The financial services sector remained a sweet spot for cybercriminals in the second half of 2016. As we predicted in June, the industry continued to grapple with threats from individual fraudsters, organized cybergangs and even nation-states. As always, cybercriminals go where the money is.

Many high-profile thefts hit the headlines all over the world in the past six months. These attacks exploited authentication protocols and mobile application vulnerabilities, and even indicated the presence of organized crime.

Brute-Force Break-In

In November, Tesco Bank noted suspicious activity on 40,000 of its 136,000 accounts. The U.K. supermarket bank later confirmed that 2.5 million pounds had been stolen from 9,000 accounts. The thieves used brute-force techniques to test login and password combinations. After breaking into an account, they set up contactless payment accounts with a variety of global retailers.

The bank claimed it wasn’t breached directly, however. Because of a flaw in Tesco’s online banking login process, accounts belonging to users who chose weak or reused login credentials were vulnerable. But Tesco should have noticed that the source IP addresses had changed and required additional forms of authentication.

The takeaway: It’s important to never reuse login credentials, especially for banking or email services. Additionally, always use multifactor authentication when offered.
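The two signals the Tesco paragraph points to, one source IP testing credentials across many accounts and a successful login from an IP never seen for that account, can be pulled out of an ordinary login audit trail. The following is an added example, not code from the original post or from Tesco; the log format and the threshold are assumptions, and the sample lines are constructed.

```python
# Added example (not from the original post): flag the two signals the Tesco
# paragraph describes, over constructed login-audit lines.
from collections import defaultdict

# Constructed sample audit lines: timestamp, account, source IP, result.
SAMPLE_LOG = """\
2016-11-05T02:00:01 acct1001 203.0.113.7 FAIL
2016-11-05T02:00:02 acct1002 203.0.113.7 FAIL
2016-11-05T02:00:03 acct1003 203.0.113.7 FAIL
2016-11-05T02:00:04 acct1004 203.0.113.7 FAIL
2016-11-05T02:00:05 acct1005 203.0.113.7 FAIL
2016-11-05T02:00:06 acct1006 203.0.113.7 OK
2016-11-05T02:10:00 acct2001 198.51.100.4 OK
2016-11-05T02:15:00 acct2001 198.51.100.4 OK
2016-11-05T02:20:00 acct2001 203.0.113.7 OK
"""

def parse(log):
    """Split each line into (timestamp, account, ip, result); format assumed."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def spraying_ips(rows, min_accounts=5):
    """Source IPs whose failed logins touch at least min_accounts distinct
    accounts: credential testing across the customer base rather than one
    user mistyping a password. The threshold is an assumption."""
    failed = defaultdict(set)
    for _, acct, ip, result in rows:
        if result == "FAIL":
            failed[ip].add(acct)
    return {ip for ip, accts in failed.items() if len(accts) >= min_accounts}

def step_up_required(rows):
    """(account, ip) pairs where a successful login came from an IP never
    seen before for that account, in log order. These are the logins that
    should have triggered an extra authentication factor. An account's very
    first login has no baseline and is not flagged."""
    seen = defaultdict(set)
    flagged = []
    for _, acct, ip, result in rows:
        if result != "OK":
            continue
        if seen[acct] and ip not in seen[acct]:
            flagged.append((acct, ip))
        seen[acct].add(ip)
    return flagged
```

Run against the sample, `spraying_ips` flags 203.0.113.7 (failures on five distinct accounts) and `step_up_required` flags acct2001 when it logs in from that same IP after a history on 198.51.100.4.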

What a Rip-Off

A Russian gang known as Buhtrap allegedly committed a series of ATM attacks around the world. The FBI issued an alert explaining that these machines would be a prime target of cybergangs, detailing a July 2016 attack in Taiwan in which attackers stole cash from ATMs controlled by the First Commercial Bank. Similar attacks targeting the Government Savings Bank in Thailand followed in July and August. Buhtrap had been testing ATM attacks against Russian banks earlier in the year.

Cybersecurity firm FireEye conducted a comprehensive review of the Ripper malware and noted that the ATMs themselves were wiped clean and new software installed. The new software waits for a card with an expected Europay, MasterCard and Visa (EMV) chip, then spews currency, 40 bills at a time.

Once the ATMs are disconnected from the bank’s network, it is difficult to monitor the activity taking place on a given device. Had the firmware required appropriate authentication prior to allowing updates, the results may have been different.

Arena Rocked

Retailers and vendors alike struggled to protect their point-of-sale (POS) systems from financial fraudsters during the second half of 2016. In November, The Madison Square Garden Company revealed that its POS system had been compromised. According to an official statement, concession stands within the venue had been exposed to cybercriminals from Nov. 9, 2015, through Oct. 24, 2016. Anyone who paid with a credit card at the concession stands throughout the arena during that time is at risk.

The company noted that the cybersecurity firm it had hired to investigate the incident discovered “external unauthorized access to MSG’s payment processing system and the installation of a program that looked for payment card data as that data was being routed through the system for authorization.”

MSG wasn’t the only one facing cyberattacks. For its part, Oracle Corporation confirmed that its Micros POS system had been breached, allegedly by a Russian organized crime group, in August. The Micros POS system is used in over 180 countries. Oracle simply advised users to change their passwords.

Fast food restaurant chain Wendy’s also suffered a POS breach that enabled cybercriminals to abscond with complete card data. The attackers gained access through compromised third-party vendor credentials.

These incidents are reminiscent of the POS attacks directed at Target and Home Depot in 2013 and 2014, respectively. Yet here we are several years later, sharing the same stories with different names.

Challenges for Financial Services in 2017

As we head into 2017, financial services organizations should be on the lookout for distributed denial-of-service (DDoS) and ransomware attacks, either of which could produce disastrous results. This looming threat amplifies the need for financial companies to challenge their vendors to demonstrate the security of their systems and implement the necessary telemetry to detect anomalous activity.
