As hackers become more organised, previously challenging targets seem like easy pickings. In the past, a thief would need to take on high-risk behaviour to gain access to the goods. Now, the big payoff may be only a few clicks away.
Banks and financial institutions have long been targets of criminal activities – the potential bounty is high, and as bad actors become more sophisticated in their attacks, potential for prosecution can seem low. As security technology has developed, so too have the tools and techniques of those trying to defeat traditional security measures. In the technology age, airtight steel vaults and sophisticated alarm systems are only half the battle against criminal behaviour. The new frontier of financial security is, of course, digital. As with the development of silent alarms and impenetrable safes, financial institutions are now obligated to develop digital security measures that can counteract the ever-advancing digital criminal who aims to acquire our most valuable financial data.
When financial data falls into the wrong hands, the results are devastating for consumers, financial institutions and enterprises alike. Recent news of DDoS attacks on banking infrastructure in the region has consumers understandably spooked. As security technology evolves, it seems that attackers have no trouble keeping up. Most have moved beyond the idea that our data might be stolen, and accepted this fate as a fact. With that in mind, it is imperative that IT professionals and consumers stay abreast of threats in the market, and what is being done to thwart digital bank robbers.
Unlike the traditional safe cracker, modern bank robbers – at least those who are tech savvy – are using techniques that rival even the toughest cutting-edge security measures, and with increasing frequency. Maged Eid, Regional Director, Nexthink, discusses recent attacks in the region, and explains how they have been used to profit from stolen financial data.
“Recent attacks include Gauss, Dyre and Carbanak,” says Eid. “The Gauss attack infects USB drives, collects user domain information and steals passwords, banking credentials and browser cookies. The Dyre banking Trojan is designed to steal banking credentials and enable cybercriminals to commit financial fraud, typically targeting customers of large financial institutions. Carbanak is a major advanced persistent threat targeted against financial institutions around the world. Unlike the traditional cybercriminal method of stealing consumer credentials or compromising individual online banking sessions with malware, Carbanak is targeting banks’ internal systems and operations.”
As Eid explains, it is not only the consumers who are negatively affected by these attackers, but financial institutions themselves. However, it is important to note that often it is the consumer who is the easiest target. The end-user interface is the weakest link in the IT infrastructure chain and, therefore, most often the doorway into the bank itself. This, of course, makes it difficult for banks to mitigate these attacks, as they cannot reasonably expect that each of their customers is a digital security expert.
It is important that banks and financial institutions not only react to and prevent attacks on financial data, but learn from these events when they happen. Perhaps the most challenging quality these attackers showcase is their ability to learn and react to continually developing security measures. Banks and financial institutions need to compete with and surpass attackers in their ability to learn and adapt in order to secure their information and that of their customers.
Hussam Sidani, Regional Manager, Gulf, Symantec, describes the ways in which the approach to securing information has changed in response to increasingly complex attacks. “As security vendors in the digital age, we have now adopted the idea that it is no longer a question of if companies will be attacked, but when. Our goal is to always stay up-to-date with emerging threats and protect our customer network, including those in the financial sector, from these threats and malware attacks.”
As Sidani suggests, the most effective method to secure data – financial or otherwise – is by analysing the most recent data created by current and recent threats. While the burden of security data analytics lies firmly on the shoulders of financial institutions and their security vendors, clients and consumers are not without responsibility for their own finances. Thwarting digital attacks, however, can seem like a daunting task for an individual. Still, there are certain behaviours that end-users can adopt to help protect their financial data.
Amit Mehta, Vice President, Information Security, SAMEA, MasterCard, suggests that prevention is the best way for consumers to keep their financial information protected. “Consumers should rely on their own judgment and practical observation when using their cards. It’s a good idea for cardholders to keep all ATM receipts and credit card transaction slips and check them against their monthly statement to guard against fraud. If possible, we also advise consumers to enrol for SMS alerts with their financial institution in order to receive alerts every time a transaction is made with their credit or debit card; this will alert the cardholder immediately in case of any fraudulent activity.”
Mehta also reminds consumers to keep their online financial transactions in mind when considering personal security. “Even though the risks of fraudulent websites and online scams are inherent, customers can assess the credibility of a website while shopping online through its appearance and simple comparisons to other trusted sites,” he says. “In the UAE, MasterCard cardholders can sign up for SecureCode which provides an additional layer of online shopping security. The authentication process is pushed to the consumers’ mobile phones, with services like one-time passwords being delivered via SMS or email to the cardholder during the transaction process.”
Cooperation and communication between banks and their customers can greatly increase the level of protection for consumer data. Security measures like one-time passwords and SMS transaction receipts can also go a long way in securing financial data, but most experts conclude that the responsibility for financial data protection is shared amongst the consumer, the bank and even, some say, the government.
Sidani asserts that, when it comes to the safety of customer information, banks are responsible for leading the battle against cybercriminals. To help lead this charge, he puts his stock in awareness. “Regular training sessions for all banking employees – in order to help individuals better recognise anonymous links which they might receive from unknown sources – and building a solid understanding of endpoint and network security are key.”
Sidani also suggests this type of awareness campaign should extend to customers. “As banks continue to offer new online services to customers,” he says, “including smartphone applications and online portals, tips and recommendations to remain safe, stronger firewalls and reminders to change passwords, must be circulated to its customer base.”
“Consumers and cardholders need to be responsible as well,” says Mehta. “They can proactively monitor their accounts and report any suspicious transactions to their card issuer, as well as flag if their card is lost or stolen.”
In regard to the government’s share of the financial security responsibility, Eid suggests a cooperative effort. “Governments should work with the central bank of each country to define and enforce the necessary IT security rules and regulations. The banks, then, have to comply with ever-evolving security policies and follow best practices to meet financial industry standards.”
The digital frontier can be a place of ingenuity and opportunity, but in equal measure one of risk, danger and attack. In order to secure financial information, it is clear that banks, governments and individual customers must work together to battle new attacks and achieve the best in protection.