More money, more problems – the cybersecurity threats facing financial services companies
According to the Federal Bureau of Investigation, federally insured financial institutions were robbed approximately 3,900 times in 2014. Although that number is almost half of what it was a decade ago (7,556 total robberies in 2004), it’s still a startling number of bank robberies.
And it’s also indicative of a larger issue – when greed gets the better of people, they historically turn to the institutions that hold, invest and care for the wealth of large populations of people – banks and other financial institutions. This is especially true today – when robbing a bank and its customers no longer requires a ski mask or even leaving your house.
Banks and other financial institutions are some of the largest targets for cyber attacks for the same reason people physically robbed banks 3,900 times in 2014 – it’s where the money is. And since the money is stored there, these types of cyber attacks tend to follow a pattern.
The usual suspects…and their loot
Cyber attacks impacting financial institutions are predominantly focused on trying to scam people and get money from them. If pressed, I would say that 95 percent of these attacks are executed for direct financial gain. The other 5 percent? In most cases organized hacktivists and other groups working towards hurting a financial institution, its brand and its customer loyalty.
To gain financially from an attack on a financial institution, these bad actors are most likely looking to accomplish one of two things. They can utilize credentials from a financial institution’s customers to access their accounts directly and siphon off their funds. Or, they can use the personally identifiable information that they can gather from a customer’s records to create new accounts for their own benefit.
Financial institutions are privy to a large amount of information about their customers. They can have social security numbers, birthdates, email addresses and other information. And perusing recent transactions can also disclose other valuable information about an individual – like their other paid online accounts.
Using this information, bad actors can apply for lines of credit, credit cards and other accounts that they can then exploit. They can also use this information to fuel brute force attacks against the other online accounts of an unsuspecting bank customer and use them for other fraudulent activity.
How it all went down
Now that we’ve looked at who executes these attacks on financial institutions and why, let’s look at how they conduct these attacks.
According to Verizon’s Financial Services Threat Landscape Report, the bulk of cyber attacks impacting financial services institutions are focused on ATMs. In these instances – which Verizon claims account for approximately 66 percent of attacks on financial services institutions – the ATMs are in some way tampered with. This tampering can include the installation of a credit card skimmer or other device that captures, stores and transmits the information carried in an ATM card’s magnetic stripe back to the perpetrator.
Setting aside the attacks on ATMs leaves the remaining 34 percent of attacks on financial services companies. In those cases, the targets are predominantly databases (20 percent), end-users (9 percent), desktops (8 percent) and Web applications (8 percent). And – according to Verizon – the attacks targeted at these areas break down as follows:
- Spyware/Keylogger – 78 percent
- Stolen credentials – 66 percent
- Backdoor – 52 percent
- Export data – 45 percent
- Backdoor or C2 – 39 percent
- SQL injection – 38 percent
Taking a bite out of crime
We’ve explored who perpetrates cyber attacks against banks and how they pull off their heists. Now, let’s look at something simple that banks can do to protect themselves. Namely – out-of-band, multifactor authentication.
With 66 percent of attacks impacting ATMs, it’s important to consider how we can make ATMs more secure and keep bank customers from having their credentials stolen at the cash machine.
Traditionally, ATMs feature two-factor authentication. They require the use of a token (the card) and a PIN. Unfortunately, the authentication process is completely in-band – both the card and the PIN are entered and transmitted via the same device (the ATM). This means that compromising the ATM gives a bad actor everything they need to access a customer’s account.
By utilizing an out-of-band authentication solution at the ATM instead, compromising the ATM would only yield a fraction of the needed security credentials. This makes it difficult or impossible for the bad actor to compromise one device and, from that alone, compromise a user’s account.
The remaining attacks not involving ATMs could equally be thwarted by out-of-band, multifactor authentication. Spyware and keyloggers would be unable to capture all necessary authentication credentials and factors, since they only impact one of the devices necessary to authenticate the user. Stolen credentials would most likely account for just a fraction of the factors needed to authenticate. This would make it significantly harder for bad actors to gain access to user accounts, customers’ online banking and company servers.
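The in-band versus out-of-band argument above, as an added example that is not part of the original article: a hypothetical bank back end where card and PIN travel through the ATM, while a per-transaction challenge is answered from an enrolled phone. The `Bank` class, its method names, the HMAC challenge-response and the sample card and PIN are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Bank:
    """Hypothetical back end; the ATM and the phone are separate channels."""
    def __init__(self):
        self.accounts = {}     # card -> (salt, PIN hash, phone key)
        self.pending = {}      # txn id -> (card, challenge)
        self.phone_inbox = {}  # card -> (txn id, challenge), sent off the ATM path

    def enrol(self, card, pin, phone_key):
        salt = secrets.token_bytes(16)
        self.accounts[card] = (salt, pin_hash(pin, salt), phone_key)

    def atm_request(self, card, pin):
        """In-band factors: everything checked here passes through the ATM."""
        acct = self.accounts.get(card)
        if acct is None or not hmac.compare_digest(pin_hash(pin, acct[0]), acct[1]):
            return None
        txn, challenge = secrets.token_hex(8), secrets.token_bytes(16)
        self.pending[txn] = (card, challenge)
        self.phone_inbox[card] = (txn, challenge)  # the ATM only ever sees txn
        return txn

    def phone_approval(self, txn, response):
        """Out-of-band factor: single-use response computed on the phone."""
        card, challenge = self.pending.pop(txn, (None, None))
        if card is None:
            return False
        key = self.accounts[card][2]
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    bank, key = Bank(), secrets.token_bytes(32)
    bank.enrol("CARD-0001", "4921", key)            # constructed sample values
    # Customer: card and PIN at the ATM, approval from the enrolled phone.
    txn = bank.atm_request("CARD-0001", "4921")
    _, challenge = bank.phone_inbox["CARD-0001"]
    answer = hmac.new(key, challenge, hashlib.sha256).digest()
    customer = bank.phone_approval(txn, answer)
    # Card data and PIN captured at a tampered ATM pass the in-band check only.
    txn2 = bank.atm_request("CARD-0001", "4921")
    captured_only = bank.phone_approval(txn2, answer)  # old answer, new challenge
    replayed = bank.phone_approval(txn, answer)        # txn already consumed
    return customer, captured_only, replayed

if __name__ == "__main__":
    print(demo())
```

The phone key never crosses the ATM channel, so what a tampered ATM can record is enough to open a transaction but not to complete one.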
Bank robberies no longer have to be conducted with a gun – or in person for that matter. Today, a customer’s money and information can be taken from the comfort of a criminal’s home. But by embracing better authentication, we can prevent many of these breaches, and keep banks – and their customers – safe.
To learn more about the cyber threats facing financial services companies and get lessons learned from a recent high-profile breach that impacted JPMorgan Chase, register to attend our upcoming Webinar, “Anatomy of a Breach.”