Goodbye, Wild West: Are You Prepared for a Cyberattack?

Financial institution security practices and policies have substantially evolved since popular media depicted robbers in the Wild West as masked men running down a dirt road with a sack full of cash.

The glorified bank robbery scenario has underpinned the traditional image of bank security: armed guards, panic buttons, armoured vaults and vans — all of which are necessary to protect consumers’ physical money, but do nothing to thwart cybercriminals from attacking.

In June of 2019, Boston Consulting Group’s “Global Wealth” report found that financial services firms were 300 times more likely to be the target of cyberattacks than other companies. This trend seems to be continuing: an April 2021 article from Alloy found that high-risk new account applications were up 137% from March to December of 2020, as compared to the same time period during 2019. The Covid-19 crisis escalated workers’ transition to unsecured home networks, forced consumers onto digital channels and increased institutions’ risk appetite, among other factors.

Cyberthreats like data breaches, malware, ransomware, keyloggers, synthetic fraud, identity theft and trojans — to name a few — are continuously evolving over time. Attacks can happen at opportune moments, like when hackers find weaknesses in networks and firewalls to execute a data breach, or can sit unnoticed in bank systems, harvesting and tracking data over time.

Historically, banks have sought to mitigate the effects of cybercrime after the fact, through measures like advising customers with compromised data to close their accounts and open new ones, or to reset their passwords.

While these instructions were adequate in the early 2000s, they will not work in 2021 and beyond. Beyond repairing the damage a cyber incident causes, customers expect the incident not to occur in the first place.

Banks need to adopt proactive, real-time cybersecurity initiatives if they wish to retain customers, stay ahead of the cyberattack curve and protect their data. It is not enough to perform an annual vulnerability scan. It is not enough to have two-factor authentication. It is not enough to encrypt data. Cybersecurity practices must become an integral and consistent part of a bank’s overall strategy and culture if it wishes to keep customer trust and industry credibility.

But banks don’t have to venture into this endeavor alone. In fact, many don’t want to: Cornerstone Advisors’ 2021 “What’s Going On in Banking” report found that 70% of responding banks were interested in a fintech partnership that provided fraud and risk management services or products. An additional 20% were already engaged in one. When it came to data breach and identity protection services, 67% of banks were interested and 7% were already engaged.

Many financial technology companies are dedicated to working with banks to better secure data and assets. Their products span an incredible range, from completely managing and monitoring a bank’s network to installed software that verifies account data in real time. Just as cyberthreats evolve over time, cybersecurity measures are advancing alongside them.

Three fintechs with a track record of working with banks to protect their institutions from cyberattacks are:

Cimcor’s CimTrak Integrity Suite, which alerts an enterprise to potential breaches by detecting changes to its information technology infrastructure in real time. CimTrak monitors the integrity of critical files, folders, configuration settings, users, policies and authorized registry keys. It also offers complete visibility into a breach from detection to recovery, tracking and encrypting all of the forensic details of the attack and storing them in its database.

DefenseStorm, a cybersecurity company that consolidates security data from all of a bank’s data sources to provide a comprehensive view of online security. Its Threat Ready Active Compliance team co-manages and monitors the network in conjunction with the bank, so the bank doesn’t necessarily need to have a full-time cybersecurity officer or team on staff. DefenseStorm was selected as a finalist for Bank Director’s 2021 Best of FinXTech Awards.

Illusive, a fintech that plants deceptive data — information that looks exactly like what attackers need to progress in a cyberattack — across a bank’s network, servers and endpoints (the devices where users work, including laptops, desktops, workstations and mobile devices). Once the decoy data is touched, Illusive detects the activity and captures forensics from the compromised machine.

Banks are constantly put in high-risk situations, and one cyberattack could derail decades of relationship building. Finding the right technology providers to help thwart attacks, partnered with adaptive internal policies, procedures and training, could give a bank the proactive stance it needs to protect its data, assets and customers in the new Wild West of today.

*All three technology companies are included in Bank Director’s FinXTech Connect platform, a curated database of proven financial technology solutions that are working with banks to better connect them with digital offerings. Fintechs cannot pay to be included and are selected through an interview and vetting process. For more information, please email [email protected] with any questions, comments or concerns.

Banks in Cyber-Fraud Crosshairs

In September 2012, the FBI warned financial institutions about malware attacks targeting bank employees to steal login credentials. Although financial malware such as Zeus and SpyEye has been used to attack online banking customers for years, using these tools to perpetrate fraud directly against financial institutions by compromising bank employee accounts is relatively new. Because banks are generally doing a better job at protecting customers against malware, criminal gangs are looking for another entry point. They are now turning their attention to bank employees, using the same advanced malware and extensive networks of money mules (people who transfer funds stolen from online banking accounts to the criminals). They are also using money laundering to commit fraud against online banking users.

Advanced Malware Battle
The FBI report specifically mentions two types of malware attacks: keylogging and remote access tools (RATs). While keylogging (which copies keystrokes typed by the victim) has existed for many years, RATs (which are used to remotely access and control an infected computer) are a relatively new addition to financial malware toolkits. They have been specifically added to enable pre-attack reconnaissance and to target non-browser-based applications, like email, on employee computers.

Compromising employee devices (PCs and laptops) is relatively straightforward. Cybercriminals use phishing emails to trick users into either opening documents infected with malware or clicking embedded links that lead to websites that serve up malware. Cybercriminals also compromise legitimate websites so that simply visiting a compromised page infects the device. Once the page loads, popular exploit kits, such as Blackhole, scan the user’s device for a variety of vulnerabilities and then use the appropriate files to invisibly install malware. Cybercriminals target both undisclosed and disclosed, but unpatched, vulnerabilities to bypass system restrictions that would otherwise prevent these infections.

Most financial institutions implement controls like anti-virus protection on endpoint devices and intrusion prevention systems (IPS) on the network—both of which are evaded by readily available malware kits. Trusteer Intelligence has found that up to 4 percent of employee devices can be infected with dangerous data stealing malware over the course of a year at a typical financial institution. Most financial institution security professionals understand that anti-virus solutions are ineffective against advanced data-stealing malware that is specifically designed to evade such protections. Evidence of this is readily apparent on bank customers’ computers, which are continuously infected with malware, despite running up-to-date anti-virus software.

Unfortunately, even anti-malware solutions like sandboxing (which places suspicious files in a safe, isolated container on the computer) and virtual machine analysis (which inspects suspicious files on a separate, isolated computer) are not very effective. Worse, these solutions require considerable information technology (IT) management oversight to analyze suspicious files and respond to employees who are prevented from running legitimate, yet blocked, applications on their computers. Additionally, network-based security approaches, such as intrusion prevention systems, only function when the endpoint device is connected to the corporate network. Many employees use corporate devices to connect to the Internet when they are outside the office (e.g., when they are at home or traveling). In fact, a large Trusteer customer recently revealed to us that their corporate-issued employee laptops are ten times more infected with malware than their employees’ desktops.

To Protect the Enterprise, Secure the Endpoints
Knowing that cybercriminals are targeting employee devices, financial institutions must detect and remove the malware before it can do harm. Malware can cause damage only when it is executing on the endpoint machine, such as a laptop or mobile phone. Once malware executes, it exposes itself for what it is. Although we can’t fully prevent malware from infecting a device, we can certainly determine when malware is running—if we know what to look for. This means conducting real-time, persistent device monitoring to find active malware threats and specifically those that seek to compromise a bank’s critical internal information technology systems.

Bank boards should ensure that their IT security and fraud prevention teams are aware of the fact that criminals are attacking bank employee computers to commit fraud. These groups should be able to articulate the defense mechanisms that are in place to prevent malware from infecting employee computers (both desktop and laptop). They should also have protection measures deployed that can prevent infected computers from being used to compromise other systems on the corporate network. Boards should expect the bank to be protected by several layers of security that use multiple technologies, periodic threat assessments, and a detailed mitigation plan in case fraud does occur.