Willie Sutton wasn’t wrong. The most famous words regularly attributed to America’s most famous bank robber are as apt today as they were in the last century. He chose banks as his target “because that’s where the money is,” he is purported to have said.
Banks are still where the money is. But that’s not the whole story. These days, banks are also where the data is – and that too makes them an attractive target for crooks, all the more so with the rapidly proliferating technologies customers require and criminals eye greedily. Of course, it’s not only the banks that have changed. So have the criminals. Today’s cybercriminals may not have Sutton’s way with words, but they do a lot more damage through potentially devastating cyber-attacks on financial institutions.
Year after year, cybercrime sets new records
The cybercriminals are numerous, smart, highly organized, and more active in wreaking havoc with each passing year. Cyber-attacks have become so ubiquitous in the financial sector that the ThreatMetrix Cybercrime Report issued at the end of 2015 boldly warned that “a major financial institution is likely to be hit by significant cybercriminal activity in 2016.”
That prediction was borne out in short order with the $81 million cyber heist from the Bank of Bangladesh by hackers who gained access to the funds via SWIFT, the global messaging network. The only good news in the incident is that the fraud was detected and stopped before the criminals succeeded in draining the $1 billion they were after.
In another audacious cybercrime spree described by Kaspersky Lab at a 2015 security summit, a multinational gang used “an arsenal of attack tools” to infiltrate more than 100 banks spanning 30 countries in what actually did amount to a billion-dollar hold-up. Not surprisingly, banks and other financial institutions have the dubious distinction of being a preferred target of the cyber crooks, as the latest Data Breach Investigations Report demonstrated.
The far-reaching report – which the Telecom prepares annually in a consortium composed of nearly 70 other businesses and government agencies – covers 64,199 incidents, including 2,260 that were confirmed data breaches. Of the breaches, 795, or 35 percent, hit the financial services sector, with the rest spread out across all other industries.
The statistics reveal a need for enhanced fraud management solutions at many institutions
The pressure on banks to institute state-of-the-art fraud management solutions such as the sophisticated tools created by Nice Actimize, a world leader in the field, doesn’t come solely from the criminals, of course. The heightened emphasis regulators and governments alike now place on cybersecurity also argues for cutting-edge solutions at every financial institution.
The Data Breach Investigations Report also reveals a surprising fact: over the course of ten years, companies’ internal fraud detection systems have flipped from being a leading indicator of breaches in 2005 to being a lagging one in 2015.
In the earlier years, 80 percent of breaches were discovered in-house, but by 2015 fewer than 20 percent were. Fortunately, the declining rates of internal detection coincided with increasing rates of detection by police and other third parties, partially offsetting the internal figures. Even so, the numbers paint a picture of a growing need in the industry for the most comprehensive and sophisticated internal fraud management solutions available today. The ideal tools are the ones that provide unified, holistic solutions that offer protection across all of the channels modern banking relies on, and against both internal and external threats.
That calls for cutting-edge technology that can deliver quietly aggressive detection and protection functionality. But it calls for something else as well in a necessarily customer-centric business like banking and finance. The balancing act is to ensure maximum protection from cybercrime while minimizing any potential disruption for the customer.
Some easy-to-implement front-line steps banks can take to fight cyber-attacks
It’s not all complicated and costly. Some security measures can be as simple as reviewing the data about breaches and acting accordingly.
Think before you click (and make sure every other employee gets that message, too!). The largest portion of data breaches begins with phishing. As primitive as the technique sounds today, the simple act of sending a phishing email with malicious attachments or links is still the surest way to let malware past your defenses. To return to the Data Breach Investigations Report, the data shows that when tests were run, 13 percent of people clicked on a phishing attachment, despite the warnings we have all heard.
Spread the word. One strength the cybercriminals have is an apparent willingness to collaborate with one another and share tips and tricks. That happens to some extent among the good guys, too – but with one big caveat. While thousands of banks are connected to such threat-sharing groups as the Financial Services Information Sharing and Analysis Center, officials say many members are more interested in getting information than they are in reporting incidents at their own institutions – at least until any litigation is settled much later. Obviously, there are legitimate legal concerns in such situations, but the fact is that timely information sharing can be important in both thwarting attacks and catching attackers.
Don’t make it too easy for the criminals. According to Chris Novak, a spokesperson for the consortium behind the Data Breach Investigations Report, stolen or weak passwords were involved in 63 percent of confirmed data breaches in 2015. Clearly, it is not possible to hold every customer’s hand and enforce strong password choices, but there is a solution that can overcome theft of passwords and simple bad password choices to a significant degree: institute two-factor authentication.
Whatever fraud management solutions a bank adopts in the end, the choices should be made with a clear understanding that the problem of cybercrime is a huge one, and it is rapidly growing bigger. The thieves and hackers are both ruthless and relentless, and there’s one thing we can always be certain of: every hour of every day, there are people out there thinking long and hard about your bank’s fraud protection tools.