BreachExchange mailing list archives

Banking Cyber-Attack Trends to Watch


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 10 Feb 2014 18:23:05 -0700

http://www.govinfosecurity.com/banking-cyber-attack-trends-to-watch-a-6482

When it comes to cyberthreats, what are the major concerns for banking
institutions in 2014? Distributed-denial-of-service attacks waged as a mode
of distraction to perpetrate fraud across numerous banking channels are a
growing threat. But financial institutions also are concerned about
ransomware attacks designed to wage account takeover fraud, as well as
mobile malware and insider threats.

The key for banking institutions in 2014 will be to focus on detecting and
mitigating multiple risks across multiple channels. "We will see more
blended attacks that combine DDoS with some form of attempted data
compromise," says Doug Johnson, vice president and senior adviser of risk
management policy for the American Bankers Association.

Other threats that will require renewed attention include spear-phishing
attacks and call-center schemes waged against employees, as well as
nation-state threats and third-party breaches.

In 2014, banking institutions need to focus on stronger authentication and
increased reliance on big data analytics to anticipate and mitigate fraud.

DDoS as a Distraction

Avivah Litan, a financial fraud expert who's an analyst for the consultancy
Gartner, says 30 percent of all banking institution fraud is perpetrated
across multiple channels.

For example, attackers will target an institution's online-banking site
with a DDoS attack as a distraction. Then, during the attack, when the
online-banking site is unavailable, fraudsters can take advantage of
customer service representatives who are overburdened, Litan says.

But cross-channel attacks can be launched in a variety of ways, says
Shirley Inscoe, a financial fraud analyst at the consultancy Aite.

"Organized fraud rings are targeting call centers, armed with some
information gleaned from data breaches, hacking, etc., and then calling
repeatedly to gain additional information so they can successfully
impersonate the client," Inscoe says. "Once they have enough information,
they may ask for a password reset to gain online access, request a debit
card or request a wire transfer be sent. The resultant fraud may originate
through the contact center or a different channel."
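The cross-channel pattern described above (DDoS on the online channel while high-risk requests arrive through the call center) can be caught by correlating the two channels' logs. This is an added example, not code from the article or from any of the firms quoted; the event record format, the DDoS start/end markers, the HIGH_RISK action set, the 6-hour grace period and the 24-hour lookback are all assumptions.

```python
from datetime import datetime, timedelta
# Call-center actions the article names as the fraudster's end goal.
HIGH_RISK = {"password_reset", "debit_card_request", "wire_transfer"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def ddos_windows(events):
    # [(start, end)] intervals of online-channel DDoS; end is None if ongoing.
    windows, start = [], None
    for e in (x for x in events if x["channel"] == "online"):
        if e["event"] == "ddos_start" and start is None:
            start = parse_ts(e["ts"])
        elif e["event"] == "ddos_end" and start is not None:
            windows.append((start, parse_ts(e["ts"])))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows

def prior_calls(events, customer, before, lookback=timedelta(hours=24)):
    # Earlier contacts by the same customer: the repeated-call pattern Inscoe describes.
    return sum(1 for e in events
               if e["channel"] == "call_center" and e["customer"] == customer
               and before - lookback <= parse_ts(e["ts"]) < before)

def flag_cross_channel(events, grace=timedelta(hours=6)):
    # High-risk call-center actions inside a DDoS window (or within `grace`
    # after it) that warrant out-of-band verification before execution.
    windows, alerts = ddos_windows(events), []
    for e in events:
        if e["channel"] != "call_center" or e["event"] not in HIGH_RISK:
            continue
        t = parse_ts(e["ts"])
        if any(s <= t and (end is None or t <= end + grace) for s, end in windows):
            alerts.append({"customer": e["customer"], "event": e["event"], "ts": e["ts"],
                           "prior_calls": prior_calls(events, e["customer"], t)})
    return alerts

# Constructed sample log (not real data).
SAMPLE_EVENTS = [
    {"ts": "2014-02-10T09:00:00", "channel": "call_center", "customer": "C100", "event": "balance_inquiry"},
    {"ts": "2014-02-10T10:00:00", "channel": "online", "customer": "", "event": "ddos_start"},
    {"ts": "2014-02-10T10:12:00", "channel": "call_center", "customer": "C100", "event": "password_reset"},
    {"ts": "2014-02-10T10:20:00", "channel": "call_center", "customer": "C200", "event": "wire_transfer"},
    {"ts": "2014-02-10T11:00:00", "channel": "online", "customer": "", "event": "ddos_end"},
    {"ts": "2014-02-10T13:00:00", "channel": "call_center", "customer": "C300", "event": "debit_card_request"},
    {"ts": "2014-02-11T09:00:00", "channel": "call_center", "customer": "C400", "event": "password_reset"},
]
```

On the sample log, the three requests made during or shortly after the DDoS window are flagged, and the `prior_calls` count shows which customer record had already been contacted beforehand.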

Spear Phishing and Ransomware

Employees' credentials also can be compromised through socially engineered
schemes, such as spear-phishing attacks. Banking institutions can expect
these targeted attacks waged against their employees, as well as their
customers, to increase in volume and sophistication in the year ahead,
experts say.

And when it comes to social engineering schemes waged against customers,
institutions should brace for a significant uptick in ransomware attacks,
such as CryptoLocker, says Tom Wills, a financial fraud expert in Singapore
and director of Ontrack Advisory, a consulting firm focused on payments.

"The banking industry is already being hit indirectly, as ransomware is
being delivered as phishing e-mail payloads, purportedly from banks," he
explains.

Mobile Malware

Malware that targets mobile phones and tablets will continue to be a
substantial threat in 2014.

"When it comes to mobile, there are a lot of different steps that banks
have to take to protect their mobile applications," Litan says. "But most
financial institutions just don't have the resources to protect these
mobile applications as fully as they should. I do think that we'll see that
change, because it's becoming so prevalent to engage a mobile banking app,"
she says. But the industry still has a long way to go, she notes.

"The most serious issue that banks and all of us face in trying to protect
assets and data is our open architecture," Litan says. "There are so many
different channels users can come in from. There are so many different
activities employees can engage in. We're pretty much an open society: The
Web code is there to be deciphered and the mobile apps are there to be
downloaded."

Insider Threats

Edward Snowden's leak of classified documents about the National Security
Agency's surveillance programs brought attention to insider threats in 2013.

"The worldwide focus on insider threats, privacy, responsibility and trust
... has had a massive impact on security in all industries," Wills says.
"This may be the story of the decade, not just the year."

Snowden's breach put a spotlight on the need for stronger insider controls,
Litan says. "And sometimes that's as simple as changing default passwords,"
she explains.

From an authentication perspective, it's not just customers who require
stronger authentication; employees who have access to sensitive data need
to be scrutinized as well, Litan says.

"There are more disgruntled employees and there are more opportunities for
them to commit fraud with outside parties," she says. "You have to pay
attention to who you hire and continuously authenticate those individuals."

Cyberwarfare

As the DDoS attacks against leading U.S. banking institutions have proved,
cyberwarfare campaigns are increasing (see: DDoS Attacks: More to Come?).
Self-proclaimed hacktivist groups and nation-states are taking aim at
financial services to disrupt service, compromise accounts and steal
intellectual property.

"Banks have always been a target for nation-state launched threats," Wills
says. "Geographically coordinated attacks, not just across states but
across the world, seem to be becoming more and more common."

And banking institutions cannot afford to ignore the risk of third-party
data breaches, says Anton Chuvakin, an emerging technology analyst at
Gartner. As banks and credit unions outsource more of their core banking
services, third-party risks will increase.

Retailer Breaches

But it's not just risks associated with vendor relationships that banking
institutions have to consider, Chuvakin and others say.

Increasingly, payments risks associated with retailers and payments
processors are becoming a greater concern. Point-of-sale breaches, such as
the ones that struck Target Corp. and Neiman Marcus, illustrate the
complexity of securing financial transactions across numerous entities.

In 2013, several smaller retailers were targeted by malware that exploited
POS software and network vulnerabilities. These smaller organizations often
have less sophisticated and secure systems, which make them prime targets
for attackers.

But the Target and Neiman Marcus breaches prove that even some of the
larger retailers are vulnerable to attack - often through the point of sale.

"The biggest weakness in the breaches I see is the point of sale," says
cybersecurity attorney David Navetta, a partner at the Information Law
Group.

In the wake of recent breaches, some banking institutions have sued
breached retailers to recoup losses not covered by their merchant services
agreements through the card brands. Other institutions have leaned more
heavily on cyber-insurance to cover financial losses and expenses that
result from a breach.

In October 2013, the Office of the Comptroller of the Currency issued
updated guidance for banking institutions on risks related to third parties,
such as technology vendors and core processors. Other federal banking
regulators, including the Federal Deposit Insurance Corp., are expected to
follow suit. As a result, banking institutions should prepare now for
increased scrutiny of their vendor management programs.

"As banks improve security, the security of their service providers becomes
more of an issue," Chuvakin says.

Banking institutions need to focus more attention on risk assessments -
those conducted internally as well as those of the third parties with which
they have contractual relationships.

Big Data for Fraud Detection

In light of emerging threats, banking institutions are enhancing their
fraud detection and prevention capabilities. And a lot of these
enhancements will revolve around big data, Wills says.

"Analytics technology is getting better at pinpointing actual high-risk
activity, with fewer false positives and negatives," he says.

But while the use of big data in the fraud fight shows potential, most
banking institutions will be limited by their infrastructure, Litan says.
The systems and processes a majority of institutions have in place today
just aren't equipped to handle that much information, she says.

"Big data analytics and the revolution in technology that's taking place in
that domain are going to put a lot of pressure on operational systems," she
says. "As organizations learn to get their arms around data really quickly,
in real time, the systems that they've put in place aren't going to be able
to keep up that easily. It's an interesting phenomenon, but one that's very
promising; and I don't think the bad guys are going to have the last word."

Thanks to data analytics, banking institutions are starting to make more
connections between cross-channel fraud trends, Litan says.

Still, the role big data will play in the banking sector will vary widely,
Wills says. "They have to do their risk assessments and secure
accordingly," he adds.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss