When banks leave the front door open
Cyber attacks against the banking industry have soared in the last few years, and financial institutions now face 300% more attacks than any other industry. Compared with other industries, the financial services industry isn’t shy when it comes to cyber security investment and generally has a superior level of protection.
But this attracts a more sophisticated demographic of hacker, who will hone different types of attacks to target a bank, as they are fully aware of the rewards they could reap if they succeed.
But, given the investment banks plough into defence, how do the hackers succeed? According to the FBI, one of the key entry points for cyber criminals is gaining employee login credentials by using spam and phishing emails, keystroke loggers and remote access Trojans.
This was certainly the case for JPMorgan Chase, when, in 2014, it became the victim of the world’s biggest hit on a financial services company. This was despite having spent over $250 million and having over 1,000 of its people focused on cyber security. Hackers gained access through the computer of an employee working from home, stealing their login credentials and targeting a network server that only needed a username and password. More than 83 million customer records were compromised and although no account information was taken, the bank’s reputation took a considerable knock.
For financial institutions, the JPMorgan Chase breach highlighted a few important things. The first is the effectiveness of malware; the second is the vulnerability of workers, particularly remote workers; and the third is how easily hackers are able to roam around company networks once they get in. The hackers in the JPMorgan Chase attack were “inside” for over a month before the breach was discovered.
So why is remote working such a weak spot? One reason is user authentication – over 75% of cyber attacks stem from weak or stolen passwords. In the case of JPMorgan Chase, having poor authentication in place effectively meant it left the bank’s front door open. Using phishing or keystroke loggers, hackers can identify usernames and passwords. The proliferation of devices is also to blame – banking employees want to be able to use their smartphones and tablets to access company systems. But “bring your own device” (BYOD) has added multiple layers of complexity to security.
When you consider the risks, you can understand banks’ reticence to sanction remote working. But financial organisations can make massive productivity gains through remote working policies – allowing people to work from home, the train or when away with work gives business productivity a real boost. The question is, how do you lock it down and make it as secure as possible?
Authentication is a key consideration. As the JPMorgan Chase case demonstrated, many have password-only solutions, and hackers use dictionary or brute-force attacks to get in. Others have two-factor authentication in place, but even these solutions can be compromised, as they involve tokens or cards that generate pre-issued passwords based on seed files, which can be hacked.
Biometric technology is becoming more popular, but it is flawed and phenomenally expensive to implement and manage. And it can be compromised. The US Office of Personnel Management was recently involved in a massive cyber attack where 5.6 million fingerprints were stolen. Fingerprints, if stolen, can’t be changed.
Multi-factor authentication (MFA) is a solution that banks and insurers could consider – it captures and uses contextual data around each login, such as the user’s connection, their geographic location, a valid point of entry and the time of day, to determine whether the user should be granted access. If there is nothing suspicious, a one-time passcode is generated in real time and sent to the employee’s mobile, allowing them to log in securely.
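The flow described above, as an added sketch that is not code from the original article or from any product it mentions: contextual checks gate the issue of a session-bound passcode that is generated at login time rather than derived from a stored seed. The policy values, function names and sample login context are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from datetime import datetime, timezone

# Hypothetical policy values, constructed for this example.
POLICY = {
    "countries": {"GB", "DK"},            # expected geographic locations
    "entry_points": {"vpn-gw-1", "owa"},  # valid points of entry
    "hours_utc": range(6, 22),            # permitted login hours (UTC)
}
OTP_TTL = 120   # seconds a passcode stays valid
_pending = {}   # session_id -> (sha256 of passcode, expiry timestamp)

def context_problems(ctx):
    """Return the contextual checks this login attempt fails."""
    problems = []
    if ctx["country"] not in POLICY["countries"]:
        problems.append("unexpected location")
    if ctx["entry_point"] not in POLICY["entry_points"]:
        problems.append("invalid point of entry")
    if ctx["when"].hour not in POLICY["hours_utc"]:
        problems.append("outside permitted hours")
    return problems

def issue_otp(session_id, ctx, now=None):
    """Generate a passcode at login time, bound to this session only."""
    if context_problems(ctx):
        return None  # suspicious context: no passcode is generated or sent
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"  # CSPRNG output, no seed file
    digest = hashlib.sha256(otp.encode()).hexdigest()
    _pending[session_id] = (digest, now + OTP_TTL)
    return otp  # in production this goes to the employee's mobile

def verify_otp(session_id, candidate, now=None):
    """Single use: the entry is consumed by any attempt, right or wrong."""
    now = time.time() if now is None else now
    digest, expires = _pending.pop(session_id, ("", 0.0))
    given = hashlib.sha256(candidate.encode()).hexdigest()
    return now <= expires and hmac.compare_digest(digest, given)

# Constructed sample login context.
SAMPLE = {"country": "GB", "entry_point": "vpn-gw-1",
          "when": datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)}
```

Because a passcode exists only after a login attempt passes the context checks and is discarded on first use or expiry, there is no long-lived secret on a token or card to steal.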
The cyber security threat facing banks is increasing exponentially. And IT professionals on the front line owe it to the bank and its customers to have every solution at their fingertips to try to circumvent attacks. MFA is only part of the solution, but in terms of locking down security around authentication, they need to do the best they can.
By Claus Rosendal, chief technology officer at SMS Passcode (a Censornet company)