Looking back on the first half of 2016, we’ve seen that financial services threats have not dissipated — and they are not anticipated to do so anytime soon. Unfortunately, prognosticating security threats is about as accurate as predicting the weather, except banks of supercomputers do the calculations for meteorologists, while the security analyst is often left with reams of data, instincts and experience. Still, experts try to forecast what’s on the horizon to be better prepared when the inevitable issue strikes.

Financial services threats are very real, though not limited strictly to the financial industry. Threat predictions at the beginning of the year touched on nation-states, organized crime, biometric security, credit card fraud, criminal exchanges and crime within the mobile environment.

Let’s review those threats and the 2016 predictions in a midyear review of these challenges.


As predicted, the influx of sophisticated tools combined with significant motivation led to a number of financial entities being successfully attacked, including the U.S. Federal Reserve Bank, the Bangladesh Central Bank and an unidentified commercial bank in Vietnam. We can expect the level of sophistication to increase since these attacks can be both a financial bonanza and a treasure trove of information.

In the case of Bangladesh Central Bank, more than $80 million was stolen when the bank’s interconnectivity to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) financial network was manipulated. The Vietnamese commercial bank’s losses have not be revealed.

SWIFT noted the compromise occurred somewhere in the manipulation of checks and balances used by the individual banks. “The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process,” the organization said in a press release. “In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognize the fraud.”

Additionally, the U.S. Federal Reserve Bank flagged more than 50 cybersecurity events from 2011 to 2015. The agency revealed to Reuters, in a highly redacted Freedom of Information Act (FOIA) request, that it is fending off constant probes and attacks.

Criminal Exchanges

As predicted, the Dark Web has continued to evolve. For example, there is now a monitoring service to advise those who wish to use dark marketplaces that provides updates on current statuses, security issues and more.

The Dark Net Market Comparison is the one-stop review for cybercriminals, drug traffickers or others selling illegal goods or services. Given the plethora of marketplaces and attack vectors, we can expect this trend to continue with more review options springing up.

Biometric Security

Voice, retina and fingerprint scanning are all types of biometric authentication capabilities available today, with the fingerprint reader already implemented in many devices. The Fast Identity Online (FIDO) Alliance is developing standards to bring a high level of security to these authentication protocols. Within its standards, it noted that “biometric information, if used, never leaves the user’s device.”

Theft of biometric data in bulk will only occur when it is stored in bulk. This was the case with the Office of Personnel Management (OPM) data breach, which resulted in 5 million-plus individuals with U.S. government security clearances having their fingerprints compromised.

As new biometric capabilities come to the market, we will be forced to ask where the data is stored. If the answer doesn’t satisfy your privacy or security needs, then it is not the capability you should employ.

Credit Card Fraud

The prediction of an increase in card-not-present (CNP) fraud as the implementation of chip-and-PIN cards rolled out across the U.S. appears to be spot-on. Indicators in the “Card Fraud Report 2015” predicted similar trends.

Those forecasts may have come true: Krebs on Security reported banks and retailers around the country — and the world — have fallen victim to skimmers installed on their point-of-sale devices to capture credit card data.

Mobile Threats

The first half of 2016 saw cybersecurity issues surrounding mobile devices, with Android devices receiving the bulk of the attention. Users need to be reminded of best practices: Download applications only from trusted vendors, realize that operating system updates may reset carefully configured privacy settings and ensure that the mobile device has equal or better security than a stationary one since it is more portable and thus easier to lose or steal.

The U.S. Federal Communications Commission (FCC), in partnership with the U.S. Federal Trade Commission (FTC), launched an inquiry into mobile device security, specifically, why it takes so long for security patch updates of identified vulnerabilities to reach the consumer.

“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” the FCC and FTC jointly noted in a release. “To date, operating system providers, original equipment manufacturers and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices — and … older devices may never be patched.”

Organized Crime

Enterprises and their financial transactions continued to be the target of organized criminal entities during the first half of the year. The rise in whaling, or the individual targeting of key corporate individuals, continues to be successful. The frenetic pace of business allows for convenience to trump security.

Similarly, the phenomenon of CEO fraud, which manipulates the process and procedures of a given entity to irrevocably transfer financial assets, has tagged a number of entities. The FBI electronic crimes team issued a warning in April 2016 on the “dramatic” increase in business email scams. According to the release, $2.3 billion in losses have been experienced by more than 17,500 victims.

Financial Services Threats for the Second Half of 2016

The threats to financial services will not decrease in the second half of 2016. But will the organized criminal entity, nation-state or unscrupulous individual be successful at breaching or socially engineering their way to the fiscal assets of banks, companies or individuals? The entity not investing in employee and infrastructure awareness will be among the most vulnerable.

It can and will happen to you — regardless of your industry. The most you can do is understand what threats present the biggest risk to your organization and prepare for those security incidents as best you can.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

More from Banking & Finance

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today