New guidance obtained by American Banker would reduce the number of suspicious activity reports, or SARs, banks are required to file, a move aimed at easing banks’ compliance burden and making data more useful for law enforcement. The Treasury Department, Federal Reserve, Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency are releasing a new Frequently Asked Questions guidance document that is meant to cut the compliance burden for banks and other financial firms by reducing the number of SARs that they need to file. Treasury said that the changes would refocus the system on reports that provide the greatest value to law enforcement. “SARs should deliver better outcomes by providing law enforcement the most useful information — not by overwhelming the system with noise,” said Treasury Under Secretary for Terrorism and Financial Intelligence John Hurley in a statement. “Compliance requires real resources, and that’s why prioritization is crucial. At Treasury, we will continue to reform our Anti-Money Laundering and Countering the Financing of Terrorism framework to de-prioritize low-value activity and direct compliance resources towards the most significant threats to our country.” Banks are required to file SARs to the Treasury Department’s Financial Crimes Enforcement Network, or Fincen, under certain circumstances, such as upon observing a known or suspected federal crime or when a customer deposits more than $10,000 in cash. Banks can also voluntarily file SARs on suspicious transactions that might be relevant to a possible violation. Banks tend to over-file SARs relative to what is required out of concern that they could face supervisory or enforcement penalties if they are found to have inadequate anti-money laundering controls. 
But the reporting rules have also become central to the administration’s crusade against political debanking because SARs filed against a consumer can lead to that person or group losing access to banking services. The OCC even recently warned financial institutions against using voluntary SARs as “a pretext to improperly disclose customers’ financial information.” The new guidance from the banking regulators should ease some of those worries.
Proof launches Certify enabling instant legally-accepted digital signing of financial, legal and personal content using verified legal identity, cryptographically signing media and data to generate irrefutable evidence that prevents AI counterfeiting
Proof has launched a new solution aimed at solving the problem of falsified content, deepfakes and digital impersonation that artificial intelligence has dramatically exacerbated. Called Certify, the new solution seeks to address the proliferation of fake documents, images, videos and data driven by generative AI to the point where it’s indistinguishable from reality. Proof argues that although fake media and misinformation have garnered the most attention, the real danger in AI lies in its ability to forge signatures, falsify records, impersonate one’s voice on the phone, or fake a person’s likeness on video. Certify enables instant, legally accepted digital signing of any content, whether financial, legal or personal, using a verified legal identity. The service cryptographically signs all media and data to generate irrefutable digital evidence that cannot be counterfeited by generative AI. With Certify, identities are embedded in everything done online to create verifiable records that anyone can instantly trust, the company says. Proof claims Certify verifiable records will supplant any digital asset that is accepted by existing legal frameworks — documents, images, video, audio and structured data, making it possible to authenticate all forms of media to ensure provenance and accountability in an era where digital forgeries are proliferating. Organizations can immediately verify the authenticity of any evidence they receive, without requiring users to present their identification every time. Along with the launch of Certify, Proof also announced the availability of the Identity Authorization Network, where consumers can save their verified biometric identity once and instantly true-sign any media and data across the Proof platform. The digital identity eliminates the need for repeated onboarding and establishes a chain of trust with every authorization, since there’s an inextricable link between an identity and the record it produces.
Financial industry coalition pushes unified anti-scam framework integrating AI monitoring, information sharing, and consumer education amid 25% spike in fraud losses YoY
Cybersecurity Awareness Month arrives this week against a sobering backdrop: Consumer losses from fraud have surged to $12.5 billion, a 25% increase in just one year. In response, the financial industry, consumer advocates and the federal government have rolled out a coordinated effort to fight back. Throughout October, organizations from the American Bankers Association to the federal government’s lead cybersecurity agency will be pushing new campaigns and security frameworks aimed at protecting both consumers and the nation’s critical financial infrastructure. Here are the most important developments to watch, from new anti-scam strategies to useful updated resources. The biggest announcement to kick off Cybersecurity Awareness Month on Wednesday came from the Aspen Institute, which released a national strategy on preventing scams developed jointly by multiple banks, payment networks, financial services companies, consumer advocates, government agencies, major retailers and others. Members of the steering committee that developed the report represented JPMorganChase, Zelle, Block, Plaid, Amazon, Target and others. Other members of the task force that developed the report included Bank of America, Citizens, Wells Fargo, Visa, Paypal, Transunion, the American Bankers Association and the Bank Policy Institute. The 70-page strategy document functions as a blueprint for how companies, the U.S. government, and others can combat a problem that the report calls a “global conflict” and “whole-of-society threat to America.” The strategy document emphasizes that artificial intelligence and faster payment options are making scams more destructive and widespread. Financial services — including banking, payments, fintech and crypto — are among the sectors scammers exploit. The report urged government and corporate leaders to modernize legal frameworks and enhance incentives for action. 
A critical component of the framework organized by the Aspen Institute is addressing the current ambiguity regarding the duty of care to suppress scam activity across sectors. Because the report serves to document the consensus between various consumer advocates, banks and other stakeholders, it does not reach a conclusion on the core, nuanced subject of the duty of care (who should be liable) when a consumer is tricked into authorizing a payment to a fraudster. However, the report does note that there is currently no clear or consistent duty of care to suppress scam activity across sectors targeted by scammers, such as telecommunications, digital platforms and financial services. This ambiguity creates tension, as companies fear undue liability if clear mandates are established. So, the strategy calls for Congress to normalize duties across sectors and enact good Samaritan liability protections for companies that act reasonably and in good faith against scams. These protections would help de-risk corporate participation in scam suppression efforts. The report also cited the Australia Scams Prevention Framework as an international model, noting it provides a safe harbor protecting firms from liability when they take reasonable, proportionate and good-faith action to block suspected scams. The strategy advocates that companies maintain robust anti-scam policies covering the entire scam lifecycle and ensure C-suite leaders own and review these policies regularly.
Tapjacking and the TapTrap threat: an app without any permissions at all can abuse screen animations to open another screen without the user knowing, turn it invisible, and get them to unknowingly click on a permission prompt
Philipp Beer, Marco Squarcina and Martina Lindorfer, researchers from the Security and Privacy Group at TU Wien Informatics in Austria, and Sebastian Roth from the University of Bayreuth in Germany, have revealed their research into Tapjacking and the TapTrap threat. In developing TapTrap, the researchers have demonstrated how an app without any permissions at all can abuse screen animations to open another screen without the user knowing, turn it invisible, and get them to unknowingly click on a permission prompt. This method of executing a transparent action with an invisible malicious one underneath is new and dangerous. Whereas, ordinarily, when the screen changes in Android, you would expect to see an animation, maybe a sliding or fading effect as one screen changes to another, a TapTrap attack can make the new screen “fully transparent, keeping it hidden from you,” the researchers said. “Any taps you make during this animation go to the hidden screen,” they continued, “not the visible app.” The app could then get you to tap areas of the screen that “correspond to sensitive actions on the hidden screen,” the researchers explained, “allowing it to perform actions without your knowledge.” Actions like, for example, enabling the device administrator permission, which can let an app remotely wipe your phone.
Virtru’s cloud platform lets organizations securely share sensitive data by using an open-source file format TDF that connects files to a server which encrypts them and only decrypts them for permissioned users, requiring one-time codes for access
Virtru Inc., a startup that helps enterprises prevent unauthorized access to their data, commercializes an open-source file format known as TDF designed to let organizations securely share sensitive data with one another. TDF works by connecting files to a server controlled by the company that created them. This server encrypts the files and only decrypts them for users who have permission to view them. Virtru sells a cloud platform that uses TDF to help companies encrypt files before they move outside the corporate network. Users can specify who may view the records and revoke access through a centralized interface. The platform also provides other cybersecurity controls. Workers may set an expiration date for shared files, watermark them and monitor how they’re accessed. The recipients of such files can only open them using a Virtru-operated cloud application that is activated with one-time codes. There’s a standalone file sharing service called Virtru Secure Share, as well as versions that integrate with Google Workspace and Microsoft 365. The latter tools can encrypt not only business files but also emails. Another Virtru product called Virtru Private Keystore helps enterprises manage the encryption keys and generates an audit trail that tracks how encryption keys are used. Another tool called Data Protection Gateway scans inbound emails, detects sensitive data such as credit card numbers and encrypts them.
Trustwave’s managed phishing protection service for Microsoft users aims to address gaps in native email security product deployments by offering a more comprehensive solution
Trustwave has launched Managed Phishing for Microsoft, a service designed to improve phishing defenses for organizations using Microsoft Office 365 and Defender for Office. Phishing remains the most reported type of cybercrime globally, with attackers using advanced AI-powered tactics to bypass default email security measures. Trustwave has developed a managed cybersecurity solution to deliver continuous protection and user awareness for businesses. The service works alongside Microsoft’s built-in defenses, providing additional layers of risk reduction and email security management. Features include end-to-end technology management, multi-layered detection systems, regular simulated phishing exercises, and around-the-clock threat response. Trustwave’s technology management capabilities provide complete setup and administration of phishing-related policies and rules, minimizing the management burden for internal IT teams. The detection aspect uses AI-driven engines supported by Trustwave SpiderLabs threat research, reducing exposure to threats by over 99 per cent. The service also offers regular phishing simulations to strengthen employee vigilance, tailored to each organization’s unique environment. The Managed Phishing for Microsoft service aims to address gaps in native email security product deployments by offering a more comprehensive solution through a combination of technology, security expertise, and employee awareness. Regular phishing simulations are tailored to an organization’s specific business environment, creating ongoing awareness and a stronger culture of vigilance among employees.
Nacha’s Payments Innovation Alliance’s educational video on quantum computing urges industry-wide collaboration and a transition to quantum-resistant cryptographic methods to ensure a secure and resilient payments ecosystem
Nacha’s Payments Innovation Alliance, a membership program that brings together diverse global stakeholders seeking to transform the payments industry, has released a new educational video, Protecting Payments in the Quantum Era: Prepare for Impact. Developed by the Alliance’s Quantum Payments Project Team, the video provides a foundational understanding of quantum computing and its implications for the payments ecosystem. As quantum technology advances, it poses both transformative opportunities and significant risks, particularly to the cryptographic systems that underpin today’s secure transactions. The video introduces viewers to the fundamentals of quantum computing, highlighting how it differs from classical computing in its ability to process complex calculations at unprecedented speeds. It also delves into the potential impact of quantum advancements on encryption and data security, emphasizing the vulnerabilities of current cryptographic systems. The video also underscores the urgency for financial institutions to begin transitioning to quantum-resistant cryptographic methods and calls for industry-wide collaboration to ensure a secure and resilient payments infrastructure that is prepared for the quantum era.
Fingerprint’s platform can help identify all types of agentic-driven fraud by detecting residential proxies which are increasingly accessible and affordable, and commonly used by fraudsters looking to mask their IP addresses
Fingerprint announced new Smart Signals and platform enhancements that detect malicious bots and AI agents, distinguishing them from legitimate automated traffic: Bot/AI Agent Detection: Bot Detection Smart Signal can detect dozens of bot detection and browser automation software tools. It performs intelligent classification on each API request to determine whether a bot or agent is legitimate or malicious, with only verified beneficial bots and agents classified as trustworthy. Virtual Machine Detection Smart Signal further enhances AI agent and bot detection by identifying virtual machines, which are commonly used in automated fraud schemes. This capability provides an additional layer of protection against sophisticated attack vectors. Residential Proxy Detection addresses one of the most challenging aspects of modern fraud detection. Residential proxies are increasingly accessible and affordable, making them attractive tools for fraudsters looking to mask their IP addresses. Because agentic traffic can be routed through ISPs to real residential IP addresses—giving malicious agents high authenticity—the ability to detect residential proxies with confidence levels is crucial for identifying all types of agentic-driven fraud. Request Filtering: Fingerprint has gathered a list of known user agents used by AI companies for web scraping and model training, as well as AI assistants that help with scheduling and other repetitive tasks. The Request Filtering functionality allows customers to filter out these legitimate AI agents and bots from fingerprinting, helping optimize billing costs without compromising detection capabilities for AI-driven fraud.
US phone carriers are rolling out blocking of unauthorized number port outs and wireless account locking for combating SIM swap attacks
To combat SIM swap attacks, which rely on impersonation and deception tactics known as social engineering, three major phone carriers in the United States — AT&T, T-Mobile, and Verizon — have introduced security features that make it more difficult for malicious hackers to deceptively get a customer’s account changed, such as porting out their phone number. In July, AT&T introduced its free Wireless Account Lock security feature to help prevent SIM swaps. The feature allows AT&T customers to add extra account protection by toggling on a setting that prevents anyone from moving a SIM card or phone number to another device or account. The feature can be switched on via AT&T’s app or through its online account portal by anyone who manages the account, so make sure that account is protected with a unique password and multi-factor authentication. T-Mobile allows customers to prevent SIM swaps and block unauthorized number port outs for free through their T-Mobile online account. The primary account holder will have to log in to change the setting, such as switching it on or off. Verizon has two security features called SIM Protection and Number Lock, which prevent SIM swaps and phone number transfers, respectively. Both of these features can be turned on via the Verizon app and through the online account portal by an account’s owner or manager. Verizon says that switching off the feature may result in a 15-minute delay before any transactions can be performed — another safeguard to allow the legitimate account holder to reverse any account changes.
Android 16’s Advanced Protection features seek to secure Chrome on mobile devices by auto-enabling HTTPS for secure connections, disabling the optimizing JavaScript compilers inside V8 and isolating websites so that a malicious site cannot access data or code from another website
With Android 16, users can enable Advanced Protection to “activate Google’s strongest security for mobile devices.” There are three main Advanced Protection features in Chrome 137+ on Android 16, starting with “Always use secure connections” — or HTTPS — being enabled. Before loading an insecure (HTTP) site, Chrome asks for explicit permission. This setting protects users from attackers reading confidential data and injecting malicious content into otherwise innocuous webpages. The next feature disables the “higher-level optimizing JavaScript compilers inside V8.” V8 is Chrome’s high-performance JavaScript and WebAssembly engine. The optimizing compilers in V8 make certain websites run faster; however, they have historically also been a source of known exploitation of Chrome. Of all the patched security bugs in V8 with known exploitation, disabling the optimizers would have mitigated ~50%. This prevents a large category of exploits, but at the expense of “causing performance issues for some websites.” Finally, Advanced Protection enables Site Isolation wherein Chrome “isolates each website into its own rendering OS process” in memory. This isolation prevents a malicious website from accessing data or code from another website, even if that malicious website manages to exploit a vulnerability in Chrome’s renderer—a second bug to escape the renderer sandbox is required to access other sites.