Banks: Carrying the can for bad people, broken tech and confused customers
Like moths to a flame, criminals gravitate towards money. For anyone who has been in the cyber-security industry for more than a day, it's clear that banks are a prime target. In a world where vast amounts of wealth flow in digital form through financial institutions 24 hours per day, with a dizzying array of variables, this means one thing for cyber-criminals: opportunity.   

In response, banks spend huge amounts of money defining, auditing and shoring up their perimeter and internal systems. They are aware that each single connected touch-point is a potential point of attack. Every flawed line of code, ATM and consumer endpoint is suspect. There is a siege mentality. The barricades are manned, but threats keep getting in.   

Nowhere is this more evident than in the seemingly never-ending battle to protect customers from banking trojans. The problem has existed for over fifteen years now, and veterans of the fight started off addressing a relatively static threat using signature updates. A malicious file might be released that had some short-term success stealing customer logins, but was eventually rendered useless forever by an AV update. The bad guys then had to start again.

So was set in place a game of cat and mouse that formed an overall approach still in place today. Unfortunately for banks, the attacks have evolved into a variety of advanced exploits and the countermeasures haven't kept pace. It's a bit like trying to fight a massed army of overwhelming numbers, in the dark. The banks may be able to take a swing and hit a few targets, but there are many more attackers and they only have to get lucky once.  

Despite this, customers of online banks are still being offered endpoint protection, with very low adoption numbers, and they are having their accounts slowly drained as a result. 

What is to blame for this situation? 

Firstly and most obviously, criminals. It's glib to say - but the ever-evolving underground markets dedicated purely to the theft of bank logins, card details and associated personal information give financial cyber-crime a massive amount of oxygen. It is all too easy to rent a cyber-crime-as-a-service operation. Someone with relatively limited technical knowledge can buy obfuscated malware, load it into a malvertising campaign and sit back and make money from everyday customers, all from the comfort of their own home. Like the bank teller who scolds the gun-wielding robber, “You know, you can do this much easier online now!”

Secondly, the vendor landscape should shoulder a proportion of the blame. As capital investment has poured into cyber-security over the last fifteen years, the commercial imperative has come to dictate everything. Effective products have often been driven into second place or worse behind the need to get installs, whether with home users or the enterprise. This has led to a skewing of the narrative: promises of product success were overcooked and FUD has been leveraged as hard as possible. The end result for financial services firms is that they have been persuaded to cling onto outdated approaches to protect their customers, despite these approaches being proven to be fallible.

Finally, there are customers themselves. It's often said that people are the largest vulnerability in the cyber-security space. They do stupid things, go to dangerous places online, click on random links or attachments, and ignore software updates. Now imagine being a bank with countless customers. It's like having millions of people walking around a bad neighbourhood with their bank card details pinned on their jacket. Risk is everywhere and, unfortunately, cyber-criminals take advantage at every opportunity.

Ultimately, these three forces have come together to present banks with a game they are struggling to win. They are expected to carry the can for a convergence of confusion, malice and half-truths. If customers get their account emptied, more often than not the burden of responsibility lies with the bank itself to reimburse the customer, effectively subsidising a criminally run enterprise.

This is an endless cycle that must change. The real question is, what's next? It's fine having knowledge of the problem, but how to effect positive change for banks? 

Moving the battleground

The answer lies in removing these three elements entirely - the less influence customers, endpoint security and criminals have on a transaction, the smaller the risk. The banks have one potential advantage over the cyber-criminal, in that they own the battleground, as each session – legitimate or otherwise – uses their infrastructure.

You will never be able to stop every single customer from downloading malware. However, if the transaction session is isolated, the malware's actions can be rendered useless. By capitalising on this advantage and moving the battle from where it has traditionally been fought on the endpoint into an environment they can control and isolate, banks can – for the first time in a long time – give themselves a fighting chance. 

Contributed by Joseph Patanella, CEO of Trusted Knight

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.