A bank CEO said recently, "I have great products and great people, but security is top of mind and what keeps me up. You never know if you're going to be targeted. Do I have the right security posture?"
It's a question bank CIOs and CISOs are asking themselves lately. Although some insist that they have always made security a top priority and little has changed, experts say cyberhacktivist attacks and other threats to mobile and online banking security are driving banks to invest more in security technology and to join security information sharing forums like the Financial Services Information Sharing and Analysis Center. Signs are they're getting better at warding off attacks: an FS-ISAC survey shows that while the total number of account takeover attempts reported by financial institutions rose from 87 in 2009 to 314 in 2011, the percentage of cases where transactions were created and funds were sent out of the bank dropped to 32% in 2011 from a high of 70% in 2009. Bank security executives say they are focusing their security efforts on four areas: applications, network monitoring, DDoS and identity/authentication.
Malware, especially malicious programs targeting mobile apps, is still the largest and fastest-growing type of threat.
One bank CIO who spoke off the record feels that mobile attacks are increasing and consumers are apathetic. "The consumer who is attacked may not care," he says. "They go everywhere with the device, they let other people use it. But if the consumer has a problem with it, it's almost disposable to them. They just start over again or they hit a reset button."
The simple fact that customers spend so much of their lives on their mobile devices makes mobile app security a top priority. "As institutions have invested in protecting data at risk within the institution, which is important, we have to make sure we keep up security processes so mobile devices don't become the weak link," notes Bill Wansley, senior vice president at Booz Allen.
Most strains of malware are designed to do one thing: swipe a customer's user name, password and other personal information, in the hopes of eventually stealing money from their account.
The most common defense against fraud of this nature is analytics that pore through customer transaction data and find anomalies that indicate out-of-character behavior: a person who normally logs in from Southern California suddenly logging in from Eastern Europe, for example.
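A minimal version of the anomaly check described above, as an added illustration that is not part of the original article: each customer's login history becomes a baseline of countries and devices, and a new login is scored against it. The sample events, the risk weights and the two-hour "implausible travel" window are constructed for this example, not figures from any bank's system.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real bank data). Each event is
# (customer_id, ISO-8601 UTC timestamp, ISO country code, device id).
SAMPLE_LOGINS = [
    ("cust-001", "2012-10-01T09:12:00", "US", "dev-a"),
    ("cust-001", "2012-10-02T08:47:00", "US", "dev-a"),
    ("cust-001", "2012-10-03T09:05:00", "US", "dev-b"),
    ("cust-001", "2012-10-04T09:30:00", "US", "dev-a"),
    ("cust-002", "2012-10-01T20:00:00", "GB", "dev-c"),
    ("cust-002", "2012-10-02T21:15:00", "GB", "dev-c"),
]

# Hypothetical risk weights and thresholds chosen for this example.
NEW_COUNTRY_SCORE = 50
NEW_DEVICE_SCORE = 20
IMPLAUSIBLE_TRAVEL_SCORE = 30
TRAVEL_WINDOW = timedelta(hours=2)   # two countries within this window is suspect
REVIEW_THRESHOLD = 50                # at or above this, hold the session for review


def build_profiles(events):
    """Build a per-customer baseline: seen countries, seen devices, last login."""
    profiles = defaultdict(
        lambda: {"countries": Counter(), "devices": Counter(), "last": None}
    )
    # Process in time order so "last" really is the most recent login.
    for customer, ts, country, device in sorted(events, key=lambda e: e[1]):
        p = profiles[customer]
        p["countries"][country] += 1
        p["devices"][device] += 1
        p["last"] = (datetime.fromisoformat(ts), country)
    return profiles


def score_login(profiles, customer, ts, country, device):
    """Return (score, reasons) for a new login judged against the baseline."""
    p = profiles.get(customer)
    if p is None:
        # No history at all: treat like a first-seen country.
        return NEW_COUNTRY_SCORE, ["no login history for customer"]
    score, reasons = 0, []
    when = datetime.fromisoformat(ts)
    if country not in p["countries"]:
        score += NEW_COUNTRY_SCORE
        reasons.append(f"first login from {country}")
    if device not in p["devices"]:
        score += NEW_DEVICE_SCORE
        reasons.append(f"unrecognised device {device}")
    last_when, last_country = p["last"]
    # Different country than the previous login, too soon to have travelled.
    if last_country != country and timedelta(0) <= when - last_when <= TRAVEL_WINDOW:
        score += IMPLAUSIBLE_TRAVEL_SCORE
        reasons.append(f"{last_country} -> {country} within {TRAVEL_WINDOW}")
    return score, reasons


def needs_review(score):
    """Decision rule: should this login be stepped up or held for review?"""
    return score >= REVIEW_THRESHOLD


if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_LOGINS)
    for login in [("cust-001", "2012-10-04T10:00:00", "RO", "dev-x"),
                  ("cust-001", "2012-10-05T09:00:00", "US", "dev-a")]:
        s, why = score_login(profiles, *login)
        print(login, s, needs_review(s), why)
```

The scorer is deliberately additive so that each reason is visible to the analyst who reviews the case; real systems layer many more signals (transaction amount, payee history, session behaviour) on the same idea.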
Malware strains that target mobile apps tend to find and exploit vulnerabilities in the mobile app code. "I think app layer threats will continue to grow," says a former bank CISO.
Lack of input validation (input validation means making an application accept only the data it should, including its syntax and length) and cross-site scripting (a weakness that lets attackers inject client-side script into Web pages viewed by other users) are still the most exploited of the app vulnerabilities. They're also the easiest to identify in static code analysis, the easiest to fix during the development process, and the hardest to detect with technology. Avivah Litan, vice president and distinguished analyst at Gartner, says companies like Arxan and Metaforic offer mobile app wrappers that can obfuscate the mobile app code that the customer downloads to his phone, making it impossible to reverse-engineer.
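The two weaknesses named above, side by side, as an added example that is not from the original article: a payee nickname rendered into HTML by plain string concatenation (the vulnerable pattern), and the same rendering with an allowlist on input and HTML encoding on output. The nickname rule, the length limit and the markup are hypothetical choices for this illustration.

```python
import html
import re

# Hypothetical allowlist for a payee nickname: letters, digits, spaces and a
# few punctuation marks, 1 to 40 characters. Validation states what the
# application should accept (syntax and length) instead of hunting for bad input.
NICKNAME_RE = re.compile(r"^[A-Za-z0-9 .,'-]{1,40}$")


def validate_nickname(value):
    """Input validation: accept only the syntax and length we expect."""
    if not isinstance(value, str) or NICKNAME_RE.fullmatch(value) is None:
        raise ValueError(
            "nickname must be 1-40 characters of letters, digits, space or . , ' -"
        )
    return value


def render_payee_unsafe(nickname):
    """Vulnerable pattern: untrusted data concatenated straight into HTML.

    Whatever the user typed becomes markup, so a nickname containing a
    script element is executed by every browser that views the payee list.
    """
    return "<li class='payee'>" + nickname + "</li>"


def render_payee_safe(nickname):
    """Hardened pattern: validate on input, encode on output.

    Encoding is kept even though the allowlist already excludes angle
    brackets: the apostrophe it permits would still break out of a
    single-quoted attribute, so output encoding is the second layer.
    """
    clean = validate_nickname(nickname)
    return "<li class='payee'>" + html.escape(clean, quote=True) + "</li>"


def try_render(nickname):
    """Return (accepted, markup_or_error) so a caller can log rejections."""
    try:
        return True, render_payee_safe(nickname)
    except ValueError as err:
        return False, str(err)


def contains_script_tag(markup):
    """Tiny check used to show the difference between the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    # Constructed inputs: one ordinary nickname, one carrying a script element.
    for candidate in ["Mom's account", "<script>alert(1)</script>"]:
        print("unsafe:", render_payee_unsafe(candidate))
        print("safe:  ", try_render(candidate))
```

The unsafe renderer is what a static analyser flags as taint reaching an HTML sink; the safe one shows the two fixes that are cheap at development time, which is the article's point about where these bugs are easiest to catch.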
DENIAL OF SERVICE
In September and October, 12 large financial institutions' online banking sites were hit with distributed denial of service attacks. The Izz ad-Din al-Qassam Cyber Fighters took responsibility, and said that they would keep targeting large U.S. banks until a video called "Innocence of Muslims" is removed from YouTube. (YouTube will not take it down. The company has said the video falls within its guidelines as it is against Islam, but not against Muslim people, and thus not considered "hate speech.")