Financial institutions have now taken on an even more active role in the growing convergence of information technology (IT) and operational technology (OT). The need for 24/7-connected smart devices has driven the industry to adapt, especially with the wider adoption of the internet of things (IoT) among businesses and users. Unfortunately, this round-the-clock connection to financial accounts has been seen by cybercriminals as a ripe opportunity to profit at legitimate businesses’ expense.
Banks and financial companies have constantly highlighted security as a paramount concern. However, the industry and its customers remain – and are expected to remain – the foremost targets of malicious actors despite new mandates to further strengthen cybersecurity and privacy. In addition to the flourishing business opportunities that e-commerce and financial technology (FinTech) companies have opened, the constant connectivity of mobile devices has given cybercriminals the opportunity to study and observe security gaps, making users and financial companies easier targets for fraudulent transactions and breaches.
Here, we enumerate the evolving attacks and threats that cybercriminals can use to compromise financial companies, their third-party partners and suppliers, and their customers.
Physical tampering of automated teller machines (ATMs), gas pumps, or point-of-sale (PoS) machines has been occurring since the early 2000s through the use of skimmers, tools installed by malicious actors to steal the banking information of legitimate users. This illegally acquired information can be used to directly steal money from banks and businesses, or used at a later time for consolidation and monetization in the underground.
While Trend Micro, in its research, pointed out the decline of cybercriminals’ physical tampering of devices, this form of attack is still prevalent in several countries. Moreover, cybercriminals have added skimmer scripts and malware to their arsenal, allowing them to easily gather and steal banking credentials and information by infiltrating the network and intercepting network traffic. This becomes easier still when the machines themselves are exposed to the internet, where they can be scanned and breached, injected with malware, or used as a foothold to compromise the operating system (OS). Often, the OS used by banks for these machines is outdated and no longer receives security updates or hotfixes, leaving the machines vulnerable to attacks that malicious actors can exploit for higher payouts.
Banks are also beginning to recognize cloud services as a cost-effective means of delivering services and keeping files in storage. However, deploying and maintaining these new functions can be daunting, and misconfigurations of cloud software and containers are common when they are used for the first time. These lapses can result in databases and processes leaking online, as well as presenting malicious actors with an avenue to breach the banks’ systems.
Figure 1. Threats to banks, their partners and suppliers, and their clients
Attacks on banking applications and networks
Online banking through banks’ websites and apps has become a staple feature for both offline businesses and e-commerce pages. As mentioned in Trend Micro’s research on the newest European Union (EU) mandate for Open Banking, risky techniques employed by companies to gather data, compounded by delays in the technical implementation of mandated security protocols, have increased cybersecurity threats and broadened the attack surfaces of these institutions. Website and app components can be placed in-house, hosted elsewhere, or on the cloud, each of which requires security maintenance and customization. Misconfigurations in cloud settings, insecure crash reports, sensitive information in URLs, injection of malicious scripts, and insecure application programming interfaces (APIs) are just some of the attack surfaces that company personnel can overlook; these are openings that cybercriminals can abuse for intrusion as well as for research on high-value targets for more nefarious activities.
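As an added example (not part of the original article, and not Trend Micro’s code), the following Python script scans constructed web-access log lines for one of the attack surfaces listed above, sensitive information carried in URLs, and shows how such values would be redacted before logs are handed to a third-party crash-report or support provider. The parameter names, the log lines, the log format and the regular expressions are assumptions made for illustration.

```python
"""Scan access-log URLs for leaked secrets and card numbers, then redact them.

Added example; the log lines and parameter list below are constructed, not taken
from any real system.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that commonly carry secrets or identifiers (assumed list).
SENSITIVE_PARAMS = {
    "token", "session", "sessionid", "password", "pin",
    "ssn", "account", "iban", "card", "pan", "otp",
}

# Candidate payment-card number: 13 to 19 digits not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Common-log-format line: client, identity, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation IP ranges, test card number).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] '
    '"GET /api/v1/balance?account=1234567890&token=eyJhbGciOi HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2020:13:56:01 +0000] '
    '"GET /statements?card=4111111111111111&month=09 HTTP/1.1" 200 2048',
    '192.0.2.9 - - [10/Oct/2020:13:56:30 +0000] '
    '"GET /help/faq?q=transfer+limits HTTP/1.1" 200 880',
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as receipts do."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_url_leaks(url: str) -> list:
    """Return a finding per sensitive parameter or Luhn-valid card number in the URL."""
    findings = []
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append({"kind": "sensitive_param", "param": name})
        for m in PAN_RE.finditer(value):
            if luhn_valid(m.group(1)):
                findings.append({"kind": "card_number", "param": name})
    # Card numbers also leak through path segments, e.g. /accounts/<pan>/statement
    for seg in parts.path.split("/"):
        if PAN_RE.fullmatch(seg) and luhn_valid(seg):
            findings.append({"kind": "card_number", "param": "<path>"})
    return findings


def redact_url(url: str) -> str:
    """Return the URL with sensitive parameter values and card numbers masked."""
    parts = urlsplit(url)
    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            value = "***"
        else:
            value = PAN_RE.sub(
                lambda m: mask_pan(m.group(1)) if luhn_valid(m.group(1)) else m.group(1),
                value,
            )
        pairs.append(f"{name}={value}")
    path = "/".join(
        mask_pan(seg) if PAN_RE.fullmatch(seg) and luhn_valid(seg) else seg
        for seg in parts.path.split("/")
    )
    query = "&".join(pairs)
    return path + ("?" + query if query else "")


def scan_access_log(lines) -> list:
    """Parse each log line and report only requests whose URL leaks something."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # unparseable lines are skipped, not guessed at
        findings = find_url_leaks(m.group("url"))
        if findings:
            results.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "url": redact_url(m.group("url")),   # safe to forward or display
                "findings": findings,
            })
    return results


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        kinds = ", ".join(f'{f["kind"]}:{f["param"]}' for f in hit["findings"])
        print(f'{hit["ts"]} {hit["ip"]} {hit["url"]}  [{kinds}]')
```

Running the script on the constructed lines flags the first two requests (a bearer token and an account identifier in one, a card number in the other) and prints them with the offending values already masked; the third, harmless request is not reported. In practice the same check belongs at the web tier, where the logger can redact the query string before it is ever written, and the finding counts feed a dashboard that tells the application team which endpoints still accept secrets in the URL.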
And while each financial institution may have its own distinct operational processes, cybercriminals can also use these processes to manipulate, attack, and compromise banks through business process compromise (BPC). After intensive research and observation, malicious actors continue to exploit these processes to siphon off legitimate institutions’ and users’ money using malware, exploit kits, and even legitimate monitoring tools. Some of the biggest online bank heists in recent years involved these kinds of network attacks, which pinpoint weak gaps in processes and platforms to enable fund transfers to cybercriminals.
The increasing affordability of the internet and the expanding range of products banks offer to small business owners paved the way for flourishing opportunities in consumer retailing, marketing, and sales. However, many established financial companies and small and medium-sized businesses (SMBs) outsource the design and development of apps, websites, and APIs to FinTech companies, as they often do not yet have the in-house personnel for these tasks. Moreover, a number of these financial institutions still rely on third-party service providers for network and system maintenance, as well as for technical customer service needs such as crash and bug reports.
These perceived weaknesses have painted SMBs as “easy” targets because they are seen to allot fewer resources to cybersecurity and to have a more difficult time dealing with the aftermath of an attack. SMBs are often indirectly linked to, or part of, a bigger supply chain or consortium of business organizations. To cybercriminals, SMBs are backdoors for attacking more prominent brands, which can lead to a significant treasure trove of customer data, employee information, business owners’ bank accounts, proprietary information and files, or operational downtime.
With banks and other financial organizations opening their systems to accommodate new online services and cost-effective transactions – such as the stipulations for financial recommendations pushed by the EU’s Open Banking law – the continuous internet connectivity of online businesses, mobile applications, and banks allows cybercriminals to continuously study their technical and human-resource facets for abuse and attack. Trend Micro’s research on the readiness of banks and financial companies for the Revised Payment Service Directive (PSD2) showed that, even now, these apps and websites have security concerns that expose bank and customer information. Cybercriminals may take advantage of FinTech companies’ inexperience in detecting and handling fraudulent transactions, leaving clients and customers vulnerable to attacks. Business email compromise (BEC) and phishing attacks are just some of the techniques cybercriminals can use to exploit the trust that customers, banks, and FinTech employees now share.
The trend of integrating offline assets presents process improvements and service expansions driven by “big data” collection and analytics: facilitating transactions for optimized supply chain flows, performance enhancements, and production transformation. For financial institutions, ensuring optimization, sustainability, and convenience online has emphasized the role of security enhancement at every step. In the event of a compromise, banks do not just have to defend themselves from the more sinister aftershocks of a cybersecurity attack, but also have to protect their established reputations to keep their customers’ trust. Online and offline attacks threaten banking and finance institutions constantly, and as technology use grows and develops, more business and cybercriminal opportunities present themselves simultaneously. As part of the “old guard” being forced by technology to innovate and develop further, security awareness, vigilance, and integrity remain robust constants in the sector at every turn.