{"id":1013,"date":"2020-01-22T12:19:11","date_gmt":"2020-01-22T11:19:11","guid":{"rendered":"http:\/\/hjinterim.org\/?p=1013"},"modified":"2020-01-22T12:19:11","modified_gmt":"2020-01-22T11:19:11","slug":"cybersecurity-threats-facing-financial-services","status":"publish","type":"post","link":"https:\/\/hjinterim.tech\/index.php\/2020\/01\/22\/cybersecurity-threats-facing-financial-services\/","title":{"rendered":"Cybersecurity Threats Facing Financial Services"},"content":{"rendered":"<p><strong>By Prof. Dr. Ir. Henk Jan Jansen<\/strong> <strong>22.01.2020<\/strong><\/p>\n<figure id=\"attachment_1014\" aria-describedby=\"caption-attachment-1014\" style=\"width: 985px\" class=\"wp-caption alignnone\"><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full wp-image-1014\" src=\"https:\/\/hjinterim.files.wordpress.com\/2020\/01\/picture1.png\" alt=\"Picture1\" width=\"995\" height=\"491\" \/><figcaption id=\"caption-attachment-1014\" class=\"wp-caption-text\">Financial institutions are an obvious target for cybercrime.<\/figcaption><\/figure>\n<p>Unless they double down on strong internal security against a broad range of threat vectors, they will continue to be targeted and victimized by fraud rings and nation states. Unfortunately, their IT security is perceived to be deficient \u2014 especially within smaller banks and credit unions.<\/p>\n<p>Making matters worse, cybercriminals are adopting new technologies, increasing their coordination and becoming more sophisticated. They\u2019re compromising employees\u2019 and customers\u2019 personally identifiable information (PII) for use in illicit schemes elsewhere. 
Thanks to large-scale data breaches, they\u2019re leveraging the dark web to take over legitimate accounts.<\/p>\n<p>In this post, we\u2019ll explore five emerging cybersecurity threats that financial institutions need to take seriously by building the requisite safeguards to protect their assets, customer data and reputation.<\/p>\n<h3><strong>1. Identity Theft<\/strong><\/h3>\n<p><strong>Scary Stat:\u00a0<\/strong>16.7 million U.S. consumers were the victims of identity fraud last year, a record high that followed a previous record the year before, according to the\u00a0<a href=\"https:\/\/www.javelinstrategy.com\/press-release\/identity-fraud-hits-all-time-high-167-million-us-victims-2017-according-new-javelin\">2018 Identity Fraud Study<\/a>\u00a0by Javelin Strategy &amp; Research. Last year the amount stolen hit $16.8 billion, and 30 percent of U.S. consumers were notified of a data breach, an increase of 12 percent from 2016.<\/p>\n<p><strong>Defined:\u00a0<\/strong>Identity theft is the crime of using someone\u2019s personal information, credit history or other identifying characteristics in order to make purchases or borrow money without that person\u2019s permission.<\/p>\n<p><strong>Impact:<\/strong>\u00a0When there\u2019s a large-scale data breach, much of the personal information hijacked in the breach is soon available on the dark web, where it can be bought and sold and combined with data from other breaches to perpetrate identity theft and account takeover on a grander scale. This means that every time a new customer creates an account online, the question is whether that customer is actually who they claim to be. A natural reaction is to build in more identity checks, but this leads to increased friction and abandonment by legitimate customers.<\/p>\n<h3><strong>2. 
Account Takeover<\/strong><\/h3>\n<p><strong>Scary Stat:<\/strong>\u00a0Account takeovers tripled from 2016 to 2017, and losses totaled $5.1 billion, according to the 2018 Identity Fraud Study by Javelin Strategy &amp; Research.<\/p>\n<p><strong>Defined:\u00a0<\/strong>Account takeover is the use of another person\u2019s account information (e.g., a credit card number) to obtain products and services through that person\u2019s existing accounts.<\/p>\n<p><strong>Impact:\u00a0<\/strong>To execute an\u00a0account takeover\u00a0(ATO)-based email attack, a cybercriminal first gains access to a trusted email account, then uses this account to launch subsequent email attacks for financial gain or to execute a data breach. ATO-based attacks are particularly dangerous and effective because they are sent from the email accounts of trusted senders, obtained through phishing. This has two important ramifications: first, the attack is very likely to succeed because there is a pre-existing trust relationship with the customer; second, these attacks often go undetected by traditional security controls because they originate from legitimate accounts.<\/p>\n<h3><strong>3. Synthetic Fraud<\/strong><\/h3>\n<p><strong>Scary Stat:<\/strong>\u00a0According to reports in The Wall Street Journal, a record\u00a0<a href=\"https:\/\/www.wsj.com\/articles\/the-new-id-theft-thousands-of-credit-applicants-who-dont-exist-1520350404\">$355 million<\/a>\u00a0in outstanding credit card debt is now owed by people who didn\u2019t even exist as recently as 2017. 
By year\u2019s end, losses from synthetic identity fraud alone could top\u00a0<a href=\"http:\/\/thehill.com\/opinion\/cybersecurity\/373692-why-children-are-now-prime-targets-for-identity-theft\">$8 billion<\/a>, and the real damage caused by fictitious people is casting doubt on the entire consumer-credit ecosystem.<\/p>\n<p><strong>Defined:\u00a0<\/strong>Synthetic identity theft occurs when criminals create a fictitious identity using various pieces of real and fabricated information \u2014 such as a Social Security number, date of birth, address, phone number and email. The immediate victim is the bank or lender, but in the long term the person whose Social Security number was used (a child or an adult) will have to deal with the impact of any accounts or debts fraudulently attached to them.<\/p>\n<p>\u201cAll of it is real data and all of it will potentially check out when scanned against systems, but the real person won\u2019t really know it\u2019s happening because they\u2019re only a third of the identity that\u2019s created,\u201d said Ryan Rasske, CERP, CAFP, American Bankers Association\u2019s SVP responsible for serving bankers in the risk and compliance area.<\/p>\n<p><strong>Impact:<\/strong>\u00a0By all appearances, these fictitious people can seem like ideal customers, with multiple \u201cproof of life\u201d indicators, including their own social media profiles. And when they take out credit, they tend to pay bills promptly and nurture accounts for months or even years \u2014 only to max them out and never repay them. It\u2019s important to note that monetary losses are just part of the whole story \u2014 financial institutions also need to dedicate time, energy and resources to chase down these non-existent identities.<\/p>\n<p>What\u2019s particularly worrisome about this new method of compromising the systems used to validate identities at account opening is that it\u2019s working. 
In the short term, the lack of technology to connect an ever-growing set of data points can make a fraudster\u2019s job easier, but in the future AI-powered tech will likely be part of the solution.<\/p>\n<h3><strong>4. Ransomware<\/strong><\/h3>\n<p><strong>Scary Stat:\u00a0<\/strong>In 2017, financial services was the second most targeted industry for ransomware, after healthcare. Ransomware attacks actually fell nearly 30 percent over the past 12 months (source: Kaspersky\u2019s \u201c<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/58\/2018\/06\/27125925\/KSN-report_Ransomware-and-malicious-cryptominers_2016-2018_ENG.pdf\">KSN Report: Ransomware and malicious cryptominers 2016-2018<\/a>\u201d), but financial services companies are still the second most frequently victimized industry.<\/p>\n<p><strong>Defined:\u00a0<\/strong>Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. It is almost always triggered by an employee clicking a link in a phishing email that they shouldn\u2019t; clicking the link launches the malware.<\/p>\n<p><strong>Impact:<\/strong>\u00a0It is non-negotiable for financial services companies to maintain the privacy of their customers and the security of their confidential data. If a bank or credit union is hit with a ransomware attack, significant backlash is undoubtedly going to ensue \u2014 especially if customer data is held ransom for a significant amount of time.<\/p>\n<h3><strong>5. Social Engineering<\/strong><\/h3>\n<p><strong>Scary Stat:<\/strong>\u00a0Today, only about 3 percent of malware tries to exploit an exclusively technical flaw. The other 97 percent instead target users through social engineering, according to KnowBe4. 
Nearly 60 percent of security leaders say their organizations may have fallen victim to social engineering within just the past 12 months.<\/p>\n<p><strong>Defined:\u00a0<\/strong>Social engineering is a method of deceiving people into giving up their information, or of exploiting their weakness or laziness to obtain that information. It is believed to be the most frequently used method of getting into a corporation\u2019s network these days.<\/p>\n<p><strong>Impact:<\/strong>\u00a0Social engineering attacks are designed to trick your employees into granting access to systems or divulging information that helps attackers gain that access through low-tech, or often no-tech, means. Social engineering attacks can come in many forms \u2014 by phone, email, snail mail, in person or through social media. So, it\u2019s important that you train your employees to be wary.<\/p>\n<h3><strong>Protecting your Financial Castle<\/strong><\/h3>\n<p>\u201cThe digital world has transformed almost every aspect of our lives, including risk and crime, so that crime is more efficient, less risky, more profitable and has never been easier to execute,\u201d said Steve Grobman, Chief Technology Officer for McAfee. \u201cThat\u2019s why financial institutions of all stripes \u2014 banks, credit unions, brokerages, and payments companies \u2014 need to take a layered approach to cybersecurity and fraud prevention.\u201d<\/p>\n<p>In the chart below, we\u2019ve outlined each of the five cyber threats and the defense strategies that can be used to mitigate them. For example, the best tactics to protect your business against identity theft (specifically, to ensure that the user is who they claim to be and not a scammer who has stolen someone else\u2019s identity) are a combination of ID verification, biometrics and liveness detection, anomaly detection and employee training. 
Each of these defense strategies will be discussed in turn.<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-1015\" src=\"https:\/\/hjinterim.files.wordpress.com\/2020\/01\/treat.png\" alt=\"Treat\" width=\"995\" height=\"377\" \/><\/p>\n<p><strong>ID Verification<\/strong>: Require the user to provide a government-issued ID document (e.g., a driver\u2019s license or passport) as part of the onboarding (account setup) process.<\/p>\n<p><strong>Biometrics &amp; Liveness:\u00a0<\/strong>Behavioral biometric technology is rising in popularity thanks to new European banking rules, the rise of machine learning and artificial intelligence, and the never-ending drive to replace passwords.<\/p>\n<p>Since ID documents can be stolen and forged, adding some form of biometrics and\u00a0<a href=\"https:\/\/www.jumio.com\/liveness-detection-anti-spoofing-ai\/\">liveness detection<\/a>\u00a0helps confirm that the user initiating transactions is the owner of the identity document. More importantly, requiring the user to take a\u00a0<a href=\"https:\/\/www.jumio.com\/trusted-identity\/netverify\/identity-verification\/\">selfie<\/a>\u00a0and perform a liveness check is a strong deterrent to would-be fraudsters since it means sharing their own likeness with the company they\u2019re looking to defraud.<\/p>\n<p><strong>Anomaly Detection:<\/strong>\u00a0There are a number of variants of these types of automated software solutions that detect anomalies in customer behavior. Behavioral biometrics is an innovative approach to user authentication that is based on the creation of a unique profile for every customer. Today, using leading-edge big data and machine learning technologies, behavioral biometrics leverages a rich mix of personal and device characteristics to distinguish between legitimate customers and fraudsters. Typically, this includes automatic recognition of patterns (e.g., how keystrokes are made on a phone or tablet) and how a mouse is used. 
These human traits are reinforced with device-based indicators such as IP addresses and geo-location. Banks can analyze anomalous behavior (deviations from this behavioral biometric footprint) to spot suspicious activity and trigger real-time authentication to help stop fraudulent money movements.<\/p>\n<p><strong>Simulated Attacks:<\/strong>\u00a0With over 90 percent of network breaches starting with a phishing email, businesses need to deploy a managed service for simulated email campaigns that help condition employees to be resilient to phishing attacks. A number of services exist to provide such training, including periodically sending fake phishing emails to staff members and alerting them if they respond unsafely.<\/p>\n<p><strong>Backup &amp; DRaaS:\u00a0<\/strong>Ransomware is a prime example of \u201cbetter safe than sorry.\u201d Simplistic, non-encrypting ransomware can usually be cleaned up by restoring from a clean (uncorrupted) backup. Better still, companies can deploy a disaster recovery as a service (DRaaS) solution that provides full business continuity by restoring running systems (e.g., Exchange) in minutes.<\/p>\n<p><strong>Employee Training<\/strong>: Humans remain the weak link in corporate data protection. Every threat outlined in this post needs to be addressed as part of regular employee awareness training. Train your entire staff on email security, social engineering,\u00a0<a href=\"https:\/\/www.jumio.com\/trusted-identity\/netverify\/\">identity verification<\/a>, anomaly detection and emerging cybersecurity trends, and audit their understanding with regular tests and simulated attacks.<\/p>\n<p>It\u2019s clear that there is no one-size-fits-all approach to cybersecurity readiness. 
It invariably requires an enterprise-wide approach tailored to the culture of your financial services organization, accounting for regulatory requirements.<\/p>\n<p>Foundationally, financial services organizations need to rethink how they capture and establish the digital identities of new customers, how they verify high-risk transactions, and how they leverage innovative solutions to ensure that their customers are who they claim to be. I know it\u2019s become a bit of a clich\u00e9, but cybersecurity is part of everyone\u2019s job description.<\/p>\n<blockquote>\n<h2><strong>By recognizing the fact that cyber criminals will find a way to exploit vulnerabilities,\u00a0financial companies can improve the way they deliver their services, manage security risks, and train their employees.<\/strong><\/h2>\n<\/blockquote>\n<p>For over half a decade,\u00a0cyber security issues have been\u00a0a bane for many\u00a0industries. But\u00a0firms operating in the financial\u00a0sector have been the worst affected due to their inability to keep up with the security requirements of the modern world. Most cyber criminals attack firms operating in the financial sector because that\u2019s where all the money is. However, with banks and other firms quickly learning how to strike a balance between being open and being secure, instances of digital break-ins have fallen significantly.\u00a0That being said, here are some of the\u00a0potential\u00a0cyber security threats that players in the financial sector\u00a0should watch out for:<\/p>\n<p><strong>Third-party cyber security risk<\/strong><\/p>\n<p>Financial sector\u00a0companies can experience cyber threats from the third parties and vendors that they work with. Players in the industry must ensure that they have a system to monitor their vendors and other third-party providers continuously. 
Having a continuous monitoring tool will give companies in the financial sector some relief from cyber threats.<\/p>\n<p><strong>Fourth-party cyber security risk<\/strong><\/p>\n<p>Companies in the financial\u00a0sector do not generally keep a close watch on their fourth parties (the vendors of their vendors). When a fourth party is hit by a ransomware attack, there is a high chance that the third party, which holds the company\u2019s vital information, will also be affected. Therefore, it is essential to keep a close watch on fourth-party activities as well.<\/p>\n<p><strong>Global business operation risk<\/strong><\/p>\n<p>For financial sector companies that operate across borders or at an international level, the cybersecurity threat is greater. So, companies operating at a global scale must be aware of the cyber\u00a0threats prevalent in\u00a0the regions that they operate in.<\/p>\n<p><strong>DDoS attacks<\/strong><\/p>\n<p>Distributed Denial of Service, or DDoS, is the latest buzzword in the financial sector. This form of cyber-attack causes a temporary outage of services, affecting the company\u2019s operations. Well-known examples of companies affected by these attacks include Amazon and PayPal.<\/p>\n<blockquote>\n<h1><strong>To know more about the financial services industry<\/strong><\/h1>\n<\/blockquote>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-1016\" src=\"https:\/\/hjinterim.files.wordpress.com\/2020\/01\/banking_financial.jpg\" alt=\"banking_financial\" width=\"1100\" height=\"700\" \/><\/p>\n<p><em>The financial services industry is an important part of the global economy as it facilitates funds transfer and drives global trade. The companies in the financial services industry offer finance and banking services to different customer segments, ranging from individuals and small and medium enterprises to multi-national organizations. 
The financial services providers are involved in a range of activities such as insurance, investment and portfolio management, banking services, and securities and commodity trading, among others. The digitalization wave has transformed the financial services industry and eliminated processes that necessitate paper money and human interactions. However, the companies in the financial services industry face several challenges that have to be\u00a0addressed so as to drive profitability.<\/em><\/p>\n<h4><strong>Challenge 1: Enhancing Customer Service and Meeting Demands<\/strong><\/h4>\n<p>The organizations in the financial services industry are struggling to meet customer demands and are under extreme pressure to comply with government authorities. Today, every company, irrespective of the industry it operates in, must enhance the customer experience by improving its services. However, the financial sector falters in offering flawless, innovative services that meet the customers\u2019 needs and preferences.<\/p>\n<h4><strong>Challenge 2: Stringent Regulatory Compliance<\/strong><\/h4>\n<p>Another major challenge for the companies in the financial sector is increasingly stringent regulatory compliance. The nature of the business in the financial services industry is highly sensitive, which requires them to ensure high-level data security. Why do financial companies need to comply with the regulatory authorities? Because they deal with sensitive customer information that cannot be compromised, and the cost of a breach of customer data and of non-compliance can negatively impact the bottom line of the companies in the financial services industry.<\/p>\n<h4><strong>Challenge 3: The Digitalization Hurdle<\/strong><\/h4>\n<p>As a matter of fact, the financial\u00a0sector is trying its best to adapt its processes and operations to technological advancement but somehow can\u2019t get a grip on it. 
With the sudden increase in competition in the financial sector and increasing consumer demands, the companies in the financial services industry have to innovate, improve their go-to-market strategy, and develop brand and product differentiation strategies.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Prof. Dr. Ir. Henk Jan Jansen 22.01.2020 Unless they double down on strong internal security against a broad range of threat vectors, they will continue to be targeted and victimized by fraud rings and nation states. Unfortunately, their IT security is perceived to be deficient \u2014 especially within smaller banks and credit unions. Making &#8230; <a title=\"Cybersecurity Threats Facing Financial Services\" class=\"read-more\" href=\"https:\/\/hjinterim.tech\/index.php\/2020\/01\/22\/cybersecurity-threats-facing-financial-services\/\">Read more<span class=\"screen-reader-text\">Cybersecurity Threats Facing Financial 
Services<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1016,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"quote","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[19,20,25,26],"tags":[],"class_list":["post-1013","post","type-post","status-publish","format-quote","has-post-thumbnail","hentry","category-financial-industry","category-gdpr","category-security","category-security-treats","post_format-post-format-quote"],"_links":{"self":[{"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/posts\/1013","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/comments?post=1013"}],"version-history":[{"count":0,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/posts\/1013\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/media?parent=1013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/categories?post=1013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hjinterim.tech\/index.php\/wp-json\/wp\/v2\/tags?post=1013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}