Don’t expect the financial services industry to ever willingly disclose how much it loses to cyber thieves on an annual basis. But make no mistake: determined, well-funded hacking rings continue to breach banking systems on a regular basis. And they continue to inflict material losses–likely at a scale the general public would find shocking.
Breach attempts against financial services firms occur 24/7/365, says Brian Soldato, senior product management director at NSS Labs, an Austin, Tex.-based consultancy that helps enterprises monitor the ebb and flow of malicious attacks moving across the Internet. The biggest multinational institutions, as well as some 13,000 U.S. community banks and credit unions, remain under continual siege, Soldato says.
So far, financial firms have quietly absorbed the associated losses. But in the end, we all pay. With that said, here are a few things you should know about how cyber pirates, at this moment, are plundering the global banking system.
Knocking over a multinational
Researchers from Kaspersky Lab recently disclosed how one day last October, a hacking ring wrested complete control over all major operations of a multinational Brazilian bank for five hours. The bank was not named, except to say that it has $25 billion in assets, 5 million customers and 500 branches in Brazil, Argentina, the US and the Cayman Islands. The cyber thieves–believed to be part of a Brazilian crime ring–took control of all of the bank’s 36 domains in order to push out malware to bank customers visiting those pages. They also accessed all of the bank’s online banking, mobile, point-of-sale, ATM, and investment transactions.
Remotely tapping ATMs
Kaspersky researchers also divulged how another hacking ring broke into the networks of government agencies and banks in at least 40 countries to spread something called “fileless malware,” which leaves the faintest of footprints. The researchers were able to unravel a couple of amazing hacks deploying this type of bad code against the ATM systems of a bank in Russia, as well as one in Kazakhstan.
In each case, the crooks managed to remotely instruct a specific ATM machine to disgorge cash to an accomplice standing by the machine at an appointed time, without him or her ever touching the ATM, surveillance footage shows. Based on event logs, researchers believe the ATM displayed the salutation “Catch some money Bitch!” on its screen as it dispensed the ill-gotten cash to the money mule.
Small institutions targeted
There are 6,000-plus community banks and some 7,000 credit unions in the United States. While big multinationals represent the biggest paydays, and thus attract the most sophisticated attacks, community banks and credit unions are attractive to criminals for another reason: they tend to be less well-defended.
Thus local banks and credit unions have become the training ground for less experienced cyber robbers who show initiative by making good use of older-generation – but still very effective – hacking tools and techniques, Soldato says. The institutions under the most pressure to beef up cyber defenses are the ones with $50 million or less in annual revenue, Soldato says.
Ransomware attacks directed at the financial services sector more than tripled in 2016 vs. 2015, mostly against smaller firms. Besides failing to adequately defend against this particularly virulent form of cyber extortion, many community banks and credit unions today lack nimble backup systems and disaster recovery routines.
“It’s very common for them to end up having to pay the ransom because it’s actually faster for them to get back online by paying than it is for them to try to recover their systems,” Soldato says, adding that he expects ransomware attacks against smaller financial firms to continue to escalate.
Seeking help from MSSPs
While it’s typical for a small bank or credit union to rely on basic network defense systems, what’s needed is round-the-clock analysis of every bit of traffic hitting the institution’s network. Malicious probes and communications with criminal command-and-control servers are non-stop. Understanding and being able to detect malicious traffic is key, Soldato says. He expects small institutions to increasingly turn to managed security service providers to supply this expertise.
Yet even as the financial sector shores up its defenses, cyber thieves will adapt and innovate. The pressure won’t ease anytime soon. It’s up to each of us to keep an eagle eye on our financial accounts – and shout loudly when a discrepancy occurs. That’s the age we live in.