By Elida Policastro, Regional VP – Cybersecurity division at Auriga

Digital banking brings huge benefits to customers, but the risks of cyber-attacks continue to rise. For banks, there is a need to stay ahead of the game, anticipating new methods of attack so that innovative solutions can be put in place in time to minimise those changing threats.

In terms of attack targets, the ATM ecosystem is complex and made up of heterogeneous hardware and software that is expensive and difficult to update especially when ATMs and customer touchpoints need to be available 24/7. Because of this, financial organisations usually do not have the latest security policies in place, nor a centralised view of the ATM attack surface. It is vital that banks and ATM operators strike the balance between software deployment and hardware maintenance with keeping control of changes in software and hardware and ensuring the ATM network is as secure as possible.

This is critical because ATMs and central servers, which are the systems that control ATMs, have become a popular target for cyber-attacks. Last year, over a half (58%) of the global banking industry respondents to the ATMIA Global Fraud and Security Survey 2019 reported that ATM attacks, which includes both physical security breaches and fraud incidents, had increased.

ATM fraud attacks fall into three categories:

• Data fraud, resulting from data breach, such as account numbers, pin codes, and other personal data
• Physical fraud, consisting of theft of valuable assets, such as cash by stealing cards
• Cyber fraud – logical attacks to the systems and communications

Jackpotting is a an increasingly popular form of cyber-attack that exploits physical and software-based vulnerabilities in ATMs to get cash and thus an immediate financial reward for the attacker. It is estimated that in the last five years, financial organisations have lost millions to jackpotting. For example, the Ploutus family of ATM malware, which originally appeared in Mexico in 2013, has created losses of over $450 million dollars (€398 million) around the world.

ATMs suffer physical and logical attacks for several reasons: one is that the physical cash inside acts as an incentive, and another is that cash machines contain confidential information like debit card numbers and PIN codes, which can be stolen and sold.

Critically, ATMs are a weak link in a bank’s security systems. They appeal to attackers because they are often poorly monitored and little logical action is taken to protect the data in them. In addition, cyber-criminals have also realised that ATM networks utilise security infrastructure that is based on a great deal of legacy hardware and software. This is more vulnerable to attacks because of the high cost of upgrades and difficulty to install security updates with machines that are geographically dispersed and use older operating systems and protocols. Unfortunately, this results in insecure systems that can be easily exploited.

On top of all of that, there is a real risk of an insider threat. There are a lot of different people and roles responsible for the upkeep of an ATM and these all have administration rights, including employees from the financial institutions, service providers, developers and installers.

One of the main ways cyber adversaries attack ATMs is via the ‘XFS layer’, a standard interface designed to have multivendor software running on manufacturers’ ATMs and other hardware. While the XFS layer uses standard APIs to communicate with self-service applications, there is no standard way of secure authentication that comes with it, making it easy for cyber-criminals to exploit this vulnerability. Cyber-attackers can therefore deploy malware into banking touchpoints such as cash machines to trick them into giving ‘cash out’ commands and dispense money. The card reader may also be compromised – able to steal card numbers and track the pin pad to learn pin numbers, making the XFS layer a very attractive target. The importance of cybersecurity in banking is therefore only going to increase.

So, how should banks and ATM operators best prevent attacks? For ATMs, typical endpoint protection security such as anti-malware technology is just not enough. ATM networks and systems are critical infrastructure devices that need to be constantly available and so they require greater protection and a different approach.

The best approach is a centralised security solution that protects, monitors, and controls ATM networks and thus manages the entire banking asset network in one place and take appropriate action, such as stopping malware spreading throughout the network from infected ATMs.

Such modern technology solutions not only provide invaluable cybersecurity protection, they can also save banking organisations time and money, as ATM and infrastructure management is centralised into a single hub. Actions can be executed remotely to quickly establish new defences via techniques such as network segmentation or implementing new firewalls.

It is particularly important for banks to have several layers of protection in one single platform. Such layers could involve full disk encryption, application whitelisting, hardware protection and file integrity protection.

Although financial organisations are making a concerted effort to improve their security landscape, cyber-criminals are continuing to innovate their attacks, making it an environment of threats that is evolving and advancing. From this, banks must constantly be proactive in implementing and testing their cyber-defences. It is therefore wise to draw upon external counsel with specialist security knowledge to double check on security plans and processes and help ensure ATM security is up to date and preventative.

Cyber Threat Intelligence (CTI) can provide banks with an early warning system to detect and contain potential threats before they become incidents. This intelligence is essential for any business as cybersecurity threats become increasingly indiscriminate. Once they become aware of any relevant threats and vulnerabilities, then they will begin to understand where and how these can be exploited, as well as the impact this may have on both the business and individuals.

Awareness of the threat landscape is vital for banks to understand what could be exploited and utilised for future cyber-attacks. If they do not, they open themselves up to the very real possibility of experiencing security breaches, loss of sensitive customer data, and of course stolen cash.

By Pierre-Antoine Dusoulier, Founder and CEO, iBanFirst

Fraud on the rise

According to recent research from a leading UK retail bank, there was a 66 per cent increase in reported scams in the first six months of 2020 compared with the last six months of 2019 – due to the COVID-19 pandemic.

Across the summer months, Action Fraud UK reported a total financial loss of £11,316,266 by 2,866 victims of coronavirus-related scams.

The rise in fraud rates is a warning that banks, building societies and other financial providers need to be as alert as ever in identifying fraud.

So, what do banks need to do to ensure their customers are protected from fraud in a post-COVID-19 world?

Educate your customers to safeguard against fraud

On the customer level, banks need to be informing their customers on the types of common fraud to ensure that they are protected for all eventualities.

Authorised push payment scams are one of the fastest growing types of fraud. According to the FT, £354 million pounds was stolen this way last year. It is where a company or individual is tricked into paying money into a criminal’s account. Emails come from a genuine email address but are then intercepted by a criminal, so it’s imperative that businesses have end-to-end email encryption, and the customer double-checks the account details with the supplier on the phone prior to making a payment.

At the same time, scammers can also exploit the company’s invoicing process, where criminals create a bogus invoice for a small amount and send it to a company’s accounting department. If the finance team does not identify this as fraudulent, it can result in the business losing a considerable amount of revenue over a long period of time.

Supplier fraud is also a widespread scam. This involves the fraudster taking on the appearance of a supplier that has changed their bank details. The fraudster will have collected information on the suppliers of the targeted company, in order to pose as an official supplier. This can be prevented by ensuring that the supplier is contacted to confirm the legitimacy of the communication. It’s important not to call or email the supplier using the details provided on the suspected fraudulent correspondence. Instead they must check the original details of the supplier and speak to them on their official telephone number or email on file.

Banking malware is the least commonly cited type of fraud but has a greater financial risk attached to it. Malware is sent by email redirecting the recipients of the message to a fake banking interface, as a way of transferring funds to offshore accounts.

Remodel processes post-COVID-19 to keep customer data safe

To fight cyber fraud and scams, banks must also play their part. In a world where entire workforces are working from home banks must remain vigilant with customer data. COVID-19 has created a change in working habits and banks need to carry out the right level of training for its employees to protect customer data. Virtual team meetings and remote data sharing poses a threat to exposing sensitive information to malicious actors, and banks need to put the necessary safeguards in place.

All virtual meetings should use the banks’ private company network, and file sharing should be carried out through secure, encrypted company drives. Meanwhile, banks need to provision for all employees to receive regular software updates that will keep customer data safe, and ensure that they are aligned with new and existing data processing regulations.

Monitoring suspicious payments

A vital element to fraud detection is through monitoring customer transactions in real time, and harnessing emerging technologies such as artificial intelligence and machine learning to spot the signs of a scam or fraud before it is too late.

One way that banks protect businesses from fraud is through keeping a log and examining regular transactional history. Any transactions which appear suspicious based on location, amount, the beneficiary, and the method will be alerted to the business customer, to mitigate the immediate and future financial risk to the business.

Know your transaction

To understand financial flows better, every bank has a Know Your Customer (KYC) engine. This is a payment infrastructure that supports onboarding processes and risk-based transaction monitoring. This system is already well known and we don’t need to elaborate on this further, as it is the fundamental building block to ensure the highest level of traceability across all transactions – including remittances and receipts of funds and foreign exchange transactions internationally.

However, KYC is limited and doesn’t include real-time analysis. What can be overlooked is a KYT engine – Know your Transaction. The aim of KYT (Know Your Transactions) is to identify potentially risky transactions and their underlying unusual behaviour for detecting money laundering, fraud or corruption. An automated concentration of transactions with accurate and relevant information directly from the original data sources is essential.

Finally, banks and payment companies need to implement anti-fraud modules to defend against cyberattacks, based on the latest algorithms capable of analysing transactions issued in real time and detecting anomalies or suspicious behaviour upstream, strengthening the security and transparency of payments and building a network of trust between issuers and recipients of payments.

In a post-COVID-19 world it’s clear that scams will become more common place. Within this environment there is a shared responsibility when mitigating the risk of financial fraud. The bank must educate and inform customers to enable them to protect themselves, while ensuring a robust technological infrastructure and ways of working are in place that protects customer data; their finances, and fundamentally their business and livelihood.

By Robert Golladay, Strategic Accounts Director, Illusive Networks

Cybercriminals and hacktivists have a special fondness for financial institutions. Continuous business innovation, complex ecosystems, merger and acquisition activity, fintech, cloud adoption and a growing consumer-driven attack surface multiply the problem for financial organizations. Despite the vast resources financial institutions devote to cybersecurity, one challenge has been especially difficult to solve – that of detecting and stopping APTs before real damage is done.

Securing cloud-based banking

An active lender in the UK sought a new way to protect its customers and the valuable assets it holds. The bank needed to:

• Defend customer and employee information from compromise
• Detect and thwart sophisticated attacks
• Effectively defend cloud-based operations across accounts and instances

As a cloud-first company, the bank’s preference is to always invest in next-generation technology for operations and security infrastructure. In May 2016, with the help of Amazon Web Services (AWS), it became the first bank in the UK to be fully cloud hosted. The bank also uses AWS to deliver a financial technology service that helps lenders make informed decisions through data and automation.

Security is always a priority, which is one of the reasons the company chose AWS, conducts regular penetration testing, and performs advanced attack simulations. To maximize effectiveness of its layered security infrastructure, the company continually trains its employees and reinforces data security best practices.

In particular, the bank sought additional safeguards from sophisticated threats that evade other security measures, such as advanced persistent threats, as well as gain insight into attacker tactics and techniques. The new layer needed to be cloud-based for high scalability and flexibility, and it had to defend the company without time-wasting false positive alerts. The security team looked at deception technology and chose a solution that allowed them to gain real-time verification of anomalies and lateral movement in the network.

Choosing deception

The deception solution enabled the bank to focus on attackers’ behaviour and perspective. The solution’s expertise in attacker methodology augmented the bank’s internal capability to detect novel attacks, while enabling rapid and adaptable coverage in its cloud-based environment.

The bank’s deception solution uses agentless, intelligence-driven technology that creates a dense web of deceptions and effortlessly scales across the infrastructure. Featherweight deceptions on every endpoint look exactly like the bank’s real data, access credentials and connections. When an attacker is confronted with deceptions, this deceptive view of reality makes it impossible to choose a real path forward. One wrong step triggers an alert to the bank’s security team.

The bank’s CISO found it invaluable to be able to deploy a solution that creates doubt and confusion in an intruder’s mind. When attackers can’t distinguish between real and deceptive assets, the security team can collect information and apply intelligence to patterns that it has observed during that time period of activity. The solution simultaneously sharpens the bank’s investigative process and constrain the attacker.

The lender easily deployed deception technology across its complex environment, scaling it across AWS instances and accounts. The IT security team now has continuous visibility and confidence that these defences enable them to thwart sophisticated threat actors.

Deceptively secure

The bank gained proactive threat response and the assurance that an alert represents a real issue. These alerts are only triggered when an attacker engages with a deceptive asset. At that point, the deception technology immediately begins capturing forensic data from the system where the attacker is operating, presenting real-time forensics and a quantifiable measure of potential business risk. It uncovered, for example, malicious processes trying to operate on an endpoint.

The deception solution enables the lender to be much more proactive. It detects and analyses attacks in real time to produce actionable alerts, directing the security team to relevant and valuable conclusions. The technology provides exceptional, innovative coverage for malicious pivoting and lateral movement. It uncovers the in-depth, sophisticated actors who evade other countermeasures and gives security analysts direct visibility into targeted attacks, which they find invaluable.

A laser-focused approach

The financial sector remains a perennial favourite of the cybercriminal crowd. As networks become more complex, their perimeters all but disappear, creating the need for stronger and more comprehensive security than ever previously imagined. Advanced persistent threats are a particular concern, as they are notoriously difficult to detect before significant damage is done. For financial institutions, the reputation damage alone may be insurmountable.

Banks and other financial services organizations pour resources into cybersecurity, but one option that needs further exploration is deception technology. This method of security monitors for lateral movements toward critical assets and thus provides a powerful alternative or enhancement to traditional monitoring approaches. Security teams can see attackers’ proximity to those crown jewels early in the attack cycle, buying time for careful response. As the lender above learned, deception technology cuts through the noise of alerts to deliver the intel financial institutions need to act quickly and safeguard their high-value data.