
There used to be a certain romance about a classic bank robbery - the outlandish plots, the intricate planning and the ingenious strategies (often involving digging tunnels) designed to get criminals into the vault and out with the cash. In the 21st century, though, the digital banking revolution means that instead of cracking the vault, cybercriminals are concentrating on cracking the network and moving laterally within it to get their hands on the goods. This doesn’t make for such great movie plots but it does mean that banks are facing a far more relentless threat to their security systems. Below Finance Monthly hears from Rick McElroy, Security Strategist of Carbon Black, to find out how today’s would-be bank robbers are targeting the digital vault.

It’s no surprise that the financial sector is constantly under attack as criminals pursue financial gain directly, or via the theft and sale of valuable customer data. The number of material cyber incidents reported to the Financial Conduct Authority rose 80% in 2017 and that trend is only likely to continue. More specifically, what we found when talking to CISOs is that the threat has undergone considerable evolution in the past three years and the last six months have seen still greater innovation from cybercriminals as they adopt new techniques, tactics and procedures to thwart banks’ attempts to keep them at bay.

The invisible invasion – fileless attacks on the rise

Instead of leaving a gaping hole in the door of the vault, cybercriminals would rather banks didn’t know they’d got in at all. Fileless or non-malware attacks are increasing as actors “hide in plain sight” using legitimate tools, such as PowerShell and Windows Management Instrumentation, to gain illegitimate access to networks and facilitate lateral movement without detection. 90% of the CISOs we talked to had seen PowerShell being used during an attempted attack on their network. This awareness is actually a good thing, because with 97% of Carbon Black customers suffering non-malware attacks in the last year, if our CISOs hadn’t spotted an attack of this kind it would simply have meant that the attacker had succeeded in getting in unseen.

Ransomware remains a tactic of choice for cybercriminals with 90% of financial institutions reporting that they were targeted by a ransomware attack in 2017. The commoditisation of ransomware, which now sees it offered on an “as-a-service” basis, and the lack of expertise needed to carry out attacks means that it has become the lowest common denominator of cybercriminal activity and with financial gain being the primary motivation of most cybercriminals, it’s not surprising that banks are a regular target.

Criminal masterminds are getting smarter

So far, so familiar, but a most interesting and concerning development uncovered by our survey was that a quarter of CISOs had experienced counter-incident responses when defending their networks. Attackers have realised that network defence is often based on simple indicators of compromise that launch an automated or manual incident response playbook. By going off-script after their initial attempt, they can find another way in while security teams think they have thwarted the original threat. Tactics include mutating code, targeting security analysts and engineers in separate but coordinated attacks, deleting logs from endpoints to obscure their activities and launching DDoS attacks on critical defence systems. As attacks grow in sophistication, cyber security becomes a high stakes game of digital chess, where the attacker only has to be lucky once, but defenders need to get it right every time.

The weakest link – third party providers

It’s not just their own security banks need to consider. The security of third party technology service providers is becoming an increasing concern as attackers seek out the weakest link in the chain. They use suppliers’ privileged credentials with the banks’ networks as a stepping stone to gain access to their real target. 44% of CISOs at financial institutions said they’re concerned about this issue and as more incidents come to light the scale of the problem will be more clearly revealed.

To combat the twenty-first century thief, we need to remember that we’re talking about human assailants here. It’s logical that attacks will grow more sophisticated as attackers learn more about companies’ defences – the potential loot is well worth the effort of innovation. Security teams are locked in a cycle of reactivity which needs to be broken if they are to gain the upper hand. So far, only 37% of financial institutions say that they have established threat hunting teams which means that, far from keeping thieves out of the building, 63% are still having to wait until they hear them knocking on the door of the vault before they can act. With an average of 220 days between intrusion and detection a lot of digital gold can leave the building before anything is done about it!

By actively threat hunting, teams look for signs of abnormal activity on endpoints that could indicate compromise well before any alerts are generated. To quickly detect and respond to threats, suppress intrusion and prevent lateral movement, financial institutions need to collect and analyse endpoint data in near-real-time. By doing this they can build up a ‘sight picture’ of attacker behaviour relating to internal movement and external command and control channels. Once these anomalies have been detected and analysed they can be communicated to existing control mechanisms and action taken to disrupt and contain the attacker’s kill chain.

In the age of the digital bank heist a proactive threat hunting strategy is far more effective at stemming the network invasion, capable of evolving alongside the TTPs used by assailants and stopping their digital tunnelling towards the vault. It won’t make such a classic movie, but it will put a bit of star power in the hands of CISOs and security teams who really are the lead actors in the fight against cybercrime.

Cryptocurrency values have risen and fallen in spectacular fashion over the last year and while financial watchdogs are looking to tighten the regulatory grip on how cryptocurrency trading operates, some traders have already profited from the volatility in the new currencies – and they’re not the only ones. Below Martin Voorzanger, EclecticIQ, explains for Finance Monthly how criminals are making the most of the current crypto sphere.

Another group making profits from the turbulent cryptocurrency market is cybercriminals. In fact, last year there was a marked increase in cryptomalware reports and breaches of crypto exchanges and it’s clear that 2018 will be no different. After all, where there is money, there is crime.

The future ‘bank job’

In some cases, criminals are adapting tried and tested cybercrime techniques – such as hacking email accounts, social engineering and spoofing emails – to prise digital coins out of the hands of those that own them.

For example, in late 2017, criminals pulled off the classic bank heist – with a twist. Making off with approximately 4,700 Bitcoins (valued at the time at $70m) in a raid on digital currency exchange NiceHash, hackers gained access to the company’s payment services through an employee’s PC. The organisation described the attack as “sophisticated social engineering”.

Hackers found a similar route into Bithumb – South Korea’s biggest cryptocurrency exchange – earlier in 2017. Again, the weak link was an employee – and this time it was their home computer which was compromised. While, in this case, no currency was stolen, a vast amount of personal computer data was. Despite Bithumb suffering no real, initial monetary loss, the theft of sensitive personal data can actually be even more damaging to a business. In this instance, Bithumb stated that no passwords were stolen, but customers reported receiving calls and emails that scammed them out of funds, ultimately resulting in financial loss for Bithumb and potentially an irreversibly damaged reputation.

While bitcoin and other cryptocurrencies may have been designed with security in mind through the blockchain platform, organisations can’t rely on this alone to keep their crypto assets and data safe. Yes, blockchain is notoriously difficult to tamper with; however, opportunist criminals have found something much easier to compromise – the computers and employees within exchanges.

It is for this reason that organisations must exercise more caution and ensure all security technology and practices are fit for purpose. Good security hygiene should always be front of mind in finance matters – whether it’s around cryptocurrency or not.

A new kind of ‘botnet’

Potentially more worrying than these older, but still successful, cybercrime tactics is when criminals start to adapt new techniques specifically with the intention of defrauding holders of crypto assets. One of the methods that is becoming popular with criminals in a bid to exploit digital currencies is cryptojacking – where cybercriminals take over employees’ computers to secretly mine cryptocurrency. While the method itself has been around for some time, the surge in the value of cryptocurrencies means mining coins has become an incredibly enticing prospect for criminals. And although each infected device can only mine a small amount of value, criminals are collecting enough machines to create data-mining ‘botnets’ which, collectively, can deliver a large profit.

While cryptojacking in itself may not carry the destructive payload of ransomware or other malware, it still represents a device compromise and one which, at best, affects the performance and longevity of devices and, at worst, provides an open doorway for more destructive threats, such as ransomware.

Furthermore, it’s not just the cryptocurrencies themselves that are under threat of attack. Worryingly, earlier this year, security firm Radiflow reported that a European water provider had been compromised. This attack represented the first public discovery of cryptocurrency mining malware in the systems of a critical national infrastructure organisation proving that criminals are no longer just after currency – they want power.

The threat to cryptocurrencies is real and growing - whether the end game of the criminals is financial gain or to disrupt critical infrastructures. Indeed, Microsoft warned earlier this year that it has seen a surge in currency-mining malware infecting Windows PCs in enterprises around the world. The company believes this could be the work of external criminals or, equally, insiders with access to company systems.

Ultimately, while cryptocurrencies themselves are secure, the exchanges and the systems that surround them are not. Humans remain the weakest link – whether intentionally or not – criminals continue to use the same tried and tested vectors of attack and humans are still just as vulnerable to being conned or manipulated by social engineering.

One thing is for certain though – cybercrime activities in this area will not decrease anytime soon. Organisations need to make sure they have the correct security measures in place, including ensuring that employees understand the threats associated with social engineering, to best protect against this new kind of threat.

Banks and card companies prevented £1,458.6 million in unauthorised financial fraud last year, equivalent to £2 in every £3 of attempted unauthorised fraud being stopped, the latest data from UK Finance shows.

In 2017, fraud losses on payment cards fell 8% year-on-year to £566.0 million. At the same time, card spending increased by 7%, meaning card fraud as a proportion of spending equates to 7.0p for every £100 spent – the lowest level since 2012. In 2016 the figure stood at 8.3p.

For the first time, annual data on losses due to authorised push payment scams (also known as APP or authorised bank transfer scams) has also been collated. A total of £236.0 million was lost through such scams in 2017.

The unauthorised fraud data on payment cards, remote banking and cheques for 2017 shows:

The new authorised push payment scams data, collected for the first time in 2017, shows:

Katy Worobec, Managing Director of Economic Crime at UK Finance, said: “Fraud is an issue that affects the whole of society, and one which everyone must come together to tackle. The finance industry is committed to playing its part – investing in advanced security systems to protect customers, introducing new standards on how banks respond to scam victims, and working with the Joint Fraud Taskforce to deter and disrupt criminals and better trace, freeze and return stolen funds.

“We are also supporting the Payment Systems Regulator on its complex work on authorised push payment scams, providing the secretariat for its new steering group. It’s a challenging timetable, but it is important that we get it right to stop financial crime and for the benefit of customers.”

The finance industry is responding to the ongoing threat of all types of fraud and scams by:

To help everyone stay safe from fraud and scams, Take Five to Stop Fraud urges customers to follow the campaign advice:

Tony Blake, Senior Fraud Prevention Officer at the Dedicated Card and Payment Crime Unit, said: “With criminals using social engineering to target people and businesses directly, it’s vital that everyone follows the advice of the Take Five campaign. Always stop and think if you are ever asked for your personal or financial details. Remember, no bank or genuine organisation will ever contact you out of the blue and ask you to transfer money to another account.”

Unauthorised fraud

In an unauthorised fraudulent transaction, the account holder does not provide authorisation for the payment to proceed and the transaction is carried out by a third-party.

Authorised fraud

In an authorised push payment (APP) scam, the account holder themselves authorises the payment to be made to another account. If a customer authorises the payment themselves, current legislation means that they have no legal protection to cover them for losses – which is different for an unauthorised transaction.

Banks will always endeavour to help customers recover money stolen through an authorised push payment scam but customers typically only approach their bank after the payment has been processed, once they realise they have been duped. By this time the criminal has often withdrawn the stolen funds and the customer’s money has gone. Alongside the extensive work already underway through the Joint Fraud Taskforce, UK Finance is also currently working with the Payment Systems Regulator on its proposals to tackle these scams.

Behind the data

Fraud intelligence points towards criminals’ use of social engineering tactics as a key driver of both unauthorised and authorised fraud losses. Social engineering is a method through which criminals manipulate people into divulging personal or financial details, or into transferring money directly to them, for example through impersonation scams and deception.

In an impersonation scam, a fraudster contacts a customer by phone, text message or email pretending to represent a trusted organisation, such as a bank, the police, a utility company or a government department. Under this guise, the criminal then convinces their victim into following their demands, sometimes making several separate approaches as part of one scam.

Data breaches also continue to be a major contributor to fraud losses. Criminals use stolen data to commit fraud directly, for example card details are used to make unauthorised purchases online or personal details used to apply for credit cards. Stolen personal and financial information is also used by criminals to target individuals in impersonation and deception scams, and can add apparent authenticity to their approach.

(Source: UK Finance)

Chatbots are quickly becoming the interface of choice for many organisations. In fact, a recent survey conducted by Oracle revealed that 80% of businesses want chatbots by 2020. While the advances in Artificial Intelligence (AI) and mobile technology have created a new set of tools for brands to communicate with, the technology itself has yet to reach a mature state, and is consequently strongly vulnerable to cyberattacks. This is according to Simon Bain, the cybersecurity expert and CEO of BOHH Labs.

Current bot solutions are not entirely secure and can create open passages for cyber criminals to access the data flowing through the chatbot’s interface. In essence, this gives cyber attackers direct access to an organisation’s network, applications and databases.

Bain explains: “While bot technology has improved drastically in recent years, for maximum security, chatbot communication should be encrypted and chatbots should be deployed only on encrypted channels. This can be easily set up on an organisation’s own website, but for brands that use chatbots through third-party platforms such as Facebook, the security features are decided by the third party’s own security branch, which means the organization does not have as much control over the security features on the chatbot. Until public platforms offer end-to-end encryption in their chatbots, businesses should remain cautious.

“One of the biggest advantages in using chatbots is that they are a cheaper solution to customer service. They can serve and reach customers in a way that would otherwise require a tremendous amount of time and resources. This is an area where chatbots are gaining momentum, but instead of bots replacing entire customer service teams, organisations are working with them in tandem to improve customer satisfaction. However, as chatbots collect information from users, the information that is stored and the metadata must be properly secured. When running a chatbot, organisations must consider how the information is stored, how long it’s stored for, how it’s used, and who has access to it. This is especially important for highly regulated industries, such as finance, that will deal with sensitive customer information.

“While there are clear advantages to integrating chatbot technology as a new communication tool, if companies aren’t made aware of the potential security risks, confidential data will be accessible by any determined hacker. Additionally, attackers may be able to repurpose chatbots to harvest sensitive data from unsuspecting customers.” Bain concludes.

(Source: BOHH Labs)
