Infamous bank robber Slick Willie Sutton is said to have explained that he robbed banks “because that’s where the money is.”
Sutton later denied having made that exact statement, but there’s no doubt that he and others of his ilk followed that simple logic. In the 21st century, though, they face competition from a new type of thief: those who hack into banks’ data troves for the purposes of stealing money – or, in some cases, with other goals in mind.
All industries face the challenge of keeping their data secure, says David Murray, chief business development officer at Corvil, which provides cyberthreat detection and investigation software aimed most particularly at banks, financial services and other at-risk companies.
“Financial services has some challenges that are more acute than other industries, just by the nature of where they are,” he says. “Why do cyber attackers most aggressively go after banks? Well, it’s where the money is. And two, if you are a nation-state, it’s disruptive and destabilizing, plus there’s the potential for espionage. And since with money comes greed, and with greed comes an opposing righteousness, they’re a fine target for ‘hacktivists’ because somebody decides they want to embarrass the banks.”
The vast majority of attacks today come from the inside – either inadvertently or maliciously, Murray believes. “Again you have the implications of greed, or righteousness, like an employee writing malware to try to steal trading algorithms,” he says, adding another related challenge: “We’re seeing more regulation now, which the industry would dispute whether that’s helpful or hurtful.”
Banks and financial services companies have faced an increase in two different types of exploits: ransomware and business e-mail compromises, says Doug Johnson, senior vice president, payments and cybersecurity policy at the American Banking Association (ABA). The latter has replaced corporate account takeovers in recent years as the threat du jour aimed against bank customers, he says.
Ransomware affects customers more so than banks themselves, so the response there also tends to be more geared toward customer education, says Heather Wyson-Constantine, vice president, risk management policy at the ABA.
“It’s a huge reputational threat to an institution, or any type of business,” she says. “If you have files locked down and can’t access them, you can’t serve your customers. If you make the payment to the criminals, who’s to say they’re going to return the data, or if they’re going to return the data in the condition they got it. And also, if you pay with anything other than Bitcoin, they have your payment information to conduct further crimes. And, they know you’ll pay.”
Business E-mail Compromise
Corporate account takeovers had been prevalent for about a decade, but “they’re rather complicated, require malicious software, and mules at the end of the line to make the deposits or transfer the money overseas,” Johnson says. “They require a lot of steps, including the use of social media. Business e-mail compromise has been popular lately because all it requires is social media, and the ability to have a hook on your spearphish.”
People in the banking industry and others tend to think of threats as getting more sophisticated all the time, but that’s not necessarily the case, Johnson says. “Hackers go back to tried-and-true types of activities from the past because we’ve helped harden our customers against more malicious software,” he says. With business e-mail compromise, “All someone has to do is build a spearphish that purports to be from the CEO, or another person high up in the business. And then you send that e-mail to somebody who has the keys to the treasury kingdom.”
Banks and other financial services firms need to address the human factors involved, Johnson says. “No matter how sophisticated a particular exploit is, it all comes back to e-mail,” he says. “That’s why the education piece is so important. … It’s always that combination: continually changing the manner in which we’re using software tools, and the manner in which we’re ensuring that our customers, particularly, can recognize what they should and should not be doing. We always like to say that it’s only when you have a partnership between bank and customer that you’re going to be able to most effectively protect the environment.”
Phishing attacks in which hackers use the name and apparent e-mail of a senior executive to prompt other employees to open an attachment or click on a link are one of the biggest concerns of Damian Laviolette, senior vice president and chief information security officer at Webster Bank, in Waterbury, Conn. “They’re trying to get somebody to click on that link and execute ransomware, or malware,” he says.
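The executive-impersonation spearphish Johnson and Laviolette describe leaves traces a mail gateway can check before a message reaches the person “who has the keys to the treasury kingdom.” The script below is an added illustration written for this article, not code from the ABA, Webster Bank or any vendor quoted here. It assumes a bank domain of example-bank.test, a hard-coded executive roster, and an Authentication-Results header written by the receiving mail server (the same e-mail authentication the OTA survey later in the article scores banks on); both sample messages are constructed.

```python
"""Executive-impersonation triage for an inbound message.

Added example, not code from the article or from any firm quoted in it.
Assumptions (constructed): the bank's mail domain is example-bank.test, the
executive roster is the EXECUTIVES set, and the receiving mail server writes
an Authentication-Results header before the message reaches this check.
"""
import email
from email.utils import parseaddr

ORG_DOMAIN = "example-bank.test"            # assumed internal domain
EXECUTIVES = {"jane doe", "john roe"}       # assumed roster of senior executives, lower-cased


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org_domain: str) -> bool:
    """True when the sender's domain is a near miss of ours (e.g. one character swapped)."""
    if domain == org_domain:
        return False
    mine, theirs = org_domain.split(".")[0], domain.split(".")[0]
    return 0 < edit_distance(mine, theirs) <= 2


def assess_message(raw: str) -> list[str]:
    """Return the list of BEC indicators found; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    display_name = " ".join(display.lower().split())
    external = sender_domain != ORG_DOMAIN

    # 1. An executive's name on a message that did not originate from our domain.
    if external and display_name in EXECUTIVES:
        findings.append("executive display name on external sender")

    # 2. A sender domain one or two edits away from ours.
    if external and is_lookalike(sender_domain, ORG_DOMAIN):
        findings.append(f"lookalike sender domain {sender_domain}")

    # 3. Reply-To pointing somewhere other than the From domain, so replies
    #    leave the organisation even if the From address looks right.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != sender_domain:
        findings.append("Reply-To domain differs from From domain")

    # 4. A message claiming our own domain that did not pass DMARC at the gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if not external and "dmarc=pass" not in auth:
        findings.append("internal From address without DMARC pass")

    return findings


# Constructed sample messages (not real mail).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e-bank.test>
Reply-To: Jane Doe <ceo.urgent@mail-relay.test>
To: treasury@example-bank.test
Subject: Urgent wire before close of business
Authentication-Results: mx.example-bank.test; spf=pass; dkim=none; dmarc=none

Please release the attached wire today and keep this confidential.
"""

SAMPLE_OK = """\
From: Jane Doe <jane.doe@example-bank.test>
To: treasury@example-bank.test
Subject: Q3 numbers
Authentication-Results: mx.example-bank.test; spf=pass; dkim=pass; dmarc=pass

Draft attached for review.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(label, assess_message(sample) or ["no indicators"])
```

Run on the constructed spearphish, the check reports three indicators (executive name on an external sender, a one-character lookalike domain, and a Reply-To that diverts replies elsewhere); the legitimate internal message reports none. Each indicator is a reason to route the message for human review rather than an automatic verdict, which fits the “partnership” approach Johnson describes.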
Webster Bank requires annual online compliance training that teaches employees what to do and what not to do, provides continuous phishing awareness campaigns and targets key areas with input from executives, Laviolette says.
Webster Bank runs numerous campaigns to entice people to participate, such as quizzes with small prizes to those who finish, as well as a new “challenge coin” program for employees who are working to improve information security, similar to those used in government or the military, Laviolette says. “We’re hitting awareness from multiple different angles,” he says. “We have an appointed group of individuals who are responsible for this type of awareness.”
Wire Transfers and DOS Attacks
Another vulnerability that hackers sometimes exploit is wholesale payments, particularly wire transfers, in some cases through an automated clearing house (ACH) system, Johnson says. Financial institutions typically have concerned themselves with preventing the origination of fraudulent transfers, but it’s become clear during the past couple of years that the entity on the receiving end can be vulnerable, as well, he says.
“Financial institutions need to be aware of not only what types of illicit wires they may be receiving, but which ones come in from other entities,” Johnson says. “There is reputational and financial risk associated with those transactions, as well. The question becomes, ‘Is that transaction unusual for that particular account?’ It’s a know-your-customer regime.”
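Johnson’s question, “Is that transaction unusual for that particular account?”, can be made concrete as a per-account baseline applied to both outgoing and incoming wires. The following script is an added example written for this article, not code from the ABA or any bank; the wire history, the reason codes and the thresholds (five wires of history before baselining, a three-standard-deviation cutoff) are constructed assumptions.

```python
"""Per-account wire anomaly check: is this wire unusual for this account?

Added example, not code from the article or the ABA. History and the test
wires below are constructed; MIN_HISTORY and Z_THRESHOLD are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (account, direction, counterparty, amount)
HISTORY = [
    ("ACC-100", "out", "VENDOR-A", 1000.0),
    ("ACC-100", "out", "VENDOR-B", 1200.0),
    ("ACC-100", "out", "VENDOR-A", 1100.0),
    ("ACC-100", "out", "VENDOR-A", 1300.0),
    ("ACC-100", "out", "VENDOR-B", 1250.0),
    ("ACC-100", "out", "VENDOR-A", 1150.0),
    ("ACC-100", "out", "VENDOR-B", 1400.0),
    ("ACC-100", "out", "VENDOR-A", 1000.0),
    ("ACC-100", "in", "PAYROLL-CO", 9000.0),
    ("ACC-100", "in", "PAYROLL-CO", 9000.0),
    ("ACC-100", "in", "PAYROLL-CO", 9000.0),
    ("ACC-100", "in", "PAYROLL-CO", 9000.0),
    ("ACC-100", "in", "PAYROLL-CO", 9000.0),
]

MIN_HISTORY = 5      # assumed: fewer past wires than this and we refuse to baseline
Z_THRESHOLD = 3.0    # assumed: flag amounts more than 3 standard deviations above the mean


def build_profiles(history):
    """Group past wires by (account, direction) into amounts seen and counterparties seen."""
    profiles = defaultdict(lambda: {"amounts": [], "counterparties": set()})
    for account, direction, counterparty, amount in history:
        p = profiles[(account, direction)]
        p["amounts"].append(amount)
        p["counterparties"].add(counterparty)
    return profiles


def score_wire(profiles, account, direction, counterparty, amount):
    """Return reason codes for holding the wire for review; an empty list means it looks routine."""
    reasons = []
    p = profiles.get((account, direction))
    if p is None or len(p["amounts"]) < MIN_HISTORY:
        return ["insufficient_history"]          # unknown is not the same as normal
    if counterparty not in p["counterparties"]:
        reasons.append("new_counterparty")      # applies to originators of incoming wires too
    mu, sd = mean(p["amounts"]), pstdev(p["amounts"])
    if sd == 0.0:
        if amount != mu:                          # account has only ever moved one fixed amount
            reasons.append("amount_deviates_from_fixed_pattern")
    else:
        z = (amount - mu) / sd
        if z > Z_THRESHOLD:
            reasons.append(f"amount_outlier(z={z:.1f})")
    return reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    print(score_wire(profiles, "ACC-100", "out", "VENDOR-A", 1200.0))
    print(score_wire(profiles, "ACC-100", "out", "NEWCO-LLC", 25000.0))
    print(score_wire(profiles, "ACC-100", "in", "UNKNOWN-ORIGINATOR", 9000.0))
```

The profile is keyed by direction, so an incoming wire from an originator the account has never received from is flagged just as an outgoing wire to a new beneficiary is, which is the receiving-side exposure Johnson says institutions have only recently recognized. An account with no usable history is returned as “insufficient_history” rather than silently passed, since the absence of a baseline is not evidence that a wire is normal.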
Johnson also continues to see denial-of-service attacks, which direct a barrage of traffic and requests against a bank’s site and hamper its availability to customers. In some cases, DOS attacks are a diversion from another type of attack, he says. And bank customers don’t always recognize DOS attacks for what they are.
“For example, let’s say that a customer has been infected with illicit software that’s going to affect an account takeover,” he says. “When the malicious software launches, it will flash a screen saying that the Internet banking platform is down, please try again later. … They might not realize that essentially what’s happened is that particular Internet banking session has been hijacked, and somebody else is conducting a transaction against their account. Again, that’s a customer education piece.”
Wyson-Constantine adds that bringing the financial institution employees up to speed on trends and where attacks might be coming from, so they’re alert and report suspicious activity, is key. “It’s also having anomaly and intrusion detection, and making sure customers are aware of what the trends are, and reporting anything they’re seeing to the banks. It’s one big circle.”
Customers who don’t update their browsers and software can create vulnerabilities, because banks’ updated security measures do not always jibe with an outdated browser, so banks need to stress the importance of updates as well, Johnson says.
“It’s more individuals than businesses, but you can never say never,” he says. “When you’re talking to a business, particularly with ACH, you can get the customer to agree to certain, reasonable security measures. And one of those measures can be, keep your browser up to date. If they don’t, a commercial customer has to recognize that if there is some loss, they might have some potential liability.”
Regulatory Compliance
In addition to combating phishing attacks, banks have been working to comply with federal and state regulators. When it comes to data security, regulators are expanding their purview into banks’ third parties, Laviolette says.
“Anything we have to do from a banking perspective, they want our top-tier and second-tier third parties to be doing, at a minimum,” Laviolette says. “It’s a challenge. We’re focusing on, ‘Do you have a Third Party Risk Management Program? Do you have an employee awareness program, and are you training employees?’ ”
Most financial institutions’ risk management organizations have been growing in recent years to keep up with regulators. “We’ve had to add more people,” Laviolette says. “Managers across multiple lines of business are spending more time in risk discussions at a technical level to try to deal with this new regulatory compliance. The challenge is, it takes money and it takes time to deal with the risk. Protecting data and information is protecting your reputation.”
Mobile Identity Verification
On the mobile banking side of the industry, the greatest challenge has been balancing consumer expectations of full connectivity without compromising on security standards, says David Van Damme, team lead in business development at bunq, a Dutch mobile bank, which uses biometric technology from Veridium to verify identity and thus safeguard data.
“This means that every action the user undertakes needs to have a separate risk assessment, which then demands a different specific action from the user,” he says. “Depending on the action, this can be a Hand Recognition, Passphrase, Touch ID, a PIN code or a simple tap. From a technological perspective, this means we ensure a single point of entry … protections by various keys and combinations.”
The speed of technological development has meant that bunq needs to stay ahead of hackers and change their methodology if a specific security method has been compromised, Van Damme says.
“Combining smartphones with cutting-edge back-end technology with regards to biometric security, transaction monitoring and customer onboarding is how bunq stands out. With this as the foundation, we enhance the knowledge and expertise of our customer guides so that they can make quicker decisions. Written policies and procedures are necessary because human error exists.”
Bank Sites Flunk Test
Banks need to ramp up their game when it comes to website security, according to an annual survey by the nonprofit Online Trust Alliance, although Johnson of the ABA disputes the findings, according to NBC News. Sites run by the nation’s largest banks and government agencies scored most poorly overall out of the six categories studied.
Twenty-seven of the nation’s 100 largest banks made the OTA Honor Roll, down from 55 in 2016, ending a trend of consistent and significant improvement in the survey, according to NBC, which added that the decline was mainly due to “increased breaches, low privacy scores, and low levels of email authentication.”
Johnson questioned both the results and some of the data used in the evaluation, such as OTA’s assertion that 24 of the top 100 FDIC banks had major data breaches in 2016, a number the ABA says is actually significantly lower. And while big banks had good website security overall, where they fell short was e-mail security – and Johnson points out that banks don’t communicate much with their customers via e-mail.
“We can always do better, and we will look at the results to see how we can better do that,” Johnson told NBC News. “We absolutely take privacy and security very seriously.”