In the second article in our series on cybercrime and industry we will look at how the financial services industry is being impacted by the rise of cybercrime. The financial services sector has always been a traditional target for cybercrime. However, as we saw in the previous article, healthcare has taken over the title from financial services as the number one most targeted industry sector. But does this mean the beady eyes of the cybercriminal are no longer focused on financial services? This article will explore the current climate for hacking our financial sector.
Cybercrime and Financial Services
The financial sector is like the perfect package for a hacker. Banks and other financial institutions hold everything a cybercriminal wants, all wrapped up in one place: from your financial details and bank account to identity data. If you look at some of the breaches in the financial services sector in 2014 and 2015 alone, you can see that they are among the largest in history. For example, in 2014 JP Morgan Chase had 83 million bank accounts exposed in a phishing (including text-message phishing, or SMiShing) scam.
Attacks on the sector are perpetrated using several methods. Phishing is still a major issue for the financial sector, as it has been for many years. The Carbanak bank heist, which purportedly has cost around $1 billion so far, began with a phishing email. The email carried a piece of malware that, once installed, stole login credentials. The fact that access to bank accounts can potentially be compromised from an email shows how integrated banking is in all of our lives. A newer variant targets personal accounts that use mobile banking. For instance, an Android-based malware family spots which bank a user is navigating to from their smartphone and overlays a spoof page that looks identical to the mobile banking page. It then steals the credentials entered on that page, which the hacker can use to access the real mobile banking account.
But phishing isn’t just hitting individuals. Companies are being targeted by a variant known as Business Email Compromise, or BEC. This technique uses the natural hierarchy of an organization to scam employees. Typically, a company accountant, or someone in a similar role, will receive an email from someone high up in the organization, such as the CFO or CEO. The email will look exactly as if it came from that person, because the phisher will have done a lot of research into their target. The email will ask the recipient to make an urgent transfer of money to a supplier who has had to change their bank account for some reason. This scam has already cost around $2.3 billion, according to the FBI.
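The BEC pattern described above (an executive's name on an external address, urgency, a payment request and a "changed bank account") is well suited to a simple scoring heuristic on inbound mail. The following is an added example, not code from the original article; the organisation domain, executive roster and sample messages are constructed, and the point values and threshold are assumptions a mail team would tune against their own traffic.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed organisation data for this example; a real deployment would pull
# the roster from the directory / HR system rather than hard-code it.
ORG_DOMAIN = "example-bank.test"
EXECUTIVES = {
    "jane doe": "jane.doe@example-bank.test",
    "john smith": "john.smith@example-bank.test",
}

# Content indicators typical of BEC lures.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|today|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|remit(tance)?)\b", re.I)
ACCOUNT_CHANGE = re.compile(
    r"\b(new|changed|updated)\b.{0,40}?\b(bank|account|iban|routing)\b", re.I | re.S)


@dataclass
class BecVerdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def _domain(addr):
    return addr.rsplit("@", 1)[-1]


def score_message(msg):
    """Score one message given as a dict with from / reply_to / subject / body keys."""
    v = BecVerdict()
    display, addr = parseaddr(msg.get("from", ""))
    display, addr = display.strip().lower(), addr.strip().lower()
    reply_to = parseaddr(msg.get("reply_to", ""))[1].strip().lower()
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"

    # 1. Display name of a known executive, but the address is not theirs
    #    (covers lookalike domains as well as free-mail addresses).
    expected = EXECUTIVES.get(display)
    if expected and addr != expected:
        v.add(3, f"display name '{display}' but sender {addr} is not {expected}")

    # 2. Reply-To steers the conversation to a different domain than the sender.
    if reply_to and _domain(reply_to) != _domain(addr):
        v.add(2, f"reply-to domain differs from sender: {reply_to}")

    # 3. Content: urgency, payment instructions, changed banking details.
    if URGENCY.search(text):
        v.add(1, "urgency language")
    if PAYMENT.search(text):
        v.add(1, "payment / transfer request")
    if ACCOUNT_CHANGE.search(text):
        v.add(2, "changed bank account details")
    return v


def is_suspicious(msg, threshold=4):
    """True when the combined indicators reach the (assumed) review threshold."""
    return score_message(msg).score >= threshold


# Constructed sample messages: a CEO-impersonation lure, a vendor invoice with a
# redirected Reply-To, and a benign internal note from the real executive.
SAMPLE_MESSAGES = [
    {
        "from": '"Jane Doe" <jane.doe@examplebank-corp.test>',
        "subject": "Urgent: wire transfer to supplier",
        "body": "Please transfer the amount on the attached invoice today. "
                "The supplier has changed their bank account; new IBAN attached.",
    },
    {
        "from": '"Acme Supplies" <billing@acme-supplies.test>',
        "reply_to": "billing@acme-supplies-pay.test",
        "subject": "Invoice for May",
        "body": "Please find attached the invoice for May. Please note our "
                "updated bank account for all future payments.",
    },
    {
        "from": '"Jane Doe" <jane.doe@example-bank.test>',
        "subject": "Q3 planning",
        "body": "Can we meet next week to go over the Q3 plan?",
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = score_message(m)
        print(f"{v.score:2d} {'FLAG' if v.score >= 4 else 'ok  '} {m['subject']}: {v.reasons}")
```

Scoring rather than a single rule matters here: a lone urgency word is everyday mail, but urgency plus a payment request plus an executive name on an address the directory does not know is exactly the combination the scam relies on. A flagged message should go to a review queue and be confirmed out of band (a phone call to a known number), not blocked silently, since the legitimate "please update our bank details" message from a real supplier looks very similar.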
Advanced Persistent Threats (APTs), which use stealth and the long game to extract information and money, are also being used against the financial sector. In an APT threat recently identified by the Financial Sector Cyber Intelligence Group, spear phishing was the way in for the APT actor. The first step in this type of attack is to establish a Command and Control (C&C) channel so that the hackers can add further malware to the compromised system. A C&C channel is like the hacker having their finger right inside the pie: they can control the malware and update it remotely. APTs are notoriously difficult to detect, as they morph (via the C&C channel) whenever any hint of possible detection is observed.
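One signal defenders do have against a remotely controlled implant is that it has to check in with its C&C channel, and automated check-ins tend to be far more regular than a human browsing. The block below is an added example, not part of the original article, that looks for such beaconing in constructed proxy log lines (the timestamp/client/host/status format, the addresses and the hostnames are all placeholders), flagging a client-to-host pair when the gaps between connections are nearly constant.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<timestamp> <client-ip> <destination-host> <status>".
# Host 10.0.0.5 checks in roughly every 60 s with small jitter; 10.0.0.7 is a
# person reading the news; 10.0.0.9 makes a single request.
LOG_LINES = """\
2016-05-02T09:00:00 10.0.0.5 updates.placeholder-host.test 200
2016-05-02T09:00:05 10.0.0.7 news.placeholder-site.test 200
2016-05-02T09:00:09 10.0.0.7 news.placeholder-site.test 200
2016-05-02T09:01:01 10.0.0.5 updates.placeholder-host.test 200
2016-05-02T09:01:59 10.0.0.5 updates.placeholder-host.test 200
2016-05-02T09:03:02 10.0.0.5 updates.placeholder-host.test 200
2016-05-02T09:03:40 10.0.0.7 news.placeholder-site.test 200
2016-05-02T09:04:00 10.0.0.5 updates.placeholder-host.test 200
2016-05-02T09:04:58 10.0.0.5 updates.placeholder-host.test 200
2016-05-02T09:06:01 10.0.0.5 updates.placeholder-host.test 200
2016-05-02T09:07:00 10.0.0.5 updates.placeholder-host.test 200
2016-05-02T09:15:12 10.0.0.7 news.placeholder-site.test 200
2016-05-02T09:16:00 10.0.0.7 news.placeholder-site.test 200
2016-05-02T09:20:00 10.0.0.9 mail.placeholder-site.test 200
2016-05-02T09:40:33 10.0.0.7 news.placeholder-site.test 200
"""


def parse_lines(lines):
    """Yield (client, host, timestamp) from the constructed log format."""
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        yield parts[1], parts[2], ts


def find_beacons(lines, min_events=6, max_cv=0.2):
    """Return client/host pairs whose inter-connection gaps are suspiciously regular.

    Regularity is measured by the coefficient of variation (stdev / mean) of the
    gaps; min_events and max_cv are assumed thresholds to tune per environment.
    """
    by_pair = defaultdict(list)
    for client, host, ts in parse_lines(lines):
        by_pair[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few connections to say anything about regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": client, "dst": host, "count": len(stamps),
                             "mean_interval": avg, "cv": cv})
    return findings


if __name__ == "__main__":
    for f in find_beacons(LOG_LINES.splitlines()):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"every {f['mean_interval']:.0f}s (cv={f['cv']:.3f})")
```

This is one heuristic, not a detector on its own: legitimate software updaters and monitoring agents beacon too, and an implant that randomises its sleep interval widely will push the coefficient of variation above the threshold. It earns its place as a triage signal that narrows a day of proxy logs to a handful of pairs worth a closer look, which is the realistic goal given how hard the article notes APT activity is to spot.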
Financial sector attacks are not just about direct access to money anymore. They are also about identity theft and breaching data. The financial sector was ranked third for identity theft last year by the Identity Theft Resource Center. This is because in the world of cybercrime, personal information equates to money. Financial records fetch on average $221 per record, compared to the $30 that a U.S.-based stolen credit card commands on the dark web.
Distributed Denial of Service (DDoS) attacks are also a major threat for the financial sector, with DDoS and web app attacks against financial services having increased 31% since 2015, according to the ‘2016 Data Breach Investigations Report’. However, DDoS attacks are less about pulling down websites and more about serving as a smokescreen that allows hackers to implant malware, which is then used to steal data and login credentials.
Where Should We Concentrate Our Efforts in Controlling Financial Sector Security Threats?
One of the issues in the banking sector is getting the word out to all the stakeholders, including the board, that cybersecurity is a company-wide issue, not just a problem for IT. This is a general problem for any sector, but financial services are feeling the impact in a massive way, and right across the ecosystem: from direct attacks to supply chain breaches, as well as business and personal account compromise.
Because the financial sector, more than most, has very close touch points with its customer base, and has an extended supply chain with direct ties into the main company, it is a sweet target. Even with a broad-thinking, strategic security plan and state-of-the-art security tools in place, with such a wide ecosystem the sector is at risk. PwC, in its ‘Global State of Information Security Survey: Financial Services 2016’, stated that third-party vendor security assessment and management is the single biggest challenge for the industry in controlling security threats. PwC points out that industry organizations that use risk-based security frameworks to communicate with third-party vendors were more successful in controlling security risks within the vendor ecosystem.
Going forward, the increased awareness of threats to the financial sector, brought about to a large degree by the major attacks perpetrated against the industry, should make us all more vigilant. This should include a generalized education program, not just for those employed within the sector but also for the supply chain and customers. The push for a more secure financial services sector needs to be a top-down approach. The board must engage in a program of security that includes frameworks for communicating security information across the supply chain and beyond. As cybercriminals continue to up their game, the financial sector can win the cybersecurity war by upping its game too.