Why Banks Need to Rethink Their Cybersecurity Strategy


CEO Jeremy Samide warns that banks need to focus on cutting edge technologies to survive the cyberwar.

Banks are lending more than money these days. As banks and financial institutions all over the world continue to expand their digital footprint by aggressively marketing for new customers, keeping pace with regulatory compliance and implementing new technology services to better serve is current customer base, they are lending more risk to their customers than ever before.

With over 70% of cyber attacks today categorized as financially motivated, hackers have their sites fixed on a relatively easy bank heist worthy of John Dilinger’s approval. With financial institutions trying to compete for business, they are rapidly deploying more cloud-based solutions, mobile banking options and global online services susceptible to cyber attacks. Banks are making some progress but still lack a formidable strategy to combat the evolution of cyber threats.

Boards and the C-suite need a new approach and more "out of the box" thinking in order to stay afloat if financial institutions intend to turn the tide in their fight. Everyone is a target, big or small and to think you’re not is career suicide. It’s more than the next generation firewall or latest black box technology, it’s about intelligence – Collection and analytics, and lots of it. Organizations that are focusing on cutting edge, applied concepts like artificial intelligence, contextual analytics, cognitive analysis, natural language processing and quantum technologies will advance and ultimately survive into the next frontier of the cyber war.

Introduction

When we sign up for a bank account, we are expected to show multiple proofs of identification including a photo ID, Social Security Number, and current mailing address. It makes sense that a bank would need all this to help establish an identity with the bank. However, handing over this personally identifiable information (PII) is essentially handing over our identities as individuals to the bank. In surrendering this sensitive information, we also expect the bank will have proper safeguards in place to keep that sensitive information secure and intact.

What happens when a bank suffers a cyberattack? What are some of the cyber threats that affect banks? How can these threats be mitigated? These are just a few questions that will be answered.

Specific Threats to Big Banks

Source: CIO & LEADER

There are a number of cyber threats that affect the financial and banking industry worldwide. Specifically, some of the biggest cyber threats that affect bigger banks include social engineering, the insider threat, outside hackers or hacker groups, and malware. These all affect the financial and banking industry in one way or another.

Social engineering is when an outsider pretends to be someone of importance trying to gain physical or remote access to the organization. For example, someone posing as a computer repair technician shows up at a business. The receptionist has no idea who the repair tech is, but let’s the technician into the business’ server room. From there, the repair tech has complete control over the business’ IT equipment.

The insider threat is a person within the organization itself and can be anyone, from a teller to a CEO. The insider threat quite often has more access to data than they really need, and because of this fact alone, it makes them one of the biggest threats. For example, a teller has unlimited access to a bank’s loan documents. Should a teller have access to such documents? Not necessarily, as tellers are not loan officers. Should this teller, for whatever reason, get terminated as an employee, that teller could in theory copy all those loan documents to a USB flash drive and walk off the premises with them. The disgruntled employee could then turn around and sell that sensitive information on the dark web or maybe even hold it ransom.

There are outside hackers and hacker groups that are almost always trying to break into bank and financial organization networks. Either to steal money or sensitive data to sell on the dark web. An example would be the SWIFT cyberheist of Bangladesh this past February. Cybercriminals were able to infiltrate the Bangladesh bank using internal credentials, and then initiate bank transfers between Bangladesh and the Federal Reserve Bank of New York. The result was a stolen $81 million.

Then there’s malware. There are two types of malware to have targeted the banking and financial industry for some time now; banking Trojans and ransomware, which are most commonly deployed via phishing campaigns using malicious email attachments. Banking Trojans, aim to steal a victim’s online banking credentials, and are a global threat. These banking Trojans are quite convincing, as cybercriminals use a technique called web injection and overlays. Basically, a victim’s online login page is overlaid with an exact duplicate, but with the credential fields getting harvested by the cybercriminals during the authentication process.

Ransomware on the other hand, is malware designed to encrypt files, and will sometimes delete the encrypted files if a ransom is not paid (often in Bitcoin) within a certain time frame. Ransomware has become so advanced and dangerous, that some of the most recent variants are capable of spreading like a virus. One encrypted file when executed on an uninfected machine, will start the encryption process all over again. The ransomware infection can spread like a wildfire, potentially infecting an entire organization if a single infected file were shared out to all other users.

Specific Threats to Credit Unions

Credit unions are slightly different from banks. However, some of the same cyber threats that affect banks also affect credit unions. One of the different threats affecting credit unions are vendors. Credit unions are different in that they offer services that banks do not. However, they offer these services through multiple vendors, rather than offering services through themselves. Take the number of services offered by the credit union and multiply that by six to eight different vendors. That number goes to show how vulnerable a credit union really is, as the vendors themselves need to have their own cyber defenses in place, and not all those vendors will necessarily be compliant.

What About Smaller Banks?

Smaller banks are just as susceptible to cyber threats as the bigger banks and credit unions are. However, it can be argued that smaller banks are more at risk than their larger counterparts. This is highly due to the fact that they lack the necessary budget to possess the latest tech and hire the necessary staff to monitor and respond to cyberattacks.

Threats to the Larger Financial Industry

With all the cyber threats that go against the banking and financial industry, there are certain ways, or attack vectors, in which a cyberattack gets carried out.

Source: American Banker

Infected web apps are the top attack vector through which a cyberattack can occur. According to the Report on Cyber Security in the Banking Sector, from the New York State Department of Financial Services, some of the most frequently used cyberattacks include account takeovers (46%), identity theft (18%), telecommunications network disruptions (15%), and data integrity breaches (9.3%). Additionally, larger financial institutions reported mobile banking exploitation (15%), ATM skimming/PoS schemes (23%), and insider access breaches (8%) as common types of cyberattacks.

Regardless of size, most organizations have experienced some type of cyberattack on their IT systems over the last three years. Most organizations reported malware (22%), phishing (21%), pharming (7%), and botnets/zombies (7%). The bigger the organization, the more phishing and malware attempts there were. Only about 13% of smaller organizations reported malware, while medium- and larger-sized organizations reported 21% and 35% respectively. Not surprisingly, about 16% of those same smaller organizations were hit with phishing attempts, while medium- and larger-sized organizations saw 22% and 33% respectively.

Cyberattacks on the Industry

The Last Few Years

There have been a number of cyberattacks on the banking industry over the last five years. In 2010, Bank of America suffered a fraudulent ATM cyberattack by a bank employee, Rodney Reed Caverly. He deployed malware throughout the bank’s systems so ATMs would dispense cash without recording the transaction. The Federal Deposit Insurance Corporation (FDIC) also suffered breaches in 2010, 2011, and 2013, by an “advanced persistent threat…believed to have been the Chinese government,” according to a cybersecurity report from House of Representatives Science, Space, and Technology Committee. Citigroup suffered a cyberattack in May 2011 and had over 360,000 credit card accounts affected by a data breach. Bank of America, JPMorgan Chase, Wells Fargo, US Bank, and PNC Bank all suffered denial-of-service (DoS) attacks in September of 2012, essentially slowing their web traffic to a crawl or taking their web site offline. One of the larger cyberattacks of the last few years involved JPMorgan Chase, the largest bank in the nation, where 76 million customer (household) accounts and 7 million small business accounts were compromised. This cyberattack took place in 2014.

The Last Few Months

Some of the most recent cyberattacks on the banking and financial industries have occurred just in the last few months. Many of these cyberattacks include banking Trojans such as Zeus; ransomware such as CryptoLocker; various ATM hacks; including some social engineering and phishing attempts. There’s even been a recent cyberattack involving the insider threat with Wells Fargo Bank. This involved over 5,000 bank employees opening upwards of 1.5 million deposit accounts and applied for over 560,000 credit card accounts. While this wasn’t a traditional cyberattack, it did involve fraudulent activity over the course of five years, and was only done to meet sales goals and make additional commission.

In February this year, the network used by the Society for Worldwide Interbank Financial Telecommunications (SWIFT) was hacked using stolen credentials for the Bangladesh Central Bank. This cyberheist involved the transfer of $81 million between Bangladesh and the New York Federal Reserve.

The most recent cyberattack involved a hacker (or hackers) by the name of TheDarkOverlord, claiming to have stolen internal bank documents for WestPark Capital, an investment bank in Los Angeles. TheDarkOverlord gained entry not through typical means like a phishing campaign or malware, but through a flaw in Microsoft’s Remote Desktop Protocol (RDP).

Cybersecurity Health of the Financial Sector

Banks and credit unions appear to be hardening their internal networks and doing what they can to help mitigate cyber threats. However, according to SurfWatch, banks are still the biggest contender in the financial industry for cyberattacks. Recently, Infosecurity Magazine also stated that financial services organizations suffer 300 times more security incidents than organizations across other industries.

Source: SurfWatch

Banks and other financial services are starting to invest more money in cybersecurity. Over the next two years, according to consulting firm PwC, financial services organizations will increase their cybersecurity spending by $2 billion. According to the Wall Street Journal, JP Morgan Chase & Co. is going to accelerate its own timeline for cybersecurity spending, expecting to boost its spending to $500 million in 2016.

Zero-Day Threats to Target the Financial Industry

There are a number of zero-day threats that target the financial industry ranging from banking Trojans to ATM malware. Stealthcare has gathered intelligence on a number of these threats.

  1. Banking Trojans – GozNym, Citadel Atmos, Blackbird, Kronos; capable of stealing online banking credentials, credit card info, and Bitcoin wallets
  2. Keyloggers – Smoke Bot and XKey Private Keylogger; capable of capturing keyboard and mouse input
  3. ATM and PoS Malware – Katrina PoS and Ploutos ATM Malware; capable of stealing credit card data and dispensing cash from an ATM
  4. Ransomware – Stampado and Philadelphia; capable of encrypting a victim’s files and charging a ransom

In May 2016, the banking Trojan known as GozNym, a hybrid banking Trojan of Gozi and Nymaim, was the top contender for cyber threats according to SurfWatch.

Source: SurfWatch

Industry Specific Solutions

Many banks are often lacking in their cyber defenses. However, as more and more cyberattacks occur, like stealing money via wire transfers using the SWIFT network, ATMs getting hacked, and online banking credentials getting pilfered, banks are starting to step up their game.

One particular example of mitigation is Two-Factor Authentication, or 2FA. This is where users are able to login to their accounts using not just a password, but a secondary form of ID, like a common access card (CAC) or biometric thumbprint.

For both banks and credit unions, it would be highly advisable hiring a managed security services company such as Stealthcare. Stealthcare employs professional network engineers and cybersecurity experts, in addition to professional cyber analysts capable of researching the latest cyber threats such as hackers and ransomware.

Some of the specific solutions to help mitigate the risks of the various cyber threats include:

  1. Appropriate investment in staffing, education and training – hire a good team of cybersecurity experts, make sure they’re well educated on the latest threats and defenses, and keep that team current with certifications
  2. Network and collaborate – banks and credit unions need to work together to fight off cyber threats
  3. Aim past industry standards – keep current on financial industry best practices
  4. Engage your board – directors need to be constantly involved in cybersecurity so they know what the latest threats are, including social engineering
  5. Better vendor management (credit unions) – vendors add more security holes to the credit union infrastructure
  6. Encrypt, encrypt, encrypt – this can mean the difference between stolen and protected data, despite cost and speed of service delivery
  7. Assess risks, costs, and opportunities – determine what are acceptable risks/losses and their associated costs

Wrapping It All Up

In conclusion, banks, credit unions and financial investment firms are major targets for all types of cyber threats including hackers and hacker groups, cybercriminals, and malware (ransomware). The attack vectors are almost limitless, especially when hackers are constantly coming up with new ways to infiltrate networks, exfiltrate data, and infect various systems with some type of malware.

Not just the banking and financial industry, but all industries need to step up their cybersecurity measures to keep the cyber threats at bay. While many of the aforementioned cyber threats are specific to the banking and financial industry alone, there are still many more that affect the travel, critical infrastructure, legal, government, and retail industries. Cybersecurity experts need to determine what’s next. What’s the next biggest cyber threat how do we combat that?