'Banks are being terrorized': Fallout from a year of data breaches

Millions of times in a day, a single financial institution was attacked by bots looking for a way in. Waves of automated infiltrators returned, again and again for months, probing for weaknesses.

The horror story, according to a new report from the security firm ThreatMetrix, is just one example of how banks have become top targets for cybercriminals as they step up attacks across all industries.

Overall, there was a 32% increase in cyberattacks in the third quarter from a year earlier, according to the report. Bank-specific attacks surged: Attacks in which phony mobile accounts were created rose 45% from the third quarter of 2016, and have grown 240% from 2015.

[Figure: pie chart showing the breakdown of where hackers attack bank websites, titled "Three key vulnerable points"]

Largely contributing to this trend is the availability of compromised personal data and user credentials on the darknet that fraudsters look to buy and sell. Much of it is gained by applying for loans or by compromising existing accounts, said Vanita Pandey, vice president of strategy and product marketing at ThreatMetrix.

“With the robust ‘identity marketplace’ and amount of identity data available on the dark web, fraudsters can open accounts or apply for loans and really seem genuine,” she said.

And these types of attacks tend to spike in the months after major data breaches, Pandey noted, meaning banks will soon be dealing with, or are already dealing with, higher attack volumes after the major Equifax breach disclosed in September.

“We see the biggest spikes following high-profile data breaches,” Pandey noted.

Of course, the threat doesn’t just end with the last data breach; cybercriminals are devising new methods every day to steal personal data and bank credentials. For example, security researchers at IBM X-Force this week reported discovering a new banking Trojan called IcedID.

According to a blog post written by IBM security researcher Limor Kessem, the malware targets U.S. banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites. Two major banks in the U.K. are also on the target list the malware fetches.

“The redirection scheme IcedID uses is not a simple handover to another website with a different URL,” Kessem wrote. “Rather, it is designed to appear as seamless as possible to the victim. These tactics include displaying the legitimate bank’s URL in the address bar and the bank’s correct SSL certificate, which is made possible by keeping a live connection with the actual bank’s site.”

This new scam highlights another element of cybersecurity for banks: educating customers on their role in helping prevent cybercrime.

“On our website we try to provide useful information for customers on fraud prevention,” said Cheryl Sorensen, president of Prosperity Bank in Houston. The bank publishes ongoing updates on what to do after a big data breach like Equifax, and tips for customers on how to be aware of fake banking apps that infect devices with malware once they’re downloaded.

Customer education is crucial since data can be compromised without a bank being breached, Pandey said.

“The customer is often the point of weakness,” she said. “Usually it’s a fraudster convincing a customer to download something malicious. The customer is increasingly becoming the point of vulnerability.”

This means banks have to be extra careful without detracting from the customer experience, Sorensen said.

“We double-check everything and put into place all kinds of security measures,” she said. “We also have training for employees and have them go through a series of tests. It’s become rampant and [banks] are being terrorized.”

Such a ubiquitous threat should force banks to be “quite rigorous looking for anomalies,” said Shawn Connors, principal, cybersecurity and privacy at PwC.

“If someone normally logs in once every three weeks, and now there’s much more frequent logins, or even if the activity in a particular session is abnormal, those are possible warning signs,” he said. “At the same time, you don’t want to interrupt the flow of commerce and normal transactions, so banks need to be vigilant.”

To do this most effectively, banks need to implement state-of-the-art fraud monitoring technology, Connors added.

Most fraud technology now “is largely dependent on static rules and known scenarios, and if something falls outside of those known patterns it gets looked at closer,” he said. “What’s on the horizon is banks are looking at [implementing] machine learning and AI technology that has a dynamic understanding of data and patterns.”

With customers asking for the ability to conduct more transactions and services digitally, such as opening an account entirely on a mobile device, there are concerns about whether the rise of these digital services is also making it easier for cybercriminals to target banks.

But Sorensen said such fears, while valid and ones that must be addressed, shouldn’t prevent banks from providing the digital experience customers are asking for.

“There’s always a period of trial and error when it comes to new technologies,” she said. “When the ATM first came out people were afraid to use it, and now there’s one on every corner.”

As for digital, Sorensen said, “I think the industry has been pretty adaptive and we’ve come a long way in a short period of time.”
