As organizations undergo the arduous process of selecting banking partners, one of the critical factors they must evaluate is the security of the institution. The importance of this step cannot be overstated. It has to be more than a single box that’s checked as part of the due diligence process, especially when the financial services industry is one of the top 5 sectors targeted for attacks, with banks accounting for nearly 40% of the problem.
It would be easy to assume that all banks – bastions of regulation and process – would of course have the best security in place, but the facts tell a far different story. Security Scorecard, an organization that provides ratings of security risk for organizations, recently conducted a rating that uncovered a number of sobering facts:
- The U.S. commercial bank with the lowest security posture is one of the top 10 largest financial service organizations in the U.S. (by revenue).
- Only one of the top 10 largest banks, Bank of America, received an overall ‘A’ grade.
- 75% of the top 20 U.S. commercial banks (by revenue) are infected with malware, and a number of malware families were discovered within these banks.
- 95% of the top 20 U.S. commercial banks (by revenue) have a Network Security grade of “C” or below.
- Nearly 1 out of 5 financial institutions use an email service provider with severe security vulnerabilities.
Now add to this the fact that more than 38% of all banks and payment organizations admit that it has become more and more difficult to tell the difference between a real transaction and a fraudulent one, largely due to the sheer volume of transactions being processed, and it’s clear that corporations looking for a bank partner that will keep their payments secure have their work cut out for them.
Organizations must exercise the utmost in due diligence when selecting bank partners, seeking out only those that offer the most advanced and comprehensive cyber security protection.
Start by understanding the scope of the threats banks face
The most common types of attacks are familiar to anyone who’s read a newspaper. Practices such as social engineering, phishing, and whaling immediately come to mind. They’re the attempts by hackers to obtain sensitive information by disguising themselves as trustworthy entities – and they work, easily, in a frightening majority of cases, especially in institutions that don’t conduct regular, rigorous and mandatory cyber security training with all staff.
Malware, software that’s designed to damage, disable and infiltrate computer systems, is perhaps the scariest threat for IT professionals. For one thing, spam messages containing malware increased by 6,000% from 2015 to 2016. There is also no telling when an employee will unwittingly click on an infected file and send the system into a tailspin that puts thousands of payments at risk. As with phishing attacks, the human link is the weakest link when it comes to combating these threats. Employees make many innocent mistakes that perpetuate malware attacks, such as checking social media on a work computer or work email on a home computer, and sharing flash drives between home and work computers.
Ransomware is an attack that involves malware delivered through spear phishing emails and is designed to lock up valuable data assets and demand a ransom to release them. It has been dubbed “weaponized encryption” by James Scott, senior fellow and co-founder of the Institute for Critical Infrastructure Technology, and co-author of the 2016 Institute for Critical Infrastructure Technology Ransomware Report. Criminals made $209 million executing these types of attacks in the first three months of 2016 alone – it’s not a threat to be taken lightly.
It’s also important to consider attacks directed at bank customers that are designed specifically to infiltrate the banks. GozNym, a hybrid Trojan malware, is a perfect example of this type of threat. This particularly nasty malware strain stole roughly $4 million from more than 24 U.S. and Canadian banks in 2016.
While this list alone is enough to strike terror into the hearts of even seasoned security professionals, there’s a new generation of threats that make all of these types of attacks seem like a vacation. Frighteningly, these emerging threats are even sneakier than their commonplace predecessors.
Fileless attacks, such as the kind used in the Target breach, are designed to escape detection by hiding in computer memory or inside a legitimate computer tool, where they generally can’t be detected by typical security software. Networks belonging to at least 140 banks and other organizations have been infected by this type of malware. These 140 organizations are located in 40 different countries, with the U.S., France, Ecuador, Kenya and the U.K. as the top 5 infected nations.
Malware-free intrusions, the type of approach used in the hack of the Democratic National Convention, are specifically targeting banks and have seen 40% growth in recent years. These attacks are successful because most existing antivirus and whitelisting solutions are looking for malware and there’s no malware to be found. Instead, attack scripts are embedded in legitimate tools already present in the environment.
The severity of these new breeds of attack is bad enough, but their high-profile nature makes them extremely popular with advanced criminals eager to make headlines. Monetary gain plus notoriety are always dangerous partners when it comes to payment fraud threats.
Considering threats on a global scale is also important. Banks must be familiar with attack types that are popular in other parts of the world. For example, an investigation into unusual thefts from 29 banks and other organizations in Russia led to the discovery of three new sophisticated attack campaigns:
- One group of attackers is using a modular malware program called Corkow to infect computer systems belonging to banks and to reverse ATM transactions. During a single night, the gang stole millions of rubles from a Russian bank using this hard-to-detect transaction rollback trick.
- A second group that also targets banks and financial institutions uses a malware program distributed through emails carrying malicious executable RAR archives that masquerade as Microsoft Word documents. In one case it was found that these scripts initiated transactions at a rate of $200 per minute.
- The third group is not new, but is one that previously went silent for about five months after being exposed in February 2015. Until that time, the gang had used a custom malware program called Carbanak to steal millions of dollars from hundreds of financial institutions in at least 30 countries. The group has returned with a new version of the malware — Carbanak 2.0 — and has started targeting budgeting and accounting departments in non-financial organizations as well.
In the face of all of this truly frightening evidence about the prevalence and severity of security threats faced by banks, it would be easy to feel as though there were no hope. The reality is, in some ways, that’s true. It only takes one vulnerability for a hacker to be successful.
Banks cannot defend against every threat – that’s a fact with as much legitimacy as the details that have been laid out above. Hackers are getting more clever and creative every day, working tirelessly to find ingenious ways to work around every security protocol that’s thrown at them.
The bottom line is this: banks can’t stop an attack, period. No one can – and if a potential bank partner tries to tell you otherwise, run.
A smart bank will assume that it is going to be breached and plan accordingly. It might sound counterintuitive, but having a realistic view of the threat landscape is the best start to crafting a truly secure strategy.
So what should you expect from a potential bank partner?
It’s no secret that banks are built on labyrinthine legacy systems that can make securing payments challenging. Such old-school systems are expensive to maintain, prone to unpatched vulnerabilities and cumbersome, especially as the result of M&A activities. Some institutions are comfortable with this status quo and are resistant to change. Most, however, recognize that they need to adapt to a technology-driven society. Partner with an institution that has a modern mindset. They will be far more willing and able to adopt the technology needed to properly protect your payments.
A potential bank partner should have the highest standards when it comes to security, and they should reflect those standards in their actions, not just their words. That starts with going beyond the basic security measures already in place, such as firewalls, user authentication systems, access control systems, etc. Unfortunately, simply meeting security regulations and mandates isn’t sufficient. They are only designed to enforce minimum standards, and that’s not good enough. Neither is adhering to widely accepted best practices. What everyone else is doing clearly isn’t working. Your organization needs to find a better path than the status quo in order to keep your payments secure.
The ultimate goal should be to stop fraudulent transactions from being executed. Any financial institution you consider working with needs to have systems in place to proactively identify threats and stop them before they become a problem. Log file solutions – what most financial institutions rely on – won’t help you accomplish this. For one thing, they generally capture only partial information. But most importantly, they only provide information after an incident has taken place, and that’s too late.
For ultimate protection, banks should monitor the usage of business applications on two fronts, both internally and externally. Internal monitoring should include employees, contractors and anyone else who has access. External monitoring should include customers and any other online channels, including bank-to-bank systems, such as SWIFT. A comprehensive approach like this will protect the bank from a combined attack, such as malware that enters externally then imitates an employee committing an internal attack.
Their standard monitoring practices should take place at the application level (understanding if a certain behavior is atypical — reviewing payments, inquiries, lookups etc.) as well as at the network level (detecting anomalies with traffic). By taking such proactive measures, it will be far easier to identify activities that are likely fraudulent and stop them before financial losses occur.
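As an added illustration (not code from the article or from Bottomline’s products), the application-level monitoring described in the two paragraphs above can be sketched over constructed audit-log lines from a hypothetical payment system: the log format, the network names and the velocity threshold are all assumptions, and the two checks are the ones the text names, an employee credential acting from outside the corporate network (the “enters externally then imitates an employee” case) and a payment rate far above an actor’s normal behavior.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines from a hypothetical payment-application audit log
# (not a real product's format): time, actor, actor type, source network, action, amount.
LOG = """\
2016-09-12T09:00:05 alice internal corp-lan lookup 0
2016-09-12T09:00:40 alice internal corp-lan payment 1200
2016-09-12T09:15:10 bob internal corp-lan inquiry 0
2016-09-12T09:30:00 acme-corp external internet payment 5400
2016-09-12T02:10:01 bob internal internet payment 9800
2016-09-12T02:10:12 bob internal internet payment 9700
2016-09-12T02:10:25 bob internal internet payment 9900
2016-09-12T02:10:39 bob internal internet payment 9600
"""

LINE = re.compile(r"(\S+) (\S+) (internal|external) (\S+) (\S+) (\d+)")

def parse(log):
    """Parse the assumed log format into (time, actor, kind, network, action, amount) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, actor, kind, net, action, amount = m.groups()
            events.append((datetime.fromisoformat(ts), actor, kind, net, action, int(amount)))
    return sorted(events)

def detect(log, max_payments_per_minute=3):
    """Return sorted (actor, reason) alerts from two application-level checks:
    - an internal (employee) credential acting from outside the corporate network;
    - payment velocity: more than max_payments_per_minute payments by one actor
      within any 60-second window (the threshold is an assumed baseline)."""
    alerts = set()
    recent = defaultdict(list)          # actor -> timestamps of payments in the last 60 s
    for ts, actor, kind, net, action, amount in parse(log):
        if kind == "internal" and net != "corp-lan":
            alerts.add((actor, "internal credential used from external network"))
        if action == "payment":
            window = [t for t in recent[actor] if (ts - t).total_seconds() <= 60]
            window.append(ts)
            recent[actor] = window
            if len(window) > max_payments_per_minute:
                alerts.add((actor, "payment velocity exceeds baseline"))
    return sorted(alerts)
```

In a real deployment the baseline would be learned per actor and per action type rather than fixed, and the alert would feed a hold on the transaction before settlement, which is the point the text makes about acting before losses occur.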
It all comes down to using a multi-layered approach to security. For true peace of mind, you need an institution that understands that security isn’t just about building walls to keep intruders out — it’s about securing payments. Having such a mindset is the only way to protect your payments today while also safeguarding them in the future. Any bank that follows that mantra is worth having as a partner.
Ultimately, finding a bank partner that has the resources (and the mindset) to adequately protect your payments won’t be as easy as you think. It’s doable, however, if you know what to look for. By expecting the highest standards, looking for a modern mindset and demanding a proactive stance, you stand the best chance of securing your payments against growing cyber security threats.
Boaz Krelbaum is General Manager of Cyber Fraud & Risk Management for Bottomline Technologies.