Financial institutions deliver a vast amount of services to consumers and businesses – with trillions of dollars exchanging hands daily to keep the world going. Financial institutions form the backbone of our industrialized world.
These institutions depend heavily on information technology systems and any form of disruption to these critical systems can severely undermine confidence and result in the loss of business and reputation. It is precisely because these institutions manage a lot of money that they are a key target for cybercriminals. Cyber-attacks impacting financial institutions are predominantly focused on trying to scam people and get money from them. If pressed, I would say that 95 percent of these attacks are executed for direct financial gain. The other 5 percent? In most cases organized hacktivists and other groups working towards hurting a financial institution, its brand, and its customer loyalty.
To gain financially from an attack on a financial institution, these bad actors are most likely looking to accomplish one of two things:
1) They can utilize credentials from a financial institution’s customers to access their accounts directly and siphon off their funds.
2) They can use the personally identifiable information that they gather from a customer’s records to create new accounts for their own benefit.
Financial institutions are privy to a large amount of information about their customers. They can have social security numbers, birthdates, email addresses, and other information. And perusing recent transactions can also disclose other valuable information about an individual – like their other paid online accounts. Using this information, bad actors can apply for lines of credit, credit cards, and other accounts that they can then exploit. They can also use this information to fuel brute force attacks against the other online accounts of an unsuspecting bank customer and use them for other fraudulent activity. According to the Verizon Data Breach Investigations Report, about 88% of security incidents in the finance sector fall into just three categories: web app attacks, distributed denial-of-service (DDoS) attacks, and payment card skimmers.
In addition, the bulk of cyber attacks impacting financial services institutions are focused on ATMs. In these instances – which Verizon claims account for approximately 66% of attacks on financial service institutions – the ATM machines are in some way tampered with. This tampering can include the installation of a credit card skimmer or other devices that captures, stores, and transmits the information carried in an ATM card’s magnetic strip back to the perpetrator.
However, eliminating attacks on ATMs leaves the remaining 34% of attacks on financial services companies. And in those cases, the targets are predominantly databases (20%), end-users (9%), desktops (8%) and Web applications (8%).
With 66% of attacks impacting ATMs, it’s important to consider how we can make ATMs more secure and keep bank customers from having their credentials stolen at the cash machine.Traditionally, accessing an account on ATMs requires a user to have two factors- “What I have” and “What I know”. They require the use of a physical ATM or credit card (what I have) and a PIN number (what I know). Unfortunately, the authentication process is completely in-band – both the card and the PIN are entered and transmitted via the same device (the ATM machine). This means that compromising the ATM machine gives a bad actor access to everything they need to access a customer’s account.
The SolutionThe new EMV card is more resilient to card duplication as they use a technology known as Dynamic CVV.
Instead of a static CVV as in case of magnetic stripe cards, the EMV chip cards generate a new CVV for each transaction that is valid only for that transaction and thus protects against misuse of that card. Thus, new EMV Chip cards do address the card skimming but the users are still vulnerable to pin stealing. But cyber criminals are not far behind here as well. A new form of card skimming for EMV cards called “shimming” has been uncovered that target chip-based credit and debit cards. While a traditional skimmer read the card data from the magnetic stripe of the older cards, the new shimming devices sit between the card chip and the chip reader and can be used to clone a magnetic stripe card which is still accepted.
Game-changing improvements are needed in the security of global payments systems to protect organizations from hackers. One approach is to completely sidestep and do not include the ATM. By utilizing an out-of-band authentication solution at the ATM instead, compromising the ATM machine would only generate a fraction of the needed security credentials. This makes it impossible for the bad actor to compromise one device, and subsequently compromise a user’s account. The user Card data, as well as any identifying PIN and CVV, will not go through the ATM at all.
The remaining attacks not involving ATMs could be equally thwarted by the utilization of out-of-band, multifactor authentication. Spyware and keyloggers would be unable to capture all necessary authentication credentials and factors since they only impact one of the devices necessary to authenticate the user. Stolen credentials would most likely account for just a fraction of the factors needed to authenticate. This would make it significantly harder for bad actors to gain access to user accounts, customers’ online banking and company servers. Bank robberies no longer have to be conducted with a gun – or in person for that matter. Today, a customer’s money and information can be taken from the comfort of a criminal’s home. But by embracing better authentication, we can prevent many of these breaches, and keep banks and their customers safe.