Financial institutions around the world, and in particular banking payment and card processing systems, are under sustained and sophisticated attack. As banking has gone online, we are all now potential victims of this new high-tech crime. We’re all familiar with the reality of a bank robber in the physical world breaking in and stealing large sums of money from a bank. Now that most of us transact online, it is more common for criminals to steal credentials for e-banking services and use these to siphon off funds. What is less familiar to us, and increasingly common, is the act of breaking into an organisation’s systems and transferring large amounts of money using a toolkit of remote access software and excellent social engineering skills. Tools and techniques that until recently were only used by those carrying out targeted cyber espionage are now an integral part of a traditional financial crime group’s armoury. And these tools and techniques will quickly become more sophisticated and industrialised.
So what’s happening?
There have been a small number of well-publicised incidents targeting financial institutions in the last year where a financially motivated attack has been enabled by sophisticated cyber espionage techniques. This ‘convergence’ between traditional financial crime and cyber espionage tools has resulted in some financial institutions, and their customers, losing significant amounts of money. And this appears to be just the tip of the iceberg: many other similar incidents have not ‘gone public’. These attacks commonly use covert and highly targeted social engineering techniques to maximise the chances of the attack staying undetected until the target ‘payload’ is converted into money quickly and efficiently, often across multiple countries.
The recent indictment of five individuals in one of the largest cyber-enabled financial fraud attacks highlights that this convergence between financial and cyber crime isn’t a future threat. It now sits at the centre of criminal attempts to compromise the financial system today. Although carried out by a relatively small organised criminal gang, the attack was well orchestrated and targeted sensitive financial and personal data within financial institutions and retailers involved in financial transactions. Whilst this use of cyber intrusion to collect card data isn’t new, the extent of the attack and the scope of financial data involved highlight the fact that prevention relies increasingly on coordinating cyber security and fraud monitoring systems to triangulate on the attack vector.
The sophistication of the attack used in this recent case puts the spotlight on generic cyber defences that are designed to spot well-known network vulnerabilities but which are not effective against well-funded, determined criminals. There is no doubt that the use of sophisticated cyber intrusion techniques as a key part of financial crime is a threat that we as an industry need to take very seriously.
The attack components
The four most common components of these attacks are:
- Distributed Denial of Service (DDoS) smokescreens: Financial institutions are regularly the victims of co-ordinated denial of service attacks that often seem designed simply to disrupt the use of online banking assets. An increasing number of these denial of service attacks are designed to act as a digital smokescreen for a wider large scale online banking attack.
- Transaction-based network penetration: One of the emerging cyber-enabled fraud attacks occurs when the financial institution’s systems are penetrated to initiate or facilitate transactions from within the financial institution itself. This has occurred with both banks and payment processors.
- Data-theft-based network penetration: Although not new, criminals continue to work to penetrate processor and other financial institution systems to steal customer data: account numbers, card numbers and other personal identity information.
- Conventional remote banking fraud: What is novel about the recent wave of attacks is the combination of some or all of the attacks outlined above with conventional online, mobile, phone payment and card attacks.
So how can financial institutions respond to this increasingly prevalent attack vector?
There are a number of ways in which financial institutions and other organisations can respond effectively:
1. Investigate and assess the extent to which your organisation is being targeted by this new attack vector. Understand your vulnerabilities and the tools and processes you have in place to mitigate these risks.
2. Fraud surveillance solutions by themselves are not capable of defending effectively against this new cyber-enabled financial crime. You should aim to ensure you have dynamic analytical defences that protect the organisation from both fraud and cyber crime, even if these defences are not co-ordinated.
3. As the techniques used by fraudsters to carry out sophisticated attacks converge and become industrialised, organisations should consider how they can create a unified defence against all external attacks to their valued data.
4. Longer term, an industry or a group of leading organisations across different related industries could join together to work collaboratively to identify, analyse and protect against the most advanced forms of fraud that involve cyber-attack vectors.