4 moves cybercriminals will make in 2018

Bad actors are getting better at their work. In this article, we look at the tactics they’re using to steal money and privileged information from banks and their customers, and what financial institutions can do to mitigate their risk.

By Karen Epper Hoffman

If news headlines and buzz at industry events are any indication, there is little doubt that cybercrime is a growth industry—and perpetrators are constantly building their expertise, finding new methods and attack vectors to get what they want.

To add to the difficulty for community banks and their customers, these cybercriminals are not simply coming at them from one direction. They are approaching from all angles, with increasingly sophisticated and pernicious threats to mobile devices and connected devices; through cloud networks, third-party providers, social media and cryptocurrency wallets; and by utilizing older and proven hacks, as well as innovative new methods.

According to the Kaspersky Lab Threat Predictions for 2018 in Financial Services and Fraud, released in late 2017, fraud attacks in financial services have become “increasingly account-centric” in the past year. Customer data has become a key enabler for “large-scale fraud attacks and the frequency of data breaches among other successful attack types, which has provided cybercriminals with valuable sources of personal information to use in account takeover or false identity attacks,” according to Kaspersky’s security bulletin on the report.

Indeed, many financial institutions are a target for malware attacks, breaches and varied new cybersecurity threats, according to a study released by Cisco Systems in July 2017. The networking giant’s research found that only 55 percent of cyber alerts are investigated by financial institutions. Further, according to the 509 banks Cisco surveyed for its report, just over one-quarter of these investigated threats (28 percent) were considered legitimate—and only 43 percent of those legitimate threats were remediated.

Here are several of the cybercrime techniques we see on the rise, and what banks and their customers can do to beat back their effectiveness.

1. Mobile attacks
As more consumers bank and shop and live their day-to-day lives through their mobile devices, it only makes sense that this is the platform through which savvy cybercriminals will carry out many of their attacks. More than one-third of people (35 percent) now use their smartphones for online banking, and a full 29 percent conduct online payments via mobile (up from 22 percent and 19 percent, respectively, in 2016), according to the most recent Kaspersky Cybersecurity Index. Last year saw the emergence of a number of mobile-focused threats aimed at both consumers and businesses. In the first quarter of 2017 alone, McAfee Labs detected more than 1.5 million new incidents of mobile malware. One in five companies admitted their employees’ mobile devices had already been breached, and a whopping 94 percent of companies expect the frequency of attacks on the mobile platform to increase as more businesses conduct transactions there, making it more difficult to secure these interactions and platforms, according to research commissioned by Check Point Software Technologies Ltd. Among the myriad mobile security concerns: Many Android smartphones use random number generators that “are not all that random,” making them easier to compromise, according to Johannes Ullrich, dean of research for the SANS Technology Institute, a company that provides cybersecurity training.

Action: Kaspersky estimates that the number of mobile malware variants existing in the wild is likely even higher than reported and that this year will bring even more advanced, persistent threats in mobile. Since people are unlikely to give up their dependence on their mobile devices, the only courses of action available to community banks are to educate customers and employees about these growing threats, encourage both groups to create better passwords and regularly change them, and regularly update software and patch vulnerabilities, according to Jeffrey Korte, director of community institutions and associations for FS-ISAC. Korte also suggests banks may want to consider “providing security software to [their] customers to prevent their systems from being compromised and to notify them of harmful websites.”

2. Account takeover
As the old saying goes, everything old is new again. While many bad actors are breaking new ground in their efforts to come up with innovative attack vectors and techniques, many attacks are covering (or revisiting) well-trodden territory—relying on old-school malware propagation or seemingly simplistic physical ATM and account takeover attacks that may appear basic but get the job done, stealing money and information. The reason? As many banks and retailers embrace more secure chip and PIN technology, and other security improvements in their transactional systems and at points of sale, fraudsters are falling back on tried-and-true scams, betting that financial institutions and consumers might not be as wary because these scams have not surfaced in a while.

“As online payment security improves through tokenization, biometric technology and more, fraudsters are shifting to account takeover attack,” according to Kaspersky’s predictions for financial cybercrime and fraud in 2018. Korte calls account takeover, business email compromise and fraud scams “the most worrisome type of attacks for institutions.” Account takeover is increasing 5 percent per year by many industry accounts, and research and advisory firm Forrester estimates that this attack vector alone accounted for at least $6.5 billion in losses in 2017, and is set to rise.

Action: Korte advises that institutions “validate new customer information and contact their fraud departments when suspicious activity is present. Also, slow down in approving accounts with new customers and train new account employees how to spot red flags to ensure they are following all the know-your-customer procedures. With all the new account features that many community institutions are rolling out, [account fraud] becomes even more of a concern, because they no longer require the new customer to come into the branch.” To that end, he suggests that banks institute formal anti-fraud steps and “red-flag procedures” for employees to follow if they detect suspicious activity.

3. ATM skimming
Much like account takeover, the decades-old practice of ATM skimming has seen a renaissance among cybercrooks who see this as a simple and effective way to steal money. And they are taking their exploits to new and more devious levels, employing new technologies like “shimmers” and remote and file-less operations technology. “Most people are familiar with ‘skimmers,’ devices that sit on ATMs or POS machines and gather the magnetic stripe information from cards,” Korte says. “Skimmers sit on top or around the card mechanism and/or PIN pad. Shimmers, on the other hand, sit deep within the ATM card slot and capture data on the chip.” Hence, this approach can overcome the protections for EMV chip cards. “Many times, these types of attacks remain unknown until fraud begins with the card numbers and it is traced back to a point of compromise,” Korte adds. In the case of a file-less attack, malware is not even installed, as all the malicious processes are run through the random access memory (RAM), making it difficult for anti-virus or other security software to ferret out. Last year, Kaspersky researchers discovered “Cutlet Maker,” an ATM malware being bought and sold on the dark web for a few thousand dollars that offered even newbie thieves a clear and easy guide to teller machine theft.

Action: Banks should investigate their ATMs for potential compromise on a more frequent and regular basis, and properly train their employees in what to look for. Shimmers are more difficult to spot or protect against, and require card issuers to consistently check the card’s CVV code when authorizing transactions, Korte adds. Community banks have been sharing their shimmer and skimmer discoveries with other regional banks through the Community Institutions and Associations Council on FS‑ISAC, which also produces a weekly Risk Summary Report detailing all recent fraud incidents, cyberattacks and threats, he says.

4. Attacking Internet of Things devices
The future is looking more “connected” than ever as everything from fridges and lightbulbs to cars and toys becomes part of a wider “Internet of Things” (IoT). As of last year, research and advisory company Gartner estimates there were 8.4 billion items connected through internet protocols, up 31 percent from 2016—a number it expects to multiply to 20.4 billion connected things by 2020. And all those connected devices—at work, home, school and in your car—represent ports through which hackers can sneak in to steal private information or funnel funds. Whether or not a bank employee or customer checks their accounts, conducts transactions or stores payment information on a particular device, a shrewd online interloper will find the weakest link in this IP-connected chain—be it your Amazon Alexa device or a child’s interactive toy—and use that as an inroad to valuable data. “Through these IoT devices, hackers can perpetrate command injection flaws or spread malware botnets like Mirai,” says Ed Skoudis, certified instructor and fellow with the SANS Technology Institute. BrickerBot is a permanent denial-of-service botnet that emerged in 2017, primarily attacking unsecured IoT devices.

Action: Like the use of mobile devices and ATMs, the IoT is not going away. To that end, Skoudis advises that all companies and consumers “think carefully about the wireless profile of the devices you’re buying and using.” Consider whether the device connects via Bluetooth, by radio frequency identification or infrared, and how far that signal extends, as well as the built-in security for each item. And, Skoudis adds, as with all connected devices, it is critical to keep the firmware up to date, and change the password from its default “whether the thing is a doll or a thermostat.”

Karen Epper Hoffman is a writer in Washington state.
