Willie Sutton stole nearly $2 million over his career as a professional bank robber in the last century. Rumor has it that a journalist asked, “Why are you robbing banks?” and he replied, “That’s where the money is.” Although Sutton denied this exchange in later years, the line makes a very accurate point about the financial services sector.
These days, stealing money from brick-and-mortar banks remains a very “old-fashioned” approach. Now the currency a cybercriminal will hunt for is personal information, and where they look for it is web applications where online financial transactions flow like water.
Make no mistake, financial institutions are still “where the money is”. Financial services still hold the title of “the most exploited sector” with a rate of 35%. In addition, the COVID-19 pandemic, from which cybercriminals have benefited greatly, has led to significant growth in online banking, which in turn has significantly increased the volume of sensitive personal data that can be stolen. Between January 2021 and May 2021 alone, attacks in the financial services sector increased by 38%.
Deficiencies and errors in protecting sensitive data
The rapid (but also imperative) rise of online banking and the digitization of financial services require managing larger and more complex volumes of customer data. With expectations of stricter data privacy, protecting sensitive data has become unprecedentedly difficult. The pace of change in this sector leaves many security vulnerabilities open and prevents sufficient, comprehensive protection from being put in place. Cybercriminals are clearly well aware of this, as attacks on sensitive data are increasing at an alarming rate. According to research, more than 870 million records were compromised in January 2021 alone. This is more than the total number of compromised records seen in all of 2017.
Application-layer DDoS attacks target the top layer of the OSI model, the application layer, which provides connectivity over the internet protocol. The goal is to bombard a server with so many requests that it can no longer respond to legitimate traffic. The more requests per second (RPS), the more intense the attack. The Digital Banking Report stated that the first goal of financial service providers should be to improve the customer experience. Businesses that respond more quickly to attacks that disrupt the customer experience not only have higher referral rates but also do better at retaining and cross-selling to existing customers. When customers’ access to online banking services is interrupted in some way, the reaction is often anger. This anger can lead to complaints on social media platforms, to customers changing providers and to damage to the bank’s brand.
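Since RPS is the intensity measure described above, the following added example (not part of the original article) computes peak requests per second over a sliding window from web access logs, grouped either per client IP or per URL path so that a flood spread across many clients still shows up on the targeted endpoint. The log lines, addresses, the 5-second window and the 10 RPS threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format prefix: client, timestamp, method, path.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def sample_log():
    """Constructed access-log lines: one ordinary client, one flooding /login."""
    fmt = '{ip} - - [01/Jun/2021:10:00:{s:02d} +0000] "{req} HTTP/1.1" 200 128'
    lines = [fmt.format(ip="198.51.100.7", s=s, req="GET /account") for s in (0, 2, 4, 6, 8)]
    for s in (3, 4):
        lines += [fmt.format(ip="203.0.113.9", s=s, req="POST /login")] * 40
    lines.append("corrupted line without a timestamp")
    return lines

def peak_rps(lines, key="ip", window_s=5):
    """Peak requests per second, averaged over a sliding window, per client IP or per path."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        events.append((ts, m.group(1) if key == "ip" else m.group(4)))
    events.sort()
    windows, peaks = defaultdict(deque), defaultdict(float)
    for ts, k in events:
        q = windows[k]
        q.append(ts)
        while q[0] <= ts - window_s:  # drop requests that left the window
            q.popleft()
        peaks[k] = max(peaks[k], len(q) / window_s)
    return dict(peaks)

def flag(lines, key="ip", max_rps=10.0, window_s=5):
    """Keys whose peak windowed rate exceeds max_rps (threshold is an assumed value)."""
    return {k: r for k, r in peak_rps(lines, key, window_s).items() if r > max_rps}

if __name__ == "__main__":
    print(flag(sample_log(), key="ip"))    # noisy clients
    print(flag(sample_log(), key="path"))  # endpoints under load
```

In practice the threshold would be set from a baseline of normal traffic for each endpoint rather than a fixed number.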
Towards the end of 2020, there was a significant increase in the number of Ransom Denial of Service (RDoS) threats. Many of these target thousands of business entities worldwide, including financial services.
RDoS attacks are “extortion-based” DDoS threats motivated by financial gain. The attackers demand payment in bitcoins to stop the DDoS attack on the target. They usually make this demand using the names of well-known threat actor groups.
The pattern of these threats is very similar. First, the attacker sends a threatening email, sometimes with intimidating detail about the attack. This email usually warns of an attack that will take the company offline for a short time. The targeted enterprise is given a period of 1 week to pay the requested money. The cybercriminal threatens to launch a larger and more unstoppable attack on the specified date in case of non-payment. This is how an RDoS attack usually unfolds.
Client-side attacks happen when a website user downloads malicious content, allowing the attacker to block user sessions, carry out phishing and damage the website. In financial services, this attack exploits third-party scripts on thousands of websites and is aimed at payment information. Financial websites rely on third-party scripts to improve the services they offer customers, but because these sites handle digital transactions involving assets and data, the scripts also become obvious and valuable targets. For example, when credit card information is stolen, large purchases can be made immediately, or the information can be sold to other criminals for later use. Consumers and service providers may not realize this until it’s too late.
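As an added example (not from the original article), the audit below inventories the third-party scripts a payment page loads and reports those a defender cannot vouch for: scripts fetched without TLS and scripts with no Subresource Integrity pin. Using SRI as the check is this example's choice, and the page URL, hosts and HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://bank.example/checkout"  # hypothetical page under review
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.min.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER-DIGEST" crossorigin="anonymous"></script>
<script src="https://analytics.example.org/tag.js"></script>
<script src="//widgets.example.com/chat.js" async></script>
<script src="http://ads.example.org/pixel.js" integrity="sha256-CONSTRUCTED"></script>
<script>var inline = 1;</script>
</head><body><form id="card-form"></form></body></html>
"""  # constructed sample markup

SRI_PREFIXES = ("sha256-", "sha384-", "sha512-")

class ThirdPartyScriptAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # (script URL, reason)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag != "script" or not src:
            return  # inline scripts are out of scope for this audit
        url = urljoin(self.page_url, src.strip())  # resolves relative and // URLs
        parsed = urlparse(url)
        if parsed.hostname == self.page_host:
            return  # first-party script
        if parsed.scheme != "https":
            self.findings.append((url, "third-party script loaded without TLS"))
        integrity = (attrs.get("integrity") or "").strip()
        if not integrity.startswith(SRI_PREFIXES):
            self.findings.append((url, "third-party script without integrity pin"))

def audit(html, page_url):
    """Return (url, reason) findings for third-party scripts on the page."""
    parser = ThirdPartyScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for url, reason in audit(SAMPLE_HTML, PAGE_URL):
        print(f"{reason}: {url}")
```

The audit only sees scripts present in the served HTML; scripts that those scripts load at runtime need a browser-side control such as a Content Security Policy.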
Supply Chain Attacks
Although we note that vulnerabilities and attack rates are increasing in software security, it is common knowledge that most software vulnerabilities are not reported. “Front-to-back processing for all financial services” brings together and integrates a complex set of software applications including back office, middle office, risk management, business developers, finance and IT. APIs are at the heart of these applications and allow them to communicate with each other. Unfortunately, while APIs work so well, they also expose information that can be used to attack the supply chain, such as details of applications and their internal structures. Contributing factors such as weak authentication, lack of encryption and unprotected endpoints make APIs even more vulnerable. The attack surface, and therefore the risk, increases as financial services organizations expand their supply chain by engaging with other companies to obtain and deliver services. An inadequately protected supply chain makes your company a shiny target for attackers who are aware of vulnerabilities in APIs and will not hesitate to exploit them.