Cybercrime Focuses on Financial Services

Finance is going digital and while that opens up all sorts of opportunities it also leaves the door wide open to cybercrime.

When criminals go looking for targets, they naturally go where the money is. So, as crime goes cyber it should be no surprise that most of the attacks focus on the financial sector. Digital technology is changing the game, organisations are sharing data between multiple parties and start-ups are bursting onto the scene. In the finance world they refer to this as digital transformation. Cyber criminals call it Christmas.

Cyber crime is booming

While the rest of the economy might be struggling, cybercriminals have never had it so good. The digital revolution is tailor made for them and they are thriving. A study from Accenture suggests that businesses could incur an additional $5.2 trillion in costs and lost revenue due to cybercrime over the next five years. Cybercrime has become a multibillion dollar industry and, in 2018, the number of cyber-attacks increased fivefold according to data from the FCA.

The financial sector is firmly in its sights.Cyber Intelligent Company, Intsights says 25% of all malware attacks focus on the financial sector while credit card fraud is up 200%. The reason? As a report from PwC says, that’s where the money is. Cybercrime isn’t changing, argues the report, but the criminals are ramping things up in terms of volume. The number of cyber-attacks has increased by 160% over the past 12 months according to data from Carbon Black and Octiv Security.

The digital revolution

The problem for the finance sector lies in technology. Digitisation has transformed the sector. Online and mobile banking are booming as customers prove themselves increasingly willing to conduct their financial affairs online. One result of this is that the number of personal loans hit a record high in 2018 as online banking services made them more convenient and accessible to customers.

The cloud is allowing for big data analytics and mobile collaboration, artificial intelligence is helping to drive more sales and deepen engagement with customers. The internet of things (IoT) is connecting all sorts of physical devices and the blockchain is transforming international payments. Everywhere you look, technology is streamlining processes, saving money and driving revenue.

A new generation of fintech companies are also bursting onto the scene offering a host of services from financial management to personal loans. These firms are smaller, more agile and offer more accessible services to consumers. While some may see these new players as a threat, most banks have been quick to embrace the rise of fintech. Big banks such as JP Morgan and ING are already well along the path towards fintech partnerships.

Initiatives such as open banking make data more fluid and mobile. This allows customers to give regulated providers access to their financial information. It has led to the creation of new payment platforms such as TrueLayer which offers an alternative way to transfer money. Mastercard, meanwhile, has also launched its own Open Banking platform which involves close partnerships with several other payment providers.

In this age of digital transformation, systems are open, data is fluid and a huge amount of money and information is flying around the digital realm. The benefits are immense, but it all comes at a cost. By embracing digital technology, banks are creating opportunities for cyber criminals and they are grasping these with both hands.

Major attacks

In 2016, cyber criminals stole £2 million from 34 Tesco Bank accounts after exploiting deficiencies in Tesco’s debit card. A report into the hack by the FCA found that fraudsters had been able to make thousands of fake contactless transactions using Tesco Bank accounts. In 2017 Equifax suffered a hack which exposed the details of millions of accounts. The hack revealed details such as social security numbers of almost 150 million Americans, more than half of the population.

The problem is vast. Stolen data from almost every bank in Pakistan, for example, is available on the dark web. There’s a good chance that everyone of us may find at least some of our details are in the hands of criminals.

All that data has an enormous amount of value and can be used for all sorts of nefarious purposes. Criminals are buying up the data and attempting to develop as complete a profile as possible of individuals. They can use these details to target them with phishing emails or to hack into their accounts.

Attacks come in many shapes and sizes. Their first port of call has been mobile and banking apps. The threat landscape report found that a quarter of organisations experienced malware attacks in the third quarter of 2018. The vast majority of these threats were focused on Android devices; 14% were android related while less than 1% targeted Apple’s IOS system.

Apple’s system is seen as being more secure. It is closed and Apple doesn’t share its source code with app developers. Users can also not modify the apps themselves. Androids, meanwhile, rely on an open code and allows users to tinker with it. If there is a problem with the code, cybercriminals will be likely to find it.

For this reason, cybercriminals have tended to target Android apps more than Apple which means this landscape is much more developed. However, there are signs that this trend is changing. The number of malware attacks developed against Apple operating systems is growing. Their products and apps are so popular that this market is impossible to ignore.

Indeed, Apple users are more appealing to cyber criminals as their credentials are much more valuable on the dark web. Users might also be slower to implement defences than their Android counterparts who have become accustomed to a world in which people are looking to steal their data. Spoofing attacks, phishing and complex multi vector attacks are becoming more common.

Fighting back

The inescapable truth for retailers is that cybercrime will continue to be a major threat. It has a low cost of entry and a minimal chance of being caught. That retailers are upping their spend on cybercrime suggests they are taking it seriously, but the fact that crime continues to rise suggests it might not always be working. Staying safe is difficult and, as we’ve seen, even the biggest names are not immune.

The challenge for retailers is twofold. They need to protect their own business systems but also to safeguard their customers. Online shopping and loyalty schemes mean customers are handing over more personal information about themselves than ever before. This data has enormous value on the dark web and the more complete a picture criminals can build about their targets the more valuable that information will be.

Retailers will need to educate their customers. Phishing attacks represent one of the most common issues with cyber criminals attempting to impersonate a retailer. Retailers should make it clear to customers when and how they will contact them and how they can tell if a message comes from a fraudster.

Equally, retailers can remind customers of the importance of maintaining strong and separate passwords for their accounts. Surprisingly, even in today’s digital world, consumers remain remarkably relaxed about their passwords. A recent poll found that almost 60% of people had the same passwords for everything. So, while we might be savvier than we used to be, we still have some way to go.

Crime goes high tech

Cyber criminals are also turning to technologies such as AI to help them identify weaknesses and make their attacks more convincing. Algorithms can analyse a company’s defences, identifying weaknesses and crafting attacks accordingly. It is also helping them to gather more information about their chosen targets to make their attacks much more convincing.

This is crucial because cyber criminals rely on fooling a human and that is becoming much more difficult than it used to be. Most of us are targeted by cyber criminals every day which means we’ve become much more sophisticated at identifying suspicious activity. The days when someone would be fooled by a badly spelled email claiming to be from the Nigerian State Lottery are long gone. Today’s criminals are developing attacks which seem much more believable.

For example, using social media, they can see where a person works, who they are working with and may even be able to glean details of any projects are working on. Imagine a piece of malware had infiltrated a virtual assistant copied in on email conversations. It might see that you have an upcoming appointment at the doctor’s and send an email reminding you of the appointment with malware embedded into the link. The chances are that most people would click this link because it is personalised and convincing. Their natural defences which would normally prevent them from clicking on a link from an unknown source are not there anymore.

Connected devices mean bugs could be found in seemingly innocent office equipment. For example, connected video conferencing devices have been found to be vulnerable to attack. Hackers may be able to take control of a device gaining access to any information shared in confidential meetings. The implications could be profound. Think of a board which regularly meets via video conferencing. If hackers have gained access to the video software, any information discussed in meetings flies straight to malicious ears.

Must do better

The landscape is evolving incredibly quickly. Threats come from everywhere and financial institutions are having a tough time catching up. They are having some success. Last year a report from Accenture showed that, despite a dramatic increase in the number of cyber-attacks targeting the financial sector, more than 80% of breaches were being stopped compared with around 60% for the same time period a year earlier. Much of this improvement has come through the adoption of new technologies such as AI, machine learning and robotic process automation which, according to respondents, are crucial in the fight against cybercrime.

Automated processes can collect data and search the system for vulnerabilities. In a world in which multiple end points increase the number of potential attack points, these systems can dramatically improve a company’s monitoring and threat detection capacity.

Even so, gaps still exist which criminals can exploit. The report noted that 40% of breaches went undetected for more than a week while 9% were undetected for more than a month. When the FCA interviewed 300 financial services firms to gain a better understanding of the financial sector’s cyber resilience, they identified alarming gaps. Their report found executives were overly confident about their current readiness and oblivious of some of the threats posed by major technology projects. In other words, financial institutions are marching bravely into the new digital world unprepared. Not only have they failed to build defences against the threats; they are often unaware that they exist at all.

People represent both a weakness and an asset. For all the technology involved in cyber security, simple mistakes such as clicking a suspicious link can give the whole game away. Every individual within an organisation needs to be made aware of incoming threats and follow strict guidelines to maintain the integrity of systems. Practices such as having the same password for work and personal accounts or using personal computers for sensitive work, can undermine the best cyber security policies. Even so, they are remarkably common.

Building that capacity and expertise within a team can be difficult. This is a highly technical and evolving landscape and there is a finite number of people with the requisite expertise. Instead, many companies are turning to cyber security as a service and hiring specialist companies to manage all their security issues. However, this is about much more than just specialists. Accenture’s report found that, although cyber security teams had identified approximately two thirds of breaches, employees outside of those teams were responsible for most of the others.
It needs to be a blended approach in which technology, cyber security specialists and general employees work in partnership. For example, imagine a company is targeted by a phishing attack. That could be quickly neutralised by reports from employees who have flagged emails as suspicious. Cyber security teams could identify where those emails are going and have them isolated and blocked.

Businesses must take more care when choosing the third parties they work with, whether as partnerships or service providers. Accenture’s report found that most executives held their partners to a lower standard than themselves. This is a mistake. If your partner’s systems were to be compromised your data could also be at risk. Under GDPR you would be held responsible for any of your data which was breached because of a problem with a third party’s system. The penalties can be as much as 4% of turnover or €20million, whichever is greater. For example, had Tesco Bank’s data breach occurred under GDPR, they could have potentially faced a fine of £1.9bn against their annual turnover of $48.4bn.

Although not directly at fault, authorities will still hold you responsible for that lost data. In a world of third-party collaboration, therefore, companies are regularly surrendering control of their data while retaining liability for it.

Cyber assessments of third parties should be a key part of any due diligence processes before agreeing to work with them. This applies to any cloud vendor or collaborating organisation which could potentially compromise the integrity of IT systems.

What if a breach does occur?

If a breach does occur, businesses will need a robust response strategy. It starts with communication. As soon as a breach has been detected, everyone within the organisation who will be affected or can help must be informed. Customers and the authorities should also be notified. This can be a delicate matter and firms may understandably be concerned about the impact on their reputations but acting now will prevent further damage down the line. These communications should be transparent and sincere; they should detail what has happened and what steps are being taken to resolve the issue. This will help to reassure all parties and retain trust.

You will also need to understand the root cause. Engineers can forensically analyse traffic to see if this occurs. Often this can be uncomfortable, especially if it reveals the breach occurred as a result of an error from a member of staff. However, it will be important to eradicate the attack and to improve defences for the future.

A third-party specialist response team may also be able to help oversee your response. The chances are they will have expertise and resources which might not be generally available within your team. Just as importantly, they will be independent. If the breach occurred as a result of a third party’s IT system, they might have a vested interest in not telling you the whole truth. An independent specialist can help you to get right to the core of the problem and stop it from happening again.

Ultimately, security is a bit like building defences of a castle. It has to be multi-layered. Once attackers breach the firewall, systems should be built using proactive measures such as patching, application whitelisting and privilege management which will help to slow the path of infection once it has made its way onto the system.

It can seem complicated and challenging, but in a world in which cyber criminals are updating their attacks continuously, it will be vital. The landscape is evolving rapidly. New threats are appearing daily, and the financial sector will always be a favourite target of the cybercriminal. It’s a high-tech game of cat and mouse in which AI and automation are being deployed by both sides. Protection starts with understanding the threat and developing an organisation wide response. Technology will have to be blended with education with every individual being made aware of their responsibilities. Once attacks do occur, businesses will need a robust response strategy in place to limit the fall out as much as possible. The cyber criminals are definitely coming for the financial sector. The challenge is to ensure they have world class defences meeting them when they arrive.

C-19 Cyber Resilience Service: