Looking back on the first half of 2016, we’ve seen that financial services threats have not dissipated — and they are not anticipated to do so anytime soon. Unfortunately, prognosticating security threats is about as accurate as predicting the weather, except banks of supercomputers do the calculations for meteorologists, while the security analyst is often left with reams of data, instincts and experience. Still, experts try to forecast what’s on the horizon to be better prepared when the inevitable issue strikes.
Financial services threats are very real, though not limited strictly to the financial industry. Threat predictions at the beginning of the year touched on nation-states, organized crime, biometric security, credit card fraud, criminal exchanges and crime within the mobile environment.
Let’s review those threats and the 2016 predictions in a midyear review of these challenges.
As predicted, the influx of sophisticated tools combined with significant motivation led to a number of financial entities being successfully attacked, including the U.S. Federal Reserve Bank, the Bangladesh Central Bank and an unidentified commercial bank in Vietnam. We can expect the level of sophistication to increase since these attacks can be both a financial bonanza and a treasure trove of information.
In the case of Bangladesh Central Bank, more than $80 million was stolen when the bank’s interconnectivity to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) financial network was manipulated. The Vietnamese commercial bank’s losses have not been revealed.
SWIFT noted the compromise occurred somewhere in the manipulation of checks and balances used by the individual banks. “The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process,” the organization said in a press release. “In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognize the fraud.”
Additionally, the U.S. Federal Reserve Bank flagged more than 50 cybersecurity events from 2011 to 2015. The agency revealed to Reuters, in a highly redacted response to a Freedom of Information Act (FOIA) request, that it is fending off constant probes and attacks.
As predicted, the Dark Web has continued to evolve. For example, there is now a monitoring service that advises those who wish to use dark marketplaces, providing updates on current statuses, security issues and more.
The Dark Net Market Comparison is the one-stop review for cybercriminals, drug traffickers or others selling illegal goods or services. Given the plethora of marketplaces and attack vectors, we can expect this trend to continue with more review options springing up.
Voice, retina and fingerprint scanning are all types of biometric authentication capabilities available today, with the fingerprint reader already implemented in many devices. The Fast Identity Online (FIDO) Alliance is developing standards to bring a high level of security to these authentication protocols. Within its standards, it noted that “biometric information, if used, never leaves the user’s device.”
Theft of biometric data in bulk will only occur when it is stored in bulk. This was the case with the Office of Personnel Management (OPM) data breach, which resulted in 5 million-plus individuals with U.S. government security clearances having their fingerprints compromised.
As new biometric capabilities come to the market, we will be forced to ask where the data is stored. If the answer doesn’t satisfy your privacy or security needs, then it is not the capability you should employ.
Credit Card Fraud
The prediction of an increase in card-not-present (CNP) fraud as chip-and-PIN cards rolled out across the U.S. appears to be spot-on. Indicators in the “Card Fraud Report 2015” predicted similar trends.
Those forecasts may have come true: Krebs on Security reported banks and retailers around the country — and the world — have fallen victim to skimmers installed on their point-of-sale devices to capture credit card data.
The first half of 2016 saw cybersecurity issues surrounding mobile devices, with Android devices receiving the bulk of the attention. Users need to be reminded of best practices: Download applications only from trusted vendors, realize that operating system updates may reset carefully configured privacy settings and ensure that the mobile device has equal or better security than a stationary one since it is more portable and thus easier to lose or steal.
The U.S. Federal Communications Commission (FCC), in partnership with the U.S. Federal Trade Commission (FTC), launched an inquiry into mobile device security, specifically, why it takes so long for security patch updates of identified vulnerabilities to reach the consumer.
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” the FCC and FTC jointly noted in a release. “To date, operating system providers, original equipment manufacturers and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices — and … older devices may never be patched.”
Enterprises and their financial transactions continued to be the target of organized criminal entities during the first half of the year. Whaling, the targeting of key corporate individuals, is on the rise and continues to be successful. The frenetic pace of business allows for convenience to trump security.
Similarly, the phenomenon of CEO fraud, which manipulates the process and procedures of a given entity to irrevocably transfer financial assets, has tagged a number of entities. The FBI electronic crimes team issued a warning in April 2016 on the “dramatic” increase in business email scams. According to the release, $2.3 billion in losses have been experienced by more than 17,500 victims.
Financial Services Threats for the Second Half of 2016
The threats to financial services will not decrease in the second half of 2016. But will the organized criminal entity, nation-state or unscrupulous individual be successful at breaching or socially engineering their way to the fiscal assets of banks, companies or individuals? The entity not investing in employee and infrastructure awareness will be among the most vulnerable.
It can and will happen to you — regardless of your industry. The most you can do is understand what threats present the biggest risk to your organization and prepare for those security incidents as best you can.