Banking – new threats grow
Have you ever wondered what the main threats are that concern banks and financial institutions? Several surveys have been conducted and, apart from small differences in the numbers, they all show that the top fraud threats are:
- payment card fraud
- check fraud
- phishing/vishing
- account takeover
- third-party POS skimming
When are these frauds detected? The majority of incidents are reported by the customers, the final victims: we are speaking of a percentage around 80%, a worrying number that highlights the difficulty of approaching the problem. Institutions feel prepared to prevent classic fraud such as check fraud and money laundering, but it is no news that they are far less skilled at fighting the new threat represented by cybercrime. We have observed an exponential escalation of malware attacks that target transactions; this kind of fraud is growing faster than the others.
Cyber threats are of particular concern, and the reason is understandable once you consider the number of transactions made every second all over the world: a boundless ocean from which to "fish", and within which control and prevention are very difficult. Compounding the scenario is technological evolution itself: increasingly complex and sophisticated malware able to attack the advanced platforms that provide services to customers and internal staff. The malware typically found in the past was easy to handle compared to next-generation agents that take advantage of 0-day vulnerabilities, against which it is really hard to implement prevention policies.
But what are the main threats that concern the world of finance?
DDoS attacks, spear phishing, malware such as Zeus and SpyEye... but what would happen if all these components came together in one combined action? The threat could cause a great deal of damage, and if you think that this is the result of my paranoia, then read what I have to tell you:
The Federal Bureau of Investigation (FBI) recently warned consumers about a multipronged scam that involves the use of spear phishing, the Zeus Trojan horse, DDoS attacks, and a jewelry heist. The spam campaign pretends to be legitimate e-mail from the National Automated Clearing House Association (NACHA), advising the user that there is a problem with an ACH transaction at their bank. Once they click on the link, they are infected with a variant of the Zeus Trojan known as GameOver, which is able to keylog and steal their online banking credentials, the Denver FBI Cyber Squad explained. "After the accounts are compromised, the perpetrators conduct a DDoS attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found). A portion of the wire transfers (not all) are being transmitted directly to high-end jewelry stores, wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired)", the FBI explained.
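The FBI's point is that the DDoS is timed to hide the wires, so a bank's fraud team can turn that around and treat the two events as correlated. The following Python sketch is an added example, not code from the article or the FBI advisory: it flags large wires to first-time beneficiaries that were queued during, or shortly before, a DDoS alert. The data, field names, the two-hour lookback and the amount threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Wire:
    ts: datetime            # when the transfer was initiated (assumed from core banking)
    account: str
    beneficiary: str
    amount: float
    new_beneficiary: bool   # first wire ever to this beneficiary (assumed flag)


@dataclass
class DdosAlert:
    start: datetime         # alert window as reported by network monitoring (assumed)
    end: datetime


def wires_masked_by_ddos(wires, alerts, lookback=timedelta(hours=2), min_amount=10_000.0):
    """Return wires to a first-time beneficiary, at or above min_amount, that were
    initiated inside a DDoS alert window or within `lookback` before it began.
    In the scheme the FBI describes the DDoS starts after the fraudulent wires are
    queued, so the window is extended backwards, not forwards."""
    flagged = []
    for w in wires:
        if not w.new_beneficiary or w.amount < min_amount:
            continue
        if any(a.start - lookback <= w.ts <= a.end for a in alerts):
            flagged.append(w)
    return flagged


# Constructed sample data for one business day.
ALERTS = [DdosAlert(datetime(2012, 1, 10, 14, 0), datetime(2012, 1, 10, 16, 30))]
WIRES = [
    Wire(datetime(2012, 1, 10, 9, 30), "ACC-1001", "Payroll Vendor Inc", 42_000.0, False),
    Wire(datetime(2012, 1, 10, 13, 40), "ACC-2040", "Luxe Jewelers LLC", 98_500.0, True),
    Wire(datetime(2012, 1, 10, 13, 55), "ACC-2040", "Gold Exchange Ltd", 101_000.0, True),
    Wire(datetime(2012, 1, 10, 15, 5), "ACC-3311", "Coffee Supply Co", 850.0, True),
    Wire(datetime(2012, 1, 10, 18, 0), "ACC-4020", "New Vendor GmbH", 25_000.0, True),
]

if __name__ == "__main__":
    for w in wires_masked_by_ddos(WIRES, ALERTS):
        print(f"REVIEW {w.account} -> {w.beneficiary} {w.amount:,.0f} at {w.ts:%H:%M}")
```

Only the two wires queued in the hours before the attack and aimed at never-seen beneficiaries are held for review; the small purchase during the attack and the wire after it ends are left alone.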
I can finally give some additional information on the potential of malware designed to attack the banking sector. Let's take Zeus as an example, a Trojan developed to steal banking information by keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. In June 2009 the company Prevx discovered that Zeus had compromised over 75,000 FTP accounts on the websites of companies such as the Bank of America, NASA, Monster, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. To give a sense of the scale of the phenomenon, the various Zeus botnets have been calculated to include around 4 million compromised computers in the USA alone. As of October 28, 2009, over 1.5 million phishing messages had been sent on Facebook with the purpose of spreading the Zeus Trojan.
It was still active in 2010. On July 14, 2010, the security firm Trusteer filed a report saying that the credit cards of more than 15 unnamed US banks had been compromised. The number of computers infected with the ZeuS banking Trojan is four times higher than that of systems infected with SpyEye, according to statistics compiled by Trusteer.
Consider that the economic impact on institutions is really high, due to direct fraud and to indirect costs such as loss of productivity and loss of customer confidence. Of course, managing customer trust is tricky given the increase in cyber attacks such as phishing, where customers may think their institution has been breached even though that is not the case.
Banks and similar institutions are responding to the threat in different ways:
- engaging technology experts
- acquiring fraud detection tools and technology
- increasing customer/employee awareness
- implementing internal monitoring
- increasing dedicated budget and staff
- third-party outsourcing
The awareness of the threat, and the attention that the economic and financial world is paying to these new forms of fraud, are a hopeful sign: the fight will be tough, but we are ready to face it with the right energy.
The world is changing and with it the way we do and offer banking services.
Pierluigi Paganini
References
http://www.fico.com/en/FIResourcesLibrary/Fraud-Survey-ExecSummary.pdf
Hi,
Interesting post, as usual. I have a question: do you think that users' "cyber education" might resolve some (most?) of the problems of phishing, or are trojans like Zeus well designed enough to pwn users anyway? I'm sorry if that sounds like a noob question, but I have always wondered if security breaches really exist between the chair and the keyboard. Part of them do for sure, but all?
You also might be interested in this study (hoping you did not already read it, as it is a bit old and was published in August of 2011), though it does not only concern banks and financial institutes: http://www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August.pdf
Anyway, thanks for the time you are taking to write and publish on this blog.
Well it’s a good question. For sure awareness could help to mitigate the risk. The cyber “war” that financial institutes have to fight is really hard. The white paper you addressed is a Bible for me!
Well written!
Thank you for your contribution ... any suggestions are welcome
best regards
Pierluigi
Thanks for the article. It was a good read; I've seen some of those stats before and they seem to be increasing at an alarming speed.
To address the first comment above, I definitely believe security awareness training and "cyber education" can be extremely effective for both employees and customers of the institution to prevent these attacks. People are not going to be able to do the right thing if they have never been taught what the right thing is. Security evolves daily, so not only do you need to execute training, it needs to be recurring. Security education needs to be a daily event.
I agree!
I share your point of view.
Regarding the stats, they are increasing at an alarming speed ... that is a sign of the times!
Thank you
Pierluigi
Thanks for your answers! But this brings some other thoughts: InfoSight said "'cyber education' can be extremely effective for both employees and customers".
I agree, but who should be in charge of giving these security trainings? For employees, it is clearly (at least in my mind) their employers. But banks cannot give their customers a proper training.
For the youngest we could imagine that it could be their schools. As computers are everywhere and can be used for almost everything, it sounds reasonable to me that every school's programs integrate that kind of courses.
But for all the others, who do not know there are some risks, who should train them? Well, I hope I have not moved too far away from the original subject.
Regards
Hi,
Right observation. I believe that a reasonable level of awareness could be given by the bank itself. How? For example with dedicated sessions on the official web site or via webinar.
In Italy some banks have already done this for their customers, and some other banks organize a customer-dedicated training session (30mm) when a new bank account is opened.
I understand that it is a hard job, but it is absolutely necessary.
best regards
Pierluigi
"For example with dedicated sessions on the official web site or via webinar."
That is a good idea. It is even kind of obvious. I wonder why I haven't thought of this solution.
"In Italy some banks have already done this for their customers, and some other banks organize a customer-dedicated training session (30mm) when a new bank account is opened."
I was not aware of that. That is a good thing. I checked for French banks; they do not seem to provide that kind of service. But the French CNIL [1] does: they have released a report about the "best on-line banking practices" [2]. Unfortunately, that is not a document that will be easily found unless one explicitly searches for it.
Regards
[1] http://www.cnil.org/
[2] http://www.cnil.fr/fileadmin/documents/approfondir/dossier/banque/Operation-banqueenligne.pdf (in French and old, 2005)
Hi,
For sure at least two banks in Italy have done it. I remember MPS for the awareness page on its web site; regarding training on the service when a new bank account is opened, Fineco Bank provides an on-demand training session.
Best regards
and thank you for the comments
best regards
Pierluigi
In reference to the comment that you can train employees but not your customers, that is completely untrue. Under the new Regulations and FFIEC guidance, effective January 2012, Examiners will enforce compliance with the supplemental multi-factor authentication guidance requiring financial institutions to manage a robust awareness and education effort for their retail and commercial CUSTOMERS.
Our comprehensive Customer Awareness Program educates your retail and commercial customers about phishing, malware, ACH and wire fraud, and more. It also provides methods to evaluate your Program's effectiveness in accordance with federal mandates, as well as documentation of your organization's efforts to comply. In addition, it tracks fraud attempts, losses relating to ID theft, and more.
Hi, you are welcome.
This is the observation of reality ... in Italy several banks are using their web sites to raise awareness regarding the main cyber threats. Some banks also give, on demand, support for online tools when a new bank account is opened.
best regards
Pierluigi