I had a friend in elementary school who liked to proclaim, mock-ominously and out of the blue, "When you least expect it, expect it."
No one can declare with certainty which cybersecurity threats will rise to the fore in 2016, except leaders of cybercriminal rings. And even they may not have a concrete plan.
Nevertheless, I’ll venture a few predictions, mostly safe ones, about cybersecurity in financial services in 2016, with the help of some top experts.
Cybersecurity rules for banks will get tougher. The New York Department of Financial Services has been aggressively pushing stronger security requirements for banks under its jurisdiction. If the department gets its way, two-factor authentication will be mandatory for customers’ access to online banking and for employees’ access to certain databases and external networks. Every bank will have to appoint a Chief Information Security Officer. And so on. It remains to be seen whether national regulators like the Office of the Comptroller of the Currency will give up their generally looser approach of recommending rather than mandating such practices, but they are certainly being pushed to take a harder line.
The problem with this is that bankers will concentrate on fighting the last war.
"This will distract from the real focus, which needs to be on cyber resilience measures that are forward looking and anticipatory in scope rather than defensive and reactive," said Steve Durbin, managing director of the Information Security Forum, a cybersecurity research firm. "But such is the nature of regulation — legislators occasionally wake up and issue historically focused edicts whilst cyber never sleeps and continues to innovate."
The crypto wars will heat up. The battle between governments and tech companies over access to customer data is sure to continue, with resolutions possible but unlikely in 2016. The issue: governments want large tech companies to provide a so-called "back door" to their systems, so that they may mine their databases for information about criminals and terrorists. As a practical matter, such back doors are the equivalent of a user name and password government officials can use to look up information they would normally need a search warrant to obtain. Apple and other tech companies have been resisting, arguing that the same back doors that give the government access to private information could be used by cybercriminals and bad actors.
In financial services, in 2015 we saw messaging provider Symphony stand up to this pressure. The company worked out a compromise with regulators under which it will archive copies of its clients’ messages for seven years. Four banks (Goldman Sachs, Deutsche Bank, Credit Suisse and Bank of New York Mellon) that are customers of and investors in Symphony agreed to turn over copies of their encryption keys to an independent custodian that could provide regulators with the access they seek.
Expect to see "more use of encryption by cybercriminals, cyberspies and other disaffected parties, with law enforcement unable to decrypt data messaging communications even if they have back doors into hardware operating systems and encryption software," said Avivah Litan, vice president at Gartner. However, she said, voice communications will continue to be open to law enforcement agencies because of their relationships with telecom carriers.
Password resets will become more disciplined. The security blogger Brian Krebs wrote in late December about how his PayPal account was hacked by cybercriminals linked to ISIS, through PayPal's "lazy authentication." An attacker called PayPal’s customer service call center and managed to impersonate Krebs and reset his password by providing the last four digits of his Social Security number and the last four numbers of an old credit card account. PayPal had given Krebs a key fob that generates security passcodes for two-factor authentication, but did not require the passcode for a password reset.
PayPal said in a statement that its standard procedures were not followed in this case. "While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again," the company wrote.
The story illustrates one of the many places where the balance between convenience and security is delicate.
"The way to solve that problem is to take a very harsh stance — for instance, 'if we've issued you a multifactor token and you lose it, we can't help you get access to your account,'" said Dominic Venturo, chief innovation officer at U.S. Bank. "That wouldn't go over well in the banking industry. So as a result, you've got to balance that carefully."
Consumers are starting to be aware of and demand two-factor authentication, and bank regulators are starting to demand it too (especially in New York). Challenge questions (such as your first pet's name) are no longer enough to provide that second factor, because the answers are too easy to find on the Internet. In 2016, we’ll see more banks adopt mobile authentication, sending a passcode to the user’s smartphone via text message or email.
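The PayPal episode above is a recovery flow that is weaker than the login it protects: knowledge-based answers (last four of an SSN, an old card number) were accepted for a reset even though a hardware token was enrolled. The following is an added illustration, not PayPal's or any bank's code, modelling the weak policy beside a policy that makes recovery honour whatever stronger factor the account already has; the factor names and account shapes are constructed for the example.

```python
"""Password-reset policy model: recovery must not be weaker than login.

Added example. Models the 'lazy authentication' failure described in
the article and a hardened alternative. Factor categories and the
sample accounts are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"      # last-4 SSN, old card number, pet's name: discoverable
    POSSESSION = "possession"    # one-time code from an issued key fob or app
    DEVICE = "device"            # code delivered to the enrolled phone or e-mail


@dataclass(frozen=True)
class Account:
    enrolled: frozenset  # factors the customer has set up


@dataclass(frozen=True)
class ResetAttempt:
    presented: frozenset  # factors the caller actually proved


def lazy_reset_allowed(account: Account, attempt: ResetAttempt) -> bool:
    """Weak policy: any single proven factor, including knowledge answers,
    unlocks a reset. This ignores the token the customer was issued."""
    return bool(attempt.presented & account.enrolled)


def strict_reset_allowed(account: Account, attempt: ResetAttempt) -> bool:
    """Hardened policy: once any non-knowledge factor is enrolled, a reset
    requires proving at least one of them; knowledge answers alone are no
    longer sufficient. Accounts with only knowledge factors fall back to
    them, which is exactly the weakness the article flags."""
    strong = {f for f in account.enrolled if f is not Factor.KNOWLEDGE}
    if strong:
        return bool(strong & attempt.presented)
    return Factor.KNOWLEDGE in attempt.presented


def reset_decision(account: Account, attempt: ResetAttempt) -> str:
    """Audit-log friendly verdict so the call-center path is reviewable."""
    if strict_reset_allowed(account, attempt):
        return "allowed"
    if lazy_reset_allowed(account, attempt):
        return "denied: knowledge-only reset on an MFA-enrolled account"
    return "denied: no valid factor presented"
```

The `reset_decision` string is what a defender would want in the support system's audit trail, so knowledge-only attempts against token-enrolled accounts can be counted and investigated.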
The insider threat will escalate. In late December, it came out that two private bankers at JPMorgan had been using ATM cards they issued to steal up to $400,000 from 15 accounts over the course of a year. Most of the accounts reportedly were dormant ones belonging to dead people who were still receiving Social Security deposits because of a reporting error.
Litan predicts more insider theft and collusion in the coming year, sometimes motivated by financial gain, sometimes by the employee’s radicalization or spite.
"Many of these inside jobs will be committed by lone wolves, or actors who are disgruntled, and who are able to commit serious damage just by using system access rights they already have," she said.
Part of the problem is third parties such as vendors and contractors that fall into the "insider" category. In the 2013 Target breach, for instance, it was an HVAC vendor that inadvertently allowed access to the network running the store's point-of-sale terminals, from which card data was scraped.
"This is one of the most complex areas to guard against and it will require continued investment in state-of-the-art security monitoring and resource management systems," Durbin said.
The Internet of Things will introduce new security and privacy risks. This goes in the "duh" category. How could quickly connecting billions of new items to the internet (6.4 billion "things" will be linked to the web in 2016, according to Gartner, with 5.5 million added every day) not bring risks to privacy and security?
The particular problem for banks here is they may not have the IT and security talent to deal with the odd new security threats that arise as customers’ smartphones are pinged with messages, alerts and whatnot from wireless sensors and other new connected devices.
"I see the Internet of Things adding privacy, supply chain and data management and data integrity issues whilst we are still no closer to shrinking the skills gap between those cyber skills that we need and those that are actually available," Durbin said. Banks' chief information security officers "should prepare to build information security capabilities across the organization and position the executive team to recognize and retain talent, both those who have come up through the ranks and newer employees who have worked in a digital environment and business roles."
Banks and payment companies will remain popular targets. "Adversaries will continue to target the financial services industry to steal funds, obtain sensitive information, disrupt operations, destroy data and equipment, or harm the reputation of financial institutions," said Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (the industry’s cybersecurity data-sharing hub).
Litan said she expects to see "a continued escalation of massive, low and slow, distributed, under-the-radar attacks against consumer services with websites that host digital wallets or stored value, such as coffee cards, gift cards, wallets with credit card numbers stored for fast check out, airline point programs, and hotel point programs." Companies’ mobile application programming interfaces are a likely target for hackers, she said.
Identity theft and impersonation will continue to plague consumers and their financial institutions. Litan also said she anticipates more theft of U.S. consumers’ personally identifiable information in 2016. "Some government agencies have told us that over half of their citizens’ PII data has been compromised," she said. Next year, 65% of all Americans will have had some personal or financial data compromised, but not necessarily used, she forecasted.
Once again, humans are liable to be the weak link.
"Adversaries will continue to abuse the trust individuals have with others and each other with trusted assets by impersonating a trusted individual or entity in order to deceive, destroy, disrupt, or steal," Nelson said. "Social engineering will continue to play a major role in combination with technical capabilities."
Email will remain a primary vehicle for injecting malware and conducting reconnaissance. It will also be a vehicle for phishing, including targeted attacks on senior executives. "However, as security teams improve email filtering and examination capabilities and users become more aware of email tactics, the delivery of malware may migrate to delivering malware through web pages or online advertising," Nelson said.
Card-not-present fraud will rise. Many experts, including Litan, anticipate that the adoption of EMV chip cards in the U.S. will lead to a notable increase in fraud with online shopping and phone orders, as happened in the U.K.
Sharing of information about cybersecurity breaches will increase. Banks share information about cybersecurity incidents with each other (the FS-ISAC, which brokers this information, has 7,000 member companies, 2,000 of which signed up in 2015). But communication with government agencies has been less frequent.
That will change now that the Cybersecurity Information Sharing Act of 2015, which Congress slipped into its eleventh-hour omnibus spending bill, gives safe harbor to those who share.
"In the past, the lawyers normally put a stop to meaningful information sharing because of liability concerns that should be eliminated now under the new legislation," Litan said.
Unfortunately, the law provides little privacy protection for consumers whose personal data gets mixed in with incident reports. Hopefully the agencies that receive this data have better security practices than the Office of Personnel Management.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.