Practical Risks and Real Remedies in E-Banking: the biggest mistakes banks make in defending against hackers
By Ilia Kolochenko, CEO of High-Tech Bridge
Risk assessment needs to be comprehensive and global
Many financial institutions fail to perform comprehensive risk analysis and assessment, exposing their companies and clients to enormous risk. For example, many banks tend to underestimate or even ignore the security of their websites, focusing instead on “more sensitive” web applications such as e-banking. This is totally wrong, as even if the bank website does not contain any financial data, it is a perfect target for cybercriminals. For example, a medium-risk Cross-Site Scripting (XSS) vulnerability on the bank website may be used to perform spear-phishing campaigns against bank’s clients, infecting their PCs or mobile devices with a Trojan when visiting the website of the bank.
Other problems are outsourcing, external backup, and cloud. Many financial institutions completely ignore the fact that their IT supplier has a privileged access to financial records of the bank, and at the same time do not care about their own internal information security. Obviously, hackers would rather compromise a negligent IT supplier and get everything they need via him, instead of organizing expensive APTs against the bank itself. A “secure” externalization of backup and usage of a cloud has become very popular these days. Keep in mind that if a third-party provider transmitting, hosting, or processing your data is hacked, you are automatically hacked as well.
ATM machines are being compromised and hacked too! For example, a backdoor can eject all the cash out of the ATM when pressing a secret combination of keys instead of your pin. Did you include ATM protection in your cybersecurity plan, or are they still running Windows XP connected to the web?
End-users of e-banking shall be regarded as already compromised
Despite all the efforts taken by the antivirus industry, hackers are still more sophisticated than the security software. Kaspersky itself recently announced being hacked and infected with very complex and invisible malware… Almost any type of security of e-banking solution implemented on the client side can be by-passed if the client’s computer is compromised. One time passwords, two factor authentication, and all other modern security mechanisms will fail if a client’s machine is hacked. And, in combination with a tiny vulnerability on the bank website abandoned by the security team, uneducated users and smart hackers, a client will be hacked – it’s just a question of time.
Therefore, make sure that you have implemented a strict monitoring service that can notify your fraud prevention team about any abnormal activities and block or pause suspicions money transfers. Client notification by an external means, such as SMS or phone call, about any potentially suspicious activities with his or her account – can prevent many fraudulent transactions just in time. Every single minute is important to stop illegal transaction, otherwise money will leave the account and you will never ever see it again.
Every single user of e-banking shall be considered as hacked and compromised. In this area, paranoia is less expensive to the business than negligence.
Strong authentication should be implemented properly
Two Factor Authentication (2FA) and One Time Passwords (OTP) may be evil is implemented wrongly. I know a bank that replaced old fashion scratch cards with more “modern” notification by SMS for their mobile banking solution. The problem was that the card was usually stored separately from the mobile phone, and in case of a robbery, criminals could not access your bank account. However, with this security upgrade, it became enough to steal your mobile phone to get unlimited access to your bank account!
Therefore, when you implement new security solutions, make sure that they are appropriate for your business environment, otherwise you are just harming your business.
Cybersecurity solutions need to be both efficient and effective
Many financial organizations spend huge amount on cybersecurity solutions without analyzing if these solutions are effective, necessary, appropriate, and compatible with their particular business environment and business needs.
I have seen small organizations who spent hundreds of thousands dollars on expensive Data Leakage Prevention (DLP) solutions, leaving their front-end applications with critical data unprotected. Just because security vendors showed them Gartner’s report saying that 90% of threats are coming from insiders…
Another common case is expensive security solutions purchased in the sake of compliance or ordered directly by the management being scared to death by cybersecurity media hype. Due to the high complexity of configuration and management, those expensive boxes were abandoned by IT teams in default configuration, leaving corporate infrastructure as vulnerable as if they didn’t exist. Remember, spending a lot on your IT security does not mean spending wisely.
