We are increasingly aware of the importance of passwords: we create stronger ones, change them regularly and make sure not to use the same ones for everything. We also know that one of the biggest risks we face is password theft, since passwords unlock our information. But are we as careful with the passwords we store in our browsers?

After the incidents of the previous months (SolarWinds, Codecov,...) it is becoming more evident that it is necessary to have a strong inventory and control over the components with which we build our software, as well as to strengthen the process used to build it.

BBVA has launched Aqua, a new line of pioneering credit cards in Spain which feature a dynamic CVV code and do not contain card numbers (PAN) or expiration dates printed on them. This reinforces security both for its digital and physical versions since not having this data prevents possible fraudulent use of them. In addition, BBVA´s app has renewed the entire payment experience to make it easier for the customer to manage their expenses and order the services it offers based on their use. The bank is already working to launch this mobile experience in other countries.

Garanti BBVA launches Bonus Diji, a rewards credit card that is extremely secure, as it does not include any numbers or codes that can be copied.

How do cybercriminals think? What techniques do they use and how do they set up to implement them? What are their goals? There's nothing better than putting yourself inside the bad guy's mind so you will be ready to react. We tell you how these criminals behave.

A few weeks ago some colleagues from a development team told us about their worries on the JSON Web tokens (JWT) generation they were doing as part of a new tool integration they were working on. They had heard about several security issues regarding the use of JWT tokens so they asked us for help in order to validate if the tokens they were issuing were correct and met some basic security requirements.

We are currently working on a project to help automate security tests, APICheck, which we’ve recently released as open source. APICheck is comprised of a set of small tools that can be pipe chained in order to run several tests on API requests, so we got down to work with the development of a new tool for validating the JWT they were issuing, jwt-checker, in which we’ve implemented the ability to pass the validations on the tokens we’ll talk about. Below I’ll show you an example of a test implemented using the tool.

Essential remote working has forced a change to on-site employee training plans. BBVA had already espoused a culture of online learning before the pandemic, offering its staff a comprehensive digital training catalog via the Campus BBVA platform. The platform has been refreshed to adapt to employee needs during the weeks of confinement. Employee response has been positive: traffic to the training portal shot up 96 percent with more than two million sessions during the first month of lockdown. A review of the most consumed topics reveals employees’ growing interest in developing new competencies (data, design, sustainability), which are priority for BBVA and and even more apropos given the new reality that awaits.

Voice is already the gateway to many services and applications that have become an integral part of our daily lives. The level of intuitiveness and user-friendliness enabled by voice-based interfaces place them heads and shoulders above other options when it comes to interacting in a seamless way with our devices. From a biometrics standpoint, voice offers additional benefits.

November 30th has been designated the day to remind Internet users of important, day-to-day cybersecurity habits that help prevent them falling prey to scams, malware, or the loss of personal data. Here are some useful “cybertips” to help you browse the Internet worry-free.

These are some of the strategies that a company can implement to prevent this increasingly popular kind of cybernetic scam which can affect any kind of business, both SMEs and large multinational firms.

Data available in physical format represent an important source of information for cybercriminals - things like passwords written on paper or cards, as well as information susceptible to theft that moves through social networks and computers. Here are some of the different social engineering techniques designed to extract information available in non-digital format.

This type of cyberattack –targeted at companies' employees – has been increasing steadily during the last year. The ‘CEO fraud’ can affect any type of company, from small family businesses to large multinationals and it is essential to understand how it works in order protect companies from it.

Crooks have tapped into a goldmine by getting personal data over the phone. This scam, known as vishing, is a new method of social engineering, which is rooted in the psychological manipulation of its victims.

Internet shopping is more and more common: grocery shopping, movie tickets, airline travel, and more. Shopping online has become habitual day-to-day practice, though occasionally potential buyers leave themselves open to fraud or data theft. The following cybersecurity tips serve to reduce the risks associated with card payments on the Internet.

This summer, approximately 400 children and teens between the ages of 9 and 17 enjoyed BBVA’s cybersafe Fridays. The bank held a series of different workshops to raise awareness and educate employee families about how to use technology and social networks safely.

After coming back from summer vacation, the back-to-school shopping preparations get underway. We frequently choose to buy school materials online in order to save time and money. Consequently, we should familiarize ourselves with security measures to be sure we are making our back-to-school purchases with trusted ecommerce sites and protecting our personal data.

Although ransomware attacks (holding a victim’s data ransom) and phishing have recently become more and more frequent, distributed denial of service (DDoS) attacks continue to top of the lists of those techniques most used by cybercriminals.

Garanti BBVA's data center, formerly located in Istanbul's Güneşli district, has moved to an Uptime Institute Tier IV certified building in Pendik, also in Istanbul.

In the business world, the CISO or Chief Information Security Officer is the person responsible for ensuring and upgrading information security within the organization. At home, we can apply many of the basic principles that are foundation of the CISO role to protect and preserve our family’s private information. No matter how daunting the task may seem at first, it is really not that hard to achieve this goal without being an expert on the subject.

Any company can fall victim to this kind of crime in which criminals trick an employee authorized to give bank payment orders into performing a transaction for them. Financial institutions like BBVA never request sensitive information, such as passwords or personal data, by email or outside of the secure environment on Net Cash and BBVA.es. For organizations, the key to preventing this kind of fraud is to reinforce control systems and  exercise great caution.

BBVA Group has developed a platform to facilitate mobile payments across all the countries in its footprint. The platform developed by BBVA connects to Visa and Mastercard directly from each country's application and provides the data required to process digital transactions from a smartphone.

This new payment method replaces sensitive debit or credit card data with a unique identification code called a ‘token,’ which is used during a digital transaction. Online transactions are therefore more secure because the customer’s actual card data no longer needs to be provided. BBVA has already committed to helping its customers adopt this new payment approach.

A group of 12 leading regional and digital financial institutions have joined together as investors and members in KY3P®, a company dedicated to working with the financial industry to standardize best practices for managing third-party risk and optimizing the processes by which financial institutions assess and monitor inherent risk in engaging suppliers and entering into third-party relationships.

As technological innovation continues, customer expectations evolve at a similarly rapid pace.  In navigating this dynamic landscape, financial institutions are increasingly seeking assistance from outside, third party providers, a strategy that itself poses inherent risks, like cybersecurity challenges and the potential for digital-related fraud.  Greater attention and scrutiny from regulators naturally results from this developing risk paradigm.

The sidecar pattern shows itself as a very powerful tool in the new world of containers and can be found in several use cases. In this post we focus in analyzing some of the most interesting use cases from an IT security perspective.

The European Commission (EC) is convening institutions, businesses, and regulators today and tomorrow in BBVA's headquarters in Madrid with the aim of promoting security and privacy measures that will stimulate greater use of cloud services and the free flow of data in Europe's digital single market (DSM). BBVA is hosting the event and is an active member of the EC working group, which is seeking to standardize security certification for cloud providers and establish a code of conduct that will facilitate data portability and the ability to switch providers.

On February 26, BBVA will host the sixth plenary meeting of the working group that promotes the use of cloud technologies in Europe's Digital Single Market (DSM Cloud Stakeholders). The stakeholder group includes business and regulatory representatives specializing in the fields of cybersecurity and the free flow of data.

It’s the holiday season, which means many of us are hitting our favorite stores or shopping online with plastic in hand. With all this activity, it only makes sense that credit and debit card fraud tends to increase during this time of year.

Friday November 30 is International Computer Security Day (ICSD), a day that aims to raise awareness and remind society about the importance of protecting both company and personal computer resources in order to prevent the misuse of financial and personal data, and even identity theft.