Cybercriminals are increasingly targeting the financial services industry

Universally, consumers and small and large businesses alike,
are increasingly aware of the well-established fact that cybercrime is on the
rise. Last year, 4iQ discovered nearly 15
billion identity records that had been stolen from companies and
were circulating the deep and dark web, including 3.6 billion new and verified
records. There were also over 12,000 identity breaches, more than four times as
many as the previous year. While high-profile data breaches such as Facebook
and Equifax may be stealing headlines on the basis of endangering consumer
privacy, the untold story is that the businesses that employ those consumers
also suffer huge expansions in their risk profiles after such events. And arguably,
the industry that truly faces the most danger is the financial services
industry.

It’s no secret that over
25 percent of all malware attacks target the banking and financial services
sector, more than any other industry. The number of compromised credit cards
increased 212 percent in 2019 compared with the prior year, while credential
leaks rose 129 percent and instances of malicious apps increased 102 percent –
staggering numbers for a single year. Cyber criminals target financial services
companies by using trojans to steal banking information and
download data, and also use ATM malware to steal credit and debit card
information. Recently, in Mexico, ransomware was used to devastating effect on
their major financial institutions. In February, a UK-based bank became the first public victim of SMS verification code
interception. Cybercriminals exploited flaws in the SS7 telecommunications protocol
to intercept messages authorizing payments from accounts. And criminals also
can still leverage older methods such as DDoS attacks and phishing against the
least prepared companies.

The data breach that hit Equifax is estimated to cost the
company over $600 million. Companies are spending more on
cyber and digital protection than ever before. Estimates are that it costs
companies within the financial services industry, on average, about $2,300 per employee, while some firms pay as
much as $3,000 per employee. Considering the number of individuals employed by
some of the larger banks, this works out to roughly $750 million for the likes
of JPMorgan Chase or HSBC. These numbers have tripled within the last three to
four years.

But although companies may now be paying more to secure
infrastructures, protect critical business data and assure customer privacy,
criminals remain highly motivated by high-value targets in the digital realm
and have responded to more sophisticated protections by rapidly evolving their
method of attacks.

They do the same thing in response to the measures required
by regulation. There is an inherent lag time with respect to regulatory
creation and implementation – it can take up to 24 months just to understand
and identify weaknesses within existing regulatory guidelines, and the timeline
for compliance often requires between 12 to 18 months. What’s more, companies
whose security strategies are dictated by compliance are in effect providing
“access blueprints” to malicious actors. Cyber criminals immediately shift
tactics to target the weaknesses not covered in regulation.

The increasing digitization of financial services, via
cashless payments with cards (card not present) and mobile apps, has led to
greater overall digital capital flow. As more capital circulates on the digital
marketplace, companies become increasingly vulnerable to malicious
cyber-attacks. In addition, automation of cybercrime has become more common.
Crawlers are able to continuously and automatically sift through vast amounts
of data and search for vulnerabilities and exposed networks, sometimes even
without user input. These technologies help malicious actors more rapidly
acquire their targets, and the ease with which it is done lowers the threshold
of expertise required for operation, widening the opportunities to include bad
actors with less technical expertise.

Although financial services companies are alive to the risk
of their own breaches and are responding by beefing up cybersecurity protection
of their infrastructures, very few consider and respond to the cumulative
effects of other companies’ breaches which have already happened. Yet an
employee’s or partner’s personal information exfiltrated in one breach is often
used subsequently to gain unauthorized access to another infrastructure,
whether through password re-use or social engineering attacks.

And increasingly, criminals don’t need to be master hackers
to utilize much of this data. But they are exchanging it on the Deep Dark Web,
aggregating it and weaponizing it, in order to pursue enterprise-level targets.
The criminals use previously stolen identity data to copy new valuable company
IP, steal inside information about mergers and acquisitions, or even execute
actual account takeovers. And while most leader companies execute financial and
criminal background checks for their employees, too few know to do so when it
comes to the hygiene of employees’ digital footprints.

Financial services companies are among
the group of risk averse organizations responding by turning toward identity
intelligence capabilities. Identity intelligence comprises tools and practices
that scour the Deep Dark Web for known exfiltration of identity-related data,
from usernames and passwords to social security numbers and even addresses.
Identity intelligence providers are helping large banks, credit card issuers
and insurers understand and limit the “employee attack surface” created by
prior breaches. This next layer of situational awareness enables companies to
head-off problems that can be caused by password re-use, open the organization
to spear-phishing or enable even more complex social engineering attacks.

Making progress requires a more agile and strategic
approach, and firms within the financial services industry have led the way
toward using other forms of intelligence to prevent or mitigate such
cyberattacks. Threat intelligence companies have evolved to provide, according
to Gartner, the “context, mechanisms, indicators,
implications, and action-oriented advice about existing or emerging” hazards
companies need to make an informed decision about how to address security needs
and concerns.

But that technical threat
intelligence about a company’s IT infrastructure is not enough. The savviest
organizations are beginning to adopt a more proactive approach, by layering in
identity intelligence, or threat actor tracking. By combining open source
information with privately held data, intelligence analysts, security
operations, threat hunters, incident response and forensic professionals no
longer just play “whack-a-mole,” but instead delve deeper into understanding
precisely who is behind the attacks. This allows intel analysts and operators
not only to anticipate attack styles and catch the warning signs as early as
possible, but helps financial services firms learn more actionable information
to assist in their own protection. And it’s helping law enforcement put more
criminals behind bars.  Monica Pal is CEO for
4iQ

Comments are closed.