Banks need to prepare for many more massive cyberattacks along the lines of the sophisticated campaign that hit JPMorgan Chase and other financial services organizations, says Al Pascual, director of fraud and security at Javelin Strategy & Research.
Cybercriminals will increasingly target banks and brokerage firms for market information and PII they can use to perpetrate their schemes, as was described in this week's indictments tied to the JPMorgan Chase attack, Pascual predicts.
"Cybercrime isn't unique to this organization or just to the folks who were indicted," Pascual says in an interview with Information Security Media Group. "This level of complexity, while it is among the most complex that I've seen or heard of, doesn't mean that there aren't others out there trying to replicate this or who have been trying to replicate this type of scale and diversity of crime. ... This is going to become much more the norm than the outlier, and so the financial industry ... should be taking this as a clarion call for action and prepare themselves for more of this."
Protecting data is going to prove increasingly challenging because attackers are relentless and cybercrime is becoming a big business, Pascual says.
"There are probably going to be schemes in the next few years that we haven't even conceived of yet," he says. "While our city streets may be experiencing lower crime than we've seen in a decade in most places, in cyberspace, we're only just getting started."
Consumer Data: A Prime Target
The cyberattack against JPMorgan Chase and others involved the theft of customers' contact information, which was then used to conduct spam campaigns aimed at tricking recipients into buying stocks whose value had been artificially inflated. That's why financial institutions need to better protect all PII - even routine contact information, he says.
"Every bit of data that you have has value," he notes."[Criminals are] going to find a way to take advantage of it; they're going to want to gain access into your systems, not only to commit fraud from the accounts that you're servicing and affect the trust that you have among your accountholders, but also, again, to use your good name in order to manipulate customers."
In addition to encrypting payment data and account data, Pascual says, "personally identifiable information should also be obfuscated within the network, or at least made as hard to get to as possible. We know that in the case of the Chase breach, that's not what happened."
During this interview (see audio link below photo), Pascual also discusses:
- The role social media likely played in helping law enforcement connect the defendants allegedly linked to the cyberattacks;
- Why boards should be concerned about cyber risks, especially now that it's clear cyberattacks can directly impact shareholders; and
- How the cybercrime scheme described in this week's indictments proves attackers are relentless and don't necessarily always to stick to one type of attack or crime.
Pascual leads Javelin's security, risk and fraud practice. He began his career with HSBC during the height of the mortgage boom. While working in HSBC's borrower verification department, Pascual performed enhanced due diligence investigations of high-risk loans. He later joined Goldman Sachs' fixed income, currency and commodities division, serving on its mortgage fraud investigations team. He also worked at Fidelity National Information Services, now FIS Global, overseeing data driven investigations of organized payment fraud groups in the United States. Pascual is a member of the Association of Certified Fraud Examiners and the International Association of Financial Crimes Investigators.