Cybercriminals who hack banks are mainly taking aim at their web servers and websites, according to Verizon’s latest Data Breach Investigation Report.

The report, issued Thursday, covers 19,035 breaches (in which data has been accessed and maybe stolen) and 40,000 incidents (in which a breach occurs but investigators couldn’t confirm whether data was taken — an example might be a denial-of-service attack in which a website is shut down but nothing is stolen).

Almost a quarter of breaches in Verizon’s latest Data Breach Investigation Report affected financial organizations. The report covered more than 19,000 breaches and 40,000 other kinds of events. Adobe Stock

The report found in the world at large a significant rise in ransomware in 2016 — 50% more than in 2015. Cyberespionage attacks were also more frequent in 2016, especially in government and manufacturing.

Almost a quarter of breaches in the report affected financial organizations.

In financial services, distributed denial-of-service attacks — in which bad actors flood a website with so many connection attempts that it fails — were the most prevalent type of incident in 2016, according to the report, which counted 445 of them.

“People are targeting the denial-of-service attack to bring down the bank,” said Dave Hylender, senior risk analyst at Verizon and one of the authors of the report. Verizon’s researchers don’t know the hackers’ motivations.

Four years ago, a group aimed such an attack at dozens of banks to protest a YouTube video about the Prophet Mohammed. Today, some of these attacks could be done as a camouflage for more serious breaches — distract the IT department with a website shutdown so that no one will see you hack into a credit card database, perhaps.

The second most common type of cybercrime against banks cited in the report was web app attacks, which occurred 376 times in 2016. Verizon defines a web app attack as any incident aimed at a web application. This includes exploiting code-level vulnerabilities in the application as well as thwarting authentication mechanisms.

“Criminals are using web app vulnerabilities to get in to steal usernames and passwords,” Hylender said. They are usually motivated by the desire for financial gain. Overall, about 96% of security breaches at banks are financially motivated and 1% are espionage, according to the report.

Payment card skimming came in third, with 53 incidents reported. Verizon researchers have seen a decrease in ATM skimming and an increase in gas pump skimming, which might be related to the fact that the card networks have given fuel pump owners an extra year to comply with EMV, making the pumps attractive to criminals who want to get the most out of their magnetic stripe card skimmers.

So what should banks take away from the report’s findings?

“One thing financial services firms really need to do is look at their applications and web app development,” Hylender said. “Security needs to be more built in to the software from the very beginning.”

Another thing banks could do is limit the amount of personal information or credentials stored on the web apps and encrypt whatever information has to be stored there. Two-factor authentication on web apps would also help, as well as patching to make sure that, for instance, the content management system is up to date.

And with denial-of-service attacks, they should evaluate the possible damage that could be done by an attack and put the effort into proper mitigation.

“If you’re a multinational banking concern that does primarily consumer products, your web presence is huge so you need to put forth the effort to protect against attacks,” Hylender said.

Of the dozens of security reports issued by vendors throughout the year, Verizon’s takes a more comprehensive approach.

It does not just report conclusions from the 500-odd breach investigations Verizon conducts each year, it also compiles data from 65 partners, including the U.S. Secret Service, Akamai Technologies, Arbor Networks, Center for Internet Security, CERT Insider Threat Center, Cisco Security Services, CrowdStrike, Cylance, Deloitte, EMC Critical Incident Response Center, Juniper Networks, Kaspersky Lab, McAfee and Palo Alto Networks.