From Russia with ‘Love’

Cybersecurity has lately become a top concern for bank boards and their senior management teams in the face of an unrelenting wave of ransomware attacks. Now you can add heightened geopolitical tension resulting from Russia’s invasion of Ukraine to the worry list.

“Clearly we have a geopolitical situation going on which, given the threat actor, does raise cybersecurity concerns,” says Kevin Greenfield, deputy comptroller for operational risk policy at the Office of the Comptroller of the Currency. “And financial institutions, as well as government agencies themselves, are very focused on this heightened alert and are making sure that cyber defenses are up.”

And if they’re not, they certainly should be.

In an interview, Greenfield says that threat actors have used cyber attacks against their opponents for political purposes in the past. The concern is that at some point during the conflict in Ukraine, threat actors could turn cyber attacks against this country's critical infrastructure, including its banking system.

“The financial system is a critical infrastructure, which means that it is something that is very important for not just individual institutions,” says Greenfield. “The banking system supports the U.S. economy and the U.S. people. And it’s important to maintain the integrity and resilience of that system. Banks need to make sure they lock down key controls and make sure they are monitoring for any threat indicators.”

The OCC regulates banks with a national charter, but Greenfield’s comments are just as relevant to state-chartered banks regulated by states, the Federal Deposit Insurance Corp., or the Federal Reserve.

In early January, even before the Russian invasion of Ukraine, the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency under the Department of Homeland Security, issued a threat alert, “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.”

In the alert, CISA made the following recommendations for all U.S. companies, including banks.

1. Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.

2. Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.

3. Increase organization vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.

CISA has also set up a website – Shields Up – focused on providing threat information, tools and resources to help all organizations safeguard and respond to geopolitical threats in cyber space. “We have pushed that information out to financial institutions because these are the experts,” says Greenfield.

Separate and apart from the current geopolitical situation, Greenfield says the OCC is also seeing an increase in ransomware attacks. “Just from personal observation, we’re seeing more use of ransomware and using [it] to solicit illicit funds from banks,” says Greenfield. “We’re seeing it and I think one of the reasons why is because it works.”

Greenfield says it’s up to banks whether they should pay a ransom if their critical data has been locked up following an attack. “That’s an institution’s decision,” he says. “Executive management and the board need to make that decision. The one thing I’ll tell you is, understand [that] you’re dealing with criminals. You’re not dealing with honest people. It’s not something that we would encourage, but there’s no regulation against it.”

Any bank that does decide to pay a ransom needs to make sure it doesn’t violate any restrictions that have been imposed by the Office of Foreign Assets Control (OFAC), an agency under the U.S. Treasury Department. “When paying ransoms, be aware of any OFAC requirements and any sanctions on those who might be getting paid,” he says. “You can contact OFAC to request a waiver, but that’s something that will be very important to ensure an institution does not violate any sanctions requirements.”

In the face of continued ransomware attacks, Greenfield says that banks should focus on fundamental elements of cyber security. “We have been very clear on our messaging to banks about the importance of cybersecurity and just fundamental cyber hygiene, because when events do occur and then we explore the root cause, it tends not to be a zero-day exploit, but a basic control oversight,” he says. A “zero-day” vulnerability is a software flaw the vendor does not yet know about and has no patch for; a zero-day exploit is the code that attacks it. Most intrusions, by contrast, use flaws that are already public and patchable.

At the top of Greenfield’s list of poor cyber hygiene habits that leave banks vulnerable to ransomware attacks are weak authentication controls, including the failure to use multi-factor authentication. And even when a multi-factor protocol is in place, banks sometimes grant exceptions that end up getting targeted by hackers who know to look for them.

Greenfield says the federal banking regulators have been emphasizing “effective authentication,” and recently the Federal Financial Institutions Examination Council (FFIEC) – an interagency body of bank and credit union regulators – updated its guidance on authentication. “We tried not to be technology specific so there’s not a corporate requirement for multi-factor,” he says. “But our guidance is you need to have effective authentication, which typically we would see as a layered security approach with multi-factor or similarly strong technologies.”

The guidance also advocates that if nothing else, banks at least take a risk-based approach and protect their most sensitive or critical systems. “This is something that I communicate to all bank management teams; if it’s nonpublic and you don’t want anyone to gain access that’s not authorized, use multi-factor authentication or something similarly strong,” he says. “We’ve seen that malicious actors will get into a system and they will wait for the opportunity to exploit it and move laterally throughout the network as they’re able to figure it out.”

Another vulnerability is poor network management, a potential problem that has been exacerbated by the industry-wide shift to many employees working from home on laptops. Common shortcomings include networks that are not effectively configured, including a failure to turn on security controls that already exist within a particular software product or service. Or a failure to install an available patch when a vulnerability has been identified. “Sometimes we’re seeing they’re not changing default administrator IDs and passwords – I mean, simple things,” Greenfield says. “And especially when we’re talking about off-the-shelf software applications that everyone uses. All those user manuals that you have access to, the bad guys have access to as well, so they know how it works.”

Successful cyber attacks can often be traced back to multiple causes. “Typically, it’s a combination of phishing or some other [tactic] to steal a credential, then weak multi-factor [authentication], and then looking for vulnerabilities such as misconfigured or unpatched systems,” Greenfield says. “The biggest thing I can tell any institution is, make sure your controls are up and as strong as they can be so that you’re not a target, because the one thing that I have seen with many malicious actors is, they’re going to go for the easiest target.”

*Clarification: This article has been amended from an earlier version in part to clarify that Greenfield did not specifically mention Russia in the interview. 

The Threat of Email Compromise

While ransomware attacks grab most of the headlines (the Colonial Pipeline attack in spring 2021, for instance), business email compromise/email account compromise (BEC/EAC) was the top crime by direct loss reported to the FBI in 2020.

Business email compromise attacks have evolved over the decade, and are now also referred to as email account compromise, acknowledging that personal email accounts are also targets. According to the FBI’s Internet Crime Complaint Center’s Internet Crime Report for 2020, more than $1.8 billion was lost in 2020 to BEC/EAC attacks. That is more than 50 times the money lost in direct payments to ransomware attacks. BEC/EAC attacks are also much more common, with nearly eight times as many complaints to the FBI compared to ransomware: 19,369 email complaints, compared to 2,474 ransomware complaints in 2020.

Ransomware is still a serious threat, including the threat of business interruption, but you are more likely to be targeted in a BEC/EAC attack than a ransomware attack. A BEC/EAC attack in 2021 usually starts with one of the following:

  • A successful phishing attack against an individual. A fraudulent email is sent to an individual, usually as a part of a large campaign, and that email tricks the user into entering their credentials into a fake login form, which then passes those credentials to the attacker.
  • A successful social engineering attack. Social engineering attacks are most often carried out over the phone, but can also be accomplished via email or instant messaging, or even in person. The attacker will contact the victim and convince them to provide information or inappropriate access to the attacker. In a BEC/EAC attack, the victim’s email login credentials are most valuable.
  • A successful computer intrusion. Computer intrusion in this context is a catch-all for malware and active intrusion of computer systems, resulting in credential compromise.

After gaining access to the victim’s email account, the attacker may lie in wait until a valuable transaction is sent over email. If the account compromised isn’t a valuable enough target, the attacker may use the victim’s account to launch more attacks against the victim’s contacts.

BEC/EAC losses hit organizations in every industry; the common thread is business conducted by wire transfer. The attacker waits until an email carrying wire instructions is received or expected, then replaces the legitimate instructions with fraudulent ones. Once the wire reaches the wrong bank, the funds are quickly moved on to other banks, often overseas. In many of these cases the victim did not notice the wire was missing for a month or longer, well past the window in which the funds could be recalled.

Protecting Yourself and Your Bank

The good news is that you can protect yourself and your organization from these attacks, but it requires vigilance and some inconvenience. Below is a summary of steps to protect personal and company email accounts:

  • Train employees to recognize phishing emails. Common tells are poor grammar and spelling, a sense of urgency, or a link to log in and fix a problem or verify information. Well-written phishing emails with none of these tells are increasingly common, so training should stress verifying requests, not just spotting sloppy ones.
  • Do not click links in emails, instant messages or text messages.
  • Enable multi-factor authentication on all accounts that support it. With multi-factor authentication, a stolen password alone is not enough to log in, which defeats most credential phishing. It is not absolute: attackers can bombard a user with push prompts until one is approved, or proxy the real login page to capture a one-time code, so phishing-resistant methods such as FIDO2 security keys are preferable where available.
  • Insist that payments be sent by physical check, not a wire transfer, whenever possible.
  • If a wire must be sent, call a known number on file to verify the wiring instructions when sending a wire to a company for the first time and any time the wire instructions change. If you don’t know the sender’s phone number, call the company’s main number. Do not rely on information in the email, including the phone number. If you do call that number, you may be calling the attacker.
  • Regularly update your computer, cell phone and any other device you use to access email with all security patches.
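The wire-instruction check described above (compare the email against the vendor record on file, and call only a number obtained independently of the email) can be automated as a pre-release control in accounts payable. The following is an added example, not code from the article or from any bank or vendor it names. The vendor record, the email fields, the phrase list and the regular expressions are constructed for illustration; a real deployment would draw the vendor master data from the payments system and tune the phrases to its own mail.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    """What the paying organisation holds on file (constructed sample).
    The phone number comes from onboarding, never from an email."""
    name: str
    email_domain: str      # domain the vendor really sends from
    account_last4: str     # last four digits of the bank account on file
    phone_on_file: str     # independently verified callback number


@dataclass(frozen=True)
class WireEmail:
    """The fields of an incoming email that matter for the check (constructed)."""
    vendor: str            # vendor the message claims to be from
    from_addr: str
    reply_to: str
    body: str


VENDORS = {
    "acme supply": VendorRecord("Acme Supply", "acmesupply.com", "4471", "+1-555-0100"),
}

# Hypothetical phrases that signal a change of payment details; tune to your mail.
CHANGE_PHRASES = ("new bank", "updated wire instructions", "changed our account",
                  "new account number", "different account")
ACCOUNT_RE = re.compile(r"account(?: number| no\.?| #)?\s*[:#]?\s*(\d{6,})", re.I)
CALLBACK_RE = re.compile(r"(?:call|phone|reach)\D{0,30}?(\+?\d[\d\-\s().]{7,}\d)", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, real: str) -> bool:
    """True for domains a reader could mistake for the real one (acrnesupply.com,
    acmesupply.co, acmesupply-billing.com); False for the real domain itself."""
    if domain == real:
        return False
    return edit_distance(domain, real) <= 2 or real.split(".")[0] in domain


def assess(email: WireEmail) -> dict:
    """Return the red flags in a wire-instruction email and the action to take.
    Whenever anything is flagged, the action is to call the number on file."""
    vendor = VENDORS.get(email.vendor.lower())
    if vendor is None:
        return {"flags": ["vendor not in master file"], "call": None,
                "action": "verify through a channel independent of this email"}
    flags = []
    for header, addr in (("From", email.from_addr), ("Reply-To", email.reply_to)):
        d = domain_of(addr)
        if d != vendor.email_domain:
            kind = "a lookalike of" if is_lookalike(d, vendor.email_domain) else "unrelated to"
            flags.append(f"{header} domain {d} is {kind} {vendor.email_domain}")
    if any(p in email.body.lower() for p in CHANGE_PHRASES):
        flags.append("email asks to change wire instructions")
    m = ACCOUNT_RE.search(email.body)
    if m and m.group(1)[-4:] != vendor.account_last4:
        flags.append(f"account in email ends {m.group(1)[-4:]}; "
                     f"account on file ends {vendor.account_last4}")
    if CALLBACK_RE.search(email.body):
        flags.append("email supplies its own callback number; do not use it")
    if flags:
        return {"flags": flags, "call": vendor.phone_on_file,
                "action": f"hold the wire and call {vendor.phone_on_file} (number on file)"}
    return {"flags": [], "call": None,
            "action": "matches vendor record; release under normal controls"}


if __name__ == "__main__":
    # Constructed message: spoofed From, typosquatted Reply-To, new account, own callback number.
    fraud = WireEmail("Acme Supply", "billing@acmesupply.com", "billing@acrnesupply.com",
                      "We have changed our account. Please wire invoice 1182 to account "
                      "number 77200001923. Call me at +1-555-0199 with any questions.")
    for flag in assess(fraud)["flags"]:
        print("FLAG:", flag)
    print(assess(fraud)["action"])
```

Note that the Reply-To header is checked separately from From: a common BEC pattern leaves the visible sender intact and routes replies to a lookalike domain. The callback number the check returns always comes from the vendor record; the number in the email is only ever reported as a red flag.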

Goodbye, Wild West: Are You Prepared for a Cyberattack?

Financial institution security practices and policies have substantially evolved since popular media depicted robbers in the Wild West as masked men running down a dirt road with a sack full of cash.

The glorified bank robbery scenario has underpinned the traditional image of bank security: armed guards, panic buttons, armored vaults and vans. All of these are necessary to protect consumers’ physical money, but they do nothing to stop cybercriminals.

In June of 2019, Boston Consulting Group’s “Global Wealth” report found that financial services firms were 300 times more likely to be the target of cyberattacks than other companies. This trend seems to be continuing: an April 2021 article from Alloy found that high-risk new account applications were up 137% from March to December of 2020, compared to the same period in 2019. The Covid-19 crisis pushed workers onto unsecured home networks, forced consumers to move to digital channels and increased institutions’ risk appetite, among other factors.

Cyberthreats like data breaches, malware, ransomware, keyloggers, synthetic fraud, identity theft and trojans — to name a few — are continuously evolving over time. Attacks can happen at opportune moments, like when hackers find weaknesses in networks and firewalls to execute a data breach, or can sit unnoticed in bank systems, harvesting and tracking data over time.

Historically, banks have sought to mitigate the effects of cybercrime, like advising customers with compromised data to close their accounts and open new ones, or reset their passwords.

While these instructions were adequate in the early 2000s, they will not work in 2021 and beyond. Beyond repairing the damage a cyber incident causes, customers expect the incident not to occur in the first place.

Banks need to adopt proactive, real-time cybersecurity initiatives if they wish to retain customers, stay ahead of the cyberattack curve and protect their data. It is not enough to perform an annual vulnerability scan. It is not enough to have two-factor authentication. It is not enough to encrypt data. Cybersecurity practices must become an integral and consistent part of a bank’s overall strategy and culture if it wishes to keep customer trust and industry credibility.

But banks don’t have to venture into this endeavor alone. In fact, many don’t want to: Cornerstone Advisors’ 2021 “What’s Going On in Banking” report found that 70% of responding banks were interested in a fintech partnership that provided fraud and risk management services or products. An additional 20% were already engaged in one. When it came to data breach and identity protection services, 67% of banks were interested and 7% were already engaged.

Many financial technology companies are dedicated to working with banks to better secure data and assets. Their products span an incredible range, from completely managing and monitoring a bank’s network to installed software that verifies account data in real time. Just as cyberthreats evolve over time, cybersecurity measures are advancing alongside them.

Three fintechs that have proven to work with banks in protecting their institutions from cyberattacks are:

Cimcor’s CimTrak Integrity Suite, which alerts an enterprise to a potential breach by detecting changes to its IT infrastructure in real time. CimTrak monitors the integrity of critical files, folders, configuration settings, users, policies and authorized registry keys. It also offers visibility into a breach from detection to recovery, tracking and encrypting the forensic details of the attack and storing them in its database.
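The core of file integrity monitoring as described above is a trusted baseline of what critical files should look like, compared against the live system so that any drift (content changed, permissions changed, files added or removed) is reported. The following is an added example of that mechanism written for this page; it is not Cimcor's code and does not reflect how CimTrak is implemented. The directory tree, file names and the simulated intruder actions are constructed inside a temporary directory; in production the baseline would be stored off-host or signed, since an attacker who can rewrite the baseline can hide their changes.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record content hash, permission bits and size of every regular file under root.
    Keys are forward-slash relative paths so baselines compare across hosts."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, sockets, devices
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            state[rel] = {"sha256": file_digest(path),
                          "mode": stat.S_IMODE(st.st_mode),   # includes setuid/setgid bits
                          "size": st.st_size}
    return state


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified (content, size or mode)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a small constructed tree, take a baseline, simulate an intrusion and
    report the drift. Everything lives in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o644):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)

        write("etc/sshd_config", b"PermitRootLogin no\nPasswordAuthentication no\n")
        write("bin/app", b"\x7fELF fake binary\n", 0o755)
        write("html/index.html", b"<h1>Online Banking</h1>\n")
        baseline = snapshot(root)   # in production: store off-host or sign it

        # Simulated intruder: weaken a config, set the setuid bit on a binary without
        # touching its bytes, drop a hidden helper script, and delete a web page.
        write("etc/sshd_config", b"PermitRootLogin yes\nPasswordAuthentication yes\n")
        os.chmod(os.path.join(root, "bin", "app"), 0o4755)
        write("bin/.helper", b"#!/bin/sh\n# planted by the simulated intruder\n", 0o755)
        os.remove(os.path.join(root, "html", "index.html"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The setuid case is why the snapshot records permission bits as well as a content hash: a hash-only monitor would report `bin/app` as unchanged even though it has just become a privilege-escalation path.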

DefenseStorm, a cybersecurity company that consolidates security data from all of a bank’s data sources to provide a comprehensive view of online security. Its Threat Ready Active Compliance team co-manages and monitors the network in conjunction with the bank, so it doesn’t necessarily need to have a full-time cybersecurity officer or team on staff. DefenseStorm was selected as a finalist for Bank Director’s 2021 Best of FinXTech Awards. 

Illusive, a fintech that plants deceptive data, information that looks exactly like what attackers need to progress in an attack, across a bank’s network, servers and endpoints (laptops, desktops, workstations, mobile devices and the like). When an attacker takes the bait, Illusive detects the attempt and captures forensics from the compromised machine.
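Deception of the kind described above works because a decoy credential has no legitimate use: nobody and no scheduled job ever logs in with it, so a single authentication attempt naming it is a high-confidence signal, and the source of that attempt is the machine to investigate. The following added example shows the two halves of the technique in miniature: planting a decoy credentials file where an intruder on a workstation would look for one, and scanning sshd log lines for any use of the decoy account. It is written for this page and is not Illusive's code; the decoy account names, the decoy file contents and the sample log lines are all constructed.

```python
import os
import re
import tempfile

# Decoy accounts exist only as bait (constructed names). Any auth event naming one,
# successful or not, is an alert; there is no legitimate traffic to filter out.
DECOY_ACCOUNTS = {"svc-backup-adm", "db_migrate_ro"}

# OpenSSH auth.log line shape: "<ts> <host> sshd[pid]: Accepted|Failed <method> for
# [invalid user ]<user> from <src> port <port> ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")


def plant_decoy(directory: str) -> str:
    """Write a decoy credentials file that looks like a forgotten backup-job config.
    The host and password are fake; they only have to look real. Returns the path."""
    path = os.path.join(directory, ".backup_creds")
    with open(path, "w") as f:
        f.write("# nightly backup to fileserver (do not share)\n")
        f.write("host=fileserver.corp.example\n")
        f.write("user=svc-backup-adm\n")
        f.write("password=Wint3r!Backup2021\n")
    os.chmod(path, 0o600)   # a world-readable secret would look planted
    return path


def demo_plant() -> str:
    """Plant a decoy in a scratch directory and return its contents."""
    with tempfile.TemporaryDirectory() as d:
        with open(plant_decoy(d)) as f:
            return f.read()


def parse_sshd(line: str):
    m = SSHD_RE.match(line)
    return m.groupdict() if m else None


def detect_decoy_use(lines) -> list:
    """One alert per auth event that names a decoy account. The 'src' field is the
    host to isolate: it is where the stolen decoy is being used from."""
    alerts = []
    for line in lines:
        ev = parse_sshd(line)
        if ev and ev["user"] in DECOY_ACCOUNTS:
            alerts.append({"ts": ev["ts"], "decoy": ev["user"], "src": ev["src"],
                           "target": ev["host"], "result": ev["result"],
                           "severity": "critical"})
    return alerts


# Constructed sample log. 10.0.5.23 tries the decoy twice and also logs in as a
# real user, which tells the analyst that jsmith's credential is exposed too.
SAMPLE_LOG = """\
Mar  3 08:12:41 fileserver sshd[1811]: Accepted publickey for jsmith from 10.0.1.40 port 50022 ssh2
Mar  3 08:15:02 fileserver sshd[1840]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Mar  3 09:03:55 fileserver sshd[2213]: Failed password for svc-backup-adm from 10.0.5.23 port 51344 ssh2
Mar  3 09:03:58 fileserver sshd[2213]: Accepted password for jsmith from 10.0.5.23 port 51345 ssh2
Mar  3 09:04:10 fileserver sshd[2219]: Failed password for svc-backup-adm from 10.0.5.23 port 51350 ssh2
""".splitlines()


if __name__ == "__main__":
    for alert in detect_decoy_use(SAMPLE_LOG):
        print(alert)
```

Note that the generic brute-force attempt against `admin` from the internet produces nothing here; the detector is deliberately narrow, and the internal host that reads a planted file and tries the account in it is what it is built to catch.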

Banks are constantly put in high-risk situations, and one cyberattack could derail decades of relationship building. Finding the right technology providers to help thwart attacks, partnered with adaptive internal policies, procedures and training, could give a bank the proactive stance it needs to protect its data, assets and customers in the new Wild West of today.

*All three technology companies are included in Bank Director’s FinXTech Connect platform, a curated database of proven financial technology solutions that are working with banks to better connect them with digital offerings. Fintechs cannot pay to be included and are selected through an interview and vetting process. For more information, please email [email protected] with any questions, comments or concerns.