Light Dark
June 27, 2016 By Christopher Burgess 4 min read
Banking & Finance
Endpoint
Fraud Protection

Looking back on the first half of 2016, we’ve seen that financial services threats have not dissipated — and they are not anticipated to do so anytime soon. Unfortunately, prognosticating security threats is about as accurate as predicting the weather, except banks of supercomputers do the calculations for meteorologists, while the security analyst is often left with reams of data, instincts and experience. Still, experts try to forecast what’s on the horizon to be better prepared when the inevitable issue strikes.

Financial services threats are very real, though not limited strictly to the financial industry. Threat predictions at the beginning of the year touched on nation-states, organized crime, biometric security, credit card fraud, criminal exchanges and crime within the mobile environment.

Let’s review those threats and the 2016 predictions in a midyear review of these challenges.

Nation-States

As predicted, the influx of sophisticated tools combined with significant motivation led to a number of financial entities being successfully attacked, including the U.S. Federal Reserve Bank, the Bangladesh Central Bank and an unidentified commercial bank in Vietnam. We can expect the level of sophistication to increase since these attacks can be both a financial bonanza and a treasure trove of information.

In the case of Bangladesh Central Bank, more than $80 million was stolen when the bank’s interconnectivity to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) financial network was manipulated. The Vietnamese commercial bank’s losses have not be revealed.

SWIFT noted the compromise occurred somewhere in the manipulation of checks and balances used by the individual banks. “The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process,” the organization said in a press release. “In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognize the fraud.”

Additionally, the U.S. Federal Reserve Bank flagged more than 50 cybersecurity events from 2011 to 2015. The agency revealed to Reuters, in a highly redacted Freedom of Information Act (FOIA) request, that it is fending off constant probes and attacks.

Criminal Exchanges

As predicted, the Dark Web has continued to evolve. For example, there is now a monitoring service to advise those who wish to use dark marketplaces that provides updates on current statuses, security issues and more.

The Dark Net Market Comparison is the one-stop review for cybercriminals, drug traffickers or others selling illegal goods or services. Given the plethora of marketplaces and attack vectors, we can expect this trend to continue with more review options springing up.

Biometric Security

Voice, retina and fingerprint scanning are all types of biometric authentication capabilities available today, with the fingerprint reader already implemented in many devices. The Fast Identity Online (FIDO) Alliance is developing standards to bring a high level of security to these authentication protocols. Within its standards, it noted that “biometric information, if used, never leaves the user’s device.”

Theft of biometric data in bulk will only occur when it is stored in bulk. This was the case with the Office of Personnel Management (OPM) data breach, which resulted in 5 million-plus individuals with U.S. government security clearances having their fingerprints compromised.

As new biometric capabilities come to the market, we will be forced to ask where the data is stored. If the answer doesn’t satisfy your privacy or security needs, then it is not the capability you should employ.

Credit Card Fraud

The prediction of an increase in card-not-present (CNP) fraud as the implementation of chip-and-PIN cards rolled out across the U.S. appears to be spot-on. Indicators in the “Card Fraud Report 2015” predicted similar trends.

Those forecasts may have come true: Krebs on Security reported banks and retailers around the country — and the world — have fallen victim to skimmers installed on their point-of-sale devices to capture credit card data.

Mobile Threats

The first half of 2016 saw cybersecurity issues surrounding mobile devices, with Android devices receiving the bulk of the attention. Users need to be reminded of best practices: Download applications only from trusted vendors, realize that operating system updates may reset carefully configured privacy settings and ensure that the mobile device has equal or better security than a stationary one since it is more portable and thus easier to lose or steal.

The U.S. Federal Communications Commission (FCC), in partnership with the U.S. Federal Trade Commission (FTC), launched an inquiry into mobile device security, specifically, why it takes so long for security patch updates of identified vulnerabilities to reach the consumer.

“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” the FCC and FTC jointly noted in a release. “To date, operating system providers, original equipment manufacturers and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices — and … older devices may never be patched.”

Organized Crime

Enterprises and their financial transactions continued to be the target of organized criminal entities during the first half of the year. The rise in whaling, or the individual targeting of key corporate individuals, continues to be successful. The frenetic pace of business allows for convenience to trump security.

Similarly, the phenomenon of CEO fraud, which manipulates the process and procedures of a given entity to irrevocably transfer financial assets, has tagged a number of entities. The FBI electronic crimes team issued a warning in April 2016 on the “dramatic” increase in business email scams. According to the release, $2.3 billion in losses have been experienced by more than 17,500 victims.

Financial Services Threats for the Second Half of 2016

The threats to financial services will not decrease in the second half of 2016. But will the organized criminal entity, nation-state or unscrupulous individual be successful at breaching or socially engineering their way to the fiscal assets of banks, companies or individuals? The entity not investing in employee and infrastructure awareness will be among the most vulnerable.

It can and will happen to you — regardless of your industry. The most you can do is understand what threats present the biggest risk to your organization and prepare for those security incidents as best you can.

Read the white paper: Accelerating growth and digital adoption with seamless identity trust

 |  |  |  | 
Christopher Burgess
CEO at Prevendra

More from Banking & Finance
March 13, 2024

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

March 7, 2024

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

January 26, 2024

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature