Banking Cyber-Attack Trends to WatchSocial Engineering, Mobile Risks on Rise
Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2014.
When it comes to cyberthreats, what are the major concerns for banking institutions in 2014? Distributed-denial-of-service attacks waged as a mode of distraction to perpetrate fraud across numerous banking channels are a growing threat. But financial institutions also are concerned about ransomware attacks designed to wage account takeover fraud, as well as mobile malware and insider threats.
The key for banking institutions in 2014 will be to focus on detecting and mitigating multiple risks across multiple channels. "We will see more blended attacks that combine DDoS with some form of attempted data compromise," says Doug Johnson, vice president and senior adviser of risk management policy for the American Bankers Association.
Other threats that will require renewed attention include spear-phishing attacks and call-center schemes waged against employees, as well as nation-state threats and third-party breaches.
DDoS as a Distraction
Avivah Litan, a financial fraud expert who's an analyst for the consultancy Gartner, says 30 percent of all banking institution fraud is perpetrated across multiple channels.
For example, attackers will target an institution's online-banking site with a DDoS attack as a distraction. Then, during the attack, when the online-banking site is unavailable, fraudsters can take advantage of customer service representatives who are overburdened, Litan says.
But cross-channel attacks can be launched in a variety of ways, says Shirley Inscoe, a financial fraud analyst at the consultancy Aite.
"Organized fraud rings are targeting call centers, armed with some information gleaned from data breaches, hacking, etc., and then calling repeatedly to gain additional information so they can successfully impersonate the client," Inscoe says. "Once they have enough information, they may ask for a password reset to gain online access, request a debit card or request a wire transfer be sent. The resultant fraud may originate through the contact center or a different channel."
Spear Phishing and Ransomware
Employees' credentials also can be compromised through socially engineered schemes, such as spear-phishing attacks. Banking institutions can expect these targeted attacks waged against their employees, as well as their customers, to increase in volume and sophistication in the year ahead, experts say.
And when it comes to social engineering schemes waged against customers, institutions should brace for a significant uptick in ransomware attacks, such as CryptoLocker, says Tom Wills, a financial fraud expert in Singapore and director of Ontrack Advisory, a consulting firm focused on payments.
"The banking industry is already being hit indirectly, as ransomware is being delivered as phishing e-mail payloads, purportedly from banks," he explains.
Malware that targets mobile phones and tablets will continue to be a substantial threat in 2014.
"When it comes to mobile, there are a lot of different steps that banks have to take to protect their mobile applications," Litan says. "But most financial institutions just don't have the resources to protect these mobile applications as fully as they should. I do think that we'll see that change, because it's becoming so prevalent to engage a mobile banking app," she says. But the industry still has a long way to go, she notes.
"The most serious issue that banks and all of us face in trying to protect assets and data is our open architecture," Litan says. "There are so many different channels users can come in from. There are so many different activities employees can engage in. We're pretty much an open society: The Web code is there to be deciphered and the mobile apps are there to be downloaded."
Edward Snowden's leak of classified documents about the National Security Agency's surveillance programs brought attention to insider threats in 2013.
"The worldwide focus on insider threats, privacy, responsibility and trust ... has had a massive impact on security in all industries," Wills says. "This may be the story of the decade, not just the year."
Snowden's breach put a spotlight on the need for stronger insider controls, Litan says. "And sometimes that's as simple as changing default passwords," she explains.
From an authentication perspective, it's not just customers who require stronger authentication; employees who have access to sensitive data need to be scrutinized as well, Litan says.
"There are more disgruntled employees and there are more opportunities for them to commit fraud with outside parties," she says. "You have to pay attention to who you hire and continuously authenticate those individuals."
As the DDoS attacks against leading U.S. banking institutions have proved, cyberwarfare campaigns are increasing (see: DDoS Attacks: More to Come?). Self-proclaimed hacktivist groups and nation-states are taking aim at financial services to disrupt service, compromise accounts and steal intellectual property.
"Banks have always been a target for nation-state launched threats," Wills says. "Geographically coordinated attacks, not just across states but across the world, seem to be becoming more and more common."
And banking institutions cannot afford to ignore the risk of third-party data breaches, says Anton Chuvakin, an emerging technology analyst at Gartner. As banks and credit unions outsource more of their core banking services, third-party risks will increase.
But it's not just risks associated with vendor relationships that banking institutions have to consider, Chuvakin and others say.
Increasingly, payments risks associated with retailers and payments processors are becoming a greater concern. Point-of-sale breaches, such as the ones that struck Target Corp. and Neiman Marcus, illustrate the complexity of securing financial transactions across numerous entities.
In 2013, several smaller retailers were targeted by malware that exploited POS software and network vulnerabilities. These smaller organizations often have less sophisticated and secure systems, which make them prime targets for attackers.
But the Target and Neiman Marcus breaches prove that even some of the larger retailers are vulnerable to attack - often through the point of sale.
"The biggest weakness in the breaches I see is the point of sale," says cybersecurity attorney David Navetta, a partner at the Information Law Group.
In the wake of recent breaches, some banking institutions have sued breached retailers to recoup losses not covered by their merchant services agreements through the card brands. Other institutions have leaned more heavily on cyber-insurance to cover financial losses and expenses that result from a breach.
In October 2013, the Office of the Controller of the Currency issued updated guidance for banking institutions risks related to third parties, such as technology vendors and core processors. Other federal banking regulators, including the Federal Deposit Insurance Corp., are expected to follow suit. As a result, banking institutions should prepare now for increased scrutiny of their vendor management programs.
"As banks improve security, the security of their service providers becomes more of an issue," Chuvakin says.
Banking institutions need to focus more attention on risk assessments - those conducted internally as well as those of the third parties with which they have contractual relationships.
Big Data for Fraud Detection
In light of emerging threats, banking institutions are enhancing their fraud detection and prevention capabilities. And a lot of these enhancements will revolve around big data, Wills says.
"Analytics technology is getting better at pinpointing actual high-risk activity, with fewer false positives and negatives," he says.
But while the use of big data in the fraud fight shows potential, most banking institutions will be limited by their infrastructure, Litan says. The systems and processes a majority of institutions have in place today just aren't equipped to handle that much information, she says.
"Big data analytics and the revolution in technology that's taking place in that domain are going to put a lot of pressure on operational systems," she says. "As organizations learn to get their arms around data really quickly, in real time, the systems that they've put in place aren't going to be able to keep up that easily. It's an interesting phenomena, but one that's very promising; and I don't think the bad guys are going to have the last word."
Thanks to data analytics, banking institutions are starting to make more connections between cross-channel fraud trends, Litan says.
Still, the role big data will play in the banking sector will vary widely, Wills says. "They have to do their risk assessments and secure accordingly," he adds.