The Target card data breach dominated headlines last year, but it was just one of hundreds of hacking incidents to hit banks and expose the personal information of their customers, according to Verizon's latest Data Breach Investigations Report.
The biggest security threats to banks last year were web app tampering, distributed denial-of-service attacks, and the increased use of payment card skimmers, according to Verizon's widely trusted report, which was released Monday. These three categories of attacks made up three-quarters of security incidents targeting banks.
Verizon, with the help of 50 partners including law enforcement agencies, the Financial Services-Information Sharing and Analysis Center, government agencies, other forensic investigation companies, and research companies, tracked 1,367 confirmed data breaches and 63,437 security incidents in 95 countries.
More than one-quarter — 27% — of all security breaches at banks last year involved web app attacks, the report found. In web app attacks, cybercriminals use a variety of tactics to interfere with web applications. Many start with phishing, a fake email sent to a customer that appears to be from their bank that tricks them into sharing their user name and password, or into clicking on a link that leads to the installation of malware on their machine. Brute-force password guessing can also be used in a web app attack. A less-used type of web app attack uses SQL injection, in which a hacker inserts malicious SQL statements into an entry field for execution; for instance, to dump the database contents to the attacker. (Distributed denial-of-service attacks can also be web app attacks, but due to the volume and impact of DDoS, Verizon broke those out separately.)
"Web attacks are everybody's scourge," says Dr. Anton Chuvakin, research vice president, security and risk management at Gartner. "As the Internet is growing, all sorts of less-skilled programmers are deploying applications. You have fewer security-minded programmers."
In five years, we'll all still be talking about web app attacks, he says.
The goal of web app attacks on banks is often to steal online banking user names and passwords.
"A lot of organizations whose web apps are being successfully breached are those still using single-factor" authentication, says Chris Novak, global managing principal, risk team at Verizon Enterprise Solutions. "The perpetrators look at that as an easy avenue to get into any one of these environments."
This is one reason why several banks, including U.S. Bancorp, Wells Fargo, and Westpac New Zealand are piloting biometric security, letting customers identify themselves to an online or mobile banking app (or even an ATM) with a fingerprint or with their voice. (Still, most banks will be offering biometric access as an option. It won't be a true deterrent to fraud until everyone uses it.)
The recently discovered Heartbleed bug has made many people rethink their website security, Novak says.
"The Heartbleed situation took the Internet by storm and all these organizations came out of the woodwork scanning their websites as if it was the first time they ever did it," he says. Security scans of websites ought to be routine for banks.
Another major threat is a distributed denial of service attack. Such attacks, while not technically data breaches, accounted for 26% of all bank incidents last year, according to the Verizon report.
They involve the launching of excessive, malicious streams of traffic at a web server in the hopes of slowing it down or stopping it altogether. The perpetrators usually don't try to steal data during an attack; they are generally trying to damage the integrity of a company's operations. Verizon included DDoS attacks in this year's report because they are becoming more widespread.
"It used to be that DDoS attacks were small and would pass quickly; a lot of organizations would put them by the wayside," Novak says.
Last year was the biggest ever for DDoS attacks; not only were there more incidents than in any previous year, the average size of individual DDoS attacks more than doubled from 4.7 gigabytes per second in 2011 to 10 gbps in 2013.
Many DDoS attacks last year went unreported in the press, but were investigated, Novak says.
"I think the reason they didn't make as big of a wave [as they did in 2012, the year the Izz ad-Din al-Qassam Cyber Fighters began their high-impact series of attacks on banks] was because more organizations were successfully mitigating them," Novak says. Because of DDoS mitigation practices and technology companies have put in place, although they're getting hit, they're scrubbing a lot of the malicious traffic, allowing the websites to remain in operation.
The perpetrators of these attacks are hard to find because of the large number of decentralized proxy points used. Yet in some cases, as with attacks launched by Al Qassam and Anonymous, attribution is obvious.
A large majority are politically motivated, Novak says. Some are financially motivated — the nuisance DDoS attack is just a diversionary tactic for a data theft taking place while security officers are focused elsewhere.
"We hear a lot of people theorizing about the smokescreen aspect, but that tends to be on the smaller end of the spectrum," Novak says.