The financial services (FS) sector is right up there on the hackers' most wanted list. Financial institutions face 300 percent more cyber-attacks than any other sector. And regulators around the globe have noted how serious a threat to banking stability cyber-attacks could be – a report by the US Financial Stability Oversight Council noted that hackers could pose a “systemic risk to the sector.”
And given the monetary rewards should hackers hit the jackpot, it's little wonder that FS is such a hot target. But how do cyber-criminals get in?
Remote working is one of the most vulnerable areas. Cast your mind back to the JP Morgan breach. In 2014, 83 million customer records were compromised in what remains the largest theft of customer data from a US financial institution. Hackers gained access through the computer of an employee working from home. For financial institutions, the JP Morgan breach flagged up a number of important things. The first is the increasing power of malware attacks. Secondly, was the vulnerability of workers – particularly remote workers - to phishing and spear-phishing. And finally, how easily hackers are able to roam around banking networks unnoticed. In JP Morgan's case, the attack was under way for a month before it was discovered.
So why is remote working such an Achilles Heel? One reason is user authentication - over 75 percent of cyber-attacks stem from weak or stolen passwords. In the case of JP Morgan, hackers stole the login credentials of an employee. They then proceeded to gain entry through a network server that only required a username and password. JP Morgan's security team had allegedly neglected to upgrade one of its network servers with two factor authentication methods that it had installed elsewhere in the bank, leaving the bank vulnerable to intrusion.
The proliferation of devices has also increased the vulnerability for financial organisations. Banking and insurance employees want to be able to use their tablets, smart phones and wearable devices to check work emails, use applications and enter data into systems, all of which adds layers of complexity to the environment.
Given the risks, why would financial institutions want to sanction remote working? It's not just a “nice to have” – remote working brings real business benefit to financial organisations. Research has shown that 70 percent of 2,500 managers reported an uplift in productivity after a shift to remote working and that 63 percent linked a growth in revenue directly to flexible working practices. And it's good for employees – organisations that have remote working policies in place report increased employee satisfaction and lower attrition rates.
In terms of breaches, a major problem is that many financial institutions have authentication solutions in place that are nowhere near secure enough. As demonstrated by JP Morgan, many have password-only solutions in place – hackers can use dictionary attacks or brute force attacks to try and get in and they're often successful. Other institutions use encrypted certificates on a PC, but there are significant problems with certificates including difficult provisioning and a complicated management process. Others have two-factor authentication in place. These solutions often involve tokens or cards that generate pre-issued passwords based on a seed file – but these seed flies can be hacked and tokens can be phished and are vulnerable to “man in the middle” attacks.
Even biometric solutions are vulnerable. They are becoming an increasingly popular way for banks to protect logins, but the technology is flawed, astronomically expensive to implement and maintain and can be compromised. The US's Office of Personnel and Management was recently involved in a massive cyber-attack where 5.6 million fingerprints were stolen. Breaches involving biometric data are worrying because of the permanence of fingerprints – they can't be changed.
Multi-factor authentication (MFA) is a solution that perhaps banks and insurers should be considering, given the threats they face. MFA captures and uses contextual data around each log in to determine whether the user should be granted access, such as a user's connection, their geographic location, a valid point of entry and time of day. If there is nothing suspicious, a one time passcode is generated in real time and sent to the employee's mobile.
The cyber-security threat that financial institutions face is growing every day. IT professionals on the front line of defence at banks and insurers have to make sure they have every solution possible in their security defence to thwart these attacks. MFA is only part of the solution – but in terms of locking down security around authentication, given the fact that over three quarters of network breaches are through people's log ins, they need to do everything they can.
Contributed by Claus Rosendal, CTO, of SMS PASSCODE (a Censornet company)