When it comes to protecting financial data from hackers, it is important for banks to anticipate threats but at the same time not let that knowledge slow down their growth and expansion. That is the challenge of working in bank security – constantly anticipating new threats that may come in as a bank continues to innovate and develop its products. For example:
- With the Internet of Things emerging, there are an estimated 6.4B that will be connected to the internet this year – which also means there is more data vulnerable to hacking.
- Two major extortion hacks happened this year, where malware locks access to a victim’s computer until the victim pays a ransom. One of these was at an investment bank in the United Arab Emirates, where customer information was exposed. The tricky part about tracking extortion hacks is that if the victim caves in and pays, the hack will be kept secret and the public will be unable to learn from it.
- Barting, where people purposefully leave virus-infected USBs for people to plug into their computers, is another risk. So is pretexting, where users are asked to provide additional information that a hacker can then use to steal their assets.
- As an example of pretexting, the Neverquest trojan was one of the biggest threats in online banking three years ago. It inserts rogue forms into the customer’s banking page and gets them to unintentionally give away their financial data. The trojan is also an evolved form of an older threat, which hints that old threats are never really ‘solved’.
- A simple phishing scam can cost an unprotected bank $1B.
Investment banks have highly sensitive corporate information, so it is even more critical that as they push for a better customer experience, they build secure software from the get-go versus thinking of security later. It is a good idea for banks to run inwardly-directed attacks (i.e. penetration tests) and intentionally cause failures, in order to test the robustness of their security.
Many banks have not yet adopted two-factor authentication, which requires a user’s SMS/voice in order for transactions to go through. This type of authentication is especially important for users dealing with large sums of money. On the other end, it is recommended for users to avoid doing online banking through public Wi-Fi where they can get hacked.
A recent study found that 22% of bank security incidents are from malicious software, 21% are from phishing (46% of those being account takeovers), 18% are from identity theft, and 15% are telecom network disruptions.
What are the challenges of adopting robust security? Ranked, they are
- Threat sophistication
- Emerging technology
- Lack of budget: understandably, costly software is rarely updated
- Lack of visibility
Bank security is a surprisingly dynamic field – if you asked me about security three months ago I would say ‘boooriinnng’. I thought it was all about ‘staying safe’, ‘prepping for a rainy day’, and ‘making sure you’ve got your ducks lined in order, again and again and again’. Seriously, though, the more I find out about it, the more I see it as a dynamic battlefield and a warzone where the same monster never comes twice. I would be an unseen hero who makes sure that no one ever has to put in 20 years of blood, sweat and tears to earn their nest egg and then unknowingly lose it all in one day.
Did anything in this article capture your interest? What would you like to read more about? I am curious to find out more about cybersecurity threats in general, cybersecurity threats in investment banks, ways of predicting threats and reacting to them real-time, and best practices for managing risk and developing software with risk in mind.
Google-search “banking security risks” to find out more. Cheers!