Why the financial sector is especially vulnerable to cyberattacks [Q&A]
There's a famous quote attributed to career criminal William Francis Sutton Jr. When asked why he robbed banks, he is said to have replied, "Because that's where the money is."
For today's cybercriminals the motivation is much the same, which makes the banking and financial services sector a prime target. We spoke to Paul Prudhomme, cyber threat intelligence advisor at IntSights, to find out more about the threats the industry faces and how they can be addressed.
BN: In what ways is the financial industry particularly vulnerable?
PP: Broadly speaking we have three structured ways in which it can be attacked. The first is attacks on the banks themselves: reaching the bank networks, moving laterally to gain access to systems that they can use to conduct fraud on a large scale, millions or billions of dollars. These attacks are probably the newest variety; when I say new I mean the last four or five years, like the North Korean attacks using SWIFT systems to do very large fraudulent transfers.
Then there are also banking Trojans which aren't so much aimed at bank networks themselves but at the customers, either retail or business. They'll try to steal bank account credentials for online banking that they can use to conduct fraudulent transactions on a smaller scale.
The third way would be payment card fraud. In this case again not against the banks themselves but retailers and other businesses that accept payment cards. This may be threat actors targeting point of sale systems in physical retail locations or other brick and mortar businesses. But we've seen more recently -- and I think this will be more of a trend moving forward -- the targeting of eCommerce and any other website that accepts cards, using specialized tools to collect the payment card information customers enter into the website when they're making a purchase.
BN: Is that partly because of things like chip and PIN that make POS fraud harder?
PP: Here in the US we're a bit behind Europe and some other economies in that, but just making that change in the US was enough to tip the market in that direction because it had historically been the biggest market for payment card fraud. Now of course more recently we've had the pandemic which, among many other things, has really shifted more and more shopping to online. I think those are the two drivers that I predict will push the target more in the direction of 'card not present' fraud.
BN: Is there a role for artificial intelligence here in being better able to spot threats?
PP: There is, although a lot of these tools are fairly well known. AI is especially useful for state sponsored threats, detecting malware, more advanced malware or more sophisticated techniques that are not already known. The criminal tools are fairly well documented already; they circulate among a much wider user base and frankly you can go on the underground forums to find them. So, yes, AI can be helpful, but since some of the critical tools are not as hard to recognize, some of the more traditional and less sophisticated detection methods will often do the trick.
BN: So there's still a role for traditional sharing of intelligence between businesses and security providers?
PP: Yes. Sharing is caring. Indicators are helpful, and diverse detection and other detection signatures can be useful. That's a good start. I think also recognizing the tactics and techniques that actors use is important. Those can be more persistent over time; they aren't just a switch to new malware or to new malicious infrastructure. The way that they do business is more persistent over time, so you learn to recognize those behaviors, that is, where a suspicious behavior does not necessarily match a specific indicator or a specific detection.
BN: Will that help in recognizing the wider potential for threats too? For example, in the past few weeks we've seen an uptick in scams targeting vaccinations.
PP: That's another consequence of the pandemic. We've seen a shift in the themes that attackers are engaging in. Traditionally, it would be things like invoices, which are relevant to financial services targets, and then also package deliveries. The pandemic is a perfect storm for social engineering because of the fear and uncertainty that is created. It gets a bit more specific with things like unemployment insurance coverage, with some new people losing their jobs, people losing their health insurance when they lose their jobs. You're getting COVID tests, and also travel plans, with many people having to cancel the travel. It's important to look out for those things. With vaccines coming out I predict that we will see an increase in attacks using vaccination themes, simply because there are so many people who want to get them and there have been some issues with the initial rollout.
BN: You mentioned social engineering. It's still true, isn't it, that the human component is the weakest part of security?
PP: Yes, patching vulnerabilities in your human beings can be a bit more of a challenge. User education is a key consideration, especially with more and more people working remotely. That can reduce interaction with other team members in the security teams.
Training using things like test phishing emails can be more of an inducement to change, and perhaps make more of an impression on people, than just sending a message telling them to beware of attacks. If you've actually experienced something yourself that would have led to a compromise had it been a real attack, it's more lasting. Ultimately everyone is involved in cybersecurity.
BN: Where does threat intelligence fit in terms of a broader package of protection for financial businesses?
PP: I mentioned earlier the more sophisticated types of attacks on actual bank networks, moving laterally to whatever systems they want to commit fraud on. They can start in a number of weak points around the perimeter. One simple one would be something like a phishing attack, where for example a teller receives a message that has some sort of compelling social engineering content that they feel the need to open. That would lead to infection of just that teller's computer but once the attackers have that initial access they could move laterally across the bank's network until they find whatever it is they're looking for, such as the terminals for the SWIFT interbank payment system, or the servers that control ATMs, or the systems they use to communicate with the external card processors so they can lift withdrawal limits.
Once they get that initial hook somewhere in the network they expand and move around until they find what they want. Other potential hooks could be a vulnerable system that hasn't been patched or has left certain points of access open with services for remote access. I will mention in particular the RDP protocol, which we see is a very common target, not so much for the banks particularly but for targeted ransomware attacks in general.
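Two of the answers above make a related point: shared indicators catch what is already on a list, while recognising behaviour (such as a single teller workstation suddenly opening remote sessions to many internal hosts, or RDP being used as a foothold) catches activity no indicator describes. The following script is an added illustration of that contrast and is not code from IntSights or from the interview. It runs both styles of detection over a small constructed connection log; the host names, the reserved-range IP addresses used as "known bad" indicators, the ten-minute window and the three-host threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator list (hypothetical values from reserved documentation
# ranges); stands in for IOCs shared between peers or by an intel provider.
KNOWN_BAD_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed connection log, one event per line (not from any real incident):
# timestamp,src_host,dst_host,dst_port,outcome
SAMPLE_LOGS = """\
2021-02-01T09:00:05,TELLER-07,203.0.113.7,443,allowed
2021-02-01T09:14:10,TELLER-07,FS-01,3389,success
2021-02-01T09:15:02,TELLER-07,FS-02,3389,success
2021-02-01T09:15:40,TELLER-07,APP-11,3389,failure
2021-02-01T09:16:30,TELLER-07,SWIFT-GW,3389,success
2021-02-01T09:20:00,ADMIN-01,FS-01,3389,success
2021-02-01T11:05:00,ADMIN-01,FS-02,3389,success
"""

RDP_PORT = 3389


def parse_logs(text):
    """Turn the CSV-style log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port, outcome = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "outcome": outcome,
        })
    return events


def indicator_hits(events, bad_ips=KNOWN_BAD_IPS):
    """Indicator-based detection: exact match of a destination against the
    IOC list. Cheap and precise, but blind to anything not yet on the list."""
    return [(e["src"], e["dst"]) for e in events if e["dst"] in bad_ips]


def rdp_fanout(events, window=timedelta(minutes=10), threshold=3):
    """Behaviour-based detection: one source host opening RDP sessions to
    `threshold` or more distinct internal hosts inside `window`.

    No indicator is needed; the pattern (rapid fan-out from a single
    workstation) is the signal. Failed attempts are counted as well, since
    probing for reachable hosts is part of the behaviour being detected."""
    by_src = defaultdict(list)
    for e in events:
        if e["port"] == RDP_PORT:
            by_src[e["src"]].append((e["ts"], e["dst"]))

    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()  # chronological order, so attempts[i:] all start at or after `start`
        for i, (start, _) in enumerate(attempts):
            targets = {dst for ts, dst in attempts[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts.setdefault(src, set()).update(targets)
    return {src: sorted(t) for src, t in alerts.items()}


def analyse(text=SAMPLE_LOGS):
    """Run both detections and return their findings together."""
    events = parse_logs(text)
    return {
        "indicator_hits": indicator_hits(events),
        "lateral_movement": rdp_fanout(events),
    }


if __name__ == "__main__":
    for name, finding in analyse().items():
        print(f"{name}: {finding}")
```

On the sample log the indicator rule fires once, on the outbound connection to the listed address, while the behavioural rule flags TELLER-07 for reaching four different hosts over RDP within two minutes; ADMIN-01, which opens two sessions hours apart, is left alone. Swapping the indicator list for a new one changes only the first result, which is the point made in the interview: the behaviour persists even when the infrastructure does not.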
BN: We've seen a lot of new FinTech startups in recent years, are they more or less vulnerable than traditional banks?
PP: As far as purely online offerings go, we do see more of a shift in the bank Trojan market away from the Windows desktop towards mobile Trojans for Android. This is not just because people are spending more time on their phone than their desktop or laptop, but also because of two factor authentication, which is a critical security posture of many banks to protect customer essentials.
Two factor authentication through text message is very good, but it's not immune to attack. We have seen instances of foreign actors jacking the phone number through a SIM swapping account, where they have some sort of insider access to the company. They use that to basically take over someone's phone number by assigning it to a SIM card that they physically have in their possession, and then use that to receive the two factor authentication meant for the legitimate customer.
The alternative is authenticator apps like Google Authenticator. But even this is not immune to attack. What we have seen is new mobile banking Trojans that will target those apps, like Google's and Microsoft's, and collect the two factor authentication code. So while two factor authentication is good, it's wrong to think it's immune to attack.
Android is also vulnerable because devices, especially older ones, are less likely to be updated.