Given the nature of the financial services industry, it is understandable why it is a prime target for cybercriminals. After all, financial institutions deal with large amounts of money as well as sensitive data, which could be used for other fraudulent activities.
Then there are hacktivists and nation-state actors, who are politically motivated cybercriminals seeking to cause disruption, for whatever reason. Some of the most common threats to financial services include phishing, web application attacks, DDoS, backdoors, supply-chain attacks, third-party vendors, and let’s not forget about our own employees – who account for 60% of all cyber-attacks.
According to the 2017 Cloud Security Report (registration required), web application attacks accounted for 73% of all security incidents, many of which are related to the financial sector. This is not surprising given that some have referred to the combination of finance with web applications as the “perfect storm”.
Last year, attacks on financial services accounted for 17% of cyber-attacks globally. In recent years we’ve seen an explosion of new entrants into the sector, as well as a whole host of web applications that collect payment card data and allow users to monitor their finances. Many organizations are keen to embrace the digital paradigm, yet relatively few are keeping up to speed with the latest cyber security trends, where new attack vectors are constantly emerging.
61% of online banks have a “poor or extremely poor protection level”. Every application that was involved in the analysis had vulnerabilities, which could have “potentially serious consequences”. For example, 54% of online banking applications that were tested were susceptible to fraud and theft. 77% of online banking applications had poorly implemented two-factor authentication (2FA), thus directly putting their users at risk.
Currently, most cyber-attacks on finance use spyware and key-loggers to extract payment information. However, there are many ways web applications can be compromised, some of which include Cross-Site Scripting (XSS), SQL Injection (SQLi), Distributed Denial of Service (DDoS), and more. Both XSS and SQLi are typically the consequence of failing to properly sanitize user input, which can be remedied through rigorous testing of web forms. Protecting against DDoS attacks is a bit more complicated, as they do not rely on vulnerabilities in the applications themselves.
Businesses must first establish an understanding of what is considered “normal network traffic” and be able to differentiate between human traffic and bots by comparing signatures, IP addresses, packet headers and various other attributes. While it is theoretically possible to mitigate DDoS attacks manually, it is not recommended. Instead, businesses should implement specialized anti-DDoS technology, which uses a large number of techniques including advanced threat intelligence, deep packet inspection, rate limiting, blacklisting/whitelisting, and a lot more. We are also seeing a significant rise in the number of Formjacking attacks – where attackers insert malicious code into web forms in order to extract payment card details. Most Formjacking attacks have been on e-commerce websites, although we will likely see more online banking applications being targeted.
As already stated, 60% of all cyber-attacks are carried out by insiders, yet many financial institutions are still primarily focused on external threats. Let’s keep in mind that insiders have legitimate access to large amounts of data, which they could potentially steal or misuse for their own personal gain. It is imperative that all financial institutions have clear visibility into who is accessing what data, and when. They will need to be able to detect, alert and respond to suspicious user behavior in real time, if they are to minimize the likelihood of an insider attack.
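
The visibility requirement above (who is accessing what data, and when) can be illustrated with a small detection routine. This is an added example, not part of the original article or of any vendor's product: the event format, the `build_profile` and `detect` names and the threshold are assumptions, and the audit events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit events: (ISO timestamp, user, resource). Not real data.
BASELINE = [
    ("2024-03-04T09:12:00", "alice", "/finance/ledger.xlsx"),
    ("2024-03-04T10:40:00", "alice", "/finance/payroll.csv"),
    ("2024-03-05T14:05:00", "alice", "/finance/ledger.xlsx"),
    ("2024-03-04T11:00:00", "bob", "/support/tickets.db"),
    ("2024-03-05T16:30:00", "bob", "/support/tickets.db"),
]
TODAY = [
    ("2024-03-06T09:30:00", "alice", "/finance/ledger.xlsx"),
    ("2024-03-06T02:14:00", "bob", "/finance/payroll.csv"),
    ("2024-03-06T02:15:00", "bob", "/finance/cards.csv"),
    ("2024-03-06T02:16:00", "bob", "/finance/ledger.xlsx"),
    ("2024-03-06T15:00:00", "bob", "/support/tickets.db"),
]

def build_profile(events):
    """Per user: resources touched and hours of day seen during the baseline."""
    profile = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ts, user, resource in events:
        profile[user]["resources"].add(resource)
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profile

def detect(events, profile, new_resource_limit=2):
    """Return alerts as (user, reason, detail) tuples."""
    alerts, new_by_user = [], defaultdict(set)
    for ts, user, resource in events:
        # Users with no baseline get an empty profile, so everything is "new".
        known = profile.get(user, {"resources": set(), "hours": set()})
        hour = datetime.fromisoformat(ts).hour
        if resource not in known["resources"]:
            new_by_user[user].add(resource)
            if hour not in known["hours"]:
                alerts.append((user, "new resource at unusual hour", f"{ts} {resource}"))
    # A single first-time access is common; many in one day is worth a look.
    for user, resources in new_by_user.items():
        if len(resources) > new_resource_limit:
            alerts.append((user, "burst of first-time resources", str(len(resources))))
    return alerts

if __name__ == "__main__":
    for alert in detect(TODAY, build_profile(BASELINE)):
        print(alert)
```

On the constructed data, alice's routine access raises nothing, while bob's three first-time finance files at 02:00 produce three per-event alerts plus one burst alert.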
While many traditional security measures are still relevant, businesses must ensure that they are keeping abreast of the latest attack vectors as well as leveraging the necessary tools and technologies to counter them. For more information, check out LepideAuditor.