Cybersecurity experts agree that the threats facing financial services providers aren’t just increasing; they’re doubling with each passing year.
In fact, a new report from cybersecurity company Kaspersky states that the amount of data held by financial services companies makes them prime targets for “cyberthreat actors,” but the company cautions that even the most advanced security protocols may not be enough to protect against an attack.
So, what specific threats should companies be on the lookout for in 2020 and beyond?
According to the report, Kaspersky expects to see a rise in paid access to banking infrastructure and ransomware attacks against banks over the next 12 months.
There are several reasons for the expected increase in attacks, including the consolidation in the banking industry over the last several years, along with banks' apparent willingness to pay up when held hostage by ransomware.
According to Kaspersky, the attackers' "prime targets" are likely to be small banks and other financial organizations that were recently bought by bigger companies and are rebuilding their cybersecurity systems to meet the standards of their new parent companies.
"It is also expected that the same banks may become victims of targeted ransomware attacks, as banks are among those organizations that are more likely to pay a ransom than accept the loss of data," Kaspersky added.
Kaspersky also cautions that there are already “large-scale, anti-fraud bypass” efforts underway.
Over the last few years, Kaspersky notes, cybercriminals have invested seriously in ways to bypass anti-fraud systems, because in many cases a user's login, password, and personally identifiable information are no longer enough on their own to gain access to an account.
And, according to the report, those investments are paying off because there is now a "huge underground market" called Genesis, which sells digital fingerprints of online banking users from all over the world.
Digital fingerprints include a combination of system attributes that are unique to each user's device, and the personal behavioral attributes of that user, including the IP address (external and local), screen information (screen resolution, window size), firmware version, operating system version, browser plugins installed, time zone, device ID, battery information, fonts, etc.
The report states that the "Genesis Store" is an online, invitation-only "private cybercriminal market" for stolen digital fingerprints.
According to Kaspersky, it uncovered more than 60,000 stolen bot profiles on the Genesis Store earlier this year. These profiles include browser fingerprints, website user logins and passwords, cookies, credit card
Combine all of that information together and criminals are able to "masquerade as legitimate online banking users from any region, country, state, city, etc." and gain access to banking systems.
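To make the anti-fraud bypass concrete, the Python example below is added here and is not code from the Kaspersky report or from this article. It builds a device fingerprint from the attribute set listed above and shows why such a fingerprint is replayable: a copied profile passes a fingerprint-only check unchanged, while a fresh challenge answered by a secret that is never part of the profile dump rejects the replay. The attribute values, the `DeviceKey` class, the `enroll`/`login` functions and the verdict strings are illustrative assumptions, not a description of any real bank's or Genesis's mechanics.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample of the attribute set the report describes; not real user
# data and not a real Genesis profile.
LEGIT_PROFILE = {
    "external_ip": "203.0.113.45",
    "local_ip": "192.168.1.23",
    "screen_resolution": "1920x1080",
    "window_size": "1600x900",
    "firmware_version": "1.12.4",
    "os_version": "Windows 10.0.18362",
    "browser_plugins": ["PDF Viewer", "Widevine CDM"],
    "timezone": "Europe/Berlin",
    "device_id": "c0ffee-0001",
    "battery": {"level": 0.81, "charging": False},
    "fonts": ["Arial", "Calibri", "Segoe UI"],
}


def fingerprint(profile):
    """Canonicalise the attribute set and hash it, the way a naive anti-fraud
    system might recognise a returning device."""
    canonical = json.dumps(profile, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def fingerprint_matches(enrolled_fp, presented):
    """Fingerprint-only check: anything that can reproduce the attributes passes."""
    return hmac.compare_digest(enrolled_fp, fingerprint(presented))


class DeviceKey:
    """Hypothetical stand-in for a secret held in a hardware keystore. It answers
    challenges but is never exported after enrolment, so a dump of browser state
    (cookies, passwords, fingerprint attributes) does not contain it."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)

    def export_for_enrolment(self):
        return self._key  # shared with the bank once, at enrolment only

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def enroll(profile, device):
    """Server-side record: the fingerprint plus the enrolled device secret."""
    return {"fp": fingerprint(profile), "device_key": device.export_for_enrolment()}


def login(record, presented, responder):
    """Two checks: the replayable fingerprint, then a fresh challenge that only
    the enrolled device can answer. Returns a verdict string."""
    if not fingerprint_matches(record["fp"], presented):
        return "fingerprint_mismatch"
    challenge = secrets.token_bytes(16)  # fresh per attempt, so old answers fail
    expected = hmac.new(record["device_key"], challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, responder(challenge)):
        return "device_proof_failed"
    return "ok"


def demo():
    device = DeviceKey()
    record = enroll(LEGIT_PROFILE, device)
    # Attacker's copy: identical attributes, which is what a fingerprint dump gives them
    stolen = json.loads(json.dumps(LEGIT_PROFILE))
    # A device response captured from an earlier session, replayed verbatim
    old_response = device.respond(b"challenge from an earlier session")
    replay = lambda challenge: old_response
    tampered = dict(stolen, timezone="America/New_York")
    return {
        "fingerprint_only_accepts_stolen": fingerprint_matches(record["fp"], stolen),
        "legit_device": login(record, stolen, device.respond),
        "stolen_profile_replay": login(record, stolen, replay),
        "changed_attribute": login(record, tampered, device.respond),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {verdict}")
```

The shared-secret HMAC is a simplification chosen to keep the example self-contained; a production deployment would bind the second factor to an asymmetric key pair (as FIDO2/WebAuthn does) so that the server holds nothing that could be used to forge a response if its own database leaks.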
The company notes that multi-factor authentication is the "best option" to avoid this type of intrusion, but cautions that even multi-factor authentication can be undermined when one of the factors is biometric, that is, when a person's physical features are used as a means of security.
"In theory, biometrics should solve a lot of problems associated with two-factor authentication, but practice has shown that it may not be so simple," Kaspersky notes. "Over the past year, several cases have been identified that indicate biometrics technology is still far from perfect."
One significant issue in biometric security is leaks of biometric databases, and there have been several of those in the last year.
"The most notorious was the leak of the Biostar 2 database that included the biometric data of over 1 million people. The company stored unencrypted data, including names, passwords, home addresses, email addresses and, most importantly, unencrypted biometric data that included fingerprints and facial recognition patterns as well as the actual photos of faces," Kaspersky noted. "A similar leak occurred at a US Customs and Border Patrol contractor, where biometric information of over 100,000 people was leaked."
So, even a user's face may not be enough to ensure the security of sensitive data.
Kaspersky also notes that fintech companies are facing increasing attacks as well.
"Mobile investments apps have become more popular among users around the globe, and this trend won't go unnoticed by cybercriminals in 2020," Kaspersky stated. "Not all of these apps utilize best security practices, like multi-factor authentication or protection of the app connection, which may give cybercriminals a potential way to target users of
Financial services providers also need to be aware that their own employees could be targets for hackers, who could use those employees to gain access to company systems.
There's been a rise in this type of cybercrime in recent years, especially in the real estate industry.
Several years ago, the Federal Trade Commission and the National Association of Realtors issued a warning to people interested in buying a home about scammers who were posing as real estate agents, Realtors and title insurance companies to steal consumers’ closing costs.
And last year, the federal government arrested nearly 75 people who allegedly participated in schemes designed to intercept and hijack wire transfers from businesses and individuals, including those involving real estate transactions.
And as Kaspersky noted, these types of phishing attacks are only going to increase, as the "human factor" is a constant "weak link" in
Kaspersky also noted that attackers may be willing to offer "large amounts of money" to insiders to get them to turn against their own
Kaspersky notes there are a number of ways that “insiders” may be recruited into schemes like these, including:
- By simply posting an offer on forums and offering a reward for certain information.
- The attackers may disguise their actions so that employees don’t realize they are acting illegally, disclosing personal information or engaging in insider activity. For example, the potential victims may be offered a simple job on the side to provide information, while being reassured that the data is not sensitive, though it may, in fact, relate to the number of funds in a bank client’s personal account or the phone number of an intended target.
- Blackmailing. We also expect to see increased demand for the services of groups engaged in corporate cyber-blackmail and, as a consequence, an increase in their activity.
"With 2020 on the horizon, we recommend security teams in potentially affected areas of the finance industry to gear up for new challenges," Yuriy Namestnikov, a security researcher at Kaspersky, said. "There is nothing inevitable in potential upcoming threats, it is just important to be properly prepared for them."