Cyber Crime and Your Customers

Written by: Eric Chase
Information Security Consultant - Security Banking Solutions, LLC

How are cyber criminals attacking your customers?

Financial institutions face a multitude of threats while trying to keep customer information safe. Organizations work diligently to counter data breaches, insider activity, and accidental destruction of data in the environments they manage. One obstacle that is increasingly difficult to counter, however, is the lack of control over the information customers give out while browsing online, and over what an attacker does with that information. Cyber criminals may ignore the financial institution altogether and target its customers through phishing and other forms of social engineering.

On top of payment processor breaches, data breaches at ordinary websites allow attackers to gather customer information that may or may not be considered confidential. Names, addresses, and phone numbers alone are more than useful to an attacker. Recent website breaches have shown how creative attackers can be with this information, including blackmailing customers who visited less than reputable websites. In that case the financial institution has no defense against a customer paying the attacker to keep quiet. The Ashley Madison breach is a prime example: cyber criminals attempted (and succeeded) to extort the people named in the leaked customer data by threatening to contact their significant others about the infidelity if a ransom was not paid.

Recent breaches have also shown that compromised websites yield password hashes, and when those hashes are unsalted or built on a fast algorithm they can be cracked offline to recover the original passwords. Those passwords are a valuable stepping stone toward the customer's bank account, since customers are known to reuse the same, or similar, passwords across multiple websites.
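To make the stepping-stone concrete, here is an added example (not from the original article or from SBS) that plays both sides of the scenario above. It builds a constructed "breach dump" of unsalted SHA-1 hashes, cracks it with a small constructed wordlist, and then screens a constructed bank customer database, stored with per-user salts and PBKDF2, for customers who reused a cracked password. All account names, passwords, and the wordlist are hypothetical sample data; the screening function is one way an institution could flag such accounts for a forced reset, not a description of any vendor's product.

```python
import hashlib
import hmac
import os
from typing import Dict, List

# ---------------------------------------------------------------------------
# Third-party site: a constructed "breach dump" of unsalted SHA-1 hashes, the
# kind of data that turns up in leaks from poorly built websites. The hashes
# are generated here only so the sample runs offline; a real dump arrives as
# hex strings with no plaintext attached.
# ---------------------------------------------------------------------------
def build_leaked_dump() -> Dict[str, str]:
    leaked_plaintexts = {                      # constructed sample accounts
        "alice@example.com": "Summer2015!",
        "bob@example.com": "letmein",
        "carol@example.com": "x7#Qp!9vLw2@",   # strong; not in any wordlist
    }
    return {email: hashlib.sha1(pw.encode()).hexdigest()
            for email, pw in leaked_plaintexts.items()}

# Constructed wordlist. Real cracking uses lists of millions of entries plus
# mangling rules, but the mechanism is identical.
WORDLIST: List[str] = ["password", "123456", "letmein", "Summer2015!", "qwerty"]

def crack_unsalted_sha1(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack: hash every candidate once and look it up.
    Because the hashes are unsalted, one table serves every account in the dump."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {email: lookup[h] for email, h in dump.items() if h in lookup}

# ---------------------------------------------------------------------------
# Bank side: customers stored with a per-user random salt and PBKDF2-HMAC-SHA256.
# The salt defeats the shared lookup table above (each account must be attacked
# separately) and the iteration count makes every guess expensive.
# ---------------------------------------------------------------------------
ITERATIONS = 50_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_bank_customer(password: str) -> Dict[str, bytes]:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def verify_password(record: Dict[str, bytes], candidate: str) -> bool:
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))

def build_bank_customers() -> Dict[str, Dict[str, bytes]]:
    # Constructed: alice reused her leaked password at the bank, bob did not,
    # and dave never used the breached site but chose a password that was in it.
    return {
        "alice@example.com": make_bank_customer("Summer2015!"),
        "bob@example.com": make_bank_customer("Tr0ub4dor&3-bank"),
        "dave@example.com": make_bank_customer("letmein"),
    }

def find_exposed_customers(cracked: Dict[str, str],
                           customers: Dict[str, Dict[str, bytes]]) -> Dict[str, str]:
    """Screen bank accounts against the cracked plaintexts.
    Returns email -> reason for every account an attacker could walk into."""
    exposed: Dict[str, str] = {}
    for email, record in customers.items():
        # Direct stepping stone: same email and same password as the breached site.
        if email in cracked and verify_password(record, cracked[email]):
            exposed[email] = "reused breached password"
            continue
        # Weaker but still dangerous: the password is in the cracked set at all,
        # so it is on the attacker's effective wordlist for credential stuffing.
        for pw in set(cracked.values()):
            if verify_password(record, pw):
                exposed[email] = "password present in breach-derived wordlist"
                break
    return exposed

if __name__ == "__main__":
    cracked = crack_unsalted_sha1(build_leaked_dump(), WORDLIST)
    print("cracked from dump:", cracked)
    for email, reason in find_exposed_customers(cracked, build_bank_customers()).items():
        print(f"{email}: {reason}; force a reset and require step-up authentication")
```

Running it cracks alice and bob from the dump (carol's strong password survives), then flags alice for direct reuse and dave for picking a password that is now on the attacker's list; bob, who used a different password at the bank, is not flagged. The same screening logic scales to real breach corpora, where the cost is dominated by the PBKDF2 verifications, which is why such checks are usually run at login or password-change time rather than across the whole database at once.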

The increasing popularity of mobile devices may also help attackers gain information that can be used to compromise customer accounts. These devices are often not held to the same security standards as workstations: anti-virus, encryption, device passcodes, and remote wipe capability are frequently missing. After all, a smartphone is simply a small computer that makes calls and takes photos in addition to browsing websites, checking Facebook, and performing electronic banking transactions. The absence of even basic security controls gives attackers a larger attack surface to exploit for information, should the customer practice unsafe browsing habits.

Who should be concerned?

All financial institutions should be wary of customer compromise. Customers with the ability to perform wire transfers and external account transfers are the most attractive targets, because information an attacker gathers about them through these alternate means has a direct payoff. Depending on how much personal information the attacker obtains, transfer requests to outside accounts that appear to come from the legitimate customer are also possible.

How can you protect yourself?

Financial institutions can actively reduce the success rate of attacks that rely on compromised customer information by continually adjusting and adding layers of security. Here are five (5) quick layered security tips that financial institutions should consider employing to help mitigate the risk of customer compromise:

  1. Educate customers on good security practices (FREE Ten Essential Cybersecurity Best Practices Guide here: https://www.protectmybank.com/wp-content/uploads/2015/10/BestPractices2.pdf)
  2. Employ and enforce policies and procedures around sending wires and external account transfers
  3. Continued education of employees to spot suspicious customer activity
  4. Highlight identity theft services to customers if the service is not already offered
  5. Subscribe critical employees to a threat sharing network such as US-CERT and FS-ISAC to raise awareness of cyber-attacks affecting customers in the wild.

Additionally, on November 3, 2015, the FFIEC released a Joint Statement on Cyber Attacks Involving Extortion. This Joint Statement warns financial institutions that such attacks harm customers and encourages institutions to ensure their risk assessments, Business Continuity Plans, and Incident Response Plans address extortion attacks against customers. Financial institutions are also encouraged to immediately inform law enforcement officials and regulators.

Finally, the FFIEC has also released a Cybersecurity Assessment Tool to help financial institutions understand supervisory expectations, increase awareness of cybersecurity risks, and mitigate the risks facing the institution. If you are looking for more information on the FFIEC's Cybersecurity Assessment Tool, SBS has put together automated software to help smoothly incorporate it into an easy-to-use program. To automate your Cybersecurity Assessment, check out SBS' FREE Cyber-RISK™ tool here: https://cyber-risk.protectmybank.com

Conclusions

With layered security controls in place, financial institutions can help counter and respond to the misuse of customer information from outside sources. If you are looking for some additional details on cybercrime and what you can do to protect yourself, the SBS Institute will be releasing a specialized certification program on incident response. Check out the SBS Institute certification programs here: https://www.protectmybank.com/sbsinstitute/

For additional information security updates or assistance with anything information security related, please visit us at www.protectmybank.com and let us know how we can help!

REFERENCES:

  1. http://www.gonzobanker.com/2015/09/prevent-ashley-madison-burn/
  2. http://resources.infosecinstitute.com/modern-online-banking-cyber-crime/ 
  3. https://www.ffiec.gov/cybersecurity.htm
  4. https://www.ffiec.gov/press/pr110315.htm