Cybersecurity Threats Facing Financial Services

By Prof. Dr. Ir. Henk Jan Jansen 22.01.2020

Financial institutions are an obvious target for cybercrime.

Unless they double down on strong internal security against a broad range of threat vectors, they will continue to be targeted and victimized by fraud rings and nation states. Unfortunately, their IT security is perceived to be deficient — especially within smaller banks and credit unions.

Making matters worse, cybercriminals are adopting new technologies, increasing their coordination and becoming more sophisticated. They’re compromising employees’ and customers’ personally identifiable information (PII) for use in illicit schemes elsewhere. Thanks to large-scale data breaches, they’re leveraging the dark web to take over legitimate accounts.

In this post, we’ll explore five emerging cybersecurity threats that financial institutions need to take seriously by building the requisite safeguards to protect their assets, customer data and reputation.

1. Identity Theft

Scary Stat: 16.7 million U.S. consumers were the victims of identity fraud last year, a record high that followed a previous record the year before, according to the 2018 Identity Fraud Study by Javelin Strategy & Research. Last year the amount stolen hit $16.8 billion and 30 percent of U.S. consumers were notified of a data breach, an increase of 12 percent from 2016.

Defined: Identity theft is the crime of using someone’s personal information, credit history or other identifying characteristics in order to make purchases or borrow money without that person’s permission.

Impact: When there’s a large-scale data breach, much of the personal information hijacked in the breach is soon available on the dark web, where it can be bought and sold and appended to data acquired from other breaches to perpetrate identity theft and account takeover on a grander scale. This means that every time a new customer creates an account online, the question is whether that customer is actually who they claim to be. A natural reaction is to build in more identity checks, but this leads to increased friction and abandonment by legitimate customers.

2. Account Takeover

Scary Stat: Account takeovers tripled in 2017 from 2016, and losses totaled $5.1 billion, according to the 2018 Identity Fraud Study by Javelin Strategy & Research.

Defined: Using another person’s account information (e.g., a credit card number) to obtain products and services using that person’s existing accounts.

Impact: To execute an account takeover (ATO)-based email attack, a cybercriminal first gains access to a trusted email account, then uses this account to launch subsequent email attacks for financial gain or to execute a data breach. ATO-based attacks are particularly dangerous and effective because they originate from the email accounts of trusted senders, which were compromised via phishing. This has two important ramifications: First, the attack is very likely to succeed because there is a pre-existing trust relationship with the customer. Second, these attacks often go undetected by traditional security controls because they originate from legitimate accounts.

3. Synthetic Fraud

Scary Stat: According to reports in The Wall Street Journal, a record $355 million in outstanding credit card debt is now owned by people who didn’t even exist as recently as 2017. By year’s end, losses from synthetic identity fraud alone could top $8 billion, and the real damage caused by fictitious people is casting doubt on the entire consumer-credit ecosystem.


Defined: Synthetic identity theft occurs when criminals create a fictitious identity using various pieces of real and fabricated information — such as a Social Security number, date of birth, address, phone number and email. The immediate victim is the bank or lender, but long-term, whoever’s Social Security number is used (this can be a child or adult), will have to deal with the impact of any accounts or debts attached to them fraudulently.

“All of it is real data and all of it will potentially check out when scanned against systems, but the real person won’t really know it’s happening because they’re only a third of the identity that’s created,” said Ryan Rasske, CERP, CAFP, American Bankers Association’s SVP responsible for serving bankers in the risk and compliance area.

Impact: By all appearances, these fictitious people can seem like ideal customers, with multiple “proof of life” indicators, including their own social media profiles. And when they take out credit, they tend to pay bills promptly and nurture accounts for months or even years — only to max them out and never repay them. It’s important to note that monetary losses are just part of the whole story — financial institutions also need to dedicate time, energy and resources to chase down these non-existent identities.

What’s particularly worrisome about this new method of compromising the systems used to validate identities at account opening is that it’s working. In the short term, the lack of technology to connect an ever-growing set of data points can make a fraudster’s job easier, but in the future AI-powered tech will likely be part of the solution.

4. Ransomware

Scary Stat: In 2017, financial services were the second most targeted industry for ransomware, after healthcare. Ransomware attacks actually fell nearly 30 percent over the past 12 months (source: Kaspersky’s “KSN Report: Ransomware and malicious cryptominers 2016-2018”), but financial services companies are still the second most popular industry victimized by ransomware.

Defined: A type of malicious software designed to block access to a computer system until a sum of money is paid. Ransomware is almost always triggered by an employee clicking a link in a phishing email that they shouldn’t; clicking the link launches the malware.

Impact: It is non-negotiable for financial services companies to maintain the privacy of their customers and the security of their confidential data. If a bank or credit union is hit with a ransomware attack, significant backlash is undoubtedly going to ensue — especially if customer data is held ransom for a significant amount of time.

5. Social Engineering

Scary Stat: Today, only about 3 percent of malware tries to exploit an exclusively technical flaw. The other 97 percent instead target users through social engineering, according to KnowBe4. Nearly 60 percent of security leaders say their organizations may have fallen victim to social engineering within just the past 12 months.

Defined: Social engineering is a method of deceiving people into giving you their information, or exploiting their weaknesses or laziness to find that information. It is believed to be the most frequently used method of getting into a corporation’s network these days.

Impact: Social engineering attacks are designed to trick your employees into granting access to systems, or into divulging information that helps attackers gain that access, through low-tech or often no-tech means. Social engineering attacks can come in many forms — by phone, email, snail mail, in person or through social media. So, it’s important that you train your employees to be wary.

Protecting your Financial Castle

“The digital world has transformed almost every aspect of our lives, including risk and crime, so that crime is more efficient, less risky, more profitable and has never been easier to execute,” said Steve Grobman, Chief Technology Officer for McAfee. “That’s why financial institutions of all stripes — banks, credit unions, brokerages, and payments companies — need to take a layered approach to cybersecurity and fraud prevention.”

In the chart below, we’ve outlined each of the five cyber threats and the defense strategies that can be used to mitigate them. For example, some of the best tactics to protect your business against identity theft (specifically, how businesses can ensure that the user is who they claim to be and not a scammer who has stolen someone else’s identity) are a combination of ID verification, biometrics and liveness detection, anomaly detection and employee training. Each of these defense strategies will be discussed in turn.

(Chart: threats and their defense strategies)

ID Verification: Require the user to provide a government-issued ID document (e.g., a driver’s license or passport) as part of the onboarding (account setup) process.

Biometrics & Liveness: Behavioral biometric technology is rising in popularity thanks to new European banking rules, the rise of machine learning and artificial intelligence, and the never-ending drive to replace passwords.

Since ID documents can be stolen and forged, adding some form of biometrics and liveness detection helps confirm that the user initiating transactions is the owner of the identity document. More importantly, requiring the user to take a selfie and perform a liveness check is a strong deterrent to would-be fraudsters since it means sharing their own likeness with the company they’re looking to defraud.

Anomaly Detection: A number of automated software solutions exist that detect anomalies in customer behavior. Behavioral biometrics is an innovative approach to user authentication that is based on the creation of a unique profile for every customer. Today, using leading-edge big data and machine learning technologies, behavioral biometrics leverages a rich mix of personal and device characteristics to distinguish between legitimate customers and fraudsters. Typically, this includes automatic recognition of patterns (e.g., how keystrokes are made on a phone or tablet) and how a mouse is used. These human traits are reinforced with device-based indicators such as IP addresses and geo-location. Banks can analyze anomalous behavior (based on a biometric-based footprint) to spot suspicious activity and trigger real-time authentication to help stop fraudulent money movements.
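As an added illustration of the behavioral profiling described above (example code, not from the original post or any vendor product), the following Python sketch builds a per-customer baseline from constructed session records and scores a new session, triggering step-up authentication when typing rhythm, mouse speed or device/location indicators deviate from the baseline. All field names, z-score thresholds and weights are assumptions chosen for illustration.

```python
import statistics

# Constructed sample data: one customer's historical sessions.
# key_ms = milliseconds between consecutive keystrokes; mouse_px_s = mouse speed.
HISTORY = [
    {"key_ms": [118, 131, 125, 140, 122], "mouse_px_s": 380, "ip_prefix": "203.0.113", "country": "NL"},
    {"key_ms": [121, 128, 133, 119, 127], "mouse_px_s": 410, "ip_prefix": "203.0.113", "country": "NL"},
    {"key_ms": [115, 137, 124, 130, 126], "mouse_px_s": 395, "ip_prefix": "203.0.113", "country": "NL"},
    {"key_ms": [129, 122, 135, 124, 131], "mouse_px_s": 372, "ip_prefix": "198.51.100", "country": "NL"},
]
# Constructed test sessions: one consistent with the baseline, one that is not.
NORMAL_SESSION = {"key_ms": [124, 130, 127, 121, 133], "mouse_px_s": 400, "ip_prefix": "203.0.113", "country": "NL"}
ANOMALOUS_SESSION = {"key_ms": [62, 58, 65, 60, 61], "mouse_px_s": 900, "ip_prefix": "192.0.2", "country": "BR"}

def build_profile(history):
    """Per-customer baseline: mean/stdev of typing rhythm and mouse speed,
    plus the network prefixes and countries seen in past sessions."""
    key_means = [statistics.mean(s["key_ms"]) for s in history]
    mouse = [s["mouse_px_s"] for s in history]
    return {
        "key_mean": statistics.mean(key_means),
        "key_sd": max(statistics.pstdev(key_means), 1.0),  # floor avoids division by zero
        "mouse_mean": statistics.mean(mouse),
        "mouse_sd": max(statistics.pstdev(mouse), 1.0),
        "ip_prefixes": {s["ip_prefix"] for s in history},
        "countries": {s["country"] for s in history},
    }

def score_session(profile, session):
    """Return (risk_score, reasons). Behavioral z-scores above 3 and
    previously unseen device/location indicators each add to the score."""
    score, reasons = 0.0, []
    z_key = abs(statistics.mean(session["key_ms"]) - profile["key_mean"]) / profile["key_sd"]
    z_mouse = abs(session["mouse_px_s"] - profile["mouse_mean"]) / profile["mouse_sd"]
    for name, z in (("keystroke rhythm", z_key), ("mouse speed", z_mouse)):
        if z > 3:
            score += min(z, 10) / 10  # cap so one signal cannot dominate alone
            reasons.append(f"{name} z={z:.1f}")
    if session["ip_prefix"] not in profile["ip_prefixes"]:
        score += 0.5
        reasons.append("new network prefix")
    if session["country"] not in profile["countries"]:
        score += 1.0
        reasons.append("new country")
    return round(score, 2), reasons

def requires_step_up(profile, session, threshold=1.0):
    """True when the session should trigger real-time re-authentication."""
    return score_session(profile, session)[0] >= threshold
```

In a real deployment the baseline would be recomputed as legitimate sessions accumulate, and the step-up decision would feed the transaction-authorization flow rather than a boolean.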

Simulated Attacks: With over 90 percent of network breaches starting with a phishing email, businesses need to deploy a managed service for simulated email campaigns that help condition employees to be resilient to phishing attacks. A number of services exist to provide such training, including periodically sending fake phishing emails to staff members and alerting them if they respond unsafely.

Backup & DRaaS: Ransomware is a prime example of “better safe than sorry.” Simplistic, non-encrypting ransomware can usually be cleansed by restoring from a clean (uncorrupted) backup. Better still, companies can deploy a disaster recovery as a service (DRaaS) solution that provides full business continuity by restoring running systems (e.g., Exchange) in minutes.

Employee Training: Humans remain the weak link in corporate data protection. Every threat outlined in this post needs to be addressed as part of regular employee awareness training. Train your entire staff on email security, social engineering, identity verification, anomaly detection and emerging cybersecurity trends and audit their understanding with regular tests and simulated attacks.

It’s clear that there is no one-size-fits-all approach to cybersecurity readiness. It invariably requires an enterprise-wide approach tailored to the culture of your financial services organization, accounting for regulatory requirements.

Foundationally, financial services organizations need to rethink how they capture and establish the digital identities of new customers and verify high-risk transactions, and leverage innovative solutions to ensure that their customers are who they claim to be. I know it’s become a bit of a cliché, but cybersecurity is part of everyone’s job description.


By recognizing the fact that cyber criminals will find a way to exploit vulnerabilities, financial companies can improve the way they deliver their services, manage security risks, and train their employees.

For over half a decade, cyber security issues have been a bane for many industries. But firms operating in the financial sector have been the worst affected due to their inability to keep up with the security requirements of the modern world. Most cyber criminals attack firms operating in the financial sector because that’s where all the money is. However, with banks and other firms quickly learning how to strike a balance between being open and being secure, instances of digital break-ins have reduced significantly. That being said, here are some of the potential cyber security threats that the players in the financial sector should watch out for:

Third party cyber security risk

Financial sector companies can experience cyber threats from the third parties and vendors that they work with. Players in the industry must ensure that they have a system to monitor their vendors and other third-party providers continuously. Having a continuous monitoring tool will give companies in the financial sector some relief from cyber threats.

Fourth party cyber security risk

Companies in the financial sector do not generally keep a close watch on their fourth parties. When a fourth party is affected by a ransomware attack, there is a high chance that the third party, which holds the company’s vital information, is also affected. Therefore, it is essential to keep a close watch on fourth-party activities as well, from time to time.

Global business operation risk

For financial sector companies that operate across borders or at an international level, the cybersecurity threat is greater. So, companies operating at a global scale must be aware of the cyber threats prevalent in the regions that they operate in.

DDoS attacks

Distributed Denial of Service, or DDoS, is the latest buzzword in the financial sector. This form of cyber-attack causes a temporary outage of services, affecting the company’s operations. Some well-known examples of companies affected by these attacks are Amazon and PayPal.


To know more about the financial services industry


The financial services industry is an important part of the global economy, as it facilitates funds transfer and drives global trade. The companies in the financial services industry offer finance and banking services to different customer segments, from individuals and small and medium enterprises to multinational organizations. Financial services providers are involved in a range of activities such as insurance, investment and portfolio management, banking services, and securities and commodity trading, among others. The digitalization wave has transformed the financial services industry and eliminated processes that necessitate paper money and human interaction. However, the companies in the financial services industry face several challenges that have to be addressed so as to drive profitability.

Challenge 1: Enhancing Customer Service and Demands

The organizations in the financial services industry are struggling to meet customer demands and are under heavy pressure to comply with government authorities. Today, every company, irrespective of the industry it operates in, must enhance the customer experience by improving its services. However, the financial sector falters in offering flawless, innovative services that meet customers’ needs and preferences.

Challenge 2: Stringent Regulatory Compliance

Another major challenge for the companies in the financial sector is increasingly stringent regulatory compliance. The nature of the business in the financial services industry is highly sensitive, which requires them to ensure high-level data security. Why do financial companies need to comply with the regulatory authorities? Because they deal with sensitive customer information that cannot be compromised, and the cost of a breach and of non-compliance can negatively impact the bottom line of companies in the financial services industry.

Challenge 3: The Digitalization Hurdle

As a matter of fact, the financial sector is trying its best to adapt its processes and operations to technological advances but has yet to get a firm grip on them. With the sudden increase in competition in the financial sector and increasing consumer demands, the companies in the financial services industry have to innovate, improve their go-to-market strategy, and develop brand and product differentiation strategies.
