Malware attacks on banking and what the finance industry should do to regulate against these attacks.

As the internet continues to provide more ways to add convenience and enrichment to our lives, it becomes a fertile ground for today’s e-criminals who are technically savvy, highly motivated, and highly focused in their attacks. It used to be that thieves could only steal from those close enough for them to touch. Now, assets can be plundered from half a world a way, drastically increasing the number of malevolent actors we need defend against. How can we beat this global threat of cyber crime? Fundamentally, a flexible security approach is perhaps the single-most important step to protect against hacking-based theft.

Emerging online threats bring to light the sophistication of today’s hackers – which starkly contrast the preparedness of most financial institutions. Organised cyber criminals cleverly exploit the unprotected and exposed vulnerabilities of end users and their PCs. They perpetuate advanced targeted attacks, taking a variety of forms, from social engineered phishing email attacks that trick users into disclosing authentication credentials onto a counterfeit web site, through to drive-by download of spyware, virus and malware on the PC without the users’ consent. 

Web malware is perhaps the most dangerous, along with stolen or weak credentials, causing the most worrisome security breaches. Existing traditional firewall, IDS, antivirus and gateway defences provide little protection against them. These sophisticated exploits are able to control the application used to transact online (e.g. the web browser) and can be successful irrespective of the authentication method in place.The threats they pose to the resources and data of both financial organisations and users are contributing to rising fraud-suffered losses.

Understandably, most financial organisations are feeling some level of insecurity, and if they’re not, they should be. In the past few years there have been a spate of attacks by hackers and other cyber criminals. One of the most notorious being the attacks using the Zeus Trojan malwareto scam hundreds of millions of dollars from banking customers around the world, demonstrating that there are seriously skilled and dangerous cyber criminals out there, and that no financial organisation should rest on its laurels.

In light of this, the classical “perimeter” defence no longer exists as a method of securing online assets.Security threats are advancing at a rapid rate and therefore the level of protectionemployed by an organisation must be heightened. With the number of security attacks varying in strength and design, a proactive means of securing data and resources is required. To help identify the gaps in endpoint security and flexibility needed to serve a broad user base, fraud risk assessments must be conducted.

Notwithstanding, many financial service organisations are not equipped with a layered security and fraud prevention strategy advocated by regulators and security experts. Many are constrained by limited resources, fear of alienating customers with unfriendly user-interfaces or simply ablinkered view of the risks associated with cybercrime.The next level of technology to be adopted by banks needs to be cost effective, multi-functional, and holistic to ensure both security and compliance requirements can be addressed for the medium and long-term (such as avoiding fraud losses, minimising reputational risk, limiting customer impact, and scaling for the future).

Banks in particular now have a wide selection of token and token-less authentication, out-of-band (OOB) verification, malware detection and device/IP profiling, and risk scoring options to employ stronger adaptive authentication and real-time fraud prevention. Their retail and corporate customers can be distinguished for the appropriate level of security and user-friendliness, as well as contextually invoked for step-up authorisation on riskier transactions. This ensures compliance can be achieved when dealing with the multitude of customer data that streams through their online systems.

As more banks extend mobile banking and payment services, threat and risk opportunities for cyber criminals to perpetrate cross-channel fraud increase. To remain compliant banks must realise that the level of threats are ever changing and in order to prevent a breach they must have more flexibility in adapting security to their online and mobile applications. The increasing number of end users accessing networks via mobile devices, some of which will be unauthorised personal devices, means that defence in layers beyond strong user credentials is ever more apparent. As mentioned earlier, the most dangerous threats to a bank is unauthorised users hijacking the online experience of legitimate end users, and the mobile platform present similar threats and risks. 

Banks looking to migrate services to the cloud to harness efficiency and scalability will also require a cost-effective, in-depth security solution that is highly manageable and convenient for a large volume of end-users.Despite the increase of sophisticated malware, which has been a strong catalyst for more multi-layered security, banks need to strike a delicate balance between regulatory and risk requirements and their customers’ user experience to retain online transaction efficiency.

Whilst all of the above should be on the radar of all senior finance professionals who need to meet compliance regulations, there are plenty of warning signs out there aside from the security threats themselves. Earlier this year the Financial Services Authority (FSA) revealed that more than half of the fines handed out to financial services businesses in 2011 were due to weak risk management systems, including inadequate anti-money laundering controls and ring-fencing of client assets. A lightly disguised warning from the FSA on the need for financial organisations to prioritise their risk management strategies; this should not be ignored as the level of fines is likely to increase.

As the internet continues to provide more ways to add convenience and enrichment to our lives, it becomes a fertile ground for today’s e-criminals who are technically savvy, highly motivated, and highly focused in their attacks. It used to be that thieves could only steal from those close enough for them to touch. Now, assets can be plundered from half a world a way, drastically increasing the number of malevolent actors we need defend against. How can we beat this global threat of cyber crime? Fundamentally, a flexible security approach is perhaps the single-most important step to protect against hacking-based theft.

Emerging online threats bring to light the sophistication of today’s hackers – which starkly contrast the preparedness of most financial institutions. Organised cyber criminals cleverly exploit the unprotected and exposed vulnerabilities of end users and their PCs. They perpetuate advanced targeted attacks, taking a variety of forms, from social engineered phishing email attacks that trick users into disclosing authentication credentials onto a counterfeit web site, through to drive-by download of spyware, virus and malware on the PC without the users’ consent. 

Web malware is perhaps the most dangerous, along with stolen or weak credentials, causing the most worrisome security breaches. Existing traditional firewall, IDS, antivirus and gateway defences provide little protection against them. These sophisticated exploits are able to control the application used to transact online (e.g. the web browser) and can be successful irrespective of the authentication method in place.The threats they pose to the resources and data of both financial organisations and users are contributing to rising fraud-suffered losses.

Understandably, most financial organisations are feeling some level of insecurity, and if they’re not, they should be. In the past few years there have been a spate of attacks by hackers and other cyber criminals. One of the most notorious being the attacks using the Zeus Trojan malwareto scam hundreds of millions of dollars from banking customers around the world, demonstrating that there are seriously skilled and dangerous cyber criminals out there, and that no financial organisation should rest on its laurels.

In light of this, the classical “perimeter” defence no longer exists as a method of securing online assets.Security threats are advancing at a rapid rate and therefore the level of protectionemployed by an organisation must be heightened. With the number of security attacks varying in strength and design, a proactive means of securing data and resources is required. To help identify the gaps in endpoint security and flexibility needed to serve a broad user base, fraud risk assessments must be conducted.

Notwithstanding, many financial service organisations are not equipped with a layered security and fraud prevention strategy advocated by regulators and security experts. Many are constrained by limited resources, fear of alienating customers with unfriendly user-interfaces or simply ablinkered view of the risks associated with cybercrime.The next level of technology to be adopted by banks needs to be cost effective, multi-functional, and holistic to ensure both security and compliance requirements can be addressed for the medium and long-term (such as avoiding fraud losses, minimising reputational risk, limiting customer impact, and scaling for the future).

Banks in particular now have a wide selection of token and token-less authentication, out-of-band (OOB) verification, malware detection and device/IP profiling, and risk scoring options to employ stronger adaptive authentication and real-time fraud prevention. Their retail and corporate customers can be distinguished for the appropriate level of security and user-friendliness, as well as contextually invoked for step-up authorisation on riskier transactions. This ensures compliance can be achieved when dealing with the multitude of customer data that streams through their online systems.

As more banks extend mobile banking and payment services, threat and risk opportunities for cyber criminals to perpetrate cross-channel fraud increase. To remain compliant banks must realise that the level of threats are ever changing and in order to prevent a breach they must have more flexibility in adapting security to their online and mobile applications. The increasing number of end users accessing networks via mobile devices, some of which will be unauthorised personal devices, means that defence in layers beyond strong user credentials is ever more apparent. As mentioned earlier, the most dangerous threats to a bank is unauthorised users hijacking the online experience of legitimate end users, and the mobile platform present similar threats and risks. 

Banks looking to migrate services to the cloud to harness efficiency and scalability will also require a cost-effective, in-depth security solution that is highly manageable and convenient for a large volume of end-users.Despite the increase of sophisticated malware, which has been a strong catalyst for more multi-layered security, banks need to strike a delicate balance between regulatory and risk requirements and their customers’ user experience to retain online transaction efficiency.

Whilst all of the above should be on the radar of all senior finance professionals who need to meet compliance regulations, there are plenty of warning signs out there aside from the security threats themselves. Earlier this year the Financial Services Authority (FSA) revealed that more than half of the fines handed out to financial services businesses in 2011 were due to weak risk management systems, including inadequate anti-money laundering controls and ring-fencing of client assets. A lightly disguised warning from the FSA on the need for financial organisations to prioritise their risk management strategies; this should not be ignored as the level of fines is likely to increase.