
Current financial transaction methods have their limitations, exemplified by the typical £100 contactless transaction limit imposed to curb large-scale fraud, and outright risks such as ATM skimming to steal PINs.

Cyberattacks went up 600% due to the COVID-19 pandemic, and financial institutions and their customers were undoubtedly priority targets for identity theft, the most common type of financial fraud.

With 67% of financial institutions reporting an increase in cyberattacks for 2021 and 79% of financial CISOs stating that threat actors are deploying more sophisticated attacks, the race is on for businesses to stay ahead of hackers and invest in technologies to safeguard both internal and customer data privacy.   

In a digital society, where elevated customer experiences are the new normal, people expect their payments to not only be safe but also easy and convenient.

When linked to biometric data, transactions, as well as other pain points for financial services such as lengthy onboarding and account verification, become swift, comprehensive, and exponentially more secure.   

A journey in trust  

Biometric technology’s first forays into the identity verification scene were not without their own set of security and privacy challenges. Back then, some of these technologies proved to be easily hackable, especially facial recognition, which could be duped by deepfakes, 3D-printed reconstructions and even photographs of users. Strides made in “liveness” AI algorithms alone now paint a vastly different picture for the security and reliability of biometric authentication, providing 100% secure authentication.

Beyond this, developments in the space are opening up new and innovative avenues for the most common applications of biometric authentication, one of the largest being finance as we have seen from Mastercard’s recent “smile to pay” biometric payments enablement.   

Fully automated identity verification engines have advanced in the areas most crucial to financial institutions: privacy, to remain compliant with rapidly evolving government regulations; customer experience, to enrol customers rapidly; and security, to reduce fraud and avoid financial losses.

At the core of an iconic digital identity verification solution is the capacity to “orchestrate” multiple dynamic data sets, not only to detect and deter fraud but also to deliver a customer experience that reduces online friction, converts more applicants into customers, and increases retention rates.

This also extends beyond initially considered use cases to a growing variety of industries, further validating the increasing trust being instilled in these systems. Face ID is no longer just for iPhones but is being implemented in hospitality for hotel check-in, customised personal experiences and room service payments, all without the need for a physical card.  

Why passwords are more problematic than protective  

It is not entirely unreasonable for organisations to fear the unknown when it comes to implementing biometric authentication, nor for the customers who are expected to use it. However, where digital identity authentication has been subject to suspicion of data theft and privacy breaches, we must also acknowledge the gravity of the risks associated with passwords and PINs.

In 2021, 92% of LinkedIn’s users’ data was exposed and sold on the dark web in a breach widely reported as a result of weak passwords, with over 700,000 profiles found to be unlocked with a painfully simple “123456”.   

As we move at a rapidly escalating rate towards a cashless and contactless society, passwords and PINs are not only leaving individual security in the hands of human error but are nearing obsolescence. A worrying 59% of IT security respondents report that their organisation relies on human memory to manage passwords. When individuals are left to create and remember dozens, if not hundreds, of passwords, the likelihood of resorting to easily remembered but weak passwords skyrockets – along with their susceptibility to brute-force cracking by hackers.

Keeping track of changing passcodes, PINs, and security questions is time-consuming, less secure, and less convenient than in-depth biometric identity verification and authentication. Social engineering scams in particular, a key driver of fraud losses, rely on victims handing over personal details and passwords; that avenue is closed when such information is replaced with biometric authentication.

We do see a convergence between the two where apps use biometrics to unlock a secure password store within the device. However, this typically does not offer added security but serves the purpose of convenience. When the security burden is placed on passwords in our modern cyber-sophisticated age, users are left highly vulnerable to breaches and data theft.   

Identity verification solutions need to balance risk with modern digital consumer needs and expectations. Biometrics as the primary or sole means of verification takes the onus of authentication away from the user, whilst maintaining the elevated levels of security that people and organisations expect from financial transactions.  

One identity everywhere  

As financial fraud becomes more pervasive and elaborate, and people become more focused on ensuring their privacy, creating a world of trust is pivotal, not only for identity verification, but also for the future of payments. The positive impact that AI and biometrics can have will be substantially limited if there is a lack of trust in how the technology is used. Users need to be sure that privacy is a top priority, and that their data is safe from theft or exploitation.   

With AI technology, we can create a smooth, secure, and privacy-enabled identity verification process in which people themselves will be the only documentation needed to verify their identity, an approach central to Incode’s “One Identity Everywhere” future. As consumers, retailers and institutions alike adjust to constant digital innovation, the gold standard in the future of payments will be both frictionless and secure, and where data privacy is absolute. 

About the author: Ricardo Amper is CEO & Founder of Incode.  


The current climate has led more individuals, businesses and government entities to really take a look at what they can do to protect themselves from the very real threat of cyberattacks. Today more than ever, artificial intelligence is playing a larger role in detecting and mitigating cyber risks. 

Why do cybersecurity and insurance go hand in hand?

Risk and protection go hand in hand. The more data that is collected on someone or something, the more valuable it becomes to anyone who wants to use it with malicious intent. Cyber risk is a new type of risk that has appeared in the past five years and is increasing year after year. The attacks themselves can come with little to no warning, and recovering from one is often time-consuming and costly.

Ransomware attacks, distributed denial of service attacks and phishing attacks are just a few of the plethora of ways that attackers can gain access to home and company networks, steal passwords and banking information and go as far as wiping clean the computers in offices, leaving nothing more than a paperweight at each desk. These attacks in fact are so common that 23% of small business owners have had an attack in the last 12 months according to a survey by Hiscox. 

Here are some examples of how AI can be used to combat specific types of cyber threats.

1. Data Poisoning

Data poisoning is exactly what the name suggests: data turned to ill intent. Samples used to train an algorithm are manipulated so that the model produces a hostile output or prediction when triggered by specific inputs, while remaining accurate for all other inputs.

Data poisoning that turns systems hostile happens before the model training step. Zelros has an Ethical Report standard under which a dataset signature is collected at each successive step of modelling. This is a necessary check: it makes it possible to prove afterwards that the data has not been tampered with or otherwise manipulated. Other companies can adopt this standard as one of the best practices for using AI responsibly.
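The idea of a dataset signature taken at each modelling step can be made concrete with a small hash chain. The example below is added here for illustration and is not Zelros' Ethical Report implementation: it assumes the dataset is a list of JSON-serialisable rows (a real pipeline would hash the file or DataFrame bytes), signs the raw and preprocessed datasets in turn, links each entry to the previous one, and then shows that a label flipped after signing is detected at the step where it happened.

```python
import hashlib
import json

# Constructed sample dataset (not real customer data): each row is one training example.
RAW_ROWS = [
    {"age": 34, "income": 52000, "label": 0},
    {"age": 51, "income": 88000, "label": 1},
    {"age": 29, "income": 41000, "label": 0},
]


def dataset_digest(rows):
    """SHA-256 over a canonical (sorted keys, fixed separators) serialisation of the rows."""
    canonical = json.dumps(rows, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def sign_step(chain, step_name, rows):
    """Append a signature entry for one modelling step, chained to the previous entry."""
    prev = chain[-1]["entry_hash"] if chain else "0" * 64
    data_hash = dataset_digest(rows)
    entry_hash = hashlib.sha256(f"{prev}|{step_name}|{data_hash}".encode()).hexdigest()
    chain.append({"step": step_name, "data_hash": data_hash,
                  "prev": prev, "entry_hash": entry_hash})
    return chain


def verify_chain(chain, datasets):
    """Recompute every link. `datasets` maps step name -> the rows claimed for that step.
    Returns (ok, first_bad_step)."""
    prev = "0" * 64
    for entry in chain:
        rows = datasets.get(entry["step"])
        if rows is None or dataset_digest(rows) != entry["data_hash"]:
            return False, entry["step"]
        expected = hashlib.sha256(
            f"{prev}|{entry['step']}|{entry['data_hash']}".encode()).hexdigest()
        if entry["prev"] != prev or entry["entry_hash"] != expected:
            return False, entry["step"]
        prev = entry["entry_hash"]
    return True, None


def normalise(rows):
    """Hypothetical preprocessing step: express income in thousands."""
    return [{**r, "income": r["income"] / 1000} for r in rows]


def build_signed_pipeline(raw_rows):
    """Sign the dataset before and after preprocessing; returns the chain and the datasets."""
    chain = []
    sign_step(chain, "raw", raw_rows)
    cleaned = normalise(raw_rows)
    sign_step(chain, "preprocessed", cleaned)
    return chain, {"raw": raw_rows, "preprocessed": cleaned}


def poisoned_copy(rows):
    """Constructed tampering: flip one label after the signature was taken."""
    tampered = [dict(r) for r in rows]
    tampered[1]["label"] = 0
    return tampered


if __name__ == "__main__":
    chain, datasets = build_signed_pipeline(RAW_ROWS)
    print(verify_chain(chain, datasets))            # (True, None)
    datasets["preprocessed"] = poisoned_copy(datasets["preprocessed"])
    print(verify_chain(chain, datasets))            # (False, 'preprocessed')
```

The chain only proves integrity relative to the moment each signature was taken, so the entries themselves must be stored somewhere the pipeline operator cannot rewrite (an append-only log or a signed record), otherwise a tamperer simply re-signs.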

2. Privacy 

When an entity, whether a government, a law enforcement body or even a personal network, trains its algorithm on a dataset containing identifying features, the identities in that data may be compromised. To avoid one or more identities being exposed through the training data, and thereby putting their privacy at risk, organisations can use techniques such as federated learning. It boils down to training individual models locally at the source and federating them on a wider scale, so that personal data stays secured locally. More generally, detecting specific outlier samples and excluding them from training is a recommended practice to keep on hand.
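To show what "train locally, federate globally" means in code, here is an added example of federated averaging on a one-feature linear model, written in plain Python for this page and not taken from Zelros or any library. It assumes three branches each hold their own (x, y) samples that never leave the branch, all following the same hidden rule y = 2x + 1, and that each branch first drops local outliers as the paragraph recommends; only the model weights travel to the coordinator.

```python
# Constructed local datasets (assumption): three branches with private (x, y) pairs.
# The last point in branch_c is a planted outlier that the local filter should exclude.
LOCAL_DATA = {
    "branch_a": [(0.1, 1.2), (0.2, 1.4), (0.3, 1.6), (0.4, 1.8)],
    "branch_b": [(0.5, 2.0), (0.6, 2.2), (0.7, 2.4)],
    "branch_c": [(0.8, 2.6), (0.9, 2.8), (1.0, 3.0), (40.0, -5.0)],
}


def drop_outliers(points, max_abs_x=10.0):
    """Local pre-filter: exclude samples whose feature lies far outside the expected range."""
    return [(x, y) for x, y in points if abs(x) <= max_abs_x]


def local_train(points, w, b, lr=0.1, steps=10):
    """Gradient descent on mean squared error for y = w*x + b, starting from the global
    weights. Only the updated (w, b) are returned; the raw points stay on the branch."""
    n = len(points)
    for _ in range(steps):
        dw = sum(2 * (w * x + b - y) * x for x, y in points) / n
        db = sum(2 * (w * x + b - y) for x, y in points) / n
        w -= lr * dw
        b -= lr * db
    return w, b


def federated_average(local_data, rounds=200):
    """Coordinator side: each round every branch trains from the current global model and
    the coordinator averages the returned weights, weighted by each branch's sample count.
    The coordinator never sees a single (x, y) pair."""
    w, b = 0.0, 0.0
    filtered = {name: drop_outliers(pts) for name, pts in local_data.items()}
    total = sum(len(pts) for pts in filtered.values())
    for _ in range(rounds):
        acc_w = acc_b = 0.0
        for pts in filtered.values():
            lw, lb = local_train(pts, w, b)          # happens on the branch
            acc_w += lw * len(pts) / total           # only weights are aggregated
            acc_b += lb * len(pts) / total
        w, b = acc_w, acc_b
    return w, b


if __name__ == "__main__":
    w, b = federated_average(LOCAL_DATA)
    print(f"global model: y = {w:.3f}x + {b:.3f}")   # close to y = 2x + 1
```

Federated learning removes the need to pool raw records, but the exchanged weights can still leak information about the training data; in practice it is combined with secure aggregation or differential privacy, which this example does not implement.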

3. Bias Bounties

As with older generations of software, sharing the details of an AI algorithm can become a liability, especially if it is exploited with malicious intent, since it provides insights into the model structure and its operation. A countermeasure, identified by Forrester as a trend for 2022, is bias bounties, which help AI software companies strengthen and improve the robustness of their algorithms.

“At least 5 large companies will introduce bias bounties in 2022.”

- According to Forrester: North American Predictions 2022 Guide

Bias bounties are becoming the go-to weapon and armour for ethical and responsible AI because they help ensure that the algorithm in place is as unbiased and reliable as possible, thanks to the many sets of eyes and different thought processes that review it over the course of the campaign.

4. Human Behaviour

Human behaviour can be among the hardest and the easiest things to predict. When it comes to data or AI manipulation, our first thought might be malicious activity. However, organisations should stop to reflect on what personal data people are willingly, even if unknowingly, sharing.

Our main cybersecurity weakness is our ability to propagate knowledge of our identity and activities to thousands of people within seconds. Artificial intelligence, or even basic data-collection tools, gives this new behaviour consequences that may prove critical for cyber security.

Consider an older example for reference: geolocation data openly shared on social networks. Dating from 2018, it shows how individual scraps of data can be gathered to provide powerful insights into a person’s identity and/or behaviour.

These insights can then be leveraged by AI systems to categorise ‘potential customer targets’ and produce very specific outputs or recommendations. A more recent reference is The Social Dilemma, a documentary about the world of the “attention economy” built on gathering personal data from monumental amounts of information. To decrease the impact and consequences of our human behaviour, nothing outperforms culture and scientific awareness. Data science acculturation is essential, both for the security of our private data and for the ethics baked into AI models, as detailed in the first topic of this article.

“AI tools may be too powerful for our own good”: when fed streams of customer data, a machine learning model may learn much more than we would actually like it to. For example, even when gender is not an explicit data point in customer data, the algorithm can learn to infer it through proxy features, something a human could not do, at least not with that amount of data in such a limited time. For that reason, analysing and monitoring the ML model is crucial.

To better equip ourselves to anticipate algorithm and model behaviour, and to help prevent discrimination through proxies, a key element is diversity. It is often overlooked when discussing AI solutions. Having multiple reviewers who can provide input from their individual cultural, socioeconomic and ethical backgrounds can lower the risk of biases being built into AI programs. Organisations whose own teams lack the diversity to complete these tasks can also request algorithmic audits by third parties, drawing on their expertise and workforce diversity.
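The two preceding passages say that a model can learn a protected attribute through proxies and that the model must therefore be monitored. The following audit helper is an added example, not code from Zelros or the author: it assumes the auditor holds a small evaluation sample (constructed here) containing the features the model saw, the model's decision, and a protected attribute the model never saw, then measures how far decision rates differ between groups and which categorical input features act as proxies for the group.

```python
from collections import Counter, defaultdict

# Constructed audit sample (not real customer data): (features seen by the model,
# model decision where 1 = offer made, protected attribute held only by the auditor).
AUDIT_ROWS = [
    ({"product_code": "P1", "channel": "online", "tenure_years": 2}, 1, "A"),
    ({"product_code": "P1", "channel": "branch", "tenure_years": 5}, 1, "A"),
    ({"product_code": "P1", "channel": "online", "tenure_years": 3}, 1, "A"),
    ({"product_code": "P1", "channel": "branch", "tenure_years": 7}, 1, "B"),
    ({"product_code": "P2", "channel": "online", "tenure_years": 4}, 0, "B"),
    ({"product_code": "P2", "channel": "branch", "tenure_years": 6}, 0, "B"),
    ({"product_code": "P2", "channel": "online", "tenure_years": 1}, 0, "B"),
    ({"product_code": "P2", "channel": "branch", "tenure_years": 8}, 0, "A"),
]


def positive_rate_by_group(rows):
    """Share of positive decisions per protected group."""
    totals, positives = Counter(), Counter()
    for _, decision, group in rows:
        totals[group] += 1
        positives[group] += decision
    return {g: positives[g] / totals[g] for g in totals}


def demographic_parity_gap(rows):
    """Largest difference in positive rate between any two groups (0 = parity)."""
    rates = positive_rate_by_group(rows)
    return max(rates.values()) - min(rates.values())


def group_purity(rows, feature):
    """Weighted share of the majority group within each value of a categorical feature:
    1.0 means the feature value fully determines the group, i.e. a perfect proxy."""
    by_value = defaultdict(Counter)
    for features, _, group in rows:
        by_value[features[feature]][group] += 1
    return sum(max(c.values()) for c in by_value.values()) / len(rows)


def proxy_candidates(rows, min_lift=0.2):
    """Flag categorical features whose purity beats simply guessing the overall majority
    group by at least min_lift. Numeric features are skipped: unique values make purity
    trivially 1.0, so bucket them before applying the same test."""
    baseline = max(Counter(g for _, _, g in rows).values()) / len(rows)
    categorical = [f for f, v in rows[0][0].items() if isinstance(v, str)]
    return [f for f in categorical if group_purity(rows, f) - baseline >= min_lift]


if __name__ == "__main__":
    print(positive_rate_by_group(AUDIT_ROWS))   # {'A': 0.75, 'B': 0.25}
    print(demographic_parity_gap(AUDIT_ROWS))   # 0.5
    print(proxy_candidates(AUDIT_ROWS))         # ['product_code']
```

In the constructed sample the model never received the group label, yet its decisions follow `product_code`, which the audit exposes as a proxy; `channel`, which is evenly spread across groups, is not flagged. Running such a check on every retraining is one concrete form of the monitoring the text calls for.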

About the author: Antoine de Langlois is Zelros' data science leader for Responsible AI. Antoine has built a career in IT governance, data and security and now ethical AI. Prior to Zelros he held multiple technology roles at Total Energies and Canon Communications. Today he is a member of Impact AI and HUB France AI. Antoine graduated from CentraleSupelec University, France. 

Professional content writer and branding aficionado Annie Button takes a look at some key cybersecurity investments that can protect firms from losing profits.

Cybersecurity is one of the most critical areas for financial businesses to invest in, with the theft of data and hackers taking down entire sites being some of the biggest threats to companies the world over. But, ‘time is money’ and as financial business owners know all too well, cybersecurity is an ongoing task that requires relevant skills and knowledge. 

Since some businesses have historically struggled to battle against cyberattacks, the financial consequences of neglecting cybersecurity and risk factors could be devastating. So, this is an area where investing in cybersecurity pays dividends when it comes to protecting your departments’ networks and details. 

Invest in specialised security products

Cybercriminals are constantly evolving to become more sophisticated in their abilities to steal data and gain access to networks, which means your protective devices need to be updated all the time to stay one step ahead. If a criminal attacks your system and manages to gain access, the cost to your financial firm will be huge, so investing in products that will offer the best level of protection is money well spent in the long term. 

Capitalise on specialist products designed specifically for this purpose to get the best results and protect your business data as effectively as possible. From VPNs to firewalls and antivirus software, there are various tools you can invest in and implement to keep your business safe.

Use centralised software

Businesses often invest in tools and devices only to wind up using a fraction of them on a daily basis. If you haven’t conducted a review of the tools you use in a while, now could be a good time. Reviewing what you actually need and unifying those tools into a single solution is not only better financially but also leaves fewer openings for criminal activity.

It’s not just firewalls and antivirus solutions that can be effective in preventing cybercrime. Investing in the right tools for your industry will have a direct impact on how secure your business is. For example, finance businesses can reduce cybersecurity risks by implementing training policies, installing virtual private networks (VPNs) and instigating regular network checks. Specifically targeted software will help with data compliance, improve efficiency and, above all, maintain data security for the business. Likewise, law firms can invest in case management software that keeps client documents, details and communications in a centralised location, reducing the need for additional tools.

Back up with cloud storage

If your network is compromised and you’re the victim of a phishing or virus attack, you may need to clean the system up entirely and start from scratch. In these cases, decontaminating your data is essential. Similarly, if you’re the victim of a ransomware attack, having your data stored somewhere safe can reduce the impact such an attack can have on your business. It provides you with confidence and security that your information is protected no matter what and that you can avoid any costly ransomware issues.

It’s advisable to always keep three copies of your data on two different types of storage, such as a local storage device and your hard drive, so that your data remains accessible in any event. Cloud storage is the best way to keep company data secure, whether it’s customer files, financial records or any other critical information. It reduces the cost of downtime and improves accessibility for your team, which ultimately improves productivity.

Avoid human intervention with automation tools

Most cybersecurity operations need the human touch, but a lot of these tasks can be automated which improves productivity, reduces human error and optimises decision-making which is better for increasing profits for your business. Monitoring and detection systems with machine-based threat intelligence will classify cyberthreats to spot issues and assign a level of urgency to them, so you can respond to them accordingly. 

You may also invest in other cybersecurity automation tools, such as certificate management, automatic software updates and user permission attribution. If you’re running a bigger business, investing in these types of cybersecurity tools can save a considerable amount of time and effort, enabling staff to focus on other tasks without impacting your level of protection.

Train your workforce against cyberattacks

Training is always money well spent in any business, but particularly when it comes to cybersecurity. Having a workforce that’s primed to spot issues and is up to date with the latest security developments and attack trends will ensure your business is ready for a crisis and can avoid the threat of costly cyberattacks on the organisation. 

From the value in using strong passwords and multi-factor authentication to monitoring emails for phishing scams, knowing how to implement a response strategy and being cautious around payment gateways, in-person or online training can all help to save your business thousands in costly errors and it’s a relatively easy investment to make that will benefit your company in many ways. 

An ongoing problem businesses need to address

Cybercrime is a continually evolving problem that all businesses and industries need to take note of in order to protect themselves against data theft, reputational damage and financial concerns. Whether it’s training courses for your staff, specialist software products to secure your systems or backing up information for peace of mind, these investments into your business are essential protective measures that will save your business money in the long run. 

The finance sector is extremely vulnerable to the rising number of cyberattacks, with the 2021 Cybersecurity Census Report finding that finance companies in the UK suffered an average of 60 cyberattacks in the last year. The number of these attacks continues to increase, and finance companies need to employ strategies to keep their data and networks secure from attackers.

For obvious reasons, the finance sector is an advantageous target for cybercriminals, due to the wealth of data contained within these organisations and the fact that attacks can target banks’ processing systems to disrupt critical financial transactions. Nonetheless, the volume and severity of the attacks we’re seeing is cause for immediate action, with mid-sized financial services organisations worldwide spending an average of over $2m recovering from ransomware attacks.

Aside from causing disruptions to financial services capabilities and potentially substantial financial losses, financial services organisations that are victims of a cyberattack also stand to suffer significant reputational damage. For example, recent Mimecast research found that consumers think that brands should be responsible for compensating victims of scams, with 39% of consumers saying that not taking responsibility for potential customers being deceived would put them off the brand. Notably, 65% of UK consumers would stop spending money with their favourite brand if they fell victim to a phishing attack involving that brand. This is increasingly important for the financial sector, as online banking is the second most trusted sector by consumers in the UK, but is the most leveraged sector for cybercrime, with 28% of consumers receiving phishing emails from brands in this sector.

The key here is to move at pace, and employ a security model which helps organisations control access to their networks, applications, and data, enabling the financial services sector to remain secure in the face of sophisticated attacks.

The ‘New And Improved’ Cybercriminal

The pandemic has driven more criminals online, as they have adapted to the new remote/hybrid working world by exploiting improperly secured VPNs, cloud-based services, and unprotected emails. Inevitably, external data breaches are now a matter of when and not if. On top of this, a recent report found that the LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help them breach and encrypt networks.

These criminals invest a lot of time in researching organisations and employees, asking questions such as: has someone been passed over for a promotion? Is someone being underpaid? Has someone received a negative performance review? Using this research, and spam/phishing attacks, criminals identify weaker links for exploitation. Criminals then contact corporate insiders, asking them to install ransomware, collect information, plant malware and so on. This is creating a perfect storm for many financial services companies.

The Zero Trust Model 

With this combination of internal and external threats and the risks of significant financial and reputational damage increasing, the financial sector might fear it is fighting a losing battle. But there is a model that can be adopted to keep their data and networks secure from attackers: Zero Trust. 

The Zero Trust model is founded on a simple idea, “trust no one and nothing”. In essence, the zero-trust security framework does away with concepts such as trusted devices and trusted users. In practical terms, organisations that adopt the Zero Trust model put policies in place to verify everyone and everything, whether internal or external. The model provides a mechanism to secure new ways of working in the cloud while combating the risk of an insider breach. Applying a Zero Trust model is especially important when it comes to insider threats, since implicit trust is exactly what attackers seek to exploit.

Zero Trust is a great way to address the challenges caused by the rapid shift to greater cloud spend and remote working, as it removes implied trust: each access request must be verified based on strong authentication, authorisation, device health, and the value of the data being accessed. This is one of the most effective ways for organisations to control access to their networks, applications, and data, leading to better security for the enterprise.
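The per-request decision described above, which weighs authentication strength, authorisation, device health and data value together, can be expressed as a small policy engine. The code below is an added illustration, not the implementation of any vendor's zero-trust product: it assumes a constructed role-to-resource authorisation table, a four-tier data classification, and three authentication methods of increasing strength, and it returns allow, deny or step-up for every request, with network location deliberately absent from the inputs.

```python
from dataclasses import dataclass

# Assumed data classification tiers (constructed for this example).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed authentication methods, ranked by strength.
AUTH_STRENGTH = {"password": 1, "password+otp": 2, "hardware_key": 3}

# Minimum authentication strength required per sensitivity tier.
REQUIRED_STRENGTH = {0: 1, 1: 1, 2: 2, 3: 3}

# Constructed authorisation policy: which roles may reach which resources.
ROLE_PERMISSIONS = {
    "teller": {"customer-lookup", "branch-calendar"},
    "analyst": {"customer-lookup", "risk-reports"},
    "admin": {"customer-lookup", "risk-reports", "core-ledger"},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    auth_method: str           # key in AUTH_STRENGTH
    device_managed: bool       # enrolled in device management
    device_patched: bool       # OS and security agent up to date
    resource: str
    resource_sensitivity: str  # key in SENSITIVITY


def evaluate(request):
    """Return (decision, reason) with decision in {"allow", "deny", "step-up"}.
    Every request is evaluated on its own merits; there is no network-location input and
    no memory of earlier decisions, which is what removing implied trust means here."""
    allowed = ROLE_PERMISSIONS.get(request.role, set())
    if request.resource not in allowed:
        return "deny", "role not authorised for resource"
    if not request.device_managed:
        return "deny", "unmanaged device"
    tier = SENSITIVITY[request.resource_sensitivity]
    if tier >= SENSITIVITY["confidential"] and not request.device_patched:
        return "deny", "device health check failed"
    strength = AUTH_STRENGTH[request.auth_method]
    required = REQUIRED_STRENGTH[tier]
    if strength < required:
        # The user is legitimate but must re-authenticate more strongly for this data.
        return "step-up", f"authentication strength {strength} below required {required}"
    return "allow", "all checks passed"


def evaluate_all(requests):
    """Evaluate a batch and return (user, resource, decision) tuples suitable for logging."""
    return [(r.user, r.resource, evaluate(r)[0]) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests.
    sample = [
        AccessRequest("alice", "teller", "password+otp", True, True, "customer-lookup", "confidential"),
        AccessRequest("alice", "teller", "password", True, True, "customer-lookup", "confidential"),
        AccessRequest("alice", "teller", "hardware_key", True, True, "core-ledger", "restricted"),
        AccessRequest("bob", "admin", "hardware_key", True, False, "core-ledger", "restricted"),
        AccessRequest("carol", "analyst", "password", False, True, "risk-reports", "internal"),
    ]
    for line in evaluate_all(sample):
        print(line)
```

Note the ordering: authorisation and device checks run before the authentication-strength check, so a step-up prompt is only ever issued to a user who would otherwise be allowed, and an attacker holding stolen credentials on an unmanaged device gets a plain deny rather than a hint about which factor is missing.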

Making It Seamless

One factor that must be taken into account is that, in order to be successful, the integration of zero trust systems must be as seamless as possible, otherwise complexity is re-introduced into the enterprise. Organisations need integrated solutions that optimise their current and future state of security. Avoid solutions that operate in isolation, and instead opt for platforms that integrate to form an ecosystem to improve visibility, enhance control and provide a robust set of orchestration capabilities. Ultimately, zero-trust security is more of a security model than any one tool, making it difficult to implement, especially when the infrastructure it’s being applied to wasn’t designed for new models, as there is no simple way to retrofit some systems for zero trust. For example, as a basic requirement, zero trust relies on multi-factor authentication, which many financial services firms may not currently have in place.

As well as this, the financial services industry has not fully migrated to cloud solutions, and large amounts of technical debt have been incurred over years of deploying new applications coupled with digitalisation. With more than 90% of the UK’s financial firms still relying on legacy tech, business-critical information is still stored on out-of-date software. This equipment is often not compatible with up-to-date software and provides several opportunities for “backdoor” access. Companies that use older legacy applications may have trouble implementing them on zero-trust networks, and for this new solution to be effective, companies will also need to invest in employee training. Training for employees alongside new security solutions is the only way to minimise human error, raise awareness and truly increase cyber-hygiene across a whole organisation.

While it's a long process, which may require the replacement of legacy equipment, and which demands inward reflection and internal reshaping, the finance sector needs to make cybersecurity a top priority. Otherwise, there is a real risk that even unsophisticated cyberattacks will cause serious damage and undermine organisations. Using new types of tools and capabilities, such as the zero-trust model, the finance sector can have a safer framework in place to help organisations tackle persistent security challenges, as well as mass remote working, allowing financial services to stay protected regardless of what comes next.

The Internet Crime Complaint Center (IC3) report stated that 791,790 cybercrime complaints were reported in 2020 alone, with the reported losses exceeding $4.1 billion. There has been a rise in credit card fraud, identity theft, phishing attacks, cyberstalking, and extortion, and there is a need for financial institutions to enhance their cybersecurity. Here are cybersecurity tips for financial institutions.

1. Use virtual private network (VPN)

With the rise of cybersecurity attacks, financial institutions risk losing data and sensitive customer details to hackers due to weak networks. Cyber attacks cost financial institutions not only money but also their hard-earned reputation. The use of a VPN improves data security by encrypting data in transit, rendering it unreadable and untraceable to anyone who tries to steal it. In addition, using a VPN makes remote access to data safer, allowing employees to work remotely. This guide explains how financial institutions can enhance online security for smooth operations by using VPNs.

2. Management of third-party risks

When financial institutions grant network access to third parties such as vendors and suppliers, they risk having confidential information leaked. To minimise such risks, financial institutions should segment their network to limit third-party access to critical assets, establish and verify security posture for partners and other third parties, monitor and identify any network irregularities, and add security best practices in service agreements.

3. Adherence to regulatory standards

There are fundamental laws and regulations that govern the financial industry. Financial institutions should religiously comply with the laid down guidelines that are specific to them to enhance their protection.

4. Regular network assessment

Also known as internal infrastructure audit, network assessment involves auditing the network to pinpoint any security gaps and lay down mechanisms to improve network security. Acting on the results of the audit leads to secure networks and improved compliance with data privacy regulations.

5. Employee training on cybersecurity

Creating a culture of safety through training helps to reduce cyberattacks that may occur due to a lack of knowledge or negligence. Employees should learn how they can identify phishing emails. The financial institution may also decide to test its preparedness for cybersecurity using penetration testing. If employees fall prey to fake phishing attempts, they should be taken for further training.

Additionally, other security best practices include using password managers and logging out of devices whenever employees leave their workstations. Financial institutions can keep educating their employees by continually sending them cybercrime newsletters and updating them on emerging cybersecurity challenges and solutions.

6. Use of up-to-date software

Financial institutions should ensure that they update their software each time a new version is released. This is because each upgrade comes with advanced cybersecurity measures that prevent attackers from accessing private data. Keeping every device up-to-date lowers the chances of cyberattacks on the institutions.

Endnote

As technology evolves, hackers find new ways to infiltrate systems and threaten the financial sector's security. These tips will help financial institutions improve cybersecurity for the smooth operation and protection of data.

Pablo Castillo, Cyber Threat Research Analyst at Constella Intelligence, offers Finance Monthly his insight into the cyber threats facing the financial services sector in 2021.

Unsurprisingly, financial services firms and their troves of sensitive data were a big target for threat actors in 2020. The rapid shift to remote work, coupled with insufficient budgets and a lack of training and awareness to mitigate attacks, led to an increased risk for many sectors. Despite the need for cybersecurity and the cost savings it can bring over the long haul (breaches are expensive, especially for financial organisations), businesses prioritised other functions and operations which more directly affected their bottom lines this past year.

Hacker groups took full advantage of these uncertain times. According to VMware Carbon Black, in the first half of 2020, banks faced a 238% surge in attacks. Further, Keeper Security recently revealed that 70% of financial services organizations reported experiencing a cyber-attack in the past year, with a majority of the 370 UK IT respondents suggesting that COVID-related conditions contributed to the increase in severity of attacks.

US Financial Services Subcommittee Chairman Emanuel Cleaver (D-Mo.) explicitly stated back in June 2020, “criminal actors [are] redoubling their efforts to target families, financial institutions, and even governments.” Below, I’ll highlight some of the notable threats these criminal actors pose, specifically as it relates to financial institutions.

Phishing

Last September, it was reported that one in four Americans received a COVID-19-related phishing email. That number has only risen as we’ve made our way through 2021. The marked increase in phishing scams this past year even led to the American Bankers Association launching the #BanksNeverAskThat campaign. Further, the Financial Crimes Enforcement Network (FinCEN) issued a notice in December alerting financial institutions about the potential for fraud, ransomware attacks, or similar types of criminal activity related to COVID-19 vaccines and their distribution – such as phishing schemes luring victims with fraudulent information about vaccines.


Ransomware

Per FinCEN, “cybercriminals, including ransomware operators, will continue to exploit the COVID-19 pandemic alongside legitimate efforts to develop, distribute, and administer vaccines.” FinCEN warned financial institutions to stay alert to ransomware targeting vaccine delivery operations, as well as the supply chains required to manufacture the vaccines. There are a myriad of examples of ransomware affecting the fintech industry this past year, and it’s a significant threat to all businesses and individuals across the globe.

Business Email Compromise (BEC)

Another top threat, especially amid COVID-19, is BEC. Among Kroll’s cases impacting the FinServ sector, email compromises were the most observed threat. A July 2020 FinCEN advisory outlined the various ways threat actors are exploiting the pandemic and singled out BEC schemes. Threat actors look to convince banks and lenders, for instance, to redirect payments to new accounts, “while claiming the modification is due to pandemic-related changes in business operations.” Often, these sorts of schemes are preventable, but it comes down to training and awareness to combat social engineering.

Disinformation

According to Accenture’s 2020 Future Cyber Threats report, “disinformation and misinformation is not only a threat to efforts to manage COVID-19, it also impacts the financial sector.”

NASDAQ and Financial Industry Regulatory Authority (FINRA), to name a few, have warned of increases in market manipulation as a result of the pandemic. “Often, market manipulation involves elements of disinformation or misinformation directed at influencing unsuspecting investors to aid criminal actors’ objectives,” the report states. There are a plethora of examples, including a UK bank (pre-COVID, it should be noted) having to reassure its customers of its financial health after its share price dropped 9% due to false rumors spreading on WhatsApp that the bank was shutting down, calling for customers to empty their accounts.


Mobile Banking Exploitation

The pandemic has accelerated the adoption of digital payments – the Internet Crime Complaint Center (IC3) put out a PSA stating that mobile banking usage has surged as much as 50%. Threat actors look to exploit these platforms, namely via app-based banking trojans and fraudulent apps, but the simple solution to combat these types of threats is to remain vigilant for suspicious activity and verify an app is legitimate before downloading.

Distributed Denial-of-Service (DDoS)

We are seeing a significant increase in DDoS attacks on institutions in banking and across a wide range of sectors, from healthcare to energy. DDoS attacks can, among other things, freeze the operations of financial institution customers. Not long ago, New Zealand’s Stock Exchange Market (NZX) faced a barrage of DDoS attacks, disrupting trading for four consecutive days.

Underground Markets

This past year, my organization also noticed a significant rise in the number of threads, items offered for sale, and hacking information related to COVID-19 on deep and dark web forums. This includes the sale of banking information and tools to exploit physical devices (e.g., ATMs for carding).

Financial organisations can stave off money laundering, account takeover, and identity theft attacks, but it requires a two-pronged approach. Organisations must proactively monitor, detect and uncover identity information found in open sources on the surface, social, deep and dark web. Understanding your digital footprint, as well as your adversaries, is important. However, human error also plays a major role in whether cyber threats are mitigated. Simply training employees on cybersecurity awareness can make a world of difference. Everyone should understand the signs of a scam and remain vigilant. As we move past the pandemic and transition back to “normal” life, we must not let our guard down – especially when it comes to COVID-19 or cyber safety.


Pablo Castillo is a Cyber Threat Research Analyst at Constella Intelligence – a digital risk protection company that works in partnership with some of the world’s largest organisations to safeguard what matters most and defeat digital risk.

In a statement on Thursday, trading app Robinhood confirmed that a “limited number” of customer accounts had been targeted by cybercriminals, though the Robinhood service itself had not been compromised.

Though Robinhood did not specify exactly how many accounts had been affected, it had been previously reported by Bloomberg that almost 2,000 customer accounts had been infiltrated, citing a person with knowledge of Robinhood’s internal probe.

The attacks prompted a backlash on social media, with several users failing to contact the company, which does not list a customer service phone number. Bloomberg’s report noted that Robinhood was considering adding a phone number in addition to other tools.

Robinhood said that the accounts may have been compromised after cybercriminals breached personal email accounts outside of their service.

"The security of Robinhood customer accounts is a top priority and something we take very seriously," the company said in a statement. “We always respond to customers reporting fraudulent or suspicious activity and work as quickly as possible to complete investigations.”

Robinhood is now working with affected customers to secure their accounts, advising that users use two-factor authentication to better protect their data. "2FA adds a strong layer of protection for your account, even if your password is weak, reused, or becomes compromised,” the company said in a push notification sent to customers last week to mark National Cybersecurity Awareness Month.


Robinhood is a California-based company that offers financial services to 13 million customers through its mobile app and website, enabling them to invest in stocks, ETFs and cryptocurrencies.

In 2018, consumers spent a record-breaking $6.22 billion while shopping on Black Friday. Similarly, Cyber Monday sales alone set a record $7.8 billion on spending. Consumer spending on holiday retail is expected to increase 4.5% to 5% this year, rising to more than $1 trillion.

Just as frequently as sales pop up around the holidays, so do global fraud attempts. With increased exposure to spam and hackers, businesses of all sizes should prepare to stay safe during the biggest shopping spree of the year. The importance of cybersecurity and protecting against malware, hackers and cyber-attacks is elevated for individuals and businesses alike during the holiday shopping season.

The heightened risk can be attributed to increases in shopping and online traffic. This time of year, individuals receive an amplified number of emails related to shopping and online purchasing. Hackers, in turn, know individuals are more susceptible than ever and will often attempt to make a person click a link for a fake deal or coupon.

Businesses are only as safe as their cybersecurity strategy is, and employees are subject to threats and can be prone to receiving illegitimate emails. Companies must properly arm their employees with the knowledge of potential risks, especially all the techniques hackers use around the holiday season. Whether it’s free offers, pop-ups or coupons, ensuring employees are aware of malicious tactics is the most important safety exercise.


Hackers are continuously targeting businesses and trying to get employees to click on links or open attachments by creating fake addresses, names and attaching malicious documents. During November and December, employees may use their work emails and computer programs to do personal holiday shopping or gift-giving.

Hackers may also try to infiltrate a company’s website or intranet. This can happen at any time and may already be underway if the company’s website is not properly configured. While it may seem obvious, an important first step is instructing employees to use secure passwords and implement multi-factor authentication wherever possible. If insecure processes are used, hackers may be able to get malware onto machines and into the company infrastructure. Another primary business risk to be aware of is false wire transfers. With the heightened level of online transactions, it’s crucial to keenly monitor accounts payable.

The best strategy to avoid falling prone to a cyberattack is awareness among an organisation’s employees.

Cybersecurity awareness can be disseminated across a company in a number of ways. Organisations should encourage employees to be cautious through company-wide emails, hosting training sessions and mentioning tips during staff meetings. The more the message is in front of the employee, the more likely it is to be effective. Top preventative tips for employees include visiting known website addresses instead of following links from other platforms, being alert at all times and using multi-factor authentication.

Businesses can keep hackers out by encouraging employees not to click on questionable links, taking the time to pay attention to threats and having multi-factor authentication in place. Firewalls also serve as a crucial layer to cybersecurity. The more barriers a company can put up in front of hackers, the more difficult it will be to compromise a system.


Company leadership should also arm employees with reactive steps to take if they do fall victim. Employees should be aware that they need to immediately report the potential hack or questionable activity to the organisation’s IT team. The sooner the activity is reported, the better. Once reported, the IT team can investigate the matter and potentially prevent harm to the system before it occurs.

Every IT department should have an incident response plan in place in the event any data is compromised. If there is a breach, proper planning will outline the appropriate authorities to contact and resources available to help with recovery from the hack. If you don’t have an incident response plan in place, contact a financial services or cybersecurity firm with extensive experience. An external partner should be able to assist with the development of a cybersecurity plan and test the existing infrastructure for potential vulnerabilities.

Unfortunately, user error is often inevitable. For that reason, organisations should also have an effective monitoring system in place. This will provide proper controls to detect a hacker trying to get into the system. Software should include intrusion detection and prevention, a properly configured firewall and advanced endpoint protection, all of which will prove vital in a time of cybersecurity need. These systems will alert the company if there are suspicious events or activities within the network.

Companies cannot rely on security software alone for monitoring. Organisations must ensure their computer systems are up-to-date and modernised through patches, which are provided by software companies when a vulnerability in the software is exposed. If software is outdated, it will provide an additional entryway for a hacker to access the network. Additional anti-virus and anti-malware programs can aid in picking up on any zero-day exploits or hacks to unpatched software.

The holidays are a heightened time of vulnerability for consumers and organisations alike. With that in mind, businesses must prioritise cybersecurity awareness and best practices. Employees must also play an active role in being mindful of their activities online—from clicking on links to opening attachments and inputting private information.

Organisations should implement cybersecurity practices year-round, with heightened awareness around the holidays. From monitoring to proper controls, each layer of security will provide additional barriers from outside threats. As holiday retail spending reaches more than $1 trillion this year, it’s high time organisations refresh and review cybersecurity training, software and crisis response plans.

Trump vs. China

Back in 1930, the US introduced the Smoot-Hawley Tariff Act, which raised their already high tariffs, triggering a currency war and, as economists argue, exacerbating the Great Depression. With President Donald Trump’s threat to put 10% tariffs on the remaining $300 billion of Chinese imports that aren’t subject to his existing levies, sending markets tumbling from Asia to Europe, the question on everyone’s lips is: Is history about to repeat itself?

In August, in a bid to hit back against Trump’s administration, Beijing allowed the Chinese yuan to plummet past the symbolically important level of 7 yuan to the dollar. Economists suggest that this currency manipulation is China’s attempt to display dominance and gain the upper hand in the trade war between the two countries, as devaluing its currency could help counteract the effects of the US’s long list of tariffs on Chinese goods.

As protectionist actions escalate and US-China relations continue deteriorating, investors and markets have been growing increasingly concerned even though Trump has delayed the imposition of his new tariffs until December. A full-blown trade war wouldn’t be good news to anyone and could seriously weaken the global economy, as the IMF has warned, making the world a “poorer and more dangerous place”. Both sides are expected to experience losses in economic welfare, while countries on the sidelines could experience collateral damage. Furthermore, if tariffs remain in place, losses in economic output would be permanent, as distorted price signals would prevent the specialisation that maximises global productivity. The one thing that’s certain, no matter how things pan out, is that there will be no winners in this war.


Cyberattacks & data fraud

Millions, if not billions, of people’s data has been affected by numerous data breaches in the past couple of years, whilst cyberattacks on both public and private businesses and institutions are becoming a more and more frequent occurrence. With the deepening integration of digital technologies into every aspect of our lives and the dependency we have on them, cybercrime is one of the greatest threats to every company in the world.

Cyberattacks are rapidly increasing in size, sophistication and cost, as cybercrime and data breaches can trigger extensive losses. In 2016, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. According to them, “this represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined”.

Emerging Markets crisis

Since the early 1990s, emerging markets have been a key part of investors’ portfolios, as they have been offering strong returns and faster growth. However, global trade tensions, a stronger US dollar and rising interest rates have hit emerging markets hard. Still far from catching up with the developed world, many supposedly emerging markets are developing at a slower pace, which, combined with the threat of a global trade war and rising borrowing costs, has made investors pull in their horns. Emerging markets are the ones feeling the strain, and financial panic has been gripping some of the world’s developing economies.

With political instability, external imbalances and poor policymaking which has led to full-blown currency crises in the two nations, Turkey and Argentina have been at the centre of an emerging market sell-off last year. But they are not the only emerging economies faced with a currency crisis – according to the EIU, some economies which are already in the danger zone and could suffer from the same currency volatility include Brazil, Mexico and South Africa.


If the currency crises in Turkey and Argentina continue and develop into banking crises, analysts predict that investors could abandon emerging markets across the globe. “Market sentiment remains fragile, and pressure on emerging markets as a group could re-emerge if market risk appetite deteriorates further than we currently expect”, the EIU explains.

Climate crisis

In recent months, the media has been constantly flooded with reports on the horrifying environmental risks posed by the climate crisis the Earth is in the midst of, but we’re also only starting to come to grips with the potential economic effects that may come with it.

Given the significant degree of uncertainty, the results of numerous analyses and research vary widely. A US government report from November 2018 raised the prospect that a warmer planet could mean a big hit to GDP. The Stern Review, presented to the British Government in 2006, suggests that this could happen because of climate-related costs such as dealing with increased extreme weather events and stresses to low-lying areas due to sea level rises. These could include the following scenarios:

Due to climate change, low-lying, flood-prone areas are currently at a high risk of becoming uninhabitable, or at least uninsurable. Numerous industries across numerous locations could cease to exist and the map of global agriculture is expected to shift. In an attempt to adapt, people might begin moving to areas which will be affected by a warmer climate in a more favourable way.


All in all, the economic implications of the greatest environmental threat humanity has ever faced span massive shifts in geography, demographics and technology – with each one affecting the others.

Brexit

Fears that the UK could be on the brink of its first recession in 10 years have been growing after figures showed a 0.2% contraction in the country’s economy between April and June 2019. A weakening global economy and high levels of uncertainty mean the UK’s economic activity was already lagging, but the potential of a no-deal Brexit and the general uncertainty surrounding the UK’s departure from the EU, running down on stock built up before the original 29th March departure date, falling foreign investment and car plant shutdowns have resulted in its GDP decreasing by 0.2% in Q2. This is the first fall in quarterly GDP the country has seen in six and a half years and as the new deadline (31st October) approaches, economists are concerned that it could lead to a second successive quarter of negative growth – which is the dictionary definition of recession.

And whilst the implications of Brexit are mainly expected to be felt in the country itself, the whole Brexit process displays the risks that can come from economic and political fragmentation, illustrating what awaits in an increasingly fractured global economy, e.g. less efficient economic interactions, complicated cross-border financial flows and less resilience and agility. As Mohamed El-Erian explains: “in this context, costly self-insurance will come to replace some of the current system’s pooled-insurance mechanisms. And it will be much harder to maintain global norms and standards, let alone pursue international policy harmonisation and coordination”. Additionally, he goes on to note that tax and regulatory arbitrage are likely to become more common, whilst economic policymaking could become a tool for addressing national security concerns.

“Lastly, there will also be a change in how countries seek to structure their economies”, El-Erian continues. “In the past, Britain and other countries prided themselves as “small open economies” that could leverage their domestic advantages through shrewd and efficient links with Europe and the rest of the world. But now, being a large and relatively closed economy might start to seem more attractive. And for countries that do not have that option – such as smaller economies in east Asia – tightly knit regional blocs might provide a serviceable alternative.”

As reported in the Financial Conduct Authority survey by Which?, the UK banking sector was hit by IT outages on a daily basis in the last nine months of 2018, demonstrating a higher frequency of major banking glitches than previously thought. Barclays alone reported 41 major incidents during those months, followed by Lloyds Bank with 37 IT failures and Halifax/Bank of Scotland with 31. Whilst TSB only reported 16 incidents, their week-long outage last year cost them around £330m as well as the longer-term impact of the clients lost.

Just minutes of downtime can significantly impact the financial sector, which holds the data and funds of millions of customers who are reliant on having access to these services and trust that their assets will be kept safe. To minimise the effects of a disaster and ensure business continuity in case of an IT failure or ransomware attack, businesses must invest in customised disaster recovery services which allow data to be brought back as quickly as possible in case of an outage. Diverting just a small proportion of the cybersecurity budget towards routine IT operations can deliver significant ROI in terms of increased operational resilience. Regular testing and optimisation of backup and recovery systems can deliver big rewards in terms of preventing issues and getting back up and running quickly should disaster strike.


Safeguarding your data 

In the event of an IT failure or a ransomware attack, IT operators need a way to get systems back online and to do so fast. As noted by Gartner, the average cost of IT downtime is £4,400 per minute. The implications of IT failures go far beyond financial losses however, as they also damage the reputation of the business as well as lead to massive amounts of operative time lost. When a cyberattack or an IT outage takes place, it is not the failure or attack itself that causes the most harm but the resulting downtime of operations affecting productivity and credibility of the organisation. To avoid such losses organisations must put appropriate recovery systems in place. But to do so, they must first understand the IT systems they run and know what data they hold.

To stop the nightmare scenario from becoming reality, a solution able to recover business-essential data and get the most crucial systems back online in minutes is needed. A zero-day approach to IT architecture can do just that, as it allows organisations to prioritise workloads, with a planned recovery strategy that makes sure the most important systems are brought back first in case of an outage.

A zero-day recovery architecture is a service that enables operators to quickly bring workloads or data back into operation in the event of an IT failure or cyberattack, without having to worry about whether the workload is compromised. With the so-called 3-2-1 backup rule – meaning three copies of data stored on two different media and one backup kept offsite – zero-day recovery enables an IT department to partner with the cyber team and create a set of policies which define the architecture for what they want to do with data backups being stored offsite, normally in the cloud. This system assigns an appropriate storage cost and therefore recovery time to each workload according to their strategic value to the business, as all data is not created equal in terms of business continuity.


This recovery system will only prove useful however when set up properly and tested thoroughly and frequently. Approximately 25% of organisations’ nightly backups fail – yet few will be aware of this due to a lack of recovery testing, meaning most businesses will have no idea what data has been lost in the process. With this in mind, operators need to perform disaster recovery testing on their data. Without testing in a controlled and simulated environment, it is impossible for IT and security teams to fully understand their systems’ integrity. Discovering that the data backup and recovery systems have failed only after an IT outage has already taken place has no value – this needs to have been done before the worst has a chance to take place.
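The 3-2-1 rule and the recovery-testing point above, as an added example that is not part of the original article: a small audit over a constructed backup inventory that flags workloads breaking the rule (fewer than three copies, one medium, nothing offsite), flags copies with failed integrity checks or stale test restores, and orders workloads for recovery by business priority. The workload names, fields and the 30-day testing threshold are assumptions.

```python
"""Audit a backup inventory against the 3-2-1 rule and restore-testing policy.

Added example, not the article's or any vendor's code. The inventory below is
constructed; field names and the 30-day threshold are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class BackupCopy:
    media: str                          # storage medium, e.g. "disk", "tape", "cloud"
    offsite: bool                       # held away from the primary site
    checksum_ok: bool                   # most recent integrity check passed
    last_restore_test: Optional[date]   # last successful test restore, None if never


@dataclass
class Workload:
    name: str
    priority: int                       # 1 = most critical, restored first
    rto_minutes: int                    # recovery time objective
    copies: List[BackupCopy] = field(default_factory=list)


def check_321(w: Workload) -> List[str]:
    """Return 3-2-1 violations for one workload (empty list means compliant)."""
    issues = []
    if len(w.copies) < 3:
        issues.append(f"{w.name}: only {len(w.copies)} copies (need 3)")
    media = {c.media for c in w.copies}
    if len(media) < 2:
        issues.append(f"{w.name}: all copies on one medium ({', '.join(sorted(media)) or 'none'})")
    if not any(c.offsite for c in w.copies):
        issues.append(f"{w.name}: no offsite copy")
    return issues


def check_restore_testing(w: Workload, today: date, max_age_days: int = 30) -> List[str]:
    """Flag copies that failed integrity checks or lack a recent successful test restore."""
    issues = []
    for i, c in enumerate(w.copies):
        if not c.checksum_ok:
            issues.append(f"{w.name}: copy {i} ({c.media}) failed integrity check")
        if c.last_restore_test is None:
            issues.append(f"{w.name}: copy {i} ({c.media}) never restore-tested")
        elif (today - c.last_restore_test).days > max_age_days:
            age = (today - c.last_restore_test).days
            issues.append(f"{w.name}: copy {i} ({c.media}) restore test is {age} days old")
    return issues


def audit(workloads: List[Workload], today: date, max_age_days: int = 30) -> Dict[str, List[str]]:
    """Map each workload name to its list of policy issues."""
    return {w.name: check_321(w) + check_restore_testing(w, today, max_age_days) for w in workloads}


def recovery_order(workloads: List[Workload]) -> List[str]:
    """Order workloads for restoration: most critical first, then tightest RTO."""
    return [w.name for w in sorted(workloads, key=lambda w: (w.priority, w.rto_minutes))]


def best_copy(w: Workload, today: date, max_age_days: int = 30) -> Optional[BackupCopy]:
    """Pick the copy to restore from: integrity-checked and recently test-restored,
    most recently tested first. None means no copy is currently trustworthy."""
    good = [c for c in w.copies if c.checksum_ok and c.last_restore_test is not None
            and (today - c.last_restore_test).days <= max_age_days]
    return max(good, key=lambda c: c.last_restore_test) if good else None


# Constructed sample inventory (assumed workloads, not real systems).
TODAY = date(2019, 9, 1)
WORKLOADS = [
    Workload("core-banking-ledger", 1, 15, [
        BackupCopy("disk", False, True, date(2019, 8, 30)),
        BackupCopy("tape", False, True, date(2019, 8, 20)),
        BackupCopy("cloud", True, True, date(2019, 8, 25)),
    ]),
    Workload("payments-gateway", 1, 30, [
        BackupCopy("disk", False, True, date(2019, 8, 31)),
        BackupCopy("disk", False, False, None),          # failed check, never tested
        BackupCopy("cloud", True, True, date(2019, 6, 1)),  # test restore 92 days old
    ]),
    Workload("hr-intranet", 3, 1440, [
        BackupCopy("disk", False, True, date(2019, 8, 31)),  # single onsite copy
    ]),
]

if __name__ == "__main__":
    for name, issues in audit(WORKLOADS, TODAY).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
    print("recovery order:", recovery_order(WORKLOADS))
```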

IT outages in the financial sector are becoming more frequent. In fact, the number of such incidents reported to the Financial Conduct Authority increased by 138% in the first 9 months of 2018, and they are showing no signs of slowing down, making them a question of when, not if. With a large portion of the infrastructure in the financial sector relying on IT, minimising outages and limiting threats to this infrastructure should be the number one priority for systems operators.

In the last few years we have seen the frequency and severity of third-party cyberattacks against global financial institutions continue to increase. According to Tom Turner, CEO at BitSight, there is a growing need for more effective risk management among firms in the financial services sector.

One of the biggest reported attacks against financial organisations occurred in early 2016, when $81 million was taken from accounts at Bangladesh Bank. Unknown hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. The Bangladesh Bank managed to halt $850 million in other transactions, and a typo made by the hackers raised suspicions that prevented them from stealing the full $1 billion they were after.

Landscape

The Financial Conduct Authority (FCA) reported 69 attacks in 2017 compared to 38 reported in 2016, a rise of more than 80% in the last year. We saw two main trends last year. First, there was a continuation of cyberattacks targeting systems running SWIFT — a fundamental part of the world’s financial ecosystem. Because SWIFT software is unified and used by almost all the major players in the financial market, attackers were able to use malware to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organisation in the world. Victims of these attacks included several banks in more than 10 countries around the world. Second, we saw the range of financial organisations that cybercriminals have been trying to penetrate expand significantly. Different cybercriminal groups attacked bank infrastructure, e-money systems, cryptocurrency exchanges and capital management funds. Their main goal was to withdraw very large sums of money.

With the evolving risk landscape and the challenges of new potential risks including third party risks, companies within financial services need a set of management procedures and a framework for identifying, assessing and mitigating the risks these challenges present. Effective risk management offers sound judgement in making decisions about what is the appropriate resource allocation to minimise and mitigate risk exposure.

Risk management lifecycle

The basic principle of a risk management lifecycle is to mitigate risk, transfer risk and accept/monitor risk. This involves identification, assessment, treatment, monitoring and reporting.

In order to mitigate risk, an organisation must measure cyber risk performance and incentivise critical third-party vendors to address security issues through vendor collaboration.

In terms of identification, you can’t manage your risks if you don’t know what they are, or if they exist. The first step is to uncover the risks and define them in a detailed, structured format. You need to identify the potential events that would most influence your ability to achieve your objectives, then define them and assign ownership.

Once the risks are identified they need to be examined in terms of likelihood and impact, also known as assessment. It is important to assess the probability of a risk, and its consequences. This will help identify which risks are priorities and require the most attention. You need to have some way of comparing risks relative to each other and deciding which are acceptable and which require further management. In this way you establish your organisation’s risk appetite.

To transfer risk, an organisation is advised to influence vendors to purchase cyber insurance to transfer risk in the event of a cyber event.

Once the risk has been assessed, an approach for treatment of each risk must now be defined. After assessment, some risks may require no action, to only be continuously monitored, but those that are seen as not acceptable will require an action or mitigation plan to prevent, reduce, or transfer that risk.

To accept and monitor risk, the organisation must understand potential security gaps and may need to accept certain risks due to business drivers or resource scarcity.

Once the risk is identified, assessed and a treatment process defined, it must be continuously monitored. Risk is evolutionary and can always change. The review process is essential for proactive risk management.

Reporting at each stage is a core part of driving decision-making in effective risk management. Therefore, the reporting framework should be defined at an early point in the risk management process, by focusing on report content, format and frequency of production.

Managing with risk transfer

Risk transfer is a strategy that enterprises are considering more and more. It mitigates potential risks and complies with cyber security standards. As cybercrime rises, an insurer’s view of cybersecurity has changed from being a pure IT risk to one that requires board-level attention. Insurance is now viewed as fundamental in offsetting the effects of a cyberattack on a financial institution. However, insurers will want to know that appropriate and audited measures are in place to prevent an attack in the first place and respond correctly when cybersecurity does fail. An organisation’s risk management responsibility now extends down the supply chain and insurers will want to know the organisation’s strategies to monitor and mitigate third party vendor risk.

Simplifying risk management and the transfer of risk can also be accomplished by measuring your organisation’s security rating. This is a similar approach to credit ratings for calculating risk. Ratings provide insight into the security posture of third parties as well as your own organisation. The measurement of ratings offers cost saving, transparency, validation and governance to organisations willing to undertake this model.

The benefits of security ratings will be as critical as credit ratings and other factors considered in business partnership decisions in the very near future. The ratings model within risk management can help organisations collaborate and have productive data-driven conversations with regards to risk and security, where they may not have been able to previously.

Long term potential

This year we will see a continuation of third-party cyberattacks targeting systems running SWIFT, allowing attackers to use malware in financial institutions to manipulate applications responsible for cross-border transactions across the world. Banks generally have more robust cyber defences than other sectors, because of the sensitive nature of their industry and to meet regulatory requirements. However, once breached, financial services organisations’ greatest fear is copycat attacks. This is where an effective risk management strategy can enable better cost management and risk visibility related to business operational activities. This leads to better management of market place, competitive and economic conditions, and increases leverage and consolidation of different risk management functions.

In 2017 Kaspersky Lab's anti-phishing technologies detected over 246 million attempts by users to visit phishing pages of various kinds. Of those, over 53% were attempts to visit a financial-themed page, 6 percentage points higher than in 2016. According to Kaspersky Lab's analysis of the financial threat landscape, this is the first time since it began recording phishing attempts that the financial share has exceeded 50%.

Financial phishing attacks are fraudulent messages that link to copycat websites made to look like a legitimate bank, payment system or shop. Their aim is to capture credentials for banking and credit accounts, and the data needed to access online banking or money transfer accounts, so that the victim's money can be stolen afterwards. With 53% of phishing attacks taking this form, more than every second attack across the world is after a victim's money.
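The copycat sites described above only work if the victim accepts the address as the real brand, so a useful defensive check is to flag hostnames that impersonate protected brands. The following detector is an added example and is not code from Kaspersky Lab or from the original article. It assumes a constructed list of legitimate domains, a small hand-written confusable-character table and a short list of two-part public suffixes; a real deployment would use the Public Suffix List and the Unicode confusables data instead. The sample URLs are constructed for illustration, including one internationalised domain built from a Cyrillic "а".

```python
"""Flag hostnames that impersonate protected financial brands.

Added example, not from the Kaspersky Lab release quoted on this page.
Brand list, confusable table, suffix list and sample URLs are all constructed.
"""
from urllib.parse import urlsplit

# Constructed list of the domains a security team wants to protect.
LEGIT_DOMAINS = {"examplebank.com", "paypal.com", "hsbc.co.uk"}
BRANDS = {d.split(".")[0] for d in LEGIT_DOMAINS}

# Assumption: a tiny stand-in for the Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Assumption: a tiny stand-in for the Unicode confusables data.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
})


def hostname_of(url):
    """Lower-cased hostname with any punycode (xn--) labels decoded."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode


def split_domain(host):
    """Return (subdomain labels, registrable label, public suffix)."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return labels[:-3], labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[:-2], labels[-2], labels[-1]
    return [], labels[0], ""


def normalise(label):
    """Fold look-alike characters to ASCII and drop hyphens."""
    return label.translate(CONFUSABLES).replace("-", "")


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, brand) for one URL."""
    subs, label, suffix = split_domain(hostname_of(url))
    if f"{label}.{suffix}" in LEGIT_DOMAINS:
        return "legitimate", label
    norm = normalise(label)
    for brand in sorted(BRANDS):
        if brand in norm:  # paypa1-secure.com, IDN homoglyphs
            return "lookalike: brand in registrable label", brand
    for brand in sorted(BRANDS):
        if brand in {normalise(s) for s in subs}:  # paypal.com.evil.net
            return "lookalike: brand used as subdomain", brand
    for brand in sorted(BRANDS):
        if levenshtein(norm, brand) <= 1:  # payal.com
            return "lookalike: near miss of brand", brand
    return "no match", None


# Constructed samples; the IDN one is built from a Cyrillic "а" in "paypal".
SAMPLE_IDN_URL = "http://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/"
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://online.hsbc.co.uk/",
    "http://paypa1-secure.com/login",
    SAMPLE_IDN_URL,
    "http://paypal.com.account-verify.net/",
    "https://payal.com/",
    "https://news.example.org/",
]


def scan(urls):
    """Classify every URL; returns a list of (url, verdict, brand)."""
    return [(u,) + classify(u) for u in urls]


if __name__ == "__main__":
    for url, verdict, brand in scan(SAMPLE_URLS):
        print(f"{verdict:40s} {brand or '-':12s} {url}")
```

The checks are ordered from strongest to weakest signal, and the punycode decoding matters: a proxy or DNS log records the ASCII `xn--` form, which contains no brand string at all until it is decoded and confusables are folded.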

In 2017 the shares of the three financial phishing categories – attacks against banks, payment systems and e-shops – grew by 1.2, 4.3 and 0.8 percentage points respectively, and for the first time they were the top three categories among all phishing attacks detected.

The distribution of different types of financial phishing detected by Kaspersky Lab in 2017

Meanwhile, attacks in the global internet portal category – which covers search engines, social networks and similar services – fell from second place in 2016 to fourth in 2017, a drop in share of more than 13 percentage points. This suggests that criminals are losing interest in stealing these accounts as a stepping stone and are focusing on accessing money directly.

The data also shows that Mac users are in increasing danger. Contrary to the popular belief that Mac devices are inherently safe, 31.38% of phishing attacks against users of the platform in 2016 were aimed at stealing financial data, and the share rose to 55.6% in 2017. Phishing targets the person rather than the operating system, so a platform's resistance to malware offers no protection against it.

“The increased focus of cyber criminals to conduct financial phishing attacks means users need to remain extra vigilant. To get to grips with our money, fraudsters are constantly looking for new methods and techniques to catch us out. We need to be just as determined not to let them succeed, by constantly investing in cyber literacy,” said Nadezhda Demidova, lead web content analyst at Kaspersky Lab.

In order to protect themselves from phishing, Kaspersky Lab experts advise users to take the following measures:

(Source: Kaspersky Lab)

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.