Cybersecurity in Digital Banking: Strengthen Defences by Knowing Your Weaknesses
Friday, April 8, 2022
In a dangerous world, Ekaterina Khrustaleva, Chief Operating Officer at ImmuniWeb, offers plenty of stats and evidence.
Banks and financial institutions hold valuable data for millions of customers, enterprises, and government bodies, and they can’t afford to be negligent when it comes to digital security.
As consumers oversee bank accounts from PCs, tablets, or smartphones, many believe that internet banking is unsafe due to multiple incidents of fraudulent online transactions. Indeed a recent survey by Entrust discovered that, while 88% of consumers prefer to conduct banking transactions via the internet, a vast majority of respondents (90%) were concerned about the risk of banking or credit fraud.
Such concerns are not unfounded, as 59% of respondents admitted that they had received notification of a personal banking or credit fraud within the past 12 months, and 67% of them had switched to a different bank or credit union after receiving the fraud alert.
The challenge is on a global scale. In January, 2022, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) introduced a set of additional measures to strengthen digital banking security after a surge of phishing SMS scams, notably a December incident at Singapore’s second-largest bank, OCBC Bank, when more than 400 customers lost at least SGD 8.5 million (£4.8 million) due to fraud. An investigation revealed that the victims were tricked into visiting phishing websites where they provided their online banking log-in credentials and one-time passwords, enabling scammers to take over their accounts.
Yet more research by ImmuniWeb revealed that a whopping 97% of the world’s largest banks are vulnerable to mobile and web attacks. In terms of e-banking web-applications security, 85 banks out of 100 failed their GDPR compliance test, and nearly half of the banks (49%) were also unsuccessful in their PCI DSS (Payment Card Industry Data Security Standard) compliance test. Furthermore, 25% of the banks were not protected by a web application firewall. It was also found that 92% of mobile banking applications contained at least one medium-risk security vulnerability.
Only three banks (Switzerland’s Credit Suisse, Denmark’s Danske Bank, and Sweden’s Handelsbanken) received the highest grades “A+” both for SSL encryption and website security. What’s more, every single website tested had security, privacy and compliance issues related to abandoned or forgotten APIs, subdomains and web applications.
Experts at Cybersecurity Ventures predict that cybercrime will cost companies worldwide an estimated $10.5 trillion (£8 trillion) annually by 2025, up from $3 trillion (£2.3 trillion) in 2015. In the banking sector, cybersecurity incidents affect not only customers’ assets, but can lead to huge financial losses for banks while they attempt to recover the data.
When it comes to building resilience against cybersecurity risks, financial institutions face unique challenges, because they need to combat cyber threats like phishing and web application attacks while providing seamless service to their customers.
Web skimming (so-called Magecart attacks) is another security risk organisations (especially in the banking and online retail sectors) should be aware of. The name Magecart refers to a global syndicate of at least 12 cybercriminal groups that specialise in cyber-attacks involving digital credit card theft by skimming online payment forms. These subgroups are behind some of the world’s largest attacks, including British Airways and Ticketmaster in 2018, or online gold retailer JM Bullion in 2020. In the latter incident, hackers planted a malicious code on the company’s website that stole customers’ credit card information. Sadly, the malicious scripts went undetected for almost a year.
This case emphasizes that application security is not an ad hoc activity, but should be based on a continuous, risk-based and threat-aware set of processes involving internal and external experts.
In the financial sector, even a minor cybersecurity oversight can be damaging, especially if a mistake is made by a Fortune 500 company. In one such incident, Fiserv, a multi-billion-dollar provider of financial services technology solutions, used an unregistered domain as a default email, which could have exposed its clients’ user information to anyone ready to spend a few dollars to buy the domain.
Expired or non-existing domains are a rapidly growing but largely underestimated security risk. Many software developers unwittingly make typos or use non-existing domains for testing purposes thereby creating major risks.
For instance, countless production web applications, including sensitive enterprise systems, may include a JS or CSS from a non-existing domain – not a big deal until attackers buy the domain and inject malware instead of the JS. In this case, organisations should setup an ongoing domain inventory and monitoring system to avoid such incidents.
To keep up with digital banking trends and changing consumer expectations, banks are adopting emerging technologies (like biometric authentication, hybrid cloud, or AI-powered technologies) and new business models, but with innovation comes new risks.
Experts at Kaspersky predict that social engineering and account takeover fraud will become even more prevalent in 2022, as well as mobile banking trojans, cryptocurrency-related threats, and threats to online payment systems. Understanding the threats and potential weaknesses and how they could be exploited by malicious actors is the foundation of an efficient cybersecurity strategy flexible enough to adapt to the constantly changing threat landscape. Read Full Article
Professional Security: Crypto-related phishing scams