When it comes to cyberthreats, what are the major concerns for banking institutions in 2014? Distributed-denial-of-service attacks waged as a mode of distraction to perpetrate fraud across numerous banking channels are a growing threat. But financial institutions also are concerned about ransomware attacks designed to wage account takeover fraud, as well as mobile malware and insider threats.
The key for banking institutions in 2014 will be to focus on detecting and mitigating multiple risks across multiple channels. “We will see more blended attacks that combine DDoS with some form of attempted data compromise,” says Doug Johnson, vice president and senior adviser of risk management policy for the American Bankers Association.
Other threats that will require renewed attention include spear-phishing attacks and call-center schemes waged against employees, as well as nation-state threats and third-party breaches.
DDoS as a Distraction
Avivah Litan, a financial fraud expert who’s an analyst for the consultancy Gartner, says 30 percent of all banking institution fraud is perpetrated across multiple channels.
For example, attackers will target an institution’s online-banking site with a DDoS attack as a distraction. Then, during the attack, when the online-banking site is unavailable, fraudsters can take advantage of customer service representatives who are overburdened, Litan says.
But cross-channel attacks can be launched in a variety of ways, says Shirley Inscoe, a financial fraud analyst at the consultancy Aite.
“Organized fraud rings are targeting call centers, armed with some information gleaned from data breaches, hacking, etc., and then calling repeatedly to gain additional information so they can successfully impersonate the client,” Inscoe says. “Once they have enough information, they may ask for a password reset to gain online access, request a debit card or request a wire transfer be sent. The resultant fraud may originate through the contact center or a different channel.”
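The blended pattern Litan and Inscoe describe (a DDoS against the online-banking site while fraudsters work an overloaded call center for password resets, card requests and wire transfers) is detectable if the two channels are correlated. The following script is an added illustration, not code from the article or from any of the analysts quoted: it takes a DDoS window reported by the network team, scans a contact-center log for high-risk account actions that fall inside that window (padded, because call queues stay backed up after the site recovers) and produces a review queue. The log format, account ids, DDoS window and risk weights are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DDoS window against the online-banking site, as the network
# team would report it: (start, end).
DDOS_WINDOWS = [
    (datetime(2014, 1, 14, 9, 0), datetime(2014, 1, 14, 11, 30)),
]

# Constructed contact-center log: timestamp, account id, action, channel.
# The format, account ids and actions are invented for this example.
CONTACT_CENTER_LOG = """\
2014-01-14T08:15:00 ACC-1001 balance_inquiry phone
2014-01-14T09:05:00 ACC-2002 verify_identity phone
2014-01-14T09:12:00 ACC-2002 password_reset phone
2014-01-14T09:40:00 ACC-2002 wire_transfer phone
2014-01-14T10:02:00 ACC-3003 address_change phone
2014-01-14T10:20:00 ACC-3003 debit_card_request phone
2014-01-14T10:45:00 ACC-5005 balance_inquiry phone
2014-01-14T12:10:00 ACC-4004 password_reset phone
"""

# Actions a fraudster asks for once impersonation succeeds. The weights are
# an assumption made for this example, not a published scoring model.
HIGH_RISK_WEIGHTS = {
    "wire_transfer": 5,
    "password_reset": 3,
    "debit_card_request": 3,
    "address_change": 2,
}


def parse_log(text):
    """Parse the constructed log into (timestamp, account, action, channel)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, channel = line.split()
        events.append((datetime.fromisoformat(ts), account, action, channel))
    return events


def in_ddos_window(ts, windows=DDOS_WINDOWS, slack=timedelta(minutes=30)):
    """True if ts falls inside a DDoS window padded by `slack` on each side:
    call queues stay overloaded for a while after the site is back."""
    return any(start - slack <= ts <= end + slack for start, end in windows)


def flag_accounts(events, windows=DDOS_WINDOWS, min_score=3):
    """Score each account's high-risk contact-center actions that land inside
    a DDoS window. Returns {account: (score, [actions])} for score >= min_score."""
    scores = defaultdict(int)
    actions = defaultdict(list)
    for ts, account, action, channel in events:
        weight = HIGH_RISK_WEIGHTS.get(action, 0)
        if weight and in_ddos_window(ts, windows):
            scores[account] += weight
            actions[account].append(action)
    return {a: (s, actions[a]) for a, s in scores.items() if s >= min_score}


def review_queue(flagged):
    """Order flagged accounts for manual review, highest score first."""
    return sorted(flagged, key=lambda a: flagged[a][0], reverse=True)


if __name__ == "__main__":
    flagged = flag_accounts(parse_log(CONTACT_CENTER_LOG))
    for account in review_queue(flagged):
        score, acts = flagged[account]
        print(f"{account}: score={score} actions={acts}")
```

On the constructed log, ACC-2002 (password reset followed by a wire request during the outage) tops the queue, ACC-3003 (address change then card request) follows, and ACC-4004's reset at 12:10 is ignored because it falls outside the padded window. In practice the DDoS window would come from the WAF or scrubbing provider's alert rather than a hard-coded tuple, and the queue would feed the fraud team's case system rather than stdout.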
Spear Phishing and Ransomware
Employees’ credentials also can be compromised through socially engineered schemes, such as spear-phishing attacks. Banking institutions can expect these targeted attacks waged against their employees, as well as their customers, to increase in volume and sophistication in the year ahead, experts say.
And when it comes to social engineering schemes waged against customers, institutions should brace for a significant uptick in ransomware attacks, such as CryptoLocker, says Tom Wills, a financial fraud expert in Singapore and director of Ontrack Advisory, a consulting firm focused on payments.
“The banking industry is already being hit indirectly, as ransomware is being delivered as phishing e-mail payloads, purportedly from banks,” he explains.
Malware that targets mobile phones and tablets will continue to be a substantial threat in 2014.
“When it comes to mobile, there are a lot of different steps that banks have to take to protect their mobile applications,” Litan says. “But most financial institutions just don’t have the resources to protect these mobile applications as fully as they should. I do think that we’ll see that change, because it’s becoming so prevalent to engage a mobile banking app,” she says. But the industry still has a long way to go, she notes.
“The most serious issue that banks and all of us face in trying to protect assets and data is our open architecture,” Litan says. “There are so many different channels users can come in from. There are so many different activities employees can engage in. We’re pretty much an open society: The Web code is there to be deciphered and the mobile apps are there to be downloaded.”
Edward Snowden’s leak of classified documents about the National Security Agency’s surveillance programs brought attention to insider threats in 2013.
“The worldwide focus on insider threats, privacy, responsibility and trust … has had a massive impact on security in all industries,” Wills says. “This may be the story of the decade, not just the year.”
Snowden’s breach put a spotlight on the need for stronger insider controls, Litan says. “And sometimes that’s as simple as changing default passwords,” she explains.
From an authentication perspective, it’s not just customers who require stronger authentication; employees who have access to sensitive data need to be scrutinized as well, Litan says.
“There are more disgruntled employees and there are more opportunities for them to commit fraud with outside parties,” she says. “You have to pay attention to who you hire and continuously authenticate those individuals.”
As the DDoS attacks against leading U.S. banking institutions have proved, cyberwarfare campaigns are increasing (see: DDoS Attacks: More to Come?). Self-proclaimed hacktivist groups and nation-states are taking aim at financial services to disrupt service, compromise accounts and steal intellectual property.
“Banks have always been a target for nation-state launched threats,” Wills says. “Geographically coordinated attacks, not just across states but across the world, seem to be becoming more and more common.”
And banking institutions cannot afford to ignore the risk of third-party data breaches, says Anton Chuvakin, an emerging technology analyst at Gartner. As banks and credit unions outsource more of their core banking services, third-party risks will increase.
But it’s not just risks associated with vendor relationships that banking institutions have