Published Aug 17, 2022 by Xiph
Cyber threats are becoming more sophisticated than ever, with attacks on the banking sector becoming rampant. In fact, an ImmuniWeb state of application security report reveals that 97 out of the 100 largest banks in the world are vulnerable to web and mobile attacks, enabling hackers to steal sensitive data.
A cyber breach in digital banking can have devasting consequences. Not only are large amounts of money on the line, but when banks and other financial systems are compromised, it affects millions of livelihoods, impacts multiple IT infrastructures within a banking network, creates distrust in an entire industry, and disrupts the economy as a whole. We reveal the biggest cyber security risks and challenges in digital banking and how to counter them.
The biggest threats to a bank’s cyber security
Phishing (especially mobile phishing attacks) is one of the top cyber incidents reported by banks, according to the Office of the Australian Information Commissioner (OAIC). Most phishing attacks typically involve hackers sending untargeted, mass messages to employees, internal stakeholders, or customers of financial institutions, with a request for information (known as credential phishing) or with the intent to trick unsuspecting users into downloading malicious files. Cyber criminals often send phishing emails disguised as official bank correspondence to customers with a request ‘verification’ which they use to steal personal and financial data. Other phishing attacks target employees with requests for login credentials to access customer information. Banks should provide ongoing training to employees to help them better understand how phishing works and how to spot the tell-tale signs of a phishing attack.
Spoofing is a newer form of cyber threat, similar to phishing but that hinges more on impersonation. This typically involves hackers pretending to be a legitimate business, using falsified information or a fraudulent version of an actual domain/website to trick users into giving away login credentials and personal information. This cyber threat banks on the likelihood that people don’t typically look closely at a website if it appears legitimate. More advanced methods of website spoofing make use of a cloaked URL. By using domain forwarding or inserting control characters, the URL may look genuine while hiding the true address of the fake website. Meanwhile, email spoofing uses forged email headers to hide the true source of the email message. Links in spoofing emails also infect the recipient's computer with malware.
Malware and ransomware are always among the most dangerous threats across all industries due to their high-profit, low-cost profile and success rate. According to Microsoft, 96.88% of all ransomware infections take under four hours to successfully infiltrate a target.
While ransomware attacks have increased exponentially across all sectors since the start of the COVID-19 pandemic, one report found there was a 1000%+ increase in ransomware attacks in the banking industry (in 2021).
Ransomware is a type of malware that targets organisations by encrypting vital files or data, or blocking access to internal systems or networks (essentially crippling all operations) until a ransom is paid. Hackers typically block access to important files or information or threaten to publish that information unless the business pays the ransom. Banks should use a combination of monitoring applications, security patching, frequent file backups, anti-malware software, and user training to avoid ransomware attacks.
4. Unencrypted data
Banks sit on a gold mine of information which makes them a prime target for hackers looking for sensitive information like financial documents, credit scores, bank accounts, and credit card numbers. It’s no wonder the finance sector is the second most breached industry sector (after healthcare), notifying 12% of all 464 breaches, reported to the Office of the Australian Information Commissioner (OAIC) in the last half of 2021. Financial institutions must encrypt all data that pass over the internet (in transit) as well as structured and unstructured data stored on computers and in cloud environments. This also includes encryption at the database and application level. This will ensure that even if hackers get hold of financial data, they won’t be able to decipher it. Most financial institutions use standard bank-level encryption 256-bit AES, which is the largest AES key length size, as well as the most mathematically complex.
Data breaches cost banks and financial institutions millions (if not billions) in damages and not just in the outright theft of account funds, but in recovering lost customer data, rebuilding compromised IT infrastructures and consumer trust; there are also hefty penalties and fines associated with not properly shoring up systems or notifying customers of a breach promptly. It’s a mandatory requirement for banks to report any cyber breach to the OAIC and to notify customers and stakeholders of the said breach in a reasonable time.
5. Cloud-based cyber attacks
Cloud innovation is fast becoming a fundamental component of digital transformation with cloud adoption gaining more prominence and cogency with banks. However, cloud ecosystems are now one of the most targeted cyber environments after corporate and internal networks. That’s why banks should implement tailored checks and balances to ensure their cloud infrastructure is configured securely to protect against breaches. Cloud services come in all shapes and sizes which means all have different cyber security parameters and strategies.
With more software systems and data stored in the cloud, cyber criminals are banking on potential vulnerabilities and security gaps in the cloud shared security model to target banks, businesses, and organisations that deal with lucrative information.
6. Remote work
The widespread adoption of hybrid work has created a host of new cyber security risks for banks and other corporate networks. Some include having internal networks compromised by employees accessing sensitive data through public Wi-Fi networks, not using a secure VPN, using work devices for personal use, employees accidentally sharing unencrypted files, using weak passwords, etc. Fundamentals like employee training, multi-factor authentication (MFA), and security patching are still the cornerstones of cyber security.
7. Third-party services
Third-party vendors used by banks all have different cyber security policies and processes, leaving banks that use them at risk of a supply chain attack. A supply chain attack targets the weakest link in the supply chain – if one organisation has a strong cyber security strategy, but uses a not-so-secure vendor, then hackers will tend to target that vendor for your information/data.
It’s common practice for banks and financial institutions to use contractors or third-party vendors to streamline business-critical functions and outsource some of their operations and services. This may include employing contracted mortgage brokers, debt collectors, or using offshore IT or call centres to support customer care, just to name of few examples.
8. Social engineering
One of the biggest threats to banking and finance is social engineering or impersonation. While phishing emails are the most common vector, hackers are getting more creative at tricking employees into handing over sensitive details and credentials. A social engineering attack almost always involves some type of initial human interaction whereby hackers manipulate people into breaking normal security procedures and best practices to gain access to systems, networks, or physical locations. That’s where training employees and workforce members to recognise social engineering attempts and having clear protocols for them to follow in the event of an attack is important.
A final word
Cyber attacks can impact more than banks’ bottom line, but also their customers’ assets, trust, and the whole network’s infrastructure. Financial institutions should have stringent cyber security measures in place and undertake regular risk/vulnerability assessments to stay abreast of the ever-change cyber security landscape. For advice or more information on cyber security risk assessments and audits, contact us via email: [email protected]
Posted in: Security