A new report from Verizon raises big concerns about how data security in the financial services industry.
According to Verizon’s 2018 Data Breach Investigations Report, 39 percent of malware-related data breaches involve malware, while Trojan botnets and denial of service (DoS) attacks are most common for the financial industry.
If credit unions hope to improve their security, “Reducing the level of reliance on the security practices of your members (customers) is key,” said Marc Spitler, senior manager of Verizon security research. “The sheer amount of successful authentications (almost 40,000) into applications using stolen customer credentials is concerning.”
The Verizon report includes data from 67 contributing organizations, with analysis on more than 53,000 incidents and 2,216 breaches from 65 countries. “We promote the use of multi-factor authentication to protect banking applications, which helps mitigate the risks of this attack method,” said Spitler.
Even more concerning, said Spitler, is that attacks are moving into business critical systems, which encrypt file servers or databases that inflict more damage and command bigger ransom requests.
“All companies need to ensure they have routine backups to fall back on in the not-unlikely case of a ransomware attack,” he advised. “Segregate assets that are more critical to protect them and prioritize them with regard to business continuity.”
A wide range of cyber attacks
At least one credit union analyst wasn’t surprised by the Verizon findings, noting that if credit unions want to be prepared they will have to fight as hard as the fraudsters.
“There are people who spend their whole lives looking for ways to commit fraud,” said Gene Fredriksen, chief security strategist at PSCU. “We have to spend the same amount of resources as they do.”
While Fredriksen said he may sound like a “broken record,” the biggest attacks, he noted, center around phishing scams, with employees and members falling victim.
According to the Verizon’s research, financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated. And at 96 percent of all cases, email continues to be the main entry point.
“Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education,” the report stated.
The DBIR also found that of the reported compromised data, 36 percent was personal, 34 percent was payment and 13 percent was banking.
Spitler described personal information similar to personally identifiable information (PII) or data that can be identifiable to an individual, which includes name and address, social security number or salary information, among other indicators.
“Payment information is limited to the data resident on the magnetic strip of a payment card and/or the PIN. Banking would be account numbers and other financial data,” he said. “Many of these can have overlap. When PII and banking info is part of the same record, we do not count them separately for an overall record loss count.”
The report also found that DoS, Everything Else, Crimeware and Payment Card Skimmers represent 82 percent of all security incidents. The “actor motives” were financial 93 percent of the time, with the balance being for espionage.
Fraud upticks were also found in the realm of cyber espionage. Fredriksen said that this often occurs when one employer is trying to hire an employee from a competitor and the new employee brings “tribal knowledge” to the position.
“The biggest cyber espionage we see is when someone leaves a company and doesn’t close out their rights,” he said. “After they leave, they continue to go back into the system and pull information. There are a lot of people who want to make a good impression on their new boss.”
In most cases, Spitler said “targeting trade secrets” or other intellectual property scams often begin with external actors “in the form of state-affiliated groups” executing a phishing campaign.
ATM jackpotting has also become an unfortunate reality for credit unions and banks. Fredriksen said good thieves can skim hundreds of dollars in mere minutes. He called on ATM providers and credit unions to be vigilant against these attacks, but said it is “just the latest” the industry is seeing in ATM-related fraud attempts.
Spitler explained that the level of ATM tampering is “typically much more significant” than just installing skimming devices. He noted there are certain “legacy ATMs” that feature less secure hardware set-ups, and many of those are likely to be found in non-financial institution industry locations.
“Asking the right questions to the manufacturer of the machines and understanding the level of work that would be required to successfully jackpot an ATM will provide organizations an idea of how easy such an attack is,” he said. “Understanding the weakness from a hardware and software point of view and ensuring that patch levels are up to date and the physical configuration does not mark ATMs in your environment as low hanging fruit is essential.”