A few weeks ago some colleagues from a development team told us about their worries on the JSON Web tokens (JWT) generation they were doing as part of a new tool integration they were working on. They had heard about several security issues regarding the use of JWT tokens so they asked us for help in order to validate if the tokens they were issuing were correct and met some basic security requirements.

We are currently working on a project to help automate security tests, APICheck, which we’ve recently released as open source. APICheck is comprised of a set of small tools that can be pipe chained in order to run several tests on API requests, so we got down to work with the development of a new tool for validating the JWT they were issuing, jwt-checker, in which we’ve implemented the ability to pass the validations on the tokens we’ll talk about. Below I’ll show you an example of a test implemented using the tool.

Essential remote working has forced a change to on-site employee training plans. BBVA had already espoused a culture of online learning before the pandemic, offering its staff a comprehensive digital training catalog via the Campus BBVA platform. The platform has been refreshed to adapt to employee needs during the weeks of confinement. Employee response has been positive: traffic to the training portal shot up 96 percent with more than two million sessions during the first month of lockdown. A review of the most consumed topics reveals employees’ growing interest in developing new competencies (data, design, sustainability), which are priority for BBVA and and even more apropos given the new reality that awaits.

November 30th has been designated the day to remind Internet users of important, day-to-day cybersecurity habits that help prevent them falling prey to scams, malware, or the loss of personal data. Here are some useful “cybertips” to help you browse the Internet worry-free.

These are some of the strategies that a company can implement to prevent this increasingly popular kind of cybernetic scam which can affect any kind of business, both SMEs and large multinational firms.

Data available in physical format represent an important source of information for cybercriminals – things like passwords written on paper or cards, as well as information susceptible to theft that moves through social networks and computers. Here are some of the different social engineering techniques designed to extract information available in non-digital format.

This type of cyberattack –targeted at companies’ employees – has been increasing steadily during the last year. The ‘CEO fraud’ can affect any type of company, from small family businesses to large multinationals and it is essential to understand how it works in order protect companies from it.

Crooks have tapped into a goldmine by getting personal data over the phone. This scam, known as vishing, is a new method of social engineering, which is rooted in the psychological manipulation of its victims.

Internet shopping is more and more common: grocery shopping, movie tickets, airline travel, and more. Shopping online has become habitual day-to-day practice, though occasionally potential buyers leave themselves open to fraud or data theft. The following cybersecurity tips serve to reduce the risks associated with card payments on the Internet.

This summer, approximately 400 children and teens between the ages of 9 and 17 enjoyed BBVA’s cybersafe Fridays. The bank held a series of different workshops to raise awareness and educate employee families about how to use technology and social networks safely.

After coming back from summer vacation, the back-to-school shopping preparations get underway. We frequently choose to buy school materials online in order to save time and money. Consequently, we should familiarize ourselves with security measures to be sure we are making our back-to-school purchases with trusted ecommerce sites and protecting our personal data.

Although ransomware attacks (holding a victim’s data ransom) and phishing have recently become more and more frequent, distributed denial of service (DDoS) attacks continue to top of the lists of those techniques most used by cybercriminals.

Garanti BBVA’s data center, formerly located in Istanbul’s Güneşli district, has moved to an Uptime Institute Tier IV certified building in Pendik, also in Istanbul.

In the business world, the CISO or Chief Information Security Officer is the person responsible for ensuring and upgrading information security within the organization. At home, we can apply many of the basic principles that are foundation of the CISO role to protect and preserve our family’s private information. No matter how daunting the task may seem at first, it is really not that hard to achieve this goal without being an expert on the subject.

Any company can fall victim to this kind of crime in which criminals trick an employee authorized to give bank payment orders into performing a transaction for them. Financial institutions like BBVA never request sensitive information, such as passwords or personal data, by email or outside of the secure environment on Net Cash and BBVA.es. For organizations, the key to preventing this kind of fraud is to reinforce control systems and  exercise great caution.

BBVA Group has developed a platform to facilitate mobile payments across all the countries in its footprint. The platform developed by BBVA connects to Visa and Mastercard directly from each country’s application and provides the data required to process digital transactions from a smartphone.

This new payment method replaces sensitive debit or credit card data with a unique identification code called a ‘token,’ which is used during a digital transaction. Online transactions are therefore more secure because the customer’s actual card data no longer needs to be provided. BBVA has already committed to helping its customers adopt this new payment approach.

A group of 12 leading regional and digital financial institutions have joined together as investors and members in KY3P®, a company dedicated to working with the financial industry to standardize best practices for managing third-party risk and optimizing the processes by which financial institutions assess and monitor inherent risk in engaging suppliers and entering into third-party relationships.

As technological innovation continues, customer expectations evolve at a similarly rapid pace.  In navigating this dynamic landscape, financial institutions are increasingly seeking assistance from outside, third party providers, a strategy that itself poses inherent risks, like cybersecurity challenges and the potential for digital-related fraud.  Greater attention and scrutiny from regulators naturally results from this developing risk paradigm.

The sidecar pattern shows itself as a very powerful tool in the new world of containers and can be found in several use cases. In this post we focus in analyzing some of the most interesting use cases from an IT security perspective.

The European Commission (EC) is convening institutions, businesses, and regulators today and tomorrow in BBVA’s headquarters in Madrid with the aim of promoting security and privacy measures that will stimulate greater use of cloud services and the free flow of data in Europe’s digital single market (DSM). BBVA is hosting the event and is an active member of the EC working group, which is seeking to standardize security certification for cloud providers and establish a code of conduct that will facilitate data portability and the ability to switch providers.

On February 26, BBVA will host the sixth plenary meeting of the working group that promotes the use of cloud technologies in Europe’s Digital Single Market (DSM Cloud Stakeholders). The stakeholder group includes business and regulatory representatives specializing in the fields of cybersecurity and the free flow of data.

It’s the holiday season, which means many of us are hitting our favorite stores or shopping online with plastic in hand. With all this activity, it only makes sense that credit and debit card fraud tends to increase during this time of year.

Friday November 30 is International Computer Security Day (ICSD), a day that aims to raise awareness and remind society about the importance of protecting both company and personal computer resources in order to prevent the misuse of financial and personal data, and even identity theft.

Now that using a cell phone and computer has become an everyday part of life, it’s important to be aware of the different types of online threats.  Phishing, vishing and smishing are just a few of the online scams cybercriminals use to steal private data, but this can be avoided through information and preventative action.

Flora Egea is BBVA’s Data Protection Officer (DPO). She has a critical assignment in her hands: to ensure that BBVA complies with Europe’s GDPR (General Data Protection Regulation), which has revolutionized the way companies handle personal data. On the six month anniversary of its implementation, she believes the legislation has raised awareness among the general public about the need to protect their personal data, but there is still work to be done. In her opinion, GDPR is a positive step and positions Europe as a world leader given its unique treatment of data as a fundamental right.

The problem of data integrity verification is a classic topic that has been well-studied in the last decades. Many database or log systems run on untrusted servers or are subject to malicious attacks from insiders and, therefore, vulnerable to tampering. With the advent of cloud computing and the possibility of dealing with outsourced data, such situation has been aggravated. This problem is an essential challenge for financial institutions where preserving the correctness of customer data and transactions is crucial in terms of legal compliance and reputation.

BBVA had the opportunity to share with the European Commission (EC) its vision of the cybersecurity challenges facing the financial sector. It provided its insight in a report submitted by the working group, ECIL (European Cybersecurity Industry Leaders), where the bank participates alongside companies from different sectors.

BBVA collaborated with a research team from the Massachusetts Institute of Technology (MIT) to develop a model that can reduce the level of false positives in fraudulent card transactions up to 54 percent, thanks to algorithms based on machine learning.

The BBVA Compass Mobile Banking App has made it easier than ever to take an active role in keeping your money safe and secure, with features that allow you to decide on alerts and enabling or disabling your card.

For the sixth year in a row, the European Commission and the European Union Agency for Network and Information Security (ENISA) are calling October “European Cybersecurity Month” in order to promote cybersecurity across the EU. The goal is to raise awareness of cybersecurity, identify and change unsafe behavior and provide users resources to learn how to protect themselves online.

In an online world, scammers are using new tricks and forms of deception to get what they want from their victims. Although the tools may have changed, today’s scams are not much different from the old-school “pigeon drop” scam in which a victim is persuaded to give the scammer money with the promise of receiving a much larger sum. In this new scenario, cybersecurity training is essential to protect the private data of both individuals and professionals.

For the sixth year in a row, the European Commission and the European Union Agency for Network and Information Security (ENISA) are calling October “European Cybersecurity Month” in order to promote cybersecurity across the EU. The goal is to raise awareness of cybersecurity, identify and change unsafe behavior and provide users resources to learn how to protect themselves online.

In an online world, scammers are using new tricks and forms of deception to get what they want from their victims. Although the tools may have changed, today’s scams are not much different from the old-school “pigeon drop” scam in which a victim is persuaded to give the scammer money with the promise of receiving a much larger sum. In this new scenario, cybersecurity training is essential to protect the private data of both individuals and professionals.

For the sixth year in a row, the European Commission and the European Union Agency for Network and Information Security (ENISA) are calling October “European Cybersecurity Month” in order to promote cybersecurity across the EU. The goal is to raise awareness of cybersecurity, identify and change unsafe behavior and provide users resources to learn how to protect themselves online.

With the slogan “Stop. Think. Connect. Cybersecurity is a shared responsibility”, more than 400 activities will take place during ‘European Cybersecurity Month’ across Europe. Activities like conferences, workshops, training sessions, presentations, webinars, Internet campaigns and much more are all designed to protect users from Internet scammers.

In an online world, scammers are using new tricks and forms of deception to get what they want from their victims. Although the tools may have changed, today’s scams are not much different from the old-school “pigeon drop” scam in which a victim is persuaded to give the scammer money with the promise of receiving a much larger sum. In this new scenario, cybersecurity training is essential to protect the private data of both individuals and professionals.

Summer has come to an end, and the usual back-to-school season gets underway. It’s the time of the year to prepare school supplies, and it can also be a good time to take stock of our digital habits to be sure to start the year safely on the right foot:

In May 2018, the Federal Bureau of Investigations released its 2017 Internet Crime Report from its Internet Crime Complaint Center, or IC3. According to the report, in the last year, $1.42 billion in total losses was reported, all attributable to Internet crime. The crime reporting the biggest monetary loss was related to Business Email Compromise/Email Account Compromise (BEC/EAC).

What does rooting or jailbreaking a mobile device mean? Both verbs refer to the same action of removing the limitations that mobile device manufacturers impose to limit user access to the devices’ resources, thus becoming some sort of superuser. Root however is used when the action is performed on android devices, and jailbreak on iOS devices.

On the back of increased web attacks, the priority of cybersecurity has increased for businesses and banks worldwide. How do financial institutions balance this risk with the need to expand their digital services?

Moviegoers can remember a time when they’d watch a sci-fi, spy or crime picture in the theaters, complete with a scene that shows a main character gaining access to a top-secret area with finger print identification. We’re looking at you, Ocean’s Eleven.

This post in 10 seconds

In this post we will address software dependency management: the security problems it implies, how to automate its management, receiving new vulnerabilities alerts in real time and how to implement a productive and satisfactory system using new Open Source tools as Deeptracy and Patton.

Throughout history, there have been several versions of the family and different models of relating with one another. The latest version is the family 2.0.

New modes of communication have transformed the way news is delivered. Thanks to the Internet, access to information has never been so fast. Each minute more than 3.5 million Google searches are made, Facebook is accessed 900,000 times, and 156 million emails are sent. The compulsion to be informed every minute of the day has provoked a surge in so-called “fake news.”

In this article we explain how to include security in the browser and to be able to monitor in real time attacks directed to the client and that are very complicated to control in the server.

Malware, or malicious software, covers different programs which, when run in devices, cause different types of damage and complications such as interrupting their operations, disrupting how they work, stealing information and displaying unwanted advertising.

That surfing on the internet means leaving a trail of personal information is nothing new. Browsers gather preferences and habits thanks to the cookies installed in computers when surfing.

At this point, it’s not surprising that apps that are spontaneously installed on our devices use our personal data in a number of ways.