June 17, 2017
Financial institutions deliver a vast amount of services to consumers and business. Trillions of dollars’ exchange hands daily to keep the world going. These institutions hold, invest and care for the wealth of large populations. Financial institutions form the backbone of our industrialized world. These institutions depend heavily on information technology systems and any form of disruption to these critical systems can severely undermine confidence and thereby result in loss of business and reputation to these financial institutions. As these institutions manage a lot of money, they are also a key target for cybercriminals.
Cyberattacks impacting financial institutions are predominantly focused on trying to scam people and get money from them. If pressed, I would say that 95% of these attacks are executed for direct financial gain. The other 5%? In most cases, organized hacktivists and other groups working towards hurting a financial institution, its brand, and its customer loyalty.
To financially gain from an attack on a financial institution, these bad actors are most likely looking to accomplish one of two things:
Financial institutions are privy to a large amount of information about their customers. They can have social security numbers, birthdates, email addresses and other information. And perusing recent transactions can also disclose other valuable information about an individual – like their other paid online accounts.
Using this information, bad actors can apply for lines of credit, credit cards and other accounts that they can then exploit. They can also use this information to fuel brute force attacks against the other online accounts of an unsuspecting bank customer and use them for other fraudulent activity.
According to the Verizon Data Breach Investigations Report, about 88% of security incidents in the finance sector fall into just three categories:
In addition, the bulk of cyberattacks impacting financial services institutions are focused on ATMs. In these instances – which Verizon claims account for approximately 66% of attacks on financial service institutions – the ATM machines are in some way tampered with. This tampering can include the installation of a credit card skimmer or another device that captures, stores, and transmits the information carried in an ATM card’s magnetic strip back to the perpetrator.
However, eliminating attacks on ATMs leaves the remaining 34% of attacks on financial services companies. And in those cases, the targets are predominantly databases (20%), end-users (9%), desktops (8%) and Web applications (8%). And – according to Verizon – the attacks targeted at these areas break down as follows:
Traditionally, accessing account on ATMs requires a user to have two factors - What I have and What I know. They require the use of a physical ATM or credit card (what I have) and a PIN number (what I know). Unfortunately, the authentication process is completely in-band – both the card and the PIN are entered and transmitted via the same device (the ATM machine). This means that compromising the ATM machine gives a bad actor access to everything they need to access a customer’s account.
The new EMV card is more resilient to card duplication as they use a technology known as Dynamic CVV. Instead of a static CVV (as in the case of magnetic stripe cards), the EMV chip cards generate a new CVV for each transaction that is valid only for that transaction and thus protects against misuse of that card. Thus, new EMV chip cards do address the card skimming but the users are still vulnerable to PIN stealing. But cybercriminals are not far behind here as well. A new form of card skimming for EMV cards called shimming has been uncovered that target chip-based credit and debit cards. While a traditional skimmer reads the card data from the magnetic stripe of the older cards, the new shimming device sits between the card chip and the chip reader and can be used to clone a magnetic stripe card which is still accepted.
Game-changing improvements are needed in the security of global payments systems to protect organizations from hackers. One approach is to completely side step and do not include the ATM. By utilizing an out-of-band authentication solution at the ATM instead, compromising the ATM machine would only generate a fraction of the needed security credentials. This makes it impossible for the bad actor to compromise one device, and subsequently compromise a user’s account. The user card data, as well as any identifying PIN and CVV, will not go through the ATM at all.
The remaining attacks not involving ATMs could be equally thwarted by the utilization of out-of-band, multifactor authentication. Spyware and keyloggers would be unable to capture all necessary authentication credentials and factors since they only impact one of the devices necessary to authenticate the user. Stolen credentials would most likely account for just a fraction of the factors needed to authenticate. This would make it significantly harder for bad actors to gain access to user accounts, customers’ online banking and company servers.
Bank robberies no longer have to be conducted with a gun – or in person for that matter. Today, a customer’s money and information can be taken from the comfort of a criminal’s home. But by embracing better authentication, we can prevent many of these breaches, and keep banks – and their customers – safe.
Authomate’s patented framework allows organizations to mitigate credential harvesting by moving credentials away from the attack surfaces that are used today to expose the enterprise and their customers. At the same time, we increase the security controls to further mitigate hacking and breaches.
Authomate’s platform brings greater convenience, shifting the security burden from your memory to your device. Your unique identity, tied to your phone does the job of securing your credentials and identity, so your brain doesn't have to.
About Authomate and Plug and Play
Authomate recently graduated from the Silicon Valley based accelerator Plug and Play. Want to be in touch? contact Ashlene Ramadan at firstname.lastname@example.org