What’s at stake when a bank customer is duped by a phishing attack? Or when an ATM network is compromised? Or when cyber-criminals hack into a smartphone that is used for online banking?
Increasingly, the correct answer is “everything.”
As financial institutions interact with more of their customers electronically, they face unprecedented challenges in ensuring that every single new channel touching a customer is secure.
A recent report by Gartner Inc. should be an eye-opener. The report sheds light on the impact of data breaches and financial fraud on consumers’ behavior, particularly their banking activity.
According to Gartner, victims of electronic checking and/or savings account transfer fraud are almost five times more likely to change banks due to security concerns, compared to the average consumer.
“From a bank point of view, this is really causing customer churn,” said Avivah Litan, vice president and distinguished analyst at Gartner, in a statement. “It's costing them customers.”
This article examines the key risks associated with these new channels; it then shows how financial institutions that implement strong security can use that fact as a way to gain their customers’ confidence.
With the Underground Economy growing in sophistication and exponentially increasing the number of financially motivated attacks, fraudsters are exploiting security weaknesses across multiple channels of the bank. And ATMs are no exception.
Fair Isaac, developer of the widely used FICO credit scores, recently ranked the top ATM/debit card fraud trends as follows:
- Skimming. This is where criminals go to a bank and install a PIN pad overlay and card reader. The transaction goes through, and the customer doesn’t realize that his or her ATM card or debit card has been compromised.
- Ghost ATMs. Here the entire ATM card reader is blocked off and customers can’t perform a transaction. The customer swipes the card, enters the PIN, and then the fake ATM says it can't complete the transaction.
- Ram raids. This is where criminals physically break out (or “ram”) ATMs from the wall at the institution.
- PIN IDs. This is a technique where criminals capture the magnetic stripe data from a retailer. They then go to an online bank site with a script written around several well-known PINs, and run it against the site until they get a match.
- Automated PIN changes. This involves criminals going through a financial institution’s call center to change a PIN.
- SMS attacks. “Smishing” is an attack that comes through the Short Message Service (SMS) onto a smartphone or a cell phone.
- Malware. Security researchers say they have found malware code that lets a criminal take control over ATMs. There have been reports of such malware in Eastern Europe and Russia.
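The “PIN IDs” pattern above is easy to miss with a per-account lockout, because each stolen card gets only a handful of guesses; the tell is one source fanning out across many accounts. The detector below is an added example, not code from the article or from Fair Isaac or Symantec; the log format and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format:
# timestamp, source address, account id, result). Not real data.
SAMPLE_LOG = """\
2010-03-01T10:00:01 203.0.113.7 acct-1001 PIN_FAIL
2010-03-01T10:00:02 203.0.113.7 acct-1002 PIN_FAIL
2010-03-01T10:00:03 203.0.113.7 acct-1003 PIN_FAIL
2010-03-01T10:00:04 203.0.113.7 acct-1004 PIN_OK
2010-03-01T10:00:05 203.0.113.7 acct-1005 PIN_FAIL
2010-03-01T10:00:06 203.0.113.7 acct-1006 PIN_FAIL
2010-03-01T10:05:00 198.51.100.9 acct-2001 PIN_FAIL
2010-03-01T10:05:30 198.51.100.9 acct-2001 PIN_FAIL
2010-03-01T10:06:00 198.51.100.9 acct-2001 PIN_OK
"""


def parse(log_text):
    """Yield (timestamp, source, account, result) for each log line."""
    for line in log_text.splitlines():
        ts, src, acct, result = line.split()
        yield datetime.fromisoformat(ts), src, acct, result


def find_pin_guessing_sources(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: distinct accounts touched} for sources that reach
    min_accounts distinct accounts inside a sliding time window.

    Successful logins are counted too: a "match" on a guessed PIN is part
    of the same campaign. A per-account failure counter never fires on the
    first source below, since no account sees more than one attempt.
    """
    by_source = defaultdict(list)
    for ts, src, acct, _ in parse(log_text):
        by_source[src].append((ts, acct))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until it fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(accounts))
    return flagged
```

The second source in the sample, which retries a single account, is the case a conventional per-account lockout already handles and is deliberately left unflagged here.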
Separately, there are the risks that FSIs face as they continue to migrate their ATMs from older proprietary networks to open Internet Protocol (IP) networks.
While IP ATMs offer many advantages, IP-based systems running on Microsoft Windows can expose a financial institution’s network to infection, tampering, and other threats. That’s why they need to be protected from worms, viruses, and denial-of-service attacks.
At the same time, FSIs have their hands full combating increasingly sophisticated online fraud. A recent report by the Anti-Phishing Working Group pulls no punches, saying the Internet “has never been more dangerous.”
The APWG says cyber-criminals have “apparently unchecked ambition” to use crimeware that targets financial institutions’ customers.
Perhaps most disturbing for financial institutions, attacks are now being made against corporate bank accounts. These attacks target the CFO and then attempt to take over the corporation’s online banking credentials to make corporate wire transfers. Previously, phishing attacks targeted individual users, not corporate accounts.
“Brand erosion as a result of online fraud is the #1 boardroom-level issue for financial services institutions,” says Ted Donat, Senior Director, Product Management Solutions Group, at Symantec.
Donat said Symantec expects to see a big increase in the number of “spear phishing” cases that are reported, particularly in Europe as mobile computing catches on. Spear phishing is a targeted form of phishing where the apparent source of the email is likely to be an individual within the recipient's own company and generally someone in a position of authority.
Over the past year, the FDIC says it has detected an increase in the number of reports of losses resulting from unauthorized electronic fund transfers, such as automated clearing house and wire transfers.
reported that the top U.S.-based energy and building supply company found its banking account compromised by hackers from Eastern Europe in a sophisticated email scam.
The scam began with a spear phishing email to an employee that looked like it was from the company’s bank. A link in the email took the employee to a Web site that was identical to the bank’s. Once the company’s user name and password were entered in the bogus site, the information was sent to the hackers, and $150,000 was stolen from the bank’s account.
Cyber-criminals are also increasingly focusing their attacks on the hundreds of millions of users of social networks, such as Facebook and Twitter.
Wall Street & Technology recently reported that, as a result, Wall Street regulator FINRA is turning its attention to Wall Street’s use of social networking tools.
“Social networking sites such as Facebook or LinkedIn provide new ways to connect, inform, and interact with customers,” said Rick Ketchum, FINRA’s chairman and CEO. “They also raise new regulatory challenges. For example, as currently designed they may not allow you to archive and maintain the communications on your own books and records.”
How strategic a development is mobile banking? Some industry observers have claimed that mobile banking is a market mandate no less important than the dawn of Internet banking in the late 1990s.
While the number of threats to mobile devices such as smartphones is dwarfed by those targeting PCs, Symantec sees these devices as the next destination of hackers. In fact, recent editions of the Symantec Internet Security Threat Report have found that threats such as spam and phishing are increasingly “going mobile.”
It’s not hard to see why.
Some industry observers say that a “perfect storm” is brewing in the area of mobile security, owing to three key factors:
First, adoption rates for smartphones are on the rise. Researchers at Gartner predict that smartphones will outship PCs this year.
Second, the technical capabilities of smartphones are catching up to PCs at a rapid rate. Email, instant messaging, online banking, online shopping, and Web surfing are all possible.
And third, since 2004, the number of threats targeting handheld devices has roughly doubled every six months.
As a result of these developments, Symantec recommends that smart devices be secured in the same way that a laptop or PC is secured. That means antivirus protection, antispam for SMS, a firewall, and data encryption technologies that minimize the risks associated with the loss of a device.
The Gartner survey gauging the impact of identity theft and other financial fraud offers some straightforward advice to financial institutions that implement strong security controls and protections: make the fact known to your customers.
“Financial institutions that take security seriously will be rewarded with greater customer retention, which is a smart move when you consider that the cost of acquiring new customers is typically much higher than the cost of retaining existing ones.”
It’s advice that resonates with Symantec’s Donat.
“To convince your customers that they’re safe in these channels, you have to prove that you’re safe,” he says. “You have to create a culture of security.”
Donat says Symantec enables banks to protect themselves, their employees, and their customers by:
- Proactively identifying possible threats across the bank’s channels and implementing countermeasures.
- Protecting and monitoring the IP-ATM network with an integrated security solution.
- Reacting quickly to security incidents to regain customer confidence.
- Providing consumers proven security tools to protect online transactions.