Cybersecurity experts agree that the threats facing financial services providers aren’t just increasing; they’re doubling with each passing year.
In fact, a new report from cybersecurity company Kaspersky states that the amount of data held by financial services companies makes them prime targets for “cyberthreat actors,” but the company cautions that even the most advanced security protocols may not be enough to protect against an attack.
So, what specific threats should companies be on the lookout for in 2020 and beyond?
According to the report, Kaspersky expects to see a rise in paid access to banking infrastructure and ransomware attacks against banks over the next 12 months.
There are several reasons for the expected increase in attacks, including the amount of consolidation that there’s been in the banking industry in the last several years, along with banks’ seeming willingness to pay up when held hostage by a ransomware attack.
According to Kaspersky, the attackers “prime targets” are likely small banks and other financial organizations that were recently bought by bigger companies that are rebuilding their cybersecurity system in accordance with the standards of their new parent companies.
“It is also expected that the same banks may become victims of targeted ransomware attacks, as banks are among those organizations that are more likely to pay a ransom than accept the loss of data,” Kaspersky added.
Kaspersky also cautions that there are already “large-scale, anti-fraud bypass” efforts underway.
Over the last few years, Kaspersky notes that cybercriminals have seriously invested in ways to bypass anti-fraud systems, because, in many cases, a user’s login, password, and personally identifiable information is not enough to gain access to their accounts.
And, according to the report, those investments are paying off because there is now a “huge underground market” called Genesis, which sells digital fingerprints of online banking users from all over the world.
Digital fingerprints include a combination of system attributes that are unique to each user’s device, and the personal behavioral attributes of that user, including the IP address (external and local), screen information (screen resolution, window size), firmware version, operating system version, browser plugins installed, time zone, device ID, battery information, fonts, etc.
The report states that the “Genesis Store” is an online, invitation-only “private cybercriminal market” for stolen digital fingerprints.
According to Kaspersky, it uncovered more than 60,000 stolen bot profiles on the Genesis Store earlier this year. These profiles include browser fingerprints, website user logins and passwords, cookies, credit card information, etc.
Combine all of that information together and criminals are able to “masquerade as legitimate online banking users from any region, country, state, city, etc.” and gain access to banking systems.
The company notes that multi-factor identification is the “best option” to avoid these type of intrusions, but cautions that even multi-factor identification can be breached due to issues with biometrics, using a person’s physical features as a means of security.
“In theory, biometrics should solve a lot of problems associated with two-factor authentication, but practice has shown that it may not be so simple,” Kaspersky notes. “Over the past year, several cases have been identified that indicate biometrics technology is still far from perfect.”
One significant issue in biometric security is leaks of biometric databases, and there have been several of those in the last year.
“The most notorious was the leak of the Biostar 2 database that included the biometric data of over 1 million people. The company stored unencrypted data, including names, passwords, home addresses, email addresses and, most importantly, unencrypted biometric data that included fingerprints and facial recognition patterns as well as the actual photos of faces,” Kaspersky noted. “A similar leak occurred at a US Customs and Border Patrol contractor, where biometric information of over 100,000 people was leaked.”
So, even a user’s face may not be enough to ensure the security of sensitive data.
Kaspersky also notes that fintech companies are facing increasing attacks as well.
“Mobile investments apps have become more popular among users around the globe, and this trend won’t go unnoticed by cybercriminals in 2020,” Kaspersky stated. “Not all of these apps utilize best security practices, like multi-factor authentication or protection of the app connection, which may give cybercriminals a potential way to target users of such applications.”
Financial services providers also need to aware that their own employees could be targets for hackers, who could use those employees to gain access to company systems.
There’s been a rise in this type of cybercrime in recent years, especially in the real estate industry.
Several years ago, the Federal Trade Commission and the National Association of Realtors issued a warning to people interested in buying a home about scammers who were posing as real estate agents, Realtors and title insurance companies to steal consumers’ closing costs.
And last year, the federal government arrested nearly 75 people who allegedly participated in schemes designed to intercept and hijack wire transfers from businesses and individuals, including those involving real estate transactions.
And as Kaspersky noted, these types of phishing attacks are only going to increase, as the “human factor” is a constant “weak link” in companies’ security.
Kaspersky also noted that attackers may be willing to offer “large amounts of money” to insiders to get them to turn against their own companies.
Kaspersky notes there are a number of ways that “insiders” may be recruited into schemes like these, including:
- By simply posting an offer on forums and offering a reward for certain information.
- The attackers may disguise their actions so that employees don’t realize they are acting illegally, disclosing personal information or engaging in insider activity. For example, the potential victims may be offered a simple job on the side to provide information, while being reassured that the data is not sensitive, though it may, in fact, relate to the number of funds in a bank client’s personal account or the phone number of an intended target.
- Blackmailing. We also expect to see increased demand for the services of groups engaged in corporate cyber-blackmail and, as a consequence, an increase in their activity.
“With 2020 on the horizon, we recommend security teams in potentially affected areas of the finance industry to gear up for new challenges,” Yuriy Namestnikov, a security researcher at Kaspersky, said. “There is nothing inevitable in potential upcoming threats, it is just important to be properly prepared for them.”