Today’s Top Threats to the Financial Industry

Verizon has identified the dangers financial businesses are facing. Here are tips for combatting them.

By Ken Michael

When we tuck our money into a bank, invest it in stocks, or put money into a 401(k) for our retirement, we like to think of it as “safe.” The fact of the matter is that the financial industry is just as compromised as others when it comes to cybersecurity, and businesses need to take action to promote a secure environment for clients.

“No locale, industry, or organization is bulletproof when it comes to the compromise of data,” according to the 2016 Data Breach Investigations Report (DBIR) by Verizon.

Over the course of the last three years, there have been several repeated threats to businesses in the financial sector: Web application attacks, distributed denial of service (DDoS) attacks, and the use of payment card skimmers.

Web Application Attacks
Through the last decade, more and more businesses have turned to the web as a way to connect with both current and potential customers. Visitors to enterprise websites are often invited to subscribe to newsletters, submit an application form when requesting services or products, or provide details to customize their browsing experience when they next visit the business website. All of this data is captured, stored, and transmitted to be used by the business.

It is that very data cybercriminals are after as it typically includes names, email addresses, phone numbers, and more. Many web apps have direct access to backend data so if a hacker finds a chink in your security armor, they can easily acquire sensitive information. Attackers will often target such websites to steal personal data and credentials that they can use elsewhere. This is why web app attacks are on the rise in general and have become one of the greatest threats to the financial industry.

A Prevalent Problem
Between 2016 and 2018, web app attacks accounted for nearly half of the incidents included in the Verizon DBIRs for those years. In 2016, web app attacks accounted for 48 percent of verified incidents. That was an increase of 17 percent over the previous year. In its most recent report, the 2018 DBIR, Verizon stated that about 40,000 web app attacks were accounted for in that year alone, most of which were the result of banking Trojan botnets.

Web application incidents included exploits of code-level vulnerabilities in applications as well as the thwarting of authentication mechanisms by employing keylogging malware. With these methods, hackers are able to infiltrate systems and steal valuable consumer information. Year after year, the Verizon report shows cybercriminals are financially motivated, and this personal data can really make them bank on the dark web.

The Multi-factor Factor
One of the best ways to combat web app attacks is the use of multi-factor authentication. Implement two-factor authentication in your business for those who administer any web applications or databases. If at all possible, establish two-factor authentication with all users in your organization. Anything mission critical to your business or the protection of your client data should be protected with multi-factor authentication. You can also encourage customers to vary their passwords and use two-factor authentication.

Supervise Input & Storage
Ensure that you are validating information going to your network. Whether that means making sure an image upload is actually an image and not a web shell or that users can’t pass commands to the database via the customer name field, you must supervise the information going into your system. You can employ a Web Application Firewall to monitor information going into your network and stop invalid input from doing any harm. As a business, you’ll also want to limit the amount of sensitive data stored in web-facing applications as much as possible.
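The two checks named above, sketched in Python as an added example (not code from the Verizon report or from the original article): an upload is accepted only when its leading bytes match an allowed image type and the extension agrees, and the customer name is written with a bound parameter. The table, function names and sample inputs are assumptions constructed for illustration.

```python
import sqlite3

# Leading "magic" bytes for the image types this hypothetical upload form accepts.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ALLOWED_EXT = {"png": {"png"}, "jpeg": {"jpg", "jpeg"}, "gif": {"gif"}}

def detect_image_type(data: bytes):
    """Return the image type indicated by the file's content, or None."""
    for kind, magic in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def accept_upload(filename: str, data: bytes) -> bool:
    """Accept only when the content is an image AND the extension agrees with it."""
    kind = detect_image_type(data)
    if kind is None:
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXT[kind]

def save_customer(conn, name: str) -> int:
    """Store the name with a bound parameter so it is treated as data, never as SQL."""
    cur = conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    # Constructed inputs: a script named like a picture, a PNG header, a hostile "name".
    script_as_jpg = b"<?php /* not an image */ ?>"
    real_png = IMAGE_SIGNATURES["png"] + b"\x00" * 16
    hostile_name = "Robert'); DROP TABLE customers;--"
    row_id = save_customer(conn, hostile_name)
    stored = conn.execute(
        "SELECT name FROM customers WHERE id = ?", (row_id,)).fetchone()[0]
    rows = conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
    return {
        "script_accepted": accept_upload("avatar.jpg", script_as_jpg),
        "png_accepted": accept_upload("avatar.png", real_png),
        "png_as_php_accepted": accept_upload("avatar.php", real_png),
        "stored_name": stored,
        "rows": rows,
    }
```

A signature check is only a first filter; re-encoding accepted images on the server and storing uploads outside the web root narrow the risk further.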

More Secure Software
Many web applications are custom-made, which can create security problems that off-the-shelf software may not have. Custom web apps tend to receive less testing, leaving them more susceptible to attack. In addition, general patches usually don’t work on custom apps. They often require custom patches to shore up security flaws. Your business may be better off with web app software that is not customized to your site in order to best implement regular security updates and patches.

Plugins and Patches
Be sure you are watching your third-party plugins. You will want to establish a patch process for your content management system (CMS) platform as well as any third-party plugins to ensure consistent security coverage.

Distributed Denial of Service
Distributed denial of service attacks are consistently a top threat within the financial and insurance industries. A DDoS attack is an attempt to make an online service unavailable, which can stop a business in its tracks. Such attacks are achieved by overwhelming a system with traffic from multiple sources. This can make it challenging, if not impossible, for businesses from banks to insurance companies to publish important information or give clients access to their accounts.

In 2016, DDoS attacks were the second greatest threat to businesses in the financial sector accounting for 34 percent of security incidents. This percentage included both network and application attacks that were designed to overwhelm systems, resulting in performance degradation or the interruption of service.

While some businesses face attacks throughout the year, most DDoS attacks last only a couple of days. Larger businesses are targeted most often, though smaller businesses are not immune: according to the 2017 Verizon DBIR, DDoS attacks targeted larger businesses 98 percent of the time, but some smaller businesses were also hit.

Banking Trojan botnets are used frequently, according to the 2018 report, which stated there were almost 40,000 such attacks included in this year’s analysis. Though your business may have strengthened authentication for its applications, it must also ensure there are controls and a response plan in place to address availability attacks.

Look to the Cloud
As DDoS attacks continue to evolve and become more prevalent, cloud computing may offer good protection for your business. Cloud service providers have solutions in place to protect the availability of their services and infrastructure, which means your data is safer there, too.

Limit Connectivity and Access
To prevent DDoS attacks, isolate key business assets to prevent devices from being used to launch attacks. Use the principle of least privilege, close any ports that are not necessary, and if you don’t need a device, turn it off. Patch all servers and services, use your IDS/IPS to identify and block bad traffic, and employ firewalls to filter out anything malicious.

Understand Your Defenses
Check that you have DDoS mitigation services in place to thwart attacks, that those services are regularly tested for effectiveness, and that they actually work. It is important that you understand your DDoS mitigation service-level agreements. Ensure your business has DDoS response procedures in place and that your operations team is trained on how to use the service when needed.

Monitor Closely
Monitor your daily usage so you know what normal traffic looks like, and prepare for spikes that reflect larger than normal, legitimate usage. Knowing that baseline will clue you in when a change in traffic may point to a security incident or breach.
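One way to tell a normal busy period from an abnormal one, as an added example that is not part of the original article: each hour is compared with the median for that same hour of day, so the regular midday peak raises no alert while night-time traffic at daytime levels does. The traffic figures, function names and thresholds are constructed assumptions.

```python
from statistics import median

def hourly_baseline(history):
    """history: list of days, each a list of 24 hourly request counts.
    Returns (median, MAD) per hour of day, so routine peaks count as normal."""
    baseline = []
    for hour in range(24):
        samples = [day[hour] for day in history]
        mid = median(samples)
        # Median absolute deviation; floor at 1 to avoid dividing by zero.
        mad = median([abs(s - mid) for s in samples]) or 1
        baseline.append((mid, mad))
    return baseline

def flag_hours(today, baseline, threshold=6.0):
    """Return (hour, count, score) for hours far above their own hour-of-day norm."""
    flagged = []
    for hour, count in enumerate(today):
        mid, mad = baseline[hour]
        score = (count - mid) / mad
        if score > threshold:
            flagged.append((hour, count, round(score, 1)))
    return flagged

def fixed_limit_hours(today, limit=2400):
    """Naive alternative for comparison: one fixed limit applied to every hour."""
    return [hour for hour, count in enumerate(today) if count > limit]

# Constructed data: a daily request curve with a legitimate midday peak,
# repeated for 7 days with a small deterministic variation of up to 4 percent.
SHAPE = [200, 150, 120, 110, 130, 250, 600, 1200, 2000, 2600, 2900, 3100,
         3300, 3000, 2800, 2600, 2400, 2100, 1700, 1300, 900, 600, 400, 300]
HISTORY = [[v * (96 + 2 * ((7 * d + h) % 5)) // 100 for h, v in enumerate(SHAPE)]
           for d in range(7)]

TODAY = list(SHAPE)
TODAY[3] = 2500  # constructed anomaly: 03:00 traffic at daytime volume

BASELINE = hourly_baseline(HISTORY)

if __name__ == "__main__":
    print("per-hour baseline flags:", flag_hours(TODAY, BASELINE))
    print("fixed limit flags hours:", fixed_limit_hours(TODAY))
```

A flagged hour is a prompt to investigate, not a verdict: the same score can come from a marketing campaign or from the start of an availability attack.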

Practice Proper Hygiene
Develop and implement a routine checklist for the general security hygiene of your business. Have system administrators make sure the systems you build are ready to deploy patches and make updates in a timely fashion. Automate everything you can to reduce human error and conduct routine scans to discover misconfigurations before a bad actor can. Finally, ensure you have a response plan in place should things go awry.

Payment Card Skimmers
Another major threat to the financial industry is payment card skimming. This covers all incidents in which a skimming device was physically implanted on an asset that reads magnetic stripe data from a payment card, such as ATMs, gas pumps, point of sale terminals, and more.

Payment card skimming continues to be one of the most lucrative and simple schemes to pull off. This holds true for both organized criminals and the occasional small-time thief. Most skimming crimes in 2016, 94 percent, were committed at ATMs while five percent occurred at gas pumps. “Surveillance” was part of 90 percent of the skimming cases identified in 2016 due to the installation of pinhole cameras designed specifically to capture PIN codes on the devices being skimmed.

While ATMs continued to be the main target for payment card skimmers in 2017, the number of gas pump terminals used to harvest payment card data more than tripled compared to 2016. In 2018, card skimmers continue to be a problem, especially at ATMs. While the use of skimmers is still prominent and the construction of card readers is making them less noticeable, a new threat is also on the horizon.

ATM jackpotting, a form of tampering where physical access allows the installation of hardware and/or software that causes the ATM to spit out money, is becoming popular. These types of attacks have just begun in the U.S. and have started making headlines, but have not yet been accounted for in the Verizon reports.

Merchant Controls

  • Purchase Tamper-resistant Terminals: Certain designs are more susceptible to tampering than others. Some models of ATMs are designed to prevent skimming. Ask your retailer about tamper-resistant models when it comes time to purchase new equipment.
  • Use Tamper-evident Controls: When possible, do things that will make it clear tampering has occurred. For example, apply stickers over the door of terminals and check all video footage of ATMs and gas pumps to watch for criminals installing nefarious equipment.
  • Institute ATM Checkups: Establish a regular process to check the physical integrity of ATMs. Train employees on how to spot signs of tampering as a regular task as well as how to report it.
  • Educate Customers: Teach clients what to look for in terms of skimmers and how to report anything that appears suspicious. Make it easy for them to make a report 24/7 to best protect your business and consumers.

Consumer Controls

  • Look Around You: Identity thieves like to target places that are unattended. They will often target the farthest gas pump from the store or an ATM that is not well lit. Keep an eye open for places hidden cameras may be lurking to steal your PIN.
  • Guard Your PIN: Whenever you enter your PIN, cover your hand so a pinhole camera can’t see the number you are putting in.
  • Give It a Tug: Before putting your card into a card reader, give the front of the card reader a good tug or shake. If it comes off or feels loose, it is likely a skimming device. Report it immediately.
  • Trust Your Gut: If you think something looks odd or out of place, don’t use the machine. Go elsewhere and report anything suspicious to the merchant as soon as possible.

If you should have any questions about how to best protect your business from security threats, contact Dox at (585) 473-7766. Our experts are happy to help and we offer free initial consultations for businesses of every size. Thanks for your time and stay safe online!