlights the tension between advancing security protocols and the practical realities faced by those tasked with implementing these changes.

Certificate providers like Sectigo, despite supporting the proposal, acknowledge the potential headaches it will cause for IT security teams, who will have to manage numerous certificates expiring at different times.

The proposal has yet to pass a CA/B Forum ballot, and there is speculation within the sysadmin community that major players like Google or Apple may enforce these changes unilaterally if the measure does not pass. This situation underscores the ongoing challenges in balancing enhanced security measures with operational practicality in the management of digital infrastructures.

Sources include: The Register

23andMe Settles for $30 Million After Massive Data Breach Exposes Millions of Users – But the losses are more than monetary.

23andMe, a popular genetic testing company, has agreed to a $30 million settlement following a significant data breach that exposed the personal information of approximately 6.9 million users, nearly half of its customer base. The breach, which was first detected in April 2023 but not fully disclosed until December, led to a class-action lawsuit accusing the company of inadequate data protection.

The breach primarily affected users of 23andMe’s DNA Relatives and Family Tree services, exposing sensitive personal information. Under the terms of the proposed settlement, impacted users, especially those who can demonstrate hardships such as identity theft or falsified tax returns directly resulting from the breach, may be eligible for compensation up to $10,000. Additionally, 23andMe will provide three years of a security monitoring service to help protect users from future privacy breaches.

In the wake of the breach and the resulting settlement, 23andMe faces intense scrutiny and criticism. The situation has led to the resignation of the company’s independent directors and raised significant concerns about its data retention practices. Following these events, many customers are considering deleting their data from 23andMe, and an article in the popular tech blog Gizmodo gave detailed instructions on how to request deletion of your data.

The process involves navigating through the Account Settings tab and confirming the deletion via email. However, it’s important for users to understand that even with the requested deletion, some data may be retained by the company, as outlined in their privacy policy. This revelation about data retention even after account deletion adds another layer of complexity for users concerned about their privacy.

The 23andMe data breach serves as a stark reminder of the vulnerabilities associated with handling sensitive genetic information and the profound consequences of cybersecurity failures. It underscores the need for enhanced protective measures in the burgeoning field of genetic testing and personal genomics.

But it’s also a stark reminder of how, in a digital age, loss of trust following a breach can devastate and even destroy a company regardless of its size or even its popularity.


FIDO Alliance Proposes New Protocol to Enhance Passkey Portability Across Platforms

Finally, the FIDO Alliance is making strides in passwordless authentication with its latest initiative aimed at improving the interoperability of passkeys across various platforms. The alliance, which includes major tech companies like Apple, Google, Microsoft, and others, has introduced a draft for a new set of specifications, known as the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF). These specifications are designed to facilitate the secure transfer of credentials, such as passkeys, between different providers.

Passkeys are increasingly adopted as a secure, phishing-resistant alternative to traditional passwords. They streamline the login process, making it not only faster but also more successful by reducing the likelihood of credential reuse and phishing attacks. Despite these advantages, passkeys are generally tied to specific operating systems or password management services, posing challenges when users switch devices or platforms. Currently, this limitation necessitates the creation of new passkeys with each device, complicating user experience and hindering broader adoption.

The FIDO Alliance’s proposed Credential Exchange Protocol aims to address these challenges by standardizing how credentials are transferred between systems. According to the Alliance, the new protocol and format will ensure that credentials are not transferred “in the clear” but are instead securely handled by default. This initiative promises to enhance user experience by allowing for the seamless transfer of passkeys and other credentials across different ecosystems, thereby supporting a more universal application of passwordless sign-ins.

The development of these new specifications follows the successful implementation of passkeys by various companies, including a notable rollout by Amazon, which reported that over 175 million customers have enabled passkeys on their accounts. This widespread adoption underscores the growing recognition of passkeys’ potential to enhance online security and user convenience.

As the FIDO Alliance continues to refine these protocols, the potential for a more interconnected and secure digital authentication landscape becomes increasingly tangible. This initiative not only supports the broader adoption of passkeys but also aligns with ongoing efforts to eliminate passwords altogether, marking a significant step forward in cybersecurity and user authentication technology.

That’s our show for today.

You can find links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips and the occasional bit of constructive criticism at editorial@technewsday.ca

I’m your host, Jim Love, thanks for listening.
