Payment Quarterly | Q1 2016

Page 17

“that’s where the money is and the economic incentive for cybercriminals is compelling. Opportunities to access cash, divert funds, and conduct fraud offer an almost limitless number of financial options for a sophisticated cyber attacker. And all of the financial data on customers is highly valuable to cyber attackers. Stolen credit card numbers, perhaps one of the least profitable rewards for cyber attackers, are often valued at between $1 and $2 apiece when sold on the black market or the dark web.

Similar to healthcare and life sciences, financial institutions also maintain large databases that include detailed personal data on their customers. Cyber attackers view this data as a treasure trove to be further exploited for resale to other elements of organized crime.

In order to access this data, attackers carefully research their targets using all available resources, including sources such as blogs and social media. This personal data better enables cyber criminals to entice personnel within the target accounts to engage with them so they can find a successful penetration point on the network. These enticements are often delivered via social media postings, email or other content that appears to be trustworthy. Emails may look like official business, reference details on ACH payments or some other category relevant to the financial firm. All it takes is one employee to click on an email or visit a malware-hijacked website to bring an attacker into your enterprise.

WHY FINANCIAL NETWORKS ARE SO VULNERABLE

The defense architectures that security teams have placed within financial institutions are struggling to effectively protect assets from an onslaught of attackers. These architectures generally attempt to defend the perimeter around the enterprise while trying to keep the attackers out.
While a perimeter defense strategy will always remain important, sophisticated APTs need only one successful and undetected penetration of the network to compromise data and put an organization at risk. In short, attackers can lose 99 times out of 100 but can still be successful based on a single network breach. Most financial institutions remain unaware of these breaches, as well as the length of time attackers traverse internal networks, which can often be for months at a time.

Many ATM systems and networks, which are often believed by bank information technology teams to be more isolated and better protected, are in fact often compromised by sophisticated cyber attackers in attacks that have been kept from the public eye. Perhaps surprisingly, the Federal Financial Institutions Council (FFIC) said that cybercriminals stole more than $40m from 12 debit card accounts via an ATM cyber attack in 2014. And globally, that number is likely to be much higher.

Financial networks have additional points of vulnerability, such as older operating systems used within ATM networks, that make them even more susceptible to attack. Until recently many ATMs were running Windows XP, while many still run Windows 7. Windows 7 off the shelf still requires substantial customization and hardening to make it more resistant to attackers. But if an attacker can get inside of your ATM network, they will be able to work around these defenses. The major ATM manufacturers do what they can to harden this turnkey environment with tools like whitelisting and other special enhancements. However, ATMs are computer systems that sit on networks, connected to the other financial systems, so they remain vulnerable.

Physical access is often gained by compromising a vector that makes cyber security more difficult. For example, many financial institutions have found a variety of password stealers, software, special electronics and pinhole cameras surreptitiously installed at their ATM locations. Meanwhile, bank employees’ use of mobile devices, memory sticks and email presents a constant target to determined attackers.

Malware used by attackers is often re-engineered in just a few minutes to enable movement past signature recognition technologies. Once inside, this malware, using encrypted formats, can migrate quickly to establish beachheads (backdoors) that allow attackers to continue stealthy data theft. As such, it is virtually impossible to maintain a perimeter that can keep attackers out.

RECOMMENDATIONS

• Rapidly evolving industry best practices can help maintain a stronger level of cyber defense. There is much you can do to further fortify and expand your current defense. Best practices include:
• Use tools that whitelist files within devices such as ATMs. This enables you to detect attempted malware
