Banks Remain the Top Target for Hackers, Report Says

For thieves, cash is usually the motive – so when high-tech crooks commit data breach crimes, banks are the top target.

Finance was number one on Verizon's list of industries hackers are trying to crack for the second year in a row, according to the telecommunication and technology company's recently released Data Breach Investigations Report.

Money-motivated crime accounted for three-quarters of all the breaches the DBIR investigation analyzed, trailed by state-affiliated espionage and intellectual property theft.

The report included data from 621 confirmed data breaches and more than 47,000 reported security incidents.

"The biggest takeaway for banks is they had a huge portion of ATM skimming and we had to account for that in some of our data analysis," says Jay Jacobs, a senior analyst with Verizon's RISK Team, the company's investigative response unit.

He adds that without ATM skimming, financial services companies drop from first place on the list to seventh, behind retail and food services.

The annual report details evidence collected during investigations of distributed denial of service attacks, network intrusions and insider incursions, conducted by Verizon's RISK team.

Verizon has been documenting this kind of activity in reports since 2004.

This year's DBIR research was more comprehensive than the last. It provides data from 19 different contributors, including Deloitte and the U.S. Secret Service. Last year, there were only six.

That makes it tough to measure the types of threats that loom larger for banks.

For instance, ATM skimming accounted for the bulk of the fraud incidents banks combatted over the past year. But it's impossible to say whether that type of activity increased in 2012 from the previous year -- mostly because of the sheer amount of data Verizon collected for the 2013 report.

Banks are increasing security around their mobile and online services. Cyber thieves have responded by zeroing in on what they perceive to be banks' vulnerabilities, says Jacobs.

"As we look at some of the targeted breaches and we look specifically at the financial industry, we see [hackers] focusing on these targeted and customized attacks," says Jacobs. "Trying to find a specific vulnerability and expose a weakness."

In the past, attacks have been somewhat automated, meaning that malicious software blanketed a bank's customers' and employees' computers with viruses. That devious software would in turn scan for usernames and passwords.

The more targeted attacks "are an indication that a lot of the larger banks are doing a pretty good job at the basic stuff," says Jacobs. "It's an indication of a maturity level."

The DBIR also said that attacks involving hacktivists have become more numerous since last fall.

"But the amount of data stolen has decreased, as many hacktivists have shifted to other forms of attacks, such as distributed denial of service (DDoS) attacks," said Verizon, in a press release.

Those attacks pose a different kind of threat to banks (loss of access to online banking, not account data) and are happening with increasing frequency. Just this month, Wells Fargo acknowledged two attacks in nine days that took down its online and mobile banking services for hours.

Indeed, bankers must work as hard at stopping attacks before they happen as they do monitoring their systems.

"I think we should all realize that we are in an era where financially motivated actors and even other types of actors are getting very sophisticated," says Chandan Sharma, the telecommunication company's global managing director. "They are very persistent, and you will have a breach."

Inevitably, banks can expect to be hit as technology becomes more pervasive in the services that those companies are providing to customers.

The only way to deflect a breach, Sharma says, is through monitoring efforts that can better assess threats.

Oftentimes, banks are among the last companies involved in a breach to know an attack is underway.

"It's the outside parties [law enforcement agencies and others] that tell banks that they have been breached," says Sharma.

The main lesson from the report, he says: Bankers must remain vigilant.
