A bank CEO said recently, "I have great products and great people, but security is top of mind and what keeps me up. You never know if you're going to be targeted. Do I have the right security posture?"
It's a question bank CIOs and CISOs are asking themselves lately. Although some insist that they have always made security a top priority and little has changed, experts say cyberhacktivist attacks and other threats to mobile and online banking security are driving banks to invest more in security technology and to join security information sharing forums like the Financial Services Information Sharing and Analysis Center. Signs are they're getting better at warding off attacks: an FS-ISAC survey shows that while the total number of account takeover attempts reported by financial institutions rose from 87 in 2009 to 314 in 2011, the percentage of cases where transactions were created and funds were sent out of the bank dropped to 32% in 2011 from a high of 70% in 2009. Bank security executives say they are focusing their security efforts on four areas: applications, network monitoring, DDOS and identity/authentication.
Malware, especially malicious programs targeting mobile apps, is still the largest and fastest-growing type of threat.
One bank CIO who spoke off the record feels that mobile attacks are increasing and consumers are apathetic. "The consumer who is attacked may not care," he says. "They go everywhere with the device, they let other people use it. But if the consumer has a problem with it, it's almost disposable to them. They just start over again or they hit a reset button."
The simple fact that customers spend so much of their lives on their mobile devices makes mobile app security a top priority. "As institutions have invested in protecting data at risk within the institution, which is important, we have to make sure we keep up security processes so mobile devices don't become the weak link," notes Bill Wansley, senior vice president at Booz Allen.
Most strains of malware are designed to do one thing: swipe a customer's user name, password and other personal information, in the hopes of eventually stealing money from their account.
The most common defense against fraud of this nature is analytics that pore through customer transaction data and find anomalies that indicate out-of-character behavior: a person who normally logs in from Southern California suddenly logging in from Eastern Europe, for example.
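The anomaly analytics described above, as an added example that is not from the article: a small login-geography check run over constructed login records. It flags a login from a region the customer has never used before and, going slightly beyond the article's single example, a login that would require implausibly fast travel from the previous one. User names, coordinates and the speed threshold are assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample logins (not real data): user, UTC timestamp, region, latitude, longitude
LOGINS = [
    ("alice", "2012-10-01T08:05:00", "Southern California", 34.05, -118.24),
    ("alice", "2012-10-02T19:40:00", "Southern California", 33.68, -117.83),
    ("alice", "2012-10-03T07:55:00", "Southern California", 34.05, -118.24),
    ("alice", "2012-10-09T09:10:00", "Eastern Europe", 50.45, 30.52),
    ("bob",   "2012-10-01T12:00:00", "New York", 40.71, -74.01),
    ("bob",   "2012-10-01T13:30:00", "London", 51.51, -0.13),
]

MAX_PLAUSIBLE_KMH = 1000  # assumed ceiling: faster than an airliner means the same person cannot be at both logins

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def flag_anomalies(logins, min_history=2):
    """Return (user, timestamp, reason) for logins that look out of character.

    Two checks: 'impossible travel' relative to the user's previous login, and
    a region never seen before once at least min_history logins form a baseline.
    Records are processed per user in timestamp order.
    """
    flagged = []
    history = {}  # user -> list of (datetime, region, lat, lon) seen so far
    for user, ts, region, lat, lon in sorted(logins, key=lambda r: (r[0], r[1])):
        dt = datetime.fromisoformat(ts)
        seen = history.setdefault(user, [])
        if seen:
            prev_dt, _, plat, plon = seen[-1]
            hours = (dt - prev_dt).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            baseline = {r for _, r, _, _ in seen}
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                flagged.append((user, ts, f"impossible travel: {km:.0f} km in {hours:.1f} h"))
            elif len(seen) >= min_history and region not in baseline:
                flagged.append((user, ts, f"new region: {region}; baseline {sorted(baseline)}"))
        seen.append((dt, region, lat, lon))
    return flagged

if __name__ == "__main__":
    for hit in flag_anomalies(LOGINS):
        print(hit)
```

In production the baseline would come from months of history and the hit would feed a step-up authentication or review queue rather than a print statement.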
Malware strains that target mobile apps tend to find and exploit vulnerabilities in the mobile app code itself. "I think app layer threats will continue to grow," says a former bank CISO.
Lack of input validation (making an application understand what data it should accept, including syntax and length) and cross-site scripting (a weakness that lets attackers inject client-side script into Web pages viewed by other users) are still the most exploited of the app vulnerabilities. They're also the easiest to identify in static code analysis, the easiest to fix during the development process, and the hardest to detect with technology. Avivah Litan, vice president and distinguished analyst at Gartner, says companies like Arxan and Metaforic offer mobile app wrappers that can obfuscate the mobile app code that the customer downloads to his phone, making it impossible to reverse-engineer.
DENIAL OF SERVICE
In September and October, 12 large financial institutions' online banking sites were hit with distributed denial of service attacks. The Izz ad-Din al-Qassam Cyber Fighters took responsibility, and said that they would keep targeting large U.S. banks until a video called "Innocence of Muslims" is removed from YouTube. (YouTube will not take it down. The company has said the video falls within its guidelines as it is against Islam, but not against Muslim people, and thus not considered "hate speech.")
Online banking functions were affected, generally for brief periods of time. "No real critical or core operational functions were really directly affected by these attacks," says William B. Nelson, president and CEO of the Financial Services - Information Sharing and Analysis Center, Reston, Va. "They didn't have payments collapse or their loan system destroyed, the checking account system worked," Nelson says.
The targeted banks have been working together to share information about the threats and their efforts to defend themselves, helped in part by FS-ISAC. (FS-ISAC also gathers threat and mitigation information from its members and sends out anonymized reports and alerts.)
In spite of the website outages that occurred in the fall, Nelson considers the response to the DDOS attacks "a huge success story." The government is working with the banks, and their internet service providers are helping them identify where the threats are coming from and do something about it. "It's been one happy community," he says.
Bank security executives agree they've formed a close network in the face of shared danger. "In the security community, it is not considered a competitive advantage to watch your competitor get tipped over from a DDOS. There's no honor in that, and security folks don't think that way," says the former CISO.