Here are some lessons to learn about the protection of banks’ IT systems and networks
Modern banks face a double security challenge since they have to protect both physical monetary assets stored in their vaults, and sensitive financial data stored in digital ledgers. With neobanks, proper data storage is the ultimate condition of their existence. Compromising customers’ data means lost money, a stained reputation, potential lawsuits, penalties, and loss of public trust. Therefore, maintaining strong cybersecurity policies is crucial in the banking industry.
1. Multi-factor and biometric authentication prevents identity theft
According to Javelin’s 2020 Identity Fraud Report, 13 million consumers in the U.S. were affected by identity fraud in 2019 with total fraud losses of nearly $17 billion. In 2020, the numbers increased significantly. There were 4.8 million identity theft and fraud reports received by the FTC in 2020, up 45% from 2019, mostly due to the 113% increase in identity theft complaints. Tech progress made it easier for criminals to manipulate and socially engineer information while making it harder for financial institutions to detect account takeovers without additional security infrastructure. Account takeovers can be challenging to detect, because fraudsters can hide behind a customer’s positive history and mimic normal login behavior.
Moreover, because of the nature of electronic information, it is now possible to fraudulently obtain and use identifying information on a large, cost-effective scale. Therefore, it’s easier to prevent it from happening in the first place. The first crucial prevention factor is using multi-factor authentication (MFA). This should include biometrics which is difficult to impersonate. MFA has pitfalls too. People may lose their phones or SIM cards and not be able to generate an authentication code, for example. Moreover, if a stolen phone has a banking app installed without biometric authentication, it is technically possible to bypass MFA. However, the technical side is only a part of the puzzle.
2. Increase your customers’ cybertheft literacy
Educating users about password secrecy and phishing attacks is another key element of successful identity-theft prevention. No matter how hard you improve your technical data protection, users’ ignorance will make them reveal secret passwords and codes to fraudsters. The Identity Theft Resource Center (ITRC) reported that cybercriminals continue to be less interested in mass attacks seeking consumer information, but instead they are taking advantage of bad consumer behaviors to commit identity-related crimes against businesses. Thus, criminals can attack businesses using stolen credentials like logins and passwords.
Banks are not an exception. Therefore, banks need to constantly increase their customers’ awareness about potential schemes and disclosed cyber-crimes. Banks should use their social network profiles to teach clients how not to get tricked, send security awareness newsletters, create short education videos, collaborate with media influencers, write easy-to-read informative blog posts, send in-app notifications, etc. Remember that the content should be personalised, i.e. specific to different levels of understanding and experience of various demographic categories. Do not forget to target teenagers and kids, if you offer kids’ banking products. Youngsters may be more gullible and their parents are not always able to explain the cyber threats themselves.
3. Beware of phishing
According to the FBI, phishing was the most common type of cybercrime in 2020. The total number of phishing incidents nearly doubled last year, from 114,702 incidents in 2019, to 241,324 incidents in 2020. In 2019, the share of financial phishing among all phishing types increased from 44.7% to 51.4%. Almost every third attempt to visit a phishing page blocked by Kaspersky products was related to banking phishing (27% share). Although in 2020 the overall percentage of financial phishing went significantly down to 37.2%, banks should not let down their guard at the time. If we analyse the distribution pattern, we can see that the attackers mostly targeted e-shops.
However, that change of activity was apparently connected to lockdown restrictions which forced people to turn to previously unused online shopping options (like grocery purchases). Obviously, cyber criminals could not miss that chance. Yet, with the vaccine introduction, people are more or less returning to their familiar shopping habits. During the fourth quarter of 2020, 22.5% of phishing attacks worldwide were directed towards financial institutions. Saas and webmail services accounted for 22.2% of attacks as well. The second fact is important as only last December FBI Director Christopher Wray warned banks to be wary of “cyber criminals targeting the vulnerabilities in third-party services” as a way in towards financial institution data.
Moreover, scammers began using more spear phishing schemes (targeted attacks on particular organisations). Losses from business email compromise (BEC) have skyrocketed over the last year, reaching $1.8B. Thus, banks should not ease their anti-phishing frameworks and also conduct extensive compliance training for their employees. The data for such training sessions should be constantly updated, as phishing methods evolve and many employees are forced to work from home.
In home-based work settings, the IT infrastructure may not be protected as well as in the office. Speaking of encryption, the use of HTTPS rose sharply across all phishing sites with an impressive 72% making use of digital certificates and TLS encryption. Office 365 also continues to present a rich and compelling target for attackers with fraudsters employing new tactics such as “consent phishing”. Moreover, an increasing number of phishing sites are using evasion techniques to avoid detection and inspection by targeted businesses and security researchers.
4. Use complex encryption
All data stored on computers within your financial institution and online should be encrypted. Companies providing financial services are among those with the highest percentage of exposed sensitive files (352K, on average). Hackers never sleep and can’t miss such an occasion. Therefore, the banking industry suffers most from cybercrime. Namely, the cost of cyberattacks is highest in the banking industry, over $18 million annually per company. When the coronavirus-related panic had just started, a 238% rise in attacks on banks was registered. Thousands of new malware types are released every day. Thus, even if your data is stolen by hackers, encryption will prevent its immediate use. Criminals will need a lot of time and computing resources to decrypt the information, and time is money.
AES 256-bit encryption is the strongest and most robust encryption standard that is commercially available today. However, the hardest encryption to crack is a combination of two to three encryption methods, used together. If this comes along with a complex hash and a well-protected key, decryption could take ages. In addition to MFA, some banks offer encrypted security tokens. These small, handheld devices generate one-time passcodes you use to log into your account. Because they’re physical devices owned by the bank and kept safe by customers, the chances for a hacker to gain access to one’s account are minimal. If phones are stolen frequently, small devices are not.
5. Protect the cloud
Banks are increasingly using cloud environments in their operations. Some of the world’s largest banks use cloud strategies for their digital transformations, including BNP Paribas, Lloyds, Westpac and PecunPay. In Japan, the TSUBASA cloud-based shared banking system was developed and supported by IBM. This core banking system shares business processing features such as deposits, currencies and loans, various channels such as ATM, internet banking and data connecting features with sub-systems.
According to Accenture, today the average bank also has 58% of its workloads in the cloud, mostly in private cloud centres. The Cloud computing system provides a very high level of data protection, especially for sensitive data that includes customer information. However, it has a lot of threats too. Many banks and financial institutions employ third-party services from other vendors in an effort to better serve their customers. Those are connected to the general banking system via the cloud. However, if those third-party vendors don’t have good cyber security measures in place, banks will still suffer from cyber attacks.
Moreover, sometimes hackers don’t just steal data – they change it. It may be challenging to identify, as there is often a lack of adequate visibility within the cloud environment. Therefore, the third-party services used by banks should be provided by reliable partners and have limited permissions. Every user having the admin functions on the cloud must be thoroughly instructed and not share their credentials with colleagues. Don’t forget that data theft is often caused by insiders rather than external attackers.