A Wake-Up Call On Risk Assessment – How Comprehensive Is Yours?

By ISBuzz Team, July 5, 2016

Financial institutions have had a torrid time of it of late, as the echoes of the Bangladeshi SWIFT attack continue to reverberate. With a solid $81m still missing, and bickering between stakeholders over responsibility for the compromise only just beginning, the headlines aren’t making good reading for the industry. Whether the problem was a flaw in the global SWIFT system or a more localised issue (some reports claim cheap switches and un-firewalled routers could be to blame) is not for us to speculate on, but the incident comes as no surprise.

Many financial institutions fail to perform comprehensive risk analysis and assessment, even in these more enlightened digital times, and so expose their companies and clients to enormous risk. For example, many banks tend to underestimate or even completely ignore the security of their front-end websites, focusing instead on “more sensitive” web applications such as e-banking. This is totally wrong: even if the bank website does not contain any financial data, it is a perfect target for cybercriminals. A medium-risk Cross-Site Scripting (XSS) vulnerability on the bank website, for instance, may be used to run spear-phishing campaigns against the bank’s clients, infecting their PCs or mobile devices with a Trojan when they visit the bank’s own website.

Despite all the efforts of the antivirus industry, hackers are still more sophisticated than the security software. Almost any type of e-banking security solution implemented on the client side can be bypassed if the client’s computer is compromised. One-time passwords, two-factor authentication and all other modern security mechanisms will fail if a client’s machine is hacked. Combine a tiny vulnerability on the bank website overlooked by the security team with uneducated users and smart hackers, and a client will be hacked; it’s just a question of time. The Hong Kong Monetary Authority illustrated this recently, calling for wider local implementation of even these basic security steps after a slew of compromises.

Therefore, make sure that you have implemented a strict monitoring service that can notify your fraud prevention team about any abnormal activity and block or pause suspicious money transfers. The increasing popularity of external client notification procedures, via SMS or a phone call, in the event of suspicious account activity shows just how effective this can be in preventing fraudulent transactions.

Every single user of e-banking should be considered as being potentially hacked and compromised. In this area, paranoia is less expensive to the business than negligence.
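Added example (not from the original article) of the server-side monitoring the two paragraphs above call for: a small rule-based scorer in Python that holds transfers for fraud-team review when they deviate from a client’s history, treating an unfamiliar device as a possible compromise rather than trusting the client side. Rule weights, the pause threshold, the field names and the sample transfers are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class Transfer:
    client: str
    amount: float
    payee: str    # beneficiary account identifier
    device: str   # fingerprint of the device submitting the transfer
    country: str  # country of the submitting IP address

@dataclass
class ClientProfile:
    home_country: str
    known_payees: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    amounts: list = field(default_factory=list)  # history of allowed amounts

PAUSE_THRESHOLD = 50  # assumed: score at which a transfer is held for review

def score_transfer(t: Transfer, p: ClientProfile):
    """Score one transfer against the client's history; weights are assumptions."""
    rules = [
        (t.payee not in p.known_payees, 25, "new payee"),
        (t.device not in p.known_devices, 30, "unknown device"),  # possibly compromised
        (t.country != p.home_country, 20, "foreign origin"),
        (bool(p.amounts) and t.amount > 3 * mean(p.amounts), 25, "amount far above client norm"),
    ]
    hits = [(w, r) for fired, w, r in rules if fired]
    return sum(w for w, _ in hits), [r for _, r in hits]

def process(t: Transfer, p: ClientProfile):
    """PAUSE holds the transfer for the fraud team (and would trigger an out-of-band
    client notification); ALLOW also records what was seen in the client's profile."""
    score, reasons = score_transfer(t, p)
    if score >= PAUSE_THRESHOLD:
        return "PAUSE", score, reasons
    p.known_payees.add(t.payee)
    p.known_devices.add(t.device)
    p.amounts.append(t.amount)
    return "ALLOW", score, reasons

def run_demo():
    """Constructed sample data: a routine transfer, one shaped like an account
    takeover from a new device abroad, then a legitimate payment to a new payee."""
    profile = ClientProfile("GB", {"ACC-001"}, {"dev-A"}, [100.0, 120.0, 80.0])
    transfers = [
        Transfer("c1", 110.0, "ACC-001", "dev-A", "GB"),
        Transfer("c1", 5000.0, "ACC-999", "dev-Z", "RO"),
        Transfer("c1", 150.0, "ACC-002", "dev-A", "GB"),
    ]
    return [process(t, profile) for t in transfers]
```

Only the second transfer is paused; the legitimate new payee scores below the threshold and is allowed, which is the balance between false positives and missed fraud the fraud team has to tune.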

Of course, Two-Factor Authentication (2FA) and One-Time Passwords (OTP) may be completely useless if implemented wrongly. I know a bank that replaced old-fashioned scratch cards with more “modern” notification via SMS for its mobile banking solution. The problem was that normally the card was stored separately from the mobile phone, so in the event of a robbery criminals could not access your bank account. However, with this security upgrade, it became enough to steal an authenticated mobile phone to get unlimited access to the bank account! Therefore, when you implement new security solutions, make sure that they are appropriate for your business environment, otherwise you are just harming your business.

On the other side of this coin, some financial organisations spend huge amounts on cybersecurity solutions without analysing whether these solutions are effective, necessary, appropriate and compatible with their particular business environment and business needs. I have seen small organisations that spent hundreds of thousands of dollars on expensive Data Leakage Prevention (DLP) solutions while leaving their front-end applications with critical data unprotected. All this just because some security vendor showed them a Gartner report saying that 90% of threats come from insiders. As the Bangladesh bank compromise seems to prove, it’s not always the insiders you need to worry about…

Another common case is the expensive security solution purchased for the sake of compliance, or ordered directly by upper management scared to death by the latest cybersecurity hype. Because fully configuring and managing these solutions is complex, those expensive boxes are often abandoned by IT teams and left in their default configuration, which leaves the corporate infrastructure as vulnerable as if they didn’t exist.

Remember, spending a lot on your IT security does not necessarily mean spending wisely, but spending nothing at all isn’t really an option for a financial institution in 2016. Choosing technology solutions wisely, based on a full-fat risk assessment that covers every aspect of the business and the ecosystem you operate in, has to be seen as a no-brainer.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
