The financial services sector remained a sweet spot for cybercriminals in the second half of 2016. As we predicted in June, the industry continued to grapple with threats from individual fraudsters, organized cybergangs and even nation-states. As always, cybercriminals go where the money is.

Many high-profile thefts hit the headlines all over the world in the past six months. These attacks exploited weak authentication and mobile application vulnerabilities, and several bore the hallmarks of organized crime.

Brute-Force Break-In

In November, Tesco Bank noted suspicious activity on 40,000 of its 136,000 accounts. The U.K. supermarket bank later confirmed that 2.5 million pounds had been stolen from 9,000 accounts. The thieves brute-forced login and password combinations. After breaking into an account, they set up contactless payment accounts with a variety of global retailers.

The bank claimed it wasn’t breached directly, however. Because of a weakness in the online banking process Tesco employed, accounts belonging to users who chose weak or reused login credentials were exposed to guessing. Tesco should nonetheless have noticed that logins were arriving from unfamiliar IP addresses and required an additional form of authentication before honoring them.

The takeaway: Never reuse login credentials, especially for banking or email services. Additionally, always enable multifactor authentication when it is offered.
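As an added example (not from the original article, and not a description of Tesco Bank's systems), the following Go program shows the two checks the Tesco paragraphs call for, run over a constructed login log: a per-source failure budget that catches one address trying passwords across many accounts, and a step-up to a second factor when a correct password arrives from an address the account has never used or follows a burst of failures against that account. The log format, the IP addresses, the seeded history and the thresholds are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthEvent is one parsed record from the constructed login log below.
type AuthEvent struct {
	Account, IP string
	OK          bool // the password check passed
}

// Decision is what the login pipeline does with one attempt.
type Decision string

const (
	Allow   Decision = "allow"       // known address, no recent failures
	Deny    Decision = "deny"        // wrong password
	StepUp  Decision = "require-mfa" // right password, but something is off
	BlockIP Decision = "block-ip"    // source has used up its brute-force budget
)

// Thresholds are assumptions for this example, not any bank's real policy.
const (
	maxFailuresPerIP      = 5 // failures from one source across all accounts (spraying)
	maxFailuresPerAccount = 3 // failures against one account before a success gets step-up
)

// Detector holds per-source and per-account state; knownIPs maps account -> addresses
// seen on past verified logins, the history a bank already has.
type Detector struct {
	failsByIP, failsByAccount map[string]int
	knownIPs                  map[string]map[string]bool
}

func NewDetector(known map[string]map[string]bool) *Detector {
	return &Detector{map[string]int{}, map[string]int{}, known}
}

// ParseLine reads the constructed "account=<a> ip=<ip> result=ok|fail" format.
func ParseLine(line string) (AuthEvent, error) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return AuthEvent{}, fmt.Errorf("bad field %q in %q", f, line)
		}
		kv[k] = v
	}
	if kv["account"] == "" || kv["ip"] == "" || kv["result"] == "" {
		return AuthEvent{}, fmt.Errorf("incomplete line %q", line)
	}
	return AuthEvent{kv["account"], kv["ip"], kv["result"] == "ok"}, nil
}

// Evaluate records one attempt and returns the decision for it.
func (d *Detector) Evaluate(e AuthEvent) Decision {
	// A source that has burned through its failure budget is cut off even when it
	// finally guesses right: the spray itself is the signal.
	if d.failsByIP[e.IP] >= maxFailuresPerIP {
		return BlockIP
	}
	if !e.OK {
		d.failsByIP[e.IP]++
		d.failsByAccount[e.Account]++
		return Deny
	}
	// Correct password, but an address never seen for this account or a run of recent
	// failures against it is exactly the Tesco situation: demand a second factor first.
	if !d.knownIPs[e.Account][e.IP] || d.failsByAccount[e.Account] >= maxFailuresPerAccount {
		return StepUp
	}
	d.failsByAccount[e.Account] = 0
	return Allow
}

// Run evaluates a log in order; malformed lines get a "parse-error" decision.
func Run(d *Detector, lines []string) []Decision {
	var out []Decision
	for _, line := range lines {
		if e, err := ParseLine(line); err != nil {
			out = append(out, Decision("parse-error"))
		} else {
			out = append(out, d.Evaluate(e))
		}
	}
	return out
}

// SampleHistory and SampleLog are constructed for this example.
var SampleHistory = map[string]map[string]bool{
	"alice": {"203.0.113.7": true}, "bob": {"203.0.113.50": true},
}

var SampleLog = []string{
	"account=alice ip=203.0.113.7 result=ok", // routine login from a known address
	// one source trying many accounts, then hitting a weak password on the sixth try
	"account=bob ip=198.51.100.9 result=fail", "account=carol ip=198.51.100.9 result=fail",
	"account=dave ip=198.51.100.9 result=fail", "account=erin ip=198.51.100.9 result=fail",
	"account=frank ip=198.51.100.9 result=fail", "account=grace ip=198.51.100.9 result=ok",
	"account=alice ip=192.0.2.44 result=ok", // right password, unfamiliar address
	// repeated guesses against one account from its usual address, then success
	"account=bob ip=203.0.113.50 result=fail", "account=bob ip=203.0.113.50 result=fail",
	"account=bob ip=203.0.113.50 result=ok",
}

func main() {
	for i, dec := range Run(NewDetector(SampleHistory), SampleLog) {
		fmt.Printf("%-44s -> %s\n", SampleLog[i], dec)
	}
}
```

On the sample log the sixth attempt from 198.51.100.9 is denied like the others, the correct password that follows from the same address is blocked outright, alice's login from 192.0.2.44 is pushed to MFA despite the right password, and bob's eventual success after three failures is also pushed to MFA. A production version would age the counters out over time and key the "known address" set on something coarser than an exact IP, but the two decisions it has to make are the ones shown here.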

What a Rip-Off

A Russian gang known as Buhtrap allegedly committed a series of ATM attacks around the world. The FBI issued an alert explaining that these machines would be a prime target of cybergangs, detailing a July 2016 attack in Taiwan in which attackers stole cash from ATMs controlled by the First Commercial Bank. Similar attacks targeting the Government Savings Bank in Thailand followed in July and August. Buhtrap had been testing ATM attacks against Russian banks earlier in the year.

Cybersecurity firm FireEye conducted a comprehensive review of the Ripper malware and noted that the ATMs themselves were wiped clean and loaded with new software. The new software waits for a card carrying the expected Europay, MasterCard and Visa (EMV) chip, then dispenses currency 40 bills at a time.

Once an ATM is disconnected from the bank’s network, it is difficult to monitor what is happening on the device. Had the machine’s software required updates to be authenticated before it would install them, the outcome might have been different.
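The article does not say how Ripper’s operators got their software onto the machines, only that the ATMs were wiped and reloaded. As an added example, not code from FireEye, the FBI or any ATM vendor, the following Go program shows what requiring authentication before an update looks like in practice: each update carries an Ed25519 signature under a vendor key provisioned on the device, and the device refuses to install anything whose signature does not verify or whose version does not move forward. The update layout, the context label and the version check are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the package a device receives. The layout is an assumption for this example.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte // Ed25519 signature over signedBytes(Version, Image)
}

// signedBytes binds the version to the image hash under a fixed context label, so a
// genuine signature on one image cannot be moved to another or presented as a newer version.
func signedBytes(version uint32, image []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.Sum256(image)
	msg := append([]byte("atm-update-v1:"), v[:]...)
	return append(msg, h[:]...)
}

// Sign is what the vendor's release process runs with a key that never leaves it.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{version, image, ed25519.Sign(priv, signedBytes(version, image))}
}

// Device is the ATM's minimal view: the vendor key provisioned at manufacture and what it runs now.
type Device struct {
	VendorKey      ed25519.PublicKey
	CurrentVersion uint32
	Installed      []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// Install is the gate the text says was missing: nothing is written until the signature
// verifies and the version moves forward. Verify first; no field is trusted before that.
func (d *Device) Install(u Update) error {
	if !ed25519.Verify(d.VendorKey, signedBytes(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.CurrentVersion {
		return ErrRollback
	}
	d.Installed = append([]byte(nil), u.Image...)
	d.CurrentVersion = u.Version
	return nil
}

// Scenario runs the cases worth testing against any update path and returns each outcome:
// a genuine update, a tampered image still carrying the genuine signature, an image signed
// with an attacker's own key, and a genuine but older image replayed onto the device.
func Scenario() (genuine, tampered, wrongKey, rollback error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	atm := &Device{VendorKey: vendorPub, CurrentVersion: 7}

	image8 := []byte("dispenser service v8 (constructed image)")
	good := Sign(vendorPriv, 8, image8)
	genuine = atm.Install(good)

	evil := good // struct copy: same version and signature, swapped image
	evil.Image = []byte("dispenser service v8 + unlimited cash-out")
	tampered = atm.Install(evil)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	wrongKey = atm.Install(Sign(attackerPriv, 9, []byte("attacker image")))

	rollback = atm.Install(Sign(vendorPriv, 8, image8)) // valid signature, stale version
	return
}

func main() {
	genuine, tampered, wrongKey, rollback := Scenario()
	fmt.Println("genuine update:      ", genuine)
	fmt.Println("tampered image:      ", tampered)
	fmt.Println("attacker-signed:     ", wrongKey)
	fmt.Println("replayed old version:", rollback)
}
```

The rollback case matters as much as the signature check: a signed but vulnerable older image is the cheapest thing an attacker with physical access can obtain, so the version is bound into the signed bytes and compared after verification. On a real device the vendor key would live in protected storage and the check would run before any write to the disk, not after.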

Arena Rocked

Retailers and vendors alike struggled to protect their point-of-sale (POS) systems from financial fraudsters during the second half of 2016. In November, The Madison Square Garden Company revealed that its POS system had been compromised. According to an official statement, concession stands within the venue had been exposed to cybercriminals from Nov. 9, 2015, through Oct. 24, 2016. Anyone who paid with a credit card at the concession stands throughout the arena during that time is at risk.

The company noted that the cybersecurity firm it had hired to investigate the incident discovered “external unauthorized access to MSG’s payment processing system and the installation of a program that looked for payment card data as that data was being routed through the system for authorization.”

MSG wasn’t the only one facing cyberattacks. For its part, Oracle Corporation confirmed that its Micros POS system had been breached, allegedly by a Russian organized crime group, in August. The Micros POS system is used in over 180 countries. Oracle simply advised users to change their passwords.

Fast food restaurant chain Wendy’s also suffered a POS breach that enabled cybercriminals to steal complete card data. The intrusion began with compromised credentials belonging to a third-party vendor.

These incidents are reminiscent of the POS attacks directed at Target and Home Depot in 2013 and 2014, respectively. Yet here we are several years later, sharing the same stories with different names.
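MSG’s description of a program that “looked for payment card data as that data was being routed through the system” is the defining trait of POS memory-scraping malware, and the same pattern matching is what a defender can run over a process memory dump or a packet capture to confirm whether cleartext card data is reachable at all. The following Go scanner is an added example, not code from any of the investigations cited above: it finds track 2 records and bare card numbers in a buffer, keeps only those that pass the Luhn check, and reports masked numbers so the scanner does not itself become another copy of the data. The sample buffer and everything in it are constructed; the two card numbers are the public brand test numbers.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// luhnValid applies the Luhn check-digit test that every major card brand's PAN satisfies.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Track 2 as it sits in a swipe: PAN, '=' separator, YYMM expiry, 3-digit service code,
// then discretionary data. A bare 13-19 digit run is the weaker, noisier signal.
var (
	track2  = regexp.MustCompile(`;?([0-9]{13,19})=([0-9]{4})([0-9]{3})[0-9]*\??`)
	panOnly = regexp.MustCompile(`[0-9]{13,19}`)
)

// Finding is one hit. Only first six and last four digits of the PAN are kept.
type Finding struct {
	Offset    int
	Kind      string // "track2" or "pan"
	MaskedPAN string
}

func mask(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ScanBuffer walks a captured buffer (process memory, a network capture) and reports
// every Luhn-valid card number, preferring the richer track 2 match where one exists.
func ScanBuffer(buf []byte) []Finding {
	var out []Finding
	claimed := map[int]bool{} // PAN offsets already reported as track 2
	for _, m := range track2.FindAllSubmatchIndex(buf, -1) {
		pan := string(buf[m[2]:m[3]])
		if luhnValid(pan) {
			claimed[m[2]] = true
			out = append(out, Finding{m[0], "track2", mask(pan)})
		}
	}
	for _, m := range panOnly.FindAllIndex(buf, -1) {
		pan := string(buf[m[0]:m[1]])
		if !claimed[m[0]] && luhnValid(pan) {
			out = append(out, Finding{m[0], "pan", mask(pan)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Offset < out[j].Offset })
	return out
}

// SampleBuffer is constructed: a terminal log fragment with a swiped track 2 record and
// a card number in an authorization message, plus a non-Luhn 16-digit order id and a
// 14-digit timestamp as decoys that a naive digit-run scanner would flag.
var SampleBuffer = []byte("ts=20161124120000 terminal=POS-07 amount=12.99 " +
	"swipe=;4111111111111111=271210112345? " +
	`auth={"pan":"5555555555554444","exp":"2712"} ` +
	"order=1234567890123456")

func main() {
	for _, f := range ScanBuffer(SampleBuffer) {
		fmt.Printf("offset %3d  %-6s  %s\n", f.Offset, f.Kind, f.MaskedPAN)
	}
}
```

On the sample buffer the scanner reports exactly two findings, the track 2 record and the bare number in the authorization message, and ignores the timestamp and the order id because they fail the Luhn check. Luhn alone still passes roughly one random digit run in ten, so a production scanner also checks issuer prefixes and surrounding context; the point for a defender is that any Luhn-valid hit in the memory of a process that is not the payment application’s encryption boundary is evidence that a scraper would find the same data.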

Challenges for Financial Services in 2017

As we head into 2017, financial services organizations should be on the lookout for distributed denial-of-service (DDoS) and ransomware attacks, either of which could produce disastrous results. These threats amplify the need for financial companies to challenge their vendors to demonstrate the security of their systems and to implement the telemetry necessary to detect anomalous activity.
