Banks Targeted for Malicious Attacks

New Report Says Organized Crime Targeting Mobile Devices, Social Networking Sites Financial institutions should brace themselves for more malicious attacks, as the recent Threat Horizon 2010 report from the Information Security Forum (ISF) warns of an increase in such threats -- including attacks from organized crime and industrial espionage.

"In general, financial services probably represent the most attractive target," says Andy Jones, CISSP and ISF's Principal Research Consultant, who was the report's primary author. The report draws on the knowledge and hands-on experiences of ISF members, representing more than 300 of the world's largest business and public sector organizations. (The global financial services industry makes up 35% of ISF members.)

The ISF is already seeing a shift from indiscriminate events to highly targeted and planned attacks by organized crime groups, says Jones. These organized groups are developing more sophisticated 'business' models to extort the online businesses, and using these models for money laundering. A combination of social engineering and technical attacks are increasingly being used to steal identities and information in order to commit fraud.

The ISF report also warns of the spread of malware targeting mobile devices, which often don't have the same anti-virus or security controls as traditional networks and PCs. The growing trend of mobile and remote working will inevitably attract new forms of mobile malware designed, for example, to create fraudulent payments or denial of service attacks.

Financial institutions that are already offering mobile banking or are considering offering it to their customers need to put security first. "The mobile internet is still in its relative infancy, and it is important that consumers do not lose confidence in mobile transactions," says Jones "Given the current high level of public concern over identity theft, any weaknesses in mobile phone security will be very damaging to the customer acceptance of mobile-based channels. It is possible to exploit weaknesses in early versions of Bluetooth to take over control of mobile phones."

While the vulnerabilities of early versions of Bluetooth have been addressed, some early Trojans (such as Flexispy) have been reported and demonstrate that the mobile platform could be vulnerable, he warns. "There are also several hundred reported types of mobile malware. Most are fairly immature and rely on user action to install (usually achieved by social engineering techniques)," Jones says.

The third area of increasing risk is the rise of social networking sites such as Facebook and MySpace that are popular with employees. Along with being another way for accidental leaks of an institution's data, Jones believes that cyber criminals will adapt new methods of attack to target the vulnerabilities of social networking sites. Virtual worlds such as Second Life may also present new risks if brand damage in the virtual world translates back into the real world.

Jones says institutions should also consider other threats such as:

Weakening of infrastructures due to power cuts and internet failures;
Tougher legislation and compliance burdens;
Increased outsourcing and off-shoring operations;
Insecure coding that is vulnerable to attack;
Erosion of the traditional network boundary, which leaves data at greater risk.

For more information on the report,

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.