by Josh Lefkowitz, CEO, Flashpoint
There’s no such thing as one size fits all when it comes to the intelligence needed to uncover, specify, and prevent cyberthreats. Each industry faces unique challenges and vulnerabilities as criminals tailor their activities to target prime assets. The financial services sector occupies an undeniable position in the crosshairs of cybercriminal activity. Intelligence analysts and cybersecurity teams tasked with protecting the business need in-depth understanding of the risks and weaknesses of financial institutions so they can mount an effective defence.
Targeting the digital vault
Banks and financial institutions face a complex set of circumstances when it comes to threat management and compliance risk. First, their “product” is the very thing that cybercriminals typically desire most – money – meaning that, unlike many other industries, they are directly targeted on the basis of their core activity. Instead of primarily targeting customers, cybercriminals are also focusing on stealing money directly from the source by attempting to access and maintain a persistent presence on banking networks such as the Society for Worldwide Interbank Financial Telecommunications (SWIFT) network. In 2016, for example, this presence was used in an attack against the Bangladesh Bank, which resulted in more than $850 million in fraudulent transactions initiated through the network.
Second, banks collect and process huge amounts of personally identifiable information (PII) to verify customer identities and protect against fraud. This credential data is a sought-after commodity among criminals who plan to use it to perpetuate the very fraud it’s meant to prevent. The risk here lies on at least two fronts: the data stored on bank networks may be targeted directly, such as through credential theft, credential-stuffing attacks, or insider threats, among other means. Alternatively, the bank’s customers may be hit by phishing and other social engineering schemes as well as banking trojans designed to steal their passwords, other security information and credit/debit card numbers.
In addition to these external threats, financial institutions have to manage insider threat risk, and the regulatory and compliance risks they face if their systems are used for illicit purposes such as money laundering.
Tracking emerging tactics, techniques, and procedures
Faced with this litany of threats via multiple vectors, banks adopt a strong defensive posture to protect systems and customers. From physical security to cybersecurity, the finance sector is probably the most advanced in the world.
Defence is less effective, however, without solid intelligence on specific risks that guide where efforts should be focused. To ensure that financial institutions are marshalling their defences effectively, and prioritising responses to meet current and emerging threats, business risk intelligence (BRI) provides essential context.
The effective use of BRI starts with anti-fraud and cybersecurity teams working together to build a comprehensive picture of business risk and the weaknesses exacerbating that risk. They then map this information to current intelligence about how their adversaries are planning to exploit those weaknesses. This intelligence can be gathered from multiple sources, from illicit deep & dark web (DDW) forums and open web sources, to “card shops” where stolen credit card data is offered for sale – anywhere cybercriminals discuss tactics, plan campaigns, and market their stolen goods. The aim is to utilize the security and anti-fraud teams’ knowledge of the high-level threats the institution faces to hone in on specific indicators of emerging threats directly targeting the company.
From general risk to specific threat
Take as an example the issue of password security. Passwords are a weakness in the security chain and hackers regularly devise tools to crack them and access accounts. Consequently, banks devote resources to protecting against this general threat. However, when BRI uncovers a DDW actor that has released a new version of a password-cracking tool specifically designed to compromise online accounts of a particular bank, that bank can use this information to act swiftly to mitigate the vulnerability.
Similarly, money laundering is a critical risk for financial institutions who are subject to strict regulation with international jurisdiction and large financial penalties for negligence. All institutions must protect against money laundering through robust policies and compliance checks. However, cybercriminals are always looking for new ways to launder money, so companies must remain alert. As a case in point, our BRI analysts observed discussion of a new criminal technique to launder funds from compromised bank accounts and stolen credit cards by leveraging subscription services offered with business accounts with a major online payment service. Alerted to this risk, clients were able to take corrective measures to protect customer accounts and eliminate that specific money-laundering risk.
Thinking ahead to monitor strategic risk
Risk assessments and threat monitoring cannot be limited to a point-in-time activity. The financial services environment is constantly changing and threats emerge and evolve to match. As fast as the sector devises new ways to serve customers and provide convenient, secure access to banking, the cybercriminal community is working on ways to infiltrate and leverage them. The use of mobile phone text codes, used to provide authorisation for transactions, is one such example. This additional security layer was exploited earlier this year by cybercriminals who intercepted messages by tracking customers’ phones, and used the information gleaned to empty bank accounts.
Financial institutions need to think ahead whenever a new feature or service is introduced and anticipate how it might be breached, because they can be certain that threat actors are doing just that. Our analysts encountered this prior to the launch of chip-based credit cards in the US. They spotted indicators of compromise on the DDW relating to EMV chip recording software and manufacturing techniques that could be used to make fake chip-enabled cards. This intelligence was used to inform rollout strategies and re-evaluate the risk associated with EMV.
Intelligence analysts need to be fully briefed on the roadmap for financial products and services so that they can keep watch for evidence of emerging threats in the cybercriminal communities that they monitor. Armed with BRI, financial institutions can assess risk and identify specific threats. They can also adjust their risk posture based on valid intelligence and better focus defensive activities. This strengthens their ability to protect the digital vault and keep customers’ money, and data, safer.
BANKS UNDER ATTACK: HOW FINANCIAL INSTITUTIONS CAN PROTECT DIGITAL GROWTH
By Victor Acin, Threat Intelligence Analyst, Blueliv
Financial services firms are increasingly being told to embrace disruption in order to compete in a fast-evolving market. But this very disruption threatens to drive a new type of risk: the risk of data loss, service outages and fraud on a massive scale. The resulting hit to the bottom line and corporate reputation may undo all the good work that digital transformation has helped to foment.
As we enter a new decade, banks need to think carefully about how they respond to these mounting cyber-risks, without holding back digital innovation. Cybersecurity, with threat intelligence at its core, must be a central part not just of business strategy but also of corporate culture.
Digital goes mainstream
According to PwC, financial institutions are increasingly migrating infrastructure to public cloud systems, as “digital becomes mainstream” in 2020. These investments are helping to create the more user-friendly services that customers are demanding today. With fintech innovators often leading the way, lenders have invested heavily in mobile app-based services at the front-end and more streamlined processes for opening accounts and other laborious tasks. In the future, it’s predicted that AI and robotics will become commonplace, and that blockchain will disrupt.
However, PwC also warns that amidst all this change, cybersecurity will be one of the top challenges facing financial institutions in 2020. The truth is that financial institutions have always been a main target for hackers — after all, they guard huge volumes of highly sensitive data, as well as money. And as they build out more digital infrastructure, cyber-risk increases unless proper controls are put in place.
What does cyber-risk look like?
The bad news is that hackers have developed multiple ways to get what they want. A typical financial institution’s attack surface covers not just core banking IT systems, but also customer accounts and the wider payment ecosystem. That’s a lot to protect.
Humans are often perceived as the weakest link in the security chain. That’s why attackers target banking customers in raids aimed at accessing their back accounts. Phishing emails, automated tools which try huge volumes of breached passwords (known as credential stuffing), and malware are some of the most popular mechanisms for account takeover. In fact, earlier this year Blueliv’s threat researchers noticed a 283% increase in activity linked to Trickbot, one of the key botnets used to spread a banking Trojans designed to compromise customer accounts.
Humans are also targeted inside banks themselves. Phishing emails sent to employees are a common first step in potentially sophisticated multi-stage attacks designed to illegally transfer huge sums of money or steal large data troves. Other threats to banks and their customers come from ransomware and DDoS, designed to extort money and deny critical services, and attacks aimed at harvesting payment card details — either from POS systems in retail and hospitality outlets or from e-commerce sites.
Money, money, money
If any indication were needed of the riches to be gained from targeting financial institutions, it’s the relatively large number of sophisticated attack groups that have emerged over recent years. The Carbanak/Cobalt gang is believed to have stolen $1.2 billion from over 100 banks in 40 countries, installing malware internally via phishing emails which either dispensed cash via ATMs or facilitated illegal SWIFT wire transfers, for example.
Others include Dridex, the group behind one of the most prolific banking Trojans ever created, and the North Korean state-backed Lazarus Group, which is thought to have been responsible for the audacious $81 million cyber heist at Bangladesh Bank.
As for the victims of such attacks, there’s a host of potential knock-on effects that can undermine financial stability and customer confidence. There are costs associated with: investigation and remediation of the incident itself; customer notification and possible credit monitoring; and business interruption, if services are taken offline. Legal costs may follow if customers take their bank to court and there may be follow-on fraud attempts to tackle. Then there are the less immediate impacts such as regulatory fines, declining share price, damaged reputation and customer churn.
The latter risk is particularly acute given the UK’s new Open Banking environment, in which a new breed of fintech start-ups are entering the market. More than ever, banks have to prove that they can offer their customers value, and keep their data and finances safe.
What happens next?
The bad news is that attacks are on the rise. The number of cybersecurity incidents reported to the FCA jumped by 1000% between 2017 and 2018. But there are things financial institutions can do.
A layered approach to security is required, promoted from the top down by engaged executives. Company-wide security awareness training is also essential: even by spotting and reporting phishing emails more effectively, staff could transform from being the weakest link to a formidable first line of defence against attacks. Tried and tested incident response plans are also essential: it’s inevitable that hackers will eventually target an organisation, so best be prepared.
Most importantly, banks need to improve their threat intelligence. Systems powered by accurate, real-time data from multiple sources can enhance decision making, improve the resilience of existing cyber-defences, automatically block attacks and support incident response. They can also scour dark web marketplaces to alert security teams if customer card data or user logins are about to be traded by cyber-criminals.
With this in place, banks can move from a reactive to a proactive security posture, hunting down those who seek to do them harm, cancelling cards and resetting passwords before an attack can even be monetised. Collaboration within and between organisations is also key. The bad guys are past masters at sharing information and expertise to get what they want. It’s time the security teams within our banks did the same.
THE ROLE OF NEW TECHNOLOGY IN DEVELOPMENT OF MYANMAR’S BANKING INDUSTRY
U Htoo Htet Tay Za, Managing Director, AGD Bank
Myanmar’s economy is one of the fastest growing in Asia and presents a dynamic business environment for international investments and business. But it is not without its problems. High interest rates, fluctuation and instability of the local currency vs the dollar exchange rate can all present difficulties.
The lack of a centralized scoring system has led to problems with verifying credible candidates for access to finance options. With many companies indebted to banks and unable to repay their overdrafts this has led to high non-performing loan ratios. There is a real need for companies to agree a timetable to repay these loans, as this affected the long-term security of the banking system.
Opportunities provided by new technology
There are 53 million people in Myanmar and by 2030 and the smart phone user rate is constantly increasing. The digital technology sector in ASEAN could be worth up to US$625billion, which represents 8% of the region’s entire GDP. To reach this, our region must establish cohesive regulatory frameworks for the delivery of new services, which includes the development of Fintech.
Banks and financial institutions play a key role in the transformation in market economies. Fintech is largely an untapped market within the ASEAN region. This is where the financial sector should focus its opportunities and increase awareness and understanding of digital banking, e-commerce and online business.
Is cash still king?
In an economy where 99% of all estimated transactions are cash, the future of banking still lies in digital. Only 23% of adults have a bank account which presents some challenges to the finance industry in Myanmar. Branch penetration across all banks in Myanmar is less than 10 percent which equates to 3.8 branches per 100,000 people, with the global average a lot higher at 11.7 per 100,000.
However, smart phone penetration is at its highest rates, with an estimated 80% of adults having access to the internet. Data usage across the country on a par with more developed European countries. This leads to a strong shift towards the digitisation of products and services from banks throughout the country.
In countries such as China the increase of smart phone penetration has driven the requirement for more mobile payment options, and I’d see the development in Myanmar to be similar. Smart phones have opened new avenues of integration to financial services such as new apps and services.
Digital wallets and lifestyle mobile apps, like Onepay, are on the rise and enable the unbanked population to perform mobile transactions. Most banks in Myanmar are seeing the change and creating their own versions of e-wallets, such as KBZ Pay, MAB Mobile and Onepay supported by its banking partner AGD Bank.
Digital wallets offer a lot more security for their users, as there’s no need to carry large amounts of cash around. Mobile, or digital, wallets also help the unbanked population establish a credit rating in order to access finance. For example, AGD Bank use the data from their usage to establish credit scores for future use, or similar to use the data to cross-sell other banking products.
But retail businesses and merchants are benefitting too from the development in new technologies. Both electronic and physical merchants are now all accepting card payments through Visa, Mastercard, UnionPay or MPU. With applications like AGD Pay, the first QR payment application in Myanmar it has opened access to more access to mobile transactions.
The rise of new technologies in Myanmar has led to a new trend of mobile payments, with explosive growth of mobile and internet penetration that is making a huge impact on the financial services sector. Merchants will be able to offer users a secure and easy way to pay for goods and services as well the ability to add or withdraw cash to and from their e-wallet.
The future of banking
Banking in Myanmar is constantly changing, and I expect this to continue in the future. It’s looking good and I predict that we’ll be seeing an increasing amount of the population gaining access to financing.
In June 2019, International banks were granted licences to begin retail banking in Myanmar, and whilst I don’t necessarily see International banks opening loads of branches as it’s a very long process to get the licence, I think they’ll start looking to local banks to start new partnerships.
Whilst the opening of International bank branches will present some competition for local banks, we don’t see it being with our retail customer base. Local banks have the knowledge and a solid branch base which benefits our customer relationships going forward.
The Myanmar banking system has always had the willingness to develop and invest in new technology and we’re already seen
AGD bank is already seeing a strong shift to the digitalisation of products and services and I expect this to continue for some time.
BANKS UNDER ATTACK: HOW FINANCIAL INSTITUTIONS CAN PROTECT DIGITAL GROWTH
By Victor Acin, Threat Intelligence Analyst, Blueliv Financial services firms are increasingly being told to embrace disruption in order...
THE ROLE OF NEW TECHNOLOGY IN DEVELOPMENT OF MYANMAR’S BANKING INDUSTRY
U Htoo Htet Tay Za, Managing Director, AGD Bank Myanmar’s economy is one of the fastest growing in Asia...
WHY 2020 IS THE RIGHT TIME FOR FS MODERNISATION
Chris McLaughlin is chief product and marketing officer at Nuxeo Few would argue against the notion that the UK...
WHAT DOES 2020 LOOK LIKE FOR P2P LENDING?
By Roberts Lasovskis, Investment Platform Lead, TWINO It’s a new year; time for resolutions and forward planning, positivity and...
WHY MAKING MONEY ON YOUR MOBILE IS EASIER THAN YOU MIGHT THINK
Aaron Brooks, Co-Founder of Vamp For Millennials and Generation Z, becoming a social media influencer is an increasingly desired...
DIFFERENTIATION – THE KEY TO THRIVING IN A SATURATED MARKET
Graham Glass, CEO of Cypher Learning What has enabled Cypher to continue to grow in an increasingly saturated market?...
WILL BLOCKCHAIN REVOLUTIONIZE FINANCE?
By Ken Timsit, ConsenSys Over the last 10 years, researchers, software developers, start-ups, and large companies have been conducting...
FIVE FINANCIAL SERVICES TRENDS FOR 2020: BIGTECHS SWOOP IN, BANKS GO ON THE OFFENSIVE AND CRYPTOCURRENCY STALLS
Rahul Singh, president of financial services at HCL Technologies We’ve just finished a very exciting decade in financial services, with new...
COMBATING INSURANCE FRAUD WITH MACHINE LEARNING
By Georgios Kapetanvasileiou, Analytical Consultant at SAS Most insurance companies depend on human expertise and business rules-based software to...
DELIVERING SUCCESSFUL IT SYSTEMS THROUGH THE POWER OF PARTNERSHIPS
By Mike Smith, Executive Director, Virgin Media Business (Direct) Is there anything more frustrating than finding out your bank account...
BATTLEFACE RECEIVES INVESTMENT FROM FINTECH VENTURES FUND
battleface Inc., a rapidly growing tech-enabled insurance startup focused on providing travel insurance products for unconventional travellers worldwide, announced today...
VANQUIS BANK PARTNERS WITH HOOYUTO DIGITALISE KYC PROCESSES
HooYu KYC digital journey deployed during the customer lifecycle on a risk-based approach Leading customer onboarding and KYC technology...
WHY NEOBANKS ARE ON THE RISE IN THE UK
New research by SmallBusinessPrices.co.uk analyses how neobanks are on the rise and why they’re so popular amongst consumers compared to...
RECOLLECTING 2019 CRYPTOCURRENCY TRENDS & LOOKING FORWARD TO 2020
Marie Tatibouet is the CMO at Gate.io It has been a bold and progressive year for the digital asset...
WILL HONG KONG REMAIN THE JURISDICTION OF CHOICE FOR OFFSHORE BANKING?
Hong Kong has traditionally been seen as a tax haven and the financial hub of Asia, if not the world....
HOW CHARITIES CAN MEET TOMORROW’S DIGITAL CHALLENGES?
By Steve Georgiou, Business Consultant at Xpedition Charities are under constant scrutiny for how they handle their finances. Budgets...
RECALL YOUR REPUTATION: HOW TO HANDLE PRODUCT RECALLS
By Alex Balcombe, Partner at Harris Balcombe John Lewis, Tesco, and Hotpoint have all been in the news in...
THE WORLD’S MOST ENTREPRENEURIAL COUNTRIES PERFECT TO START A BUSINESS IN
Latona’s has analysed The Global Entrepreneur Monitor data to reveal the world’s most entrepreneurial nation. Analysing each country by a...
MENDIX SUPPLIES RABOBANK WITH LOW-CODE PLATFORM TO BUILD NEW CORE ONLINE BANKING APPLICATION
New online portal leverages low-code’s speed and flexibility Mendix, a Siemens business and the global leader in low-code and...
RETIREMENT ANNUITIES AND THEIR ADVANTAGES EXPLAINED
By Gerard Visser, Financial Planning Consultant at Alexander Forbes There are a number of ways to save and a...