Eight Lessons for Banks from the Data Breaches of 2014
Investigations of the major data breaches of 2014, which have involved about 927 million consumer records, are shedding light on the dark world of cybercrime. Here are eight lessons to guide bank security teams as they work to strengthen their defenses.
1. Hackers have become better organized.
"It's important to recognize that these are no longer folks doing this on their own, who are isolated, or who are doing it mostly for reputation and ego and notoriety," said Lillian Ablon, a researcher at the Rand Corp., a research organization based in Santa Monica, Calif. "These players are part of large organizations that have robust infrastructure."
Their hierarchies include managers, administrators and subject-matter experts such as cryptographers and "cyberlaunderers" who know how to turn stolen data into cash.
According to a recent Rand report, 80% of hackers were freelancers, and 20% were part of larger organizations, 10 years ago; today that ratio is reversed.
Many of these organizations look like typical businesses with a normal corporate infrastructure, she said. Sometimes the hackers work together at the same location, and other times they are just emailing back and forth across great distances, but all are working toward a common goal. Often they are tied to traditional criminal organizations.
2. Law enforcement is aggressively going after the black markets for stolen data.
In November, in a sting called Operation Onymous (a name meant to signal the bringing to light of formerly dark and anonymous sites), the FBI and Europol took down 414 websites (including the second incarnation of the notorious Silk Road) on the Tor network, which conceals users' identities. Authorities also made 17 arrests, mostly related to illicit drug sales.
U.S. law enforcement agencies, including the FBI, the Secret Service, and the Department of Homeland Security, are getting better at catching bad behavior on the Internet, partly because of collaboration among countries and among groups in this country, including the Financial Services Information Sharing and Analysis Center, a Washington-based organization that gathers and disseminates information about security incidents at banks.
3. Employees are often the weakest link.
"We continue to see that [hackers] are attacking users rather than banks directly," said Jake Kouns, chairman and chief executive of the Open Security Foundation. "Zeus, SpyEye, other trojans: it's the same thought process. I can attack a user, get into that person's machine, [and] then when she tries to go to the bank, let her type in the passwords and sit on her shoulder eavesdropping," said Kouns, who is also the chief information officer of Risk Based Security, a threat-intelligence company based in Richmond, Va.
Eighty percent of breaches have a root cause in employee negligence or human error, according to Michael Bruemmer, a vice president in Experian's Data Breach Resolution group, which has investigated close to 3,000 data breaches in the past year.
"Chip and PIN is great but if you have someone, such as a system administrator, get their credentials compromised and let [a hacker] into the payment or email system or [point-of-sale] terminal, that's where the problem is," he said. "It's not the technology; it's the people operating it."
For instance, employees lose laptops, create weak passwords and have their administration credentials stolen, among other mistakes.
The JPMorgan breach this past summer, which compromised the data of 76 million households and seven million small businesses, is believed to have originated with a hacker breaking into the computer of an employee working from home.
This all means banks need to get better at security training, Bruemmer said. "Unfortunately, companies are not spending enough on security and privacy training," he said. Only 54% of surveyed organizations conduct regular security-awareness training for all employees.
4. Third-party providers are a huge target.
Hackers, most notably those who broke into Target's point-of-sale network, have discovered that going after a third party, such as a heating and air conditioning provider, is also much easier than attacking a business directly.
"Assessing and better understanding the third parties you do business with should be on everyone's mind going forward," Kouns said. "Where we are currently is security is losing, and the attackers have the upper hand. It's an unfortunate situation but there are things that can be done to reduce your exposure."
For instance, requiring extra authentication beyond the basic username and password would help.
Avoiding third-party providers is not an option, Kouns acknowledged. "We all need vendors," he said. "Everyone is going to the cloud, and we have all these different services we rely on. Everyone needs to take a more proactive and continuous assessment approach, instead of an annual ticking off of a box."
Kouns advises banks to provide multiple levels of security controls for their data, just as they provide varying degrees of physical security in their branches.
"When you walk into a branch, it's open and inviting and they may give you lollipops for the kids," he said. "You're welcome in the lobby, behind the counter there's a little more security, [and] then further back there's a vault that has all the security."
5. Data breach fatigue is setting in.
American Banker recently asked readers about the effect of frequent news reports about data breaches. A little more than a third said they were experiencing fatigue and getting desensitized. A quarter said the news was making them extra vigilant about security. About 10% said they thought more consumers would try to stay off the grid and pay with cash.
"There are so many breaches going on, at some point we think data breaches are going to jump the shark and no one's going to care anymore," Kouns said. "We'll have that fatigue of, 'Another breach, what do I care?'"
Even highly publicized retailer breaches fail to make a lasting impression. "Every time there's a breach at a retailer, I go into the store after it happens and ask people, did you hear about this breach? Just to see if they have and what they say," Kouns said. "After two or three days, no one cares any more. The end consumer may be inconvenienced, but they're not going to be on the hook for money on the credit card. The banks bear this brunt."
In the financial industry, small banks and credit unions often think a breach will not happen to them, that only large companies are targets, Kouns said. "That's not true. All organizations, in all industries and of all sizes, are susceptible."
6. Open source software libraries will continue to be targeted.
Some data breaches of the past year took advantage of vulnerabilities in popular open source software. For instance, Heartbleed, the bug with its own website and logo, is a weakness in the widely used OpenSSL cryptographic software. The Bash bug is a vulnerability in a commonly used piece of software, the shell through which users and programs give a computer commands, that exists on hundreds of millions of computers worldwide running the Unix, Linux and Mac OS X operating systems.
"We're continuing to see the usage of these libraries in very critical products," Kouns said. "We'll see more of these issues come up. In the banking world, they don't have the right controls in place to monitor and understand these third-party libraries. That's something they're going to want to start focusing on."
7. Payment data breaches are expected to rise, then fall, as a consequence of the U.S.'s adoption of EMV card standards.
"Because of the implementation window of Oct. 15 for EMV chip and PIN, there are going to be continued attacks on brick-and-mortar retailers at the point of sale," Bruemmer said. When Europe adopted EMV, some fraud shifted from brick-and-mortar retailers to online stores. Experian's breach investigators anticipate a race among hackers to find vulnerabilities in both existing magnetic stripe payment terminals as well as newer EMV-compliant equipment.
"The hackers are getting ahead of it," Bruemmer said.
8. Business leaders are being held more accountable for data breaches.
The most obvious example of a head rolling after a data breach is Gregg Steinhafel, who was forced out as the CEO of Target in May, several months after the company's CIO, Beth Jacobs, lost her job for the same reason.
"It used to be the CEO and the board could distance themselves from what the CIO was responsible for," Bruemmer said. "They no longer can."
In a recent Experian survey of 680 senior executives, 17% said they were not aware if their organization had been a victim of a breach.
"That survey was taken a couple of months ago," Bruemmer notes. "If you did that now I think that number would drop significantly, because there's a lot more scrutiny from the board level on down. Senior executives are accountable not only for having the right security and technology in place for a breach, but also being personally accountable for the response."
Banking regulators have echoed this sentiment, and are backing it up with cybersecurity exams.