By Victor Acin, Threat Intelligence Analyst, Blueliv
Financial services firms are increasingly being told to embrace disruption in order to compete in a fast-evolving market. But this very disruption threatens to drive a new type of risk: the risk of data loss, service outages and fraud on a massive scale. The resulting hit to the bottom line and corporate reputation may undo all the good work that digital transformation has helped to foment.
As we enter a new decade, banks need to think carefully about how they respond to these mounting cyber-risks, without holding back digital innovation. Cybersecurity, with threat intelligence at its core, must be a central part not just of business strategy but also of corporate culture.
Digital goes mainstream
According to PwC, financial institutions are increasingly migrating infrastructure to public cloud systems, as “digital becomes mainstream” in 2020. These investments are helping to create the more user-friendly services that customers are demanding today. With fintech innovators often leading the way, lenders have invested heavily in mobile app-based services at the front-end and more streamlined processes for opening accounts and other laborious tasks. In the future, it’s predicted that AI and robotics will become commonplace, and that blockchain will disrupt.
However, PwC also warns that amidst all this change, cybersecurity will be one of the top challenges facing financial institutions in 2020. The truth is that financial institutions have always been a main target for hackers — after all, they guard huge volumes of highly sensitive data, as well as money. And as they build out more digital infrastructure, cyber-risk increases unless proper controls are put in place.
What does cyber-risk look like?
The bad news is that hackers have developed multiple ways to get what they want. A typical financial institution’s attack surface covers not just core banking IT systems, but also customer accounts and the wider payment ecosystem. That’s a lot to protect.
Humans are often perceived as the weakest link in the security chain. That’s why attackers target banking customers in raids aimed at accessing their back accounts. Phishing emails, automated tools which try huge volumes of breached passwords (known as credential stuffing), and malware are some of the most popular mechanisms for account takeover. In fact, earlier this year Blueliv’s threat researchers noticed a 283% increase in activity linked to Trickbot, one of the key botnets used to spread a banking Trojans designed to compromise customer accounts.
Humans are also targeted inside banks themselves. Phishing emails sent to employees are a common first step in potentially sophisticated multi-stage attacks designed to illegally transfer huge sums of money or steal large data troves. Other threats to banks and their customers come from ransomware and DDoS, designed to extort money and deny critical services, and attacks aimed at harvesting payment card details — either from POS systems in retail and hospitality outlets or from e-commerce sites.
Money, money, money
If any indication were needed of the riches to be gained from targeting financial institutions, it’s the relatively large number of sophisticated attack groups that have emerged over recent years. The Carbanak/Cobalt gang is believed to have stolen $1.2 billion from over 100 banks in 40 countries, installing malware internally via phishing emails which either dispensed cash via ATMs or facilitated illegal SWIFT wire transfers, for example.
Others include Dridex, the group behind one of the most prolific banking Trojans ever created, and the North Korean state-backed Lazarus Group, which is thought to have been responsible for the audacious $81 million cyber heist at Bangladesh Bank.
As for the victims of such attacks, there’s a host of potential knock-on effects that can undermine financial stability and customer confidence. There are costs associated with: investigation and remediation of the incident itself; customer notification and possible credit monitoring; and business interruption, if services are taken offline. Legal costs may follow if customers take their bank to court and there may be follow-on fraud attempts to tackle. Then there are the less immediate impacts such as regulatory fines, declining share price, damaged reputation and customer churn.
The latter risk is particularly acute given the UK’s new Open Banking environment, in which a new breed of fintech start-ups are entering the market. More than ever, banks have to prove that they can offer their customers value, and keep their data and finances safe.
What happens next?
The bad news is that attacks are on the rise. The number of cybersecurity incidents reported to the FCA jumped by 1000% between 2017 and 2018. But there are things financial institutions can do.
A layered approach to security is required, promoted from the top down by engaged executives. Company-wide security awareness training is also essential: even by spotting and reporting phishing emails more effectively, staff could transform from being the weakest link to a formidable first line of defence against attacks. Tried and tested incident response plans are also essential: it’s inevitable that hackers will eventually target an organisation, so best be prepared.
Most importantly, banks need to improve their threat intelligence. Systems powered by accurate, real-time data from multiple sources can enhance decision making, improve the resilience of existing cyber-defences, automatically block attacks and support incident response. They can also scour dark web marketplaces to alert security teams if customer card data or user logins are about to be traded by cyber-criminals.
With this in place, banks can move from a reactive to a proactive security posture, hunting down those who seek to do them harm, cancelling cards and resetting passwords before an attack can even be monetised. Collaboration within and between organisations is also key. The bad guys are past masters at sharing information and expertise to get what they want. It’s time the security teams within our banks did the same.
