Ways to Fight Back Against BIN Attacks, Card Fraud

Credit card fraud has steadily increased over the past five years, according to the Federal Trade Commission. Reports of credit card fraud peaked at more than 118,000 in the second quarter of 2022. As e-commerce continues to gain traction with consumers and retailers alike, a growing number of fraudsters target customers’ credit cards by starting from the card’s bank identification number (BIN).

A BIN attack starts from the first six digits of a card number, the bank identification number that identifies the issuing bank. Fraudsters feed that prefix into software that methodically generates the remaining digits together with candidate CVVs and expiration dates; because the final digit of a card number is a Luhn check digit, producing well-formed candidates is cheap. They then run small test transactions to learn which combinations belong to active cards. Such programs can test hundreds of card numbers a minute, making detection harder for both fraud systems and consumers.

BIN attacks are a major headache for banks that get stuck with both the financial and operating costs resulting from fraudulent charges. But it may take some time for compromised cards to get monetized, giving banks some leeway to avert more damage.

Compromised cards harvested from BIN attacks can cause significant fraud losses for banks, in the form of accumulating chargebacks and call center and re-issuance expenses. Adding fuel to the fire, the ensuing cardholder disruption and friction can further damage a bank’s reputation and lead to losses in debit interchange revenue.

Banks remain at risk in the wake of a BIN attack and should keep monitoring for suspicious activity by reviewing electronic transaction trails for data such as time stamps, geolocation and IP addresses. However, these corrective and protective measures can require costly resources that many banks cannot afford. When an institution comes under attack, manual and purely consultative responses are a start, but they are not enough on their own.

Bolstering Against BIN Attacks
Luckily, there are efficient ways that banks can fight back against the fraudsters. Here are several tips on proactive monitoring strategies to stop or limit damage from BIN attacks and other card fraud.

  1. Randomize card account numbers and expiration dates, so that a fraudster who finds one live card cannot infer its neighbors from a sequential issuance pattern.
  2. Set up card transaction limits and velocity rules.
  3. Consider placing risk controls and transaction limits on foreign countries. Test transactions in BIN attacks often originate outside the U.S. Banks should pay close attention to countries that appear in FinCEN advisories.
  4. Implement decision rules that bar transactions from merchants used for card testing. Analyzing transaction data for suspicious patterns can reveal card testing. If traffic at a legitimate merchant reaches a transaction threshold, the bank can add a rule that monitors transaction velocity per hour and restricts further transactions while the activity is investigated.
  5. Automate the monitoring of BINs and transactions with a system that mitigates and acts against fraudulent card activity. The system should automatically recognize the signs that your bank is the target of a BIN attack, including repeated low-value transactions, high decline rates and a high volume of CVV errors.
  6. Take advantage of automated network surveillance to pinpoint both legitimate and fraudulent merchants involved in BIN attacks. This gives banks an opportunity to obstruct additional BIN attacks if other fraudulent merchants are caught during this process.
  7. Work with your vendor to deploy fraudster-level tools and strategies to detect and prevent BIN attacks. Vendors can offer a wide variety of solutions, including fraud score, compromise card detection, merchant type, merchant category code (MCC), geography, zip codes and device ID, among others.
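The velocity, decline-rate and CVV-error signals in tips 2, 4 and 5 can be written as a rule that runs over the issuer’s authorization log. What follows is an added example written for this page, not code from the original article or from any vendor it mentions. The record layout, the thresholds and the authorization log are constructed assumptions, and the card numbers are placeholders, not real accounts.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Auth:
    """One authorization attempt as the issuer sees it (constructed schema)."""
    ts: datetime
    pan: str               # 16-digit card number; the first six digits are the BIN
    merchant_id: str
    amount: float
    approved: bool
    decline_code: str = ""  # e.g. "CVV_MISMATCH", "INVALID_CARD", "EXPIRED"


# Thresholds are illustrative assumptions; tune them to the portfolio's baseline.
MIN_ATTEMPTS = 20          # velocity floor before a (BIN, merchant) pair is scored
MAX_DECLINE_RATE = 0.50
MAX_CVV_ERROR_RATE = 0.30
LOW_VALUE_LIMIT = 2.00     # card-testing charges are typically tiny


def bin_of(pan: str) -> str:
    return pan[:6]


def _bucket(ts: datetime) -> datetime:
    # Fixed hourly buckets keep the example short; a production rule would use a
    # sliding window so a burst straddling the hour boundary is not missed.
    return ts.replace(minute=0, second=0, microsecond=0)


def detect_bin_attacks(auths):
    """Return one finding per (BIN, merchant, hour) whose traffic looks like card testing."""
    groups = defaultdict(list)
    for a in auths:
        groups[(bin_of(a.pan), a.merchant_id, _bucket(a.ts))].append(a)

    findings = []
    for (bin6, merchant, hour), rows in groups.items():
        n = len(rows)
        if n < MIN_ATTEMPTS:
            continue
        declines = sum(1 for r in rows if not r.approved)
        cvv_errors = sum(1 for r in rows if r.decline_code == "CVV_MISMATCH")
        low_value = sum(1 for r in rows if r.amount <= LOW_VALUE_LIMIT)
        distinct_pans = len({r.pan for r in rows})
        metrics = {
            "attempts": n,
            "distinct_pans": distinct_pans,
            "decline_rate": declines / n,
            "cvv_error_rate": cvv_errors / n,
            "low_value_rate": low_value / n,
        }
        # Card testing: many distinct PANs from one BIN hitting one merchant,
        # mostly declined, with CVV guesses and tiny amounts.
        hot = (metrics["decline_rate"] >= MAX_DECLINE_RATE
               or metrics["cvv_error_rate"] >= MAX_CVV_ERROR_RATE)
        if hot and distinct_pans >= n // 2:
            findings.append({
                "bin": bin6, "merchant_id": merchant, "hour": hour, **metrics,
                "action": "restrict merchant for this BIN; queue PANs for review",
            })
    return findings


def build_sample():
    """Constructed authorization log: one card-testing burst plus normal traffic."""
    t0 = datetime(2022, 6, 1, 14, 0)
    rows = []
    # 40 attempts in 20 minutes against one merchant, each a different PAN from BIN 411111.
    for i in range(40):
        approved = i % 8 == 0                      # a few "hits" slip through
        rows.append(Auth(
            ts=t0 + timedelta(seconds=30 * i),
            pan=f"411111{i:06d}0042",              # constructed placeholder, not a real card
            merchant_id="M-TEST-01",
            amount=0.99,
            approved=approved,
            decline_code="" if approved else ("CVV_MISMATCH" if i % 3 else "INVALID_CARD"),
        ))
    # 12 legitimate purchases at a grocer, with a few cards used repeatedly.
    for i in range(12):
        rows.append(Auth(
            ts=t0 + timedelta(minutes=4 * i),
            pan=f"411111{i % 4:06d}9999",
            merchant_id="M-GROCERY-77",
            amount=35.00 + i,
            approved=True,
        ))
    return rows


SAMPLE_AUTHS = build_sample()

if __name__ == "__main__":
    for finding in detect_bin_attacks(SAMPLE_AUTHS):
        print(finding)
```

Run as a script, it prints a single finding for the constructed burst; the grocery traffic never reaches the attempt floor and is not scored. A production rule would also score per BIN across all merchants, so testing spread thinly over several merchants is still caught, and would feed the flagged PANs into the compromised-card review queue rather than blocking cardholders outright.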

Preventive measures that can immediately interrupt BIN attacks, paired with automated monitoring and surveillance, give banks a way to stay ahead of suspicious activity and effectively identify compromised cards. Mitigation may not stop BIN attacks completely, but it can reduce the resulting financial and operating costs while reinforcing the resilience of the bank’s fraud department.

From Russia with ‘Love’

Cybersecurity has lately become a top concern for bank boards and their senior management teams in the face of an unrelenting wave of ransomware attacks. Now you can add heightened geopolitical tension resulting from Russia’s invasion of Ukraine to the worry list.

“Clearly we have a geopolitical situation going on which, given the threat actor, does raise cybersecurity concerns,” says Kevin Greenfield, deputy comptroller for operational risk policy at the Office of the Comptroller of the Currency. “And financial institutions, as well as government agencies themselves, are very focused on this heightened alert and are making sure that cyber defenses are up.”

And if they’re not, they certainly should be.

In an interview, Greenfield says that threat actors have been known to use cyber attacks as an effective tool against their opponents for political purposes. The concern is that at some point during the conflict in Ukraine, threat actors could target this country’s critical infrastructure, including its banking system.

“The financial system is a critical infrastructure, which means that it is something that is very important for not just individual institutions,” says Greenfield. “The banking system supports the U.S. economy and the U.S. people. And it’s important to maintain the integrity and resilience of that system. Banks need to make sure they lockdown key controls and make sure they are monitoring for any threat indicators.”

The OCC regulates banks with a national charter, but Greenfield’s comments are just as relevant to state-chartered banks regulated by states, the Federal Deposit Insurance Corp., or the Federal Reserve.

In early January, even before the Russian invasion of Ukraine, the Cybersecurity & Infrastructure Security Agency (CISA), a federal agency under the Department of Homeland Security, issued a threat alert — “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.”

In the alert, CISA made the following recommendations for all U.S. companies, including banks.

1. Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.

2. Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.

3. Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.

CISA has also set up a website – Shields Up – focused on providing threat information, tools and resources to help all organizations safeguard against and respond to geopolitical threats in cyberspace. “We have pushed that information out to financial institutions because these are the experts,” says Greenfield.

Separate and apart from the current geopolitical situation, Greenfield says the OCC is also seeing an increase in ransomware attacks. “Just from personal observation, we’re seeing more use of ransomware and using [it] to solicit illicit funds from banks,” says Greenfield. “We’re seeing it and I think one of the reasons why is because it works.”

Greenfield says it’s up to banks whether they should pay a ransom if their critical data has been locked up following an attack. “That’s an institution’s decision,” he says. “Executive management and the board need to make that decision. The one thing I’ll tell you is, understand [that] you’re dealing with criminals. You’re not dealing with honest people. It’s not something that we would encourage, but there’s no regulation against it.”

Any bank that does decide to pay a ransom needs to make sure it doesn’t violate any restrictions that have been imposed by the Office of Foreign Assets Control (OFAC), an agency under the U.S. Treasury Department. “When paying ransoms, be aware of any OFAC requirements and any sanctions on those who might be getting paid,” he says. “You can contact OFAC to request a waiver, but that’s something that will be very important to ensure an institution does not violate any sanctions requirements.”

In the face of continued ransomware attacks, Greenfield says that banks should focus on fundamental elements of cyber security. “We have been very clear on our messaging to banks about the importance of cybersecurity and just fundamental cyber hygiene, because when events do occur and then we explore the root cause, it tends not to be a zero-day exploit, but a basic control oversight,” he says. A “zero-day exploit” takes advantage of a vulnerability that was previously unknown to the software’s vendor, so no patch exists at the time it is used.

At the top of Greenfield’s list of poor cyber hygiene habits that leave banks vulnerable to ransomware attacks are weak authentication controls, including the failure to use multi-factor authentication. And even when a multi-factor protocol is in place, banks sometimes grant exceptions that end up getting targeted by hackers who know to look for them.

Greenfield says the federal banking regulators have been emphasizing “effective authentication,” and recently the Federal Financial Institutions Examination Council (FFIEC) – an interagency group comprised of bank and credit union regulators – updated its guidance on authentication. “We tried not to be technology specific so there’s not a corporate requirement for multi-factor,” he says. “But our guidance is you need to have effective authentication, which typically we would see as a layered security approach with multi-factor or similarly strong technologies.”

The guidance also advocates that if nothing else, banks at least take a risk-based approach and protect their most sensitive or critical systems. “This is something that I communicate to all bank management teams; if it’s nonpublic and you don’t want anyone to gain access that’s not authorized, use multi-factor authentication or something similarly strong,” he says. “We’ve seen that malicious actors will get into a system and they will wait for the opportunity to exploit it and move laterally throughout the network as they’re able to figure it out.”

Another vulnerability is poor network management, a potential problem that has been exacerbated by the industry-wide shift to many employees working from home on laptops. Common shortcomings include networks that are not effectively configured, including a failure to turn on security controls that already exist within a particular software product or service. Or a failure to install an available patch when a vulnerability has been identified. “Sometimes we’re seeing they’re not changing default administrator IDs and passwords – I mean, simple things,” Greenfield says. “And especially when we’re talking about off-the-shelf software applications that everyone uses. All those user manuals that you have access to, the bad guys have access to as well, so they know how it works.”

Successful cyber attacks can often be traced back to multiple causes. “Typically, it’s a combination of phishing or some other [tactic] to steal a credential, then weak multi-factor [authentication], and then looking for vulnerabilities such as misconfigured or unpatched systems,” Greenfield says. “The biggest thing I can tell any institution is, make sure your controls are up and as strong as they can be so that you’re not a target, because the one thing that I have seen with many malicious actors is, they’re going to go for the easiest target.”

*Clarification: This article has been amended from an earlier version in part to clarify that Greenfield did not specifically mention Russia in the interview. 

The Threat of Email Compromise

While ransomware attacks grab most of the headlines — for instance, the Colonial Pipeline attack in spring 2021 — business email compromise/email account compromise (BEC/EAC) was the top crime in terms of direct loss reported to the FBI in 2020.

Business email compromise attacks have evolved over the past decade, and are now also referred to as email account compromise, acknowledging that personal email accounts are also targets. According to the FBI’s Internet Crime Complaint Center’s Internet Crime Report for 2020, more than $1.8 billion was lost in 2020 to BEC/EAC attacks. That is more than 50 times the money lost in direct payments to ransomware attackers. BEC/EAC attacks are also much more common, with nearly eight times as many complaints to the FBI as ransomware: 19,369 email complaints, compared to 2,474 ransomware complaints in 2020.

Ransomware is still a serious threat, including the threat of business interruption, but you are more likely to be targeted in a BEC/EAC attack than a ransomware attack. A BEC/EAC attack in 2021 usually starts with one of the following:

  • A successful phishing attack against an individual. A fraudulent email is sent to an individual, usually as a part of a large campaign, and that email tricks the user into entering their credentials into a fake login form, which then passes those credentials to the attacker.
  • A successful social engineering attack. Social engineering attacks are most often carried out over the phone, but can also be accomplished via email or instant messaging, or even in person. The attacker will contact the victim and convince them to provide information or inappropriate access to the attacker. In a BEC/EAC attack, the victim’s email login credentials are most valuable.
  • A successful computer intrusion. Computer intrusion in this context is a catch-all for malware and active intrusion of computer systems, resulting in credential compromise.

After gaining access to the victim’s email account, the attacker may lie in wait until a valuable transaction is sent over email. If the account compromised isn’t a valuable enough target, the attacker may use the victim’s account to launch more attacks against the victim’s contacts.

BEC/EAC losses hit organizations in all industries; the common thread is business conducted via wire transfer. The attacker waits until an email with wire instructions is received or expected, and replaces the legitimate instructions with fraudulent ones. Once the wire is sent to the wrong bank, the funds are moved quickly to other banks, often overseas. In many of these cases, the victim did not notice the wire was missing for a month or longer — well past the window to recover the funds.

Protecting Yourself and Your Bank

The good news is that you can protect yourself and your organization from these attacks, but it requires vigilance and some inconvenience. Below is a summary of steps to protect personal and company email accounts:

  • Train employees to recognize phishing emails. Common themes in phishing emails are poor grammar and spelling, a sense of urgency, or a link to log in and fix a problem or verify information.
  • Do not click links in emails, instant messages or text messages.
  • Enable multi-factor authentication on all accounts that support it. With multi-factor authentication, a stolen password alone is not enough to log in. Be aware that one-time codes can still be phished by a proxy site that relays them in real time, so prefer phishing-resistant methods such as hardware security keys where the service supports them.
  • Insist that payments be sent by physical check, not a wire transfer, whenever possible.
  • If a wire must be sent, call a known number on file to verify the wiring instructions when sending a wire to a company for the first time and any time the wire instructions change. If you don’t know the sender’s phone number, call the company’s main number. Do not rely on information in the email, including the phone number. If you do call that number, you may be calling the attacker.
  • Regularly update your computer, cell phone and any other device you use to access email with all security patches.
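Several of the warning signs above can be checked mechanically on an incoming message before anyone acts on it: whether the receiving gateway’s SPF, DKIM and DMARC checks passed, whether the Reply-To domain differs from the From domain, whether either domain is a near-miss of a known vendor, and whether the message combines payment-instruction language with pressure to hurry. The following is an added example written for this page, not code from the original article. The vendor allowlist, the phrase lists and both messages are constructed; the Authentication-Results header is assumed to have been stamped by the bank’s own inbound gateway, which is the only place such a header can be trusted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed vendor allowlist (constructed): domains the bank has verified out of band.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}
PAYMENT_PHRASES = ("wire", "routing number", "account number", "new bank", "updated banking")
URGENCY_PHRASES = ("urgent", "today", "do not call", "immediately")


def domain_of(header_value):
    """Return the lower-cased domain from a From/Reply-To header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts stamped by the receiving gateway."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def edit_distance(a, b):
    """Levenshtein distance; a small value between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_VENDOR_DOMAINS):
    for k in known:
        if domain != k and edit_distance(domain, k) <= 2:
            return k
    return None


def plain_text(msg):
    """Concatenate the text/plain parts of a message, lower-cased."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks).lower()


def assess(raw_message):
    """Return human-readable flags for one message; an empty list means nothing was found."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            flags.append(f"{mech} result is {verdicts.get(mech, 'missing')}")
    for dom in {from_dom, reply_dom} - {""}:
        target = lookalike_of(dom)
        if target:
            flags.append(f"{dom} is a lookalike of known vendor domain {target}")
    text = plain_text(msg) + " " + (msg["Subject"] or "").lower()
    pay = [p for p in PAYMENT_PHRASES if p in text]
    if pay:
        flags.append("payment-instruction language: " + ", ".join(pay))
    urgent = [p for p in URGENCY_PHRASES if p in text]
    if pay and urgent:
        flags.append("urgency pressure alongside payment change: " + ", ".join(urgent))
    return flags


# Constructed messages. The Reply-To below uses a capital I in place of the l in "supplies".
SUSPECT_EMAIL = """\
Authentication-Results: mx.bank.example; spf=fail smtp.mailfrom=acme-supplies.example; dkim=none; dmarc=fail
From: "Acme Accounts Payable" <ap@acme-supplies.example>
Reply-To: ap@acme-suppIies.example
To: treasury@bank.example
Subject: URGENT: updated banking details for invoice 4471
Content-Type: text/plain; charset=utf-8

Please use our new bank account number and routing number for today's wire.
Do not call, I am in meetings all day.
"""

CLEAN_EMAIL = """\
Authentication-Results: mx.bank.example; spf=pass smtp.mailfrom=acme-supplies.example; dkim=pass header.d=acme-supplies.example; dmarc=pass
From: "Acme Accounts Payable" <ap@acme-supplies.example>
To: treasury@bank.example
Subject: Q3 invoice schedule
Content-Type: text/plain; charset=utf-8

Attached is the invoice schedule for the quarter; no changes to our details.
"""

if __name__ == "__main__":
    for flag in assess(SUSPECT_EMAIL):
        print("FLAG:", flag)
    print("clean message flags:", assess(CLEAN_EMAIL))
```

The flags are a triage aid, not a decision: a message that passes every check can still come from a genuinely compromised vendor mailbox, which is exactly the EAC case. The callback to a known number on file remains the control that actually stops the fraudulent wire.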

Protecting Customers Through a Cybersecurity Control Tower



Citizens National Bank of Texas, the third-oldest independent financial institution in the state, has remained deeply committed to its local community since its founding in 1868. The bank’s hometown, personalized approach to serving customers in the Dallas-Fort Worth area has played an integral role in its success. It was this focus on the surrounding community that led CNB to provide its customers with an extra layer of security by working with DefenseStorm, a Seattle-based provider of cloud based cybersecurity solutions.

As a full-service community bank with $859 million in assets, CNB aims to offer its customers the same service they would receive at any major, nationwide financial institution. This includes technology-driven services like online banking, mobile banking and bill pay. To offer these digital banking capabilities without exposing its network to new security vulnerabilities, CNB invested in security infrastructure and additional safeguards to protect customers and their financial information from potential cyber attacks. Although it had a solid system of security measures in place, the bank needed help monitoring its overall network activity and sought to increase the visibility of security threats.

This is where DefenseStorm comes in.

Heightened Visibility with a Cybersecurity Control Tower
DefenseStorm acts as a security control tower for CNB to detect intrusions, investigate threats, take action to stop attacks and report on cybersecurity to regulators and the bank’s board of directors. Additionally, DefenseStorm’s team of security experts provides the bank with 24/7 monitoring support, triaging alerts and working alongside the bank to ensure the strongest security possible.

By constantly monitoring network activity and working with the bank to improve its security posture and quickly resolve incidents, DefenseStorm has helped CNB discover and neutralize at least 10 cyber threats in the past year.

Previously, the bank’s internal team would have to review and analyze all security event data. Now, the bank receives alerts in real time, which allows for a more efficient response and remediation process. Additionally, the bank uses DefenseStorm’s support ticketing feature to provide a clear, documented way to track events and how they are being handled.

Wade Jones, CNB’s senior vice president and chief information officer, values the extra support DefenseStorm provides. “It’s nice, the guardianship—having a security team sitting behind me watching the front line and letting me know if there’s something we need to work on,” says Jones.

Genuine Threat or False Alert?
CNB also leverages DefenseStorm’s search and reporting features, which enable the bank to transform complex and unstructured security event data from separate systems into meaningful, actionable insight. Oftentimes, systems produce a constant stream of security alerts, many of which are not genuine threats but which analysts must still review. With only eight hours in the workday, it can be difficult to assess each alert, and that can desensitize employees toward alerts, potentially resulting in a genuine threat being ignored. CNB has overcome this challenge and enacted a more proactive security response by sharpening its ability to interpret large sets of event data, so the bank is notified only when an alert is likely to represent a genuine threat. Now, the bank can quickly determine the scope of a threat and escalate the event into the remediation process with a click of a button.

The ability to provide a unified, comprehensive view of the bank’s network and systems is vital. “In our journey with DefenseStorm, we’ve brought everything together, log-wise, for all systems in the bank so we can take a more holistic approach,” says Mark Singleton, chief executive officer at CNB.

Enhancing Security without Expanding Staff
Furthermore, DefenseStorm brings a level of cybersecurity expertise that would be difficult for CNB to recruit in its own market. Given the shortage of cybersecurity talent across industries, hiring qualified candidates is challenging, especially for a small community bank, as professionals with advanced security credentials are typically hired by larger corporations. To make matters worse, cyber criminals realize this, often assuming that a smaller bank has less sophisticated technology and fewer defenses. However, with DefenseStorm, CNB is able to provide an enhanced level of security, comparable to larger financial institutions, without hiring an extra security expert.

For community banks, business is personal. CNB realizes this and has invested in the infrastructure needed to safeguard its customers’ financial assets.

“Unlike big banks that never see their customers outside of work, we run into ours all the time—at church or at the grocery store,” says Singleton. “If we mess up, it’s our communities, our friends and our grandmothers who are ultimately affected. It’s our job to protect them and DefenseStorm helps us do that.”

Banking on the Cloud: Why Banks Should Embrace Cloud Technology



Cloud adoption has reached critical mass, with roughly 90 percent of businesses employing its technology in some facet of their organization. The cloud presents opportunities for enhanced efficiency and flexibility and, with the right provider and the right configuration, no loss of security, so it’s no surprise that we’re seeing more organizations shift to the software as a service (SaaS) model. But while we’ve seen the healthcare, legal and insurance industries evolve, banks have been more reluctant to adopt new technologies built outside of their own walls.

Why Banks Lag at Cloud Adoption
The banking industry is not known for being nimble. As one of the oldest, largest and most vital industries in the U.S. economy, banking has, in some ways, fallen victim to inertia—relying on traditional technologies and internal networks to disseminate its services. This is in large part due to the widely-held belief that on-premise solutions are inherently more secure than the cloud because data lives in proprietary servers and systems, rather than a service provider’s environment. However, research shows that cyber attacks affect both environments, with on-premise users experiencing over twice as many web application attacks as service provider customers, on average.

Still, for many banks, the perceived risks of the cloud outweigh its forecasted benefits. In fact, 73 percent identified security concerns as the main reason for avoiding it, while 63 percent listed privacy issues as their top worry. That perception is beginning to change, as the cloud’s business advantages have become too significant to ignore. A recent study found big banks are expected to grow from as little as zero percent public cloud adoption to 30 percent by 2019—a dizzying adoption rate for an industry that still relies on legacy systems from the 1960s.

For those still wary of making the switch, here are three of the biggest benefits of moving to the cloud:

Security
Cloud technologies can boost your security in ways that on-premise systems cannot. Traditionally, to use a new offering, you install an on-premise server in your data center. Then you must configure the network, the firewall and secure access to the server. This stretches resources by increasing training requirements, which ultimately detracts from the goal of the offering. Thanks to economies of scale, cloud companies can own the server, the networks and the processes, making the entire offering more complete and secure.

With strict protocols and security certifications such as SOC 2 and ISO 27001 built into many services, banks can verify that a solution provider operates under independently audited controls. Those certifications cover the provider’s side of the shared responsibility model; the bank still owns how its users, identities and data are configured on the service, and most cloud incidents trace back to that customer-side configuration rather than to the provider.

Understanding the value of security and the benefits that cloud technology brings to banks, a handful of institutions are leading the shift and others are expected to follow. Capital One Financial Corp., an early adopter of Amazon Web Services (AWS), has steadily built its infrastructure in the cloud over the past two years. The company continues to work closely with AWS on specific security and data protocols, allowing the company to operate more securely in the public cloud than it could have in its own data centers, according to Capital One CIO Rob Alexander.

Efficiency and Scalability
The cloud enables teams to be more agile than ever. The SaaS model gives teams the flexibility to roll out new iterations on demand. This real-time feedback loop empowers teams to ship updates more quickly and frequently and to keep improving products to match what customers are looking for.

By leveraging the cloud to store complex data, organizations can meet ever-evolving regulatory compliance and governance rules mandating data protection. A recent example would be financial institutions working to comply with the EU’s General Data Protection Regulation. The ability to meet regulations can be sped up by a number of the cloud’s features, including built-in auditability for more clarity around your compliance status, and virtual infrastructure that reduces room for error.

Beyond infrastructure models, the cloud allows businesses to be elastic: for instance, absorbing the surge of credit card purchases on Cyber Monday by expanding capacity for that specific demand, rather than buying new servers to cover a one-day-per-year peak.

Overhead Cost Savings
Switching from on-premise to cloud can mean significant savings on overhead costs.

When you work with a SaaS provider, you no longer need to invest in proprietary infrastructure. Instead, you’re able to access and maintain your data through your partner’s established environment. This cuts down on both the up-front capital costs associated with hardware and the continuous costs that eat up budget to keep hardware and software optimized and refreshed.

Rather than pay a flat fee to keep systems up and running, cloud providers offer a variety of metered, pay-per-use options. These include Salesforce’s and Microsoft Office 365’s pay-per-seat pricing and AWS’ infrastructure as a service (IaaS) pay-per-hour model; by contrast, Oracle’s offerings carry high integration fees.

By outsourcing services to the provider’s data center, you can also realize savings on staffing. On-premise technologies can require a team varying in size from one person to dozens, depending on the bank’s size. Because your cloud provider takes on the computing, your internal team no longer has to worry about hardware refreshes or server and software updates, freeing up their time to focus on what matters most: your business. Cost savings can also be reinvested into the business to increase headcount, boost wages and drive product innovation.

Cloud technology has already been embraced by businesses in numerous industries, but banks have been slower to acknowledge its benefits. Now, as cloud’s positive impact on security, efficiency and cost come to the forefront, it’s becoming harder for banks to ignore the advantages. Already, we’re seeing early adopters reap the benefits, from a financial standpoint and innovation perspective, and in the coming years, we can expect to see banking in the cloud transition from a “nice-to-have” to a business-critical approach to moving up in the market.

Are Directors Tone Deaf on Cybersecurity?


Are the boards of directors at U.S. banks taking the cybersecurity threat seriously enough?

In Bank Director’s 2017 Risk Practices Survey, 85 percent of the 167 respondents—a group that includes bank directors, CEOs, chief risk officers, and chief information and chief technology officers—identify cybersecurity as the risk category they are the most concerned about. And that heightened level of concern is evident across all sizes of institutions in the survey, from banks under $1 billion in assets to those greater than $10 billion.

After all of the high profile, highly successful and highly publicized cyberattacks that have occurred over the last several years, surely every bank director understands the serious nature of cyber risk today. Hackers are incredibly creative and persistent in their efforts to penetrate bank security systems and steal sensitive customer data, money—or both. A successful intrusion can be costly to the bank, damage its reputation with customers, and become an issue with regulators if they believe the bank has a weak cybersecurity program.

Twenty-six percent of the respondents say their bank has experienced a data breach or some other type of cyberattack since 2015, and another 4 percent were the victims of a breach prior to 2015. In other words, nearly one-third of the respondents have already experienced a breach, an incident rate that should get all directors’ attention regardless of whether their banks have been victimized or not.

So, what is being done about this? Over the past two years, the survey participants’ banks have made a number of improvements to their cybersecurity programs, including:

  • Eighty-two percent have invested in technology to better detect and deter cyber threats and intrusions.
  • Eighty-one percent have improved training for staff.
  • Eighty percent have increased their focus on cybersecurity at the board level.
  • Seventy-five percent have improved their internal controls related to cybersecurity.
  • Seventy-five percent have improved and tested their bank’s cyber-incident management and response plan.

But there is still more that can be done to protect against hackers. According to the survey, 38 percent of the respondents still don’t employ a full-time chief information security officer (CISO). As one might expect, this deficiency is most evident at banks under $1 billion in assets, even though they are still likely targets for a cyberattack. The benefit of having a CISO, rather than giving this responsibility to the chief risk officer or chief information officer, is that cybersecurity has become so specialized that it should be handled full-time by one individual with experience in the field. Fifty-one percent of the survey participants say their bank won’t be hiring a CISO in 2017, and 43 percent say they are unsure. Banks under $1 billion are already less likely to employ a CISO, and the survey data suggests that they’re unlikely to hire one this year.

Most surprising of all is that only 17 percent of the respondents say cybersecurity is discussed at every board meeting. Thirty-six percent say the board reviews the issue quarterly, 19 percent say they discuss it semi-annually and 10 percent talk about cybersecurity just once a year. If cybersecurity is truly the most pressing risk management issue facing bank boards today, then why isn’t it being discussed at every board meeting, at every bank?

If it’s the board’s responsibility to set the tone at the top when it comes to risk governance throughout the bank, then it would seem that a lot of boards are tone-deaf when it comes to cybersecurity.

What You Don’t Know About Network Defenses Can Definitely Hurt You



Hackers have many avenues to choose from when it comes to attacking your organization, the most obvious of which is breaking in from the outside, or attacking your network’s perimeter. But they also can choose to attack from the inside-out by targeting your employees and internal weaknesses.

Cyber criminals use tactics like password attacks, session hijacking, exploiting application vulnerabilities and leveraging malware to gain unauthorized access to your network. Once inside, they steal, delete or distort confidential data, and often alter or disable security features to enable larger future attacks and avoid detection.

As revealed in Verizon’s 2016 Data Breach Investigations Report—a yearly study composed of findings from law enforcement agencies, forensic services firms and other entities—external threat perpetrators have been responsible for at least 75 percent of confirmed data breaches in each of the last six years.

To help protect your network, all employees—from the top down—should learn to spot the signs of a possible attack or breach, from suspicious emails and system modifications to unusual network glitches.

Here are some examples of the possible tools in an attacker’s arsenal:

  • Session hijacking: occurs when an attacker hijacks a network session shared by two systems by masquerading as one of them.
  • Password cracking: involves identifying the password of a user or administrator to gain system access.
  • Denial of Service (DoS) attacks: bombard a system, causing it to crash or deny access to legitimate users.
  • Web-application attacks: hackers exploit weaknesses and/or security flaws in a web application, possibly leading to the compromise of the host device or internal network.
  • Malware: includes ransomware that encrypts your files on the network drives and demands payment of a “ransom” to decrypt them; rootkits that embed themselves in your computer’s software, replacing legitimate software or hiding malicious ones; and remote access trojans (RATs), disguised as legitimate programs, but giving attackers an open door into your network.

Toughen Your Defenses with Vulnerability Assessments and Penetration Testing
Two crucial types of security testing offer financial institutions the best protection against these threats: vulnerability assessments and penetration testing. One is focused on finding as many vulnerabilities as possible, while the other can reveal the impact of an attack rather than theorizing about it, and also ensure that controls work as expected.

A vulnerability assessment is designed to yield a prioritized list of the environment’s vulnerabilities, and works best for institutions that already understand they are not where they should be in terms of security. However, recent guidance outlines the importance of regularly performing vulnerability assessments on your network. The scope, in industry terms, is breadth over depth.

This type of assessment, which helps ensure compliance with Gramm-Leach-Bliley Act data guidelines, can be performed using a remote scanning device—configured by a certified provider—that is plugged into an organization’s network. The device scans the entire network, including hardware and software, and performs internal vulnerability, patch management and port-scanning functions.

The provider can then analyze the data and prepare a detailed report with recommendations for securing your network.

By contrast, a penetration test’s ethical hackers seek to achieve a specific, attacker-simulated goal. A typical goal could be to gain access to the internal network and compromise a privileged account, or obtain the contents of the customer database. The test determines whether a mature security posture can withstand an intrusion attempt from a hacker. Here, the scope is depth over breadth.

A thorough penetration test consists of these elements:

  • Reconnaissance: Entails learning about the target using little or no interaction with their systems. This compares to a burglar watching a neighborhood to determine the patterns of its residents as well as their types of possessions and whether they have security systems. Reconnaissance includes Internet searches, website reviews, IP block information and domain name system (DNS) interrogation.
  • Scanning: The first major contact with the target’s systems, which involves looking for potential openings. This is likened to a burglar rattling doorknobs and checking for unlocked windows. Scanning includes network mapping, port scanning, operating system (OS) fingerprinting, service detection and vulnerability scanning.
  • Gaining Access: This is where the hacker comes in, with an attempt to compromise the system. This step is similar to the burglar breaking into the home using the most vulnerable door or window. Gaining access features password and web application attacks and the exploitation of vulnerable software and configuration flaws.
  • Maintaining Access and Covering Your Tracks: Performed only upon successful penetration into the institution’s network. It should be noted that many organizations forgo these steps because they involve manipulating systems, applications and files.

It is crucial for your financial institution to maintain cyber-resilient networks and systems. The costs of disrupted business, reduced customer confidence, fines and lower profitability resulting from an attack are simply too great.

Getting Called Out on Cybersecurity


Seventy-seven percent of respondents to Bank Director’s 2016 Risk Practices Survey identified cybersecurity as their number one risk concern—and yet the great majority of them discuss cybersecurity only infrequently during board meetings. This surprising result was confirmed during a presentation at Bank Director’s Bank Audit and Risk Committees Conference, when only 23 percent of the attendees said they discuss cybersecurity at every board meeting during an audience response survey.

“The majority of boards still do not review cybersecurity at every board meeting and only a minority do,” said Sai Huda, senior vice president and general manager risk, information security and compliance solutions at FIS Global. “The majority of boards do not review their cybersecurity plan on a regular basis.”

The audit and risk conference was held June 14-15 in Chicago and attracted over 300 bank directors and risk management professionals.

Huda also questioned whether the attendees were spending enough money on cybersecurity. Over 29 percent of the audience said their bank had increased the cybersecurity budget from 10 percent to 25 percent, and roughly 15 percent had increased the cybersecurity budget more than 25 percent. But nearly 56 percent of the respondents had either increased their cybersecurity budgets by less than 10 percent, had made no increase at all or didn’t know what their budgeting practices were in this area.

The nature of cybersecurity spending is expected to change significantly over the next five years, according to Huda. Until recently, most of the money has been spent on building secure defenses against intruders, and yet by Huda’s estimate more than 90 percent of all U.S. companies have been successfully penetrated. “A breach is going to happen,” he said. “It’s a question of when, not if.” Going forward, more of the cybersecurity budget will be spent on reacting to intrusions than preventing them. “Timely detection and response are the keys to success,” he said.

When asked during the audience survey which threats they thought their bank was the least prepared for, 40 percent said they were ill prepared to detect malicious insider activity, 21 percent felt they were not receiving the latest intelligence on cyber threats, 19 percent said they were ill prepared to detect anomalous or abnormal activity, 12 percent worried about their ability to block denial of service attacks and roughly 8 percent thought that detecting malware was a deficiency of their bank.

The nature of cybersecurity attacks has also changed in recent years, according to Huda. Today, the attacks are stealthier, more targeted in that the hackers are after something very specific, and persistent in that the hackers keep at it until they have broken through a bank’s defenses. Today’s threats also tend to be multi-pronged, in that hackers will attack bank systems at a variety of access points simultaneously, and the hackers themselves have evolved over time. Where once they were often individuals acting on their own, “today they tend to be well funded crime syndicates and nation states,” he said. “The whole cybersecurity ballgame has changed.”

Icebergs Ahead: Five Questions Every Board Should Ask the CISO


Picture this: Your chief information security officer (CISO) has arrived at the board meeting to give a rundown on your bank’s latest efforts to mitigate cyber risk. You’d like to take an active role in data governance (kudos for that!), but what are you supposed to ask? You’re not a cyber security expert.

In fact, many board members may not understand everything that the CISO’s role entails or the specifics of how the CISO’s responsibilities differ from those of the CIO and CTO. Whereas CIOs and CTOs make the technology work, CISOs identify and manage technology-related threats to the bank’s operations or reputation. They must obtain a 360-degree view of the threats and how much they might end up costing the organization, as well as the costs of reducing the probability of a cyber-attack to an acceptable level.

Given the prevalence of security breaches and the scope and magnitude of the consequences, getting “up close and personal” with your CISO shouldn’t require a chance encounter in the elevator. You should demand direct access to the CISO on a formal—and regular—basis.

But that doesn’t mean you need to dig into the technical details about risks and mitigation plans. By asking a set of high-level questions, you can gather information that positions you to be an active participant in key strategic decisions relating to information security:

1. What are the top information-security threats facing your bank? These are the “icebergs” that have the potential to severely damage the bank’s viability. Theft of data often grabs the headlines, but cyber attacks are alarmingly diverse. Other potential threats include a “denial of service” attack that could stop your bank from operating its business, as well as malware injection and phishing, to name just a few.

2. For each of these major threats, what are your bank’s mitigation strategies and the costs for executing them? Find out how the information security team plans to reduce these threats to a tolerable level and ensure that the costs of mitigation don’t outweigh the expected benefits. The CISO should also be able to explain how the team monitors the performance of the mitigation actions.

3. How frequently does your company reevaluate previously identified risks and seek to identify new ones? The information security team should never assume that it knows all the major threats or is mitigating them effectively. Ensure that the team re-evaluates which icebergs are out there at least annually, and then examines whether its mitigation strategies are still effective.

4. What is the crisis response plan when risk management fails? It’s a question of when, not if, your bank will experience some form of a cyber attack. How it responds will make a huge difference in terms of both financial and reputational damage. The CISO should be able to present a few slides that summarize the response plan for the top-three threat scenarios. Make sure the information security team is applying lessons from previous incidents that occurred at your bank as well as at other banks in their efforts to aggressively manage the potential fallout from attacks.

5. To what extent are the budgets for technology spending and security spending aligned and proportionately scaled? Security spending should grow proportionately with technology spending. You don’t want your technology infrastructure to grow faster than the information security team’s ability to mitigate the risks. Ensure that the team has the resources it needs to keep pace.

Remember, you don’t have to be a cybersecurity expert to talk to the CISO. If the discussion strays into the technical weeds, steer the CISO back to business issues. The same common sense principles and risk-versus-reward assessments that drive discussions when you’re planning a merger or acquisition are just as helpful if you’re talking about information security risks with your CISO.

How Banks Can Increase Cybersecurity Risk Management


In mid-2015, executives at a bank in Russia awoke one morning to discover that the institution had lost millions of rubles overnight through a series of unauthorized withdrawals made through the automated teller machines of other banks. Earlier in the year, the Russian ruble experienced a volatile 14-minute long swing in the exchange rate that resulted in one financial institution’s reported loss of $3.2 million due to trades. Another well-coordinated attack in 2013 resulted in a loss of $45 million taken from ATM locations around the world when hackers eliminated the cash-withdrawal limits for 12 debit card accounts.

Such attacks are not limited to Russian banks; hackers and other cyber criminals are threatening the security of financial institutions around the world. The rise in cyber threats puts a spotlight on the vulnerability of the IT systems at many financial institutions—and intensifies the need to implement more robust security procedures to protect institutional assets.

A comprehensive assessment of an institution’s cybersecurity environment would have gone a long way towards establishing appropriate technology governance and protecting the assets of those Russian banks.

Targeting the Weakest Link
The most common and effective form of cyberattack is social engineering—that is, contacting personnel by email or phone and duping them into disclosing confidential information that can subsequently be used to gain access to systems and data. Alternatively, emails can be opened by employees who unwittingly release customized and often quite sophisticated malware (the software used by hackers to infiltrate IT systems).

Financial institutions are clearly not immune to such attacks, and the opportunities and attempts for unauthorized access have increased. Traditional security mechanisms such as firewalls are no longer enough on their own to protect an institution from modern threats. Although they still thwart some cyberattacks, outdated banking processes and systems are commonly the weak link exploited in these scenarios.

Implement a Risk-Based Approach
Most banks would claim they have a rich risk-assessment process, and to an extent, this may be true. But the focus is often primarily on business risk, not cybersecurity, and therein lies the issue. As a result, areas of weakness such as interconnection to ATMs may be overlooked. In addition, most banks have limited personnel and security resources dedicated to IT so, despite being attacked virtually every day, they cannot react to all alerts. Moreover, a bank’s internal enterprise risk management group may not be familiar with current risks or trained to respond to advanced threats.

IT investments will be based in part on whether or not the institution has been compromised historically; if management thinks a breach won’t happen, they probably won’t invest heavily in cybersecurity. Larger banks may have the resources to absorb the costs caused by a cybersecurity attack, but that is not true for all financial institutions.

There are a number of steps that financial institutions can take in order to mitigate IT security risks:

  • User awareness training: One of the most effective actions that any organization can take to reduce the risk of successful security attacks is employee and customer education. Strong awareness and education processes are critical actions to take to minimize the risks that social engineering poses. Training will differ, depending on the roles and responsibilities of the users, but an educated workforce and customer base are strong defenses against attacks.
  • Review and apply controls using a risk-based approach: To be truly effective, a risk assessment must get down into the weeds. A robust compliance program will evaluate—and periodically re-evaluate—threats in the entire universe of the banking system.
  • Identify weaknesses: If the bank doesn’t examine the weaknesses in its systems, the hackers will. There is a reason why the hackers used the ATMs owned by one bank to steal money from another institution—they knew that most systems would give them a few hours’ lead time before their withdrawals were reported. Understanding this weakness and implementing mitigating controls such as alerts could have at least minimized the damage inflicted by such an attack.
  • Add controls: Management must develop and implement preventive controls that are designed to keep incidents from occurring and serve as a deterrent against unauthorized access. That said, it should also be assumed that these controls will eventually fail at some point. Therefore, detective controls are needed to monitor for and alert an organization to any malicious or unauthorized activity, including malicious activity—taken knowingly or not—by employees. In addition, corrective controls can help limit the scope of an incident and contain unauthorized activity.
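The “Identify weaknesses” and “Add controls” items above both point at the same detective control: alerting on ATM cash-out activity within minutes rather than hours, and doing so independently of the per-card limit that the attackers in the 2013 case removed. The following is an added example written for this page, not code from the article or from any bank; the policy thresholds, card identifiers and withdrawal records are constructed for illustration.

```python
"""Near-real-time ATM cash-out monitor (added example; thresholds and data are constructed)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Withdrawal:
    card: str
    at: datetime
    amount: float
    atm: str


@dataclass(frozen=True)
class Alert:
    card: str
    at: datetime
    reason: str


# Assumed policy values for the example. The ceiling lives in the monitor itself, so
# deleting or raising a card's own limit in the card system cannot switch it off.
WINDOW = timedelta(hours=1)
POLICY_CEILING = 1000.0      # maximum cash per card per rolling window
MAX_ATMS_PER_WINDOW = 3      # cash-out rings spread withdrawals across many machines


def detect(withdrawals: Iterable[Withdrawal],
           limits_on_file: Dict[str, Optional[float]]) -> List[Alert]:
    """Replay withdrawals in time order and return one Alert per (card, reason).

    Three checks run on every event:
      1. the card's limit on file is missing or above policy (limit tampering),
      2. the rolling-window total exceeds the policy ceiling,
      3. the card was used at many distinct ATMs inside the window.
    """
    alerts: List[Alert] = []
    fired: Set[Tuple[str, str]] = set()
    recent: Dict[str, Deque[Withdrawal]] = defaultdict(deque)

    def fire(card: str, at: datetime, reason: str) -> None:
        if (card, reason) not in fired:        # alert once per card and reason
            fired.add((card, reason))
            alerts.append(Alert(card, at, reason))

    for w in sorted(withdrawals, key=lambda x: x.at):
        limit = limits_on_file.get(w.card)
        if limit is None or limit > POLICY_CEILING:
            fire(w.card, w.at, "withdrawal limit missing or above policy")

        window = recent[w.card]
        window.append(w)
        while w.at - window[0].at > WINDOW:    # drop events older than the window
            window.popleft()

        if sum(x.amount for x in window) > POLICY_CEILING:
            fire(w.card, w.at, "rolling total exceeds policy ceiling")
        if len({x.atm for x in window}) >= MAX_ATMS_PER_WINDOW:
            fire(w.card, w.at, "withdrawals from many ATMs in a short window")
    return alerts


def constructed_events() -> Tuple[List[Withdrawal], Dict[str, Optional[float]]]:
    """Constructed sample: C1 behaves normally; C2 has had its limit removed and is
    cashed out at five machines in forty minutes, mirroring the pattern in the article."""
    day = datetime(2016, 1, 1)
    events = [
        Withdrawal("C1", day + timedelta(hours=9), 200.0, "ATM-A"),
        Withdrawal("C1", day + timedelta(hours=13), 200.0, "ATM-B"),
        Withdrawal("C1", day + timedelta(hours=18), 200.0, "ATM-A"),
    ]
    for i in range(5):
        events.append(Withdrawal("C2", day + timedelta(hours=2, minutes=10 * i),
                                 500.0, f"ATM-X{i}"))
    limits: Dict[str, Optional[float]] = {"C1": 500.0, "C2": None}
    return events, limits


def run_example() -> List[Alert]:
    events, limits = constructed_events()
    return detect(events, limits)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.at:%H:%M} card={a.card}: {a.reason}")
```

The alerts for the constructed data all concern card C2 and fire within twenty minutes of its first withdrawal: the missing limit is flagged on the first event, and the rolling total and the distinct-ATM count both trip on the third. Keeping the ceiling in the monitor rather than trusting the limit stored on the card is the design point; it is the control the article says would have cut the attackers’ lead time.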

With so much at stake—potential financial losses, compromised brand reputations, access to operational capital and possible regulatory violations—taking action is a business imperative.