How faster internet could lead to cyberattacks on steroids
This story is the first installment in Credit Union Journal’s ongoing special report on cybersecurity, which will run throughout the month of October.
Nearly two years ago, fraudsters robbed a casino blind, at least of its database, through an unlikely vulnerability — a thermometer in the casino lobby’s fish tank.
The rise of 5G — the fifth generation of wireless communication standards — is expected to increase connectivity speed and data transfers. That will enable different types of wireless devices, such as fish tanks, to connect to the internet and transmit a wider bandwidth of data at a faster pace.
But all of this has a downside. With the onset of more devices connecting to the internet, attacks that were once unimaginable, like hackers stealing data through a fish tank, have become reality. As a result, credit unions will have a harder time defending themselves against cybercriminals.
“We’re trying to move to a more automated approach in identifying threats and pointing out to human beings what to look at,” said Rob Hoyle, chief information officer at the $971 million-asset Credit Union of America in Wichita, Kan. “That will play into the 5G conversation pretty significantly.”
The adoption of 5G is expected to ramp up in 2020, making it more difficult for financial institutions to patch their vulnerabilities against attacks, according to Justin Fier, Darktrace’s director for cyber intelligence. Basically, combining the internet of things — or IoT, meaning any gadget that has the ability to connect to the internet — with 5G is the equivalent of injecting steroids into these cyberattacks.
“From a security standpoint, we’re only just getting a handhold of IoT devices,” Fier said. “When you’re talking 5G being as little as a year out and this explosion of unregulated IoT devices, that’s a scary thought.”
That means that more types of devices connecting to the web are becoming fair game for fraudsters. And though some may snicker about it now, it’s not too far-fetched to picture a hacker penetrating a network through something like a smart toaster, left in the kitchen of an institution.
The global market for IoT devices continues to expand. The industry was valued at $190 billion in 2018 and is expected to reach $1.11 trillion by 2026, according to a report from Fortune Business Insights. There is even the possibility that ATMs will switch over to 5G, Fier said.
“I think the new threat with 5G is that its internet of things related,” Hoyle said. “There’s so many devices that are in play that are a huge problem.”
One of Fier’s favorite questions to ask clients is whether they know how many nontraditional devices they have on their network with a 5% margin of error. He has discovered that most people underestimated that number by 15% to 20%.
Although the new standard set forth by 5G may be exciting for consumers, it places even more pressure on financial institutions to protect against cybercrime. For one, data can flow through networks at a faster rate. That increases credit unions’ exposure to potential hacking.
“With increased speed will probably come reduced time for the institution to respond to incoming threats or requests,” said Jason Bernstein, a partner at the law firm Barnes & Thornburg. “Also, larger malware packages could be delivered to institutions faster, or by more wireless devices and harder to detect the wireless devices.”
IoT attacks can have a domino effect as well. Once hackers are able to breach one area they may discover other vulnerable devices to exploit. For example, Microsoft previously reported that Russian hackers had penetrated IoT devices that granted them access to private networks. That allowed the hackers to discover other unsecure IoT devices.
What is especially worrisome for credit unions is that even common devices and security measures can be manipulated against an institution, Hoyle said. For example, a hacker could infiltrate an iPhone’s pass lock and then manipulate the device to relay information back to them.
Credit unions can protect themselves by layering in multiple security steps, Hoyle said. They should also re-evaluate their insurance policies and consider adding more specific cyber insurance policies, added Scott Godes, a partner at Barnes & Thornburg. That could help cover any potential losses from a breach.
“A best practice would be to consider how broad the scope of coverage is within the policies, and whether there are exclusions that an aggressive insurance company could cite to try to limit coverage in case of an event like that,” Godes said.
Still, 5G remains unchartered territory, meaning many credit unions may be in a holding pattern until they have a firmer grasp on the technology. But the pressure is still on to guard against hackers.
“Financial institutions need to start thinking differently about their security,” Fier said. “Ask questions that may have been absolutely crazy years ago, but are not anymore.”