The increasing threat of cyber attacks on financial service providers is driving a major focus on cybersecurity, particularly in banking. Cyber attacks are typically attempts by cybercriminals to access, alter, or damage the target’s computer system or network, which can result in downtime for sites and apps, and theft of funds and data.
The banking industry has always been vulnerable to attack, with the methods of those breaches evolving from the physical, such as bank robberies, to today’s digital campaigns that target customer data and funds, as well as banks’ core systems. These cyber attack operations are most commonly carried out through phishing, distributed denial-of-service (DDoS) attacks and malware.
Though all banks are targeted by cybercriminals, the larger incumbents are seen as more attractive as one attack can potentially lead to serious financial gain because of the type of information that can be obtained, such as credit card and bank account details.
These threats aren’t new, so why is cybersecurity a growing priority now?
This is something banks all over the world are familiar with. Last year, Capital One discovered that a flaw in its security allowed attackers to capture and leak the personal information of more than 100 million consumers. In 2016, an attack on Bangladesh Bank resulted in the loss of $81 million in just a few hours. The urgency in addressing cybersecurity is boosted by a rise in incidents. According to FCA reports, data breaches at financial services companies increased by over 1,000 percent between 2017 and 2018. Over a quarter of global malware attacks targeted financial services providers – the highest rate for any industry. Recently, Travelex garnered the wrong kind of headlines after a ransomware attack forced them to shut down their websites in 30 countries.
Cybercriminals target banks because their data is more valuable. Whereas information on a social media site may lack detail or accuracy, bank data will contain details such as addresses and dates of birth. This data has inherent value and can be used for other malicious activity such as ID fraud, which makes the consequences of attacks more devastating.
With more services being offered online and increasing the risk of data breaches, there is now greater emphasis on examining the importance of cybersecurity in the banking sector. The impact of these breaches cannot be overstated. One in three cyber attacks on financial services are successful and in the UK alone, a record £671 million was lost to card fraud.
“Costs” of cybercrime for banks also include regulatory fines, additional cybersecurity following the breach, negative media coverage and loss of business due to reputational damage. For example, a DDoS attack renders the system server useless, with downtime that can last for up to two days, meaning the banks suffer losses which can be as high as $300,000 an hour while customers have no access to their accounts and funds. As such, cybercrime is estimated to cost banks globally $1 trillion each year.
Meanwhile, the introduction of regulations such as GDPR, centred on protecting consumer data, and heavy punishments for firms that fall prey to cyber attacks are certainly contributing to institutions prioritising cybersecurity. Tesco Bank’s £16 million fine in October 2018 for failing to prevent a 2017 cyber attack serves as a warning to other banks should they fail to adequately protect their consumer information.
All this means that banks are now viewing cybersecurity as a top priority for 2020, as revealed by a survey conducted by Lloyds Banking Group. The fact that the potential damage from cyber attacks extends beyond stealing money from customer accounts and accessing customer data, and also costs firms their revenue, reputation and customer base, is making it imperative for banks to act.
Technology: A lifeline for all, including cybercriminals
Technology is driving the digital economy and allowing us to become more mobile, share data and stay connected. Banking is quickly becoming a multi-channel access game and, as excellent as these initiatives are, they also create new risks and new opportunities for hackers. As much as service providers have been working on mitigating risks, the attackers, aided by technology, are also tirelessly working on new ways to attack systems and networks or get around cyber defenses.
Cybercriminals are always on the lookout for ways to exploit vulnerabilities in banking systems. One newly emerging target is third-party providers that connect to banks using open banking APIs and might lack investment in security, meaning their infrastructure might not be as robust.
Targeting such institutions can potentially result in data breaches or fraudulent payments as seen when cybercriminals gained access to Westpac customers’ bank account details via an attack on PayID, a real-time payments platform. To protect their customers, banks have to ensure their partners’ systems are just as secure.
Criminals are also adopting new technologies that are making cyber attacks more sophisticated and difficult to defend against. For example, deepfakes, videos that use AI to superimpose one person's face or voice over another’s, were recently used to trick a manager into transferring £200,000 into the accounts of cybercriminals, thinking it was under the instruction of his CEO.
AI attacks could also allow cybercriminals to hack systems faster and disguise the attacks more convincingly, leaving banks unaware they’ve been compromised. The fact that we are in an era where cybercriminals can reach their targets in any part of the world at any time makes prioritising cybersecurity even more critical.
At the same time, the banking industry continues to rely upon outdated legacy infrastructure, which lacks the capabilities to keep up with evolving threats. For example, global jackpotting (malware) attacks on ATMs have been on the rise. Many of these machines run on Windows 7, which will no longer be supported by Microsoft as of January 2020. Banks that have not updated their systems will no longer receive security patches, leaving these machines vulnerable to attacks.
Taking inspiration from other non-financial services providers such as tech giants, banks are increasingly adopting cloud strategies, especially when it comes to data storage. This is also the result of the cloud being considered more secure than on-premises legacy systems, according to security experts. And to deal with evolving cloud storage threats, some organisations are already exploring incorporating security-as-a-service into their systems, which will also allow for flexibility and scalability.
How can banks address cyber attacks?
So far, cybersecurity strategies across industries have focused on reacting quickly after problems occur. But strategies need to be more anticipatory than reactive; after all, prevention is better than cure.
Banks need to increase prescriptive approaches to cybersecurity. Preventative measures already in use include firewalls, antivirus and anti-malware applications and vulnerability scanning. However, defenses can be boosted by implementing other intelligence-driven measures, such as the use of artificial intelligence (AI), already applied in strengthening authentication methods via biometric logins for multi-factor authentication (MFA). One example is the use of fingerprints to verify payments from digital wallets such as Apple Pay or Google Pay.
Another instance is the combination of AI and Machine Learning (ML) to detect and prevent potential phishing threats (which are one of the most common cyber attacks on banks) in real-time. These techniques can detect and track a significantly higher number of phishing sources (possibly thousands) and react much quicker than humans can. Neobanks such as Monzo have already incorporated similar measures into their systems for fraud prevention. In the future, we are more likely to see banks using AI-ML for vulnerability management. The technology proactively looks for potential vulnerabilities in organisational information systems and neutralises them before hackers can exploit them. The mindset here is simple: cyber attacks are not a matter of if but of when. These are just some of the ways technology is being explored to boost cybersecurity.
Organisations also need to be proactive in implementing and testing their cyber defenses, and learn from the strategies used by other service providers such as Apple, which invites researchers to try and bypass the security measures on some of its software.
Security is not just an IT issue
Education has always been and will remain critical in tackling cybersecurity issues. Historically, the issue of defending against attacks has been viewed as a job only for the IT departments, but firms need to adopt a holistic approach to security, and introduce basic hygiene measures for all those involved in banking processes including the consumers and employees.
From inadequate passwords to phishing emails, information systems are vulnerable to both human and technological flaws. Recently, there has been a rise in spear phishing attacks. These breaches are more targeted and personal, therefore making them harder to identify. They’re commonly used to get corporate employees to release sensitive company information to criminals. Seventy percent of UK firms reportedly had security incidents in 2018, with half of them caused by internal errors such as staff being caught out by a phishing attack.
We have seen measures such as MFA (with biometric authentication) being implemented as basic hygiene factors that customers have to adhere to, playing their part in protecting their data; these are especially valuable when discussing mobile app risks.
Further to this, authentication measures are being strengthened by PSD2’s SCA requirements coming into effect, adding to cyber defenses. In efforts to reduce fraud, consumers will be required to provide an additional form of identification when making online transactions over €30. This will be a combination of two out of three: something they know (e.g. PIN), something they possess (e.g. mobile phone) and something they are (e.g. fingerprint).
As the world becomes more digital, security measures need to be more complex and sophisticated than ever, while also being constantly updated. The technologies that protect against external threats can be used alongside other measures to address internal threats such as employee errors and outdated legacy systems. But most importantly, firms need to instill a culture in which keeping data secure is everyone’s job, including employees and customers.
Article partially published on 11fs.com
Credit: BofA, 11fs, WSJ
© De Angelis & Associates 2020. All Rights Reserved.