Back in the days of the Wild West, rootin’ tootin’ bad hombres like Jesse James and Butch Cassidy struck fear into the hearts of bankers. But in the age of the Internet of Things, those names have been replaced by Cobalt, Carbanak, Lazarus, and Lurk—not an anti-law firm, but four covens for lawless cyber thieves.
The groups were identified in a study on bank attacks by Positive Technologies, a Boston-based enterprise security firm that works with the financial industry sector. And instead of bullets, these rats use mouse pads.
“In the wild, we currently see attacks on interbank transfers, card processing, ATM management, e-banking, and payment gateways,” say the study’s authors.
Cybersecurity experts who work in the financial services industry describe the top five ways today’s fraudsters mount some of the most dangerous, persistent attacks.
One: Credential stuffing
With this type of cyberattack, stolen account credentials such as usernames and passwords are used to gain unauthorized access to accounts through large-scale automated login requests, says Brian Brannon, vice president of security product strategy for Safe Systems, an IT security firm that works exclusively with community and small banks.
“These lists are available due to breaches and can often be purchased on the dark web,” Brannon says. “This form of fraud does not have to play the password guessing game. There is an automated process where the hacker can log thousands to millions of breached passwords and usernames using standard web automation tools.” The best way to guard against this sort of attack is to use different passwords for different accounts, says Brannon.
Jeremy Dalpiaz, vice president for cyber and data security policy at the Independent Community Bankers of America, says even obsolete information must be guarded closely, as hackers can still find ways to wield it: “At one time, those user names and passwords were valid,” he says.
Two: Extortion emails
The industry is seeing more and more extortion email threats, Brannon adds.
“In this email, the hacker acknowledges knowing username and password pairings; ‘admits’ they have hacked into your computer and have been watching you and has some sort of secret recording recorded from your own webcam; and demands some sort of bitcoin payment in exchange for not making the records public,” he says.
But true to the nefarious character of the bad guy, it’s a lie. “The hackers don’t typically have the footage,” Brannon points out. “It’s just a scare tactic to extort money. The target of this sort of attack is usually a C-level executive: someone who has a lot to lose.”
In August 2018, the University of Delaware described a scenario where “attackers use an old password in the subject line to get your attention and claim that they have installed a virus on your device that gives them access to your webcam.” The threat: They’ll release sensitive or embarrassing footage to all your contacts if you don’t pay a ransom.
The idea here is to report all such emails to the chief technology officer or head of IT immediately. The threat of what happens if you respond to the message is far greater than any threat in the body of the message.
Three: Internet of Things (IoT) exploitation
As institutions continue to connect more gadgetry to the internet, “the number of potential security weaknesses on their network will increase,” says Brannon. Unsecured Internet of Things (IoT) devices such as DVRs, home routers, printers and IP cameras are vulnerable to attack, since they’re often not required to have the same level of security as computers.
“To breach a financial institution, attackers will target insecure devices to create a pathway to other systems,” he notes. “Once they have entry from the IoT device, they have full access to the entire network, including all customer data.”
Similarly, fraudsters are exploiting banks’ application programming interface (API) systems, says digital banking expert Gerhard Oosthuizen, chief technology officer at Entersekt, a financial industry cybersecurity firm.
APIs act as the glue to connect multiple systems to build one efficient platform. Think of a ride sharing application such as Lyft or Uber, which uses APIs to synchronize maps, payments and texting in one application.
Oosthuizen notes that legacy APIs were likely not designed with the connected and cloud world in mind—leaving systems unprotected from the start. “Open banking is exacerbating this,” he says. “More things are exposed and not everything is hardened.”
To create a truly secure network, inventory all the devices connected to your network and create a solid asset management program that helps financial institutions account for “what systems they have in place, what devices they have in general, where they are located, and what is connected,” Brannon advises.
Brannon also points to “an increase in phishing scams that specifically target bank employees, attempting to obtain sensitive information such as usernames and passwords.” The ultimate goal is to trick bank employees to click on links or open attachments that redirect them to fake websites. There, they are encouraged to share login credentials and other personal information.
“With access to an employee’s email account, cyber criminals can read a bank’s critical information, send emails on the bank’s behalf, hack into the employee’s bank and social media accounts, and gain access to internal documents and customer financial information,” he says. “This can result in both financial and reputational risks for the institution and its employees.”
For banks, “these breaches continue to mount,” says Dalpiaz of the ICBA.
Employee training is the number one way to combat phishing attacks: teach employees to spot what these messages look like and how to treat them, which begins with not clicking on any link and, again, alerting IT workers.
As cyber threats go, ransomware remains one of the biggest, with instances occurring each day. True, ransomware attacks actually fell nearly 30 percent between 2016-2017 and 2017-2018, according to a Kaspersky Lab report. Yet that still adds up to more than 1.8 million instances—with financial services the second most targeted industry after healthcare.
Successful ransomware attacks not only reveal the lack of adequate endpoint protection: They can act as a starting point for a host of terrible woes.
“In addition to the monetary damage of these attacks, not proactively protecting against ransomware can also lead to reputational risk among customers, weakened staff morale and considerable IT staff hours spent on ransomware response,” Brannon says.
To adequately protect against ransomware, financial institutions should place “many uniquely tailored layers throughout their networks,” he says—each one acting as an obstacle to block the malicious software.
Putting it all together: From vulnerability to manageability
Experts unanimously agree that every financial institution stands in the crosshairs of cyber crooks. Financial firms faced a staggering average of 983 attacks a day in 2017, according to research by Positive Technologies. It only takes one successful attempt to empty the vaults and bring a bank to its knees.
So yes, it’s like the Wild West out there … only without a Lone Ranger or cavalry to ride to the rescue. But when IT, bank executives and employees circle the wagons as a team, who needs heroes?
Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.