[BreachExchange] Is cybercrime costing banks more than money?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Nov 7 19:01:12 EST 2017


http://www.itwebafrica.com/home-page/opinion/241356-is-cybercrime-costing-banks-more-than-money

Banking has changed vastly over the past few years, as new technologies
emerge to change the way we transact. Non-traditional methods of
transacting, such as the blockchain and mobile banking, have emerged,
causing an influx of data from multiple sources. Data is no longer
generated purely from ATMs or on site, but through online banking,
eCommerce platforms, mobile applications – both banking and for mobile
purchasing, and non-banking platforms such as the blockchain.

The introduction of these omni-channel platforms has led to a need for
broader, more effective security measures to be put in place.

The likes of Ransomware and Malware have been causing quite a stir on a
global scale in the past few months; however, the banking sector has been
besieged by all manner of cybercrime since the dawn of digital banking. As
the business of banking is centred around the handling and transacting of
money on various scales, banks and their customers are often considered
soft targets for cybercriminals looking to make a quick buck.

However, while cybercrime can be massively expensive for banks, their true
Achilles heel is their reputation, the loss of which can extend the cost of
cybercrime even more, as banks lose existing customers and potential
business, and sometimes even have to shut their doors.

Cybercrime, in line with technology, continues to evolve, taking new forms
and finding new ways to infiltrate financial enterprises, and banks are
struggling to maintain pace with this evolution. This is largely due to the
fact that there are so many new methods of banking along with the strong
shift from traditional banking to mobile banking.

Financial theft, fraud, identity theft, theft of intellectual property (IP)
and general damage to the business processes, critical infrastructure and
IT systems are but a few of the ways in which banks are affected by
cybercrime - on a daily basis.

With banks typically absorbing the financial impact of losses caused by
cybercrime, whether to themselves or their customers, there is a huge focus
on ensuring they are protected and ready for anything that enterprising
hackers can throw at them.

The evolution of banking cybercrime

As banking has become more digital, moving from traditional banking methods
to Internet banking, telephone banking and mobile banking, breaches of data
and confidential information have risen. With every new avenue of banking
that is explored, another door is opened for potential access by a
cybercriminal.

With so many mobile applications available for transacting, the data
generated no longer belongs solely to the bank. Third parties have access
to banking data, which compounds the risk. Banks are able to control only a
portion of the security of transactions today, and much of the onus is on
the third party. The security of unknown devices, such as mobile smart
phones, cannot be established, so application developers and banks need to
ensure that security measures are built into these applications themselves,
in order to protect their customers.

Cross channel and cross border payments and transfers are often intercepted
by hackers who lay claim to the funds being transferred. Additionally, the
rise of eCommerce has introduced the need for third parties to act as
intermediaries between eCommerce stores and banks, which poses yet another
opportunity for interception through the likes of phishing scams and data
collecting malware.

Over and above the theft of money is the theft of identities. With so much
personal information being required by online retailers and banks, people
are so quick to trust that their information is going into the right hands
that few run the necessary checks to ensure that the data portal is secure,
or that their information is reaching the intended destination. This
further compounds the risk for both banks and retailers as the likes of the
Protection of Personal Information (PoPI) Act come into play.

The impact on banks

Banks carry a lot of risk when it comes to cybercrime. Not only are they
susceptible to the financial impact of unsecured transactions, phishing
sites, re-imbursement, transaction reversal fees and so much more, but they
also need to consider the impact of investigating the cause of a breach and
re-addressing their cyber security every time a breach occurs. Beyond the
possible risk of an "inside job", they need to pinpoint their weak spots
and address them with urgency – something that can be a cost intensive
exercise. There is also the concern of damage to the confidentiality of
their customers, which can irreparably ruin their reputation and
credibility as a financial institution.

Loss of reputation directly translates to a loss of customer trust in the
bank's ability to safeguard and manage their wealth and assets. A bank that
cannot effectively "bank" is no bank at all, in the eyes of the discerning
customer. In an age where the customer is the key driver of business, loss
of credibility can be detrimental to the success of the business and can
lead to total failure.

It is absolutely imperative that, more than simply protecting against theft
and financial breach, banks focus on protecting their customers' personal
information and other sensitive data. Not only to appease regulatory bodies
– in play or yet to come – but also to retain their good standing with
their customers.

Prevention is better than cure

As more and more parties get involved with transacting and as more players
become involved in the banking space, often from other industries such as
ICT, so do more compliance and security requirements emerge. Traditional
security measures simply aren't going to cut it any longer, and banks need
to be always looking to future technologies in order to stay a step ahead
of cybercriminals.

Confidentiality is key in today's age of big data and omni-channel banking.
Ensuring data and transactions are protected from all angles will be a
challenge – one that banks and third parties will have to collaborate on to
ensure their customers are wholly protected, and their data and privacy is
completely secure.

Cyber security teams need to be looking at all potential entry points, from
online banking to application access to the type of encryption employed by
third party enablers. Every engagement platform needs to be addressed. They
need to ensure that access is controlled, leveraging measures such as
authentication, voice recognition and other biometric solutions, passwords
and encryption. As new technologies are introduced and new security risks
are identified, approaches such as new forms of multiple authentication
will become a new trend.

Banks need to ensure they maintain a 360-degree view of their security,
keeping a finger on every pulse of the industry, even extending beyond
their own domain to businesses that touch on, or overlap with, theirs.
Their measures need to be drawn from beyond existing customers,
encompassing past customers as well. Network security, identity protection,
governance, mobile and application security, channel security, protection
of data in motion and data at rest, data masking, encryption, and myriad
other security tools need to be reviewed and updated on a constant and
regular basis.

Banks can start by assessing and securing their architecture, ensuring
their network and servers are trustworthy, and that access to these is
controlled and entrusted to select individuals. They should also be
addressing their governance structures and standards, ensuring these are
compliant not only with local governing bodies, but also with those
countries with whom they do business. Having the right people in the right
place, and with the proper identity verifications and biometrics in place
can also go a long way to managing risk.

There are a vast number of tools and security measures available on the
market today; however, banks don't necessarily need all of them – just the
right tools in the right places, with the right access to them, or a
service provider who understands the nature of banking from a strategic
point of view, who can ensure that the bank has the necessary tools in
place for a solution that is integrated and effective and yet won't break
the bank.