I had a friend in elementary school who liked to proclaim, mock-ominously and out of the blue, "When you least expect it, expect it."
No one can declare with certainty which cybersecurity threats will rise to the fore in 2016, except leaders of cybercriminal rings. And even they may not have a concrete plan.
Nevertheless, I’ll venture a few predictions, mostly safe ones, about cybersecurity in financial services in 2016, with the help of some top experts.
Cybersecurity rules for banks will get tougher. New York regulators have been aggressively pushing stronger security requirements for banks under their jurisdiction. If the New York Department of Financial Services gets its way, two-factor authentication will be mandatory for customers’ access to online banking and for employees’ access to certain databases and external networks. Every bank will have to appoint a Chief Information Security Officer. And so on. It remains to be seen whether national regulators like the Office of the Comptroller of the Currency will give up their generally looser approach of recommending rather than mandating such practices, but they are certainly being pushed to take a harder line.
The problem with this is that bankers will concentrate on fighting the last war.
"This will distract from the real focus, which needs to be on cyber resilience measures that are forward looking and anticipatory in scope rather than defensive and reactive," said Steve Durbin, managing director of the Information Security Forum, a cybersecurity research firm. "But such is the nature of regulation — legislators occasionally wake up and issue historically focused edicts whilst cyber never sleeps and continues to innovate."
The crypto wars will heat up. The battle between governments and tech companies over access to customer data is sure to continue, with resolutions possible but unlikely in 2016. The issue: governments want large tech companies to provide a so-called "back door" to their systems, so that investigators can search those companies' databases for information about criminals and terrorists. As a practical matter, such back doors are the equivalent of a user name and password government officials can use to look up information they would normally need a search warrant to obtain. Apple and other tech companies have been resisting, arguing that the same back doors that give the government access to private information could be used by cybercriminals and bad actors.
In financial services, in 2015 we saw messaging provider Symphony stand up to this pressure. The company worked out a compromise with regulators under which it will archive copies of its clients’ messages for seven years. Four banks (Goldman Sachs, Deutsche Bank, Credit Suisse and Bank of New York Mellon) that are customers of and investors in Symphony agreed to turn over copies of their encryption keys to an independent custodian that could provide regulators with the access they seek.
Expect to see "more use of encryption by cybercriminals, cyberspies and other disaffected parties, with law enforcement unable to decrypt data messaging communications even if they have back doors into hardware operating systems and encryption software," said Avivah Litan, vice president at Gartner. However, she said, voice communications will continue to be open to law enforcement agencies because of their relationships with telecom carriers.
Password resets will become more disciplined. The security blogger Brian Krebs wrote in late December about how his PayPal account was hacked by cybercriminals linked to ISIS, through PayPal's "lazy authentication." An attacker called PayPal’s customer service call center and managed to impersonate Krebs and reset his password by providing the last four digits of his Social Security number and the last four numbers of an old credit card account. PayPal had given Krebs a key fob that generates security passcodes for two-factor authentication, but did not require the passcode for a password reset.
PayPal said in a statement that its standard procedures were not followed in this case. "While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again," the company wrote.
The story illustrates one of the many places where the balance between convenience and security is delicate.
"The way to solve that problem is to take a very harsh stance — for instance, 'if we've issued you a multifactor token and you lose it, we can't help you get access to your account,'" said Dominic Venturo, chief innovation officer at U.S. Bank. "That wouldn't go over well in the banking industry. So as a result, you've got to balance that carefully."
Consumers are starting to be aware of and demand two-factor authentication, and bank regulators are starting to demand it too (especially in New York). Challenge questions (such as your first pet's name) are no longer enough to provide that second factor, because the answers are too easy to find on the Internet. In 2016, we’ll see more banks adopt mobile authentication, sending a passcode to the user’s smartphone via text message or email.
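The reset weakness in the Krebs story, as an added illustration that is not PayPal's, any bank's, or the article's own code: a toy account-recovery policy in which knowledge-based proofs (partial SSN, old card digits, a challenge question) cannot substitute for an enrolled second factor, shown beside the lazy policy that lets them. The factor names, the account and the caller's proofs are constructed.

```python
from dataclasses import dataclass, field

# Knowledge proofs are facts an impersonator can often look up or buy;
# possession proofs require the enrolled device (key fob, app, phone).
KNOWLEDGE = {"ssn_last4", "card_last4", "challenge_question"}
POSSESSION = {"hardware_token", "totp_app", "sms_code"}

@dataclass
class Account:
    user: str
    enrolled: set                      # factors the customer has activated
    audit: list = field(default_factory=list)

def lazy_reset_password(acct: Account, proofs: dict) -> bool:
    """The weak policy from the article: two verified knowledge proofs reset
    the password even when a second-factor device is enrolled."""
    verified = {f for f, ok in proofs.items() if ok}
    return len(verified & KNOWLEDGE) >= 2

def reset_password(acct: Account, proofs: dict) -> bool:
    """Hardened policy. proofs maps factor name -> whether it verified.
    1. If a possession factor is enrolled, the reset must verify it;
       knowledge proofs never substitute for it.
    2. Otherwise at least two distinct knowledge proofs must verify.
    Every decision is appended to acct.audit so denials can be alerted on."""
    verified = {f for f, ok in proofs.items() if ok}
    enrolled_device = acct.enrolled & POSSESSION
    if enrolled_device:
        if not verified & enrolled_device:
            acct.audit.append(f"DENY {acct.user}: no second factor, "
                              f"presented={sorted(verified)}")
            return False
        acct.audit.append(f"ALLOW {acct.user}: verified {sorted(verified & enrolled_device)}")
        return True
    if len(verified & KNOWLEDGE) >= 2:
        acct.audit.append(f"ALLOW {acct.user}: knowledge-only (no device enrolled)")
        return True
    acct.audit.append(f"DENY {acct.user}: insufficient proofs {sorted(verified)}")
    return False

if __name__ == "__main__":
    # Constructed scenario mirroring the story: token enrolled, caller has
    # only the last four digits of an SSN and of an old card.
    holder = Account("customer-with-fob", {"password", "hardware_token"})
    caller = {"ssn_last4": True, "card_last4": True}
    print("lazy:", lazy_reset_password(holder, caller))      # True
    print("hardened:", reset_password(holder, caller))       # False
    print(holder.audit)
```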