Published on August 11th, 2015 | by admin
Cyber Security Risks Series: Finance
This week’s cyber security exploration will look at the main cyber security challenges of the financial sector. The financial sector is an obvious target of cybercrime; after all, it is literally where the buck stops.
The financial sector and cyber crime
The financial sector is the most highly targeted industry. According to PWC’s report on Threats to the Financial Services Sector, 45% of companies in this sector have experienced a cyber attack, compared to 34% in other industry areas. The same report details the types of crimes that the financial services sector experiences; unsurprisingly, asset misappropriation is the top crime, with cyber crime following closely behind it. Interestingly, the industry still has more issues with external threats than internal ones, which is contrary to research data showing insider crime as the most significant security issue in general.
One of the saving graces of the financial sector is that the industry has an ethos of sharing information about cyber threats with other industry members. This behavior is vital in managing the security of critical infrastructures like finance. PWC, in its 2014 report on the State of US Cyber Crime, identified collaboration around security threats as a very effective mechanism of control.
The financial sector experiences a number of cyber attack threats, from card-based crimes to theft of personally identifying information (PII) from customer accounts.
Examples of financial sector breaches
There has been a massive upsurge in attacks against financial institutions in the last two years. The FBI, in a recent interview with USA Today, reported that 500 million banking records have been stolen in the last 12 months. The interview went on to detail that 35% of those breaches were from website breaches, 22% from cyber espionage, 14% from point of sale and 9% from card swipes. Here are a few examples of recent financial sector breaches that made the headlines:
JP Morgan: A staggering 83 million customers were affected in this cyber attack. The attack is believed to be due to stolen employee login credentials and the lack of two-factor authentication measures, which are fairly simple occurrences in the grand scheme of things when compared to some attacks that utilize zero-day vulnerabilities and Advanced Persistent Threats (APTs).
Global Payments Inc.: Up to 7 million US customers’ card accounts were stolen in this possible APT-based breach, which cost Global almost $94 million to rectify.
Citibank: This breach ended up affecting over 360,000 customers with 218,000 new cards needing to be issued. It’s believed that the same cybercriminals who attacked JP Morgan were also responsible for the Citibank breach.
A hacking ring, known as the ‘Carbanak Cybergang’ was recently uncovered, which has reportedly stolen up to $1 billion from over 100 banks across 30 countries. The hacking ring is likely international and highly organized, targeting bank employees and using APT technology to syphon information over long periods. It is probable that the JP Morgan and Citibank attacks were carried out by this gang.
Threats of Distributed Denial of Service (DDoS) attacks are being used to extort money from larger banks. In addition to blackmail, DDoS attacks are also used against U.S. financial institutions as part of hacktivist activities. For example, in 2013, Wells Fargo experienced a series of DDoS attacks emanating from the Izz ad-Din al-Qassam Cyber Fighters activist group. According to analyst firm Gartner, there is an onslaught of these types of threats against banks. The firm advocates context-aware security, such as behavioral monitoring, to help recognize both insider and external attacks before they take hold, along with having technology in place to rapidly remediate those that get through.
New technologies, new crimes
The financial sector has always been an early adopter of technology. Online banking, for example, is now fairly entrenched, being used across the demographic divide – even seeing 47% of the over 65 age group using it. The financial sector is now moving quickly into other technology areas such as near field contactless payment systems and mobile app payments. Each leap into new technological areas brings with it new security challenges. These new technologies bring with them new vectors of attack.
The use of mobile payments is picking up speed. Mobile use for online purchases is already well established, with mobile shopping accounting for around 32% of online sales and, on Black Friday 2013, now known as ‘mobile Friday,’ 40% of sales. Mobile payments are the next natural step from this, now that we are all becoming used to using our phones to make purchases. There are a number of different methods for making payments via mobile, including:
Contactless payment cards: This system allows you, as the owner of the card, to make quick purchases. Contactless payment cards are very convenient. You make the purchase by passing your card (or phone) over the reader and your money is taken without signature or input of a PIN. The card manufacturers have based the cards on radio frequency technology and have secured memory and microprocessors underpinning them. They also work over much shorter distances than their cousin technology RFID. The banks have added another layer of security by controlling the amount available to use in any single transaction, usually under $30.
However, in the eternal arms race between the cybercriminal and technology, this new payment method is now a new attack vector. Recently a university study showed how these cards are vulnerable to skimming with easy-to-obtain RFID reader devices. In the experiment, the user’s card details could be skimmed and then used to make online purchases.
The latest in a long line of contactless payment schemes is the increasingly popular Apple Pay system. One of the better security aspects of Apple Pay is that you have to authenticate to the phone before using the contactless payment system, that is, use a fingerprint or PIN, whereas with the card-based systems, you only need the card to perform the transaction.
SMS payments: This system, used in a number of countries and proving to be popular, allows you to use a simple SMS to perform a financial transaction between yourself and a company or individual. This system has decent security; no account details are shared. It isn’t suitable for many types of transactions, but is used extensively by charities, for example.
Personal Data Stores: A new area that the financial technology sector, also known as Fintech, is starting to explore is the use of user-centric financial stores that allow an individual to manage and control all of their financial life within a Cloud or Mobile app based virtual data store. The user can set up permissions between themselves, banks, and commercial organizations, as well as individuals, which can then be used to manage and control financial transactions between the entities. This system is known as Personal Finance Management or PFM. PFM systems have to ensure both security and privacy and are designed with a security layer baked in. Access controls to authenticate the owner of the data store, however, are a problematic area, simply because consumer-based authentication is still difficult to resolve: the prime objective is ease of use and good security in a single login credential.
Organizing some financial security for the future
We are at a stage in the security industry where the simple fact is that cybercrime is proliferating and affecting financial institutions of all sizes, and ultimately, their customers. The types of theft include not just card-related theft, but also identity theft that can then be used for subsequent and continued attacks. The reason for this shift in the capacity of the cybercriminal is partly to do with state/commercial sponsorship helping to build gangs of cybercriminals and partly to do with the ease of access to hacking tools.
Traditional security tools like firewalls and anti-virus software cannot cope with the new levels and vectors of attack. A new security approach using monitoring, behavioral analysis and rapid remediation is the only way to combat the new breed of cybercriminal.
Perimeter defenses are insufficient when protecting vulnerable industries, such as finance. These industries require a holistic approach to cyber security that allows them to remediate rapidly post-attack.