Cyber threats against financial service organizations are on the increase, and the COVID-19 pandemic has only served to accelerate this trend.
By the middle of 2020, cyber attacks against banks had risen by 238%, which points to cybercriminals jumping at the chance to exploit new opportunities arising from the chaos.
The pandemic forced many companies to adapt by making significant physical, operational, and technological changes to their operations, often at speed, which exposed vulnerabilities for some. Protecting data and systems therefore requires knowing which threats to watch out for and how to defend against them.
The pandemic will come to an end of course, but it’s a mistake to think that the tide of cyber threats will subside once it does. The rise in cyber threats only emphasizes the appetite that criminals have for finding their way past the defenses of financial service organizations.
35% of all data breaches are perpetrated against financial services organizations. That’s more than any other sector, possibly because they routinely handle more money than other types of business.
Cybersecurity experts see a variety of significant cyber threats facing financial service organizations, ranging from well-known exploits to newly emerging threats.
Cyber attacks are often launched using “backdoors” – compromised applications that give remote access to hackers – because they bypass intrusion detection systems. Terms like connection availability abuse, legitimate platform abuse, and custom DNS lookups all refer to types of backdoor cyber attacks.
ShadowPad is the name of one almost successful supply chain cyber attack carried out on a financial institution. Luckily, it was caught when the company noticed suspicious DNS requests on a financial transactions processing system. They traced them to server management software that’s actually produced by a legitimate company and is trusted by hundreds of customers in various industries, but it wasn’t supposed to be making such requests.
It was only thanks to active auditing and monitoring that it was caught in time, and this is one of the reasons why we recommend using a managed IT services provider to put in place such risk mitigation measures.
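The ShadowPad case above was caught because someone was watching which names a transaction-processing host resolved. The following is an added illustrative example (not code from the article, and not from the actual ShadowPad investigation) of the kind of check that catches it: each sensitive host is given a baseline of the names it is expected to look up, and any query outside that baseline raises an alert, with machine-generated-looking labels flagged by their character entropy. The host names, domains and log lines are constructed for the demonstration.

```python
"""Flag unexpected outbound DNS lookups from hosts that should only ever
resolve a small, known set of names.

Added illustrative example; not code from the original article or from the
ShadowPad investigation it describes. Host names, domains and log lines
below are constructed for the demonstration.
"""
import math
from collections import Counter, defaultdict

# Constructed baseline: the names each sensitive host is expected to resolve.
# In practice this would be learned from a quiet period or taken from the
# system's documented dependencies (database, time source, vendor updates).
EXPECTED_LOOKUPS = {
    "txn-proc-01": {"core-db.internal.example", "ntp.internal.example",
                    "updates.vendor-mgmt.example"},
}

# Constructed DNS query log: "<timestamp> <client host> <queried name>"
SAMPLE_LOG = """\
2020-06-01T10:00:01 txn-proc-01 core-db.internal.example
2020-06-01T10:00:05 txn-proc-01 ntp.internal.example
2020-06-01T10:01:12 txn-proc-01 updates.vendor-mgmt.example
2020-06-01T10:02:40 txn-proc-01 xk3q9z7vb2m.attacker-cc.example
2020-06-01T10:03:02 txn-proc-01 core-db.internal.example
2020-06-01T10:04:15 workstation-7 www.news.example
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character in a DNS label; machine-generated
    labels tend to score noticeably higher than human-chosen ones."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (timestamp, host, name) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[0], parts[1], parts[2].lower().rstrip(".")


def find_unexpected_lookups(log_text: str, expected=EXPECTED_LOOKUPS,
                            entropy_threshold: float = 3.0):
    """Return a list of alert dicts for monitored hosts that resolved names
    outside their baseline. Unmonitored hosts are ignored so the rule stays
    focused on systems that should be quiet."""
    alerts = []
    seen = defaultdict(set)
    for ts, host, name in parse_log(log_text):
        if host not in expected:
            continue
        if name in expected[host] or name in seen[host]:
            continue
        seen[host].add(name)  # alert once per new name per host
        first_label = name.split(".")[0]
        alerts.append({
            "timestamp": ts,
            "host": host,
            "name": name,
            "high_entropy": shannon_entropy(first_label) > entropy_threshold,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_lookups(SAMPLE_LOG):
        print(alert)
```

Run over the sample log, the rule stays silent on the baseline names and on the unmonitored workstation, and produces a single alert for the transaction host's query to the unfamiliar, high-entropy name. The entropy flag is a prioritisation hint rather than a verdict; the baseline miss alone is what warrants a look, exactly as in the case described above.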
Banks and other financial service providers need to stay competitive, so they are constantly trying to offer more to their customers. More features mean more components in the supply chain and thus more complexity, and the increased interconnectedness of those components and their inherent interdependencies have introduced more avenues of attack for criminals to exploit.
Supply chain attacks are nothing new, but recent ones on financial institutions during the COVID pandemic have involved technology service providers (TSPs), including managed service providers (MSPs) and cloud service providers (CSPs).
Some TSPs have fallen prey to ransomware attacks, which have knocked out core technology for the banks and impacted all of the financial providers that they serve.
Banks and financial service supply chains are dependent on the telecommunications ecosystem. SMS text messages are often a key part of two-factor authentication, but it’s known that weaknesses in SS7, the signaling protocol that texting relies on, have sometimes allowed cyber attackers to intercept them.
Likewise, the global navigation satellite systems (GNSS) that stock exchanges rely on to timestamp financial transactions can be spoofed or jammed, and there’s potential for this kind of activity to block ATMs from working properly because transactions can’t be time-stamped and thus verified.
There is no quick fix for some of these problems. The increasing number of avenues for supply chain cyber attacks makes it essential for financial institutions to at least actively share intelligence and plan collective responses to cybersecurity threats.
We’ve seen a rise in credential-stealing malware since the start of the pandemic, including mobile-targeting variants like EventBot and Cerberus. Between them, these two can harvest the customer credentials of 200 banks and financial institutions. If that alone wasn’t reason enough for criminals to want to use them, COVID-19 has provided an additional spur in the shape of stimulus packages and furlough schemes designed to funnel relief money to beleaguered businesses and workers.
The problem with credential stealing malware like Cerberus is that it’s for sale openly on the darknet, and its biggest seller there reported huge sales in April 2020. This illegal store made more money in one week than it had in the previous four months put together – a clear sign that stealing such sensitive information became more lucrative as the pandemic took hold.
Although it’s claimed that Cerberus may have been installed more than one million times, its creators say they have now disbanded. However, they’ve given away the source code for free, so we can expect this threat and others like it to persist.
Deep fakes are AI-generated copies of human physical attributes like faces and voices that can be hard to distinguish from the real thing. In March 2019, criminals used a deep fake voice to impersonate a CEO, and it was so realistic that they managed to trick company staff into setting up a fraudulent transfer of US$245,000.
With that kind of success, such cyber threats are bound to increase in both frequency and variety. If facial recognition software is used then it’s time to review whether it can be fooled by deep fakes.
This particular case points to the need for staff training and policy changes to add extra layers of protection for high-value transactions.
5G or fifth-generation mobile networks are being adopted around the world because they offer faster data speeds over the air. The problem for financial service providers is that this new infrastructure is being put in by just a handful of technology providers, which raises questions of trust and integrity. Could nation-states use them to spy on or cripple adversaries? The United States is certainly treating Huawei as a potential espionage vehicle for China.
With so few providers of 5G technology, the fallout from a single malicious campaign or backdoor exploit could create a knock-on effect for multiple victims globally because customers are all reliant on the same few technology providers.
Disruptive (in the good, entrepreneurial sense) financial technology providers (FinTechs) have quickly proliferated in new markets and the financial sector has come to rely on them to deliver core products and services. But one problem with them is that they aren’t regulated in the same way that traditional financial institutions are.
One survey revealed that in New York, 38% of FinTechs said that they weren’t addressing regulatory issues, which could mean that their processes may not be secure enough, and that bad actors may see them as a shortcut to other providers’ systems and data.
Threat groups used ransomware against 20 smaller local governments in Texas during 2019. It was the first attack of its kind, and a federal and state-level response dealt with it swiftly. But this won’t be an isolated incident, and financial institutions and banks are sure to be high on attackers’ lists. So, in the same way that naval fleets conduct battle exercises to rehearse their responses to threats, banks and financial service providers need to be proactive, prioritizing multi-party attack simulations involving players from within the industry and parties that are connected to it.
It’s now well established that online misinformation campaigns can influence everything from the reputations of individuals to the outcomes of elections. They can also damage trust in state-run banks and private institutions, and be used to manipulate markets for gain.
In the wake of COVID-19, the NASDAQ, Securities Exchange Commission, and FINRA have all issued warnings to expect market manipulation. In the volatile markets brought about by the pandemic, malicious actors see opportunities to profit.
‘Pump and dump’ schemes involve artificially inflating the price of a stock before selling it, for example, and there is also the opposite scenario – engineering a price drop and profiting through shorting (borrowing an asset to sell, buying it back at a lower price and pocketing the difference). A false WhatsApp rumor started a run on a bank in London, England during 2019, resulting in an 11% drop in its share price. The bank had to reassure its customers that it wasn’t collapsing.
This kind of thing has happened a few times across different countries and may not actually be orchestrated, but bad actors will be taking note and so banks and financial service providers should consider preparing for more widespread occurrences of misinformation attacks.
Google Suite web applications are among many that we’ve come to depend on, but they’re exposed because they rely on user input. Access to these apps is via port 80 (HTTP) or port 443 (HTTPS). The attacks on them can include unvalidated redirects and forwards, SQL injection, and DDoS attacks.
One way to defend against these cyber threats is to use an intelligent web application firewall (WAF) alongside a behavioral firewall that blocks cross-site scripting (XSS) attacks.
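Unvalidated redirects, listed above among the attacks on web applications, are usually fixed in the application itself rather than at the firewall. The following is an added example, not code from the article: a login handler's post-login redirect, shown first as it is typically written (trusting the `next` parameter verbatim) and then with the target resolved and checked against an allow-list of the application's own hosts. The host names and base URL are constructed for the demonstration.

```python
"""Validating a post-login redirect target so it can only point back at
the application's own hosts.

Added illustrative example; not code from the article. The allow-list of
hosts and the base URL are constructed for the demonstration.
"""
from urllib.parse import urljoin, urlparse

ALLOWED_HOSTS = {"bank.example", "online.bank.example"}  # constructed
APP_BASE = "https://online.bank.example/"                 # constructed


def redirect_target_unsafe(next_url: str) -> str:
    """Pre-fix behaviour: honours the 'next' parameter verbatim, so a link
    carrying ?next=https://evil.example sends the user off-site after login
    (an unvalidated redirect)."""
    return next_url


def redirect_target_safe(next_url: str, default: str = APP_BASE) -> str:
    """Resolve 'next' against the application base URL and only honour it
    if the result stays on an allowed host over HTTPS; otherwise return
    the default landing page."""
    if not next_url:
        return default
    # Some browsers treat "/\" like "//", which would let a path-looking
    # value escape to another host; refuse backslashes outright.
    if "\\" in next_url:
        return default
    # urljoin turns relative paths into absolute application URLs and
    # leaves absolute URLs (including scheme-relative //evil.example)
    # as they are, so every case below is checked the same way.
    resolved = urljoin(default, next_url)
    parsed = urlparse(resolved)
    if parsed.scheme != "https":
        return default
    # Reject userinfo tricks such as https://online.bank.example@evil.example
    if parsed.username is not None or parsed.password is not None:
        return default
    if parsed.hostname not in ALLOWED_HOSTS:
        return default
    return resolved


if __name__ == "__main__":
    # Constructed redirect parameters a login page might receive.
    samples = [
        "/accounts/summary",
        "https://evil.example/",
        "//evil.example/",
        "https://online.bank.example@evil.example/",
        "http://online.bank.example/",
        "/\\evil.example",
    ]
    for sample in samples:
        print(f"{sample!r:45} -> {redirect_target_safe(sample)}")
```

The hardened version never builds its own decision from string prefixes; it lets the URL parser resolve the value first and then checks scheme, userinfo and host on the result, which is what closes the scheme-relative and userinfo variants that a naive `startswith("/")` check lets through.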
Simple measures like clearing stored cookies, staying away from dubious websites, and Endpoint Detection and Response are basic, essential housekeeping activities for reducing cybersecurity threats. It’s also essential to audit your databases on a regular basis so that any potential vulnerabilities can be identified before they can be exploited.
It’s known that banks and financial service providers are especially reliant on legacy systems and that some of these have been inherited due to mergers and acquisitions. Some finance systems running today are still coded in the 60-year-old COBOL language and the number of qualified people maintaining its codebase is declining.
While many banks and financial service providers are increasingly moving services to the cloud, it’s not always as easy as simply ‘lifting and shifting’ them. Such moves need to be planned carefully to avoid the pitfalls, such as accidentally exposing legacy login credentials during the transition.
However, it is possible to combine legacy and cloud-based services safely, as this example illustrates. The UK’s Treasury Committee looked into financial services sector IT failures and found that the operational risks that this creates weren’t being adequately addressed. Perhaps with this in mind, The Bank of England’s Real Time Gross Settlement Renewal Programme or RTGS2 has been designed to offer greater levels of resilience and yet still be ‘future proof’ when it’s completed in 2024. Despite using the legacy financial messaging service SWIFT for connectivity and messaging services it will not rely on any single message network. Banks around the world are naturally watching its development closely.
DDoS attacks are for sale on the darknet for as little as $150, which is not much to pay for visiting a week's worth of disruption on somebody’s business. A distributed denial of service attack uses botnets to bombard a target organization with overwhelming amounts of traffic. If the business can’t function normally, this causes financial losses and also reputation damage.
One recent twist on DDoS attacks has been using them for ransom. In February 2020 Australian banks and financial institutions faced attacks from a group called Silence. Their approach was to threaten continued disruption unless ransoms were paid.
DDoS attacks are responsible for one-third of all network downtime occurrences, but since they’re an older threat, many defensive tools are available. For instance, reputation-based blocking involves building a database of previously identified malicious URLs to guard against future attacks.
There are also routing options that dilute malicious traffic, such as Anycast, for example. This solution splits up DDoS attack traffic so that no single target is overwhelmed.
According to research, 60% of cyber threats come from within the company itself, and banks and financial service providers are among the top three sectors affected. Of those cyber threats, 75% are deliberate, so think unhappy employees offering up their login details to a hacker, for instance. The other 25% are down to human error. People make mistakes, and that’s exactly what phishing attacks rely on.
Phishing and spear-phishing attacks are forms of social engineering. The term ‘social’ comes from the fact that they involve a confidence trick. In this cyber threat, a legitimate-looking email is sent to the victim. They open it, are tricked into clicking on an attachment, and a malware payload is released that compromises security.
Training is obviously a key defense here, along with frequent reminders to be vigilant and internal testing using fake phishing emails.
These and other cyber threats are now an unfortunate reality of doing business. Everyone from nation-states down to opportunistic credit card fraudsters is looking to gain unauthorized access to systems, commit data breaches, inject malware, steal sensitive data, and more.
Ntiva delivers managed IT services and we are experts at helping banks and financial service providers to stay safe, compliant, and competitive amidst the constantly evolving complexity of cyber threats. Give us a call to discuss your needs, and we’ll help you to navigate the most cost-effective solutions.
Want to learn more about IT Services and Support for Financial Firms? See Ntiva’s Financial IT Services and Solutions.