Editor’s Note: News of another security breach reaches us almost daily. In November, it was Marriott admitting customer data had been compromised. That should keep you up at night. We asked Paul Benda, senior vice president, risk and cybersecurity policy for the American Bankers Association, to give us an update on cyber threats as a reminder to banks to pay attention to cyber best practices.
Q: Describe the most prominent cyber threats to banks.
Paul Benda: One of the most prominent and difficult threats to address is the social engineering of customers, staff and third-party providers. Whether criminals are attempting to trick their victim into providing information (personal, account, internal procedures), downloading malware, conducting fraudulent transactions, or allowing physical or cyber access into the bank, social engineering is often the foundation that leads to fraud and other security concerns.
Banks have fortified their physical and digital perimeters, making it difficult for criminals to get in. Rather than target banks directly, criminals are shifting their focus to banks’ retail and corporate customers, which inevitably impacts the bank. One such example is Business Email Compromise, in which criminals compromise a corporate email account in order to impersonate an executive and compel another employee to transfer money on their behalf, often bypassing security controls.
These frauds are often successful because criminals use urgency and fear as a tactic, or they exploit the employee’s effort to provide good customer service. Therefore, it is very important that companies regularly educate their employees on current and evolving frauds and train them to identify and report them.
Another risk area is a bank’s exposure through third-party providers. Many banks contract out management of their website and customer portal. If the contract operators of these functions do not properly maintain and patch these systems, they leave open vulnerabilities that criminals may be able to exploit.
Q: Describe a particular episode that impacted a bank.
P.B.: Here’s an example from a hack that occurred this year: A bank’s customer web portal was hacked and the criminals were able to reset customer passwords. This was a multi-step hack but with a relatively low level of sophistication. The hack started with the criminals obtaining valid card numbers of existing bank customers. The exact method used is not certain, but there are multiple ways to obtain debit card numbers, including purchasing them on the “dark web.” The hackers then used these valid numbers to start the password reset process on the website. The website recognized the numbers as valid, but the hackers couldn’t reset the passwords because they didn’t know the answers to the security questions. Unfortunately, the website was unpatched, and a known vulnerability granted the hackers an authenticated cookie, basically an entry pass into the website, because they were using valid card numbers. With this authenticated cookie, all the hackers had to do was figure out the address for the security questions page, and they were able to change the answers because the website thought they were an authenticated user. Once the hackers changed the answers, they restarted the password reset process, knew the updated security questions, and changed the password so they could have full access to the account.
This was all made possible because the website was not properly patched for a vulnerability that had been known for over two years. Also, the bank did not have any multi-factor authentication in place and relied on simple static security questions rather than questions based on account activity, such as, “Approximately how much was your last credit card charge?”
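Editor’s Note: The flaw Benda describes is a multi-step flow in which a cookie handed out after step one (a valid card number) was treated as proof of identity everywhere else on the site. The toy model below is an added example written for this page, not code from any bank’s portal or from the ABA. Everything in it is constructed: the `Portal` class and its method names, the account record, and the card number (the standard `4111…` test number). The `hardened=False` portal reproduces the described behaviour; the `hardened=True` portal records which proofs a session has actually supplied and treats changing a security answer as a privileged action that a reset-flow cookie alone cannot perform.

```python
from __future__ import annotations

import copy
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample data (not real customers): card number -> account record.
CARD = "4111111111111111"
SAMPLE_ACCOUNTS = {
    CARD: {"password": "correct horse battery staple", "sq_answer": "Rover"},
}


@dataclass
class Session:
    card: str
    # The vulnerable portal keyed every authorization decision on this one flag.
    authenticated: bool = False
    # The hardened portal records which proofs the caller has actually supplied.
    proofs: Set[str] = field(default_factory=set)


class Portal:
    """Toy customer portal; hardened=False reproduces the flaw described above."""

    def __init__(self, hardened: bool, accounts=SAMPLE_ACCOUNTS):
        self.hardened = hardened
        self.accounts = copy.deepcopy(accounts)  # each instance owns its own state
        self.sessions: Dict[str, Session] = {}

    def _new_session(self, card: str, proofs: Set[str], authenticated: bool) -> str:
        cookie = secrets.token_urlsafe(24)
        self.sessions[cookie] = Session(card=card, authenticated=authenticated, proofs=proofs)
        return cookie

    def login(self, card: str, password: str) -> Optional[str]:
        """Normal login with the current password."""
        acct = self.accounts.get(card)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        return self._new_session(card, {"card", "password"}, authenticated=True)

    def start_reset(self, card: str) -> Optional[str]:
        """Reset step 1: the portal checks the card number exists and issues a cookie."""
        if card not in self.accounts:
            return None
        # The flaw: a real card number alone produced a cookie the rest of the site
        # treated as a logged-in user. The hardened portal only records that a card
        # number was supplied, which by itself proves nothing about the caller.
        return self._new_session(card, {"card"}, authenticated=not self.hardened)

    def answer_security_question(self, cookie: str, answer: str) -> bool:
        """Reset step 2: the caller proves knowledge of the stored answer."""
        s = self.sessions.get(cookie)
        if s is None or not hmac.compare_digest(self.accounts[s.card]["sq_answer"], answer):
            return False
        s.proofs.add("sq")
        s.authenticated = True
        return True

    def change_security_answer(self, cookie: str, new_answer: str) -> bool:
        """The page the attackers reached by guessing its address."""
        s = self.sessions.get(cookie)
        if s is None:
            return False
        if self.hardened:
            # Changing a recovery factor is privileged: require a real proof of
            # identity (password login or a correctly answered question), not
            # mere possession of a reset-flow cookie.
            if not ({"password", "sq"} & s.proofs):
                return False
        elif not s.authenticated:
            return False
        self.accounts[s.card]["sq_answer"] = new_answer
        return True

    def reset_password(self, cookie: str, new_password: str) -> bool:
        """Reset step 3: only allowed once the security question has been answered."""
        s = self.sessions.get(cookie)
        if s is None or "sq" not in s.proofs:
            return False
        self.accounts[s.card]["password"] = new_password
        return True


def attacker_takeover(portal: Portal, card: str) -> bool:
    """Replays the interview's steps: start a reset with a known card number, rewrite
    the security answer using the cookie that step issued, restart the reset, answer
    the now-known question, set a new password. True means the account was taken over."""
    cookie = portal.start_reset(card)
    if cookie is None or not portal.change_security_answer(cookie, "attacker-chosen"):
        return False
    cookie = portal.start_reset(card)
    if not portal.answer_security_question(cookie, "attacker-chosen"):
        return False
    return portal.reset_password(cookie, "attacker-password")


def legitimate_recovery(portal: Portal, card: str, password: str, new_answer: str) -> bool:
    """Real customer: logs in with the password, updates the answer, later resets with it."""
    cookie = portal.login(card, password)
    if cookie is None or not portal.change_security_answer(cookie, new_answer):
        return False
    cookie = portal.start_reset(card)
    return (portal.answer_security_question(cookie, new_answer)
            and portal.reset_password(cookie, "new-password"))
```

The design point is that a session should carry the set of proofs it has actually earned, and each endpoint should check for the specific proof it needs, rather than a single “authenticated” bit that any step in a multi-step flow can flip. Modeling the flow this way also makes the attack path a unit test: `attacker_takeover` succeeds against the vulnerable portal and fails against the hardened one, while the legitimate path still works.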
Q: Is “foolproof” possible in cybersecurity?
P.B.: Since technology and the cyber-threat landscape are constantly changing and advancing, there is no such thing as “foolproof.” Security should be a prominent component of a bank’s corporate culture and promoted at all levels, including third-party providers.
A company should also adopt a multi-layered security approach. This consists of conducting risk assessments, deploying and updating basic cyber hygiene protections and procedures, restricting physical and cyber access, providing regular security awareness training for employees (and possibly customers), having a tested and updated incident response plan, and engaging with trade associations and local law enforcement to share information regarding threats and practices. Another tool is offering multi-factor authentication for customer account logins, which increases security by requiring both a password and a second mechanism, commonly a text message to the account holder’s cell phone that provides a single-use PIN for them to finish the login process. It is an extremely powerful tool.