Today’s cybercriminals employ high-tech tools to break through the virtual walls of a bank to access sensitive customer information and valuable financial data, or steal money from customer accounts.
Once inside those walls, the financial institution might not immediately know it, according to Tom Kellerman, founder and CEO with Strategic Cyber Adventures, a company that develops architecture that helps organizations identify gaps in their cybersecurity. Before launching his business, Kellerman headed up cybersecurity for the World Bank and International Monetary Fund.
“Most bank heists and attacks on the financial sector are noticed days if not weeks after the fact,” Kellerman said. “And many times hackers hack through colluded networks.”
Vanita Pandey, product management and payments executive with ThreatMetrix, a company that provides digital identity solutions, said that last year, on average, nearly 5 million identities were being tested daily by hackers, according to the company’s customer database. The hackers already have the identity and use a bot to verify the email and password, she said.
Based on customer data at ThreatMetrix for the first quarter of 2017, Pandey said “we’ve seen 230 million (fraud) attacks in 90 days.” She noted a large proportion of those attacks are targeted at financial services and fintech.
According to a recent study published by AIG titled “Systemic Cyber Attacks Likely in 2017; Financial Services, Power/Energy, International Cyber Conflicts Key Concerns,” financial institutions are among the top targets of systemic attacks.
The survey looked at several high-profile systemic cyber events such as the Dyn distributed denial-of-service (DDoS) and MongoDB ransomware attacks. The survey of cybersecurity and risk experts identified the financial services sector as the industry most likely to experience a systemic attack this year (19%), followed by the power/energy sector (15%), and telecommunications/utilities (14%).
While the experts interviewed agree that banks must be vigilant about cybersecurity protocols and practices, Jeremy Dalpiaz, assistant vice president of cyber and data security policy for the Independent Community Bankers of America, said he does not know if the AIG sample was large enough to give an accurate reflection of the threat level that faces different industries.
However, he said cybercriminals want the “family jewels” in just about any industry.
Cybercriminals do not typically work alone, but are usually part of large criminal networks, according to Pandey. These sophisticated criminal networks run seamlessly because attackers freely share sensitive information with each other and sell it to other hackers, she said.
If financial institutions want to minimize cyberattacks, they need to be aware that some of the most sophisticated hackers in the world are trying to infiltrate their networks, Kellerman said.
Banks, in particular, are a target of cyberattacks, largely because banks have access to sensitive information and large sums of cash, he said. Many of the cybercriminals who launch these attacks are affiliated with foreign nation states or international organized crime groups.
“If they’re working for a nation state or a true organized crime syndicate, they can manifest capital market schemes like front running or digital insider trading,” Kellerman said.
Kellerman said hackers have become quite sophisticated. When they design an email takeover scheme, he said, they can make it appear as if the CEO of the company sent a wire transfer request for a large sum of money to be deposited in a foreign country.
‘Anatomy of attack’
Long before a full-on cyberattack occurs, Pandey said hackers begin their planning and test various email and password combinations. She calls this process the “anatomy of an attack.” The process leading up to the actual attack is quite extensive, and it can be planned and executed from nearly any corner of the world without ever stepping foot in the bank, Pandey said.
“Hackers get data from the dark web, then they test the data, then log on to social media or big email sites to test emails,” she said, which allows them to match passwords and email accounts of real people.
“If they figure out your password, now a sophisticated attack will follow,” she said. “If they don’t know your password, they try to set up a new account. Once they have tested credentials, they will go to a bank [website or email server] and actually use that data.”
Pandey noted that hackers do not generally start with large companies – instead they execute a test run on smaller companies because they tend to be much easier targets. When larger companies report “huge attack days,” where they receive millions of attacks in a single day, Pandey said this activity is often associated with hackers conducting identity tests.
To help prepare against cyberattacks, Dalpiaz suggests banks educate their staff by running practice drills that resemble a real cyberattack. The Federal Deposit Insurance Corporation publishes a cyber challenge series with mockup drills for staff to follow.
In terms of training, Dalpiaz recommends the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool as a reference for financial institutions to assess their risks and cybersecurity preparedness.
“Training and culture includes the employee training and customer awareness programs contributing to an organizational culture that emphasizes the mitigation of cybersecurity threats,” he said.
He cited the IT Handbook, also published by FFIEC, as yet another training reference. The handbook suggests institutions consider the following areas for training: phishing and social engineering attempts, data loss through e-mail or removable media, or posting confidential or proprietary information on social media unintentionally.
Financial institutions should not skimp on investing in their organization’s cybersecurity program.
“A good rule of thumb is 20% of your IT budget should go toward sustaining and securing your IT, especially if you are a financial institution,” Kellerman said.
Organizations also should not overlook budgeting for cybersecurity in their online marketing department. He said when the marketing department doesn’t have security protocols in place for websites or social media accounts it can create a weak link in a financial institution’s security network – and an easy place for hackers to get in.
“If you create a blog on your website and if you don’t update WordPress, you (can) get hacked,” said Kellerman, noting that the same thing can happen with mobile apps.
Most people understand the need for a secure environment and the importance of the right architecture to help prevent attacks, according to Pandey. However, not everyone realizes how to obtain the right information to help prevent those attacks, she said.
“Attacks are becoming more complex, more frequent and bigger; fraudsters have better tools,” Pandey said.
When planning for cybersecurity, Kellerman suggests organizations look at the entire supply chain so hackers have less opportunity to “piggy back” on outside vendors or service providers. Those might include the bank’s technical service provider, cloud integrator and marketing vendor.
“Companies should accept the policies of their IT vendor and have the right to conduct a penetration test of the supply chain or deploy adaptive authentication which would dramatically improve control over who has access to your network,” Kellerman said.
Freelance writer Elise Oberliesen contributed to the writing and research of this article.